Replace renewed intermediate certificate in the keystore chain
Hi, I have checked my keystore and truststore and the intermediate certificate alone is going to expire. I have received a renewed intermediate pem. I believe it is common practice to just replace an expiring intermediate certificate instead of the root. The root will expire in2025. I have replaceed only the intermediate certificate in the trust store using this command. keytool -import -trustcacerts -alias root -file certificate -keystore keystore.jks Now I have a question. The trust store contains the intermediate certificate with a clear alias and I could access it. The key store seems to have the entire chain. Not sure if it is possible to update only the intermediate certificate here. How do I update the intermediate certificate and still maintain the chain in the keystore using Openssl or the Java keystore commands ? Thanks, Mohan
How to get intermediate CA certificate?
Hi, I want to validate a CA signed certificate against its CRL. I have root certificate from CA. I have downloaded CRL for entity certificate (using URI in CRL Distribution Points field). Intermediate CA certificate is also required to verify entity certificate against CRL. Is there any way I can get the intermidiate CA certificate during SSL handshake. Or what should be the way to get the intermidiate CA certificate? Thanks Regards, Akash
Openssl signature verification of CKM_ECDSA_SHA1 from Safenet HSM fails.
Hi, I am trying to use OpenSSL to independently verify a CKM_ECDSA_SHA1 signature produced by a Safenet protect gold HSM. The signature verification with the error below, however using the HSM ctbrowse tool I can verify the signature being produced. Can anybody out there help me interpret what I'm getting back from the SafeNet device? Or any suggestions how I can validate it using OpenSSL without having a dependency on the HSM / libcryptoki etc? This is the error I am getting: gm@dev:~/hsm/help$ ./a.out Signature verification: ERROR - error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long dumpasn1 doesn't seem to recognize the structure either: gm@dev:~/hsm/help$ dumpasn1 sig.dat Error: Invalid data encountered at position 2: E4 99. Hexdump of data: 0d0e0a0d0b0e0e0f Hexdump of signature (tool was run against raw format): e49938467bef558e63b25d8460ef753c51dfa3d277beecaeffb23f6c23deb6913de34391990c6150dea05472c91156026898477118b872ec2b26aa326799049c Demo verification source code: http://pastebin.com/PybRp0jq Certificate: -BEGIN CERTIFICATE- MIIBxTCCAXECAQEwCwYHKoZIzj0EAQUAMHExEjAQBgNVBAMTCWVjZHNhZGVtbzEQ MA4GA1UEChMHdGVzdG9yZzEUMBIGA1UECxMLdGVzdG9yZ3VuaXQxETAPBgNVBAcT CEJyaXNiYW5lMQwwCgYDVQQIEwNRbGQxEjAQBgNVBAYTCUF1c3RyYWxpYTAeFw0x MTA1MTEwNDIyNDVaFw0xMjA1MTAyMjIyNDVaMHExEjAQBgNVBAMTCWVjZHNhZGVt bzEQMA4GA1UEChMHdGVzdG9yZzEUMBIGA1UECxMLdGVzdG9yZ3VuaXQxETAPBgNV BAcTCEJyaXNiYW5lMQwwCgYDVQQIEwNRbGQxEjAQBgNVBAYTCUF1c3RyYWxpYTBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABDHDFQ1VOjE4hgdBsE3Qb/BurxJdUMOi Cbzw6Hn5I916NDppDpkEbYy3NXD15KifAF0JIpNalK8Uc3//o8lrIzIwCwYHKoZI zj0EAQUAA0EAGajEF/eDt3qlwdG8Zv1+yhwkrgL44UHsY0JGLog8TWBrNFqg6Qu/ SD3lJJv9g88rKtQs7DNbj5amNI4/kWaMcQ== -END CERTIFICATE- OpenSSL versions I've tried: OpenSSL 0.9.8g 19 Oct 2007, OpenSSL 0.9.8o 01 Jun 2010 Platfroms tested: Debian, Ubuntu, Windows. Many thanks, Grant.
RE: [FWD] [Bug Reports] Encrypt a file text on unix (Aix 5.3,Aix6.0,SUN5.8,....) to decrypt on Windows Error
Thanks for your feedback. I found the issue, we have had the -K option (-K 3D1) and we can decrypt it on windows after encrypt it on unix. If we can help someone. Best regards. Franck DUBUC RESG/GTS/RET/API Tel : +33 (0)1 64 85 70 31 e-mail : franck.b.du...@socgen.com www.socgen.com -Message d'origine- De : Lutz Jaenicke [mailto:jaeni...@openssl.org] Envoyé : mardi 10 mai 2011 19:47 À : openssl-users@openssl.org Cc : DUBUC Franck ResgGtsRetApiLor Objet : [FWD] [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix6.0,SUN5.8,) to decrypt on Windows Error Forwarded to openssl users for discussion. Best regards, Lutz - Forwarded message from DUBUC Franck franck.b.du...@socgen.com - From: DUBUC Franck franck.b.du...@socgen.com To: r...@openssl.org r...@openssl.org Date: Mon, 9 May 2011 17:12:45 +0200 Subject: [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix 6.0,SUN5.8,) to decrypt on Windows Error Thread-Topic: [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix 6.0,SUN 5.8,) to decrypt on Windows Error Thread-Index: AcwOW4x3R9oL/wkLQ/+aFh+02Bwp4w== Accept-Language: fr-FR acceptlanguage: fr-FR Hie, I create a encrypted file, with openssl, on unix server to encrypted it on windows Version Windows : OpenSSL 0.9.8h 28 May 2008 UNIX : OpenSSL 0.9.8i 15 Sep 2008 Command to encrypt the file on unix /usr/linux/bin/openssl enc -e -aes-256-cbc -salt -in encrypted file -pass pass:PassPhrase Command to uncrypt the file on windows c:\openssl\openssl.exe enc -d -a -aes-256-cbc -salt -in encrypted file -pass pass:PassPhrase Error to uncrypt it unix to windows error reading input file window sto unix bad magic number Is it a bug or is not possible to uncrypt a file crypted on unix ? Best regards [http://www.socgen.com/sites/default/files/socgen_logo.gif] Franck DUBUC RESG/GTS/RET/API Tel : +33 (0)1 64 85 70 31 e-mail : franck.b.du...@socgen.commailto:franck.b.du...@socgen.com www.socgen.comhttp://www.socgen.com/ = Ce message et toutes les pieces jointes (ci-apres le message) sont confidentiels et susceptibles de contenir des informations couvertes par le secret professionnel. Ce message est etabli a l'intention exclusive de ses destinataires. Toute utilisation ou diffusion non autorisee interdite. Tout message electronique est susceptible d'alteration. La SOCIETE GENERALE et ses filiales declinent toute responsabilite au titre de ce message s'il a ete altere, deforme falsifie. = This message and any attachments (the message) are confidential, intended solely for the addressees, and may contain legally privileged information. Any unauthorised use or dissemination is prohibited. E-mails are susceptible to alteration. Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates shall be liable for the message if altered, changed or falsified. = - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Can openssl support EAP-TLS?
