Re: 2 Server certificates
To handle CA cert chain, you can use SSL_CTX_add_extra_chain_cert.. are you expect certificate form client ? - Saurabh On Thu, Jun 12, 2014 at 7:09 AM, Hafedh TRIMECHE hafedh.trime...@gmail.com wrote: Hi, I would implement an OpenSSL Server which can handle authentication initiated by 2 client certificates issued by 2 CAs: Client1 CA1 Root1 and Client2 CA2 Root2 Please how to achieve mutual authentication using some APIs: - X509_STORE_add_cert - SSL_CTX_add_extra_chain_cert - SSL_CTX_add_client_CA to avoid the error 14094416 certificate unknown Regards -- View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: 2 Server certificates
Yes, The client certificate is excepted. - Original Message - From: Saurabh Pandya er.saurabhpan...@gmail.com To: openssl-users openssl-users@openssl.org Date: Thu, 12 Jun 2014 12:05:09 +0530 Subject: Re: 2 Server certificates To handle CA cert chain, you can use SSL_CTX_add_extra_chain_cert.. are you expect certificate form client ? - Saurabh On Thu, Jun 12, 2014 at 7:09 AM, Hafedh TRIMECHE hafedh.trime...@gmail.com wrote: Hi, I would implement an OpenSSL Server which can handle authentication initiated by 2 client certificates issued by 2 CAs: Client1 CA1 Root1 and Client2 CA2 Root2 Please how to achieve mutual authentication using some APIs: - X509_STORE_add_cert - SSL_CTX_add_extra_chain_cert - SSL_CTX_add_client_CA to avoid the error 14094416 certificate unknown Regards -- View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: 2 Server certificates
I used this pascal procedure to handle other CAs
procedure TWEBStandaloneServer.InsertCA(CA,Root:UnicodeString);
var
x509 : pX509;
begin
{ The next four functions are only useful for TLS/SSL servers.
f_SSL_CTX_add_client_CA : function(C: PSSL_CTX; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_add_client_CA : function(ssl: PSSL; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_CTX_set_client_CA_list : procedure(C: PSSL_CTX; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
f_SSL_set_client_CA_list : procedure(s: PSSL; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
}
CA := Trim(CA);
Root := Trim(Root);
if (CA='') or (Root='') then Exit;
FCS.Lock;
try
x509 := BlobToX509(CA);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
x509 := BlobToX509(Root);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
except
end;
FCS.Unlock;
end;
and I obtained this log
Thank you to guide me set suitable procedure to accept connection from
client which the certificate is issued by the second CA (pit-ca) not
RapidSSL CA
Regards
-
D:\Developer\Tools\SSL\OpenSSLopenssl s_client -showcerts -connect
localhost:44
30
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(0170)
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See
www.rap
idssl.com/resources/cps (c)13/OU=Domain Control Validated -
RapidSSL(R)/CN=secur
e.payerspot.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-BEGIN CERTIFICATE-
MIIFLjCCBBagAwIBAgIDDfI5MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTMwOTEwMjEyMDMyWhcNMTQwOTEyMjMwNDI2WjCBwzEpMCcGA1UEBRMgYWJj
dThXV2hZamwzTlFhaXBXc1poNWVGbFkzR2l2NzExEzARBgNVBAsTCkdUODI1NjYw
MTgxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMR0wGwYDVQQDExRzZWN1cmUucGF5ZXJzcG90LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMNR0N+FmQnQhgX9u3M101VWanDFoSy42IOO
