subject:"Please help"

Re: OpenSSL 1.0.1h for android ?? Please help.

2014-07-02 Thread Abhishek Gupta

Hello everyone, Thanks for your timely help.

I was able to compile openssl 1.0.1e from a github project. It had an
Android.mk files.

In case, i wish to update to 1.0.1h, what changes do i need to make to
android.mk files?


On Sun, Jun 29, 2014 at 10:22 PM, birajendu sahu biraje...@yahoo.co.in
wrote:

 Hi Abhishek,

 You can build the openssl using the NDK tool chain and get libcrypto.a file,
 then you need to link that in your master so which will be build from
 android.mk file.

 I will publish the detail steps soon.

 Thanks,
 Birajendu


   On Tuesday, 24 June 2014 12:16 AM, Abhishek Gupta abhis...@meddiff.com
 wrote:


 Hello Users,

 I am at task to compile OpenSSL 1.0.1h for android platform and link it
 with an application.

 Can somebody give some pointers on how to do it. My problem is that there
 are no Android.mk files for this. And how can I user ndk-build here?

 Development env:
 1. Ubuntu 14.04 / 12.04
 2. Android NDK-r9d

 Regards
 Abhishek.

Re: OpenSSL 1.0.1h for android ?? Please help.

2014-07-02 Thread Amit Agrawal

As Jeffrey also mentioned, wiki link for android compile is way to go.
config utility takes care of generating required makefie.

Regards,


On Wed, Jul 2, 2014 at 11:45 AM, Abhishek Gupta abhis...@meddiff.com
wrote:

 Hello everyone, Thanks for your timely help.

 I was able to compile openssl 1.0.1e from a github project. It had an
 Android.mk files.

 In case, i wish to update to 1.0.1h, what changes do i need to make to
 android.mk files?


 On Sun, Jun 29, 2014 at 10:22 PM, birajendu sahu biraje...@yahoo.co.in
 wrote:

 Hi Abhishek,

 You can build the openssl using the NDK tool chain and get libcrypto.a file,
 then you need to link that in your master so which will be build from
 android.mk file.

 I will publish the detail steps soon.

 Thanks,
 Birajendu


   On Tuesday, 24 June 2014 12:16 AM, Abhishek Gupta abhis...@meddiff.com
 wrote:


  Hello Users,

 I am at task to compile OpenSSL 1.0.1h for android platform and link it
 with an application.

 Can somebody give some pointers on how to do it. My problem is that there
 are no Android.mk files for this. And how can I user ndk-build here?

 Development env:
 1. Ubuntu 14.04 / 12.04
 2. Android NDK-r9d

 Regards
 Abhishek.






-- 
Regards,
Amit Agrawal

Re: OpenSSL 1.0.1h for android ?? Please help.

2014-06-29 Thread birajendu sahu

Hi Abhishek,

You can build the openssl using the NDK tool chain and get libcrypto.a file, 
then you need to link that in your master so which will be build from 
android.mk file.

I will publish the detail steps soon.

Thanks,
Birajendu


On Tuesday, 24 June 2014 12:16 AM, Abhishek Gupta abhis...@meddiff.com wrote:
 


Hello Users, 

I am at task to compile OpenSSL 1.0.1h for android platform and link it with an 
application. 

Can somebody give some pointers on how to do it. My problem is that there are 
no Android.mk files for this. And how can I user ndk-build here?

Development env:
1. Ubuntu 14.04 / 12.04
2. Android NDK-r9d

Regards
Abhishek.

OpenSSL 1.0.1h for android ?? Please help.

2014-06-23 Thread Abhishek Gupta

Hello Users,

I am at task to compile OpenSSL 1.0.1h for android platform and link it
with an application.

Can somebody give some pointers on how to do it. My problem is that there
are no Android.mk files for this. And how can I user ndk-build here?

Development env:
1. Ubuntu 14.04 / 12.04
2. Android NDK-r9d

Regards
Abhishek.

Re: OpenSSL 1.0.1h for android ?? Please help.

2014-06-23 Thread Mike Mohr

Openssl does not directly support Android AFAIR. You can try some manual
changes to e.g. CC or write your own make file.
On Jun 23, 2014 11:18 AM, Abhishek Gupta abhis...@meddiff.com wrote:

 Hello Users,

 I am at task to compile OpenSSL 1.0.1h for android platform and link it
 with an application.

 Can somebody give some pointers on how to do it. My problem is that there
 are no Android.mk files for this. And how can I user ndk-build here?

 Development env:
 1. Ubuntu 14.04 / 12.04
 2. Android NDK-r9d

 Regards
 Abhishek.

Re: OpenSSL 1.0.1h for android ?? Please help.

2014-06-23 Thread Jeffrey Walton

On Mon, Jun 23, 2014 at 2:17 PM, Abhishek Gupta abhis...@meddiff.com wrote:
 Hello Users,

 I am at task to compile OpenSSL 1.0.1h for android platform and link it with
 an application.

 Can somebody give some pointers on how to do it. My problem is that there
 are no Android.mk files for this. And how can I user ndk-build here?

http://wiki.openssl.org/index.php/Android
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL 1.0.1h for android ?? Please help.

2014-06-23 Thread Blibbet

 http://wiki.openssl.org/index.php/Android

In addition, the Guardian Project's Orbot is a live working example of
of a project currently building OpenSSL on Android.

https://gitweb.torproject.org/orbot.git/blob/HEAD:/external/Makefile
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL_Certificate Validation ( Server Authentication): Please Help

2012-05-23 Thread Mr.Rout


Since 5 days i have not received any response. It could be a silly questions
to you guys. But i need the answer. 

Waiting for a nice reply.

Best Regards,
S  S Rout
-- 
View this message in context: 
http://old.nabble.com/SSL_Certificate-Validation-%28-Server-Authentication%29%3A-Please-Help-tp33873598p33897202.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

SSL_Certificate Validation ( Server Authentication): Please Help

2012-05-18 Thread Mr.Rout


Hey Crypto guys,
I have a basic questions regarding Certificate validation. Basically in a
Server Authentication a TLS client should  validate the CN/SN with Host
portion of the ACS.URL. If it matches then handshake will succeed else will
fail.  Am I right ?
e.g. 
if Host.Url=x.x.x.x then CN (in both subject   issuer field should be
x.x.x.x ) for self-signed certificate.
Issuer: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=www.https.com
Subject: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=www.https.com
if Host.Url=x.x.x.x then CN (in  subject  field should be x.x.x.x ) for
CA-Signed certificate
Issuer: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=Veisign
Subject: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=10.204.4.69


CN validation using self-signed certificate.
SN validation:
1)  Using CA signed  certificate : using Subject name as HostURL
2)  Using CA signed certificate : using subAltname as HostUrl

Method for CN validation: 
1)  Keep the same  Self-signed cert at both side (FAP  Server)
Method for SN validation:
1)  Keep ROOT cert at FAP and server cert (signed cert) at Server.


Am  I  right guys ? Please let me know.
Best Regards,
S  S rout

-- 
View this message in context: 
http://old.nabble.com/SSL_Certificate-Validation-%28-Server-Authentication%29%3A-Please-Help-tp33873598p33873598.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Please Help: Certificate Validation using subjectAltName extension

2012-05-18 Thread Mr.Rout


Thanks Dave for explanation.
One doubt regarding sentence  If a subjectAltName extension of type dNSName
is present, that MUST
be used as the identity(RFC 2818)

What does this line means ?

Does it says if a certificate have different CN in issuer  subject field
but SubAltname: x.x.x.x which matches with HOST.URL (server) then will
handshake goes through ?


i.e. 


[ certificate_extensions ]
basicConstraints = CA:false
subjectAltName = DNS:x.x.x.x DNS:localhost

[ req_distinguished_name ]
countryName= US
stateOrProvinceName= Chems
localityName   = Washington
organizationName   = Sercomm
commonName = Verisign

[ req_extensions ]
basicConstraints = CA:true
subjectAltName = DNS:x.x.x.x,DNS:localhost

Am i correct ?

Please help.

Best Regards,
 S  S rout

-- 
View this message in context: 
http://old.nabble.com/Please-Help%3A-Certificate-Validation-using-subjectAltName-extension-tp32906983p33873612.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Please Help me out- SSL ERROR

2012-01-18 Thread Dave Thompson

 From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
 Sent: Wednesday, 18 January, 2012 02:52
snip
 root@1143726:/usr/bin# openssl s_client -connect 10.204.4.69:7003
 WARNING: can't open config file: /usr/ssl/openssl.cnf
 CONNECTED(0003)
 depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, 
 CN = 10.204.4.69
 verify error:num=20:unable to get local issuer certificate
snip
 Certificate chain
  0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69
i:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA
snip
 My Set up looks like this.
  e.g.  Certificate Chain  would be , ROOT-  Server ( I  
 keep ROOT at
 CLIENT and Server cert at SERVER). Am I right ?
 
Yes, at least for server auth. If you use client auth,
which is not very common, then *also* have the client cert 
at the client and its root at the server. 

 [root@squidpc TEST]# openssl x509 -in root.pem -text
snip

 Please let me know what is missing here  why i am getting 
 the above error.
 
Either specify -CAfile root.pem on the s_client commandline
OR put that root cert in the default truststore which is used 
when you don't specify -CAfile and/or -CApath on the commandline.
The default truststore can be a single file or a directory with 
hashcode names or links or both, and is in a location that depends 
on your platform and the build options of your OpenSSL.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Please Help me out- SSL ERROR

2012-01-17 Thread Mr.Rout

://old.nabble.com/Please-Help-me-out--SSL-ERROR-tp33159464p33159464.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Please Help: Certificate Validation using subjectAltName extension

2011-12-03 Thread Dave Thompson

 From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
 Sent: Saturday, 03 December, 2011 02:56

 My TLS client can validate both CN and SN  i need to test both the
 scenario.
 
 I don't know how to create certificate with subjectAltName 
 extension using openssl commands.
 
 In the RFC-2818 , there are two ways of Certificate 
 Validation for Host name
 1)CN (Common Name)
 2)SN( Subject Name)

1. Common Name part of subject name which is the value of Subject.
2. Subject *Alternative* Name which is an extension.

 If a subjectAltName extension of type dNSName is present, that MUST
 be used as the identity. Otherwise, the (most specific) Common Name
 field in the Subject field of the certificate MUST be used. Although
 the use of the Common Name is existing practice, it is deprecated and
 Certification Authorities are encouraged to use the dNSName instead.
   
As this says, although a bit tersely.

 I created Self-signed certificate  using open-ssl commands and my
 certificate chain looks like below where CN=10.204.4.69
   openssl genrsa -des3 -out server.key 1024
   openssl req -new -key server.key -out server.csr
   openssl x509 -req -days 365 -in server.csr 
 -signkey server.key -out server.crt

 Please tell how to create certificate with subjectAltName 
 extension using openssl commands ?

The same way(s) you create a cert with any extension(s).
See man req; man x509; man ca; man x509v3_config 

In x509 -req supply -extfile with the name of a config file, 
and -extsect with the name of a section in that file 
unless it is default or pointed to by default.extensions,
specifying the extension(s) you want. You want something like
subjectAltName=DNS:my.host.example

For selfsigned you can save a step (or two) with req -x509 (and 
-newkey) in which case use -extensions or req.x509_extensions .


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Please Help: Certificate Validation using subjectAltName extension

2011-12-02 Thread Mr.Rout


Dear All,

My TLS client can validate both CN and SN  i need to test both the
scenario.

I don't know how to create certificate with “subjectAltName extension” 
using openssl commands.

In the RFC-2818 , there are two ways of Certificate Validation for Host name
1)  CN (Common Name)
2)  SN( Subject Name)
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
  
I created Self-signed certificate  using open-ssl commands and my
certificate chain looks like below where CN=10.204.4.69
  openssl genrsa -des3 -out server.key 1024
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -days 365 -in server.csr -signkey server.key
-out server.crt

My Certificate chain
===
 0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Home
Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com
   i:/C=IN/ST=Karnataka/L=Bangalore/O=Home
Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com

Please tell how to create certificate with “subjectAltName extension”  using
openssl commands ?

Thanks  in advance.
Regards,
Rout

-- 
View this message in context: 
http://old.nabble.com/Please-Help%3A-Certificate-Validation-using-subjectAltName-extension-tp32906983p32906983.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-08-03 Thread Gaglia

On 07/20/2011 12:45 PM, Gaglia wrote:
 ...

Feedbacks always appreciated, in case somebody has further investigated
the issue :)
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-20 Thread Gaglia

On 07/16/2011 07:13 PM, y...@inbox.lv wrote:
 ...

So everybody here seems to agree that steps 1)...7) I listed in the
first post are correct, and that the problem in EC management lies in
OpenVPN, right?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-16 Thread Gaglia

On 07/16/2011 06:50 AM, y...@inbox.lv wrote:
  openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
  WARNING: can't open config file: /usr/local/ssl/openssl.cnf
  Error setting context

My premise is that we are considering only OpenSSL v 1.0.0. Under this
condition, as I wrote in the first post, I do something like:

# generate EC private key for curve sect571k1, no point compression
# (to enable point compression, use -conv_form compressed )
openssl ecparam -out cakey.pem -name sect571k1 -text -genkey

# generate EC certificate with the above private key with SHA512
# (note that the -sha512 arg has no effect if using v0.9.8, it
# will use SHA-1 instead)
openssl req -out cacert.pem -key cakey.pem -sha512 -x509 -new

# check that everything is OK
openssl x509 -text -in cacert.pem

Certificate:
...
*Signature Algorithm: ecdsa-with-SHA512*
Issuer:
...
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
02:3A:...
ASN1 OID: sect571k1
X509v3 extensions:
...
*Signature Algorithm: ecdsa-with-SHA512*
20:89:...
-BEGIN CERTIFICATE-
MIJ...
...
ASd45g==
-END CERTIFICATE-


Any wrongdoing up to here?

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-16 Thread Dr. Stephen Henson

On Sat, Jul 16, 2011, y...@inbox.lv wrote:

 
  openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
  WARNING: can't open config file: /usr/local/ssl/openssl.cnf
  Error setting context
  5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid
  digest type:.c
  ryptoecec_pmeth.c:229:

AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports SHA1
and SHA2 algorithms with ECC. So if you used -sha256 it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-16 Thread yyyy


 sha256 worked. (both for dgst and for req)
 If i understand correctly, ECDSA algorithm only needs hash as a
 defined length
 bitstring, so adapting ripemd in place of sha1 should have been
 easier than
 sha256 (because ripemd has the same length as sha1, sha256 is
 longer).
  Citējot *Dr. Stephen Henson st...@openssl.org [1]*:
 On Sat, Jul 16, 2011, y...@inbox.lv wrote:
 
  
openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Error setting context
5664:error:100C508A:elliptic curve
 routines:PKEY_EC_CTRL:invalid
digest type:.c
ryptoecec_pmeth.c:229:
 
  AFAIK there is no standard for using ECC with ripemd160. OpenSSL
 supports SHA1
  and SHA2 algorithms with ECC. So if you used -sha256 it should
 work.
 
  Steve.
  --
  Dr Stephen N. Henson. OpenSSL project core developer.
  Commercial tech support now available see: http://www.openssl.org
  __
  OpenSSL Project
 http://www.openssl.org
  User Support Mailing List   
 openssl-users@openssl.org
  Automated List Manager  
 majord...@openssl.org
  -- Tavs bezmaksas pasts Inbox.lv

Links:
--
[1] mailto:st...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread Kyle Hamilton




On Thu, Jul 14, 2011 at 3:35 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote:
Dismissed or withdrawn? It seems to me Certicom stopped bitting a hand
that feeds it.

Jeff


Looking at the docket, it looks like they reached an agreement to dismiss 
without prejudice (meaning the suit could be refiled in the future).

-Kyle H


Verify This Message with Penango.p7s
Description: S/MIME Cryptographic Signature

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread Gaglia

On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
 ...

Excuse me, I got lost somewhere... Does this mean that it is not
possible to use EC crypto with OpenSSL because the algorithms are
patented? If so, why OpenSSL does provide support to EC crypto?

Sorry, I don't want to start a religion war, but as an EU citizen (and
as like as many other humans too, I guess), I find unbelievably absurd
the idea of patenting the mathematical description of an algorithm.

Let's put it in this way: in the unlikely and deplorable event of an
user willing to illegally use patented EC cryptography with OpenSSL for
personal use (hence assuming responsibility for any consequence), could
he/she use OpenSSL? Is OpenSSL able to handle this kind of crypto? I
guess yes, for (as in the first post of the thread) I managed to
apparently do a lot of things with the curve of my choice... My question
is, apart from legal considerations: did I do something wrong in the
certificate generation process?

Thanks for any help :)
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread yyyy


 Version of ECDSA available in openssl 1.0.0d supports only SHA1.
 (maybe there are patches, which adds other hash functions, but
 default build on win32 supports only sha1).
 ECDH and ECDSA are not guaranteed to use the same curve. At least
 with s_server curve for ECDSA is specified in certificate, but curve
 for ECDH is specified by -named_curve argument. Other programs
 probably use something similar.
 Last time i searched openvpn forums for anything ECC related, did not
 found anything (probably bad keywords, but also might be lack of ECC
 support).
  Citējot *Kyle Hamilton aerow...@gmail.com [1]*:
 ECDSA is the elliptical curve (discrete-logarithm-based) variant of
 DSA, the Digital Signature Algorithm.  DSA was developed by the US
 National Security Agency as a means of creating
 prime-factorization-based signatures without providing code paths
 which would permit the encryption of arbitrary data.
 
  ANSI X9 has object identifiers for ECDSA with a variety of hashes.
 
  1.2.840.10045.4.3. and then one of the following:
 
  1: ECDSA with SHA-224
  2: with SHA-256
  3: SHA-384
  4: SHA-512
 
  The information on the curve in use is part of
 subjectPublicKeyInfo:
 
  Subject Public Key Info:
  Public Key Algorithm: id-ecPublicKey
  Public-Key: (521 bit)
  pub:
  04:00:ef:07:81:ff:79:01:d3:10:a4:42:6b:d5:37:
  a9:ed:6b:a4:1d:20:8a:20:b6:44:34:09:d9:3d:f0:
  69:0f:b2:65:3f:d9:dd:68:72:a7:2b:cd:d4:70:e9:
  cb:21:dd:05:34:1b:4e:42:0f:65:63:5e:b9:24:a6:
  40:f6:cc:22:94:ea:3b:01:7f:65:38:09:33:b0:0d:
  b3:91:b6:1d:4a:a7:9f:17:2e:56:4d:ff:14:d3:aa:
  65:5d:3a:3d:ba:c2:d9:30:30:41:73:14:3e:6e:c7:
  01:ae:af:52:b6:cc:31:6d:26:dd:39:dc:60:c8:b9:
  07:fb:21:38:ec:75:dc:0f:3b:b7:9d:44:35
  Field Type: prime-field
  Prime:
  01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff
  A:
  01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:fc
  B:
  51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
  40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
  f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
  3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
  d4:6b:50:3f:00
  Generator (uncompressed):
  04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
  23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
  60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
  c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
  7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
  c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
  9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
  5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
  86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
  Order:
  01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
  ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
  48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
  b7:1e:91:38:64:09
  Cofactor:  1 (0x1)
  Seed:
  d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
  aa:a0:da:64:ba
  Signature Algorithm: ecdsa-with-SHA256
  30:81:87:02:41:7b:7d:88:a9:56:e8:d5:a0:f6:38:e7:85:4c:
  f5:1c:81:64:de:92:25:37:42:2d:31:cb:8b:af:04:32:7b:d7:
  06:19:4a:eb:a9:ca:9d:88:38:11:99:bc:2e:2b:35:e6:69:1c:
  ca:1c:8c:86:7d:74:bc:dd:96:20:8e:38:01:63:15:8b:02:42:
  01:66:42:70:5f:2e:cc:fb:1f:f3:d4:96:54:e9:b7:0a:3b:82:
  ec:b7:90:45:19:c0:ac:4c:ef:82:3d:77:07:e1:4d:13:81:d3:
  12:23:bc:84:4f:9b:ac:55:c4:a1:3b:85:08:5a:2f:ae:ad:45:
  3f:5f:da:cd:80:45:c9:79:58:d3:79:a2
 
  The curve in use can be named (reducing the size of the
 subjectPublicKeyInfo), or it can be specified explicitly (like the
 above).
 
