Re: [openssl-users] OpenSSL mail outage tomorrow 1200-1400UTC
On 22/12/14 23:57, Philip Prindeville wrote: > And that's back up and working, right? I've not seen any messages > today, but then again it's the holidays... As far as I am aware all mail has been working today. I've seen emails on openssl-dev and openssl-commits, and they are both run from the same server. Matt ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
Re: [openssl-users] OpenSSL mail outage tomorrow 1200-1400UTC
And that's back up and working, right? I've not seen any messages today, but then again it's the holidays... On 12/22/2014 08:56 AM, Steve Marquess wrote: We've been experiencing some issues with the system that handles @openssl.org E-mail and the mailing lists. The hardware vendor will be swapping the system board Tuesday Dec. 23 beginning at 1200UTC. The outage is expected to take approximately two hours. -Steve M. ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
[openssl-users] OpenSSL mail outage tomorrow 1200-1400UTC
We've been experiencing some issues with the system that handles @openssl.org E-mail and the mailing lists. The hardware vendor will be swapping the system board Tuesday Dec. 23 beginning at 1200UTC. The outage is expected to take approximately two hours. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com marqu...@opensslfoundation.net gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
Re: [openssl-users] How to display root certificate in command line
> But in certificate chain, I only get 2 certificates information (I think this > two > are return by website.) That's right. The server returns up to, but not including, the root. The client is supposed to have the root stored somewhere as an out-of-band trust anchor. This is the way TLS/SSL works. ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
Re: [openssl-users] Differences in openssl 0.9.8 and 1.0.1x for private pem key file
On 22/12/2014 13:57, Dave Thompson wrote: At least for now; there is another thread started just a few days ago about all PEM formats used by OpenSSL suggesting the traditional privatekey forms are obsolete and maybe should be deleted! Please don't do that until 5+ years after 0.9.8 end-of-life. Because private keyswritten by 0.9.8 to securely stored offline media will be using the old formatand need to be usable down the line. Most certificates expire after 5 years orless though a few private keys may be needed much later: 1. Decryption certificates/keys may be needed to decrypt data long after the certificateexpired (in fact, as long as the data remains relevant, think 30+ years for mortgagecontracts, 50+ years for life insurance, and 140+ years for copyright disputes). 2. A few certs (e.g. CA roots and Android developer certs) have very long (30+ years)certificate lifetimes, but those tend to be used regularly over that period, givingplenty of opportunity to convert the private key files. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
Re: [openssl-users] How to display root certificate in command line
On 22/12/2014 11:52, Jerry OELoo wrote: Hi All: I have used openssl command line to get some website's certificate chain. Now, I want to show root certificate information. but I do not find any command argument to do it. openssl s_client -showcerts -CApath /etc/ssl/certs -connect studentexclusives.hsbc.co.uk:443 I use -CApath to set root certificate path. From below, I can get full certificate path. 3 certificates CONNECTED(0003) depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3 verify return:1 depth=0 C = GB, ST = London, L = London, O = HSBC Holdings plc, OU = HTSE, CN = studentexclusives.hsbc.co.uk verify return:1 But in certificate chain, I only get 2 certificates information (I think this two are return by website.) --- Certificate chain 0 s:/C=GB/ST=London/L=London/O=HSBC Holdings plc/OU=HTSE/CN=studentexclusives.hsbc.co.uk i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 -BEGIN CERTIFICATE- ... -END CERTIFICATE- 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 -BEGIN CERTIFICATE- ... -END CERTIFICATE- --- Now I want to also display root certificate "VeriSign Class 3 Public Primary Certification Authority - G5" information, How can I show it? Thanks! This means the web server did not send it, but expects your client/browser to find it (by name) in your local root certificates store, such as /etc/ssl/certs. Look in that directory for "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5" and dump that filedirectly with openssl x509 -text -in /etc/ssl/certs/somefile.pem Unfortunately no currently released version of s_client knows how to dump out the constructed verification chain, there is only an option to dump the server supplied certificates (regardless if those were used by the client or not). Hopefully some future version will have options to dump either or both lists. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