CdcgAfhbyfVKA1azIxDsRNvf2A50yPTJGKT54r8H53q0a26RLHjTICfLQnfw0ala
o9DTC5zcZ0IoibTXC6XmxOsQyoOJ1qavgKUloZHFEj9uHWRKEAaUUX/nQ0x7nTlL
uXhQrzWFAqCawA2pElvehrsdvQKlVbeXCKfKptDuNkMcDhMNQhDp9mBG8yNn5bd3
zLxIs0R9H/SpeCS314xwj4MKwwcwV8wTt7heekASQ85/IMSp27HdlOTWZYNZZWdJ
8EA6+wnhVpUxDgea/HG9GffSRc21hCSSBmxuQklLpYOmLww3YbECAwEAAaOCAa8w
ggGrMB8GA1UdIwQYMBaAFGtpPWoYQkrdjwJlOf01JIZ4kRYwMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIU
c2VjdXJlLnBheWVyc3BvdC5jb20wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3Jh
cGlkc3NsLWNybC5nZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0O
BBYEFKQx20IXCPfRhermzmPBd4Qp+2xBMAwGA1UdEwEB/wQCMAAweAYIKwYBBQUH
AQEEbDBqMC0GCCsGAQUFBzABhiFodHRwOi8vcmFwaWRzc2wtb2NzcC5nZW90cnVz
dC5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEuZ2VvdHJ1c3Qu
Y29tL3JhcGlkc3NsLmNydDBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr
BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczAN
BgkqhkiG9w0BAQUFAAOCAQEAgDs51+io4xWWYrR9LhMv5Ks8URfluQPFO2FUA6PI
KjOoQwLr2pa5u1mxwlkZC4j5g0uf9Afis6iVkhHMiI3fkf17sdPq/jnU7lj0sjgW
WaJu5AmcIGVyMwWRXtyTQmfmdJ6QYK/uXJUdE45YnD5qU+h0wW2PY9UhTwEqLqPH
XYFkyR3ioIuB3bx3SNeEdw4HfynrsszxqCtwEffOoS/99OMF/7K2LZS+gHPtMjTD
SmJFnr6U21/XQx1pVYsVLps+4tWcwGwWdvLabyydgoRvSLdVnEoWveNVzYjWrXO+
A5jWDIoTe3UJduh6qRlfvJalheNmhqAKOe5H9/LCBUn+gA==
-END CERTIFICATE-
1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
i:/C=US/O=Caradas/OU=PIT/CN=pit-root
-BEGIN CERTIFICATE-
MIICnzCCAgigAwIBAgIJANhcG/IeHwt9MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
BAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMQwwCgYDVQQLEwNQSVQxETAPBgNVBAMT
CHBpdC1yb290MB4XDTE0MDMwNjA0NDYzN1oXDTI0MDMwMzA0NDYzN1owPjELMAkG
Re: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))
On Wed, 11 Jun 2014, Viktor Dukhovni wrote: On Wed, Jun 11, 2014 at 07:24:05PM +0200, Dimitrios Apostolou wrote: Hello list, given that I'm developing a custom client-server application that communicates via TLS, I decided to zero-out all options since I don't care about backwards compatibility and heterogenous clients like browsers by doing: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx)); Can you think of reasons this might be bad practice? (e.g. openssl changing default behaviour in the future unless an option is set) The options start out clear by default. Are you positive on that? I'm quite sure that SSL_OP_LEGACY_SERVER_CONNECT is on for example. Thanks, Dimitris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re : Re: 2 Server certificates
Hi
it seems that you could use the following functions :
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
- sets the list of trusted CA sent to client (here Rapid SSL CA and pit-ca)
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char
*CApath);
- the CApath should point to a folder where certificates of both CAs are stored
OpenSSL should be able to recover the certificate chain by itself
Hope it works
Nico
- Mail d'origine -
De: Hafedh TRIMECHE hafedh.trime...@gmail.com
À: openssl-users@openssl.org
Envoyé: Thu, 12 Jun 2014 09:49:49 +0200 (CEST)
Objet: Re: 2 Server certificates
I used this pascal procedure to handle other CAs
procedure TWEBStandaloneServer.InsertCA(CA,Root:UnicodeString);
var
x509 : pX509;
begin
{ The next four functions are only useful for TLS/SSL servers.
