Re: DSA_sign maximum digest length?

2005-06-15 Thread Nils Larsch

Andrey Warkentin wrote:

Hi everybody,

I am not at all familiar with OpenSSL or DSA, but I was tinkering around 
trying to get
DSA_sign/DSA_verify to work. I've stumbled upon a peculiar issue I have 
not seen brought
up anywhere else, or documented. Somehow I am not able to sign messages 
longer than 20 bytes.
The error message I am getting back is 
error:0A070064:lib(10):func(112):reason(100). I have not been able to 
find further info on this. Is there a maximum digest length?


DSA_sign/DSA_verify expect a SHA-1 message digest as input, hence
you need to hash your message before signing it. Alternative you
may use EVP_SignInit etc.

Nils
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: using AES encryption

2005-06-15 Thread Julien ALLANOS

Quoting Nils Larsch [EMAIL PROTECTED]:


Julien ALLANOS wrote:

Hello, I want to use AES encryption in my C application, but I am missing
documentation. I only have openssl/aes.h but there isn't any manpage. Can
someone points me to any how-to or source code? Thanks for you help.


consider using the EVP_Cipher* etc. functions (see EVP_CipherInit_ex
manpage)

Nils


Thanks Nils. This manpage shows a great example of an encryption/decryption
function using this high-level API. However, I have a last question: is there
any limit on the input buffer size for EVP_CipherUpdate()? I see in the 
example
that you're using 1024 bytes buffers inside a for loop. In my 
application, most
of the buffers I'm encrypting using AES-192 are 1024 bytes, but there 
might be

cases where a buffer has a greater size (not so much though). I'm wondering if
calling EVP_CipherUpdate() only once would be generic enough to handle these
situations, or if I should use a for loop as you did. Thanks for any help.
--
Julien ALLANOS
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: mini-ASN.1 compiler 0.9.8-beta5

2005-06-15 Thread pana
I used those commands: openssl asn1parse -inform TXT -in in.txt -out out.tx
and openssl asn1parse -genstr 'UTF8:Hello World' 
Then I tryed to use it in the openssl.cnf file
myextension=IA5STRING:Hello World
Do you know where is the error?

bye
pana

2005/6/14, Nils Larsch [EMAIL PROTECTED]:
 pana wrote:
  Hi,
  I try to run the mini-ASN.1 compiler with several OpenSSL version but
  it doesn't work. The -genstr option results ever unknown by the
  system.
  Where is the error? What I miss?
 
 works for me, what did you do ?
 
 Nils
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


problem verifying signature from java

2005-06-15 Thread coco coco
I'm trying to get a client application written in C++ using OpenSSL to 
verify a signature sent by a
server (in Java) and vice versa. Not sure I specified it correctly, but the 
signatures generated on
both sides, from the same input data, are not the same, and therefore, can't 
be verify. And this

is using the same key, of course.

Here is the code in Java for signing it:

==
String testKey =
-BEGIN RSA PRIVATE KEY-\n +

MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n +

2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n +

oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n +

8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n +

a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n +

WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n +
6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n +
-END RSA PRIVATE KEY-\n;

String testCert =
-BEGIN CERTIFICATE-\n +

MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n +

VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv\n +

bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy\n +

dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X\n +

DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw\n +

EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l\n +

dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT\n +

EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp\n +

MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw\n +

L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN\n +

BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX\n +
9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=\n +
-END CERTIFICATE-\n;

  // same input string for both Java and C++
String input = 9O2CQ14zAXEd7GzJ9XELhQH.aE6;

public void doSign()
{
try
{
  // Note: PEMReader is from BouncyCastle
StringReader sReader = new StringReader(testKey);
PEMReader pemReader = new PEMReader(sReader);

KeyPair keypair = (KeyPair) pemReader.readObject();

PrivateKey privKey = keypair.getPrivate();
PublicKey pubKey = keypair.getPublic();

sReader = new StringReader(testCert);
pemReader = new PEMReader(sReader);

X509Certificate cert = 
(X509Certificate)pemReader.readObject();
PublicKey pubKey2 = cert.getPublicKey();

