RE: Please Remove [EMAIL PROTECTED]
Triguy, remove yourself here.

http://www.openssl.org/support/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carrie
Sent: Thursday, 3 January 2008 8:17 AM
To: openssl-users@openssl.org
Subject: RE: Please Remove [EMAIL PROTECTED]

I’m only a recipient of e-mails from openssl.org. I do not, nor have I ever had any control over their e-mail system or membership information. You need to direct your request to the administrator.

Just a fellow member.

Carrie

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carrie
Sent: Wednesday, January 02, 2008 4:03 PM
To: openssl-users@openssl.org
Subject: RE: Please Remove [EMAIL PROTECTED]

I beg your pardon. Can you redirect your request to [EMAIL PROTECTED] or [EMAIL PROTECTED]

Thank you kindly

Carrie Schlagenhauser
3-D Graphics and Web Design
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom
Sent: Tuesday, January 01, 2008 1:02 PM
To: openssl-users@openssl.org
Subject: Please Remove [EMAIL PROTECTED]

Too many emails for me. Please take me off

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of KOLLURU SURESH
Sent: Tuesday, December 25, 2007 6:08 AM
To: openssl-users@openssl.org
Subject: Hi

Please remove from the mailing list

K. Suresh

K. Suresh
HOD, Dept of Computer Science
Sri Vasavi Engineering College
Tadepalligudem

RE: Dont Hate Me
Well I definitely won't be voting for him, since his followers apparently have no respect.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Thursday, 19 July 2007 11:10 AM
To: openssl-users@openssl.org
Subject: Re: Dont Hate Me

On Wed, Jul 18, 2007 at 05:21:19PM -0700, edf green wrote:

#2 That its important to share an important message regardless of consequence if the message is right. At this point, i believe 100% that the message is worth getting out.

Narcissism must feel pretty good. :-)

and #3 You guys should spend less time whining and more time writing documentation.

Yep. If I was running this list the OP would be unsubscribed already.

--
Viktor.
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          [EMAIL PROTECTED]

AES
Hi,

Does OpenSSL have AES support specifically Rijndael and if so which is the minimum release number we need?

Thanks
Pj

Open SSL Crashes in 0.9.7g
What's the best way to report GPF's for openssl dll's?... having a few self combusting issues with build 0.9.7g

smime encryption
Hi all,

For implementing AS2, where is the best place to look for resources on how to encrypt and decrypt using SMIME via the openssl libraries?

Thanks
Pj.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ralf Hauser
Sent: Tuesday, 19 July 2005 4:33 PM
To: openssl-users@openssl.org
Subject: how to smime decrypt if certificate is lost?

Hi,

If I do still have the public key and private key, I hope I still can use openssl to decrypt a message even if I lost the certificate originally used to encrypt to.

Unfortunately, my attempts fail so far:

    openssl smime -decrypt -in encrypted.eml -recip privKeyAndPubkeyInOtherCert.pem
    Enter pass phrase for privKeyAndPubkeyInOtherCert.pem:
    Error decrypting PKCS#7 structure
    2116:error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificate:pk7_doit.c:430:
    2116:error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error:pk7_smime.c:451:

If I just take the private key, it gets worse:

    openssl smime -decrypt -in encrypted.eml -recip privKeyOnly.pem
    unable to load certificate
    2504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

I guess it is partially explained why this happens (issuer-name, certificate-id pair) in http://marc.theaimsgroup.com/?l=openssl-users&m=110056304510836&w=2

Is there a way to decrypt that eml with openssl anyway short of Derek's ugly hack where he rebuilds a cert with same certificate-id/Issuer from the public key? Kind-of force openssl to use a decryption key irrespective of all other rules it normally implements ...?

Many thanks for any hints in advance!

Ralf

RE: Apache API and ssl certificates.
When you do please tell me!! I have the same problem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fco .J. Arias
Sent: Saturday, 9 July 2005 6:15 AM
To: Lista OPENSSL
Subject: Apache API and ssl certificates.

Hello,

Know anyone how to extract clearly information about certificate of client into C module in apache. For example extract the name of CA that signed the client certificate and use it.

Thanks,
Fran.

Capturing X509 certificate and storing them using the Windows Certificates API
Hi all,

My application needs to support Non-repudiation using X509 certificates ala AS2.

Has anyone had the pleasure of storing X509 client and server certificates in the windows certificate registry / database? And if so, what's the best place to start to convert X509 to the windows format?

Thanks!
Pj.

Dumping SSL Certificates form mod_ssl in apache
Hi all,

I am writing a module for apache that needs to dump client certificate information from mod_ssl which ultimately uses OpenSSL...

Does anyone have any idea how to apply this hook? If this is the wrong forum for this can someone suggest a mailing list?

Thanks..
Pj.

zero byte header files in latest release.
Hey OpenSSL guru guys!

Just downloaded http://www.openssl.org/source/openssl-0.9.7g.tar.gz

ALL the header files in openssl-0.9.7g\include\openssl are zero bytes in length!??

Is there something wrong with the distribution or am I doing something stupid?

Thanks in advance,
Pj.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Thursday, 23 June 2005 10:32 AM
To: openssl-users@openssl.org
Subject: Re: syntax for multiple authorityInfoAccess entries

On Thu, Jun 23, 2005, Dr. Rodney McDuff wrote:

Hi

I'm trying to add multiple caIssuers and OCSP entries to my authorityInfoAccess attribute and I am having some difficulties with getting the right openssl.cnf syntax. I want to add the following (Note LDAP URIs and nasty commas)

    caIssuers;http://server1.domain/certs/ca-certs.p7b
    caIssuers;http://server2.domain/certs/ca-certs.p7b
    caIssuers;ldap://server1.domain/CN=My%20CA,o=ORG,c=AU?crossCertificatePair;binary
    caIssuers;ldap://server2.domain/CN=My%20CA,o=ORG,c=AU?crossCertificatePair;binary
    OCSP;http://server1.domain/ocsp
    OCSP;http://server2.domain/ocsp

How is it done?

To use commas the @section form is mandatory. You also need to keep the LHS unique so something like this should do the trick:

    [EMAIL PROTECTED]
    ...
    [aia_sect]
    OCSP;URI.1=http://www.some.responder.org/
    OCSP;URI.2=http://www.some.other-responder.org/
    caIssuers;URI.3=http://server.whatever.org/cert-path
    caIssuers;URI.4=ldap://server.whatever.org/xxx,yyy

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: SSL_renegotiation using non block sockets
Hi

I did the same thing yesterday myself but because I wanted to implement a timeout solution as well as quick shutdown of my COM object via object notification.

You might be able to hack my work ... this is what I came up with...

It takes a blocking socket, makes it un-blocking... negotiates with timeout and signalling considerations and then passes back normal error codes...

    // SSLConnectWithTimeout, connect to a remote server with timeout
    int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl)
    {
        //-------------------------
        // Set the socket I/O mode: In this case FIONBIO
        // enables or disables the blocking mode for the
        // socket based on the numerical value of iMode.
        // If iMode = 0, blocking is enabled;
        // If iMode != 0, non-blocking mode is enabled.
        int iMode = 1;
        LogInformation2("Running SSL non-blocking connection timeout = %ld", timeout);
        if (timeout)
        {
            // establish non-blocking mode to enable us to time out.
            ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
        }
        // make the connection attempt
        int nRet = SSL_connect(ssl);
        // if we are using a timeout then ...
        if (timeout)
        {
            // Keep the SSL_get_error() code apart from SSL_connect()'s return
            // value: SSL_ERROR_SSL is also 1, so storing it in nRet would make
            // a failed handshake look like a successful connection.
            int err = (nRet == 1) ? SSL_ERROR_NONE : SSL_get_error(ssl, nRet);
            LogInformation2("connect run return value %d.", err);
            LogInformation1("Starting SSL polling loop");
            // get the start time
            DWORD starttime = timeGetTime();
            while ((err==SSL_ERROR_WANT_READ || err==SSL_ERROR_WANT_WRITE) && !isStopEventSignaled())
            {
                // Back off to let the connection happen.
                //Sleep(50);
                // reiterate the connection
                nRet = SSL_connect(ssl);
                err = (nRet == 1) ? SSL_ERROR_NONE : SSL_get_error(ssl, nRet);
                // check for timeout
                if ((timeGetTime() - starttime >= timeout) || m_signalled)
                {
                    // return an error
                    nRet = -1;
                    break;
                }
            }
            LogInformation2("Finished polling loop signalled? %d", m_signalled);
            // if we made it to here with nRet = 1 we are SSL connected
            if (nRet == 1)
            {
                LogInformation2("Successful connection made! returning %d.", nRet);
                // turn off non-blocking mode, back to blocking mode for the rest
                // of the connection
                iMode = 0;
                ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
            }
            else
            {
                // just a log the error, remember logging disappears when compiled
                // without LOG_BUILD defined.
                LogInformation2("Timeout occurred returning %d.", nRet);
            }
        }
        // return connection state: 1 when connected, <= 0 on failure or timeout.
        return nRet;
    }

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 2 June 2005 2:14 PM
To: openssl-users@openssl.org
Subject: SSL_renegotiation using non block sockets

Hi,

I am using Non Blocking sockets, and would like to know the behaviour wrt SSL_renegotiation.

Once I make a call to do_handshake, as the FD is non blocking it will return immediately with a success, but from the application's point of view how will it come to know that the renegotiation in thro' so that it can call SSL_write/SSL_read?

Should the application poll on that do_handshake flag within the ssl control block?

Any suggestion/help appreciated a lot.

Thanks
--Gayathri

RE: Checking for socket read state
Ok... Sorry, maybe that was the wrong question altogether...

I am trying to signal my blocking connection thread to end while OpenSSL is negotiating a connection with SSL_connect.

Is there any way to tell SSL to stop once it enters SSL_connect, perhaps with a non-blocking approach?

Pseudocode Eg:

    SSL_connect
    While not connected and not signalled
        Sleep(1)
    Wend
    If signalled exit
    ...
    SSL_get_peer_certificate
    ...
    Send data
    ...

What is happening is that my application blocks until the SSL negotiation takes place.

Thanks!
Pj.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Tuesday, 31 May 2005 2:00 PM
To: openssl-users@openssl.org
Subject: RE: Checking for socket read state

Hi all quick question of you guru's. If I wish to check to see if data is ready to be read on my SSL connection do I just use normal select or is there something in the SSL libraries that I need to use?

You aren't asking a precise question. For example, if there's data that could be read on the socket, but it's just a chunk of SSL protocol data with no application data, does that mean data is ready to be read? Or not?

If you want to tell if there's data that the kernel has received over the network that the SSL engine has not yet processed, 'select' can tell you that. Or are you trying to find out if there's data that's ready for the application that's already been processed by SSL? Or are you trying to tell if you should ask the SSL engine to process data in the hopes of producing data for the application to read?

DS

Checking for socket read state
Hi all quick question of you guru's.

If I wish to check to see if data is ready to be read on my SSL connection do I just use normal select or is there something in the SSL libraries that I need to use?

I normally use the function below:

    int CheckRead(SOCKET socket)
    {
        struct timeval stTimeOut;
        fd_set stReadFDS;
        fd_set stErrorFDS;

        FD_ZERO(&stReadFDS);
        FD_ZERO(&stErrorFDS);
        FD_SET(socket,&stReadFDS);
        FD_SET(socket,&stErrorFDS);
        stTimeOut.tv_sec=0;
        stTimeOut.tv_usec=0;

        int i;
        i = select(0,&stReadFDS,NULL,&stErrorFDS,&stTimeOut);
        // select returns SOCKET_ERROR (-1) on failure; only a positive
        // count means the fd sets are valid to inspect
        if (i > 0)
        {
            if (FD_ISSET(socket,&stReadFDS))
                return 1;
        }
        return 0;
    }

Thanks!
Pj.

X509 Cert dates
Hi All,

How can I print localised, human readable certificate dates into a null terminated string buffer?

I wish to present the cert dates to the user as well as the fact that the dates are valid or invalid.

Can someone point me to a good source for X509 manipulation?

At the moment my function reads:

    void dumpCertificate(X509 *cert, char *fileName)
    {
        char buf[2044];
        int ret;
        X509_NAME *subj = X509_get_subject_name(cert);
        X509_NAME *issuer = X509_get_issuer_name(cert);
        FILE *fp;

        unlink(fileName);
        fp = fopen(fileName,"w");
        if (!fp) return;

        /* check expiry dates */
        if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
        {
            fprintf(fp, "DateValid:false:Certificate date not yet valid\n");
        }
        else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0)
        {
            fprintf(fp, "DateValid:false:Certificate date expired\n");
        }
        else
            fprintf(fp, "DateValid:true\n");

        /* Subject commonName */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buf, 1024);
        fprintf(fp, "Subject.CommonName:%s\n",(ret < 1)?"":buf);

        /* Subject Organization name */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Subject.OrganizationName:%s\n",(ret < 1)?"":buf);

        /* Subject Email Address */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_pkcs9_emailAddress, buf, 1024);
        fprintf(fp, "Subject.Email:%s\n",(ret < 1)?"":buf);

        /* Issuer Organization name */
        ret = X509_NAME_get_text_by_NID(X509_get_issuer_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Issuer.OrganizationName:%s\n",(ret < 1)?"":buf);

        fclose(fp);
    }

Thanks Heaps!
Phillip.

RE: X509 Cert dates
Thanks Tan! that worked, I'm wondering if there is a way of reading the dates directly to a string buffer my code now reads:

One more question, how do you read the certificate authority from the cert?

    // Read in certificate dates
    // there must be a better way of doing this!
    char bigBuffer[1024] = "";
    BIO *out;
    char * tmpFile = getTempFile();
    out = BIO_new_file(tmpFile, "w+");
    BIO_printf(out, "DateValid.From:");
    ASN1_TIME_print(out, X509_get_notBefore(cert));
    BIO_printf(out, "\r\nDateValid.To:");
    ASN1_TIME_print(out, X509_get_notAfter(cert));
    BIO_printf(out, "\r\n");
    BIO_free(out);
    FILE *fp = NULL;
    fp = fopen(tmpFile, "rb");
    if (fp)
    {
        // read the file, leaving room for the terminator so that a
        // long file cannot overrun bigBuffer
        size_t l = fread(bigBuffer, 1, sizeof(bigBuffer) - 1, fp);
        // null terminate the buffer after the last byte read
        bigBuffer[l] = '\0';
        fclose(fp);
    }
    _unlink(tmpFile);
    free(tmpFile);
    //

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
Sent: Thursday, 26 May 2005 10:30 AM
To: openssl-users@openssl.org
Subject: Re: X509 Cert dates

Hi,

U could try:

    BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
    ASN1_TIME_print(bio, X509_get_notBefore(cert));
    BIO_free(bio);

Tell me if it works.

Pj wrote:

Hi All,

How can I print localised, human readable certificate dates into a null terminated string buffer?

I wish to present the cert dates to the user as well as the fact that the dates are valid or invalid.

Can someone point me to a good source for X509 manipulation?

At the moment my function reads:

    void dumpCertificate(X509 *cert, char *fileName)
    {
        char buf[2044];
        int ret;
        X509_NAME *subj = X509_get_subject_name(cert);
        X509_NAME *issuer = X509_get_issuer_name(cert);
        FILE *fp;

        unlink(fileName);
        fp = fopen(fileName,"w");
        if (!fp) return;

        /* check expiry dates */
        if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
        {
            fprintf(fp, "DateValid:false:Certificate date not yet valid\n");
        }
        else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0)
        {
            fprintf(fp, "DateValid:false:Certificate date expired\n");
        }
        else
            fprintf(fp, "DateValid:true\n");

        /* Subject commonName */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buf, 1024);
        fprintf(fp, "Subject.CommonName:%s\n",(ret < 1)?"":buf);

        /* Subject Organization name */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Subject.OrganizationName:%s\n",(ret < 1)?"":buf);

        /* Subject Email Address */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_pkcs9_emailAddress, buf, 1024);
        fprintf(fp, "Subject.Email:%s\n",(ret < 1)?"":buf);

        /* Issuer Organization name */
        ret = X509_NAME_get_text_by_NID(X509_get_issuer_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Issuer.OrganizationName:%s\n",(ret < 1)?"":buf);

        fclose(fp);
    }

Thanks Heaps!
Phillip.

RE: X509 Cert dates
Thanks guys, you rock!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
Sent: Thursday, 26 May 2005 12:13 PM
To: openssl-users@openssl.org
Subject: Re: X509 Cert dates

Hi Pj,

U could use memory BIO instead - BIO_new(BIO_s_mem()). Data written to the BIO could be accessed by BIO_get_mem_data().

Pj wrote:

Thanks Tan! that worked, I'm wondering if there is a way of reading the dates directly to a string buffer my code now reads:

One more question, how do you read the certificate authority from the cert?

    // Read in certificate dates
    // there must be a better way of doing this!
    char bigBuffer[1024] = "";
    BIO *out;
    char * tmpFile = getTempFile();
    out = BIO_new_file(tmpFile, "w+");
    BIO_printf(out, "DateValid.From:");
    ASN1_TIME_print(out, X509_get_notBefore(cert));
    BIO_printf(out, "\r\nDateValid.To:");
    ASN1_TIME_print(out, X509_get_notAfter(cert));
    BIO_printf(out, "\r\n");
    BIO_free(out);
    FILE *fp = NULL;
    fp = fopen(tmpFile, "rb");
    if (fp)
    {
        // read the file, leaving room for the terminator so that a
        // long file cannot overrun bigBuffer
        size_t l = fread(bigBuffer, 1, sizeof(bigBuffer) - 1, fp);
        // null terminate the buffer after the last byte read
        bigBuffer[l] = '\0';
        fclose(fp);
    }
    _unlink(tmpFile);
    free(tmpFile);
    //

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
Sent: Thursday, 26 May 2005 10:30 AM
To: openssl-users@openssl.org
Subject: Re: X509 Cert dates

Hi,

U could try:

    BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
    ASN1_TIME_print(bio, X509_get_notBefore(cert));
    BIO_free(bio);

Tell me if it works.

Pj wrote:

Hi All,

How can I print localised, human readable certificate dates into a null terminated string buffer?

I wish to present the cert dates to the user as well as the fact that the dates are valid or invalid.

Can someone point me to a good source for X509 manipulation?

At the moment my function reads:

    void dumpCertificate(X509 *cert, char *fileName)
    {
        char buf[2044];
        int ret;
        X509_NAME *subj = X509_get_subject_name(cert);
        X509_NAME *issuer = X509_get_issuer_name(cert);
        FILE *fp;

        unlink(fileName);
        fp = fopen(fileName,"w");
        if (!fp) return;

        /* check expiry dates */
        if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
        {
            fprintf(fp, "DateValid:false:Certificate date not yet valid\n");
        }
        else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0)
        {
            fprintf(fp, "DateValid:false:Certificate date expired\n");
        }
        else
            fprintf(fp, "DateValid:true\n");

        /* Subject commonName */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buf, 1024);
        fprintf(fp, "Subject.CommonName:%s\n",(ret < 1)?"":buf);

        /* Subject Organization name */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Subject.OrganizationName:%s\n",(ret < 1)?"":buf);

        /* Subject Email Address */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_pkcs9_emailAddress, buf, 1024);
        fprintf(fp, "Subject.Email:%s\n",(ret < 1)?"":buf);

        /* Issuer Organization name */
        ret = X509_NAME_get_text_by_NID(X509_get_issuer_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Issuer.OrganizationName:%s\n",(ret < 1)?"":buf);

        fclose(fp);
    }

Thanks Heaps!
Phillip.

Creating self signed client certificates
Please help,

I need to test client certificate authorization on my OBI implementation but I'm darned if I can get Internet explorer to accept my self signed certificates, my certificates are imported successfully but the browser presents an empty certificate window when I hit my webserver

Please, does anybody have the openSSL commands to generate a self signed client certificate for internet explorer that imports successfully?

It's driving me Crazzzy!

Any help would be greatly appreciated.

P.S. all my development including certificate stuff is on an NT box I also have a couple of red hat boxes I can access

Pj...

Re: X509 client verification
Thanks Steve, this is what I came up with yesterday... (untested as yet)

I'll put that X509_get1_email() trick into it.

Thanks again for your reply...

    void dumpCertificate(X509 *cert, char *fileName)
    {
        char buf[1024];
        int ret;
        X509_NAME *subj = X509_get_subject_name(cert);
        X509_NAME *issuer = X509_get_issuer_name(cert);
        FILE *fp;

        fp = fopen(fileName,"w");
        if (!fp) return;

        /* check expiry dates */
        if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
        {
            fprintf(fp, "DateValid: false, Certificate date not yet valid\n");
        }
        else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0)
        {
            fprintf(fp, "DateValid: false, Certificate date expired\n");
        }
        else
            fprintf(fp, "DateValid: true\n");

        /* Subject commonName */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buf, 1024);
        fprintf(fp, "Subject.CommonName: %s\n",(ret < 1)?"":buf);

        /* Subject Organization name */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Subject.OrganizationName: %s\n",(ret < 1)?"":buf);

        /* Subject Email Address */
        ret = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_pkcs9_emailAddress, buf, 1024);
        fprintf(fp, "Subject.Email: %s\n",(ret < 1)?"":buf);

        /* Issuer Organization name (label matches the field actually read) */
        ret = X509_NAME_get_text_by_NID(X509_get_issuer_name(cert), NID_organizationName, buf, 1024);
        fprintf(fp, "Issuer.OrganizationName: %s\n",(ret < 1)?"":buf);

        fclose(fp);
    }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Phillip J Whillier.
Senior software engineer
Ruling Software
[EMAIL PROTECTED];[EMAIL PROTECTED]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Client side SSL_ERROR_SYSCALL
Hi,

continuing my OBI implementation using X509 certificates as backbone, I am implementing the client side, server to server transfers using OpenSSL (0.9.6g)... this is nonblocking async under windows platforms...

Handshaking takes place ok...
Data transfer takes place ok...

always after the last chunk of data is received I get SSL_ERROR_SYSCALL, ErrNo is always set to zero and the OpenSSL error queue is always empty. It seems that maybe my readability check is failing but only after the last chunk is received... Strange indeed.

my read loop goes like this:

    in response to FD_READ:
    forever
    {
        CheckReadability using select
        SSL_read
        ...
        select error code...
            case WANTREAD or WANTWRITE: return
            case else: report error and close connection; return
    }

Should I ignore the error? or am I doing something fundamentally wrong?

my CheckReadability routine goes like this:

    int CSmashNCCtrl::CheckRead(int socket)
    {
        struct timeval stTimeOut;
        fd_set stReadFDS;
        fd_set stErrorFDS;

        FD_ZERO(&stReadFDS);
        FD_ZERO(&stErrorFDS);
        FD_SET(socket,&stReadFDS);
        FD_SET(socket,&stErrorFDS);
        stTimeOut.tv_sec=0;
        stTimeOut.tv_usec=0;

        int i;
        i = select(0,&stReadFDS,NULL,&stErrorFDS,&stTimeOut);
        // select returns SOCKET_ERROR (-1) on failure; only a positive
        // count means the fd sets are valid to inspect
        if (i > 0)
        {
            if (FD_ISSET(socket,&stReadFDS))
                return 1;
        }
        return 0;
    }

Thanks!
Pj.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Phillip J Whillier.
Senior software engineer
Ruling Software
[EMAIL PROTECTED];[EMAIL PROTECTED]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Dr. Stephen = RE: Weird input :-( on Certificate Generation
Dr. Stephen

Shoot! I'm not running unix, (win32) so I can't read the manpages!

Any chance of dumping that page for me?? I would greatly appreciate it...

Thanks.
Pj.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Saturday, 28 December 2002 8:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Weird input :-( on Certificate Generation

On Sat, Dec 28, 2002, Pj wrote:

I want to automate self signed certificate generation for my customers, so that my software detects expiration of the certificate and runs the appropriate commands to generate the new cert.

Like this:

    openssl genrsa -rand .rnd -out key.pem 1024
    openssl req -new -key key.pem -out cert.pem -x509 -config openssl.cnf < theData.txt

theData.txt would contain lines to feed stdin ( req.c contains fgets(buf,1024,stdin) )

However the openssl.exe comes up with weird input :-( whenever I try this, due to a missing \n in the data, even though each line in theData.txt ends in hex 0D0A

This is a little confusing, so before I hack req.c, does anyone have a suggestion about this? Maybe someone has done this already and knows of the black art I am missing.!

Alternately is there a way of putting the data into the openssl.cnf file, so that no prompts from stdin need to take place at all?

Yes, its in the fine manual for req...

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/

RE: Weird input :-( on Certificate Generation
Ignore my last silly statement about the man pages, sorry.

Pj.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Saturday, 28 December 2002 8:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Weird input :-( on Certificate Generation

On Sat, Dec 28, 2002, Pj wrote:

> I want to automate self signed certificate generation for my customers, so that my software detects expiration of the certificate and runs the appropriate commands to generate the new cert.
>
> Like this:
>
>     openssl genrsa -rand .rnd -out key.pem 1024
>     openssl req -new -key key.pem -out cert.pem -x509 -config openssl.cnf < theData.txt
>
> theData.txt would contain lines to feed stdin ( req.c contains fgets(buf,1024,stdin) )
>
> However the openssl.exe comes up with "weird input :-(" whenever I try this, due to a missing \n in the data, even though each line in theData.txt ends in hex 0D0A.
>
> This is a little confusing, so before I hack req.c, does anyone have a suggestion about this? Maybe someone has done this already and knows of the black art I am missing!
>
> Alternately is there a way of putting the data into the openssl.cnf file, so that no prompts from stdin need to take place at all?

Yes, it's in the fine manual for req...

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
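The config-file route that the reply above points to in the req manual, written out as an added example; it is not code from the thread or from the OpenSSL project. With `prompt = no` the distinguished-name section holds the field values themselves, so nothing is fed through stdin; the subject values, file names, 30-day threshold and 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example: unattended self-signed renewal driven by a req config file.
# Subject values, file names and the 2048-bit key size are constructed
# placeholders, not values from the thread.

# Write a req config. With "prompt = no" the DN section carries the field
# values themselves, so req never reads answers from stdin.
write_req_cnf() {   # $1 = config path, $2 = common name
    cat > "$1" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = req_dn

[ req_dn ]
C  = AU
O  = Example Pty Ltd
CN = $2
EOF
}

# Succeeds (0) when the certificate is missing, unreadable, or expires
# within $2 seconds.
needs_renewal() {   # $1 = cert path, $2 = seconds
    [ -f "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Generate key and certificate under temporary names, then move them into
# place only if both steps succeeded, so a failed run keeps the old pair.
renew_selfsigned() {   # $1 = directory, $2 = common name, $3 = validity days
    write_req_cnf "$1/req.cnf" "$2" || return 1
    ( umask 077; openssl genrsa -out "$1/key.pem.new" 2048 2>/dev/null ) &&
    openssl req -new -x509 -config "$1/req.cnf" -key "$1/key.pem.new" \
        -days "$3" -out "$1/cert.pem.new" &&
    mv "$1/key.pem.new" "$1/key.pem" &&
    mv "$1/cert.pem.new" "$1/cert.pem"
}

# Stand-alone use: sh renew.sh run  (renews ./cert.pem within 30 days of expiry)
if [ "${1:-}" = "run" ]; then
    if needs_renewal ./cert.pem 2592000; then
        renew_selfsigned . server.example.com 365
    fi
fi
```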
Re: Building openssl on Win2K
Hey dude,

built ok here, after some tweaks to my server code, all is sweet, send you the SSLeay binaries if u like...

Pj.

----- Original Message -----
From: Thomas J. Hruska [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 01, 2002 2:12 AM
Subject: Re: Building openssl on Win2K

At 11:09 AM 10/31/2002 -0800, [EMAIL PROTECTED] writeth:

> Okay, I give up. I followed the build instructions in INSTALL.W32 for VC++ only to find an unparseable makefile (ntdll.mak) with carriage returns embedded in the names of two macros (e.g. SSL^MOBJ=$(OBJ_D)\ssl.obj ...). When I fixed that, I discovered that the makefile was attempting to copy files from the $(SRC_D
>
> Rather than perform the major surgery required to fix that gaffe, I decided to fall back, regroup and try plan B, building under Cygwin. That got me as far as the first call to gcc:
>
>     -c -o cryptlib.o cryptlib.c
>     cryptlib.c:105: #error Inconsistency between crypto.h and cryptlib.c
>
> cryptlib.c checks for
>
>     #if CRYPTO_NUM_LOCKS != 29
>     # error Inconsistency between crypto.h and cryptlib.c
>     #endif
>
> Of course, crypto.h says 29 but that doesn't seem to impress cryptlib.c. At this point I started to get suspicious...
>
> If so, can I please hear from you as to how you managed the feat?

If you just need a default build of OpenSSL for the Win32 Platform, check out the Win32 OpenSSL Installation Project:

http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL

It comes with development libraries to link with (for VC++, Borland C++ Builder 5 (3 4?), and MinGW), pre-compiled DLLs, and the entire command-line toolset pre-built for programmers and end-users all in a really nice, fast, and easy installation package for point-and-clickers.

This project also cuts out many legal issues since your product can rely on OpenSSL being installed, but not having to distribute binaries. For most users, they can rely on the same code base you use to develop with (a _HUGE_ plus when it comes to support for the product). Just point at the Win32 OpenSSL Project when distributing your product.

Hope this helps!

Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- Meeting the needs of fellow programmers
http://www.shininglightpro.com/
Re: SSL_read() fails for IE 6.0 ?
Asad,

Check your sockets ALWAYS before reading or writing. A bit of seek() code should fix this. SSL fires extra read and write events (async sockets win32) that are actually handled internally by the SSL protocols. You must check for readability/writability before attempting to get data from the socket, also be aware that connections can stall (due to this anomaly) and must be flagged as such, to retry the (especially SSL_write's) later.

Have fun!
Pj.

----- Original Message -----
From: Asad Ali [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November 02, 2002 8:19 AM
Subject: SSL_read() fails for IE 6.0 ?

Hi,

I am new to OpenSSL and am running into a strange behavior in my web server application. The web server uses OpenSSL library from 0.9.6g distribution. When the web server is accessed via Netscape 4.76 browser, it works fine. However, the same URL fails when using IE 6.0.26.

The problem happens because the first call to SSL_read(), after handshake, returns zero bytes. I am, therefore, unable to read the GET message from IE. Has anyone seen this kind of behavior before? I am using Cygwin on Windows 2000 system.

thanks,
--- asad