RE: Man in the middle proxy - Not working
> From: owner-openssl-us...@openssl.org On Behalf Of Raj
> Sent: Friday, 06 August, 2010 10:14
>I was able to read the content data from the server
> using SSL_read
> and put back to the browser by using SSL_write. I don't know
> whether is a
> right approach or not.
If you are doing an SSL connection to the server then
SSL_write to and SSL_read from the server are correct.
(And you should since the client is requesting SSL.)
SSL_read from and SSL_write back to the client are
correct if the client is SSL, and you said it is.
> For [an .ico] I got the response as follows and I was
> able to see the
> icon in my browser
> But for [a .png], which is 42,565 bytes long, I am
> receiving the
> following output. I understood that there is more to do
> inorder to read the
> content data, which I am not sure about
> Can anybody tell me what else should I do inorder to read
> the content
> and show it the browser. The following are sending some code snippets
>
>
> RequestSock =
> WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED);
For a socket used with openssl directly, I believe OVERLAPPED
will be ignored and is of no use. I think you would have to do
your own 'physical' level either as your own BIO type or as
a BIO_pair looping back to your code (the more usual way).
Frankly I don't think you're anywhere near ready for that.
> pHost = gethostbyname(pcTargetURL);
> memset(&ClientAddr,0,sizeof(ClientAddr));
> ClientAddr.sin_family = AF_INET;
> memcpy(&ClientAddr.sin_addr,pHost->h_addr,
> pHost->h_length);
> ClientAddr.sin_port = htons(atoi(pcPort));
> if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr,
> sizeof(SOCKADDR_IN)))
> {
> closesocket(RequestSock); // Connection failed
> return false;
> }
>
> SSL *Serverssl;
> Serverssl = SSL_new(m_pSSLCtx);
> SSL_set_fd(Serverssl, RequestSock);
> iRes = SSL_connect(Serverssl);
> if(iRes <= 0 )
> {
> ERR_print_errors_fp(stderr);
> cout << " connect Failed " << endl;
> }
>iRes = SSL_write(Serverssl,pcData, strlen(pcData));
You should check for error (<=0) and report/handle it. Error on _write
especially initial is not common, but if it ever happens, proceeding
with other operations will likely cause much greater confusion.
> SSL_accept(Serverssl);
This is useless. SSL_accept _creates_ a server-side endpoint;
it is not applicable to a client-side endpoint.
> do
> {
> dwReadDataLen =
> SSL_read(Serverssl,pBuff,iBufferSize);
>SSL_write(SourceSsl,pBuff,dwReadDataLen);
>cout << "Read buffer \n" << pBuff << endl;
Again check for errors. Especially on the _read side,
they are actually quite possible.
Also, the data read by SSL_read (like POSIX read or C fread)
does not get a null terminator byte added, so outputting
pBuff as a C-style string is likely to append garbage,
especially on the second or more time through the loop.
>} while(SSL_pending(Serverssl));
>
That's your problem. SSL_pending only indicates data _already
received and buffered_ by OpenSSL but not yet read by the app.
For responses more than one SSL record (max 32kbytes if I recall
correctly, and server may choose less) AND (probably) more than
the TCP window (varies but typically 2 MTU = about 3kbytes to start)
there will be some time delay between receiving the first chunk
of the data and the next, and the next and so on.
For a waited/blocking socket, which is the default as you have here,
you need to keep reading from the server (and in your case writing
back to the client) until you've done all the data in the response.
If you require, or the server chooses, HTTP/1.0 style conn-per-txn
(also known as connection: close or not-keepalive or not-pipelined,
and also not-chunked) you can just loop until you receive "EOF" (0)
from SSL_read, caused by the server closing the connection.
If you allow and the server uses HTTP/1.1 keep-alive (or pipelining)
and/or chunked data, the situation can get quite a bit more
complicated. See RFC 2616.
If you use a nonblocking socket (which is supported on Windows
as far as I know but is apparently not the same as OVERLAPPED)
you can also do your own timeout -- that is, read until EOF
or optionally calculated end of the response body, *or* timeout.
