Re: Slow crypto initialization.
Don't be sorry, this is great work!! I'm glad the culprit has been found (and fixed)! BTW: To help the OpenSSL core team help track and fix this, it would be good to submit your message + patch to r...@openssl.org so it ends up as an issue ticket in the tracker and this material does not disappear off the horizon of an ever progressing discussion list. A reference to this email thread in the RT would be handy, e.g.: http://www.bluequartz.us/phpBB2/viewtopic.php?t=131309 (the entire thread is easily viewable as a set of forum messages there, so one page carries all) On Fri, Jul 2, 2010 at 9:13 PM, Jake Goulding gould...@vivisimo.com wrote: -- Met vriendelijke groeten / Best regards, Ger Hobbelt -- web:http://www.hobbelt.com/ http://www.hebbut.net/ mail: g...@hobbelt.com mobile: +31-6-11 120 978 --
Re: Compiling a native code using DES
Hi, libcrypto is enough for basic cryptographic operations like encryption/decryption with DES, AES, ...etc Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr Hello all, I have a C Code which is making use of DES.h in a JNI Environment. I wanted to know if compiling this code with libcrypto will be enough or it will need libssl as well? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: verify certificate in c
Hi,
Just add a call to *OpenSSL_add_all_algorithms* at the beginning of your
main and the certificate verification will be OK.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
Hi, I'm a newbie user of OpenSSL.
I want to create a simple C program that verify a certificate chain like
this:
rootCA-CA-A-client
i found this example on the internet that should work for two consecutive
certificate (but it doesn't work for me); i don't known how to create the
chain...
[code]
#include openssl/pem.h
#include openssl/x509_vfy.h
#include openssl/x509.h
#include openssl/ssl.h
#include openssl/x509v3.h
int main(int argc,char **argv)
{
int i;
FILE *fp;
X509 * cert;
X509_STORE_CTX csc;
char *strerr;
fp = fopen (ca-a-cert.pem, r);
cert = PEM_read_X509 (fp, NULL, NULL, NULL);
X509_STORE *ctx=NULL;
ctx=X509_STORE_new();
X509_STORE_load_locations(ctx, cacert.pem, ./);
X509_STORE_set_default_paths(ctx);
X509_STORE_CTX_init(csc,ctx,cert,NULL);
if (X509_verify_cert(csc) != 1) {
strerr = (char *) X509_verify_cert_error_string(csc.error);
printf(Verification error: %s\n, strerr);
return 1;
}
X509_STORE_CTX_cleanup(csc);
}
[/code]
the output is: Verification error: certificate signature failure
cacert.pem is the certificate of the rootCA, whereas ca-a-cert.pem is
the CA-A cert.
the certificate are good because i verify it by the bash command: openssl
verify -CAfile cacert.pem ca-a-cert.pem
with output:
ca-a-cert.pem: OK
any suggestion?
p.s. sorry for my bad English :)
--
View this message in context:
http://old.nabble.com/verify-certificate-in-c-tp29043989p29043989.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Compiling a native code using DES
Thanks a lot Mounir :-) On Sat, Jul 3, 2010 at 2:57 PM, Mounir IDRASSI mounir.idra...@idrix.netwrote: Hi, libcrypto is enough for basic cryptographic operations like encryption/decryption with DES, AES, ...etc Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr Hello all, I have a C Code which is making use of DES.h in a JNI Environment. I wanted to know if compiling this code with libcrypto will be enough or it will need libssl as well? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Large CRL Handling Problem
I have written a FIPS-1.1.2 compliant (OpenSSL 0.9.7m) application that
validates certificates that are read in from files. It also loads the CA
certificates and corresponding CRLs from files. I am trying to determine
any limitations with loading large CRLs (~200-250 MB) and to characterize
the resulting performance. I did not have any problem using CRLs that are
~~100MB in size or smaller. However with the ~200MB CRL, I get the following
error,
1418976:error:0D078064:asn1 encoding routines:ASN1_ITEM_EX_D2I:aux
error:tasn_dec.c:407:Type=X509_CRL_INFO
1418976:error:0D08303A:asn1 encoding routines:ANS1_TEMPLATE_D2I:nested asn1
error:tasn_dec.c:567:Field=crl, Type=X509_CRL
1418976:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:
This error occurs in a function similar (extraneous stuff has been removed)
to the readX509CRL() function below. The OpenSSL function PEM_read_X509_CRL()
returns an error
int readX509Crl(const std::string crlPath, X509_CRL **crl) {
int result = 0;
X509_CRL* tempCrl = 0;
FILE* crlFp = 0;
// Open CRL file
crlFp = fopen(crlPath.c_str(), r);
//If the certificate file opens correctly
if (crlFp) {
//If the PEM encoded file is read correctly
if (PEM_read_X509_CRL(crlFp, tempCrl, 0, 0)) {
//Set return parameter
*crl = tempCrl;
result = 1;
} else {
result = 0;
//Make sure nothing is returned
*crl = 0;
//If the certificate memory is allocated, free it
if (tempCrl) {
X509_CRL_free(tempCrl);
tempCrl = 0;
}
}
} else {
result = 0;
//Make sure nothing is returned
*crl = 0;
}
//If the file was opened, close it
if (crlFp) {
fclose(crlFp);
}
return result;
}
The certificates and ~200MB CRL in question are all validated successfully
using the OpenSSL command line
openssl verify -CAfile cafile -crl_check certificates
What could possibly be the problem with using large CRLs in my application?