OpensSSL supports TLS; you need to parse the EAP packets in your own application and feed the TLS bits into OpenSSL. Erik Tkal Juniper OAC/UAC/Pulse Development From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Neo Liu Sent: Wednesday, May 11, 2011 12:59 AM To: openssl-users@openssl.org Subject: Can openssl support EAP-TLS? Hi, everyone: I wanna know that if openssl support EAP-TLS protocol?
Re: minor version compatibility
owner-openssl-us...@openssl.org wrote on 05/10/2011 06:52:26 PM: From: Dr. Stephen Henson st...@openssl.org To: openssl-users@openssl.org Date: 05/10/2011 06:57 PM The answer is probably yes but with some caveats. If the application is well behaved and doesn't rely on undocumented features or access structure internals it should be fine. The catch is that it's hard to determine what an 'undocumented feature' is. E.g., the AES_Encrypt function is not in the man page. Nor is MGF1. AES_Encrypt persisted from 0.9.8 to 1.0.0. MGF1 was dropped.
Re: Clients glomming onto a listener
I have found that fork() on modern machines as a negligible affect on performance and in fact I almost always use inetd instead of writing my own servers, mainly because it is dead reliable, easier to code, and again seems to have negligible affect on performance. One would have to do millions upon millions of connects to notice or care. Having said that, I use AIX mostly, and that performs better under load than Linux on Intel, and even Linux on the IBM p series platform. I would do it cheap and easy and worry about performance after-the-fact. Eric At 04:46 PM 5/10/2011, you wrote: On 10 May 2011, at 4:13 PM, David Schwartz wrote: On 5/10/2011 2:10 AM, John Hollingum wrote: Pretty much immediately after the accept the program forks a handler, but the rogue clients must be glomming onto the main process before the SSL negotiation is complete. Calling 'fork' with an accepted SSL connection has all kinds of known issues. The fundamental problem is that there are many operations that must occur both before and after the 'fork', for different reasons, and obviously can't do both. You could accept just the TCP connection in the main process and do all of the SSL handshake in the forked process (I think IO::Socket::SSL-start_SSL() is what you want for that) --- this would not be a high-performance approach (no SSL session cache, fork overhead) but if it's fast enough it's fast enough. It's possible to use openssl in a non-blocking, event-driven manner but I don't think Perl's SSL modules expose enough of the openssl API to do that. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com Pictures of Snake in Spring http://www.facebook.com/album.php?aid=115547id=1409661701l=1c375e1f49 Pictures of Camp Verde http://www.facebook.com/album.php?aid=12771id=1409661701l=fc0e0a2bcf Pictures of Land Cruiser in Sedona http://www.facebook.com/album.php?aid=50953id=1409661701 Pictures of Flagstaff area near our cabin http://www.facebook.com/album.php?aid=12750id=1409661701 Pictures of Cheryl in a Horse Show http://www.facebook.com/album.php?aid=32484id=1409661701 Pictures of the AZ Desert http://www.facebook.com/album.php?aid=58827id=1409661701 (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Clients glomming onto a listener
On Wed, May 11, 2011 at 08:39:49AM -0700, Eric S. Eberhard wrote: I have found that fork() on modern machines as a negligible affect on performance and in fact I almost always use inetd instead of writing my own servers, mainly because it is dead reliable, easier to code, and again seems to have negligible affect on performance. One would have to do millions upon millions of connects to notice or care. Having said that, I use AIX mostly, and that performs better under load than Linux on Intel, and even Linux on the IBM p series platform. I would do it cheap and easy and worry about performance after-the-fact. Eric Let's not start an OS A is better than OS B discussion here. You can safely fork single-threaded OpenSSL servers right after accept(3), and handle the SSL connection in a child. This makes the memory-resident session cache ineffective, but you can use callbacks to implement an external (Berkeley DB similar or shared memory, ...) session cache. Forking after SSL_accept() is tricky, since your parent process will have partial SSL connections in progress for other clients when a given handshake completes (event-based connection management) or will serialize all handshakes, but as you've observed that's not a good option. So, my suggestion is that a forking server is fine, just use an external session cache. The Postfix SMTP server is an example of this model. There before the TLS handshake, we also have an SMTP STARTTLS handshake, but that does not alter the analysis in any substantive way, just a few more packets to exchange before the TLS connection is ready. Note, Postfix is pre-forking, rather than forking, so there is a pool of processes, that serially accept connections, but this too does not impact the design analysis. - You can use a single process with event-based I/O. - You can use multiple threads in a single process. - You can fork after accept(2) and use an external session cache - You can pre-fork and handle clients serially one per process, with re-use of processes for another client after a client hangs-up. This too requires an external session cache. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Clients glomming onto a listener