Signature sig = Signature.getInstance(SHA1withRSA);
sig.initSign(privKey);
sig.update(input.getBytes());

byte[] sigvalue = sig.sign();

Base64 b64 = new Base64();
byte[] b = b64.encode(sigvalue);
String s = new String(b);
System.out.println(' + s + ');

sig.initVerify(pubKey2);
sig.update(input.getBytes());
boolean status = sig.verify(sigvalue);

System.out.println(status);

}
catch(Exception e)
{
e.printStackTrace();
}
}

==

And the code in C for verifying:

==

char * testKey =
-BEGIN RSA PRIVATE KEY-\n \

MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n \

2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n \

oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n \

8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n \

a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n \

WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n \
6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n \
-END RSA PRIVATE KEY-\n;

char * testCert =
-BEGIN CERTIFICATE-\n \

MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n \


Re: DSA_sign maximum digest length?

2005-06-15 Thread Andrey Warkentin
Whoops - thanks a lot! I guess for now I'll use the
SHA1-Init/Update/Final functions, then look at the EVP higher level
interface. Thanks again for clarifying it.

On 6/15/05, Nils Larsch [EMAIL PROTECTED] wrote:
 Andrey Warkentin wrote:
  Hi everybody,
 
  I am not at all familiar with OpenSSL or DSA, but I was tinkering around
  trying to get
  DSA_sign/DSA_verify to work. I've stumbled upon a peculiar issue I have
  not seen brought
  up anywhere else, or documented. Somehow I am not able to sign messages
  longer than 20 bytes.
  The error message I am getting back is
  error:0A070064:lib(10):func(112):reason(100). I have not been able to
  find further info on this. Is there a maximum digest length?
 
 DSA_sign/DSA_verify expect a SHA-1 message digest as input, hence
 you need to hash your message before signing it. Alternative you
 may use EVP_SignInit etc.
 
 Nils
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
 


-- 
here
dup = 
negate
dup invert 
negate dup dup +
dup dup lshift invert
negate dup emit 2tuck
rot 2tuck dup lshift + swap
( Andrey/Andrei Warkentin )
invert - emit 2tuck 2swap drop
+ + dup rot + swap emit rot dup
invert negate * + emit drop cr bye
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


make error on AMD64

2005-06-15 Thread Ronan McGlue

Hi i have a dual opteron box running slamd64 and am trying to compile

openssl-engine-0.9.6m$./config

./config
Operating system: x86_64-whatever-linux2
Configuring for linux-elf
Configuring for linux-elf
IsWindows=0
CC=gcc
CFLAG =-fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM 
-DMD5_ASM -DRMD160_ASM

EX_LIBS   =-ldl
BN_ASM=asm/bn86-elf.o asm/co86-elf.o
DES_ENC   =asm/dx86-elf.o asm/yx86-elf.o
BF_ENC=asm/bx86-elf.o
CAST_ENC  =asm/cx86-elf.o
RC4_ENC   =asm/rx86-elf.o
RC5_ENC   =asm/r586-elf.o
MD5_OBJ_ASM   =asm/mx86-elf.o
SHA1_OBJ_ASM  =asm/sx86-elf.o
RMD160_OBJ_ASM=asm/rm86-elf.o
PROCESSOR =
RANLIB=/usr/bin/ranlib
PERL  =/usr/bin/perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined

[snip]

generating dummy tests (if needed)...
make[1]: Entering directory `/home/exim/openssl-engine-0.9.6m/test'
make[1]: Nothing to be done for `generate'.
make[1]: Leaving directory `/home/exim/openssl-engine-0.9.6m/test'

