RE: Man in the middle proxy - Not working
> From: owner-openssl-us...@openssl.org On Behalf Of Raj > Sent: Friday, 06 August, 2010 10:14 >I was able to read the content data from the server > using SSL_read > and put back to the browser by using SSL_write. I don't know > whether is a > right approach or not. If you are doing an SSL connection to the server then SSL_write to and SSL_read from the server are correct. (And you should since the client is requesting SSL.) SSL_read from and SSL_write back to the client are correct if the client is SSL, and you said it is. > For [an .ico] I got the response as follows and I was > able to see the > icon in my browser > But for [a .png], which is 42,565 bytes long, I am > receiving the > following output. I understood that there is more to do > inorder to read the > content data, which I am not sure about > Can anybody tell me what else should I do inorder to read > the content > and show it the browser. The following are sending some code snippets > > > RequestSock = > WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED); For a socket used with openssl directly, I believe OVERLAPPED will be ignored and is of no use. I think you would have to do your own 'physical' level either as your own BIO type or as a BIO_pair looping back to your code (the more usual way). Frankly I don't think you're anywhere near ready for that. > pHost = gethostbyname(pcTargetURL); > memset(&ClientAddr,0,sizeof(ClientAddr)); > ClientAddr.sin_family = AF_INET; > memcpy(&ClientAddr.sin_addr,pHost->h_addr, > pHost->h_length); > ClientAddr.sin_port = htons(atoi(pcPort)); > if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, > sizeof(SOCKADDR_IN))) > { > closesocket(RequestSock); // Connection failed > return false; > } > > SSL *Serverssl; > Serverssl = SSL_new(m_pSSLCtx); > SSL_set_fd(Serverssl, RequestSock); > iRes = SSL_connect(Serverssl); > if(iRes <= 0 ) > { > ERR_print_errors_fp(stderr); > cout << " connect Failed " << endl; > } >iRes = SSL_write(Serverssl,pcData, strlen(pcData)); You should check for error (<=0) and report/handle it. Error on _write especially initial is not common, but if it ever happens, proceeding with other operations will likely cause much greater confusion. > SSL_accept(Serverssl); This is useless. SSL_accept _creates_ a server-side endpoint; it is not applicable to a client-side endpoint. > do > { > dwReadDataLen = > SSL_read(Serverssl,pBuff,iBufferSize); >SSL_write(SourceSsl,pBuff,dwReadDataLen); >cout << "Read buffer \n" << pBuff << endl; Again check for errors. Especially on the _read side, they are actually quite possible. Also, the data read by SSL_read (like POSIX read or C fread) does not get a null terminator byte added, so outputting pBuff as a C-style string is likely to append garbage, especially on the second or more time through the loop. >} while(SSL_pending(Serverssl)); > That's your problem. SSL_pending only indicates data _already received and buffered_ by OpenSSL but not yet read by the app. For responses more than one SSL record (max 32kbytes if I recall correctly, and server may choose less) AND (probably) more than the TCP window (varies but typically 2 MTU = about 3kbytes to start) there will be some time delay between receiving the first chunk of the data and the next, and the next and so on. For a waited/blocking socket, which is the default as you have here, you need to keep reading from the server (and in your case writing back to the client) until you've done all the data in the response. If you require, or the server chooses, HTTP/1.0 style conn-per-txn (also known as connection: close or not-keepalive or not-pipelined, and also not-chunked) you can just loop until you receive "EOF" (0) from SSL_read, caused by the server closing the connection. If you allow and the server uses HTTP/1.1 keep-alive (or pipelining) and/or chunked data, the situation can get quite a bit more complicated. See RFC 2616. If you use a nonblocking socket (which is supported on Windows as far as I know but is apparently not the same as OVERLAPPED) you can also do your own timeout -- that is, read until EOF or optionally calculated end of the response body, *or* timeout. Since HTTP servers will normally send a complete response within a short time (like at most a few seconds), and if one doesn't a person at a browser usually doesn't want to wait anyway, this can be a good simple compromise. __ OpenSSL Project