I was not trying to compare O/S, only point out that my experience is more out of the AIX world than Linux world. I also want to point out again what I was saying ... you don't need to make a server and you don't need to fork() and all kinds of complicated stuff if you write it for inetd. You don't even need to write socket code (stdin/stdout read/write is all you need). The O/S will create the processes and clean them up on disconnects and so forth. Unless you are super performance limited, this is the best way to go because it always works and is always reliable (if inetd fails to function on a Unix O/S then the machine is essentially toast anyway). In addition it is more easily portable if you care about porting to more than one Unix. Using select is not always supported, socket flags not always the same, etc. All a non-issue under inetd. Eric At 08:57 AM 5/11/2011, you wrote: On Wed, May 11, 2011 at 08:39:49AM -0700, Eric S. Eberhard wrote: I have found that fork() on modern machines as a negligible affect on performance and in fact I almost always use inetd instead of writing my own servers, mainly because it is dead reliable, easier to code, and again seems to have negligible affect on performance. One would have to do millions upon millions of connects to notice or care. Having said that, I use AIX mostly, and that performs better under load than Linux on Intel, and even Linux on the IBM p series platform. I would do it cheap and easy and worry about performance after-the-fact. Eric Let's not start an OS A is better than OS B discussion here. You can safely fork single-threaded OpenSSL servers right after accept(3), and handle the SSL connection in a child. This makes the memory-resident session cache ineffective, but you can use callbacks to implement an external (Berkeley DB similar or shared memory, ...) session cache. Forking after SSL_accept() is tricky, since your parent process will have partial SSL connections in progress for other clients when a given handshake completes (event-based connection management) or will serialize all handshakes, but as you've observed that's not a good option. So, my suggestion is that a forking server is fine, just use an external session cache. The Postfix SMTP server is an example of this model. There before the TLS handshake, we also have an SMTP STARTTLS handshake, but that does not alter the analysis in any substantive way, just a few more packets to exchange before the TLS connection is ready. Note, Postfix is pre-forking, rather than forking, so there is a pool of processes, that serially accept connections, but this too does not impact the design analysis. - You can use a single process with event-based I/O. - You can use multiple threads in a single process. - You can fork after accept(2) and use an external session cache - You can pre-fork and handle clients serially one per process, with re-use of processes for another client after a client hangs-up. This too requires an external session cache. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com Pictures of Snake in Spring http://www.facebook.com/album.php?aid=115547id=1409661701l=1c375e1f49 Pictures of Camp Verde http://www.facebook.com/album.php?aid=12771id=1409661701l=fc0e0a2bcf Pictures of Land Cruiser in Sedona http://www.facebook.com/album.php?aid=50953id=1409661701 Pictures of Flagstaff area near our cabin http://www.facebook.com/album.php?aid=12750id=1409661701 Pictures of Cheryl in a Horse Show http://www.facebook.com/album.php?aid=32484id=1409661701 Pictures of the AZ Desert http://www.facebook.com/album.php?aid=58827id=1409661701 (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Replace renewed intermediate certificate in the keystore chain
On 05/10/11 11:03 PM, Mohan Radhakrishnan wrote: Hi, I have checked my keystore and truststore and the intermediate certificate alone is going to expire. as I understand it (vaguely at best), if the intermediate certfiicate expires, that invalidates any certificates it generated, so you will need to regenerate and replace all child certificates too. ... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Replace renewed intermediate certificate in the keystore chain
No, that should not be true - as long as the subject name of the issuer does not change and the key pair is reused, then any previously issued certificates should still verify against the issuer. Note that the thumbprint will be different, in case that is used anywhere to track the cert. Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John R Pierce Sent: Wednesday, May 11, 2011 12:47 PM To: openssl-users@openssl.org Subject: Re: Replace renewed intermediate certificate in the keystore chain On 05/10/11 11:03 PM, Mohan Radhakrishnan wrote: Hi, I have checked my keystore and truststore and the intermediate certificate alone is going to expire. as I understand it (vaguely at best), if the intermediate certfiicate expires, that invalidates any certificates it generated, so you will need to regenerate and replace all child certificates too. ... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Clients glomming onto a listener
Eric, you must be really kidding this time :), servers with this architecture are susceptible to dos and what not..am sure for embedded systems where memory is a big limiting factor the best would be async design, also code becomes easily portable in future. On Wed, May 11, 2011 at 10:39 AM, Eric S. Eberhard fl...@vicsmba.comwrote: I have found that fork() on modern machines as a negligible affect on performance and in fact I almost always use inetd instead of writing my own servers, mainly because it is dead reliable, easier to code, and again seems to have negligible affect on performance. One would have to do millions upon millions of connects to notice or care. Having said that, I use AIX mostly, and that performs better under load than Linux on Intel, and even Linux on the IBM p series platform. I would do it cheap and easy and worry about performance after-the-fact. Eric At 04:46 PM 5/10/2011, you wrote: On 10 May 2011, at 4:13 PM, David Schwartz wrote: On 5/10/2011 2:10 AM, John Hollingum wrote: Pretty much immediately after the accept the program forks a handler, but the rogue clients must be glomming onto the main process before the SSL negotiation is complete. Calling 'fork' with an accepted SSL connection has all kinds of known issues. The fundamental problem is that there are many operations that must occur both before and after the 'fork', for different reasons, and obviously can't do both. You could accept just the TCP connection in the main process and do all of the SSL handshake in the forked process (I think IO::Socket::SSL-start_SSL() is what you want for that) --- this would not be a high-performance approach (no SSL session cache, fork overhead) but if it's fast enough it's fast enough. It's possible to use openssl in a non-blocking, event-driven manner but I don't think Perl's SSL modules expose enough of the openssl API to do that. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com Pictures of Snake in Spring http://www.facebook.com/album.php?aid=115547id=1409661701l=1c375e1f49 Pictures of Camp Verde http://www.facebook.com/album.php?aid=12771id=1409661701l=fc0e0a2bcf Pictures of Land Cruiser in Sedona http://www.facebook.com/album.php?aid=50953id=1409661701 Pictures of Flagstaff area near our cabin http://www.facebook.com/album.php?aid=12750id=1409661701 Pictures of Cheryl in a Horse Show http://www.facebook.com/album.php?aid=32484id=1409661701 Pictures of the AZ Desert http://www.facebook.com/album.php?aid=58827id=1409661701 (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Clients glomming onto a listener
Performance is related to the application. For example, a system that accepts 10 SSL connects per year has different requirements than one that accepts 1000 per second. Obviously there is a middle ground. My point is that theoretical performance differences are very real in the later case, and of no consequence in the first case. Cost of software development and upkeep and system management is much lower using say inetd and not bothering to make a server. I have systems with thousands of SSL connections per minute, holding 500-1000 at a time, going through inetd on a modest AIX box and have zero performance issue. Don't even notice they are there and they take low single digits of CPU usage combined. Depending on the application, usage, hardware, cost of software development, cost of software upkeep, simplicity in system management -- the answer to what is the best way is different. I often find people ignoring that simple concept and developing very complex software to be theoretically faster ... only to end up with complex and buggy code that is hard to manage in an environment where the extra performance was not needed. One has to also consider the cost to develop and manage. So there is no right or wrong answer, I am trying to get the programmer to think ... does he really need, in his case, blistering performance? Can he do it with a simple inetd module (which later could be the core for his own server)? Does he want it up quick and easy with no real management issues? I am only spurring thought, not telling anyone what is right or wrong in their case :-) E At 10:10 AM 5/11/2011, you wrote: Eric, you must be really kidding this time :), servers with this architecture are susceptible to dos and what not..am sure for embedded systems where memory is a big limiting factor the best would be async design, also code becomes easily portable in future. On Wed, May 11, 2011 at 10:39 AM, Eric S. Eberhard mailto:fl...@vicsmba.comfl...@vicsmba.com wrote: I have found that fork() on modern machines as a negligible affect on performance and in fact I almost always use inetd instead of writing my own servers, mainly because it is dead reliable, easier to code, and again seems to have negligible affect on performance. One would have to do millions upon millions of connects to notice or care. Having said that, I use AIX mostly, and that performs better under load than Linux on Intel, and even Linux on the IBM p series platform. I would do it cheap and easy and worry about performance after-the-fact. Eric At 04:46 PM 5/10/2011, you wrote: On 10 May 2011, at 4:13 PM, David Schwartz wrote: On 5/10/2011 2:10 AM, John Hollingum wrote: Pretty much immediately after the accept the program forks a handler, but the rogue clients must be glomming onto the main process before the SSL negotiation is complete. Calling 'fork' with an accepted SSL connection has all kinds of known issues. The fundamental problem is that there are many operations that must occur both before and after the 'fork', for different reasons, and obviously can't do both. You could accept just the TCP connection in the main process and do all of the SSL handshake in the forked process (I think IO::Socket::SSL-start_SSL() is what you want for that) --- this would not be a high-performance approach (no SSL session cache, fork overhead) but if it's fast enough it's fast enough. It's possible to use openssl in a non-blocking, event-driven manner but I don't think Perl's SSL modules expose enough of the openssl API to do that. __ OpenSSL Project http://www.openssl.orghttp://www.openssl.org User Support Mailing List mailto:openssl-users@openssl.orgopenssl-users@openssl.org Automated List Manager mailto:majord...@openssl.orgmajord...@openssl.org Eric S. Eberhard tel:%28928%29%20567-3727(928) 567-3727 Voice tel:%28928%29%20567-6122(928) 567-6122 Fax tel:%28928%29%20301-7537(928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.comhttp://www.vicsmba.com Pictures of Snake in Spring http://www.facebook.com/album.php?aid=115547id=1409661701l=1c375e1f49http://www.facebook.com/album.php?aid=115547id=1409661701l=1c375e1f49 Pictures of Camp Verde http://www.facebook.com/album.php?aid=12771id=1409661701l=fc0e0a2bcfhttp://www.facebook.com/album.php?aid=12771id=1409661701l=fc0e0a2bcf Pictures of Land Cruiser in Sedona http://www.facebook.com/album.php?aid=50953id=1409661701http://www.facebook.com/album.php?aid=50953id=1409661701 Pictures of Flagstaff area near our cabin http://www.facebook.com/album.php?aid=12750id=1409661701http://www.facebook.com/album.php?aid=12750id=1409661701 Pictures of Cheryl in a Horse Show
Core occurred while executing SSL_library_init() and call back method locking_function()