Configured for linux-elf

~/openssl-engine-0.9.6m$make
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.6
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.6
making all in crypto...
make[1]: Entering directory `/home/exim/openssl-engine-0.9.6m/crypto'
( echo #ifndef MK1MF_BUILD; \
echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c 
*/'; \
echo '  #define CFLAGS gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM'; \

echo '  #define PLATFORM linux-elf'; \
echo   #define DATE \`LC_ALL=C LC_TIME=C date`\; \
echo '#endif' ) buildinf.h
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cryptlib.o cryptlib.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem.o mem.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem_clr.o mem_clr.c

mem_clr.c: In function `OPENSSL_cleanse':
mem_clr.c:71: warning: cast from pointer to integer of different size
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem_dbg.o mem_dbg.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cversion.o cversion.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o ex_data.o ex_data.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o tmdiff.o tmdiff.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cpt_err.o cpt_err.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o ebcdic.o ebcdic.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o uid.o uid.c
ar r ../libcrypto.a cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o 
ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o

ar: creating ../libcrypto.a
You may get an error following this line. Please ignore.
/usr/bin/ranlib ../libcrypto.a
making all in crypto/md2...
make[2]: Entering directory `/home/exim/openssl-engine-0.9.6m/crypto/md2'
gcc -I.. -I../.. -I../../include -fPIC -DTHREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer 
-m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o md2_dgst.o md2_dgst.c
gcc -I.. -I../.. -I../../include -fPIC -DTHREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer 
-m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o md2_one.o md2_one.c

ar r ../../libcrypto.a md2_dgst.o md2_one.o
You may get an error following this line. Please ignore.
/usr/bin/ranlib ../../libcrypto.a
make[2]: Leaving directory `/home/exim/openssl-engine-0.9.6m/crypto/md2'
making all in crypto/md4...
make[2]: Entering directory `/home/exim/openssl-engine-0.9.6m/crypto/md4'
gcc -I.. -I../.. 

Re: using AES encryption

2005-06-15 Thread Julien ALLANOS

Quoting Julien ALLANOS [EMAIL PROTECTED]:


Quoting Nils Larsch [EMAIL PROTECTED]:


Julien ALLANOS wrote:

Hello, I want to use AES encryption in my C application, but I am missing
documentation. I only have openssl/aes.h but there isn't any manpage. Can
someone points me to any how-to or source code? Thanks for you help.


consider using the EVP_Cipher* etc. functions (see EVP_CipherInit_ex
manpage)

Nils


Thanks Nils. This manpage shows a great example of an encryption/decryption
function using this high-level API. However, I have a last question: is there
any limit on the input buffer size for EVP_CipherUpdate()? I see in 
the example
that you're using 1024 bytes buffers inside a for loop. In my 
application, most
of the buffers I'm encrypting using AES-192 are 1024 bytes, but 
there might be
cases where a buffer has a greater size (not so much though). I'm 
wondering if

calling EVP_CipherUpdate() only once would be generic enough to handle these
situations, or if I should use a for loop as you did. Thanks for any help.


Actually, I have tested the following:

   EVP_CIPHER_CTX_init(ctx);
   EVP_CipherInit_ex(ctx, EVP_aes_192_ecb(), NULL, key-data, NULL, 1);

   if (!EVP_CipherUpdate(ctx, ciphertext-data, (int *) ciphertext-length,
   plaintext-data, (int) plaintext-length))
   {
   EVP_CIPHER_CTX_cleanup(ctx);
   return NULL;
   }

   if (!EVP_CipherFinal_ex(ctx, ciphertext-data,
   (int *) ciphertext-length))
   {
   EVP_CIPHER_CTX_cleanup(ctx);
   return NULL;
   }

   EVP_CIPHER_CTX_cleanup(ctx);

Here, key, plaintext and ciphertext are structs with an unsigned char * 'data'
field and a size_t 'length' field. plaintext-length is 59 (in bytes), so I
have allocated 59 + 16 bytes for ciphertext-data before the snippet of code
above. But after encryption, ciphertext-length is only 16 bytes long! Do I
have to call EVP_CipherUpdate multiple times (and manage an offset for both
plaintext and ciphertext) to encrypt the entire incoming data? If so, what's
the purpose of the inl parameter if only a block length (16 bytes for AES) is
read per call? Thanks for any enlightenment.
--
Julien ALLANOS
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: mini-ASN.1 compiler 0.9.8-beta5

2005-06-15 Thread Nils Larsch

pana wrote:

