Certificate Expiry and pem file
Hi,
One of our clients is renewing the digital certificates on their side, as they are due to expire, and will be rolling over to a new certificate. They have provided a .cer file. Actually, we decrypt the messages from them. I understand that I need to generate a .pem file from this .cer file. Can anyone help me in achieving this?
Thanks in advance.
Prabu
__ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Certificate Expiry and pem file
> One of our clients is renewing the digital certificates on their side, as they are due to expire, and will be rolling over to a new certificate. They have provided a .cer file. Actually, we decrypt the messages from them. I understand that I need to generate a .pem file from this .cer file. Can anyone help me in achieving this?
try:
# the .cer is assumed to be DER-encoded; drop -inform DER if it is already PEM text
openssl x509 -inform DER -in nameofcerfile.cer -out nameofpemfile.pem
Re: Certificate Expiry and pem file
> One of our clients is renewing the digital certificates on their side, as they are due to expire, and will be rolling over to a new certificate. They have provided a .cer file. Actually, we decrypt the messages from them. I understand that I need to generate a .pem file from this .cer file. Can anyone help me in achieving this?
to convert to pem, try:
# the .cer is assumed to be DER-encoded; drop -inform DER if it is already PEM text
openssl x509 -inform DER -in nameofcerfile.cer -out nameofpemfile.pem
if all you want to do is see it, try:
openssl x509 -inform DER -in nameofcerfile.cer -text -noout
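A shell version of the conversion both replies describe, added here as an example and not code from either poster or from OpenSSL: it checks whether the .cer file carries PEM armour or is raw DER before calling openssl x509 (the bare command fails with "unable to load certificate" when -inform is wrong), converts it, and uses -checkend to answer the expiry question the original poster is actually dealing with. The function names, the script name and the 30-day default threshold are this example's own choices.

```shell
#!/bin/sh
# Added example: convert a .cer certificate (DER or PEM) to PEM and report
# how close it is to expiry. Function names are this example's own.
set -u

# Print PEM if the file carries PEM armour, otherwise assume DER.
# .cer files exported from Windows tooling are frequently DER.
cert_encoding() {
    if head -c 64 "$1" | grep -q -- '-----BEGIN'; then
        printf 'PEM\n'
    else
        printf 'DER\n'
    fi
}

# Convert $1 (DER or PEM) into PEM at $2.
cer_to_pem() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -out "$2"
}

# Print the notAfter date of the certificate in $1.
cert_end_date() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -noout -enddate
}

# Exit 0 if the certificate in $1 stays valid for at least $2 more days.
# -checkend takes seconds and exits 1 when the certificate expires within them.
cert_valid_for_days() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -noout \
        -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: ./cer2pem.sh client.cer client.pem [warn_days]
if [ $# -ge 2 ]; then
    warn_days=${3:-30}
    cer_to_pem "$1" "$2"
    cert_end_date "$2"
    if cert_valid_for_days "$2" "$warn_days"; then
        echo "OK: certificate valid for more than $warn_days days"
    else
        echo "WARNING: certificate expires within $warn_days days, plan the rollover" >&2
        exit 2
    fi
fi
```

Run it as `./cer2pem.sh client.cer client.pem 30`; the non-zero exit on an imminent expiry is what lets a cron job or CI step flag the rollover before decryption starts failing.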
[PATCH] Fix assert failure in d1_pkt.c
This simple fix to the 0.9.8 branch addresses RT #1703, where a DTLS bug causes applications to abort. It was causing my VPN client to abort during temporary network problems which it should have coped with and recovered from.
When the underlying BIO_write() fails to send a datagram, we leave the offending record queued as 'pending'. The DTLS code doesn't expect this, and we end up hitting an OPENSSL_assert() in do_dtls1_write(). The simple fix is just _not_ to leave it queued. In DTLS, dropping packets is perfectly acceptable -- and even preferable. If we wanted a service with retries and guaranteed delivery, we'd be using TCP.
--- ssl/s3_pkt.c~ 2006-11-29 14:45:14.0 + +++ ssl/s3_pkt.c2008-10-02 06:41:07.0 +0100 @@ -753,8 +753,15 @@ int ssl3_write_pending(SSL *s, int type, s-rwstate=SSL_NOTHING; return(s-s3-wpend_ret); } - else if (i = 0) + else if (i = 0) { + if (s-version == DTLS1_VERSION || + s-version == DTLS1_BAD_VER) { + /* For DTLS, just drop it. That's kind of the whole + point in using a datagram service */ + s-s3-wbuf.left = 0; + } return(i); + } s-s3-wbuf.offset+=i; s-s3-wbuf.left-=i; }
-- dwmw2
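Review bot: in the ssl3_write_pending hunk the record is discarded on every non-positive return from the write, so a retryable failure (the BIO_should_retry case, where the caller is expected to call SSL_write() again with the same data) is treated the same as a hard error; because the function still returns i, a non-blocking application gets WANT_WRITE, retries, and the data goes out as a freshly built record rather than the one just cleared. That is consistent with the 'just drop it' comment, but the description should say it is intended for the retry case too. Also, the subject says d1_pkt.c while the hunk is in ssl/s3_pkt.c, a path shared with TLS, so the DTLS1_VERSION / DTLS1_BAD_VER guard is what keeps TLS write behaviour unchanged; worth stating in the commit message.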
[openssl.org #1761] [PATCH] AWOL openssl s_client eating CPU time.
To connect to company-internal IMAP servers, my mail clients are configured to run the following command:
ssh $BOX_ON_VPN exec openssl s_client -quiet -connect $IMAPSERVER:993
The '-quiet' part of that is necessary, because the mail programs generally can't cope with extra noise -- they only want IMAP. But the -quiet option implies -ign_eof, which means that when the ssh client disconnects, the openssl process is left eating CPU time in an endless loop:
select(5, [4], [4], NULL, NULL) = 1 (out [4])
select(5, [0 4], [], NULL, NULL)= 1 (in [0])
read(0, , 8192) = 0
select(5, [4], [4], NULL, NULL) = 1 (out [4])
select(5, [0 4], [], NULL, NULL)= 1 (in [0])
read(0, , 8192) = 0
select(5, [4], [4], NULL, NULL) = 1 (out [4])
select(5, [0 4], [], NULL, NULL)= 1 (in [0])
read(0, , 8192) = 0
I assume that changing the behaviour of the -quiet option so that it no longer implies -ign_eof is not going to be considered acceptable, so this patch instead adds a -no_ign_eof option which can be used to override the unwanted setting.
--- apps/s_client.c.orig2008-10-05 21:50:22.0 +0100 +++ apps/s_client.c 2008-10-07 14:18:23.0 +0100 @@ -216,6 +216,7 @@ static void sc_usage(void) BIO_printf(bio_err, -crlf - convert LF from terminal into CRLF\n); BIO_printf(bio_err, -quiet- no s_client output\n); BIO_printf(bio_err, -ign_eof - ignore input eof (default when -quiet)\n); + BIO_printf(bio_err, -no_ign_eof - don't ignore input eof\n); BIO_printf(bio_err, -ssl2 - just use SSLv2\n); BIO_printf(bio_err, -ssl3 - just use SSLv3\n); BIO_printf(bio_err, -tls1 - just use TLSv1\n); @@ -427,6 +428,8 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,-ign_eof) == 0) c_ign_eof=1; + else if (strcmp(*argv,-no_ign_eof) == 0) + c_ign_eof=0; else if (strcmp(*argv,-pause) == 0) c_Pause=1; else if (strcmp(*argv,-debug) == 0)
-- dwmw2
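Review bot: the new -no_ign_eof option only wins if it is given after -quiet, because the argument loop in the second hunk handles options in the order they appear and, as the description says, -quiet itself turns ign_eof on; `-no_ign_eof -quiet` would silently keep the endless loop. Either extend the usage string in the first hunk to say '(overrides -quiet, give it afterwards)', or record the user's explicit choice in a separate variable and apply it once after argument parsing so that order does not matter.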
[PATCH] Fix DTLS problems with reordered incoming packets
This patch to the 0.9.8 branch fixes two bugs with misordered incoming packets in DTLS, which are reported as RT #1752.
Firstly, the bitmap we use for replay protection was ending up with zero length, so a _single_ pair of packets getting switched around would cause one of them to be 'dropped'.
Secondly, it wasn't even _dropping_ the offending packets, in the non-blocking case. It was just returning garbage instead.
--- ssl/d1_lib.c~ 2008-10-02 06:43:47.0 +0100 +++ ssl/d1_lib.c2008-10-05 21:31:38.0 +0100 @@ -106,6 +106,7 @@ int dtls1_new(SSL *s) pq_64bit_init((d1-bitmap.map)); pq_64bit_init((d1-bitmap.max_seq_num)); + d1-next_bitmap.length = d1-bitmap.length; pq_64bit_init((d1-next_bitmap.map)); pq_64bit_init((d1-next_bitmap.max_seq_num)); --- ssl/d1_pkt.c~ 2008-10-02 06:43:47.0 +0100 +++ ssl/d1_pkt.c2008-10-05 21:44:54.0 +0100 @@ -597,6 +597,7 @@ again: /* check whether this is a repeat, or aged record */ if ( ! dtls1_record_replay_check(s, bitmap, (rr-seq_num))) { + rr-length = 0; s-packet_length=0; /* dump this record */ goto again; /* get another record */ }
-- dwmw2
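Review bot: the d1_lib.c hunk copies bitmap.length into next_bitmap.length inside dtls1_new(), which is only correct if bitmap.length has already been assigned earlier in that function (the quoted context shows only the pq_64bit_init() calls, so please confirm), and it does not cover the path where the bitmaps are reinitialised later (SSL_clear, or the epoch switch that promotes next_bitmap to bitmap); if that path resets the length, the zero-length replay window would come back after the first rekey. The d1_pkt.c change, setting rr->length to 0 before `goto again` in the replay-check failure path, is the right fix for the non-blocking garbage return, since the caller otherwise still sees the dropped record's length.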
[PATCH] Support DTLS compatibility with Cisco AnyConnect VPN
This patch against the 0.9.8 branch adds an SSL option for compatibility with the pre-RFC version of DTLS used by Cisco for their AnyConnect SSL VPN. This is RT #1751. With this patch, and with the two bug fixes I just posted, I now have a fully functional client operating with Cisco's VPN servers. Index: ssl/d1_clnt.c === RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_clnt.c,v retrieving revision 1.3.2.10 diff -u -p -r1.3.2.10 d1_clnt.c --- ssl/d1_clnt.c 4 Jun 2008 18:35:25 - 1.3.2.10 +++ ssl/d1_clnt.c 29 Sep 2008 08:27:31 - @@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s static SSL_METHOD *dtls1_get_client_method(int ver) { - if (ver == DTLS1_VERSION) + if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) return(DTLSv1_client_method()); else return(NULL); @@ -181,7 +181,8 @@ int dtls1_connect(SSL *s) s-server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); - if ((s-version 0xff00 ) != (DTLS1_VERSION 0xff00)) + if ((s-version 0xff00 ) != (DTLS1_VERSION 0xff00) + (s-version 0xff00 ) != (DTLS1_BAD_VER 0xff00)) { SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); ret = -1; Index: ssl/d1_lib.c === RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_lib.c,v retrieving revision 1.1.2.5 diff -u -p -r1.1.2.5 d1_lib.c --- ssl/d1_lib.c5 Oct 2007 21:05:27 - 1.1.2.5 +++ ssl/d1_lib.c29 Sep 2008 08:38:49 - @@ -186,7 +186,10 @@ void dtls1_free(SSL *s) void dtls1_clear(SSL *s) { ssl3_clear(s); - s-version=DTLS1_VERSION; + if (s-options SSL_OP_CISCO_ANYCONNECT) + s-version=DTLS1_BAD_VER; + else + s-version=DTLS1_VERSION; } /* Index: ssl/d1_pkt.c === RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_pkt.c,v retrieving revision 1.4.2.12 diff -u -p -r1.4.2.12 d1_pkt.c --- ssl/d1_pkt.c14 Sep 2008 17:57:03 - 1.4.2.12 +++ ssl/d1_pkt.c29 Sep 2008 08:27:31 - 
@@ -986,15 +986,17 @@ start: if (rr-type == SSL3_RT_CHANGE_CIPHER_SPEC) { struct ccs_header_st ccs_hdr; + int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; dtls1_get_ccs_header(rr-data, ccs_hdr); /* 'Change Cipher Spec' is just a single byte, so we know * exactly what the record payload has to look like */ /* XDTLS: check that epoch is consistent */ - if ((s-client_version == DTLS1_BAD_VER rr-length != 3) || - (s-client_version != DTLS1_BAD_VER rr-length != DTLS1_CCS_HEADER_LENGTH) || - (rr-off != 0) || (rr-data[0] != SSL3_MT_CCS)) + if (s-client_version == DTLS1_BAD_VER || s-version == DTLS1_BAD_VER) + ccs_hdr_len = 3; + + if ((rr-length != ccs_hdr_len) || (rr-off != 0) || (rr-data[0] != SSL3_MT_CCS)) { i=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); @@ -1310,7 +1312,7 @@ int do_dtls1_write(SSL *s, int type, con #if 0 /* 'create_empty_fragment' is true only when this function calls itself */ if (!clear !create_empty_fragment !s-s3-empty_fragment_done -SSL_version(s) != DTLS1_VERSION) +SSL_version(s) != DTLS1_VERSION SSL_version(s) != DTLS1_BAD_VER) { /* countermeasure against known-IV weakness in CBC ciphersuites * (see http://www.openssl.org/~bodo/tls-cbc.txt) Index: ssl/s3_clnt.c === RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/s3_clnt.c,v retrieving revision 1.88.2.17 diff -u -p -r1.88.2.17 s3_clnt.c --- ssl/s3_clnt.c 16 Jun 2008 16:56:41 - 1.88.2.17 +++ ssl/s3_clnt.c 29 Sep 2008 08:27:31 - @@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s) if (!ok) return((int)n); - if ( SSL_version(s) == DTLS1_VERSION) + if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) { if ( s-s3-tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { Index: ssl/ssl.h === RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/ssl.h,v retrieving revision 1.161.2.21 diff -u -p -r1.161.2.21 ssl.h --- ssl/ssl.h 13 Aug 2008 19:44:44 - 1.161.2.21 +++ ssl/ssl.h 29 Sep
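Review bot: the dtls1_clear() hunk chooses DTLS1_BAD_VER from s->options at clear time, so SSL_OP_CISCO_ANYCONNECT only takes effect when it is set on the SSL_CTX before SSL_new(), or when SSL_set_options() is followed by SSL_clear(); setting it on a live SSL object leaves s->version at DTLS1_VERSION. Document that requirement, or re-check the option where the version is consumed. The posted diff stops in the middle of the ssl/ssl.h hunk, so the bit value of SSL_OP_CISCO_ANYCONNECT, and whether it is free on the 0.9.8 branch, cannot be reviewed; please resend with the full hunk. Minor: the do_dtls1_write hunk changes code inside an `#if 0` block, so it has no runtime effect.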
Fwd: how to run gdb in openssl
Hi all,
Could anyone please tell me how to run gdb in openssl? In gdb I am running the command as path_of_bin/bin/openssl s_client -connect ipaddress:4433. But I get the error: Undefined command: . Try help. Why is it so? How do I ensure that gdb runs correctly?
Regards,
Prashanth
-- Forwarded message --
From: prashanth s joshi [EMAIL PROTECTED]
Date: Tue, Oct 7, 2008 at 6:52 PM
Subject: how to run gdb in openssl
To: [EMAIL PROTECTED]
Hi all, could anyone please tell me how to run gdb in openssl?
Regards,
Prashanth
Re: Fwd: how to run gdb in openssl
Hi,
> In gdb I am running the command as path_of_bin/bin/openssl s_client -connect ipaddress:4433. But I get the error: Undefined command: . Try help. Why is it so?
For gdb, loading an executable and running it are two separate steps. So starting 'gdb path_of_bin/bin/openssl' will start gdb and load the executable. Now, when you get to the gdb prompt, you can run the executable by 'run parameters', e.g. 'run -connect ipaddress:4433'. Normally, gdb documentation is not that bad; it should be described there as well ...
HTH,
Stefan
P.S.: No, I don't believe this is the appropriate list for general "how do I use gdb" questions ...
Re: help regarding random numbers in openssl
I see that you've cross-posted to both lists a few times; please don't. Most of your posts (if not all) belong on openssl-users. openssl-dev is for discussing the development of openssl itself, whereas openssl-users is for discussing development *using* openssl (or anything else related to openssl).
Thanks,
Geoff
On Tuesday 07 October 2008 11:47:42 prashanth s joshi wrote:
> Hi all, In the openssl code, which part actually handles catching the random numbers exchanged during the handshake?
> Regards,
> Prashanth..
--
An earthling is a monkey with car keys...
help regarding random numbers in openssl
Hi all,
In the openssl code, which part actually handles catching the random numbers exchanged during the handshake?
Regards,
Prashanth..