Support of SHA-2
Is SHA-2 supported in OpenSSL 1.0 or the latest version? From my search in Google, I found the following entry in openssl-dev mailing list: > List: openssl-dev > Subject:Re: SHA-2 support in openssl? > From: smitha daggubati > Date: 2009-11-18 9:56:55 > Message-ID: 40a23ffd0911180144m27523ca3g9be5cf6be406bd0b () mail ! gmail ! com > [Download message RAW] > > Marc, > Thanks for the reply. > > On Wed, Nov 18, 2009 at 2:54 PM, Jean-Marc Desperrier wrote: > > > smitha daggubati wrote: > > > >> Does openssl have support for SHA-2. ? > >> I know that SHA-2 is part of the crypto library but looking at the way > >> the > >> context is setup in ssl_ctx_new we are setiing up > >> > >> ret->sha1=EVP_get_digestbyname("ssl3-sha1")) > >> > >> > >> So is there a way to establish an openssl connection using SHA-2 > >> currently? > >> > > > > Yes openssl has support for SHA-2, but what it doesn't have is support for > > a SSL cipher suite using SHA-2. > > > > It's a bit late in being updated to support the SHA-2 suites from RFC5289. > > I suppose this not the main priority of the development team, since sha1 > > inside tls is not actually endangered at the moment. > > Any help in implementing it, and rearchitecturing the code where use of > > SHA-1 is hardcoded, would certainly be welcomed. > > > > > > __ > > OpenSSL Project http://www.openssl.org > > Development Mailing List openssl-...@openssl.org > > > > Automated List Manager majord...@openssl.org > > Does that means SHA-2 is still not in OpenSSL 1.0 yet? Alex
Re: Question about extensions
On 08/06/2010 01:18 PM, Dr. Stephen Henson wrote: > On Fri, Aug 06, 2010, Bram Cymet wrote: > > >> On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote: >> >>> On Wed, Aug 04, 2010, Bram Cymet wrote: >>> >>> >>> HI, Give a configuration like the following: subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name # Copy subject details issuerAltName=issuer:copy [princ_name] realm = EXP:0, GeneralString:${ENV::REALM} principal_name = EXP:1, SEQUENCE:principal_seq [principal_seq] name_type = EXP:0, INTEGER:1 name_string = EXP:1, SEQUENCE:principals [principals] princ1 = GeneralString:${ENV::CLIENT} Can someone give me an idea of how openssl would encode this, or at least point me at the code that would encode this so I can figure it out. I am trying to figure out the asn1 structures that would be created. >>> Well the ${ENV::xxx} stuff is environment variable expansion. >>> >>> If you want to see what structure is created your easiest option is to >>> create >>> a tets certificate using that configuration and check the subjectAltName >>> extension using asn1parse. There is also an option to asn1parse that uses >>> the >>> mini-ASN1 compiler with similar syntax. >>> >>> It's not too hard to figure out from the docs, for example: >>> >>> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name >>> >>> Is subjectAltName extension, using otherName option and that OID, the value >>> is >>> a SEQUENCE defined by the section "princ_name": >>> >>> [princ_name] >>> realm = EXP:0, GeneralString:${ENV::REALM} >>> principal_name = EXP:1, SEQUENCE:principal_seq >>> >>> From above that SEQUENCE consists of an explicit tag 0 GeneralString with >>> REALM environment variable value and another explicit tage 1 SEQUENCE >>> described by the section principal_seq, etc etc. >>> >>> Steve. >>> -- >>> Dr Stephen N. Henson. OpenSSL project core developer. >>> Commercial tech support now available see: http://www.openssl.org >>> __ >>> OpenSSL Project http://www.openssl.org >>> User Support Mailing Listopenssl-users@openssl.org >>> Automated List Manager majord...@openssl.org >>> >>> >> Thanks, >> >> The only problem is (and I have sent a separate email to the list about >> this. Is whenever I try to create a cert I get >> >> "Error Loading extension section " >> >> >> Is there any way I could get a more specific error message. Maybe >> recompile with some debug option? >> >> > That is the complete error message? What section does it complain about, the > whole extension section or some subsection? > > Can you post the complete configuration file that produces this? > > What version of OpenSSL are you using? > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > It complains about the client_cert section. Attached is the conf file. I am using openssl 