multiple IP addresses
Hello, Is BIO_do_connect() smart enough to try to connect to all IP addresses if a name resolves to more than one? For example, the name www.microsoft.com resolves to eight different IP addresses. Will they all be tried by BIO_do_connect? is there a way to do this? Do I need to keep calling BIO_do_connect to keep trying? -Joe __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
0.9.8 on OS X (Tiger) (10.4.1)
I think I found the problem installing on OS X. In the ./engines/Makefile, in the install target, the script makes the assumption that shared library files are named *.so, whereas they are named *.dylib on Darwin. There is even a comment to that effect in the Makefile: # X This currently only works on systems that use .so as suffix # for shared libraries as well as for Cygwin which uses the # dlfcn_name_converter and therefore stores the engines with .so suffix, too. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
0.9.8 on OS X (Tiger) (10.4.1)
One last update on getting 0.9.8 to build on OS X. As long as I do NOT try to build shared then everything builds okay. Now if only I could get Xcode to actually use the static libraries... -Joe __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
0.9.8 on OS X (Tiger) (10.4.1)
I seem to be having some build problems. I'll describe what's happening below. I'm trying to install openssl 0.9.8 onto OS X 10.4.1. I have the Xcode 2.1 tools installed. Firstly, I downloaded the tarball using curl to make sure that Safari wasn't causing me any grief. The installed curl is 7.13.1. Second, I verified the MD5 checksum and confirmed that it's the same as reported on the web site (9da21071596a124acde6080552deac16). While untarring the file, I received the following notice: tar: A lone zero block at 31800. The version of tar supplied with OS X is GNU tar (1.14). I then performed the ./config shared which seemed to be okay. make and make test performed without any errors. During make install however, the installation bombed while installing engines. I've attached a typescript of the session. typescript.gz Description: GNU Zip compressed data
Re: Apache 2.0 + ssl + client cert + server cert
Is your client sending only its certificate, or are you sending the entire certificate chain? It looks like your server is unable to rebuild the cert. chain from the client to the root. -Original Message- From: Fco .J. Arias [EMAIL PROTECTED] Sent: Jul 6, 2005 2:47 PM To: openssl-users@openssl.org Subject: Apache 2.0 + ssl + client cert + server cert Hello I'm trying to use apache with client auth, but I can't. The problem is in logs errors: . . . before other CA a, B ,C ,D, E, F are strings . [Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA certificate: /C=A/ST=B/L=C/O=D/OU=Webserver Team/CN=www.foo.com/[EMAIL PROTECTED] [Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA certificate: /C=A/ST=B/L=C/O=D/OU=Webserver Team/CN=www.foo.com/[EMAIL PROTECTED] [Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA certificate: /C=A/ST=B/L=C/O=D/OU=Certificate Authority/CN=F CA/[EMAIL PROTECTED] . . . [Wed Jul 06 21:57:34 2005] [debug] ssl_engine_kernel.c(1210): Certificate Verification: depth: 0, subject: /C=A/ST=B/L=C/O=None/OU=None/CN=Fran D, /[EMAIL PROTECTED], issuer: /C=A/ST=B/L=C/O=D/OU=Certificate Authority/CN=F CA/[EMAIL PROTECTED] [Wed Jul 06 21:57:44 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate [Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1790): OpenSSL: Write: SSLv3 read client certificate B [Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1809): OpenSSL: Exit: error in SSLv3 read client certificate B [Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1809): OpenSSL: Exit: error in SSLv3 read client certificate B [Wed Jul 06 21:57:44 2005] [info] SSL library error 1 in handshake (server www.foo.com:8443, client 192.168.0.2) [Wed Jul 06 21:57:44 2005] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned [Wed Jul 06 21:57:44 2005] [info] Connection to child 2 closed with abortive shutdown(server www.foo.com:8443, client 192.168.0.2) Anyone know How to solve this problem? It's posible get datum of certificates(like CN of client or server) into Apache C API? Thanks, Fran. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Cert display in 1 line in PEM format
What software are you using to retrieve the certificate? On May 12, 2005, at 5:42 PM, Jana Nguyen wrote: Hi there, I'm having a certificate format problem with Linux. It strips out the line feeds (see below) when I retrieve a proxy certificate from a portal and write it to a file. linux system put the cert data in just 1 line in a PEM format. Do you know how I can resolve this problem? No line feed in PEM: smime.p7s Description: S/MIME cryptographic signature
Re: PEM_read_X509 and d2i_X509_fp problem.
Did you set up your mutex call-backs needed by the library? See the man page for CRYPTO_set_locking_callback, et al for details. -joe On May 6, 2005, at 8:56 AM, Calista wrote: Are the functions d2i_X509_fp and PEM_read_X509 thread safe? smime.p7s Description: S/MIME cryptographic signature
Re: How to link statically openssl in a dylib
OS X ships with openssl pre-installed so you will never find a machine that does not have the dylib's available in /usr/lib. However, the version shipped is 0.9.7b. -Original Message- From: Qadeer Baig [EMAIL PROTECTED] Sent: Apr 27, 2005 7:43 AM To: openssl-users@openssl.org Subject: How to link statically openssl in a dylib Hi, I am using openssl in an application (this application actually is a .dylib on Mac OSX). Currently I am linking openssl calls by using -lssl -lcrypto linker options. Since this links openssl calls dynamcally therefor I can only use resulting application on the computers where libssl.dylib and libcrypto.dylib are already installed. Now what I want is that openssl is statically linked into my application (dll, .dylib on OSX) so that libssl.dylib and libcrypto.dylib are not required on the machines where my application is used. What linker options will I use?, XCode internally uses gcc (I believe). It will be of great help if someone can give a simple make file (or a simple xcode project). I have following libraries available: 1. libssl.dylib 2. libcrypto.dylib 3. libssl.a 4. libcrypto.a I think .a libraries will be used for static linking but how(?) so that the resulting application is a still a .dylib. Any help will be highly appreciated. Thanks and regards, -- Qadeer __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openSSL web interface
http://www.openca.org/ The last time I checked however, the documentation is quite difficult to follow being a rough translation from either German or Klingon. On Apr 27, 2005, at 3:46 PM, Andy Cravens wrote: Is there a free or commercial web interface for openSSL? I'm managing my own CA from the command line using CA.pl. It would be nice to have a web interface for managing certificates and maintaining the revocation list from a web browser. I've found a fairly crude set of CGI scripts on the unicorepro web site along with a FAQ on setting up your own Certificate Authority. However, the scripts only work with Netscape browsers and they provide very limited functions. I don't want to reinvent the wheel if I don't have to. smime.p7s Description: S/MIME cryptographic signature
Re: Problem compiling OpenSSL 0.9.7g for Solaris Apache?
Just a shot in the dark, but shouldn't your LD_LIBRARY_PATH be set to /usr/local/openssl/lib? (I appended the lib part). -Joe On Apr 25, 2005, at 11:36 PM, ohaya wrote: I set the LD_LIBRARY_PATH to /usr/local/openssl:$LD_LIBRARY_PATH before doing the Apache build, and used: smime.p7s Description: S/MIME cryptographic signature
Re: Problem compiling OpenSSL 0.9.7g for Solaris Apache?
