Re: SSL without Key?
Hi David

You install a certificate for Windows IIS by using the Keymanager key generation wizard, then generate a certificate key request and then have a CA sign the certificate and install it. Detailed instructions are available in the Windows help system. I'm guessing it is analogous for other Windows servers such as Outlook.

In any event, Microsoft being proprietary probably has no ability to work with or use OpenSSL certificates. But then, OpenSSL can't work with Java Cryptography extension-generated KeyStores. So, your SSL artifacts (ie keys) will always be product-specific.

David ARMOUR [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/21/2004 09:31 AM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: SSL without Key?

Email clients such as Outlook can have a SSL connection to the server as an option. However when these options are selected, the user does not have to provide a key. How does such a system create an SSL connection? How could I use SSL to emulate such action?

Regards.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSL without Key?
This is great information, Can you point me to a HOWTO or other resource regarding importing SSL certs into IIS?

Thanks Charles!

Charles B Cranston [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/21/2004 10:04 AM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: SSL without Key?

I don't think this is correct at all. I use OpenSSL to generate certificates that are used on Microsoft IIS servers and IBM HTTP servers and Novell eDirectory LDAP servers and IBM Directory Server LDAP servers and all sorts of servers.

Now, the vendors may not make it EASY to use non-proprietary certs, and may SUGGEST in their documentation that it does not work (as well)[0,1] with them, and the salesmen certainly may SAY that it does not (really)[0,1] work (well)[0,1] but there is no particular reason you should believe them :-)

The answer to the original question is: Only one side needs to have a certificate, so if the server has a certificate, the client can make up a random key (called a session key) and encrypt it with the public key from the certificate, send it up the link to the server, then the server can DECRYPT it with its private (or secret key). Now both sides know the random session key and can use it in a traditional (e.g., non-public) encryption like DES or AES1.

Peter O Sigurdson wrote:

> Hi David
>
> You install a certificate for Windows IIS by using the Keymanager key generation wizard, then generate a certificate key request and then have a CA sign the certificate and install it. Detailed instructions are available in the Windows help system. I'm guessing it is analogous for other Windows servers such as Outlook.
>
> In any event, Microsoft being proprietary probably has no ability to work with or use OpenSSL certificates. But then, OpenSSL can't work with Java Cryptography extension-generated KeyStores. So, your SSL artifacts (ie keys) will always be product-specific.
>
> David ARMOUR [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> 10/21/2004 09:31 AM
> Please respond to openssl-users
> To: [EMAIL PROTECTED]
> cc:
> Subject: SSL without Key?
>
> Email clients such as Outlook can have a SSL connection to the server as an option. However when these options are selected, the user does not have to provide a key. How does such a system create an SSL connection? How could I use SSL to emulate such action?
>
> Regards.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
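The one-sided exchange described in the reply above, as an added example that is not part of the original thread: only the server holds a key pair, and the client wraps a random session key with the public key taken from the server's certificate. The host name, file names and message are constructed, and the handshake is simplified (a real SSL/TLS handshake derives the symmetric keys from the exchanged secret rather than using it directly).

```shell
# Added illustration; host name, file names and message are constructed.
key_transport_demo() {
    work=$(mktemp -d)
    (
        set -e
        trap 'rm -rf "$work"' EXIT
        cd "$work"
        # Minimal request config so the demo does not depend on a system openssl.cnf.
        printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf

        # Server: private key plus a self-signed certificate.
        openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=mail.example.test" \
            -keyout server.key -out server.crt 2>/dev/null

        # Client: has no key of its own, only the certificate the server sent.
        openssl x509 -in server.crt -pubkey -noout > server.pub

        # Client: make up a random 256-bit session key and wrap it with the
        # server's public key (RSA-OAEP).
        openssl rand -hex 32 > session.key
        openssl pkeyutl -encrypt -pubin -inkey server.pub \
            -pkeyopt rsa_padding_mode:oaep -in session.key -out session.wrapped

        # Server: unwrap with the private key; no other party can.
        openssl pkeyutl -decrypt -inkey server.key \
            -pkeyopt rsa_padding_mode:oaep -in session.wrapped -out session.server

        # Both ends now hold the same key and switch to a symmetric cipher.
        iv=$(openssl rand -hex 16)   # travels in the clear next to the ciphertext
        printf 'hello over the encrypted link' |
            openssl enc -aes-256-cbc -K "$(cat session.key)" -iv "$iv" -out msg.enc
        openssl enc -d -aes-256-cbc -K "$(cat session.server)" -iv "$iv" -in msg.enc
    )
}
```

Calling `key_transport_demo` prints the message as recovered on the server side with the unwrapped key.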
'ml' is not recognized as an internal or external command, operable program or batch file. NMAKE : fatal error U1077: 'ml' : return code '0x1'
Greetings,

I'm trying to compile OpenSSL for Windows. I am using openssl-0.9.7d

Everything goes well until I get to the part about nmake -f ms\ntdll.mak

The error message is:

'ml' is not recognized as an internal or external command, operable program or batch file.
NMAKE : fatal error U1077: 'ml' : return code '0x1'

Can anyone advise me on how to get around this. I am compiling on a Windows XP host using Microsoft C++ version 7

C:\openssl-source\openssl-0.9.7d>nmake -f ms\ntdll.mak
Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
Building OpenSSL
copy nul+ .\crypto\buildinf.h tmp32dll\buildinf.h
nul
.\crypto\buildinf.h
1 file(s) copied.
ml /Cp /coff /c /Cx /Focrypto\md5\asm\m5_win32.obj .\crypto\md5\asm\m5_win32.asm
'ml' is not recognized as an internal or external command, operable program or batch file.
NMAKE : fatal error U1077: 'ml' : return code '0x1'
Stop.
C:\openssl-source\openssl-0.9.7d>
Re: Microsoft Web server can use OpenSSL?
I'm pretty sure that IIS servers can only work with the certificate you generate via the IIS server certificate wizard.

Nguyen, LocX Q [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/01/2004 12:08 PM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Microsoft Web server can use OpenSSL?

Hi,

I am new to OpenSSL, any suggestion is appreciated. My question is: is it possible to force my Microsoft Web server (Windows Server 2003) to use OpenSSL? If so, then how?

Many thanks,
Loc
Re: Mac users bypass SSL
One reason I can think of is that if you wanted to PREVENT anyone WITHOUT the certificate from accessing your site. That is, you could mail out diskettes with the cert file to use as a perimeter defense.

David Schwartz [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/24/2004 02:31 AM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: Mac users bypass SSL

kloomis wrote:

> Hello:
>
> I am using SSL with Apache 2.0 to run a secure website. The problem I have is that Mac users using Internet Explorer open the site without encryption. They access it via an https:\\ address but they don't get asked to accept a security certificate and the site opens for them. PC users are required to accept the certificate before they get access. How can I fix this.

It's not clear to me why you think this is a problem. If there is some reason they should be required to accept the security certificate, and they aren't being required to, then it's a problem. But if there's no reason they should be required to accept the certificate, then it's not a problem if they're not being required to.

So what is the reason that they should be forced to accept the certificate?

DS
you mean Network Security with OpenSSL ? RE: how do i use a CRL file to verify a certificate against?
Do you mean the book

Network Security with OpenSSL
Cryptography for Secure Communications
By John Viega, Matt Messier, Pravir Chandra
June 2002
ISBN: 0-596-00270-X

or is there another SSL book by O'Reilly?

Network Security with OpenSSL is NOT an optional read if you work with this stuff. You can get it by subscribing to safari.oreilly.com, which is a great investment.

Lee Baydush [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/21/2004 11:40 AM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: RE: how do i use a CRL file to verify a certificate against?

ok. You get the CDP from the certificate, load the CRL from the CDP, verify the CRL against the root cert. to verify that the signature matches, it has not expired, etc., then see if the cert's number is in the CRL. Check out the book 'OpenSSL' by O'Reilly. It walks you through all that, or you can examine some of the samples that call routines like X509_verify_cert().

-----Original Message-----
From: Jon Bendtsen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 9:50 AM
To: [EMAIL PROTECTED]
Subject: Re: how do i use a CRL file to verify a certificate against?

On 21 Sep 2004, at 15:43, Lee Baydush wrote:

> You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root ca has been compromised, that is when you usually hit the big red panic button and shut down the shop.

no no, it's not the root ca that has been revoked, but a certificate that was signed by the root ca. I would like to know if the certificate has been revoked, and i would expect i could verify against a CRL

JonB
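The CRL check discussed in this thread, as an added example that is not part of the original messages: a throwaway CA issues a leaf certificate, optionally revokes it, publishes a CRL, and the leaf is then verified against that CRL. The CA layout, subjects and file names are constructed, and the CRL is read from a local file instead of being fetched from the certificate's CDP.

```shell
# Added example; the CA layout, subjects and file names are all constructed.
crl_check_demo() {
    work=$(mktemp -d)
    (
        set -e
        trap 'rm -rf "$work"' EXIT
        cd "$work"
        mkdir newcerts; : > index.txt; echo 01 > serial
        cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = root.crt
private_key = root.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
EOF
        openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Root" -keyout root.key -out root.crt 2>/dev/null
        openssl req -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
        openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.crt 2>/dev/null
        if [ "$1" = revoke ]; then openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null; fi
        openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
        # Step 1: the CRL itself must carry a valid signature from the issuing CA.
        openssl crl -in crl.pem -CAfile root.crt -noout 2>&1 | grep -q 'verify OK'
        # Step 2: chain validation plus lookup of the leaf's serial number in the CRL.
        result=$(openssl verify -crl_check -CAfile root.crt -CRLfile crl.pem leaf.crt 2>&1) || true
        case $result in
            *"certificate revoked"*) echo revoked ;;
            *": OK"*)                echo good ;;
            *)                       echo error ;;
        esac
    )
}
```

`crl_check_demo revoke` prints `revoked`; any other argument leaves the certificate in good standing and prints `good`.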
Windows OpenSSL: Where to put the config file?
Greetings I'm working (on Windows) with the Apache SSL software, Also, with the OpenSSL for Windows (the Apache just bundles that in) I cannot find where the configuration file is - all the documentation seems to reference the Linux filesystem. Could someone please tell me where to put the config file, if it is already there I haven't found it! Could you send me a simple example, I'd like to make a few simple test certificates and install them in the Apache server and IE browser to get a feel for how it works. thank you!
RE: How should I start?
this seems like a good resource

http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html

mclellan, dave [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/15/2004 07:00 AM
Please respond to openssl-users
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: How should I start?

Hi Layla: A few months ago, I was in the same position as you are now, and have just turned over my first such effort to my QA group. This list is a great resource and I've learned a lot by watching it. Many experienced implementors and the developers watch and reply on this list.

visit: www.openssl.org/docs and follow the four links (crypto, ssl, openssl, howto). The O'Reilly book is excellent, and so is Eric Rescorla's book SSL and TLS - Designing and Building Secure Systems.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Layla
Sent: Sunday, August 15, 2004 4:22 AM
To: [EMAIL PROTECTED]
Subject: How should I start?

Hello Everyone:

I'm supposed to implement a security protocol using OpenSSL (C++) on windows platform. My question is how can I get myself familiar with using the functions offered by OpenSSL. can anyone please recommend a reference or perhaps a website. I've already ordered this book: Network Security with OpenSSL But i would really appreciate it if anyone can tell me where to start from, or if there's even some sort of a catalog listing the different functions and their uses.

Thank you all in advance.

Layla.