Re: Question on OpenSSL encryption

2012-01-07 Thread Matt Caswell (fr...@baggins.org)

Hi

There's quite a good description of the key negotiation here:

http://technet.microsoft.com/en-us/library/cc785811%28WS.10%29.aspx

Matt


On 07/01/12 16:12, Manish Jain wrote:


Hello Michael/Anyone Else,

Can you be kind enough to please point me to some place/URL where I 
can get a bit more information about how the key is negotiated upon ?


I have gone through a a couple of write-ups on OpenSSL which throw 
light upon everything else except for this vital piece of information.



Thanks & Regards
Manish Jain


On 07-Jan-12 19:23, Michael S. Zick wrote:

On Sat January 7 2012, Manish Jain wrote:


Hi,

I am new to OpenSSL and am trying to prepare some illustrative
documentation on how it works.

AFAIK, OpenSSL uses the concept of a pair of keys per host : one is a
private key which is never communicated to any other host, and the 
other

is a public key which is transmitted to the peer (the other party). The
client uses the public key of the server (contained in the server's
certificate) to encrypt its communication, which can only be decrypted
with the server's private key. Please correct me if I am wrong.



That is the essence of what happens and by that the client knows
that it is communicating with the server it intended to reach 
(authentication).


Now the question is : when the server sends data to the client, what 
key

does it use for encryption ?



The general answer is: The client and server establish a shared key
for that propose early in the protocol.


Does the client communicate its public key
to the server (at some initial stage) which the server uses for
encryption ?



If the communications set up between the two requires client 
authentication.
In many cases the client remains a stranger to the server 
(un-authenticated).



If yes, what if the client does not have a pair of
public/private keys ?



The usual case for public web browsing using https and some other 
protocols.

The client remains a stranger to the server.


The question arises because it does not seem logical that the server
would its private key for encrypting data to be sent to the client.
Else, snoopers who might have picked the public key could decrypt the
data too.



There is an early stage in nearly all protocols, called: key agreement
where the client and server agree on a key without exchanging any of
the 'private' information that it is based on.


Any help on clearing up the above points would be greatly appreciated.



My comments above are at a very general level.
If the process was as simple as my answers, OpenSSL would not be as
large a body of code as it is.  ;-)

Mike


Thank you&
Regards

Manish Jain
invalid.poin...@gmail.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org





__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Question on OpenSSL encryption

2012-01-07 Thread Manish Jain


Hello Michael/Anyone Else,

Can you be kind enough to please point me to some place/URL where I can 
get a bit more information about how the key is negotiated upon ?


I have gone through a a couple of write-ups on OpenSSL which throw light 
upon everything else except for this vital piece of information.



Thanks & Regards
Manish Jain


On 07-Jan-12 19:23, Michael S. Zick wrote:

On Sat January 7 2012, Manish Jain wrote:


Hi,

I am new to OpenSSL and am trying to prepare some illustrative
documentation on how it works.

AFAIK, OpenSSL uses the concept of a pair of keys per host : one is a
private key which is never communicated to any other host, and the other
is a public key which is transmitted to the peer (the other party). The
client uses the public key of the server (contained in the server's
certificate) to encrypt its communication, which can only be decrypted
with the server's private key. Please correct me if I am wrong.



That is the essence of what happens and by that the client knows
that it is communicating with the server it intended to reach (authentication).


Now the question is : when the server sends data to the client, what key
does it use for encryption ?



The general answer is: The client and server establish a shared key
for that propose early in the protocol.


Does the client communicate its public key
to the server (at some initial stage) which the server uses for
encryption ?



If the communications set up between the two requires client authentication.
In many cases the client remains a stranger to the server (un-authenticated).


If yes, what if the client does not have a pair of
public/private keys ?



The usual case for public web browsing using https and some other protocols.
The client remains a stranger to the server.


The question arises because it does not seem logical that the server
would its private key for encrypting data to be sent to the client.
Else, snoopers who might have picked the public key could decrypt the
data too.



There is an early stage in nearly all protocols, called: key agreement
where the client and server agree on a key without exchanging any of
the 'private' information that it is based on.


Any help on clearing up the above points would be greatly appreciated.



