How to create SSLv3 certs
Hi,

Can you please let me know how to create SSLv3 certs using openSSL? I am able to create v2 certs but not v3 certs.

Thanks,
Praveen
Problem using SSL_CTX_use_certificate_file(); Throws Illegal instruction
Hi All,

I am new to OpenSSL programming. I have searched the previous posts in the forum before posting my problem. I am trying to execute some sample applications given with the OpenSSL code (openssl-0.9.8) to get a basic understanding of how OpenSSL works. Below is the code sample that I have used.

    #include <openssl/ssl.h>
    #include <openssl/err.h>

    /* CERTF is not defined in the post; placeholder path for the PEM certificate */
    #define CERTF "server.pem"

    int main(void)
    {
        SSL_METHOD *meth;   /* const SSL_METHOD * from OpenSSL 1.0.0 on */
        SSL_CTX *ctx;

        SSL_library_init();
        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        meth = SSLv23_server_method();
        ctx = SSL_CTX_new(meth);
        SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM);
        ...
    }

But while executing SSL_CTX_use_certificate_file(), it throws an Illegal instruction while calling PEM_read_bio_X509() internally:

    PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);

I have found that ctx->default_passwd_callback is NULL and ctx->default_passwd_callback_userdata is NULL. I do not understand why these are NULL. Am I supposed to call / initialize anything before I call SSL_CTX_use_certificate_file() in order to initialize these callbacks?

Please let me know what the problem is, and also how to resolve this issue.

Thanks & Regards,
Siddeswar.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
PKCS7 - SubjectKeyIdentifier CHOICE in SignerIdentifier fails?
Hello,

We're having a pkcs7 file that gives the following error when being parsed:

    9872:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1320

(openssl-1.0.0-beta3, but same prob in openssl 0.9.8g)

Here's part of the file dump, the prob seems to occur at the ERROR!:

      4  48: SEQUENCE {
      8   6:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
     19 160:   [0] {
     23  48:     SEQUENCE {
     27   2:       INTEGER 3
     30  49:       SET {
     32  48:         SEQUENCE {
     34   6:           OBJECT IDENTIFIER sha2-256 (2 16 840 1 101 3 4 2 1)
           :         }
           :       }
     45  48:       SEQUENCE {
     48   6:         OBJECT IDENTIFIER '2 23 136 1 1 1'
     56 160:         [0] {
     59   4:           OCTET STRING, encapsulates {
           :             EncapsulatedContentInfo [skipped]
           :           }
           :         }
    200  49:       SET {                                          SignerInfos
    204  48:         SEQUENCE {                                   SignerInfo
    208   2:           INTEGER 1                                  CMSVersion
    211 128:           [0]
           :             33 8D 0D 81 58 CA 84 C7 12 14 51 C6 8B 17 F0 95   ERROR!
           :             5E A6 9D E4
    233  48:           SEQUENCE {
    235   6:             OBJECT IDENTIFIER sha2-256 (2 16 840 1 101 3 4 2 1)   DigestAlgorithmIdentifier
           :           }
                       [skipped]

Changing the CMSVersion to 3 doesn't work either.

Here's the definitions from http://www.ietf.org/rfc/rfc3852.txt:

    SignerInfo ::= SEQUENCE {
      version CMSVersion,
      sid SignerIdentifier,
      digestAlgorithm DigestAlgorithmIdentifier,
      [...]

    SignerIdentifier ::= CHOICE {
      issuerAndSerialNumber IssuerAndSerialNumber,
      subjectKeyIdentifier [0] SubjectKeyIdentifier }

Could it be that the SubjectKeyIdentifier CHOICE isn't supported here, that the parser expects an IssuerAndSerialNumber only?

Thx, best regards,
Stef Hoeben
Software Engineer
Zetes PASS - Personal Authentication and Security Services
Zetes PASS - Rue de Strasbourg 3, 1130 Brussels
Tel.: +32 2 790 38 15 +++ 728 37 11 +++ Cell: +32 478 21 31 84
mailto: stef.hoe...@zetes.com
WWW.ZETES.COM | ALWAYS A GOOD ID
extract components from public key
Hello,

What kind of information can be extracted from the public_key? In particular, I generate it like this:

    openssl rsa -pubout -in private_key.pem -out public_key.pem

I know that from a private_key it's possible to extract much information (such as the modulus, or any other info, by doing openssl rsa -text -in private_key.pem).

Thanks,
Valerio
Re: extract components from public key
I think I've found the answer myself:

    openssl rsa -text -noout -modulus -pubin -in public_key.pem

or

    openssl rsa -noout -modulus -pubin -in public_key.pem

On Mon, Mar 22, 2010 at 12:59 PM, Valerio Schiavoni <valerio.schiav...@gmail.com> wrote:
> Hello,
>
> What kind of information can be extracted from the public_key? In particular, I generate it like this:
>
>     openssl rsa -pubout -in private_key.pem -out public_key.pem
>
> I know that from a private_key it's possible to extract much information (such as the modulus, or any other info, by doing openssl rsa -text -in private_key.pem).
>
> Thanks,
> Valerio
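As an added example (not from the thread), a small POSIX shell script around the commands above: it pulls the modulus, public exponent and key size out of public_key.pem and uses the modulus to confirm that a public key belongs to a given private key. It assumes an openssl binary on PATH and generates its own throwaway key pair.

```shell
#!/bin/sh
# Added example, not from the thread. An RSA public key file holds only the
# modulus n and the public exponent e (the key size is just the bit length
# of n); the functions below extract them and use n to check that a public
# key really belongs to a private key. Assumes openssl on PATH.
set -eu

# Modulus of an RSA public key as uppercase hex ("Modulus=" prefix stripped).
# Fails if the file is not an RSA public key.
pub_modulus() {
    openssl rsa -pubin -in "$1" -noout -modulus | sed 's/^Modulus=//'
}

# Public exponent in decimal, from the -text dump ("Exponent: 65537 (0x10001)").
pub_exponent() {
    openssl rsa -pubin -in "$1" -noout -text | sed -n 's/^ *Exponent: \([0-9]*\).*/\1/p'
}

# Key size in bits, from the "Public-Key: (2048 bit)" line of the -text dump.
pub_bits() {
    openssl rsa -pubin -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p'
}

# "yes" if the public key was derived from the private key, else "no".
# Equal moduli mean the same key pair, so comparing n is sufficient; the
# same comparison against `openssl x509 -noout -modulus` tells you whether
# a certificate matches a private key.
same_key() {
    priv=$(openssl rsa -in "$2" -noout -modulus | sed 's/^Modulus=//')
    if [ "$(pub_modulus "$1")" = "$priv" ]; then echo yes; else echo no; fi
}

# Stand-alone demo on a key pair constructed here (file names as in the thread).
dir=$(mktemp -d)
openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null
openssl rsa -pubout -in "$dir/private_key.pem" -out "$dir/public_key.pem" 2>/dev/null
echo "bits=$(pub_bits "$dir/public_key.pem") e=$(pub_exponent "$dir/public_key.pem")"
echo "public key matches private key: $(same_key "$dir/public_key.pem" "$dir/private_key.pem")"
rm -rf "$dir"
```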
Re: PKCS7 - SubjectKeyIdentifier CHOICE in SignerIdentifier fails?
On Mon, Mar 22, 2010, Stef Hoeben wrote:
> Hello,
>
>       subjectKeyIdentifier [0] SubjectKeyIdentifier }
>
> Could it be that the SubjectKeyIdentifier CHOICE isn't supported here, that the parser expects an IssuerAndSerialNumber only?

Yes, the SKID option is not part of the PKCS#7 standard, so it is illegal in a PKCS#7 file. If you use the CMS routines instead it should work OK.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
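An added example (not from the thread) that reproduces Steve's answer on a file built locally: a SignedData signed with -keyid carries the subjectKeyIdentifier [0] form of sid, and the same DER bytes are rejected by `openssl pkcs7` with the ASN1_CHECK_TLEN "wrong tag" error Stef quotes while `openssl cms` parses and verifies them. It assumes an openssl binary on PATH; the key, certificate and message are throwaways created in a temp dir.

```shell
#!/bin/sh
# Added example (not from the thread). A SignerInfo whose sid is the
# subjectKeyIdentifier [0] CHOICE is valid CMS (RFC 3852, CMSVersion 3)
# but not PKCS#7 (RFC 2315 only has issuerAndSerialNumber), so one and the
# same DER file is rejected by `openssl pkcs7` and accepted by `openssl cms`.
# Assumes an openssl binary on PATH; all files are throwaways in a temp dir.
set -eu

# Build a DER SignedData over a constructed message, signed by a fresh
# self-signed cert. -keyid makes cms -sign use the subjectKeyIdentifier form
# of sid, so the cert needs an SKID extension: openssl req -x509 adds one by
# default in OpenSSL 3 (older releases take it from the config's v3_ca).
make_skid_signed_data() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=skid-signer \
        -keyout "$dir/s.key" -out "$dir/s.crt" 2>/dev/null
    printf 'constructed sample content\n' >"$dir/msg.txt"
    openssl cms -sign -binary -nodetach -keyid -in "$dir/msg.txt" \
        -signer "$dir/s.crt" -inkey "$dir/s.key" -outform DER -out "$dir/sd.der"
    echo "$dir/sd.der"
}

# Exit 0 if the PKCS#7 parser accepts the file. On an SKID sid it fails with
# the ASN1_CHECK_TLEN "wrong tag" error quoted in the thread.
pkcs7_parses() { openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null; }

# Exit 0 if the CMS parser accepts the file and the signature verifies
# against the embedded signer cert (-noverify skips chain validation, since
# the throwaway self-signed cert is in no trust store; structure is the point).
cms_verifies() {
    openssl cms -verify -noverify -inform DER -in "$1" -out /dev/null 2>/dev/null
}

# Prints SKID or IAS depending on which sid form the parsed SignerInfo
# carries (read from the structure, not inferred from the version number).
sid_kind() {
    if openssl cms -cmsout -print -noout -inform DER -in "$1" 2>/dev/null |
        grep -q 'd\.subjectKeyIdentifier'; then echo SKID; else echo IAS; fi
}

# Stand-alone run: the verdicts side by side.
f=$(make_skid_signed_data)
echo "sid form: $(sid_kind "$f")"
pkcs7_parses "$f" && echo "pkcs7: accepted" || echo "pkcs7: rejected (wrong tag)"
cms_verifies "$f" && echo "cms: verified" || echo "cms: rejected"
rm -rf "$(dirname "$f")"
```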
Re: How to create SSLv3 certs
On 21-Mar-10, at 9:12 PM, Bejjam, Praveen wrote:
> Hi,
> Can you please let me know how to create SSLv3 certs using openSSL? I am able to create v2 certs but not v3 certs.

The version of the SSL protocol is completely independent from the version of X.509 of the certificates used during the exchanges of identity during the SSL handshake. I suggest you go back and read the relevant standards again.

Best Regards,
---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
Need help on: openssl pkcs12 --- avoid or in batch mode
Hi Dr Stephen Henson,

I really could not solve this issue and need your help. When I run

    openssl pkcs12 -in new.crt -inkey new.key -certfile .CA/cacert.pem -out new.p12 -export -name xx

it will prompt the user for:

    Enter Export Password:
    Verifying - Enter Export Password:

Is there any way I can manipulate or default or avoid those two prompts, since those prompts are useless here? I checked the pkcs12 command options and it seems there is no batch mode. I also tried using a wrapping script but that was no help either.

Thanks in advance.
John

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Saturday, March 20, 2010 2:21 PM
To: openssl-users@openssl.org
Subject: Re: Apache client certificate authentication

On Sat, Mar 20, 2010, Graham Leggett wrote:
> On 2010/03/20 6:55 PM, Nuno Gonçalves wrote:
> > Questions: Is it normal that firefox hangs when it doesn't have a valid certificate to provide? Openssl output looks OK? (or is the error in the end an exception?)
>
> I am not 100% sure of the details, but I do recall a hang being a symptom of using a client or a server that did not have the TLS renegotiation bug fixed along with a server or client that did.

The only known case is an OpenSSL client without secure renegotiation support (i.e. earlier than 0.9.8m) attempting to renegotiate with a server which does support renegotiation. If the server initiates renegotiation you don't get a hang.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Need help on: openssl pkcs12 --- avoid or in batch mode
Hi John,

I have already answered your question on the list two days ago. Here is what I wrote:

To avoid the password prompt, you can add the argument -password pass: to the command line. This will use an empty password for the PKCS12 file. For a non-empty value, for example 1234, use -password pass:1234 instead.

I hope this will help.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 3/22/2010 3:00 PM, John Chen wrote:
> Hi Dr Stephen Henson,
>
> I really could not solve this issue and need your help. When I run
>
>     openssl pkcs12 -in new.crt -inkey new.key -certfile .CA/cacert.pem -out new.p12 -export -name xx
>
> it will prompt the user for:
>
>     Enter Export Password:
>     Verifying - Enter Export Password:
>
> Is there any way I can manipulate or default or avoid those two prompts, since those prompts are useless here? I checked the pkcs12 command options and it seems there is no batch mode. I also tried using a wrapping script but that was no help either.
>
> Thanks in advance.
> John
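Mounir's answer as a batch-mode script, added here as an example that is not part of the thread: it exports John's cert/key/CA combination without the two prompts, and reads the export password from an environment variable (env:) rather than a literal pass:1234 so the secret does not end up in the process list or shell history. It assumes an openssl binary on PATH and builds throwaway certificates standing in for new.crt, new.key and cacert.pem.

```shell
#!/bin/sh
# Added example, not from the thread: export a PKCS#12 bundle without the two
# interactive "Enter Export Password" prompts. -password pass:... (Mounir's
# answer) works; here the password comes from an environment variable via
# env:, which keeps it out of `ps` output and shell history, unlike a literal
# on the command line. Assumes openssl on PATH.
set -eu

# Batch export: cert key cafile out friendly_name; password in $P12_PASS.
# -certfile bundles whatever certs are in the file without checking that they
# signed the cert (add -chain if you want openssl to build the chain itself).
p12_export() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -name "$5" -passout env:P12_PASS
}

# Parse the bundle with the password in $P12_PASS; exits non-zero when the
# MAC check fails (wrong password) or the file is corrupt. Prints nothing.
p12_check() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>/dev/null
}

# Round trip on throwaway self-signed certs (constructed here, standing in
# for the poster's new.crt/new.key/cacert.pem). Succeeds only if the right
# password opens the bundle and a wrong one is rejected.
p12_roundtrip() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo \
        -keyout "$dir/new.key" -out "$dir/new.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null || return 1
    P12_PASS=demo-secret; export P12_PASS
    p12_export "$dir/new.crt" "$dir/new.key" "$dir/cacert.pem" "$dir/new.p12" xx \
        || return 1
    p12_check "$dir/new.p12" || return 1
    P12_PASS=not-the-password
    ! p12_check "$dir/new.p12" || return 1
    rm -rf "$dir"
}

# Stand-alone run.
p12_roundtrip && echo "PKCS#12 batch export round trip OK"
```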
Re: Problems with SSL_shutdown() and non blocking socket
On Fri, Mar 12, 2010, Darryl Miles wrote:
>     int rc = SSL_shutdown(ssl);
>     /* BEGIN - INSERT THIS CODE AFTER EVERY SSL_shutdown() INVOCATION IN YOUR CODE */
>     if(rc == -1) {
>         int ssl_errno;
>         SSL_get_error(ssl, ssl_errno);
>         if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_WANT_WRITE)
>             rc = 0;
>     }
>     /* END - INSERT THIS CODE AFTER EVERY SSL_shutdown() INVOCATION IN YOUR CODE */
>
> With this the observable behavior that you got before should be consistent.

It should probably be

    ssl_errno = SSL_get_error(ssl, rc);

but even then I get SSL_ERROR_SYSCALL and errno=EBADF using sendmail 8, while previously it didn't complain about errors. So where is the error? In the application (if so: what is the correct handling of the new code?) or in OpenSSL 0.9.8m?