f_SSL_CTX_add_client_CA : function(C: PSSL_CTX; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_add_client_CA : function(ssl: PSSL; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_CTX_set_client_CA_list : procedure(C: PSSL_CTX; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
f_SSL_set_client_CA_list : procedure(s: PSSL; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
}
CA := Trim(CA);
Root := Trim(Root);
if (CA='') or (Root='') then Exit;
FCS.Lock;
try
x509 := BlobToX509(CA);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
x509 := BlobToX509(Root);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
except
end;
FCS.Unlock;
end;
and I obtained this log
Thank you to guide me set suitable procedure to accept connection from
client which the certificate is issued by the second CA (pit-ca) not
RapidSSL CA
Regards
-
D:\Developer\Tools\SSL\OpenSSLopenssl s_client -showcerts -connect
localhost:44
30
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(0170)
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See
www.rap
idssl.com/resources/cps (c)13/OU=Domain Control Validated -
RapidSSL(R)/CN=secur
e.payerspot.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-BEGIN CERTIFICATE-
MIIFLjCCBBagAwIBAgIDDfI5MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTMwOTEwMjEyMDMyWhcNMTQwOTEyMjMwNDI2WjCBwzEpMCcGA1UEBRMgYWJj
dThXV2hZamwzTlFhaXBXc1poNWVGbFkzR2l2NzExEzARBgNVBAsTCkdUODI1NjYw
MTgxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMR0wGwYDVQQDExRzZWN1cmUucGF5ZXJzcG90LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMNR0N+FmQnQhgX9u3M101VWanDFoSy42IOO
CdcgAfhbyfVKA1azIxDsRNvf2A50yPTJGKT54r8H53q0a26RLHjTICfLQnfw0ala
o9DTC5zcZ0IoibTXC6XmxOsQyoOJ1qavgKUloZHFEj9uHWRKEAaUUX/nQ0x7nTlL
uXhQrzWFAqCawA2pElvehrsdvQKlVbeXCKfKptDuNkMcDhMNQhDp9mBG8yNn5bd3
zLxIs0R9H/SpeCS314xwj4MKwwcwV8wTt7heekASQ85/IMSp27HdlOTWZYNZZWdJ
8EA6+wnhVpUxDgea/HG9GffSRc21hCSSBmxuQklLpYOmLww3YbECAwEAAaOCAa8w
ggGrMB8GA1UdIwQYMBaAFGtpPWoYQkrdjwJlOf01JIZ4kRYwMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIU
c2VjdXJlLnBheWVyc3BvdC5jb20wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3Jh
cGlkc3NsLWNybC5nZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0O
BBYEFKQx20IXCPfRhermzmPBd4Qp+2xBMAwGA1UdEwEB/wQCMAAweAYIKwYBBQUH
AQEEbDBqMC0GCCsGAQUFBzABhiFodHRwOi8vcmFwaWRzc2wtb2NzcC5nZW90cnVz
dC5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEuZ2VvdHJ1c3Qu
Y29tL3JhcGlkc3NsLmNydDBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr
BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczAN
BgkqhkiG9w0BAQUFAAOCAQEAgDs51+io4xWWYrR9LhMv5Ks8URfluQPFO2FUA6PI
Re: Re : Re: 2 Server certificates
Hi Nico, As described in OpenSSL documentation the 2 functions are equivalent: SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object. SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx. The problem may be solved by sending two certificates to the client and it will check which one to verify regarding the CA issued the server certificate. SSL_CTX_load_verify_locations can't help because the certificates are stored in blob not in files. Regards -- View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50889.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Expansion of the OpenSSL team
I am pleased to announce some changes to the OpenSSL team (see https://www.openssl.org/about/): Andy Polyakov has been added to the core team Tim Hudson has been added to the dev team Viktor Dukhovni has been added to the dev team We anticipate some more additions in the near future. The previous and new team members are currently discussing plans for tacking the multiple issues we are all eager to address. Those plans are ambitious and the issues are complex so those discussions are taking longer than we'd like. We'll have more announcements as those plans converge on some sort of coherence. In the meantime we greatly appreciate the patience and support shown by so many of you in the OpenSSL community. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: 2 Server certificates
I used this pascal procedure to handle other CAs
procedure TWEBStandaloneServer.InsertCA(CA,Root:UnicodeString);
var
x509 : pX509;
begin
{ The next four functions are only useful for TLS/SSL servers.
