SSL Certificate cache
How to check in Linux client device whether the certificate used is cached or it's from the server? I am using openssl s_client to establish http connection. Thanks, Sharan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
SSL Certificate Caching
Hi All, Is there a option to specify a source interface along with openssl s_cleint option to establish multiple HTTP Connections from single linux device? This is required to test certificate caching scenario where need to have multiple clients trying to connect to a same server. For Ex: specify eth1:1, eth1:2..etc... Thanks, Sharan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to place signature into an X509 format
Yes that is exactly what I was asking a standard format and yes I do use a
SHA1
for the message digest. So Formally known as PKCS#7 now called CMS thats the
way to go.
I will do that, and any pointers to documents/commands would be appreciated.
redpath wrote:
I have created EC Digital Signature and saved it in a file.
Excerpt of code shown below for a message digest md
unsigned int siglen = ECDSA_size(peckey);
printf(Max signature length is %d \n,siglen);
siglen = ECDSA_size(peckey);
unsigned char *ptr = OPENSSL_malloc(siglen);
unsigned char *save= ptr;
ECDSA_SIG *sig;
ret= ECDSA_sign(0 ,md, 20, ptr, siglen, peckey); //Do sign it dude
if (!ret){
printf(ERROR signing null\n);
return 1;
}
printf( Signature success \n);
printf(Signature length is %d \n,siglen);
/**
* Write out Digital Signature File
*
***/
strcpy(buffer,args[1]);
strcat(buffer,.ecdsa);
fp = fopen(buffer,wb);
fwrite(save, 1, siglen, fp);
fclose(fp);
printf(OUTPUT signature file is %s\n\n,buffer);
And I use this signature file to verify a message digest later using a
public key.
ret = ECDSA_verify(0, md, 20, sig, siglen, pubeckey);
Everything works great. I want this signature to be in an X509 and open
the X509 and
extract it to use to verify things.
How do you place a signature in an X509 format and use code to extract
them?
In the past I have created an X509 for public keys
before and extract the key to use it; and that works great to extract them
and use them.
So if anyone has a procedure for the using the API to do this let me know.
--
View this message in context:
http://old.nabble.com/How-to-place-signature-into-an-X509-format-tp34513865p34531958.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Problem configuring Apache 2.2.22 after openssl 1.0.0h release
I am running a Solaris 10 system on which I'm attempting to build Apache 2.2.22 with openssl 1.0.1c. Openssl is built with: ./config make make test make install and appears to work fine. When I attempt to build Apache I receive the following error during the configuration phase (taken from the apache config.log) : configure:13896: error: ... Error, SSL/TLS libraries were missing or unusable The configuration commands are fairly basic: ./configuration --enable-ssl --enable-so --with-ssl=/usr/local/ssl When configuring against openssl version 1.0.0g and earlier I have no issues. Since the release of 1.0.0h I receive the above error (along with 1.0.1 builds). Has something changed between 1.0.0g and 1.0.0h which would necessitate a change to my build process? Or is this a bug? I reviewed the change log and didn't see anything that jumped out at me (two changes from 1.0.0g to 1.0.0h). I also searched the Internet for possible solutions and came across the recommendation of adding the following to my Apache configuration line: env LDFLAGS=-ldl making the configuration command the following: env LDFLAGS=-ldl ./configuration --enable-ssl --enable-so --with-ssl=/usr/local/ssl Unfortunately this did not work and, from what I gather of the solution, is really a bandaid and not a cure. Anyone have any information on how to build Apache with openssl releases post 1.0.0g?