While executing the below code its coring randomly in two cases, 1) While executing the method SSL_library_init() in the constructor. 2) Coring while executing the call back method locking_function(). We are not sure, now the call back method is calling after it is set to NULL Ex : CRYPTO_set_locking_callback(NULL) Here, after we set to NULL its calling the call back method. We want to make sure it should not be called after setting to NULL. It will be great if someone explain me in detail, how the call back mechanism works internally. Code: - pthread_mutex_t *SslBIO::_lnSslBioMutex=NULL; void SslBIO::locking_function(int mode, int type, const char * file, int line) { int rstat; if (mode CRYPTO_LOCK) { fprintf(stderr, \nDEBUG: Locking the Mutex _lnSslBioMutex[%d] Mode = %d File :%s Line No : %d\n,type,mode,file,line); rstat = pthread_mutex_lock((SslBIO::_lnSslBioMutex[type])); lnChkMutex(rstat, FL); } else { fprintf(stderr, \nDEBUG: UnLocking the Mutex _lnSslBioMutex[%d] Mode = %d File :%s Line No : %d\n,type,mode,file,line); rstat = pthread_mutex_unlock((SslBIO::_lnSslBioMutex[type])); lnChkMutex(rstat, FL); } } unsigned long SslBIO::id_function() { unsigned long ulThreadId = (unsigned long)pthread_self(); fprintf(stderr, \nDEBUG: Thread ID = %d\n,ulThreadId); return (ulThreadId); } int SslBIO::init(const char * initarg) { int i; _lnSslBioMutex = (pthread_mutex_t *) OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); if (!_lnSslBioMutex) return 0; fprintf(stderr, \nDEBUG: Number of Locks(CRYPTO_NUM_LOCKS) = %d \n,CRYPTO_num_locks()); for(i=0;iCRYPTO_num_locks();i++) { fprintf(stderr, \nDEBUG: Initialize the Mutex _lnSslBioMutex[%d]\n,i); int rstat = pthread_mutex_init((_lnSslBioMutex[i]), pthread_mutexattr_default); lnChkMutex(rstat, FL); } CRYPTO_set_id_callback(SslBIO::id_function); CRYPTO_set_locking_callback(SslBIO::locking_function); return 0; } int SslBIO::terminate() { int i = 0; int rstat; if (!_lnSslBioMutex) { return 0; } CRYPTO_set_id_callback(NULL); CRYPTO_set_locking_callback(NULL); for(i=0;iCRYPTO_num_locks();i++) { fprintf(stderr, \nDEBUG: Cleanup the Mutex _lnSslBioMutex[%d]\n,i); rstat = pthread_mutex_destroy((_lnSslBioMutex[i])); lnChkMutex(rstat, FL); } OPENSSL_free(_lnSslBioMutex); _lnSslBioMutex = NULL; } SslBIO::SslBIO(const char *host, const int port, const int timeout, int retCode, int blockingConnect) { _debug = 0; _lnreqctx = 0; _type = SslBIO::CALLER; _totSent = 0; _totReceived = 0; _errBuf[0] = '\0'; if(host!=NULL) strcpy(_hostName,(char *)host); _portNum = port; retCode = FAIL; /* Set up the library */ SSL_library_init(); ERR_load_BIO_strings(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); _sslctx = SSL_CTX_new(SSLv23_client_method()); if(_sslctx == 0) { fprintf(stderr, failed SslBIO::SslBIO. SslBIO not initialized. _sslctx=0\n); return; } _bio = BIO_new_ssl_connect(_sslctx); BIO_get_ssl(_bio, _ssl); SSL_set_mode(_ssl, SSL_MODE_AUTO_RETRY); /* Create and setup the connection */ BIO_set_conn_hostname(_bio, _hostName); // cdc13-www.lexisnexis.com:https); BIO_set_conn_int_port(_bio, _portNum); // 443); if(BIO_do_connect(_bio) = 0) { fprintf(stderr, Error attempting to connect [%s[%d]]\n,_hostName,_portNum); ERR_print_errors_fp(stderr); BIO_free_all(_bio); _bio = NULL; //Nullify the _bio member object after deallocating return; } else { fprintf(stderr, SslBIO: connected[%s[%d]]\n,_hostName,_portNum); } /* Check the certificate */ if(SSL_get_verify_result(_ssl) != X509_V_OK) { fprintf(stderr, Certificate verification error: %i\n, SSL_get_verify_result(_ssl)); } _timeout = timeout; retCode = OK; } SslBIO::~SslBIO() { /* Close the connection and free the context */ if (_bio != 0) { BIO_free_all(_bio); _bio=NULL; // bulletproof for webstar 3019980 } if (_sslctx != 0) { fprintf(stderr, Freeing SslBIO::_sslctx\n); SSL_CTX_free(_sslctx); _sslctx=NULL; // bulletproof for webstar 3019980 } } int SslBIO::read(char *buf, int len, int currRead) { int retCode; if (buf == LN_NULL) { return(FAIL); } printf(DEBUG: Before Read \n); currRead = BIO_read(_bio, buf, len); printf(DEBUG: After Read currRead = %d Buf = %s Length = %d\n,currRead,buf,len); if (currRead = 0) { buf[currRead] = 0; if (_debug) { ostrstream strm; strm Out of SslBIO::read currRead =currRead endl; strm ends; delete strm.str(); } } else buf[0] = 0; return(OK); } int SslBIO::write(const char *buf, const int len) { int written; int totLen; if (len 0) { return(FAIL); }
Core occurred while executing SSL_library_init() and call back method locking_function()
While executing the below code its coring randomly in two cases, 1) While executing the method SSL_library_init() in the constructor. 2) Coring while executing the call back method locking_function(). We are not sure, now the call back method is calling after it is set to NULL Ex : CRYPTO_set_locking_callback(NULL) Here, after we set to NULL its calling the call back method. We want to make sure it should not be called after setting to NULL. It will be great if someone explain me in detail, how the call back mechanism works internally. Code: - pthread_mutex_t *SslBIO::_lnSslBioMutex=NULL; void SslBIO::locking_function(int mode, int type, const char * file, int line) { int rstat; if (mode CRYPTO_LOCK) { fprintf(stderr, \nDEBUG: Locking the Mutex _lnSslBioMutex[%d] Mode = %d File :%s Line No : %d\n,type,mode,file,line); rstat = pthread_mutex_lock((SslBIO::_lnSslBioMutex[type])); lnChkMutex(rstat, FL); } else { fprintf(stderr, \nDEBUG: UnLocking the Mutex _lnSslBioMutex[%d] Mode = %d File :%s Line No : %d\n,type,mode,file,line); rstat = pthread_mutex_unlock((SslBIO::_lnSslBioMutex[type])); lnChkMutex(rstat, FL); } } unsigned long SslBIO::id_function() { unsigned long ulThreadId = (unsigned long)pthread_self(); fprintf(stderr, \nDEBUG: Thread ID = %d\n,ulThreadId); return (ulThreadId); } int SslBIO::init(const char * initarg) { int i; _lnSslBioMutex = (pthread_mutex_t *) OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); if (!_lnSslBioMutex) return 0; fprintf(stderr, \nDEBUG: Number of Locks(CRYPTO_NUM_LOCKS) = %d \n,CRYPTO_num_locks()); for(i=0;i= 0) { buf[currRead] = 0; if (_debug) { ostrstream strm; strm Out of SslBIO::read currRead =currRead endl; strm ends; delete strm.str(); } } else buf[0] = 0; return(OK); } int SslBIO::write(const char *buf, const int len) { int written; int totLen; if (len 0) { return(FAIL); } totLen = len; printf(DEBUG: Before Write\n); if ((written = BIO_write(_bio, buf, len)) != totLen) { return(FAIL); } printf(DEBUG: After Write written = %d Buf = %s Length = %d\n,written,buf,len); _totSent += totLen; return(OK); } -- View this message in context: http://old.nabble.com/Core-occurred-while-executing-SSL_library_init%28%29-and-call-back-method-locking_function%28%29-tp31596258p31596258.html Sent from the OpenSSL - User mailing list archive at Nabble.com.
