using openssl to generate dsa key-pair
guys:

i have a quick question regarding using openssl to generate a dsa key pair. i know that i can generate a dsa private key by doing the following:

    openssl dsaparam -genkey 1024 -out dsaprivatekey.pem

however, i cannot find a command to have the dsa public key associated with the dsa private key i just generated. i am sure the answer is easy and quick, i just cannot find it.

tia.

chong peng

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
FW: SSL_write error
sorry, just noticed that i sent it to the wrong address. my apology.

-----Original Message-----
From: Chong Peng
Sent: Tuesday, January 23, 2007 10:21 AM
To: [EMAIL PROTECTED]
Subject: SSL_write error

guys:

i have 2 embedded systems connected with ssl. these embedded systems are identical and both are running openssl, one as server, the other as client. during the ssl handshaking, the server uses a self-signed certificate and does not ask the client to send a certificate. the link comes up ok. but sometimes, when SSL_write is called, it returns an error. using SSL_get_error, ERR_get_error, and then ERR_error_string, i've got the following:

    error:0906D06C:PEM routines:PEM_read_bio:no start line

do i get an irrelevant error string? i tried to google this string and cannot find much useful information. any ideas? what could be wrong?

thanks in advance.

chong peng
a question about SSL_CTX_free
guys:

the man page for SSL_CTX_free says:

    SSL_CTX_free() decrements the reference count of ctx, and removes the SSL_CTX object pointed to by ctx and frees up the allocated memory if the reference count has reached 0.

i have a couple of questions regarding this:

1. what makes the reference count of ctx increase/decrease?
2. if i call SSL_CTX_free, does that mean all ssl connections based on this ctx will be closed automatically? or should i close all ssl connections based on a ctx before i call SSL_CTX_free?

tia.

chong peng
a private ca question
guys:

i have a question regarding how to implement/use a private ca with openssl. the following is what i have done:

1. generate ca private key and ca certificate

    $ openssl genrsa -out cakey.pem 1024
    $ openssl req -new -key cakey.pem -out cacert_req.pem
    $ openssl x509 -req -days 300 -in cacert_req.pem -signkey cakey.pem -out cacert.pem

   my intention here is to get the ca private key (cakey.pem) and ca certificate (cacert.pem). i am assuming the ca certificate is self signed.

2. generate ssl private key and sign its corresponding public key with ca's private key

    $ openssl genrsa -out ssl_key.pem 1024
    $ openssl req -new -key ssl_key.pem -out sslcert_req.pem
    $ openssl x509 -req -days 200 -in sslcert_req.pem -signkey cakey.pem -out ssl_cert.pem

   my intention here is to get the rsa private key (ssl_key.pem) and its corresponding certificate signed by the ca (ssl_cert.pem).

however, when i tried to use these three keys (ssl_key.pem, ssl_cert.pem, cacert.pem) to start an ssl server, i got the following error:

    $ openssl s_server -accept 1500 -cert ssl_cert.pem -key ssl_key.pem -CAfile cacert.pem -debug -state
    Using default temp DH parameters
    unable to get private key from ssl_key.pem
    14841:error:0B080074:x509:certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:279:

obviously, i did something wrong in the process. is the way i create/use the private ca wrong? anybody here has quick ideas what is going on?

thanks in advance.

chong peng
RE: Error accepting connections
prabhu:

we saw a similar problem (i.e. bad record mac) when i had an ssl client (java implementation, talking tlsv1) try to connect to an ssl server (openssl, talking sslv3 only). we solved the problem by changing "sslv3_server_method" to "sslv23_server_method". i do not know why, but this change obviously solved my problem. your problem may not be like ours, but just fyi.

chong peng

-----Original Message-----
From: Prabhu.S [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 31, 2006 6:45 AM
To: openssl-users@openssl.org
Subject: Error accepting connections

Hello All:

I have a SSL Server application. In a test scenario 20 clients try connecting to the server simultaneously. In most of the test runs at least one connection fails. The server logs the following message for the failed connection:

    ** server.c:809 Error accepting SSL connection
    14658:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:

What is the reason for these inconsistent handshake failures?
I have OpenSSL 0.9.8a.

Regards,
Prabhu. S
a simple ca question
guys:

how to tell a root certificate from a non-root certificate? is there a field in the x509 structure for us to tell?

thanks.

chong peng
RE: a simple ca question
thanks for the reply. so can i say that if a certificate is self signed, then it is a root certificate? how do i know a certificate is self signed?

another question is that, for example, if i want to use a self-signed certificate as my server certificate, so that during the ssl handshake phase this self-signed certificate is going to be sent from the server to the client. to verify this self-signed certificate, what is the client supposed to do? to be specific, do i have to independently distribute this self-signed certificate to the client before the ssl handshake?

thanks.

chong peng

-----Original Message-----
From: Bernhard Froehlich [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 14, 2006 1:10 PM
To: openssl-users@openssl.org
Subject: Re: a simple ca question

Chong Peng wrote:
> guys:
> how to tell a root certificate from a non-root certificate? is there a field in the x509 structure for us to tell?
> thanks.
> chong peng

Root certificates are self signed, that is the issuer equals the subject in the certificate.

Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
i have a question ragarding self-signed certificate
guys:

we all know that a ca-signed certificate can provide authentication because the ca is trustable; by using a ca-signed certificate, one is saying "i am somebody because the ca says so". but it seems that a self-signed certificate _cannot_ provide any authentication at all, because by using a self-signed certificate, one is saying "i am somebody because i say so". if my understanding is correct, then why is a self-signed certificate still used?

thanks.

chong peng
RE: Memory leak with multiple threads running with a single SSL server serving incoming requests...
lei:

have you enabled the session cache? if you enabled the session cache and you have a lot of ssl connections come and go, you may encounter a mem leak problem. the mem is not actually leaked, but held by the session cache. the mem will be released eventually after a certain amount of time (in the matter of hours if i remember correctly). you can use:

    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

to explicitly disable the session cache. just my guess.

chong peng

-----Original Message-----
From: Lei Cao [mailto:[EMAIL PROTECTED]
Sent: Friday, May 26, 2006 1:45 PM
To: openssl-users@openssl.org
Subject: RE: Memory leak with multiple threads running with a single SSL server serving incoming requests...

Thanks for pointing that out for me about ERR_remove_state(0);
But i still have memory leaks after a large amount of connections (simulated by my own crazy test program which connects to the server recursively with different messages). I am using OpenSSL 0.9.7i.

Regards!
Lei

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Friday, May 26, 2006 1:32 PM
To: openssl-users@openssl.org
Subject: RE: Memory leak with multiple threads running with a single SSL server serving incoming requests...

Hello

What version of OpenSSL do you use? I do not remember exactly but in one version there was a memory leak after general release. (I do not remember the version).

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
open ssl memory leak?
dear all:

i have an ssl server running in an embedded system on top of the vxworks operating system. the ssl server is based on teamf1's ssecure lib (this lib, of course, is based on openssl, i believe 0.9.7). i was using a linux machine as ssl client to connect to my ssl server and close the connection right away. after each connect/close, i then use the vxworks command memPartShow to check the mem partition cryptoMemPartId; it appears that i lose exactly 400 bytes per connect/close (because the allocated mem from this cmd increases by exactly 400 bytes every connect/close). eventually, the system will give me a "memPartAlloc: block too big" error. after the error, i cannot set up an ssl connection with the server anymore.

in my code, to close an ssl connection, i make three calls (in this sequence):

    SSL_shutdown(ssl);
    SSL_free(ssl);
    close(socket);

i used to think this may be related to the session cache, but after i read the document and checked my code carefully, i do not enable the session cache specifically (i believe it should be disabled by default). even if i use

    SSL_CTX_set_timeout(ctx, 1);

to set the ctx timeout to 1 sec right after the ctx is created, i still have this problem.

do i miss anything here? does anybody here have any idea what is going on?

thanks in advance.

chong peng
team f1 ssl-ssh module compiling problem
hi, guys:

i was compiling team f1's open ssh-ssl module for vxworks, and the make gives me the following error message:

    make: Unknown option -w

does anybody here have a clue about this problem?

tia.

chong peng
RE: Hard-coded keys and cert in the image
grace:

i believe what you are trying to do is what i did a few days ago. here is how you do it:

1. obtain the private key and certificate in pem format, e.g., by using the following openssl commands:

    $ openssl genrsa -out key.pem 1024
    $ openssl req -new -key key.pem -out request.pem
    $ openssl x509 -req -days 30 -in request.pem -signkey key.pem -out certificate.pem
    $ openssl x509 -inform der -in certificate.crt -out certificate.pem

   this will give you a self signed private key and certificate (in pem format).

2. open the pem files (e.g., key.pem and certificate.pem) in a text editor, copy and paste the key and certificate to a c array.

3. your c code is going to look like the following:

#include <openssl/buffer.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <openssl/bio.h>
#include <openssl/x509.h>

EVP_PKEY *pkey = NULL;
X509     *cert = NULL;

/* pasted from key.pem; every line keeps its "\n" so the pem reader can find the BEGIN/END lines */
const char skey[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIICXAIBAAKBgQC0SF/4JTo3XzffsPeNPbglZ6sz/f/mlUO/CUtB8hk0DTz3V/9r\n"
"iWagrVHjqaF/xikWFsxbzKecRyDDNyhgMWV8eeAVGpJSvmyJZH43MWO1zCiBXsi2\n"
"MSHqQAJOfT803qTc3tPCb5k4UK5ytvwpQ8ZIyokrnQJS0FYKsonf3ASjKwIDAQAB\n"
"AoGAMR3Sv6lsze8sKs5s81cQV2iCFT0rPegGuAJRNZs+0JaWuJCJ7wNVKYtu1wa9\n"
"EDGtue3mKVB9ja83NthNML/kdOszLc1G6NVnWYSzgBPPsyPAJkSZw8TQKODmw+LF\n"
"sqGFjC73s49/lWO12Tv8qA0Zf4sXRY9dMiqX5kA5m8OWXfECQQDYkv2B1xfNK41v\n"
"PPeggVapasX53ZIiOdjc5UuaOWU7GDLhlyyFUCkDdx4eviBAEclWfNSueJNcK1Me\n"
"pulScGFTAkEA1RoXxsYgFVbZsK1i9hjxEqoWzP7dQBJTWqi/77BaPQvqX12ctVk0\n"
"pa0sR4XEKxGOBr11XJVlloTjpmm1hwLDyQJBAM25o1IpLhTZIDrgoSE4e0fngzQ9\n"
"A0m7xYLf1RclGkIuVHbykXn5kVwXVOdDF4OE4cpkPeuV4fUVuplNWCnVUr0CQBWR\n"
"a4ChwtOGE8hO9ComQhf6gQ5EaU43zJnrZGm09p0hHJqEVf0Ax1RRX57pif4166MA\n"
"/+Tb9gky7/uCzW2ZuQkCQFUoAhZnV9sQoifQpkCE10J3fZNyNLEvHKU3b4/rwvn7\n"
"5W618+Fr0DiwBkH07YSWRCVvi8rsYrK2/25DXSbXbD8=\n"
"-----END RSA PRIVATE KEY-----\n";

/* pasted from certificate.pem */
const char scert[] =
"-----BEGIN CERTIFICATE-----\n"
"MIICeTCCAeICCQDVIB2PKnpDmjANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMC\n"
"VVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdTQU5KT1NFMQ8wDQYDVQQKEwZNQVhY\n"
"QU4xDDAKBgNVBAsTA0VORzEOMAwGA1UEAxMFY2hvbmcxIzAhBgkqhkiG9w0BCQEW\n"
"FGNob25ncGVuZ0BtYXh4YW4uY29tMB4XDTA1MTIyMTA0MDcxNloXDTA2MDEyMDA0\n"
"MDcxNlowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHU0FO\n"
"Sk9TRTEPMA0GA1UEChMGTUFYWEFOMQwwCgYDVQQLEwNFTkcxDjAMBgNVBAMTBWNo\n"
"b25nMSMwIQYJKoZIhvcNAQkBFhRjaG9uZ3BlbmdAbWF4eGFuLmNvbTCBnzANBgkq\n"
"hkiG9w0BAQEFAAOBjQAwgYkCgYEAtEhf+CU6N18337D3jT24JWerM/3/5pVDvwlL\n"
"QfIZNA0891f/a4lmoK1R46mhf8YpFhbMW8ynnEcgwzcoYDFlfHngFRqSUr5siWR+\n"
"NzFjtcwogV7ItjEh6kACTn0/NN6k3N7Twm+ZOFCucrb8KUPGSMqJK50CUtBWCrKJ\n"
"39wEoysCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBX0jTsC73wXYHDhenL2piboCMQ\n"
"qF96W/YLShYJla3ipc8JG0GHStTjUY4w7KGjDJippRUhddv0CUAilD7EPYusr1oY\n"
"sk+Tt7QKCSLnued6NZwGnjIV78BmMi5gp5UEotgmPMk6Q6WKl0rVMbiJWqgy9f7b\n"
"Hk3SUgTCdn/T+ajIFQ==\n"
"-----END CERTIFICATE-----\n";

/* parse the private key out of the in-memory pem text into pkey; 0 on success, -1 on failure */
int serverKey(void)
{
    BIO *bio;

    if ((bio = BIO_new_mem_buf((void *)skey, sizeof(skey))) == NULL) {
        return(-1);
    }
    if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)) == NULL) {
        BIO_free(bio);
        return(-1);
    }
    BIO_free(bio);
    return(0);
}

/* parse the certificate out of the in-memory pem text into cert; 0 on success, -1 on failure */
int serverCert(void)
{
    BIO *bio;

    if ((bio = BIO_new_mem_buf((void *)scert, sizeof(scert))) == NULL) {
        return(-1);
    }
    if ((cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
        BIO_free(bio);
        return(-1);
    }
    BIO_free(bio);
    return(0);
}

this piece of code worked in the embedded system i am working on, hope this helps.

chong peng

-----Original Message-----
From: Xie Grace Jingru-LJX001 [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 09, 2006 9:47 AM
To: openssl-users@openssl.org
Subject: Hard-coded keys and cert in the image

Hello,

If the privkey and cacert have to be hard-coded in the image (by using #define), how can I tell SSL to look into these constants for the key and cert instead of the default directory? Which SSL routine do I need to change to let SSL know the new location of the key and certificate?

All suggestions are appreciated...!

Grace
RE: Hard-coded keys and cert in the image
forgot one thing: after you have the private key (of type EVP_PKEY) and certificate (of type X509), you use:

    SSL_CTX_use_certificate(ctx, cert)
    SSL_CTX_use_PrivateKey(ctx, pkey)

to read them into your ssl context.
RE: Question on SSL_connect
have you tried to call ERR_error_string to find out what exactly is going on? could be that the server and client are using different versions of ssl.

-----Original Message-----
From: Ambarish Mitra [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 1:27 AM
To: openssl-users@openssl.org
Subject: Question on SSL_connect

On SSL_connect, the openssl documentation mentions that: "initiate the TLS/SSL handshake with an TLS/SSL server"

I have created the client cert and loaded it into the context with SSL_CTX_use_certificate_file and the corresponding private key with SSL_CTX_use_PrivateKey_file. This association works since the call SSL_CTX_check_private_key succeeded.

In SSL_connect, does the client program send out the client certificate to the server as a part of the handshake?

Now, my server is Java based, and I do not have much idea on JVM keystores. It looks like the keystore holds the CA cert and also the server cert. This CA is also the one who issued the client cert.

I am getting an error SSL_ERROR_SSL with SSL_connect() returning <=0. Under what circumstances does SSL_connect return this error?
read rsa private key (in pem format) from the memory
dear all:

i am trying to read the rsa key from the memory (rather than from a file). here is what i did:

1. use "openssl genrsa -out key.pem 1024" to generate an rsa key in the file key.pem.
2. copy and paste the key from key.pem to my code.
3. use a mem bio to read the key from the memory.

my code to do this is like the following. the call to PEM_ASN1_read_bio always returns null. anybody has any idea or similar experience?

thanks a lot

chong peng

#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

/* copy and paste from key.pem */
char rsakey[] = "-----BEGIN RSA PRIVATE KEY-----\
MIICXAIBAAKBgQC0SF/4JTo3XzffsPeNPbglZ6sz/f/mlUO/CUtB8hk0DTz3V/9r\
iWagrVHjqaF/xikWFsxbzKecRyDDNyhgMWV8eeAVGpJSvmyJZH43MWO1zCiBXsi2\
MSHqQAJOfT803qTc3tPCb5k4UK5ytvwpQ8ZIyokrnQJS0FYKsonf3ASjKwIDAQAB\
AoGAMR3Sv6lsze8sKs5s81cQV2iCFT0rPegGuAJRNZs+0JaWuJCJ7wNVKYtu1wa9\
EDGtue3mKVB9ja83NthNML/kdOszLc1G6NVnWYSzgBPPsyPAJkSZw8TQKODmw+LF\
sqGFjC73s49/lWO12Tv8qA0Zf4sXRY9dMiqX5kA5m8OWXfECQQDYkv2B1xfNK41v\
PPeggVapasX53ZIiOdjc5UuaOWU7GDLhlyyFUCkDdx4eviBAEclWfNSueJNcK1Me\
pulScGFTAkEA1RoXxsYgFVbZsK1i9hjxEqoWzP7dQBJTWqi/77BaPQvqX12ctVk0\
pa0sR4XEKxGOBr11XJVlloTjpmm1hwLDyQJBAM25o1IpLhTZIDrgoSE4e0fngzQ9\
A0m7xYLf1RclGkIuVHbykXn5kVwXVOdDF4OE4cpkPeuV4fUVuplNWCnVUr0CQBWR\
a4ChwtOGE8hO9ComQhf6gQ5EaU43zJnrZGm09p0hHJqEVf0Ax1RRX57pif4166MA\
/+Tb9gky7/uCzW2ZuQkCQFUoAhZnV9sQoifQpkCE10J3fZNyNLEvHKU3b4/rwvn7\
5W618+Fr0DiwBkH07YSWRCVvi8rsYrK2/25DXSbXbD8=\
-----END RSA PRIVATE KEY-----";

EVP_PKEY *pkey = NULL;

/* ERROR (-1) and OK (0) are the vxworks status macros from vxWorks.h */
int readRsaKey(void)
{
    BIO *bio;

    if ((bio = BIO_new_mem_buf((void *)rsakey, sizeof(rsakey))) == NULL) {
        return(ERROR);
    }
    if ((pkey = PEM_ASN1_read_bio(d2i_PrivateKey, PEM_STRING_EVP_PKEY, bio, NULL, NULL, NULL)) == NULL) {
        BIO_free(bio);
        return(ERROR);
    }
    BIO_free(bio);
    return(OK);
}
RE: read rsa private key (in pem format) from the memory
thanks steve. i got my code working. actually, this is pretty easy. following is my final code. hopefully, this can be a little bit of help to those who want to do the same thing. note that the char array skey is copied and pasted from a pem file generated by using "openssl genrsa -out key.pem 1024".

#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>

EVP_PKEY *pkey = NULL;

/* each line keeps its "\n", so the pem reader sees the BEGIN/END markers as separate lines */
const char skey[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIICXAIBAAKBgQC0SF/4JTo3XzffsPeNPbglZ6sz/f/mlUO/CUtB8hk0DTz3V/9r\n"
"iWagrVHjqaF/xikWFsxbzKecRyDDNyhgMWV8eeAVGpJSvmyJZH43MWO1zCiBXsi2\n"
"MSHqQAJOfT803qTc3tPCb5k4UK5ytvwpQ8ZIyokrnQJS0FYKsonf3ASjKwIDAQAB\n"
"AoGAMR3Sv6lsze8sKs5s81cQV2iCFT0rPegGuAJRNZs+0JaWuJCJ7wNVKYtu1wa9\n"
"EDGtue3mKVB9ja83NthNML/kdOszLc1G6NVnWYSzgBPPsyPAJkSZw8TQKODmw+LF\n"
"sqGFjC73s49/lWO12Tv8qA0Zf4sXRY9dMiqX5kA5m8OWXfECQQDYkv2B1xfNK41v\n"
"PPeggVapasX53ZIiOdjc5UuaOWU7GDLhlyyFUCkDdx4eviBAEclWfNSueJNcK1Me\n"
"pulScGFTAkEA1RoXxsYgFVbZsK1i9hjxEqoWzP7dQBJTWqi/77BaPQvqX12ctVk0\n"
"pa0sR4XEKxGOBr11XJVlloTjpmm1hwLDyQJBAM25o1IpLhTZIDrgoSE4e0fngzQ9\n"
"A0m7xYLf1RclGkIuVHbykXn5kVwXVOdDF4OE4cpkPeuV4fUVuplNWCnVUr0CQBWR\n"
"a4ChwtOGE8hO9ComQhf6gQ5EaU43zJnrZGm09p0hHJqEVf0Ax1RRX57pif4166MA\n"
"/+Tb9gky7/uCzW2ZuQkCQFUoAhZnV9sQoifQpkCE10J3fZNyNLEvHKU3b4/rwvn7\n"
"5W618+Fr0DiwBkH07YSWRCVvi8rsYrK2/25DXSbXbD8=\n"
"-----END RSA PRIVATE KEY-----\n";

/* parse the private key out of the in-memory pem text into pkey; 0 on success, -1 on failure */
int readKeyFromMem(void)
{
    BIO *bio;

    if ((bio = BIO_new_mem_buf((void *)skey, sizeof(skey))) == NULL) {
        return(-1);
    }
    if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)) == NULL) {
        BIO_free(bio);
        return(-1);
    }
    BIO_free(bio);
    return(0);
}

-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 02, 2006 1:06 PM
To: openssl-users@openssl.org
Subject: Re: read rsa private key (in pem format) from the memory

On Thu, Feb 02, 2006, Chong Peng wrote:

> dear all:
> i am trying to read the rsa key from the memory (rather than from a file). here is what i did:
> 1. use "openssl genrsa -out key.pem 1024" to generate an rsa key in the file key.pem.
> 2. copy and paste the key from key.pem to my code.
> 3. use a mem bio to read the key from the memory.
> my code to do this is like the following. the call to PEM_ASN1_read_bio always returns null. anybody has any idea or similar experience?
> thanks a lot
> chong peng
>
> /* copy and paste from key.pem */
> char rsakey[] = "-----BEGIN RSA PRIVATE KEY-----\
> MIICXAIBAAKBgQC0SF/4JTo3XzffsPeNPbglZ6sz/f/mlUO/CUtB8hk0DTz3V/9r\
> iWagrVHjqaF/xikWFsxbzKecRyDDNyhgMWV8eeAVGpJSvmyJZH43MWO1zCiBXsi2\

Well there aren't any line feeds (\n) in there so the whole thing is being incorrectly represented as a single line.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
a question about loading private key and certificate to the ssl ctx
guys:

usually, we use the following two apis to load key/certificate:

    int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
    int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);

this, if i understand right, requires a private key and certificate to be generated offline and saved in a disk file. if i have an embedded system that cannot read from a disk or any other media, how can i input the key/certificate to the ssl context? i noticed that there are other apis defined to input key/certificate to the ssl context, such as:

    int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
    int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);

does this mean that i can generate a certificate of type X509 and a private key of type EVP_PKEY in my code and then load them to the ssl context? if so, how can i do that? what i am thinking is that each time my embedded system boots up, i will generate a key/certificate (self signed) and load them to my ssl context. is this doable?

thanks in advance.

chong peng
what exactly is the difference between ssl and ssh (secure shell)?
if you google ssl and ssh, you will find a few pages regarding this issue, such as:

    http://www.snailbook.com/faq/ssl.auto.html
    http://www.rpatrick.com/tech/ssh-ssl/

but all in all, what ssl accomplishes can be done by ssh and what ssh accomplishes can be done by ssl. it seems to me that this is just another example of complexities (confusions) created by humans. maybe a little bit off the topic, but any thoughts from this list?
SSL_accept returns error
dear all:

i have a question regarding an SSL_accept error. i have an ssl application in an embedded system running vxworks; the ssl tool kit is from teamf1. during the test, i configure the embedded system as an ssl server, and use another linux machine as the ssl client. the ssl tool kit in the linux machine is a binary distribution of openssl-0.9.8a downloaded from openssl.org. i issue the following command in the linux machine:

    openssl s_client -connect 10.100.22.96:1500

in my embedded system, SSL_accept returns error code '1'; by calling "ERR_error_string(ERR_ssl_error(), NULL)", i got a string:

    SSL routines:SSL3_GET_RECORD:wrong version number

i have a couple of questions regarding this error:

1. does this mean that the tool kit in my embedded system does not match the tool kit in the linux machine?
2. is there a way to get around this problem?

thanks a lot.

chong peng
RE: SSL_accept returns error
victor:

thanks for the reply. after i change the command in the linux machine from:

    openssl s_client -connect 10.100.22.96:1500

to:

    openssl s_client -connect 10.100.22.96:1500 -ssl3

the problem disappears, and i was able to connect to the ssl server in my embedded system. it looks like the ssl tool kit in the linux machine is talking ssl2 by default.

chong peng

-----Original Message-----
From: Victor Duchovni [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 22, 2005 11:14 AM
To: openssl-users@openssl.org
Subject: Re: SSL_accept returns error

On Thu, Dec 22, 2005 at 10:38:07AM -0800, Chong Peng wrote:

> i have an ssl application in an embedded system running vxworks, the ssl tool kit is from teamf1. during the test, i configure the embedded system as a ssl server, and use another linux machine as the ssl client. the ssl tool kit in the linux machine is a binary distribution of openssl-0.9.8a downloaded from openssl.org.

Which Linux distribution? What is the origin of the teamf1 SSL toolkit? Is it a port of OpenSSL and if so which version?

> openssl s_client -connect 10.100.22.96:1500
>
> in my embedded system, the SSL_accept returns error code '1', by calling ERR_error_string(ERR_ssl_error(), NULL), i got a string:
>
> SSL routines:SSL3_GET_RECORD:wrong version number
>
> i have a couple of questions regarding this error:
>
> 1. does this mean that the tool kit in my embedded system does not match the tool kit in linux machine?

No, rather the SSL version in a packet does not match the SSL version earlier in the protocol.

> 2. is there a way to get around this problem?

Is it perhaps: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338006 ?

Try 0.9.7i and report whether that solves the problem.

--
	Viktor.
rsa certificate and private key question
dear all:

by using the following openssl cli, i generate an rsa private key and a self signed certificate file.

    $ openssl genrsa -out key.pem 1024
    $ openssl req -new -key key.pem -out request.pem
    $ openssl x509 -req -days 30 -in request.pem -signkey key.pem -out certificate.pem

when i try to load the key file and certificate file to my ssl context, both

    SSL_CTX_use_certificate_file(ctx, keyfile, SSL_FILETYPE_PEM)

and

    SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM)

return 1. however, when i use SSL_CTX_check_private_key(ctx) to check if the key matches the certificate, this function returns 0. what could be wrong here? it seems these are all standard simple operations.

thanks a lot.

chong peng
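Three of the threads above come down to comparisons that can be made directly on the certificate and key bytes: "a simple ca question" (a root certificate is one whose issuer equals its subject), the "key values mismatch" from "a private ca question" and the SSL_CTX_check_private_key failure just above (the public key carried inside the certificate must equal the public part of the private key), and the missing line feeds diagnosed in the "read rsa private key" thread. The following is an added example, not code from any of the posts or from OpenSSL: a minimal DER walker in standard-library Python that performs those checks on the key and certificate posted in "Hard-coded keys and cert in the image". All function names are mine; the PEM text is copied from that post and nothing else is generated.

```python
# Added example (not code from the posts): the checks these threads ask about, done directly on
# the DER with the standard library. The PEM blobs are the ones posted on this page (the
# "Hard-coded keys and cert" message): a 1024-bit throwaway key and its self-signed certificate.
import base64

KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC0SF/4JTo3XzffsPeNPbglZ6sz/f/mlUO/CUtB8hk0DTz3V/9r
iWagrVHjqaF/xikWFsxbzKecRyDDNyhgMWV8eeAVGpJSvmyJZH43MWO1zCiBXsi2
MSHqQAJOfT803qTc3tPCb5k4UK5ytvwpQ8ZIyokrnQJS0FYKsonf3ASjKwIDAQAB
AoGAMR3Sv6lsze8sKs5s81cQV2iCFT0rPegGuAJRNZs+0JaWuJCJ7wNVKYtu1wa9
EDGtue3mKVB9ja83NthNML/kdOszLc1G6NVnWYSzgBPPsyPAJkSZw8TQKODmw+LF
sqGFjC73s49/lWO12Tv8qA0Zf4sXRY9dMiqX5kA5m8OWXfECQQDYkv2B1xfNK41v
PPeggVapasX53ZIiOdjc5UuaOWU7GDLhlyyFUCkDdx4eviBAEclWfNSueJNcK1Me
pulScGFTAkEA1RoXxsYgFVbZsK1i9hjxEqoWzP7dQBJTWqi/77BaPQvqX12ctVk0
pa0sR4XEKxGOBr11XJVlloTjpmm1hwLDyQJBAM25o1IpLhTZIDrgoSE4e0fngzQ9
A0m7xYLf1RclGkIuVHbykXn5kVwXVOdDF4OE4cpkPeuV4fUVuplNWCnVUr0CQBWR
a4ChwtOGE8hO9ComQhf6gQ5EaU43zJnrZGm09p0hHJqEVf0Ax1RRX57pif4166MA
/+Tb9gky7/uCzW2ZuQkCQFUoAhZnV9sQoifQpkCE10J3fZNyNLEvHKU3b4/rwvn7
5W618+Fr0DiwBkH07YSWRCVvi8rsYrK2/25DXSbXbD8=
-----END RSA PRIVATE KEY-----"""
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICeTCCAeICCQDVIB2PKnpDmjANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdTQU5KT1NFMQ8wDQYDVQQKEwZNQVhY
QU4xDDAKBgNVBAsTA0VORzEOMAwGA1UEAxMFY2hvbmcxIzAhBgkqhkiG9w0BCQEW
FGNob25ncGVuZ0BtYXh4YW4uY29tMB4XDTA1MTIyMTA0MDcxNloXDTA2MDEyMDA0
MDcxNlowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHU0FO
Sk9TRTEPMA0GA1UEChMGTUFYWEFOMQwwCgYDVQQLEwNFTkcxDjAMBgNVBAMTBWNo
b25nMSMwIQYJKoZIhvcNAQkBFhRjaG9uZ3BlbmdAbWF4eGFuLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEAtEhf+CU6N18337D3jT24JWerM/3/5pVDvwlL
QfIZNA0891f/a4lmoK1R46mhf8YpFhbMW8ynnEcgwzcoYDFlfHngFRqSUr5siWR+
NzFjtcwogV7ItjEh6kACTn0/NN6k3N7Twm+ZOFCucrb8KUPGSMqJK50CUtBWCrKJ
39wEoysCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBX0jTsC73wXYHDhenL2piboCMQ
qF96W/YLShYJla3ipc8JG0GHStTjUY4w7KGjDJippRUhddv0CUAilD7EPYusr1oY
sk+Tt7QKCSLnued6NZwGnjIV78BmMi5gp5UEotgmPMk6Q6WKl0rVMbiJWqgy9f7b
Hk3SUgTCdn/T+ajIFQ==
-----END CERTIFICATE-----"""

def pem_to_der(text, label):
    # Like PEM_read_bio: BEGIN and END must each be a whole line, so a blob pasted into C as one
    # long string with no "\n" fails here just as it does there ("no start line").
    lines = [ln.strip() for ln in text.splitlines()]
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if begin not in lines or end not in lines:
        raise ValueError("no start line")
    return base64.b64decode("".join(lines[lines.index(begin) + 1:lines.index(end)]), validate=True)

def der_tlv(buf, pos=0):
    # One DER tag-length-value at pos -> (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    # Members of a SEQUENCE/SET as a list of (tag, value).
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_private_public_part(key_der):
    # PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } -> (n, e)
    f = der_children(der_tlv(key_der)[1])
    return int.from_bytes(f[1][1], "big"), int.from_bytes(f[2][1], "big")

def cert_fields(cert_der):
    # TBSCertificate members -> (issuer, subject, subjectPublicKeyInfo) as raw DER values.
    tbs = der_children(der_tlv(der_tlv(cert_der)[1])[1])
    if tbs[0][0] == 0xA0:  # explicit [0] version is optional and absent in a v1 cert like this one
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1], tbs[5][1]  # after serial and signature algorithm

def cert_public_key(cert_der):
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, BIT STRING { RSAPublicKey { n, e } } }
    bits = der_children(cert_fields(cert_der)[2])[1][1][1:]  # skip the "unused bits" octet
    n, e = der_children(der_tlv(bits)[1])
    return int.from_bytes(n[1], "big"), int.from_bytes(e[1], "big")

def is_self_signed(cert_der):
    # Ted's root test, issuer == subject, compared as DER bytes. This looks at the names only;
    # it does not verify the signature under the certificate's own key.
    issuer, subject, _ = cert_fields(cert_der)
    return issuer == subject

def check_private_key(cert_der, key_der):
    # What X509_check_private_key decides: the public key carried in the certificate must equal
    # the public part of the private key, otherwise you get "key values mismatch".
    return cert_public_key(cert_der) == rsa_private_public_part(key_der)

if __name__ == "__main__":
    cert, key = pem_to_der(CERT_PEM, "CERTIFICATE"), pem_to_der(KEY_PEM, "RSA PRIVATE KEY")
    print("issuer == subject:", is_self_signed(cert))
    print("key matches certificate:", check_private_key(cert, key))
    print("modulus bits:", cert_public_key(cert)[0].bit_length())
```

Hand check_private_key any RSA key other than the one this certificate was issued for and it returns False, which is the condition s_server reports as X509_check_private_key:key values mismatch. The PEM decoder deliberately insists on the BEGIN and END markers being separate lines, so pem_to_der(KEY_PEM.replace("\n", ""), "RSA PRIVATE KEY") raises just as PEM_read_bio does on a C string written without "\n".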
a couple of newbie questions regarding ssl lib
dear all:

i am new to the openssl library. after a couple of days of source code reading, my understanding is that one can either use bio (comes with the openssl lib) or the standard socket interface to connect the ssl protocol to the underlying tcp protocol. if i would like to use standard sockets to do that, the basic flow is as follows:

as tcp client:

    socket --- connect (blocked!) --- SSL_new               --- SSL_write
                                      SSL_set_fd                SSL_read (blocked!)
                                      SSL_connect (blocked!)

as tcp server:

    socket --- accept (blocked!) --- SSL_new              --- SSL_write
    bind                             SSL_set_fd               SSL_read (blocked!)
    listen                           SSL_accept (blocked!)

SSL_connect/SSL_accept implement a (pretty complicated) state machine that is used to do the ssl handshaking; for that purpose, these two functions are blocked multiple times on the underlying socket id. after SSL_connect/SSL_accept returns, the corresponding ssl link is established and ready for io. in the io phase, SSL_read will again be blocked on the underlying socket id until data for that link is available.

the questions i have are:

1. do i understand right?
2. if my understanding is correct, standard sockets work pretty well in this picture. why do we still need bio? what are the things that bio can do and the standard socket cannot?
3. anybody know if there is any doc available about the state machines implemented in SSL_connect/SSL_accept?

thanks a lot.

chong peng
ssl_select?
hello,

does anybody here know if there is an api similar to "select" in the regular socket api for open ssl?

thanks a lot.
RE: ssl_select?
thanks, dr. henson. maybe what i should ask is whether there is a way, in open ssl, to accomplish what select accomplishes in the regular socket api? by reading your answer to my question, i guess there are ways to do this. can you be a little bit more specific? what exactly is the OS's equivalent of select? and what are the several variations? if it will take too long for you to answer in an email, could you please give me a place to find relevant information?

many thanks in advance.

chong peng

-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 08, 2005 10:02 AM
To: openssl-users@openssl.org
Subject: Re: ssl_select?

On Tue, Nov 08, 2005, Chong Peng wrote:

> hello,
> does anybody here know if there is an api similar to "select" in the regular socket api for open ssl?

No there isn't. This would have to call the OSes equivalent of select anyway. There are several variations in use each with different properties used in different circumstances depending on the set of events you wish to monitor.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
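The socket diagram in "a couple of newbie questions regarding ssl lib" and the select question in this thread rest on one mechanism: on a non-blocking descriptor, SSL_connect, SSL_accept, SSL_read and SSL_write return -1 with SSL_get_error reporting SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, and it is the caller who then waits with the OS's select or poll and calls the same function again. A BIO is what lets that state machine run with no socket at all, which answers "what can bio do that the standard socket cannot". The following is an added example, not code from the posts or from OpenSSL: Python's standard ssl module (a wrapper over libssl) drives a client handshake over two memory BIOs until it reports WANT_READ, then parses the 5-byte record header of the ClientHello it produced, the header that SSL3_GET_RECORD inspects before reporting "wrong version number" in the "SSL_accept returns error" thread. Function names and the sample plaintext request are mine.

```python
# Added example (not code from the posts): OpenSSL driven over memory BIOs instead of a socket,
# the non-blocking signal (SSL_ERROR_WANT_READ, surfaced by Python as ssl.SSLWantReadError) that
# says "go back to select()", and the record header check behind "wrong version number".
# Nothing answers the client, so only its first flight (the ClientHello) is ever produced.
import ssl

HANDSHAKE, CLIENT_HELLO = 22, 1  # TLS record content type and handshake message type

def client_first_flight():
    # Client side only: the handshake reads from and writes to memory buffers, never a socket.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # offline: there is no peer name to compare against
    ctx.verify_mode = ssl.CERT_NONE  # offline: no server certificate will ever arrive
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        tls.do_handshake()
        raise RuntimeError("handshake cannot complete without a server")
    except ssl.SSLWantReadError:
        # OpenSSL wrote its flight into `outgoing` and now needs the ServerHello. With a socket
        # this is the moment to select()/poll() for readability and call the function again.
        pass
    return outgoing.read()  # bytes the application must now carry to the server itself

def parse_tls_record(data):
    # The 5-byte record header: content type, protocol version (major, minor), payload length.
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor = data[0], data[1], data[2]
    if major != 3:  # every SSL3/TLS record starts with major version 3; anything else is not TLS
        raise ValueError("wrong version number")
    length = int.from_bytes(data[3:5], "big")
    if len(data) < 5 + length:
        raise ValueError("truncated record")
    return {"type": ctype, "version": (major, minor), "length": length, "body": data[5:5 + length]}

def parse_client_hello_header(body):
    # Handshake message header (type, 24-bit length) followed by ClientHello.legacy_version.
    msg_type, msg_len = body[0], int.from_bytes(body[1:4], "big")
    return {"msg_type": msg_type, "msg_length": msg_len, "legacy_version": (body[4], body[5])}

if __name__ == "__main__":
    rec = parse_tls_record(client_first_flight())
    print("record:", rec["type"], rec["version"], rec["length"])
    print("client hello:", parse_client_hello_header(rec["body"]))
    try:
        parse_tls_record(b"GET / HTTP/1.0\r\n\r\n")  # constructed: plaintext sent to a TLS port
    except ValueError as err:
        print("plaintext record:", err)
```

The record-layer version printed for this first record is not the same field as the ClientHello's own legacy_version (3, 3); SSL3_GET_RECORD only looks at the record header, so plain HTTP or any other non-TLS bytes arriving on the listening port fail there with "wrong version number", as the constructed GET request shows.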