support for CAdES

2013-09-09 Thread Ottavio Campana
Hello, I am trying to understand if CAdES is supported in OpenSSL 1.0.1e.

I don't find any trace of it, either positively or negatively. Maybe I
misunderstood the relationship between CAdES and CMS...

Can anyone help me please to understand if CAdES is going to be added to
openssl, or if I am totally wrong?

Thank you

Ottavio

-- 
There is no more strength in normality, there is only monotony


Which version of net-snmp is compatible with openssl-1.0.1e

2013-09-09 Thread zheng liu
Hello,
  I have compiled net-snmp-5.5.2 with openssl-1.0.1e, and found that it does not
work on Windows OS.
  In the end I realized that net-snmp-5.5.2 is not compatible with openssl-1.0.1e.
  So I want to know which version of net-snmp is right for an openssl-1.0.1e
environment.
  I hope for your quick answer, thank you very much!
Best Regards


Bidirectional socket communication and SSL_renegotiate.

2013-09-09 Thread Karthik Krishnamurthy
Hi,

The client and server that I have in my project run in a simple single-socket,
blocking-mode environment. The model
is that of a typical producer-consumer one. The client produces data, sends
it to the server. The server
consumes it. Once in a while, the server sends a control message to the
client that the client periodically
receives. Below is a simplified version of the client and server after
enabling them for SSL/TLS communication.

  1 Client:
  2 ---
  3 while (true)
  4 {
  5     if (poll(pollin, timeout=0) || 0 < SSL_pending(ssl))
  6     {
  7         SSL_read();
  8         // Handle WANT_READ or WANT_WRITE appropriately.
  9         // If no error, handle the received control message.
 10     }
 11     // produce data.
 12     while (!poll(pollout))
 13         ;   // Wait until the TCP/IP pipe is ready for a send().
 14     SSL_write();
 15     // Handle WANT_READ or WANT_WRITE appropriately.
 16     if (time to renegotiate)
 17         SSL_renegotiate(ssl);
 18 }
 19
 20 Server:
 21 ---
 22 while (true)
 23 {
 24     if (poll(pollin, timeout=1s) || 0 < SSL_pending(ssl))
 25     {
 26         SSL_read();
 27         // Handle WANT_READ or WANT_WRITE appropriately.
 28         // If no error, consume data.
 29     }
 30     if (control message needs to be sent)
 31     {
 32         while (!poll(pollout))
 33             ;   // Wait until the TCP/IP pipe is ready for a send().
 34         SSL_write();
 35         // Handle WANT_READ or WANT_WRITE appropriately.
 36     }
 37 }

The trouble happens when I force, for testing purposes, SSL/TLS
renegotiation by calling SSL_renegotiate()
once in a while on the client (lines 16-17). I don't do any follow-up
SSL_do_handshake as I assume the
subsequent SSL_write/SSL_read will take care of it automatically.

The session starts off nicely. A few messages are transmitted and in
fact, a few forced SSL/TLS
renegotiations happen successfully as well. But, sometime later, I get an
SSL_ERROR_SSL from SSL_write on the
client and SSL_ERROR_SSL from SSL_read on the server. Below are the error
details:

Client:
---
error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Server:
---
error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message

What am I doing wrong? Is there anything that needs to be taken care of
when handling SSL/TLS renegotiations in
cases where bidirectional socket communication is used?

Any help is appreciated.

Thanks,
Karthik.


Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread Willy Weisz


On 09.09.2013 12:13, phildoch wrote:
> Ok. So meanwhile, unless it will be proven that it is illegal, 
Looking at the IETF RFCs, none that I found explicitly or implicitly
indicated a meaningful use of the certificate policies entry in a CSR.
On the other hand the semantics of this entry means that it can be used
to check whether the certificate issuer has a policy that allows the
relying party to trust it, and thus accept the data signed using the
private key associated with the certificate's public key component.

The certificate is a kind of ID document for the data sent and its
relation to its originator. In this sense putting a certificate policy
in a CSR is like requesting the issuance of a passport based on the
requester's wishes not the policy of the public authority issuing the
document.

Allowing a certificate policy entry in the CSR without considering it
for the issuance of a certificate would be consistent with the semantics
of the certification policies, but pure nonsense.

> let's say that
> for any reason the Certificate requester wants to add a "certificate
> policies" extension in the CSR.
> Is this syntax correct?
>  add_ext(exts, NID_certificate_policies, "1.3.6.1"); 
> (based on function mkreq() in file
> openssl/demos/x509/openssl/demos/x509/mkreq.c)
>
>  Thanks
>   
>
>
>
> --
> View this message in context: 
> http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467p46471.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager    majord...@openssl.org

-- 
---
Willy Weisz

 Computational Science Center
 University of Vienna
   Oskar Morgenstern-Platz 1
A-1090 Wien
Tel: (+43 1) 4277 - 23724    Fax: (+43 1) 4277 - 823724
Mobile: +43 699 10109546   e-mail: willy.we...@univie.ac.at



Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread phildoch
Ok. So meanwhile, unless it will be proven that it is illegal, let's say that
for any reason the Certificate requester wants to add a "certificate
policies" extension in the CSR.
Is this syntax correct?
 add_ext(exts, NID_certificate_policies, "1.3.6.1"); 
(based on function mkreq() in file
openssl/demos/x509/openssl/demos/x509/mkreq.c)

 Thanks
  



--
View this message in context: 
http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467p46471.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread Erwann Abalea

The requestor is allowed to ask for any extension it wants.
The CA will do its job, ignore those requested extensions, and place the 
good ones in the certificate. It can also change the subject name 
contained in the certificate.


--
Erwann ABALEA

On 09/09/2013 11:21, phildoch wrote:

Oh I see. Can you point to a documentation where it is defined which
extensions a certificate requestor is allowed to add and which should be
added by the CA only?
  Thanks.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467p46469.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.





Re: adding certificate policies extension in CSR

2013-09-09 Thread phildoch
Oh I see. Can you point to a documentation where it is defined which
extensions a certificate requestor is allowed to add and which should be
added by the CA only?
 Thanks.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467p46469.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: adding certificate policies extension in CSR

2013-09-09 Thread Willy Weisz
Hi,

On 09.09.2013 10:37, phildoch wrote:
> Hello,
>
>  I am trying to add a "certificate policies" extension in a CSR. For this I am
> using the openssl sample function mkreq() in file
> openssl/demos/x509/openssl/demos/x509/mkreq.c
What do you want it for? What does it mean that the certificate
requestor defines the certificate policies? Only the CA may state which
certification policies it is following.

Regards
Willy
>
> This the line of code I added:
> add_ext(exts, NID_certificate_policies, "1.3.6.1");
>
> Unfortunately it causes a segmentation fault.
> Is the syntax correct? Any clue what is wrong?
>
>  Thanks.
>
>
>
> --
> View this message in context: 
> http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.

-- 
---
Willy Weisz

 Computational Science Center
 University of Vienna
   Oskar Morgenstern-Platz 1
A-1090 Wien
Tel: (+43 1) 4277 - 23724    Fax: (+43 1) 4277 - 823724
Mobile: +43 699 10109546   e-mail: willy.we...@univie.ac.at



adding certificate policies extension in CSR

2013-09-09 Thread phildoch
Hello,

 I am trying to add a "certificate policies" extension in a CSR. For this I am
using the openssl sample function mkreq() in file
openssl/demos/x509/openssl/demos/x509/mkreq.c

This is the line of code I added:
add_ext(exts, NID_certificate_policies, "1.3.6.1");

Unfortunately it causes a segmentation fault.
Is the syntax correct? Any clue what is wrong?

 Thanks.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
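The question above asks how to request a certificatePolicies extension in a CSR, and the replies in this thread point out that the CA, not the requester, decides which extensions end up in the certificate. The script below is an added example written for this page; it is not code from the thread, from OpenSSL's demos, or from the mkreq.c program the poster used. It makes the same request with the openssl command-line tool instead of the add_ext(exts, NID_certificate_policies, ...) call, then signs the CSR with a throwaway CA and checks that the requested policy did not reach the certificate, which is the behaviour the replies describe. It assumes the openssl binary is on PATH. The policy OID 1.3.6.1.4.1.99999.1.1 is a constructed placeholder under the private-enterprise arc; the poster's 1.3.6.1 is the IANA arc, which openssl's text output prints by its registered name rather than numerically, so a numeric grep would not match it.

```shell
#!/bin/sh
# Added example (not from the thread): request certificatePolicies in a CSR
# with the openssl CLI, then show that a CA signing with `openssl x509 -req`
# does not copy the requested extension into the certificate.
# Assumptions: `openssl` is on PATH; every name and the policy OID below are
# constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request config. certificatePolicies takes a list of OIDs (or @section when
# qualifiers are wanted); this is the CLI counterpart of the demo program's
# add_ext(exts, NID_certificate_policies, "<oid>") call.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = req_ext
prompt             = no

[ dn ]
CN = policy-demo.example

[ req_ext ]
certificatePolicies = 1.3.6.1.4.1.99999.1.1
EOF

# make_csr: generate a key and a CSR carrying the requested extension.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/req.key" -out "$WORK/req.csr" \
    -config "$WORK/req.cnf" 2>/dev/null
}

# csr_has_policy: exit 0 if the CSR's requested extensions contain the policy OID.
csr_has_policy() {
  openssl req -in "$WORK/req.csr" -noout -text \
    | grep -q 'Policy: 1.3.6.1.4.1.99999.1.1'
}

# sign_csr: act as a throwaway CA. Without -extfile (or -copy_extensions on
# OpenSSL 3.x) `openssl x509 -req` ignores every extension the requester asked for.
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo-ca' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 \
    -config "$WORK/req.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/req.crt" -days 1 2>/dev/null
}

# cert_has_policy: exit 0 if the issued certificate has a certificatePolicies extension.
cert_has_policy() {
  openssl x509 -in "$WORK/req.crt" -noout -text | grep -q 'Certificate Policies'
}

make_csr
if csr_has_policy; then
  echo "CSR carries the requested certificatePolicies extension"
fi
sign_csr
if cert_has_policy; then
  echo "CA copied the requested policy into the certificate (unexpected here)"
else
  echo "CA ignored the requested policy; the certificate has no certificatePolicies"
fi
```

Inspect the two artifacts with `openssl req -text` and `openssl x509 -text` to see the extension listed under "Requested Extensions" in the CSR but absent from the certificate; a CA that wants to honour requested extensions has to opt in explicitly (copy_extensions in the ca section, or -extfile/-copy_extensions for x509 -req), which is the policy decision the replies describe.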