Profiling openssl functions
Hi,

I want to get profiling information about my applications, but if my application contains openssl functions, then I cannot get profiling information. gprof (software for profiling applications) reports 0 milliseconds for all functions that I have made that use openssl functions. I use g++, but the source code is written in C, and gprof.

I have also attempted to install the openssl library in debugging mode:

    ./config -d
    make
    make test
    make install

but when I want to compile my applications, I get many undefined reference errors about internal openssl functions. I don't understand why these errors are there; furthermore, I don't understand why it compiles the openssl functions that are where I decompressed the openssl tar.gz.

At the moment I cannot send the exact errors, but if somebody needs these, then I can send them later.

If somebody knows how I can solve this problem, please answer.

Thank you very much.

Ivan.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: About RFC3546 (TLS extensions)
The servername and srp authentication are supported by http://www.edelweb.fr/EdelKey/

I am interested in adding extensions support for tls protocol. It seems that OpenSSL does not support it yet. So, if anyone has done something on this, can I join in and offer some efforts?
How to generate a random salt
How do I portably generate a random salt within a C program for use in PKCS#5 v2.0 key derivation?

I find that just calling RAND_bytes() works OK on Win32 using 0.9.6 and later, but not with 0.9.5. I can fix it by calling RAND_screen() first. Is this OK? Do I also need to call RAND_screen() for 0.9.6+ or is it safe to omit it?

What about other OS's? The FAQ notes that /dev/[u]random is used where present; does that imply that I don't need to do anything prior to calling RAND_bytes() for such OS's?

For the remaining OS's I'm instructed to call RAND_add() or RAND_seed() first. Where do I get the data to pass to those functions from without requiring the user of my application having EGD available?

Finally, if RAND_bytes fails is there any merit in falling back on RAND_pseudo_bytes(), or is that not suitable for generating a salt? (I may also need to generate an IV by the same means.)

- Steve
Radan Computational Ltd.
how do i use a CRL file to verify a certificate against?
i can verify a certificate against a root certificate, with

    openssl verify -CAfile root.ca rsacert.pem

but how do i know that the certificate i try to verify has not been revoked?

JonB
RE: how do i use a CRL file to verify a certificate against?
You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root ca has been compromised, that is when you usually hit the big red panic button and shut down the shop.

-----Original Message-----
From: Jon Bendtsen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: how do i use a CRL file to verify a certificate against?

i can verify a certificate against a root certificate, with

    openssl verify -CAfile root.ca rsacert.pem

but how do i know that the certificate i try to verify has not been revoked?

JonB
Re: how do i use a CRL file to verify a certificate against?
On 21 Sep 2004, at 15:43, Lee Baydush wrote:

    You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root ca has been compromised, that is when you usually hit the big red panic button and shut down the shop.

no no, it's not the root ca that has been revoked, but a certificate that was signed by the root ca. I would like to know if the certificate has been revoked, and i would expect i could verify against a CRL

JonB
little question
Hi all !

I must encapsulate OpenSSL to make a simple SSL API. Have you some propositions to do ? I think to propose few functions like :

- Init(peer_type) /* client or server */
- Configure(arg, value) /* port, address, SSL version ...*/
- Read()
- Write()
- Close()
- Create_certificate_request()
- Is_certificate_revoked()
- Verify_server_certificate()
- Import_certificate()

Is it enough ?

TIA, have a good day
Re: how do i use a CRL file to verify a certificate against?
Jon Bendtsen wrote:

    i can verify a certificate against a root certificate, with openssl verify -CAfile root.ca rsacert.pem but how do i know that the certificate i try to verify has not been revoked?

At the risk of seeming to oversimplify a VERY complicated issue:

1. You have been downloading Certificate Revocation Lists (CRLs) from the CA that issued the certificate, so you have a current CRL, and the serial number of the certificate in question does NOT appear on that CRL (this is one reason serial numbers must be unique).

-or-

2. You conduct an Online Certificate Status Protocol (OCSP) transaction with the verification point listed in the certificate.

I suspect consulting the appropriate Internet RFC documents might be informative, although googling for OCSP and/or Certificate Revocation Lists would also bring in much info...

Note that this must be done by the verifying party, which in most cases on the Internet is a web browser like IE or Netscape, so we don't have access to the source code and we are at the mercy of the software vendors as to how and when this is done.

My sense at this point is that there is not a whole lot of OCSP being done out there (comments?) nor do end-users really religiously download CRLs, so the issue of revocation is a bit of an embarrassment for the PKI community as a whole. Maybe this is one of the reasons why PKI is three years out, and has been for the past five years...

For our part, we are issuing fairly short-lived (1 year) end user certificates, knowing that if worst comes to worst, our losses are limited to one year's exposure. We hope that is good enough for a medium security PKI.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
RE: how do i use a CRL file to verify a certificate against?
ok. You get the CDP from the certificate, load the CRL from the CDP, verify the CRL against the root cert. to verify that the signature matches, it has not expired, etc. , then see if the cert's number is in the CRL. Check out the book 'OpenSSL' by O'Reilly. It walks you through all that, or you can examine some of the samples that call routines like X509_verify_cert().

-----Original Message-----
From: Jon Bendtsen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 9:50 AM
To: [EMAIL PROTECTED]
Subject: Re: how do i use a CRL file to verify a certificate against?

On 21 Sep 2004, at 15:43, Lee Baydush wrote:

    You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root ca has been compromised, that is when you usually hit the big red panic button and shut down the shop.

no no, it's not the root ca that has been revoked, but a certificate that was signed by the root ca. I would like to know if the certificate has been revoked, and i would expect i could verify against a CRL

JonB
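Added example, not part of any message in this thread: the CRL check described in the two replies above, done with the openssl command line against a throwaway CA that issues, then revokes, one certificate. Every file and subject name is constructed for the demo, and the CRL is generated locally rather than fetched from a distribution point.

```shell
# Added demo: every file name and subject below is constructed for this example.
# check_revocation ROOT CRL CERT  ->  prints good | revoked | failed
check_revocation() {
    bundle=$(mktemp) && cat "$1" "$2" > "$bundle" || return 1
    # -CAfile loads PEM certificates and CRLs alike, so one bundle carries both
    out=$(openssl verify -crl_check -CAfile "$bundle" "$3" 2>&1) || true
    rm -f "$bundle"
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*) echo good ;;
        *) echo failed ;;   # e.g. no CRL found, CRL expired, bad signature
    esac
}
req_cmd() { openssl req -config ca.cnf -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
ca_cmd() { openssl ca -config ca.cnf -md sha256 -cert root.ca -keyfile ca.key "$@" 2>/dev/null; }
# Throwaway CA in directory $1: root.ca, ca.key and one issued leaf, rsacert.pem
make_demo_ca() {
    cd "$1" && mkdir newcerts && : > index.txt && echo 01 > serial || return 1
    cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = newcerts
serial = serial
policy = pol
[pol]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    req_cmd -x509 -subj "/CN=Demo Root CA" -keyout ca.key -out root.ca &&
    req_cmd -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr &&
    ca_cmd -batch -days 30 -notext -in leaf.csr -out rsacert.pem
}
run_demo() (
    d=$(mktemp -d) && make_demo_ca "$d" || exit 1
    ca_cmd -gencrl -crldays 7 -out crl.pem
    before=$(check_revocation root.ca crl.pem rsacert.pem)
    ca_cmd -revoke rsacert.pem && ca_cmd -gencrl -crldays 7 -out crl.pem
    after=$(check_revocation root.ca crl.pem rsacert.pem)
    cd / && rm -rf "$d"
    echo "$before $after"
)
run_demo    # prints: good revoked
```

The "failed" branch matters in practice: with -crl_check a missing or expired CRL is a verification error, not a pass.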
you mean Network Security with OpenSSL ? RE: how do i use a CRL file to verify a certificate against?
Do you mean the book

    Network Security with OpenSSL
    Cryptography for Secure Communications
    By John Viega, Matt Messier, Pravir Chandra
    June 2002
    ISBN: 0-596-00270-X

or is there another SSL book by O'Reilly? Network Security with OpenSSL is NOT an optional read if you work with this stuff. You can get it by subscribing to safari.oreilly.com, which is a great investment.

Lee Baydush [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/21/2004 11:40 AM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: RE: how do i use a CRL file to verify a certificate against?

ok. You get the CDP from the certificate, load the CRL from the CDP, verify the CRL against the root cert. to verify that the signature matches, it has not expired, etc. , then see if the cert's number is in the CRL. Check out the book 'OpenSSL' by O'Reilly. It walks you through all that, or you can examine some of the samples that call routines like X509_verify_cert().

-----Original Message-----
From: Jon Bendtsen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 9:50 AM
To: [EMAIL PROTECTED]
Subject: Re: how do i use a CRL file to verify a certificate against?

On 21 Sep 2004, at 15:43, Lee Baydush wrote:

    You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root ca has been compromised, that is when you usually hit the big red panic button and shut down the shop.

no no, it's not the root ca that has been revoked, but a certificate that was signed by the root ca. I would like to know if the certificate has been revoked, and i would expect i could verify against a CRL

JonB
FW: OpenSSL and Outlook (2000)
As far as I see in msdn, the code 0x800b010f seems to indicate that the common name in the server cert is not identical to the hostname.

I'd recommend having something like the following in your config file for your server:

    extensions = x509v3

    [ x509v3 ]
    subjectAltName = DNS:theserver.edelweb.fr
    keyUsage = digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth
    basicConstraints = CA:false
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid

    [ req ]
    default_bits = 1024
    distinguished_name = req_DN
    default_md = sha1
    string_mask = pkix

    [ req_DN ]
    countryName = 1. Country Name (2 letter code)
    countryName_value = FR
    0.organizationName = 4. Organization Name (eg, company)
    0.organizationName_value = EdelWeb
    commonName = 6. Common Name (eg, FQDN)
    commonName_value = theserver.edelweb.fr

D0h, I should have done a search on that error code.

One thing, I used a CN of Mailbox Certificate Authority for the RootCA and the FQDN for the CN (mailbox.simutronics.com) for the server Cert -- But I remember somewhere that you shouldn't use the same CN for both the RootCA and your server cert(s). Anyway, I'm going to try and re-create my RootCA and Server cert, use the same CN and see what happens.

Thank you for your suggestions Peter, I appreciate the input very much.

--Jim