Cross-Compile openssl-0.9.8j with zlib-dynamic Option give Error
Hi , I am cross-compiling openssl-0.9.8j with zlib-dynamic Option. The Options are : ./Configure zlib-dynamic shared threads no-dso no-krb5 Now , I am getting following Error Message : c_zlib.c: In function 'COMP_zlib': c_zlib.c:402: error: too few arguments to function 'CRYPTO_get_ex_new_index' Could you please tell me solution or work around for this Error. Thanks. With Best Regards Ashish
RE: exception when using Self Signed Certificate
>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
>Sent: Thursday, 04 October, 2012 14:31
>I have a self signed certificate created and i have loaded that
>into a trust store of the client. I have also configured the Server
>with that self signed certificate. So when i try to establish
>connection i get the exception in following code
>v3_purp.c
>else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
>return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; //Exception thrown here
Aside: C doesn't "throw" exceptions as some other languages do
(including C++). This is really "returned", or at most "raised".
But that doesn't affect your point.
>Any inputs why client is throwing X509_V_ERR_KEYUSAGE_NO_CERTSIGN
exception?
Because the cert has a KeyUsage extension that excludes certSign.
OpenSSL requires issuer certs to have certSign -- and treats a
selfsigned cert as issuing itself, which is somewhat debatable.
>Here my server is Microsoft SQL Server , Client uses openssl. Also this
>issue occurs only when i create a self signed certificate using IIS
server!!!
You create with IIS but use in SQLserver? On the (one) IIS-manager
I have access to (but don't normally use) "create self-signed cert..."
creates KU keyEncrypt,dataEncrypt and EKU serverAuth -- which
violates RFC 5280 as I read it but hey that's Microsoft for you.
(And per RFC 5246 it allows only plain RSA not DHE-RSA or ECDHE-RSA,
but plain RSA is widely supported, probably widest.)
Options:
- create (or get created) a key + selfsigned cert with KU having
certSign in addition to keyEncrypt (and preferably digSign),
or KU omitted (then relier must default to allow-all-usage).
This is easy to do with openssl 'req -new -x509'.
- use a CA-issued cert, where the CA's root and issued certs have
desired or omitted KU. A real CA already does this, and one you
create with openssl ('ca' or just 'x509 -req') easily can.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: simple server with using openssl
have a look at this thread https://groups.google.com/forum/?fromgroups=#!topic/mailing.openssl.users/-t7KRH-8phs Since this is not related to dev i have removed openssl-dev from list. On Thu, Oct 4, 2012 at 10:14 PM, Indtiny s wrote: > Hi, > > I need a TLS security based server which can handle request from few > clients (max 4) . at the client side I just curl client and post or put > https request . > > at the the server side I need to receive those request and pass to the my > CGI . > > Can somebody suggest how to start this server application using openssl > ..? it could be better if I can get some start up code/docs . > > Rgds > Indu >
Re: how to extract O= and OU= from a subject cert
On Wed, Oct 03, 2012, mclellan, dave wrote: > We know how to extract the subject and issuer from a cert sent by a peer. > Can anyone point out where we get started to look into how to extract the > Organization and organizationalUnit attributes? > > It's not obvious from the API definitions and I've been searching the > openssl-users archive but I am not finding hits that clearly identify this. > Check out the manual pages for the X509_NAME functions in particular X509_NAME_get_index_by_NID. Then X509_NAME_ENTRY_get_data and possibly ASN1_STRING_to_UTF8. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
[no subject]
> We know how to extract the subject and issuer from a cert sent by a peer. > Can anyone point out where we get started to look into how to extract > the Organization and organizationalUnit attributes? > It’s not obvious from the API definitions and I’ve been searching > the openssl-users archive but I am not finding hits >that clearly identify this. Quick and dirty, man x509, look for the -nameopt option and read about the TEXT OPTIONS. Look at the corresponding flags in starting from apps/x509.c code: you can obtain the subject with parts split by \n (line feeds) and that makes easier to search for \nOU= and alike. Not the best solution but quick. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Documentation for TXT_DB errors?