What about during runtime? That variable is used by ld to find various shared libraries at runtime. It's generally not used during compile time unless your makefile uses it for the compiler's -L option. On Apr 26, 2005, at 12:06 AM, ohaya wrote: Joe, Sorry. I mis-typed it in my msg. I actually set it to /usr/local/openssl/lib when I did the build/compile. Jim Joseph Bruni wrote: Just a shot in the dark, but shouldn't your LD_LIBRARY_PATH be set to /usr/local/openssl/lib? (I appended the lib part). -Joe On Apr 25, 2005, at 11:36 PM, ohaya wrote: I set the LD_LIBRARY_PATH to /usr/local/openssl:$LD_LIBRARY_PATH before doing the Apache build, and used: __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME cryptographic signature
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
If all that was sent was the protocol data that the write was waiting for to satisfy the ssl state machine, and no application data was sent, would SSL_read return the number of bytes actually read off the socket (which is just protocol data), or would it read that transparently and return 0 indicating that no application data was read? Ah. Key question! SSL_read will return a positive number indicating the number of APPLICATION DATA bytes written into your buffer. A ZERO indicates a closed connection. A negative result indicates an error (or rather, that your request could not be satisfied). In the case of a WANT_READ or WANT_WRITE, that some action in the BIO needs to occur to satisfy the request. The important thing to keep in mind is that the SSL objects are not inherently tied to sockets. You might be trying to read SSL decrypted data from your own internal buffer. In which case, a WANT_READ means that you need to move a few more bytes into the BIO's buffer. Check out the man page for the SSL_get_error function yet once again. Skip down to the section titled SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE in the context of these discussions, keeping in mind the idea that an SSL object might not be necessarily connected to a socket. (What really frustrated me when I was learning how this worked was that the examples and discussions in the O'Reilly OpenSSL book were wrong on this topic.) smime.p7s Description: S/MIME cryptographic signature
Re: Client Authentication
This would be a feature of Safari rather than OpenSSL. I'm pretty sure that recent versions of Safari can do authentication using certs, but I'm not sure how to do it. You can try posting you question to one of Apple's lists. http://lists.apple.com/ On Apr 18, 2005, at 1:46 AM, [EMAIL PROTECTED] wrote: Hi all I am a newbie to SSL and I want to have clients authenticated using SSL certificates. I am running webserver on Apache 1.3 on Mac OS X server The scenario is something as follows: My webserver is hosting an site for which I want to give limited access worldwide. If someone requests for the site, the first check should be made using the certificates. If the certificate is not present in the clients machine, the Access denied page must pop up. The questions is how do I do client authentication Requesting your assistance. Regards Thanks Mahesh S Kudva __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME cryptographic signature
Re: Client Authentication
On the Mac, you'll load your client certificate into your users' keychains. On Windows, you'll load it into the certificate store. In either case, simply having the user double-click on the certificate file will launch the appropriate tool. On Apr 18, 2005, at 9:17 PM, [EMAIL PROTECTED] wrote: Hi Apart from Mac clients I also windows users. Regards and Thanks Mahesh S Kudva __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME cryptographic signature
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
A return result of 0 typically means the other side closed the connection. Here is the section from SSL_read's man page with regards to a 0 return: 0 The read operation was not successful. The reason may either be a clean shutdown due to a close notify alert sent by the peer (in which case the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set (see SSL_shutdown(3), SSL_set_shutdown(3)). It is also pos- sible, that the peer simply shut down the underlying transport and the shutdown is incomplete. Call SSL_get_error() with the return value ret to find out, whether an error occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN). -Joe On Apr 17, 2005, at 9:12 PM, Edward Chan wrote: Does SSL_read always return the number of bytes of application data read? If so, that means that SSL_read could return 0, and that this should not be construed as an error. smime.p7s Description: S/MIME cryptographic signature
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
You're right -- the latter. Another thing to think about is that at any time, the remote peer might request a re-negotiation. During such time, the session key will be re-established requiring a few round-trips during the DH process. This will all be handled behind the scenes as you attempt to move application data through the system. If the SSL state machine is waiting on some remote data to be received during the re-negotiation, you will get a WANT_READ in response to an SSL_write (or an SSL_read). At this point, you could call select() waiting for data to arrive. When select() indicates that the socket has data ready, you can just call SSL_write (or SSL_read) again so that the state machine can work its way through the protocol. In my program's case, I had to periodically call SSL_read() on a non-blocking socket so that I could detect whenever the remote peer closed the connection, even though I was not expecting any application data to arrive. On Apr 17, 2005, at 10:20 PM, Edward Chan wrote: Right, but let's say I'm doing an SSL_write, and I get a WANT_READ error. I then select on the socket until data is available for reading. I then call SSL_read. If all that was sent was the protocol data that the write was waiting for to satisfy the ssl state machine, and no application data was sent, would SSL_read return the number of bytes actually read off the socket (which is just protocol data), or would it read that transparently and return 0 indicating that no application data was read? Or would it just read the required protocol data and return an error of WANT_READ to indicate that I should retry the SSL_read when more data arrives? Now that I think about it, I'm guessing the latter. smime.p7s Description: S/MIME cryptographic signature
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
You're on the money. This confused me, too. I had a program that needed to see if there was incoming data, and so I performed an SSL_read(). I received back a WANT_READ, because there was no data yet to read. (I'm using non-blocking I/O). But then some time later I needed to send data. The logic of the program was such that I could expect nothing on the READ side anyway until I had sent something first (query/response). At first, I thought I was stuck having to endlessly perform only the SSL_read even though there was no data available before I would be able to perform my SSL_write. I realized that when you receive a WANT_READ or a WANT_WRITE, you just need to perform the same operation again with the same parameters, but that does not exclude you from performing the other operation elsewhere. Just make sure that two threads aren't trying to do this at the same time on the same connection. On Apr 16, 2005, at 10:22 AM, Edward Chan wrote: Ok, this is getting much clearer. Last question (hopefully)...so if an SSL_write gets a WANT_READ, is it ok for the read thread to do an SSL_read before I retry the SSL_write? Does it matter who does the requested operation as long as it is done? Or does the read thread have to wait until the write thread retries the SSL_write when there is data available before it can read anymore data? And similarly, if the read thread gets a WANT_WRITE, can the write thread do an SSL_write before the read thread retries the SSL_read? If the write thread does an SSL_write before the read thread retries the SSL_read (assuming socket is writable), will it have written whatever data the SSL_read needed to have written? In other words, can the operation specified the WANT_READ/WRITE have to be done by retrying the operation that caused it? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Saturday, April 16, 2005 3:02 AM To: openssl-users@openssl.org Subject: RE: Confusion about SSL_ERROR_WANT_READ/WRITE Thanks for this explanation. As I read more, I think I am getting a better understanding of this. So unlike normal tcp connections, where a read juts reads, and a write just writes, SSL_read may write, and SSL_write may read. This is all done under the hood, so I don't need to be concerned with that, except to reissue the call when I get a WANT_READ or WANT_WRITE error. And when I get one of these, I basically just have to wait (select/poll or whatever) until the socket is readable/writable, then reissue the call. Does that sound right? Yes, that's it. If you use socket BIOs, then it all takes place under the hood. You don't have to worry about it, but you do have to know that the semantics of SSL_read and SSL_write are not the same as read and write. And regarding the use of multiple threads, if I protect the SSL object with a lock, that should be fine right? But it sounds like a single thread for both read and writes is the norm. Is this true? And if so, other than the fact that I need to co-ordinate access to the SSL obj with a mutex, is there any draw back to using multiple threads? Neither is the norm. Some I/O strategies use a single thread both reading and writing, where that thread may handle only one connection or dozens. Some I/O strategies use one thread for all reads to all connections and one for all writes to all connections. Some use a pool of threads, any one of which may do a read or write to any connection at any time. What is best depends upon the specifics of a given project, primarily the scalability requirements and the complexity that can be tolerated. One common I/O strategy called 'speculative write' allows whatever thread generated data for a connection to try to write it immediately. If the write fails with a 'would block' error, then the connection is added to a poll or select set to try the write later from an I/O thread. In this case, you would need a lock because one thread might try to write to the connection while an I/O thread is reading from it. The SSL state machine is not protected against concurrent accesses to the same connection. So if you have a situation where you might try to access the same connection from two threads (the typical case being a read and a write, but one could imagine others), you will need to associate a mutex with the connection. Semantically, an SSL connection is a single engine and SSL_read and SSL_write are entry points to that single engine. This is different from a TCP connection which is semantically two unrelated byte streams, one in each direction. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project
thread cancellation
As of 0.9.7g, is OpenSSL still not cancellation safe? If not, am I okay to bracket calls into the ssl library by changing the cancellation state (sort of like a mutex) reverting back on return from the library? According to the pthreads documentation changing the cancellation state should prevent cancellation at the syscalls that would normally cancel a thread. smime.p7s Description: S/MIME cryptographic signature
Re: Newbie questions ....
Hi Steve, Here are a couple books that helped me understand SSL and the X.509 security model: Network Security with OpenSSL, ISBN 059600270X Planning for PKI, ISBN 0471397024 Joe On Sep 10, 2004, at 1:17 PM, Steve Ankeny wrote: I am designing a secure webserver for use in a small company. The connection must be secure. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to convert a buffer in DER format to a RSA structure?
The d2i_* functions will convert from DER-encoded things to Internal structures. The two you'll probably want are d2i_RSAPrivateKey() d2i_RSAPublicKey() On Sep 10, 2004, at 3:36 PM, Herbert Skopnik V. wrote: Hi everybody! I'm working in a project (transactional switch) which uses RSA encryption to encrypt part of the transaction data. I'm using RSA keys in DER format stored in a database and I need to convert this buffer to a RSA structure, without using files (which is the method I'm using now). Does someone know how this could be accomplished? Any help would be really appreciated. Best regards, Herbert Skopnik V. Ingeniero de Proyectos Ingeniería Solem Ltda. 7 Norte 1094, Viña del Mar, Chile Fono: +56 (32) 656021 Fax: +56 (32) 656016 Email: [EMAIL PROTECTED] Web: www.solem.cl __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to convert a buffer in DER format to a RSA structure?
