RE: Openssl signature verification
Dear All,

Thank you Dave Thompson for your help and clarifying my doubt.

Thank you.
Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Saturday, January 31, 2009 8:11 AM
To: openssl-users@openssl.org
Subject: RE: Openssl signature verification

> From: owner-openssl-us...@openssl.org On Behalf Of Ajeet kumar.S
> Sent: Friday, 30 January, 2009 00:07

> In openssl API X509_verify(X509 *a, EVP_PKEY *r) is used to verify the signature of certificate. I have some doubt please help me.
> Is in this API we are passing the CA certificate and public key of CA certificate?

We pass any cert and the key we believe (are told) will verify it. CA root certs are self-signed; the key _in_ the cert is used to sign it, or to be precise the keypair whose public half is in the cert is used. As a result you can't trust a root cert simply because the signature verifies; you must have other evidence this is the/a valid root cert from/for a given CA, such as a trusted distribution or manually-checked fingerprint. Lower-level CA certs (if any) and end-entity certs are signed by a parent cert, or to be precise by a keypair whose public half is certified by the parent cert.

If you instead use X509_verify_cert, it tries several methods to find and verify the whole cert chain (from a root) by looking in (data from) a configurable file and/or (hashed) entries in a configurable directory. If you want to do this job or part(s) of it yourself, you can look at that for an example, but it's pretty complicated.

> What is data over SSL compute the HASH?

The DER-encoded CertificateInfo portion of the cert, which is the first element in the outermost SEQUENCE and contains version, serial, copy of sig-algid, issuer name, subject name publickey, validity period, and for v3 optional extensions such as keyusage, subjectaltname, keyids, etc. This is everything in the cert except the appended algid and signature, and is indented under Data: in the display from openssl x509 -text .

> SSL will decrypt the CA signature (Which is on CA certificate bundle)?
> Decrypted CA Signature will match to above HASH.(query 2)?

For RSA signatures this is approximately true. You actually raise the signature value to the public exponent (like RSA encryption) rather than the private exponent (as for RSA decryption), and the (standard) padding is different for sign/verify than for encrypt/decrypt.

For DSA signatures this is not true at all. There is no corresponding encryption or decryption; there is simply a signing algorithm and a verifying algorithm. You apply the verifying algorithm to determine if the received signature is correct for the (recomputed) hash.

You separately asked
> In Openssl for signature verification we are using API ASN1_item_verify(). Let me know the data which is used for finger print (signature) creation is the CA public key or some thing else data . Please clarify this doubt. How we are verifying the signature?

If you mean in crypto/x509/x_all.c X509_verify(), we are verifying the signature in the cert, of the data in the cert, using the key. No fingerprint is involved. This only applies to X509 certs; the verification of signatures on other things is similar but not identical.

Fingerprints can be used in lots of situations and ways. _PKI_ fingerprints can meaningfully be computed on either the whole CertificateInfo thus verifying all the attributes directly, or just on the publickey since that is enough to verify the signature. But a fingerprint is not a signature; it does not itself have any cryptographic protection.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
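The check Dave Thompson describes above, as an added Python sketch (not code from the thread and not OpenSSL's implementation): it splits a certificate into the signed CertificateInfo bytes and the signature, verifies an RSA signature by raising it to the public exponent and comparing with the padded SHA-256 hash, and shows that a self-signed root verifies under its own key whoever made it, so a fingerprint obtained out of band is what tells two roots apart. Assumptions: the toy keys are built from Mersenne primes, the certificate body holds only issuer and subject, and every name and function here is made up for the example.

```python
import hashlib

# DigestInfo DER prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), content octets only.
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def make_key(p, q, e=65537):
    """Toy RSA key from two known primes. Constructed for the demo, not secure."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf, pos):
    """Return (tag, content_start, end) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, n = pos + 2, first
    else:
        start = pos + 2 + (first & 0x7F)
        n = int.from_bytes(buf[pos + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + n

def split_certificate(cert):
    """Split SEQUENCE { tbs, algid, BIT STRING } into (tbs_bytes, signature)."""
    tag, start, end = read_tlv(cert, 0)
    if tag != 0x30 or end != len(cert):
        raise ValueError("expected one outer SEQUENCE")
    _, _, tbs_end = read_tlv(cert, start)
    _, _, alg_end = read_tlv(cert, tbs_end)
    sig_tag, sig_start, sig_end = read_tlv(cert, alg_end)
    if sig_tag != 0x03 or cert[sig_start] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    # The signed data is the first element, including its own tag and length.
    return cert[start:tbs_end], cert[sig_start + 1:sig_end]

def encode_hash(tbs, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(tbs))."""
    t = SHA256_PREFIX + hashlib.sha256(tbs).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(tbs, key):
    """Issuer side: padded hash raised to the private exponent."""
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(encode_hash(tbs, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def verify_cert(cert, n, e):
    """Verifier side for RSA: signature^e mod n must equal the padded hash of tbs."""
    tbs, sig = split_certificate(cert)
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == encode_hash(tbs, k)

def make_cert(issuer, subject, signer):
    """Simplified certificate: tbs holds only issuer and subject (assumption)."""
    tbs = der(0x30, der(0x0C, issuer) + der(0x0C, subject))
    algid = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    return der(0x30, tbs + algid + der(0x03, b"\x00" + sign(tbs, signer)))

def fingerprint(cert):
    """Plain SHA-256 of the encoding: no key involved, so anyone can compute it."""
    return hashlib.sha256(cert).hexdigest()

# Constructed keys built from Mersenne primes, so the demo runs offline.
CA_KEY = make_key(2**521 - 1, 2**607 - 1)
OTHER_KEY = make_key(2**521 - 1, 2**1279 - 1)

ROOT = make_cert(b"Example Root CA", b"Example Root CA", CA_KEY)           # self-signed
SERVER = make_cert(b"Example Root CA", b"server.example", CA_KEY)          # signed by the root key
OTHER_ROOT = make_cert(b"Example Root CA", b"Example Root CA", OTHER_KEY)  # same names, other key
TAMPERED = SERVER.replace(b"server.example", b"server.exampl3")            # one byte of tbs changed

if __name__ == "__main__":
    ca = (CA_KEY["n"], CA_KEY["e"])
    for name, cert in [("root", ROOT), ("server", SERVER),
                       ("tampered", TAMPERED), ("other root", OTHER_ROOT)]:
        print(f"{name:10} verifies under CA key: {verify_cert(cert, *ca)}")
    print("other root under its own key:",
          verify_cert(OTHER_ROOT, OTHER_KEY["n"], OTHER_KEY["e"]))
    print("fingerprints differ:", fingerprint(ROOT) != fingerprint(OTHER_ROOT))
```

Both self-signed roots pass the signature check under their own keys; only the fingerprint comparison against a value obtained from a trusted source separates them.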
Openssl signature verification
Dear All,

In openssl API X509_verify(X509 *a, EVP_PKEY *r) is used to verify the signature of certificate. I have some doubt please help me.

1. Is in this API we are passing the CA certificate and public key of CA certificate?
2. What is data over SSL compute the HASH?
3. SSL will decrypt the CA signature (Which is on CA certificate bundle)?
4. Decrypted CA Signature will match to above HASH.(query 2)?

Please tell me.

Thank you.
Regards,
--Ajeet Kumar Singh
Issue related to Finger print
Dear All, In Openssl for signature verification we are using API ASN1_item_verify(). Let me know the data which is used for finger print (signature) creation is the CA public key or some thing else data . Please clarify this doubt. How we are verifying the signature? Thank you. Regards, --Ajeet Kumar Singh
How to verify server signature using openssl API
Dear all, I want to verify server certificate signature. So please tell me how to verify server certificate signature using Openssl API. What API I need to use for signature verification? Thank you. Regards, --Ajeet Kumar Singh
How to check Server certificate and signature?
Dear All, I have one doubt how to check the signature. And I saw server is sending the server certificate, can we check this certificate or what is use of this(certificate come from server side) certificate. In peer verification, at client side checking the system time, which is lying in the range of time given in CA certificate. If we will give wrong time(which is lying in between range of time in CA certificate ) instead of current time of system then also it is working. So I have doubt can we remove this issue or it will check server time also. Please tell me. Thank you. Regards, --Ajeet Kumar Singh
RE: How to check Server certificate and signature?
Dear All,

Thank you Ger Hobbelt for your help. I want to validate only the signature of the server certificate. For example in peer verification, ssl will check time of client system(6:28PM 23 Jan 2009) to Ca root certificate validity time after client hello process.

Validity
    Not Before: Aug 1 00:00:00 1996 GMT
    Not After : Dec 31 23:59:59 2020 GMT

If in our application code I don't want to validate with system Time To validity period of time(Not Before and Not After). I want to validate to signature of the server certificate. Can I validate to signature of server certificate. Please reply me.

Thank you.
Regards,
--Ajeet Kumar Singh
RE: openssl 0.9.4
Yes.

Thank you.
Regards,
--Ajeet Kumar Singh

________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Leo, Liangyou Wang (liangwan)
Sent: Monday, January 19, 2009 7:40 AM
To: openssl-users@openssl.org
Subject: openssl 0.9.4
Importance: High

Hi All,

Could you give me quick reply that whether openssl 0.9.4 could support multi-threads application?

Thanks and regards,
Leo
RE: About OPENSSL platform
Hi Wang,

It will support AMD also. Openssl only depends upon OS like window, unix etc. Please check what OS you are using.

Regards,
--Ajeet Kumar Singh

________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Leo, Liangyou Wang (liangwan)
Sent: Monday, January 19, 2009 6:59 AM
To: openssl-users@openssl.org
Subject: About OPENSSL platform
Importance: High

Hi All,

Could you do me a favor to know whether openssl support to run on opteron (AMD) platform? If yes, which version? And how to set configure file?

Thanks and regards,
Leo
RE: reducing the size of openssl package
U should enable require Preprocessor for Encryption and Auth. Algorithm.

Thank you.
Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of harihar
Sent: Wednesday, January 07, 2009 6:35 PM
To: openssl-users@openssl.org
Subject: reducing the size of openssl package

Does any one have an idea of how to reduce the size of openSSL package. As the package contain lot of things which r not used in my project. please reply

--
View this message in context: http://www.nabble.com/reducing-the-size-of-openssl-package-tp21330938p21330938.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
How can I select selected cipher suites...
Dear All, Thank you Dr. Stephen Henson for your Help. I want to enable some selected cipher suite like TLS_RSA_WITH_AES_256_CBC_SHA. Can it is possible. I selected some specific Algorithm RSA, 3DES, AES,DES, SHA and MD5. So I want to enable cipher suite which support to above algorithms only. Can I use any API? Please guide me on this. Thank you. Regards, --Ajeet Kumar Singh
Re: how to enable only AES,DES/3DES, RSA algorithm by using MACRO
Dear All, Thank you Ger Hobbelt for your help. Actually I tried using your suggestion. I have doubt it is necessary to use HASH Algorithm(SHA and MD5) for SSL connection. We can not use only DES, 3DES and AES, RSA Algorithms. Please clarify doubt. Thanks a lot. Thank you. Regards, --Ajeet Kumar Singh
Please tell me how to enable only AES,DES/3DES, RSA algorithm by using MACRO
Hi All, I want to enable only DES/3DES, AES and RSA Algorithm. So please tell me any preprocessor definition by using which we can enable only DES/3DES, AES and RSA algorithm. I don't want to use other algorithm except above three. Thank you. Regards, --Ajeet Kumar Singh
how to enable only AES,DES/3DES, RSA algorithm by using MACRO
Dear All, I want to enable only DES/3DES, AES and RSA Algorithm. So please tell me any preprocessor definition by using which we can enable only DES/3DES, AES and RSA algorithm. I don't want to use other algorithm except above three. Is any macro kind of thing is there by which we can enable only above mention algorithms? Thank you. Regards, --Ajeet Kumar Singh
RE: help
Please take reference file s_client.c and s_server.c from openssl project in folder apps.

Thank you.
Regards,
--Ajeet Kumar Singh

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of vinni rathore
Sent: Monday, November 17, 2008 2:10 PM
To: openssl-users@openssl.org
Subject: Re: help

As u said that if u use already provided certificates then it work fine right... it means that your certificates are not proper at both end.. means may be there is any mismatching of the certificates.. may be u r missing something.. it just my assumptions..

Also u sent me the errors that shows there is some reading problem could u please send me the flow of API's u r using for the ur client and server...

On Mon, Nov 17, 2008 at 4:34 PM, naveen.bn [EMAIL PROTECTED] wrote:

vinni rathore wrote:

What is ur failure error messages can u please send them...

On Fri, Nov 14, 2008 at 10:21 PM, Michael Simms [EMAIL PROTECTED] wrote:

I am a new to SSL. I have installed openssl and using the SSL APIs , I have written a small client - server program in C, but SSL_connect fails from client end and SSL_accept fails from server. I have generated the root CA certificate, which I have used to sign both the client and server certificate.

Are you aware you need to call SSL_connect and SSL_accept a number of times, checking the error return to see if it WANTS_READ or WANTS_WRITE, and reading/writing as appropriate? It can take a number of calls to to the connect/accept before it finishes the job.

Thanks
--
Michael Simms

--
regards,
Vineeta Kumari
Software engg
Mobera Systems
Chandigarh

Hi ,

Thanks for the reply. After the SSL_connect(ssl) , I called SSL_get_error(ssl,ret) and the ret value is 0 always . At the server end SSL_accept returns 0 with SSL_ERROR_NONE. Is there any other way of debugging the client code to find out where it is failing.

If i use the same certificates with the command line server and client provided with the openssl tool it works.

Thanks and regards
naveen

--
regards,
Vineeta Kumari
Software engg
Mobera Systems
Chandigarh
RE: Key.pme expiration problem
Please check time function gtime() or gtime_r() return some time that is going to compare certificate time before and after time. Then it will return expire or going to expire. Please check it.

Thank you.
Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Knight
Sent: Thursday, November 06, 2008 12:34 AM
To: openssl-users@openssl.org
Subject: Key.pme expiration problem

Hello,

Yesterday I created a new certificate request for use with Sendmail and STARTTLS. I signed the request with my existing CA. This morning I'm getting messages from certwatch say the key and cert are expired or are going to expire in less than 7 days. My CA is good till December 2010, and the request is good until November 2009. When I run certwatch I get these errors...

unable to load certificate
5143:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5173:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5203:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5235:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5260:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'

I have 5 files (3 certs and 2 keys) in /etc/mail/certs where certwatch is watching and they all give this error. Only 1 cert and key is from yesterday. The other 3 have been there for almost a year.

Is there a way to check the date on the key files to verify that they are expiring. Is the error above causing the problem?

Thanks,
Rick
RE: Key.pem expiration problem
Please check time function gtime() or gtime_r() return some time that is going to compare certificate time before and after time. Then it will return expire or going to expire. Please check it.

Thank you.
Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Knight
Sent: Thursday, November 06, 2008 4:57 AM
To: openssl-users@openssl.org
Subject: Key.pem expiration problem

Hello,

Yesterday I created a new certificate request for use with Sendmail and STARTTLS. I signed the request with my existing CA. This morning I'm getting messages from certwatch say the key and cert are expired or are going to expire in less than 7 days. My CA is good till December 2010, and the request is good until November 2009. When I run certwatch I get these errors...

unable to load certificate
5143:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5173:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5203:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5235:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'
unable to load certificate
5260:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
date: invalid date `+%s'

I have 5 files (3 certs and 2 keys) in /etc/mail/certs where certwatch is watching and they all give this error. Only 1 cert and key is from yesterday. The other 3 have been there for almost a year.

Is there a way to check the date on the key files to verify that they are expiring. Is the error above causing the problem?

Thanks,
Rick
Problem related to Peer Certificate verification....
Hi all, Actually we have one CA certificate is provided by service server (That is root certificate in .pem format and .crt format). I used that certificate to verify the peer. I got unknown CA. I saw that certificate was coming from service server having thawte CA and having issuer and subject information related to thawte and we have CA root certificate having service server as CA and information related to service server. So please let me know how to verify the peer certificate. And to solve this issue. Thank you. Regards, --Ajeet Kumar Singh
Problem related to self signed certificate peer verification
Dear All, I have self signed root certificate. I want to verify the peer certificate. In API static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer). I saw function calling X509_check_issued(issuer, x); where they are matching issuer and subject. But I saw server is sending the Thawte as server CA (issuer and subject). But self sign certificate having server name(service provider name and email) in subject and issuer. So openssl always returning unknown CA due not matching of issuer and subject. So please help me how to debug this problem to verify the peer using our self signed root certificate (which is provided by service provider). Thank you. Regards, --Ajeet Kumar Singh
RE: non-blocking version of SSL_peek
I think it is depend upon how you configured.

Thank you.
Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of vne
Sent: Wednesday, October 08, 2008 4:26 PM
To: openssl-users@openssl.org
Subject: non-blocking version of SSL_peek

Hi,

Can anyone tell me if SSL_peek is a blocking or non-blocking call ? When I use it inside my code, then the program blocks on this function call where there is no data on the socket.

The reason I want to use this call is that before closing the SSL connection by using 'SSL_shutdown', I want to make sure that there is no pending data present on this connection.

Is there any method to make the call SSL_peek non-blocking,i.e. it should return if there is no data present on SSL connection like that happens with tcp peek by using option MSG_PEEK|MSG_DONTWAIT. Or can SSL_pending be used for this purpose?

Please suggest...

I am using openSSL version 0.9.7b.

--
View this message in context: http://www.nabble.com/non-blocking-version-of-SSL_peek-tp19876548p19876548.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
How to verify peer certificate
Dear All; Thank you all of you for your support. When I called SSL_CTX_load_verify_locations() and SSL_CTX_set_verify() to verify the peer certificate but I got fatal error unknown certificate authority. Please let me know what is reason behind it. But I have CA certificate, client certificate and keys. I set properly. Please tell me how to debug it? What is reason behind it. Thank you. Regards, --Ajeet Kumar Singh
How to verify peer certificate using self signed root CA certificate.
Dear All, I have self signed root certificate I want to verify the peer certificate. Please tell me how to verifying. What API I need to call. Thank you. Regards, --Ajeet Kumar Singh
Problem Regarding of CA certification peer verification..
Dear All; Thank you all of you for your support. When I called SSL_CTX_load_verify_locations() and SSL_CTX_set_verify() to verify the peer certificate but I got fatal error unknown certificate authority. Please let me know what is reason behind it. But I have CA certificate, client certificate and keys. I set properly. Please tell me how to debug it? What is reason behind it. Thank you. Regards, --Ajeet Kumar Singh
RE: Reading certificate and public key from memory
Hi Dan,

Please try like:

    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/pem.h>
    #include <openssl/ssl.h>

    /* Every PEM line, including the BEGIN and END lines, ends with "\n". */
    char *key =
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "jGK1T++C+Np4As+ KoaO2NCiCBN5UQJRzXBsZvLDoN6IcfxJwXklp560jrKiIZ8VU\n"
        /* .. . */
        "Drys2uVaAzmRhS6tGJ2fdwPnlSLJrQbHuP938BkyxNhdYN8drfqb\n"
        "-----END RSA PRIVATE KEY-----\n";
    BIO *bio = BIO_new_mem_buf(key, -1);   /* -1: length is taken with strlen() */
    SSL_CTX *sslctx;                       /* the application's SSL_CTX */
    EVP_PKEY *pktmp = NULL;

If key don't have password protected

    pktmp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);

if your key having in PKCS12 format and password protected. Please try like This

    pktmp = PEM_read_bio_PrivateKey(bio, 0, sslctx->default_passwd_callback,
                                    sslctx->default_passwd_callback_userdata);
    if (pktmp == NULL) {
        char buffer[120];
        ERR_error_string(ERR_get_error(), buffer);
        fprintf(stderr, "OpenSSL error: %s", buffer);
    }
    SSL_CTX_use_PrivateKey(sslctx, pktmp);
    EVP_PKEY_free(pktmp);

Please try above. If you are again facing problem. Then please read key using file pointer using fread(char *key will point private key) and please compare to hardcode key pointer and key pointer from file. Because it is working.

Thank you.
Regards,
--Ajeet Kumar Singh

________________________________
From: Dan Ribe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2008 5:41 PM
To: Ajeet kumar.S
Subject: Re: Reading certificate and public key from memory

Hey,

How are u doing ? Was trying to read my private key from the mem buffer like :

    char *key =
        "-----BEGIN RSA PRIVATE KEY-----"
        "jGK1T++C+Np4As+ KoaO2NCiCBN5UQJRzXBsZvLDoN6IcfxJwXklp560jrKiIZ8VU"
        "N2AZVq28yjqt3RYaRPn0xhbmLfWH/o+wzlg58wIDAQABAoIBAAHEep7qWWMFWsbc"
        /* .. .. */
        "DwiD1OKnxTlAvZPkTSCS+QKBgDkXMM+2jyeRPwpUEyZjqYveVb5zc3HJMMGbpI/p"
        "09dirkd+sRoXWShF8ctVVb4B1PAFTOBEa8diickehnAyEq6KhzLWpQqhqCnylETw"
        "Drys2uVaAzmRhS6tGJ2fdwPnlSLJrQbHuP938BkyxNhdYN8drfqb"
        "-----END RSA PRIVATE KEY-----";
    int keyLength = strlen(key);
    BIO *bio = BIO_new_mem_buf(key, keyLength);
    EVP_PKEY *pktmp = NULL;
    pktmp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
    if (pktmp == NULL) {
        char buffer[120];
        ERR_error_string(ERR_get_error(), buffer);
        fprintf(stderr, "OpenSSL error: %s", buffer);
    }

But PEM_read_bio_PrivateKey() always returns an error like :

    OpenSSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line

Any Help ?

Thanks much.
Cheers !

On Tue, Sep 30, 2008 at 2:33 PM, Ajeet kumar.S [EMAIL PROTECTED] wrote:

Hi Dan,

I am solving this issue. I will get you back soon. It is not required to change in other format. You can use .PEM format.

Thank you.
Regards,
--Ajeet Kumar Singh

________________________________
From: Dan Ribe [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2008 2:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Reading certificate and public key from memory

Hi Ajeet,

Just wondering whether you was able to solve this one or not. Actually I have similar problem in front of me. I want to read the private key directly from the memory buffer. Currently I have the private key in form of a file (.pem) on disk. I want to hard code its contents in my code read them directly from there. Doing so because I don't want to distribute the private key with my product. If you have already done this. Please share following information.

1. How to hard code the value in some string buffer (how to convert the .pem file to the required format).
2. How to read the key information from the memory buffer.

Please give me some sample code, that will make my life much easier. Hoping for a prompt reply from your side.

thanks much
Cheers !

On Mon, Sep 15, 2008 at 10:11 AM, Ajeet kumar.S [EMAIL PROTECTED] wrote:

Dear All,

In open ssl I saw we were passing file name of certificate and public key. In openssl we used this name and reading certificates keys from that file. If instead of file name we want to pass char pointer which point to address of certificate and public key respectively. Is it possible? Actually I don't want to read certificates and keys from file .I want to pass one memory pointer for each certificate and keys respectively which stored both certificate and keys respectively. Please tell me how to possible.

Thank you.
Regards,
--Ajeet Kumar Singh
.der to .crt file conversion
Hi All, Can we convert .der to .crt file? Please suggest me. How we can convert it using open ssl? Thank you. Regards, --Ajeet Kumar Singh
Problem Related to Peer certificate verification.
Dear All, I want to verify the peer certificate (server certificate). For that we need CA Certificate, Let me know we required ROOT CA certificate in PEM format or in any other format, open ssl will support. Actually I called SSL_CTX_load_verify_locations() after that I called SSL_CTX_set_verify(). But I saw response: certificate expire. But I saw in certificate it is mention end validation date in 2014. Actually I converted .der format certificate to .pem format using openssl utility. I tried .der certificate directly but also not get success. Please let me know what is reason behind it? How we can remove this error? Thank you. Regards, --Ajeet Kumar Singh
RE: .der to .crt file conversion
Dear All,

Thank you Vineeta for your help.

> hi.. you can simply rename the .pem format to .crt. It will work fine..

As above you mention conversion from .pem to .der but .PEM format having only certificate having like given below:

-----BEGIN CERTIFICATE-----
-- - -
-----END CERTIFICATE-----

But .der format having some more other information so I think just renaming is not correct way.

Thank you.
Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of vinni rathore
Sent: Wednesday, September 24, 2008 6:34 PM
To: openssl-users@openssl.org
Subject: Re: .der to .crt file conversion

hi.. you can simply rename the .pem format to .crt . It will work fine..

On Wed, Sep 24, 2008 at 3:12 PM, Ajeet kumar.S [EMAIL PROTECTED] wrote:

Hi All,

Can we convert .der to .crt file? Please suggest me. How we can convert it using open ssl?

Thank you.
Regards,
--Ajeet Kumar Singh

--
regards,
Vineeta Kumari
Software engg
Mobera Systems
Chandigarh
RE: .der to .crt file conversion
Dear All;

Thank you Marek Marcola for your help. I tried your suggestion. I got out put but it displayed in command window. But I want to save it in form of file .crt. Please advice me on that also.

Thank you.
Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2008 7:00 PM
To: openssl-users@openssl.org
Subject: RE: .der to .crt file conversion

Hello,

[EMAIL PROTECTED] wrote on 09/24/2008 03:19:20 PM:

Dear All,

Thank you Vineeta for your help.

hi.. you can simply rename the .pem format to .crt. It will work fine..

As above you mention conversion from .pem to .der but .PEM format having only certificate having like given below:

-----BEGIN CERTIFICATE-----
-- - -
-----END CERTIFICATE-----

But .der format having some more other information so I think just renaming is not correct way.

$ openssl x509 -in crt.pem -text -noout
$ openssl x509 -in crt.pem -outform der -out crt.der
$ openssl x509 -in crt.der -inform der -text -noout

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
How to convert .der file to .pem
Hi all; Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me. Thank you. Regards, --Ajeet Kumar Singh
RE: How to convert .der file to .pem
Hi all;

Thank you Luciano Quartarone for your help. I tried to convert .der file to .pem using your given idea but I did not get success. I am using open ssl command line tool. Any thing more I need to do?

Regards,
--Ajeet Kumar Singh
Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luciano Quartarone
Sent: Monday, September 22, 2008 5:14 PM
To: openssl-users@openssl.org
Subject: Re: How to convert .der file to .pem

try with:

openssl x509 -inform DER -in filename -outform PEM -out filename

or look at www.openssl.org

LQ

Ajeet kumar.S wrote:

Hi all;

Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me.

Thank you.
Regards,
--Ajeet Kumar Singh
RE: How to convert .der file to .pem
Hi All;

Thanks a lot Shiva Kumar. I tried it. It is working.

Thank you.
Regards,
--Ajeet Kumar Singh

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shivakumar Balur
Sent: Monday, September 22, 2008 5:57 PM
To: openssl-users@openssl.org
Subject: Re: How to convert .der file to .pem

Hi,

Try out this:

openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

Regards,
Shivakumar

----- Original Message -----
From: Ajeet kumar.S mailto:[EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Monday, September 22, 2008 5:06 PM
Subject: How to convert .der file to .pem

Hi all;

Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me.

Thank you.
Regards,
--Ajeet Kumar Singh
RE: openssl 0.8.9h sha256
Dear All, I tried to connect to a stream server using https (using OpenSSL), but I got nothing in the response from the server, meaning only zero content length of data and headers. Let me know why the server was not sending data. Is there any problem related to SSL due to a delay timeout happening on the server side, or is it due to any other reason? Please reply to me. Thank you. Regards, --Ajeet Kumar Singh Sarve Bhavantu Sukhina, Sarve Santu Niramaya, Sarve Bhadrani Pashyantu, Maa Kaschit Dukha Bhagh Bhavet

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rafiqul Ahsan Sent: Wednesday, August 13, 2008 7:19 PM To: openssl-users@openssl.org Subject: Re: openssl 0.8.9h sha256

Thanks, I will try to figure out as you suggested. Rafi

On 8/13/08, Sergio [EMAIL PROTECTED] wrote:

Rafiqul Ahsan wrote:

Found a previous posting like this where Alan Dekok answered that FreeRadius uses SSL from openssl, and if SSL supports any advanced algorithm FreeRadius should support it (I actually added a patch to FreeRadius to make sure this supports all digests). I am currently trying to find out whether I have linked the right openssl libraries when building the FreeRadius. I am unable to find out whether FreeRadius is being built with Solaris prebuilt openssl version 0.9.7d at /usr/sfw, or my newly installed openssl version 0.9.8h at /usr/local (with library /usr/local/ssl/lib). I have however a few questions, and I would appreciate your reply:

1. How to create CAcert.pem (root certs), server.pem (device certs), and server_pvt_key.pem (private key file) for server, and same for client to test TTLS, and TLS. It could be self signed.
2. Also how to create certs using different algorithm (sha1, sha2, sha256 etc.)? I need to create certs to test EAP-TLS/TTLS using WiMAX AP.

Thanks, and appreciate your help.

On 8/12/08, Sergio [EMAIL PROTECTED] wrote:

Rafiqul Ahsan wrote:

I see an error like below when trying to use EAP_TLS/TTLS authentication with Certs that has Signature Algorithm: sha256WithRSAEncryption. Can anybody tell me why SSL does not like the TLS session? I would appreciate your help. Here is the radiusd -X log:

++[suffix] returns noop
rlm_eap: EAP packet type response id 142 length 13
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - anonymous_identity
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 142 to 10.19.198.231 port 19801

Hi, recently I tried to use certs with SHA-2 sign and got the same error. Probably freeradius doesn't support (also) this size of sign. You can ask about this on the freeradius mailing list. Try to put a cert with SHA-1 algorithm and you will see it working.

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]

I'm not an expert but not all SSL functions are used by freeradius, for example ocsp functions. You can see raddb/certs/Makefile and raddb/certs/README to follow the commands which create test certificates. Surely with other openssl options you can use several algorithms but there is one important point with test certs that freeradius generates. Client certificates are signed by server private key, so you should put the correct permissions into your openssl configuration for server certs creation or sign client cert with ca private key. I took the second decision because it's clearer for me, and because the functionality is EXACTLY the same. On the other side, I don't know anything about WiMAX, but I suppose that credentials are the same. Hope this helps
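When a handshake fails only with sha256WithRSAEncryption certs, as in the thread above, a first check is which signature algorithm each cert in the chain actually carries. The following is an added example, not code from the posters, OpenSSL or FreeRADIUS: it reads the outer signatureAlgorithm OID from a PEM or DER certificate. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# Signature-algorithm OIDs (values from PKCS #1 and RFC 3279).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}

def to_der(data: bytes) -> bytes:
    """Unwrap PEM armor if present; raw DER passes through unchanged."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length

def decode_oid(body: bytes) -> str:
    arcs, value = [], 0
    for b in body:  # base-128 digits, high bit set on all but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm(cert: bytes) -> str:
    """Name the outer signatureAlgorithm of a PEM or DER certificate."""
    der = to_der(cert)
    tag, start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)        # tbsCertificate: the signed bytes
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 Certificate structure")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)  # unknown algorithms are reported as dotted OID

# Constructed skeleton, NOT a real certificate: filler tbsCertificate and signature.
SAMPLE_DER = bytes.fromhex("308199" + "308182" + "00" * 130  # outer SEQUENCE, tbs filler
                           + "300d06092a864886f70d01010b0500"  # OID + NULL parameters
                           + "030300aaaa")                     # BIT STRING filler
```

The returned name can be compared with the Signature Algorithm line printed by openssl x509 -text for the same file.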
[no subject]
Dear All; I compiled openssl-0.9.8g on VDSP and ran \demos\ssl\cli.cpp, and I tried to connect to https://www.gmail.com/. At that time I saw that the client sent client hello and the server sent server hello successfully. But after that the client is not sending the MASTER_KEY message. I checked and I found that in file ssl\s2_clnt.c, inside function int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data), the call x509=d2i_X509 (NULL, data,(long)len); returns x509=0; that's why it is going to err and returning ret =-1; Please tell me how I can remove this error. One thing I want to say: for compilation purposes I added the below function in this file. //// Thanks. Regards; Ajeet Kumar Singh DSP Software Engg. Jasmin Infotech Private Limited Plot No.119, (Opp to N.I.O.T.), Velachery Tambaram Road, Pallikaranai, Chennai 600 100, India
Problem in openssl Master key Generation
Dear All; I compiled openssl-0.9.8g on VDSP and ran \demos\ssl\cli.cpp, and I tried to connect to https://www.gmail.com/ using sslv2.0. At that time I saw that the client sent client hello and the server sent server hello successfully. But after that the client was not sending the MASTER_KEY message. I checked and I found that in file ssl\s2_clnt.c, inside function int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data), the call x509=d2i_X509 (NULL, data,(long)len); returns x509=0; that's why it is going to label err and returning ret =-1; Please tell me how I can remove this error, so I can proceed further to the next step in the sslv2.0 response. One thing I want to say: for compilation purposes I added the below function in this file x_x509.c.

////
ASN1_SEQUENCE(X509_EXTENSION) = {
    ASN1_OPT(X509_EXTENSION, object, ASN1_BOOLEAN),
    ASN1_OPT(X509_EXTENSION, value, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(X509_EXTENSION)

ASN1_SEQUENCE(PKCS8_PRIV_KEY_INFO) = {
    ASN1_OPT(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
} ASN1_SEQUENCE_END(PKCS8_PRIV_KEY_INFO)

IMPLEMENT_ASN1_FUNCTIONS(X509)
IMPLEMENT_ASN1_DUP_FUNCTION(X509)
IMPLEMENT_ASN1_DUP_FUNCTION(X509_EXTENSION)
IMPLEMENT_ASN1_FUNCTIONS(X509_EXTENSION)
IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
IMPLEMENT_ASN1_DUP_FUNCTION(PKCS8_PRIV_KEY_INFO)
////

If the above function is wrong and the problem is due to what I wrote in file x_x509.c, then please tell me how Linux or Windows OS maps this function and how I can map it. Thanks. Regards; Ajeet Kumar Singh
Problem on compilation of Openssl
Dear All; I am compiling OpenSSL, and at that time I got some functions, and mappings of functions, which are not in the OpenSSL source. These are as follows:

PKCS8_PRIV_KEY_INFO_it() // This function is not available in openssl ;
PKCS8_PRIV_KEY_INFO_new () // this function is not going to map
X509_EXTENSION_free () // this function is not available in openssl;
PKCS8_PRIV_KEY_INFO_new()// This function is not available in openssl
X509_EXTENSION_it// This function I did not get whole openssl source file
d2i_PKCS8_PRIV_KEY_INFO // this function is not available in openssl;
i2d_PKCS8_PRIV_KEY_INFO // this function is not available in openssl;
i2d_X509_EXTENSION // this function is not available in openssl;

Please tell me how (and where) I will find these functions or how I will map them. Some other errors on compilation of OpenSSL are given below:

[Error li1021] The following symbols referenced in processor 'p0' could not be resolved:
'PKCS8_PRIV_KEY_INFO_it [_PKCS8_PRIV_KEY_INFO_it]' referenced from 'Debug\p12_asn.doj'
'PKCS8_PRIV_KEY_INFO_it [_PKCS8_PRIV_KEY_INFO_it]' referenced from 'Debug\p12_p8d.doj'
'PKCS8_PRIV_KEY_INFO_it [_PKCS8_PRIV_KEY_INFO_it]' referenced from 'Debug\p12_p8e.doj'
'PKCS8_PRIV_KEY_INFO_new [_PKCS8_PRIV_KEY_INFO_new]' referenced from 'Debug\evp_pkey.doj'
'PKCS8_PRIV_KEY_INFO_new [_PKCS8_PRIV_KEY_INFO_new]' referenced from 'Debug\x_all.doj'
'X509_EXTENSION_dup [_X509_EXTENSION_dup]' referenced from 'Debug\x509_v3.doj'
'X509_EXTENSION_free [_X509_EXTENSION_free]' referenced from 'Debug\ocsp_ext.doj'
'X509_EXTENSION_free [_X509_EXTENSION_free]' referenced from 'Debug\t_req.doj'
'X509_EXTENSION_free [_X509_EXTENSION_free]' referenced from 'Debug\v3_conf.doj'
'X509_EXTENSION_free [_X509_EXTENSION_free]' referenced from 'Debug\v3_lib.doj'
'X509_EXTENSION_free [_X509_EXTENSION_free]' referenced from 'Debug\v3_utl.doj'
'X509_EXTENSION_free [_X509_EXTENSION_free]' referenced from 'Debug\x509_req.doj'
'X509_EXTENSION_free [_X509_EXTENSION_free]' referenced from 'Debug\x509_v3.doj'
'X509_EXTENSION_it [_X509_EXTENSION_it]' referenced from 'Debug\ocsp_asn.doj'
'X509_EXTENSION_it [_X509_EXTENSION_it]' referenced from 'Debug\x_crl.doj'
'X509_EXTENSION_it [_X509_EXTENSION_it]' referenced from 'Debug\x_x509.doj'
'X509_EXTENSION_new [_X509_EXTENSION_new]' referenced from 'Debug\ocsp_ext.doj'
'X509_EXTENSION_new [_X509_EXTENSION_new]' referenced from 'Debug\x509_v3.doj'
'd2i_PKCS8_PRIV_KEY_INFO [_d2i_PKCS8_PRIV_KEY_INFO]' referenced from 'Debug\pem_pk8.doj'
'd2i_PKCS8_PRIV_KEY_INFO [_d2i_PKCS8_PRIV_KEY_INFO]' referenced from 'Debug\pem_pkey.doj'
'd2i_PKCS8_PRIV_KEY_INFO [_d2i_PKCS8_PRIV_KEY_INFO]' referenced from 'Debug\x_all.doj'
'd2i_X509_EXTENSION [_d2i_X509_EXTENSION]' referenced from 'Debug\x509_req.doj'
'i2d_PKCS8_PRIV_KEY_INFO [_i2d_PKCS8_PRIV_KEY_INFO]' referenced from 'Debug\pem_pk8.doj'
'i2d_PKCS8_PRIV_KEY_INFO [_i2d_PKCS8_PRIV_KEY_INFO]' referenced from 'Debug\x_all.doj'
'i2d_X509_EXTENSION [_i2d_X509_EXTENSION]' referenced from 'Debug\x509_req.doj'
'lseek [_lseek]' referenced from 'Debug\bss_fd.doj'
'stat [_stat]' referenced from 'Debug\by_dir.doj'
Linker finished with 1 error
cc3089: fatal error: Link failed
Tool failed with exit/exception code: 1.
Build was unsuccessful.

Please give me a suggestion. How will I remove this error? Thank you sir. Regards; Ajeet Kumar Singh
About OpenSSL_free()
Dear All; Please tell me how COMP_CTX_free(COMP_CTX *ctx) will work. Actually I saw that in function COMP_CTX_free(COMP_CTX *ctx) we are using function OpenSSL_free(). But I saw no definition of OpenSSL_free(). Then how is this function working? How are the UNIX and Windows platforms taking (mapping) this function? Actually I want to port the OpenSSL library to the VDK operating system. So I think I need to map OpenSSL_free() to VDK, because this function is giving a linker error. Please tell me how I will do it. Thanks to all for your help. Thanks. Regards; Ajeet Kumar Singh
Problem in porting open ssl library
Hi all; I want to port OpenSSL to VDK (VDSP compiler, BF533 processor). For that purpose I downloaded OpenSSL from openssl.org (openssl-0.9.8g). Actually the above project has so many folders like crypto, apps, cert, engine, demo, etc. Let me know which folders I should port to VDK (RTOS) for a secure connection. Please reply to me. Thanks. Regards; Ajeet Kumar Singh
Problem porting SSL on VDK OS
Hi All; Thanks to you for your suggestions. I followed your suggestion and removed ssl/ssl_task.c and compiled it, but I got one problem which is as follows:

/*** ***/
crypto\sha\sha1s.cpp, line 72: cc0020: error: identifier GetTSC is undefined
GetTSC(s1);
^
crypto\sha\sha1s.cpp, line 74: cc1665: {D} warning: variable e1 is possibly used before its value is set in loop
GetTSC(e1);
^
crypto\sha\sha1s.cpp, line 75: cc1665: {D} warning: variable s2 is possibly used before its value is set in loop
GetTSC(s2);
^
crypto\sha\sha1s.cpp, line 77: cc1665: {D} warning: variable e2 is possibly used before its value is set in loop
GetTSC(e2);
^
1 error detected in the compilation of crypto\sha\sha1s.cpp.
cc3089: fatal error: Compilation failed
Tool failed with exit/exception code: 1.
Build was unsuccessful.
/*** ***/

I want to know what the use of the GetTSC function is. Can I replace it? Can I know of any impact on the SSL project after replacement of the GetTSC function? As I told you, I am using VDK RTOS (Analog Devices RTOS, for VDSP). Is it required to compile crypto\sha\sha1s.cpp? What is the use of sha1s.cpp? Please reply to me. Thanks. Regards; Ajeet Kumar Singh DSP Software Engg. Jasmin Infotech Private Limited Plot No.119, (Opp to N.I.O.T.), Velachery Tambaram Road, Pallikaranai, Chennai 600 100, India
How i can bypass SYS$QIOW()
Hi all; I am working on the BF-533 processor (Blackfin processor, VDK RTOS, VDSP4.5 compiler). I am trying to port openssl-0.9.8g to VDK (BF-533, VDSP4.5), but this is giving some errors. It is not able to open #include iodef.h and #include descrip.h in ssl_task.c. If I comment out both of these include files, some errors come up, which are as follows:

//*//
\ssl\ssl_task.c
ssl\ssl_task.c, line 158: cc0040: error: expected an identifier
static $DESCRIPTOR(sysnet, SYS$NET);
^
ssl\ssl_task.c, line 158: cc0092: {D} warning: identifier-list parameters may only be used in a function definition
static $DESCRIPTOR(sysnet, SYS$NET);
^
ssl\ssl_task.c, line 174: cc0020: error: identifier IO$_READVBLK is undefined
status = SYS$QIOW ( 0, chan, IO$_READVBLK, iosb, 0, 0,
^
ssl\ssl_task.c, line 174: cc1080: {D} warning: Function does not have a full prototype
status = SYS$QIOW ( 0, chan, IO$_READVBLK, iosb, 0, 0,
^
ssl\ssl_task.c, line 185: cc0020: error: identifier IO$_WRITEVBLK is undefined
status = SYS$QIOW ( 0, chan, IO$_WRITEVBLK, iosb, 0, 0,
^
ssl\ssl_task.c, line 185: cc1080: {D} warning: Function does not have a full prototype
status = SYS$QIOW ( 0, chan, IO$_WRITEVBLK, iosb, 0, 0,
^
ssl\ssl_task.c, line 216: cc1080: {D} warning: Function does not have a full prototype
LIB$INIT_TIMER();
^
ssl\ssl_task.c, line 217: cc0020: error: identifier sysnet is undefined
status = SYS$ASSIGN ( sysnet, chan, 0, 0, 0 );
^
ssl\ssl_task.c, line 217: cc1080: {D} warning: Function does not have a full prototype
status = SYS$ASSIGN ( sysnet, chan, 0, 0, 0 );
^
ssl\ssl_task.c, line 251: cc1080: {D} warning: Function does not have a full prototype
LIB$SHOW_TIMER();
^
ssl\ssl_task.c, line 253: cc1080: {D} warning: Function does not have a full prototype
LIB$SHOW_TIMER();
^
ssl\ssl_task.c, line 259: cc1080: {D} warning: Function does not have a full prototype
LIB$SHOW_TIMER();
^
ssl\ssl_task.c, line 279: cc1080: {D} warning: Function does not have a full prototype
c_to_s=BIO_new(BIO_s_rtcp());
^
ssl\ssl_task.c, line 280: cc1080: {D} warning: Function does not have a full prototype
s_to_c=BIO_new(BIO_s_rtcp());
^
ssl\ssl_task.c, line 316: cc0111: {D} warning: statement is unreachable
link_state = 3;
^
ssl\ssl_task.c, line 322: cc0111: {D} warning: statement is unreachable
link_state = 3;
^
4 errors detected in the compilation of ssl\ssl_task.c.
cc3089: fatal error: Compilation failed
Tool failed with exit/exception code: 1.
Build was unsuccessful.
//*//

So how can I remove this error? What is the function given below doing?

status = SYS$QIOW ( 0, chan, IO$_READVBLK, iosb, 0, 0,buffer, maxlen, 0, 0, 0, 0 );

What substitution can I do for all these so that it works for VDK? Please reply to me. Thanks. Regards; Ajeet Kumar Singh DSP Software Engg. Jasmin Infotech Private Limited Plot No.119, (Opp to N.I.O.T.), Velachery Tambaram Road, Pallikaranai, Chennai 600 100, India
Which folder and source files required to port for work on SSL
Dear All; I am a new user of OpenSSL. I am trying to port OpenSSL to VDK RTOS (which is not VMS OS; it is an RTOS developed by Analog Devices). For porting OpenSSL I got openssl-0.9.8g from http://www.openssl.org/. I am trying to port the whole project openssl-0.9.8g, but this project has so many folders and each folder has so many .c and .h files. Because of that I am facing so many problems. Actually I want to know which folders I should port to VDK for a secure connection. Please reply to me with which folders I am required to port to VDK so that I can work on SSL. Thanks. Regards; Ajeet Kumar Singh
Problem on porting OpenSSL on VDSP4.5(VDK RTOS)
Hi All; I am trying to port OpenSSL to VDSP4.5 (VDK RTOS). But OpenSSL has 5 types of terminal interface supported, * TERMIO, TERMIOS, VMS, MSDOS and SGTTY */ but VDK is not supporting them. So please tell me how to bypass it. Here the sgtty.h header is not in the OpenSSL project folder. Can we use a wrapper and debug this problem? How can we solve this problem? One doubt I have: for porting to VDK, where will I change? What change is required for porting to VDK (RTOS)? Please reply to me. Thanks. Regards; Ajeet Kumar Singh