Re: Slow crypto initialization.
Don't be sorry, this is great work!! I'm glad the culprit has been found (and fixed)!

BTW: To help the OpenSSL core team help track and fix this, it would be good to submit your message + patch to r...@openssl.org so it ends up as an issue ticket in the tracker and this material does not disappear off the horizon of an ever progressing discussion list.

A reference to this email thread in the RT would be handy, e.g.:
http://www.bluequartz.us/phpBB2/viewtopic.php?t=131309
(the entire thread is easily viewable as a set of forum messages there, so one page carries all)

On Fri, Jul 2, 2010 at 9:13 PM, Jake Goulding gould...@vivisimo.com wrote:

--
Met vriendelijke groeten / Best regards,
Ger Hobbelt

web: http://www.hobbelt.com/ http://www.hebbut.net/
mail: g...@hobbelt.com
mobile: +31-6-11 120 978
Re: Compiling a native code using DES
Hi,

libcrypto is enough for basic cryptographic operations like encryption/decryption with DES, AES, etc.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

> Hello all,
>
> I have a C code which is making use of DES.h in a JNI environment. I wanted to know if compiling this code with libcrypto will be enough or it will need libssl as well?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: verify certificate in c
Hi,

Just add a call to *OpenSSL_add_all_algorithms* at the beginning of your main and the certificate verification will be OK.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

> Hi,
> I'm a newbie user of OpenSSL.
> I want to create a simple C program that verifies a certificate chain like this:
> rootCA-CA-A-client
>
> I found this example on the internet that should work for two consecutive certificates (but it doesn't work for me); I don't know how to create the chain...
>
> [code]
> #include <stdio.h>
> #include <openssl/pem.h>
> #include <openssl/x509_vfy.h>
> #include <openssl/x509.h>
> #include <openssl/ssl.h>
> #include <openssl/x509v3.h>
>
> int main(int argc, char **argv)
> {
>     int i;
>     FILE *fp;
>     X509 *cert;
>     X509_STORE_CTX csc;
>     char *strerr;
>
>     /* Certificate to verify (CA-A) */
>     fp = fopen("ca-a-cert.pem", "r");
>     if (fp == NULL)
>         return 1;
>     cert = PEM_read_X509(fp, NULL, NULL, NULL);
>     fclose(fp);
>     if (cert == NULL)
>         return 1;
>
>     /* Trust store holding the root CA */
>     X509_STORE *ctx = NULL;
>     ctx = X509_STORE_new();
>     X509_STORE_load_locations(ctx, "cacert.pem", "./");
>     X509_STORE_set_default_paths(ctx);
>
>     X509_STORE_CTX_init(&csc, ctx, cert, NULL);
>     if (X509_verify_cert(&csc) != 1) {
>         strerr = (char *) X509_verify_cert_error_string(csc.error);
>         printf("Verification error: %s\n", strerr);
>         return 1;
>     }
>     X509_STORE_CTX_cleanup(&csc);
>     return 0;
> }
> [/code]
>
> The output is:
> Verification error: certificate signature failure
>
> cacert.pem is the certificate of the rootCA, whereas ca-a-cert.pem is the CA-A cert.
> The certificates are good because I verified them with the bash command:
> openssl verify -CAfile cacert.pem ca-a-cert.pem
> with output:
> ca-a-cert.pem: OK
>
> Any suggestion?
>
> p.s. sorry for my bad English :)
> --
> View this message in context: http://old.nabble.com/verify-certificate-in-c-tp29043989p29043989.html
Re: Compiling a native code using DES
Thanks a lot Mounir :-)

On Sat, Jul 3, 2010 at 2:57 PM, Mounir IDRASSI mounir.idra...@idrix.net wrote:

> Hi,
>
> libcrypto is enough for basic cryptographic operations like encryption/decryption with DES, AES, etc.
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> > Hello all,
> >
> > I have a C code which is making use of DES.h in a JNI environment. I wanted to know if compiling this code with libcrypto will be enough or it will need libssl as well?
Large CRL Handling Problem
I have written a FIPS-1.1.2 compliant (OpenSSL 0.9.7m) application that validates certificates that are read in from files. It also loads the CA certificates and corresponding CRLs from files. I am trying to determine any limitations with loading large CRLs (~200-250 MB) and to characterize the resulting performance.

I did not have any problem using CRLs that are ~100MB in size or smaller. However with the ~200MB CRL, I get the following error:

    1418976:error:0D078064:asn1 encoding routines:ASN1_ITEM_EX_D2I:aux error:tasn_dec.c:407:Type=X509_CRL_INFO
    1418976:error:0D08303A:asn1 encoding routines:ANS1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:567:Field=crl, Type=X509_CRL
    1418976:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:

This error occurs in a function similar (extraneous stuff has been removed) to the readX509Crl() function below. The OpenSSL function PEM_read_X509_CRL() returns an error.

    #include <cstdio>
    #include <string>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    int readX509Crl(const std::string &crlPath, X509_CRL **crl)
    {
        int result = 0;
        X509_CRL* tempCrl = 0;
        FILE* crlFp = 0;

        // Open CRL file
        crlFp = fopen(crlPath.c_str(), "r");

        // If the certificate file opens correctly
        if (crlFp)
        {
            // If the PEM encoded file is read correctly
            if (PEM_read_X509_CRL(crlFp, &tempCrl, 0, 0))
            {
                // Set return parameter
                *crl = tempCrl;
                result = 1;
            }
            else
            {
                result = 0;
                // Make sure nothing is returned
                *crl = 0;
                // If the certificate memory is allocated, free it
                if (tempCrl)
                {
                    X509_CRL_free(tempCrl);
                    tempCrl = 0;
                }
            }
        }
        else
        {
            result = 0;
            // Make sure nothing is returned
            *crl = 0;
        }

        // If the file was opened, close it
        if (crlFp)
        {
            fclose(crlFp);
        }
        return result;
    }

The certificates and ~200MB CRL in question are all validated successfully using the OpenSSL command line:

    openssl verify -CAfile cafile -crl_check certificates

What could possibly be the problem with using large CRLs in my application? How can I go about troubleshooting this further?

Thanks for any help.

-Ryan Smith
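A way to read the error stack quoted in the message above, as an added example that is not part of the original post and not OpenSSL code: each line carries a packed error code, and unpacking it shows which line is the original failure and which lines only report it propagating upward. The names `struct ossl_err`, `parse_ossl_err` and `root_cause` are hypothetical, and the bit layout assumed is the pre-3.0 one used by the OpenSSL 0.9.x and 1.0.0 releases discussed on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of ERR_print_errors() output, as quoted in the message:
 * [thread id:]error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>[:<data>] */
struct ossl_err {
    unsigned long code;                  /* packed error code */
    int lib, func, reason;               /* unpacked fields */
    char lib_text[64], reason_text[64];  /* text as printed */
};

/* The three lines from the message above, in the order they were printed. */
static const char *const crl_errors[] = {
    "1418976:error:0D078064:asn1 encoding routines:ASN1_ITEM_EX_D2I:aux error:tasn_dec.c:407:Type=X509_CRL_INFO",
    "1418976:error:0D08303A:asn1 encoding routines:ANS1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:567:Field=crl, Type=X509_CRL",
    "1418976:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:",
};

/* Unpack one line; returns 0 on success, -1 if it is not an error-queue line.
 * Assumes the pre-3.0 ERR_PACK() layout: 8 bits library, 12 function, 12 reason. */
int parse_ossl_err(const char *line, struct ossl_err *out) {
    const char *p = strstr(line, "error:");
    char *end;
    if (p == NULL) return -1;
    p += strlen("error:");
    out->code = strtoul(p, &end, 16);
    if (end - p != 8 || *end != ':') return -1;
    out->lib = (int)((out->code >> 24) & 0xff);
    out->func = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    return sscanf(end + 1, "%63[^:]:%*[^:]:%63[^:]",
                  out->lib_text, out->reason_text) == 2 ? 0 : -1;
}

/* Reasons below 100 are generic ERR_R_* codes (an inner call failed); the first
 * line with a library-specific reason (>= 100) is the one to investigate.
 * Returns its index, or -1 if no line qualifies. Heuristic, not an OpenSSL API. */
int root_cause(const char *const *lines, int n) {
    struct ossl_err e;
    for (int i = 0; i < n; i++)
        if (parse_ossl_err(lines[i], &e) == 0 && e.reason >= 100) return i;
    return -1;
}

int main(void) {
    printf("root cause: line %d\n", root_cause(crl_errors, 3));
    return 0;
}
```

For the three lines above `root_cause()` returns 0: the `aux error` raised while decoding `X509_CRL_INFO` is the failure to chase, and the two later lines only record it passing up through the ASN.1 template decoder and the PEM reader.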
Re: verify certificate in c
Damn! How can it be possible that in the official openssl documentation there's nothing about this OpenSSL_add_all_algorithms()?!?!?!?
That documentation sucks a lot!

Anyway, thanks :)
--
View this message in context: http://old.nabble.com/verify-certificate-in-c-tp29043989p29063450.html
Re: verify certificate in c
On Sat, Jul 03, 2010, belo wrote:

> Damn! how can be possible that in the official openssl documentation there's nothing about this OpenSSL_add_all_algorithms()?!?!?!?

http://www.openssl.org/support/faq.html#PROG8

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: verify certificate in c
On Sat July 3 2010, Dr. Stephen Henson wrote:

> On Sat, Jul 03, 2010, belo wrote:
>
> > Damn! how can be possible that in the official openssl documentation there's nothing about this OpenSSL_add_all_algorithms()?!?!?!?
>
> http://www.openssl.org/support/faq.html#PROG8

The OP does have a point -
That faq says: see the openssl manual -
I just typed in: man openssl
and there is no mention of OpenSSL_add_all_algorithms.

How about a faq#8.5 ? -
By openssl manual we mean here: _ _ _ _

Note: In case this has changed with openssl versions -
I am looking at 0.9.8g which is the version currently provided by the Debian/Stable (Lenny) distribution.

Mike

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
key usage for certificates
Hi all, sorry for my bad English, I don't speak it very well. I subscribed here because I have a probably easy question for you. All is in the title.

The fact is the notion of keyUsage in a signed certificate is very hazy for me right now. Someone told me its purpose is just to legally protect the issuer, but software can easily overstep these statements. I mean there are no physical boundaries on what software can do no matter what statement is declared in the certificate. Is that right?

Secondly, I can't figure out what the difference is between each option and when we use this one and not that one. Can someone explain to me what the purpose of each declaration is? From what I've read so far (RFC and Google), I think there are some options which include others. For example includes the keyencipherment statement, am I wrong?

Let's imagine a piece of software which scrupulously follows the statements in the certificate about the key usage.

KeyEncipherment. I presume this software can encrypt a key but can't encrypt other things than that, like the conversation itself or other things like the digest messages in the handshake, right?

DigitalSignature. It can sign anything. Which I have understood encipher anything. Include Key. But I must be wrong, otherwise why should we declare the keyencipherment statement in a server case? :confused:

KeyAgreement. I can't really understand what its purpose is. Is this for the SSL (RSA?) protocol? Because I IMAGINED that this is for the handshake of this protocol (or anything else which leads to this kind of... key agreement :-/. So if this is right, this one includes the keyencipherment and the digitalsignature (for the digest).

KeyCertSign (which includes the keyencipherment only, if I'm not wrong), nonRepudiation, EncipherOnly and DecipherOnly had been successfully acquired, I think.

The remained(ing?) confusion comes from the three statements quoted above. I would be very indebted to the one who can explain those notions to me. Even if it's a brief debugging!! :wistle:

Since it's not a physical constraint, every test I can make would not be revealing at all, so everything I can learn from is reading, and I didn't find sufficient explanations in the RFC.

Thanks in advance to the :super: who will reply to my questions and for granting (?) your time.
--
View this message in context: http://old.nabble.com/key-usage-for-certificates-tp29064705p29064705.html
Unable to set PSK ciphers for DTLS on Fedora 13
I am unable to set the cipher PSK-AES128-CBC-SHA for my DTLS client code, even though it's displayed when I run the openssl ciphers command. I can also set this cipher without any problem when I run the openssl s_client test tool.

I get the following error during handshake:

    error:140F80B5:SSL routines:DTLS1_CLIENT_HELLO:no ciphers available:d1_clnt.c:67

Relevant code snippet:

    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_ssl_algorithms();
    const char *cipher = "PSK-AES128-CBC-SHA";
    SSL_CTX_set_cipher_list(dtls_ctx, cipher);

I also noticed that if I set my cipher to DEFAULT and run it against openssl s_server supporting only PSK-AES128-CBC-SHA, I get this error in the server:

    :no shared cipher:s3_srvr.c:

Indeed, looking at the handshake in wireshark, I noted that PSK-AES128-CBC-SHA is not being offered by my client, even though openssl ciphers -v DEFAULT shows it in the list.

I think I am doing something fundamentally wrong, but have no idea where to look. Any ideas to troubleshoot?

Here is some info about my environment:

OS:

    [lind...@fedora2 ~]$ uname -a
    Linux fedora2.localdomain 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686 i386 GNU/Linux

OpenSSL:

    [lind...@fedora2 ~]$ openssl version
    OpenSSL 1.0.0-fips 29 Mar 2010

    [lind...@fedora2 ~]$ openssl ciphers -v PSK
    PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
    PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
    PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
    PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1

    [lind...@fedora2 ~]$ openssl ciphers DEFAULT
    DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5

Regards,
Lindani
Optional Verification of Signature and Date..
Hi,

I am a newbie user of openssl, and am using openssl C APIs to verify certificates. Is there any way by which I can ignore the date verification and the signature verification?

Thanks in advance.

Regds,
Ashok