It looks like len is uninitialized. I'm assuming you've populated the buf structure with the DER-encoded key from your database. You'll need to set len to be the length of the object retrieved from your database. For example: long len; unsigned char buf[1024]; RSA* pub_key; len = my_read_database(buf,sizeof(buf)); pub_key = d2i_RSAPublicKey(NULL,buf,len); On Sep 10, 2004, at 4:29 PM, Herbert Skopnik V. wrote: Joseph: Thanks for the answer, but I've used d2i_RSAPublicKey() and the application crashed with a segmentation fault. I'm using this piece of code: char buf[1024]; int len; RSA *PubKey; PubKey = d2i_RSAPublicKey(NULL, (const unsigned char **)buf, len); What's wrong? Best regards, Herbert | -Original Message- | From: [EMAIL PROTECTED] | [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni | Sent: Viernes, 10 de Septiembre de 2004 06:00 PM | To: [EMAIL PROTECTED] | Subject: Re: How to convert a buffer in DER format to a RSA structure? | | The d2i_* functions will convert from DER-encoded things to | Internal structures. The two you'll probably want are | | d2i_RSAPrivateKey() | d2i_RSAPublicKey() | | | | | On Sep 10, 2004, at 3:36 PM, Herbert Skopnik V. wrote: | | Hi everybody! | | I'm working in a project (transactional switch) which uses RSA | encryption to encrypt part of the transaction data. I'm | using RSA keys | in DER format stored in a database and I need to convert | this buffer | to a RSA structure, without using files (which is the | method I'm using | now). | | Does someone know how this could be accomplished? | | Any help would be really appreciated. | | Best regards, | | Herbert Skopnik V. | Ingeniero de Proyectos | Ingeniería Solem Ltda. | 7 Norte 1094, Viña del Mar, Chile | Fono: +56 (32) 656021 | Fax: +56 (32) 656016 | Email: [EMAIL PROTECTED] | Web: www.solem.cl | | | | __ | OpenSSL Project http://www.openssl.org | User Support Mailing List [EMAIL PROTECTED] | Automated List Manager [EMAIL PROTECTED] | __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to convert a buffer in DER format to a RSA structure?
I don't know what Rich said because it appears not to have been posted to the list. My only guess is that your database is having problems with binary data? What database are you using? On Sep 10, 2004, at 5:00 PM, Herbert Skopnik V. wrote: Joseph and Rich: In the previous code I obviated the len initialization, but it was initialized; and I used what Rich said. The application did not crashed, but I got this error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag I've not found any documentation about this error. Any help again? Best regards, Herbert | -Original Message- | From: [EMAIL PROTECTED] | [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni | Sent: Viernes, 10 de Septiembre de 2004 06:42 PM | To: [EMAIL PROTECTED] | Subject: Re: How to convert a buffer in DER format to a RSA structure? | | It looks like len is uninitialized. I'm assuming you've | populated the buf structure with the DER-encoded key from | your database. You'll need to set len to be the length of | the object retrieved from your database. For example: | | long len; | unsigned char buf[1024]; | RSA* pub_key; | | len = my_read_database(buf,sizeof(buf)); | pub_key = d2i_RSAPublicKey(NULL,buf,len); | | | | | | On Sep 10, 2004, at 4:29 PM, Herbert Skopnik V. wrote: | | Joseph: | | Thanks for the answer, but I've used d2i_RSAPublicKey() and the | application crashed with a segmentation fault. I'm using | this piece of | code: | | char buf[1024]; | int len; | RSA *PubKey; | | PubKey = d2i_RSAPublicKey(NULL, (const unsigned char **)buf, len); | | What's wrong? | | Best regards, | | Herbert | | | | -Original Message- | | From: [EMAIL PROTECTED] | | [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni | | Sent: Viernes, 10 de Septiembre de 2004 06:00 PM | | To: [EMAIL PROTECTED] | | Subject: Re: How to convert a buffer in DER format to a RSA | structure? | | | | The d2i_* functions will convert from DER-encoded things | to Internal | | structures. The two you'll probably want are | | | | d2i_RSAPrivateKey() | | d2i_RSAPublicKey() | | | | | | | | | | On Sep 10, 2004, at 3:36 PM, Herbert Skopnik V. wrote: | | | | Hi everybody! | | | | I'm working in a project (transactional switch) which uses RSA | | encryption to encrypt part of the transaction data. I'm | | using RSA keys | | in DER format stored in a database and I need to convert | | this buffer | | to a RSA structure, without using files (which is the | | method I'm using | | now). | | | | Does someone know how this could be accomplished? | | | | Any help would be really appreciated. | | | | Best regards, | | | | Herbert Skopnik V. | | Ingeniero de Proyectos | | Ingeniería Solem Ltda. | | 7 Norte 1094, Viña del Mar, Chile | | Fono: +56 (32) 656021 | | Fax: +56 (32) 656016 | | Email: [EMAIL PROTECTED] | | Web: www.solem.cl | | | | | | | | | | __ | | OpenSSL Project | http://www.openssl.org | | User Support Mailing List | [EMAIL PROTECTED] | | Automated List Manager | [EMAIL PROTECTED] | | | | __ | OpenSSL Project | http://www.openssl.org | User Support Mailing List | [EMAIL PROTECTED] | Automated List Manager | [EMAIL PROTECTED] | | | __ | OpenSSL Project http://www.openssl.org | User Support Mailing List [EMAIL PROTECTED] | Automated List Manager [EMAIL PROTECTED] | __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Reloading the CRL
The way I did it was to delete my SSL_CTX and build a new one. On Sep 9, 2004, at 7:38 AM, Ralf Haferkamp wrote: Hi, I am currently trying to implement CRL checking inside a server. I am now facing the problem, that I would like to trigger a reload of the CRL from disc if it has been updated, without restarting the server application. How can that be done. Is there any possiblity to remove a CRL for the X509_STORE, and trigger a reload? How do others solve this problem? -- regards, Ralf Haferkamp SUSE LINUX AG, Maxfeldstrasse 5, D-90409 Nuernberg T: +49-911-74053-0 F: +49-911-74053575 - [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificate expired error
Use the openssl x509 -dates option to view the actual dates in the certificate. Also check your system clock. On Sep 7, 2004, at 5:09 PM, Edward Chan wrote: Hi there, I had created a certificate to test with using OpenSSL. It is supposed to expire in Aug. 2005. I have been using it for the past few weeks. Then all of a sudden, I'm getting sslv3 alert certificate expired from SSL_accept(). What's going on? Thanks, Ed __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error during Cert Request
The text database used by the openssl ca command can only allow one certificate per subject. If you need to issue another certificate with the exact same subject, revoke the previous certificate first, even if the earlier certificate has expired. On Sep 7, 2004, at 3:03 PM, Areg Alimian wrote: Im using the OpenSSL Certificate Authority to generate X.509 v3 certs for TLS Client Authentication. After creating the CA Root cert and the private key, I generate a certificate request and then issue the command to get it signed by the CA. At this point I get the following error: 780:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_li b.c:329:group=CA_default name=unique_subject Could anyone please help me understand what this refers to. Thank you! -Areg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: setting CA certificate expiration to more than 30 days through conf file
The default_days in the REQ section doesn't do anything since a certificate request doesn't expire. The default_days is used in the CA section when making a certificate from a request. On Sep 8, 2004, at 5:29 PM, IB wrote: I'd like to create an own CA certificate that will last for more than 30 days. I tried to add the default_days attribute into [ req ] section but this attribute never gets applied. However, if I set -days through a CLI (command line) everything work fine. Any thoughts? hints? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificate expired error
Perhaps the issuer's certificate expired? (Assuming it's not a self-signed cert.) On Sep 8, 2004, at 5:53 PM, Edward Chan wrote: It says 2005, and my system clock is fine. But it seems to expire after 30 days. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni Sent: Wednesday, September 08, 2004 3:54 PM To: [EMAIL PROTECTED] Subject: Re: Certificate expired error Use the openssl x509 -dates option to view the actual dates in the certificate. Also check your system clock. On Sep 7, 2004, at 5:09 PM, Edward Chan wrote: Hi there, I had created a certificate to test with using OpenSSL. It is supposed to expire in Aug. 2005. I have been using it for the past few weeks. Then all of a sudden, I'm getting sslv3 alert certificate expired from SSL_accept(). What's going on? Thanks, Ed __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CRL signature failure
I applied the patch this morning and the server seems to be perfectly stable, even under conditions with a bazillion simultaneous in-bound connections. I'll keep an eye on it but I think your patch nailed the problem. Thanks! On Aug 28, 2004, at 5:40 PM, Dr. Stephen Henson wrote: I've attached a preliminary patch. It resolves the issue by avoiding the reordering of the revoked entries but has a side effect that CRLs no longer print out their original order. Let me know of any problems. I'll work out a cleaner fix later and commit it. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Memory Leak still in my app