key length discrepancy in key generated by sect233r1
I was recently playing around with OpenSSL's EC_KEY interface, specifically generating and examining keys generated using the curve sect233r1, when I decided to print the raw key out, in hex form. A quick analysis showed me that the key was stored in 232 bits, not 233 bits as the curve sect233r1 requires - in fact, no matter how many keys I generated and checked this way, I was always missing a bit. Is there some reason that OpenSSL uses only 232 bits instead of the full 233? In case it matters, I am using version 1.0.0d on Windows XP. -- View this message in context: http://old.nabble.com/key-length-discrepancy-in-key-generated-by-sect233r1-tp31596580p31596580.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Core occurred while executing SSL_library_init() and call back method locking_function()
Can u share the parsed core file? On Wednesday, May 11, 2011, Mani Suresh suresh84...@gmail.com wrote: While executing the below code its coring randomly in two cases, 1) While executing the method SSL_library_init() in the constructor. 2) Coring while executing the call back method locking_function(). We are not sure, now the call back method is calling after it is set to NULL Ex : CRYPTO_set_locking_callback(NULL) Here, after we set to NULL its calling the call back method. We want to make sure it should not be called after setting to NULL. It will be great if someone explain me in detail, how the call back mechanism works internally. Code: - pthread_mutex_t *SslBIO::_lnSslBioMutex=NULL; void SslBIO::locking_function(int mode, int type, const char * file, int line) { int rstat; if (mode CRYPTO_LOCK) { fprintf(stderr, \nDEBUG: Locking the Mutex _lnSslBioMutex[%d] Mode = %d File :%s Line No : %d\n,type,mode,file,line); rstat = pthread_mutex_lock((SslBIO::_lnSslBioMutex[type])); lnChkMutex(rstat, FL); } else { fprintf(stderr, \nDEBUG: UnLocking the Mutex _lnSslBioMutex[%d] Mode = %d File :%s Line No : %d\n,type,mode,file,line); rstat = pthread_mutex_unlock((SslBIO::_lnSslBioMutex[type])); lnChkMutex(rstat, FL); } } unsigned long SslBIO::id_function() { unsigned long ulThreadId = (unsigned long)pthread_self(); fprintf(stderr, \nDEBUG: Thread ID = %d\n,ulThreadId); return (ulThreadId); } int SslBIO::init(const char * initarg) { int i; _lnSslBioMutex = (pthread_mutex_t *) OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); if (!_lnSslBioMutex) return 0; fprintf(stderr, \nDEBUG: Number of Locks(CRYPTO_NUM_LOCKS) = %d \n,CRYPTO_num_locks()); for(i=0;iCRYPTO_num_locks();i++) { fprintf(stderr, \nDEBUG: Initialize the Mutex _lnSslBioMutex[%d]\n,i); int rstat = pthread_mutex_init((_lnSslBioMutex[i]), pthread_mutexattr_default); lnChkMutex(rstat, FL); } CRYPTO_set_id_callback(SslBIO::id_function); CRYPTO_set_locking_callback(SslBIO::locking_function); return 0; } int SslBIO::terminate() { int i = 0; int rstat; if (!_lnSslBioMutex) { return 0; } CRYPTO_set_id_callback(NULL); CRYPTO_set_locking_callback(NULL); for(i=0;iCRYPTO_num_locks();i++) { fprintf(stderr, \nDEBUG: Cleanup the Mutex _lnSslBioMutex[%d]\n,i); rstat = pthread_mutex_destroy((_lnSslBioMutex[i])); lnChkMutex(rstat, FL); } OPENSSL_free(_lnSslBioMutex); _lnSslBioMutex = NULL; } SslBIO::SslBIO(const char *host, const int port, const int timeout, int retCode, int blockingConnect) { _debug = 0; _lnreqctx = 0; _type = SslBIO::CALLER; _totSent = 0; _totReceived = 0; _errBuf[0] = '\0'; if(host!=NULL) strcpy(_hostName,(char *)host); _portNum = port; retCode = FAIL; /* Set up the library */ SSL_library_init(); ERR_load_BIO_strings(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); _sslctx = SSL_CTX_new(SSLv23_client_method()); if(_sslctx == 0) { fprintf(stderr, failed SslBIO::SslBIO. SslBIO not initialized. _sslctx=0\n); return; } _bio = BIO_new_ssl_connect(_sslctx); BIO_get_ssl(_bio, _ssl); SSL_set_mode(_ssl, SSL_MODE_AUTO_RETRY); /* Create and setup the connection */ BIO_set_conn_hostname(_bio, _hostName); // cdc13-www.lexisnexis.com:https); BIO_set_conn_int_port(_bio, _portNum); // 443); if(BIO_do_connect(_bio) = 0) { fprintf(stderr, Error attempting to connect [%s[%d]]\n,_hostName,_portNum); ERR_print_errors_fp(stderr); BIO_free_all(_bio); _bio = NULL; //Nullify the _bio member object after deallocating return; } else { fprintf(stderr, SslBIO: connected[%s[%d]]\n,_hostName,_portNum); } /* Check the certificate */ if(SSL_get_verify_result(_ssl) != X509_V_OK) { fprintf(stderr, Certificate verification error: %i\n, SSL_get_verify_result(_ssl)); } _timeout = timeout; retCode = OK; } SslBIO::~SslBIO() { /* Close the connection and free the context */ if (_bio != 0) { BIO_free_all(_bio); _bio=NULL; // bulletproof for webstar 3019980 } if (_sslctx != 0) { fprintf(stderr, Freeing SslBIO::_sslctx\n); SSL_CTX_free(_sslctx); _sslctx=NULL; // bulletproof for webstar 3019980 } } int SslBIO::read(char *buf, int len, int currRead) { int retCode; if (buf == LN_NULL) { return(FAIL); } printf(DEBUG: Before Read \n); currRead = BIO_read(_bio, buf, len); printf(DEBUG: After Read currRead = %d Buf = %s Length = %d\n,currRead,buf,len); if (currRead = 0) { buf[currRead] = 0; if (_debug) { ostrstream strm; strm Out of SslBIO::read currRead = currRead endl; strm
Application is failing with cipher or hash unavailable
