Destroying X509_CRL Object
Hey All, I'm trying to figure out how to properly destroy an X509_CRL struct. I can't seem to figure out any API for it. Can someone point me in the right direction? I'm using PEM_read_X509_CRL to create the object. Thanks, Shawn
Re: PHP openssl_x509_parse extensions=>subjectAltName
Since there is no fixed, I was tasked to get this to work.. Here is the
workaround I created and the code has been in the production for a year. I
found it works well. Also, when Microsoft utilize subjectAltName as
UserPrincipalName value to integrate smart card authentication with Active
Directory. Getting this to work is very important for web applications.
1) create a directory USERCERT under your PHP script folder. allow this
folder upload files via the web browser.
2) copy paste the following codes to your php script which is used to read
the certificate information.
$yourcn = $_SERVER['SSL_CLIENT_S_DN_CN'];
$filename=str_replace('(Affiliate)', '', str_replace(' ', '.',
$yourcn)).rand().".cer";
$file1 = $_SERVER['SSL_CLIENT_CERT'];
file_put_contents('USERCERT/'.$filename, $file1);
$cmd1 = "openssl asn1parse -in USERCERT/$filename | grep -A 1 'Subject
Alternative Name' | cut -f1 -d':' | tail -1";
$output1 = shell_exec($cmd1);
$output3 = shell_exec("sh testname.sh '$output1' '$filename'");
so. the result of $output3 will be the subjectAltName. This value is the
UserPrincipalName in Active Directory.
3) create a shell script, name testname.sh and place under the same
directory as your php script at the step 2. Please make this testname.sh
with 644 permission in Linux. Here is the content of testname.sh
openssl asn1parse -strparse $1 -in USERCERT/$2 | grep -A 2 "Microsoft
Universal Principal Name" | cut -f4 -d":" |tail -1
Hope this works for you.
--
View this message in context:
http://openssl.6102.n7.nabble.com/PHP-openssl-x509-parse-extensions-subjectAltName-tp21912p44859.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: [openssl-dev] MD5 in openSSL internals
Careful about this. The technically correct answer is misleading. Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of stronger of the two. --David Jacobson On 4/23/13 3:31 AM, Erwann Abalea wrote: MD5 is used in TLS1.0 for RSA signing and random derivation (PRF). See RFC2246. (Please note that OpenSSL hasn't been mentioned in this sentence). SHA256 used for the PRF is available with TLS1.2 only. SHA256 used for the HMAC is available for some ciphersuites defined for TLS1.2 only (but I think you could define your own with TLS1.0). -- Erwann ABALEA Le 23/04/2013 08:29, Venkataragavan Narayanaswamy a écrit : Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference 1.Does openSSL library use MD5 internally for any operation? 2.Can we have SHA256 in the ciphersuite with TLSv1.0? Thanks, Venkat
Re: [openssl-users] Re: [openssl-dev] MD5 in openSSL internals
You're right. PRF in TLS1.0 is done by splitting the secret in 2 parts, hashing the first with MD5, hashing the second with SHA1, and XORing the 2 results. RSA signing in TLS1.0 is done by hashing the data with MD5 and SHA1, concatenating the 2 hash results, and signing the 36 bytes result (with PKCS#1v1.5 padding). PRF construct depends on pre-image resistance. MD5 and SHA1 are still considered pre-image resistant. RSA signing depends on collision resistance. MD5 is not collision resistant, SHA1 is not considered academically collision resistant, but there's no known attack on collision of both MD5 and SHA1 at the same time. -- Erwann ABALEA Le 23/04/2013 14:28, David Jacobson a écrit : Careful about this. The technically correct answer is misleading. Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of stronger of the two. --David Jacobson On 4/23/13 3:31 AM, Erwann Abalea wrote: MD5 is used in TLS1.0 for RSA signing and random derivation (PRF). See RFC2246. (Please note that OpenSSL hasn't been mentioned in this sentence). SHA256 used for the PRF is available with TLS1.2 only. SHA256 used for the HMAC is available for some ciphersuites defined for TLS1.2 only (but I think you could define your own with TLS1.0). -- Erwann ABALEA Le 23/04/2013 08:29, Venkataragavan Narayanaswamy a écrit : Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference 1.Does openSSL library use MD5 internally for any operation? 2.Can we have SHA256 in the ciphersuite with TLSv1.0? Thanks, Venkat
Re: [openssl-dev] MD5 in openSSL internals
MD5 is used in TLS1.0 for RSA signing and random derivation (PRF). See RFC2246. (Please note that OpenSSL hasn't been mentioned in this sentence). SHA256 used for the PRF is available with TLS1.2 only. SHA256 used for the HMAC is available for some ciphersuites defined for TLS1.2 only (but I think you could define your own with TLS1.0). -- Erwann ABALEA Le 23/04/2013 08:29, Venkataragavan Narayanaswamy a écrit : Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference 1.Does openSSL library use MD5 internally for any operation? 2.Can we have SHA256 in the ciphersuite with TLSv1.0? Thanks, Venkat
MD5 in openSSL internals
Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference 1. Does openSSL library use MD5 internally for any operation? 2. Can we have SHA256 in the ciphersuite with TLSv1.0? Thanks, Venkat
