Re: openSSL and PKCS #12 certificates

2010-04-14 Thread Mounir IDRASSI

Good luck with the rest!

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 4/14/2010 3:01 PM, Rémi Després-Smyth wrote:

Thank you very much, Mounir,
but I got the same error.

Given the time constraints I have, I think my path moving forward is to try
another library or two to see if I can find one that uses openSSL properly.

Until next time,
Remi.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 9:09 PM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

Hi Remi,

I don't know what the inputs of your python module are, but from the
error message I guess that it's expecting the PEM file to contain also
the certificate of the private key and the associated CA chain. For
that, I advise you to replace the option "-nocerts" in your command line
with "-nodes". Thus:
- The output PEM file will contain the private key AND its certificate
along with any associated CAs
- You will not be asked for a password a second time because the private
key in the output PEM file will be unencrypted.

After that, you will have to open the output PEM file in a text editor
in order to ensure that the certificate that comes just after the
private key block is the one associated with the key and not a CA
certificate (a cut and paste is almost necessary to put everything in
the right order).

I hope that with all these steps, you will finally be able to perform
your client authentication.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 4/13/2010 6:45 PM, Rémi Després-Smyth wrote:

Mounir,
Thank you so much for your answer.

I did extract the key into a pem file (using command: c:\openssl\bin\openssl
pkcs12 -in cert.pfx -nocerts -out cert_key.pem), and tried to connect using
the key file as output.  It got further along in the process - I was
prompted to enter my PEM pass phrase - but a different error came up:

   File "C:\python26\lib\ssl.py", line 113, in __init__
 cert_reqs, ssl_version, ca_certs)
ssl.SSLError: [Errno 336445449] _ssl.c:351: error:140DC009:SSL
routines:SSL_CTX_use_certificate_chain_file:PEM lib

Would you have any insight in regards to the problem here?


I should also note that while I was creating the key file, I noticed that I
was prompted to "Enter Import Password", but also to "Enter PEM pass
phrase".  Does this mean the private key found in the pfx file is actually
in PEM format to begin with?  Does this change your advice at all?

Regards,
Remi.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 11:29 AM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

Hi,

OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that
contains functions for parsing and exporting private keys and
certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).

Concerning the error you are getting, it appears that the python module
you are using is calling SSL_CTX_use_PrivateKey_file by giving it the
PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file
only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.
In order to correct this, you have two solutions:
- Either feed the python module with the private key in a PEM file.
- Or modify the source code of this python module in order to use the
PKCS#12 functions I mentioned above to extract the private key as an
EVP_PKEY and then call SSL_use_PrivateKey instead of
SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting
the associated certificate.

The first solution is the easiest because you can simply use the OPENSSL
command line utility in order to extract the private key and its
certificate from the PKCS#12 file as PEM files and then give them as
input to your python module.

I hope this will help.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:

Hello.

I’ve been trying to set up client authentication using a PKCS #12
certificate, and I’ve been having some trouble.  I’m trying to determine
whether it’s because it’s something unsupported in openSSL, or if it’s a
problem with the wrapper library I’m using (Python’s httplib).  I’d
appreciate it if anyone might be able to provide some insight.

I’m getting an error raised by the openSSL library when the wrapper class is
trying to instantiate and wrap a socket, and from what I’ve been able to
gather to-date, the error appears to be coming from openSSL:

Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib

Is PKCS #12 supposed to be supported by openSSL?  I would guess yes; I dug
around in the source and found that “PEM lib” is the error text for
ERR_R_PEM_LIB

RE: openSSL and PKCS #12 certificates

2010-04-14 Thread Rémi Després-Smyth
Thank you very much, Mounir,
but I got the same error.

Given the time constraints I have, I think my path moving forward is to try
another library or two to see if I can find one that uses openSSL properly.

Until next time,
Remi.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 9:09 PM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

Hi Remi,

I don't know what the inputs of your python module are, but from the
error message I guess that it's expecting the PEM file to contain also
the certificate of the private key and the associated CA chain. For
that, I advise you to replace the option "-nocerts" in your command line
with "-nodes". Thus:
- The output PEM file will contain the private key AND its certificate
along with any associated CAs
- You will not be asked for a password a second time because the private
key in the output PEM file will be unencrypted.

After that, you will have to open the output PEM file in a text editor
in order to ensure that the certificate that comes just after the
private key block is the one associated with the key and not a CA
certificate (a cut and paste is almost necessary to put everything in
the right order).

I hope that with all these steps, you will finally be able to perform
your client authentication.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 4/13/2010 6:45 PM, Rémi Després-Smyth wrote:
> Mounir,
> Thank you so much for your answer.
>
> I did extract the key into a pem file (using command: c:\openssl\bin\openssl
> pkcs12 -in cert.pfx -nocerts -out cert_key.pem), and tried to connect using
> the key file as output.  It got further along in the process - I was
> prompted to enter my PEM pass phrase - but a different error came up:
>
>    File "C:\python26\lib\ssl.py", line 113, in __init__
>  cert_reqs, ssl_version, ca_certs)
> ssl.SSLError: [Errno 336445449] _ssl.c:351: error:140DC009:SSL
> routines:SSL_CTX_use_certificate_chain_file:PEM lib
>
> Would you have any insight in regards to the problem here?
>
>
> I should also note that while I was creating the key file, I noticed that I
> was prompted to "Enter Import Password", but also to "Enter PEM pass
> phrase".  Does this mean the private key found in the pfx file is actually
> in PEM format to begin with?  Does this change your advice at all?
>
> Regards,
> Remi.
>
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
> Sent: April 13, 2010 11:29 AM
> To: openssl-users@openssl.org
> Subject: Re: openSSL and PKCS #12 certificates
>
> Hi,
>
> OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that
> contains functions for parsing and exporting private keys and
> certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).
>
> Concerning the error you are getting, it appears that the python module
> you are using is calling SSL_CTX_use_PrivateKey_file by giving it the
> PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file
> only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.
> In order to correct this, you have two solutions:
> - Either feed the python module with the private key in a PEM file.
> - Or modify the source code of this python module in order to use the
> PKCS#12 functions I mentioned above to extract the private key as an
> EVP_PKEY and then call SSL_use_PrivateKey instead of
> SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting
> the associated certificate.
>
> The first solution is the easiest because you can simply use the OPENSSL
> command line utility in order to extract the private key and its
> certificate from the PKCS#12 file as PEM files and then give them as
> input to your python module.
>
> I hope this will help.
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
>
> On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:
>
>> Hello.
>>
>> I’ve been trying to set up client authentication using a PKCS #12
>> certificate, and I’ve been having some trouble.  I’m trying to determine
>> whether it’s because it’s something unsupported in openSSL, or if it’s a
>> problem with the wrapper library I’m using (Python’s httplib).  I’d
>> appreciate it if anyone might be able to provide some insight.
>>
>> I’m getting an error raised by the openSSL library when the wrapper class is
>> trying to instantiate and wrap a socket, and from what I’ve been able to
>> gather to-date, the error appears to be coming from openSSL

Re: openSSL and PKCS #12 certificates

2010-04-13 Thread Mounir IDRASSI

Hi Remi,

I don't know what the inputs of your python module are, but from the
error message I guess that it's expecting the PEM file to contain also
the certificate of the private key and the associated CA chain. For
that, I advise you to replace the option "-nocerts" in your command line
with "-nodes". Thus:
- The output PEM file will contain the private key AND its certificate
along with any associated CAs
- You will not be asked for a password a second time because the private
key in the output PEM file will be unencrypted.

After that, you will have to open the output PEM file in a text editor
in order to ensure that the certificate that comes just after the
private key block is the one associated with the key and not a CA
certificate (a cut and paste is almost necessary to put everything in
the right order).

I hope that with all these steps, you will finally be able to perform
your client authentication.


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 4/13/2010 6:45 PM, Rémi Després-Smyth wrote:

Mounir,
Thank you so much for your answer.

I did extract the key into a pem file (using command: c:\openssl\bin\openssl
pkcs12 -in cert.pfx -nocerts -out cert_key.pem), and tried to connect using
the key file as output.  It got further along in the process - I was
prompted to enter my PEM pass phrase - but a different error came up:

   File "C:\python26\lib\ssl.py", line 113, in __init__
 cert_reqs, ssl_version, ca_certs)
ssl.SSLError: [Errno 336445449] _ssl.c:351: error:140DC009:SSL
routines:SSL_CTX_use_certificate_chain_file:PEM lib

Would you have any insight in regards to the problem here?


I should also note that while I was creating the key file, I noticed that I
was prompted to "Enter Import Password", but also to "Enter PEM pass
phrase".  Does this mean the private key found in the pfx file is actually
in PEM format to begin with?  Does this change your advice at all?

Regards,
Remi.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 11:29 AM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

Hi,

OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that
contains functions for parsing and exporting private keys and
certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).

Concerning the error you are getting, it appears that the python module
you are using is calling SSL_CTX_use_PrivateKey_file by giving it the
PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file
only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.
In order to correct this, you have two solutions:
- Either feed the python module with the private key in a PEM file.
- Or modify the source code of this python module in order to use the
PKCS#12 functions I mentioned above to extract the private key as an
EVP_PKEY and then call SSL_use_PrivateKey instead of
SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting
the associated certificate.

The first solution is the easiest because you can simply use the OPENSSL
command line utility in order to extract the private key and its
certificate from the PKCS#12 file as PEM files and then give them as
input to your python module.

I hope this will help.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:

Hello.

I’ve been trying to set up client authentication using a PKCS #12
certificate, and I’ve been having some trouble.  I’m trying to determine
whether it’s because it’s something unsupported in openSSL, or if it’s a
problem with the wrapper library I’m using (Python’s httplib).  I’d
appreciate it if anyone might be able to provide some insight.

I’m getting an error raised by the openSSL library when the wrapper class is
trying to instantiate and wrap a socket, and from what I’ve been able to
gather to-date, the error appears to be coming from openSSL:

Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib

Is PKCS #12 supposed to be supported by openSSL?  I would guess yes; I dug
around in the source and found that “PEM lib” is the error text for
ERR_R_PEM_LIB (defined in err_str.c), and I also noticed ERR_R_PKCS12_LIB in
there.  This gives me the impression that openSSL is incorrectly trying to
load the PKCS #12 cert as a PEM cert, and thus the error – which leads me to
believe that the wrapper library may not be calling openSSL properly, if
PKCS #12 certificates should be supported.  (Otherwise, why would openSSL be
returning an error related to PEM certs and not PKCS #12 certs?)

Can anyone tell me whether or not openSSL should be able to work with
PKCS#12 certs?  Any advice anyone might have is welcome. (Sorry if this is
vague; this is the fi

RE: openSSL and PKCS #12 certificates

2010-04-13 Thread Rémi Després-Smyth
Mounir,
Thank you so much for your answer.

I did extract the key into a pem file (using command: c:\openssl\bin\openssl
pkcs12 -in cert.pfx -nocerts -out cert_key.pem), and tried to connect using
the key file as output.  It got further along in the process - I was
prompted to enter my PEM pass phrase - but a different error came up:

  File "C:\python26\lib\ssl.py", line 113, in __init__
cert_reqs, ssl_version, ca_certs)
ssl.SSLError: [Errno 336445449] _ssl.c:351: error:140DC009:SSL
routines:SSL_CTX_use_certificate_chain_file:PEM lib

Would you have any insight in regards to the problem here?


I should also note that while I was creating the key file, I noticed that I
was prompted to "Enter Import Password", but also to "Enter PEM pass
phrase".  Does this mean the private key found in the pfx file is actually
in PEM format to begin with?  Does this change your advice at all?

Regards,
Remi.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 11:29 AM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

Hi,

OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that 
contains functions for parsing and exporting private keys and 
certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).

Concerning the error you are getting, it appears that the python module
you are using is calling SSL_CTX_use_PrivateKey_file by giving it the
PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file
only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.
In order to correct this, you have two solutions:
- Either feed the python module with the private key in a PEM file.
- Or modify the source code of this python module in order to use the
PKCS#12 functions I mentioned above to extract the private key as an
EVP_PKEY and then call SSL_use_PrivateKey instead of
SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting
the associated certificate.

The first solution is the easiest because you can simply use the OPENSSL 
command line utility in order to extract the private key and its 
certificate from the PKCS#12 file as PEM files and then give them as 
input to your python module.

I hope this will help.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:
> Hello.
>
> I’ve been trying to set up client authentication using a PKCS #12
> certificate, and I’ve been having some trouble.  I’m trying to determine
> whether it’s because it’s something unsupported in openSSL, or if it’s a
> problem with the wrapper library I’m using (Python’s httplib).  I’d
> appreciate it if anyone might be able to provide some insight.
>
> I’m getting an error raised by the openSSL library when the wrapper class is
> trying to instantiate and wrap a socket, and from what I’ve been able to
> gather to-date, the error appears to be coming from openSSL:
>
> Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>
> Is PKCS #12 supposed to be supported by openSSL?  I would guess yes; I dug
> around in the source and found that “PEM lib” is the error text for
> ERR_R_PEM_LIB (defined in err_str.c), and I also noticed ERR_R_PKCS12_LIB in
> there.  This gives me the impression that openSSL is incorrectly trying to
> load the PKCS #12 cert as a PEM cert, and thus the error – which leads me to
> believe that the wrapper library may not be calling openSSL properly, if
> PKCS #12 certificates should be supported.  (Otherwise, why would openSSL be
> returning an error related to PEM certs and not PKCS #12 certs?)
>
> Can anyone tell me whether or not openSSL should be able to work with
> PKCS#12 certs?  Any advice anyone might have is welcome. (Sorry if this is
> vague; this is the first time I dig into the openSSL project.)
>
> The certificate appears correct, as I’ve tested it by adding it to MSIE and
> Firefox and I’m able to connect to the server.
>
> Regards,
>
> Remi.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org



Re: openSSL and PKCS #12 certificates

2010-04-13 Thread Mounir IDRASSI

Hi,

OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that 
contains functions for parsing and exporting private keys and 
certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).


Concerning the error you are getting, it appears that the python module
you are using is calling SSL_CTX_use_PrivateKey_file by giving it the
PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file
only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.

In order to correct this, you have two solutions:
- Either feed the python module with the private key in a PEM file.
- Or modify the source code of this python module in order to use the
PKCS#12 functions I mentioned above to extract the private key as an
EVP_PKEY and then call SSL_use_PrivateKey instead of
SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting
the associated certificate.


The first solution is the easiest because you can simply use the OPENSSL 
command line utility in order to extract the private key and its 
certificate from the PKCS#12 file as PEM files and then give them as 
input to your python module.


I hope this will help.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:

Hello.

I’ve been trying to set up client authentication using a PKCS #12
certificate, and I’ve been having some trouble.  I’m trying to determine
whether it’s because it’s something unsupported in openSSL, or if it’s a
problem with the wrapper library I’m using (Python’s httplib).  I’d
appreciate it if anyone might be able to provide some insight.



I’m getting an error raised by the openSSL library when the wrapper class is
trying to instantiate and wrap a socket, and from what I’ve been able to
gather to-date, the error appears to be coming from openSSL:



Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib



Is PKCS #12 supposed to be supported by openSSL?  I would guess yes; I dug
around in the source and found that “PEM lib” is the error text for
ERR_R_PEM_LIB (defined in err_str.c), and I also noticed ERR_R_PKCS12_LIB in
there.  This gives me the impression that openSSL is incorrectly trying to
load the PKCS #12 cert as a PEM cert, and thus the error – which leads me to
believe that the wrapper library may not be calling openSSL properly, if
PKCS #12 certificates should be supported.  (Otherwise, why would openSSL be
returning an error related to PEM certs and not PKCS #12 certs?)



Can anyone tell me whether or not openSSL should be able to work with
PKCS#12 certs?  Any advice anyone might have is welcome. (Sorry if this is
vague; this is the first time I dig into the openSSL project.)



The certificate appears correct, as I’ve tested it by adding it to MSIE and
Firefox and I’m able to connect to the server.



Regards,

Remi.




   


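Added example, not code from the thread or from the OpenSSL project: the "-nodes" extraction Mounir recommends in his second message, run end to end in a POSIX shell (the thread uses the Windows command prompt, but the openssl arguments are the same) against a PKCS#12 file constructed on the fly, together with a scripted form of the ordering check he describes doing by hand in a text editor. It also shows why the original "-nocerts" file produced the SSL_CTX_use_certificate_chain_file error: that file contains no certificate at all, so the first solution from his first message (feed the wrapper PEM files) only works once the certificate is in the PEM output too. The function names, the constructed CA and client subjects, the file names and the password "secret" are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Every file name, subject and the
# password "secret" below is constructed for the demonstration.

# Build a throwaway PKCS#12 file: a test CA, a client certificate signed
# by it, and the client's private key, packed into cert.pfx.
make_fixture() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Test Client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
    -certfile "$dir/ca.pem" -passout pass:secret -out "$dir/cert.pfx"
}

# Extract from a PKCS#12 file into one PEM file.
#   key-only : the thread's original -nocerts extraction (private key only;
#              -nodes is added so no second pass phrase is prompted for)
#   full     : Mounir's suggestion, -nodes alone: unencrypted private key
#              plus its certificate and any CA certificates
extract_pkcs12_to_pem() {
  pfx=$1; password=$2; out=$3; mode=$4
  case $mode in
    key-only) opts="-nocerts -nodes" ;;
    full)     opts="-nodes" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  # $opts is deliberately unquoted so it expands to separate arguments
  openssl pkcs12 -in "$pfx" -passin "pass:$password" $opts -out "$out"
}

# Number of CERTIFICATE blocks in a PEM file. A -nocerts file has none,
# which is why SSL_CTX_use_certificate_chain_file then fails with
# "PEM lib": there is no certificate block for it to read.
count_cert_blocks() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# The check Mounir does by eye: the first CERTIFICATE block in the file
# must be the end-entity certificate that belongs to the private key, not
# a CA certificate. Cut the private key block and the first certificate
# block out of the file and compare the public keys they carry.
pem_first_cert_matches_key() {
  pem=$1
  key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$pem" \
            | openssl pkey -pubout 2>/dev/null)
  cert_pub=$(awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if (p) exit}' "$pem" \
             | openssl x509 -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ -n "$cert_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone walk-through: runs only when this file is executed directly
# as pkcs12_demo.sh, not when its functions are sourced by another script.
demo_main() {
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  extract_pkcs12_to_pem "$tmp/cert.pfx" secret "$tmp/key_only.pem" key-only
  echo "-nocerts output: $(count_cert_blocks "$tmp/key_only.pem") certificate(s)"
  extract_pkcs12_to_pem "$tmp/cert.pfx" secret "$tmp/full.pem" full
  echo "-nodes output:   $(count_cert_blocks "$tmp/full.pem") certificate(s)"
  if pem_first_cert_matches_key "$tmp/full.pem"; then
    echo "first certificate in full.pem belongs to the private key"
  else
    echo "first certificate in full.pem is NOT the key's certificate; reorder the file"
  fi
  rm -rf "$tmp"
}
case "${0##*/}" in pkcs12_demo.sh) demo_main ;; esac
```

Save it as pkcs12_demo.sh and run it with sh. The check uses only the key's public half, so it works for any key type OpenSSL can print with "openssl pkey -pubout", and a file whose first certificate is the CA fails it, which is the cut-and-paste situation Mounir warns about. Once full.pem passes, it is a single PEM file holding both the unencrypted key and the certificate chain, so the wrapper is not prompted for a PEM pass phrase when it loads it.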


openSSL and PKCS #12 certificates

2010-04-13 Thread Rémi Després-Smyth
Hello.

I’ve been trying to set up client authentication using a PKCS #12
certificate, and I’ve been having some trouble.  I’m trying to determine
whether it’s because it’s something unsupported in openSSL, or if it’s a
problem with the wrapper library I’m using (Python’s httplib).  I’d
appreciate it if anyone might be able to provide some insight.

 

I’m getting an error raised by the openSSL library when the wrapper class is
trying to instantiate and wrap a socket, and from what I’ve been able to
gather to-date, the error appears to be coming from openSSL:

 

Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib

 

Is PKCS #12 supposed to be supported by openSSL?  I would guess yes; I dug
around in the source and found that “PEM lib” is the error text for
ERR_R_PEM_LIB (defined in err_str.c), and I also noticed ERR_R_PKCS12_LIB in
there.  This gives me the impression that openSSL is incorrectly trying to
load the PKCS #12 cert as a PEM cert, and thus the error – which leads me to
believe that the wrapper library may not be calling openSSL properly, if
PKCS #12 certificates should be supported.  (Otherwise, why would openSSL be
returning an error related to PEM certs and not PKCS #12 certs?)

 

Can anyone tell me whether or not openSSL should be able to work with
PKCS#12 certs?  Any advice anyone might have is welcome. (Sorry if this is
vague; this is the first time I dig into the openSSL project.)

 

The certificate appears correct, as I’ve tested it by adding it to MSIE and
Firefox and I’m able to connect to the server.

 

Regards,

Remi.