Re: DSA_sign maximum digest length?
Andrey Warkentin wrote:
> Hi everybody,
>
> I am not at all familiar with OpenSSL or DSA, but I was tinkering around
> trying to get DSA_sign/DSA_verify to work. I've stumbled upon a peculiar
> issue I have not seen brought up anywhere else, or documented. Somehow I
> am not able to sign messages longer than 20 bytes. The error message I am
> getting back is error:0A070064:lib(10):func(112):reason(100). I have not
> been able to find further info on this. Is there a maximum digest length?

DSA_sign/DSA_verify expect a SHA-1 message digest as input, hence
you need to hash your message before signing it. Alternatively you
may use EVP_SignInit etc.

Nils
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: using AES encryption
Quoting Nils Larsch <[EMAIL PROTECTED]>:

> Julien ALLANOS wrote:
> > Hello, I want to use AES encryption in my C application, but I am
> > missing documentation. I only have openssl/aes.h but there isn't any
> > manpage. Can someone point me to any how-to or source code? Thanks for
> > your help.
>
> consider using the EVP_Cipher* etc. functions (see EVP_CipherInit_ex
> manpage)
>
> Nils

Thanks Nils. This manpage shows a great example of an encryption/decryption function using this high-level API.

However, I have a last question: is there any limit on the input buffer size for EVP_CipherUpdate()? I see in the example that you're using 1024 bytes buffers inside a for loop. In my application, most of the buffers I'm encrypting using AES-192 are <1024 bytes, but there might be cases where a buffer has a greater size (not so much though). I'm wondering if calling EVP_CipherUpdate() only once would be generic enough to handle these situations, or if I should use a for loop as you did.

Thanks for any help.
--
Julien ALLANOS
Re: mini-ASN.1 compiler 0.9.8-beta5
I used those commands:

"openssl asn1parse -inform TXT -in in.txt -out out.tx"
and
"openssl asn1parse -genstr 'UTF8:Hello World' "

Then I tried to use it in the openssl.cnf file
"myextension=IA5STRING:Hello World"

Do you know where is the error?

bye
pana

2005/6/14, Nils Larsch <[EMAIL PROTECTED]>:
> pana wrote:
> > Hi,
> > I try to run the mini-ASN.1 compiler with several OpenSSL version but
> > it doesn't work. The "-genstr" option results ever unknown by the
> > system.
> > Where is the error? What I miss?
>
> works for me, what did you do ?
>
> Nils
problem verifying signature from java
I'm trying to get a client application written in C++ using OpenSSL to verify a signature sent by a server (in Java) and vice versa. Not sure I specified it correctly, but the signatures generated on both sides, from the same input data, are not the same, and therefore can't be verified. And this is using the same key, of course.

Here is the code in Java for signing it:

==
    String testKey =
        "-----BEGIN RSA PRIVATE KEY-----\n" +
        "MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n" +
        "2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n" +
        "oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n" +
        "8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n" +
        "a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n" +
        "WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n" +
        "6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n" +
        "-----END RSA PRIVATE KEY-----\n";

    String testCert =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n" +
        "VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv\n" +
        "bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy\n" +
        "dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X\n" +
        "DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw\n" +
        "EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l\n" +
        "dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT\n" +
        "EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp\n" +
        "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw\n" +
        "L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN\n" +
        "BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX\n" +
        "9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=\n" +
        "-----END CERTIFICATE-----\n";

    // same input string for both Java and C++
    String input = "9O2CQ14zAXEd7GzJ9XELhQH.aE6";

    public void doSign() {
        try {
            // Note: PEMReader is from BouncyCastle
            StringReader sReader = new StringReader(testKey);
            PEMReader pemReader = new PEMReader(sReader);
            KeyPair keypair = (KeyPair) pemReader.readObject();
            PrivateKey privKey = keypair.getPrivate();
            PublicKey pubKey = keypair.getPublic();

            sReader = new StringReader(testCert);
            pemReader = new PEMReader(sReader);
            X509Certificate cert = (X509Certificate)pemReader.readObject();
            PublicKey pubKey2 = cert.getPublicKey();

            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initSign(privKey);
            sig.update(input.getBytes());
            byte[] sigvalue = sig.sign();

            Base64 b64 = new Base64();
            byte[] b = b64.encode(sigvalue);
            String s = new String(b);
            System.out.println("'" + s + "'");

            sig.initVerify(pubKey2);
            sig.update(input.getBytes());
            boolean status = sig.verify(sigvalue);
            System.out.println(status);
        } catch(Exception e) {
            e.printStackTrace();
        }
    }
==

And the code in C for verifying:

==
    char * testKey =
        "-----BEGIN RSA PRIVATE KEY-----\n" \
        "MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n" \
        "2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n" \
        "oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n" \
        "8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n" \
        "a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n" \
        "WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n" \
        "6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n" \
        "-----END RSA PRIVATE KEY-----\n";

    char * testCert =
        "-----BEGIN CERTIFICATE-----\n" \
        "MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwga
Re: DSA_sign maximum digest length?
Whoops - thanks a lot! I guess for now I'll use the SHA1-Init/Update/Final functions, then look at the EVP higher level interface.

Thanks again for clarifying it.

On 6/15/05, Nils Larsch <[EMAIL PROTECTED]> wrote:
> Andrey Warkentin wrote:
> > Hi everybody,
> >
> > I am not at all familiar with OpenSSL or DSA, but I was tinkering around
> > trying to get DSA_sign/DSA_verify to work. I've stumbled upon a peculiar
> > issue I have not seen brought up anywhere else, or documented. Somehow I
> > am not able to sign messages longer than 20 bytes. The error message I am
> > getting back is error:0A070064:lib(10):func(112):reason(100). I have not
> > been able to find further info on this. Is there a maximum digest length?
>
> DSA_sign/DSA_verify expect a SHA-1 message digest as input, hence
> you need to hash your message before signing it. Alternatively you
> may use EVP_SignInit etc.
>
> Nils

--
here dup = negate dup invert negate dup dup + dup dup lshift invert negate
dup emit 2tuck rot 2tuck dup lshift + swap ( Andrey/Andrei Warkentin )
invert - emit 2tuck 2swap drop + + dup rot + swap emit rot dup invert
negate * + emit drop cr bye
make error on AMD64
Hi, I have a dual opteron box running slamd64 and am trying to compile openssl-engine-0.9.6m

$./config ./config
Operating system: x86_64-whatever-linux2
Configuring for linux-elf
Configuring for linux-elf
IsWindows=0
CC=gcc
CFLAG =-fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
EX_LIBS =-ldl
BN_ASM=asm/bn86-elf.o asm/co86-elf.o
DES_ENC =asm/dx86-elf.o asm/yx86-elf.o
BF_ENC=asm/bx86-elf.o
CAST_ENC =asm/cx86-elf.o
RC4_ENC =asm/rx86-elf.o
RC5_ENC =asm/r586-elf.o
MD5_OBJ_ASM =asm/mx86-elf.o
SHA1_OBJ_ASM =asm/sx86-elf.o
RMD160_OBJ_ASM=asm/rm86-elf.o
PROCESSOR =
RANLIB=/usr/bin/ranlib
PERL =/usr/bin/perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
[snip]
generating dummy tests (if needed)...
make[1]: Entering directory `/home/exim/openssl-engine-0.9.6m/test'
make[1]: Nothing to be done for `generate'.
make[1]: Leaving directory `/home/exim/openssl-engine-0.9.6m/test'
Configured for linux-elf

~/openssl-engine-0.9.6m$make
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.6
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.6
making all in crypto...
make[1]: Entering directory `/home/exim/openssl-engine-0.9.6m/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo ' /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \
echo ' #define CFLAGS "gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM"'; \
echo ' #define PLATFORM "linux-elf"'; \
echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
echo '#endif' ) >buildinf.h
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o cryptlib.o cryptlib.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o mem.o mem.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o mem_clr.o mem_clr.c
mem_clr.c: In function `OPENSSL_cleanse':
mem_clr.c:71: warning: cast from pointer to integer of different size
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o mem_dbg.o mem_dbg.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o cversion.o cversion.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o ex_data.o ex_data.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o tmdiff.o tmdiff.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o cpt_err.o cpt_err.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o ebcdic.o ebcdic.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o uid.o uid.c
ar r ../libcrypto.a cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
ar: creating ../libcrypto.a
You may get an error following this line. Please ignore.
/usr/bin/ranlib ../libcrypto.a
making all in crypto/md2...
make[2]: Entering directory `/home/exim/openssl-engine-0.9.6m/crypto/md2'
gcc -I.. -I../.. -I../../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o md2_dgst.o md2_dgst.c
gcc -I.. -I../.. -I../../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o md2_one.o md2_one.c
ar r ../../libcrypto.a md2_dgst.o md2_one.o
You may get an error following this line. Please ignore.
/usr/bin/ranlib ../../libcrypto.a
make[2]: Leaving directory `/home/exim/openssl-engine-0.9.6m/crypto/md2'
making all in crypto/md4...
make[2]: Entering directory `/home/exim/openssl-engine-0.9.6m/crypto/md4'
gcc -I.. -I../..
Re: using AES encryption
Quoting Julien ALLANOS <[EMAIL PROTECTED]>:

> Quoting Nils Larsch <[EMAIL PROTECTED]>:
>
> > Julien ALLANOS wrote:
> > > Hello, I want to use AES encryption in my C application, but I am
> > > missing documentation. I only have openssl/aes.h but there isn't any
> > > manpage. Can someone point me to any how-to or source code? Thanks for
> > > your help.
> >
> > consider using the EVP_Cipher* etc. functions (see EVP_CipherInit_ex
> > manpage)
> >
> > Nils
>
> Thanks Nils. This manpage shows a great example of an encryption/decryption
> function using this high-level API.
>
> However, I have a last question: is there any limit on the input buffer
> size for EVP_CipherUpdate()? I see in the example that you're using 1024
> bytes buffers inside a for loop. In my application, most of the buffers I'm
> encrypting using AES-192 are <1024 bytes, but there might be cases where a
> buffer has a greater size (not so much though). I'm wondering if calling
> EVP_CipherUpdate() only once would be generic enough to handle these
> situations, or if I should use a for loop as you did.
>
> Thanks for any help.

Actually, I have tested the following:

    EVP_CIPHER_CTX_init(&ctx);
    EVP_CipherInit_ex(&ctx, EVP_aes_192_ecb(), NULL, key->data, NULL, 1);

    if (!EVP_CipherUpdate(&ctx, ciphertext->data, (int *) &ciphertext->length,
                          plaintext->data, (int) plaintext->length))
    {
        EVP_CIPHER_CTX_cleanup(&ctx);
        return NULL;
    }

    if (!EVP_CipherFinal_ex(&ctx, ciphertext->data, (int *) &ciphertext->length))
    {
        EVP_CIPHER_CTX_cleanup(&ctx);
        return NULL;
    }

    EVP_CIPHER_CTX_cleanup(&ctx);

Here, key, plaintext and ciphertext are structs with an unsigned char * 'data' field and a size_t 'length' field. plaintext->length is 59 (in bytes), so I have allocated 59 + 16 bytes for ciphertext->data before the snippet of code above. But after encryption, ciphertext->length is only 16 bytes long!

Do I have to call EVP_CipherUpdate multiple times (and manage an offset for both plaintext and ciphertext) to encrypt the entire incoming data? If so, what's the purpose of the inl parameter if only a block length (16 bytes for AES) is read per call?

Thanks for any enlightenment.
--
Julien ALLANOS
Re: mini-ASN.1 compiler 0.9.8-beta5
pana wrote:
> I used those commands:
>
> "openssl asn1parse -inform TXT -in in.txt -out out.tx"

"openssl asn1parse ..." doesn't support "TXT" input

> and
> "openssl asn1parse -genstr 'UTF8:Hello World' "

works for me:

[EMAIL PROTECTED]:~> openssl version
OpenSSL 0.9.8-beta4-dev XX xxx
[EMAIL PROTECTED]:~> openssl asn1parse -genstr 'UTF8:Hello World'
0:d=0 hl=2 l= 11 prim: UTF8STRING

> Then I tried to use it in the openssl.cnf file
> "myextension=IA5STRING:Hello World"

did you read doc/openssl.txt ? what error messages do you get ?

Nils
Re: using AES encryption
Julien ALLANOS wrote:
...
> Actually, I have tested the following:
>
>     EVP_CIPHER_CTX_init(&ctx);
>     EVP_CipherInit_ex(&ctx, EVP_aes_192_ecb(), NULL, key->data, NULL, 1);
>
>     if (!EVP_CipherUpdate(&ctx, ciphertext->data, (int *) &ciphertext->length,
>                           plaintext->data, (int) plaintext->length))
>     {
>         EVP_CIPHER_CTX_cleanup(&ctx);
>         return NULL;
>     }
>
>     if (!EVP_CipherFinal_ex(&ctx, ciphertext->data, (int *) &ciphertext->length))

here you overwrite the previously set length and data. Have a look
at the do_crypt example in the EVP_EncryptInit manpage.

Nils
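The length and offset accounting behind this reply, as an added example that is not part of the original thread and is not OpenSSL code. `model_update` and `model_final` are hypothetical stand-ins that mirror the output contract of EVP_CipherUpdate and EVP_CipherFinal_ex for a 16-byte block cipher with padding; the block transform is a placeholder XOR, so only the byte counts are meaningful.

```c
#include <stdio.h>
#include <string.h>

#define BLK 16 /* AES block size in bytes */

/* Constructed stand-in for a cipher context: it buffers a partial block the
 * way the EVP layer does when encrypting with padding enabled. */
typedef struct {
    unsigned char key[BLK], buf[BLK];
    int buffered;
} model_ctx;

/* Placeholder block transform (XOR with the key). NOT encryption; only the
 * byte accounting matters in this example. */
static void model_block(const model_ctx *c, const unsigned char *in, unsigned char *out)
{
    for (int i = 0; i < BLK; i++) out[i] = in[i] ^ c->key[i];
}

void model_init(model_ctx *c, const unsigned char *key)
{
    memcpy(c->key, key, BLK);
    c->buffered = 0;
}

/* Output contract of EVP_CipherUpdate: whole blocks only, and *outl is the
 * number of bytes written by THIS call. */
int model_update(model_ctx *c, unsigned char *out, int *outl,
                 const unsigned char *in, int inl)
{
    *outl = 0;
    if (inl < 0) return 0;
    while (inl > 0) {
        int take = BLK - c->buffered;
        if (take > inl) take = inl;
        memcpy(c->buf + c->buffered, in, (size_t)take);
        c->buffered += take; in += take; inl -= take;
        if (c->buffered == BLK) {
            model_block(c, c->buf, out + *outl);
            *outl += BLK;
            c->buffered = 0;
        }
    }
    return 1;
}

/* Output contract of EVP_CipherFinal_ex: pads and writes the last block;
 * *outl is again the count for THIS call only (always BLK here). */
int model_final(model_ctx *c, unsigned char *out, int *outl)
{
    int pad = BLK - c->buffered;
    memset(c->buf + c->buffered, pad, (size_t)pad);
    model_block(c, c->buf, out);
    *outl = BLK;
    c->buffered = 0;
    return 1;
}

/* Pattern from the thread: Final gets the same pointer and length variable
 * as Update, so the first block and the length are overwritten. */
int encrypt_overwriting(const unsigned char *key, const unsigned char *pt,
                        int ptlen, unsigned char *ct)
{
    model_ctx c;
    int len = 0;
    model_init(&c, key);
    if (!model_update(&c, ct, &len, pt, ptlen)) return -1;
    if (!model_final(&c, ct, &len)) return -1;
    return len;
}

/* Corrected pattern: Final writes after Update's output, counts are summed.
 * Counts go into real ints; casting size_t * to int * is not portable. */
int encrypt_accumulating(const unsigned char *key, const unsigned char *pt,
                         int ptlen, unsigned char *ct, int ctcap)
{
    model_ctx c;
    int len = 0, tail = 0;
    if (ptlen < 0 || ctcap < BLK || ptlen > ctcap - BLK) return -1;
    model_init(&c, key);
    if (!model_update(&c, ct, &len, pt, ptlen)) return -1;
    if (!model_final(&c, ct + len, &tail)) return -1;
    return len + tail;
}

int main(void)
{
    unsigned char key[BLK], pt[59], ct[59 + BLK];
    memset(key, 0x2a, sizeof key); /* constructed sample key and plaintext */
    memset(pt, 'A', sizeof pt);
    printf("overwriting:  %d\n", encrypt_overwriting(key, pt, 59, ct));
    printf("accumulating: %d\n", encrypt_accumulating(key, pt, 59, ct, (int)sizeof ct));
    return 0;
}
```

With the real API the same change is to pass the output pointer advanced by the count Update reported, plus a second int, to EVP_CipherFinal_ex, and then store the sum in the caller's length field.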
sendmail + STARTTLS w/ evolution = error:1408A0C1
Hello All,

I'm currently having a problem with setting up STARTTLS with my sendmail on my FreeBSD 5.3 box. I've used openssl to create the cert and key:

    openssl dsaparam 1024 -out dsa1024.pem
    openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem

my version of openssl: OpenSSL 0.9.7d 17 Mar 2004

I've recompiled sendmail to use ssl and then added the following to my sendmail.cf:

    define(`CERT_DIR', `/etc/mail/certs')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/mycert.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl

However, when I attempt to connect the server with evolution, evolution gives me an "unable to connect error." Sendmail logs the following error:

Jun 15 13:53:41 zeppo sm-mta[17104]: j5FKrfYA017104: Milter: no active filter
Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server, error: accept failed=-1, SSL_error=1, timedout=0, errno=0
Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server: 17104:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:887:
Jun 15 13:53:41 zeppo sm-mta[17104]: j5FKrfYA017104: [65.125.115.243] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

When I use the openssl client to connect, I get the following results:

misato.awclemen> openssl s_client -starttls smtp -connect zeppo.candhsoftware.com:25
CONNECTED(0003)
depth=0 /C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
   i:/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
---
Server certificate
subject=/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
issuer=/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
---
Acceptable client certificate CA names
/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
---
SSL handshake has read 1861 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher: DHE-DSS-AES256-SHA
    Session-ID: 28239EBE3C499BDD7E00B2F0FE3A7645E65AC135348B8FE6F4990843579F94F7
    Session-ID-ctx:
    Master-Key: 5651D294B719C6C19FA743A0EE0EC7B1E00F2AD1AD8E70AD072715165690E0AC919193A5148AE24111BCA86433621264
    Key-Arg : None
    Start Time: 1118876232
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 zeppo.candhsoftware.com ESMTP Sendmail 8.13.1/8.13.1; Wed, 15 Jun 2005 15:41:53 -0700 (MST)
helo misato.candhsoftware.com
250 zeppo.candhsoftware.com Hello [65.125.115.243], pleased to meet you
quit
221 2.
RE: [Fwd: Re: Queries over OpenSSL programs]
Hi there,

Can any body please tell me, where can I find the answers to these questions?

Thanks
-Rohan

Original Message
Subject: Re: Queries over OpenSSL programs
From: "Rohan Shrivastava" <[EMAIL PROTECTED]>
Date: Wed, June 8, 2005 8:03 am
To: openssl-users@openssl.org
--

Riaz,

Thanks for the help, I am able to dump the packets using ssldump.
Some of my queries are still unanswered. I am again pasting it here.

>> [#]. If they are able to communicate in a secured session,
>> then how come they completed SSL handshake without random number source(I think it is required at time of Handshake)?

the default random file is in /dev/urandom in linux .. check the environment variable rand and see where it's pointing to.

>>
>> [#]. How can I authenticate Clients (any sample code will help me a lot) or what is function used for asking Client's certificate ?

There is an option in SSL that can be set either in the SSL_CTX or in the SSLOBJECT depending on whether you need to enforce "client auth" always or based on certain requirement. If set in CTX it is always enforced.

    SSL_CTX_set_verify(pSSLCtx, SSL_VERIFY_PEER, client_cert_verify_callback);
    SSL_set_verify(pSSLCtx,SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, client_cert_verify_callback);

this callback function will be executed when the client cert is sent to the server, once this option is set, SSL_accept will automatically prompt for a client cert.

>>
>> [#]. Is the loading CAs list, required at the server/client (as here I did not load) ,if required then how can I create such list as I am using this in local network?

This is not mandatory, depends on what ctx/sslobj options you have set. you can use openssl tools to generate the same.

>>
>> [#]. Also can I place the code here?

Thanks
-Rohan

> use ssldump or tcpdump to view if the connection is being established in a secure manner
>
> On 6/7/05, Rohan Shrivastava <[EMAIL PROTECTED]> wrote:
>>
>> Hello,
>>
>> I am new to OpenSSL programming through C.
>>
>> This is my first program, so I am not sure whether
>> I have achieved secure session between client and server or not, though they are able to communicate
>> using SSL_write/read functions.
>>
>> This is how I did the things
>>
>> At server I loaded certificate & private key & after accepting
>> TCP connection I accepted SSL session request.
>> & then started communicating with Client.
>>
>> At client I just used SSLv3_method() & SSL_CTX_new() functions to get new
>> ctx object.
>> Here after setting up TCP connection I initiated SSL connection request, & on success it communicates with server.
>>
>> I tried to load Random file with the following code, but could not get through,
>> so I did without random source (for both client & server).
>>
>> #define RANDOM "/dev/random"
>>
>> if (!(RAND_load_file(RANDOM,1024*1024))) {
>>     printf("\n Error in loading random file");
>>     exit(0);
>> }
>>
>>
>> I generated Certificate & Keys with the following commands
>>
>> openssl -genrsa 1024 -out key.pem
>> openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem
>>
>> Now my queries are:
>>
>> [#]. How can I be sure that session is secure?
>>
>> [#]. If they are able to communicate in a secured session,
>> then how come they completed SSL handshake without random number source (I think it is required at time of Handshake)?
>>
>> [#]. How can I authenticate Clients (any sample code will help me a lot) or what is function used for asking Client's certificate ?
>>
>> [#]. Is the loading CAs list, required at the server/client (as here I did
>> not load) ,if required then how can I create such list as I am using this
>> in local network?
>>
>> [#]. Also can I place the code here?
>>
>>
>> Any help will be highly appreciated
>>
>> Thanks
>> -Rohan
>
> --
> Thank you,
> Best Regards
> Riaz Ur Rahaman
Re: sendmail + STARTTLS w/ evolution = error:1408A0C1
On Wed, Jun 15, 2005, Andy W. Clements wrote:

> I'm currently having a problem with setting up STARTTLS with my sendmail
> on my FreeBSD 5.3 box. I've used openssl to create the cert and key:
>
> openssl dsaparam 1024 -out dsa1024.pem
> openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout
> mykey.pem

Try an RSA key instead, most systems have problems with DSA
(sendmail works fine however).

> Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server:
> 17104:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:887:

Typical indication that the client doesn't support DSA.
You can use ssldump to see what's going on.

> I have no ideas what the error message in the sendmail log is telling
> me, can someone give me a clue what needs to be done?

1. See above.
2. See the source code (the OpenSSL error message kindly provides
   that information).