Can you run your server for thousands of iterations to see if the memory continues to be consumed? Generally memory that has been allocated by the C library is not returned to the OS. Instead those pages are cached to handle future allocations without needing to request them from the OS. If your program continues to burn memory after thousands of iterations, you probably have a memory leak. Otherwise if it levels off it's probably just being cached. On Aug 31, 2004, at 5:53 PM, Carlos Roberto Zainos H wrote: So, I don't understand why after 100 consecutive connections the memory grows up 4.5 Kb something is not being freed, (bios are not problem) how can I see if the structures are freed?? (points to NULL) smime.p7s Description: S/MIME cryptographic signature
CRL signature failure
I wrote a bit earlier about a problem I'm having with regards to a server that is verifying client certificates against a CRL. I currently have about 2000 clients connected simultaneously. Without reason, the CRL object in my SSL_CTX goes bad and all new connection fail with the following error chain: X509_verify_cert_error_string() = CRL signature failure ### error:04077068:rsa routines:RSA_verify:bad signature ### error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib ### error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Only by bouncing the process can I get things working again. After removing the code that adds CRL checking to my SSL_CTX the server runs fine, but I obviously can no longer reject clients with revoked certs. In the OpenSSL book, the example that shows how to add CRL checking went through the process of adding a file lookup to the X509_STORE object. After poking around in the openssl source code a bit, I found a function called X509_STORE_add_crl(). Could the CRL object corruption be related to using the lookup? Would it be better to explicitly read in the X509_CRL object using a PEM_read function and then call this function to add it to the store? Or are these two methods equivalent? I also looked through the s_server and s_client code for examples on how to add a CRL but couldn't find anything; just the setting of the flags when -crl_check is on the command line. Bottom line, what is the proper way to do CRL checking? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CRL signature failure
I did as you suggested and dumped the CRL object from within the validation routine. Using the X509_STORE_CTX pointer passed in, I used the current_crl member to get to a X509_CRL pointer, and fed that to a PEM_write() routine. Interestingly, the PEM_write routine did NOT complain about the CRL. Examining the output file, it is exactly correct. So what's going on? Why am I getting this error (CRL sig failure) when the CRL object is not invalid? There doesn't seem to be a magic number of connections or duration as to when things go nuts. -Original Message- From: Dr. Stephen Henson [EMAIL PROTECTED] Sent: Aug 26, 2004 2:44 PM To: [EMAIL PROTECTED] Subject: Re: CRL signature failure On Thu, Aug 26, 2004, Joseph Bruni wrote: I wrote a bit earlier about a problem I'm having with regards to a server that is verifying client certificates against a CRL. I currently have about 2000 clients connected simultaneously. Without reason, the CRL object in my SSL_CTX goes bad and all new connection fail with the following error chain: X509_verify_cert_error_string() = CRL signature failure ### error:04077068:rsa routines:RSA_verify:bad signature ### error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib ### error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Only by bouncing the process can I get things working again. After removing the code that adds CRL checking to my SSL_CTX the server runs fine, but I obviously can no longer reject clients with revoked certs. In the OpenSSL book, the example that shows how to add CRL checking went through the process of adding a file lookup to the X509_STORE object. After poking around in the openssl source code a bit, I found a function called X509_STORE_add_crl(). Could the CRL object corruption be related to using the lookup? Would it be better to explicitly read in the X509_CRL object using a PEM_read function and then call this function to add it to the store? Or are these two methods equivalent? I also looked through the s_server and s_client code for examples on how to add a CRL but couldn't find anything; just the setting of the flags when -crl_check is on the command line. Bottom line, what is the proper way to do CRL checking? There shouldn't be a problem with the technique you are using. When a CRL is first looked up it is added to a cache and stays there, so apart form the intitial lookup there aren't any differences. It would help if you can dump out the CRL when you get this error to see if the CRL is really corrupted or something else strange is happening. Then use the CRL utility manually on the CRL to see if it verifies OK. You can do this by adding a PEM_write_X509_CRL() inside the verify callback triggered by the CRL signature error code. If that's not clear let me know and I'll give more details. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CRL bug?
I have a server that runs with many (1500) long-duration SSL connections. I am using
CRLs and have the CRL checking enabled when I'm building my SSL_CTX using the
following code:
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
if ( !store ) {
ERR_print_errors_syslog(LOG_ERR);
throw std::runtime_error(SSL_CTX_get_cert_store);
}
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if ( !lookup ) {
ERR_print_errors_syslog(LOG_ERR);
throw std::runtime_error(X509_STORE_add_lookup);
}
if (X509_load_crl_file(lookup,crl.pem,
X509_FILETYPE_PEM) != 1)
{
ERR_print_errors_syslog(LOG_ERR);
throw std::runtime_error(X509_load_crl_file);
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
The problem is that after running for several hours, all new connections start getting
rejected with a certificate revoked error. The actual error message also shows that
the RSA signature on the CRL has gone bad. Restarting the system or even causing a
rebuild of the SSL_CTX allows things to proceed.
Are there any known issues in 0.9.7d on OS X that might cause the CRL object to become
corrupt?
What is a good lifespan for a SSL_CTX? Should I rebuild it every six hours or
something?
I'm not using sessions.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Suggestions for the password storing
In a user's brain. Any file that is readable by the system is, well, readable, therefore is only as secure as the OS can make it. On OS X you could use the Keychain Services to store your password in an encrypted database, available via an API. This is available as Open Source if you're interested. http://www.opensource.apple.com/ Alternatively, you can use Bruce Schenier's Password Safe. I'm not sure it has an API, though. http://www.schneier.com/passsafe.html On Aug 9, 2004, at 2:21 PM, Carlos Roberto Zainos H wrote: Hi team!! I have a big question, where is an appropriate place to store the encryption password of the private key? I mean, the security base of the priv key is based on the password which is encrypted it (PKCS#1), so where will be a safe place to put this pwd in the client's computer (windows environement)??? Thanks in advance. Zainos Do You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: looking for server test script
The configuration and capabilities of the s_server are available in the s_server man pages. On Aug 5, 2004, at 8:07 AM, weijun jiang wrote: Thank Joseph. I am new to the ssl server, so I just like to if the s_server allow users to configure it to force the server to behave certain ways like reject the tls request and only accept the ssl. thanks, weijun -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni Sent: Wednesday, August 04, 2004 5:47 PM To: [EMAIL PROTECTED] Subject: Re: looking for server test script $openssl s_server... will do the server side of an SSL connection for you. If you need to set up an HTTP server, just fire up apache. On Aug 4, 2004, at 6:49 PM, weijun jiang wrote: Hi, I am looking for some test scripts that could be used as a server to test the http-based client. Does the SSL provide such tools? thanks, weijun __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems using X509_get_ext_d2i()
Or rather since this is C++: distpoints = reinterpret_castSTACK_OF(DISTPONT)* (X509_get_ex_d2i(...)); On Aug 4, 2004, at 7:37 AM, Dr. Stephen Henson wrote: Presumably your are trying this from C++ if so then you will need an explicit cast to the appropriate type, for example distpoints = (STACK_OF(DISTPONT) *)X509_get_ex_d2i(...); Steve. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: looking for server test script
$openssl s_server... will do the server side of an SSL connection for you. If you need to set up an HTTP server, just fire up apache. On Aug 4, 2004, at 6:49 PM, weijun jiang wrote: Hi, I am looking for some test scripts that could be used as a server to test the http-based client. Does the SSL provide such tools? thanks, weijun __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl newbie HELP!
