Re: Certificate and Certificate request (Using API)
Hi friends. I want to rise one more question here, What is the difference in generated server certificate (A), If make using certificate request, or make directly (X509_REQ *csr vs X509 *cert) I have my OWN CA, its keys, I am making new certificate (A) from old certificate (B). Question just it to make certificate directly (without making request) OR make certificate request first, then make certificate from request. I want to know if there any technical difference in final certificate yield. I know how to make request, , make certificate, sign it etc.. Thanks, Saurabh On 7/30/12, Mark H. Wood mw...@iupui.edu wrote: On Fri, Jul 27, 2012 at 08:05:58AM -0700, Sanford Staab wrote: It really looks to me like the openssl documentation needs improvement as well as a better tool besides CA.pl to help people use openssl in common scenarios. I suspect there is a strong demand for creative private CA support and we should have a friendly script or cookbook for this available somewhere. Fixing this will relieve you guys of answering all these inquiries via email. TinyCA has, so far, sufficed for my modest needs. http://tinyca.sm-zone.net/ -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
smime decrypt: No recipient certificate
Hello, I'm trying to decrypt a pkcs7 file using a private key. The file is produced by python library M2Crypto, and i managed to decrypt it properly using that. I tried like this: cat text.ssl| openssl smime -decrypt -binary -inform PEM -keyform PEM -inkey priv_key.pem -recip cacert.pem and many other variants, but I get always the same error message: No recipient certificate or key specified Usage smime [options] cert.pem ... where options are Any idea would be helpful...
Re: SSL compression
On Tue, Jul 31, 2012, Sebastian Raymond wrote: Hello, I have written a SSL client program to talk with SSL server. I have a linux machine and Openssl 1.0.0e is installed with zlib enabled. That means, deflate compression method is supported. I want to transfer the data without compression. Therefore, I used following to disable the compression. SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); Where ctx is SSL_CTX object. When I inspect the traffic in Wireshark, I still see that my client program is offering deflate compression method and server is replying with server hello that chooses deflate as compression. What happens if you try this with the s_server utility and the -no_comp command line option? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: SSL compression
Hello, I have tried following: 1. $openssl s_server -accept 443 -cert server.crt -key server.key Result- Client offered deflate compression and server selected compression method. 2. $openssl s_server -accept 443 -cert server.crt -key server.key *-no_comp *Result- Client offered deflate compression and this time, *server selected null method.* On Tue, Jul 31, 2012 at 7:16 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Tue, Jul 31, 2012, Sebastian Raymond wrote: Hello, I have written a SSL client program to talk with SSL server. I have a linux machine and Openssl 1.0.0e is installed with zlib enabled. That means, deflate compression method is supported. I want to transfer the data without compression. Therefore, I used following to disable the compression. SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); Where ctx is SSL_CTX object. When I inspect the traffic in Wireshark, I still see that my client program is offering deflate compression method and server is replying with server hello that chooses deflate as compression. What happens if you try this with the s_server utility and the -no_comp command line option? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Regards, *Sebastian*
certificate validation issues with openssl 1.0.0 and expired certificates in cafile
Hi! I wrote a small program which dumps all root certificates from Windows certificate store into a file. Then I use openssl to connect to Google and validate its certificate: openssl s_client -connect www.google.com:443 -CAfile dump.crt When using openssl0.9.8k or openssl0.9.8x everything works as expected. When using openssl1.0.0g or openssl 1.0.1c the certificate validation fails with: Verify return code: 10 (certificate has expired) CONNECTED(016C) depth=2 C = US, O = VeriSign, Inc., OU = Class 3 Public Primary Certification Authority verify error:num=10:certificate has expired notAfter=Jan 7 23:59:59 2004 GMT verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority When analyzing the cafile with the dumped certificates from Windows certificate store, I found out that there are two certificates for Verisign with identical subject, whereas one is expired, the other not. X.509 Certificate Information: Version: 1 Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232 Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority Validity: Not Before: Mon Jan 29 00:00:00 UTC 1996 Not After: Wed Jan 07 23:59:59 UTC 2004 Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority Subject Public Key Algorithm: RSA X.509 Certificate Information: Version: 1 Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority Validity: Not Before: Mon Jan 29 00:00:00 UTC 1996 Not After: Tue Aug 01 23:59:59 UTC 2028 Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority Subject Public Key Algorithm: RSA Thus, it seems that openssl 0.9.8 just ignores the expired certificate and searches if there is another valid one whereas openssl 1.0.0 stop with the first expired certificate. Is the new behavior the intended behavior? Is it possible to have the old behavior also in new openssl versions? Thanks Klaus __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Unusual Fips Mode Set Failure
First off, I'd like to apologize if this is considered a re-post. I posted a question a few days ago but my question has evolved significantly since then so I decided to pose the new question in a new thread: I'm trying to develop a very simple C program to practice calling FIPS_mode_set(1). --Errors-- The error that I always receive is: 5652:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips not supported:.\crypto\o_fips.c:92: --o_fips.c-- The error appears to stem from line 92 of o_fips.c. Here is the block from o_fips.c containing line 92: --Begin C code-- int FIPS_mode_set(int r) { OPENSSL_init(); #ifdef OPENSSL_FIPS #ifndef FIPS_AUTH_USER_PASS #define FIPS_AUTH_USER_PASSDefault FIPS Crypto User Password #endif if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) RAND_set_rand_method(FIPS_rand_get_method()); else RAND_set_rand_method(NULL); return 1; #else if (r == 0) return 1; //line 92 follows CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); return 0; #endif } --End C code-- Analysis of this block leads me to the conclusion that OPENSSL_FIPS must not be defined. This is an issue because my original code checks #ifdef OPENSSL_FIPS before it even calls FIPS_mode_set(1) and always proceeds as if it *is* defined How can this be? Here is all of the additional information that I could anticipate anyone would need: My code: --Begin C code-- //parts of this code come from http://old.nabble.com/AES-cbc--How-to-Init-Openssl--td12475822.html #include stdio.h #include string.h #include openssl\err.h #include openssl\fips.h #include openssl\aes.h #include openssl\applink.c int main(int argc, char *argv[]) { //32byte key unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31}; //16byte Initialization Vector unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; //plain txt input with padding buffer. Since the AES Block Size is 16bytes and 'crypto' is only 6 bytes, it needs 10 bytes of padding unsigned char plaintxt[1024]=crypto\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a; //output unsigned char encrypted[1024]; AES_KEY aeskey; //Setting up FIPS MODE: CRYPTO_malloc_init(); //Check if OPENSSL_FIPS is defined #ifdef OPENSSL_FIPS printf(\nOPENSSL_FIPS is defined\n); //Check if FIPS_mode is already engaged if(FIPS_mode()) { printf(FIPS_mode is already engaged\n); } else { //Attempt to enable FIPS_mode printf(Attempting to enable FIPS MODE\n); if(FIPS_mode_set(1)) { printf(FIPS mode set successful\n); } else { //print errors printf(FIPS mode set failure\n); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); exit(2); } } #else printf(OPENSSL_FIPS is not defined); #endif //OPENSSL_FIPS //Perform AES 256bit Encryption memset(encrypted, 0, sizeof(encrypted)); AES_set_encrypt_key(key, 256, aeskey); AES_cbc_encrypt(plaintxt, encrypted, 16, aeskey, iv, AES_ENCRYPT); //direct output to enc.bin freopen (enc.bin,w,stdout); printf(%s, encrypted); fclose (stdout); printf(Printed encrypted string to enc.bin); return(0); } --End C code-- --Environment Details-- I am using Visual Studio C++ to debug this program. To the search directories for include I have added C:\usr\local\ssl\include and C:\usr\local\ssl\fips-2.0\include. To the search directories for libraries I have added C:\usr\local\ssl\lib and C:\usr\local\ssl\fips-2.0\lib. To the additional dependencies I have added the paths to ssleay32.lib, libeay32.lib, and fipscanister.lib. --Other Info-- If you take out the 'exit(2)' line, the encryption will proceed correctly even if the FIPS_mode_set(1) fails enc.bin can be decrypted with the following command (the output should be 'crypto'): openssl aes-256-cbc -d -in out.txt -K 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -iv 000102030405060708090A0B0C0D0E0F --Build Details-- Here is my exact build
Re: Unusual Fips Mode Set Failure
