Re: Pass parameter to an engine without entering OpenSSL Prompt

2011-02-16 Thread Torsten Weber

On 02/15/2011 05:01 PM, Dr. Stephen Henson wrote:

It can be done in the openssl.cnf file but not in general for all
openssl utility subcommands.

Steve.


Thanks, that worked. In my engines section I can write:
MY_PARAMETER = value
MY_PARAMETER2 = EMPTY

One additional (meta-)question:
How should I have come from your answer to the actual information I 
needed? Because all you said was that it can be done via openssl.conf.
I basically grep'ed the openssl source folder for default_algorithms 
and ended up reading through the config.pod file, which showed some useful 
examples.


What would have been the right way? How would you have done it?


Regards,
Torsten
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
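
For reference, the chain of sections openssl.cnf needs before engine parameters like the ones in the message above are read, following the ENGINE configuration layout documented in config.pod. This is an added example, not part of the original message; the engine name `myengine` and the `dynamic_path` value are placeholders, while `MY_PARAMETER` and `MY_PARAMETER2` are the names from the post.

```ini
# openssl.cnf sketch: engine name and library path are placeholders.

# This line must sit in the default (unnamed) section, i.e. before the
# first [section] header. It names the section listing the config modules.
openssl_conf = openssl_init

[openssl_init]
# "engines" is the ENGINE configuration module; its value names the
# section that lists the engines to set up.
engines = engine_section

[engine_section]
# One line per engine: <label> = <section holding that engine's commands>
myengine = myengine_section

[myengine_section]
# Command names handled by the configuration module itself:
engine_id = myengine
# Placeholder path to the engine's shared library.
dynamic_path = /path/to/libmyengine.so

# Any other name is sent to the engine as a ctrl command, in file order,
# with the value as its argument.
MY_PARAMETER = value
# The literal value EMPTY sends the command with no argument.
MY_PARAMETER2 = EMPTY

# init = 1 initialises the engine at this point; it is placed last so
# the parameters above are applied first.
init = 1
```

Only subcommands that load the configuration file pick these settings up, which matches the caveat in the quoted reply.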


Using openssl with MinGw

2011-02-16 Thread Rui Fernandes
Hi,

I've downloaded the Win32 distributable package of openssl - which, it says -
is compatible with MinGW. I've extracted the contents to a folder. How do I
call the library from MinGW C scripts? Where do I put the folder?

Can someone help me out?

Kind regards,

Rui Fernandes


Re: at what time must I call SSL_free( ) / SSL_CTX_free( )

2011-02-16 Thread Aro RANAIVONDRAMBOLA
2) = OK
1) I do not understand when you say I can also call
SSL_CTX_use_certificate_file( ) to load another certificate file ...
   if it fails how can you load another certificate file ?


2011/2/15 lzyzizi lzyz...@126.com

 What time have you to call SSL_free() and SSL_CTX_free() depends what you
 want to end the SSL/SSL_CTX object's lifecycle. Calling these functions is
 just like *del* the object in C++, which means you don't want the object
 any more.
 The failure of calling functions (e.g. SSL_CTX_set_cipher_list( ),
 SSL_CTX_use_certificate_file( ), ..., SSL_CTX_set_verify( )) does not mean
 that the SSL/SSL_CTX object won't work any more. For example, if the
 SSL_CTX_use_certificate_file() fails, it just means that the certificate
 file may be not OK. You can also call it to load another certificate file.

 2) You may not call SSL_CTX_free(), when SSL objects fails. Because the
 SSL_CTX object is used to create SSL object as a factory. SSL_CTX may create
 many SSL objects. An SSL object just means that this SSL handshake (or other
 operations) has errors, which does not imply that SSL_CTX object has
 error. Especially,
 the failure of these functions (SSL_connect( ), SSL_accept( ),
 SSL_get_verify_result()) is common in SSL handshake, because your peer sent
 wrong certificate to you or something that violated the SSL protocol. It is
 not your fault, so you just need to free the SSL object or do some
 reconnection operation.


 At 2011-02-15 22:40:29,Aro RANAIVONDRAMBOLA razuk...@gmail.com wrote:

 Hello,
 I 'd like to know at what time have I to call SSL_free( ) and SSL_CTX_free(
 )
 1) For example, I call SSL_CTX_free( ) when a call to a function which fill
 in the CTX fails ( SSL_CTX_set_cipher_list( ), SSL_CTX_use_certificate_file(
 ), ..., SSL_CTX_set_verify( ) ). I am wondering if it is a good idea.
 2) I call both SSL_free( ) and SSL_CTX_free( ) when a function using SSL
 object fails. it concerns  SSL_connect( ), SSL_accept( ),
 SSL_get_verify_result(), ... is that OK ?
 thanks






Problem with multiple level CA

2011-02-16 Thread Tanya Lozovaya
Hi guys,

I have tried to configure multiple level CA structure: ROOT CA -
SIGNING CA - Users certificates
I use RootSSL.cnf file and these commands to generate root certificate:
openssl genrsa -des3 -out root-ca.key 2048
openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config RootSSL.cnf

In order to generate intermediate CA I use OpenSSL.cnf file and these commands:
openssl genrsa -des3 -out signing-ca.key 2048
openssl req -new -days 1095 -key signing-ca.key -out signing-ca.csr -config openssl.cnf
openssl ca -config openssl.cnf -name CA_root -extensions v3_ca -out signing-ca.crt -infiles signing-ca.csr

As the result I have OK root certificate, but I see error message for
signing certificate: This certificate has an nonvalid digital
signature.

Can somebody advise me what I do wrong?

Thanks,
-- 
Tanya Lozovaya.
attachment: SigningCA_Error.png

RootSSL.cnf
Description: Binary data


OpenSSL.cnf
Description: Binary data


Re:Re: at what time must I call SSL_free( ) / SSL_CTX_free( )

2011-02-16 Thread lzyzizi
Sorry, I made you confused.
1) I just want to say that it depends on your needs to call SSL_CTX_free(). For 
example, you develop an application that needs the user to import the certificate. 
If the user imports the wrong certificate, you may not call SSL_CTX_free to 
free the SSL_CTX object. You may tell the user that your certificate is wrong, 
and let him import again.
Sometimes, you develop a server. Every time the server starts, it will load 
the certificate. The failure of calling SSL_CTX_use_certificate_file means that 
it loads the wrong certificate. If it is a fatal error for you, you should call 
SSL_CTX_free to free the SSL_CTX object and end your server.

I think usage of SSL_CTX/SSL function is not about the SSL usage, but the 
common sense of object-oriented programming. When to kill the object depends on 
what your program needs.


At 2011-02-16 19:40:50,Aro RANAIVONDRAMBOLA razuk...@gmail.com wrote:
2) = OK
1) I do not understand when you say I can also call 
SSL_CTX_use_certificate_file( ) to load another certificate file ...
   if it fails how can you load another certificate file ?



2011/2/15 lzyzizi lzyz...@126.com
What time have you to call SSL_free() and SSL_CTX_free() depends what you want 
to end the SSL/SSL_CTX object's lifecycle. Calling these functions is just 
like del the object in C++, which means you don't want the object any more.
The failure of calling functions (e.g. SSL_CTX_set_cipher_list( ), 
SSL_CTX_use_certificate_file( ), ..., SSL_CTX_set_verify( )) does not mean that 
the SSL/SSL_CTX object won't work any more. For example, if the 
SSL_CTX_use_certificate_file() fails, it just means that the certificate file 
may be not OK. You can also call it to load another certificate file.

2) You may not call SSL_CTX_free(), when SSL objects fails. Because the SSL_CTX 
object is used to create SSL object as a factory. SSL_CTX may create many SSL 
objects. An SSL object just means that this SSL handshake (or other operations) 
has errors, which does not imply that SSL_CTX object has error. Especially,

the failure of these functions (SSL_connect( ), SSL_accept( ), 
SSL_get_verify_result()) is common in SSL handshake, because your peer sent 
wrong certificate to you or something that violated the SSL protocol. It is not 
your fault, so you just need to free the SSL object or do some reconnection 
operation.


At 2011-02-15 22:40:29,Aro RANAIVONDRAMBOLA razuk...@gmail.com wrote:
Hello,
I 'd like to know at what time have I to call SSL_free( ) and SSL_CTX_free( )
1) For example, I call SSL_CTX_free( ) when a call to a function which fill in 
the CTX fails ( SSL_CTX_set_cipher_list( ), SSL_CTX_use_certificate_file( ), 
..., SSL_CTX_set_verify( ) ). I am wondering if it is a good idea.
2) I call both SSL_free( ) and SSL_CTX_free( ) when a function using SSL object 
fails. it concerns  SSL_connect( ), SSL_accept( ), SSL_get_verify_result(), ... 
is that OK ?
thanks







OpenSSL and MinGW

2011-02-16 Thread Rui Fernandes
Hi again,

I've downloaded the package OpenSSL for Windows32 - I've intended to use it
with MinGW. The application created a folder, C:\OpenSSL-Win32.
My questions - since I'm a newbie - are (if someone can help me):

1) What do I place and where inside MinGW? I've tried putting the entire
folder inside the include dir of MinGW.
2) How do I call the header files - like bn.h - from the C scripts?

Kind regards,

Rui Fernandes
Porto, Portugal


Error OPENSSL_Uplink(006E9000,08): from Windows Service

2011-02-16 Thread Harshvir Sidhu
Hi,
I am trying to use OpenSSL in a Windows Service using CAPI to read
Certificates and Pvt Key from Windows Certificate Store. But it's giving me
the following error.
   OPENSSL_Uplink(006E9000,08): no OPENSSL_Applink
The same code runs as Desktop Application, but when I put it in a Service, I
start getting the same error.

Any suggestions. Thanks.

// Harshvir


OpenSSL and MinGW - Error report

2011-02-16 Thread Rui Fernandes
I've followed these instructions:

Assuming a default installation (C:\OpenSSL), go to 'C:\OpenSSL\lib\MinGW'
and copy all of the files to your MinGW 'lib' directory.

Next, copy everything in the 'C:\OpenSSL\include' directory to your MinGW
'include' directory.

I've called the bn.h, with:

#include <openssl/bn.h>

and I've got the following errors:

C:\MinGW\bin>gcc fatorialBIG.c -o fatorialBIG.exe
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0xf): undefined reference to `BN_new'
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x4c): undefined reference to `BN_dec2bn'
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x6a): undefined reference to `BN_mul_word'
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x84): undefined reference to `BN_bn2dec'
collect2: ld returned 1 exit status

Any ideas?

Regards,

Rui Fernandes


Re: Error OPENSSL_Uplink(006E9000,08): from Windows Service

2011-02-16 Thread Harshvir Sidhu
I think this solved my problem.
http://www.openssl.org/support/faq.html#PROG2

On Wed, Feb 16, 2011 at 12:43 PM, Harshvir Sidhu hvssi...@gmail.com wrote:

 Hi,
 I am trying to use OpenSSL in a Windows Service using CAPI to read
 Certificates and Pvt Key from Windows Certificate Store. But it's giving me
 the following error.
    OPENSSL_Uplink(006E9000,08): no OPENSSL_Applink
 The same code runs as Desktop Application, but when I put it in a Service, I
 start getting the same error.

 Any suggestions. Thanks.

 // Harshvir





mod_tsa:could not load X.509 certificate

2011-02-16 Thread Yessica De Ascencao
hello!
I'm installing mod_tsa over apache2. I follow the configuration but it shows me
the error:

[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:database driver is set to: None
[Wed Feb 16 19:51:54 2011] [warn] module tsa_module is already loaded, skipping
[Wed Feb 16 19:51:54 2011] [warn] module tsa_module is already loaded, skipping
[Wed Feb 16 19:51:54 2011] [warn] module tsa_module is already loaded, skipping
[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:re-initialization started
[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:serial file is re-used: /etc/apache2/conf/tsaserial
[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:crypto device is set to: builtin
[Wed Feb 16 19:51:54 2011] [error] mod_tsa:could not load X.509 certificate: /usr/local/ssl/misc/demoCA/tsscert.pem
[Wed Feb 16 19:51:54 2011] [error] mod_tsa:1590:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
[Wed Feb 16 19:51:54 2011] [emerg] exiting, fatal error during mod_tsa initialisation.


I appreciate your help.
Thanks!
Greetings!


Re: OpenSSL and MinGW - Error report

2011-02-16 Thread Mounir IDRASSI

Hi,

Add -leay32 to the end of the gcc command line in order to suppress the 
link errors you are seeing. This will help the gcc linker find the 
missing symbols exported by libeay32.a.


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/16/2011 8:07 PM, Rui Fernandes wrote:

I've followed these instructions:
Assuming a default installation (C:\OpenSSL), go to 
'C:\OpenSSL\lib\MinGW' and copy all of the files to your MinGW 'lib' 
directory.


Next, copy everything in the 'C:\OpenSSL\include' directory to your 
MinGW 'include' directory.

I've called the bn.h, with:
#include <openssl/bn.h>
and I've got the following errors:
C:\MinGW\bin>gcc fatorialBIG.c -o fatorialBIG.exe
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0xf): undefined reference to `BN_new'
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x4c): undefined reference to `BN_dec2bn'
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x6a): undefined reference to `BN_mul_word'
C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x84): undefined reference to `BN_bn2dec'
collect2: ld returned 1 exit status
Any ideas?
Regards,
Rui Fernandes




Re: OpenSSL and MinGW - Error report

2011-02-16 Thread Rui Fernandes
Thank you very much Mounir. It works now.

Kind regards,

Rui Fernandes

On Wed, Feb 16, 2011 at 11:57 PM, Mounir IDRASSI
mounir.idra...@idrix.net wrote:

 Hi,

 Add -leay32 to the end of the gcc command line in order to suppress the
 link errors you are seeing. This will help the gcc linker find the missing
 symbols exported by libeay32.a.

 Cheers,
 --
 Mounir IDRASSI
 IDRIX
 http://www.idrix.fr


 On 2/16/2011 8:07 PM, Rui Fernandes wrote:

 I've followed these instructions:
 Assuming a default installation (C:\OpenSSL), go to
 'C:\OpenSSL\lib\MinGW' and copy all of the files to your MinGW 'lib'
 directory.

 Next, copy everything in the 'C:\OpenSSL\include' directory to your MinGW
 'include' directory.
 I've called the bn.h, with:
 #include <openssl/bn.h>
 and I've got the following errors:
 C:\MinGW\bin>gcc fatorialBIG.c -o fatorialBIG.exe
 C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0xf): undefined reference to `BN_new'
 C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x4c): undefined reference to `BN_dec2bn'
 C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x6a): undefined reference to `BN_mul_word'
 C:\DOCUME~1\RUIMIG~1\DEFINI~1\Temp\cc7A3ZJd.o:fatorialBIG.c:(.text+0x84): undefined reference to `BN_bn2dec'
 collect2: ld returned 1 exit status
 Any ideas?
 Regards,
 Rui Fernandes