It's been awhile since I've looked at OpenCA. The manual was almost impossible to read and seemed to be quite a rough translation from German. Do you know if any work has been done on cleaning that up in the past 12 months or so? On Aug 1, 2004, at 11:42 PM, Oliver Welter wrote: If you need revocation, crl management and so on for a lot of certificates or must provide a simple management console look at www.openca.org - the current 0.9.2 version is RC currently but quite usable for production. For more details send pm Oliver smime.p7s Description: S/MIME cryptographic signature
Re: max sessions
After even more studying of the sys/types.h header, I could see a MAJOR problem with the way fd_set is defined. It appears that this structure is defined as a wrapper around an array of bytes, the number of which determined by the FD_SETSIZE macro. The length of this is computed at COMPILE TIME. What's worse, the various macros like FD_ZERO, and friends do not do any sort of bounds checking. This means that when I called FD_SET() with a descriptor value greater than FD_SETSIZE, I was actually over-running a buffer. Talk about subtle!!! To fix this, I could simply #define my own value of FD_SETSIZE so that the size of the array is computed large enough to handle all the descriptors I need. (Adding a -D to my makefile). Caveat programmer... -Original Message- From: Geoff Thorpe [EMAIL PROTECTED] Sent: Jul 29, 2004 12:34 PM To: [EMAIL PROTECTED] Subject: Re: max sessions On July 29, 2004 02:20 pm, Joseph Bruni wrote: The other thing I noticed was that (according to the man page for select()) the results of the FD_ macros are undefined if the descriptor value is greater than FD_SETSIZE, which is 1024 on my system. I find this odd since the hard limit of the number of files any given process can have open is kern.maxfilesperproc = 10240. Is this a limitation of the POSIX API or could the man page for select() be wrong? Does anyone have any insight into the proper use of select() if the descriptor values are larger than FD_SETSIZE? Or maybe some other function that replaces select() for programs with LOTS of descriptors? I don't know which system you're runing, but perhaps you might have more luck with poll(2)? Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED] http://www.geoffthorpe.net/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
max sessions?
Hello all, I'm developing an application that is used as a messaging hub for thousands of users. The idea was that the users would maintain their SSL connections indefinitely because one would never know when a message was to be delivered and the messages need to be sent in near-real-time. So far, everything has been working great. I'm using POSIX threads and non-blocking I/O. With around 1000 busy connections, the system works flawlessly. Once I get to around 1040-1050 connections, my call to SSL_read() just never returns and seems to be getting stuck in an infinite loop. CPU utilization goes from a normal 2-3% up to over 170% (dual CPU system). One of the things I still need to try is to cause a core so that I can find out where it's actually hung up. I've done everything I'm supposed to with regards to registering the mutex functions for threads and I never share a connection between threads. A given connection is only ever managed by a single thread. I know the problem is not related to the number of file descriptors since I've already moved those limits out with a call to setrlimit(). I'm using OpenSSL 0.9.7d on Mac OS X 10.3.4. The OpenSSL library was compiled by me using the shared option rather than the library supplied by Apple (to avoid the memory leaks present in 0.9.7c). Is there some sort of inherent limitation in the OpenSSL library with regards to the number of simultaneous connections? Any advice on how to troubleshoot this would be appreciated. Tomorrow, I'm planning on trying out the latest snapshot of 0.9.8 to see if I get different behavior. Eventually, I'd like the system to handle around 4000 simultaneous connections. Joe __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
X509_REQ_print_ex()
Where might I find the documentation for X509_REQ_print_ex()? I've searched the man pages, the web site, and the source in ./crypto/asn1/t_req.c is uncommented. I really only need info on the nmflags and cflags parameters -- the others I can figure out. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: X509_get_subject_name
Perhaps if you could use gdb to display a stack trace, it would be
easier to locate the error.
-Original Message-
From: Jeff Fulmer [EMAIL PROTECTED]
Sent: May 13, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: Re: X509_get_subject_name
It didn't. It still core dumps on Red Hat systems.
On Tue, May 11, 2004 at 11:58:36AM -0600, Bommareddy, Satish (Satish) wrote:
I think the X509_NAME_oneline takes a buffer and length for arguments 2 and 3.
try
buf[256];
str = X509_NAME_oneline(X509_get_subject_name(C-cert), buf, 256);
see if that helps
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jeff Fulmer
Sent: Tuesday, May 11, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: X509_get_subject_name
Hello,
I'm the author of siege. That program is dumping core on Red Hat
systems in the following function: X509_get_subject_name
Here's the function which calls it:
BOOLEAN
SSL_initialize(CONN *C)
{
#ifdef HAVE_SSL
int serr;
char *str;
C-ssl= NULL;
C-ctx= NULL;
C-method = NULL;
C-cert = NULL;
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
C-method = SSLv2_client_method();
C-ctx= SSL_CTX_new(C-method);
C-ssl= SSL_new(C-ctx);
SSL_set_fd(C-ssl, C-sock);
serr = SSL_connect(C-ssl);
C-cert = SSL_get_peer_certificate(C-ssl);
str = X509_NAME_oneline(X509_get_subject_name(C-cert), 0, 0);
if(my.debug){printf(X509 subject: %s\n, str); fflush(stdout); }
str = X509_NAME_oneline(X509_get_issuer_name(C-cert), 0, 0);
if(my.debug){printf(X509 issuer: %s\n, str); fflush(stdout); }
X509_free(C-cert);
return TRUE;
#else
return FALSE;
#endif/*HAVE_SSL*/
}
Any thoughts?
--
#include stdio.h
int main(){int a[]={74,117,115,116,32,97,110,111,116,104,101,114,32, \
67,32,104,97,99,107,101,114,10,0}; int *b=a;while(*b0)putchar(*b++);}
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
#include stdio.h
int main(){int a[]={74,117,115,116,32,97,110,111,116,104,101,114,32, \
67,32,104,97,99,107,101,114,10,0}; int *b=a;while(*b0)putchar(*b++);}
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Query Verisign certificates
Try using the -enddate option to get the expiration date. On May 3, 2004, at 12:50 PM, Reese Williams wrote: Brand new to openssl. Anyone use openssl x509 -text -n /path/certificate-name.pem with a Verisign certificate to get expiration date? I have quite a few Apache and IIS 5.0 web servers and I am looking to automate in a script notifications concerning certificate expirations. Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_CTX_use_certificate_chain_file()
The man page for SSL_CTX_use_certificate_chain_file states: SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the certificate to the highest level (root CA). There is no corresponding function working on a single SSL object. My PKI hierarchy consists of three layers, a self-signed root CA that is owned by the corporate security group, a sub-CA that is responsible for distributing end-user certificates, and end users who receive certificates from the sub-CA. The server certificate is issued by the root CA. User certificates are issued by the sub-CA. The root certificate is loaded into the CTX using SSL_CTX_load_verify_locations() on both client and server applications. Now comes the question: o If I build a certificate chain file as described in the man page with all three certificates (user,sub-CA,root-CA), handshake fails. o If a build a certificate chain file with only two certificates (user,sub-CA), handshake succeeds. Why? Is this a bug? Or is there something more subtle going on? smime.p7s Description: S/MIME cryptographic signature
Re: how to load DER format CRL via my program?
d2i_X509_CRL_bio() On Mar 31, 2004, at 6:59 PM, wrote: how to load DER format CRL via my program? I see an example which is PEM format,the type para is X509_FILETYPE_PEM.And is not have a X509_FILETYPE_DER.so,how to load DER format CRL? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: EVP ciphers
I feel your pain. I too have tried looking through various headers and source files to find the definitions of things. To my dismay, I've found that the openssl group makes heavy use of C preprocessor macros for the definition of various functions and whatnot, which makes finding routine definitions damn near impossible. It may be that the functions you are looking for are macro-defined at cpp time. The C Preprocessor is Evil. -- Bjarne Stroustrup On Mar 28, 2004, at 2:53 AM, Sue_Office wrote: When looking into old OpenSSL tar's these routines existed in files within the crypto\evp directory, but they are missing from the latest versions. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: binaries built with openssl 0.9.7b running on openssl 0.9.6b or 0.9.6g
If you build your application on OS X or Darwin, you'll run into the really nasty problem where the LinkEditor will bind your app to shared libraries even if you specify static libraries. (I found this out the hard way.) Not fun. On Mar 19, 2004, at 9:52 AM, Mark Rowe wrote: Hi, Question If I build applications using a later version of openssl and run the compiled binaries on an operating system with earlier versions of openssl will there be any problems? Example: I build applications using openssl 0.9.7b on linux redhat version 7.2 with kernel 2.4.7 and gnu gcc 2.96 and then run these binaries on linux redhat version 7.2 with kernel 2.4.17 gnu gcc 2.96 that has openssl version 0.9.6g. Will there be any problems? Thanks -Mark- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Directory Structure
When you finish this, please post the results. It would make great documentation. :) On Mar 12, 2004, at 7:16 AM, Reginaldo de Oliveira Santos wrote: Hi., it´s my first time in this list and I have some questions. I wanna a map of the directory structure of the C code of OpenSSL 0.9.7c. I wanna know the functions of each directory like: apps, crypto, ssl, test. What´s the functions of each file inside that directories and for wich library or file it´s used in the compiled way. If someone can help, please do it!! It´s and University work. Thanks, anyway. -- Reginaldo de Oliveira Santos BRAZIL - UNESP - BAURU BCC 2003 -- Mensagem enviada pelo Webmail da Faculdade de Ciências __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Finding multiple PEM-encoded objects in a file
I know that it is possible to place multiple PEM-encoded objects into a single file. Is it possible to iterate through each item? The command-line tools only seem to work on the first one found. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: adding linker command line options
Thanks for the tip. It turns out there is already a do_darwin-shared:
target. It was missing the ${SHARED_LDFLAGS} variable after the ${CC}
variable. And the line in Configure that begins with darwin-ppc-cc
didn't have the -prebind option in the place that would set
${SHARED_LDFLAGS}. I needed to make the change to Makefile.org so that
Configure wouldn't overwrite my changes when it regenerated the
Makefile.ssl.