Effect of EC_GROUP_precompute_mult when doing signature verification (ECDSA_verify)
Hello list I became aware of EC_GROUP_precompute_mult when I had to generate a lot of public keys fast. It speeds up this process by about a factor of 5. So it's been very useful for me. I've been researching if EC_GROUP_precompute_mult has any effect when verifying ECDSA signatures using ECDSA_verify, and my results are somewhat inconclusive. I see a small speedup, around 2-5%, but I'm not sure what the reason is for this. I can see the code that verifies signatures uses EC_POINT_mul, but I don't see a significant speedup as I did when using it to just generate public keys (q and m set to NULL in EC_POINT_mul). I can see that in the OpenSSL signature verification code q and m are not NULL in EC_POINT_mul, so it makes sense why the speedup wouldn't be as great as when they are NULL (since precomputations are only made for the generator point of the curve). But I don't understand why the speedup becomes so small when q and m are set, as I still did see a 5x speedup (from roughly 1000 us per execution of EC_POINT_mul to roughly 200 us) when q and m are NULL. Should there, in theory, be any reason for EC_GROUP_precompute_mult to speed up signature verification? Thanks! /Rune __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
CN 64 chars
Hello, Im trying to make a CSR with a CN that has more than 64 chars I know that the upper bound is 64 chars, but I can see in the RFC 5280 this note: -- Note - upper bounds on string types, such as TeletexString, are -- measured in characters. Excepting PrintableString or IA5String, a -- significantly greater number of octets will be required to hold -- such a value. As a minimum, 16 octets, or twice the specified -- upper bound, whichever is the larger, should be allowed for -- TeletexString. For UTF8String or UniversalString at least four -- times the upper bound should be allowed. I used in the config file string_mask = utf8only, but I get the error again: 2072:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:.\crypto\asn1\a_mbstr.c:154:maxsize=64 Can you help me? Thanks in advance Juan Ángel Martín Gómez
Re: Effect of EC_GROUP_precompute_mult when doing signature verification (ECDSA_verify)
On Tue, Oct 9, 2012 at 12:29 PM, Rune K. Svendsen runesv...@gmail.comwrote: I've been researching if EC_GROUP_precompute_mult has any effect when verifying ECDSA signatures using ECDSA_verify, and my results are somewhat inconclusive. I see a small speedup, around 2-5%, but I'm not sure what the reason is for this. I can see the code that verifies signatures uses EC_POINT_mul, but I don't see a significant speedup as I did when using it to just generate public keys (q and m set to NULL in EC_POINT_mul). I can see that in the OpenSSL signature verification code q and m are not NULL in EC_POINT_mul, so it makes sense why the speedup wouldn't be as great as when they are NULL (since precomputations are only made for the generator point of the curve). But I don't understand why the speedup becomes so small when q and m are set, as I still did see a 5x speedup (from roughly 1000 us per execution of EC_POINT_mul to roughly 200 us) when q and m are NULL. EC_GROUP_precompute_mult precomputation is based only on common group parameters, not on the specific key. It would be possible to speed up ECDSA verification similarly by doing something like that on a per-key level, but it would only help if you verify multiple signatures signed by the same key. That's why it is currently not supported by the OpenSSL API -- it would be a bit cumbersome to use properly. Bodo
Re: CN 64 chars
On Tue, Oct 09, 2012, Juan Angel Martin Gomez [AC Camerfirma] wrote: Hello, Im trying to make a CSR with a CN that has more than 64 chars I know that the upper bound is 64 chars, but I can see in the RFC 5280 this note: -- Note - upper bounds on string types, such as TeletexString, are -- measured in characters. Excepting PrintableString or IA5String, a -- significantly greater number of octets will be required to hold -- such a value. As a minimum, 16 octets, or twice the specified -- upper bound, whichever is the larger, should be allowed for -- TeletexString. For UTF8String or UniversalString at least four -- times the upper bound should be allowed. I used in the config file string_mask = utf8only, but I get the error again: 2072:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:.\crypto\asn1\a_mbstr.c:154:maxsize=64 Can you help me? Changing this requires source modification. In the file crypto/asn1/a_strnid.c there is a table with NID_commonName in it and a value of ub_common_name (set to 64) against it. If you change that value it will permit larger values. I'd regard the current behaviour as a bug: it should handle multi-byte characters properly. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: CN 64 chars