Since HTTP servers will normally send a complete response within
a short time (like at most a few seconds), and if one doesn't
a person at a browser usually doesn't want to wait anyway,
this can be a good simple compromise.
__
OpenSSL Project
Support of SHA-2
Is SHA-2 supported in OpenSSL 1.0 or the latest version?
From my search in Google, I found the following entry in openssl-dev mailing
list:
> List: openssl-dev
> Subject:Re: SHA-2 support in openssl?
> From: smitha daggubati
> Date: 2009-11-18 9:56:55
> Message-ID: 40a23ffd0911180144m27523ca3g9be5cf6be406bd0b () mail ! gmail ! com
> [Download message RAW]
>
> Marc,
> Thanks for the reply.
>
> On Wed, Nov 18, 2009 at 2:54 PM, Jean-Marc Desperrier wrote:
>
> > smitha daggubati wrote:
> >
> >> Does openssl have support for SHA-2. ?
> >> I know that SHA-2 is part of the crypto library but looking at the way
> >> the
> >> context is setup in ssl_ctx_new we are setiing up
> >>
> >> ret->sha1=EVP_get_digestbyname("ssl3-sha1"))
> >>
> >>
> >> So is there a way to establish an openssl connection using SHA-2
> >> currently?
> >>
> >
> > Yes openssl has support for SHA-2, but what it doesn't have is support for
> > a SSL cipher suite using SHA-2.
> >
> > It's a bit late in being updated to support the SHA-2 suites from RFC5289.
> > I suppose this not the main priority of the development team, since sha1
> > inside tls is not actually endangered at the moment.
> > Any help in implementing it, and rearchitecturing the code where use of
> > SHA-1 is hardcoded, would certainly be welcomed.
> >
> >
> > __
> > OpenSSL Project http://www.openssl.org
> > Development Mailing List openssl-...@openssl.org
> >
> > Automated List Manager majord...@openssl.org
> >
Does that means SHA-2 is still not in OpenSSL 1.0 yet?
Alex
Re: Question about extensions
On 08/06/2010 01:18 PM, Dr. Stephen Henson wrote:
> On Fri, Aug 06, 2010, Bram Cymet wrote:
>
>
>> On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote:
>>
>>> On Wed, Aug 04, 2010, Bram Cymet wrote:
>>>
>>>
>>>
HI,
Give a configuration like the following:
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
# Copy subject details
issuerAltName=issuer:copy
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:${ENV::CLIENT}
Can someone give me an idea of how openssl would encode this, or at
least point me at the code that would encode this so I can figure it out.
I am trying to figure out the asn1 structures that would be created.
>>> Well the ${ENV::xxx} stuff is environment variable expansion.
>>>
>>> If you want to see what structure is created your easiest option is to
>>> create
>>> a tets certificate using that configuration and check the subjectAltName
>>> extension using asn1parse. There is also an option to asn1parse that uses
>>> the
>>> mini-ASN1 compiler with similar syntax.
>>>
>>> It's not too hard to figure out from the docs, for example:
>>>
>>> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>>>
>>> Is subjectAltName extension, using otherName option and that OID, the value
>>> is
>>> a SEQUENCE defined by the section "princ_name":
>>>
>>> [princ_name]
>>> realm = EXP:0, GeneralString:${ENV::REALM}
>>> principal_name = EXP:1, SEQUENCE:principal_seq
>>>
>>> From above that SEQUENCE consists of an explicit tag 0 GeneralString with
>>> REALM environment variable value and another explicit tage 1 SEQUENCE
>>> described by the section principal_seq, etc etc.
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. OpenSSL project core developer.
>>> Commercial tech support now available see: http://www.openssl.org
>>> __
>>> OpenSSL Project http://www.openssl.org
>>> User Support Mailing Listopenssl-users@openssl.org
>>> Automated List Manager majord...@openssl.org
>>>
>>>
>> Thanks,
>>
>> The only problem is (and I have sent a separate email to the list about
>> this. Is whenever I try to create a cert I get
>>
>> "Error Loading extension section "
>>
>>
>> Is there any way I could get a more specific error message. Maybe
>> recompile with some debug option?
