Issuer incorrectly copied into cert ?
In experimenting with setting up "layers" of certificates, I have noticed that the details for the "Issuer" in a user certificate appear to be set incorrectly.

In this exercise, I have a root CA, email CA (signed by the root CA) and a user certificate (signed by the email CA). In the user cert., I have some "X509v3 extensions" which include "X509v3 Authority Key Identifier". The keyid for this field matches the email CA *BUT* the DirName is that for the root CA. Netscape appears not to notice this *BUT* IE does :-/

In openssl.cnf, I have the following:

    [ usr_cert ]
    ...
    # PKIX recommendations harmless if included in all certificates.
    #subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always

I suspect that "issuer:always" should not be there ?

Heck, are there any *good* docs on how to properly construct and write an openssl.cnf file ?

To my mind, the current behaviour (if intended) is at least not obvious in its intent from the configuration file or (at worst?) bringing in the wrong information.

Or am I missing something obvious here ?

Thanks,
Darren
--
Darren Reed
Senior Software Engineer
[EMAIL PROTECTED] http://www.optimation.com.au
Phone: +61 3 9525 2111 Fax: +61 3 9521 1733
Level 9 West, 608 St Kilda Rd, 3004, Melbourne, Victoria, Australia
Re: bad certificate request
thanks Steve,

Where can I obtain dumpasn1? (openssl asn1parse is slightly easy)

> Anyway I've updated the development version to store the original encoding and work out signatures from that. It will now verify your request correctly. It will be in the next snapshot and OpenSSL 0.9.6

Approximately when will OpenSSL 0.9.6 be released?

And my older questions, if I can be importunate:

PKCS#10 version number?

Why is

    SET SEQUENCE extension1 extension2 extension3

preferred before

    SET SEQUENCE extension1 SEQUENCE extension2 SEQUENCE extension3 ?

Martin
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
PKCS7 usage?
Hi All,

I am a little bit confused on the usage of the PKCS7_* functions. If I have a file that needs to be signed and I want the signed data to be separate from the file and stored elsewhere. I follow the sign.c example, but get lost a little bit: should I get the digest using EVP_digest*() functions or just use the PKCS7_* functions? Which sequence should I follow?

For a sending and receiving scenario, is the X509 * the cert. of the receiver? And EVP_PKEY * the sender's private key? (Referring to signed.c example)

Does the sender's cert also need to be included in the PKCS7?

--
(~._.~)  朱 群 英 (Qun-Ying) (65) 874-6743
 ( O )
()~*~()
(_)-(_)  [EMAIL PROTECTED] * [EMAIL PROTECTED]
Re: Is ADH included by default into 0.9.5a ??
On Wed, Sep 06, 2000 at 01:33:50PM -0400, Gregory Nicholls wrote:
> I'm using ssl0.9.5a on Winnt. I ran openssl ciphers -v to look for a list that would use ADH. All the ciphers came up with an authentication scheme, either RSA or DSS. Have I missed something ??

Yes. ADH ciphers are not enabled by default. You must explicitly enable them with "openssl ciphers -v ADH".

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: how to install root certs and other certs into MSIE
> I installed a CA cert using a Perl script like this: ... AND IT WORKED!!

On a server on unix systems, yes. Not on others, you may need to binmode the CERT.

Why that script? Why don't you just associate a mime-type to the two file extensions in your server configuration, and just put the files somewhere into the server directory?
Problem generating CSR.
Hiya,

I'm using ssl0.9.5a on Solaris 8. I want to create a RSA private key for my Apache server (will be Triple-DES encrypted and PEM formatted):

But, when I ran the command :

    ./openssl genrsa -rand -des3 -out server.key 1024

I have the following error :

    0 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:538:
    363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

What am I doing wrong ?

Thanks
___
Julio Cesar de Melhado e Lima
Software Engineer
CIT - software enabling the e-world http://www.cit.com.br
Phone: +55 19 3737.4538 Fax: +55 19 3737.4501 Mobile: +55 19 9111.7282
Pager: www.tess.com.br/infotess
Re: Is ADH included by default into 0.9.5a ??
Ah excellent. Thank you.
G.

Lutz Jaenicke wrote:
> On Wed, Sep 06, 2000 at 01:33:50PM -0400, Gregory Nicholls wrote:
> > I'm using ssl0.9.5a on Winnt. I ran openssl ciphers -v to look for a list that would use ADH. All the ciphers came up with an authentication scheme, either RSA or DSS. Have I missed something ??
>
> Yes. ADH ciphers are not enabled by default. You must explicitly enable them with "openssl ciphers -v ADH".
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Using /MT rather than /MD with Microsoft.
Can anyone think of any problems I might encounter compiling openSSL with VC 6.0 using /MT compile option (link static runtime libraries), rather than /MD compile option (link shared runtime libraries)?

Thanks,
Dennis Kennedy
Re: Problem generating CSR.
You need to have a source for the -rand flag. My solution was to use egd and create a file of sufficient length full of random data. Then the command line was:

    openssl genrsa -rand <file w/random data> -des3 1024 > server.key

or

    openssl genrsa -rand <file w/random data> -des3 -out server.key 1024

Hope that helps.

Travis Theune

* Julio Cesar de Melhado e Lima ([EMAIL PROTECTED]) [000906 13:43]:
> Hiya,
>
> I'm using ssl0.9.5a on Solaris 8. I want to create a RSA private key for my Apache server (will be Triple-DES encrypted and PEM formatted):
>
> But, when I ran the command :
>
>     ./openssl genrsa -rand -des3 -out server.key 1024
>
> I have the following error :
>
>     0 semi-random bytes loaded
>     Generating RSA private key, 1024 bit long modulus
>     363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:538:
>     363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
>
> What am I doing wrong ?
>
> Thanks
> ___
> Julio Cesar de Melhado e Lima
> Software Engineer
> CIT - software enabling the e-world http://www.cit.com.br
> Phone: +55 19 3737.4538 Fax: +55 19 3737.4501 Mobile: +55 19 9111.7282
> Pager: www.tess.com.br/infotess
Re: Problem generating CSR.
Julio Cesar de Melhado e Lima [EMAIL PROTECTED] writes:
> Hiya,
>
> I'm using ssl0.9.5a on Solaris 8. I want to create a RSA private key for my Apache server (will be Triple-DES encrypted and PEM formatted):
>
> But, when I ran the command :
>
>     ./openssl genrsa -rand -des3 -out server.key 1024
>
> I have the following error :
>
>     0 semi-random bytes loaded
>     Generating RSA private key, 1024 bit long modulus
>     363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:538:
>     363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

There may well be problems with the lack of /dev/random on a Solaris box but doesn't the `-rand' option take a file name(s) parameter something like:

    ./openssl genrsa -rand /tmp/rand1:/tmp/rand2 -des3 -out server.key 1024
Question on PRNG's and entropy
Hiya,

I've read the past items on this list, looking for a good non-interactive source of entropy for the PRNG. Now I've a (possibly very) stupid question.

The data I need to encrypt is your basic bit of user data going from system A to system B. Now given that the whole point of encrypting this is to prevent someone from reading the data, is there any reason why I can't select a random bit out of each user message, perform some incantation on it and use this to seed the PRNG ??

I mean, if someone can predict the contents of the data well enough to work out what my seed is, surely they've defeated the purpose of the encryption anyway .. true ???

Given that I'm cryptographically ignorant, I don't want to do this if there's some great gaping flaw.

Thanks,
G.
RE: How to use the private key password callback?
Thanks for such a fast reply. I think that I'm still missing something about the parameters to PEM_read_PrivateKey and the callback. Based on what I learned from a posting from a few days ago, I am calling

    PEM_read_PrivateKey(fp, x, cb, u)

where the parameters are:

    fp: file pointer
    x: pointer for in object, leave it NULL
    cb: callback for passphrase (only needed for private key)
    u: parameter passed to callback

and I am segmenting on (I think) u. What is u supposed to be? I've looked in the pem.h and pem_lib.c files, but they get really complicated really fast. I've tried passing null pointers, character strings, char **'s, SSL_CTX *'s, SSL *'s, and so on, but I thought maybe I'd be better off passing the right sort of thing.

Thanks!

-----Original Message-----
From: Wallace, William [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 06, 2000 12:55 PM
To: '[EMAIL PROTECTED]'
Cc: Terry Solins
Subject: RE: How to use the private key password callback?

Try something like this in the callback body:

    buf[0] = '\0';
    // Get the password however you want to. If the operation fails return 0.
    strcpy( buf, password );
    return strlen( buf );

I think size is the length of buf if you want to make overflow checks.

-----Original Message-----
From: Randall Ward [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 06, 2000 12:45 PM
To: [EMAIL PROTECTED]
Cc: Terry Solins
Subject: How to use the private key password callback?

I need to use a client's private key for a project I am working on, but I am having trouble understanding how to automagically input the password to open the key file. Right now the client blocks waiting for the pass from keyboard input.

I am trying to use PEM_read_PrivateKey(...), and I have this prototype for the associated callback:

    int cb(char *buf, int size, int rwflag, void *userdata);

I sort of know what the parameters mean, but I have no idea what to do in the body of the function. This is probably a really simple task, but I'm missing an important bit of information.

Do I assign buf to some field in the SSL structs? Is there a predefined function(s) that I need to call? Are there some header files that I could be looking at?
Bad certificate request.
Hi,

I'm using openssl to generate a certificate request. When I try to build the subject name from a given DN, there are problems with the DER encoding. I've attached a code fragment and the resulting PEM encoded certificate request.

-Dave

certRqst.c req_test.pem
Re: How to use the private key password callback?
Randall Ward wrote:
> Thanks for such a fast reply. I think that I'm still missing something about the parameters to PEM_read_PrivateKey and the callback. Based on what I learned from a posting from a few days ago, I am calling
>
>     PEM_read_PrivateKey(fp, x, cb, u)
>
> where the parameters are:
>
>     fp: file pointer
>     x: pointer for in object, leave it NULL
>     cb: callback for passphrase (only needed for private key)
>     u: parameter passed to callback
>
> and I am segmenting on (I think) u. What is u supposed to be? I've looked in the pem.h and pem_lib.c files, but they get really complicated really fast.

'u's meaning is left up to the callback. It could be a prompt phrase a window handle or ignored. It was added because there was a need to send info to the callback.

There is an additional case though. In OpenSSL 0.9.5a if the callback is 0 and the parameter is not NULL then it is interpreted as a null terminated passphrase. If the parameter is NULL then the passphrase is prompted for in the usual way.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
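A bounded form of the callback discussed in this thread, as an added example (not code from any of the posters or from OpenSSL). It uses the prototype quoted above and returns 0 on failure as suggested in the thread; `struct pass_ctx` and `passphrase_cb` are hypothetical names, and the passphrase is assumed to arrive through the `u`/`userdata` argument.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical context handed to the callback through the `u` argument. */
struct pass_ctx {
    const char *passphrase;   /* NUL-terminated secret, or NULL if unavailable */
    int         calls;        /* how many times the library asked for it */
};

/*
 * Same prototype as the callback quoted in the thread:
 *   int cb(char *buf, int size, int rwflag, void *userdata);
 *
 * buf/size : output buffer owned by the caller and its capacity in bytes
 * rwflag   : 0 when the key is being read (decrypted), 1 when written
 * userdata : whatever was passed as `u`; here a struct pass_ctx *
 *
 * Returns the passphrase length copied into buf, or 0 on failure.
 */
int passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    struct pass_ctx *ctx = userdata;
    size_t len;

    (void)rwflag;             /* same passphrase for reading and writing */

    /* Never dereference `u` blindly: the caller may have passed NULL. */
    if (buf == NULL || size <= 0 || ctx == NULL || ctx->passphrase == NULL)
        return 0;
    ctx->calls++;

    /*
     * The overflow check the thread mentions: the passphrase plus its
     * terminator must fit. Fail instead of truncating, because a truncated
     * passphrase only shows up later as a confusing decryption error.
     */
    len = strlen(ctx->passphrase);
    if (len == 0 || len >= (size_t)size)
        return 0;

    memcpy(buf, ctx->passphrase, len + 1);   /* copies the terminator too */
    return (int)len;
}

/*
 * Intended use with the call shown in the thread (needs OpenSSL, so it is
 * left as a comment here):
 *
 *   struct pass_ctx ctx = { secret_from_config, 0 };
 *   EVP_PKEY *key = PEM_read_PrivateKey(fp, NULL, passphrase_cb, &ctx);
 */
```
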
RE: Question on PRNG's and entropy
-----Original Message-----
From: Gregory Nicholls [mailto:[EMAIL PROTECTED]]

> The data I need to encrypt is your basic bit of user data going from system A to system B. Now given that the whole point of encrypting this is to prevent someone from reading the data, is there any reason why I can't select a random bit out of each user message, perform some incantation on it and use this to seed the PRNG ??

How do you select a "random bit" of a message if you don't have a source of randomness in the first place? From a cryptographic perspective, you'd best assume an attacker knows which bit of the message you're using, even without knowing what the message contains.

Also, note that a crypto PRNG seed should ideally contain considerable entropy. Are these messages themselves unpredictable enough to provide sufficient seed material?

> I mean, if someone can predict the contents of the data well enough to work out what my seed is, surely they've defeated the purpose of the encryption anyway .. true ???

That's a very big assumption. An attacker could know enough about the structure or probable contents of the message to greatly reduce the actual amount of entropy in the seed, without being able to guess the message. (Perhaps details in the message are important, but the message is known to always be English text.) An attacker might be able to inject a known-plaintext attack and defeat the PRNG seeding entirely. (Bob is a legitimate user of your system, but he's secretly trying to crack it as well, so he can read other people's data.)

Of course, there are many ways to sanitize the sampled data to reduce the attacker's effective knowledge about it - hashing it, for example. That's certainly better than the original Netscape time+pid+ppid approach.

Ultimately it's a question of your threat model. Does your model try to account for serious attacks by knowledgeable people with lots of resources? If not, how you seed your PRNG isn't something to lose a lot of sleep over. If so, then you'd be better off hiring crypto and security experts to vet your application.

Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
Re: Bad certificate request.
David Ahrens wrote:
> Hi,
>
> I'm using openssl to generate a certificate request. When I try to build the subject name from a given DN, there are problems with the DER encoding. I've attached a code fragment and the resulting PEM encoded certificate request.

Not sure why you've commented out X509_NAME_add_entry_by_NID() it normally does the messing around with string types automatically. The ASN1_PRINTABLE_type() stuff doesn't always get the type right and doesn't use BMPStrings and UTF8Strings.

Otherwise your encoding of the IP address is incorrect. It isn't the string representation of the IP address it is in binary form. There's an example of conversion in crypto/x509v3/v3_alt.c

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Why can't I create certificate requests?
Hi,

I got problems with "unable to load config info". I read the Diagnostics section and know the reason is that it can't find the configuration file. But how to fix this bug?

Thanks in advance.

Dean,
Re: Question on PRNG's and entropy
Hiya,

Michael Wojcik wrote:
> How do you select a "random bit" of a message if you don't have a source of randomness in the first place? From a cryptographic perspective, you'd best assume an attacker knows which bit of the message you're using, even without knowing what the message contains.

Fair point. I was thinking along the lines of msglen/n where I'd pick n (hardcoded) out of a hat. The msg lengths won't be predictable but I guess they probably won't be cryptographically random <sigh>.

> Also, note that a crypto PRNG seed should ideally contain considerable entropy. Are these messages themselves unpredictable enough to provide sufficient seed material?

They obviously have some standard header portion that I was proposing to omit. As to the contents I can't say. Depends on the application.

> > I mean, if someone can predict the contents of the data well enough to work out what my seed is, surely they've defeated the purpose of the encryption anyway .. true ???
>
> That's a very big assumption. An attacker could know enough about the structure or probable contents of the message to greatly reduce the actual amount of entropy in the seed, without being able to guess the message. (Perhaps details in the message are important, but the message is known to always be English text.) An attacker might be able to inject a known-plaintext attack and defeat the PRNG seeding entirely. (Bob is a legitimate user of your system, but he's secretly trying to crack it as well, so he can read other people's data.)
>
> Of course, there are many ways to sanitize the sampled data to reduce the attacker's effective knowledge about it - hashing it, for example. That's certainly better than the original Netscape time+pid+ppid approach.
>
> Ultimately it's a question of your threat model. Does your model try to account for serious attacks by knowledgeable people with lots of resources? If not, how you seed your PRNG isn't something to lose a lot of sleep over. If so, then you'd be better off hiring crypto and security experts to vet your application.

I don't think we're concerned about serious high-resource attacks, after all, we're not going to use authentication but use ADH instead. I'm not sure if this is an attempt by management to tick the encryption box or a serious attempt at supplying a useful option. I'm trying to do the best I can within the constraints.

The seed is the toughest bit. We're supplying a library that won't have user interaction. It also needs to run on about 10 different architectures (from NT through Unix to MVS and AS400). The only time I'll get user interaction is during installation <sigh>.

Thanks,
g.
client certificate
Sorry to bother again. I have a certificate from Verisign, but what is the CA of Verisign, and how can I get it?

thanks
RE: How to use the private key password callback?
> 'u's meaning is left up to the callback. It could be a prompt phrase a window handle or ignored. It was added because there was a need to send info to the callback.

I do nothing with u yet... I'm just hard-coding the passphrase till I can get something to work.

> There is an additional case though. In OpenSSL 0.9.5a if the callback is 0 and the parameter is not NULL then it is interpreted as a null terminated passphrase. If the parameter is NULL then the passphrase is prompted for in the usual way.

If I understand you correctly, if I call:

    PEM_read_PrivateKey(open_key_file, NULL, NULL, "passphrase");

then the string "passphrase" would be taken as just that; there would be no need to define a callback function. However, this does not work for me.

It seems that no matter what I try I core dump right as I try to read the private key file. I did a little tinkering around and found that I hit an access violation at the line

    for (;;) { if (!PEM_read_bio(bp,nm,header,data,len))

in the function

    char *PEM_ASN1_read_bio(char *(*d2i)(), ... )

in pem_lib.c. This occurs after I call PEM_read_PrivateKey ( open_key_file, NULL, cb, anything). I know that the file pointer is good, the cb looks fine in the debugger, and I'm not touching that last parameter anywhere.

Thanks again!
Error messages memory leak.
Is there any way to free the error messages that get loaded by OpenSSL? I can't seem to find any cleanup or unload call anywhere.
looking for dgst command example for DSS signing
The man page at www.openssl.org seems to imply that this supports signing, but this fails:

    openssl dgst -dss1 -sign privkey.pem test.txt
    unknown option '-sign'

Is there an example of using the openssl app to create DSS1 signatures?

Thanks.
Using SSL_accept with non blocking socket
Hi, all -

I am trying to write both server/client that using non blocking socket. I am not using BIO based read/write. Here is what my code looks like - The code is almost same as the serv.cpp and cli.cpp under demos/ssl, except I am setting non blocking option (O_NONBLOCK)

SERVER:

    SSL *ssl;
    SSL_CTX *ctx;
    listen_sd = socket(..);
    flag = fcntl(listen_sd, F_GETFL);
    fcntl(listen_sd, F_SETFL, flag | O_NONBLOCK);
    bind(listen_sd, ...);
    listen(listen_sd,...);
    select(listen_sd+1, ...);
    sd = accept(listen_sd, ...);
    flag = fcntl(sd, F_GETFL);
    fcntl(sd, F_SETFL, flag | O_NONBLOCK);
    ctx = SSL_CTX_new(...);
    ssl = SSL_new(ctx);
    SSL_set_fd(ssl, sd);
    SSL_accept(ssl);
    for (;;) {
        SSL_read(ssl);
        SSL_write(ssl);
    }

CLIENT:

    sd = socket(...);
    flag = fcntl(sd, F_GETFL);
    fcntl(sd, F_SETFL, flag | O_NONBLOCK);
    connect(sd,...);
    ctx = SSL_CTX_new(...);
    ssl = SSL_new(ctx);
    SSL_set_fd(ssl, sd);
    SSL_connect(ssl);
    SSL_write(ssl);
    SSL_read(ssl);

The problem is that SSL_accept() failed (return -1). I could not get error code with ERR_print_errors and I don't know why. Does anyone know what's wrong with this piece of code or if it makes sense?

The reason I am not using BIO is that I would like to manage both non-SSL and SSL connection over the socket. Can I do something like that?

Any help is appreciated.

Miha
Re: Using SSL_accept with non blocking socket
Hopefully you are doing add_ssl_algorithms(..) (and a helpful SSL_load_error_strings(..)) in the beginning. Also, did you try ERR_print_errors_fp(stdout) and see if something appears? I may be restating the obvious here.

The usual way I detect errors is to do a SSL_get_error(..) and do a switch-case on all possible values.

Arun.

----- Original Message -----
From: Miha Wang [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 06, 2000 4:15 PM
Subject: Using SSL_accept with non blocking socket

> Hi, all -
>
> I am trying to write both server/client that using non blocking socket. I am not using BIO based read/write. Here is what my code looks like - The code is almost same as the serv.cpp and cli.cpp under demos/ssl, except I am setting non blocking option (O_NONBLOCK)
>
> SERVER:
>
>     SSL *ssl;
>     SSL_CTX *ctx;
>     listen_sd = socket(..);
>     flag = fcntl(listen_sd, F_GETFL);
>     fcntl(listen_sd, F_SETFL, flag | O_NONBLOCK);
>     bind(listen_sd, ...);
>     listen(listen_sd,...);
>     select(listen_sd+1, ...);
>     sd = accept(listen_sd, ...);
>     flag = fcntl(sd, F_GETFL);
>     fcntl(sd, F_SETFL, flag | O_NONBLOCK);
>     ctx = SSL_CTX_new(...);
>     ssl = SSL_new(ctx);
>     SSL_set_fd(ssl, sd);
>     SSL_accept(ssl);
>     for (;;) {
>         SSL_read(ssl);
>         SSL_write(ssl);
>     }
>
> CLIENT:
>
>     sd = socket(...);
>     flag = fcntl(sd, F_GETFL);
>     fcntl(sd, F_SETFL, flag | O_NONBLOCK);
>     connect(sd,...);
>     ctx = SSL_CTX_new(...);
>     ssl = SSL_new(ctx);
>     SSL_set_fd(ssl, sd);
>     SSL_connect(ssl);
>     SSL_write(ssl);
>     SSL_read(ssl);
>
> The problem is that SSL_accept() failed (return -1). I could not get error code with ERR_print_errors and I don't know why. Does anyone know what's wrong with this piece of code or if it makes sense?
>
> The reason I am not using BIO is that I would like to manage both non-SSL and SSL connection over the socket. Can I do something like that?
>
> Any help is appreciated.
>
> Miha
RE: Using SSL_accept with non blocking socket
If you get an error result from either SSL_connect or SSL_accept you should call SSL_get_error. This can give you a number of different results indicating such things as remote end closing connection, system error, ssl protocol error, write blocked or read blocked. In the case of the last two you need to select on the socket, monitoring for the appropriate event. If you get it then make the original SSL_* call again.

-----Original Message-----
From: Miha Wang
To: [EMAIL PROTECTED]
Cc: Miha Wang
Sent: 9/6/00 7:15 PM
Subject: Using SSL_accept with non blocking socket

Hi, all -

I am trying to write both server/client that using non blocking socket. I am not using BIO based read/write. Here is what my code looks like - The code is almost same as the serv.cpp and cli.cpp under demos/ssl, except I am setting non blocking option (O_NONBLOCK)

SERVER:

    SSL *ssl;
    SSL_CTX *ctx;
    listen_sd = socket(..);
    flag = fcntl(listen_sd, F_GETFL);
    fcntl(listen_sd, F_SETFL, flag | O_NONBLOCK);
    bind(listen_sd, ...);
    listen(listen_sd,...);
    select(listen_sd+1, ...);
    sd = accept(listen_sd, ...);
    flag = fcntl(sd, F_GETFL);
    fcntl(sd, F_SETFL, flag | O_NONBLOCK);
    ctx = SSL_CTX_new(...);
    ssl = SSL_new(ctx);
    SSL_set_fd(ssl, sd);
    SSL_accept(ssl);
    for (;;) {
        SSL_read(ssl);
        SSL_write(ssl);
    }

CLIENT:

    sd = socket(...);
    flag = fcntl(sd, F_GETFL);
    fcntl(sd, F_SETFL, flag | O_NONBLOCK);
    connect(sd,...);
    ctx = SSL_CTX_new(...);
    ssl = SSL_new(ctx);
    SSL_set_fd(ssl, sd);
    SSL_connect(ssl);
    SSL_write(ssl);
    SSL_read(ssl);

The problem is that SSL_accept() failed (return -1). I could not get error code with ERR_print_errors and I don't know why. Does anyone know what's wrong with this piece of code or if it makes sense?

The reason I am not using BIO is that I would like to manage both non-SSL and SSL connection over the socket. Can I do something like that?

Any help is appreciated.

Miha
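The retry pattern described in the reply above (call SSL_get_error, select on the socket for the blocked direction, then repeat the same SSL_* call), as an added example that is not code from the thread or from OpenSSL. `wait_for_tls`, `drive_nonblocking`, `scripted_step` and `demo_attempts` are hypothetical names; `scripted_step` is a constructed stand-in for SSL_accept plus SSL_get_error so the block runs without linking OpenSSL.

```c
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Result codes as defined in <openssl/ssl.h>; skipped if that header is in use. */
#ifndef SSL_ERROR_WANT_READ
#define SSL_ERROR_NONE       0
#define SSL_ERROR_SSL        1
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#endif

/*
 * Wait until fd is ready in the direction the TLS layer asked for.
 * Returns 1 = ready, repeat the same SSL_* call; 0 = timed out;
 * -1 = ssl_err is not a "would block" result, or select() failed.
 */
int wait_for_tls(int fd, int ssl_err, int timeout_ms)
{
    fd_set fds;
    struct timeval tv;
    int want_read = (ssl_err == SSL_ERROR_WANT_READ);
    int r;

    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    if (!want_read && ssl_err != SSL_ERROR_WANT_WRITE)
        return -1;              /* protocol error, system error, peer closed */

    FD_ZERO(&fds);
    FD_SET(fd, &fds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    r = select(fd + 1, want_read ? &fds : NULL, want_read ? NULL : &fds, NULL, &tv);
    if (r < 0)
        return -1;
    return r > 0 ? 1 : 0;
}

/*
 * Repeat one non-blocking operation until it completes. step() makes a single
 * attempt and returns its SSL_get_error() result. With OpenSSL that would be:
 *
 *   static int accept_step(void *p) {
 *       SSL *s = p;
 *       int r = SSL_accept(s);
 *       return r > 0 ? SSL_ERROR_NONE : SSL_get_error(s, r);
 *   }
 *
 * Returns 0 on success, -1 on a fatal error, -2 on timeout.
 */
int drive_nonblocking(int fd, int (*step)(void *), void *arg, int timeout_ms)
{
    for (;;) {
        int err = step(arg);
        int ready;

        if (err == SSL_ERROR_NONE)
            return 0;
        ready = wait_for_tls(fd, err, timeout_ms);
        if (ready < 0)
            return -1;
        if (ready == 0)
            return -2;
    }
}

/* Constructed stand-in for the TLS layer: replays a fixed list of
 * SSL_get_error() results, one per attempt. */
struct script { const int *codes; int n; int pos; };

int scripted_step(void *p)
{
    struct script *s = p;
    return s->pos < s->n ? s->codes[s->pos++] : SSL_ERROR_NONE;
}

/* Constructed scenario on a socketpair: the handshake blocks once on write and
 * once on read. Returns the number of attempts made, or a negative error. */
int demo_attempts(int peer_sends)
{
    static const int codes[] = { SSL_ERROR_WANT_WRITE, SSL_ERROR_WANT_READ, SSL_ERROR_NONE };
    struct script s = { codes, 3, 0 };
    int sv[2], rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (peer_sends && write(sv[1], "x", 1) != 1) {   /* makes sv[0] readable */
        close(sv[0]); close(sv[1]);
        return -1;
    }
    rc = drive_nonblocking(sv[0], scripted_step, &s, 100);
    close(sv[0]);
    close(sv[1]);
    return rc == 0 ? s.pos : rc;
}
```

A bare -1 from SSL_accept on a non-blocking socket is therefore not necessarily a failure: the handshake may simply need another attempt once the socket is ready.
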
Re: looking for dgst command example for DSS signing
Michael Sierchio wrote:
> The man page at www.openssl.org seems to imply that this supports signing, but this fails:
>
>     openssl dgst -dss1 -sign privkey.pem test.txt
>     unknown option '-sign'
>
> Is there an example of using the openssl app to create DSS1 signatures?
>
> Thanks.

Presumably you are using OpenSSL 0.9.5a? The -sign option has only been added to the latest development versions.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: looking for dgst command example for DSS signing
Dr S N Henson wrote:
> Michael Sierchio wrote:
> > The man page at www.openssl.org seems to imply that this supports signing, but this fails:
> >
> >     openssl dgst -dss1 -sign privkey.pem test.txt
> >     unknown option '-sign'
> >
> > Is there an example of using the openssl app to create DSS1 signatures?
> >
> > Thanks.
>
> Presumably you are using OpenSSL 0.9.5a? The -sign option has only been added to the latest development versions.

Yes, this is with 0.9.5a. I'd be happy for a working example...
Re: PKCS7 usage?
Dr S N Henson wrote:
> Well it doesn't have to be a file. Any BIO will do. The S/MIME API doesn't currently have an init/update/final equivalent though.

I am facing a problem here: the decrypted data is stored in some strange format (beyond my control), and I have to read in the data into buffer block by block to verify the data. How do I setup such operations?

Regards
--
(~._.~)  朱 群 英 (Qun-Ying) (65) 874-6743
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace, Singapore 119613
(_)-(_)  [EMAIL PROTECTED] * [EMAIL PROTECTED]
Re: Crypt::SSLeay + LWP::UserAgent + Client Key/Certificate
No idea how to do it, but seems useful. Anyone have any pointers? Perhaps I should look at the IO::Socket::SSL code for ideas on how to deal with this?

If anyone wants to submit a patch for Crypt::SSLeay to make this work, please feel free. What's the expected API here, some file on disk with the cert specified in %ENV?

--Joshua

[EMAIL PROTECTED] wrote:
> Joshua or anyone who can fill me in,
>
> I'm having a heck of a time trying to figure out an easy way to use a client key/cert with a simple https POST. I've got a relatively short chunk of code that posts data to a CGI (sitting on a https enabled server) and it works beautifully. Now I need to make it work with a client cert. Spent several hours looking and it looks like IO::Socket::SSL might work but I'd _much_ rather just use the original Crypt::SSLeay and LWP combination. Is this possible? I would really appreciate any help you could offer.
>
> thanks
> Matthew Lenz
convert PKCS7 *p7 to DER string?
Hi,

If I have the signature generated, how do I convert the p7 into a DER string without writing out to a file? How do I know the size of the buffer to prepare?

Thanks
--
(~._.~)  朱 群 英 (Qun-Ying) (65) 874-6743
 ( O )
()~*~()
(_)-(_)  [EMAIL PROTECTED] * [EMAIL PROTECTED]