Hi , My application is running with OpenSSL 0.9.8h 28 May 2008 in gentoo linux: uname -a Linux localhost 2.6.32.9 #1 SMP Thu Jul 8 14:30:23 Local time zone must be set--see zic m i686 Intel(R) Pentium(R) D CPU 2.80GHz GenuineIntel GNU/Linux But ssl hand shake is failing with below error: SSL_ERROR_SSL error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable But on same linux, openssl s_client -connect server:8443 -cert client.pem -CAfile ca-win.pem, is wokring CONNECTED(0003) --- Certificate chain 0 s:/C=/ST=/L=/O=/OU=DGM/DC=CN=A1 1 s:/DC=/DC=/DC=/DC=/CN=A1 i:/DC=/DC=/DC=/DC=/CN=A1 --- Server certificate -BEGIN CERTIFICATE- MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQBd4LfcDl5d3ODPjBBDy7bL YX6uDP6yG+RdbwR9ul4WRhOUXqb0jkHbaGy/Qlz70TGqfSme81yvLsYmChKTFloU 3NDIRAqagGntPXyaR6WjbV652SYtENTL7RONZhxGyeqDF0ns5fLUAdE2eGYN9f3Y X/k/vFrFnKEmEBEWlciwQjr7vag21YGBtIEeopqnRqN64HCGUVKWqap0sQXAJD/4 -END CERTIFICATE- subject=/C=/ST=/L=/O=/OU=/CN=XY2 issuer=/DC=/DC=/DC=dev/DC=/CN=A1 --- Acceptable client certificate CA names /DC=/DC=/DC=/DC=/CN=A1 --- SSL handshake has read 3241 bytes and written 3148 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: DHE-RSA-AES256-SHA Session-ID: Session-ID-ctx: Master-Key: C47BF1691AB846E449B5FA9E29EC4E25312D4C501 Key-Arg : None Start Time: 1305122070 Timeout : 300 (sec) Verify return code: 0 (ok) --- -- View this message in context: http://old.nabble.com/Application-is-failing-with-cipher-or-hash-unavailable-tp31597508p31597508.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Application is failing with cipher or hash unavailable
I think that means you have not enabled the cipher or hash that is required at that point. Did you forget to call something like OpenSSL_add_all_algorithms() in your app? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of pradeepreddy Sent: Wednesday, May 11, 2011 3:55 PM To: openssl-users@openssl.org Subject: Application is failing with cipher or hash unavailable Hi , My application is running with OpenSSL 0.9.8h 28 May 2008 in gentoo linux: uname -a Linux localhost 2.6.32.9 #1 SMP Thu Jul 8 14:30:23 Local time zone must be set--see zic m i686 Intel(R) Pentium(R) D CPU 2.80GHz GenuineIntel GNU/Linux But ssl hand shake is failing with below error: SSL_ERROR_SSL error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable But on same linux, openssl s_client -connect server:8443 -cert client.pem -CAfile ca-win.pem, is wokring CONNECTED(0003) --- Certificate chain 0 s:/C=/ST=/L=/O=/OU=DGM/DC=CN=A1 1 s:/DC=/DC=/DC=/DC=/CN=A1 i:/DC=/DC=/DC=/DC=/CN=A1 --- Server certificate -BEGIN CERTIFICATE- MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQBd4LfcDl5d3ODPjBBDy7bL YX6uDP6yG+RdbwR9ul4WRhOUXqb0jkHbaGy/Qlz70TGqfSme81yvLsYmChKTFloU 3NDIRAqagGntPXyaR6WjbV652SYtENTL7RONZhxGyeqDF0ns5fLUAdE2eGYN9f3Y X/k/vFrFnKEmEBEWlciwQjr7vag21YGBtIEeopqnRqN64HCGUVKWqap0sQXAJD/4 -END CERTIFICATE- subject=/C=/ST=/L=/O=/OU=/CN=XY2 issuer=/DC=/DC=/DC=dev/DC=/CN=A1 --- Acceptable client certificate CA names /DC=/DC=/DC=/DC=/CN=A1 --- SSL handshake has read 3241 bytes and written 3148 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: DHE-RSA-AES256-SHA Session-ID: Session-ID-ctx: Master-Key: C47BF1691AB846E449B5FA9E29EC4E25312D4C501 Key-Arg : None Start Time: 1305122070 Timeout : 300 (sec) Verify return code: 0 (ok) --- -- View this message in context: http://old.nabble.com/Application-is-failing-with-cipher-or-hash-unavailable-tp31597508p31597508.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Application is failing with cipher or hash unavailable
Hi, I have the SSL_library_init() in my app, which will load the algos. Erik Tkal wrote: I think that means you have not enabled the cipher or hash that is required at that point. Did you forget to call something like OpenSSL_add_all_algorithms() in your app? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of pradeepreddy Sent: Wednesday, May 11, 2011 3:55 PM To: openssl-users@openssl.org Subject: Application is failing with cipher or hash unavailable Hi , My application is running with OpenSSL 0.9.8h 28 May 2008 in gentoo linux: uname -a Linux localhost 2.6.32.9 #1 SMP Thu Jul 8 14:30:23 Local time zone must be set--see zic m i686 Intel(R) Pentium(R) D CPU 2.80GHz GenuineIntel GNU/Linux But ssl hand shake is failing with below error: SSL_ERROR_SSL error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable But on same linux, openssl s_client -connect server:8443 -cert client.pem -CAfile ca-win.pem, is wokring CONNECTED(0003) --- Certificate chain 0 s:/C=/ST=/L=/O=/OU=DGM/DC=CN=A1 1 s:/DC=/DC=/DC=/DC=/CN=A1 i:/DC=/DC=/DC=/DC=/CN=A1 --- Server certificate -BEGIN CERTIFICATE- MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQBd4LfcDl5d3ODPjBBDy7bL YX6uDP6yG+RdbwR9ul4WRhOUXqb0jkHbaGy/Qlz70TGqfSme81yvLsYmChKTFloU 3NDIRAqagGntPXyaR6WjbV652SYtENTL7RONZhxGyeqDF0ns5fLUAdE2eGYN9f3Y X/k/vFrFnKEmEBEWlciwQjr7vag21YGBtIEeopqnRqN64HCGUVKWqap0sQXAJD/4 -END CERTIFICATE- subject=/C=/ST=/L=/O=/OU=/CN=XY2 issuer=/DC=/DC=/DC=dev/DC=/CN=A1 --- Acceptable client certificate CA names /DC=/DC=/DC=/DC=/CN=A1 --- SSL handshake has read 3241 bytes and written 3148 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: DHE-RSA-AES256-SHA Session-ID: Session-ID-ctx: Master-Key: C47BF1691AB846E449B5FA9E29EC4E25312D4C501 Key-Arg : None Start Time: 1305122070 Timeout : 300 (sec) Verify return code: 0 (ok) --- -- View this message in context: http://old.nabble.com/Application-is-failing-with-cipher-or-hash-unavailable-tp31597508p31597508.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://old.nabble.com/Application-is-failing-with-cipher-or-hash-unavailable-tp31597508p31597851.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Can openssl support EAP-TLS?
If you're looking to do authentication, freeradius will do EAP, and talk to openssl for the TLS part (and an LDAP server for the actual authentication and authorization). From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Erik Tkal [et...@juniper.net] Sent: Wednesday, May 11, 2011 7:16 AM To: openssl-users@openssl.org Subject: RE: Can openssl support EAP-TLS? OpensSSL supports TLS; you need to parse the EAP packets in your own application and feed the TLS bits into OpenSSL. Erik Tkal Juniper OAC/UAC/Pulse Development From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Neo Liu Sent: Wednesday, May 11, 2011 12:59 AM To: openssl-users@openssl.org Subject: Can openssl support EAP-TLS? Hi, everyone: I wanna know that if openssl support EAP-TLS protocol?
