RE: Unable to locate the keystore/certificate store or private key

2006-08-29 Thread Marek Marcola
Hello,

> The server side SSL is no longer terminated on the IIS server. It is
> being handled by Cisco 11500 series content switches and the
> application will no longer work.

My proposition is to get ssldump and dump the SSL handshake with IIS and
Cisco to check the differences and working parameters (with IIS).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


BIO and DTLS

2006-08-29 Thread Jeremy Goddard

Hi All,

Can anyone tell me if the behavior of the BIO_new_accept, BIO_do_accept, 
and BIO_read functions changes in any way while using DTLS?


Thanks,
   Jeremy


Build problem on HP Itanium 64 bit machine

2006-08-29 Thread Urjit Gokhale



Hi everyone,

I am having a problem building openssl on an HP Itanium 64 bit box.
Attached are the files that show the output of Configure and make. The
output of make is stripped to show the last section where the error is
reported.

The error is

ld: Unknown input file type: "./libcrypto.so"
Fatal error.

I am also getting many "Unsatisfied symbol" errors during make.

The cc version is:

openssl-0.9.8b cc --version
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]

At the end of the unsuccessful make, this is what I have:

libcrypto.a
libcrypto.so -> libcrypto.so.0.9.8
libcrypto.so.0.9.8
libssl.a

Has anyone faced this problem? Does openssl have a dependency on a
specific version of cc? Is there any problem with the enable-shared
option?
If you require any more information about the environment, please let
me know.

Thanks,
~ Urjit

DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails.


Re: Build problem on HP Itanium 64 bit machine

2006-08-29 Thread Marek Marcola
Hello,

> I am having problem building openssl on HP Itanium 64 bit box.
> Attached are the files that show the output of Configure and make. The
> output of make is stripped to show the last section where error is
> reported.
>
> The error is
> ld: Unknown input file type: ./libcrypto.so
> Fatal error.
>
> I am also getting many Unsatisfied symbol errors during make.
>
> The cc version is:
> openssl-0.9.8b cc --version
> (Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
>
> at the end of unsuccessful make, this is what I have
> libcrypto.a
> libcrypto.so -> libcrypto.so.0.9.8
> libcrypto.so.0.9.8
> libssl.a
>
> Has anyone faced this problem? Does openssl have dependency on a
> specific version of cc? Is there any problem with the enable-shared
> option?
> If you require any more information about the environment, please let
> me know.

Do you have a libssl library dependency like:

   $ ldd libssl.so.0.9.8
        libcrypto.so.0.9.8 =>   ./libcrypto.so.0.9.8
        libdl.so.1 =>   /usr/lib/hpux32/libdl.so.1

in your build directory?
When does this error occur (when building the openssl command)?

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



RE: related license question

2006-08-29 Thread John L. Ries

On Mon, 28 Aug 2006, David Schwartz wrote:

>>> Certainly. Nothing in the OpenSSL licenses requires you to allow
>>> redistribution of any derivative works you create.
>>
>> Wrong.  See the following:
>>
>> ...The licence and distribution terms for any publically available
>> version or derivative of this code cannot be changed...
>>
>> http://www.openssl.org/source/license.html
>
> I always assumed that "publically available version" meant an open source
> distribution and didn't apply to proprietary code where the source isn't
> made available at all. But now that you point it out, it's not clear at all
> exactly what that means. In any event, it doesn't compel you to make the
> source available, but it could mean that you can't prevent redistribution of
> the binaries.

IANAL, but this is a fairly standard BSD-style license and such have
always allowed proprietary derivative works.  I see nothing here that
forbids distributors from imposing additional terms on derivative works
(unlike the GPL).

--
John L. Ries
Salford Systems
Phone: (619)543-8880 x107
or (435)865-5723


RE: Unable to locate the keystore/certificate store or private key

2006-08-29 Thread Robert . Zander

Excellent, excellent idea. Is ssldump an API call? If so, I haven't seen
that. Let me go out to the site and look. I wish there were a more
organized and informative source for information on the openssl API.
That should definitely make the problem expose itself. Thanks!

Marek Marcola [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/29/2006 02:20 AM
Please respond to: openssl-users@openssl.org
To: openssl-users@openssl.org
cc:
Subject: RE: Unable to locate the keystore/certificate store or private key

> Hello,
>
>> The server side SSL is no longer terminated on the IIS server. It is
>> being handled by Cisco 11500 series content switches and the
>> application will no longer work.
>
> My proposition is to get ssldump and dump the SSL handshake with IIS and
> Cisco to check the differences and working parameters (with IIS).
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]




RE: Unable to locate the keystore/certificate store or private key

2006-08-29 Thread Marek Marcola
On Tue, 2006-08-29 at 13:52 -0400, [EMAIL PROTECTED] wrote:

> Excellent, excellent idea. Is ssldump an API call? If so, I haven't
> seen that. Let me go out to the site and look. I wish there were a
> more organized and informative source for information on the openssl
> API.

This is a very useful utility; you may find it at:
http://freshmeat.net/projects/ssldump/

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: Build problem on HP Itanium 64 bit machine

2006-08-29 Thread Leif Thuresson

Hi,
I have also had problems building the shared version of openssl-0.9.8b
on hpux-11.00 parisc using the hp ansi-c compiler.
It looks like the openssl shared-library building part is completely
re-implemented in 0.9.8 (compared to 0.9.7 which worked out of the box).
In 0.9.7 shared libraries were linked using ld directly on this platform,
but in 0.9.8 the configuration is set up to link shared libraries by
running cc as a frontend to ld and this does not work for me.
(Maybe I have an ancient version of hp ansi-c that does not support this?)

You can get a bit more insight into what is going on during the linking
by uncommenting the "#SET_X=set -x" line in Makefile.shared.

At this stage I have hand edited the Makefile and Makefile.shared
to make it link directly with ld as in 0.9.7 and I have now managed to
build shared libraries. I'm running the tests as I write this and it looks
like at least some tests work okay now. :-)

/Leif

Urjit Gokhale wrote:

> Hi everyone,
>
> I am having problem building openssl on HP Itanium 64 bit box.
> Attached are the files that show the output of Configure and make. The
> output of make is stripped to show the last section where error is
> reported.
>
> The error is
>
> ld: Unknown input file type: ./libcrypto.so
> Fatal error.
> I am also getting many Unsatisfied symbol errors during make.
>
> The cc version is:
>
> openssl-0.9.8b cc --version
> (Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
> at the end of unsuccessful make, this is what I have
> libcrypto.a
> libcrypto.so -> libcrypto.so.0.9.8
> libcrypto.so.0.9.8
> libssl.a
>
> Has anyone faced this problem? Does openssl have dependency on a
> specific version of cc? Is there any problem with the enable-shared
> option?
> If you require any more information about the environment, please let
> me know.
>
> Thanks,
>
> ~ Urjit


Re: Unable to locate the keystore/certificate store or private key

2006-08-29 Thread Nils Larsch

[EMAIL PROTECTED] wrote:

> Excellent, excellent idea. Is ssldump an API call?

it's an application to analyze an ssl connection
(see http://www.rtfm.com/ssldump/ )

Cheers,
Nils


Re: Build problem on HP Itanium 64 bit machine

2006-08-29 Thread urjit_gokhale


Original message
Date: Tue, 29 Aug 2006 20:05:51 +0200
From: Leif Thuresson [EMAIL PROTECTED]
Subject: Re: Build problem on HP Itanium 64 bit machine
To: openssl-users@openssl.org

> Hi,
> I have also had problems building shared version of openssl-0.9.8b
> on hpux-11.00 parisc using the hp ansi-c compiler.
> It looks like the openssl shared-library building part is completely
> re-implemented in 0.9.8 (compared to 0.9.7 which worked out of the box)
> In 0.9.7 shared libraries were linked using ld directly on this platform,
> but in 0.9.8 the configuration is setup to link shared libraries by
> running cc as a frontend to ld and this does not work for me.
> (maybe I have an ancient version of hp ansi-c that does not support this?)
>
> You can get a bit more insight into what is going on during the linking
> by uncommenting the  #SET_X=set -x  line in the  Makefile.shared

Okay ... I will check that out.

> At this stage I have hand edited the Makefile and Makefile.shared
> to make it link directly with ld as in 0.9.7 and I have now managed to
> build shared libraries. I'm running the tests as I write this and it looks
> at least some test works okay now. :-)

Thanks for the reply. Will update the group with the findings
... or maybe with some more doubts :-)

> /Leif

~ Urjit



Re: Build problem on HP Itanium 64 bit machine

2006-08-29 Thread urjit_gokhale


Original message
Date: Tue, 29 Aug 2006 19:02:32 +0200
From: Marek Marcola [EMAIL PROTECTED]
Subject: Re: Build problem on HP Itanium 64 bit machine
To: openssl-users@openssl.org

> Hello,
>
>> I am having problem building openssl on HP Itanium 64 bit box.
>> Attached are the files that show the output of Configure and make. The
>> output of make is stripped to show the last section where error is
>> reported.
>>
>> The error is
>> ld: Unknown input file type: ./libcrypto.so
>> Fatal error.
>>
>> I am also getting many Unsatisfied symbol errors during make.
>>
>> The cc version is:
>> openssl-0.9.8b cc --version
>> (Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
>>
>> at the end of unsuccessful make, this is what I have
>> libcrypto.a
>> libcrypto.so -> libcrypto.so.0.9.8
>> libcrypto.so.0.9.8
>> libssl.a
>>
>> Has anyone faced this problem? Does openssl have dependency on a
>> specific version of cc? Is there any problem with the enable-shared
>> option?
>> If you require any more information about the environment, please let
>> me know.
>
> Do you have libssl library dependency like:
>    $ ldd libssl.so.0.9.8
>         libcrypto.so.0.9.8 =>   ./libcrypto.so.0.9.8
>         libdl.so.1 =>   /usr/lib/hpux32/libdl.so.1
> in your build directory.

Are you suggesting looking into the Makefile? Well ... I can
see that building a shared object libssl.so.0.9.8b there is a
dependency on crypto library. It is specified as -lcrypto.so

> When this error occurs (when building openssl command ?) ?

After all the object files for the libssl are built and when
it begins to start building a shared object.

I am mainly confused by the error "unknown input file type".
Why would the linker treat libcrypto.so as an unknown file type?



Re: Build problem on HP Itanium 64 bit machine

2006-08-29 Thread Marek Marcola
Hello,

>> Do you have libssl library dependency like:
>>    $ ldd libssl.so.0.9.8
>>         libcrypto.so.0.9.8 =>   ./libcrypto.so.0.9.8
>>         libdl.so.1 =>   /usr/lib/hpux32/libdl.so.1
>> in your build directory.
>
> Are you suggesting looking into the Makefile? Well ... I can
> see that building a shared object libssl.so.0.9.8b there is a
> dependency on crypto library. It is specified as -lcrypto.so

No, sometimes when building OpenSSL on hpux1123 the libssl.so library
has a dependency on libcrypto.so, but in the form ./libcrypto.so.0.9.8.
When the build process goes to the apps directory there is
no such library (in the current directory) and the build fails.
Again, check the libssl.so.0.9.8 library in the build directory
with the ldd command.

>> When this error occurs (when building openssl command ?) ?
>
> After all the object files for the libssl are built and when
> it begins to start building a shared object.
>
> I am mainly confused by the error unknown input file type.
> Why would linker treat libcrypto.so as unknown file type?

On hpux1123 there were many applications with their own OpenSSL bundled
(Apache, WBEM, some administration utilities); maybe some of these
libraries are, for example, for HPPA (but on the other hand you will
get some ABI errors then). Look for libcrypto* in /opt and /usr.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
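
The ldd check suggested in the message above, as an added example that is not part of the original thread: a shell function that reads ldd-style output and reports every dependency recorded through a relative path such as ./libcrypto.so.0.9.8, or not resolved at all. The function name `check_lib_deps`, the optional directory argument and the sample output (including `libexample.so.1`) are constructed for illustration.

```shell
#!/bin/sh
# check_lib_deps [DIR]
# Reads ldd-style output on stdin and prints one line per dependency that
# will not resolve reliably:
#   RELATIVE <name> <path>   recorded path does not start with "/"
#   MISSING  <name> <path>   relative path that does not exist when the
#                            loader or linker runs from DIR (the apps/ case)
#   NOTFOUND <name>          the name could not be resolved at all
# Returns 0 when every dependency has an absolute path, 1 otherwise.
check_lib_deps() {
    _dir=${1:-}
    _bad=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r _name _arrow _path _rest || [ -n "$_name" ]; do
        [ "$_arrow" = "=>" ] || continue      # skip headers and loader lines
        case "$_path $_rest" in
            "not found"*) echo "NOTFOUND $_name"; _bad=1; continue ;;
        esac
        case $_path in
            /*|"("*|"") continue ;;           # absolute path, or address only
        esac
        if [ -n "$_dir" ] && [ ! -e "$_dir/$_path" ]; then
            echo "MISSING $_name $_path"
        else
            echo "RELATIVE $_name $_path"
        fi
        _bad=1
    done
    return "$_bad"
}

# Constructed sample, modelled on the ldd output quoted in the thread.
sample_ldd_output() {
    cat <<'EOF'
libssl.so.0.9.8:
        libcrypto.so.0.9.8 =>   ./libcrypto.so.0.9.8
        libdl.so.1 =>   /usr/lib/hpux32/libdl.so.1
        libexample.so.1 =>   not found
EOF
}

# Against a real build tree: ldd libssl.so.0.9.8 | check_lib_deps apps
sample_ldd_output | check_lib_deps || true
```

A RELATIVE or MISSING line means the library resolves only from one particular working directory, which is the situation described for the apps directory.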



RE: license question

2006-08-29 Thread David Schwartz

> What is actually going on when the end-user runs OpenSSL and it
> dynamically links in your restricted library, or the end user compiles
> the unrestricted OpenSSL into your restricted library, is that they
> are committing a license violation of the OpenSSL license when
> they start using the resultant unified whole, because your license
> is going to require them to accept your license terms for the result
> of whatever they link into.  This is a violation of the OpenSSL terms
> on changing the OpenSSL license.

I wholeheartedly disagree. You cannot violate the OpenSSL license by using
OpenSSL.

The end user is not creating a derivative work because he is not creating a
work at all. For copyright purposes, you only create a work when you add
creative input. Compiling and linking is not a creative process.

IANAL, this is not legal advice.

DS




Re: license question

2006-08-29 Thread William A. Rowe, Jr.
Ryan Shon wrote:

> I work for nFocal, a company in
> Rochester, New York.  We want to develop a variant of OpenSSL
> in which we optimize the cryptography library to run on
> a particular DSP.  The other components of OpenSSL would remain
> unchanged except where needed to utilize our custom library.
> We might modify OpenSSL's cryptography library,
> or we may write our own from scratch.  Could you please explain
> our licensing restrictions for these two scenarios?

Just an observation, but if you left the OpenSSL core alone, and created
your optimized module as a loadable engine for OpenSSL - I suspect you
would have a win-win from licensing, distribution and code design views.


SMIME_read_PKCS7 fails with memory BIO but works with file BIO

2006-08-29 Thread Heikki Toivonen
I am trying to use SMIME_read_PKCS7 to read a signed and encrypted MIME
message from memory BIO, but I can't get it to work. It works fine if I
construct a file BIO to read from. Am I doing something wrong, or is
this a bug?

See the test application below that shows the problem. Please note that
you need to save the contents of smime_text variable into a file called
smime_text.txt manually, before the file BIO case will work.

When I run the program, I get the following output:

3445
Memory BIO case, error: 21854

This is on Cygwin, with OpenSSL 0.9.8a.

---CLIP---

#include <stdio.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/pkcs7.h>

char smime_text[] =
MIME-Version: 1.0\n
Content-Disposition: attachment; filename=\smime.p7m\\n
Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data;
name=\smime.p7m\\n
Content-Transfer-Encoding: base64\n
\n
MIIJXQYJKoZIhvcNAQcDoIIJTjCCCUoCAQAxgeMwgeACAQAwSTBEMQswCQYDVQQG\n
EwJVUzELMAkGA1UECBMCQ0ExFDASBgNVBAoTC00yQ3J5cHRvIENBMRIwEAYDVQQD\n
Ewlsb2NhbGhvc3QCAQQwDQYJKoZIhvcNAQEBBQAEgYCac8jhFIMOgOxMbvdEJwYt\n
84CLHCdtSA/3y6ex6PrN5NlxNfpNIRsrmRyJQb5MJIiOuFFUbN6DMWbki0MYx1Pf\n
X4+2i924p+5wTNv8DsTeInjSryiz5CcUS5Bq117vZfZ0H8+zNouF+Hf19Qam5gT5\n
gaMBXzLKx9P+xd4qBXKsqTCCCF0GCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIvboS\n
cTawrl6Aggg4WbNItj3soy1iAfF38ZYbFftVoHqzYXsD2ZeVl1DTOgnTPltQomGw\n
Vlb8eLAzn4MEh/K8vzZXumuc9hCHnr0TXsHUPMpzDnBtTplyahfPNxqI0fBmelZH\n
DoJ85UXk4iURnadzywIU83Krl8yJAmirKxjA3IiwD2gU9/Xni8kD0kxhgi9ghjHW\n
WiefD1e+mspQ2uh1ZL0tXy4S4U759+9xuwPwJIRYaGuXli2eM8GijE5IigJS34+N\n
j760vQaP/IwKNhI7QkyU6EI+JdlmfU2OHijRlR8jMmre2hmz1OU7yILps5tlokpq\n
QrwPFo0Gmd6m7UD+6XSZDIfe/OytVFZsJ15/oZXtEknkg+G/tFN9wvPbf/O0KDPn\n
wr1SrcAWQ3u4Nolz7HS1ZWM2DMSpHktaDtDxFHWobIDtQvjlX3MSc683K+M6WNs/\n
e9j3082EbGiCYsbYusMDA+fSH/WGrH7HJrZDy1sDBlxIxy+9Z1eBtCZptOKBu6TA\n
OV4X/nt1W/UW2FQBY8rToqDjjWN+z6B2cuS5XM5/Tm45Qse6fnsUaFxv1b4eVSwf\n
c9dPX0eQmX3hUlpZZf1ZIdQbzOZU4wJei4B9n8jK6/oqibHu4KjPCln2Hv9tlO1d\n
K/rJn+Jrhnn40TiSMwJ8oJMQrF48dHDiZyDsWuOtf4CqusCYK82vxZgV+Hk6dwCz\n
DOqajcNKm8ZBCm7y0Qtndk+OgqWHu/CX/jKUugczZ4amFdBlhaSsBWy1AEjgMf7+\n
KdqcfqdOgPdj7k6NfjB/nqOQWoMqgICNC+0/ufFADxN1+06c3IF0lZ0ZcU6EYDb+\n
BkyGbdiKlD/aCJnHdocDAR42cXKBw/SJHtZ6fgHchM3HFF9QkYKqTLA6iU57JB2I\n
iCMbtJNh8TjkJMuAzl7/7SDhy2fcMMNJLOknV8Htp5o/EREF4ZpA/HQOXLthYQf2\n
j0NTtE8+sX3y198SXD36gn/SWkG981IP5qSZze65shrRGYK6qNqTwQpwKPwKxhVL\n
NjKRsCa2xlWqnhh5cmxG4u/gCoN5mbJQdmqxP21szZb5qV9lyG3UcttYjGUy7n6w\n
grH495LXX5b/aheAg/ZOwq4Z1d8ZS/tLxcO4bas+AWHa3aZqpYMmInx5bxvdl1DW\n
2EvLEjNSkjcWcwhoodeT6vjtxavtx1Ub7/OVquJBsR8uvZUcsmLVsYpCpGmoB1a7\n
D0Vgkt/g5LIvoMCtTq2FhcZgj7LzoKJNJQkC5nXYoqPX7iZ9J0b69YYVCAuzzul6\n
9ZECxQvgadjzj3kPlSZMTknKYavE0R9Tdeq8zjAfajjL5BN4V2w1Op5yR1VTsZZL\n
27VAoEBuAVav+OpNMLXBwScaKhHGKk5wlsp1ZEN5Jl3IV4Go67voDkjEy/nBiWCq\n
DVpUGXkzOWRgMWi28Zw0vc2v6x6uO24D3X1g+1CL4WkFo3edyroN8R3zfMW1JY56\n
nPm+uU/byRpMeEeddSEfUJh7sNI4Fx/u7ohm1P0TIKhTq/BxQdeLrwVQJsHpjmBB\n
ZMss1/hmjTOFf7MsrXCCy8GLeT3c/psGaDP9spquRTVLssMBc5CC45GoPrNLAODn\n
OQDVyRmnR6PTnjSKS2EU/YH9wJ7DobDlqKhLEEbMpu4PdK5bkt8nz7ne3R8erZUn\n
v9IzJBlTAWQcaflxThL91kJjaOcoNkGT1LNKbJVmDia5vMJr4Blz6g5KQTFVhmWD\n
hso+zvpEbV/O24BWAxS8e8U1nx78lujK1a9qg5YPns3l98On/31C/QtDB0F1JNoT\n
KUStGoz/1vmgxwqco3qC0ogbQqIuthS5umwuJdl3+ZNXlu9G2h7/2egwU84hE1wT\n
hTfjI9zgJXsxuUXxCqcN7tcptDQusxsl+c1d77GhDi0VfC8yT7ffVTr4NmA5pMpu\n
XsmqFLxHCWkL6aaPK9d9NfHEsNVr0gEekVrBGK1KA0zD39axAIoOSS26k8jViW/Z\n
CtKZIyiWo/s0db05712+EbMIhYyX0XF5olJTbXeXs0cLlX3XFnu2vyMzBHLxUS/9\n
8I8JfUYlLKad6MD8+rIPX2OrcO6C3U1LChlIjkNYtOPK0CeVS1BelSsHez40JO8M\n
luEq3ZRhqycDJ1xUAgLNYzCeZibkHdYOlgQVCtEwaO5Ao0/CV/3MaMS5fjpAxAve\n
9bJbEue/CYfdAuJmK2dEpu/obwKWq/0gdnngNk1UjLBMwQKk+8SFaOJikp1G4d3v\n
1RylODneJJtFsl1JHtJ2t4KfT+JZ++qd3w1CT5G79cqFAQB1TxgAr5AQwa84KcaR\n
NCyczJn1w2l7DGevWsEZhPVSmKkiLB1U0wnakVHF4Xeyc+gRR/l8r2F51l5jt3rd\n
nvpjikCgiRLthKWhgss4I4clHNM4oOkcuQPtzOrqErHayHeV25rfuJQtlcsTHlnw\n
MV7FIaV2TCcutoOCJIHJvPv1hCQiOnWOvW4V8vzPCvXc1kPRVmFfzP5Ogmf8OUxa\n
DNy7VfRfwQOUL/r4WtLf8bdEsaFjsuDM2WNRc14vh8k054qaAmGTmkJPV0hub6kB\n
pp2vme963FcTy9v5uJNUIiC6oc0K9L7TdoA4EOeojg5HjGkfiinp4+gfcSpEssVM\n
iAo1iNdnXVadr/1CqFh0CDU6ZAww/jc164rjZyGSHceoEv2IHK+9eG3kPPFIA04/\n
Ldfk2XI2W2Kai1ySk95j5OsKK0COZYe8vzH8Cxasy/HRUsml0EnPdCcqRnErIURQ\n
9TTgAN28f6po85zOkod4Ou63bEfqdjlLtvaX3gPvrU7h+eddxSNSSqqXqH3ayCDo\n
zg==;

int main(void)
{
  {
    /* This does not work */
    PKCS7 *p7;
    BIO *bcont = NULL;
    BIO *signedEncryptedBio = BIO_new(BIO_s_mem());
    /* print the number of bytes written into the memory BIO */
    printf("%d\n",
           BIO_write(signedEncryptedBio, smime_text, strlen(smime_text)));
    p7 = SMIME_read_PKCS7(signedEncryptedBio, &bcont);
    if (!p7) {
      printf("Memory BIO case, error: %ld\n", ERR_get_error());
    }
  }

  {
    /* This works */
    BIO *bcont = NULL;
    BIO *f = BIO_new_file("smime_text.txt", "rb");
    PKCS7 *p7 = SMIME_read_PKCS7(f, &bcont);
    if (!p7) {
      printf("File BIO case, error: %ld\n", ERR_get_error());
    }
  }

  return 0;
}

---CLIP---

-- 
  Heikki Toivonen


Re: Unable to locate the keystore/certificate store or private key

2006-08-29 Thread Robert . Zander

Nils,

The basic succession of calls is as follows. I think the program waits
for an ssl_read or ssl_write to implicitly trigger the handshake process.

meth = TLSv1_client_method();

SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
ctx = SSL_CTX_new(meth);   /* the ctx passed to SSL_new() below */

ssl = SSL_new( ctx );
sbio = BIO_new_socket( sock, BIO_NOCLOSE );
SSL_set_bio( ssl, sbio, sbio );
SSL_set_connect_state( ssl );
iSslInitStatus = SSL_in_init( ssl );

After that, the only API calls are ssl_read(), ssl_write() and an
occasional SSL_pending( ssl ).

Nils Larsch [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/29/2006 02:58 PM
Please respond to: openssl-users@openssl.org
To: openssl-users@openssl.org
cc:
Subject: Re: Unable to locate the keystore/certificate store or private key

> [EMAIL PROTECTED] wrote:
>>
>> Nils,
>>
>> Yes. I read the entire e-mail. I can't find ANYWHERE where it's being
>> fed to the application, (including the source code). As far as I can
>> see, it's definitely not being used in an ssl_ library call nor is
>> he
>
> which ssl api calls are used to initialize the ssl context ?
>
> Cheers,
> Nils




Re: Validating Cert Chain

2006-08-29 Thread k b

Thanks for all the responses,

I have a question about the following method:

int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
                        X509 *x509, STACK_OF(X509) *chain);

If I understand this correctly, the argument 'x509' is the cert that you want
to be verified and the 'chain' is the chain of untrusted certificates (leading
up to a cert that is trusted or root, right?).
So if one calls X509_verify_cert(X509_STORE_CTX); it would verify the x509
cert specified as well as all the chain. Is that correct?

Also, how do I get a STACK_OF(X509) from files containing pem certs?

-kb


> From: Marek Marcola [EMAIL PROTECTED]
> Reply-To: openssl-users@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Validating Cert Chain
> Date: Sat, 26 Aug 2006 01:22:19 +0200
>
> Hello,
>> Hi,
>> How do i validate a certificate chain. is there a EVP api for it ?
>> thanks
> If we are talking about verifying X509 cert against CA certs this
> may be done for example like:
> -
>
> /* needs <stdio.h>, <openssl/x509.h>, <openssl/x509_vfy.h>, <openssl/pem.h> */
> FILE *fp;
>
> X509_STORE *CAcerts;
> X509 *cert;
>
> X509_STORE_CTX ca_ctx;
> char *strerr;
>
> /* load CA cert store */
> if (!(CAcerts = X509_STORE_new())) {
>    goto err;
> }
> if (X509_STORE_load_locations(CAcerts, "cacert.pem", NULL) != 1) {
>    goto err;
> }
> if (X509_STORE_set_default_paths(CAcerts) != 1) {
>    goto err;
> }
>
> /* load X509 certificate */
> if (!(fp = fopen("cert.pem", "r"))) {
>    goto err;
> }
> if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
>    goto err;
> }
>
> /* verify; the last argument (NULL here) is the untrusted chain */
> if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, NULL) != 1) {
>    goto err;
> }
>
> if (X509_verify_cert(&ca_ctx) != 1) {
>    strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
>    printf("Verification error: %s", strerr);
>    goto err;
> }
>
> X509_STORE_free(CAcerts);
> X509_free(cert);
>
> Hope this helps.
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]