On Wed, Oct 10, 2012, Dr. Stephen Henson wrote: On Tue, Oct 09, 2012, Juan Angel Martin Gomez [AC Camerfirma] wrote: Hello, Im trying to make a CSR with a CN that has more than 64 chars I know that the upper bound is 64 chars, but I can see in the RFC 5280 this note: -- Note - upper bounds on string types, such as TeletexString, are -- measured in characters. Excepting PrintableString or IA5String, a -- significantly greater number of octets will be required to hold -- such a value. As a minimum, 16 octets, or twice the specified -- upper bound, whichever is the larger, should be allowed for -- TeletexString. For UTF8String or UniversalString at least four -- times the upper bound should be allowed. I used in the config file string_mask = utf8only, but I get the error again: 2072:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:.\crypto\asn1\a_mbstr.c:154:maxsize=64 Can you help me? Changing this requires source modification. In the file crypto/asn1/a_strnid.c there is a table with NID_commonName in it and a value of ub_common_name (set to 64) against it. If you change that value it will permit larger values. I'd regard the current behaviour as a bug: it should handle multi-byte characters properly. Actually looking at the code it does handle multi byte characters properly. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to place signature into an X509 format
PKCS#7 (the original) is RFC2315
CMS is RFC5652
On 10/9/2012 3:37 PM, redpath wrote:
Yes that is exactly what I was asking a standard format and yes I do use a
SHA1
for the message digest. So Formally known as PKCS#7 now called CMS
thats the
way to go.
I will do that, and any pointers to documents/commands would be
appreciated.
redpath wrote:
I have created EC Digital Signature and saved it in a file.
Excerpt of code shown below for a message digest md
unsigned int siglen = ECDSA_size(peckey);
printf(Max signature length is %d \n,siglen);
siglen = ECDSA_size(peckey);
unsigned char *ptr = OPENSSL_malloc(siglen);
unsigned char *save= ptr;
ECDSA_SIG *sig;
ret= ECDSA_sign(0 ,md, 20, ptr, siglen, peckey); //Do sign it
dude
if (!ret){
printf(ERROR signing null\n);
return 1;
}
printf( Signature success \n);
printf(Signature length is %d \n,siglen);
/**
* Write out Digital Signature File
*
***/
strcpy(buffer,args[1]);
strcat(buffer,.ecdsa);
fp = fopen(buffer,wb);
fwrite(save, 1, siglen, fp);
fclose(fp);
printf(OUTPUT signature file is %s\n\n,buffer);
And I use this signature file to verify a message digest later using a
public key.
ret = ECDSA_verify(0, md, 20, sig, siglen, pubeckey);
Everything works great. I want this signature to be in an X509 and open
the X509 and
extract it to use to verify things.
How do you place a signature in an X509 format and use code to extract
them?
In the past I have created an X509 for public keys
before and extract the key to use it; and that works great to
extract them
and use them.
So if anyone has a procedure for the using the API to do this let me
know.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
SSL_accept fails with bad certificate error
Hello, I am trying to write a server that will accept an incoming SSL connection. In psuedo, I have the following chain of function calls SSL_CTX_load_verify_locations(ctx, root_cert_file, root_cert_dir) SSL_CTX_use_certificate_chain_file(chain file) SSK_CTX_use_PrivateKey_file(chain file) SSL_CTX_set_verify (sets SSL_VERIFY_PEER) SSL_CTS_set_verify_depth(to a depth of 4) The chain file has 3 things in it - private key of the server CA a signed certificate request signed by my server CA the public key of the server CA When I create a new SSL structure everything goes fine, but when I call SSL_accept() on it, I get a return of zero, which when I read the error queue says sslv3 alert bad certificate What does this error mean exactly? Is it a problem with my server certificate itself, the client certificate returned on the verify, or what?