1.0.0. -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. Cell: 613-608-9752 [ req ] default_bits= 2048 distinguished_name = req_distinguished_name attributes = req_attributes promt = no output_password = . [ req_distinguished_name ] O = cbn OU = jrz CN = bcymet [ req_attributes ] challengePassword = . [ kdc_cert ] basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = 1.3.6.1.5.2.3.5 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # Copy subject details issuerAltName=issuer:copy # Add id-pkinit-san (pkinit subjectAlternativeName) subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name [kdc_princ_name] realm = EXP:0, GeneralString:TEST.CBN principal_name = EXP:1, SEQUENCE:kdc_principal_seq [kdc_principal_seq] name_type = EXP:0, INTEGER:1 name_string = EXP:1, SEQUENCE:kdc_principals [kdc_principals] princ1 = GeneralString:krbtgt princ2 = GeneralString:TEST.CBN [client_cert] # These extensions are added when 'ca' signs a request. basicConstraints=CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = 1.3.6.1.5.2.3.4 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # Import the email address. subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name # Copy subject details is
Re: Question about extensions
On Fri, Aug 06, 2010, Bram Cymet wrote: > On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote: > > On Wed, Aug 04, 2010, Bram Cymet wrote: > > > > > >> HI, > >> > >> Give a configuration like the following: > >> > >> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name > >> > >> > >> # Copy subject details > >> > >> issuerAltName=issuer:copy > >> > >> [princ_name] > >> realm = EXP:0, GeneralString:${ENV::REALM} > >> principal_name = EXP:1, SEQUENCE:principal_seq > >> > >> [principal_seq] > >> name_type = EXP:0, INTEGER:1 > >> name_string = EXP:1, SEQUENCE:principals > >> > >> [principals] > >> princ1 = GeneralString:${ENV::CLIENT} > >> > >> > >> Can someone give me an idea of how openssl would encode this, or at > >> least point me at the code that would encode this so I can figure it out. > >> > >> I am trying to figure out the asn1 structures that would be created. > >> > >> > > Well the ${ENV::xxx} stuff is environment variable expansion. > > > > If you want to see what structure is created your easiest option is to > > create > > a tets certificate using that configuration and check the subjectAltName > > extension using asn1parse. There is also an option to asn1parse that uses > > the > > mini-ASN1 compiler with similar syntax. > > > > It's not too hard to figure out from the docs, for example: > > > > subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name > > > > Is subjectAltName extension, using otherName option and that OID, the value > > is > > a SEQUENCE defined by the section "princ_name": > > > > [princ_name] > > realm = EXP:0, GeneralString:${ENV::REALM} > > principal_name = EXP:1, SEQUENCE:principal_seq > > > > From above that SEQUENCE consists of an explicit tag 0 GeneralString with > > REALM environment variable value and another explicit tage 1 SEQUENCE > > described by the section principal_seq, etc etc. > > > > Steve. > > -- > > Dr Stephen N. Henson. OpenSSL project core developer. > > Commercial tech support now available see: http://www.openssl.org > > __ > > OpenSSL Project http://www.openssl.org > > User Support Mailing Listopenssl-users@openssl.org > > Automated List Manager majord...@openssl.org > > > Thanks, > > The only problem is (and I have sent a separate email to the list about > this. Is whenever I try to create a cert I get > > "Error Loading extension section " > > > Is there any way I could get a more specific error message. Maybe > recompile with some debug option? > That is the complete error message? What section does it complain about, the whole extension section or some subsection? Can you post the complete configuration file that produces this? What version of OpenSSL are you using? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verifying X509 Certificates Using The OpenSSL API