After only making those two line changes, my dylib's were prebound.
That got Xcode to stop whining.
On Mar 11, 2004, at 9:30 AM, ViSolve OpenSSL Support wrote:
Hello,
For OpenSSL, there is no -prebind configure option. You need to
edit Makefile.ssl (as you guessed) under your OS-specific shared
section (identified by do_OS Name-shared ) to add any options
for building shared libraries. For what it is worth, an example is
shown below:
# ./Configure shared --openssldir=/opt/iexpress YOUR OS name
Edit the shared section of Makefile.ssl as shown below:
do_YOUR OS name-shared:
for i in ${SHLIBDIRS}; do \
if [ ${SHLIBDIRS} = ssl -a -n $(LIBKRB5) ]; then \
libs=$(LIBKRB5) $$libs; \
fi; \
( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
+vnocompatwarnings \
-prebind \
-b -z +s \
-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Fl lib$$i.a -ldld -lc ) || exit 1; \
chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
done
# gmake
Regards,
ViSolve Security Consulting Group
Email: [EMAIL PROTECTED]
www.visolve.com
- Original Message -
From: Joseph Bruni [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 10, 2004 1:56 AM
Subject: adding linker command line options
I want to be able to add the -prebind command line option to the
link
phase when building shared libraries. Is there way to do this from
configure
or do I just hack the Makefile.
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
custom stuff in a certificate
I'm working on a server that will handle connections from clients on two different interfaces -- a public interface and a private. What I would like to do is somehow encode into a certificate which interface the client is allowed to connect on. (I realize that there is no technical reason for a client preferring one interface over the other, but this is for a business/political reason. Clients allowed to connect via the private interface must be excluded from the public interface and vis versa.) How would I go about encoding my own information into a certificate like this? I'm guessing it has something to do with OID's, but I know nothing about creating my own. I figure that if I could encode the allowed interface name into an OID, then during certificate validation I could compare that field to the interface they connected on. If this is the right track, could someone direct me to the resources I should study for creating OIDs that don't create conflicts with existing OIDs? smime.p7s Description: S/MIME cryptographic signature
Re: to the owner
I don't think that those are coming from the list server itself, but rather from from hosts within the list subscribers' networks. On Mar 6, 2004, at 11:20 AM, Robin Lynn Frank wrote: At least set it to NEVER send you have a virus notifications. There is no excuse for that in an era of forged addresses. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: cURL and HTTPS
Could you post the curl command line that you're using? You might just be missing a param or two. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How can I use random device in AIX?
I thought 5L had /dev/random. Are you running an older version of AIX? On Mar 3, 2004, at 5:21 AM, todayhill wrote: I am using IBM AIX System and DO NOT have /dev/random device. I see I can use EGADS or EGD.But how can I use them?For example,my code: RSA_public_encrypt(fromLen, fromBuf, tmpBuf, pubKey-pkey.rsa,RSA_PKCS1_PADDING); always return -1 in AIX,I just need install EGADS or EGD?Can I need write some other codes? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
I don't know about that. During the latest Windows exploit virus blast (when are they going to fix their stuff?) I kept getting bombed by AV bounces aimed at openssl-users-l. Not to mention that the list was DOWN during that time as well. A good number of my posts just got timed out by my legitimate SMTP relay. On Mar 2, 2004, at 2:15 PM, L Nehring wrote: Have we now crossed the threshold where there are more off-topic messages discussing spam than spam messages themselves? There just doesn't seem to be a real need to take any action at all given the small number of UCE or antivirus bounce messages. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificate chain
There is a really good example of how to do that in O'Reilly's Network Security with OpenSSL. You can also download the source from http://www.opensslbook.com/. After downloading the source, check out example 10-7. On Feb 24, 2004, at 12:07 PM, Manuel Sánchez Cuenca wrote: Hello all, Anybody can tell me how can I verify a certificate chain in a C program? Thanks in advance. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
memory leak in OpenSSL?
I have a server that I've written using OpenSSL on Mac OS X that has been running for a few weeks now. Using the leaks command, I am getting the following report: Leak: 0x003130b0 size=32 0x 0x0030a0c0 0x0030a0e0 0x0030d060 0x 0x1381c88d 0x 0x00010002 Call stack: [thread 96a9e04f]: | 0x0 | _pthread_body | 0x8f90 | 0x861c | ssl3_accept | ssl3_get_client_key_exchange | RSA_eay_private_decrypt | setup_blinding | BN_BLINDING_new | CRYPTO_malloc | malloc | malloc_zone_malloc This is repeated many times and only in this exact call chain. (Leaks is reporting the call chain from where the block was originally allocated, not where the last reference was removed.) Is this a bug in OpenSSL or a false positive in Leaks? I'm using the version of openssl as supplied by apple in os x 10.3.2. silverlining:~ brunij$ openssl version OpenSSL 0.9.7b 10 Apr 2003 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Unorthodox SSL Questions
Question: Why the proxy? Perhaps a simple NAT router would suffice. On Feb 17, 2004, at 1:03 PM, Marton Anka wrote: The second question is, can this be improved? For example, can we get rid of the decryption/re-encryption phase? Can I somehow manage to get both Host and Client to negotiate the same cipher suite and session key? I have total control over the code that runs on Proxy and Host, but Client can be any web browser. Please note that I am just an ordinary SSL user and do not understand its internal workings to 100% - so I apologize if the latter question is dumb. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
attributes for CSR via command line
Hello, I'm writing a small GUI app that builds an x509 cert. request and simply shells out to the command line in order to actually build the req. I've noticed that when I specify the subject on the command line (-subj), both the distinguished name and attributes sections in the configuration file are ignored (as I expected). What I did not expect is that there seems to be no way to specify attributes in this manner. Is this true or am I missing something? Specifically, I would like to be able to add the challengePassword attribute via the command line. Regards, Joseph smime.p7s Description: S/MIME cryptographic signature
Re: PHP ftp_ssl_connect - secure ftp via openssl
Take a look at the scp program also which is another program that uses the SSH protocol. Some other ideas are rsync over SSH, or you could use curl which will support HTTPS. If the files don't change much, or if you need to sync up entire directories, rsync is the way to go. FTP/SSL is a different protocol and not that common. On Jan 20, 2004, at 7:56 PM, Mitch Sink wrote: Hi, Red Hat 9 (both systems) I need a secure way to transfer files between two systems running Red Hat Linux 9 by running a program or script from a cron. I would like to run a PHP program from the cron that calls ftp_ssl_connect to create a secure ftp connectiony using openssl: http://www.php.net/manual/en/function.ftp-ssl-connect.php ftp_ssl_connect -- Opens an Secure SSL-FTP connection I can connect to the remote host manually using sftp. I can't connect manually using regular ftp (its been turned off for security purposes). Is the problem that the remote server needs to be running ftp or vsftp instead of sftp? Thanks! Mitch __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME cryptographic signature
NON-BLOCKING I/O
I have yet another question regarding non-blocking I/O and the OpenSSL library. With normal sockets that have been set to non-blocking, an attempt to read when no data is present will return an EAGAIN. In my case, no data on a read is fine, since that just means there are no messages to pick up. Before the call to SSL_read, I could call select to check to make sure there is nothing ready. But, from our previous discussion, select might indicate that there is data available that is protocol related (renegotiation). This would cause me to call SSL_read. From my reading of the SSL_read man page, if I call SSL_read and there is no data, I will receive a WANT_READ error (or possibly a WANT_WRITE) if the underlying media can't fulfill the request. It is also my understanding that should I get a WANT result, the only thing I can do is to retry the call when it can be fulfilled. However, if no data is a valid condition, and I receive a WANT result, then does that mean I can't call SSL_WRITE to send a message? How can I allow the library to handle renegotiations, but also be able to handle the situation where there is no application data? Joe __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
NON-BLOCKING I/O
As a quick follow-up to my previous question. If I call SSL_read and receive a WANT result, does that also preclude me from calling SSL_write if the socket is currently writable? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: NON-BLOCKING I/O