[openssl-users] pkcs11 engine client side authentication
Hi All, I need to authenticate my client with a smartcard in ssl connection. So i am using pkcs11 engine. I have called the functions below, i have successfully read the certificate from smart card. But while connecting to server client does not send any certificate. It happens one side ssl connection, i need two side ssl connection I think, this happened because i didn't give the key id. Is there anyone who knows assigning the key id? set_pin("123456"); set_module("/usr/lib/libakisp11.so"); ENGINE_load_dynamic(); e = ENGINE_new(); result |= !bind_helper(e); result |= !ENGINE_init(e); result |= !ENGINE_register_complete(e); result |= !ENGINE_set_default(e, ENGINE_METHOD_ALL); //get certificate ENGINE_ctrl(e, 205, 0, cert_params, NULL); SSL_use_certificate(mConn->sslHandle, cert_params->cert); ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
Re: [openssl-users] Differences in openssl 0.9.8 and 1.0.1x for private pem key file
> From: openssl-users On Behalf Of Jaya Nageswar > Sent: Monday, December 22, 2014 05:51 > In our application, we have been using openssl 0.9.8 and trying to move to > openssl 1.0.1x as 0.9.8 is going to be EOS by December 2015. We have a > sample application where we try to read a sample pem key file, create an > EVP_PKEY indirectly using PEM_read_bio_PrivateKey [and] try to create > pem key files encrypted using different ciphers like (RC2, RC4 etc.). The mechanism was refactored some, but the visible change is deliberate. There have long been routines for the algorithm-specific "traditional" formats PEM_read/write_RSAPrivateKey/DSAPrivateKey/ECPrivateKey AND for the newer standard and algorithm-generic PKCS8 format PEM_read/write_PKCS8PrivateKey. Through 0.9.8 PEM_write_PrivateKey used (the appropriate one of) traditional formats; in 1.0.0 and later it changed to use PKCS8. If you want to continue writing traditional formats in 1.0.0+ call specifically _write_RSAPrivateKey, _write_DSAPrivateKey, etc. using the algorithm-specific struct from (instead of) EVP_PKEY. At least for now; there is another thread started just a few days ago about all PEM formats used by OpenSSL suggesting the traditional privatekey forms are obsolete and maybe should be deleted! Note all PEM_read_xyzPrivateKey routines can read *either* format, legacy or PKCS8, distinguished by the BEGIN line, although if e.g. you _read_RSAPrivateKey and the file is PKCS8 for *another* algorithm that's an error; if you _read_PKCS8PrivateKey it accepts any algorithm into an EVP_PKEY. If you are writing differently-encrypted privatekey files because you are concerned with key security, note one reason PKCS8 encrypted is preferred over traditional encrypted formats is that PKCS8 allows and OpenSSL uses a much stronger PBE key derivation compared to the older and weaker but now set in stone and unchangeable one for traditional. On checking I see the PEM_most manpage has not been updated for this change. ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
[openssl-users] Differences in openssl 0.9.8 and 1.0.1x for private pem key file
Dear openssl community, In our application, we have been using openssl 0.9.8 and trying to move to openssl 1.0.1x as 0.9.8 is going to be EOS by December 2015. We have a sample application where we try to read a sample pem key file, create an EVP_PKEY indirectly using PEM_read_bio_PrivateKey(BIO *bio, NULL, NULL, NULL) defined in crypto/pem/pem_pkey.c. Once we have the EVP_PKEY, we try to create pem key files encrypted using different ciphers like (RC2, RC4 etc.). As per the latest openssl (1.0.1x), the method PEM_write_bio_PrivateKey defined in crypto/pem/pem_pkey.c gets called in the call flow while writing the pem key to a file. The output of the application is different for openssl 0.9.8 and 1.0.1x. This may be due to the following observations. 1. The structure evp_pkey_st at evp.h for EVP_PKEY got additional members (members const EVP_PKEY_ASN1_METHOD *ameth and ENGINE *engine) got added in openssl 1.0.1x versions 2. The logic in PEM_read_bio_PrivateKey n crypto/pem/pem_pkey.c got changed a little bit and the the data related new membebrs ameth for the structure evp_pkey_st (EVP_PKEY) is getting populated in the else if ((slen = pem_check_suffix(nm, "PRIVATE KEY")) > 0) condition. 