>>
>>
> That is the complete error message? What section does it complain about, the
> whole extension section or some subsection?
>
> Can you post the complete configuration file that produces this?
>
> What version of OpenSSL are you using?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
It complains about the client_cert section.
Attached is the conf file.
I am using openssl 1.0.0.
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
[ req ]
default_bits= 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
promt = no
output_password = .
[ req_distinguished_name ]
O = cbn
OU = jrz
CN = bcymet
[ req_attributes ]
challengePassword = .
[ kdc_cert ]
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Copy subject details
issuerAltName=issuer:copy
# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:TEST.CBN
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:TEST.CBN
[client_cert]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Import the email address.
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
# Copy subject details
is
Re: Question about extensions
On Fri, Aug 06, 2010, Bram Cymet wrote:
> On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote:
> > On Wed, Aug 04, 2010, Bram Cymet wrote:
> >
> >
> >> HI,
> >>
> >> Give a configuration like the following:
> >>
> >> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
> >>
> >>
> >> # Copy subject details
> >>
> >> issuerAltName=issuer:copy
> >>
> >> [princ_name]
> >> realm = EXP:0, GeneralString:${ENV::REALM}
> >> principal_name = EXP:1, SEQUENCE:principal_seq
> >>
> >> [principal_seq]
> >> name_type = EXP:0, INTEGER:1
> >> name_string = EXP:1, SEQUENCE:principals
> >>
> >> [principals]
> >> princ1 = GeneralString:${ENV::CLIENT}
> >>
> >>
> >> Can someone give me an idea of how openssl would encode this, or at
> >> least point me at the code that would encode this so I can figure it out.
> >>
> >> I am trying to figure out the asn1 structures that would be created.
> >>
> >>
> > Well the ${ENV::xxx} stuff is environment variable expansion.
> >
> > If you want to see what structure is created your easiest option is to
> > create
> > a tets certificate using that configuration and check the subjectAltName
> > extension using asn1parse. There is also an option to asn1parse that uses
> > the
> > mini-ASN1 compiler with similar syntax.
> >
> > It's not too hard to figure out from the docs, for example:
> >
> > subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
> >
> > Is subjectAltName extension, using otherName option and that OID, the value
> > is
> > a SEQUENCE defined by the section "princ_name":
> >
> > [princ_name]
> > realm = EXP:0, GeneralString:${ENV::REALM}
> > principal_name = EXP:1, SEQUENCE:principal_seq
> >
> > From above that SEQUENCE consists of an explicit tag 0 GeneralString with
> > REALM environment variable value and another explicit tage 1 SEQUENCE
> > described by the section principal_seq, etc etc.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. OpenSSL project core developer.
> > Commercial tech support now available see: http://www.openssl.org
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing Listopenssl-users@openssl.org
> > Automated List Manager majord...@openssl.org
> >
> Thanks,
>
> The only problem is (and I have sent a separate email to the list about
> this. Is whenever I try to create a cert I get
>
> "Error Loading extension section "
>
>
> Is there any way I could get a more specific error message. Maybe
> recompile with some debug option?
>
That is the complete error message? What section does it complain about, the
whole extension section or some subsection?
Can you post the complete configuration file that produces this?