  (I included the hash to show that it is indeed legitimate to have a
 different hash size.  I should note that I didn't generate this with
 OpenSSL, and I don't know how

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread Dr. Stephen Henson

On Fri, Jul 15, 2011, y...@inbox.lv wrote:

 
  Version of ECDSA available in openssl 1.0.0d supports only SHA1.
  (maybe there are patches, which adds other hash functions, but
  default build on win32 supports only sha1).

What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in 
things like certificates but 1.0.0 and later should support other hashes
such as SHA256.

Can you give an example where 1.0.0 is failing?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread Kyle Hamilton

On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
 On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
 ...

 Excuse me, I got lost somewhere... Does this mean that it is not
 possible to use EC crypto with OpenSSL because the algorithms are
 patented? If so, why OpenSSL does provide support to EC crypto?

EC is considered to be a patent minefield.  Some people (RSA Data
Security) say that it's possible to implement EC cryptography using
different types of algorithms which are not covered by the patents.
Other people (Bruce Schneier, US NSA) say that the mechanism itself is
patented, not simply specific algorithms for calculation.

The US NSA licensed from Certicom the right to sublicense the EC
algorithms used in Suite B.  My understanding is that OpenSSL
received a gift from Sun Microsystems of its EC sublicense from NSA.

 Let's put it in this way: in the unlikely and deplorable event of an
 user willing to illegally use patented EC cryptography with OpenSSL for
 personal use (hence assuming responsibility for any consequence), could
 he/she use OpenSSL? Is OpenSSL able to handle this kind of crypto?

Yes.  And, given OpenSSL's EC sublicense gift, the user of OpenSSL (if
my understanding is correct, IANAL!) is also licensed.

 I
 guess yes, for (as in the first post of the thread) I managed to
 apparently do a lot of things with the curve of my choice... My question
 is, apart from legal considerations: did I do something wrong in the
 certificate generation process?

Nobody can know unless you post the certificate in question, or at the
least the dump of the x509 structure you have.

One thing that might cause a problem is if you enabled EC point
compression in your OpenSSL compile, as I don't believe OpenSSL has a
license for that.

-Kyle H
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread Steve Marquess

On 07/15/2011 05:36 PM, Kyle Hamilton wrote:
 ...

 EC is considered to be a patent minefield. Some people (RSA Data
 Security) say that it's possible to implement EC cryptography using
 different types of algorithms which are not covered by the patents.
 Other people (Bruce Schneier, US NSA) say that the mechanism itself
 is patented, not simply specific algorithms for calculation.

I'll make just one comment here: U.S. patent law, at least as applied to
software, is a festering cesspool.

 The US NSA licensed from Certicom the right to sublicense the EC
 algorithms used in Suite B. My understanding is that OpenSSL
 received a gift from Sun Microsystems of its EC sublicense from NSA.

OpenSSL (in the guise of its corporate manifestation, the OpenSSL
Software Foundation), is a direct NSA sublicensee
(http://opensslfoundation.com/testing/docs/NSA-PLA.pdf).  Note that
sublicense only covers some prime field ECC; for the rest of it seek
competent legal advice.  Also note the license is nontransferrable.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread Jeffrey Walton

On Fri, Jul 15, 2011 at 5:36 PM, Kyle Hamilton aerow...@gmail.com wrote:
 On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
 On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
 ...

 Excuse me, I got lost somewhere... Does this mean that it is not
 possible to use EC crypto with OpenSSL because the algorithms are
 patented? If so, why OpenSSL does provide support to EC crypto?

 EC is considered to be a patent minefield.  Some people (RSA Data
 Security) say that it's possible to implement EC cryptography using
 different types of algorithms which are not covered by the patents.
Consider the source: RSA's strongest competition is ECC and Certicom
(or should we say ECC's past competition was RSA?). RSA Data Security
managed to implant RSA into DSA with heavy lobbying, but RSA's glory
days are behind them or gone. The SecurID scandal is another testament
to the fact.

I often wonder why open source implementations even care: (1) the
implementations are often available through out the world, where US
patent law does not apply, (2) for US domestic uses, push the burden
of licensing compliance onto the user (or #define out any code found
to be offense by *real* lawyers), and (3) most implementors don't have
the money to make it worthwhile to litigate.

For (3), Certicom most likely won't make a dime, so there's no
monetary relief or benefit even if they incur loss or damages. And at
best, they will probably be granted an injunction against US
distribution. Guess wheat folks will do in that case (what did they do
with RSA - download form Australia or Germany or ...).

Jeff
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-15 Thread yyyy


 openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
 WARNING: can't open config file: /usr/local/ssl/openssl.cnf
 Error setting context
 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid
 digest type:.c
 ryptoecec_pmeth.c:229:
 Also, in documentation on pkeyutl program is mentioned, that ECDSA
 supports only sha1
 http://www.openssl.org/docs/apps/pkeyutl.html#
 (subsection EC ALGORITHM)
 Documentation on dgst program did not mention any limitations for
 choice of hash, there only was said, that sha1 is preferred choice.
 That EC key used in failed example above is  based on secp521r1 and
 was generated by openssl.
  Citējot *Dr. Stephen Henson st...@openssl.org [1]*:
 On Fri, Jul 15, 2011, y...@inbox.lv wrote:
 
  
Version of ECDSA available in openssl 1.0.0d supports only
 SHA1.
(maybe there are patches, which adds other hash functions,
 but
default build on win32 supports only sha1).
 
  What makes you think that? OpenSSL 0.9.8 only supports SHA1 with
 ECDSA in
  things like certificates but 1.0.0 and later should support other
 hashes
  such as SHA256.
 
  Can you give an example where 1.0.0 is failing?
 
  Steve.
  --
  Dr Stephen N. Henson. OpenSSL project core developer.
  Commercial tech support now available see: http://www.openssl.org
  __
  OpenSSL Project
 http://www.openssl.org
  User Support Mailing List   
 openssl-users@openssl.org
  Automated List Manager  
 majord...@openssl.org
  -- Tavs bezmaksas pasts Inbox.lv

Links:
--
[1] mailto:st...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-14 Thread Kyle Hamilton


ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the 
Digital Signature Algorithm.  DSA was developed by the US National Security 
Agency as a means of creating prime-factorization-based signatures without 
providing code paths which would permit the encryption of arbitrary data.

ANSI X9 has object identifiers for ECDSA with a variety of hashes.

1.2.840.10045.4.3. and then one of the following:

1: ECDSA with SHA-224
2: with SHA-256
3: SHA-384
4: SHA-512

The information on the curve in use is part of subjectPublicKeyInfo:

   Subject Public Key Info:
   Public Key Algorithm: id-ecPublicKey
   Public-Key: (521 bit)
   pub:
   04:00:ef:07:81:ff:79:01:d3:10:a4:42:6b:d5:37:
   a9:ed:6b:a4:1d:20:8a:20:b6:44:34:09:d9:3d:f0:
   69:0f:b2:65:3f:d9:dd:68:72:a7:2b:cd:d4:70:e9:
   cb:21:dd:05:34:1b:4e:42:0f:65:63:5e:b9:24:a6:
   40:f6:cc:22:94:ea:3b:01:7f:65:38:09:33:b0:0d:
   b3:91:b6:1d:4a:a7:9f:17:2e:56:4d:ff:14:d3:aa:
   65:5d:3a:3d:ba:c2:d9:30:30:41:73:14:3e:6e:c7:
   01:ae:af:52:b6:cc:31:6d:26:dd:39:dc:60:c8:b9:
   07:fb:21:38:ec:75:dc:0f:3b:b7:9d:44:35
   Field Type: prime-field
   Prime:
   01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff
   A:
   01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:fc
   B:
   51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
   40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
   f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
   3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
   d4:6b:50:3f:00
   Generator (uncompressed):
   04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
   23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
   60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
   c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
   7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
   c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
   9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
   5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
   86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
   Order:
   01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
   ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
   48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
   b7:1e:91:38:64:09
   Cofactor:  1 (0x1)
   Seed:
   d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
   aa:a0:da:64:ba
   Signature Algorithm: ecdsa-with-SHA256
   30:81:87:02:41:7b:7d:88:a9:56:e8:d5:a0:f6:38:e7:85:4c:
   f5:1c:81:64:de:92:25:37:42:2d:31:cb:8b:af:04:32:7b:d7:
   06:19:4a:eb:a9:ca:9d:88:38:11:99:bc:2e:2b:35:e6:69:1c:
   ca:1c:8c:86:7d:74:bc:dd:96:20:8e:38:01:63:15:8b:02:42:
   01:66:42:70:5f:2e:cc:fb:1f:f3:d4:96:54:e9:b7:0a:3b:82:
   ec:b7:90:45:19:c0:ac:4c:ef:82:3d:77:07:e1:4d:13:81:d3:
   12:23:bc:84:4f:9b:ac:55:c4:a1:3b:85:08:5a:2f:ae:ad:45:
   3f:5f:da:cd:80:45:c9:79:58:d3:79:a2

The curve in use can be named (reducing the size of the subjectPublicKeyInfo), 
or it can be specified explicitly (like the above).

(I included the hash to show that it is indeed legitimate to have a different 
hash size.  I should note that I didn't generate this with OpenSSL, and I don't 
know how OpenSSL generates the sPKI.)

Also, note the large number of 0xff bytes in the prime.  These can be eliminated if 
you're willing to pay Certicom's point compression patent license fee.

The patent situation around Elliptical Curve is a bit murky, but (IANAL) I am 
proceeding as though the narrow interpretation promoted by the RSA Crypto FAQ 
is correct: the patent situation is the opposite of what was the case for DH 
and RSA: the algorithm itself is not specifically described in any particular 
patent, only particular efficient implementations of it -- such as 'an 
efficient algorithm using only left-shift and add instructions'.  The reason 
why there's murkiness is because everyone who does things is pretty much 
counseled to avoid looking at the patents -- if the patents are known, then 
it's evidence of willful

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-14 Thread Jeffrey Walton

On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote:
 ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the
 Digital Signature Algorithm.  DSA was developed by the US National Security
 Agency as a means of creating prime-factorization-based signatures without
 providing code paths which would permit the encryption of arbitrary data.

 ANSI X9 has object identifiers for ECDSA with a variety of hashes.

 [SNIP]

 The patent situation around Elliptical Curve is a bit murky, but (IANAL) I
 am proceeding as though the narrow interpretation promoted by the RSA Crypto
 FAQ is correct: the patent situation is the opposite of what was the case
 for DH and RSA: the algorithm itself is not specifically described in any
 particular patent, only particular efficient implementations of it -- such
 as 'an efficient algorithm using only left-shift and add instructions'.  The
 reason why there's murkiness is because everyone who does things is pretty
 much counseled to avoid looking at the patents -- if the patents are known,
 then it's evidence of willful (rather than accidental) infringement and any
 punitive damages for such are tripled.  However, Professer Dan J Bernstein
 says that his prime at 256 bits is unpatented and there's prior art from
 several years before the Certicom patents were filed -- and there was an
 infringement lawsuit brought by Certicom against Sony, which was dismissed
 in 2009.
Dismissed or withdrawn? It seems to me Certicom stopped bitting a hand
that feeds it.

Jeff

 On Sun, Jul 10, 2011 at 8:27 PM,  y...@inbox.lv wrote:

 When i searched on it, it seemed that ECDH requires specified named curve,
 and openVPN does not have a means of specifying it. Also, it seems that
 ECDSA works only with SHA-1 (I also would like to know, why it cannot take
 any 160 bit hash). I searched about it few weeks ago and relevant messages
 were few months old.


 Citējot Gaglia san...@paranoici.org:

 On 07/05/2011 03:23 PM, Gaglia wrote:

 I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
 and SHA-512 on Linux Debian.

 No idea anybody, really? :(



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-13 Thread Gaglia

On 07/11/2011 05:27 AM, y...@inbox.lv wrote:
  When i searched on it, it seemed that ECDH requires specified named
  curve

You need to specify the curve's name, like this:

openssl ecparam -name sect571k1

but this should only be done in the parameters generation stage, the
generated certificates should contain this information by themselves, so
I don't think specifying it to OpenVPN should be needed.

 Also, it seems that ECDSA works only with SHA-1

This has been marked as a bug and it was fixed in the most recent
versions of OpenSSL. I've met this issue with OpenSSL 0.9.8x (I don't
remember the x), this version is indeed the deafult one for both
Debain Squeeze and Ubuntu Natty, so this is quite annoying (I like
Debian a lot, but its repos are often too much outdated). As I've
written before, I've manually compiled OpenSSL v1.0.0 and I can read the
following for my certificate, as expected:

openssl x509 -text -in cacert.pem
...
Signature Algorithm: ecdsa-with-SHA512


  I searched about it few weeks
  ago and relevant messages were few months old.

Same problem here :( it seems that if someone managed to solve the
problem, he/she didn't bother to write back the solution.

Thanks anyway for the reply, still waiting for further help, I can't
believe nobody managed to solve this issue :(

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-10 Thread Gaglia

On 07/05/2011 03:23 PM, Gaglia wrote:
 I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
 and SHA-512 on Linux Debian.

No idea anybody, really? :(
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-10 Thread yyyy


 When i searched on it, it seemed that ECDH requires specified named
 curve, and openVPN does not have a means of specifying it. Also, it
 seems that ECDSA works only with SHA-1 (I also would like to know,
 why it cannot take any 160 bit hash). I searched about it few weeks
 ago and relevant messages were few months old.
  Citējot *Gaglia san...@paranoici.org [1]*:
 On 07/05/2011 03:23 PM, Gaglia wrote:
   I'm trying to make an OpenVPN setup with Elliptic Curves
 cryptography
   and SHA-512 on Linux Debian.
 
  No idea anybody, really? :(
 

Links:
--
[1] mailto:san...@paranoici.org

Re: Please help RFC 5746

2011-07-06 Thread Dr. Stephen Henson

On Sun, Jul 03, 2011, Ritesh Rekhi wrote:

 Hi ,
 
 I need little help in implementing RFC 5746 on server, as per RFC it is not 
 very clear on how to tell clients that Server doesn't support renegotiation.
 
 If anybody knows a way to tell clients that server doesn't support 
 renegotiation , please let me know.
 

It isn't clear from your message whether you want to tell the client you don't
support renegotiation or don't support secure renegotiation.

If a client doesn't support secure renegotiation and attempts to renegotiate
then by default it will get back a no renegotiation alert (for TLS v1.0 or
later).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

2011-07-05 Thread Gaglia

Hi, first of all please accept my apologizes, I know this is a question
more related to OpenVPN, but I think that the problem lies in the cert
authority and client/server certificate generation step with OpenSSL, so
I'm also posting it here, hoping for a solution.

I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
and SHA-512 on Linux Debian. This seems to be very hard, I didn't find
any howto on the web :( if and when I will manage to get the whole thing
up and running I will write a detailed howto, so any help is appreciated!

As a premise: yes, I've recompiled OpenVPN using the latest OpenSSL
version (see below). My suspect is that I made some mistake in the
certificate generation process but I can't find it.

I also posted this issue at https://forums.openvpn.net/topic8404.html
but there I included a lot of information more strictly related to my
OpenVPN configuration, I will include here just the steps I used to
setup the PKI with OpenSSL. Here is what I did:


1) downloaded OpenSSL 1.0.0, configured and installed in
/usr/local/openssl (to avoid removing the already installed openssl
0.9.8 which looks like it's a crucial packet for everything on my
system) with:
8888888
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
8888888
I am calling the new openssl version with the openssl-new alias

2) created a CA:
8888888
openssl-new ecparam -out private/cakey_temp.pem -name sect571k1 -text
-genkey
openssl-new ec -in private/cakey_temp.pem -out private/cakey.pem -aes256
wipe -f private/cakey_temp.pem
openssl-new req -new -x509 -out cacert.pem -key private/cakey.pem -days
36500 -sha512 -extensions v3_ca
openssl-new x509 -text -in cacert.pem
8888888
with the last command I read: Signature Algorithm: ecdsa-with-SHA512

3) created a server key and certification request:
8888888
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500
-out req.pem
chmod 600 privkey.pem
mv privkey.pem private/serverkey.pem
openssl-new req -in req.pem -text -verify -noout
8888888
again, I read: Signature Algorithm: ecdsa-with-SHA512

4) modified openssl.cnf accordingly and signed the request with the CA:
8888888
openssl-new ca -config openssl.cnf -policy policy_anything -out
servercert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem
-infiles req.pem
rm req.pem
8888888

5) created a client key and certification request:
8888888
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500
-out req.pem
chmod 600 privkey.pem
mv privkey.pem private/clientkey.pem
8888888

6) signed the request with the CA:
8888888
openssl-new ca -config openssl.cnf -policy policy_anything -out
clientcert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem
-infiles req.pem
8888888
(I later moved client files in ~/.ssl )

7) created both ECDH and DH (for testing) parameters:
8888888
openssl-new ecparam -out ecdh.pem -name sect571k1
openssl-new dhparam -out dh.pem 4096
8888888


My OpenVPN configuration does not work, I receive this error in the logs:
8888888
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
8888888
but, as I said, this is more related to OpenVPN and it is detailed in
the forum post I linked above. What I'd like to know from more
experienced OpenSSL users here is: did I perform correctly steps
1)...7)? Please help, I'm really in need of this ._. I will write a
complete and detailed howto as a small compensation for the community!

Thanks in advance
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Please help RFC 5746

2011-07-03 Thread Ritesh Rekhi

Hi ,

I need little help in implementing RFC 5746 on server, as per RFC it is not 
very clear on how to tell clients that Server doesn't support renegotiation.

If anybody knows a way to tell clients that server doesn't support 
renegotiation , please let me know.

Thanks
Ritesh Rekhi

Could you please help me about the basics of how to set and run open-ssl on my server

2009-12-26 Thread Koray Erol

Hi Open-SSL Users,
Could you please help me about the basics of how to set and run open-ssl on my 
server.
Thanks

Please Help: RSA Public Key Exponent size

2009-10-30 Thread Bizhan Gholikhamseh (bgholikh)

Hi All,
In our environment a secure server creates Private/Public RSA keys.
We Can never access the Private key but we are able to access the Public
Key.
The command BN_num_bytes(rsa_public_key-e) returns the size of the
exponent part of the public key, and it is 3 bytes. 10001. 

Could this be a valid value?

We have a system that requires public key exponent to be 4 bytes, could
I pad the exponent so it be 4 bytes?

Many thanks in advance,

B
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Please Help: RSA Public Key Exponent size

2009-10-30 Thread Jeffrey Walton

Hi Bizhan,

 The command BN_num_bytes(rsa_public_key-e) returns the size
 of the exponent part of the public key, and it is 3 bytes. 10001.
 Could this be a valid value?
Yes. Typical values are 3, 17, and 65535.

 We have a system that requires public key exponent to be 4 bytes,
 could I pad the exponent so it be 4 bytes?
Yes. Pad at the leading octets.

Jeff

On Fri, Oct 30, 2009 at 10:38 PM, Bizhan Gholikhamseh (bgholikh)
bghol...@cisco.com wrote:
 Hi All,
 In our environment a secure server creates Private/Public RSA keys.
 We Can never access the Private key but we are able to access the Public
 Key.
 The command BN_num_bytes(rsa_public_key-e) returns the size of the
 exponent part of the public key, and it is 3 bytes. 10001.

 Could this be a valid value?

 We have a system that requires public key exponent to be 4 bytes, could
 I pad the exponent so it be 4 bytes?