On Fri, Aug 06, 2010, Sam Jantz wrote: > To whomever may have an answer, > > I am writing a SSL/TLS proxy server for my work that is multi-threaded. > I recently replaced my OpenSSL version with 1.0.0a from 0.9.8g. In this > application I need to verify the server certificate otherwise all the > security will be bypassed. However, when I use SSL_get_verify_result() I > almost always get an error code "20 unable to get local issuer certificate." > This is almost always at depth 0, and sometimes depth 1. > I am loading the certificate stores from /etc/ssl/certs which contains > the stores that mozilla, chrome, and the like all verify from, but no matter > what I do I can't get a single certificate to verify. > When I revert to OpenSSL 0.9.8g I can successfully verify several > certificates, but I still get the same error code for about half of the > websites I try, and are known to be valid (e.g. www.gmail.com:443). > > This is not just a difference in my program either, in both s_client and > verify from the command line, 0.9.8g will return a X509_V_OK code, and > 1.0.0a will return error 20. I am completely at a loss as to why this is. > I am not so much concerned with getting the command line to work as I am > with my program. I can't post my code because of a non disclosure > agreement, but I will post the steps that I am taking that are relevant to > verify. > You need to call c_rehash with OpenSSL 1.0.0, the hash algorithm changed and is incompatible with 0.9.8. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Verifying X509 Certificates Using The OpenSSL API
To whomever may have an answer, I am writing a SSL/TLS proxy server for my work that is multi-threaded. I recently replaced my OpenSSL version with 1.0.0a from 0.9.8g. In this application I need to verify the server certificate otherwise all the security will be bypassed. However, when I use SSL_get_verify_result() I almost always get an error code "20 unable to get local issuer certificate." This is almost always at depth 0, and sometimes depth 1. I am loading the certificate stores from /etc/ssl/certs which contains the stores that mozilla, chrome, and the like all verify from, but no matter what I do I can't get a single certificate to verify. When I revert to OpenSSL 0.9.8g I can successfully verify several certificates, but I still get the same error code for about half of the websites I try, and are known to be valid (e.g. www.gmail.com:443). This is not just a difference in my program either, in both s_client and verify from the command line, 0.9.8g will return a X509_V_OK code, and 1.0.0a will return error 20. I am completely at a loss as to why this is. I am not so much concerned with getting the command line to work as I am with my program. I can't post my code because of a non disclosure agreement, but I will post the steps that I am taking that are relevant to verify. Before I create any ssl objects I am setting up the context: if((SSL_CTX_load_verify_locations(_ssl_ctx, NULL, "/etc/ssl/certs/" ))!= 1) cout << "couldn't load verify locations" << endl; if((SSL_CTX_set_default_verify_paths(_ssl_ctx))!=1) cout << "couldn't load defaults" << endl; //This is set to none because if set to PEER no connections can be made because of the invalid cert SSL_CTX_set_verify(_ssl_client_ctx, SSL_VERIFY_NONE, verify_callback); SSL_CTX_set_verify_depth(_ssl_ctx, 9); Verify_callback is defined as this: static int verify_callback(int ok, X509_STORE_CTX* store){ if(!ok){ X509 * cert = X509_STORE_CTX_get_current_cert(store); int depth = X509_STORE_CTX_get_error_depth(store); int err = X509_STORE_CTX_get_error(store); cout << "Error at depth: " << depth<< endl; cout << "Error Text: " << X509_verify_cert_error_string(err) << endl; } return ok; } After this, I read the verification code when I obtain the cert: X509 *server_cert = SSL_get_peer_certificate(server_ssl); if(!server_cert){ //couldn't get certificate, exit here exit(1); } long certValid = SSL_get_verify_result(server_ssl); if(certValid == X509_V_OK) cout << endl << "Certificate is valid" << endl; If you need any more information please let me know and I will post what I can. Thank you in advanced for the help. Thanks, Sam -- Sam Jantz Software Engineer
Re: Man in the middle proxy - Not working