What version of OpenSSL are you using?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Verifying X509 Certificates Using The OpenSSL API
On Fri, Aug 06, 2010, Sam Jantz wrote: > To whomever may have an answer, > > I am writing a SSL/TLS proxy server for my work that is multi-threaded. > I recently replaced my OpenSSL version with 1.0.0a from 0.9.8g. In this > application I need to verify the server certificate otherwise all the > security will be bypassed. However, when I use SSL_get_verify_result() I > almost always get an error code "20 unable to get local issuer certificate." > This is almost always at depth 0, and sometimes depth 1. > I am loading the certificate stores from /etc/ssl/certs which contains > the stores that mozilla, chrome, and the like all verify from, but no matter > what I do I can't get a single certificate to verify. > When I revert to OpenSSL 0.9.8g I can successfully verify several > certificates, but I still get the same error code for about half of the > websites I try, and are known to be valid (e.g. www.gmail.com:443). > > This is not just a difference in my program either, in both s_client and > verify from the command line, 0.9.8g will return a X509_V_OK code, and > 1.0.0a will return error 20. I am completely at a loss as to why this is. > I am not so much concerned with getting the command line to work as I am > with my program. I can't post my code because of a non disclosure > agreement, but I will post the steps that I am taking that are relevant to > verify. > You need to call c_rehash with OpenSSL 1.0.0, the hash algorithm changed and is incompatible with 0.9.8. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Verifying X509 Certificates Using The OpenSSL API
To whomever may have an answer,
I am writing a SSL/TLS proxy server for my work that is multi-threaded.
I recently replaced my OpenSSL version with 1.0.0a from 0.9.8g. In this
application I need to verify the server certificate otherwise all the
security will be bypassed. However, when I use SSL_get_verify_result() I
almost always get an error code "20 unable to get local issuer certificate."
This is almost always at depth 0, and sometimes depth 1.
I am loading the certificate stores from /etc/ssl/certs which contains
the stores that mozilla, chrome, and the like all verify from, but no matter
what I do I can't get a single certificate to verify.
When I revert to OpenSSL 0.9.8g I can successfully verify several
certificates, but I still get the same error code for about half of the
websites I try, and are known to be valid (e.g. www.gmail.com:443).
This is not just a difference in my program either, in both s_client and
verify from the command line, 0.9.8g will return a X509_V_OK code, and
1.0.0a will return error 20. I am completely at a loss as to why this is.
I am not so much concerned with getting the command line to work as I am
with my program. I can't post my code because of a non disclosure
agreement, but I will post the steps that I am taking that are relevant to
verify.
Before I create any ssl objects I am setting up the context:
if((SSL_CTX_load_verify_locations(_ssl_ctx, NULL, "/etc/ssl/certs/" ))!=
1)
cout << "couldn't load verify locations" << endl;
if((SSL_CTX_set_default_verify_paths(_ssl_ctx))!=1)
cout << "couldn't load defaults" << endl;
//This is set to none because if set to PEER no connections can be made
because of the invalid cert
SSL_CTX_set_verify(_ssl_client_ctx, SSL_VERIFY_NONE, verify_callback);
SSL_CTX_set_verify_depth(_ssl_ctx, 9);
Verify_callback is defined as this:
static int verify_callback(int ok, X509_STORE_CTX* store){
if(!ok){
X509 * cert = X509_STORE_CTX_get_current_cert(store);
int depth = X509_STORE_CTX_get_error_depth(store);
int err = X509_STORE_CTX_get_error(store);
cout << "Error at depth: " << depth<< endl;
cout << "Error Text: " << X509_verify_cert_error_string(err) <<
endl;
}
return ok;
}
After this, I read the verification code when I obtain the cert:
X509 *server_cert = SSL_get_peer_certificate(server_ssl);
if(!server_cert){
//couldn't get certificate, exit here
exit(1);
}
long certValid = SSL_get_verify_result(server_ssl);
if(certValid == X509_V_OK)
cout << endl << "Certificate is valid" << endl;
If you need any more information please let me know and I will post what I
can. Thank you in advanced for the help.