 Many thanks in advance,

 B

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Problem with install...Please Help

2009-04-02 Thread Jaber, Adam M CTR DLA J6UIA

Hello,

I am trying to install OpenSSL-0.9.8k.  I currently have OpenSSL-0.9.8.602.
Do I need to remove my older version before I install the new version?
Also, I ran a ./config --prefix=/usr/opt/OpenSSL, which came back with NO
error.  Then when I ran make it gives me the following error:

cc: unrecognized option '-qthreaded'
cc: unrecognized option '-q32'
cc: unrecognized option '-qmaxmem=16384'
cc: unrecognized option '-qro'
cc: unrecognized option '-qroconst'
cc: error trying to exec 'cc1plus': execvp: No such file or directory
make: 1254-004 The error code from the last command is 1.

Please, let me know what route I should take from here to get it OpenSSL
installed.

Thank you,
Adam Jaber
(801)586-1480
adam.jaber@dla.mil



smime.p7s
Description: S/MIME cryptographic signature

RE: Problem with install...Please Help

2009-04-02 Thread Yang, Jun

I am also a bit of newbie here but I do think that the problem you
having could be due to the previous version of gcc somewhere in you
linux box and that is still called in your makefile. Perhaps you have to
double check your env variables? Or removing old gcc?

 

61-2-9013-4203

y...@ali.com.au

 



From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Jaber, Adam M CTR
DLA J6UIA
Sent: Thursday, 2 April 2009 2:24 AM
To: openssl-users@openssl.org
Subject: Problem with install...Please Help

 

Hello, 

I am trying to install OpenSSL-0.9.8k.  I currently have
OpenSSL-0.9.8.602.  Do I need to remove my older version before I
install the new version?  Also, I ran a ./config
--prefix=/usr/opt/OpenSSL, which came back with NO error.  Then when I
ran make it gives me the following error:

cc: unrecognized option '-qthreaded' 
cc: unrecognized option '-q32' 
cc: unrecognized option '-qmaxmem=16384' 
cc: unrecognized option '-qro' 
cc: unrecognized option '-qroconst' 
cc: error trying to exec 'cc1plus': execvp: No such file or directory 
make: 1254-004 The error code from the last command is 1. 

Please, let me know what route I should take from here to get it OpenSSL
installed. 

Thank you, 
Adam Jaber 
(801)586-1480 
adam.jaber@dla.mil 



Aristocrat Technologies Corporate Head Office in Lane Cove and Rosebery, Sydney 
Australia have relocated to:

Building A, Pinnacle Office Park
85 Epping Road
North Ryde NSW 2113

PO Box 361,  North Ryde BC NSW 1670, Australia

IMPORTANT CONFIDENTIALITY NOTICE:

This E-mail (including any documents referred to in, or attached, to this 
E-mail) may contain information that is personal, confidential or the subject 
of copyright, privilege or other proprietary rights in favor of Aristocrat, its 
affiliates or third parties. This E-mail is intended only for the named 
addressee. Any privacy, confidence, legal professional privilege, copyright or 
other proprietary rights in favor of Aristocrat, its affiliates or third 
parties, is not lost if this E-mail was sent to you by mistake.

If you received this E-mail by mistake you should: (i) not copy, disclose, 
distribute or otherwise use it, or its contents, without the consent of 
Aristocrat or the owner of the relevant rights; (ii) let us know of the mistake 
by reply E-mail or by telephone (AUS +61 2 9013 6300 or USA 1-877-274-9661); 
and (iii) delete it from your system and destroy all copies.

Any personal information contained in this E-mail must be handled in accordance 
with applicable privacy laws.

Electronic and internet communications can be interfered with or affected by 
viruses and other defects. As a result, such communications may not be 
successfully received or, if received, may cause interference with the 
integrity of receiving, processing or related systems (including hardware, 
software and data or information on, or using, that hardware or software). 
Aristocrat gives no assurances in relation to these matters.

If you have any doubts about the veracity or integrity of any electronic 
communication we appear to have sent you, please call (AUS +61 2 9013 6300 or 
USA 1-877-274-9661) for clarification.

NEW Bee Please help in writing a client server program

2008-09-17 Thread Deepak Mundra

Hi everybody .. I am new to open ssl .. I am trying to write a simple client
server  program ... I have already created client server program .. now i
have to add ssl code snippet so that i can send and recive data using ssl..

and please tel me how to create certificates for server and clients .. if
some one has already written a sample code (with information of creating
certificates to both client and server)


Thanks

Re: Please help: very urgent: Query on patented algorithms

2008-06-17 Thread Vin McLellan


At 01:20 PM 6/16/2008, Michael Sierchio wrote:


RC4 is owned (and trademarked) by RSA Security Inc, but they are no
longer enforcing the patent,


RC4 was never protected by patent, but by trade secret.  When the
details of the algorithm were published, Ron Rivest himself suggested
calling the alleged RC4 ARCFOUR.  It is indeed a trademark of RSA
Security.


Michael is right. No patent.  RSA subsequently switched to patent 
protection for RC5 and RC5. Some ancient history might offer context.


RC4, developed by Rivest in 1987, was originally sold, under 
contractual constraints, as a proprietary RSA trade secret -- a mode 
of IP protection which soon proved to be frail and toothless in 
Cyberspace, where anonymous publication on the Net broke the trade 
secret contract but allowed the perpetrator to escape all liability.


RSADSI initially filed for US trademark protection on RC4 in 1993, 
and the trademark -- as a mark of origin, a mark that identified 
the source of the distributed code -- became the last line defense 
for the RC4 IP when the RC4 algorithm was reverse engineered and 
published on the Cypherpunks List in September of 1994.


In a swirl of ironies, this was a critical event in public crypto 
history, because the illicit publication of RC4 made it possible for 
non-US developers to do their own versions of SSL.  SSLea, ancestor 
of OpenSSL, soon broke the NSA's restrictive policies  on the 
international use of strong-crypto SSL for browsers and web-based 
transactions.  Many versions of alleged RC4 (ARC4 or ArcFour) were 
soon in widespread use, even in IETF standards.  Anyone can code or 
use ACR4, but EMC/RSA still defends its monopoly on the RC4 trademark 
because undefended trademarks become invalid.


_Vin 



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Please help: very urgent: Query on patented algorithms

2008-06-16 Thread bagavathy raj

Hi,

I have openssl dlls(i.e.libeay32.dll, ssleay32.dll). I need to know if these
libaries are using any of the patented algorithms like IDEA, RC4, RC5,MDC2
etc. Can you please let me know if there is any way to find out this?
Any help would be highly appreciated.

Thanks in adavance,
Bagavathy

Re: Please help: very urgent: Query on patented algorithms

2008-06-16 Thread Mounir IDRASSI

Hi,

Use the tool Dependency Walker (http://www.dependencywalker.com/) to look
at the exported functions of libeay32.dll. If it exports RC5, you will see
exported symbols starting with RC5. For MDC2, you'll find symbols starting
with MDC2 and etc...

Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On Mon, June 16, 2008 3:55 pm, bagavathy raj wrote:
 Hi,

 I have openssl dlls(i.e.libeay32.dll, ssleay32.dll). I need to know if
 these
 libaries are using any of the patented algorithms like IDEA, RC4, RC5,MDC2
 etc. Can you please let me know if there is any way to find out this?
 Any help would be highly appreciated.

 Thanks in adavance,
 Bagavathy


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Please help: very urgent: Query on patented algorithms

2008-06-16 Thread bagavathy raj

Hi,
Is there any binary distribution where I can find SSL dlls without
patented algorithms like IDEA,MCD2,RC4,RC5 etc. I tried compiling
without them. I could exclude other algos but not RC4. Some linking
issues. So i need to know if there is any ssl release without the
patented algorithms.

On 6/16/08, Mounir IDRASSI [EMAIL PROTECTED] wrote:
 Hi,

 Use the tool Dependency Walker (http://www.dependencywalker.com/) to look
 at the exported functions of libeay32.dll. If it exports RC5, you will see
 exported symbols starting with RC5. For MDC2, you'll find symbols starting
 with MDC2 and etc...

 Cheers,
 --
 Mounir IDRASSI
 IDRIX
 http://www.idrix.fr

 On Mon, June 16, 2008 3:55 pm, bagavathy raj wrote:
 Hi,

 I have openssl dlls(i.e.libeay32.dll, ssleay32.dll). I need to know if
 these
 libaries are using any of the patented algorithms like IDEA, RC4, RC5,MDC2
 etc. Can you please let me know if there is any way to find out this?
 Any help would be highly appreciated.

 Thanks in adavance,
 Bagavathy


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Please help: very urgent: Query on patented algorithms

2008-06-16 Thread Chris Clark

On 6/16/08, bagavathy raj [EMAIL PROTECTED] wrote:
 Hi,
 Is there any binary distribution where I can find SSL dlls without
 patented algorithms like IDEA,MCD2,RC4,RC5 etc. I tried compiling
 without them. I could exclude other algos but not RC4. Some linking
 issues. So i need to know if there is any ssl release without the
 patented algorithms.

RC4 is owned (and trademarked) by RSA Security Inc, but they are no
longer enforcing the patent, and will allow free usage of the OpenSSL
implementation of this cipher to those that ask. However they do
require that OpenSSL toolkit users either do not call it RC4, or call
it Alleged RC4 cipher to avoid trademark infringement. If you even
mention the words RC4 in your documentation you may need to mention
that it is Alleged and that RC4 is a trademark of RSA Security.
RC2 is also a trademark of RSA Security, but this one can be used
without the Alleged prefix, providing you list them as the trademark
owner.

Disclaimer: I am not a lawyer, and I suggest you contact RSA directly
to confirm this information on your own.

-Chris
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Please help: very urgent: Query on patented algorithms

2008-06-16 Thread Michael Sierchio





RC4 is owned (and trademarked) by RSA Security Inc, but they are no
longer enforcing the patent,


RC4 was never protected by patent, but by trade secret.  When the
details of the algorithm were published, Ron Rivest himself suggested
calling the alleged RC4 ARCFOUR.  It is indeed a trademark of RSA
Security.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

please help about using openssl

2007-12-14 Thread Michelle Zhang

Hi,

 

I download openssl-0.9.8g from openssl.org website.

I want to build it using cygwin, so I run command config and command
make in cygwin.

libssl.a and libcrypt.a all be created.

 

But, this two lib can not work. Because I need armcc as compiler, not
gcc.

 

How can I do? I think that it is so difficult for me to modify makefile.

Could you give me some advise?

 

Thank you

michelle

Re: please help me.....

2007-10-24 Thread Shalmi


Hi,

Tried the given function, it compiles but throws error Run-Time Check
Failure #3 - The variable 'rsa' is being used without being defined.. Any
clue?? And the char * buf contains the key right??

Thanks  Regards
Shalmi

Marek Marcola wrote:
 
 Hello,
 ok i l try that.let me know u ..
 
 You may try something like that (not tested):
 
 int rsa_read_pem(RSA ** rsa, char *buf, int len)
 {
 BIO *mem;
 
 if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
 goto err;
 }
 
 *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
 BIO_free(mem);
 
 if (*rsa == NULL) {
 goto err;
 }
 
 return (0);
 
   err:
 return (-1);
 }
 
 Best regards,
 -- 
 Marek Marcola [EMAIL PROTECTED]
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
 
 

-- 
View this message in context: 
http://www.nabble.com/please-help-me.-tf3975055.html#a13384524
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

eapol_test failed, please help

2007-08-24 Thread jinlu8591

 06 03 55 04 0b 13 0b 45 6e
67 69 6e 65 65 72 69 6e 67 31 0e 30 0c 06 03 55 04 03 13 05 6a 69 6e 6c 75
31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 6a 69 6e 6c 75 38 35 39
31 40 79 61 68 6f 6f 2e 63 6f 6d 0e 00 00 00 
Attribute 80 (Message-Authenticator) length=18 
Value: 6a b5 d5 15 78 ec 0d a6 92 50 8e 45 38 63 ba 52 
Attribute 24 (State) length=18 
Value: 5f 54 ce c4 d3 14 cd b3 23 76 96 b7 c4 27 2a 3e 
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec 
RADIUS packet matching with station 
decapsulated EAP packet (code=1 id=3 len=213) from RADIUS server:
EAP-Request-TLS (13) 
EAPOL: Received EAP-Packet frame 
EAPOL: SUPP_BE entering state REQUEST 
EAPOL: getSuppRsp 
EAP: EAP entering state RECEIVED 
EAP: Received EAP-Request id=3 method=13 vendor=0 vendorMethod=0 
EAP: EAP entering state METHOD 
SSL: Received packet(len=213) - Flags 0x80 
SSL: TLS Message Length: 1227 
SSL: (where=0x1001 ret=0x1) 
SSL: SSL_connect:SSLv3 read server hello A 
TLS: Certificate verification failed, error 18 (self signed certificate)
depth 0 for '/C=US/ST=California/L=Oak Park/O=Jins
Company/OU=Engineering/CN=jinlu/[EMAIL PROTECTED]' 
SSL: (where=0x4008 ret=0x230) 
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA 
SSL: (where=0x1002 ret=0x) 
SSL: SSL_connect:error in SSLv3 read server certificate B 
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
SSL: 7 bytes pending from ssl_out 
SSL: Failed - tls_out available to report error 
SSL: 7 bytes left to be sent out (of total 7 bytes) 
EAP-TLS: TLS processing failed 
EAP: method process - ignore=FALSE methodState=DONE decision=FAIL 
EAP: EAP entering state SEND_RESPONSE 
EAP: EAP entering state IDLE 
EAPOL: SUPP_BE entering state RESPONSE 
EAPOL: txSuppRsp 
WPA: eapol_test_eapol_send(type=0 len=13) 
TX EAP - RADIUS - hexdump(len=13): 02 03 00 0d 0d 00 15 03 01 00 02 02 30 
Encapsulating EAP message into a RADIUS packet 
Copied RADIUS State Attribute 
Sending RADIUS message to authentication server 
RADIUS message: code=1 (Access-Request) identifier=3 length=139 
Attribute 1 (User-Name) length=7 
Value: 'jinlu' 
Attribute 4 (NAS-IP-Address) length=6 
Value: 127.0.0.1 
Attribute 31 (Calling-Station-Id) length=19 
Value: '02-00-00-00-00-01' 
Attribute 12 (Framed-MTU) length=6 
Value: 1400 
Attribute 61 (NAS-Port-Type) length=6 
Value: 19 
Attribute 77 (Connect-Info) length=24 
Value: 'CONNECT 11Mbps 802.11b' 
Attribute 79 (EAP-Message) length=15 
Value: 02 03 00 0d 0d 00 15 03 01 00 02 02 30 
Attribute 24 (State) length=18 
Value: 5f 54 ce c4 d3 14 cd b3 23 76 96 b7 c4 27 2a 3e 
Attribute 80 (Message-Authenticator) length=18 
Value: c1 6a 58 d8 74 f7 5f dc 07 9d 85 6f 8d b6 14 5d 
Next RADIUS client retransmit in 3 seconds 
EAPOL: SUPP_BE entering state RECEIVE 
EAPOL: startWhen -- 0 
STA 02:00:00:00:00:01: Resending RADIUS message (id=3) 
Next RADIUS client retransmit in 6 seconds 
Received 44 bytes from RADIUS server 
Received RADIUS message 
RADIUS message: code=3 (Access-Reject) identifier=3 length=44 
Attribute 79 (EAP-Message) length=6 
Value: 04 03 00 04 
Attribute 80 (Message-Authenticator) length=18 
Value: a2 c8 1a 01 9b 4b 9b 3f 98 29 ee c0 74 7b 37 6a 
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec 
RADIUS packet matching with station 
decapsulated EAP packet (code=4 id=3 len=4) from RADIUS server: EAP Failure 
EAPOL: Received EAP-Packet frame 
EAPOL: SUPP_BE entering state REQUEST 
EAPOL: getSuppRsp 
EAP: EAP entering state RECEIVED 
EAP: Received EAP-Failure 
EAP: EAP entering state FAILURE 
CTRL-EVENT-EAP-FAILURE EAP authentication failed 
EAPOL: SUPP_PAE entering state HELD 
EAPOL: SUPP_BE entering state RECEIVE 
EAPOL: SUPP_BE entering state FAIL 
EAPOL: SUPP_BE entering state IDLE 
eapol_sm_cb: success=0 
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit 
ENGINE: engine deinit 
MPPE keys OK: 0 mismatch: 2 
FAILURE 
  




-- 
View this message in context: 
http://www.nabble.com/eapol_test---failed%2C--please-help-tf4324490.html#a12315550
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

please help me.....

2007-06-25 Thread sri dhar

hi ,
  I am sridhar.D
  I have a RSA key information on buffer.i want to merge with buffer content to 
SSLcontext object.
   i am using SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)) 
this SSL API.
  that  API is failing . it gives following error message.
   
   
  9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
tag:tasn_dec.c:1282:
  29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 
error:tasn_dec.c:374:Type=RSA
  29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 
lib:ssl_rsa.c:607
   
   
  how to resolve the issue. please help me.

   
-
 Download prohibited? No problem. CHAT from any browser, without download.

Re: please help me.....

2007-06-25 Thread Marek Marcola

Hello,
 
 I have a RSA key information on buffer.i want to merge with buffer
 content to SSLcontext object.
  i am using
 SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)) this
 SSL API.
 that  API is failing . it gives following error message.
  
  
 9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
 tag:tasn_dec.c:1282:
 29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
 asn1 error:tasn_dec.c:374:Type=RSA
 29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1
 lib:ssl_rsa.c:607
  
  
 how to resolve the issue. please help me.
Try d2i_RSAPrivateKey() if your buffer has RSA key in DER format.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: please help me.....

2007-06-25 Thread sri dhar

i tried that way, now its generating coredump files.is there any other way to 
solve that issue...

Marek Marcola [EMAIL PROTECTED] wrote:  Hello,
 
 I have a RSA key information on buffer.i want to merge with buffer
 content to SSLcontext object.
 i am using
 SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)) this
 SSL API.
 that API is failing . it gives following error message.
 
 
 9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
 tag:tasn_dec.c:1282:
 29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
 asn1 error:tasn_dec.c:374:Type=RSA
 29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1
 lib:ssl_rsa.c:607
 
 
 how to resolve the issue. please help me.
Try d2i_RSAPrivateKey() if your buffer has RSA key in DER format.

Best regards,
-- 
Marek Marcola 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]



-
 Heres a new way to find what you're looking for - Yahoo! Answers

Re: please help me.....

2007-06-25 Thread sri dhar

ok i l try that.let me know u ..

Marek Marcola [EMAIL PROTECTED] wrote:  Hello,
 i tried that way, now its generating coredump files.is there any other
 way to solve that issue...

You should use something like that (buf and len has your key):

unsigned char *p;
RSA *rsa = NULL;

p = buf;
if ((rsa=d2i_RSAPrivateKey(NULL,p,(long)len)) == NULL){
goto err;
}
if (SSL_CTX_use_RSAPrivateKey(ctx,rsa) != 1){
goto err;
}
RSA_free(rsa);

But you should be sure that buf has DER (ASN.1) PKCS1 private key.
If you dump this buffer to file, you should be able to do something
like that:
$ openssl rsa -in key.der -inform der -text -noout
$ openssl asn1parse -in key.der -inform der
If you will get error then probably you have pem format, you may try
to convert with:
$ openssl rsa -in key.pem -outform der -out key.der
and try again.

Best regards,
-- 
Marek Marcola 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]


   
-
 The DELETE button on Yahoo! Mail is unhappy. Know why?

Re: please help me.....

2007-06-25 Thread Marek Marcola

Hello,
 i tried that way, now its generating coredump files.is there any other
 way to solve that issue...

You should use something like that (buf and len has your key):

unsigned char *p;
RSA *rsa = NULL;

p = buf;
if ((rsa=d2i_RSAPrivateKey(NULL,p,(long)len)) == NULL){
   goto err;
}
if (SSL_CTX_use_RSAPrivateKey(ctx,rsa) != 1){
   goto err;
}
RSA_free(rsa);

But you should be sure that buf has DER (ASN.1) PKCS1 private key.
If you dump this buffer to file, you should be able to do something
like that:
$ openssl rsa -in key.der -inform der -text -noout
$ openssl asn1parse -in key.der -inform der
If you will get error then probably you have pem format, you may try
to convert with:
$ openssl rsa -in key.pem -outform der -out key.der
and try again.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: please help me.....