My comments above are at a very general level.
If the process was as simple as my answers, OpenSSL would not be as
large a body of code as it is.  ;-)

Mike


Thank you&
Regards

Manish Jain
invalid.poin...@gmail.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org





__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Question on OpenSSL encryption

2012-01-07 Thread Michael S. Zick
On Sat January 7 2012, Manish Jain wrote:
> 
> Hi,
> 
> I am new to OpenSSL and am trying to prepare some illustrative 
> documentation on how it works.
> 
> AFAIK, OpenSSL uses the concept of a pair of keys per host : one is a 
> private key which is never communicated to any other host, and the other 
> is a public key which is transmitted to the peer (the other party). The 
> client uses the public key of the server (contained in the server's 
> certificate) to encrypt its communication, which can only be decrypted 
> with the server's private key. Please correct me if I am wrong.
>

That is the essence of what happens and by that the client knows
that it is communicating with the server it intended to reach (authentication).
 
> Now the question is : when the server sends data to the client, what key 
> does it use for encryption ? 
>

The general answer is: The client and server establish a shared key
for that propose early in the protocol.

> Does the client communicate its public key  
> to the server (at some initial stage) which the server uses for 
> encryption ? 
>

If the communications set up between the two requires client authentication.
In many cases the client remains a stranger to the server (un-authenticated).

> If yes, what if the client does not have a pair of  
> public/private keys ?
> 

The usual case for public web browsing using https and some other protocols.
The client remains a stranger to the server.

> The question arises because it does not seem logical that the server 
> would its private key for encrypting data to be sent to the client. 
> Else, snoopers who might have picked the public key could decrypt the 
> data too.
> 

There is an early stage in nearly all protocols, called: key agreement
where the client and server agree on a key without exchanging any of
the 'private' information that it is based on.

> Any help on clearing up the above points would be greatly appreciated.
> 

My comments above are at a very general level.
If the process was as simple as my answers, OpenSSL would not be as
large a body of code as it is.  ;-)

Mike
> 
> Thank you &
> Regards
> 
> Manish Jain
> invalid.poin...@gmail.com
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
> 
> 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Question on OpenSSL encryption

2012-01-07 Thread Manish Jain


Hi,

I am new to OpenSSL and am trying to prepare some illustrative 
documentation on how it works.


AFAIK, OpenSSL uses the concept of a pair of keys per host : one is a 
private key which is never communicated to any other host, and the other 
is a public key which is transmitted to the peer (the other party). The 
client uses the public key of the server (contained in the server's 
certificate) to encrypt its communication, which can only be decrypted 
with the server's private key. Please correct me if I am wrong.


Now the question is : when the server sends data to the client, what key 
does it use for encryption ? Does the client communicate its public key 
to the server (at some initial stage) which the server uses for 
encryption ? If yes, what if the client does not have a pair of 
public/private keys ?


The question arises because it does not seem logical that the server 
would its private key for encrypting data to be sent to the client. 
Else, snoopers who might have picked the public key could decrypt the 
data too.


Any help on clearing up the above points would be greatly appreciated.


Thank you &
Regards

Manish Jain
invalid.poin...@gmail.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Displaying Serial Number of Cert via s_client ?

2012-01-07 Thread Peter Sylvester

On 01/07/2012 02:01 AM, Ken Adler wrote:

I use  echo GET | openssl s_client -connect www.google.com:443 -state to 
troubleshoot https handshakes.

Is there a way to get it to return the Serial number (or thumbprint) of the 
server certificate?



openssl s_client -connect www.google.com:443 2>&1|openssl x509 -noout -serial

serial=4F9D96D966B0992B54C2957CB4157D4D

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


How to load a Trusted CA?

2012-01-07 Thread Jiankuan Xing

I need to load a client CA file, who is generated by openssl x509 command with 
"-trustout" parameter, and starts with "BEGIN TRUSTED CERTIFICATE-", 
rather than common "-BEGIN CERTIFICATE-".

Currently I use openssl's API "SSL_load_client_CA_file()" to load the cert and 
get this error: PEM routines:PEM_read_bio:no start line:Expecting CERTIFICATE.


So how can I load a Trusted CA?

Thanks very much.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org