Thanks,
Sam
--
Sam Jantz
Software Engineer
Re: Man in the middle proxy - Not working
Hi
I was able to read the content data from the server using SSL_read
and put back to the browser by using SSL_write. I don't know whether is a
right approach or not. I have done the experiment in these two urls
1. https://s-static.ak.facebook.com/rsrc.php/z9Q0Q/hash/8yhim1ep.ico
2. https://s-static.ak.facebook.com/rsrc.php/z8OGI/hash/41j5eq4v.png
For the first try I got the response as follows and I was able to see the
icon in my browser
HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Length: 318
Content-Type: image/x-icon
Expires: Sat, 06 Aug 2011 06:58:14 -0700
Last-Modified: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="DSP LAW"
Pragma:
X-Cnection: close
Date: Fri, 06 Aug 2010 13:58:14 GMT
But for the second link, which is 42,565 bytes long, I am receiving the
following output. I understood that there is more to do inorder to read the
content data, which I am not sure about
HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Length: 42565
Content-Type: image/png
Expires: Sat, 06 Aug 2011 07:04:17 -0700
Last-Modified: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="DSP LAW"
Pragma:
X-Cnection: close
Date: Fri, 06 Aug 2010 14:04:17 GMT
Can anybody tell me what else should I do inorder to read the content
and show it the browser. The following are sending some code snippets
RequestSock =
WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED);
pHost = gethostbyname(pcTargetURL);
memset(&ClientAddr,0,sizeof(ClientAddr));
ClientAddr.sin_family = AF_INET;
memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length);
ClientAddr.sin_port = htons(atoi(pcPort));
if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr,
sizeof(SOCKADDR_IN)))
{
closesocket(RequestSock); // Connection failed
return false;
}
SSL *Serverssl;
Serverssl = SSL_new(m_pSSLCtx);
SSL_set_fd(Serverssl, RequestSock);
iRes = SSL_connect(Serverssl);
if(iRes <= 0 )
{
ERR_print_errors_fp(stderr);
cout << " connect Failed " << endl;
}
iRes = SSL_write(Serverssl,pcData, strlen(pcData));
SSL_accept(Serverssl);
do
{
dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize);
SSL_write(SourceSsl,pBuff,dwReadDataLen);
cout << "Read buffer \n" << pBuff << endl;
} while(SSL_pending(Serverssl));
Thanks,
Raj
Rajmohan SK
- Original Message -
From: "Raj"
To:
Sent: Friday, August 06, 2010 10:12 AM
Subject: Re: Man in the middle proxy - Not working
Hi
Can you send me some code snippet which shows how to commutate with
webserver and read the content data
Thanks,
Raj
Rajmohan SK
- Original Message -
From: "Dave Thompson"
To:
Sent: Friday, August 06, 2010 2:19 AM
Subject: RE: Man in the middle proxy - Not working
From: owner-openssl-us...@openssl.org On Behalf Of Raj
Sent: Thursday, 05 August, 2010 01:06
I will describe my code snippet below
The module for connecting to server
SOCKET RequestSock;
SOCKADDR_IN ClientAddr;
RequestSock =
WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED);
I don't know much about 'OVERLAPPED' in Windows, but I think
it's something like 'nonblocking' in Unix.
pHost = gethostbyname(pcTargetURL);
memset(&ClientAddr,0,sizeof(ClientAddr));
int iAddrLen = sizeof(ClientAddr);
ClientAddr.sin_family = AF_INET;
memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length);
ClientAddr.sin_port = htons(atoi(pcPort));
if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr,
sizeof(SOCKADDR_IN)))
{
closesocket(RequestSock); // Connection failed
return false;
}
WSAOVERLAPPED SendOverlapped;
DWORD dwSendDataLen = 0;
WSABUF ClientRequestBuf;
WSAEVENT SendEvent[1];
ClientRequestBuf.buf = pcData;
ClientRequestBuf.len = strlen(pcData);
SendEvent[0] = WSACreateEvent();
SendOverlapped.hEvent = SendEvent[0];
iRes =
WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag,
&SendOverlapped,NULL);
// Sending data to the server
At this point, the send probably hasn't actually happened.
And if you call [WSA]Recv and it returns, it almost certainly
hasn't actually been done either. You probably have to do
some kind of synchronization with the .hEvent, following
whatever Windows rules are applicable.
