Re: Enabling https capability
On 11/2/2012 3:06 PM, John A. Wallace wrote: -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jakob Bohm Sent: Thursday, November 01, 2012 12:25 PM To: openssl-users@openssl.org Subject: Re: Enabling https capability (Note you really should have started a new thread, not replied to an old one). On 11/1/2012 5:00 PM, John A. Wallace wrote: Not sure if this is the right place to ask, but I will give it a try because it seems likely that someone here can point me in the right direction if need be. I am not a programmer. I have an application that can make http connections but not https. The connections are made from a Windows command line interface, not a browser. I would like to enable it to make https connections too without having to reinvent the wheel. If there is some way to connect it to an intermediary proxy program that does have built-in support for the https protocol, that would be swell. Is such a thing possible or is there another solution I don't see? Thanks. If you don't want to link the SSL code into you application, look up stunnel, which is a free program (for Windows too) which does almost exactly what you ask for. If you would rather link the code into your application, you are in the right place, this is exactly what OpenSSL was originally created for. Link your application to the latest version of OpenSSL and follow the tutorials elsewhere for how to call it in a https client (It is mostly about passing all your socket send/recv calls through OpenSSL functions, plus some slightly tricky code to call when doing connect() and socketclose()). If you have questions about any of the function calls needed, post on this mailing list. Jakob, hello. In the procedures you mention are you referring to building this program anew from source in a Linux environment? If so, what tools would be needed to do something like that and where can I find a well-stated introduction to this procedure in general? I would like to at least take a look at it to see what is entailed. Thanks. Linux? I thought you said Windows. If you don't know how to rebuild your application on your chosen OS, then you should probably not even try to do this kind of programming, I was assuming you already had those skills and had probably written the application yourself. Go with stunnel then, it doesn't require you to know the inner workings of the application and how to modify its code. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: ECDH-RSA and TLS 1.2
What if the server has an ECDH certificate? Would that then be the appropriate set of suites? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
setting a CSR’s challenge password?
Hi all, What ways other than the interactive command shell are available for setting a CSR’s challenge password attribute? I can’t find a command-line switch that does it, and perl’s Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either. Thanks! -Felipe Gasper Houston, TX __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. ECDHE cipher suites as implemented in OpenSSL don't necessarily support forward secrecy either. I wonder what it takes to get SSL_OP_SINGLE_ECDH_USE option by default in the code base? BBB __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
setting a CSR’s challenge password?
Hi all, What ways other than the interactive command shell are available for setting a CSR’s challenge password attribute? I can’t find a command-line switch that does it, and perl’s Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either. Thanks! -Felipe Gasper Houston, TX __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: setting a CSR’s challenge password?
On 11/2/2012 5:20 PM, Felipe Gasper wrote: Hi all, What ways other than the interactive command shell are available for setting a CSR’s challenge password attribute? I can’t find a command-line switch that does it, and perl’s Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either. Thanks! It is set via the passed in config file. Specifically, the openssl req command looks in the [req] section for a line named attributes, then the value of that line is the name of another section (without the []). In that other section, there are lines describing what attributes to put in the CSR, if there should be any prompting and what the value should be if not prompting. So to not prompt for a challenge password and not put a challenge password in the CSR (the most common need for this), simply do not mention the challenge password in that section [req] ... attributes = req_attributes [req_attributes] ; Nothing here To set a specific challenge password in the CSR without prompting invoke openssl req -config secretfiles/thisreq.cnf where secretfiles/thisreq.cnf is a modified openssl.cnf with these changes: ; Make sure to prevent others from reading this temp config file ;and wipe it securely after use [req] ... attributes = thisreq_attributes [thisreq_attributes] challengePassword_default = VerySecretWordTheyCannotGuessThisHaHa Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
openssl verify always returns 0 (success) to shell
In testing my regression tests, I supply a bad CA certificate to force the verify to fail. I use: openssl verify -CAfile cacert.pem cert.pem It printed this, which I expected. error 20 at 0 depth lookup: ... However, when my bash script checks the return code, it is still 0. I was hoping for a non-zero error return to catch real errors later. A bug? If not, what's the correct way to capture errors in a shell script? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: ECDH-RSA and TLS 1.2