I used those commands: openssl asn1parse -inform TXT -in in.txt -out out.tx


openssl asn1parse ... doesn't support TXT input


and openssl asn1parse -genstr 'UTF8:Hello World' 


works for me:

[EMAIL PROTECTED]:~ openssl version
OpenSSL 0.9.8-beta4-dev XX xxx 
[EMAIL PROTECTED]:~ openssl asn1parse -genstr 'UTF8:Hello World'
0:d=0  hl=2 l=  11 prim: UTF8STRING


Then I tryed to use it in the openssl.cnf file
myextension=IA5STRING:Hello World


did you read doc/openssl.txt ?

what error messages do you get ?

Nils
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: using AES encryption

2005-06-15 Thread Nils Larsch

Julien ALLANOS wrote:
...

Actually, I have tested the following:

   EVP_CIPHER_CTX_init(ctx);
   EVP_CipherInit_ex(ctx, EVP_aes_192_ecb(), NULL, key-data, NULL, 1);

   if (!EVP_CipherUpdate(ctx, ciphertext-data, (int *) 
ciphertext-length,

   plaintext-data, (int) plaintext-length))
   {
   EVP_CIPHER_CTX_cleanup(ctx);
   return NULL;
   }

   if (!EVP_CipherFinal_ex(ctx, ciphertext-data,
   (int *) ciphertext-length))


here you overwrite the previously set length and data. Have a look
at the do_crypt example in the EVP_EncryptInit manpage.

Nils
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


sendmail + STARTTLS w/ evolution = error:1408A0C1

2005-06-15 Thread Andy W. Clements
Hello All,

I'm currently having a problem with setting up STARTTLS with my sendmail
on my FreeBSD 5.3 box.  I've used openssl to create the cert and key:

openssl dsaparam 1024 -out dsa1024.pem
openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout
mykey.pem

my version of openssl:
OpenSSL 0.9.7d 17 Mar 2004

I've recompiled sendmail to use ssl and then added the following to my
sendmail.cf:
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl

However, when I attempt to connect the server with evolution, evolution 
gives me an unable to connect error.

Sendmail logs the following error:

Jun 15 13:53:41 zeppo sm-mta[17104]: j5FKrfYA017104: Milter: no active
filter
Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server, error: accept
failed=-1, SSL_error=1, timedout=0, errno=0
Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server:
17104:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:887:
Jun 15 13:53:41 zeppo sm-mta[17104]: j5FKrfYA017104: [65.125.115.243]
did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA


When I use the openssl client to connect, I get the following results:

misato.awclemen openssl s_client -starttls smtp -connect
zeppo.candhsoftware.com:25
CONNECTED(0003)
depth=0 /C=US/ST=Arizona/L=Tucson/O=C  H Software
L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Arizona/L=Tucson/O=C  H Software
L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Arizona/L=Tucson/O=C  H Software
L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
   i:/C=US/ST=Arizona/L=Tucson/O=C  H Software
L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
---
Server certificate
-BEGIN CERTIFICATE-
MIIEojCCBGKgAwIBAgIBADAJBgcqhkjOOAQDMIGuMQswCQYDVQQGEwJVUzEQMA4G
A1UECBMHQXJpem9uYTEPMA0GA1UEBxMGVHVjc29uMR4wHAYDVQQKFBVDICYgSCBT
b2Z0d2FyZSBMLkwuQy4xFDASBgNVBAsTC0VuZ2luZWVyaW5nMSAwHgYDVQQDExd6
ZXBwby5jYW5kaHNvZnR3YXJlLmNvbTEkMCIGCSqGSIb3DQEJARYVYXdjQGNhbmRo
c29mdHdhcmUuY29tMB4XDTA1MDYxMzIyMDExOVoXDTA2MDYxMzIyMDExOVowga4x
CzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMQ8wDQYDVQQHEwZUdWNzb24x
HjAcBgNVBAoUFUMgJiBIIFNvZnR3YXJlIEwuTC5DLjEUMBIGA1UECxMLRW5naW5l
ZXJpbmcxIDAeBgNVBAMTF3plcHBvLmNhbmRoc29mdHdhcmUuY29tMSQwIgYJKoZI
hvcNAQkBFhVhd2NAY2FuZGhzb2Z0d2FyZS5jb20wggG2MIIBKwYHKoZIzjgEATCC
AR4CgYEAh/GZcaq+qODWgob4GOKQYoFn4/RE6ZVyfXWCqjlao/KjDV1pm1A+HqFb
eK6dU73hGlTijcZF+Iw8onD87rwdO1d/5GS+EBdYTriZYsU8QnJFfaNFY/iHkHof
BNIdvMl6bV56e4iFtwcAghAmBi9ZOn7gEetJYIYpiC/clpwFQasCFQDbWQOf3xN6
OuO3/x0OU2Gb3bShbQKBgA+d3bboMytLRWgGTLI0eNuWQ2j6l9YhO/T8naljgtu3
B5eOivFWvA/DA2Ljslx4pGtQ3xxqUeqGOYAcbfuoir4GZ+Zg6zz8PYxa6Hh9NWLb
RZeT85mPzGbFByGQ/41NOf/kHXKkPut2KPhnmAubfF44sjATk/nGkUufwa7UmDc7
A4GEAAKBgBQHIuOqNm3W35pTAViNelH13POl68dpgMR1hIMNRmb7cMwXv44aStE9
AjtEddLjXHs47pEigkD+9A4VMsqVPolTSyUARKUk/sqiSVq896t0D0WQ2pzQuiRP
BoCi0Zd2SJk/KtpxPVauaPBZSimscNhp2MsBcjNyLnzUQOaY1WVyo4IBDzCCAQsw
HQYDVR0OBBYEFINAkoeJs7TbPCwjksYGq7XKs5CLMIHbBgNVHSMEgdMwgdCAFINA
koeJs7TbPCwjksYGq7XKs5CLoYG0pIGxMIGuMQswCQYDVQQGEwJVUzEQMA4GA1UE
CBMHQXJpem9uYTEPMA0GA1UEBxMGVHVjc29uMR4wHAYDVQQKFBVDICYgSCBTb2Z0
d2FyZSBMLkwuQy4xFDASBgNVBAsTC0VuZ2luZWVyaW5nMSAwHgYDVQQDExd6ZXBw
by5jYW5kaHNvZnR3YXJlLmNvbTEkMCIGCSqGSIb3DQEJARYVYXdjQGNhbmRoc29m
dHdhcmUuY29tggEAMAwGA1UdEwQFMAMBAf8wCQYHKoZIzjgEAwMvADAsAhRyfUoO
9ZLFxZLGsijrAzbCSQLBXwIUfYf/FeKdY/embpVrLnTV942wOuk=
-END CERTIFICATE-
subject=/C=US/ST=Arizona/L=Tucson/O=C  H Software
L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
issuer=/C=US/ST=Arizona/L=Tucson/O=C  H Software
L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
---
Acceptable client certificate CA names
/C=US/ST=Arizona/L=Tucson/O=C  H Software
L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/[EMAIL PROTECTED]
---
SSL handshake has read 1861 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-DSS-AES256-SHA
Session-ID:
28239EBE3C499BDD7E00B2F0FE3A7645E65AC135348B8FE6F4990843579F94F7
Session-ID-ctx:
Master-Key:
5651D294B719C6C19FA743A0EE0EC7B1E00F2AD1AD8E70AD072715165690E0AC919193A5148AE24111BCA86433621264
Key-Arg   : None
Start Time: 1118876232
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 zeppo.candhsoftware.com ESMTP Sendmail 8.13.1/8.13.1; Wed, 15 Jun
2005 15:41:53 -0700 (MST)
helo misato.candhsoftware.com
250 zeppo.candhsoftware.com Hello [65.125.115.243], pleased to meet you
quit
221 2.0.0 

RE: [Fwd: Re: Queries over OpenSSL programs]

2005-06-15 Thread Gayathri Sundar
Hi there,

Can any body please tell me,
where can I find the answers to these questions?