FYI
pcPort = 443
pcTargetURL = L"www.facebook.com";
pcData = "GET https://www.facebook.com HTTP/1.0\r\n\r\n"
__
Re: Question about extensions
On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote:
> On Wed, Aug 04, 2010, Bram Cymet wrote:
>
>
>> HI,
>>
>> Give a configuration like the following:
>>
>> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>>
>>
>> # Copy subject details
>>
>> issuerAltName=issuer:copy
>>
>> [princ_name]
>> realm = EXP:0, GeneralString:${ENV::REALM}
>> principal_name = EXP:1, SEQUENCE:principal_seq
>>
>> [principal_seq]
>> name_type = EXP:0, INTEGER:1
>> name_string = EXP:1, SEQUENCE:principals
>>
>> [principals]
>> princ1 = GeneralString:${ENV::CLIENT}
>>
>>
>> Can someone give me an idea of how openssl would encode this, or at
>> least point me at the code that would encode this so I can figure it out.
>>
>> I am trying to figure out the asn1 structures that would be created.
>>
>>
> Well the ${ENV::xxx} stuff is environment variable expansion.
>
> If you want to see what structure is created your easiest option is to create
> a tets certificate using that configuration and check the subjectAltName
> extension using asn1parse. There is also an option to asn1parse that uses the
> mini-ASN1 compiler with similar syntax.
>
> It's not too hard to figure out from the docs, for example:
>
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>
> Is subjectAltName extension, using otherName option and that OID, the value is
> a SEQUENCE defined by the section "princ_name":
>
> [princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:principal_seq
>
> From above that SEQUENCE consists of an explicit tag 0 GeneralString with
> REALM environment variable value and another explicit tage 1 SEQUENCE
> described by the section principal_seq, etc etc.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
Thanks,
The only problem is (and I have sent a separate email to the list about
this. Is whenever I try to create a cert I get
"Error Loading extension section "
Is there any way I could get a more specific error message. Maybe
recompile with some debug option?
Bram
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Question about extensions
On Wed, Aug 04, 2010, Bram Cymet wrote:
> HI,
>
> Give a configuration like the following:
>
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>
>
> # Copy subject details
>
> issuerAltName=issuer:copy
>
> [princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:principal_seq
>
> [principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:principals
>
> [principals]
> princ1 = GeneralString:${ENV::CLIENT}
>
>
> Can someone give me an idea of how openssl would encode this, or at
> least point me at the code that would encode this so I can figure it out.
>
> I am trying to figure out the asn1 structures that would be created.
>
Well the ${ENV::xxx} stuff is environment variable expansion.
If you want to see what structure is created your easiest option is to create
a tets certificate using that configuration and check the subjectAltName
extension using asn1parse. There is also an option to asn1parse that uses the
mini-ASN1 compiler with similar syntax.
It's not too hard to figure out from the docs, for example:
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
Is subjectAltName extension, using otherName option and that OID, the value is
a SEQUENCE defined by the section "princ_name":
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
>From above that SEQUENCE consists of an explicit tag 0 GeneralString with
REALM environment variable value and another explicit tage 1 SEQUENCE
described by the section principal_seq, etc etc.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: SSL_CTX_set_verify issue
On 08/06/2010 10:54 AM, Manjunath1847 wrote: I am using SSL_CTX_set_verify() function to set my static C callback verify function. During HTTPS transaction, my callback is also getting called with first parameter 0 or 1 (depending upon of the certificate verification is success or failure). But even if my certification verification is failure I want to continue. So I have hard coded return value as 1 always from my callback function. But still I see the certification error and I don't get the page. Any suggestion please? You might want to try X509_STORE_CTX_set_error(ctx, X509_V_OK) ; __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
SSL_CTX_set_verify issue
I am using SSL_CTX_set_verify() function to set my static C callback verify function. During HTTPS transaction, my callback is also getting called with first parameter 0 or 1 (depending upon of the certificate verification is success or failure). But even if my certification verification is failure I want to continue. So I have hard coded return value as 1 always from my callback function. But still I see the certification error and I don't get the page. Any suggestion please? -- View this message in context: http://old.nabble.com/SSL_CTX_set_verify-issue-tp29356429p29356429.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