2007-06-25 Thread sri dhar

i tried that way,buffer information is  not DER format.
  buffer header like this.
  -BEGIN RSA PRIVATE KEY-
..
   
  -END RSA PRIVATE KEY-
   
  Is they anyother way to resolve that problem?
  


Marek Marcola [EMAIL PROTECTED] wrote:
  Hello,
 
 I have a RSA key information on buffer.i want to merge with buffer
 content to SSLcontext object.
 i am using
 SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)) this
 SSL API.
 that API is failing . it gives following error message.
 
 
 9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
 tag:tasn_dec.c:1282:
 29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
 asn1 error:tasn_dec.c:374:Type=RSA
 29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1
 lib:ssl_rsa.c:607
 
 
 how to resolve the issue. please help me.
Try d2i_RSAPrivateKey() if your buffer has RSA key in DER format.

Best regards,
-- 
Marek Marcola 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]



-
 Heres a new way to find what you're looking for - Yahoo! Answers

Re: please help me.....

2007-06-25 Thread Marek Marcola

Hello,
 ok i l try that.let me know u ..

You may try something like that (not tested):

int rsa_read_pem(RSA ** rsa, char *buf, int len)
{
BIO *mem;

if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
goto err;
}

*rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
BIO_free(mem);

if (*rsa == NULL) {
goto err;
}

return (0);

  err:
return (-1);
}

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: please help me.....

2007-06-25 Thread sri dhar

thank you, its working fine.

Marek Marcola [EMAIL PROTECTED] wrote:  Hello,
 ok i l try that.let me know u ..

You may try something like that (not tested):

int rsa_read_pem(RSA ** rsa, char *buf, int len)
{
BIO *mem;

if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
goto err;
}

*rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
BIO_free(mem);

if (*rsa == NULL) {
goto err;
}

return (0);

err:
return (-1);
}

Best regards,
-- 
Marek Marcola 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]


   
-
 The DELETE button on Yahoo! Mail is unhappy. Know why?

Re: SSL concept..Please help...

2006-10-22 Thread Girish Venkatachalam

On Sat, Oct 21, 2006 at 08:04:01PM -0700, Ferianto siregar wrote:
 Dear all,
 
 Thank you very much for this chance. Thanks
 All, now I am finishing my paper. The title is TLS.
 As I know that TLS use SSL to make the communication secure.
 Can anybody tell me how can SSL make communication secure?
 I mean that how SSL use in TLS for secure the voip communication\/
 
 I do hope anybody can help me, so I can responsible my paper to my lecturer. 
 Thanks

Sure. TLS is nothing but a new incarnation of SSL v3. Have you heard of old 
wine in new bottle? :-)

It is exactly that.

As to VoIP I am afraid I don't know since skype uses its own encryption 
mechanism that is proprietary. Since VoIP mostly uses an underlying NAT 
traversal and instant messaging kind of library underneath you should take a 
look at protocols like SILC (Secure Internet Live Conferencing).

The only difference between data encryption and voice encryption being that 
voice is very very delay sensitive and data is very very loss sensitive. So UDP 
is used for voice and TCP for data.

I am not quite clear if SSL is used for VoIP. I doubt. One possibility is 
DTLS...

Best of luck!

regards,
Girish
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: SSL: connect failed..Please help..

2006-10-05 Thread James Brown



On 05/10/2006, at 4:49 AM, Marek Marcola wrote:


Hello,

Dear all,
...

tls_tcpconn_init: Setting in ACCEPT mode (server)
11(5927) tcpconn_add: hashes: 835, 11
11(5927) handle_new_connect: new connection: 0x422d88f0 24 flags:  
0002

11(5927) send2child: to tcp child 0 7(5919), 0x422d88f0
 7(5919) received n=4 con=0x422d88f0, fd=20
 7(5919) DBG: io_watch_add(0x80ed320, 20, 2, 0x422d88f0), fd_no=1
 7(5919) tls_update_fd: New fd is 20
 7(5919) tls_accept: Error in SSL:
 7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number
 7(5919) DBG: io_watch_del (0x80ed320, 20, 1, 0x10) fd_no=2 called
 7(5919) releasing con 0x422d88f0, state -2, fd=20, id=11
 7(5919)  extra_data 0x422e8a08
11(5927) handle_tcp_child: reader response= 422d88f0, -2 from 0
11(5927) tcpconn_destroy: destroying connection 0x422d88f0, flags  
0002

11(5927) tls_close: Closing SSL connection
11(5927) tls_update_fd: New fd is 24
11(5927) tls_shutdown: Shutdown successful
11(5927) tls_tcpconn_clean: Entered

What`s wrong? How to solve the error SSL3_GET_RECORD:wrong version
number and SSL: connect failed?
From server side, you may get this error when:

- server is setup to SSL/TLS and client is connecting in plain mode,
  for example:
$ telnet some_server 443
Escape character is '^]'.
lkasdkfgjlasdkfgjsdlkfjgsdfkgjsldkfgjhsdfkgsfgk

  bytes 2 and 3 must be proper SSL3/TLS1 version specification:
0x0300 - SSL3
0x0301 - TLS1
  or for SSL2 (in handshake negotiation) byte 4 and 5 has version
  information:
0x0200 - SSL2
0x0300 - SSL3
0x0301 - TLS1
  and of course using SSL2 client_hello TLS1 may be setup (if  
supported

  by client and server)

- server is setup to SSL3/TLS1 (not SSL2) and client sends SSL2
  client_hello, for example OpenSSL SSL_CTX created with
  SSLv23_client_method() method sends SSL2 client_hello with
  version information set to TLS1. But when server is set to
  understand SSL3/TLS1 only then SSL2 proposition is not recognized
  correctly (version information is at bytes 4 and 5, not 2 and 3)
  and we get wrong version number.
  To correct this, on client side disable SSL2 compatibility handshake
  if SSL_CTX is created with SSLv23_client_method() with
  SSL_OP_NO_SSLv2, or on server side create SSL_CTX with
  SSLv23_server_method() instead of SSLv3_server_method()
  or TLSv1_server_method().
  In other words, both sides should have enabled the same
  protocols.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

__

Marek, I'm also getting the same error:

LOG7[29231:25188864]: SSL alert (write): fatal: handshake failure
LOG3[29231:25188864]: SSL_connect: 1408F10B: error:1408F10B:SSL  
routines:SSL3_GET_RECORD:wrong version number
LOG5[29231:25188864]: Connection reset: 0 bytes sent to SSL, 0 bytes  
sent to socket


Are you saying that this error is caused by the client sending using  
a different version of SSL to that which the server is using? From  
the error message above, the server is using version 3 of SSL,  
correct? (I'm using the latest version of stunnel and OpenSSL 0.9.7i).


If so, the Apple's Mail app must be using an older SSL version? Does  
anyone know which version it uses?


Or can something else be causing this error?

Thanks,

James.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: SSL: connect failed..Please help..

2006-10-04 Thread Marek Marcola

Hello,
 Dear all,
  
 Thank you very much for your time. This is my first message in this
 forum.
  
 All, I got error message in minisip command prompt when I tried using
 TLS (Transport Method = TLS and Network Port = 5061).But, without
 TLS , I can make a call with minisip.
 The error message says :
  
 A. in client command prompt
  
 init 6/9: Creating MSip SIP stack
 init 7/9: Connecting GUI to SIP logic
 init 8.2/9: Starting TCP transport worker thread
 init 8.3/9: Starting TLS transport worker thread
 init 9/9: Registering Identities to registrar server
 Registering user [EMAIL PROTECTED] to proxy 202.95.149.251,
 requesting domain
  202.95.149.251
 SipMessageTransport: sendMessage: creating new socket
 Creating new SSL_CTX
 SSL: connect failed
 SipMessageTransport: sendMessage: exception thrown!
 SipMessageTransport: sendMessage: creating new socket
 SSL: connect failed
 SipMessageTransport: sendMessage: exception thrown!
 SipMessageTransport: sendMessage: creating new socket
 SSL: connect failed
 SipMessageTransport: sendMessage: exception thrown!
 SipMessageTransport: sendMessage: creating new socket
 SSL: connect failed
 SipMessageTransport: sendMessage: exception thrown!
  
 B. in server terminal
  
 tls_tcpconn_init: Setting in ACCEPT mode (server)
 11(5927) tcpconn_add: hashes: 835, 11
 11(5927) handle_new_connect: new connection: 0x422d88f0 24 flags: 0002
 11(5927) send2child: to tcp child 0 7(5919), 0x422d88f0
  7(5919) received n=4 con=0x422d88f0, fd=20
  7(5919) DBG: io_watch_add(0x80ed320, 20, 2, 0x422d88f0), fd_no=1
  7(5919) tls_update_fd: New fd is 20
  7(5919) tls_accept: Error in SSL:
  7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
 version number
  7(5919) DBG: io_watch_del (0x80ed320, 20, 1, 0x10) fd_no=2 called
  7(5919) releasing con 0x422d88f0, state -2, fd=20, id=11
  7(5919)  extra_data 0x422e8a08
 11(5927) handle_tcp_child: reader response= 422d88f0, -2 from 0
 11(5927) tcpconn_destroy: destroying connection 0x422d88f0, flags 0002
 11(5927) tls_close: Closing SSL connection
 11(5927) tls_update_fd: New fd is 24
 11(5927) tls_shutdown: Shutdown successful
 11(5927) tls_tcpconn_clean: Entered
 
 What`s wrong? How to solve the error SSL3_GET_RECORD:wrong version
 number and SSL: connect failed?
From server side, you may get this error when:
- server is setup to SSL/TLS and client is connecting in plain mode,
  for example:
$ telnet some_server 443
Escape character is '^]'.
lkasdkfgjlasdkfgjsdlkfjgsdfkgjsldkfgjhsdfkgsfgk

  bytes 2 and 3 must be proper SSL3/TLS1 version specification:
0x0300 - SSL3
0x0301 - TLS1
  or for SSL2 (in handshake negotiation) byte 4 and 5 has version
  information:
0x0200 - SSL2
0x0300 - SSL3
0x0301 - TLS1
  and of course using SSL2 client_hello TLS1 may be setup (if supported
  by client and server)

- server is setup to SSL3/TLS1 (not SSL2) and client sends SSL2
  client_hello, for example OpenSSL SSL_CTX created with
  SSLv23_client_method() method sends SSL2 client_hello with
  version information set to TLS1. But when server is set to
  understand SSL3/TLS1 only then SSL2 proposition is not recognized
  correctly (version information is at bytes 4 and 5, not 2 and 3)
  and we get wrong version number.
  To correct this, on client side disable SSL2 compatibility handshake
  if SSL_CTX is created with SSLv23_client_method() with
  SSL_OP_NO_SSLv2, or on server side create SSL_CTX with
  SSLv23_server_method() instead of SSLv3_server_method()
  or TLSv1_server_method().
  In other words, both sides should have enabled the same
  protocols.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

SSL: connect failed..Please help..

2006-10-03 Thread Ferianto siregar

Dear all,Thank you very much for your time. This is my first message in this forum.All, I got error message in minisip command prompt when I tried using TLS (Transport Method = TLS and Network Port = 5061).But, without TLS , I can make a call with minisip.  The error message says :A. in client command promptinit 6/9: Creating MSip SIP stackinit 7/9: Connecting GUI to SIP logicinit 8.2/9: Starting TCP transport worker threadinit 8.3/9: Starting TLS transport worker threadinit 9/9: Registering Identities to registrar server  Registering user [EMAIL PROTECTED] to proxy 202.95.149.251, requesting domain202.95.149.251  SipMessageTransport: sendMessage: creating new socket  Creating new SSL_CTXSSL: connect
 failed  SipMessageTransport: sendMessage: exception thrown!SipMessageTransport: sendMessage: creating new socketSSL: connect failedSipMessageTransport: sendMessage: exception thrown!SipMessageTransport: sendMessage: creating new socketSSL: connect failedSipMessageTransport: sendMessage: exception thrown!SipMessageTransport: sendMessage: creating new socketSSL: connect failedSipMessageTransport: sendMessage: exception thrown!B. in server terminaltls_tcpconn_init: Setting in ACCEPT mode (server)11(5927) tcpconn_add: hashes: 835, (5927) handle_new_connect: new connection: 0x422d88f0 24 flags: 000211(5927) send2child: to tcp child 0 7(5919), 0x422d88f07(5919) received n=4 con=0x422d88f0, fd=207(5919) DBG: io_watch_add(0x80ed320, 20, 2, 0x422d88f0), fd_no=17(5919) tls_update_fd: New fd is 207(5919)
 tls_accept: Error in SSL:  7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number  7(5919) DBG: io_watch_del (0x80ed320, 20, 1, 0x10) fd_no=2 called7(5919) releasing con 0x422d88f0, state -2, fd=20, id=117(5919) extra_data 0x422e8a0811(5927) handle_tcp_child: reader response= 422d88f0, -2 from 011(5927) tcpconn_destroy: destroying connection 0x422d88f0, flags 000211(5927) tls_close: Closing SSL connection11(5927) tls_update_fd: New fd is 2411(5927) tls_shutdown: Shutdown successful11(5927) tls_tcpconn_clean: Entered  What`s wrong? How to solve the error "SSL3_GET_RECORD:wrong version number" and "SSL: connect failed"?I do hope any body can help me, again :)Please tell me if I have shown my openser.cfg file. Thanks  Thank you for your attention and Have a nice day :)Regards, 
 FeriantoNote:1. I use Redhat 9   [EMAIL PROTECTED] root]# rpm -qa|grep -i sslperl-Crypt-SSLeay-0.45-7openssl-devel-0.9.7a-2openssl-perl-0.9.7a-2openssl-0.9.7a-2pyOpenSSL-0.5.1-8mod_ssl-2.0.40-21openssl096b-0.9.6b-3docbook-style-dsssl-1.76-8openssl096-0.9.6-15[EMAIL PROTECTED] root]#   
		Get your email and more, right on the  new Yahoo.com

Can't Upgrade! Can't Add Threading! Please Help!

2006-08-04 Thread beno


Hi;
I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:
./config --prefix=/usr/local --openssldir=/usr/local/openssl 
enable-threads enable-shared

make
make test
make install
and everything checked out just fine. However...

server167# openssl version
OpenSSL 0.9.7d 17 Mar 2004
server167# pwd
/usr/ports/www/openssl-0.9.8b
So...

How do I turn off the old version and turn on the new which should 
support threading so I can use Pound??

TIA,
beno

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Can't Upgrade! Can't Add Threading! Please Help!

2006-08-04 Thread Marek Marcola

Hello,
 I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:
 ../config --prefix=/usr/local --openssldir=/usr/local/openssl 
 enable-threads enable-shared
 make
 make test
 make install
 and everything checked out just fine. However...
 
 server167# openssl version
 OpenSSL 0.9.7d 17 Mar 2004
 server167# pwd
 /usr/ports/www/openssl-0.9.8b
 So...
 
 How do I turn off the old version and turn on the new which should 
 support threading so I can use Pound??

But I thing:
$ /usr/local/bin/openssl version
will give good results.

When configuring Pound add option:
$ ./configure --with-ssl=/usr/local ...
Hope this helps.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

client read problem please help!!!!!

2006-04-06 Thread michael Dorrian

Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed but when i do this i cannot write to the server again for some reason. How can i rectify this..thanks in advance int do_client_loop(SSL *ssl) {  int err, nwritten;  char buf[80];  for (;;)  {  if (!fgets(buf, sizeof(buf), stdin))  break;for (nwritten = 0; nwritten  sizeof(buf); nwritten += err)  {err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten);  if
 (err = 0)  return 0;  }  err = SSL_read(ssl, buf + nwritten, sizeof(buf) - nwritten);  if (err = 0)  return 0;}  return 1; }  int main(int argc, char *argv[]) {  BIO *conn;  SSL *ssl;  SSL_CTX *ctx;  long err;  init_OpenSSL( );  seed_prng( );  clientfile = argv[1];   ctx =
 setup_client_ctx( );   conn = BIO_new_connect(SERVER ":" PORT);  if (!conn)  int_error("Error creating connection BIO");   if (BIO_do_connect(conn) = 0)  int_error("Error connecting to remote machine");   ssl = SSL_new(ctx);  SSL_set_bio(ssl, conn, conn);  if (SSL_connect(ssl) = 0)  int_error("Error connecting SSL object");  if ((err = post_connection_check(ssl, SERVER)) != X509_V_OK)  {  fprintf(stderr, "-Error: peer certificate: %s\n",  X509_verify_cert_error_string(err));
  int_error("Error checking SSL object after connection");  }  fprintf(stderr, "SSL Connection opened\n");  if (do_client_loop(ssl))  SSL_shutdown(ssl);  else  SSL_clear(ssl);  fprintf(stderr, "SSL Connection closed\n");   SSL_free(ssl);  SSL_CTX_free(ctx);  return 0; }
		Blab-away for as little as 1¢/min. Make  PC-to-Phone Calls using Yahoo! Messenger with Voice.

Re: client read problem please help!!!!!

2006-04-06 Thread Girish Venkatachalam

Looks like I have not understood your problem. 

Why do you have to do an SSL_read() to figure out if
it has closed? SSL_write() will fail it the other side
closes...

--- michael Dorrian [EMAIL PROTECTED] wrote:

 Here is the relevant code. The problem is in this
 do_client_loop. I need to read from the server to
 check if it has closed but when i do this i cannot
 write to the server again for some reason. How can i
 rectify this..thanks in advance
  int do_client_loop(SSL *ssl)
  {
  int  err, nwritten;
  char buf[80];
  for (;;)
  {
  if (!fgets(buf, sizeof(buf), stdin))
  break;
  
  for (nwritten = 0;  nwritten  sizeof(buf);
  nwritten += err)
  {   
 err = SSL_write(ssl, buf + nwritten,
 sizeof(buf) - nwritten);
  if (err = 0)
  return 0;
 
  
  }
  err = SSL_read(ssl, buf + nwritten, sizeof(buf)
 - nwritten);
  if (err = 0)
  return 0;
  
  }
  return 1;
  }
   
  int main(int argc, char *argv[])
  {
  BIO *conn;
  SSL *ssl;
  SSL_CTX *ctx;
  longerr;
  init_OpenSSL(  );
  seed_prng(  );
  clientfile = argv[1];
  ctx = setup_client_ctx(  );
   
  conn = BIO_new_connect(SERVER : PORT);
  if (!conn)
  int_error(Error creating connection BIO);
   
  if (BIO_do_connect(conn) = 0)
  int_error(Error connecting to remote
 machine);
   
  ssl = SSL_new(ctx);
  SSL_set_bio(ssl, conn, conn);
  if (SSL_connect(ssl) = 0)
  int_error(Error connecting SSL object);
  if ((err = post_connection_check(ssl, SERVER))
 != X509_V_OK)
  {
  fprintf(stderr, -Error: peer certificate:
 %s\n,
 
 X509_verify_cert_error_string(err));
  int_error(Error checking SSL object after
 connection);
  }
  fprintf(stderr, SSL Connection opened\n);
  if (do_client_loop(ssl))
  SSL_shutdown(ssl);
  else
  SSL_clear(ssl);
  fprintf(stderr, SSL Connection closed\n);
   
  SSL_free(ssl);
  SSL_CTX_free(ctx);
  return 0;
  }
   
 -
 Blab-away for as little as 1ï¿½/min. Make 
PC-to-Phone
 Calls using Yahoo! Messenger with Voice.