Thanks
-Rohan


 Original Message 
Subject: Re: Queries over OpenSSL programs
From:Rohan Shrivastava [EMAIL PROTECTED]
Date:Wed, June 8, 2005 8:03 am
To:  openssl-users@openssl.org
--

Riaz,
Thanks for the help,
I am able to dump the packets using ssldump.

Some of my queries are still unanswered.
I am again pasting it here.

 [#]. If they are able to communicate in a secured session,
 then how come they completed SSL handshake without random number
source(I think it is required at time of Handshake)?
the default random file is in /dev/urandom in linux .. check the
environvent variable rand and see where its pointing to.


 [#]. How can I authenticate Clients (any sample code will help me a
lot) or what is function used for asking Client's certificate ?

There is an option in SSL that can be set either in the SSL_CTX or
in the SSLOBJECT depending on whether you need to enforce client auth
always or based on certain requirement. If set in CTX it is
always enforced.

SSL_CTX_set_verify(pSSLCtx, SSL_VERIFY_PEER,
  client_cert_verify_callback);

SSL_set_verify(pSSLCtx,SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
client_cert_verify_callback);

this callback function will be executed when the client cert is sent to
the server, once this option is set, SSL_accept will automatically prompt
for a client cert.


 [#]. Is the loading CAs list, required at the server/client (as here I
did not load) ,if required then how can I create such list as I am
using this in local network?

This is not mandatory, depends on what ctx/sslobj options you have set.
you can use openssl tools to generate the same.

 [#]. Also can I place the code here?


Thanks
-Rohan



 use ssldump or tcpdump to view if the connection is being established in
a secure manner

 On 6/7/05, Rohan Shrivastava [EMAIL PROTECTED] wrote:

 Hello,

 I am new to OpenSSL programming through C.

 This is my first program, so I am not sure whether
 I have achieved secure session between client and server or not, though
they are able to communicate
 using SSL_write/read functions.

 This is how I did the things

 At server I loaded certificate  private key  after accepting
 TCP connection I accepted SSL session request.
  then started communicating with Client.

 At client I just used SSLv3_method()  SSL_CTX_new() functions to get new
 ctx object.
 Here after setting up TCP connection I initiated SSL connection
request,  on success it communicates with server.

 I tired to load Random file with the following code, but could not get
through,
 so I did without random source (for both client  server).

 #defile RANDOM /dev/random

 if (!(RAND_load_file(RANDOM,1024*1024))) {
 printf(\n Error in loading random file);
 exit(0);
 }


 I generated Certificate  Keys with the following commands

 openssl -genrsa 1024 -out key.pem
 openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem

 Now my queries are:

 [#]. How can I be sure that session is secure?

 [#]. If they are able to communicate in a secured session,
 then how come they completed SSL handshake without random number source
(I think it is required at time of Handshake)?

 [#]. How can I authenticate Clients (any sample code will help me a
lot) or what is function used for asking Client's certificate ?

 [#]. Is the loading CAs list, required at the server/client (as here I did
 not load) ,if required then how can I create such list as I am using this
 in local network?

 [#]. Also can I place the code here?


 Any help will be highly appreciated

 Thanks
 -Rohan

 __
OpenSSL Project http://www.openssl.org
 User Support Mailing List openssl-users@openssl.org
 Automated List Manager [EMAIL PROTECTED]




 --
 Thank you,
 Best Regards
 Riaz Ur Rahaman


__
OpenSSL Projecthttp://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager  [EMAIL PROTECTED]


__
OpenSSL Projecthttp://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager  [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: [Fwd: Re: Queries over OpenSSL programs]

2005-06-15 Thread Gayathri Sundar
Hi there,

Can any body please tell me,
where can I find the answers to these questions?

Thanks
-Rohan


 Original Message 
Subject: Re: Queries over OpenSSL programs
From:Rohan Shrivastava [EMAIL PROTECTED]
Date:Wed, June 8, 2005 8:03 am
To:  openssl-users@openssl.org
--

Riaz,
Thanks for the help,
I am able to dump the packets using ssldump.

