X509v1 root CA certificate
Hi everybody, OpenSSL 0.9.7b3 tells me error=24 (invalid CA certificate) in the verify_callback when I use a certificate chain where the CAs are X509 version 1 (i.e. they are missing the X509v3 extension that says that the CA certificate is good for signing other public keys). I checked the code and there is only one place that emits X509_V_ERR_INVALID_CA, in x509_vfy.c:396. if (!X509_check_purpose(x, ctx-purpose, i)) { if (i) ctx-error = X509_V_ERR_INVALID_CA; else ctx-error = X509_V_ERR_INVALID_PURPOSE; Is there any reason, why a CA cannot have a version1 certificate? I also did not find an option to set on the SSL_CTX to allow CA with x509v1. Any idea ? Thanks a lot, Joerg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SUN Crypto Accelerator + OpenSSL
Edward Chan wrote: Hmm, so does that mean with the SUN Crypto Accelerator 1000 card, we would specify ubsec when initializing the engine? I tried openssl speed -engine ubsec but it complained as with any other engine id: can't use that engine 4683:error:25067066:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:157: 4683:error:25072066:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:230: 4683:error:260A6068:engine routines:UBSEC_INIT:DSO failure:hw_ubsec.c:347: 4683:error:2607E06D:engine routines:ENGINE_SET_DEFAULT_TYPE:init failed:engine_lib.c:400: No answer from SUN support yet. Joerg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SUN Crypto Accelerator + OpenSSL
Arin Komins wrote: This is just from memory, but isn't the Sun card a repackaged Rainbow Cryptoswift? (which is engine cswift?) I read an article on the web, indicating that the old SUN Crypto Accelerator 1 is a CryptoSwift (http://www.james.rcpt.to/2001/sun-crypto/), but I don't know about the 1000, because the libs mentioned in that article are not on my machine I have filed a SUN support request, but no answer yet. I'll let you know when I get a response. Joerg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SUN Crypto Accelerator + OpenSSL
Hi everybody, is someone using OpenSSL with the SUN Crypto Accelerator 1000? The openssl binary that comes on the driver CD *always* uses the hardware crypto. It does not need the -engine switch, and I cannot switch it off. With the openssl-engine binaries, I compiled myself, I do need that -engine id, but what is that id? How can I determine that id? The reason for me to get this thing working with the binaries compiled myself are - the openssl from the driver CD also has disabled IDEA, RC5, etc. - I'd like to use 0.9.7-beta3 Any suggestions? Thanks, Joerg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to use DH?
Innokentiy Ivanov wrote: Good afternoon! Can anybody help me, please? What shell i do to use ciphers with DH/DH-anon key exchange algorithms? When i try to connect to OpenSSL server with only cipher DH_..._..._... or DH_anon_..._..._..., it says: no shared cipher. Please, help me to do this. Maybe, OpenSSL doesn't support DH/DHa at all? OpenSSL supports DH, but to use it, you must setup some key material (which is more or less timeconsuming). Either you use the setup-routine DH_generate_parameters() and SSL_CTX_set_tmp_dh() or use fixed key material as seen in ssl/ssltest.c (fast, but insecure). Jorg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Longterm verify_callback in single threaded app
Dr S N Henson wrote: Joerg Bartholdt wrote: Hi *, During the SSL Handshake, OpenSSL can call a verify_callback that can manipulate the outcome of the certificate verification process. If I use some longterm evaluation like an OCSP-Request, my single threaded application is blocked during this time. I cannot return a value like I don't know yet, ask later - I have to have the decision before I return from the callback. So, there is no change for handling other connections (I usually use select() and async IO to handle multiple connection which OpenSSL can do pretty well in all other states...) during that time. I'm not sure this has ever been tested but it looks like you can handle this by returning -1 from the verify callback instead of the normal 1=success or 0=failure. There's some code in place that handles this in a manner analagous to other non-blocking operations using a special condition SSL_ERROR_WANT_X509_LOOKUP. Hm, I just tried it, but -1 accepts the certificate. Maybe I have to set something in the X509_STORE which is given as a parameter to the verify_callback? I'll have a look into the code, maybe I find something. Thanks so far. Jörg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Decryption wrong when seeking into a file.
Lorenzo wrote: I have a quick question to ask. I'm using the EVP_EncryptInit and EVP_DecryptInit functions to stream data to a file. Basically, I encrypt data , one byte at a time, which is in the put area of my filebuf object and send it out. I When I get data from the file, I decrypt each byte I receive one byte at a time. The problem is when i use 'seekg(x)' to seek to a point in the file , when I try to decrypt the buffer I get back, the results are wrong. However, when I start from the beginning, every thing is fine. When I seek, it does seek to the right byte in the file. Does any one know why this may be the case? Ecryption does (usually) not encrypt each byte independently from all the others. The encryption of a byte in the stream depends on what was done before. So, seeking to a different position in the file gets the encryption routines out of sync and you get garbage. You have to read all data If you want your applicatoin to use a seek command, have a look at the BIOs in OpenSSL (an abstraction of I/O-Operations). BIOs can be layered and perform some kind of filtering (e.g. RC4 encryption/decryption). And they provide a BIO_seek() command. I havn't tried it myself, but I assume it does the right stuff. Jörg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Longterm verify_callback in single threaded app
Hi *, During the SSL Handshake, OpenSSL can call a verify_callback that can manipulate the outcome of the certificate verification process. If I use some longterm evaluation like an OCSP-Request, my single threaded application is blocked during this time. I cannot return a value like I don't know yet, ask later - I have to have the decision before I return from the callback. So, there is no change for handling other connections (I usually use select() and async IO to handle multiple connection which OpenSSL can do pretty well in all other states...) during that time. Does anybody have a solution? Thanks in advance, Joerg P.S.: I thought I had send this email a couple of days ago already, but it did not show up - so I assume, I didn't :-( __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Async IO and long running verify_callback (e.g. OCSP)
Hi *, when using a single threaded application, I can use Async IO even with OpenSSL to cope with many concurrent connections (using select()). Unfortunately, if I use a verify_callback for doing checking on the certificates of my peer, I _have to_ generate a decision immediately if I do not want to break my quasi-parallel handling of multiple connections. In case the checking takes some time (e.g. because I use a OCSP request), I would have to stop execution here and wait for the response. My single threaded application cannot continue in the meantime. Are there any solutions to this problem? How can I continue using single threaded async IO with such long-running callbacks? Any help appreciated, Joerg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]