RE: Replace renewed intermediate certificate in the keystore chain
Hi, I think I have been able to replace only the intermediate certificate which has a different validity period. I believe this can be done because what the intermediate certificate is signing is still valid. Only the expiry date is changing and it is being renewed. 1. Root is valid 2. Sub root or intermediate is replaced 3. Public key certificate is valid. No new CSR is required. I have done this by using keystore commands. I exported all the contents of the existing keystore including the private key as a .pem and then replaced only the new intermediate. This was imported back. Now when I run the command Keytool -list -v -keystore store I can see the chain with the new intermediate in the middle. We are going to test the SSL part to validate. Has anyone does this to the Java keystore with OpenSSL ? Thanks, Mohan -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Tkal Sent: Wednesday, May 11, 2011 10:32 PM To: openssl-users@openssl.org Subject: RE: Replace renewed intermediate certificate in the keystore chain No, that should not be true - as long as the subject name of the issuer does not change and the key pair is reused, then any previously issued certificates should still verify against the issuer. Note that the thumbprint will be different, in case that is used anywhere to track the cert. Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John R Pierce Sent: Wednesday, May 11, 2011 12:47 PM To: openssl-users@openssl.org Subject: Re: Replace renewed intermediate certificate in the keystore chain On 05/10/11 11:03 PM, Mohan Radhakrishnan wrote: Hi, I have checked my keystore and truststore and the intermediate certificate alone is going to expire. as I understand it (vaguely at best), if the intermediate certfiicate expires, that invalidates any certificates it generated, so you will need to regenerate and replace all child certificates too. ... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
openssl-1.0.1-stable-SNAP-20110512 error
Script started on Wed May 11 22:35:28 2011 doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110512$ gmake if [ -n libcrypto ]; then \ EXCL_OBJ='aes-586.o bn-586.o co-586.o x86-mont.o x86-gf2m.o des-586.o crypt586.o mem_clr.o sha1-586.o sha256-586.o sha512-586.o ghash-x86.o ../crypto/aes/aes_cfb.o ../crypto/aes/aes_ecb.o ../crypto/aes/aes_ofb.o ../crypto/bn/bn_add.o ../crypto/bn/bn_blind.o ../crypto/bn/bn_ctx.o ../crypto/bn/bn_div.o ../crypto/bn/bn_exp2.o ../crypto/bn/bn_exp.o ../crypto/bn/bn_gcd.o ../crypto/bn/bn_gf2m.o ../crypto/bn/bn_lib.o ../crypto/bn/bn_mod.o ../crypto/bn/bn_mont.o ../crypto/bn/bn_mul.o ../crypto/bn/bn_nist.o ../crypto/bn/bn_prime.o ../crypto/bn/bn_rand.o ../crypto/bn/bn_recp.o ../crypto/bn/bn_shift.o ../crypto/bn/bn_sqr.o ../crypto/bn/bn_word.o ../crypto/bn/bn_x931p.o ../crypto/buffer/buf_str.o ../crypto/cmac/cmac.o ../crypto/cryptlib.o ../crypto/des/cfb64ede.o ../crypto/des/cfb64enc.o ../crypto/des/cfb_enc.o ../crypto/des/ecb3_enc.o ../crypto/des/ofb64ede.o ../crypto/des/fcrypt.o ../crypto/des/set_key.o ../crypto/dh/dh_check.o ../crypto/dh/dh_gen.o ../crypto/dh/dh_key.o ../crypto/dsa/dsa_gen.o ../crypto/dsa/dsa_key.o ../crypto/dsa/dsa_ossl.o ../crypto/ec/ec_curve.o ../crypto/ec/ec_cvt.o ../crypto/ec/ec_key.o ../crypto/ec/ec_lib.o ../crypto/ec/ecp_mont.o ../crypto/ec/ec_mult.o ../crypto/ec/ecp_nist.o ../crypto/ec/ecp_smpl.o ../crypto/ec/ec2_mult.o ../crypto/ec/ec2_smpl.o ../crypto/ecdh/ech_key.o ../crypto/ecdh/ech_ossl.o ../crypto/ecdsa/ecs_ossl.o ../crypto/evp/e_aes.o ../crypto/evp/e_des3.o ../crypto/evp/m_sha1.o ../crypto/hmac/hmac.o ../crypto/modes/cbc128.o ../crypto/modes/ccm128.o ../crypto/modes/cfb128.o ../crypto/modes/ctr128.o ../crypto/modes/gcm128.o ../crypto/modes/ofb128.o ../crypto/modes/xts128.o ../crypto/rsa/rsa_eay.o ../crypto/rsa/rsa_gen.o ../crypto/rsa/rsa_crpt.o ../crypto/rsa/rsa_none.o ../crypto/rsa/rsa_oaep.o ../crypto/rsa/rsa_pk1.o ../crypto/rsa/rsa_pss.o ../crypto/rsa/rsa_ssl.o ../crypto/rsa/rsa_x931.o ../crypto/rsa/rsa_x931g.o ../crypto/sha/sha1dgst.o ../crypto/sha/sha256.o ../crypto/sha/sha512.o ../crypto/thr_id.o ../crypto/uid.o' ; export EXCL_OBJ ; \ ARX='/usr/bin/perl5 ${TOP}/util/arx.pl ar r' ; \ else \ ARX='ar r' ; \ fi ; export ARX ; \ if [ y = y ]; then \ AS='/usr/bin/perl5 ${TOP}/util/fipsas.pl ${TOP} ${} gcc -c' ; \ else \ AS='gcc -c' ; \ fi ; export AS ; \ dir=crypto; target=all; if expr crypto fips ssl engines apps test tools : .* $dir /dev/null 21; then if [ -d $dir ]; then ( cd $dir echo making $target in $dir... TOP= unset TOP ${LIB+LIB} ${LIBS+LIBS} ${INCLUDE+INCLUDE} ${INCLUDES+INCLUDES} ${DIR+DIR} ${DIRS+DIRS} ${SRC+SRC} ${LIBSRC+LIBSRC} ${LIBOBJ+LIBOBJ} ${ALL+ALL} ${EXHEADER+EXHEADER} ${HEADER+HEADER} ${GENERAL+GENERAL} ${CFLAGS+CFLAGS} ${ASFLAGS+ASFLAGS} ${AFLAGS+AFLAGS} ${LDCMD+LDCMD} ${LDFLAGS+LDFLAGS} ${SHAREDCMD+SHAREDCMD} ${SHAREDFLAGS+SHAREDFLAGS} ${SHARED_LIB+SHARED_LIB} ${LIBEXTRAS+LIBEXTRAS} gmake -e PLATFORM='debug-bsdi-x86-elf' PROCESSOR='386' CC='gcc' CFLAG='-fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_STORE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM' ASFLAG='-fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_STORE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -c' AR='ar r' NM='nm' RANLIB='/usr/bin/ranlib' CROSS_COMPILE='' PERL='/usr/bin/perl5' ENGDIRS='ccgost' SDIRS='objects md4 md5 sha mdc2 hmac ripemd whrlpool des aes rc2 rc4 rc5 idea bf cast camellia seed modes bn ec rsa dsa ecdsa dh ecdh dso engine buffer bio stack lhash rand err evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 cms pqueue ts jpake srp store cmac' LIBRPATH='/usr/contrib/lib' INSTALL_PREFIX='' INSTALLTOP='/usr/contrib' OPENSSLDIR='/usr/contrib' LIBDIR='lib' MAKEDEPEND='$${TOP}/util/domd $${TOP} -MD gcc' DEPFLAG='-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP224_64_GCC_128 -DOPENSSL_NO_MD2' MAKEDEPPROG='gcc' SHARED_LDFLAGS='' KRB5_INCLUDES='' LIBKRB5='' ZLIB_INCLUDE='' LIBZLIB='' EXE_EXT='' SHARED_LIBS='libcrypto.so.1.1.0 libssl.so.1.1.0' SHLIB_EXT='.so.1.1.0' SHLIB_TARGET='bsd-gcc-shared' PEX_LIBS='' EX_LIBS='-ldl -lm -lc' CPUID_OBJ='mem_clr.o' BN_ASM='bn-586.o co-586.o x86-mont.o x86-gf2m.o' DES_ENC='des-586.o crypt586.o' AES_ENC='aes-586.o'