3. A new method PEM_write_bio_PrivateKey got added(in 1.0.1x) instead of a MACRO ( IMPLEMENT_PEM_write_cb(crypto/pem/pem_all in 0.9.8) which will indirectly call PEM_ASN1_write_bio. The new method PEM_write_bio_PrivateKey in openssl 1.0.1x calls this PEM_ASN1_write_bio in the else condition. However the if condition of this method has a different call and it is always getting satisfied and hence my output is getting changed. I am using the following private key pem file. -BEGIN RSA PRIVATE KEY- MIIBOQIBAAJBAJNw3CZ0Z15+zkvkigtY1vH75Ow0FIFS3li3sj3OQY5pwYWE/PlE 5FEZxogIi5SEtEY/ZXgy5nGiCAILq8p1ynUCAwEAAQJAeIy+c3KZUdm8MrEZbU2l 8RRTiAzM9zAaO892HLKXRyhTL4l3v+wKt7Y/Yd+q1VUHXLr8VXJ8r/Gjr6NCofBO AQIhAMJTTxqkoomY9hWeHSy5Y9FMG5+qI2IroayqfyyoLIBJAiEAwjw9fk0f+Ntz TvRR5K4HcpnQLf3XebaHt0tI/RVakM0CIFdjX497uhxmzUOrdzNFq73TnBiRSpg7 Rtl/UvGiL2EBAiBQPZah0La+ldoC6gfS0tocy9ImzdDwZSmX3TAf7WxmmQIgJRiG wXMpWytUHRvxPD9scrNyCQ96q7x5w88+yWzXFtE= -END RSA PRIVATE KEY- I have highlighted the executing part of the code for the methods PEM_read_bio_PrivateKey and PEM_write_bio_PrivateKey in the openssl 1.0.1x version. EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u) { char *nm=NULL; const unsigned char *p=NULL; unsigned char *data=NULL; long len; int slen; EVP_PKEY *ret=NULL; if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u)) return NULL; p = data; if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); if(x) { if(*x) EVP_PKEY_free((EVP_PKEY *)*x); *x = ret; } PKCS8_PRIV_KEY_INFO_free(p8inf); } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; X509_SIG *p8; int klen; char psbuf[PEM_BUFSIZE]; p8 = d2i_X509_SIG(NULL, &p, len); if(!p8) goto p8err; if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u); else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u); if (klen <= 0) { PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); goto err; } p8inf = PKCS8_decrypt(p8, psbuf, klen); X509_SIG_free(p8); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); if(x) { if(*x) EVP_PKEY_free((EVP_PKEY *)*x); *x = ret; } PKCS8_PRIV_KEY_INFO_free(p8inf); * } else if ((slen = pem_check_suffix(nm, "PRIVATE KEY")) > 0)* *{* *const EVP_PKEY_ASN1_METHOD *ame
[openssl-users] How to display root certificate in command line
Hi All: I have used openssl command line to get some website's certificate chain. Now, I want to show root certificate information. but I do not find any command argument to do it. openssl s_client -showcerts -CApath /etc/ssl/certs -connect studentexclusives.hsbc.co.uk:443 I use -CApath to set root certificate path. >From below, I can get full certificate path. 3 certificates CONNECTED(0003) depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3 verify return:1 depth=0 C = GB, ST = London, L = London, O = HSBC Holdings plc, OU = HTSE, CN = studentexclusives.hsbc.co.uk verify return:1 But in certificate chain, I only get 2 certificates information (I think this two are return by website.) --- Certificate chain 0 s:/C=GB/ST=London/L=London/O=HSBC Holdings plc/OU=HTSE/CN=studentexclusives.hsbc.co.uk i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 -BEGIN CERTIFICATE- MIIFUDCCBDigAwIBAgIQTw4Fx5Xv3tBjt8gNVOKAjjANBgkqhkiG9w0BAQUFADCB tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTMwODA2 MDAwMDAwWhcNMTUwODA3MjM1OTU5WjCBgTELMAkGA1UEBhMCR0IxDzANBgNVBAgT BkxvbmRvbjEPMA0GA1UEBxQGTG9uZG9uMRowGAYDVQQKFBFIU0JDIEhvbGRpbmdz IHBsYzENMAsGA1UECxQESFRTRTElMCMGA1UEAxQcc3R1ZGVudGV4Y2x1c2l2ZXMu aHNiYy5jby51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOpGrR8P hBbnPeewbha7UitdVHL+Zk7HCQ9Hi67+1GI8HgX+eMRk2w/LHL7gYSNr9ZelIPap ZfTDwBnHyUUH3SAf5ajg5vVFtROCYr9LLFXEW/97Qy6Anh1efJo15eoBXUYVYhBW IMjU6sO9T+kRBMgxoqtVM4WVmy4pN3NqHqF/8D4k+Y+fcBt2Nm3D/YwI+4H7Bt+P ap5oj5uALFdcr+dbO76FomAAJ3vjTw10lBCCdfnKmOjBayAVoz/qz91Fy1BYY9jA l9p1EXml1bYSPJaxfejiyKjHni64cBAMtHyhknlJYDs47mnyp5FLpg3nmxtGCNMR jXPtxRLDrFMAuGsCAwEAAaOCAYwwggGIMCcGA1UdEQQgMB6CHHN0dWRlbnRleGNs dXNpdmVzLmhzYmMuY28udWswCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYD VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEMGA1UdIAQ8MDowOAYKYIZIAYb4 RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz MB8GA1UdIwQYMBaAFA1EXBZTRMGCfh0gqyX0AWPYvnmlMEUGA1UdHwQ+MDwwOqA4 oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1 cmVHMy5jcmwwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz cC52ZXJpc2lnbi5jb20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9TVlJTZWN1cmUtRzMt YWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1cmVHMy5jZXIwDQYJKoZIhvcNAQEFBQAD ggEBAFVoAhJ7Xv0hcv7fkR/mLE+OVhzgkwhTcANZmAuEQwo3ZwHICXg3p/ZjuRe6 4EV1CqSq1RwswG2GtOHFZ+CaC9Fi3lIDVRzaudLkYCF7mtLZls7DF3/HsoJ6muYX P0X3IsQ6hnc6a3ChdyN+IJymW/KRRUtHKmA/BQS8hOGpdmxvZIdgIkrHoAO3EXfk SkESma7BMDeW0DOeGuDhUrvn2N6UdyWSA2cdk6d4fQxWawqOiUtYT+o2oX3imDrg cDKU9HB3eqd0K5nwDFIFlbsZHs6gIGJVJeGVuk07Px5ucOZBFc/UMBBRI3bm2HW4 sjn3tNB8AITr3v3+Evf4vMnbaIs= -END CERTIFICATE- 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 -BEGIN CERTIFICATE- MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG 5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8 f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB 2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAh0dHA6Ly9vY3NwLnZlcmlz aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4 RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp bWFnZS9naWYwITAfMAcGBSsOAwI