Problem creating self signed certificate using -subj option
Hello All,

I am using OpenSSL 0.9.8. When creating a self signed certificate using the req command we can specify the X509 name either by using the -subj option or by prompting the user to enter the values.

i. prompting the user to enter the values

eg # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -nodes
Country Name (2 letter code) [AU]:INN
string is too long, it needs to be less than 2 bytes long

Here the values entered by the user are checked with the minimum and maximum limits of each field specified in the openssl.conf file.
Reason: the req_check_len function is called to verify the field length
Flow : make_REQ( ) --- prompt_info( ) --- add_DN_object( ) --- req_check_len()

ii. -subj option

eg # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj /C=IN/ST=TamilNadu/L=CBE/O=test/CN=test -nodes

Here the values entered by the user are not checked with the minimum and maximum limits of each field specified in the openssl.conf file.
Reason: the req_check_len function is not called
Flow : make_REQ( ) --- build_subject( ) --- parse_name( ) //req_check_len is not called

Is this a bug ?
Suggestion for OpenSSL 0.9.8 : The following code can be added in file apps/apps.c between lines 2135 and 2137 to check the minimum and maximum limits of each field specified in the openssl.conf file

2133             BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
2134             continue;
2135         }
//--- //
        const char *longname;
        char buffer[100];
        char longname_min[256], longname_max[256], *p;
        long n_min, n_max, j;
        long errline;
        int len_buf;
        static CONF *req_conf = NULL;
        char *dn_sect, *value;

        // Get the longname from the NID
        longname = OBJ_nid2ln(nid);

        // Load the default configuration file
        p = make_config_name();
        req_conf = NCONF_new(NULL);
        j = NCONF_load(req_conf, p, &errline);
        if (j == 0) {
            BIO_printf(bio_err, "error on line %ld of %s\n", errline, p);
            goto error;
        }
        dn_sect = NCONF_get_string(req_conf, "req", "distinguished_name");
        if (dn_sect == NULL) {
            BIO_printf(bio_err, "unable to find distinguished_name in config %s\n", p);
            goto error;
        }
        if ((value = NCONF_get_string(req_conf, dn_sect, longname)) == NULL) {
            ERR_clear_error();
            value = NULL;
        }

        // Get the min length of the field from the config file
        BIO_snprintf(buffer, sizeof buffer, "%s_min", longname);
        if (!NCONF_get_number(req_conf, dn_sect, buffer, &n_min)) {
            ERR_clear_error();
            n_min = -1;
        }

        // Get the max length of the field from the config file
        BIO_snprintf(buffer, sizeof buffer, "%s_max", longname);
        if (!NCONF_get_number(req_conf, dn_sect, buffer, &n_max)) {
            ERR_clear_error();
            n_max = -1;
        }

        // Compare the length of the field against the allowable minimum and maximum
        len_buf = strlen(ne_values[i]);
        if ((n_min > 0) && (len_buf < n_min)) {
            BIO_printf(bio_err, "%s is too short, it needs to be at least %ld bytes long\n", longname, n_min);
            goto error;
        }
        if ((n_max >= 0) && (len_buf > n_max)) {
            BIO_printf(bio_err, "%s is too long, it needs to be less than %ld bytes long\n", longname, n_max);
            goto error;
        }
//--- //
2137         if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1, -1, mval[i]))
2138             goto error;
2139     }

Thanks,
Prakash Babu
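The length check the post describes, carried over to the -subj form as an added example (not OpenSSL's own code): it parses the /C=.../ST=... string the way the -subj option is written (a backslash escapes the next character), reads the <field>_min and <field>_max keys from the distinguished_name section named in [req], and applies the same comparisons and messages as req_check_len(). SAMPLE_CONFIG, LONG_NAMES and the function names are constructed for this example; the real command reads the limits from the system openssl.cnf.

```python
"""Apply openssl.cnf <field>_min/<field>_max limits to an OpenSSL-style -subj string.

Added example, not OpenSSL's code. SAMPLE_CONFIG and the function names below
are constructed for this example.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed openssl.cnf fragment in the layout the req command reads.
SAMPLE_CONFIG = """
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_max = 64
commonName = Common Name
commonName_max = 64
"""

# Short DN type -> long name, as OBJ_nid2ln() gives for these common NIDs.
LONG_NAMES = {
    "C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
    "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName",
}


def parse_subject(subj: str) -> List[Tuple[str, str]]:
    """Split '/C=IN/ST=TamilNadu' into (type, value) pairs.

    A backslash escapes the following character, so a value may contain '/'.
    Empty components are skipped; a component without '=' is an error.
    """
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    components: List[str] = []
    current: List[str] = []
    i = 1
    while i < len(subj):
        ch = subj[i]
        if ch == "\\" and i + 1 < len(subj):
            current.append(subj[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "/":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))

    pairs: List[Tuple[str, str]] = []
    for comp in components:
        if comp == "":
            continue
        if "=" not in comp:
            raise ValueError(f"missing '=' in subject component {comp!r}")
        typ, value = comp.split("=", 1)
        pairs.append((typ.strip(), value))
    return pairs


def load_limits(config_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {longname: (min, max)}; an unconfigured limit is -1, OpenSSL's own sentinel."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # openssl.cnf keys are case-sensitive; keep them as written
    cp.read_string(config_text)
    dn_sect = cp.get("req", "distinguished_name")
    limits: Dict[str, Tuple[int, int]] = {}
    for key in cp[dn_sect]:
        if not (key.endswith("_min") or key.endswith("_max")):
            continue
        name, kind = key.rsplit("_", 1)
        lo, hi = limits.get(name, (-1, -1))
        n = cp.getint(dn_sect, key)
        limits[name] = (n, hi) if kind == "min" else (lo, n)
    return limits


def check_subject(subj: str, limits: Dict[str, Tuple[int, int]]) -> List[str]:
    """Return the messages req_check_len() would print; an empty list means the subject passes."""
    errors: List[str] = []
    for typ, value in parse_subject(subj):
        longname = LONG_NAMES.get(typ, typ)
        n_min, n_max = limits.get(longname, (-1, -1))
        length = len(value.encode("utf-8"))  # the limits are byte lengths
        if n_min > 0 and length < n_min:
            errors.append(f"{longname} is too short, it needs to be at least {n_min} bytes long")
        if n_max >= 0 and length > n_max:
            # OpenSSL's wording; the comparison itself allows exactly n_max bytes
            errors.append(f"{longname} is too long, it needs to be less than {n_max} bytes long")
    return errors


if __name__ == "__main__":
    limits = load_limits(SAMPLE_CONFIG)
    for s in ("/C=IN/ST=TamilNadu/L=CBE/O=test/CN=test", "/C=INN/ST=TamilNadu/CN=test"):
        print(s, "->", check_subject(s, limits) or "OK")
```

With the sample configuration the first subject from the post passes and the second is rejected with the same "countryName is too long" text the prompted path prints, which is the behaviour the suggested apps.c change would give the -subj path.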
question about error message: unable to write 'random state'
I hope this isn't a repeat of a previous posting, and apologize if it is (I tried posting this question a couple of days ago and think the email may not have actually been sent). Anyway, I'm having trouble using openssl to encrypt email messages, and would greatly appreciate any advice anyone may have.

I'm trying to write a PERL CGI script that uses openssl to send an encrypted email. The script is executing the following command, piping the body of the message to the command's standard input:

openssl smime -subject 'subject' -encrypt /path/to/cert.pem > outfile 2>&1

Standard error is redirected to standard output for debugging. The command's output (written to outfile) looks like this:

Subject: subject
MIME-Version: 1.0
Content-Disposition: attachment; filename=smime.p7m
Content-Type: application/x-pkcs7-mime; name=smime.p7m
Content-Transfer-Encoding: base64

MIIBnQYJKoZIhvcNAQcDoIIBjjCCAYoCAQAxggE4MIIBNAIBADCBnDCBlDEaMBgG
A1UEChMRTGVuZGluZyBSZXNvdXJjZXMxKDAmBgkqhkiG9w0BCQEWGXBldGVAbGVu
ZGluZ3Jlc291cmNlcy5uZXQxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNV
BAgTCkNhbGlmb3JuaWExCzAJBgNVBAYTAlVTMRIwEAYDVQQDEwlQZXRlciBZZWUC
AxAAATANBgkqhkiG9w0BAQEFAASBgKBPMjrDgbB0c6yVAboSeMrBHdKClgajJ53I
kkOA0UZqut71DJsoCm5LPRGJ73bEiydY9R9y2OrsLMPEZ0dNC2JEBTfP1EL1gNom
UkbRpYRpa9liAq2QFEjflcFZBw4d8vIDrMCDJSrEUCWAW3U57nLl6RU5M01V/MuK
3dgWkXhGMEkGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQILKEDpzpFXQmA
IJ6P3o41/T4Tq5J2ak7vHpmGI94Inf/2ObSCXYaCtYMn

unable to write 'random state'

I was reading some info about the unable to write 'random state' message. Apparently this indicates a problem accessing a seeding file for random number generation. The info I am reading says that openssl tries to use /dev/urandom by default, and starting with version 0.9.7, tries /dev/random if /dev/urandom is unavailable. The web server executing the CGI script is running FreeBSD 4.11-STABLE and the version of openssl installed on the server is 0.9.7d (17 Mar 2004).
I wrote a little CGI script that does an ls -l /dev | grep random and the result looks like this:

crw-r--r--  1 root  wheel    2,   3 Apr 15 11:11 random
crw-r--r--  1 root  wheel    2,   4 Apr 15 11:11 urandom

As shown above, both /dev/urandom and /dev/random exist and are world-readable. Therefore I do not know why openssl is printing the error message. Does anyone know why this is happening? Any suggestions on how to solve this problem are greatly appreciated. When replying, please cc [EMAIL PROTECTED]

Thanks,
Dave

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
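A check worth running from inside the CGI environment, as an added example that is not part of the post: the "unable to write 'random state'" message is printed by the openssl command-line apps when the write of the seed file at exit fails, and the file they try to write is the one RAND_file_name() resolves, $RANDFILE if set and otherwise $HOME/.rnd. The encrypted output above was produced, so reading /dev/urandom worked; what this code checks is whether the process has a name for the seed file at all and whether that location is writable. The function names and the sample environments are constructed for this example.

```python
"""Resolve and test the 'random state' file the openssl apps try to write.

Added example, not OpenSSL's code. It reproduces the lookup RAND_file_name()
performs: $RANDFILE, else $HOME/.rnd, else no file name at all. Function names
are constructed for this example.
"""
import os
from typing import Dict, Optional, Tuple


def rand_state_file(env: Dict[str, str]) -> Optional[str]:
    """Path of the seed file openssl would write, or None if it cannot form one."""
    randfile = env.get("RANDFILE")
    if randfile:
        return randfile
    home = env.get("HOME")
    if home:
        return os.path.join(home, ".rnd")
    return None  # neither variable set: the write has no file name and fails


def check_rand_state(env: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, message) describing whether the write at exit would succeed.

    The three failure cases are the ones a CGI process typically hits: the web
    server passes no HOME or RANDFILE, the home directory is not writable by
    the server's user, or an old .rnd file is owned by someone else.
    """
    path = rand_state_file(env)
    if path is None:
        return False, "neither RANDFILE nor HOME is set; openssl has no file name to write"
    if os.path.exists(path):
        if os.access(path, os.W_OK):
            return True, f"can overwrite existing {path}"
        return False, f"{path} exists but is not writable by this user"
    parent = os.path.dirname(path) or "."
    if os.path.isdir(parent) and os.access(parent, os.W_OK):
        return True, f"can create {path}"
    return False, f"cannot create {path}: directory {parent} is missing or not writable"


if __name__ == "__main__":
    # Compare the interactive shell environment with a CGI-like one that carries
    # only PATH, which is the usual difference between "works for me" and the error.
    for label, env in (("shell", dict(os.environ)), ("cgi-like", {"PATH": "/usr/bin:/bin"})):
        ok, msg = check_rand_state(env)
        print(f"{label:9s} {'ok ' if ok else 'FAIL'} {msg}")
```

If the CGI-like run fails, exporting RANDFILE to a directory the web server user owns (or setting HOME for the script) gives openssl a writable location; the message is about writing that file, not about reading /dev/random.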
Plan for OCSP verifier to LDAP?
Is there any plan to support OCSP verification over LDAP (or LDAP/s)?

OT: BTW, could anyone recommend an LDAP client library (C or C++) that works on Windows? Preferably open source.

thanks
coco
Re: Plan for OCSP verifier to LDAP?
> Is there any plan to support OCSP verification over LDAP (or LDAP/s)?

This question makes no sense. OCSP and LDAP are two different protocols. It's like saying SMTP over HTTP.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
Re: Newbie SSL_write question
Call ERR_clear_error() before the while loop and call ERR_get_error_line_data() in a loop till it returns 0 inside the SSL_ERROR_SYSCALL case. This may give you some idea on what went wrong.

JB

On 8/11/05, Michael [EMAIL PROTECTED] wrote:
> On 8/11/05, David Schwartz [EMAIL PROTECTED] wrote:
> > <snip>
> > > My code uses blocking sockets, has the SSL_CTX SSL_MODE_ENABLE_PARTIAL_WRITE option set and loops on the ssl_read but the socket is closed after the first 32k is sent. Why, if a message block size is 16k, does the first 32k of a message get written/read, then the socket dropped?
> > <snip>
> >
> > Give us example code or more detailed information about what you mean by "the socket dropped" and how you determined that. My bet is simply that there's a bug in your code. With non-blocking sockets, you have to test the return value of SSL_read and properly handle partial or failed sends. You may get a failed send if there was insufficient space to fit a single block of protocol data (or if protocol data was sent that corresponds to zero bytes of application data!). You may get a partial send.
>
> Thanks for your reply David - I think you're probably right about my code! ;-)
>
> Upon your suggestion I added some more cases to test the return code of ssl_write and found that I am getting a SSL_ERROR_SYSCALL after the first 32 bytes. Here is the code. As mentioned before, I have the SSL_CTX set with partial writes enabled, the main write loop is as follows (for clarity, I've removed all the tests of ssl_write other than those that get called).
> --start--
> char error_str[BUFF_SIZE];
> char out_buf[BUFF_SIZE];
> int sent_bytes = 0;
> int offset = 0;
> int bytes_to_send = data_len;   /* data_len: length of data in out_buf, set by the caller */
>
> fprintf(stderr, "- Attempting to write %d bytes\n", bytes_to_send);
> while (bytes_to_send) {
>     sent_bytes = SSL_write(p_ssl, out_buf + offset, bytes_to_send);
>     switch (SSL_get_error(p_ssl, sent_bytes)) {
>     case SSL_ERROR_NONE:
>         bytes_to_send -= sent_bytes;
>         offset += sent_bytes;
>         fprintf(stderr, "- Written %d bytes\n", sent_bytes);
>         break;
>     case SSL_ERROR_SYSCALL:
>         /* ERR_error_string() writes the text into the caller's buffer */
>         ERR_error_string(ERR_get_error(), error_str);
>         fprintf(stderr, "- SSL_ERROR_SYSCALL: %s\n", error_str);
>         return false; // exit routine
>     default:
>         fprintf(stderr, "- SSL_write reports %d\n", sent_bytes);
>         return false; // exit routine
>     }
> }
> --end--
>
> When I try and write more than 32k I get the following messages...
>
> - Attempting to write 59266 bytes
> - Written 16384 bytes
> - Written 16384 bytes
> - SSL_ERROR_SYSCALL: error::lib(0):func(0):reason(0)
>
> I have SSL_load_error_strings() earlier in my code, but don't get any more information than this. I'm still at a loss as to what's happening here, but many thanks for your help in getting this far.
>
> Michael.
cryptlib vs. openssl
Hi,

does anyone know about Peter Gutmann's cryptlib and how it compares to openssl?

Gerd
BorlandC++ 6 compiler Options
Hi,

I have some problems with RSA_bio_read and BN_bn2hex which fall in segmentation faults. I compiled openssl using the standard procedure:

perl Configure BC-32
do_nasm
make -f bcb.mak

It compiled well. I tried some examples; it works well except for RSA_bio_read and BN. In the FAQ it is clear that compilation options are very important, particularly for bio functions, so I tried to set exactly the same options in my project (multithread lib) but it's hard and not as simple as gcc and vc do. So I'm never sure it is correct; nevertheless I keep the seg fault, and even if I compile openssl in debug mode I keep this error. Is there anyone here to help me please?

Jean-Michel Lekston
Cogendi
Phone: +33 (1) 41 91 75 75
Re: Plan for OCSP verifier to LDAP?
> I have a (potential) customer which has a CA configured with an OCSP responder that talks only LDAP. The IT guy wouldn't want to set up an http responder (don't ask reason, I can't figure that out either).

He probably means that the OCSP responder only gets certificates and CRLs by doing LDAP queries.

> That's why I was asking if there is any plan to put in support to send OCSP request over LDAP.

There is no such thing. LDAP protocol has bind, search, etc., packets. OCSP uses HTTP POST to make a query. Can you show me where OCSP over LDAP is documented?

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html