Re: OpenSSL 1.0.1h for android ?? Please help.
Hello everyone,

Thanks for your timely help. I was able to compile openssl 1.0.1e from a github project. It had Android.mk files. In case I wish to update to 1.0.1h, what changes do I need to make to the android.mk files?

On Sun, Jun 29, 2014 at 10:22 PM, birajendu sahu biraje...@yahoo.co.in wrote:
> Hi Abhishek,
> You can build openssl using the NDK toolchain and get the libcrypto.a file, then you need to link that into your master .so which will be built from the android.mk file. I will publish the detailed steps soon.
> Thanks,
> Birajendu
>
> On Tuesday, 24 June 2014 12:16 AM, Abhishek Gupta abhis...@meddiff.com wrote:
>> Hello Users,
>> I am at task to compile OpenSSL 1.0.1h for the android platform and link it with an application. Can somebody give some pointers on how to do it? My problem is that there are no Android.mk files for this. And how can I use ndk-build here?
>> Development env:
>> 1. Ubuntu 14.04 / 12.04
>> 2. Android NDK-r9d
>> Regards
>> Abhishek.
Re: OpenSSL 1.0.1h for android ?? Please help.
As Jeffrey also mentioned, the wiki link for the android compile is the way to go. The config utility takes care of generating the required makefile.

Regards,

On Wed, Jul 2, 2014 at 11:45 AM, Abhishek Gupta abhis...@meddiff.com wrote:
> Hello everyone,
> Thanks for your timely help. I was able to compile openssl 1.0.1e from a github project. It had Android.mk files. In case I wish to update to 1.0.1h, what changes do I need to make to the android.mk files?
>
> On Sun, Jun 29, 2014 at 10:22 PM, birajendu sahu biraje...@yahoo.co.in wrote:
>> Hi Abhishek,
>> You can build openssl using the NDK toolchain and get the libcrypto.a file, then you need to link that into your master .so which will be built from the android.mk file. I will publish the detailed steps soon.
>> Thanks,
>> Birajendu
>>
>> On Tuesday, 24 June 2014 12:16 AM, Abhishek Gupta abhis...@meddiff.com wrote:
>>> Hello Users,
>>> I am at task to compile OpenSSL 1.0.1h for the android platform and link it with an application. Can somebody give some pointers on how to do it? My problem is that there are no Android.mk files for this. And how can I use ndk-build here?
>>> Development env:
>>> 1. Ubuntu 14.04 / 12.04
>>> 2. Android NDK-r9d
>>> Regards
>>> Abhishek.

--
Regards,
Amit Agrawal
Re: OpenSSL 1.0.1h for android ?? Please help.
Hi Abhishek,

You can build openssl using the NDK toolchain and get the libcrypto.a file, then you need to link that into your master .so which will be built from the android.mk file. I will publish the detailed steps soon.

Thanks,
Birajendu

On Tuesday, 24 June 2014 12:16 AM, Abhishek Gupta abhis...@meddiff.com wrote:
> Hello Users,
> I am at task to compile OpenSSL 1.0.1h for the android platform and link it with an application. Can somebody give some pointers on how to do it? My problem is that there are no Android.mk files for this. And how can I use ndk-build here?
> Development env:
> 1. Ubuntu 14.04 / 12.04
> 2. Android NDK-r9d
> Regards
> Abhishek.
OpenSSL 1.0.1h for android ?? Please help.
Hello Users,

I am at task to compile OpenSSL 1.0.1h for the android platform and link it with an application. Can somebody give some pointers on how to do it? My problem is that there are no Android.mk files for this. And how can I use ndk-build here?

Development env:
1. Ubuntu 14.04 / 12.04
2. Android NDK-r9d

Regards
Abhishek.
Re: OpenSSL 1.0.1h for android ?? Please help.
Openssl does not directly support Android AFAIR. You can try some manual changes to e.g. CC or write your own make file.

On Jun 23, 2014 11:18 AM, Abhishek Gupta abhis...@meddiff.com wrote:
> Hello Users,
> I am at task to compile OpenSSL 1.0.1h for the android platform and link it with an application. Can somebody give some pointers on how to do it? My problem is that there are no Android.mk files for this. And how can I use ndk-build here?
> Development env:
> 1. Ubuntu 14.04 / 12.04
> 2. Android NDK-r9d
> Regards
> Abhishek.
Re: OpenSSL 1.0.1h for android ?? Please help.
On Mon, Jun 23, 2014 at 2:17 PM, Abhishek Gupta abhis...@meddiff.com wrote:
> Hello Users,
> I am at task to compile OpenSSL 1.0.1h for the android platform and link it with an application. Can somebody give some pointers on how to do it? My problem is that there are no Android.mk files for this. And how can I use ndk-build here?

http://wiki.openssl.org/index.php/Android
Re: OpenSSL 1.0.1h for android ?? Please help.
http://wiki.openssl.org/index.php/Android

In addition, the Guardian Project's Orbot is a live working example of a project currently building OpenSSL on Android.
https://gitweb.torproject.org/orbot.git/blob/HEAD:/external/Makefile
Re: SSL_Certificate Validation ( Server Authentication): Please Help
For 5 days I have not received any response. It could be a silly question to you guys. But I need the answer. Waiting for a nice reply.

Best Regards,
S S Rout
SSL_Certificate Validation ( Server Authentication): Please Help
Hey Crypto guys,

I have a basic question regarding Certificate validation. Basically, in Server Authentication a TLS client should validate the CN/SN against the Host portion of the ACS.URL. If it matches then the handshake will succeed, else it will fail. Am I right?

e.g. if Host.Url=x.x.x.x then CN (in both subject and issuer fields) should be x.x.x.x for a self-signed certificate:
  Issuer: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=www.https.com
  Subject: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=www.https.com

if Host.Url=x.x.x.x then CN (in the subject field) should be x.x.x.x for a CA-signed certificate:
  Issuer: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=Veisign
  Subject: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=10.204.4.69

CN validation: using a self-signed certificate.
SN validation:
1) Using a CA-signed certificate: using Subject name as HostURL
2) Using a CA-signed certificate: using subAltname as HostUrl

Method for CN validation:
1) Keep the same self-signed cert at both sides (FAP, Server)
Method for SN validation:
1) Keep the ROOT cert at the FAP and the server cert (signed cert) at the Server.

Am I right guys? Please let me know.

Best Regards,
S S Rout
RE: Please Help: Certificate Validation using subjectAltName extension
Thanks Dave for the explanation. One doubt regarding the sentence:

"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity" (RFC 2818)

What does this line mean? Does it say that if a certificate has a different CN in the issuer/subject field but a SubAltname: x.x.x.x which matches the HOST.URL (server), then the handshake will go through? i.e.

[ certificate_extensions ]
basicConstraints = CA:false
subjectAltName = DNS:x.x.x.x DNS:localhost

[ req_distinguished_name ]
countryName= US
stateOrProvinceName= Chems
localityName = Washington
organizationName = Sercomm
commonName = Verisign

[ req_extensions ]
basicConstraints = CA:true
subjectAltName = DNS:x.x.x.x,DNS:localhost

Am I correct? Please help.

Best Regards,
S S Rout
RE: Please Help me out- SSL ERROR
From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
Sent: Wednesday, 18 January, 2012 02:52

> snip
> root@1143726:/usr/bin# openssl s_client -connect 10.204.4.69:7003
> WARNING: can't open config file: /usr/ssl/openssl.cnf
> CONNECTED(0003)
> depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, CN = 10.204.4.69
> verify error:num=20:unable to get local issuer certificate
> snip
> Certificate chain
>  0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69
>    i:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA
> snip
> My Set up looks like this. e.g. the Certificate Chain would be ROOT - Server (I keep ROOT at the CLIENT and the Server cert at the SERVER). Am I right?

Yes, at least for server auth. If you use client auth, which is not very common, then *also* have the client cert at the client and its root at the server.

> [root@squidpc TEST]# openssl x509 -in root.pem -text
> snip
> Please let me know what is missing here; why am I getting the above error?

Either specify -CAfile root.pem on the s_client commandline OR put that root cert in the default truststore which is used when you don't specify -CAfile and/or -CApath on the commandline. The default truststore can be a single file or a directory with hashcode names or links or both, and is in a location that depends on your platform and the build options of your OpenSSL.
Please Help me out- SSL ERROR
RE: Please Help: Certificate Validation using subjectAltName extension
From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
Sent: Saturday, 03 December, 2011 02:56

> My TLS client can validate both CN and SN; I need to test both scenarios. I don't know how to create a certificate with subjectAltName extension using openssl commands. In RFC-2818, there are two ways of Certificate Validation for Host name 1) CN (Common Name) 2) SN (Subject Name)

1. Common Name part of subject name which is the value of Subject.
2. Subject *Alternative* Name which is an extension.

> If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

As this says, although a bit tersely.

> I created a Self-signed certificate using open-ssl commands and my certificate chain looks like below where CN=10.204.4.69
> openssl genrsa -des3 -out server.key 1024
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> Please tell how to create a certificate with subjectAltName extension using openssl commands?

The same way(s) you create a cert with any extension(s). See man req; man x509; man ca; man x509v3_config.

In x509 -req supply -extfile with the name of a config file, and -extsect with the name of a section in that file unless it is default or pointed to by default.extensions, specifying the extension(s) you want. You want something like subjectAltName=DNS:my.host.example

For selfsigned you can save a step (or two) with req -x509 (and -newkey) in which case use -extensions or req.x509_extensions.
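An added example, not code from the thread or from the OpenSSL tree, that carries out the reply above and the earlier s_client thread end to end: a root CA and a server certificate with subjectAltName issued through an -extfile section, then the chain check with and without -CAfile, and the RFC 2818 identity checks done with `openssl verify -verify_hostname` / `-verify_ip` (OpenSSL 1.0.2 or later). All names, addresses and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL tree: issue a
# root CA and a server certificate that carries subjectAltName through an
# -extfile section (the "x509 -req" route described in the reply), then run
# the client-side checks from the s_client thread with and without -CAfile,
# and the RFC 2818 identity checks using
# "openssl verify -verify_hostname / -verify_ip" (OpenSSL 1.0.2 or later).
# Names, addresses and file names are all constructed for this example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA the *client* trusts. A config section supplies the CA extensions,
#    which is the req.x509_extensions mechanism mentioned in the reply.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
C  = IN
ST = Karnataka
L  = Bangalore
O  = Example
CN = Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout root.key -out root.pem 2>/dev/null

# 2. Server key and CSR. -subj overrides the DN from ca.cnf; the CN is only
#    the deprecated fallback identity from RFC 2818.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Example/CN=fap.example.test" \
    -keyout server.key -out server.csr 2>/dev/null

# 3. Extension section for the leaf: host names go in DNS:, IP literals in
#    IP: (an address written as DNS:10.204.4.69 never matches as an address).
cat > server.ext <<'EOF'
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:fap.example.test, IP:10.204.4.69
EOF

# 4. Sign with the root; the x509 option naming the section is -extensions.
openssl x509 -req -days 365 -sha256 -in server.csr \
    -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile server.ext -extensions server_ext -out server.crt 2>/dev/null

# 5. Same CSR signed with no extensions at all: a CN-only certificate, the
#    shape the original poster's genrsa/req/x509 commands produce.
openssl x509 -req -days 365 -sha256 -in server.csr \
    -CA root.pem -CAkey root.key -CAcreateserial -out legacy.crt 2>/dev/null

# Chain check with the root trusted, which is what "-CAfile root.pem" gives
# s_client. Prints OK or FAIL.
verify_with_root() {
    openssl verify -CAfile root.pem server.crt >/dev/null 2>&1 && echo OK || echo FAIL
}

# Same check with no trust anchor supplied: prints the numeric verify error,
# the "num=20: unable to get local issuer certificate" from the thread.
verify_without_root() {
    openssl verify server.crt 2>&1 | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -1
}

# Identity check as a TLS client performs it after the chain check:
# $1 = certificate file, $2 = -verify_hostname or -verify_ip, $3 = the
# identity the client connected to. Prints OK or FAIL.
check_identity() {
    openssl verify -CAfile root.pem "$2" "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
}

# The subjectAltName line as the CA actually encoded it.
print_san() {
    openssl x509 -in server.crt -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

echo "SAN in server.crt: $(print_san)"
echo "with root trusted: $(verify_with_root); without: error $(verify_without_root)"
echo "SAN cert, host:  $(check_identity server.crt -verify_hostname fap.example.test)"
echo "SAN cert, IP:    $(check_identity server.crt -verify_ip 10.204.4.69)"
echo "CN-only, host:   $(check_identity legacy.crt -verify_hostname fap.example.test)"
echo "CN-only, IP:     $(check_identity legacy.crt -verify_ip 10.204.4.69)"
```

The last two lines show the practical consequence of the RFC 2818 rule the thread quotes: a CN is still consulted for a host name when no dNSName SAN exists, but an IP address is only ever matched against an iPAddress SAN.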
Please Help: Certificate Validation using subjectAltName extension
Dear All,

My TLS client can validate both CN and SN; I need to test both scenarios. I don't know how to create a certificate with “subjectAltName extension” using openssl commands.

In RFC-2818, there are two ways of Certificate Validation for Host name:
1) CN (Common Name)
2) SN (Subject Name)

"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."

I created a Self-signed certificate using open-ssl commands and my certificate chain looks like below where CN=10.204.4.69:

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

My Certificate chain
===
 0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Home Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com
   i:/C=IN/ST=Karnataka/L=Bangalore/O=Home Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com

Please tell how to create a certificate with “subjectAltName extension” using openssl commands?

Thanks in advance.

Regards,
Rout
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/20/2011 12:45 PM, Gaglia wrote:
> ...

Feedback always appreciated, in case somebody has further investigated the issue :)
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/16/2011 07:13 PM, y...@inbox.lv wrote:
> ...

So everybody here seems to agree that steps 1)...7) I listed in the first post are correct, and that the problem in EC management lies in OpenVPN, right?
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/16/2011 06:50 AM, y...@inbox.lv wrote:
> openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> Error setting context

My premise is that we are considering only OpenSSL v 1.0.0. Under this condition, as I wrote in the first post, I do something like:

# generate EC private key for curve sect571k1, no point compression
# (to enable point compression, use -conv_form compressed )
openssl ecparam -out cakey.pem -name sect571k1 -text -genkey

# generate EC certificate with the above private key with SHA512
# (note that the -sha512 arg has no effect if using v0.9.8, it
# will use SHA-1 instead)
openssl req -out cacert.pem -key cakey.pem -sha512 -x509 -new

# check that everything is OK
openssl x509 -text -in cacert.pem
Certificate:
    ...
    *Signature Algorithm: ecdsa-with-SHA512*
    Issuer: ...
        Public Key Algorithm: id-ecPublicKey
        EC Public Key:
            pub: 02:3A:...
            ASN1 OID: sect571k1
        X509v3 extensions:
        ...
    *Signature Algorithm: ecdsa-with-SHA512*
        20:89:...
-----BEGIN CERTIFICATE-----
MIJ...
...
ASd45g==
-----END CERTIFICATE-----

Any wrongdoing up to here?
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Sat, Jul 16, 2011, y...@inbox.lv wrote:
> openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> Error setting context
> 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:

AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports SHA1 and SHA2 algorithms with ECC. So if you used -sha256 it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
sha256 worked (both for dgst and for req).

If I understand correctly, the ECDSA algorithm only needs the hash as a defined-length bitstring, so adapting ripemd in place of sha1 should have been easier than sha256 (because ripemd has the same length as sha1; sha256 is longer).

Quoting *Dr. Stephen Henson st...@openssl.org*:
> On Sat, Jul 16, 2011, y...@inbox.lv wrote:
>> openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
>> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
>> Error setting context
>> 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:
>
> AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports SHA1 and SHA2 algorithms with ECC. So if you used -sha256 it should work.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
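An added example, not code from the thread: Gaglia's EC procedure for OpenSSL 1.0.0 and later, run on the prime curve secp521r1 named later in the thread (sect571k1 is a binary curve that some builds leave out), with checks for the two things argued about here, the signature algorithm the certificate actually carries and which digests ECDSA signing accepts. File names and the message are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the EC key and self-signed
# certificate procedure from the thread for OpenSSL 1.0.0+, on the prime
# curve secp521r1 named later in the thread, plus checks for what the thread
# argues about: which signature algorithm the certificate really carries and
# which digests ECDSA signing accepts. File names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# EC private key on a named curve. Because the curve is *named*, the
# certificate's subjectPublicKeyInfo carries only its OID, not the explicit
# prime/A/B/generator parameters shown in Kyle's dump further down.
openssl ecparam -name secp521r1 -genkey -noout -out cakey.pem
openssl pkey -in cakey.pem -pubout -out pubkey.pem

# Minimal req config so the run does not depend on a system openssl.cnf
# (the "can't open config file" warning in the thread).
cat > ec.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
O  = Example
CN = ec-test
EOF

# Self-signed certificate, ECDSA over SHA-512. (On 0.9.8 -sha512 was ignored
# and SHA-1 used; that is the version difference Steve points out.)
openssl req -new -x509 -config ec.cnf -sha512 -days 365 -key cakey.pem \
    -out cacert.pem 2>/dev/null

# Signature algorithm as printed by "openssl x509 -text".
cert_sig_alg() {
    openssl x509 -in cacert.pem -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -1
}

# Curve recorded in the certificate (the "ASN1 OID:" line of the key dump).
cert_curve() {
    openssl x509 -in cacert.pem -noout -text | sed -n 's/^ *ASN1 OID: //p'
}

# Sign a constructed message with ECDSA using the digest flag given as $1,
# then verify it with the public key; prints OK or FAIL. OpenSSL only pairs
# ECDSA with digests that have a standard ecdsa-with-* OID (SHA-1 and SHA-2,
# later SHA-3), which is why -ripemd160 fails with "invalid digest type".
sign_and_verify() {
    printf 'constructed test payload\n' > msg.txt
    if openssl dgst "$1" -sign cakey.pem -out msg.sig msg.txt 2>/dev/null \
       && openssl dgst "$1" -verify pubkey.pem -signature msg.sig msg.txt \
              >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

echo "certificate signed with: $(cert_sig_alg) on $(cert_curve)"
for d in -sha1 -sha256 -sha512 -ripemd160; do
    echo "ECDSA with $d: $(sign_and_verify $d)"
done
```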
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Thu, Jul 14, 2011 at 3:35 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote:
> Dismissed or withdrawn? It seems to me Certicom stopped biting a hand that feeds it.
> Jeff

Looking at the docket, it looks like they reached an agreement to dismiss without prejudice (meaning the suit could be refiled in the future).

-Kyle H
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
> ...

Excuse me, I got lost somewhere... Does this mean that it is not possible to use EC crypto with OpenSSL because the algorithms are patented? If so, why does OpenSSL provide support for EC crypto?

Sorry, I don't want to start a religious war, but as an EU citizen (and like many other humans too, I guess), I find the idea of patenting the mathematical description of an algorithm unbelievably absurd.

Let's put it this way: in the unlikely and deplorable event of a user willing to illegally use patented EC cryptography with OpenSSL for personal use (hence assuming responsibility for any consequence), could he/she use OpenSSL? Is OpenSSL able to handle this kind of crypto? I guess yes, for (as in the first post of the thread) I managed to apparently do a lot of things with the curve of my choice...

My question is, apart from legal considerations: did I do something wrong in the certificate generation process?

Thanks for any help :)
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
The version of ECDSA available in openssl 1.0.0d supports only SHA1. (Maybe there are patches which add other hash functions, but the default build on win32 supports only sha1.)

ECDH and ECDSA are not guaranteed to use the same curve. At least with s_server the curve for ECDSA is specified in the certificate, but the curve for ECDH is specified by the -named_curve argument. Other programs probably use something similar.

Last time I searched the openvpn forums for anything ECC related, I did not find anything (probably bad keywords, but it also might be lack of ECC support).

Quoting *Kyle Hamilton aerow...@gmail.com*:
> ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the Digital Signature Algorithm. DSA was developed by the US National Security Agency as a means of creating prime-factorization-based signatures without providing code paths which would permit the encryption of arbitrary data.
>
> ANSI X9 has object identifiers for ECDSA with a variety of hashes. 1.2.840.10045.4.3. and then one of the following:
> 1: ECDSA with SHA-224
> 2: with SHA-256
> 3: SHA-384
> 4: SHA-512
>
> The information on the curve in use is part of subjectPublicKeyInfo:
> [snip: the Subject Public Key Info dump and signature, quoted in full in Kyle's original message further down this page]
>
> The curve in use can be named (reducing the size of the subjectPublicKeyInfo), or it can be specified explicitly (like the above). (I included the hash to show that it is indeed legitimate to have a different hash size. I should note that I didn't generate this with OpenSSL, and I don't know how
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Fri, Jul 15, 2011, y...@inbox.lv wrote:
> The version of ECDSA available in openssl 1.0.0d supports only SHA1. (Maybe there are patches which add other hash functions, but the default build on win32 supports only sha1.)

What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in things like certificates but 1.0.0 and later should support other hashes such as SHA256. Can you give an example where 1.0.0 is failing?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
> On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
>> ...
> Excuse me, I got lost somewhere... Does this mean that it is not possible to use EC crypto with OpenSSL because the algorithms are patented? If so, why does OpenSSL provide support for EC crypto?

EC is considered to be a patent minefield. Some people (RSA Data Security) say that it's possible to implement EC cryptography using different types of algorithms which are not covered by the patents. Other people (Bruce Schneier, US NSA) say that the mechanism itself is patented, not simply specific algorithms for calculation.

The US NSA licensed from Certicom the right to sublicense the EC algorithms used in Suite B. My understanding is that OpenSSL received a gift from Sun Microsystems of its EC sublicense from NSA.

> Let's put it this way: in the unlikely and deplorable event of a user willing to illegally use patented EC cryptography with OpenSSL for personal use (hence assuming responsibility for any consequence), could he/she use OpenSSL? Is OpenSSL able to handle this kind of crypto?

Yes. And, given OpenSSL's EC sublicense gift, the user of OpenSSL (if my understanding is correct, IANAL!) is also licensed.

> I guess yes, for (as in the first post of the thread) I managed to apparently do a lot of things with the curve of my choice... My question is, apart from legal considerations: did I do something wrong in the certificate generation process?

Nobody can know unless you post the certificate in question, or at the least the dump of the x509 structure you have. One thing that might cause a problem is if you enabled EC point compression in your OpenSSL compile, as I don't believe OpenSSL has a license for that.

-Kyle H
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/15/2011 05:36 PM, Kyle Hamilton wrote:
> ...
> EC is considered to be a patent minefield. Some people (RSA Data Security) say that it's possible to implement EC cryptography using different types of algorithms which are not covered by the patents. Other people (Bruce Schneier, US NSA) say that the mechanism itself is patented, not simply specific algorithms for calculation.

I'll make just one comment here: U.S. patent law, at least as applied to software, is a festering cesspool.

> The US NSA licensed from Certicom the right to sublicense the EC algorithms used in Suite B. My understanding is that OpenSSL received a gift from Sun Microsystems of its EC sublicense from NSA.

OpenSSL (in the guise of its corporate manifestation, the OpenSSL Software Foundation) is a direct NSA sublicensee (http://opensslfoundation.com/testing/docs/NSA-PLA.pdf). Note that the sublicense only covers some prime field ECC; for the rest of it seek competent legal advice. Also note the license is nontransferable.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Fri, Jul 15, 2011 at 5:36 PM, Kyle Hamilton aerow...@gmail.com wrote:
> On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
>> On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
>>> ...
>> Excuse me, I got lost somewhere... Does this mean that it is not possible to use EC crypto with OpenSSL because the algorithms are patented? If so, why does OpenSSL provide support for EC crypto?
>
> EC is considered to be a patent minefield. Some people (RSA Data Security) say that it's possible to implement EC cryptography using different types of algorithms which are not covered by the patents.

Consider the source: RSA's strongest competition is ECC and Certicom (or should we say ECC's past competition was RSA?). RSA Data Security managed to implant RSA into DSA with heavy lobbying, but RSA's glory days are behind them or gone. The SecurID scandal is another testament to the fact.

I often wonder why open source implementations even care: (1) the implementations are often available throughout the world, where US patent law does not apply, (2) for US domestic uses, push the burden of licensing compliance onto the user (or #define out any code found to be offending by *real* lawyers), and (3) most implementors don't have the money to make it worthwhile to litigate.

For (3), Certicom most likely won't make a dime, so there's no monetary relief or benefit even if they incur loss or damages. And at best, they will probably be granted an injunction against US distribution. Guess what folks will do in that case (what did they do with RSA - download from Australia or Germany or ...).

Jeff
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Error setting context
5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:

Also, in the documentation on the pkeyutl program it is mentioned that ECDSA supports only sha1: http://www.openssl.org/docs/apps/pkeyutl.html# (subsection EC ALGORITHM). The documentation on the dgst program did not mention any limitations on the choice of hash; it only said that sha1 is the preferred choice.

The EC key used in the failed example above is based on secp521r1 and was generated by openssl.

Quoting *Dr. Stephen Henson st...@openssl.org*:
> On Fri, Jul 15, 2011, y...@inbox.lv wrote:
>> The version of ECDSA available in openssl 1.0.0d supports only SHA1. (Maybe there are patches which add other hash functions, but the default build on win32 supports only sha1.)
>
> What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in things like certificates but 1.0.0 and later should support other hashes such as SHA256. Can you give an example where 1.0.0 is failing?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the Digital Signature Algorithm. DSA was developed by the US National Security Agency as a means of creating prime-factorization-based signatures without providing code paths which would permit the encryption of arbitrary data. ANSI X9 has object identifiers for ECDSA with a variety of hashes: 1.2.840.10045.4.3. and then one of the following:
1: ECDSA with SHA-224
2: with SHA-256
3: SHA-384
4: SHA-512
The information on the curve in use is part of subjectPublicKeyInfo:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub: 04:00:ef:07:81:ff:79:01:d3:10:a4:42:6b:d5:37: a9:ed:6b:a4:1d:20:8a:20:b6:44:34:09:d9:3d:f0: 69:0f:b2:65:3f:d9:dd:68:72:a7:2b:cd:d4:70:e9: cb:21:dd:05:34:1b:4e:42:0f:65:63:5e:b9:24:a6: 40:f6:cc:22:94:ea:3b:01:7f:65:38:09:33:b0:0d: b3:91:b6:1d:4a:a7:9f:17:2e:56:4d:ff:14:d3:aa: 65:5d:3a:3d:ba:c2:d9:30:30:41:73:14:3e:6e:c7: 01:ae:af:52:b6:cc:31:6d:26:dd:39:dc:60:c8:b9: 07:fb:21:38:ec:75:dc:0f:3b:b7:9d:44:35
Field Type: prime-field
Prime: 01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff
A: 01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:fc
B: 51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85: 40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e: f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd: 3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f: d4:6b:50:3f:00
Generator (uncompressed): 04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66: 23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af: 60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d: c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9: 7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b: c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57: 9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99: 5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70: 86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
Order: 01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01: 48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f: b7:1e:91:38:64:09
Cofactor: 1 (0x1)
Seed: d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84: aa:a0:da:64:ba
Signature Algorithm: ecdsa-with-SHA256
30:81:87:02:41:7b:7d:88:a9:56:e8:d5:a0:f6:38:e7:85:4c: f5:1c:81:64:de:92:25:37:42:2d:31:cb:8b:af:04:32:7b:d7: 06:19:4a:eb:a9:ca:9d:88:38:11:99:bc:2e:2b:35:e6:69:1c: ca:1c:8c:86:7d:74:bc:dd:96:20:8e:38:01:63:15:8b:02:42: 01:66:42:70:5f:2e:cc:fb:1f:f3:d4:96:54:e9:b7:0a:3b:82: ec:b7:90:45:19:c0:ac:4c:ef:82:3d:77:07:e1:4d:13:81:d3: 12:23:bc:84:4f:9b:ac:55:c4:a1:3b:85:08:5a:2f:ae:ad:45: 3f:5f:da:cd:80:45:c9:79:58:d3:79:a2
The curve in use can be named (reducing the size of the subjectPublicKeyInfo), or it can be specified explicitly (like the above). (I included the hash to show that it is indeed legitimate to have a different hash size. I should note that I didn't generate this with OpenSSL, and I don't know how OpenSSL generates the sPKI.) Also, note the large number of 0xff bytes in the prime. These can be eliminated if you're willing to pay Certicom's point compression patent license fee. The patent situation around Elliptical Curve is a bit murky, but (IANAL) I am proceeding as though the narrow interpretation promoted by the RSA Crypto FAQ is correct: the patent situation is the opposite of what was the case for DH and RSA: the algorithm itself is not specifically described in any particular patent, only particular efficient implementations of it -- such as 'an efficient algorithm using only left-shift and add instructions'. The reason why there's murkiness is because everyone who does things is pretty much counseled to avoid looking at the patents -- if the patents are known, then it's evidence of willful
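As an added illustration of the OID scheme Kyle lists (this is not code from the thread), a small C decoder that turns the DER content octets of an OBJECT IDENTIFIER into dotted form and maps the X9.62 ECDSA signature OIDs to their hash; it also covers the ecdsa-with-SHA1 OID 1.2.840.10045.4.1 that the rest of the thread turns on. The sample bytes are constructed and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: pure C, no OpenSSL required. */

/* Decode DER OID content octets (the bytes after the 0x06 tag and length).
 * Returns the number of characters written, or -1 on a malformed encoding,
 * an arc that would overflow unsigned long, or insufficient output space. */
int oid_to_dotted(const unsigned char *oid, size_t len, char *out, size_t outsz)
{
    size_t i = 0, pos = 0;
    int first = 1;

    if (len == 0 || outsz == 0)
        return -1;
    while (i < len) {
        unsigned long sub = 0;
        int cont, n;
        do {                                  /* base-128, high bit = continue */
            if (i >= len)
                return -1;                    /* truncated sub-identifier */
            if (sub > (~0UL >> 7))
                return -1;                    /* next shift would overflow */
            cont = oid[i] & 0x80;
            sub = (sub << 7) | (oid[i] & 0x7f);
            i++;
        } while (cont);
        if (first) {
            /* The first two arcs X.Y are packed into one value 40*X + Y;
             * X is 0 or 1 only when the value is below 80, otherwise 2. */
            unsigned long x = sub < 80 ? sub / 40 : 2;
            n = snprintf(out + pos, outsz - pos, "%lu.%lu", x, sub - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + pos, outsz - pos, ".%lu", sub);
        }
        if (n < 0 || (size_t)n >= outsz - pos)
            return -1;                        /* output buffer too small */
        pos += (size_t)n;
    }
    return (int)pos;
}

/* ANSI X9.62 signature algorithm OIDs: 1.2.840.10045.4.1 is ecdsa-with-SHA1,
 * 1.2.840.10045.4.3.N are the SHA-2 variants listed in the post above. */
const char *ecdsa_sig_hash_name(const char *dotted)
{
    static const struct { const char *oid; const char *hash; } table[] = {
        { "1.2.840.10045.4.1",   "SHA-1"   },
        { "1.2.840.10045.4.3.1", "SHA-224" },
        { "1.2.840.10045.4.3.2", "SHA-256" },
        { "1.2.840.10045.4.3.3", "SHA-384" },
        { "1.2.840.10045.4.3.4", "SHA-512" },
    };
    size_t k;
    for (k = 0; k < sizeof table / sizeof table[0]; k++)
        if (strcmp(table[k].oid, dotted) == 0)
            return table[k].hash;
    return NULL;                              /* not an ECDSA signature OID */
}

/* DER OID content octets -> hash name, or NULL if unknown or malformed. */
const char *ecdsa_hash_from_der_oid(const unsigned char *oid, size_t len)
{
    char dotted[64];
    if (oid_to_dotted(oid, len, dotted, sizeof dotted) < 0)
        return NULL;
    return ecdsa_sig_hash_name(dotted);
}

/* Constructed samples: content octets of ecdsa-with-SHA256 (as in the dump
 * above), ecdsa-with-SHA512, ecdsa-with-SHA1, and a truncated encoding. */
const unsigned char SAMPLE_OID_ECDSA_SHA256[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 };
const unsigned char SAMPLE_OID_ECDSA_SHA512[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04 };
const unsigned char SAMPLE_OID_ECDSA_SHA1[]   = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01 };
const unsigned char SAMPLE_OID_TRUNCATED[]    = { 0x2a, 0x86 };   /* continuation bit, no next byte */

int main(void)
{
    char dotted[64];
    if (oid_to_dotted(SAMPLE_OID_ECDSA_SHA256, sizeof SAMPLE_OID_ECDSA_SHA256,
                      dotted, sizeof dotted) < 0)
        return 1;
    printf("%s -> %s\n", dotted, ecdsa_sig_hash_name(dotted));
    return 0;
}
```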
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote: ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the Digital Signature Algorithm. DSA was developed by the US National Security Agency as a means of creating prime-factorization-based signatures without providing code paths which would permit the encryption of arbitrary data. ANSI X9 has object identifiers for ECDSA with a variety of hashes. [SNIP] The patent situation around Elliptical Curve is a bit murky, but (IANAL) I am proceeding as though the narrow interpretation promoted by the RSA Crypto FAQ is correct: the patent situation is the opposite of what was the case for DH and RSA: the algorithm itself is not specifically described in any particular patent, only particular efficient implementations of it -- such as 'an efficient algorithm using only left-shift and add instructions'. The reason why there's murkiness is because everyone who does things is pretty much counseled to avoid looking at the patents -- if the patents are known, then it's evidence of willful (rather than accidental) infringement and any punitive damages for such are tripled. However, Professor Dan J Bernstein says that his prime at 256 bits is unpatented and there's prior art from several years before the Certicom patents were filed -- and there was an infringement lawsuit brought by Certicom against Sony, which was dismissed in 2009. Dismissed or withdrawn? It seems to me Certicom stopped biting a hand that feeds it. Jeff On Sun, Jul 10, 2011 at 8:27 PM, y...@inbox.lv wrote: When I searched on it, it seemed that ECDH requires a specified named curve, and OpenVPN does not have a means of specifying it. Also, it seems that ECDSA works only with SHA-1 (I also would like to know why it cannot take any 160 bit hash). I searched about it a few weeks ago and relevant messages were a few months old.
Quoting Gaglia san...@paranoici.org: On 07/05/2011 03:23 PM, Gaglia wrote: I'm trying to make an OpenVPN setup with Elliptic Curves cryptography and SHA-512 on Linux Debian. No idea anybody, really? :( __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/11/2011 05:27 AM, y...@inbox.lv wrote: When I searched on it, it seemed that ECDH requires a specified named curve
You need to specify the curve's name, like this: openssl ecparam -name sect571k1 but this should only be done in the parameters generation stage; the generated certificates should contain this information by themselves, so I don't think specifying it to OpenVPN should be needed.
Also, it seems that ECDSA works only with SHA-1
This has been marked as a bug and it was fixed in the most recent versions of OpenSSL. I've met this issue with OpenSSL 0.9.8x (I don't remember the x); this version is indeed the default one for both Debian Squeeze and Ubuntu Natty, so this is quite annoying (I like Debian a lot, but its repos are often too much outdated). As I've written before, I've manually compiled OpenSSL v1.0.0 and I can read the following for my certificate, as expected: openssl x509 -text -in cacert.pem ... Signature Algorithm: ecdsa-with-SHA512
I searched about it a few weeks ago and relevant messages were a few months old.
Same problem here :( it seems that if someone managed to solve the problem, he/she didn't bother to write back the solution. Thanks anyway for the reply, still waiting for further help, I can't believe nobody managed to solve this issue :(
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/05/2011 03:23 PM, Gaglia wrote: I'm trying to make an OpenVPN setup with Elliptic Curves cryptography and SHA-512 on Linux Debian. No idea anybody, really? :(
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
When I searched on it, it seemed that ECDH requires a specified named curve, and OpenVPN does not have a means of specifying it. Also, it seems that ECDSA works only with SHA-1 (I also would like to know why it cannot take any 160 bit hash). I searched about it a few weeks ago and relevant messages were a few months old. Quoting *Gaglia san...@paranoici.org*: On 07/05/2011 03:23 PM, Gaglia wrote: I'm trying to make an OpenVPN setup with Elliptic Curves cryptography and SHA-512 on Linux Debian. No idea anybody, really? :(
Re: Please help RFC 5746
On Sun, Jul 03, 2011, Ritesh Rekhi wrote: Hi, I need a little help in implementing RFC 5746 on a server; as per the RFC it is not very clear how to tell clients that the server doesn't support renegotiation. If anybody knows a way to tell clients that the server doesn't support renegotiation, please let me know. It isn't clear from your message whether you want to tell the client you don't support renegotiation or don't support secure renegotiation. If a client doesn't support secure renegotiation and attempts to renegotiate then by default it will get back a no renegotiation alert (for TLS v1.0 or later). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
Hi, first of all please accept my apologies, I know this is a question more related to OpenVPN, but I think that the problem lies in the cert authority and client/server certificate generation step with OpenSSL, so I'm also posting it here, hoping for a solution. I'm trying to make an OpenVPN setup with Elliptic Curves cryptography and SHA-512 on Linux Debian. This seems to be very hard, I didn't find any howto on the web :( if and when I manage to get the whole thing up and running I will write a detailed howto, so any help is appreciated! As a premise: yes, I've recompiled OpenVPN using the latest OpenSSL version (see below). My suspicion is that I made some mistake in the certificate generation process but I can't find it. I also posted this issue at https://forums.openvpn.net/topic8404.html but there I included a lot of information more strictly related to my OpenVPN configuration; I will include here just the steps I used to set up the PKI with OpenSSL. Here is what I did:
1) downloaded OpenSSL 1.0.0, configured and installed in /usr/local/openssl (to avoid removing the already installed openssl 0.9.8 which looks like it's a crucial package for everything on my system) with:
8888888
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
8888888
I am calling the new openssl version with the openssl-new alias
2) created a CA:
8888888
openssl-new ecparam -out private/cakey_temp.pem -name sect571k1 -text -genkey
openssl-new ec -in private/cakey_temp.pem -out private/cakey.pem -aes256
wipe -f private/cakey_temp.pem
openssl-new req -new -x509 -out cacert.pem -key private/cakey.pem -days 36500 -sha512 -extensions v3_ca
openssl-new x509 -text -in cacert.pem
8888888
with the last command I read: Signature Algorithm: ecdsa-with-SHA512
3) created a server key and certification request:
8888888
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500 -out req.pem
chmod 600 privkey.pem
mv privkey.pem private/serverkey.pem
openssl-new req -in req.pem -text -verify -noout
8888888
again, I read: Signature Algorithm: ecdsa-with-SHA512
4) modified openssl.cnf accordingly and signed the request with the CA:
8888888
openssl-new ca -config openssl.cnf -policy policy_anything -out servercert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem -infiles req.pem
rm req.pem
8888888
5) created a client key and certification request:
8888888
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500 -out req.pem
chmod 600 privkey.pem
mv privkey.pem private/clientkey.pem
8888888
6) signed the request with the CA:
8888888
openssl-new ca -config openssl.cnf -policy policy_anything -out clientcert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem -infiles req.pem
8888888
(I later moved client files in ~/.ssl )
7) created both ECDH and DH (for testing) parameters:
8888888
openssl-new ecparam -out ecdh.pem -name sect571k1
openssl-new dhparam -out dh.pem 4096
8888888
My OpenVPN configuration does not work, I receive this error in the logs:
8888888
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
8888888
but, as I said, this is more related to OpenVPN and it is detailed in the forum post I linked above. What I'd like to know from more experienced OpenSSL users here is: did I perform steps 1)...7) correctly? Please help, I'm really in need of this ._. I will write a complete and detailed howto as a small compensation for the community! Thanks in advance
Please help RFC 5746
Hi, I need a little help in implementing RFC 5746 on a server; as per the RFC it is not very clear how to tell clients that the server doesn't support renegotiation. If anybody knows a way to tell clients that the server doesn't support renegotiation, please let me know. Thanks Ritesh Rekhi
Could you please help me about the basics of how to set and run open-ssl on my server
Hi OpenSSL Users, Could you please help me with the basics of how to set up and run OpenSSL on my server. Thanks
Please Help: RSA Public Key Exponent size
Hi All, In our environment a secure server creates Private/Public RSA keys. We can never access the Private key but we are able to access the Public Key. The command BN_num_bytes(rsa_public_key->e) returns the size of the exponent part of the public key, and it is 3 bytes: 10001. Could this be a valid value? We have a system that requires the public key exponent to be 4 bytes; could I pad the exponent so it is 4 bytes? Many thanks in advance, B
Re: Please Help: RSA Public Key Exponent size
Hi Bizhan, The command BN_num_bytes(rsa_public_key->e) returns the size of the exponent part of the public key, and it is 3 bytes: 10001. Could this be a valid value? Yes. Typical values are 3, 17, and 65535. We have a system that requires the public key exponent to be 4 bytes; could I pad the exponent so it is 4 bytes? Yes. Pad at the leading octets. Jeff On Fri, Oct 30, 2009 at 10:38 PM, Bizhan Gholikhamseh (bgholikh) bghol...@cisco.com wrote: Hi All, In our environment a secure server creates Private/Public RSA keys. We can never access the Private key but we are able to access the Public Key. The command BN_num_bytes(rsa_public_key->e) returns the size of the exponent part of the public key, and it is 3 bytes: 10001. Could this be a valid value? We have a system that requires the public key exponent to be 4 bytes; could I pad the exponent so it is 4 bytes? Many thanks in advance, B
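To make Jeff's "pad at the leading octets" concrete, here is an added C example (not from the thread) that left-pads the big-endian bytes BN_bn2bin() would write for e into a fixed 4-byte field, strips a leading 0x00 sign byte, and refuses a value that does not fit. The function names are hypothetical and the exponent bytes are constructed from the 10001 in the question; nothing here needs OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread. A hypothetical caller would obtain
 * inlen = BN_num_bytes(e) and fill in[] with BN_bn2bin(e, in) before calling. */

/* Copy the big-endian unsigned integer in[0..inlen) into out[0..outlen),
 * padding with leading zero octets. Leading zero octets in the input are
 * ignored (a DER INTEGER carries a 0x00 sign byte when the top bit is set).
 * Returns 0 on success, -1 if the significant bytes do not fit in outlen. */
int be_pad_left(const unsigned char *in, size_t inlen,
                unsigned char *out, size_t outlen)
{
    size_t skip = 0, sig;

    while (skip < inlen && in[skip] == 0)
        skip++;                              /* strip leading zeros */
    sig = inlen - skip;
    if (sig > outlen)
        return -1;                           /* value too large for the width */
    memset(out, 0, outlen);                  /* leading pad octets */
    memcpy(out + outlen - sig, in + skip, sig);
    return 0;
}

/* The case in the thread: a 3-byte exponent into a 4-byte big-endian field.
 * Returns the 32-bit value, or 0 if it did not fit (0 is never a valid RSA
 * public exponent, so it doubles as the error code). */
unsigned long exponent_as_u32(const unsigned char *e, size_t elen)
{
    unsigned char padded[4];

    if (be_pad_left(e, elen, padded, sizeof padded) != 0)
        return 0;
    return ((unsigned long)padded[0] << 24) | ((unsigned long)padded[1] << 16) |
           ((unsigned long)padded[2] << 8)  |  (unsigned long)padded[3];
}

/* Constructed sample: the 3-byte exponent 0x010001 from the question. */
const unsigned char SAMPLE_E_65537[] = { 0x01, 0x00, 0x01 };

int main(void)
{
    unsigned char padded[4];
    size_t i;

    if (be_pad_left(SAMPLE_E_65537, sizeof SAMPLE_E_65537, padded, sizeof padded) != 0)
        return 1;
    for (i = 0; i < sizeof padded; i++)
        printf("%02x", padded[i]);           /* 00010001 */
    printf(" = %lu\n", exponent_as_u32(SAMPLE_E_65537, sizeof SAMPLE_E_65537));
    return 0;
}
```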
Problem with install...Please Help
Hello, I am trying to install OpenSSL-0.9.8k. I currently have OpenSSL-0.9.8.602. Do I need to remove my older version before I install the new version? Also, I ran a ./config --prefix=/usr/opt/OpenSSL, which came back with NO error. Then when I ran make it gives me the following error:
cc: unrecognized option '-qthreaded'
cc: unrecognized option '-q32'
cc: unrecognized option '-qmaxmem=16384'
cc: unrecognized option '-qro'
cc: unrecognized option '-qroconst'
cc: error trying to exec 'cc1plus': execvp: No such file or directory
make: 1254-004 The error code from the last command is 1.
Please, let me know what route I should take from here to get OpenSSL installed. Thank you, Adam Jaber (801)586-1480 adam.jaber@dla.mil
RE: Problem with install...Please Help
I am also a bit of a newbie here but I do think that the problem you are having could be due to a previous version of gcc somewhere in your Linux box that is still called in your makefile. Perhaps you have to double check your env variables? Or remove the old gcc? 61-2-9013-4203 y...@ali.com.au From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jaber, Adam M CTR DLA J6UIA Sent: Thursday, 2 April 2009 2:24 AM To: openssl-users@openssl.org Subject: Problem with install...Please Help Hello, I am trying to install OpenSSL-0.9.8k. I currently have OpenSSL-0.9.8.602. Do I need to remove my older version before I install the new version? Also, I ran a ./config --prefix=/usr/opt/OpenSSL, which came back with NO error. Then when I ran make it gives me the following error:
cc: unrecognized option '-qthreaded'
cc: unrecognized option '-q32'
cc: unrecognized option '-qmaxmem=16384'
cc: unrecognized option '-qro'
cc: unrecognized option '-qroconst'
cc: error trying to exec 'cc1plus': execvp: No such file or directory
make: 1254-004 The error code from the last command is 1.
Please, let me know what route I should take from here to get OpenSSL installed. Thank you, Adam Jaber (801)586-1480 adam.jaber@dla.mil
NEW Bee Please help in writing a client server program
Hi everybody.. I am new to OpenSSL.. I am trying to write a simple client server program... I have already created a client server program.. now I have to add an SSL code snippet so that I can send and receive data using SSL.. and please tell me how to create certificates for server and clients.. if someone has already written a sample code (with information on creating certificates for both client and server) Thanks
Re: Please help: very urgent: Query on patented algorithms
At 01:20 PM 6/16/2008, Michael Sierchio wrote: RC4 is owned (and trademarked) by RSA Security Inc, but they are no longer enforcing the patent, RC4 was never protected by patent, but by trade secret. When the details of the algorithm were published, Ron Rivest himself suggested calling the alleged RC4 ARCFOUR. It is indeed a trademark of RSA Security. Michael is right. No patent. RSA subsequently switched to patent protection for RC5 and RC5. Some ancient history might offer context. RC4, developed by Rivest in 1987, was originally sold, under contractual constraints, as a proprietary RSA trade secret -- a mode of IP protection which soon proved to be frail and toothless in Cyberspace, where anonymous publication on the Net broke the trade secret contract but allowed the perpetrator to escape all liability. RSADSI initially filed for US trademark protection on RC4 in 1993, and the trademark -- as a mark of origin, a mark that identified the source of the distributed code -- became the last line of defense for the RC4 IP when the RC4 algorithm was reverse engineered and published on the Cypherpunks List in September of 1994. In a swirl of ironies, this was a critical event in public crypto history, because the illicit publication of RC4 made it possible for non-US developers to do their own versions of SSL. SSLeay, ancestor of OpenSSL, soon broke the NSA's restrictive policies on the international use of strong-crypto SSL for browsers and web-based transactions. Many versions of alleged RC4 (ARC4 or ArcFour) were soon in widespread use, even in IETF standards. Anyone can code or use ARC4, but EMC/RSA still defends its monopoly on the RC4 trademark because undefended trademarks become invalid. _Vin
Please help: very urgent: Query on patented algorithms
Hi, I have openssl dlls (i.e. libeay32.dll, ssleay32.dll). I need to know if these libraries are using any of the patented algorithms like IDEA, RC4, RC5, MDC2 etc. Can you please let me know if there is any way to find this out? Any help would be highly appreciated. Thanks in advance, Bagavathy
Re: Please help: very urgent: Query on patented algorithms
Hi, Use the tool Dependency Walker (http://www.dependencywalker.com/) to look at the exported functions of libeay32.dll. If it exports RC5, you will see exported symbols starting with RC5. For MDC2, you'll find symbols starting with MDC2 and etc... Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On Mon, June 16, 2008 3:55 pm, bagavathy raj wrote: Hi, I have openssl dlls (i.e. libeay32.dll, ssleay32.dll). I need to know if these libraries are using any of the patented algorithms like IDEA, RC4, RC5, MDC2 etc. Can you please let me know if there is any way to find this out? Any help would be highly appreciated. Thanks in advance, Bagavathy
Re: Please help: very urgent: Query on patented algorithms
Hi, Is there any binary distribution where I can find SSL dlls without patented algorithms like IDEA, MDC2, RC4, RC5 etc.? I tried compiling without them. I could exclude other algos but not RC4. Some linking issues. So I need to know if there is any SSL release without the patented algorithms. On 6/16/08, Mounir IDRASSI [EMAIL PROTECTED] wrote: Hi, Use the tool Dependency Walker (http://www.dependencywalker.com/) to look at the exported functions of libeay32.dll. If it exports RC5, you will see exported symbols starting with RC5. For MDC2, you'll find symbols starting with MDC2 and etc... Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On Mon, June 16, 2008 3:55 pm, bagavathy raj wrote: Hi, I have openssl dlls (i.e. libeay32.dll, ssleay32.dll). I need to know if these libraries are using any of the patented algorithms like IDEA, RC4, RC5, MDC2 etc. Can you please let me know if there is any way to find this out? Any help would be highly appreciated. Thanks in advance, Bagavathy
Re: Please help: very urgent: Query on patented algorithms
On 6/16/08, bagavathy raj [EMAIL PROTECTED] wrote: Hi, Is there any binary distribution where I can find SSL dlls without patented algorithms like IDEA, MDC2, RC4, RC5 etc.? I tried compiling without them. I could exclude other algos but not RC4. Some linking issues. So I need to know if there is any SSL release without the patented algorithms. RC4 is owned (and trademarked) by RSA Security Inc, but they are no longer enforcing the patent, and will allow free usage of the OpenSSL implementation of this cipher to those that ask. However they do require that OpenSSL toolkit users either do not call it RC4, or call it Alleged RC4 cipher to avoid trademark infringement. If you even mention the words RC4 in your documentation you may need to mention that it is Alleged and that RC4 is a trademark of RSA Security. RC2 is also a trademark of RSA Security, but this one can be used without the Alleged prefix, providing you list them as the trademark owner. Disclaimer: I am not a lawyer, and I suggest you contact RSA directly to confirm this information on your own. -Chris
Re: Please help: very urgent: Query on patented algorithms
RC4 is owned (and trademarked) by RSA Security Inc, but they are no longer enforcing the patent, RC4 was never protected by patent, but by trade secret. When the details of the algorithm were published, Ron Rivest himself suggested calling the alleged RC4 ARCFOUR. It is indeed a trademark of RSA Security.
please help about using openssl
Hi, I downloaded openssl-0.9.8g from the openssl.org website. I want to build it using cygwin, so I ran the config command and the make command in cygwin. libssl.a and libcrypt.a were both created. But these two libs cannot work, because I need armcc as the compiler, not gcc. What can I do? I think that it is very difficult for me to modify the makefile. Could you give me some advice? Thank you michelle
Re: please help me.....
Hi, Tried the given function, it compiles but throws the error "Run-Time Check Failure #3 - The variable 'rsa' is being used without being defined." Any clue?? And the char * buf contains the key right?? Thanks Regards Shalmi
Marek Marcola wrote: Hello, ok I'll try that. let me know u .. You may try something like that (not tested):

    /* Read a PEM-encoded RSA private key from an in-memory buffer. */
    int rsa_read_pem(RSA **rsa, char *buf, int len)
    {
        BIO *mem;

        if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
            goto err;
        }
        *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
        BIO_free(mem);
        if (*rsa == NULL) {
            goto err;
        }
        return (0);
    err:
        return (-1);
    }

Best regards, -- Marek Marcola [EMAIL PROTECTED]
eapol_test failed, please help
Attribute 80 (Message-Authenticator) length=18 Value: 6a b5 d5 15 78 ec 0d a6 92 50 8e 45 38 63 ba 52
Attribute 24 (State) length=18 Value: 5f 54 ce c4 d3 14 cd b3 23 76 96 b7 c4 27 2a 3e
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=3 len=213) from RADIUS server: EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=3 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=213) - Flags 0x80
SSL: TLS Message Length: 1227
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 18 (self signed certificate) depth 0 for '/C=US/ST=California/L=Oak Park/O=Jins Company/OU=Engineering/CN=jinlu/[EMAIL PROTECTED]'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0x)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-TLS: TLS processing failed
EAP: method process - ignore=FALSE methodState=DONE decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=13)
TX EAP - RADIUS - hexdump(len=13): 02 03 00 0d 0d 00 15 03 01 00 02 02 30
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=3 length=139
Attribute 1 (User-Name) length=7 Value: 'jinlu'
Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6 Value: 1400
Attribute 61 (NAS-Port-Type) length=6 Value: 19
Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=15 Value: 02 03 00 0d 0d 00 15 03 01 00 02 02 30
Attribute 24 (State) length=18 Value: 5f 54 ce c4 d3 14 cd b3 23 76 96 b7 c4 27 2a 3e
Attribute 80 (Message-Authenticator) length=18 Value: c1 6a 58 d8 74 f7 5f dc 07 9d 85 6f 8d b6 14 5d
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen -- 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=3)
Next RADIUS client retransmit in 6 seconds
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=3 length=44
Attribute 79 (EAP-Message) length=6 Value: 04 03 00 04
Attribute 80 (Message-Authenticator) length=18 Value: a2 c8 1a 01 9b 4b 9b 3f 98 29 ee c0 74 7b 37 6a
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=3 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 2
FAILURE
please help me.....
hi, I am sridhar.D. I have RSA key information in a buffer. I want to merge the buffer content into an SSL context object. I am using this SSL API: SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)). That API is failing. It gives the following error message:
9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
How to resolve the issue? please help me.
Re: please help me.....
Hello, I have RSA key information in a buffer. I want to merge the buffer content into an SSL context object. I am using this SSL API: SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)). That API is failing. It gives the following error message:
9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
How to resolve the issue? please help me.
Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format. Best regards, -- Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
I tried that way, now it's generating coredump files. Is there any other way to solve that issue... Marek Marcola [EMAIL PROTECTED] wrote: Hello, I have RSA key information in a buffer. I want to merge the buffer content into an SSL context object. I am using this SSL API: SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)). That API is failing. It gives the following error message:
9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
How to resolve the issue? please help me.
Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format. Best regards, -- Marek Marcola
Re: please help me.....
OK, I'll try that and let you know.

Marek Marcola [EMAIL PROTECTED] wrote:
> You should use something like that (buf and len hold your key):
> [d2i_RSAPrivateKey() / SSL_CTX_use_RSAPrivateKey() snippet as posted]
> But you should be sure that buf has a DER (ASN.1) PKCS#1 private key. If you get an error then you probably have PEM format; you may try to convert with:
>     $ openssl rsa -in key.pem -outform der -out key.der
> and try again.
Re: please help me.....
Hello,

> I tried that way; now it is generating core dump files. Is there any other way to solve that issue?

You should use something like that (buf and len hold your key):

    const unsigned char *p;
    RSA *rsa = NULL;

    p = buf;
    /* d2i_RSAPrivateKey() takes the address of the pointer and advances it
     * past the parsed key; passing p itself (instead of &p) is a type
     * mismatch and crashes at run time. */
    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
        goto err;
    }
    /* SSL_CTX_use_RSAPrivateKey() takes its own reference to rsa, so the
     * local reference can be released right away. */
    if (SSL_CTX_use_RSAPrivateKey(ctx, rsa) != 1) {
        goto err;
    }
    RSA_free(rsa);

But you should be sure that buf has a DER (ASN.1) PKCS#1 private key. If you dump this buffer to a file, you should be able to do something like that:

    $ openssl rsa -in key.der -inform der -text -noout
    $ openssl asn1parse -in key.der -inform der

If you get an error then you probably have PEM format; you may try to convert with:

    $ openssl rsa -in key.pem -outform der -out key.der

and try again.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
I tried that way; the buffer information is not in DER format. The buffer header is like this:

    -----BEGIN RSA PRIVATE KEY-----
    ..
    -----END RSA PRIVATE KEY-----

Is there any other way to resolve that problem?

Marek Marcola [EMAIL PROTECTED] wrote:
> Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format.
Re: please help me.....
Hello,

> OK, I'll try that and let you know.

You may try something like that (not tested):

    int rsa_read_pem(RSA **rsa, char *buf, int len)
    {
        BIO *mem;

        /* wrap the in-memory buffer in a read-only BIO; no copy is made */
        if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
            goto err;
        }
        /* PEM_read_bio_RSAPrivateKey() understands the
         * "-----BEGIN RSA PRIVATE KEY-----" armour and base64 body */
        *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
        BIO_free(mem);
        if (*rsa == NULL) {
            goto err;
        }
        return (0);
    err:
        return (-1);
    }

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
Thank you, it's working fine.

Marek Marcola [EMAIL PROTECTED] wrote:
> You may try something like that (not tested):
> [rsa_read_pem() using BIO_new_mem_buf() and PEM_read_bio_RSAPrivateKey(), as posted]
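The root cause of the thread, as an added example that is not from the mailing list and not OpenSSL code: the buffer held a PEM-armoured key while SSL_CTX_use_RSAPrivateKey_ASN1() expects DER, and strlen() cannot measure a DER buffer because DER contains NUL bytes (the leading version INTEGER encodes as 02 01 00). The C below has no OpenSSL dependency: it sniffs the buffer format, strips the armour and base64-decodes the body, checks the outer SEQUENCE tag and length the way OpenSSL's ASN1_CHECK_TLEN does first, and shows what strlen() would report for the DER. The sample key is a constructed textbook-sized PKCS#1 RSAPrivateKey (p=61, q=53) for illustration only; all function names are the example's own.

```c
/* Added example (not from the thread): decide whether an in-memory RSA key
 * buffer is PEM or DER before handing it to OpenSSL, and show why strlen()
 * is the wrong length for a DER buffer.  Plain C, no OpenSSL.  The sample
 * key is a constructed toy PKCS#1 RSAPrivateKey (p=61, q=53, e=17) and is
 * not usable for real cryptography. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum key_format { KEY_UNKNOWN = 0, KEY_PEM, KEY_DER };

/* Constructed PEM encoding of the toy key, shaped like the poster's buffer. */
static const char sample_pem[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MB0CAQACAgyhAgERAgIKwQIBPQIBNQIBNQIBMQIBJg==\n"
    "-----END RSA PRIVATE KEY-----\n";

/* PEM starts with the textual armour; DER starts with the SEQUENCE tag 0x30
 * (an RSAPrivateKey is a SEQUENCE). */
enum key_format key_format_of(const unsigned char *buf, size_t len)
{
    if (len >= 10 && memcmp(buf, "-----BEGIN", 10) == 0)
        return KEY_PEM;
    if (len >= 2 && buf[0] == 0x30)
        return KEY_DER;
    return KEY_UNKNOWN;
}

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                          /* '=' padding, newlines, garbage */
}

/* Strip the PEM armour and base64-decode the body into out.
 * Returns the DER length, or -1 if the armour is missing or out is too small. */
long pem_to_der(const char *pem, unsigned char *out, size_t outcap)
{
    const char *start, *end;
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    if (!pem) return -1;
    start = strstr(pem, "-----BEGIN");
    end   = strstr(pem, "-----END");
    if (!start || !end || end <= start) return -1;
    start = strchr(start, '\n');        /* skip the rest of the BEGIN line */
    if (!start) return -1;
    for (const char *p = start + 1; p < end; p++) {
        int v = b64_val((unsigned char)*p);
        if (v < 0) continue;            /* ignore newlines and '=' */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (long)n;
}

/* The outer TLV is what the "wrong tag" error is about: the tag must be
 * SEQUENCE (0x30) and the length must fit in the buffer.  Short-form and
 * long-form (up to 4 length bytes) DER lengths are handled.
 * Returns the SEQUENCE content length, or -1 on wrong tag / bad length. */
long der_sequence_len(const unsigned char *der, size_t len)
{
    size_t hdr = 2;
    unsigned long clen;
    if (len < 2 || der[0] != 0x30) return -1;
    if (der[1] < 0x80) {
        clen = der[1];
    } else {
        unsigned nb = der[1] & 0x7f;
        if (nb == 0 || nb > 4 || len < 2 + nb) return -1;
        clen = 0;
        for (unsigned k = 0; k < nb; k++) clen = (clen << 8) | der[2 + k];
        hdr += nb;
    }
    if (clen > len - hdr) return -1;    /* truncated buffer */
    return (long)clen;
}

/* DER is binary: the first INTEGER (version 0) encodes as 02 01 00, so a
 * strlen() on the buffer stops after four bytes.  Returns that count. */
size_t strlen_of_der(const unsigned char *der, size_t len)
{
    size_t n = 0;
    while (n < len && der[n] != 0) n++;
    return n;
}

int main(void)
{
    unsigned char der[64];
    long dlen = pem_to_der(sample_pem, der, sizeof der);
    printf("format=%d der_len=%ld seq_content=%ld strlen_would_say=%zu\n",
           (int)key_format_of((const unsigned char *)sample_pem, sizeof sample_pem - 1),
           dlen, dlen > 0 ? der_sequence_len(der, (size_t)dlen) : -1L,
           dlen > 0 ? strlen_of_der(der, (size_t)dlen) : (size_t)0);
    return 0;
}
```

Once the format is known, a PEM buffer goes down the BIO_new_mem_buf() / PEM_read_bio_RSAPrivateKey() path from the thread, and a DER buffer goes to d2i_RSAPrivateKey() with the real length, never strlen().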
Re: SSL concept..Please help...
On Sat, Oct 21, 2006 at 08:04:01PM -0700, Ferianto siregar wrote:
> Dear all,
> Thank you very much for this chance. Thanks all, now I am finishing my paper. The title is TLS. As I know, TLS uses SSL to make the communication secure. Can anybody tell me how SSL makes communication secure? I mean, how is SSL used in TLS to secure VoIP communication? I do hope anybody can help me, so I can be responsible for my paper to my lecturer. Thanks

Sure. TLS is nothing but a new incarnation of SSL v3. Have you heard of old wine in a new bottle? :-) It is exactly that.

As to VoIP, I am afraid I don't know, since Skype uses its own encryption mechanism that is proprietary. Since VoIP mostly uses an underlying NAT traversal and instant messaging kind of library underneath, you should take a look at protocols like SILC (Secure Internet Live Conferencing).

The only difference between data encryption and voice encryption is that voice is very, very delay sensitive and data is very, very loss sensitive. So UDP is used for voice and TCP for data.

I am not quite clear if SSL is used for VoIP. I doubt it. One possibility is DTLS...

Best of luck!

regards,
Girish
Re: SSL: connect failed..Please help..
On 05/10/2006, at 4:49 AM, Marek Marcola wrote:
> Hello,
> > Dear all,
> > [...]
> > 7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> > [...]
> > What's wrong? How to solve the error SSL3_GET_RECORD:wrong version number and SSL: connect failed?
>
> From the server side, you may get this error when:
> - the server is set up for SSL/TLS and the client is connecting in plain mode [...]
> - the server is set up for SSL3/TLS1 (not SSL2) and the client sends an SSL2 client_hello [...]
> To correct this, on the client side disable the SSL2 compatibility handshake with SSL_OP_NO_SSLv2 if the SSL_CTX is created with SSLv23_client_method(), or on the server side create the SSL_CTX with SSLv23_server_method() instead of SSLv3_server_method() or TLSv1_server_method(). In other words, both sides should have the same protocols enabled.

Marek,

I'm also getting the same error:

    LOG7[29231:25188864]: SSL alert (write): fatal: handshake failure
    LOG3[29231:25188864]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    LOG5[29231:25188864]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

Are you saying that this error is caused by the client sending using a different version of SSL to that which the server is using? From the error message above, the server is using version 3 of SSL, correct? (I'm using the latest version of stunnel and OpenSSL 0.9.7i). If so, Apple's Mail app must be using an older SSL version? Does anyone know which version it uses? Or can something else be causing this error?

Thanks,
James.
Re: SSL: connect failed..Please help..
Hello,

> Dear all,
> [...] I got an error message in the minisip command prompt when I tried using TLS (Transport Method = TLS and Network Port = 5061). But without TLS, I can make a call with minisip. The error message says:
>
> A. in client command prompt
>     [...]
>     Creating new SSL_CTX
>     SSL: connect failed
>     SipMessageTransport: sendMessage: exception thrown!
>     [...]
>
> B. in server terminal
>     tls_tcpconn_init: Setting in ACCEPT mode (server)
>     [...]
>     7(5919) tls_accept: Error in SSL:
>     7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>     [...]
>     11(5927) tls_close: Closing SSL connection
>     11(5927) tls_shutdown: Shutdown successful
>     11(5927) tls_tcpconn_clean: Entered
>
> What's wrong? How to solve the error SSL3_GET_RECORD:wrong version number and SSL: connect failed?

From the server side, you may get this error when:

- the server is set up for SSL/TLS and the client is connecting in plain mode, for example:

      $ telnet some_server 443
      Escape character is '^]'.
      lkasdkfgjlasdkfgjsdlkfjgsdfkgjsldkfgjhsdfkgsfgk

  Bytes 2 and 3 must be a proper SSL3/TLS1 version specification:

      0x0300 - SSL3
      0x0301 - TLS1

  or, for SSL2 (in handshake negotiation), bytes 4 and 5 carry the version information:

      0x0200 - SSL2
      0x0300 - SSL3
      0x0301 - TLS1

  and of course, using an SSL2 client_hello, TLS1 may be set up (if supported by client and server).

- the server is set up for SSL3/TLS1 (not SSL2) and the client sends an SSL2 client_hello. For example, an OpenSSL SSL_CTX created with the SSLv23_client_method() method sends an SSL2 client_hello with the version information set to TLS1. But when the server is set to understand SSL3/TLS1 only, the SSL2 proposition is not recognized correctly (the version information is at bytes 4 and 5, not 2 and 3) and we get "wrong version number".

To correct this, on the client side disable the SSL2 compatibility handshake with SSL_OP_NO_SSLv2 if the SSL_CTX is created with SSLv23_client_method(), or on the server side create the SSL_CTX with SSLv23_server_method() instead of SSLv3_server_method() or TLSv1_server_method(). In other words, both sides should have the same protocols enabled.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
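To make the byte positions in Marek's explanation concrete, here is an added example that is not from the thread and is not OpenSSL code. It classifies the first bytes a server receives as plain text, an SSL3/TLS record carrying its version in bytes 2-3, or an SSL2-format client_hello carrying its version in bytes 4-5, and then applies a deliberately simplified model of the server configuration (whether the SSL2-format hello is understood at all, and which protocol versions are enabled) to predict whether the handshake proceeds or fails the way the log shows. The three sample messages are constructed; the struct and function names are the example's own.

```c
/* Added example (not from the thread): classify the first bytes a TLS
 * server receives, following the byte positions described in the reply,
 * and predict whether a given server setup would accept them.  Plain C,
 * no OpenSSL.  Byte positions in comments are 1-based as in the thread. */
#include <stdio.h>
#include <string.h>

enum hello_kind {
    HELLO_PLAINTEXT = 0,        /* no recognisable SSL/TLS framing */
    HELLO_SSL3_TLS_RECORD,      /* 0x16 handshake record, version in bytes 2-3 */
    HELLO_SSL2_CLIENT_HELLO,    /* SSL2 2-byte header, CLIENT-HELLO, version in bytes 4-5 */
    HELLO_TOO_SHORT
};

struct hello_info {
    enum hello_kind kind;
    unsigned version;           /* 0x0200 SSL2, 0x0300 SSL3, 0x0301 TLS1; 0 if none */
};

/* Simplified server model: compat_hello mirrors SSLv23_server_method()
 * (understands the SSL2-format hello), the other flags say which protocol
 * versions are enabled.  A fixed SSLv3_server_method()/TLSv1_server_method()
 * context is compat_hello = 0 with just that version on. */
struct server_cfg { int compat_hello; int ssl2, ssl3, tls1; };

struct hello_info classify_hello(const unsigned char *b, size_t len)
{
    struct hello_info r = { HELLO_PLAINTEXT, 0 };
    if (len < 5) { r.kind = HELLO_TOO_SHORT; return r; }
    if (b[0] == 0x16 && b[1] == 0x03) {             /* handshake record, major version 3 */
        r.kind = HELLO_SSL3_TLS_RECORD;
        r.version = ((unsigned)b[1] << 8) | b[2];   /* bytes 2 and 3 */
        return r;
    }
    if ((b[0] & 0x80) && b[2] == 0x01) {            /* SSL2 header bit set, CLIENT-HELLO */
        r.kind = HELLO_SSL2_CLIENT_HELLO;
        r.version = ((unsigned)b[3] << 8) | b[4];   /* bytes 4 and 5 */
        return r;
    }
    return r;                                        /* anything else: plain text */
}

/* 1 if the server would continue the handshake, 0 if it would fail
 * (for an SSL2-format hello on a server without the compat handshake the
 * server reads bytes 2-3 as a version and reports "wrong version number"). */
int server_accepts(struct hello_info h, struct server_cfg s)
{
    switch (h.kind) {
    case HELLO_SSL3_TLS_RECORD:
        return (h.version == 0x0300 && s.ssl3) || (h.version == 0x0301 && s.tls1);
    case HELLO_SSL2_CLIENT_HELLO:
        if (!s.compat_hello) return 0;
        return (h.version == 0x0200 && s.ssl2) ||
               (h.version == 0x0300 && s.ssl3) ||
               (h.version == 0x0301 && s.tls1);
    default:
        return 0;
    }
}

/* Constructed samples: only the leading bytes matter for the check. */
static const unsigned char tls1_hello[] =
    { 0x16, 0x03, 0x01, 0x00, 0x41, 0x01, 0x00, 0x00, 0x3d, 0x03, 0x01 };
static const unsigned char ssl2_hello[] =               /* SSL2 framing, asks for TLS1 */
    { 0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00 };
static const unsigned char plain_text[] = "lkasdkfgjlasdkfgjsdlkfjgsdfkgjsldkfgjhsdfkgsfgk";

static const char *kind_name(enum hello_kind k)
{
    static const char *names[] = { "plaintext", "ssl3/tls record", "ssl2 client_hello", "too short" };
    return names[k];
}

int main(void)
{
    struct server_cfg tls_only = { 0, 0, 0, 1 };     /* TLSv1_server_method() */
    struct server_cfg compat   = { 1, 0, 1, 1 };     /* SSLv23_server_method() + SSL_OP_NO_SSLv2 */
    const unsigned char *msgs[] = { tls1_hello, ssl2_hello, plain_text };
    size_t lens[] = { sizeof tls1_hello, sizeof ssl2_hello, sizeof plain_text - 1 };
    for (int i = 0; i < 3; i++) {
        struct hello_info h = classify_hello(msgs[i], lens[i]);
        printf("%-18s version=0x%04x tls_only=%d compat=%d\n", kind_name(h.kind),
               h.version, server_accepts(h, tls_only), server_accepts(h, compat));
    }
    return 0;
}
```

The same check is a quick triage tool on the server side: a packet capture of the first bytes of a failing connection tells you which of the two causes in the reply you are looking at before touching any configuration.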
SSL: connect failed..Please help..
Dear all,

Thank you very much for your time. This is my first message in this forum.

All, I got an error message in the minisip command prompt when I tried using TLS (Transport Method = TLS and Network Port = 5061). But without TLS, I can make a call with minisip. The error message says:

A. in client command prompt

    init 6/9: Creating MSip SIP stack
    init 7/9: Connecting GUI to SIP logic
    init 8.2/9: Starting TCP transport worker thread
    init 8.3/9: Starting TLS transport worker thread
    init 9/9: Registering Identities to registrar server
    Registering user [EMAIL PROTECTED] to proxy 202.95.149.251, requesting domain 202.95.149.251
    SipMessageTransport: sendMessage: creating new socket
    Creating new SSL_CTX
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!
    SipMessageTransport: sendMessage: creating new socket
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!
    SipMessageTransport: sendMessage: creating new socket
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!
    SipMessageTransport: sendMessage: creating new socket
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!

B. in server terminal

    tls_tcpconn_init: Setting in ACCEPT mode (server)
    11(5927) tcpconn_add: hashes: 835, 11
    11(5927) handle_new_connect: new connection: 0x422d88f0 24 flags: 0002
    11(5927) send2child: to tcp child 0 7(5919), 0x422d88f0
    7(5919) received n=4 con=0x422d88f0, fd=20
    7(5919) DBG: io_watch_add(0x80ed320, 20, 2, 0x422d88f0), fd_no=1
    7(5919) tls_update_fd: New fd is 20
    7(5919) tls_accept: Error in SSL:
    7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    7(5919) DBG: io_watch_del (0x80ed320, 20, 1, 0x10) fd_no=2 called
    7(5919) releasing con 0x422d88f0, state -2, fd=20, id=11
    7(5919) extra_data 0x422e8a08
    11(5927) handle_tcp_child: reader response= 422d88f0, -2 from 0
    11(5927) tcpconn_destroy: destroying connection 0x422d88f0, flags 0002
    11(5927) tls_close: Closing SSL connection
    11(5927) tls_update_fd: New fd is 24
    11(5927) tls_shutdown: Shutdown successful
    11(5927) tls_tcpconn_clean: Entered

What's wrong? How to solve the error "SSL3_GET_RECORD:wrong version number" and "SSL: connect failed"? I do hope anybody can help me, again :) Please tell me if I should show my openser.cfg file.

Thank you for your attention and have a nice day :)

Regards,
Ferianto

Note:
1. I use Redhat 9

    [EMAIL PROTECTED] root]# rpm -qa|grep -i ssl
    perl-Crypt-SSLeay-0.45-7
    openssl-devel-0.9.7a-2
    openssl-perl-0.9.7a-2
    openssl-0.9.7a-2
    pyOpenSSL-0.5.1-8
    mod_ssl-2.0.40-21
    openssl096b-0.9.6b-3
    docbook-style-dsssl-1.76-8
    openssl096-0.9.6-15
    [EMAIL PROTECTED] root]#
Can't Upgrade! Can't Add Threading! Please Help!
Hi;

I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:

    ./config --prefix=/usr/local --openssldir=/usr/local/openssl enable-threads enable-shared
    make
    make test
    make install

and everything checked out just fine. However...

    server167# openssl version
    OpenSSL 0.9.7d 17 Mar 2004
    server167# pwd
    /usr/ports/www/openssl-0.9.8b

So... How do I turn off the old version and turn on the new, which should support threading so I can use Pound??

TIA,
beno
Re: Can't Upgrade! Can't Add Threading! Please Help!
Hello,

> I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:
>     ./config --prefix=/usr/local --openssldir=/usr/local/openssl enable-threads enable-shared
>     make
>     make test
>     make install
> and everything checked out just fine. However...
>     server167# openssl version
>     OpenSSL 0.9.7d 17 Mar 2004
>     server167# pwd
>     /usr/ports/www/openssl-0.9.8b
> So... How do I turn off the old version and turn on the new, which should support threading so I can use Pound??

But I think:

    $ /usr/local/bin/openssl version

will give good results. When configuring Pound, add the option:

    $ ./configure --with-ssl=/usr/local ...

Hope this helps.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
client read problem please help!!!!!
Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed, but when I do this I cannot write to the server again for some reason. How can I rectify this? Thanks in advance.

    int do_client_loop(SSL *ssl)
    {
        int  err, nwritten;
        char buf[80];

        for (;;)
        {
            if (!fgets(buf, sizeof(buf), stdin))
                break;
            for (nwritten = 0; nwritten < sizeof(buf); nwritten += err)
            {
                err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten);
                if (err <= 0)
                    return 0;
            }
            err = SSL_read(ssl, buf + nwritten, sizeof(buf) - nwritten);
            if (err <= 0)
                return 0;
        }
        return 1;
    }

    int main(int argc, char *argv[])
    {
        BIO     *conn;
        SSL     *ssl;
        SSL_CTX *ctx;
        long     err;

        init_OpenSSL();
        seed_prng();

        clientfile = argv[1];
        ctx = setup_client_ctx();

        conn = BIO_new_connect(SERVER ":" PORT);
        if (!conn)
            int_error("Error creating connection BIO");

        if (BIO_do_connect(conn) <= 0)
            int_error("Error connecting to remote machine");

        ssl = SSL_new(ctx);
        SSL_set_bio(ssl, conn, conn);
        if (SSL_connect(ssl) <= 0)
            int_error("Error connecting SSL object");
        if ((err = post_connection_check(ssl, SERVER)) != X509_V_OK)
        {
            fprintf(stderr, "-Error: peer certificate: %s\n",
                    X509_verify_cert_error_string(err));
            int_error("Error checking SSL object after connection");
        }
        fprintf(stderr, "SSL Connection opened\n");
        if (do_client_loop(ssl))
            SSL_shutdown(ssl);
        else
            SSL_clear(ssl);
        fprintf(stderr, "SSL Connection closed\n");

        SSL_free(ssl);
        SSL_CTX_free(ctx);
        return 0;
    }
Re: client read problem please help!!!!!
Looks like I have not understood your problem. Why do you have to do an SSL_read() to figure out if it has closed? SSL_write() will fail if the other side closes...

--- michael Dorrian [EMAIL PROTECTED] wrote:
> Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed, but when I do this I cannot write to the server again for some reason. How can I rectify this? Thanks in advance.
> [do_client_loop() and main() as posted]
Re: client read problem please help!!!!!
Yeah, you would think that, but it doesn't, for some strange reason.

Girish Venkatachalam [EMAIL PROTECTED] wrote:
> Looks like I have not understood your problem. Why do you have to do an SSL_read() to figure out if it has closed? SSL_write() will fail if the other side closes...
>
> --- michael Dorrian <[EMAIL PROTECTED]> wrote:
> > Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed, but when I do this I cannot write to the server again for some reason. How can I rectify this? Thanks in advance.
> > [do_client_loop() and main() as posted]
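Two things stand out in the loop as posted: the write loop runs until nwritten reaches sizeof(buf), so it sends all 80 bytes of buf regardless of how long the line was (the bytes past the line are uninitialized stack contents), and the SSL_read() that follows uses buf + nwritten with a length of sizeof(buf) - nwritten, which is a zero-length read into a full buffer once that loop has finished. As an added example that is not from the thread and does not use OpenSSL, the C below keeps the same loop shape but puts the transport behind two callbacks that stand in for SSL_write()/SSL_read() (returning bytes moved, 0 on peer close, -1 on error), sends only the bytes actually read, handles partial writes, reads the reply into its own buffer, and stops cleanly when the peer closes. The in-memory echo peer is constructed so the loop can be exercised without a live server; all names are the example's own.

```c
/* Added example (not from the thread): the client loop with the transport
 * abstracted, so the control flow can be tested against an in-memory peer.
 * send_fn/recv_fn mirror the SSL_write()/SSL_read() return convention:
 * >0 bytes moved, 0 peer closed, <0 error.  Plain C, no OpenSSL. */
#include <stdio.h>
#include <string.h>

typedef int (*send_fn)(void *ctx, const char *buf, int len);
typedef int (*recv_fn)(void *ctx, char *buf, int len);

/* Send exactly len bytes, looping on partial writes.  0 = ok, -1 = closed/error. */
int send_all(void *ctx, send_fn tx, const char *buf, int len)
{
    int done = 0;
    while (done < len) {
        int n = tx(ctx, buf + done, len - done);
        if (n <= 0) return -1;
        done += n;
    }
    return 0;
}

/* One exchange: write the line (only its real length), then read one reply
 * chunk into a separate buffer.  Returns the reply length (>0), 0 if the
 * peer closed cleanly, -1 on error. */
int exchange_line(void *ctx, send_fn tx, recv_fn rx,
                  const char *line, char *reply, int cap)
{
    int len = (int)strlen(line);
    if (send_all(ctx, tx, line, len) < 0) return -1;
    int n = rx(ctx, reply, cap - 1);
    if (n < 0) return -1;
    reply[n] = '\0';
    return n;
}

/* Drive the loop over an array of input lines (standing in for fgets()).
 * Returns how many lines were fully exchanged; stops when the peer closes
 * instead of trying to write again. */
int client_loop(void *ctx, send_fn tx, recv_fn rx, const char *const *lines, int nlines)
{
    char reply[80];
    int i;
    for (i = 0; i < nlines; i++) {
        int n = exchange_line(ctx, tx, rx, lines[i], reply, (int)sizeof reply);
        if (n <= 0) break;                 /* closed or failed: leave the loop */
    }
    return i;
}

/* ---- constructed in-memory peer: echoes what it receives, accepts at most
 * `chunk` bytes per write (to simulate partial writes) and hangs up after
 * `max_lines` replies ---- */
struct echo_peer { char pending[256]; int plen; int chunk; int lines_seen; int max_lines; int closed; };

static int echo_send(void *ctx, const char *buf, int len)
{
    struct echo_peer *p = ctx;
    if (p->closed) return 0;               /* like SSL_write() after the peer closed */
    if (len > p->chunk) len = p->chunk;
    if (p->plen + len > (int)sizeof p->pending) return -1;
    memcpy(p->pending + p->plen, buf, len);
    p->plen += len;
    return len;
}

static int echo_recv(void *ctx, char *buf, int len)
{
    struct echo_peer *p = ctx;
    if (p->closed) return 0;
    if (len > p->plen) len = p->plen;
    memcpy(buf, p->pending, len);
    memmove(p->pending, p->pending + len, p->plen - len);
    p->plen -= len;
    if (++p->lines_seen >= p->max_lines) p->closed = 1;
    return len;
}

int main(void)
{
    struct echo_peer peer = { {0}, 0, 5, 0, 2, 0 };
    const char *lines[] = { "hello\n", "world\n", "again\n" };
    printf("lines exchanged before peer closed: %d\n",
           client_loop(&peer, echo_send, echo_recv, lines, 3));
    return 0;
}
```

The callback pair is the seam where real SSL_write()/SSL_read() calls would go; keeping the loop logic independent of them is what makes the close-detection behaviour testable without a network.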
Resending - Please help
I apologise for resending, but I got no response, and am really lost here. Please take a minute to read it. Yesterday I reinstalled SSL and Apache. After that the server responded OK and then went back to the same problem.

Previous post:

Hi all,

I am having a weird problem on my site related to SSL. I can connect from inside the network to the secure pages, so the certificate is fine. From outside, the connections are refused. I have a monitoring company checking the site and from them I got the following error message:

    TCP error (site is not responding): connect: Connection refused at /usr/local/mybin/IPD/IPSSL.pm line 60

The firewalls are checked and the server is listening on the https port. I searched everywhere on the computer for this directory and files with no success. I am starting to think I've been hacked because of the mybin directory in the path, and because I cannot find these files. I googled for the files without finding any. Does anybody know if they really exist in SSL programs? How can I find these hidden files on my machine? Any help or clue will be very much appreciated.

Thanks
Jair
Re: Resending - Please help
Jairds wrote:
> I am having a weird problem on my site related to SSL. I can connect from inside the network to the secure pages, so the certificate is fine. From outside, the connections are refused. I have a monitoring company checking the site and from them I got the following error message:
>     TCP error (site is not responding): connect: Connection refused at /usr/local/mybin/IPD/IPSSL.pm line 60
> The firewalls are checked and the server is listening on the https port. I searched everywhere on the computer for this directory and files with no success. I am starting to think I've been hacked because of the mybin directory in the path, and because I cannot find these files. I googled for the files without finding any. Does anybody know if they really exist in SSL programs? How can I find these hidden files on my machine? Any help or clue will be very much appreciated.

This is not an SSL issue. Does your ISP block port 443?

The error from the monitoring company refers to their own script, not any files on your machine. It simply can't make a connection to your server.
RE: Resending - Please help
> This is not an SSL issue. Does your ISP block port 443?
>
> The error from the monitoring company refers to their own script, not any files on your machine. It simply can't make a connection to your server.

I am glad to hear that, because I spent all day yesterday trying to find the directory /usr/local/mybin on my machine.

The problem is: I already talked to my provider and they claim not to block any port. I checked my router and the port is open. If I netstat I get:

    tcp        0      0 *:https                 *:*                     LISTEN

And, worst of all, sometimes it works. I have no clue at this point.

Jair
Re: Resending - Please help
Jairds wrote:
> The problem is: I already talked to my provider and they claim not to block any port. I checked my router and the port is open. If I netstat I get:
>     tcp        0      0 *:https                 *:*                     LISTEN
> And, worst of all, sometimes it works. I have no clue at this point.

Perhaps your DNS is misconfigured or the monitor script is using the wrong URL. If you don't mind, post the URL or domain, so some of us can try it.
Re: Resending - Please help
Hello,

> The problem is: I already talked to my provider and they claim not to block any port. I checked my router and the port is open. If I netstat I get:
>     tcp        0      0 *:https                 *:*                     LISTEN
> And, worst of all, sometimes it works. I have no clue at this point.

You may have a duplicated IP address in your network.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
RE: Resending - Please help
Thanks guys, here it is: www.cliconnect.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorey Bump
Sent: Wednesday, November 23, 2005 9:33 AM
To: openssl-users@openssl.org
Subject: Re: Resending - Please help

Jairds wrote:
> The problem is: I already talked to my provider and they claim not to block any port. I checked my router and the port is open. If I netstat I get:
>     tcp        0      0 *:https                 *:*                     LISTEN
> And, worst of all, sometimes it works. I have no clue at this point.

Perhaps your DNS is misconfigured or the monitor script is using the wrong URL. If you don't mind, post the URL or domain, so some of us can try it.
Re: Resending - Please help
On Wed, Nov 23, 2005 at 10:13:05AM -0800, Jairds wrote:
> www.cliconnect.com

Perhaps shawcable rate limits connections to your system...

    $ openssl s_client -connect 24.71.57.40:443
    CONNECTED(0003)
    depth=1 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=CA/2.5.4.17=V1V 1R9/ST=British Columbia/L=Kelowna/2.5.4.9=1876 pORTHILL dR/O=Cliconnect Internet Telephony/OU=Support/OU=InstantSSL/CN=www.cliconnect.com
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
     1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFDTCCA/WgAwIBAgIRAOqrcH6CwO1lmnnyOBnjJaAwDQYJKoZIhvcNAQEFBQAw
    bzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1B
    ZGRUcnVzdCBFeHRlcm5hbCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3Qg
    RXh0ZXJuYWwgQ0EgUm9vdDAeFw0wNTEwMTUwMDAwMDBaFw0wNzEwMTUyMzU5NTla
    MIHTMQswCQYDVQQGEwJDQTEQMA4GA1UEERMHVjFWIDFSOTEZMBcGA1UECBMQQnJp
    dGlzaCBDb2x1bWJpYTEQMA4GA1UEBxMHS2Vsb3duYTEZMBcGA1UECRMQMTg3NiBw
    T1JUSElMTCBkUjEmMCQGA1UEChMdQ2xpY29ubmVjdCBJbnRlcm5ldCBUZWxlcGhv
    bnkxEDAOBgNVBAsTB1N1cHBvcnQxEzARBgNVBAsTCkluc3RhbnRTU0wxGzAZBgNV
    BAMTEnd3dy5jbGljb25uZWN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
    gYEAsAZvP5zEp2qeePa0ncl7MGrexR7JUpQvxxocfKKKRreV0x5gWHwa+LTqQheb
    ybHcSqqyAuJ/24FxtDtK6GojDXwxy841ixSbmaaZvIdpFYHFRzgYzO3nq9ITBQtw
    WLn3dOSqD+GqSTa/aPbulW23N6g9n+AFKbA1Pb/xLV5+6IECAwEAAaOCAcEwggG9
    MB0GA1UdDgQWBBQV/72KE3LZ6GAMsqqGh20UL96hYDAOBgNVHQ8BAf8EBAMCBaAw
    DAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYJ
    YIZIAYb4QgEBBAQDAgbAMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI
    KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMHsGA1UdHwR0
    MHIwOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0FkZFRydXN0RXh0ZXJu
    YWxDQVJvb3QuY3JsMDagNKAyhjBodHRwOi8vY3JsLmNvbW9kby5uZXQvQWRkVHJ1
    c3RFeHRlcm5hbENBUm9vdC5jcmwwgYYGCCsGAQUFBwEBBHoweDA7BggrBgEFBQcw
    AoYvaHR0cDovL2NydC5jb21vZG9jYS5jb20vQWRkVHJ1c3RVVE5TZXJ2ZXJDQS5j
    cnQwOQYIKwYBBQUHMAKGLWh0dHA6Ly9jcnQuY29tb2RvLm5ldC9BZGRUcnVzdFVU
    TlNlcnZlckNBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAKEMEaJZhp/Rl8h3jskLN
    2fRcCZhT+o9frfMHliVM0vQJs93ooW7sSkHHlx0DxfgeVipdsZ31mIAg15wM0YMr
    a6lisUzjH3SVUsa41GZiBmfEQHM32grK6ubHkprQUq1J3e6LR1NySanu1TuPcnop
    gAAlhYmQ/EGm99cMp2RqrpdyRKaUPss/kpyBcQNYLJl16MIEMwSKGXlp10vwFZgq
    h/RAw90kfb2Q+rjmdAiCM9nk6oTMsvxJ6IWDIZiS93qVlMyzYtoNRIOl3Ph+nUuB
    5iKbpKNo6sX6fQfTx7181yqWGoAhhtfgRMqbAYuuH3Ubgu9Hv7g1MXXjPGapilva
    kw==
    -----END CERTIFICATE-----
    subject=/C=CA/2.5.4.17=V1V 1R9/ST=British Columbia/L=Kelowna/2.5.4.9=1876 pORTHILL dR/O=Cliconnect Internet Telephony/OU=Support/OU=InstantSSL/CN=www.cliconnect.com
    issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2939 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: ...
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1132770279
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Wed, 23 Nov 2005 18:26:20 GMT
    Server: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7a DAV/2 PHP/5.0.5
    X-Powered-By: PHP/5.0.5
    Connection: close
    Content-Type: text/html

    <html>
    <head>
    <title>Welcome to Cliconnect - Free and Unlimited VoIP Phone Calls</title>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <META NAME="Description" CONTENT="Provides Free and Unlimited VoIP calling services. We are an Internet Telephony company which provides PC to PC communication for free">
    <!-- etc. -->
    </html>

--
	Viktor.
Re: please help me on OCSP
Hi,

The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working:

openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:

Hi,
Today I was very much excited to see this mailing list on openSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl. I have a couple of questions.

1) I used the following command to send an OCSP request and get a response from the OCSP responder:

openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

When I am executing this command, I am getting a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?

2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:

user.pem: WARNING: Status times invalid.
3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
unknown
	This Update: Oct 24 06:00:11 2004 GMT
	Next Update: Oct 25 06:00:11 2004 GMT

For this, do I need to update my OCSPServer.pem file?

Thank you for your time and consideration. I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this. Please help me out.

Thanks,
vv
Re: please help me on OCSP
Hi,

Thanks a lot Prakash for your reply. Actually my application works in this way:

1) I will get the X.509 certificate from any server (let's say) yahoo.com; now from that I will extract the yahoo.com user certificate (may be issued by Verisign or others) and the issuer's root certificate.
2) Now I need to check the OCSP status of these individual certificates.
3) Since Verisign is an OCSP responder, I just want to query ocsp.verisign.com for these individual certificates.

But while I was trying with your command

openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

I am getting an error message like

Error Querying OCSP responder
3256: .. Connect error...

But when I am trying with the same command and the same certificates against ocsp.openvalidation.org I am getting status information. The only problem with openvalidation is that they don't have up-to-date information (for some cases). Are there any public OCSP responders where I can query them instead of ocsp.verisign.com? I would be grateful to you if you would give a reply.

Thanks in advance,
Thanks,
Varma

On 8/24/05, prakash babu [EMAIL PROTECTED] wrote:

Hi,

The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working:

openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:

Hi,
Today I was very much excited to see this mailing list on openSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl. I have a couple of questions.

1) I used the following command to send an OCSP request and get a response from the OCSP responder:

openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

When I am executing this command, I am getting a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?

2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:

user.pem: WARNING: Status times invalid.
3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
unknown
	This Update: Oct 24 06:00:11 2004 GMT
	Next Update: Oct 25 06:00:11 2004 GMT

For this, do I need to update my OCSPServer.pem file?

Thank you for your time and consideration. I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this. Please help me out.

Thanks,
vv
Re: please help me on OCSP
wDAPBgkrBgEFBQcwAQUEAgUAMCcGA1UdEQQgMB6kHDAaMRgwFgYDVQQDEw9PQ1NQ
Mi1UR1YtMS0xNDEwHQYDVR0OBBYEFDDvDY7NWAXpc5YGTmNI+SRZgkHUMB8GA1Ud
IwQYMBaAFA3A2D2/+2WTyDdmJuKKEl+7woD1MA0GCSqGSIb3DQEBBQUAA4GBAGuN
eXqz1R3nDqwY5/C0/LTPA8/y3uCTuWCZq7NSloXcNCDweNgkyLNxJfKQjX/cAH4l
kv3gJvo9maGJhqAJ/gogNApoMc1gnWOh2S82fE10zMqRZculH1865ORzZ5uOUOwz
KDdMBTOohD5jfD3FzZDDcpmZfujpZ0I8G+ZvpW03
-----END CERTIFICATE-----
Response verify OK
eca_usr_cert.pem: good
	This Update: Aug 23 17:10:46 2005 GMT
	Next Update: Aug 30 17:10:46 2005 GMT

---

varma d [EMAIL PROTECTED] wrote:

Hi,

Thanks a lot Prakash for your reply. Actually my application works in this way:

1) I will get the X.509 certificate from any server (let's say) yahoo.com; now from that I will extract the yahoo.com user certificate (may be issued by Verisign or others) and the issuer's root certificate.
2) Now I need to check the OCSP status of these individual certificates.
3) Since Verisign is an OCSP responder, I just want to query ocsp.verisign.com for these individual certificates.

But while I was trying with your command

openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

I am getting an error message like

Error Querying OCSP responder
3256: .. Connect error...

But when I am trying with the same command and the same certificates against ocsp.openvalidation.org I am getting status information. The only problem with openvalidation is that they don't have up-to-date information (for some cases). Are there any public OCSP responders where I can query them instead of ocsp.verisign.com? I would be grateful to you if you would give a reply.

Thanks in advance,
Thanks,
Varma

On 8/24/05, prakash babu [EMAIL PROTECTED] wrote:

Hi,

The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working:

openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:

Hi,
Today I was very much excited to see this mailing list on openSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl. I have a couple of questions.

1) I used the following command to send an OCSP request and get a response from the OCSP responder:

openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

When I am executing this command, I am getting a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?

2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:

user.pem: WARNING: Status times invalid.
3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
unknown
	This Update: Oct 24 06:00:11 2004 GMT
	Next Update: Oct 25 06:00:11 2004 GMT

For this, do I need to update my OCSPServer.pem file?

Thank you for your time and consideration. I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this. Please help me out.

Thanks,
vv
Re: please help me on OCSP
It is the OCSP responder cert. I suppose you already have that, right? Or you can use this one, which will expire on Sep 15, 2005 though.

-----BEGIN CERTIFICATE-----
MIID2jCCA0OgAwIBAgIQaVnCDg78Yj+N1V5h9xQh0jANBgkqhkiG9w0BAQUFADCB
lDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
CxMDRUNBMSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMTkwNwYD
VQQDEzBWZXJpU2lnbiBDbGllbnQgRXh0ZXJuYWwgQ2VydGlmaWNhdGlvbiBBdXRo
b3JpdHkwHhcNMDUwNTI2MDAwMDAwWhcNMDUwNjI1MjM1OTU5WjB7MQswCQYDVQQG
EwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFzAV
BgNVBAsTDlZlcmlTaWduLCBJbmMuMSswKQYDVQQDEyJWZXJpU2lnbiBDbGllbnQg
RUNBIE9DU1AgUmVzcG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO
s7CVM3MfKvWnY2svXQRmE981uWCakqgWU5m9cKWcND/0kQWhFShROBzT1czVgvtD
dH+EbkF3Oaa+RtX775EQa6u5IA3dCr1a+eQr4kNPyTAAicfPgKl2kwMIAxJwpXaG
wR09YBL1L96cnaMrrSJRH7lcev2NpsSzGlBpjNwmkwIDAQABo4IBQzCCAT8wRwYI
KwYBBQUHAQEEOzA5MDcGCCsGAQUFBzAChitodHRwczovL2VjYS52ZXJpc2lnbi5j
b20vQ0EvVmVyaVNpZ25FQ0EuY2VyMFIGA1UdIARLMEkwRwYKYIZIAWUDAgEMAjA5
MDcGCCsGAQUFBwIBFitodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
eS9lY2EvY3BzMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMJMA4GA1UdDwEB/wQEAwIG
wDAPBgkrBgEFBQcwAQUEAgUAMCcGA1UdEQQgMB6kHDAaMRgwFgYDVQQDEw9PQ1NQ
Mi1UR1YtMS0xNDEwHQYDVR0OBBYEFDDvDY7NWAXpc5YGTmNI+SRZgkHUMB8GA1Ud
IwQYMBaAFA3A2D2/+2WTyDdmJuKKEl+7woD1MA0GCSqGSIb3DQEBBQUAA4GBAHrP
OjxDB35f/2+cORsVIl1oVPy71CaCnJ32KDxlEIRSW7sn4BIkBLfr2Un5ozt7SXzz
6qw5I/hIyT1ADaLjpQubN6H+Oxk6ve6xw1JPuDMLHnABLeF+GzLSs2UxFr3bl4AE
gAnMe402U2NJZBJhvvHu+YWdT4cDohuSqEeu+x5R
-----END CERTIFICATE-----

---

satish danduvarma [EMAIL PROTECTED] wrote:

Hi Paul,

That's great. Thanks for your quick response. What is the tgv.pem file? How can we get that file?

Thanks in advance,
Varma

On 8/24/05, Paul Simon [EMAIL PROTECTED] wrote:

Maybe your URL is wrong.

I just tried this:

openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text

and it works fine as follows:

D:\prjs\ocsp\newEcaCA>openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
          Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
          Serial Number: 1B148220FC005FD035E866279AE682BE
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = U.S. Government, OU = ECA, OU = VeriSign, Inc., CN = VeriSign Client ECA OCSP Responder
    Produced At: Aug 23 17:10:46 2005 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
      Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
      Serial Number: 1B148220FC005FD035E866279AE682BE
    Cert Status: good
    This Update: Aug 23 17:10:46 2005 GMT
    Next Update: Aug 30 17:10:46 2005 GMT

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:74:76:24:82:2a:30:ad:35:fc:45:8b:13:36:4b:0b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=ECA, OU=Certification Authorities, CN=VeriSign Client External Certification Authority
        Validity
            Not Before: Aug 16 00:00:00 2005 GMT
            Not After : Sep 15 23:59:59 2005 GMT
        Subject: C=US, O=U.S. Government, OU=ECA, OU=VeriSign, Inc., CN=VeriSign Client ECA OCSP Responder
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ce:b3:b0:95:33:73:1f:2a:f5:a7:63:6b:2f:5d:
                    04:66:13:df:35:b9:60:9a:92:a8:16:53:99:bd:70:
                    a5:9c:34:3f:f4:91:05:a1:15:28:51:38:1c:d3:d5:
                    cc:d5:82:fb:43:74:7f:84:6e:41:77:39:a6:be:46:
                    d5:fb:ef:91:10:6b:ab:b9:20:0d:dd:0a:bd:5a:f9:
                    e4:2b:e2:43:4f:c9:30:00:89:c7:cf:80:a9:76:93:
                    03:08:03:12:70:a5:76:86:c1:1d:3d:60:12:f5:2f:
                    de:9c:9d:a3:2b:ad:22:51:1f:b9:5c:7a:fd:8d:a6:
                    c4:b3:1a:50:69:8c:dc:26:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:https://eca.verisign.com/CA/VeriSignECA.cer

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.101.3.2.1.12.2
                  CPS: https://www.verisign.com/repository/eca/cps

            X509v3 Extended Key Usage: critical
                OCSP Signing
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            OCSP No Check:

            X509v3 Subject Alternative Name:
                DirName:/CN=OCSP2-TGV-1-141
            X509v3 Subject Key
please help me on OCSP
Hi,
Today I was very much excited to see this mailing list on openSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl. I have a couple of questions.

1) I used the following command to send an OCSP request and get a response from the OCSP responder:

openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

When I am executing this command, I am getting a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?

2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:

user.pem: WARNING: Status times invalid.
3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
unknown
	This Update: Oct 24 06:00:11 2004 GMT
	Next Update: Oct 25 06:00:11 2004 GMT

For this, do I need to update my OCSPServer.pem file?

Thank you for your time and consideration. I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this. Please help me out.

Thanks,
vv
Re: please help me on OCSP
On Tue, Aug 16, 2005, varma d wrote:

> But, in this command what is the purpose of OCSPServer.pem? I still don't
> understand the purpose of OCSPServer.pem, as we need to just send our
> request and expect a response from the OCSP responder irrespective of the
> OCSPServer.pem file.

This is an issue of how you trust the response from the OCSP responder. There are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In case #1 and #2 the trust can be determined automatically from the certificate being validated. In case #3 the relevant key needs to be determined by some other means.

So it's a case of how the responder is configured. In some cases the responder is misconfigured and you have to use option #3.

> 2) I tested by giving latest user certificates other than openvalidation.org
> certificates, but I am getting this error:
>
> user.pem: WARNING: Status times invalid.
> 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
>     This Update: Oct 24 06:00:11 2004 GMT
>     Next Update: Oct 25 06:00:11 2004 GMT

The responder is saying that its response is valid between those dates: so it is sending out-of-date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
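Added example, not code from this thread or from OpenSSL: a small Python model of the two decisions that Prakash's -VAfile explanation earlier in the thread and Steve's three cases above together describe. It answers (a) which case, if any, authorises the key that signed the response for the certificate's issuer, and (b) whether the response's thisUpdate/nextUpdate window is current. The time rules follow the checks in OpenSSL's OCSP_check_validity(), the function named in the quoted error; the certificate records, key identifiers and names (Example Root CA, key-resp and so on) are constructed stand-ins, and no real signature verification is performed.

```python
"""OCSP response acceptance, modelled on the two checks discussed in this
thread.  Added example: certificates are plain records (no real signature
verification); the point is the decision procedure.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str                  # stands in for the public key
    ocsp_signing: bool = False   # id-kp-OCSPSigning extended key usage


def responder_trust_case(signer: Cert, issuer: Cert,
                         trusted_keys: FrozenSet[str]) -> int:
    """Return 1, 2 or 3 for the case that authorises `signer`, or 0 if none.

    1: the response is signed with the issuing CA's own key
    2: the signer cert was issued by that CA and carries the OCSP signing EKU
    3: the signer key is configured locally as trusted (what -VAfile does)
    """
    if signer.key_id == issuer.key_id:
        return 1
    if signer.issuer == issuer.subject and signer.ocsp_signing:
        return 2
    if signer.key_id in trusted_keys:
        return 3
    return 0


# The timestamp format "openssl ocsp" prints; %d also accepts a space-padded day.
OCSP_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_ocsp_time(text: str) -> datetime:
    return datetime.strptime(text, OCSP_TIME_FMT).replace(tzinfo=timezone.utc)


def check_validity(this_update: str, next_update: Optional[str],
                   now: datetime, nsec: int = 300, maxsec: int = -1) -> List[str]:
    """Return the problems with the validity window ([] when it is acceptable).

    nsec   : tolerated clock skew in seconds (openssl ocsp -validity_period)
    maxsec : maximum age of thisUpdate; -1 disables the check (-status_age)
    """
    problems = []
    thisupd = parse_ocsp_time(this_update)
    if thisupd > now + timedelta(seconds=nsec):
        problems.append("status not yet valid")
    if maxsec >= 0 and thisupd < now - timedelta(seconds=maxsec):
        problems.append("status too old")
    if next_update is None:          # nextUpdate is optional in OCSP
        return problems
    nextupd = parse_ocsp_time(next_update)
    if nextupd < now - timedelta(seconds=nsec):
        problems.append("status expired")
    if nextupd < thisupd:
        problems.append("nextupdate before thisupdate")
    return problems


def accept_response(signer: Cert, issuer: Cert, trusted_keys: FrozenSet[str],
                    this_update: str, next_update: Optional[str],
                    now: datetime) -> List[str]:
    """All reasons to reject the response; an empty list means accept."""
    reasons = []
    if responder_trust_case(signer, issuer, trusted_keys) == 0:
        reasons.append("responder not authorised for this issuer")
    reasons.extend(check_validity(this_update, next_update, now))
    return reasons


# Constructed sample data: illustrative names, not real certificates.
ROOT_CA = Cert("CN=Example Root CA", "CN=Example Root CA", "key-ca")
DELEGATED = Cert("CN=Example OCSP Responder", "CN=Example Root CA",
                 "key-resp", ocsp_signing=True)
UNRELATED = Cert("CN=Some Other Responder", "CN=Other CA", "key-other")

if __name__ == "__main__":
    now = parse_ocsp_time("Aug 24 12:00:00 2005 GMT")
    # The out-of-date window quoted in the thread: rejected as "status expired".
    print(accept_response(DELEGATED, ROOT_CA, frozenset(),
                          "Oct 24 06:00:11 2004 GMT",
                          "Oct 25 06:00:11 2004 GMT", now))
    # The window from Paul's run: accepted.
    print(accept_response(DELEGATED, ROOT_CA, frozenset(),
                          "Aug 23 17:10:46 2005 GMT",
                          "Aug 30 17:10:46 2005 GMT", now))
    # An unrelated signer passes only once its key is trusted locally.
    print(accept_response(UNRELATED, ROOT_CA, frozenset({"key-other"}),
                          "Aug 23 17:10:46 2005 GMT", None, now))
```

Run as a script, the first call reports "status expired" for the October 2004 window, which is exactly why the thread's user.pem query failed even though the responder answered; the second accepts the Aug 23 to Aug 30, 2005 window; the third shows that a responder matching neither case 1 nor case 2 is accepted only when its key is in the locally trusted set, which is the role OCSPServer.pem plays when passed with -VAfile.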
Linking errors while compilation. Please Help
Hi,

I am facing a problem in compiling the openssl-0.9.7g version. I am using PERL to compile this. The following are the steps I am following in the compilation:

1) Type perl Configure no-idea no-mdc2 no-rc5 no-rc2 no-rc4 VC-WIN32
2) Type ms\do_nasm
3) Type "nmake -f ms\ntdll.mak"

The errors occurring are as follows:

link /nologo /subsystem:console /machine:I386 /opt:ref /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\LMAHES~1\LOCALS~1\Temp\nm2144.tmp
ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored
LIBEAY32.def : error LNK2001: unresolved external symbol d2i_Netscape_RSA
LIBEAY32.def : error LNK2001: unresolved external symbol d2i_RSA_NET
LIBEAY32.def : error LNK2001: unresolved external symbol i2d_Netscape_RSA
LIBEAY32.def : error LNK2001: unresolved external symbol i2d_RSA_NET
out32dll\libeay32.lib : fatal error LNK1120: 4 unresolved externals
LINK : fatal error LNK1141: failure during build of exports file
NMAKE : fatal error U1077: 'link' : return code '0x475'
Stop.

It is really very urgent. Can anyone help me with why this is occurring or how to get rid of these errors? Thank you in advance for the help.

Regards,
Seetharam

Sitaram, MTS Lead, Sharp Software Development India, Unit 5, Level 3, Innovator, ITPL, Bangalore.
Telephone: Res# 25525196, Mob# 94488 53090
Please help. X509 v3 java ca cert extensions?
Hi,

How do I create an X.509 v3 CA cert that has the standard ANY permission? The openssl.cnf will create a cert that works with a computer but not a phone. I need to create a CA cert that will validate a Java MIDlet for a phone. I have sorted out many of the issues with installing the cert to the phone etc., but the certs I create do not validate a Java MIDlet: I get an authentication error.

Please help!

David
openssl.cnf, please help: What is the difference between these 2 certificates?
Hi,

I have attached 2 certificates (I have changed the extension to .txt as the openssl forum does not accept .cer). The microsoft.txt is exported from the browser and the david.txt is created by openssl and also exported from the browser (IE). The microsoft cert I can install on my Motorola phone, but the openssl cert can be installed (it is not fully recognized though). How do I configure openssl to create a root certificate exactly like the Microsoft one (except for the key etc.)?

Thanks.
David

[attachment microsoft.txt: binary DER certificate, not reproducible as text; the readable name fields are "Copyright (c) 1997 Microsoft Corp.", "Microsoft Corporation", "Microsoft Root Authority"]

[attachment david.txt: binary DER certificate, not reproducible as text; the readable name fields are "David Templar", "Copyright 2007", "David Root Authority"]
3rd time request... PLEASE help! Phone cert creation
Hi all,

I am really stuck and have tried all I can - I really need your help to generate a software publishing certificate and its root cert to install on Motorola phones.

I am enclosing a copy of an already existing cert on the phone. It appears to be a V4 x509 cert - I could be wrong though. The phone does not seem to accept any certificates I have currently generated. Someone said to delete the first 2 octets; using that I can read the file now, but how do I generate a certificate like it?? The certificate is called motman.crt, but I have attached it as motman.txt as the openssl posting does not allow .crt extensions.

The certificate I have enclosed is new to me, and myself as well as others are having a problem working out what it is... Please tell me how to create my own certificates like it, either using openssl or any other tool.

Your help is really needed and appreciated - even if you cannot help, please tell me where I can get some help...

Thanks in advance,
David

[attachment motman.txt: binary DER certificate, not reproducible as text; the readable name fields are issuer "US, Illinois, Libertyville, Motorola Inc, PCS, Motorola Java CA4" and subject "US, Illinois, Libertyville, Motorola Inc, PCS, Manufacturer Domain 40-1"]
Re: 3rd time request... PLEASE help! Phone cert creation
I suppose this is not the right forum to ask for Smartphone issues. Anyway, here:

http://www.jacco2.dds.nl/networking/crtimprt.html

maybe you could find a way to do what you need, a little idea or maybe something more. He explains how to import a *personal* certificate and a CA certificate on a PocketPC running Windows Mobile 2003. I have tried the same on a Windows 2002 Smartphone and it doesn't work, but I think it could work on Windows Mobile 2003, because it worked in my PocketPC PDA. You could also try to use a little CryptoAPI program for that.

Again, I suspect this is not the right forum ;-).

Hope this helps

----- Original Message -----
From: David Templar [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, July 12, 2005 5:49 PM
Subject: 3rd time request... PLEASE help! Phone cert creation

Hi all,

I am really stuck and have tried all I can - I really need your help to generate a software publishing certificate and its root cert to install on Motorola phones.

I am enclosing a copy of an already existing cert on the phone. It appears to be a V4 x509 cert - I could be wrong though. The phone does not seem to accept any certificates I have currently generated. Someone said to delete the first 2 octets; using that I can read the file now, but how do I generate a certificate like it?? The certificate is called motman.crt, but I have attached it as motman.txt as the openssl posting does not allow .crt extensions.

The certificate I have enclosed is new to me, and myself as well as others are having a problem working out what it is... Please tell me how to create my own certificates like it, either using openssl or any other tool.

Your help is really needed and appreciated - even if you cannot help, please tell me where I can get some help...

Thanks in advance,
David

[attachment motman.txt: binary DER certificate, not reproducible as text]
Re: 3rd time request... PLEASE help! Phone cert creation
Thanks, it does help a bit... could you tell me about the CryptoAPI program?

But I will say that it is not a smartphone. It uses standard Motorola software and its JCE package. All I really need to do is convert my standard certs to the motman.crt file I had attached. I have tried everything else - including using the Windows SDK to create certificates.

Importing certificates on Motorola can only be done by manually placing the certificate in the x509 directory - hence the need to be able to generate a certificate that complies with the format.

The reason why I am posting here is because openssl (which I have been using for many years) comes with cert creation abilities - it has helped me for many years with PC Java! Also, I was hoping I would be able to ask many crypto experts on the forum!

RGDS
David

Pablo J Royo wrote:

I suppose this is not the right forum to ask for Smartphone issues. Anyway, here:

http://www.jacco2.dds.nl/networking/crtimprt.html

maybe you could find a way to do what you need, a little idea or maybe something more. He explains how to import a *personal* certificate and a CA certificate on a PocketPC running Windows Mobile 2003. I have tried the same on a Windows 2002 Smartphone and it doesn't work, but I think it could work on Windows Mobile 2003, because it worked in my PocketPC PDA. You could also try to use a little CryptoAPI program for that.

Again, I suspect this is not the right forum ;-).

Hope this helps

----- Original Message -----
From: "David Templar" [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, July 12, 2005 5:49 PM
Subject: 3rd time request... PLEASE help! Phone cert creation

Hi all,

I am really stuck and have tried all I can - I really need your help to generate a software publishing certificate and its root cert to install on Motorola phones.

I am enclosing a copy of an already existing cert on the phone. It appears to be a V4 x509 cert - I could be wrong though. The phone does not seem to accept any certificates I have currently generated. Someone said to delete the first 2 octets; using that I can read the file now, but how do I generate a certificate like it?? The certificate is called motman.crt, but I have attached it as motman.txt as the openssl posting does not allow .crt extensions.

The certificate I have enclosed is new to me, and myself as well as others are having a problem working out what it is... Please tell me how to create my own certificates like it, either using openssl or any other tool.

Your help is really needed and appreciated - even if you cannot help, please tell me where I can get some help...

Thanks in advance,
David

[attachment motman.txt: binary DER certificate, not reproducible as text]
RE: 3rd time request... PLEASE help! Phone cert creation
Hi,

CryptoAPI is the security API of Microsoft. If you are using a Pocket PC or SmartPhone you can use a subset of the functions of that API (which is completely supported on NT). You can have a look at openssl-dev and will find a message from me giving support to build OpenSSL for Pocket PC or Windows Mobile 2003 with full access to the openssl.exe application by using a console on the device (a little difficult to use with the Soft Input Panel, but OK to have openssl everywhere).

For your concrete problem, maybe you can ask in a Motorola forum or anybody who knows the FLEX operating system (the one from Motorola).

Daniel Díaz
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of David Templar
Sent: Tuesday, 12 July 2005 20:01
To: openssl-users@openssl.org
Subject: Re: 3rd time request... PLEASE help! Phone cert creation

Thanks, it does help a bit... could you tell me about the CryptoAPI program?

But I will say that it is not a smartphone. It uses standard Motorola software and its JCE package. All I really need to do is convert my standard certs to the motman.crt file I had attached. I have tried everything else - including using the Windows SDK to create certificates.

Importing certificates on Motorola can only be done by manually placing the certificate in the x509 directory - hence the need to be able to generate a certificate that complies with the format.

The reason why I am posting here is because openssl (which I have been using for many years) comes with cert creation abilities - it has helped me for many years with PC Java! Also, I was hoping I would be able to ask many crypto experts on the forum!

RGDS
David

Pablo J Royo wrote:

I suppose this is not the right forum to ask for Smartphone issues. Anyway, here:

http://www.jacco2.dds.nl/networking/crtimprt.html

maybe you could find a way to do what you need, a little idea or maybe something more. He explains how to import a *personal* certificate and a CA certificate on a PocketPC running Windows Mobile 2003. I have tried the same on a Windows 2002 Smartphone and it doesn't work, but I think it could work on Windows Mobile 2003, because it worked in my PocketPC PDA. You could also try to use a little CryptoAPI program for that.

Again, I suspect this is not the right forum ;-).

Hope this helps

----- Original Message -----
From: David Templar [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, July 12, 2005 5:49 PM
Subject: 3rd time request... PLEASE help! Phone cert creation

Hi all,

I am really stuck and have tried all I can - I really need your help to generate a software publishing certificate and its root cert to install on Motorola phones.

I am enclosing a copy of an already existing cert on the phone. It appears to be a V4 x509 cert - I could be wrong though. The phone does not seem to accept any certificates I have currently generated. Someone said to delete the first 2 octets; using that I can read the file now, but how do I generate a certificate like it?? The certificate is called motman.crt, but I have attached it as motman.txt as the openssl posting does not allow .crt extensions.

The certificate I have enclosed is new to me, and myself as well as others are having a problem working out what it is... Please tell me how to create my own certificates like it, either using openssl or any other tool.

Your help is really needed and appreciated - even if you cannot help, please tell me where I can get some help...

Thanks in advance,
David

[attachment motman.txt: binary DER certificate, not reproducible as text]
Re: 3rd time request... PLEASE help! Phone cert creation
Thank you for the reply. I have tried the Microsoft SDK and the matter is not resolved. Motorola will not help with certificates; they want you to send them your code and they will sign it if they like it - after 6-8 weeks of an application process! The only hope I have is to create my own certificates in the format of the motman.crt that I had attached with the original post.

So far what I know about the cert:
1. the first 2 octets are used to say how many certs are in the chain.
2. it can be read using ASN.1 readers.
3. it may use a 128 140 bit key and signature

Daniel Diaz Sanchez wrote:

Hi, CryptoAPI is the security API of Microsoft. If you are using a Pocket PC or SmartPhone you can use a subset of functions of that API (that is completely supported on NT). You can have a look at openssl-dev and will find a message from me giving support to build OpenSSL for Pocket PC or Windows Mobile 2003 with full access to the openssl.exe application by using a console on the device (a little difficult to use with the Soft Input Panel but OK to have openssl everywhere). For your concrete problem maybe you can ask in a Motorola forum or anybody who knows the Flex operating system (the one from Motorola).

Daniel Díaz [EMAIL PROTECTED]
Re: 3rd time request... PLEASE help! Phone cert creation
On Tue, Jul 12, 2005, David Templar wrote:

Hi all, I am really stuck and have tried all I can - I really need your help to generate a software publishing certificate and its root cert to install on Motorola phones. I am enclosing a copy of an already existing cert on the phone. It appears to be a V4 x509 cert - I could be wrong though. The phone does not seem to accept any certificates I have currently generated. Someone said to delete the first 2 octets; using that I can read the file now, but how do I generate a certificate like it?? The certificate is called motman.crt, but I have attached it as motman.txt as the openssl posting does not allow .crt extensions.

It's V3 X509 with two additional bytes prepended. If you want to generate it just take a DER format file and prepend the same bytes.

However there may not be a solution to your problem. I know of a couple of phones that deliberately have no way to add new CA certificates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
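The format Steve describes is a plain DER certificate with two bytes in front of it. The script below, an added example that is not code from this thread or from OpenSSL, builds such a file and, more usefully for anyone provisioning a trust store this way, checks one before it is trusted: it strips the prefix, walks the payload as a sequence of DER SEQUENCEs (an X.509 Certificate is one SEQUENCE), and verifies that the lengths are consistent and that the element count matches the prefix. It assumes the two octets are a big-endian count of certificates in the chain (David's reading of them later in the thread). The "certificates" it runs on are constructed DER SEQUENCEs standing in for real ones, so it runs offline.

```python
"""Wrap DER certificates with a two-byte prefix and validate such a file.

Added example for the openssl-users thread on motman.crt; not code posted
by Steve or David and not part of OpenSSL.  Assumptions: the two prepended
octets are a big-endian count of certificates in the chain; SAMPLE_LEAF and
SAMPLE_CA are constructed DER SEQUENCEs, not real X.509 certificates.
"""
import struct


def der_header(buf: bytes, offset: int = 0):
    """Parse one DER tag and length starting at `offset`.

    Returns (tag, content_offset, content_length).  Handles short- and
    long-form lengths and rejects the indefinite and non-minimal forms,
    which BER allows but DER forbids.
    """
    if offset + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:                      # short form: one length byte
        return tag, offset + 2, first
    num = first & 0x7F                    # long form: `num` length bytes follow
    if num == 0 or num > 4:
        raise ValueError("indefinite or oversized DER length")
    if offset + 2 + num > len(buf):
        raise ValueError("truncated DER length")
    length = int.from_bytes(buf[offset + 2:offset + 2 + num], "big")
    if length < 0x80 or (num > 1 and length < (1 << (8 * (num - 1)))):
        raise ValueError("non-minimal DER length encoding")
    return tag, offset + 2 + num, length


def der_sequence(content: bytes) -> bytes:
    """Encode a DER SEQUENCE around `content` with a minimal length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x30" + length + content


def wrap_der_chain(certs) -> bytes:
    """Prepend the two-byte count and concatenate the DER certificates."""
    if not certs:
        raise ValueError("empty chain")
    for cert in certs:
        tag, start, length = der_header(cert)
        if tag != 0x30 or start + length != len(cert):
            raise ValueError("chain element is not exactly one DER SEQUENCE")
    return struct.pack(">H", len(certs)) + b"".join(certs)


def unwrap_der_chain(blob: bytes):
    """Strip the two-byte prefix and split the payload into DER elements.

    Every element must be a complete SEQUENCE and the number of elements
    must match the prefix; anything else is reported, not guessed at.
    """
    if len(blob) < 2:
        raise ValueError("file shorter than the two-byte prefix")
    (count,) = struct.unpack(">H", blob[:2])
    certs, pos = [], 2
    while pos < len(blob):
        tag, start, length = der_header(blob, pos)
        if tag != 0x30:
            raise ValueError(f"expected SEQUENCE (0x30) at offset {pos}, got 0x{tag:02x}")
        end = start + length
        if end > len(blob):
            raise ValueError("certificate body runs past the end of the file")
        certs.append(blob[pos:end])
        pos = end
    if len(certs) != count:
        raise ValueError(f"prefix says {count} certificate(s), found {len(certs)}")
    return certs


def is_valid_chain_file(blob: bytes) -> bool:
    """True if `blob` parses as a prefixed chain; False on any defect."""
    try:
        unwrap_der_chain(blob)
        return True
    except ValueError:
        return False


# Constructed stand-ins for real DER certificates (not real X.509 data):
# one with a short-form length and one long enough to need the long form.
SAMPLE_LEAF = der_sequence(b"\x04\x05hello")
SAMPLE_CA = der_sequence(b"\x04\x81\xc8" + b"A" * 200)

if __name__ == "__main__":
    chain = wrap_der_chain([SAMPLE_LEAF, SAMPLE_CA])
    print(f"{len(chain)} bytes, prefix {chain[:2].hex()}, "
          f"{len(unwrap_der_chain(chain))} certificate(s) parsed")
    # A bare DER file with no prefix fails the check, matching the
    # phone's refusal of unprefixed certificates described in the thread.
    print("bare DER accepted:", is_valid_chain_file(SAMPLE_LEAF))
```

The validator is deliberately strict about DER: a length byte that points past the end of the file, or a first byte that is not 0x30, means the file is not what the prefix claims, and a trust-store loader should stop there rather than skip over the bad bytes.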
Re: 3rd time request... PLEASE help! Phone cert creation
Thanks, I will try this within the next hour to see what happens. Is there a key size or any other issues that I need to consider when I generate a new cert now?

Dr. Stephen Henson wrote:

It's V3 X509 with two additional bytes prepended. If you want to generate it just take a DER format file and prepend the same bytes. However there may not be a solution to your problem. I know of a couple of phones that deliberately have no way to add new CA certificates.

Steve.
Re: Dr Henson is a superstar!!! 3rd time request... PLEASE help! Phone cert creation
I tried what you said, and for the first time the phone accepts something! The only thing is that it gives me 2 messages when I check the status of the certificate:
1. no name for it
2. expired. The phone says the expiry date is Wed 0/0/00.

Instead of generating a new certificate, I used one I generated a week ago. It has been some time since I last used openssl and maybe the version I have is old or I incorrectly generated the certificate. Did I do something wrong? I have attached a copy of the certificate I uploaded to the phone - maybe you can kindly tell me where I have gone wrong. I have changed the extension of the attached cert to .txt as the openssl forum does not accept .crt.

Thanks for your great tip! I am now 90% there!

RGDS,
David

Dr. Stephen Henson wrote:

It's V3 X509 with two additional bytes prepended. If you want to generate it just take a DER format file and prepend the same bytes. However there may not be a solution to your problem. I know of a couple of phones that deliberately have no way to add new CA certificates.

Steve.
Re: Please, help - compilation or configuration issue
Hi,

did you link against the openssl libs (e.g. crypto / ssl)? Did you use an (ANSI) C compiler or a C++ compiler? Try

  cc(?) prueba.c -I/usr/local/ssl/include -L/path/to/openssl/libs -lcrypto -lssl

Good luck,
Sebastian

Silvia Gisela Pavon Velasco wrote:

I have sent this before and got no answers. It may look simple, but it's not. Please give me some ideas, or at least, if there's someone who has installed on HP-UX 11.0 with no problems, tell me what C compiler you have or if you did something more besides the quick installation instructions.
[EMAIL PROTECTED]: Please help - OpenSSL failure on HP-UX]
Forwarded to the openssl-users mailing list

Best regards,
Lutz

- Forwarded message from Davis, Scott A. (CRM/PRM) [EMAIL PROTECTED] -

Subject: Please help - OpenSSL failure on HP-UX
Date: Tue, 17 May 2005 12:52:54 -0700
From: Davis, Scott A. (CRM/PRM) [EMAIL PROTECTED]
To: openssl-bugs@openssl.org

Can someone out there help me? I'm trying to run OpenSSL on HP-UX, and am running into an error:

  # openssl s_client -connect ldap_server.hp.com:636 -showcerts
  warning, not much extra random data, consider using the -rand option
  CONNECTED(0003)
  write:errno=0

The version is 0.9.7e 25 Oct 2004. It was compiled on HP-UX 11.00 and subsequently moved over to an HP-UX 11.11 box. I had previously tested the same build on a different HP-UX 11.11 box and not seen any errors. I have no idea what is causing this, and what is different between the server where it is working and the one where it is not. Is this a known problem, or can it be run in some sort of debug/trace/log mode to give more useful info about what went wrong? I've tried -debug, -verify 0, -reconnect, -pause, -msg, -nbio, -bugs, -ssl3, -ssl2, -tls1, -no_ssl2, -no_ssl3, and -no_tls1, but all of them give the same error message.

Thanks,
Scott

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: [EMAIL PROTECTED]: Please help - OpenSSL failure on HP-UX]
- Forwarded message from Davis, Scott A. (CRM/PRM) [EMAIL PROTECTED] -

Can someone out there help me? I'm trying to run OpenSSL on HP-UX, and am running into an error:

  # openssl s_client -connect ldap_server.hp.com:636 -showcerts
  warning, not much extra random data, consider using the -rand option
  CONNECTED(0003)
  write:errno=0

The version is 0.9.7e 25 Oct 2004. It was compiled on HP-UX 11.00 and subsequently moved over to an HP-UX 11.11 box. I had previously tested the same build on a different HP-UX 11.11 box and not seen any errors. I have no idea what is causing this, and what is different between the server where it is working and the one where it is not. Is this a known problem, or can it be run in some sort of debug/trace/log mode to give more useful info about what went wrong? I've tried -debug, -verify 0, -reconnect, -pause, -msg, -nbio, -bugs, -ssl3, -ssl2, -tls1, -no_ssl2, -no_ssl3, and -no_tls1, but all of them give the same error message.

Did you try a network sniffer? Which side is closing the connection?

Best regards,
Lutz

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Please, help - compilation or configuration issue
I have sent this before and got no answers. It may look simple, but it's not. Please give me some ideas, or at least, if there's someone who has installed on HP-UX 11.0 with no problems, tell me what C compiler you have or if you did something more besides the quick installation instructions.

-

I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system. I've tried to install it and I can't get OpenSSL to work there. I have:

- HP-UX 11.0 operating system
- Perl 5.8.5
- HP C/ANSI C Developer's Bundle for HP-UX (S800) which includes HP C/ANSI C Compiler

I'm trying to install the file openssl-0.9.7g.tar.gz following the quick installation instructions and everything goes OK; the logs don't show any errors at all (I have log files in case someone wants to take a look at them) and the command line tool works just fine after adding the correct path to my PATH variable.

The problem is when I try to use the libraries in a C program. I try to run a simple example code I got from the OpenSSL homepage and I got an error saying that it can't find the openssl/*.h included file:

  cc prueba.c
  cpp: prueba.c, line 2: error 4036: Can't open include file 'openssl/evp.h'.

Even if I compile with the -I option it doesn't find the functions:

  cc prueba.c -I/usr/local/ssl/include
  cc: prueba.c, line 32: warning 604: Pointers are not assignment-compatible.
  cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
  /usr/ccs/bin/ld: Unsatisfied symbols:
     EVP_get_digestbyname (first referenced in prueba.o) (code)
     EVP_DigestInit_ex (first referenced in prueba.o) (code)
     OpenSSL_add_all_digests (first referenced in prueba.o) (code)
     EVP_DigestFinal_ex (first referenced in prueba.o) (code)
     EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
     EVP_MD_CTX_init (first referenced in prueba.o) (code)
     EVP_DigestUpdate (first referenced in prueba.o) (code)

I have tried everything I know to find the libraries, from specifying in my PATH variable the path of the installation, and even copying the /usr/local/ssl/include/openssl directory to the /opt/CC/include/CC directory, and still can't get it to work. I have the feeling that I'm missing some configuration specific to my operating system; that's why I'm asking for your help, because I've really tried to make it work first (I have reinstalled openssl and the C compiler twice).

At this point these are my env variables related to openssl:

  OPENSSLDIR=/usr/local/ssl
  PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
  export PATH
  SHLIB_PATH=/usr/local/ssl/lib   -- I added this
  export SHLIB_PATH

-
Silvia Gisela

_
NOTE: The information in this email is proprietary and confidential. This message is for the designated recipient only; if you are not the intended recipient, you should destroy it immediately. Any information in this message shall not be understood as given or endorsed by Alestra, its subsidiaries or their employees, unless expressly so stated. It is the responsibility of the recipient to ensure that this email is virus free, therefore neither Alestra, its subsidiaries nor their employees accept any responsibility.
RE: Please, help - compilation or configuration issue
I will reply for you... but I have never set up anything as you are asking. I'm sorry. I'm sure somewhere there is a forum that can address this issue. Maybe this is not that forum.

miles

-Original Message-
From: Silvia Gisela Pavon Velasco [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 17, 2005 2:08 PM
To: openssl-users@openssl.org
Subject: Please, help - compilation or configuration issue

I have sent this before and got no answers. It may look simple, but it's not. Please give me some ideas, or at least, if there's someone who has installed on HP-UX 11.0 with no problems, tell me what C compiler you have or if you did something more besides the quick installation instructions.
Re: Please, help - compilation or configuration issue
It's been a few years since I've worked on HP-UX and I don't have access to a machine running that OS currently, but here's what I remember. I hope it's accurate. I've plucked a couple of settings out of old Makefiles that I've saved - you'll have to see where to add the settings in your Makefiles.

1) You almost always need to add some standard defines to get the HP C compilers to include common things. If you use Imake, you'll see it adding stuff like this.

  CCOPTIONS = -Ae
  STD_DEFINES = -Dhpux -DSYSV -D_HPUX_SOURCE

2) The compile-time linker doesn't automatically configure the executable stub to use the SHLIB_PATH environment variable. (Gotta love that HP chose not to use LD_LIBRARY_PATH that just about everyone else uses and also deactivated its use by default.) So, I pass a flag to the linker.

  SHLIBLDFLAGS = -b

HP also doesn't have ldd, but does have chatr (maybe it's chattr, you'll have to look). That utility can be used to inspect your executable stub to determine the shared library locations, either compiled in or dynamically located, and also whether the SHLIB_PATH is used by the run-time linker. Very nice things to know.

Best regards,
Lance
http://www.newparticles.com/

Silvia Gisela Pavon Velasco wrote:

I have sent this before and got no answers. It may look simple, but it's not. Please give me some ideas, or at least, if there's someone who has installed on HP-UX 11.0 with no problems, tell me what C compiler you have or if you did something more besides the quick installation instructions.
Please - Help me out here - Need to make design decision based on your answer
-Original Message-
From: Radhika Gunasekar [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 10:46 AM
To: 'openssl-users@openssl.org'
Subject: Encrypting/Decrypting messages

Hello,

I am a new user to OpenSSL. I have a couple of questions.

Background: I am working on a client/server environment. Both communicate with each other via the TCP/IP/UDP protocol. The client is on Linux and the server is on AIX. We need to encrypt messages going between them and also be able to decrypt the messages received. The application that we are communicating with is currently written in C. By going through the documents on openssl.org, I found out that I could use libcrypto.so on both the Linux and AIX side and use its high-level EVP interface functions to achieve what we are looking for. Here are the functions that I am planning to use: EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal for encryption and EVP_DecryptInit_ex, EVP_DecryptUpdate, EVP_DecryptFinal for decryption. And I am planning to use the Blowfish symmetric cipher algorithm.

Now my questions are:
1. Am I going in the right direction? Is there any better way to handle message encryption and decryption?
2. What are the EVP_Seal functions? Are they better than using the EVP_Encrypt/EVP_Decrypt functions?
3. Since the applications we are communicating between are real-time applications, would Blowfish provide the fastest encryption/decryption algorithm that we are looking for?
4. Currently I am planning to use a common key between client and server, which will be stored in a protected file on both client and server, to perform encryption and decryption. Are there any better ways to protect the key information?

Please reply. Thanks for your help.

Regards,
Radhika.
Re: oid_section questions please help!
On Tue, Nov 09, 2004, ray v wrote:

> I think the reason why I can get the new OIDs to work is that I'm using the -config my.cnf when making the request myself. This would indicate, as you've already said, I've got my OIDs in the wrong place. The question is, where can my new OIDs be placed, and what makes putting my OIDs in a different place other than the CA_default section?

As summarized in the conf(5) manual page you do this...

Add an entry to the default section (start of file before any other sections) containing something like:

openssl_conf=config_section

Add new sections like this:

[config_section]
oid_section=new_oids

[oid_section]
some_oid = 1.2.3.4.1
some_other_oid = 1.2.3.4.2

but obviously using appropriate OID values.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
oid_section questions please help!
Hi All!

I created an OID section but I'm a little confused with how to use it. My example...

oid_section = my_oids

[my_oids]
value1 = 1.3.6.1.4.1..1
value2 = 1.3.6.1.4.1..2
value3 = 1.3.6.1.4.1..3

If I specify the -config sample.cnf when creating the key, request and certificate, this all works fine. When I received an outside cert request it fails with:

Error Loading extension section default
10765:error:2207C082:X509 V3 routines:DO_EXT_CONF:unknown extension name:v3_conf.c:123:
10765:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=oid_section

Being new to this I'm not sure if I'm asking the right question. I need to add extensions to the certificate during the certificate generation and signing process. The oid_section is in the global or default section; am I missing something here? Is there something I'm supposed to put in the [req] section regarding the new OIDs?

All help will be appreciated... I'm losing my hair faster than a cat in October!

thanks!
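Putting the two posts of this thread together: the `oid_section` keyword is not an X.509 extension, so when the `[default]` section is handed to the extension loader it is reported as an "unknown extension name" (the `name=oid_section` in the error above). The OIDs have to be registered from a section reached through `openssl_conf`, as Steve describes, and only then can their short names be used in a `req_extensions` or `x509_extensions` section. The following is an added, complete configuration illustrating that layout; it is not the questioner's `sample.cnf`, and `1.3.6.1.4.1.99999` is a placeholder standing in for a real enterprise arc (the thread's own arc is elided).

```ini
# Added example configuration (not the original sample.cnf).
# 1.3.6.1.4.1.99999 is a placeholder enterprise arc; substitute your own.

# Default section: must come before any [section] header.  openssl_conf
# names the section the library reads when it initialises itself.
openssl_conf = openssl_init

[openssl_init]
# Register the private OIDs so their short names are known everywhere,
# including in a CA that signs requests made with some other config.
oid_section = new_oids

[new_oids]
myOrgRole = 1.3.6.1.4.1.99999.1
myOrgSite = 1.3.6.1.4.1.99999.2

[req]
distinguished_name = req_dn
req_extensions     = v3_req

[req_dn]
commonName = Common Name

[v3_req]
# The short names registered above are now accepted as extension names.
# ASN1:<type>:<value> is the arbitrary-extension syntax from x509v3_config.
myOrgRole = ASN1:UTF8String:operator
myOrgSite = ASN1:IA5STRING:site-1
```

With this file a request is produced by `openssl req -new -config this.cnf ...`, and the same `openssl_conf`/`oid_section` pair must be present in the configuration the `openssl ca` or `openssl x509` command loads when it signs, otherwise the signer does not know the names either. Nothing about the OIDs goes in `[req]` itself; `[req]` only points at the extension section that uses them.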