No. My understanding of ZERO_RETURN means that the SSL session has been closed down by the other end. I've been doing some experimenting, and a no-data condition results in a WANT-READ. I just want to know if that means I'm stuck, unable to send data, until something arrives. -Original Message- From: [EMAIL PROTECTED] Sent: Jan 19, 2004 10:14 AM To: [EMAIL PROTECTED] Subject: Re: NON-BLOCKING I/O brfont size=2 face=sans-serifSomebody please correct me if I'm wrong, but I believe in that case you'd receive a separate error, SSL_ERROR_ZERO_RETURN. I have, for example, experienced conditions where the end of data transmission occurred precisely on my reading buffer size. So the next SSL_raed() that I attempt results in zero data and thus SSL_ERROR_ZERO_RETURN. Is that similar to the scenario you have in mind?/font br brfont size=2 face=sans-serif-- kov/font br br br brfont size=2ttFrom my reading of the SSL_read man page, if I call SSL_read and there is no data, I willbr receive a WANT_READ error (or possibly a WANT_WRITE) if the underlying media can'tbr fulfill the request.br /tt/font brfont size=2ttIt is also my understanding that should I get a WANT result, the only thing I can dobr is to retry the call when it can be fulfilled. However, if no data is a valid condition,br and I receive a WANT result, then does that mean I can't call SSL_WRITE to send a message?br /tt/font br __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: determining incoming connection address using BIOs
int sk; BIO_get_fd(bio,sk); getpeername(sk,address,address_len); On Jan 19, 2004, at 4:44 PM, Zac Hansen wrote: I'm trying to figure out how to get the client address/port when using BIOs to accept new connections. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_MODE_AUTO_RETRY and non-blocking sockets
After reading the man page for SSL_CTX_set_mode, I have to ask, what happens if you set AUTO_RETRY with a non-blocking socket? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_MODE_AUTO_RETRY and non-blocking sockets
On Jan 16, 2004, at 5:57 PM, Dr. Stephen Henson wrote: On Fri, Jan 16, 2004, Joseph Bruni wrote: After reading the man page for SSL_CTX_set_mode, I have to ask, what happens if you set AUTO_RETRY with a non-blocking socket? The AUTO_RETRY flag disables a case where the SSL/TLS code would signal a retry even though the underlying transport did not during a session renegotiation. This is there to support some applications which brokenly use select() and blocking I/O. Now you have me curious: What would be a broken use of select and blocking I/O? I use select before a call to SSL_read in order to facilitate a timeout. Is this wrong (or broken)? (If I receive one of the WANT errors, I just restart the I/O however.) My program makes the assumption that if it hears nothing on the read side of the socket during a period of time, that something is wrong. Currently, I don't like the way my I/O loop is working so I'm probably going to switch to non-blocking anyway. smime.p7s Description: S/MIME cryptographic signature
Re: SSL_MODE_AUTO_RETRY and non-blocking sockets
On Jan 16, 2004, at 8:26 PM, David Schwartz wrote: The AUTO_RETRY flag disables a case where the SSL/TLS code would signal a retry even though the underlying transport did not during a session renegotiation. This is there to support some applications which brokenly use select() and blocking I/O. Now you have me curious: What would be a broken use of select and blocking I/O? I use select before a call to SSL_read in order to facilitate a timeout. Is this wrong (or broken)? Yes, it's wrong/broken. (If I receive one of the WANT errors, I just restart the I/O however.) My program makes the assumption that if it hears nothing on the read side of the socket during a period of time, that something is wrong. But what if SSL_read didn't get enough data to decode anything? Then it will wind up blocking on the socket, which is exactly what you did't want to happen. Currently, I don't like the way my I/O loop is working so I'm probably going to switch to non-blocking anyway. If you never, ever want to block, just set the socket non-blocking. Otherwise, there can always be corner cases where you can block indefinitely. Now that I think it through, I can imagine a situation where this would be true. Select would only indicate that there was something on the read fd. That data might be protocol related (a re-negotiate, or only part of a record) and there might be NO application-level data. My program would then call SSL_read() and block forever since no application data has arrived, just as you described. I think the thing that is most lacking in OpenSSL is the use of library-level threads apart from the application's main threads. I understand the need to be cross-platform, but if the library created a couple threads for handling I/O even when the application wasn't, I think it would go a long way to making the application programmer's life easier. Perhaps this could be done similarly to the way mutexes are set up, by asking the application programmer to register a function that creates new threads. Obviously, those threads would need to be detached by default to avoid memory leaks. Or maybe, there could be a heartbeat function supplied by OpenSSL that an application could call periodically to simulate threads. Basically, the application would call this heartbeat function repeatedly in order to give the library CPU time to perform its functions. An application programmer could just wrap this in a platform-specific threaded function. This would be similar to the way a unix process gives up CPU time by making system calls. Any time the heartbeat was called, the library could move data in and out of its various IO objects into buffers. The downside of this would be that the application could be burning a lot of CPU if nothing needs be done. I vote to move SSL into the kernel! :) Sigh... I guess the only real way to let OpenSSL do its thing most effectively is to use non-blocking I/O. Which means I'll need to get unlazy and actually design a decent I/O loop. smime.p7s Description: S/MIME cryptographic signature
Re: compatibility_version incorrect in 0.9.7c on OSX 10.3
Yep. Reinstall. Panther ships with 0.9.7b. If you want to build your own, put it into /usr/local. On Jan 8, 2004, at 8:03 PM, Ian C Roberts wrote: I have just had this problem and am very stuck. I have an xserve which is colocated, I tried to install another openssl installation and instead of putting it in /usr/local/lib I put prefix=/usr ... a! The web server is working fine, but I cant ssh or ftp or anything into the machine. Does this mean a rebuild? Can I take my ipod to the data centre and take copies of the libs and headers from another 10.3 server installation? What is the best course of action. Am I in real trouble? Please help me i m in a desperate state of mind, Ian smime.p7s Description: S/MIME cryptographic signature
Re: OpenSSL: threading question
On Jan 6, 2004, at 12:47 AM, David Schwartz wrote: In most cases multi threads and only one SOCKET don't really get along. I'm not sure why you'd say that. For TCP, reading and writing are totally independent. Using a pool of threads for I/O is quite common to protect against ambush (when an operation that shouldn't block unexpectedly does) or to take advantage of SMP machines. Indeed, before the advent of threads one could (on unix anyway) handle reading and writing of a single tcp connection via two separate processes since child processes inherit all open descriptors of the parent. [I suspect (based on the all-caps spelling of SOCKET and the sample code provided earlier) that Mr. Giudicelli speaks from a Windows perspective, which doesn't handle multiple processes very well, and certainly does not abstract tcp sockets into simple file descriptors the way unix does.] smime.p7s Description: S/MIME cryptographic signature
Re: OpenSSL: threading question
I'm glad this discussion happened about now. I, too, am implementing a query/response system and I've been thinking about putting the read and write cycles into different threads. My reason for wanting to do this would be to allow the server, which sends the initial message, waits for a response to move on to the next message. If I did this in a single thread, everything would work fine. My only concern was to be able to handle the case were the client closed the connection when there were no more messages pending. Since the server only does an SSL_read after sending a message, it would never receive the close-notify until another message became available. For some clients, the time between messages might be days. Since I need to detect dead clients, I considered the use of keep-alives. This would give me a write/read cycle that should reap a close-notify if one is pending. My other thought (which has been dashed to pieces with this discussion thread) was to have a single global reader thread to receive potential close-notifies. Since my message server will have potentially thousands of simultaneous connections, the last thing I want to do is switch to a non-blocking/polling style. (I would prefer a lot of threads blocked on I/O than a few threads spinning in circles.) Any suggestions? On Jan 5, 2004, at 5:22 PM, Frédéric Giudicelli wrote: Right on ! May I ask a silly question? Why would you do such a weird thing in the first place? (maybe we should have started from there) :) Frédéric Giudicelli http://www.newpki.org smime.p7s Description: S/MIME cryptographic signature
Re: OpenSSL: threading question
An excellent reference to OpenSSL programming can be found in the O'Reilly book: http://www.oreilly.com/catalog/openssl/index.html Lot's of really good stuff here about common mistakes (like not initializing mutexes...). The book was written for 0.9.6 with a few references to some features in 0.9.7, but most of it should still be current. I highly recommend it considering the current state of the man pages. On Jan 5, 2004, at 1:08 PM, Frédéric Giudicelli wrote: I just learned a few weeks ago that libcrypto and libssl did not initialize the MUTEX functions used internally, the application had to do it by itself. I guess (never really checked) my segfault problem was coming from there (see CRYPTO_set_locking_callback, CRYPTO_set_dynlock_create_callback, CRYPTO_set_dynlock_lock_callback, and CRYPTO_set_dynlock_destroy_callback). smime.p7s Description: S/MIME cryptographic signature
expired CRL