I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Automating self signed certificate creation
I create a self signed certificate using openssl req -new -x509 -key ... -out ... -days ... It then prompts for the country, state, locality, etc. Is there a way to enter that data on the command line or in a configuration file to avoid the prompts? I tried -config and a configuration file, but that seems to just change the defaults. It still prompts. Rationale: I can script it and avoid user errors. I can automate changing the values for regression testing. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
(continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. On 11/2/2012 9:06 PM, Abhiram Shandilya wrote: I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? -Original Message- From: Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: (continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. Not at all - its good advice. Its called Key Separation, and its covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I usually see folks trying to use the same key for signing and encryption. This is a slight twist in that they want to do signing and agreement. The HAC is available for free online at http://cacr.uwaterloo.ca/hac/. Jeff On 11/2/2012 9:06 PM, Abhiram Shandilya wrote: I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? -Original Message- From: Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Automating self signed certificate creation
On Fri, Nov 2, 2012 at 4:23 PM, Ken Goldman kgold...@us.ibm.com wrote: I create a self signed certificate using openssl req -new -x509 -key ... -out ... -days ... It then prompts for the country, state, locality, etc. Is there a way to enter that data on the command line or in a configuration file to avoid the prompts? I tried -config and a configuration file, but that seems to just change the defaults. It still prompts. Rationale: I can script it and avoid user errors. I can automate changing the values for regression testing. Try something like: -subj /C=US/ST=Florida/L=Waldo/O=Mythical Mad Monkeys, GmbH./OU=IT/CN=$FQDN as an argument to your openssl statement. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Automating self signed certificate creation
On 2.11.12 3:23 PM, Ken Goldman wrote: I create a self signed certificate using openssl req -new -x509 -key ... -out ... -days ... It then prompts for the country, state, locality, etc. Is there a way to enter that data on the command line or in a configuration file to avoid the prompts? I tried -config and a configuration file, but that seems to just change the defaults. It still prompts. Yes: pass in the -subj parameter. Backslash-escape foreslashes and backslashes. -F __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: ECDH-RSA and TLS 1.2 [AESGCM]
From: owner-openssl-us...@openssl.org On Behalf Of Abhiram Shandilya Sent: Thursday, 01 November, 2012 21:31 -dev added I configured my openssl RSA CA to add the key usage extension for key agreement to the ECC certificate but even then it does not work. Pre-TLS 1.2 cipher suites such as ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher suites with AESGCM. Looks like a bug to me. (1.0.1c) s3_lib.c ciphers C031 and C032 have kECDHe when it appears they should have kECDHr . __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Automating self signed certificate creation
From: owner-openssl-us...@openssl.org On Behalf Of Mauricio Tavares Sent: Friday, 02 November, 2012 16:53 On Fri, Nov 2, 2012 at 4:23 PM, Ken Goldman kgold...@us.ibm.com wrote: I create a self signed certificate using openssl req -new -x509 -key ... -out ... -days ... It then prompts for the country, state, locality, etc. Is there a way to enter that data on the command line or in a configuration file to avoid the prompts? I tried -config and a configuration file, but that seems to just change the defaults. It still prompts. Try something like: -subj /C=US/ST=Florida/L=Waldo/O=Mythical Mad Monkeys, GmbH./OU=IT/CN=$FQDN as an argument to your openssl statement. as described in the manpage for req; or put prompt=no and values *instead of* prompts in the config file as described further down in the same manpage. Note: it doesn't make clear that if you use a config file with prompt=no and values, you can't override with commandline -subj. -subj only overrides prompt=yes. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: RSA public key in x509 format
From: owner-openssl-us...@openssl.org On Behalf Of Taraniteja Vishwanatha Sent: Friday, 02 November, 2012 18:29 Answering only -users, this is not a -dev question. I want to generate a RSA key pair in x509 format and pem encoded ( BEGIN PUBLIC KEY .END PUBLIC KEY). Can anyone give me an example of how to do that? Its working if I want it in PKCS1 format. Here is my code: snip int retVal = PEM_write_bio_RSAPublicKey(publicBio, rsaKey); if( retVal == 0) ... Assuming you mean SubjectPublicKeyInfo, on the same man page as PEM_{read,write}{,_bio}_RSAPublicKey, see PEM_{read,write}{,_bio}_RSA_PUBKEY. Or use generic EVP_PKEY and PEM_{read,write}{,_bio}_PUBKEY . __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org