X509_STORE function to clear error
Hi,

What is the function to use to clear any error in X509_STORE_CTX?

Thanks,
Arun
RE: unable to build dynamic library on HP-UX RISC and Itanium
This is a suggested configuration. -D stands for preprocessor define.

/home/sambuild/OpenSSL ./config -h
Usage: config [options]
 -d Add a debug- prefix to machine choice.
 -t Test mode, do not run the Configure perl script.
 -h This help.

Any other text will be passed to the Configure perl script.
See INSTALL for instructions.

Operating system: 9000/800-hp-hpux1x
WARNING! If you wish to build 64-bit library then you have to
invoke './Configure hpux64-parisc2-cc' *manually*.
Configuring for hpux-parisc2-cc
/usr/bin/perl ./Configure hpux-parisc2-cc -D_REENTRANT
/home/sambuild/OpenSSL uname -a
HP-UX rndhp11i B.11.11 U 9000/800 192242760 unlimited-user license
/home/sambuild/OpenSSL

-----Original Message-----
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: Wednesday, June 02, 2010 4:32 PM
To: openssl-users@openssl.org
Cc: Alona Rossen
Subject: Re: unable to build dynamic library on HP-UX RISC and Itanium

On 6/2/2010 11:08 AM, Alona Rossen wrote:
> Building dynamic library on HP-UX fails despite I explicitly specify ‘shared’ as Configure argument:
> ./Configure hpux64-ia64-cc -D_REENTRANT shared

Why are you adding -D for _REENTRANT? I did a very similar build last week, no such problems, would you care to be more specific about which OpenSSL package you are configuring?
RE: unable to build dynamic library on HP-UX RISC and Itanium
Extra -DXXX does not hurt the preprocessor :-)

This is OpenSSL 0.9.8

-----Original Message-----
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: June 2, 2010 5:11 PM
To: Alona Rossen
Cc: openssl-users@openssl.org
Subject: Re: unable to build dynamic library on HP-UX RISC and Itanium

On 6/2/2010 4:04 PM, Alona Rossen wrote:
> This is a suggested configuration. -D stands for preprocessor define.

The reason I ask is that the entries in Configure should provide the necessary defines, and if not, that is a bug. As it was 'suggested', we'll just presume things are fine w/w-o it.

You still failed to identify the openssl package you were configuring, which doesn't give anyone much to go on, especially those who are in some position to look at the problem.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Detect CRL format
Hi,

Given a CRL file, how to detect its format, whether it is in PEM encoded format or ASN1?

Thanks,
Arun
Re: Detect CRL format
Hi,

One simple and efficient method to distinguish between PEM and DER encoding for a CRL or a certificate is to read the first byte: if it's equal to 0x30 then this is DER (this is the start of an ASN.1 Sequence), otherwise it is PEM encoded.
This works ONLY if you are sure that the given file is either PEM or DER encoded and that the encoded object is an ASN.1 Sequence.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 6/3/2010 10:48 AM, Arunkumar Manickam wrote:
> Hi,
>
> Given a CRL file, how to detect its format, whether it is in PEM encoded format or ASN1?
>
> Thanks,
> Arun
RE: self-signed SSL certificates and trusted root certificate
--- On Wed, 6/2/10, Eisenacher, Patrick patrick.eisenac...@bdr.de wrote:

> > -----Original Message-----
> > From: Vieri
> >
> > --- On Tue, 6/1/10, Dave Thompson wrote:
> >
> > > CN doesn't need to be hostname or domainname for a CA cert. Technically not required on entity cert either, but on WWW most parties do want/like entity's CN to be domainname.
> >
> > How does one issue a cert for multiple CN? Suppose I have just one HTTP server but it can be accessed via multiple FQDN... I suppose I need to use subjectAltName?
>
> Subject alternative name is one possibility. If you need a cert for several hosts/hostnames belonging to the same domain, a wildcard CN comes to mind as well, eg. *.domain.com.

Hi again,

I must be making a silly mistake. I set this up in openssl.cnf:

subjectAltName=dirName:dir_sect2

[dir_sect1]
C=COUNTRY
O=Org name
OU=Org Unit name
CN=www.mydomain1.org

[dir_sect2]
C=COUNTRY
O=Org name
OU=Org Unit name
CN=www.mydomain2.org

and when I sign a server certificate I get the following error:

X509v3 Subject Alternative Name:
    DirName:/C=COUNTRY/O=Org name/OU=Org Unit name/CN=www.mydomain2.org
Certificate is to be certified until Jun 2 10:21:14 2015 GMT (1825 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

If I don't define subjectAltName in openssl.cnf, all's fine.

What does the TXT_DB error number 2 message mean? Is the format incorrect?

Vieri
Re: Detect CRL format
On Thu, Jun 03, 2010, Mounir IDRASSI wrote:

> Hi,
>
> One simple and efficient method to distinguish between PEM and DER encoding for a CRL or a certificate is to read the first byte: if it's equal to 0x30 then this is DER (this is the start of an ASN.1 Sequence), otherwise it is PEM encoded.
> This works ONLY if you are sure that the given file is either PEM or DER encoded and that the encoded object is an ASN.1 Sequence.

Since the 0x30 byte corresponds to the ASCII character '0' there is a slight chance this will fail if the file is PEM format and contains text before the PEM headers. This can be further reduced by checking the length field following the SEQUENCE tag.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
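The first-byte test with the length-field check suggested above, written out as an added example in C (not code from this thread or from OpenSSL). The names `detect_encoding`, `der_seq_header` and `has_pem_header` and the sample buffers are constructed for illustration; the sketch assumes the whole file is in memory and that a DER file holds exactly one object with no trailing bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { ENC_UNKNOWN = 0, ENC_DER, ENC_PEM } encoding_t;

/* Decode the SEQUENCE header at the start of buf. Returns 1 and sets hdr
 * (tag plus length octets) and content (declared body length) only for a
 * definite, minimally encoded DER length; returns 0 otherwise. */
static int der_seq_header(const unsigned char *buf, size_t len,
                          size_t *hdr, size_t *content)
{
    size_t n, i, v = 0;

    if (len < 2 || buf[0] != 0x30)      /* 0x30: SEQUENCE tag, also ASCII '0' */
        return 0;
    if (buf[1] < 0x80) {                /* short form: one length octet */
        *hdr = 2;
        *content = buf[1];
        return 1;
    }
    n = buf[1] & 0x7f;                  /* long form: n length octets follow */
    if (n == 0 || n > 4 || len < 2 + n) /* indefinite, too long, or truncated */
        return 0;
    if (buf[2] == 0)                    /* leading zero octet is not DER */
        return 0;
    for (i = 0; i < n; i++)
        v = (v << 8) | buf[2 + i];
    if (v < 0x80)                       /* short form was required */
        return 0;
    *hdr = 2 + n;
    *content = v;
    return 1;
}

/* Return 1 if "-----BEGIN " starts any line of buf. */
static int has_pem_header(const unsigned char *buf, size_t len)
{
    static const char marker[] = "-----BEGIN ";
    const size_t mlen = sizeof(marker) - 1;
    size_t i;

    for (i = 0; i + mlen <= len; i++)
        if ((i == 0 || buf[i - 1] == '\n') &&
            memcmp(buf + i, marker, mlen) == 0)
            return 1;
    return 0;
}

/* Classify a whole file held in memory (len is the file size). */
encoding_t detect_encoding(const unsigned char *buf, size_t len)
{
    size_t hdr, content;

    /* DER only if the declared length accounts for every byte of the file. */
    if (der_seq_header(buf, len, &hdr, &content) && content == len - hdr)
        return ENC_DER;
    if (has_pem_header(buf, len))
        return ENC_PEM;
    return ENC_UNKNOWN;
}

/* Constructed sample inputs; none of them is a real CRL. */
static const unsigned char der_sample[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const char pem_sample[] =
    "-----BEGIN X509 CRL-----\nMAA=\n-----END X509 CRL-----\n";
static const char pem_text_sample[] =   /* PEM preceded by text starting '0' */
    "0 issued by test CA\n"
    "-----BEGIN X509 CRL-----\nMAA=\n-----END X509 CRL-----\n";

int main(void)
{
    static const char *names[] = { "unknown", "DER", "PEM" };

    printf("der_sample:      %s\n",
           names[detect_encoding(der_sample, sizeof der_sample)]);
    printf("pem_sample:      %s\n",
           names[detect_encoding((const unsigned char *)pem_sample,
                                 strlen(pem_sample))]);
    printf("pem_text_sample: %s\n",
           names[detect_encoding((const unsigned char *)pem_text_sample,
                                 strlen(pem_text_sample))]);
    return 0;
}
```

A file that fails both tests is reported as unknown rather than defaulting to PEM, so the caller can reject it instead of handing it to a parser.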
Re: Detect CRL format
Thanks!

On Thu, Jun 3, 2010 at 4:54 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Thu, Jun 03, 2010, Mounir IDRASSI wrote:
>
> > Hi,
> >
> > One simple and efficient method to distinguish between PEM and DER encoding for a CRL or a certificate is to read the first byte: if it's equal to 0x30 then this is DER (this is the start of an ASN.1 Sequence), otherwise it is PEM encoded.
> > This works ONLY if you are sure that the given file is either PEM or DER encoded and that the encoded object is an ASN.1 Sequence.
>
> Since the 0x30 byte corresponds to the ASCII character '0' there is a slight chance this will fail if the file is PEM format and contains text before the PEM headers. This can be further reduced by checking the length field following the SEQUENCE tag.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
get_crl callback
Hi,

Is setting X509_STORE_CTX->get_crl to my-call-back-function a right way of getting a call back to load the crl for the X509 certificate?

Thanks,
Arun
NameConstraints are not being applied (or I don't know how to enforce them?)
I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests adhering to and violating the name constraints both, even though the nameConstraints are marked as critical.

Is this OpenSSL misbehaving or did I miss something when creating the sub-CA certificate or issuing the user certificate?

thanks/jeff

openssl.cnf lines for Root CA when issued the sub-CA's certificate:

...
nameConstraints = critical,@name_const_section

[ name_const_section ]
excluded;dirName=excluded_DN
permitted;dirName=permitted_DN

[ excluded_DN ]
O=bad

[ permitted_DN ]
O=good

Print out of the sub-CA's cert (trustedcacert.pem):

Certificate Details:
    Serial Number: 22 (0x16)
    Validity
        Not Before: Jun 3 13:13:36 2010 GMT
        Not After : Jun 3 13:13:36 2011 GMT
    Subject:
        countryName = US
        stateOrProvinceName = NY
        organizationName = AcmeCorp
        commonName= AcmeCorp
    X509v3 extensions:
        ...
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Name Constraints: critical
            Permitted:
              DirName: O = good
            Excluded:
              DirName: O = bad

Commands issued to create CSRs and sign them with the sub-CA's cert:

# signing the good cert req
openssl req -new -newkey rsa:2048 -nodes -keyout goodkey.pem \
    -sha256 -subj /O=good+CN=Good\/Instance -multivalue-rdn \
    > goodcsr.pem
openssl x509 -CA trustedcacert.pem -CAkey trustedcakey.pem \
    -days 365 -req -in goodcsr.pem -set_serial 2 -out goodcert.pem

# signing the bad cert req
openssl req -new -newkey rsa:2048 -nodes -keyout badkey.pem \
    -sha256 -subj /O=bad+CN=Bad\/Instance -multivalue-rdn \
    > badcsr.pem
openssl x509 -CA trustedcacert.pem -CAkey trustedcakey.pem \
    -days 365 -req -in badcsr.pem -set_serial 3 -out badcert.pem

Print out of the created badcert.pem:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NY, O=AcmeCorp, CN=AcmeCorp
        Validity
            Not Before: Jun 3 13:13:38 2010 GMT
            Not After : Jun 3 13:13:38 2011 GMT
        Subject: O=bad, CN=Bad/Instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010, jeff wrote:

> I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests adhering to and violating the name constraints both, even though the nameConstraints are marked as critical.
>
> Is this OpenSSL misbehaving or did I miss something when creating the sub-CA certificate or issuing the user certificate?
>
> thanks/jeff

This would be much easier to test if you'd attached all the relevant certificates and how you are testing them.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: unable to build dynamic library on HP-UX RISC and Itanium
That's a long-superseded OpenSSL release from 5 years ago; it's unlikely that anyone will be able to remember issues building for HP-UX on IA64 with that release, especially when they're required to guess or mind-read most of what you're doing and what problem you're seeing.

In another message you show output from a PA-RISC system running HP-UX 11i v1, but you're trying to build for IA64. Are you using a cross-build system of some sort?

I recommend understanding and applying http://www.catb.org/~esr/faqs/smart-questions.html before going further.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Alona Rossen
Sent: Wednesday, June 02, 2010 10:20 PM
To: William A. Rowe Jr.
Cc: openssl-users@openssl.org
Subject: RE: unable to build dynamic library on HP-UX RISC and Itanium

Extra -DXXX does not hurt the preprocessor :-)

This is OpenSSL 0.9.8

-----Original Message-----
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: June 2, 2010 5:11 PM
To: Alona Rossen
Cc: openssl-users@openssl.org
Subject: Re: unable to build dynamic library on HP-UX RISC and Itanium

On 6/2/2010 4:04 PM, Alona Rossen wrote:
> This is a suggested configuration. -D stands for preprocessor define.

The reason I ask is that the entries in Configure should provide the necessary defines, and if not, that is a bug. As it was 'suggested', we'll just presume things are fine w/w-o it.

You still failed to identify the openssl package you were configuring, which doesn't give anyone much to go on, especially those who are in some position to look at the problem.
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010 at 09:36:56AM -0400, jeff wrote:

> I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests adhering to and violating the name constraints both, even though the nameConstraints are marked as critical.

I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates.

Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications. Does OpenSSL trust chain validation include any checks on name constraints?

--
Viktor.
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010, Victor Duchovni wrote:

> Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications. Does OpenSSL trust chain validation include any checks on name constraints?

OpenSSL 1.0.0 does, sufficient to cover the PKITS RFC3280 tests.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:

> > I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates.
>
> Yes I later tried to verify and I still got no complaints.

As I said, the verify command only checks the trust chain, peer name verification, is not in scope.

> > Does OpenSSL trust chain validation include any checks on name constraints?
>
> If there is an additional step that i need to apply for this verification to happen then i don't know that and I'd appreciate if you detailing that please. thanks.

New code to support name constraints appears to be in OpenSSL 1.0.0. I don't believe this is present in any 0.9.x versions. Which version of OpenSSL are you using?

--
Viktor.
Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On 3 June 2010, Victor Duchovni wrote:

> On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
>
> > > I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates.
> >
> > Yes I later tried to verify and I still got no complaints.
>
> As I said, the verify command only checks the trust chain, peer name verification, is not in scope.

It could fail to validate the chain, given the fact that the extension is set critical, and not handled, even if recognized.

--
Erwann ABALEA erwann.aba...@keynectis.com
-
When birds fly in the right formation, they need only exert half the effort. Even in nature, teamwork results in collective laziness.
Demotivators, 2001 calendar
Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:

> On 3 June 2010, Victor Duchovni wrote:
> > On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> >
> > > > I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates.
> > >
> > > Yes I later tried to verify and I still got no complaints.
> >
> > As I said, the verify command only checks the trust chain, peer name verification, is not in scope.
>
> It could fail to validate the chain, given the fact that the extension is set critical, and not handled, even if recognized.

This is what the 1.0.0 version in fact does, but it also (as I just learned) supports name constraints. The 0.9.8 version of the verify(1) command-line utility does not check critical extensions:

    if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;

The API raises the error, but verify(1) does not report it. In 1.0.0 there is a new command-line switch to ignore critical extensions.

--
Viktor.
trying to send an unsigned cms
the code below works fine if signed = true. If signed = false, i2d_CMS_bio_stream seg faults.
I've looked through the code inside CMS_sign and didn't see anything else obvious that I should call.
any suggestions on what I'm missing for an unsigned CMS?

--
Chris Bare
ch...@bareflix.com
Re: trying to send an unsigned cms
On Thu, Jun 03, 2010, Chris Bare wrote:

> the code below works fine if signed = true. If signed = false, i2d_CMS_bio_stream seg faults.
> I've looked through the code inside CMS_sign and didn't see anything else obvious that I should call.
> any suggestions on what I'm missing for an unsigned CMS?

Depends on what you mean by an unsigned CMS. A CMS signedData structure without signatures is normally just used to send certificates and not include any content.

If you want a CMS structure that sends data only you need the data type. You can create one using CMS_data_create(). It's not currently documented but the cms utility uses it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010, Victor Duchovni wrote:

> On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:
>
> > On 3 June 2010, Victor Duchovni wrote:
> > > On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> > >
> > > > > I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates.
> > > >
> > > > Yes I later tried to verify and I still got no complaints.
> > >
> > > As I said, the verify command only checks the trust chain, peer name verification, is not in scope.
> >
> > It could fail to validate the chain, given the fact that the extension is set critical, and not handled, even if recognized.
>
> This is what the 1.0.0 version in fact does, but it also (as I just learned) supports name constraints. The 0.9.8 version of the verify(1) command-line utility does not check critical extensions:
>
>     if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
>
> The API raises the error, but verify(1) does not report it. In 1.0.0 there is a new command-line switch to ignore critical extensions.

The verify utility is designed to continue where possible for debugging purposes. It should report the error via the callback and carry on.

OpenSSL 0.9.8 also includes an option to ignore critical extensions: -ignore_critical

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote:

> Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications.

Which is a shame... I'm far too stupid to be writing code like http://git.infradead.org/users/dwmw2/openconnect.git?a=blob;f=ssl.c;hp=v2.25#l436 for myself, and I would much rather have used a library function ;)

--
dwmw2
RE: self-signed SSL certificates and trusted root certificate
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
> Sent: Wednesday, 02 June, 2010 03:48

> > Amazingly IE7 on testing likes even CA:false, which is crazy.
>
> What store did the cert get put in? Was it the Trusted Root Certification Authorities? If you let Windows automatically select the store, it most likely went in Personal.

I did automatic and it went in TrustedRoot. I can also do TrustedRoot, or IntermediateCA or OtherPeople, manually. However, I only checked that it appears in the store. When I try a connection using it, as Vieri indicates, I get a generic cannot display page -- not the slightly-more-specific-if-you-look-carefully security page, and s_server logged successful completion of the handshake.

If I try to import to Personal, it popups 'import successful' but nothing appears in the list, which makes sense to me, because AIUI Personal is own credentials which must be cert *plus privatekey*. Importing a PKCS12 containing v1 cert plus privkey to Personal works, and a (subsequent) connection using that entry works. (My current EE certs are v1 and I didn't bother reissuing.)
RE: self-signed SSL certificates and trusted root certificate
> From: owner-openssl-us...@openssl.org On Behalf Of Vieri
> Sent: Thursday, 03 June, 2010 06:42
> To: openssl-users@openssl.org
> Subject: RE: self-signed SSL certificates and trusted root certificate

> > > How does one issue a cert for multiple CN?
> >
> > Subject alternative name is one possibility. ...
>
> I must be making a silly mistake. I set this up in openssl.cnf:
>
> subjectAltName=dirName:dir_sect2
>
> and when I sign a server certificate I get the following error:
>
> Sign the certificate? [y/n]:y
> failed to update database
> TXT_DB error number 2
>
> If I don't define subjectAltName in openssl.cnf, all's fine.
>
> What does the TXT_DB error number 2 message mean? Is the format incorrect?

I'd be very surprised if this is due to SAN; I suspect you've coincidentally done something else.

Specifically: txt_db error 2 is TXT_DB_INDEX_CLASH. The indexes are on serial, and on subject_name if unique_subject is set which has been the default since early 0.9.8 as I recall. There is an explicit check that is clearly intended to catch duplicate subject_name and give a more specific explanation, but it appears to be broken (row[DB_name] isn't set at the point the get_by_index() is attempted, only much later).

So if you try to issue two certs for the same subjectname with 'ca', unless you have initialized your 'database' (index.txt and index.txt.attr) with unique_subject=no, you get this unfortunately cryptic error.
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Fri, Jun 04, 2010 at 01:19:52AM +0100, David Woodhouse wrote:

> On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote:
> > Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications.
>
> Which is a shame... I'm far too stupid to be writing code like http://git.infradead.org/users/dwmw2/openconnect.git?a=blob;f=ssl.c;hp=v2.25#l436 for myself, and I would much rather have used a library function ;)

The problem is that only the application knows which names are those of the peer it tried to reach. The OpenSSL library is not an HTTPS client, or an SMTP STARTTLS client, ...

Which is not to say that peername extraction is made as easy as it could be, but ultimately some of the magic has to happen in application (or application library) code.

--
Viktor.
The question about the Apache SSL
Hello,

I have a question about the apache SSL, please help me. Thanks. (httpd-2.2.15-win32-x86-openssl-0.9.8m-r2.msi)

Operation:

1. I made a SSL certification files by myself, and start the openssl s_server;
   OpenSSL s_server -cert server.pem -key server_nokey.pem -accept -state -debug
2. Input the words in IE address bar;
   https://localhost:/

Question:

SSL_accept:SSLv3 write certificate A
write to 0xa778c8 [0xa8ed20] (9 bytes = 9 (0x9))
- 16 03 01 00 04 0e ..
0009 - SPACES/NULS

I think the data from server is not the certification, but the key exchange. Why?
If I want to send the certificate, what I should to do?

Thanks a lot.

The server side log is as following:

OpenSSL s_server -cert server.pem -key server_nokey.pem -accept -state -debug
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
SSL_accept:before/accept initialization
read from 0xa778c8 [0xa84bc8] (11 bytes = 11 (0xB))
- 16 03 01 00 61 01 00 00-5d 03 01 a...]..
read from 0xa778c8 [0xa84bd3] (91 bytes = 91 (0x5B))
- 4c 07 28 f1 fb 1a 4d 94-97 a4 31 5f 4e 1c 44 4c L.(...M...1_N.DL
0010 - 40 7f 0a ff 62 9b 27 d3-f4 91 95 dd f6 83 c2 0a @...b.'.
0020 - 20 ea a0 5c 95 60 0c 13-50 75 5c ad 56 ee f4 81..\.`..Pu\.V...
0030 - 82 1c 1b b4 3b 35 27 7e-1b da 7e d6 b2 37 ef 96 ;5'~..~..7..
0040 - 1b 00 16 00 04 00 05 00-0a 00 09 00 64 00 62 00 d.b.
0050 - 03 00 06 00 13 00 12 00-63 01 c.
005b - SPACES/NULS
SSL_accept:SSLv3 read client hello A
write to 0xa778c8 [0xa8ed20] (79 bytes = 79 (0x4F))
- 16 03 01 00 4a 02 00 00-46 03 01 4c 07 28 f1 93 J...F..L.(..
0010 - 4a ec f6 ef ec 06 23 f6-a7 87 33 3b 1e d9 8c 19 J.#...3;
0020 - 55 63 50 d8 c9 52 a5 88-3e f6 63 20 86 6f b0 93 UcP..R...c .o..
0030 - 70 36 32 a1 f1 92 6e 02-80 f6 27 a7 65 33 48 b1 p62...n...'.e3H.
0040 - 7a 6b c1 b5 2b 9e 93 b9-8e 56 37 47 00 04 zk..+V7G..
004f - SPACES/NULS
SSL_accept:SSLv3 write server hello A
write to 0xa778c8 [0xa8ed20] (769 bytes = 769 (0x301))
SSL_accept:SSLv3 write certificate A
write to 0xa778c8 [0xa8ed20] (9 bytes = 9 (0x9))
- 16 03 01 00 04 0e ..
0009 - SPACES/NULS
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
read from 0xa778c8 [0xa84bc8] (5 bytes = 5 (0x5))