Obvious conclusion: The OpenSSL library or DLL you link to was compiled with OPENSSL_FIPS not set, but your code was compiled with OPENSSL_FIPS set. So either you are using a different copy of the compiled OpenSSL library than you think, or you have passed different options when compiling your program than you did when compiling OpenSSL. More specifically, check the following: 1. Is OPENSSL_FIPS defined in the Visual Studio Properties for your C file (In project view, right click your file, choose Properties, and look under C/C++, Preprocessor)? 2. In the C file editor, right click the filename in the line #include openssl/fips.h and select Open Document. Then hover over the tab that shows fips.h to make sure it is using a copy of the openssl headers from the expected path. Also check if that file defines OPENSSL_FIPS unconditionally. 3. Did you build OpenSSL with FIPS enabled? 4. In the Properties for your C project, navigate to Linker, General and enable Show Progress (it may have a different name in different VS versions, but the command line equivalent is always /VERBOSE). Then link your project again. The build log should contain a lot of details about which .obj and .lib files it uses from where, check that it mentions your compiled OpenSSL library and not some other copy. On 7/31/2012 8:01 PM, ejh891 wrote: First off, I'd like to apologize if this is considered a re-post. I posted a question a few days ago but my question has evolved significantly since then so I decided to pose the new question in a new thread: I'm trying to develop a very simple C program to practice calling FIPS_mode_set(1). --Errors-- The error that I always receive is: 5652:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips not supported:.\crypto\o_fips.c:92: --o_fips.c-- The error appears to stem from line 92 of o_fips.c. Here is the block from o_fips.c containing line 92: --Begin C code-- int FIPS_mode_set(int r) { OPENSSL_init(); #ifdef OPENSSL_FIPS #ifndef FIPS_AUTH_USER_PASS #define FIPS_AUTH_USER_PASSDefault FIPS Crypto User Password #endif if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) RAND_set_rand_method(FIPS_rand_get_method()); else RAND_set_rand_method(NULL); return 1; #else if (r == 0) return 1; //line 92 follows CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); return 0; #endif } --End C code-- Analysis of this block leads me to the conclusion that OPENSSL_FIPS must not be defined. This is an issue because my original code checks #ifdef OPENSSL_FIPS before it even calls FIPS_mode_set(1) and always proceeds as if it *is* defined How can this be? Here is all of the additional information that I could anticipate anyone would need: My code: --Begin C code-- //parts of this code come from http://old.nabble.com/AES-cbc--How-to-Init-Openssl--td12475822.html #include stdio.h #include string.h #include openssl\err.h #include openssl\fips.h #include openssl\aes.h #include openssl\applink.c int main(int argc, char *argv[]) { //32byte key unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31}; //16byte Initialization Vector unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; //plain txt input with padding buffer. Since the AES Block Size is 16bytes and 'crypto' is only 6 bytes, it needs 10 bytes of padding unsigned char plaintxt[1024]=crypto\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a; //output unsigned char encrypted[1024]; AES_KEY aeskey; //Setting up FIPS MODE: CRYPTO_malloc_init(); //Check if OPENSSL_FIPS is defined #ifdef OPENSSL_FIPS printf(\nOPENSSL_FIPS is defined\n); //Check if FIPS_mode is already engaged if(FIPS_mode()) { printf(FIPS_mode is already engaged\n); } else { //Attempt to enable FIPS_mode printf(Attempting to enable FIPS MODE\n); if(FIPS_mode_set(1)) { printf(FIPS mode set successful\n); } else { //print errors printf(FIPS mode set failure\n); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); exit(2); }
Re: SSL compression
Its not yet clear for me. What should be done to disable the compression? Since, the server is not going to be the openssl s_server. On Tue, Jul 31, 2012 at 7:35 PM, Sebastian Raymond ray.s...@gmail.comwrote: Hello, I have tried following: 1. $openssl s_server -accept 443 -cert server.crt -key server.key Result- Client offered deflate compression and server selected compression method. 2. $openssl s_server -accept 443 -cert server.crt -key server.key *-no_comp *Result- Client offered deflate compression and this time, *server selected null method.* On Tue, Jul 31, 2012 at 7:16 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Tue, Jul 31, 2012, Sebastian Raymond wrote: Hello, I have written a SSL client program to talk with SSL server. I have a linux machine and Openssl 1.0.0e is installed with zlib enabled. That means, deflate compression method is supported. I want to transfer the data without compression. Therefore, I used following to disable the compression. SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); Where ctx is SSL_CTX object. When I inspect the traffic in Wireshark, I still see that my client program is offering deflate compression method and server is replying with server hello that chooses deflate as compression. What happens if you try this with the s_server utility and the -no_comp command line option? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Regards, *Sebastian* -- Regards, *Sebastian*