How can I go about troubleshooting this further. Thanks for any help.
-Ryan Smith
Re: verify certificate in c
Damn! how can be possible that in the official openssl documentation there's nothing about this OpenSSL_add_all_algorithms()?!?!?!? that documentation sucks a lot! anyway thanks :) -- View this message in context: http://old.nabble.com/verify-certificate-in-c-tp29043989p29063450.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: verify certificate in c
On Sat, Jul 03, 2010, belo wrote: Damn! how can be possible that in the official openssl documentation there's nothing about this OpenSSL_add_all_algorithms()?!?!?!? http://www.openssl.org/support/faq.html#PROG8 Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: verify certificate in c
On Sat July 3 2010, Dr. Stephen Henson wrote: On Sat, Jul 03, 2010, belo wrote: Damn! how can be possible that in the official openssl documentation there's nothing about this OpenSSL_add_all_algorithms()?!?!?!? http://www.openssl.org/support/faq.html#PROG8 The OP does have a point - That faq says: see the openssl manual - I just typed in: man openssl and there is no mention of OpenSSL_add_all_algorithms. How about a fag#8.5 ? - By openssl manual we mean here: _ _ _ _ Note: In case this has changed with openssl versions - I am looking at 0.9.8g which is the version currently provided by the Debian/Stable (Lenny) distribution. Mike Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
key usage for certificates
Hi all, sorry for my bad english i'm don't speak very well. I subscribed here because i have a probably easy question for you. All is in the title. The fact is the notion of keyUsage in signed certficate is very hazy for me right now. Someone told me its purpose is just to legally protect the issuer but softwares can easilly overstep this statements. I mean there is no physical boundaries of what a sofware can do no matter what statement is declared in the certificate. Is that right? Secondly i can't figure out what's the difference between each option and when we use this and not this one. Can someone explain me what's the purpose of each declaration. From what i've read right now (RFC and google), i think there are some options wich include others. For example includes the keyencipherment statement am i wrong? Let's imagin a software which scrupulously follow the statements in the certificate about the key usage. KeyEncipherment. I presume this soft can encrypt a key but can't encrypt other things than that, like the conversation itself or other things like the digest messages in the handshake right? DigitalSignature. It can sign anything. Which i have understand encipher anything. Include Key. But i must be wrong otherwise why should we declare the keyencipherment statement in a server case? :confused: KeyAgreement. I can't really understand what's is its purpose. Is this for the SSL (RSA?) protocole? Because I IMAGINED that this is for the handshake of this protocole (or anything eslse which lead to this kind of... key agreement :-/. So if this is right this one include the keyencipherment and the digitalsignature (for the diggest). KeyCertSign (wich include the keyencipherment only if i ain't wrong), nonRepudiation, EncipherOnly and DecipherOnly had been successfully acquired i think. The remained(ing?) confusion comes from the three statement quoted above. I would be very indebted to the one who can explain me those notions. Even if it's a brief debbuging!! :wistle: Since it's not a physical constraint every tests i can make would not be revealing at all so everything i can learn from is reading and i did'nt find sufficient explanations in the RFC. Thanks in advance to the :super: who will reply my questions and for granting (?) your time. -- View this message in context: http://old.nabble.com/key-usage-for-certificates-tp29064705p29064705.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Unable to set PSK ciphers for DTLS on Federa 13
I am unable to set the cipher PSK-AES128-CBC-SHA for my DTLS client code, even though its displayed when I run openssl ciphers command. I can also set this cipher without any problem when I run openssl s_client test tool. I get the following error during handshake : error:140F80B5:SSL routines:DTLS1_CLIENT_HELLO:no ciphers available:d1_clnt.c:67 Relevant code snippet: SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); char * cipher =PSK-AES128-CBC-SHA; SSL_CTX_set_cipher_list(dtls_ctx,cipher); I also noticed that if I set my cipher to DEFAULT and run it against openssl s_server supporting only PSK-AES128-CBC-SHA, I get this error in the server: :no shared cipher:s3_srvr.c: Indeed, looking at the handshake in wireshark, I noted that PSK-AES128-CBC-SHA is not being offered by my client, even though openssl ciphers -v DEFAULT shows it in the list. I think I am doing something fundamentaly wrong, but have no idea where to look. Any ideas to troubleshoot? Here is some info about my environment: OS : [lind...@fedora2 ~]$uname -a Linux fedora2.localdomain 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686 i386 GNU/Linux OpenSSL: [lind...@fedora2 ~]$ openssl version OpenSSL 1.0.0-fips 29 Mar 2010 [lind...@fedora2 ~]$ openssl ciphers -v PSK PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1 PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1 PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1 PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 [lind...@fedora2 ~]$ openssl ciphers DEFAULT DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5 Regards, Lindani
Optional Verification of Signature and Date..
Hi, I am a newbie user of openssl, and am using openssl C apis to verify certificates. Is there any way by which I can ignore the date verificationa and the signature verification? Thanks in advance. Regds, Ashok