Hi I was able to read the content data from the server using SSL_read and put back to the browser by using SSL_write. I don't know whether is a right approach or not. I have done the experiment in these two urls 1. https://s-static.ak.facebook.com/rsrc.php/z9Q0Q/hash/8yhim1ep.ico 2. https://s-static.ak.facebook.com/rsrc.php/z8OGI/hash/41j5eq4v.png For the first try I got the response as follows and I was able to see the icon in my browser HTTP/1.1 200 OK Cache-Control: public, max-age=31536000 Content-Length: 318 Content-Type: image/x-icon Expires: Sat, 06 Aug 2011 06:58:14 -0700 Last-Modified: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="DSP LAW" Pragma: X-Cnection: close Date: Fri, 06 Aug 2010 13:58:14 GMT But for the second link, which is 42,565 bytes long, I am receiving the following output. I understood that there is more to do inorder to read the content data, which I am not sure about HTTP/1.1 200 OK Cache-Control: public, max-age=31536000 Content-Length: 42565 Content-Type: image/png Expires: Sat, 06 Aug 2011 07:04:17 -0700 Last-Modified: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="DSP LAW" Pragma: X-Cnection: close Date: Fri, 06 Aug 2010 14:04:17 GMT Can anybody tell me what else should I do inorder to read the content and show it the browser. The following are sending some code snippets RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED); pHost = gethostbyname(pcTargetURL); memset(&ClientAddr,0,sizeof(ClientAddr)); ClientAddr.sin_family = AF_INET; memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length); ClientAddr.sin_port = htons(atoi(pcPort)); if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN))) { closesocket(RequestSock); // Connection failed return false; } SSL *Serverssl; Serverssl = SSL_new(m_pSSLCtx); SSL_set_fd(Serverssl, RequestSock); iRes = SSL_connect(Serverssl); if(iRes <= 0 ) { ERR_print_errors_fp(stderr); cout << " connect Failed " << endl; } iRes = SSL_write(Serverssl,pcData, strlen(pcData)); SSL_accept(Serverssl); do { dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); SSL_write(SourceSsl,pBuff,dwReadDataLen); cout << "Read buffer \n" << pBuff << endl; } while(SSL_pending(Serverssl)); Thanks, Raj Rajmohan SK - Original Message - From: "Raj" To: Sent: Friday, August 06, 2010 10:12 AM Subject: Re: Man in the middle proxy - Not working Hi Can you send me some code snippet which shows how to commutate with webserver and read the content data Thanks, Raj Rajmohan SK - Original Message - From: "Dave Thompson" To: Sent: Friday, August 06, 2010 2:19 AM Subject: RE: Man in the middle proxy - Not working From: owner-openssl-us...@openssl.org On Behalf Of Raj Sent: Thursday, 05 August, 2010 01:06 I will describe my code snippet below The module for connecting to server SOCKET RequestSock; SOCKADDR_IN ClientAddr; RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED); I don't know much about 'OVERLAPPED' in Windows, but I think it's something like 'nonblocking' in Unix. pHost = gethostbyname(pcTargetURL); memset(&ClientAddr,0,sizeof(ClientAddr)); int iAddrLen = sizeof(ClientAddr); ClientAddr.sin_family = AF_INET; memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length); ClientAddr.sin_port = htons(atoi(pcPort)); if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN))) { closesocket(RequestSock); // Connection failed return false; } WSAOVERLAPPED SendOverlapped; DWORD dwSendDataLen = 0; WSABUF ClientRequestBuf; WSAEVENT SendEvent[1]; ClientRequestBuf.buf = pcData; ClientRequestBuf.len = strlen(pcData); SendEvent[0] = WSACreateEvent(); SendOverlapped.hEvent = SendEvent[0]; iRes = WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag, &SendOverlapped,NULL); // Sending data to the server At this point, the send probably hasn't actually happened. And if you call [WSA]Recv and it returns, it almost certainly hasn't actually been done either. You probably have to do some kind of synchronization with the .hEvent, following whatever Windows rules are applicable. FYI pcPort = 443 pcTargetURL = L"www.facebook.com"; pcData = "GET https://www.facebook.com HTTP/1.0\r\n\r\n" __
Re: Question about extensions
On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote: > On Wed, Aug 04, 2010, Bram Cymet wrote: > > >> HI, >> >> Give a configuration like the following: >> >> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name >> >> >> # Copy subject details >> >> issuerAltName=issuer:copy >> >> [princ_name] >> realm = EXP:0, GeneralString:${ENV::REALM} >> principal_name = EXP:1, SEQUENCE:principal_seq >> >> [principal_seq] >> name_type = EXP:0, INTEGER:1 >> name_string = EXP:1, SEQUENCE:principals >> >> [principals] >> princ1 = GeneralString:${ENV::CLIENT} >> >> >> Can someone give me an idea of how openssl would encode this, or at >> least point me at the code that would encode this so I can figure it out. >> >> I am trying to figure out the