RE: SSL compression
In your client app are you setting the options on the SSL_CTX *before* you call SSL_new()? Erik Tkal Juniper OAC/UAC/Pulse Development From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Sebastian Raymond Sent: Tuesday, July 31, 2012 4:18 PM To: openssl-users@openssl.org Subject: Re: SSL compression Its not yet clear for me. What should be done to disable the compression? Since, the server is not going to be the openssl s_server. On Tue, Jul 31, 2012 at 7:35 PM, Sebastian Raymond ray.s...@gmail.commailto:ray.s...@gmail.com wrote: Hello, I have tried following: 1. $openssl s_server -accept 443 -cert server.crt -key server.key Result- Client offered deflate compression and server selected compression method. 2. $openssl s_server -accept 443 -cert server.crt -key server.key -no_comp Result- Client offered deflate compression and this time, server selected null method. On Tue, Jul 31, 2012 at 7:16 PM, Dr. Stephen Henson st...@openssl.orgmailto:st...@openssl.org wrote: On Tue, Jul 31, 2012, Sebastian Raymond wrote: Hello, I have written a SSL client program to talk with SSL server. I have a linux machine and Openssl 1.0.0e is installed with zlib enabled. That means, deflate compression method is supported. I want to transfer the data without compression. Therefore, I used following to disable the compression. SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); Where ctx is SSL_CTX object. When I inspect the traffic in Wireshark, I still see that my client program is offering deflate compression method and server is replying with server hello that chooses deflate as compression. What happens if you try this with the s_server utility and the -no_comp command line option? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.orgmailto:openssl-users@openssl.org Automated List Manager majord...@openssl.orgmailto:majord...@openssl.org -- Regards, Sebastian -- Regards, Sebastian
Re: SSL compression
Yes, I am calling it before SSL_new(); SSL_CTX_set_options(ctx,SSL_OP_NO_COMPRESSION); SSL *ssl = SSL_new(ctx); On Tue, Jul 31, 2012 at 10:26 PM, Erik Tkal et...@juniper.net wrote: In your client app are you setting the options on the SSL_CTX *before* you call SSL_new()? *Erik Tkal** *Juniper OAC/UAC/Pulse Development ** ** *From:* owner-openssl-us...@openssl.org [mailto: owner-openssl-us...@openssl.org] *On Behalf Of *Sebastian Raymond *Sent:* Tuesday, July 31, 2012 4:18 PM *To:* openssl-users@openssl.org *Subject:* Re: SSL compression ** ** Its not yet clear for me. What should be done to disable the compression? Since, the server is not going to be the openssl s_server. On Tue, Jul 31, 2012 at 7:35 PM, Sebastian Raymond ray.s...@gmail.com wrote: Hello, I have tried following: 1. $openssl s_server -accept 443 -cert server.crt -key server.key Result- Client offered deflate compression and server selected compression method. 2. $openssl s_server -accept 443 -cert server.crt -key server.key *-no_comp *Result- Client offered deflate compression and this time, *server selected null method.* ** ** On Tue, Jul 31, 2012 at 7:16 PM, Dr. Stephen Henson st...@openssl.org wrote: On Tue, Jul 31, 2012, Sebastian Raymond wrote: Hello, I have written a SSL client program to talk with SSL server. I have a linux machine and Openssl 1.0.0e is installed with zlib enabled. That means, deflate compression method is supported. I want to transfer the data without compression. Therefore, I used following to disable the compression. SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); Where ctx is SSL_CTX object. When I inspect the traffic in Wireshark, I still see that my client program is offering deflate compression method and server is replying with server hello that chooses deflate as compression. What happens if you try this with the s_server utility and the -no_comp command line option? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Regards, *Sebastian* -- Regards, *Sebastian* -- Regards, *Sebastian*
Re: SSL compression
On Tue, Jul 31, 2012, Sebastian Raymond wrote: Yes, I am calling it before SSL_new(); SSL_CTX_set_options(ctx,SSL_OP_NO_COMPRESSION); SSL *ssl = SSL_new(ctx); Is your application linked to an older version of OpenSSL? If that isn't it you could try running it under a debugger to see why SSL_OP_NO_COMPRESSION isn't being recognised. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org