__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: client read problem please help!!!!!

2006-04-06 Thread michael Dorrian

yeah you would think that but it doesnt for some strange reason.Girish Venkatachalam [EMAIL PROTECTED] wrote:  Looks like I have not understood your problem. Why do you have to do an SSL_read() to figure out ifit has closed? SSL_write() will fail it the other sidecloses...--- michael Dorrian <[EMAIL PROTECTED]>wrote: Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed but when i do this i cannot write to the server again for some reason. How can i rectify this..thanks in advance int do_client_loop(SSL *ssl) { int err, nwritten; char buf[80]; for (;;) { if (!fgets(buf, sizeof(buf), stdin)) break;  for (nwritten = 0;
 nwritten  sizeof(buf); nwritten += err) {  err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten); if (err = 0) return 0;   } err = SSL_read(ssl, buf + nwritten, sizeof(buf) - nwritten); if (err = 0) return 0;  } return 1; }  int main(int argc, char *argv[]) { BIO *conn; SSL *ssl; SSL_CTX *ctx; long err; init_OpenSSL( ); seed_prng( ); clientfile = argv[1];  ctx = setup_client_ctx( );  conn = BIO_new_connect(SERVER ":" PORT); if (!conn) int_error("Error creating connection BIO");  if (BIO_do_connect(conn) = 0) int_error("Error connecting to remote machine");  ssl = SSL_new(ctx); SSL_set_bio(ssl, conn, conn); if (SSL_connect(ssl) =
 0) int_error("Error connecting SSL object"); if ((err = post_connection_check(ssl, SERVER)) != X509_V_OK) { fprintf(stderr, "-Error: peer certificate: %s\n",  X509_verify_cert_error_string(err)); int_error("Error checking SSL object after connection"); } fprintf(stderr, "SSL Connection opened\n"); if (do_client_loop(ssl)) SSL_shutdown(ssl); else SSL_clear(ssl); fprintf(stderr, "SSL Connection closed\n");  SSL_free(ssl); SSL_CTX_free(ctx); return 0; }  - Blab-away for as little as 1E½/min. Make PC-to-Phone Calls using Yahoo! Messenger with Voice.__Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
 __OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED]
	
		Yahoo! Messenger with Voice. PC-to-Phone calls for ridiculously low rates.

Resending - Please help

2005-11-23 Thread Jairds

I apologise for resending, but  I got no response, and am really lost
here. Please take a minute to read it.
Yesterday I reinstalled SSL and the Apache. After that the server
responded ok and then went back to the same problem.



Previous Post 


Hi all,

I am having a weird problem in my site related to SSL.

I can connect from inside the network to the secure pages , so the
certificate is fine. From outside the connections are refused. I have a
monitoring company checking the site and from them I got the following
error message



TCP error (site is not responding): connect: Connection refused at
/usr/local/mybin/IPD/IPSSL.pm line 60

The firewalls are checked and the server is listening the https port.

I searched everywhere in the computer for this directory and files with
no success.

I am starting to think I 've been hacked because of the mybin diretory
in the path, and because I cannot find theses files.

I googled for them files without finding any . Does anybody know if they
really exists on sssl programs ?

How can I find these hidden files in my machine ?

Any help or clue will be very much appreciatted.

Thanks

Jair


 
 

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Resending - Please help

2005-11-23 Thread Jorey Bump


Jairds wrote:


I am having a weird problem in my site related to SSL.

I can connect from inside the network to the secure pages , so the
certificate is fine. From outside the connections are refused. I have a
monitoring company checking the site and from them I got the following
error message

TCP error (site is not responding): connect: Connection refused at
/usr/local/mybin/IPD/IPSSL.pm line 60

The firewalls are checked and the server is listening the https port.

I searched everywhere in the computer for this directory and files with
no success.

I am starting to think I 've been hacked because of the mybin diretory
in the path, and because I cannot find theses files.

I googled for them files without finding any . Does anybody know if they
really exists on sssl programs ?

How can I find these hidden files in my machine ?

Any help or clue will be very much appreciatted.


This is not an SSL issue. Does your ISP block port 443? The error from 
the monitoring company refers to their own script, not any files on your 
machine. It simply can't make a connection to your server.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Resending - Please help

2005-11-23 Thread Jairds




This is not an SSL issue. Does your ISP block port 443? The error from

the monitoring company refers to their own script, not any files on
your 
machine. It simply can't make a connection to your server.
__


I am glad to hear that because I spent all day yesterday trying to find
the directory /usr/local/mybin in my machine. 


The problem is : I already talked to my provider  and they claim not to
block any port. I checked my router and the port is open. If I netstat I
get

tcp0  0 *:https *:*
LISTEN   

And, the worst of all. Sometimes it works.

I have no clue at this point.

Jair

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Resending - Please help

2005-11-23 Thread Jorey Bump


Jairds wrote:


The problem is : I already talked to my provider  and they claim not to
block any port. I checked my router and the port is open. If I netstat I
get

tcp0  0 *:https *:*
LISTEN   


And, the worst of all. Sometimes it works.

I have no clue at this point.


Perhaps your DNS is misconfigured or the monior script is using the 
wrong URL. If you don't mind, post the URL or domain, so some of us can 
try it.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Resending - Please help

2005-11-23 Thread Marek Marcola

Hello,
  The problem is : I already talked to my provider  and they claim not to
  block any port. I checked my router and the port is open. If I netstat I
  get
  
  tcp0  0 *:https *:*
  LISTEN   
  
  And, the worst of all. Sometimes it works.
  
  I have no clue at this point.
You may have duplicated IP address in your network.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Resending - Please help

2005-11-23 Thread Jairds


Thanks guys , here it is


www.cliconnect.com
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorey Bump
Sent: Wednesday, November 23, 2005 9:33 AM
To: openssl-users@openssl.org
Subject: Re: Resending - Please help


Jairds wrote:

 The problem is : I already talked to my provider  and they claim not 
 to block any port. I checked my router and the port is open. If I 
 netstat I get
 
 tcp0  0 *:https *:*
 LISTEN   
 
 And, the worst of all. Sometimes it works.
 
 I have no clue at this point.

Perhaps your DNS is misconfigured or the monior script is using the 
wrong URL. If you don't mind, post the URL or domain, so some of us can 
try it.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Resending - Please help

2005-11-23 Thread Victor Duchovni

On Wed, Nov 23, 2005 at 10:13:05AM -0800, Jairds wrote:

 www.cliconnect.com
  

Perhaps shawcable rate limits connections to your system...

$ openssl s_client -connect 24.71.57.40:443
CONNECTED(0003)
depth=1 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
External CA Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=CA/2.5.4.17=V1V 1R9/ST=British Columbia/L=Kelowna/2.5.4.9=1876 pORTHILL 
dR/O=Cliconnect Internet 
Telephony/OU=Support/OU=InstantSSL/CN=www.cliconnect.com
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-BEGIN CERTIFICATE-
MIIFDTCCA/WgAwIBAgIRAOqrcH6CwO1lmnnyOBnjJaAwDQYJKoZIhvcNAQEFBQAw
bzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1B
ZGRUcnVzdCBFeHRlcm5hbCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3Qg
RXh0ZXJuYWwgQ0EgUm9vdDAeFw0wNTEwMTUwMDAwMDBaFw0wNzEwMTUyMzU5NTla
MIHTMQswCQYDVQQGEwJDQTEQMA4GA1UEERMHVjFWIDFSOTEZMBcGA1UECBMQQnJp
dGlzaCBDb2x1bWJpYTEQMA4GA1UEBxMHS2Vsb3duYTEZMBcGA1UECRMQMTg3NiBw
T1JUSElMTCBkUjEmMCQGA1UEChMdQ2xpY29ubmVjdCBJbnRlcm5ldCBUZWxlcGhv
bnkxEDAOBgNVBAsTB1N1cHBvcnQxEzARBgNVBAsTCkluc3RhbnRTU0wxGzAZBgNV
BAMTEnd3dy5jbGljb25uZWN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAsAZvP5zEp2qeePa0ncl7MGrexR7JUpQvxxocfKKKRreV0x5gWHwa+LTqQheb
ybHcSqqyAuJ/24FxtDtK6GojDXwxy841ixSbmaaZvIdpFYHFRzgYzO3nq9ITBQtw
WLn3dOSqD+GqSTa/aPbulW23N6g9n+AFKbA1Pb/xLV5+6IECAwEAAaOCAcEwggG9
MB0GA1UdDgQWBBQV/72KE3LZ6GAMsqqGh20UL96hYDAOBgNVHQ8BAf8EBAMCBaAw
DAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYJ
YIZIAYb4QgEBBAQDAgbAMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMHsGA1UdHwR0
MHIwOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0FkZFRydXN0RXh0ZXJu
YWxDQVJvb3QuY3JsMDagNKAyhjBodHRwOi8vY3JsLmNvbW9kby5uZXQvQWRkVHJ1
c3RFeHRlcm5hbENBUm9vdC5jcmwwgYYGCCsGAQUFBwEBBHoweDA7BggrBgEFBQcw
AoYvaHR0cDovL2NydC5jb21vZG9jYS5jb20vQWRkVHJ1c3RVVE5TZXJ2ZXJDQS5j
cnQwOQYIKwYBBQUHMAKGLWh0dHA6Ly9jcnQuY29tb2RvLm5ldC9BZGRUcnVzdFVU
TlNlcnZlckNBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAKEMEaJZhp/Rl8h3jskLN
2fRcCZhT+o9frfMHliVM0vQJs93ooW7sSkHHlx0DxfgeVipdsZ31mIAg15wM0YMr
a6lisUzjH3SVUsa41GZiBmfEQHM32grK6ubHkprQUq1J3e6LR1NySanu1TuPcnop
gAAlhYmQ/EGm99cMp2RqrpdyRKaUPss/kpyBcQNYLJl16MIEMwSKGXlp10vwFZgq
h/RAw90kfb2Q+rjmdAiCM9nk6oTMsvxJ6IWDIZiS93qVlMyzYtoNRIOl3Ph+nUuB
5iKbpKNo6sX6fQfTx7181yqWGoAhhtfgRMqbAYuuH3Ubgu9Hv7g1MXXjPGapilva
kw==
-END CERTIFICATE-
subject=/C=CA/2.5.4.17=V1V 1R9/ST=British Columbia/L=Kelowna/2.5.4.9=1876 
pORTHILL dR/O=Cliconnect Internet 
Telephony/OU=Support/OU=InstantSSL/CN=www.cliconnect.com
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
External CA Root
---
No client certificate CA names sent
---
SSL handshake has read 2939 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: ...
Key-Arg   : None
Krb5 Principal: None
Start Time: 1132770279
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 23 Nov 2005 18:26:20 GMT
Server: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7a DAV/2 PHP/5.0.5
X-Powered-By: PHP/5.0.5
Connection: close
Content-Type: text/html

html
head
titleWelcome to Cliconnect - Free and Unlimited VoIP Phone Calls/title
meta http-equiv=Content-Type content=text/html; charset=windows-1252
META NAME=Description CONTENT=Provides Free and Unlimited VoIP calling 
services. We are an Internet Telephony company which provides PC to PC 
communication for free
!-- etc. --
/html

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: please help me on OCSP

2005-08-24 Thread prakash babu

Hi,

The -Vafile option is used for explicitly trusting the responder certificate of the ocsp serverSo if you omit this option you will get the "unable to get local issuer certificate" error.
To get this command workingopenssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign -User.pem2. Get the CA certificate that was used to sign your request - ROOT_CA.pem3. Trust the Verisign OCSP responder certficate - OCSPServer.pem

--Prakash
varma d [EMAIL PROTECTED] wrote:
Hi,Today i was very much excited to see this mailing list on openSSL. I searched several messages and its great to see that people here are helping others.I need your help.I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl,I have couple of questions.1) I used the following command to send OCSP request and get response from OCSP responder.openSSLocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pemWhen i am executing this command , i am getting response from OCSP responder stating that certificate status is good. (i have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm) )But, In this command what is the purpose of OCSPServer.pem, i still dont understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from OCSP responder irrespective of OCSPServer.pem file.If i give my URL as http://ocsp.verisign.com, how can i get verisign's OCSPServer.pem. Also how can i getlatest OCSPServer.pem file for the given URL. 2)I tested by giving latest user certificates other than openvalidation.org certificates, but i am getting this erroruser.pem:WARNING: Status times invalid.3220:error:270730
 7D:OCSP
 routines:OCSP_check_validity:statusexpired:.\crypto\ocsp\ocsp_cl.c:357:unknownThis Update: Oct 24 06:00:11 2004 GMTNext Update: Oct 25 06:00:11 2004 GMTFor this do i need to update my OCSPServer.pem fileThank you for your time and considerationI would be grateful to you if you would help me out as i am spending a lot of time on understanding this.Please help me out.Thanks,vv__Do You Yahoo!?Tired of spam?  Yahoo! Mail has the best spam protection around http://mail.yahoo.com

Hi, Thanks a lot prakash for your reply. Actually my application works in this way1) I will get the x.509 certificate from any server(lets say) yahoo.com, now from that i will extract
yahoo.com user certificate(may be issued by verisign or others), issuers root certificate.2) Now i need to check the OCSP status of these individual certificates3) Since verisign is an OCSP responder i just want to query
ocsp.verisign.com for these individual certificates.
but while i was trying with your command
openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
I am getting an error message like
Error Querying OCSP responder3256: .. Connect error...
But when i am trying with same command and same certificates to ocsp.openvalidation.org i am getting status information.But only problem with openvalidation is that they dont have up-to-date information(for some cases).

Are there are any public ocsp responder where i can query them instead of ocsp.versign.com.
I would be grateful to you if you would give a reply.
Thanks in Advance
Thanks,Varma
On 8/24/05, prakash babu [EMAIL PROTECTED] wrote:

Hi,

The -Vafile option is used for explicitly trusting the responder certificate of the ocsp serverSo if you omit this option you will get the unable to get local issuer certificate error.
To get this command workingopenssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile
OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign -User.pem2. Get the CA certificate that was used to sign your request - ROOT_CA.pem3. Trust the Verisign OCSP responder certficate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:
Hi,Today i was very much excited to see this mailing list on openSSL. I searched several messages and its great to see that people here are helping others.
I need your help.I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl,
I have couple of questions.1) I used the following command to send OCSP request and get response from OCSP responder.openSSLocsp -url
http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pemWhen i am executing this command , i am getting response from OCSP responder stating that certificate status is
good. (i have taken this command/files from
openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm) )
But, In this command what is the purpose of OCSPServer.pem, i still dont understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from OCSP responder irrespective of OCSPServer.pem
file.If i give my URL as http://ocsp.verisign.com, how can i get verisign's OCSPServer.pem. Also how can i get
latest OCSPServer.pem file for the given URL. 2)I tested by giving latest user certificates other than
openvalidation.org certificates, but i am getting this erroruser.pem:WARNING: Status times invalid.3220:error:2707307D:OCSP routines:OCSP_check_validity:statusexpired:.\crypto\ocsp\ocsp_cl.c:357:
unknownThis Update: Oct 24 06:00:11 2004 GMTNext Update: Oct 25 06:00:11 2004 GMTFor this do i need to update my OCSPServer.pem fileThank you for your time and considerationI would be grateful to you if you would help me out as i am spending a lot of time on understanding this.
Please help me out.Thanks,vv
__Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Re: please help me on OCSP

2005-08-24 Thread Paul Simon

wDAPBgkrBgEFBQcwAQUEAgUAMCcGA1UdEQQgMB6kHDAaMRgwFgYDVQQDEw9PQ1NQ
Mi1UR1YtMS0xNDEwHQYDVR0OBBYEFDDvDY7NWAXpc5YGTmNI+SRZgkHUMB8GA1Ud
IwQYMBaAFA3A2D2/+2WTyDdmJuKKEl+7woD1MA0GCSqGSIb3DQEBBQUAA4GBAGuN
eXqz1R3nDqwY5/C0/LTPA8/y3uCTuWCZq7NSloXcNCDweNgkyLNxJfKQjX/cAH4l
kv3gJvo9maGJhqAJ/gogNApoMc1gnWOh2S82fE10zMqRZculH1865ORzZ5uOUOwz
KDdMBTOohD5jfD3FzZDDcpmZfujpZ0I8G+ZvpW03
-END CERTIFICATE-
Response verify OK
eca_usr_cert.pem: good
This Update: Aug 23 17:10:46 2005 GMT
Next Update: Aug 30 17:10:46 2005 GMT

--- varma d [EMAIL PROTECTED] wrote:

 Hi,
 Thanks a lot prakash for your reply. Actually my
 application works in this 
 way
 1) I will get the x.509 certificate from any
 server(lets say)
 yahoo.comhttp://yahoo.com,
 now from that i will extract yahoo.com
 http://yahoo.com user 
 certificate(may be issued by verisign or others),
 issuers root certificate.
 2) Now i need to check the OCSP status of these
 individual certificates
 3) Since verisign is an OCSP responder i just want
 to query 
 ocsp.verisign.com http://ocsp.verisign.com for
 these individual 
 certificates.
 
 but while i was trying with your command 
 
 openssl ocsp -url http://ocsp.verisign.com:8080
 -issuer ROOT_CA.pem -VAfile 
 OCSPServer.pem -cert User.pem
 
 I am getting an error message like 
 
 Error Querying OCSP responder
 
 3256: .. Connect error...
 
 But when i am trying with same command and same
 certificates to 
 ocsp.openvalidation.org
 http://ocsp.openvalidation.org i am getting status
 
 information.But only problem with openvalidation is
 that they dont have 
 up-to-date information(for some cases).
 
 Are there are any public ocsp responder where i can
 query them instead of 
 ocsp.versign.com http://ocsp.versign.com.
 
 I would be grateful to you if you would give a
 reply.
 
 Thanks in Advance
 
 Thanks,
 Varma
 
 
 On 8/24/05, prakash babu [EMAIL PROTECTED]
 wrote: 
  
  Hi,
   The -Vafile option is used for explicitly
 trusting the responder 
  certificate of the ocsp server
  So if you omit this option you will get the
 unable to get local issuer 
  certificate error.
  
  To get this command working
  openssl ocsp -url http://ocsp.verisign.com:8080
 -issuer ROOT_CA.pem 
  -VAfile OCSPServer.pem -cert User.pem
   1. First you must get a certificate from Verisign
 -User.pem
  2. Get the CA certificate that was used to sign
 your request - ROOT_CA.pem
  3. Trust the Verisign OCSP responder certficate -
 OCSPServer.pem
   --Prakash
   
  *varma d [EMAIL PROTECTED]* wrote:
  
  Hi,
  Today i was very much excited to see this mailing
 list on openSSL. I 
  searched several messages and its great to see
 that people here are helping 
  others.
  I need your help.
  
  I read tutorials on OCSP from
 http://openvalidation.org about using OCSP 
  in openssl,
  I have couple of questions.
  1) I used the following command to send OCSP
 request and get response from 
  OCSP responder.
  
  openSSLocsp -url http://ocsp.openvalidation.org
 -issuer ROOT_CA.pem 
  -VAfile OCSPServer.pem -cert User.pem
  
  When i am executing this command , i am getting
 response from OCSP 
  responder stating that certificate status is good.
 
  (i have taken this command/files from

openvalidation.orghttp://openvalidation.org/(http://www.openvalidation.org/useserviceopenssl.htm)
 
  )
  
  But, In this command what is the purpose of
 OCSPServer.pem, i still dont 
  understand the purpose of OCSPServer.pem as we
 need to just send our 
  request and expect a response from OCSP responder
 irrespective of 
  OCSPServer.pem file.
  
  If i give my URL as http://ocsp.verisign.com, how
 can i get verisign's 
  OCSPServer.pem. Also how can i get
  latest OCSPServer.pem file for the given URL. 
  
  2)I tested by giving latest user certificates
 other than 
  openvalidation.org http://openvalidation.org/
 certificates, but i am 
  getting this error
  
  user.pem:WARNING: Status times invalid.
  3220:error:2707307D:OCSP 
  routines:OCSP_check_validity:status
  expired:.\crypto\ocsp\ocsp_cl.c:357:
  unknown
  This Update: Oct 24 06:00:11 2004 GMT
  Next Update: Oct 25 06:00:11 2004 GMT
  
  For this do i need to update my OCSPServer.pem
 file
  
  
  Thank you for your time and consideration
  
  I would be grateful to you if you would help me
 out as i am spending a lot 
  of time on understanding this.
  
  Please help me out.
  