On 10/03/2012 05:49 AM, Dave Thompson wrote: >> I deleted index.txt and reset serial.txt to 00 and that >> solved the problem. >> >> Hope that was not a terrible idea. In my opinion, reusing serials is a *very bad* idea in general. It is definitely deprecated and maybe forbidden in some legal context (I work in Italy, no officially appointed CA would reuse serials here). Think about the existence of an OpenSSL function named X509_issuer_and_serial_hash. It exists exactly because serials are intended to be unique and combining them with the CA (the hash is for leveraging the output) makes easy to have a unique identifier for certificates in a system; I personally use it. Just to present another example, OCSP can be queried by a serial number (of the certified that is to be verified). (sorry I'm not keeping the whole message. My MX is a blacklist and I'm forced to use an awkward webmail interface...) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Non-Blocking and ENGINE
On Tue, Oct 02, 2012, Dirk Menstermann wrote: > Hello list, > > is there a way to use ENGINEs in a non-blocking way - meaning for a network > operation (remote HSM) the thread can do something else instead of waiting for > the IO operation to complete? > No there is no way to do that at present. Changing that is non-trivial too. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Non-Blocking and ENGINE
Anybody? Thanks On 02.10.2012 15:58, Dirk Menstermann wrote: > Hello list, > > is there a way to use ENGINEs in a non-blocking way - meaning for a network > operation (remote HSM) the thread can do something else instead of waiting for > the IO operation to complete? > > Thanks > Jens > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
Thank you very much! How did you come to this solution? -- View this message in context: http://old.nabble.com/Cannot-build-shared-library-on-Linux-with-FIPS-capable-OpenSSL-tp29946444p34510054.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
how to extract O= and OU= from a subject cert
We know how to extract the subject and issuer from a cert sent by a peer. Can anyone point out where we get started to look into how to extract the Organization and organizationalUnit attributes? It's not obvious from the API definitions and I've been searching the openssl-users archive but I am not finding hits that clearly identify this. Thanks for whatever kickstart you can provide. +-+-+-+-+-+-+ Dave McLellan, Symmetrix Software Engineering EMC Corporation, 176 South St, Hopkinton MA Mail Stop 176-B1 1/P-36 office 508-249-1257, fax 508-497-8027 cell 978-500-2546 +-+-+-+-+-+-+
Add 509v3 certificatePolicies in C
I am trying add certificatePolicies in C code and I got this Error on
"certificatePolicies = 2.2.2.2"
** sign1.c:163 Error creating X509 extension object
5432:error:22097088:X509 V3 routines:DO_EXT_NCONF:no config database:.\crypto\x5
09v3\v3_conf.c:156:
5432:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypt
o\x509v3\v3_conf.c:93:name=certificatePolicies, value=2.2.2.2 struct entry
ext_ent[EXT_COUNT] = { {"extendedKeyUsage", "serverAuth,clientAuth"},
{"certificatePolicies", "2.2.2.2"},
{"subjectAltName", "DNS:www.url2.co.uk,DNS:url2.co.uk" },
{"authorityInfoAccess",
"OCSP;URI:http://ocsp.url2.co.uk,caIssuers;URI:http://my.ca/ca.html"},
{"crlDistributionPoints", "URI:http://crl.url2.co.uk/ssl.crl"},
{"subjectKeyIdentifier", "hash"},
{"authorityKeyIdentifier", "keyid"},
{"basicConstraints", "CA:FALSE"},
{"keyUsage", "digitalSignature,keyEncipherment"} };
Re: Private RANDFILE per CA required?
On 02.10.2012, at 15:22, Jakob Bohm wrote: > On 10/2/2012 2:04 PM, Stefan H. Holek wrote: >> When using the openssl command line utility, is a private RANDFILE per CA >> required for security reasons, or is it just fine to use a single RANDFILE >> for everything (i.e. the default ~/.rnd)? Older configuration files seem to >> indicate the former, but is this still true? >> >> IOW, I am looking for an answer to whether not having its own RANDFILE >> degrades the security of a CA. > > I would say it degrades it, as it makes the randomness used by each CA less > random. > > I would also suggest getting a real hardware RNG source and directly or > indirectly feeding it into OpenSSL. Thank you for the answer. I am after something more specific though: The openssl req, ca, etc. commands always load the RANDFILE, even if an acceptable source for seeding the PRNG exists. This means that RANDFILE is mixed into an already good seed [1]. Given that RANDFILE contains good data as well, I would assume this has exactly zero effect on the "quality" of the seed. I lack the maths degree to be certain about this though. Thanks again, Stefan [1] http://www.openssl.org/docs/crypto/RAND_add.html -- Stefan H. Holek ste...@epy.co.at __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
