RE: possible SSL_write bug
> If I close stunnel, the next SSL_write will return a positive value, as if everything is ok, the second causes sudden application termination.

Make a build with debugging symbols, get a core dump, and analyze it with 'gdb' or similar. Alternatively, post the smallest complete, compilable example of code that demonstrates the problem.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: possible SSL_write bug
Hi,

I made more tests, I even adapted sample code from samples I got in the web, and I always have the same result. If I close stunnel, the next SSL_write will return a positive value, as if everything is ok, the second causes sudden application termination.

Could anybody please verify this behavior? It is possible that this is just my mistake, but I think it is worth looking because I might have found a big bug.

Thanks in advance.

David Schwartz wrote:
>> I made a program that connects to a stunnel server. I am able to connect to the server, read, write, with no problems.
>
> Good.
>
>> The problem is that if I close the stunnel, I can handle the error correctly if I make an SSL_read, but not if I make an SSL_write. The SSL_write returns a positive value even if the stunnel is closed, and on next SSL_write the application closes suddenly.
>
> The first part is typical. Depending on exactly how the tunnel was closed, a write may not detect it immediately. As for your application closing suddenly on the next SSL_write, this is abnormal. Most likely, it's a bug in your program. It could be a bad OpenSSL build or a bug in OpenSSL, but that's unlikely.
>
>> So if I close the stunnel, and make two writes in a row in my application, my application dies.
>
> Figure out why. Get a core dump or attach a debugger and see why and where it's dying.
>
> DS
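The behaviour David Schwartz calls typical, a write that still succeeds after the peer has gone, can be reproduced on a plain TCP socket without OpenSSL. The C program below is an added example, not code from the thread: the function name and the loopback setup are assumptions made for illustration. On POSIX systems the second write fails with EPIPE and, unless SIGPIPE is ignored or handled, the default signal action ends the process without any message; whether that is what happened in the poster's program is not established in the thread.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct write_result { long first, second; int second_errno; };

/* Connect to a local listener, let the peer close, then write twice. */
struct write_result write_after_peer_close(void)
{
    struct write_result r = { -1, -1, 0 };
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks */
    if (lfd < 0 || cfd < 0 ||
        bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &len) < 0 ||
        connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0)
        return r;
    close(accept(lfd, NULL, NULL));          /* the peer goes away */
    close(lfd);
    poll(NULL, 0, 200);                      /* let its FIN arrive */
    /* With the default SIGPIPE action the second write below would end
       the process silently; ignoring it turns that into an error return. */
    signal(SIGPIPE, SIG_IGN);
    r.first = write(cfd, "one", 3);          /* accepted by the kernel */
    poll(NULL, 0, 200);                      /* peer answers with a reset */
    r.second = write(cfd, "two", 3);         /* now fails */
    r.second_errno = (r.second < 0) ? errno : 0;
    close(cfd);
    return r;
}

int main(void)
{
    struct write_result r = write_after_peer_close();
    printf("first=%ld second=%ld errno=%d\n", r.first, r.second, r.second_errno);
    return 0;
}
```

Removing the signal(SIGPIPE, SIG_IGN) line and running the program under a debugger shows the process stopping on SIGPIPE at the second write.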
AW: RSA_public_decrypt error
I'm not that good in OpenSSL. How do I create an RSA file if I only have a modulus and exponent. Programmatically I have set the 2 values with BN_bin2bn(), but how do I save this to a file?

I just add a working and a non working example to this mail.

Modulus: [...]
Exponent: 00 00 00 00 40 00 00 81

--Working:
Ciphertext: [...]

Not working (modulus and exponent are like before):
Ciphertext: [...]

Best regards
Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Monday, 11 February 2008 15:15
To: openssl-users@openssl.org
Subject: Re: RSA_public_decrypt error

On Mon, Feb 11, 2008, Wockenfu, Frank wrote:
> Hi all,
>
> I have the following problem: I want to verify a signature that was created inside a smartcard. The smartcard creates a digital signature with RSA 2048 bit over a hash that was created using SHA-512 (OpenSSL). To verify the signature I call the OpenSSL-function RSA_public_decrypt with RSA_PKCS1_PADDING as padding. Most of the created signatures are working fine with this function, but I have some of them that cause the error 106 that has the following error reason RSA_R_BLOCK_TYPE_IS_NOT_01. All signatures are created at the same time with the same card and program. All other signatures work fine.
>
> What could be the problem? I don't think that this is a problem with the card that creates the signatures. Maybe there is some inconsistency in the hashvalue generation or the initialisation of OpenSSL. Could this be a reason? Hope someone can help me.

I'd suggest you put the values through the rsautl utility to see if you get the same error. If you do try posting the public key and a few good and bad examples.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: openssl server + smart card
Hello,

>> In SSL/TLS you encrypt pre_master_secret with server certificate. For that, you do not need smartcard, TLS server will send you certificate and (after verification) you (client) encrypt generated pre_master_secret with server public key sent to you by server with certificate. You may use smartcard if TLS server requires client verification, then your (client) private key from smartcard is used to prove your identity.
>>
>> Best regards,
>> --
>> Marek Marcola [EMAIL PROTECTED]
>
> Here the server is using the smart card and the smart card holds the server certificate and the private key. So the server got the server cert from the smart card and sends it to the client. The client encrypts the pre_master_secret with the public key and sends it to the server. Now the server must use the smart card because the server's private key is only on the smart card.

Ok, misunderstanding :-)
You may use for that OpenSSL ENGINE interface ( $ man engine ).

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
-passout problem?
I am trying to use openssl to create a password protected key in openvpn, but not succeeding. I am not sure I am doing it correctly.

With:

# openssl version
OpenSSL 0.9.8b 04 May 2006
# uname -a
Linux mbrc32 2.6.22.1-41.fc7 #1 SMP Fri Jul 27 18:10:34 EDT 2007 i686 athlon i386 GNU/Linux
# echo $vpnFullPassFile
/root/code/keygen/vpn_targ/passVPNfull.txt

from:

# openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG -passout file:$vpnFullPassFile

I get:

file /root/code/keygen/vpn_targ/passVPNfull.txt is not present

but:

# ll /root/code/keygen/vpn_targ/passVPNfull.txt
-r 1 root root 36 2008-02-11 11:43 /root/code/keygen/vpn_targ/passVPNfull.txt

Thanks for your help.
Mike.
key iv generation?
How is the key and iv generated? I am using enc -aes256 with a text based password. Is there a stand alone openssl command that will do this? I need to find the code that does this step so that I can replicate it in javascript.

Cheers.
Re: RSA_public_decrypt error
On Mon, Feb 11, 2008, Wockenfu, Frank wrote:
> Hi all,
>
> I have the following problem: I want to verify a signature that was created inside a smartcard. The smartcard creates a digital signature with RSA 2048 bit over a hash that was created using SHA-512 (OpenSSL). To verify the signature I call the OpenSSL-function RSA_public_decrypt with RSA_PKCS1_PADDING as padding. Most of the created signatures are working fine with this function, but I have some of them that cause the error 106 that has the following error reason RSA_R_BLOCK_TYPE_IS_NOT_01. All signatures are created at the same time with the same card and program. All other signatures work fine.
>
> What could be the problem? I don't think that this is a problem with the card that creates the signatures. Maybe there is some inconsistency in the hashvalue generation or the initialisation of OpenSSL. Could this be a reason? Hope someone can help me.

I'd suggest you put the values through the rsautl utility to see if you get the same error. If you do try posting the public key and a few good and bad examples.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
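With RSA_PKCS1_PADDING, the block recovered by the public-key operation has to begin 00 01, continue with FF padding and a 00 separator, and end with the signed payload; the RSA_R_BLOCK_TYPE_IS_NOT_01 error in this thread is about those leading bytes. The checker below is an added example, not OpenSSL's code or anything posted to the list: the status names, function names and the 32-byte sample block are constructed for illustration, and no RSA arithmetic is performed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum em_status { EM_OK, EM_TOO_SHORT, EM_HEADER_NOT_00_01,
                 EM_BAD_PAD_BYTE, EM_PAD_UNDER_8, EM_NO_SEPARATOR };

/* em holds the k bytes produced by the RSA public operation (k = modulus
   size in bytes). Expected layout: 00 01 FF..FF 00 || payload. */
enum em_status check_type1(const unsigned char *em, size_t k,
                           const unsigned char **payload, size_t *plen)
{
    size_t i = 2;
    if (k < 11) return EM_TOO_SHORT;          /* 3 framing bytes + 8 pad */
    if (em[0] != 0x00 || em[1] != 0x01) return EM_HEADER_NOT_00_01;
    while (i < k && em[i] == 0xFF) i++;       /* skip the FF padding */
    if (i == k) return EM_NO_SEPARATOR;
    if (em[i] != 0x00) return EM_BAD_PAD_BYTE;
    if (i - 2 < 8) return EM_PAD_UNDER_8;
    *payload = em + i + 1;
    *plen = k - i - 1;
    return EM_OK;
}

/* Constructed 32-byte sample (a 2048-bit key gives k = 256). Builds a block
   with the given block-type and padding bytes and a 4-byte dummy payload.
   Returns the payload length on success, minus the status code on failure. */
int check_sample(unsigned char block_type, unsigned char pad)
{
    unsigned char em[32];
    const unsigned char *payload = NULL;
    size_t plen = 0;
    enum em_status st;
    memset(em, pad, sizeof em);
    em[0] = 0x00;
    em[1] = block_type;
    em[27] = 0x00;                             /* separator */
    memcpy(em + 28, "\xde\xad\xbe\xef", 4);    /* stand-in for the hash */
    st = check_type1(em, sizeof em, &payload, &plen);
    return st == EM_OK ? (int)plen : -(int)st;
}

int main(void)
{
    printf("type 01, pad FF -> %d\n", check_sample(0x01, 0xFF));
    printf("type 02, pad FF -> %d\n", check_sample(0x02, 0xFF));
    printf("type 01, pad AA -> %d\n", check_sample(0x01, 0xAA));
    return 0;
}
```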
Re: openssl server + smart card
On Monday, 11 February 2008 14:22:39, [EMAIL PROTECTED] wrote:
> Hello,
>
>> I am writing a TLS server application. That is the easy part. The server certificate is on a smart card. So I get only the public key and the certificate but not the private key from the smart card. So I have to decrypt everything in the TLS handshake, which is encrypted with server public key (the premaster secret), with the smart card. So my question is: How can I control the TLS handshake in openssl so that the premaster secret is decrypted with the smart card.
>
> In SSL/TLS you encrypt pre_master_secret with server certificate. For that, you do not need smartcard, TLS server will send you certificate and (after verification) you (client) encrypt generated pre_master_secret with server public key sent to you by server with certificate. You may use smartcard if TLS server requires client verification, then your (client) private key from smartcard is used to prove your identity.
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]

Here the server is using the smart card and the smart card holds the server certificate and the private key. So the server got the server cert from the smart card and sends it to the client. The client encrypts the pre_master_secret with the public key and sends it to the server. Now the server must use the smart card because the server's private key is only on the smart card.

Best regards,
Lars Kühl
Re: openssl server + smart card
Hello,

> I am writing a TLS server application. That is the easy part. The server certificate is on a smart card. So I get only the public key and the certificate but not the private key from the smart card. So I have to decrypt everything in the TLS handshake, which is encrypted with server public key (the premaster secret), with the smart card. So my question is: How can I control the TLS handshake in openssl so that the premaster secret is decrypted with the smart card.

In SSL/TLS you encrypt pre_master_secret with server certificate. For that, you do not need smartcard, TLS server will send you certificate and (after verification) you (client) encrypt generated pre_master_secret with server public key sent to you by server with certificate. You may use smartcard if TLS server requires client verification, then your (client) private key from smartcard is used to prove your identity.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
RE: SSL specification -reg
I am able to specifications for SSL. This site works.

Thank you so much,
Uday.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohamad Badra
Sent: Friday, February 08, 2008 5:49 PM
To: openssl-users@openssl.org
Subject: Re: SSL specification -reg

Try this: http://wp.netscape.com/eng/ssl3/

Then click on previous draft of the SSL 3.0 Specification or on most recent Draft SSL 3.0 specification.

Best regards,
Badra

Thanaraj, Udayakumar (STSD-OpenVMS) wrote:
> Hi,
>
> Where can I find specifications or rfcs for SSL. I came to know that the official site is @ http://home.netscape.com/eng/ssl3/ssl-toc.html. But I had no luck to access this link as it fails to connect. Please let me know if there is an alternate site wherein I can get this info.
>
> Thanks,
> Uday.
Re: FIPS 1.0 available?
FIPS 1.0 is no longer valid for procurement, thus to avoid confusion it is no longer available from the download site.

-Kyle H

On Feb 8, 2008 3:07 PM, Briones, Frank [EMAIL PROTECTED] wrote:
> Hi there,
>
> I am looking for a previous version of OpenSSL, FIPS 1.0, but is not available at the download site. Does anyone know if it is still available for download?
>
> Thanks for any help,
> Frank
FIPS 1.0 available?
Hi there,

I am looking for a previous version of OpenSSL, FIPS 1.0, but is not available at the download site. Does anyone know if it is still available for download?

Thanks for any help,
Frank
RE: SSL_shutdown
-- Original Message --
To: (openssl-users@openssl.org)
From: Saju ([EMAIL PROTECTED])
Subject: RE: SSL_shutdown
Date: 10/2/2008 3:52:05p

Connection shutdown is just:

    Library->BIO_ssl_shutdown(Bio);
    Library->BIO_set_close(Bio, BIO_CLOSE);
    Library->BIO_free_all(Bio);
    //if (Library->SSL_shutdown(Ssl) == 0)
    //    Library->SSL_shutdown(Ssl);
    // Library->SSL_free(Ssl); // Do I need this or not? (doesn't help the TCP socket issue)

Would be my best guess.

That's working for me. Thank you so much.

Regards
--
Matthew Allen - Memecode Software (http://www.memecode.com)
Universidad San Francisco de Quito Development
Dear friends,

I am a student and I am working in one investigation university project. With this project I am going to get my engineer title. I want to know if OpenSSL can create wap certificates and how can I integrate it in one wap simulator. Please help me. I am studying wap security

--
Kind regards,
Juan Pablo Albuja
openssl server + smart card
Hi all,

I am writing a TLS server application. That is the easy part. The server certificate is on a smart card. So I get only the public key and the certificate but not the private key from the smart card. So I have to decrypt everything in the TLS handshake, which is encrypted with server public key (the premaster secret), with the smart card. So my question is: How can I control the TLS handshake in openssl so that the premaster secret is decrypted with the smart card. The communication with the card is no problem.

Best regards
Lars Kühl
RE: RSA_verify problem
Hi,

I have made the modifications you suggested and run the sample code for RSA_public_decrypt. I get the same error that I receive with RSA_verify:

error:0306E06C:bignum routines:BN_mod_inverse:no inverse

Do you have any further suggestions? I do not understand what I am doing wrong.

Thanks
Chris