Some of my queries are still unanswered.
I am again pasting it here.

 [#]. If they are able to communicate in a secured session,
 then how come they completed SSL handshake without random number
source(I think it is required at time of Handshake)?
the default random file is in /dev/urandom in linux .. check the
environvent variable rand and see where its pointing to.


 [#]. How can I authenticate Clients (any sample code will help me a
lot) or what is function used for asking Client's certificate ?

There is an option in SSL that can be set either in the SSL_CTX or
in the SSLOBJECT depending on whether you need to enforce client auth
always or based on certain requirement. If set in CTX it is
always enforced.

SSL_CTX_set_verify(pSSLCtx, SSL_VERIFY_PEER,
  client_cert_verify_callback);

SSL_set_verify(pSSLCtx,SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
client_cert_verify_callback);

this callback function will be executed when the client cert is sent to
the server, once this option is set, SSL_accept will automatically prompt
for a client cert.


 [#]. Is the loading CAs list, required at the server/client (as here I
did not load) ,if required then how can I create such list as I am
using this in local network?

This is not mandatory, depends on what ctx/sslobj options you have set.
you can use openssl tools to generate the same.

 [#]. Also can I place the code here?


Thanks
-Rohan



 use ssldump or tcpdump to view if the connection is being established in
a secure manner

 On 6/7/05, Rohan Shrivastava [EMAIL PROTECTED] wrote:

 Hello,

 I am new to OpenSSL programming through C.

 This is my first program, so I am not sure whether
 I have achieved secure session between client and server or not, though
they are able to communicate
 using SSL_write/read functions.

 This is how I did the things

 At server I loaded certificate  private key  after accepting
 TCP connection I accepted SSL session request.
  then started communicating with Client.

 At client I just used SSLv3_method()  SSL_CTX_new() functions to get new
 ctx object.
 Here after setting up TCP connection I initiated SSL connection
request,  on success it communicates with server.

 I tired to load Random file with the following code, but could not get
through,
 so I did without random source (for both client  server).

 #defile RANDOM /dev/random

 if (!(RAND_load_file(RANDOM,1024*1024))) {
 printf(\n Error in loading random file);
 exit(0);
 }


 I generated Certificate  Keys with the following commands

 openssl -genrsa 1024 -out key.pem
 openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem

 Now my queries are:

 [#]. How can I be sure that session is secure?

 [#]. If they are able to communicate in a secured session,
 then how come they completed SSL handshake without random number source
(I think it is required at time of Handshake)?

 [#]. How can I authenticate Clients (any sample code will help me a
lot) or what is function used for asking Client's certificate ?

 [#]. Is the loading CAs list, required at the server/client (as here I did
 not load) ,if required then how can I create such list as I am using this
 in local network?

 [#]. Also can I place the code here?


 Any help will be highly appreciated

 Thanks
 -Rohan

 __
OpenSSL Project http://www.openssl.org
 User Support Mailing List openssl-users@openssl.org
 Automated List Manager [EMAIL PROTECTED]




 --
 Thank you,
 Best Regards
 Riaz Ur Rahaman


__
OpenSSL Projecthttp://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager  [EMAIL PROTECTED]


__
OpenSSL Projecthttp://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager  [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: sendmail + STARTTLS w/ evolution = error:1408A0C1

2005-06-15 Thread Claus Assmann
On Wed, Jun 15, 2005, Andy W. Clements wrote:

 I'm currently having a problem with setting up STARTTLS with my sendmail
 on my FreeBSD 5.3 box.  I've used openssl to create the cert and key:
 
 openssl dsaparam 1024 -out dsa1024.pem
 openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout
 mykey.pem

Try an RSA key instead, most systems have problems with DSA
(sendmail works fine however).

 Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server:
 17104:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
 cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:887:

Typical indication that the client doesn't support DSA.
You can use ssldump to see what's going on.

 I have no ideas what the error message in the sendmail log is telling
 me, can someone give me a clue what needs to be done?

1. See above.
2. See the source code (the OpenSSL error message kindly provides
that information).

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]