  Thanks,
  vv
  
  __
  Do You Yahoo!?
  Tired of spam? Yahoo! Mail has the best spam
 protection around 
  http://mail.yahoo.com 
 
 


__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: please help me on OCSP

2005-08-24 Thread Paul Simon

It is the OCSP responder cert. I suppose you already
have that, right? Or you can use this one which will
expire on Sep 15, 2005 though.

-BEGIN CERTIFICATE-
MIID2jCCA0OgAwIBAgIQaVnCDg78Yj+N1V5h9xQh0jANBgkqhkiG9w0BAQUFADCB
lDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
CxMDRUNBMSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMTkwNwYD
VQQDEzBWZXJpU2lnbiBDbGllbnQgRXh0ZXJuYWwgQ2VydGlmaWNhdGlvbiBBdXRo
b3JpdHkwHhcNMDUwNTI2MDAwMDAwWhcNMDUwNjI1MjM1OTU5WjB7MQswCQYDVQQG
EwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFzAV
BgNVBAsTDlZlcmlTaWduLCBJbmMuMSswKQYDVQQDEyJWZXJpU2lnbiBDbGllbnQg
RUNBIE9DU1AgUmVzcG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO
s7CVM3MfKvWnY2svXQRmE981uWCakqgWU5m9cKWcND/0kQWhFShROBzT1czVgvtD
dH+EbkF3Oaa+RtX775EQa6u5IA3dCr1a+eQr4kNPyTAAicfPgKl2kwMIAxJwpXaG
wR09YBL1L96cnaMrrSJRH7lcev2NpsSzGlBpjNwmkwIDAQABo4IBQzCCAT8wRwYI
KwYBBQUHAQEEOzA5MDcGCCsGAQUFBzAChitodHRwczovL2VjYS52ZXJpc2lnbi5j
b20vQ0EvVmVyaVNpZ25FQ0EuY2VyMFIGA1UdIARLMEkwRwYKYIZIAWUDAgEMAjA5
MDcGCCsGAQUFBwIBFitodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
eS9lY2EvY3BzMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMJMA4GA1UdDwEB/wQEAwIG
wDAPBgkrBgEFBQcwAQUEAgUAMCcGA1UdEQQgMB6kHDAaMRgwFgYDVQQDEw9PQ1NQ
Mi1UR1YtMS0xNDEwHQYDVR0OBBYEFDDvDY7NWAXpc5YGTmNI+SRZgkHUMB8GA1Ud
IwQYMBaAFA3A2D2/+2WTyDdmJuKKEl+7woD1MA0GCSqGSIb3DQEBBQUAA4GBAHrP
OjxDB35f/2+cORsVIl1oVPy71CaCnJ32KDxlEIRSW7sn4BIkBLfr2Un5ozt7SXzz
6qw5I/hIyT1ADaLjpQubN6H+Oxk6ve6xw1JPuDMLHnABLeF+GzLSs2UxFr3bl4AE
gAnMe402U2NJZBJhvvHu+YWdT4cDohuSqEeu+x5R
-END CERTIFICATE-


--- satish danduvarma [EMAIL PROTECTED] wrote:

 Hi Paul,
Thats great. Thanks for your quick response.
 What is tgv.pem file. how can we get that file.
 
 Thanks in advance,
 Varma
 
 On 8/24/05, Paul Simon [EMAIL PROTECTED]
 wrote:
  Maybe your URL is wrong. I just tried this:
  
  openssl ocsp -issuer VeriSignClientECA.pem -url
  http://ocsp.verisign.com -cert eca_usr_cert.pem
  -VAfile tgv.pem -no_nonce -text
  
  and it works fine as follows:
  
  D:\prjs\ocsp\newEcaCAopenssl ocsp -issuer
  VeriSignClientECA.pem -url http://ocs
  p.verisign.com -cert eca_usr_cert.pem -VAfile
 tgv.pem
  -no_nonce -text
  OCSP Request Data:
 Version: 1 (0x0)
 Requestor List:
 Certificate ID:
   Hash Algorithm: sha1
   Issuer Name Hash:
  75EB8BF61A586BADD9044359324DAC621F5B59C8
   Issuer Key Hash:
  0DC0D83DBFFB6593C8376626E28A125FBBC280F5
   Serial Number:
  1B148220FC005FD035E866279AE682BE
  OCSP Response Data:
 OCSP Response Status: successful (0x0)
 Response Type: Basic OCSP Response
 Version: 1 (0x0)
 Responder Id: C = US, O = U.S. Government, OU =
  ECA, OU = VeriSign, Inc.,
  CN = VeriSign Client ECA OCSP Responder
 Produced At: Aug 23 17:10:46 2005 GMT
 Responses:
 Certificate ID:
   Hash Algorithm: sha1
   Issuer Name Hash:
  75EB8BF61A586BADD9044359324DAC621F5B59C8
   Issuer Key Hash:
  0DC0D83DBFFB6593C8376626E28A125FBBC280F5
   Serial Number:
 1B148220FC005FD035E866279AE682BE
 Cert Status: good
 This Update: Aug 23 17:10:46 2005 GMT
 Next Update: Aug 30 17:10:46 2005 GMT
  
  Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
  
  0f:74:76:24:82:2a:30:ad:35:fc:45:8b:13:36:4b:0b
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=US, O=U.S. Government, OU=ECA,
  OU=Certification Authorities, C
  N=VeriSign Client External Certification Authority
 Validity
 Not Before: Aug 16 00:00:00 2005 GMT
 Not After : Sep 15 23:59:59 2005 GMT
 Subject: C=US, O=U.S. Government, OU=ECA,
  OU=VeriSign, Inc., CN=VeriSign
   Client ECA OCSP Responder
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
  
  00:ce:b3:b0:95:33:73:1f:2a:f5:a7:63:6b:2f:5d:
  
  04:66:13:df:35:b9:60:9a:92:a8:16:53:99:bd:70:
  
  a5:9c:34:3f:f4:91:05:a1:15:28:51:38:1c:d3:d5:
  
  cc:d5:82:fb:43:74:7f:84:6e:41:77:39:a6:be:46:
  
  d5:fb:ef:91:10:6b:ab:b9:20:0d:dd:0a:bd:5a:f9:
  
  e4:2b:e2:43:4f:c9:30:00:89:c7:cf:80:a9:76:93:
  
  03:08:03:12:70:a5:76:86:c1:1d:3d:60:12:f5:2f:
  
  de:9c:9d:a3:2b:ad:22:51:1f:b9:5c:7a:fd:8d:a6:
 c4:b3:1a:50:69:8c:dc:26:93
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 Authority Information Access:
 CA Issuers -
  URI:https://eca.verisign.com/CA/VeriSignECA.cer
  
 X509v3 Certificate Policies:
 Policy: 2.16.840.1.101.3.2.1.12.2
   CPS:
  https://www.verisign.com/repository/eca/cps
  
 X509v3 Extended Key Usage: critical
 OCSP Signing
 X509v3 Key Usage: critical
 Digital Signature, Non Repudiation
 OCSP No Check:
  
 X509v3 Subject Alternative Name:
 DirName:/CN=OCSP2-TGV-1-141
 X509v3 Subject Key

please help me on OCSP

2005-08-17 Thread varma d

Hi,Today i was very much excited to see this mailing
list on openSSL. I searched several messages and its great to see that
people here are helping others.I need your help.I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl,I have couple of questions.
1) I used the following command to send OCSP request and get response from OCSP responder.openSSLocsp -url http://ocsp.openvalidation.org
 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

When i am executing this command , i am getting response from OCSP responder stating that certificate status is good.

(i have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm)
)But,
In this command what is the purpose of OCSPServer.pem, i still
dont understand the purpose of OCSPServer.pem as we need to just send
our request and expect a response from OCSP responder irrespective of
OCSPServer.pem file.If i give my URL as http://ocsp.verisign.com, how can i get verisign's OCSPServer.pem. Also how can i getlatest OCSPServer.pem file for the given URL.
2)I tested by giving latest user certificates other than openvalidation.org certificates, but i am getting this erroruser.pem:WARNING: Status times invalid.3220:error:2707307D:OCSP
routines:OCSP_check_validity:statusexpired:.\crypto\ocsp\ocsp_cl.c:357:unknownThis Update: Oct 24 06:00:11 2004 GMTNext Update: Oct 25 06:00:11 2004 GMTFor this do i need to update my OCSPServer.pem
 fileThank you for your time and considerationI would be grateful to you if you would help me out as i am spending a lot of time on understanding this.

Please help me out.

Thanks,
vv

Re: please help me on OCSP

2005-08-17 Thread Dr. Stephen Henson

On Tue, Aug 16, 2005, varma d wrote:

 
 But, In this command what is the purpose of OCSPServer.pem, i still dont 
 understand the purpose of OCSPServer.pem as we need to just send our request 
 and expect a response from OCSP responder irrespective of OCSPServer.pemfile.
 

This is an issue of how you trust the reponse from the OCSP responder. There
are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In case #1 and #2 the trust can be determined automatically from the
certificate being validated.

In case #3 the relevant key needs to be determined by some other means.

So its a case of how the responder is configured. In some cases the responder
is misconfigured and you have to use option #3.

 2)I tested by giving latest user certificates other than
 openvalidation.orghttp://openvalidation.orgcertificates, but i am
 getting this error
 
 user.pem:WARNING: Status times invalid.
 3220:error:2707307D:OCSP
 routines:OCSP_check_validity:status
 expired:.\crypto\ocsp\ocsp_cl.c:357:
 unknown
 This Update: Oct 24 06:00:11 2004 GMT
 Next Update: Oct 25 06:00:11 2004 GMT
 

The responder is saying that its response is valid between those dates: so it
is sending out of date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Linking errors while compilation. Please Help

2005-07-21 Thread Sitaram


Hi

I am facing a problem in compiling the openssl -0.9.7g version. I am using PERL to compile this. The following are the steps I am following in the compilation:

1) Type perl Configure no-idea no-mdc2 no-rc5 no-rc2 no-rc4 VC-WIN32
2) Type ms\do_nasm
3) Type "nmake -f ms\ntdll.mak"

The errors occuring are as follows:

link /nologo /subsystem:console /machine:I386 /opt:ref /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\LMAHES~1\LOCALS~1\Temp\nm2144.tmpms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignoredLIBEAY32.def : error LNK2001: unresolved external symbol d2i_Netscape_RSALIBEAY32.def : error LNK2001: unresolved external symbol d2i_RSA_NETLIBEAY32.def : error LNK2001: unresolved external symbol i2d_Netscape_RSALIBEAY32.def : error LNK2001: unresolved external symbol i2d_RSA_NETout32dll\libeay32.lib : fatal error LNK1120: 4 unresolved externalsLINK : fatal error LNK1141: failure during build of exports
 fileNMAKE : fatal error U1077: 'link' : return code '0x475'Stop.

It is really very urgent. Can anyone help me why this is occuring or how to get rid of these errors.

Thank you in advance for the help.

Regards,
SeetharamSitaram,MTS Lead,Sharp Software Development India,Unit 5, Level 3,Innovator, ITPL,Bangalore.Telephone:Res# 25525196Mob# 94488 53090
		Do you Yahoo!? 
Yahoo! Mail - You care about security. So do we.

Please help. X509 v3 java ca cert extensions?

2005-07-17 Thread David Templar


Hi,

How do I create a x509 v3 ca cert that has the standard ANY permission? 
The openssl.cnf will create a cert that works with a computer but not a 
phone.


I need to create a ca cert that will validate a java midlet for a phone.

I have sorted out many of the issues with installing the cert to the 
phone etc, but the certs I create do not validate a java midlet I 
get an authentication error.


Please help!

David
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

openssl.cnf, please help: What is the difference between these 2 certificates?

2005-07-13 Thread David Templar


Hi,

I have attached 2 certificates (I have changed the extension to .txt as 
the openssl forum does not accept .cer). The microsoft.txt is exported 
from the browser and the david.txt is created by openssl and also 
exported from the browser (IE).


The microsoft cert I can install on my motorola phone, but the openssl 
cert can be installed (it is not fully recognized though).


How do I configure openssl to create a root certificate exactly like the 
microsoft one (except for the key etc...)?


Thanks.

David
00ú ÁÑ[EMAIL PROTECTED]
   *H÷
0p1+0)UCopyright (c) 1997 Microsoft Corp.10UMicrosoft 
Corporation1!0UMicrosoft Root Authority0
97011007Z
20123107Z0p1+0)UCopyright (c) 1997 Microsoft 
Corp.10UMicrosoft Corporation1!0UMicrosoft Root Authority00
   *H÷
0
©½Ápæ;òN(x^0ê¢©%_øþL£·þ¢ 
|Q¢¢`2kÑBdyî¬vÉTÚòëf³Åkzb#ÖÞèÄ¿-fhÐ:,¿µXÁFç
8,©(9¨ìIBã»lUa¬|¡`-wLé´d;P1$©ç+æ=c`Xe7R÷§ïÆÓ¿UE³¿:ìTN®ý§zmtN¯Ì
 (!W`i7»KVÿ[û¤f
¦ÒVWï¶;^wÚö¾®þ°ÍÖ§r\Ê¼ð£0³É³ 
wß£¨0¥0¢U0[Ðpïir#Q~²MÿË¡r0p1+0)UCopyright (c) 
1997 Microsoft Corp.10UMicrosoft Corporation1!0UMicrosoft Root 
AuthorityÁÑ[EMAIL PROTECTED]
   *H÷
èÀó5í¸$Øwó\`2ËÉ:æ!òðW,µ GÈbïü×Ì;;Z©6Tiþ$m?ÉÌªÞ|Ý1=pj»þOiÀüÐCãZ
 Oêb{¯ªÈ+7%-¾e¡%c£÷Tù!ÉÖóR¬nC2ýøågl
Qö½ñRÇ½çÄ0ü 1   
)MÕ¥ñà´[ô±ÝÈWîeIÇRT¶´(ÿÖð~¸Å«7,äzä¨wãv Ðj?ÁÒ6àA¨5jjÛ5áÔä¨EÈZ38nM
b·
¢ÓÕT?FÍU¦pÛ:u§Ò 0×0¿   §qPR0
   *H÷
0P10U
David Templar10UCopyright 200710UDavid Root Authority0
050713154124Z
050812154124Z0P10U
David Templar10UCopyright 200710UDavid Root Authority00
   *H÷
0
ïôû|ï$ñ 
;Çö«º®îæN×fátïË²¹z_   Fåá´Êþ\Øÿ 
»ðÇ3õÊzå»:(cdð^#G£8ÎìÆ´´6uwE®o§9%¢¤
'£J¢òð[x_ïÂ«iéBÀ¬øÄÅ!õðßÅ(ÄÇ¡Í¨-¼®(ÕÑçËnKwa+Ø 
Zù5VXK¾v½jºË¢PB!!ãúx3÷¹¥vW[44mM}Ae÷%ûjÛËç©¤y(
·eIOÜ! +  XÆgJ®yJð[Údò+£³0°0U£ 
ÛâP3h¾;Ðs$0U#y0w£ ÛâP3h¾;Ðs$¡T¤R0P10U
David Templar10UCopyright 200710UDavid Root Authority  
§qPR0U0ÿ0
   *H÷
ª-nÿý_O¥íãz¶ºÅfÖUø¢dP
óq!TçÂÌ.HCãëÂüþ¹S¢X[phQáþóUP]Nd¬YWÂew^ïÑß+½ùº/Vnïtå%ÀäË1çw÷¾ïhvn»ôÎõßÖÓEçìKF.Ô9ÀÝÔ.xØEò6úÖ¶ðÅçÂàíÅp¶í÷v9çÞ·.nËówö4¼Sð¤ºÜ
Á¤ùIXÀ¸B{d¿ËËúg
ÇÃ2}~Õv?° y×Ëaáý°èbñ]
T7AKè°e4'çö

3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread David Templar


Hi all,

I am really stuck and have tried all I can - I really need your help to 
generate a software publishing certificate and its root cert to install 
on motorola phones.


I am enclosing a copy of an already existing cert on the phone. It 
appears to be a V4 x509 cert - I could be wrong though. The phone does 
not seem to accept any certificates I have currently generated. Someone 
said to delete the first 2 octets, using that I can read the file now, 
but how do I generate a certificate like it?? The certificate is called 
motman.crt, but I have attached it as motman.txt as the openssly posting 
does not allow .crt extensions.


The certificate I have enclosed is new to me, and myself as well as 
others are having a problem working out what it is...


Please tell me how to create my own certificates like it either using 
openssl or any other tool.


Your help is really needed and appreciated - even if you cannot help, 
please tell me where I can get some help...


Thanks in advance,

David
0©0 0
   *H÷
0y10  UUS10UIllinois10ULibertyville10U
Motorola Inc10
UPCS10UMotorola Java CA400
03082107Z
18082107Z010  UUS10UIllinois10U
Libertyville10U
Motorola Inc10
UPCS1!0UManufacturer Domain 40-100
   *H÷
0
©ºAJÇòÑ,øæ=2 Ñ½v¨#pË¿T9×(Ø[EMAIL 
PROTECTED](ãL¥_ì?á7=CÏ:¶Ø¦åvñ¨wì!¯`
[EMAIL PROTECTED];µ46wëÈªq³ r[êe¡Þ± 
/¬qyâÿEýBo«ògçùsÍº§o]iïÏÐ8O¤aÁâZ×Má¡ùÅT\Gbä.úCÀ×»~fÃqÚÛDL!¢SìsQÒuÉEãÏï7fÃ»OµËb8á£6040Uÿ0
  `HøB0Uÿ0ÿ0
   *H÷
)f`pÖÁ1Xþ°nÂÿÛöå¨P
171#¸æß?éÃÕìÕ+ÉÇÙ :Ðfg¿h´ÙÛAP²¸§¼ýzQmQ
båÆpA¯#o»Sþã»Ïø¶fôêïí®iqKlò«½¨*5,vÝhqBß¿,ºmÓU~fupþÏ0G¹ÀåJ4à,æ/Îòú
 ¤è»~1½TÏ§þÇQÜ,°mõ÷Z°)ú¡®9¢³Hµ®_ÎL9¯kãna¹W½ÚêGÛÙ²»è
0¥K0ûñyl:¿Ã_¿b0

Re: 3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread Pablo J Royo

I suppose this is not the right forum to ask for Smartphone issues.

Anyway, here:

http://www.jacco2.dds.nl/networking/crtimprt.html

may be you could find a way to do what you need , a little idea or maybe
something more.
He explains how to import a *personal* certificate and a CA certificate on a
PocketPC, running Windows Mobile 2003.
I have tryed the same on a Windows 2002 Smartphone and it doesn't work, but
I think it could work on windows Mobile 2003, becuse it worked in my
PocketPC PDA.
You could also try to use a little CryptoAPI program for that. Again ,I
suspect this is not the right forum  ;-).

Hope this helps

- Original Message -
From: David Templar [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, July 12, 2005 5:49 PM
Subject: 3rd time request... PLEASE help! Phone cert creation


 Hi all,

 I am really stuck and have tried all I can - I really need your help to
 generate a software publishing certificate and its root cert to install
 on motorola phones.

 I am enclosing a copy of an already existing cert on the phone. It
 appears to be a V4 x509 cert - I could be wrong though. The phone does
 not seem to accept any certificates I have currently generated. Someone
 said to delete the first 2 octets, using that I can read the file now,
 but how do I generate a certificate like it?? The certificate is called
 motman.crt, but I have attached it as motman.txt as the openssly posting
 does not allow .crt extensions.

 The certificate I have enclosed is new to me, and myself as well as
 others are having a problem working out what it is...

 Please tell me how to create my own certificates like it either using
 openssl or any other tool.

 Your help is really needed and appreciated - even if you cannot help,
 please tell me where I can get some help...

