Tracking amount of Time spent on a computation
Hey List,

I am using OpenSSL for experimenting with the cryptographic accelerator on a Sun machine. I am using this command

    openssl speed -engine pkcs11 -evp aes-128-cbc

to get the results, and this gives me the number of bytes that are communicated between the processor and accelerator in 3 sec (or any certain time).

My question is, is it possible to do it the other way around: I will send a fixed number of bytes, say 8K of data, and when this job gets done, see what the time spent on that particular computation is? I.e. instead of constant time and variable data, have constant data and see its effect on time.

Any pointers in this regard will be appreciated.

Thanks
Shoaib

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
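One way to get the "constant data, measure the time" figure the question asks for, as an added example that is not part of the thread: a constant 8K input is encrypted with AES-128-CBC a fixed number of times, optionally through an engine such as pkcs11, and the elapsed time is converted back into a throughput comparable to what openssl speed prints. It assumes the openssl CLI and GNU date on PATH; the input bytes are generated here and the engine name is a parameter.

```shell
#!/bin/sh
# Added example (not from the thread): time a constant AES-128-CBC workload
# instead of counting bytes in a fixed interval as "openssl speed" does.
# Assumes the openssl CLI is on PATH and GNU date (for %N). The input data is
# random bytes generated here; the engine name is whatever you pass in.
set -eu

# make_input FILE BYTES: write BYTES random bytes to FILE (the constant job).
make_input() {
    head -c "$2" /dev/urandom > "$1"
}

# now_ns: wall-clock time in nanoseconds (GNU date; BSD date prints a literal N).
now_ns() {
    date +%s%N
}

# time_fixed_job FILE ITER [ENGINE]: encrypt FILE ITER times with AES-128-CBC,
# optionally through ENGINE (e.g. pkcs11), and print the total elapsed ns.
# Each iteration is a separate openssl process, so the figure includes process
# start-up and engine initialisation; run once with and once without the engine
# and compare, or raise ITER/BYTES until the crypto dominates.
time_fixed_job() {
    file=$1; iter=$2; engine=${3:-}
    key=$(openssl rand -hex 16)
    iv=$(openssl rand -hex 16)
    start=$(now_ns)
    i=0
    while [ "$i" -lt "$iter" ]; do
        if [ -n "$engine" ]; then
            openssl enc -aes-128-cbc -engine "$engine" -K "$key" -iv "$iv" \
                -in "$file" -out /dev/null 2>/dev/null
        else
            openssl enc -aes-128-cbc -K "$key" -iv "$iv" \
                -in "$file" -out /dev/null
        fi
        i=$((i + 1))
    done
    end=$(now_ns)
    echo $((end - start))
}

# per_job_ns TOTAL_NS ITER: average time for one job.
per_job_ns() {
    echo $(($1 / $2))
}

# throughput_bps TOTAL_NS BYTES ITER: bytes per second derived from the timing,
# comparable to the bytes-per-interval figure openssl speed prints.
throughput_bps() {
    if [ "$1" -le 0 ]; then
        echo 0
        return
    fi
    echo $(($2 * $3 * 1000000000 / $1))
}

# Stand-alone use: sh timing.sh BYTES [ITER] [ENGINE]
if [ $# -gt 0 ]; then
    bytes=$1; iter=${2:-50}; engine=${3:-}
    tmp=$(mktemp)
    make_input "$tmp" "$bytes"
    total=$(time_fixed_job "$tmp" "$iter" "$engine")
    echo "$iter jobs of $bytes bytes${engine:+ via engine $engine}:" \
         "$(per_job_ns "$total" "$iter") ns/job," \
         "$(throughput_bps "$total" "$bytes" "$iter") B/s"
    rm -f "$tmp"
fi
```

Run it as `sh timing.sh 8192 50` and again as `sh timing.sh 8192 50 pkcs11`; the difference between the two per-job figures is the cost (or saving) attributable to the accelerator path, with process start-up cancelling out.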
RE: Using the FIPS Object Module
> From: Steve Marquess [mailto:marqu...@opensslfoundation.com]
> Sent: Tuesday, 23 August 2011 10:34 a.m.
> To: Harvey Shepherd
> Cc: openssl-users@openssl.org
> Subject: Re: Using the FIPS Object Module
> ...
> Please, please always keep in mind that the OpenSSL FIPS Object Module and the OpenSSL library are separate and distinct software components. They should be built separately, with the FIPS capable OpenSSL libraries incorporating the independently generated FIPS module. For the v1.2.3 module use http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz for the FIPS module and the latest 0.9.8 distribution (currently 0.9.8r) for the FIPS capable libraries.

Okay, so I've now built a FIPS capable OpenSSL library (using OpenSSL FIPS v1.2.3 and OpenSSL v0.9.8r) as follows (for my platform):

FOR OPENSSL-FIPS
================
    export CROSS_COMPILE=ppc_8xx-
    export HOSTCC=/usr/bin/gcc
    export FIPS_SIG=<snipped path>/openssl-fips/incore
    ./Configure linux-generic32 fipscanisterbuild no-asm no-hw
    make

FOR OPENSSL
===========
    ./Configure fips no-asm no-hw no-shared --with-fipslibdir=<snipped path>/openssl-fips/fips ppc_8xx-gcc
    make LDFLAGS=-static

This all builds successfully and I then build my application (Net-SNMP) and link in the .../openssl/libcrypto.a library. It builds successfully, but when I try to run the application and enable FIPS mode, it aborts with the error:

    340:error:2D069070:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match segment aliasing:fips.c:230:

Now I see in the User Guide that it specifies that if the runtime application interfaces with the OpenSSL FIPS Object Module, then it must be linked using the fipsld script. Perhaps I'm misunderstanding something here, but in my case is it not base OpenSSL which is interfacing with the Object Module (when those two are linked together, the fipsld script is used and the fingerprint checks all pass), and therefore would it not be unnecessary to link Net-SNMP using this script?

I have actually tried linking Net-SNMP using the script, which isn't straightforward as it also uses its own script to link, rather than the makefile. When I did manage to get it to try, it failed with:

    diff: .sha1: No such file or directory
    No such file or directory
    fingerprint mismatch

It looks like a pathname appears to be missing. Please can anyone let me know what I'm doing wrong.

Thanks,
Harvey Shepherd
Repost - Using the FIPS Object Module
Reposting as my original message doesn't seem to have been added to the mailing list.
Re: My bank has an invalid cert
On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

> I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and Firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

> Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the fox to guard your chicken house. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

> I've created my own certs of course but just not recently. Also I never tried to install the CA cert for Firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
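A way to find out which link of the bank's chain the local store actually rejects, and to add a root the distribution way, as an added example that is not from this thread: the chain the server sends is saved with s_client, split into leaf and intermediates, and verified against the Debian system store in /etc/ssl/certs; the verify error names the depth that failed. The openssl CLI and Debian's update-ca-certificates are assumed, the hostname is a placeholder, and, as noted later in the thread, Firefox keeps its own NSS store, so this changes what OpenSSL-based tools trust, not what Firefox trusts.

```shell
#!/bin/sh
# Added example, not from the thread: check which link of a site's chain the
# Debian system store rejects, and install a root CA into that store the
# distribution way. Assumes the openssl CLI; hostnames below are placeholders.
# Firefox keeps its own (NSS) store, so this does not change what Firefox trusts.
set -eu

# fetch_chain HOST PORT OUT: save every certificate the server sends (leaf first).
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null > "$3"
}

# split_chain BUNDLE DIR: write each PEM certificate in BUNDLE to DIR/cert-N.pem
# (N=1 is the leaf) and print how many were found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# verify_against_store DIR [CAPATH]: verify the leaf with the sent intermediates
# as untrusted helpers and the system store (default /etc/ssl/certs) as roots.
# The error text names the depth that failed, i.e. which cert is missing or old.
verify_against_store() {
    dir=$1; capath=${2:-/etc/ssl/certs}
    : > "$dir/intermediates.pem"
    for c in "$dir"/cert-*.pem; do
        [ "$c" = "$dir/cert-1.pem" ] || cat "$c" >> "$dir/intermediates.pem"
    done
    if [ -s "$dir/intermediates.pem" ]; then
        openssl verify -CApath "$capath" -untrusted "$dir/intermediates.pem" "$dir/cert-1.pem"
    else
        openssl verify -CApath "$capath" "$dir/cert-1.pem"
    fi
}

# install_root_debian ROOT_PEM NAME: add a root to the system store via
# update-ca-certificates (Debian/Ubuntu); needs root. Compare the printed
# fingerprint with a value published by the CA, not one served by the site.
install_root_debian() {
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256
    cp "$1" "/usr/local/share/ca-certificates/$2.crt"
    update-ca-certificates
}

# Stand-alone use: sh chaincheck.sh HOST [PORT]
if [ $# -ge 1 ]; then
    host=$1; port=${2:-443}
    work=$(mktemp -d)
    fetch_chain "$host" "$port" "$work/chain.txt"
    echo "server sent $(split_chain "$work/chain.txt" "$work") certificate(s)"
    verify_against_store "$work"
fi
```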
RE: being my own ca
What EKU are you using for the HTTP server cert?

Sent from my Windows Phone

From: Craig White
Sent: 8/24/2011 6:03 PM
To: openssl-users@openssl.org
Subject: Re: being my own ca

> Definitely there in Keychain_Access.app and specifically indicated to 'Always Trust' for everything (trying a shotgun approach). Now that obviously doesn't work for Firefox, but apparently Chrome uses Keychain_Access for certificate management and it still tosses the alert.
>
> Definitely there in Firefox -> Preferences -> Advanced -> Encryption -> View Certificates, and finally stored under 'Authorities', and check boxes are all checked (This certificate can: identify websites, identify email, identify software makers), and yet still... my server certificate (created with the code below) is not trusted, and the worst part is that it doesn't give any reason... the only thing displayed is 'permanently store this exception' (meaning, not a name error, etc.)
>
> Craig
>
> On Aug 24, 2011, at 2:22 PM, Eduardo Navarro wrote:
>
> > You need to have your Root CA certificate (the one used to issue the intermediate CAs and the HTTP cert) to be added to the Trusted Root Certificates store. Firefox manages this separately, same as Apple. Apple needs to add the CA to the Keychain as a trusted root. Firefox, you need to add it to the Security Settings (don't remember exact name of menu/tab)
> >
> > -Eduardo
> >
> > -----Original Message-----
> > From: Craig White
> > Sent: Wednesday, August 24, 2011 4:54 PM
> > To: openssl-users@openssl.org
> > Subject: being my own ca
> >
> > > I've been at this for too many hours and too many web pages and I'm so close... I think I could use a little help over the final obstacle.
> > >
> > > I'm trying to be my own CA, and what I want to accomplish is to be able to sign web server certificates that are automatically accepted by our LAN users if they have the CA certificate installed.
> > >
> > > My CA certificate verifies fine...
> > >
> > >     root@ubuntu:/etc/ssl# openssl verify cacert.pem
> > >     cacert.pem: OK
> > >
> > > My host web server certificate (generated with the key removed) verifies fine...
> > >
> > >     root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem
> > >     ubuntu/http.pem: OK
> > >
> > > I signed all the certificates that I generated with the CA key file that was used for the CA certificate, and if I load either the DER or the PEM version of my self-signed CA into Firefox or Apple's Keychain Access, I would expect that it should just be accepted (but it's not). Of course users can choose to 'accept' but I'm looking to get past that.
> > >
> > > If someone can help me get over the hurdle, I would appreciate it. The code I use to generate the web cert is...
> > >
> > >     openssl req -new -nodes \
> > >         -out $CERTPATH/http.csr \
> > >         -keyout $CERTPATH/http.key \
> > >         -days 3650 \
> > >         -config $CONFIG
> > >
> > >     openssl ca \
> > >         -config $CONFIG \
> > >         -policy policy_anything \
> > >         -out $CERTPATH/http.pem \
> > >         -infiles $CERTPATH/http.csr
> > >
> > > TIA
> > >
> > > --
> > > Craig White ~~ craig.wh...@ttiltd.com 1.800.869.6908 ~~~ www.ttiassessments.com
> > > Need help communicating between generations at work to achieve your desired success? Let us help!
Re: Tracking amount of Time spent on a computation
Hi,

> My question is, is it possible to do it the other way around: I will send a fixed number of bytes, say 8K of data, and when this job gets done, see what the time spent on that particular computation is? I.e. instead of constant time and variable data, have constant data and see its effect on time.

    time openssl speed -engine pkcs11 -evp aes-128-cbc

?

alan
Issue while building fips-capable openssl 1.0.1 on windows from latest snapshot build
Hi All,

I am trying to build the latest FIPS-capable OpenSSL (openssl-1.0.1-stable-SNAP-20110823 against openssl-fips-2.0-test-20110823) on a 32-bit Windows XP platform using VS 9.0. I managed to build the FIPS object module and run the FIPS test suite and test vectors. However, while trying to build the FIPS-capable OpenSSL, I am running into a few problems. Given below are the steps I performed:

1) perl Configure VC-WIN32 fips --with-fipslibdir= - all is well here, no errors yet.

2) ms\do_nasm: I see a few warnings because the win32 ordinal file was out of date. I got around this problem by running 'perl util\mkdef.pl crypto ssl update' as mentioned in the troubleshooting section of INSTALL.W32.

3) nmake -f ms\ntdll.mak: I run into an error due to missing FIPS header files:

    .\crypto\o_fips.c(60) : fatal error C1083: Cannot open include file: 'openssl/fips.h': No such file or directory
    NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN\cl.EXE' : return code '0x2'
    Stop.

Has anyone seen this error before? Just to get past this problem, I copied 'fips.h' and 'fips_rand.h' from the corresponding FIPS object module, although I am not sure if this is right. Perhaps fips.h for 1.0.1 is not ready yet? In any case, I could not make much progress beyond this step as I ran into the following NMAKE error:

    NMAKE : fatal error U1073: don't know how to make 'srocalslips-2.0\lib\fipscanister.lib'
    Stop.

Can someone tell me if I am missing something here or if it is an issue with the OpenSSL build script/code?

Thanks
Ajil
Openssl compile issues on solaris 10
Hi

I am attempting to compile OpenSSL 0.9.8r on a SPARC-based Solaris 10 machine. I am hitting an error when I run make test: the majority of the tests pass successfully, but when it gets to the AES tests I am getting a ciphertext mismatch:

    Testing cipher AES-128-ECB(encrypt)
    Key
    00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
    Plaintext
    00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
    Ciphertext
    69 c4 e0 d8 6a 7b 04 30 d8 cd b7 80 70 b4 c5 5a
    Ciphertext mismatch
    Got
    95 f8 f4 78 28 65 23 15 73 b3 28 a8 ba e5 ef fe
    Expected
    69 c4 e0 d8 6a 7b 04 30 d8 cd b7 80 70 b4 c5 5a
    *** Error code 9
    make: Fatal error: Command failed for target `test_evp'

Has anyone ever seen this error before, or got any idea what might be going on? The test passes successfully when I perform an identical build on SPARC Solaris 7 (using the Sun Workshop 6 compiler) but is failing on SPARC Solaris 10 (using the Sun C 5.8 compiler with optimisations turned off).

Any help would be gratefully received.

Thanks
Ben Ritchie
OpenSSL FIPS module self signed certificate creation failed
Hi All,

I am new to Linux and OpenSSL stuff. I have tried to install OpenSSL (1.2.3 with FIPS) with the FIPS module and it's successful (built and installed). For building I had used make and gcc version 4.3.4. I hope the installation was successful; it created the FIPS module and openssl binary (usr/local/ssl/fips1-0/bin).

Note: my machine already has openssl 0.9.8h installed. I didn't uninstall it.

What I tried is:

1. Executed this binary, /usr/local/ssl/fips1-0/bin/openssl, and created a self-signed certificate key - successful.
2. Using the same command, tried to create a certificate signing request, and it failed with "Invalid instruction".
3. I looked at the system logs; they had an entry:

    Aug 23 05:11:36 lglor248 kernel: [14103.238431] openssl[15942] trap invalid opcode ip:7fcb3cc886d0 sp:7fff7a02c9a8 error:0 in libcrypto.so.0.9.8[7fcb3cb9+16a000]

I did some googling on this and found a relevant link: http://forum.doom9.org/archive/index.php/t-125808.html But I don't feel my gcc version would be causing this issue, since that post was quite old and I have almost the latest gcc.

It will be appreciated if anyone helps me out on this.

NOTE: I used the openssl command which I created and never used the existing installation (old 0.9.8h).

Thanks in advance
rock!
Query regarding pseudo number generation error in OpenSSL
Hi,

I am using OpenSSL in one of my applications. The application has support for multithreading and runs on the Windows platform. This application uses OpenSSL version 0.9.8.0 and has support for FIPS.

The application listens on a particular port and for each new connection it creates a separate thread. Each thread separately invokes SSL APIs like SSL_accept(). I have observed that during high load (when the connection count goes above 500) SSL_accept() fails and gives the error

    random number generator:FIPS_RAND:prng error

after which my application crashes. If I place a mutex around SSL_accept() then I do not find any problem, but it could affect the performance. I suspect there is some issue because of which SSL_accept() fails in a multithreaded environment during high load. I have also observed that if I disable FIPS then my application works without any problem.

Is this a known issue in OpenSSL? Is there any way to avoid such an issue?

Regards,
Alok
ssl handshake with multiple tcp connect?
Hello,

today I ran into a situation where I noticed Firefox/Chrome and gnutls-cli use 3 TCP sessions to get a single SSL session, where openssl s_client takes only one. One TCP session is what I expect, and I hope someone may have an explanation.

I compared gnutls-cli with openssl s_client as they would do no HTTP interpretation, and are easily reproduced on the command line:

    gnutls-cli --insecure -V -r www.xs4all.nl /dev/null

uses 3 TCP sessions to complete;

    openssl s_client -connect www.xs4all.nl:443 /dev/null

uses 1 TCP session to complete.

Any idea how that may come? Until now, I was under the impression an SSL session setup should only use 1 TCP session (apart from OCSP/CRL checks).

Thanks in advance
Regards,
--
Arjan Filius
mailto:iafil...@xs4all.nl
loadbalancer affinity/persistence with tls sessiontickets
Hello,

a question about SSL persistence in load balancers. Until now we'd used the SSL Session ID in the load balancer to get some SSL and application affinity to the backend. But is it possible with the TLS session tickets extension? In the first TCP/SSL session I can't see any SSL session ID (as it is negotiated then), but in the second and further sessions I can see session IDs (and TLS session tickets).

Does anyone know if the TLS session ticket concept could work with load balancer affinity/persistence?

Thanks in advance,
Regards,
--
Arjan Filius
mailto:iafil...@xs4all.nl
Re: [openssl-users] loadbalancer affinity/persistence with tls sessiontickets
Hello,

Today, 25 August 2011 (VIII Kal. Sep. MMXI), Arjan Filius wrote:
> Does anyone know if the TLS session ticket concept could work with load balancer affinity/persistence?

It is perfectly suited to dumb load balancers. The session state is the ticket, and is saved by the client, encrypted by the server's private key.

--
Erwann ABALEA
erwann.aba...@keynectis.com
R&D Department, KEYNECTIS
Re: being my own ca
I see, said the blind man...

It took a while to figure out what you were asking (EKU), but I had to set my Apache server to 'SSLVerifyClient none' unless I can induce clients to install not only the CA cert but also a user cert.

Now onto Nginx ;-)

Thanks
Craig

On Aug 24, 2011, at 3:43 PM, Eduardo Navarro wrote:

> What EKU are you using for the HTTP server cert?
Re: My bank has an invalid cert
I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

> Your distribution's package manager already has that handled. All you have to do is use it.
Re: My bank has an invalid cert
Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

> I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.
Re: My bank has an invalid cert
TD Waterhouse in Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday, we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

> Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.
Re: My bank has an invalid cert
Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates.

If it's your computer, it's either your browser or your OS certificate store (Windows and Macintosh use entirely different methods to accomplish this). Firefox uses its own certificates... if it's Firefox on your computer, uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the root certificates.

This is all pretty much beyond what a user can manage, but some users can manage them; but this is the wrong list... it would be an OS problem.

Craig

On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:

> TD Waterhouse in Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday, we build it and you break it. Something is desperately wrong.
Re: My bank has an invalid cert
I already know it's my certificate store. I only asked how to load in their new root cert.

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:

Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates. If it's your computer, it's either your browser or your OS certificate store (Windows and Macintosh use entirely different methods to accomplish this). Firefox uses its own certificates... if it's Firefox on your computer... uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the root certificates. This is all pretty much beyond what a user can manage, but some users can manage them; but this is the wrong list... it would be an OS problem.

Craig
Re: My bank has an invalid cert
Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.

On 08/25/2011 03:06 PM, t...@terralogic.net wrote:

TDWaterhouse in Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.
Re: My bank has an invalid cert
Sorry, http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because it can't find the root cert.

On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:

Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.
Re: My bank has an invalid cert
The answer lies with the people who wrote the software for the certificate store, since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything. Generally, you can add certificates by double clicking them and choosing the correct answer (where to store, how much to trust). You can open 'Keychain Access' on a Macintosh or use Windows MMC to delete certificates.

Banks are entirely sensitive to the issue of SSL and certificates - they have to be. If your computer doesn't automatically trust your bank's certificates, then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root certificates that are part of your OS, then copy everything off the hard drive and re-install a fresh copy of your OS. That is the only way you can trust that your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:

I already know it's my certificate store. I only asked how to load in their new root cert.
Re: My bank has an invalid cert
On Thu August 25 2011, t...@terralogic.net wrote:

Sorry, http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because it can't find the root cert.

They are the wrong people to ask. Capture the certificate chain being sent by their server, examine it to find what root cert you need, then get that root cert from somewhere else, somewhere you can trust. The entire concept of third party trust is broken when you bypass the third party. ;-)

Mike
Re: My bank has an invalid cert
Do you log into 'Web Broker' or 'Easy Web'?

On 08/25/2011 04:50 PM, t...@terralogic.net wrote:

Sorry, http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because it can't find the root cert.
Re: My bank has an invalid cert
I know the theory. I'm also a programmer. I just never bothered to install a root cert before. But I do know how to make them. I'll dig around in Firefox and see where it is and how it's done.

As for the bank: we build it and they break it. Not my fault.

On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:

The answer lies with the people who wrote the software for the certificate store, since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything. Generally, you can add certificates by double clicking them and choosing the correct answer (where to store, how much to trust). You can open 'Keychain Access' on a Macintosh or use Windows MMC to delete certificates.

Banks are entirely sensitive to the issue of SSL and certificates - they have to be. If your computer doesn't automatically trust your bank's certificates, then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root certificates that are part of your OS, then copy everything off the hard drive and re-install a fresh copy of your OS. That is the only way you can trust that your root certificates do what they are supposed to do.

Craig
Re: My bank has an invalid cert
Good idea. Ya, I know. But what percentage of the computers the bank deals with are filled with malware?

On Thu, Aug 25, 2011 at 04:06:02PM -0500, Michael S. Zick wrote:

They are the wrong people to ask. Capture the certificate chain being sent by their server, examine it to find what root cert you need, then get that root cert from somewhere else, somewhere you can trust. The entire concept of third party trust is broken when you bypass the third party. ;-)

Mike
Re: My bank has an invalid cert
On Thu August 25 2011, t...@terralogic.net wrote:

Sorry, http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because it can't find the root cert.

My Debian V-5 system browsers report: Certificate signing authority is unknown or invalid.

My Debian V-6 system browsers consider the chain valid.

Translation: Update your OS installation.

Mike
Re: My bank has an invalid cert
You typically import certs through the Firefox certificate manager found via Edit - Preferences - Adv. - Encryption - View Certificates. It should be self explanatory from here. The only other question that remains is which Root CA. That can only be done by reading the certificate hierarchy that is presented by the bank's server, which it should provide you upon making an s_client connection.

On 08/25/2011 05:15 PM, t...@terralogic.net wrote:

I know the theory. I'm also a programmer. I just never bothered to install a root cert before. But I do know how to make them. I'll dig around in Firefox and see where it is and how it's done. As for the bank. We build it and they break it. Not my fault.

On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:

The answer lies with the people who wrote the software for the certificate store since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything. Generally, you can add certificates by double clicking them and choosing the correct answer (where to store, how much to trust). You can open 'keychain access' on a Macintosh or use Windows MMC to delete certificates. Banks are entirely sensitive to the issue of SSL and Certificates - they have to be. If your computer doesn't automatically trust your bank's certificates, then you either need to fix your computer or get a new bank. The real answer to your problem is this... If you can't trust the root certificates that are part of your OS, then copy everything off the hard drive and re-install a fresh copy of your OS. That is the only way you can trust that your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:

I already know it's my certificate store.
I only asked how to load in their new root cert.

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:

Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates. If it's your computer, it's either your browser or your OS Certificate store (Windows and Macintosh use entirely different methods to accomplish this). Firefox uses its own certificates... if it's Firefox on your computer... uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the Root Certificates. This is all pretty much beyond what a user can manage but some users can manage them, but this is the wrong list... it would be an OS problem.

Craig
Re: My bank has an invalid cert
Web broker. Also they seem to have broken their web site in other ways. I just hate it when they figure they should reprogram my browser so I can't right click on a link and open in a new window. I do run multiple monitors and it's nice to put a press release on one monitor and another press release on another monitor while having the main window on yet a 3rd monitor. Their mind set seems to be like if you want to use our service then switch your machine to Windows... toss out the extra monitors and set the display to 800x600. Well not quite that bad but close. If I have much more trouble with them I'm going to close my accounts.

On Thu, Aug 25, 2011 at 05:08:40PM -0400, Crypto Sal wrote:

Do you log into 'Web Broker' or 'Easy Web'?
Re: My bank has an invalid cert
Very good! I can write a little code to do that! Thanx
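As an added example (not part of the thread), a POSIX shell snippet that reads the "Certificate chain" section `openssl s_client -showcerts` prints and reports which root issuer you need to find in an independent trust store. The chain text, host names and the helper names `chain_summary`, `chain_root_issuer` and `server_sends_root` are all constructed for this example.

```shell
# Constructed sample of the "Certificate chain" section that
# `openssl s_client -connect HOST:443 -showcerts </dev/null` prints
# (names made up, PEM bodies elided). On a live host, pipe that
# command's output into chain_summary instead of this sample.
SAMPLE_CHAIN='Certificate chain
 0 s:/C=CA/O=Example Bank/CN=www.example.invalid
   i:/C=US/O=Example CA Inc/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(PEM body elided)
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA Inc/CN=Example Intermediate CA
   i:/C=US/O=Example CA Inc/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(PEM body elided)
-----END CERTIFICATE-----
---'

# One tab-separated line per chain element: depth, subject, issuer.
chain_summary() {
    awk '
        /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subject = $0 }
        /^ +i:/        { sub(/^ +i:/, ""); printf "%s\t%s\t%s\n", depth, subject, $0 }
    '
}

# The issuer of the last element the server sends is the anchor your
# browser must already trust. That is the name to look up in the
# distribution's CA bundle (or Firefox's own store), not something to
# request from the site operator.
chain_root_issuer() {
    chain_summary | tail -n 1 | cut -f 3
}

# Succeeds when the last element is self-signed, i.e. the server shipped
# the root itself. A root received from the peer proves nothing on its own;
# it only counts if it matches a copy you already hold.
server_sends_root() {
    chain_summary | tail -n 1 |
        awk -F '\t' '{ n++; s = $2; i = $3 } END { if (n == 1 && s == i) exit 0; exit 1 }'
}

printf '%s\n' "$SAMPLE_CHAIN" | chain_summary
printf 'root to look up in the trusted store: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CHAIN" | chain_root_issuer)"
```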
RE: AES encryption using RSA keys
From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy santhanam
Sent: Wednesday, 24 August, 2011 02:32

Basically when we encrypt something using an RSA key (whether public or private), the encrypted value must be smaller than the key (due to the maths used to do the actual encryption). So if you have a 1024-bit key, in theory we could encrypt any 1023-bit value (or a 1024-bit value smaller than the key) with that key.

More precisely, smaller than the modulus 'N' but large enough not to be subject to a trivial break. An RSA public key is the pair (e,n) where e is usually small, and the private key is in principle the pair (d,n) where d is usually a substantial fraction of n. RSA private keys may, and in OpenSSL do, also include additional 'Chinese Remainder Theorem' aka CRT information to make computation faster.

Plus, most actual RSA encryption schemes add padding. In particular simply RSA-encrypting raw user data allows an adversary to determine if a guessed plaintext is correct, which in general is considered an unacceptable weakness. Thus the value size you can encrypt is somewhat less than the RSA modulus size because of this padding; the commonly used PKCS#1 v1.5 'classic' and v2 OAEP are 11 and 41 bytes. If used certain ways v1.5 has a weakness (see Bleichenbacher's attack on early SSL) which is why OAEP was created.

Below is the code snippet I am using to do AES encryption. It works fine. If I look at some examples in OpenSSL they are using a KEY value of EVP_MAX_KEY_LENGTH (32 bytes). Can I use an RSA public key (1024 bit) to encrypt the same value and use the private key to decrypt the value?

It's not entirely 'fine', see below.

EVP_MAX_KEY_LENGTH is the maximum length for *any* (supported) *symmetric* algorithm. It is useful if you want to write generic code that works for various algorithms selectable at runtime, as many common systems like SSL/TLS, SMIME/CMS/PKCS7 and PGP do.
If you are using only a specific cipher you can use the key length for that cipher which might be smaller. However, the key lengths for *asymmetric* algorithms, including RSA, are all separate. You need to use the correct one for each.

    unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
    unsigned char iv[] = {1,2,3,4,5,6,7,8};
    char intext[] = "string to make the random number generator think it has entropy";
    // Straight encrypt
    EVP_CIPHER_CTX x;
    EVP_CIPHER_CTX_init(&x);
    if(!EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv))
        printf("\n ERROR!! \n");

The key for AES-256 is 32 bytes, and the IV for AES-anything 16 bytes. You are using partly unknown, possibly garbage, values, which means you may be unable to decrypt the result in any other program. (Of course in any real use the IV should be random or at least unique and unpredictable, and the key should be random or at least secret.)

    if(!EVP_EncryptUpdate(&x, outbuf, &outlen, (const unsigned char*) intext, strlen(intext)))
        printf("\n ERROR!! \n");
    if(!EVP_EncryptFinal_ex(&x, outbuf+outlen, &tmplen))
        printf("\n ERROR!! \n");
    outlen += tmplen;

In general when any OpenSSL call returns an error, you should look at the error stack: http://www.openssl.org/support/faq.html#PROG6 For these particular calls (symmetric encrypt without engine) it's not vital, but if and when you start doing other things it becomes valuable.

    }
    EVP_CIPHER_CTX_cleanup(&x);

This should be within the routine (before the closing brace).

Now to your actual question: Yes, in the abstract you can encrypt and decrypt data directly with RSA. In practice people usually don't, because of the limitations. Most widespread systems like SSL/TLS and SMIME and PGP are 'hybrid', where for encryption the data is encrypted with a symmetric algorithm and a random 'working' or 'session' key, and public-key algorithms like RSA, DH or ECDH are used to transfer or share that working key; in the simplest case, the working key is just RSA-encrypted.
Similarly for signing people don't actually RSA-sign their data; instead a hash like SHA1 is computed from the data, and that hash (plus limited overhead like an OID) is signed by RSA or [EC]DSA. These hybrids are what EVP_{Seal,Open}* and EVP_{Sign,Verify}* do.
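An added example, not code from the post, that makes the padding point above concrete with stdlib-only Python: textbook RSA is deterministic (so a guessed plaintext can be confirmed), while PKCS#1 v1.5 padding randomises the ciphertext and costs 11 bytes, so at most k-11 bytes fit in a k-byte modulus. The 512-bit key size and all function names are this example's own choices, not OpenSSL's API.

```python
# Added example (not from the post): stdlib-only RSA with PKCS#1 v1.5 padding,
# showing the k-11 size limit and why raw RSA lets a guessed plaintext be confirmed.
# 512-bit keys keep key generation fast; real keys are 2048 bits or more.
import secrets
from math import gcd

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if is_probable_prime(c):
            return c

def gen_key(bits=512, e=65537):
    """Return ((e, n), (d, n)) with n exactly `bits` bits long."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1 and n.bit_length() == bits:
            return (e, n), (pow(e, -1, phi), n)

def modulus_bytes(key):
    return (key[1].bit_length() + 7) // 8

def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5: 00 02 | >= 8 random nonzero bytes | 00 | msg, k bytes in all."""
    if len(msg) > k - 11:
        raise ValueError(f"message too long: at most {k - 11} bytes for a {k}-byte modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_unpad(em):
    # A real decryptor must not reveal which check failed: that oracle is
    # Bleichenbacher's attack, the reason OAEP was created.
    sep = em.find(b"\x00", 2)
    if len(em) < 11 or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]

def rsa_raw(x, key):
    return pow(x, key[0], key[1])   # textbook RSA: deterministic, no padding

def encrypt(msg, pub):
    k = modulus_bytes(pub)
    return rsa_raw(int.from_bytes(pkcs1_v15_pad(msg, k), "big"), pub).to_bytes(k, "big")

def decrypt(ct, priv):
    k = modulus_bytes(priv)
    return pkcs1_v15_unpad(rsa_raw(int.from_bytes(ct, "big"), priv).to_bytes(k, "big"))
```

In the hybrid scheme the post describes, the `msg` handed to `encrypt` would be the random symmetric session key (32 bytes for AES-256), which comfortably fits under the k-11 limit even for a 1024-bit modulus.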
RE: S/MIME attributes
From: owner-openssl-us...@openssl.org On Behalf Of TMS Brokers / Lukasz Kosciesza
Sent: Tuesday, 23 August, 2011 09:44

I'm trying to create a pkcs#7 detached signature with openssl. snip I analysed the signature against the signature created by another tool, and only one part is different when created by openssl. I get snip (in auth-attrs) While I need: snip It looks like I need to add the id-smime-aa-signingCertificate attribute instead of the S/MIME Capabilities and signingTime which I get. Is there any way to add attributes in the openssl smime command? Or in some other way?

Not in the commandline/utility, I don't think. You can omit smimecap, or omit auth-attrs entirely and sign directly, but there's no visible provision to add anything, much less this specifically.

You might look at ts/ts_rsp_sign.c (and ts_asn1.c and ts.h). It does this attribute. It optionally does a full chain (which you apparently don't) and defines but doesn't use the policy part (which you apparently also don't). You could write a few routines or a simple utility which does the same thing (except with detached) or modify your copy to do it in apps/smime.c .

I don't think you can omit signingTime; it's buried under PKCS7_dataFinal without any option to suppress it (though you could modify your copy to add one -- probably a state in the PKCS7 object like detached makes most sense). But I'm not sure you need to. In general most receivers of ASN.1 OID+data maps in this style should ignore OIDs they don't want or don't understand except where something overrides that, like the X.509 extensions 'critical' flag.

Worst case, you could recode the parts of PKCS7 you need. Down at the bottom, it's 'merely' an ASN.1 structure with a lot of possible formats and options of which you only need one specific set. It's rather tedious to do, and seems a shame when OpenSSL already includes code that does very nearly what you want, but it should work. Good luck.