f_SSL_CTX_add_client_CA : function(C: PSSL_CTX; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_add_client_CA : function(ssl: PSSL; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_CTX_set_client_CA_list : procedure(C: PSSL_CTX; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
f_SSL_set_client_CA_list : procedure(s: PSSL; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
}
CA := Trim(CA);
Root := Trim(Root);
if (CA='') or (Root='') then Exit;
FCS.Lock;
try
x509 := BlobToX509(CA);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
x509 := BlobToX509(Root);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
except
end;
FCS.Unlock;
end;
and I obtained this log
Thank you to guide me set suitable procedure to accept connection from
client which the certificate is issued by the second CA (pit-ca) not
RapidSSL CA
Regards
-
D:\Developer\Tools\SSL\OpenSSLopenssl s_client -showcerts -connect
localhost:44
30
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(0170)
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See
www.rap
idssl.com/resources/cps (c)13/OU=Domain Control Validated -
RapidSSL(R)/CN=secur
e.payerspot.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-BEGIN CERTIFICATE-
MIIFLjCCBBagAwIBAgIDDfI5MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTMwOTEwMjEyMDMyWhcNMTQwOTEyMjMwNDI2WjCBwzEpMCcGA1UEBRMgYWJj
dThXV2hZamwzTlFhaXBXc1poNWVGbFkzR2l2NzExEzARBgNVBAsTCkdUODI1NjYw
MTgxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMR0wGwYDVQQDExRzZWN1cmUucGF5ZXJzcG90LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMNR0N+FmQnQhgX9u3M101VWanDFoSy42IOO
CdcgAfhbyfVKA1azIxDsRNvf2A50yPTJGKT54r8H53q0a26RLHjTICfLQnfw0ala
o9DTC5zcZ0IoibTXC6XmxOsQyoOJ1qavgKUloZHFEj9uHWRKEAaUUX/nQ0x7nTlL
uXhQrzWFAqCawA2pElvehrsdvQKlVbeXCKfKptDuNkMcDhMNQhDp9mBG8yNn5bd3
zLxIs0R9H/SpeCS314xwj4MKwwcwV8wTt7heekASQ85/IMSp27HdlOTWZYNZZWdJ
8EA6+wnhVpUxDgea/HG9GffSRc21hCSSBmxuQklLpYOmLww3YbECAwEAAaOCAa8w
ggGrMB8GA1UdIwQYMBaAFGtpPWoYQkrdjwJlOf01JIZ4kRYwMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIU
c2VjdXJlLnBheWVyc3BvdC5jb20wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3Jh
cGlkc3NsLWNybC5nZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0O
BBYEFKQx20IXCPfRhermzmPBd4Qp+2xBMAwGA1UdEwEB/wQCMAAweAYIKwYBBQUH
AQEEbDBqMC0GCCsGAQUFBzABhiFodHRwOi8vcmFwaWRzc2wtb2NzcC5nZW90cnVz
dC5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEuZ2VvdHJ1c3Qu
Y29tL3JhcGlkc3NsLmNydDBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr
BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczAN
BgkqhkiG9w0BAQUFAAOCAQEAgDs51+io4xWWYrR9LhMv5Ks8URfluQPFO2FUA6PI
KjOoQwLr2pa5u1mxwlkZC4j5g0uf9Afis6iVkhHMiI3fkf17sdPq/jnU7lj0sjgW
WaJu5AmcIGVyMwWRXtyTQmfmdJ6QYK/uXJUdE45YnD5qU+h0wW2PY9UhTwEqLqPH
XYFkyR3ioIuB3bx3SNeEdw4HfynrsszxqCtwEffOoS/99OMF/7K2LZS+gHPtMjTD
SmJFnr6U21/XQx1pVYsVLps+4tWcwGwWdvLabyydgoRvSLdVnEoWveNVzYjWrXO+
A5jWDIoTe3UJduh6qRlfvJalheNmhqAKOe5H9/LCBUn+gA==
-END CERTIFICATE-
1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
i:/C=US/O=Caradas/OU=PIT/CN=pit-root
-BEGIN CERTIFICATE-
MIICnzCCAgigAwIBAgIJANhcG/IeHwt9MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
BAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMQwwCgYDVQQLEwNQSVQxETAPBgNVBAMT
CHBpdC1yb290MB4XDTE0MDMwNjA0NDYzN1oXDTI0MDMwMzA0NDYzN1owPjELMAkG
Is OpenSSl fips 2.0.5 also affected by CVE-2014-0224
Does the recent vulnerability exposed in openSSL - CVE-2014-0224 and CVE-2014-0221 affect openssl-fips-2.0.5 ? If Yes, How do I get fips compliant openSSL? -Karthik R
Re: Re : Re: 2 Server certificates
Hi Nico,
As described in OpenSSL documentation the 2 functions are equivalent:
SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the setting
valid for ssl's SSL_CTX object.
SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of
CAs sent to the client when requesting a client certificate for ctx.
The problem may be solved by sending two certificates to the client and it will
check which one to verify regarding the CA issued the server certificate.
SSL_CTX_load_verify_locations can't help because the certificates are stored in
blob not in files.
Regards
- Original Message -
From: nicolas@free.fr
To: openssl-users@openssl.org
Date: Thu, 12 Jun 2014 16:22:36 +0200 (CEST)
Subject: Re : Re: 2 Server certificates
Hi
it seems that you could use the following functions :
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
- sets the list of trusted CA sent to client (here Rapid SSL CA and pit-ca)
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const
char *CApath);
- the CApath should point to a folder where certificates of both CAs are
stored
OpenSSL should be able to recover the certificate chain by itself
Hope it works
Nico
- Mail d'origine -
De: Hafedh TRIMECHE hafedh.trime...@gmail.com
À: openssl-users@openssl.org
Envoyé: Thu, 12 Jun 2014 09:49:49 +0200 (CEST)
Objet: Re: 2 Server certificates
I used this pascal procedure to handle other CAs
procedure TWEBStandaloneServer.InsertCA(CA,Root:UnicodeString);
var
x509 : pX509;
begin
{ The next four functions are only useful for TLS/SSL servers.
f_SSL_CTX_add_client_CA : function(C: PSSL_CTX; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_add_client_CA : function(ssl: PSSL; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_CTX_set_client_CA_list : procedure(C: PSSL_CTX; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
f_SSL_set_client_CA_list : procedure(s: PSSL; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
}
CA := Trim(CA);
Root := Trim(Root);
if (CA='') or (Root='') then Exit;
FCS.Lock;
try
x509 := BlobToX509(CA);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
x509 := BlobToX509(Root);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
except
end;
FCS.Unlock;
end;
and I obtained this log
Thank you to guide me set suitable procedure to accept connection from
client which the certificate is issued by the second CA (pit-ca) not
RapidSSL CA
Regards
-
D:\Developer\Tools\SSL\OpenSSLopenssl s_client -showcerts -connect
localhost:44
30
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(0170)
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See
www.rap
idssl.com/resources/cps (c)13/OU=Domain Control Validated -
RapidSSL(R)/CN=secur
e.payerspot.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-BEGIN CERTIFICATE-
MIIFLjCCBBagAwIBAgIDDfI5MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTMwOTEwMjEyMDMyWhcNMTQwOTEyMjMwNDI2WjCBwzEpMCcGA1UEBRMgYWJj
dThXV2hZamwzTlFhaXBXc1poNWVGbFkzR2l2NzExEzARBgNVBAsTCkdUODI1NjYw
MTgxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMR0wGwYDVQQDExRzZWN1cmUucGF5ZXJzcG90LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMNR0N+FmQnQhgX9u3M101VWanDFoSy42IOO
1.0.2 VC-WIN32 build failure?
Using the 201406012 snapshot on the 1.0.2 branch, I'm seeing an error while trying to build for the VC-WIN32 target. The compiler is VS2010. Can anyone confirm this is the correct build procedure? perl Configure VC-WIN32 ms\do_nasm.bat nmake -f ms\ntdll.mak The error is: cl /Fotmp32dll\cryptlib.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\cryptlib.c cryptlib.c C:\temp\102\openssl-1.0.2-stable-SNAP-20140612\tmp32dll\e_os.h(62) : fatal error C1083: Cannot open include file: 'openssl/opensslconf.h': No such file or directory NMAKE : fatal error U1077: 'c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\cl.EXE' : return code '0x2' Stop. Also of interest, the following error occurred during the Configure script: C:\temp\102\openssl-1.0.2-stable-SNAP-20140612perl util\mkdef.pl 32 libeay 1ms\libeay32.def Warning: BUF_strnlen does not have a number assigned Warning: X509_VERIFY_PARAM_set_hostflags does not have a number assigned __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is OpenSSl fips 2.0.5 also affected by CVE-2014-0224
On Thu, Jun 12, 2014, Karthik R wrote: Does the recent vulnerability exposed in openSSL - CVE-2014-0224 and CVE-2014-0221 affect openssl-fips-2.0.5 ? If Yes, How do I get fips compliant openSSL? If you mean the FIPS module then no. The FIPS module does not contain any TLS or DTLS code so you just use the validated module against OpenSSL 1.0.1h to produce a FIPS capable OpenSSL. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDSA - Signature verify
From: owner-openssl-us...@openssl.org On Behalf Of Anant Rao
Sent: Wednesday, June 11, 2014 09:45
The signature is generated by a client program (also a 'c' program). What is
the format of a signature? How do I find out?