 Thanks in advance,

 David







 0,©0,' 0 *?H?÷0y1 0 UUS10UIllinois10U
Libertyville10U
  Motorola Inc1 0
 U PCS10UMotorola Java CA40003082107Z18082107Z01 0
UUS10UIllinois10U Libertyville10U
  Motorola Inc1 0
 U PCS1!0UManufacturer Domain 40-10,0 *?H?÷,0,
 ,©ºAJ^ÇòÑ-,øæ=2
Ñ½v¨#pË¿T9×~.(Ø[EMAIL 
PROTECTED](ãL¥_,ì?á7?=CÏ:¶Ø¦åvñ¨s?wì!¯`2ÂT©
õË¹yøíSÞä%ôB [EMAIL PROTECTED]r';µ46wëÈªq?³S
r[êe¡Þ± /¬qyâÿEýBo«ò?gçùsÍº§.of]iïÏÐ8O¤a,ÁâZ×ZMá¡YùÅTs\G 
1~71#¸æß?.éÃÕìÕ'+ÉÇ .Ù-s :Ðfg¿h´ÙÛAP-²¸§¼fýzQmQ
båÆpA¯?#o»Sþã»Ïø¶fôêïfí®iqKlò«½¨*O5,vÝhq?BZß¿O,ºmÓU~?fupþÏ0G¹-Àf
åJ4à,æ/Îòú ¤è»f~1½TÏ§þÇQÜ,°m?õ÷Z?°)ú ¡®9¢³Hµ®_ÎL9¯kãna¹W½ÚêGÛ Ù²»è
0¥K0ûñyl:¿Ã-_¿b0

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: 3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread David Templar





Thanks, it does help a bit... could you tell me about the cryptoapi
program?

But I will say that it is not a smartphone. It uses standard motorola
software and its jce package All I really need to do is convert my
standard certs to the motman.crt file I had attached. I have tried
everything else - including using the windows sdk to create
certificates. Importing certificates on motorola can only be done by
manually placing the certificate in the x509 directory - hence the need
to be able to generate a certificate that complies with the format.

The reason why I am posting here is because openssl (I have been using
for many years) comes with cert creation abilities - it has helped me
for many years with PC java!

Also, I was hoping I would be able to ask many crypto experts on the
forum!

RGDS

David
Pablo J Royo wrote:

  I suppose this is not the right forum to ask for Smartphone issues.

Anyway, here:

http://www.jacco2.dds.nl/networking/crtimprt.html

may be you could find a way to do what you need , a little idea or maybe
something more.
He explains how to import a *personal* certificate and a CA certificate on a
PocketPC, running Windows Mobile 2003.
I have tryed the same on a Windows 2002 Smartphone and it doesn't work, but
I think it could work on windows Mobile 2003, becuse it worked in my
PocketPC PDA.
You could also try to use a little CryptoAPI program for that. Again ,I
suspect this is not the right forum  ;-).

Hope this helps

- Original Message -
From: "David Templar" [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, July 12, 2005 5:49 PM
Subject: 3rd time request... PLEASE help! Phone cert creation


  
  
Hi all,

I am really stuck and have tried all I can - I really need your help to
generate a software publishing certificate and its root cert to install
on motorola phones.

I am enclosing a copy of an already existing cert on the phone. It
appears to be a V4 x509 cert - I could be wrong though. The phone does
not seem to accept any certificates I have currently generated. Someone
said to delete the first 2 octets, using that I can read the file now,
but how do I generate a certificate like it?? The certificate is called
motman.crt, but I have attached it as motman.txt as the openssly posting
does not allow .crt extensions.

The certificate I have enclosed is new to me, and myself as well as
others are having a problem working out what it is...

Please tell me how to create my own certificates like it either using
openssl or any other tool.

Your help is really needed and appreciated - even if you cannot help,
please tell me where I can get some help...

Thanks in advance,

David


  
  





  
  
0,0,' 0 *?H?0y1 0 UUS10UIllinois10U

  
  Libertyville10U
  
  
 Motorola Inc1 0
U PCS10UMotorola Java CA40003082107Z18082107Z01 0

  
  UUS10UIllinois10U Libertyville10U
  
  
 Motorola Inc1 0
U PCS1!0UManufacturer Domain 40-10,"0 *?H?,0,
,AJ^-,=2

  
  v#p"T9"~.("7Ok@a(L_,?"7?=C:vs?w!`2T
yS%B @cr';46wq?S
r[e /qyEBo"?gs.of]i8Oa,ZZMYTs\G 
1~71#?.'+ .-s :fghAP-"fzQmQ
bpA"?#oSffiqKl*O5,vhq?BZO,mU~?fup0G-f
J4,/ f~1TQ,m?Z?) 9H_L9knaWG 
0K0yl:-_b0

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: 3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread Daniel Diaz Sanchez










Hi,



CryptoAPI
is the security API of Microsoft. If you are using a Pocket PC or SmartPhone
you can use a subset of functions of that API (that is completely supported on
NT). You can have a look to openssl-dev and will find a message from me giving
support to build OpenSSL for Pocket PC or Windows Mobile 2003 with full access
to the openssl.exe application by using a console on the device (a little difficult
to use with the Soft Input Panel but ok to have openssl everywhere).



For
your concrete problem may you can ask in a Motorola forum or to anybody who
knows flex operating system (the one from Motorola).



Daniel
Díaz 



[EMAIL PROTECTED]











De: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] En
nombre de David Templar
Enviado el: martes, 12 de julio de
2005 20:01
Para: openssl-users@openssl.org
Asunto: Re: 3rd time request...
PLEASE help! Phone cert creation





Thanks, it does
help a bit... could you tell me about the cryptoapi program?

But I will say that it is not a smartphone. It uses standard motorola
software and its jce package All I really need to do is convert my standard
certs to the motman.crt file I had attached. I have tried everything else -
including using the windows sdk to create certificates. Importing certificates
on motorola can only be done by manually placing the certificate in the x509
directory - hence the need to be able to generate a certificate that complies
with the format.

The reason why I am posting here is because openssl (I have been using for many
years) comes with cert creation abilities - it has helped me for many years
with PC java!

Also, I was hoping I would be able to ask many crypto experts on the forum!

RGDS

David
Pablo J Royo wrote: 

I suppose this is not the right forum to ask for Smartphone issues.Anyway, here:http://www.jacco2.dds.nl/networking/crtimprt.htmlmay be you could find a way to do what you need , a little idea or maybesomething more.He explains how to import a *personal* certificate and a CA certificate on aPocketPC, running Windows Mobile 2003.I have tryed the same on a Windows 2002 Smartphone and it doesn't work, butI think it could work on windows Mobile 2003, becuse it worked in myPocketPC PDA.You could also try to use a little CryptoAPI program for that. Again ,Isuspect this is not the right forum  ;-).Hope this helps- Original Message -From: David Templar [EMAIL PROTECTED]To: openssl-users@openssl.orgSent: Tuesday, July 12, 2005 5:49 PMSubject: 3rd time request... PLEASE help! Phone cert creation  

Hi all,I am really stuck and have tried all I can - I really need your help togenerate a software publishing certificate and its root cert to installon motorola phones.I am enclosing a copy of an already existing cert on the phone. Itappears to be a V4 x509 cert - I could be wrong though. The phone doesnot seem to accept any certificates I have currently generated. Someonesaid to delete the first 2 octets, using that I can read the file now,but how do I generate a certificate like it?? The certificate is calledmotman.crt, but I have attached it as motman.txt as the openssly postingdoes not allow .crt extensions.The certificate I have enclosed is new to me, and myself as well asothers are having a problem working out what it is...Please tell me how to create my own certificates like it either usingopenssl or any other tool.Your help is really needed and appreciated - even if you cannot help,please tell me where I can get some help...Thanks in advance,David    

  





0,



©0,[1]' 



[1][1][1]0 *?H?÷0y1 0 



U



[1]US10



U



Illinois10



U



    

Libertyville10



U



  

 Motorola Inc1 0



U



 



PCS10



U







Motorola Java CA400‑03082107Z18082107Z01 0    





U



[1]US10



U



Illinois10



U



 Libertyville10



U



  

 Motorola Inc1 0



U



 



PCS1!0



U







Manufacturer Domain 40-10,0 *?H?÷



,0,[1],©ºAJ^ÇòÑ-,øæ=2    

Ñ½v¨#pË



¿T9×~.(Ø[EMAIL PROTECTED](ãL¥_,ì?á7?=CÏ:¶Ø¦åvñ¨s?wì!¯`[1]2ÂT©õË¹yøíSÞä%ôB [EMAIL PROTECTED]r';µ46wëÈªq?³Sr[êe¡Þ± /¬qyâÿEýBo‑«ò?gçùsÍº§.of]iïÏÐ8O¤a,ÁâZ×ZMá¡[1]YùÅTs\G 1~71#¸æß?.éÃÕìÕ'+



ÉÇ .Ù-s :Ðfg¿h´ÙÛAP-²¸§¼fýzQmQbåÆpA¯?#o»Sþã»Ïø¶fôêïfí®iqKlò«½¨*O
5,vÝhq?BZß¿O,ºmÓU~?fupþÏ0G¹-ÀfåJ4à,æ/[1]Îòú ¤è»f~1½TÏ§þÇQÜ,°m?õ÷Z?°)ú ¡®9¢³Hµ®_ÎL9¯kãna¹W½ÚêGÛ Ù²»è0¥K0ûñyl:¿Ã-_¿b0__OpenSSL Project     http://www.openssl.orgUser Support Mailing List    openssl-users@openssl.orgAutomated List Manager   [EMAIL PROTECTED]

Re: 3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread David Templar





Thankyou for the reply. I have tried the microsoft sdk and the matter
is not resolved. Motorola will not help with certificates, they want
you to send them your code and they will sign it if the like it - after
6-8 weeks of an application process! The only hope I have is to create
my own certificates of the format of the motman.crt that I had attached
with the original post.

So far what I know about the cert:

1. the first 2 octets are used to say how many certs in the chain.
2. that it can be read using asn1 readers.
3. that it may use a 128  140 bit key and signature

Daniel Diaz Sanchez wrote:

  
  
  
  
  
  

  
  
  Hi,
   
  CryptoAPI
is the security API of Microsoft. If you are using a Pocket PC or
SmartPhone
you can use a subset of functions of that API (that is completely
supported on
NT). You can have a look to openssl-dev and will find a message from me
giving
support to build OpenSSL for Pocket PC or Windows Mobile 2003 with full
access
to the openssl.exe application by using a console on the device (a
little difficult
to use with the Soft Input Panel but ok to have openssl everywhere).
   
  For
your concrete problem may you can ask in a Motorola forum or to anybody
who
knows flex operating system (the one from Motorola).
   
  Daniel
Díaz 
   
  [EMAIL PROTECTED]
   
  
  
  
  De:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] En
nombre de David Templar
  Enviado el: martes, 12
de julio de
2005 20:01
  Para:
openssl-users@openssl.org
  Asunto: Re: 3rd time
request...
PLEASE help! Phone cert creation
  
   
  Thanks, it does
help a bit... could you tell me about the cryptoapi program?
  
  But I will say that it is not a smartphone. It uses standard
motorola
software and its jce package All I really need to do is convert my
standard
certs to the motman.crt file I had attached. I have tried everything
else -
including using the windows sdk to create certificates. Importing
certificates
on motorola can only be done by manually placing the certificate in the
x509
directory - hence the need to be able to generate a certificate that
complies
with the format.
  
The reason why I am posting here is because openssl (I have been using
for many
years) comes with cert creation abilities - it has helped me for many
years
with PC java!
  
Also, I was hoping I would be able to ask many crypto experts on the
forum!
  
RGDS
  
David
Pablo J Royo wrote: 
  I suppose this is not the right forum to ask for Smartphone issues.
   
  Anyway, here:
   
  http://www.jacco2.dds.nl/networking/crtimprt.html
   
  may be you could find a way to do what you need , a little idea or maybe
  something more.
  He explains how to import a *personal* certificate and a CA certificate on a
  PocketPC, running Windows Mobile 2003.
  I have tryed the same on a Windows 2002 Smartphone and it doesn't work, but
  I think it could work on windows Mobile 2003, becuse it worked in my
  PocketPC PDA.
  You could also try to use a little CryptoAPI program for that. Again ,I
  suspect this is not the right forum  ;-).
   
  Hope this helps
   
  - Original Message -
  From: "David Templar" [EMAIL PROTECTED]
  To: openssl-users@openssl.org
  Sent: Tuesday, July 12, 2005 5:49 PM
  Subject: 3rd time request... PLEASE help! Phone cert creation
   
   
    
  
Hi all,
 
I am really stuck and have tried all I can - I really need your help to
generate a software publishing certificate and its root cert to install
on motorola phones.
 
I am enclosing a copy of an already existing cert on the phone. It
appears to be a V4 x509 cert - I could be wrong though. The phone does
not seem to accept any certificates I have currently generated. Someone
said to delete the first 2 octets, using that I can read the file now,
but how do I generate a certificate like it?? The certificate is called
motman.crt, but I have attached it as motman.txt as the openssly posting
does not allow .crt extensions.
 
The certificate I have enclosed is new to me, and myself as well as
others are having a problem working out what it is...
 
Please tell me how to create my own certificates like it either using
openssl or any other tool.
 
Your help is really needed and appreciated - even if you cannot help,
please tell me where I can get some help...
 
Thanks in advance,
 
David
 
    
  
   
   
  
  
   
   
    
  




0,



©0,[1]' 



[1][1][1]0 *?H?÷0y1 0 



U



[1]US10



U



Illinois10



U




    
  
  Libertyville10



U




    
  
 Motorola Inc1 0




U



 



PCS10



U







Motorola Java CA400‑03082107Z18082107Z01 0
    
  
  



U



[1]US10



U



Illinois10



U



 Libertyville10



U




    
  
 Motorola Inc1 0




U



 



PCS1!0



U







Manufactu

Re: 3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread Dr. Stephen Henson

On Tue, Jul 12, 2005, David Templar wrote:

 Hi all,
 
 I am really stuck and have tried all I can - I really need your help to 
 generate a software publishing certificate and its root cert to install 
 on motorola phones.
 
 I am enclosing a copy of an already existing cert on the phone. It 
 appears to be a V4 x509 cert - I could be wrong though. The phone does 
 not seem to accept any certificates I have currently generated. Someone 
 said to delete the first 2 octets, using that I can read the file now, 
 but how do I generate a certificate like it?? The certificate is called 
 motman.crt, but I have attached it as motman.txt as the openssly posting 
 does not allow .crt extensions.
 

Its V3 X509 with two additional bytes prepended. IF you want to generate it
just take a DER format file and prepend the same bytes.

However there may not be a solution to your problem. I know of a couple of
phones that deliberately have no way to add new CA certificates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: 3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread David Templar

Thanks, I will try this within the next hour to see what happens. Is 
there a key size or any other issues that I need to consider when I 
generate a new cert now?


Dr. Stephen Henson wrote:


On Tue, Jul 12, 2005, David Templar wrote:

 


Hi all,

I am really stuck and have tried all I can - I really need your help to 
generate a software publishing certificate and its root cert to install 
on motorola phones.


I am enclosing a copy of an already existing cert on the phone. It 
appears to be a V4 x509 cert - I could be wrong though. The phone does 
not seem to accept any certificates I have currently generated. Someone 
said to delete the first 2 octets, using that I can read the file now, 
but how do I generate a certificate like it?? The certificate is called 
motman.crt, but I have attached it as motman.txt as the openssly posting 
does not allow .crt extensions.


   



Its V3 X509 with two additional bytes prepended. IF you want to generate it
just take a DER format file and prepend the same bytes.

However there may not be a solution to your problem. I know of a couple of
phones that deliberately have no way to add new CA certificates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

 



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Dr Henson is a superstar!!! 3rd time request... PLEASE help! Phone cert creation

2005-07-12 Thread David Templar

I tried what you said, and for the first time the phone accepts
something! Only thing is that it gives me 2 messages when I check the
status of the certificate:

1. no name for it
2. expired. The phone says the expiry date is wed 0/0/00.

Instead of generating a new certificate, I used one I generated a week a
ago. It has been some time since I last used openssl and maybe the
version I have is old or I incorrectly generated the certificate. Did I
do something wrong?

I have atached a copy of the certificate I uploaded to the phone - maybe
you can kindly tell me where I have gone wrong. I have changed the
extension of the attached cert to .txt as the openssl forum does not
accept .crt.

Thanks for your great tip! I am now 90% there!

RGDS,
David

Dr. Stephen Henson wrote:

On Tue, Jul 12, 2005, David Templar wrote:

Hi all,

I am really stuck and have tried all I can - I really need your help to
generate a software publishing certificate and its root cert to install
on motorola phones.

I am enclosing a copy of an already existing cert on the phone. It
appears to be a V4 x509 cert - I could be wrong though. The phone does
not seem to accept any certificates I have currently generated. Someone
said to delete the first 2 octets, using that I can read the file now,
but how do I generate a certificate like it?? The certificate is called
motman.crt, but I have attached it as motman.txt as the openssly posting
does not allow .crt extensions.

Its V3 X509 with two additional bytes prepended. IF you want to generate it
just take a DER format file and prepend the same bytes.

However there may not be a solution to your problem. I know of a couple of
phones that deliberately have no way to add new CA certificates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

0{0ä 0
*H÷
010 UGB10
ULondon10U
UK Times Online10
UEditor10
UEditor1)0' *H÷
[EMAIL PROTECTED]
050710153114Z
080429153114Z010 UGB10
ULondon10U
UK Times Online10
UEditor10
UEditor1)0' *H÷
[EMAIL PROTECTED]
*H÷
0åÛ¡ðI,ZWí Üï qÏ½¯O^ié]BÃÚÄpôoþ ì×÷öÃÁB
Þ¡ìÀM¥zvq]®Bþ|.Ð3µLÄ*Ù±
²ND§ËR¦K¼N¨t+¦¨¨t0_kqâáBã¤Ò©.NÐíQ£ø0õ0U»òu®¹¸ÜmÈØÔ2ce0²U#ª0§»òu®¹¸ÜmÈØÔ2ce¡¤01
0 UGB10
ULondon10U
UK Times Online10
UEditor10
UEditor1)0' *H÷
[EMAIL PROTECTED]U0ÿ0 `HøB0
*H÷
qèí²*âù¦$.n6²bÈ£û`hE)òtEàÜü§ºD»~s]
N6²ká=²ô°AÛv¼½[Eù,{`;¸Ðáà1òÕýÚF¢[ ¦Ìi®²ª
ð;¶»R²£4=zXà¹ñ]öhé«El

Re: Please, help - compilation or configuration issue

2005-05-18 Thread Sebastian

Hi,
did you link against the openssl-libs (eg. crypto / sll)? Did you use an (ANSI-) 
c compiler or a c++ compiler?