I've run into an interesting situation and need some advice. I'm building a server that will be validating clients via certs. So, I've coded this to handle CRLs, but I've encountered that if a CRL has expired no certificates related to that CA are considered valid. I'm not sure this a good way to go because I don't want to shut down communications just because of a CRL that hasn't been updated. The certificates that had been revoked are still revoked! I thought about testing the CRL before loading it, but then that means anyone can connect with a cert. that has been revoked. The other approach would be to set the nextUpdate field of the CRL farther into the future. Any suggestions on this? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: expired CRL
Gotcha. So it would be safe to assume that almost nobody uses CRLs since none of the software I use that does SSL seems to worry about the presence (or lack) of a CRL. Wonderful. That really inspires confidence. I'll just bump the nextUpdate field out and make sure that the CA is keeping the CRL up-to-date. On Dec 29, 2003, at 7:19 PM, Dr. Stephen Henson wrote: The reason this is often done is that if you allow an expired CRL to be used then someone could use a revoked certificate that hadn't been revoked in the expired CRL but has been revoked in the current one. Steve. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Issue with developing client and server with OpenSSL
Check out the pair of functions htonl() and ntohl() which are part of the sockets library. If you need to flip port numbers, you can use htons() and ntohs(). (By the way, your little-endian'ness is due to your x86 hardware, not Linux. Linux runs on big-endian systems also.) On Nov 23, 2003, at 8:48 PM, Srilekha Krishnamurthy wrote: But this function stores the ip address in big endian format and I need to store this in little endian format as it is linux box. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: subjectAltName=email:move
I had tried that as well with no success, which is what is leading me to believe this is a bug. In the CSR, I have the emailAddress field set in the DN. In the CA section of the configuration file, I have subjectAltName=email:move in the section referenced from the x509_extensions option: x509_extensions = email_extensions [ email_extensions ] subjectAltName = email:move When the cert. is created, the X509v3 Subject Alternative Name field is set to the string EMPTY and the emailAddress that was formerly in the DN is no longer present. If I use the email:copy directive, the DN still has the emailAddress field (not removed), and the X509v3 Subject Alternative Name in the extensions part is still set to EMPTY. For whatever reason, the email:move and email:copy directives are not populating the X509v3 Subject Alternative Name with any meaningful data. On Friday, November 21, 2003, at 01:25AM, Richard Levitte - VMS Whacker [EMAIL PROTECTED] wrote: In message [EMAIL PROTECTED] on Thu, 20 Nov 2003 19:56:23 -0700, Joseph Bruni [EMAIL PROTECTED] said: jbruni I've been trying to get the subjectAltName=email:move directive to jbruni work in the ca command with no luck, so I think this might be a bug. jbruni jbruni It seems that the only way I can get this to work is to manually set jbruni the line in the CA section to something like: jbruni jbruni subjectAltName=email:[EMAIL PROTECTED] jbruni jbruni This isn't very flexible if I must edit this file for every cert. I jbruni want to sign. jbruni jbruni If I try to use either the move or copy options, the jbruni X509v3 Subject Alternative Name: extension ends up being jbruni EMPTY. Where do you expect the email address to come from? The email:copy and email:move are designed to copy or move an email address found in the subject RDN with the attribute type emailAddress. So basically, if you have a subject DN that looks like this: C=SE, L= Stockholm, CN=Richard Levitte, [EMAIL PROTECTED] ... the following can be expected: 1. with subjectAltName=email:copy: [EMAIL PROTECTED] in an email subjectAltName. Subject is unchanged. 1. with subjectAltName=email:move: [EMAIL PROTECTED] in an email subjectAltName. Subject is now C=SE, L= Stockholm, CN=Richard Levitte jbruni I have tried to get this to work two different ways: the first jbruni with the subjectAltName in the DN, and the second in the jbruni attributes section of the CSR. Uhmm, subjectAltName has no business being inside any DN. It's a certificate extension, pure and simple. - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. You don't have to be rich, a $10 donation is appreciated! -- Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. -- PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
subjectAltName=email:move
I've been poking around in the v3_alt.c file to try to determine why the email address is not getting copied or moved into the extension. After sprinkling in a few debug statements, it looks like the copy_email() function is broken and never enters the while loop. Even though the DN has an 'emailAddress' field, this function is unable to locate it, and no value is getting copied into the v3 extensions. This function is only called in response to an email:move or and email:copy directive. If this function is broken, it would explain why hard-coding in an email address works whereas the copy/move directives do not. I will continue to analyze this function to determine why it's not working. I post this with the hope that someone more familiar with it can reach a solution faster than I can. -- PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: subjectAltName=email:move
Do I ever feel like an idiot. I was building a minimalist configuration file for you and, lo, it started working -- on all versions of 0.9.7 that I have been experimenting with (a,b,c). After a little more experimentation to figure out why this suddenly started working, I uncovered my mistake: I was missing the emailAddress field in the policy section for the CA command. Since I did not want the emailAddress in the DN, I removed this from the policy, which broke the email:move directive. It appears that the email:move takes place AFTER the policy is evaluated and the cert. DN is built. So that even though emailAddress appears in the CA policy, it will NOT appear in the DN if the subjectAltName=email:move is in force. Sorry for the list noise, but this does seem a bit obscure. Perhaps even obtuse. :) On a related note, how does this work for the other types of general names (e.g. DNS, IP)? Looking through the v3_alt.c I don't see any code that moves or copies DNS or IP values from the DN into alternative names extensions. Do all these other general names types need to be hard-coded in the config? (or at least hard-coded into the extensions file?) On Nov 21, 2003, at 4:51 PM, Dr. Stephen Henson wrote: On Sat, Nov 22, 2003, Dr. Stephen Henson wrote: On Sat, Nov 22, 2003, Dr. Stephen Henson wrote: On Fri, Nov 21, 2003, Joseph Bruni wrote: I've been poking around in the v3_alt.c file to try to determine why the email address is not getting copied or moved into the extension. After sprinkling in a few debug statements, it looks like the copy_email() function is broken and never enters the while loop. Even though the DN has an 'emailAddress' field, this function is unable to locate it, and no value is getting copied into the v3 extensions. This function is only called in response to an email:move or and email:copy directive. If this function is broken, it would explain why hard-coding in an email address works whereas the copy/move directives do not. I will continue to analyze this function to determine why it's not working. I post this with the hope that someone more familiar with it can reach a solution faster than I can. OK, someone's woke me up now. I'll look at it :-) I've just tried this against OpenSSL 0.9.7c and it seems to work fine. Could you send me your openssl.cnf and tell me the exact commands you are using to get this behaviour? Oh and which version of OpenSSL are you using? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: match a certificate to a private key
Given an RSA private key, you can regenerate its matching public key with this: % openssl rsa -in privatekey.pem -pubout key1.pem The public key in a certificate can be extracted with this: % openssl x509 -in certificate.pem -pubout -noout key2.pem With the two public keys, you should be able to compare the two to find a match. The following will display all the fields of the public keys. % openssl rsa -in keyX.pem -pubin -text -noout There may be a way to automate this, but I don't see anything in the man pages (yet). On Nov 20, 2003, at 3:35 AM, Jia L Wu wrote: Hi, Given a x509 certificate or several certificates (e.g. produced from openssl pkcs7 -out_prints), which openssl command or function can I use to find the certificate that matches the private key or check if they are match? Thank you. Wu __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME cryptographic signature
subjectAltName=email:move broken
Hello all, I've been trying to get the subjectAltName=email:move directive to work in the ca command with no luck. I think this is a bug. It seems that the only way I can get this to work is to manually set the line in the CA section to something like: subjectAltName=email:[EMAIL PROTECTED] This isn't very flexible if I must edit this file for every cert. I want to sign. If I try to use either the move or copy options, the X509v3 Subject Alternative Name: extension ends up being EMPTY. I have tried to get this to work two different ways: the first with the subjectAltName in the DN, and the second in the attributes section of the CSR. I've tried with the subjectAltName having the email: prefix and without in both the DN and in the attributes. For the life of me, I cannot get the move to work. Has anyone ever gotten this to work aside from hard-coding the email address in the CA section? Joseph Bruni smime.p7s Description: S/MIME cryptographic signature