asn1 structures that would be created. >> >> > Well the ${ENV::xxx} stuff is environment variable expansion. > > If you want to see what structure is created your easiest option is to create > a tets certificate using that configuration and check the subjectAltName > extension using asn1parse. There is also an option to asn1parse that uses the > mini-ASN1 compiler with similar syntax. > > It's not too hard to figure out from the docs, for example: > > subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name > > Is subjectAltName extension, using otherName option and that OID, the value is > a SEQUENCE defined by the section "princ_name": > > [princ_name] > realm = EXP:0, GeneralString:${ENV::REALM} > principal_name = EXP:1, SEQUENCE:principal_seq > > From above that SEQUENCE consists of an explicit tag 0 GeneralString with > REALM environment variable value and another explicit tage 1 SEQUENCE > described by the section principal_seq, etc etc. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > Thanks, The only problem is (and I have sent a separate email to the list about this. Is whenever I try to create a cert I get "Error Loading extension section " Is there any way I could get a more specific error message. Maybe recompile with some debug option? Bram -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. Cell: 613-608-9752 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Question about extensions
On Wed, Aug 04, 2010, Bram Cymet wrote: > HI, > > Give a configuration like the following: > > subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name > > > # Copy subject details > > issuerAltName=issuer:copy > > [princ_name] > realm = EXP:0, GeneralString:${ENV::REALM} > principal_name = EXP:1, SEQUENCE:principal_seq > > [principal_seq] > name_type = EXP:0, INTEGER:1 > name_string = EXP:1, SEQUENCE:principals > > [principals] > princ1 = GeneralString:${ENV::CLIENT} > > > Can someone give me an idea of how openssl would encode this, or at > least point me at the code that would encode this so I can figure it out. > > I am trying to figure out the asn1 structures that would be created. > Well the ${ENV::xxx} stuff is environment variable expansion. If you want to see what structure is created your easiest option is to create a tets certificate using that configuration and check the subjectAltName extension using asn1parse. There is also an option to asn1parse that uses the mini-ASN1 compiler with similar syntax. It's not too hard to figure out from the docs, for example: subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name Is subjectAltName extension, using otherName option and that OID, the value is a SEQUENCE defined by the section "princ_name": [princ_name] realm = EXP:0, GeneralString:${ENV::REALM} principal_name = EXP:1, SEQUENCE:principal_seq >From above that SEQUENCE consists of an explicit tag 0 GeneralString with REALM environment variable value and another explicit tage 1 SEQUENCE described by the section principal_seq, etc etc. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: SSL_CTX_set_verify issue
On 08/06/2010 10:54 AM, Manjunath1847 wrote: I am using SSL_CTX_set_verify() function to set my static C callback verify function. During HTTPS transaction, my callback is also getting called with first parameter 0 or 1 (depending upon of the certificate verification is success or failure). But even if my certification verification is failure I want to continue. So I have hard coded return value as 1 always from my callback function. But still I see the certification error and I don't get the page. Any suggestion please? You might want to try X509_STORE_CTX_set_error(ctx, X509_V_OK) ; __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
SSL_CTX_set_verify issue
I am using SSL_CTX_set_verify() function to set my static C callback verify function. During HTTPS transaction, my callback is also getting called with first parameter 0 or 1 (depending upon of the certificate verification is success or failure). But even if my certification verification is failure I want to continue. So I have hard coded return value as 1 always from my callback function. But still I see the certification error and I don't get the page. Any suggestion please? -- View this message in context: http://old.nabble.com/SSL_CTX_set_verify-issue-tp29356429p29356429.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org