Try
cc(?) prueba.c -I/usr/local/ssl/include -L/path/to/openssl/libs -lcrypto -lssl
Good luck,
Sebastian
Silvia Gisela Pavon Velasco wrote:

I have sent this before and got no answers, It may look simple, but It's
not. Please give me some ideas, or at least if there's someone who has
installed on HP-UX 11.0 with no problems, tellme what C compiler do you
have or if you did something more besides de quick installation
instructions.
-
I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system.
I've tried to installit and I can't get OpenSSL to work there.
I have:
- HP-UX 11.0 operating system
- Perl 5.8.5
- HP C/ANSI C Developer's Bundle for Hp-ux (S800) wich includes HP C/ANSI C
Compiler
I'm trying to install the file openssl-0.9.7g.tar.gz following the quick
installation instructions and everything goes ok, the log's doesn't show
any errors at all (I have log files in case someone wants to take a look at
them) and the command line tool works just fine just adding the correct
path to my PATH variable.
The problem is when I try to use the libraries in a C program. I try to run
a simple example code I got from the OpenSSL homepage and I got an error
saying that
It can't find the openssl/.h included file:
cc prueba.c
cpp: prueba.c, line 2: error 4036: Can't open include file
'openssl/evp.h'.
Even IF I compile with the -I option It doesn't find the functions:
cc prueba.c -I/usr/local/ssl/include
cc: prueba.c, line 32: warning 604: Pointers are not
assignment-compatible.
cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
/usr/ccs/bin/ld: Unsatisfied symbols:
   EVP_get_digestbyname (first referenced in prueba.o) (code)
   EVP_DigestInit_ex (first referenced in prueba.o) (code)
   OpenSSL_add_all_digests (first referenced in prueba.o) (code)
   EVP_DigestFinal_ex (first referenced in prueba.o) (code)
  EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
   EVP_MD_CTX_init (first referenced in prueba.o) (code)
   EVP_DigestUpdate (first referenced in prueba.o) (code)
I have tried everything I know to find the libraries, from specifying in my
PATH variable the path of the installation; and even to copy the
/usr/local/ssl/include/openssl directory to the /opt/CC/include/CC dirctory
and still can't get it to work.
I have the feeling that I'm missing some configuration specific from my
operating system, that's why I'm asking for your help, cause I've really
have tried to make it work first (I have reinstalled twice openssl and the
C compiler).
At this point these are my env variables related to openssl:
OPENSSLDIR=/usr/local/ssl
PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
export PATH
SHLIB_PATH=/usr/local/ssl/lib   -- I added this
export SHLIB_PATH
-
Silvia Gisela
_
NOTA: La información de este correo es de propiedad exclusiva y
confidencial. Este mensaje es sólo para el destinatario señalado, si usted
no lo es, destrúyalo de inmediato. Ninguna información aquí contenida debe
ser entendida como dada o avalada por Alestra, sus subsidiarias o sus
empleados, salvo cuando ello expresamente se indique. Es responsabilidad de
quien recibe este correo de asegurarse que esté libre de virus, por lo
tanto ni Alestra, sus subsidiarias ni sus empleados aceptan responsabilidad
alguna.
NOTE:  The information in this email is proprietary and confidential. This
message is for the designated recipient only, if you are not the intended
recipient, you should destroy it immediately. Any information in this
message shall not be understood as given or endorsed by Alestra, its
subsidiaries or their employees, unless expressly so stated. It is the
responsibility of the recipient to ensure that this email is virus free,
therefore neither Alestra, its subsidiaries nor their employees accept any
responsibility.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[EMAIL PROTECTED]: Please help - OpenSSL failure on HP-UX]

2005-05-17 Thread Lutz Jaenicke

Forwarded to the openssl-users mailing list

Best regards,
Lutz
- Forwarded message from Davis, Scott A. (CRM/PRM) [EMAIL PROTECTED] 
-

X-Original-To: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Subject: Please help - OpenSSL failure on HP-UX
Date: Tue, 17 May 2005 12:52:54 -0700
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Please help - OpenSSL failure on HP-UX
Thread-Index: AcVbGgPkjUJYqIPPQyif46aNsDS5uw==
From: Davis, Scott A. (CRM/PRM) [EMAIL PROTECTED]
To: openssl-bugs@openssl.org
X-OriginalArrivalTime: 17 May 2005 19:52:55.0324 (UTC) 
FILETIME=[048835C0:01C55B1A]
X-Virus-Scanned: by amavisd 0.1
X-Virus-Scanned: by amavisd 0.1

Can someone out there help me?

I'm trying to run OpenSSL on HP-UX, and am running into an error:

# openssl s_client -connect ldap_server.hp.com:636 -showcerts
warning, not much extra random data, consider using the -rand
option
CONNECTED(0003)
write:errno=0

The version is 0.9.7e 25 Oct 2004. It was compiled on HP-UX 11.00 and
subsequently moved over to an HP-UX 11.11 box. I had previously tested
the same build on a different HP-UX 11.11 box and not seen any errors.

I have no idea what is causing this, and what is different between the
server where it is working and the one where it is not.

Is this a known problem, or can it be run in some sort of
debug/trace/log mode to give more useful info about what went wrong?
I've tried -debug, -verify 0, -reconnect, -pause, -msg, -nbio, -bugs,
-ssl3, -ssl2, -tls1, -no_ssl2, -no_ssl3, and -no_tls1, but all of them
give the same error message. 

Thanks,
Scott


- End forwarded message -

-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [EMAIL PROTECTED]: Please help - OpenSSL failure on HP-UX]

2005-05-17 Thread Lutz Jaenicke

 - Forwarded message from Davis, Scott A. (CRM/PRM) [EMAIL PROTECTED] 
 -
 
 Can someone out there help me?
 
 I'm trying to run OpenSSL on HP-UX, and am running into an error:
 
   # openssl s_client -connect ldap_server.hp.com:636 -showcerts
   warning, not much extra random data, consider using the -rand
 option
   CONNECTED(0003)
   write:errno=0
 
 The version is 0.9.7e 25 Oct 2004. It was compiled on HP-UX 11.00 and
 subsequently moved over to an HP-UX 11.11 box. I had previously tested
 the same build on a different HP-UX 11.11 box and not seen any errors.
 
 I have no idea what is causing this, and what is different between the
 server where it is working and the one where it is not.
 
 Is this a known problem, or can it be run in some sort of
 debug/trace/log mode to give more useful info about what went wrong?
 I've tried -debug, -verify 0, -reconnect, -pause, -msg, -nbio, -bugs,
 -ssl3, -ssl2, -tls1, -no_ssl2, -no_ssl3, and -no_tls1, but all of them
 give the same error message. 

Did you try a network sniffer? Which side is closing the connection?

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Please, help - compilation or configuration issue

2005-05-17 Thread Silvia Gisela Pavon Velasco





I have sent this before and got no answers, It may look simple, but It's
not. Please give me some ideas, or at least if there's someone who has
installed on HP-UX 11.0 with no problems, tellme what C compiler do you
have or if you did something more besides de quick installation
instructions.

-
I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system.
I've tried to installit and I can't get OpenSSL to work there.

I have:
- HP-UX 11.0 operating system
- Perl 5.8.5
- HP C/ANSI C Developer's Bundle for Hp-ux (S800) wich includes HP C/ANSI C
Compiler

I'm trying to install the file openssl-0.9.7g.tar.gz following the quick
installation instructions and everything goes ok, the log's doesn't show
any errors at all (I have log files in case someone wants to take a look at
them) and the command line tool works just fine just adding the correct
path to my PATH variable.

The problem is when I try to use the libraries in a C program. I try to run
a simple example code I got from the OpenSSL homepage and I got an error
saying that
It can't find the openssl/.h included file:
cc prueba.c
cpp: prueba.c, line 2: error 4036: Can't open include file
'openssl/evp.h'.

Even IF I compile with the -I option It doesn't find the functions:
cc prueba.c -I/usr/local/ssl/include
cc: prueba.c, line 32: warning 604: Pointers are not
assignment-compatible.
cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
/usr/ccs/bin/ld: Unsatisfied symbols:
   EVP_get_digestbyname (first referenced in prueba.o) (code)
   EVP_DigestInit_ex (first referenced in prueba.o) (code)
   OpenSSL_add_all_digests (first referenced in prueba.o) (code)
   EVP_DigestFinal_ex (first referenced in prueba.o) (code)
  EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
   EVP_MD_CTX_init (first referenced in prueba.o) (code)
   EVP_DigestUpdate (first referenced in prueba.o) (code)

I have tried everything I know to find the libraries, from specifying in my
PATH variable the path of the installation; and even to copy the
/usr/local/ssl/include/openssl directory to the /opt/CC/include/CC dirctory
and still can't get it to work.

I have the feeling that I'm missing some configuration specific from my
operating system, that's why I'm asking for your help, cause I've really
have tried to make it work first (I have reinstalled twice openssl and the
C compiler).

At this point these are my env variables related to openssl:
OPENSSLDIR=/usr/local/ssl
PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
export PATH
SHLIB_PATH=/usr/local/ssl/lib   -- I added this
export SHLIB_PATH

-
Silvia Gisela
_
NOTA: La información de este correo es de propiedad exclusiva y
confidencial. Este mensaje es sólo para el destinatario señalado, si usted
no lo es, destrúyalo de inmediato. Ninguna información aquí contenida debe
ser entendida como dada o avalada por Alestra, sus subsidiarias o sus
empleados, salvo cuando ello expresamente se indique. Es responsabilidad de
quien recibe este correo de asegurarse que esté libre de virus, por lo
tanto ni Alestra, sus subsidiarias ni sus empleados aceptan responsabilidad
alguna.
NOTE:  The information in this email is proprietary and confidential. This
message is for the designated recipient only, if you are not the intended
recipient, you should destroy it immediately. Any information in this
message shall not be understood as given or endorsed by Alestra, its
subsidiaries or their employees, unless expressly so stated. It is the
responsibility of the recipient to ensure that this email is virus free,
therefore neither Alestra, its subsidiaries nor their employees accept any
responsibility.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Please, help - compilation or configuration issue

2005-05-17 Thread Miles Bradford

I will reply for you...but, I have never setup anything as you asking.
I'm sorry.
I'm sure somewhere there is a forum that can address this issue.
Maybe this is not that forum.

miles

-Original Message-
From: Silvia Gisela Pavon Velasco [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 2:08 PM
To: openssl-users@openssl.org
Subject: Please, help - compilation or configuration issue






I have sent this before and got no answers, It may look simple, but It's
not. Please give me some ideas, or at least if there's someone who has
installed on HP-UX 11.0 with no problems, tellme what C compiler do you
have or if you did something more besides de quick installation
instructions.

-
I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system.
I've tried to installit and I can't get OpenSSL to work there.

I have:
- HP-UX 11.0 operating system
- Perl 5.8.5
- HP C/ANSI C Developer's Bundle for Hp-ux (S800) wich includes HP C/ANSI C
Compiler

I'm trying to install the file openssl-0.9.7g.tar.gz following the quick
installation instructions and everything goes ok, the log's doesn't show
any errors at all (I have log files in case someone wants to take a look at
them) and the command line tool works just fine just adding the correct
path to my PATH variable.

The problem is when I try to use the libraries in a C program. I try to run
a simple example code I got from the OpenSSL homepage and I got an error
saying that
It can't find the openssl/.h included file:
cc prueba.c
cpp: prueba.c, line 2: error 4036: Can't open include file
'openssl/evp.h'.

Even IF I compile with the -I option It doesn't find the functions:
cc prueba.c -I/usr/local/ssl/include
cc: prueba.c, line 32: warning 604: Pointers are not
assignment-compatible.
cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
/usr/ccs/bin/ld: Unsatisfied symbols:
   EVP_get_digestbyname (first referenced in prueba.o) (code)
   EVP_DigestInit_ex (first referenced in prueba.o) (code)
   OpenSSL_add_all_digests (first referenced in prueba.o) (code)
   EVP_DigestFinal_ex (first referenced in prueba.o) (code)
  EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
   EVP_MD_CTX_init (first referenced in prueba.o) (code)
   EVP_DigestUpdate (first referenced in prueba.o) (code)

I have tried everything I know to find the libraries, from specifying in my
PATH variable the path of the installation; and even to copy the
/usr/local/ssl/include/openssl directory to the /opt/CC/include/CC dirctory
and still can't get it to work.

I have the feeling that I'm missing some configuration specific from my
operating system, that's why I'm asking for your help, cause I've really
have tried to make it work first (I have reinstalled twice openssl and the
C compiler).

At this point these are my env variables related to openssl:
OPENSSLDIR=/usr/local/ssl
PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
export PATH
SHLIB_PATH=/usr/local/ssl/lib   -- I added this
export SHLIB_PATH

-
Silvia Gisela

_
NOTA: La información de este correo es de propiedad exclusiva y
confidencial. Este mensaje es sólo para el destinatario señalado, si usted
no lo es, destrúyalo de inmediato. Ninguna información aquí contenida debe
ser entendida como dada o avalada por Alestra, sus subsidiarias o sus
empleados, salvo cuando ello expresamente se indique. Es responsabilidad de
quien recibe este correo de asegurarse que esté libre de virus, por lo
tanto ni Alestra, sus subsidiarias ni sus empleados aceptan responsabilidad
alguna.
NOTE:  The information in this email is proprietary and confidential. This
message is for the designated recipient only, if you are not the intended
recipient, you should destroy it immediately. Any information in this
message shall not be understood as given or endorsed by Alestra, its
subsidiaries or their employees, unless expressly so stated. It is the
responsibility of the recipient to ensure that this email is virus free,
therefore neither Alestra, its subsidiaries nor their employees accept any
responsibility.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Please, help - compilation or configuration issue

2005-05-17 Thread Lance Nehring

It's been a few years since I've worked on HP-UX and I don't have access 
to a machine running that OS currently.
but here's what I remember. I hope it's accurate.   I've plucked 
a couple settings out of old Makefiles that I've saved - you'll have to 
see where to add the settings in your Makefiles.

1) You almost always need to add some standard defines to get the HP C 
compilers to include common things.  If you use Imake, you'll see it 
adding stuff like this.

CCOPTIONS = -Ae
STD_DEFINES = -Dhpux -DSYSV -D_HPUX_SOURCE
2) The compile-time linker doesn't automatically configure the 
executable stub to use the SHLIB_PATH environment variable.   (Gotta 
love that HP chose not to use LD_LIBRARY_PATH that just about everyone 
else uses and also deactivated it's use by default.)   So, I pass a 
flag to the linker.

SHLIBLDFLAGS = -b
HP also doesn't have ldd, but does have chatr  (maybe it's 
chattryou'll have to look).That utility can be used to inspect 
your executable stub to determine the shared library locationseither 
compiled in or dynamically located, and also whether the SHLIB_PATH is 
used by the run-time linker.Very nice things to know.

Best regards,
Lance
http://www.newparticles.com/
Silvia Gisela Pavon Velasco wrote:

I have sent this before and got no answers, It may look simple, but It's
not. Please give me some ideas, or at least if there's someone who has
installed on HP-UX 11.0 with no problems, tellme what C compiler do you
have or if you did something more besides de quick installation
instructions.
-
I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system.
I've tried to installit and I can't get OpenSSL to work there.
I have:
- HP-UX 11.0 operating system
- Perl 5.8.5
- HP C/ANSI C Developer's Bundle for Hp-ux (S800) wich includes HP C/ANSI C
Compiler
I'm trying to install the file openssl-0.9.7g.tar.gz following the quick
installation instructions and everything goes ok, the log's doesn't show
any errors at all (I have log files in case someone wants to take a look at
them) and the command line tool works just fine just adding the correct
path to my PATH variable.
The problem is when I try to use the libraries in a C program. I try to run
a simple example code I got from the OpenSSL homepage and I got an error
saying that
It can't find the openssl/.h included file:
 

cc prueba.c
   

cpp: prueba.c, line 2: error 4036: Can't open include file
'openssl/evp.h'.
Even IF I compile with the -I option It doesn't find the functions:
cc prueba.c -I/usr/local/ssl/include
cc: prueba.c, line 32: warning 604: Pointers are not
assignment-compatible.
cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
/usr/ccs/bin/ld: Unsatisfied symbols:
  EVP_get_digestbyname (first referenced in prueba.o) (code)
  EVP_DigestInit_ex (first referenced in prueba.o) (code)
  OpenSSL_add_all_digests (first referenced in prueba.o) (code)
  EVP_DigestFinal_ex (first referenced in prueba.o) (code)
 EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
  EVP_MD_CTX_init (first referenced in prueba.o) (code)
  EVP_DigestUpdate (first referenced in prueba.o) (code)
I have tried everything I know to find the libraries, from specifying in my
PATH variable the path of the installation; and even to copy the
/usr/local/ssl/include/openssl directory to the /opt/CC/include/CC dirctory
and still can't get it to work.
I have the feeling that I'm missing some configuration specific from my
operating system, that's why I'm asking for your help, cause I've really
have tried to make it work first (I have reinstalled twice openssl and the
C compiler).
At this point these are my env variables related to openssl:
OPENSSLDIR=/usr/local/ssl
PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
export PATH
SHLIB_PATH=/usr/local/ssl/lib   -- I added this
export SHLIB_PATH
-
Silvia Gisela
_
NOTA: La información de este correo es de propiedad exclusiva y
confidencial. Este mensaje es sólo para el destinatario señalado, si usted
no lo es, destrúyalo de inmediato. Ninguna información aquí contenida debe
ser entendida como dada o avalada por Alestra, sus subsidiarias o sus
empleados, salvo cuando ello expresamente se indique. Es responsabilidad de
quien recibe este correo de asegurarse que esté libre de virus, por lo
tanto ni Alestra, sus subsidiarias ni sus empleados aceptan responsabilidad
alguna.
NOTE:  The information in this email is proprietary and confidential. This
message is for the designated recipient only, if you are not the intended
recipient, you should destroy it immediately. Any information in this
message shall not be understood as given or endorsed by Alestra, its
subsidiaries or their employees, unless expressly so stated. It is the
responsibility of the recipient to ensure that

Please - Help me out here - Need to make design decision based on your answer

2005-04-13 Thread Radhika Gunasekar











-Original Message-
From: Radhika Gunasekar
[mailto:[EMAIL PROTECTED] 
Sent: Friday, April
 08, 2005 10:46 AM
To: 'openssl-users@openssl.org'
Subject: Encrypting/Decrypting
messages



Hello,



I am a new user to OpenSSL. I have couple of questions.



Background:



I am working on a client/server environment. Both
communicate with each other via TCPIP/UDP protocol. Client is on Linux
and Server is on AIX. We need to encrypt messages going between them and also
able to decrypt the messages received. Application that we are communicating is
currently return in C.



By going through documents in openssl.org , I found out that
I could use libcrypto.so on both LINUX and AIX side and use its
high level EVP interface functions to achieve what we are looking for. Here are
the functions that I am planning to use. 



EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal fo
Encrytion and

Evp_DecryptInit_ex, EVP_DecryptUpdate, EVP_DecryptFinal for
Decryption.



And I am planning to use blowfish symmetric cipher algorithm.



Now my questions are:




 Am I going in the right direction?
 Are there any other better way to handle message
 encryption and decryption?
 What are EVP_Seal functions, are they better than
 using EVP_Encyrpt/EV_Decrypt functions?
 Since the applications we are communicating
 between are real time application, would blowfish provide the fastest
 encryption/decryption algorithm that we are looking for? 
 Currently I am planning to use the common key
 between client and server which will be stored in a protect file on both
 client and server to perform encryption and decryption. Are there any
 better ways to protect the key information?




Please reply. Thanks for your help.



Regards,

Radhika.

Re: oid_section questions please help!

2004-11-10 Thread Dr. Stephen Henson

On Tue, Nov 09, 2004, ray v wrote:

 
 I think the the reason why I can get the new OIDs to
 work is that I'm using the -config my.cnf when making
 the request myself. This would indicate as you've
 already said, I've got my OIDs in the wrong place.
 
 The question where can my new OIDs be place and what
 makes putting my OIDs in a different place other then
 the CA_default section?
 

As summarized in the conf(5) manual page you do this...

Add an entry to the default section (start of file before any other
sections) containing something like:

openssl_conf=config_section

Add new sections like this:

[config_section]
oid_section=new_oids

[oid_section]

some_oid = 1.2.3.4.1
some_other_oid = 1.2.3.4.2


but obviously using appropriate OID values.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

oid_section questions please help!

2004-11-09 Thread ray v

Hi All!

I created an OID section but I'm a little confused
with how to use it. My example...

oid_section = my_oids

[my_oids]
value1 = 1.3.6.1.4.1..1
value2 = 1.3.6.1.4.1..2
value3 = 1.3.6.1.4.1..3


If I specify the -config sample.cnf when creating the
key, request and certificate this all works fine. When
I recieved and outside cert request it fails with

Error Loading extension section default
10765:error:2207C082:X509 V3
routines:DO_EXT_CONF:unknown extension
name:v3_conf.c:123:
10765:error:2206B080:X509 V3
routines:X509V3_EXT_conf:error in
extension:v3_conf.c:92:name=oid_section

Being new to this I'm not sure if I'm asking the right
question. I need to add extensions to certificate
during the certificate gen and signing process. The
oids_section is in the global or default am I missing
something here? Is there something I'm supposed to put
in the [req] section regarding the new oids?

All help will be appreciate...
I'm loosing my hair faster then a cat in October!
thanks!








__ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 
 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

1 2 3 >

1 - 100 of 203 matches

Mail list logo