The format for an ECDSA or DSA signature is an ASN.1 SEQUENCE of two INTEGERs.
I'm practice I've always seen DER, but I don't know if that's required; the two
reasons
that commonly require DER (hashed and byte-compared) don't apply.
Just to confirm - whether it's ECDSA or RSA, for verification, we just get
the EVP_PKEY data structure filled with
the public key correctly and call in a sequence ending up with a call to
EVP_VerifyFinal. Is that correct?
Either the old way with EVP_Verify{Init,Update,Final} and the key on the Final,
or the new way with EVP_DigestVerify{Init,Update,Final} and the key on the Init.
But either way independent of the keytype = PKalgorithm.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re : Re: Re : Re: 2 Server certificates
Hi, sorry for the first answer, I didn't read in details :-/ looking at your certificate chain, you are in fact trying to validate a certificate issued by RapidSSL using pit-ca --- Certificate chain 0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA -BEGIN CERTIFICATE- ... -END CERTIFICATE- 1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca i:/C=US/O=Caradas/OU=PIT/CN=pit-root this at least explains why it fails... however, you didn't indicate how you set up the first chain, if there is any (looks like not here) My guess is you should just add all your certificates (CAs and Roots) using only X509_STORE_add_cert, since the verification function tries to recompose the chain by itself you can also create a single chain containing all your certificates (both CAs and Roots, in any order) once again the verification should be done transparently let me know if it works, or if you already tried - Mail d'origine - De: Hafedh TRIMECHE hafedh.trime...@strong-data.com À: openssl-users@openssl.org Envoyé: Thu, 12 Jun 2014 16:39:23 +0200 (CEST) Objet: Re: Re : Re: 2 Server certificates Hi Nico, As described in OpenSSL documentation the 2 functions are equivalent: SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object. SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx. The problem may be solved by sending two certificates to the client and it will check which one to verify regarding the CA issued the server certificate. SSL_CTX_load_verify_locations can't help because the certificates are stored in blob not in files. Regards __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))
On Thu, Jun 12, 2014 at 11:49:39AM +0200, Dimitrios Apostolou wrote: The options start out clear by default. Are you positive on that? I'm quite sure that SSL_OP_LEGACY_SERVER_CONNECT is on for example. I was not sure, looking at the code for SSL_CTX_new() in the master development branch I see options starting as zero, and then if ticket key initialization fails: ret-options |= SSL_OP_NO_TICKET; then unconditional: ret-options |= SSL_OP_LEGACY_SERVER_CONNECT; So yes, it appears that clear by default used to be true, but then ticket support and renegotiation work-arounds were added and the assumption that the initial slate is clean became false. Mixing policy settings (SSL_OP_LEGACY_SERVER_CONNECT) which are OK to clear, with runtime error status (SSL_OP_NO_TICKET) is rather unfortunate. I would call this a bug. Failure to automatically generate ticket keys MUST NOT change policy, for example, the application may provide its own keys later, and if the user clears the options, tickets should not be used with missing key material. So the state bit for lack of keys belongs elsewhere. This would leave just SSL_OP_LEGACY_SERVER_CONNECT as a default option, which you may choose to clear. For now, don't clear SSL_OP_NO_TICKET if it is already set unless you've provided your own session tickets. -- VIktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))
On Fri, Jun 13, 2014 at 03:53:07AM +, Viktor Dukhovni wrote: For now, don't clear SSL_OP_NO_TICKET if it is already set unless you've provided your own session tickets. That is your own session ticket keys. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
