Re: How to disable index and serial?
Fredrik Strömberg wrote:

> Hello,
>
> I want to sign a certificate without using the index or serial files. Can someone tell me how to disable them? Not using -config makes openssl use the compiled default, and using my own while commenting out database and serial gives me the error "variable lookup failed for CA_default::database".
>
> If they can't be disabled I would like to know if there's a possibility to lock the files from openssl. Should that not work I need to implement my own file locking.
>
> (For the curious: I don't need serial because I only identify with CN, and I don't need a database because I will never revoke any certificates.)

In my understanding of your problem, the serial number of the certificate is always required, because you can generate more than one certificate for a given user identified with a given DN (and not CN). This arises because you issue, for example, a certificate valid from January 1st to March 31st, the next one valid from April 1st to June 30th, etc. The only way to distinguish these certificates is the serial number.

I hope this helps.

Best regards,
Dominique LOHEZ

> Any thoughts?
>
> Kind regards,
> Fredrik Strömberg

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE France
Phone : +33 (0)3 20 30 40 71
Email: dominique.lo...@isen.fr
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Multiple CRL with same issuer
PS wrote:

> Hi All,
>
> I was under the impression that openssl allows loading multiple CRLs for the same issuer. But this does not seem to be the case, as is proved by using openssl verify.
>
>     $ ls -l ./ca/
>     total 24
>     lrwxrwxrwx 1 pshah users   10 Jan 28 21:56 ba4bb3b6.0 -> cacert.pem - the CA cert
>     lrwxrwxrwx 1 pshah users   14 Jan 28 21:56 ba4bb3b6.r0 -> revoked_48.pem - revokes only cert48.pem
>     lrwxrwxrwx 1 pshah users   14 Jan 28 21:56 ba4bb3b6.r1 -> revoked_49.pem - revokes only cert49.pem
>     -rw-r--r-- 1 pshah users 1233 Jan 28 17:09 cacert.pem
>     -rw-r--r-- 1 pshah users  560 Jan 28 17:10 revoked_48.pem
>     -rw-r--r-- 1 pshah users  560 Jan 28 17:10 revoked_49.pem
>
>     $ openssl verify -CApath ./ca/ -crl_check -verbose cert49.pem
>     cert49.pem: OK
>
>     $ openssl verify -CApath ./ca/ -crl_check -verbose cert48.pem
>     cert48.pem: /C=--/ST=California/L=San Francisco/O=Riverbed Technology, Inc./OU=Steelhead/CN=hw1-sh18/emailaddress=fakeem...@example.com
>     error 23 at 0 depth lookup:certificate revoked
>     29615:error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table:x509_lu.c:418:

A CRL (Certificate Revocation List) is the list of ALL the revoked certificates at the time it is issued. So if at time t1 certificate 48 is revoked, then all the subsequent CRLs MUST indicate certificate 48 as revoked. If later, at time t2, certificate 49 is revoked, then all the subsequent CRLs MUST indicate that both certificate 48 and certificate 49 are revoked. Thus only the last CRL has to be considered.

Since the delivery times of the CRLs are close together, it is not easy to check in the example which is the last CRL.

> So, as seen above, the second CRL is not loaded (and I have confirmed this with gdb).
>
> A second related question is that even if openssl allowed loading multiple CRLs for the same issuer, it looks as if openssl will only use the first unexpired CRL from the list. There might be cases where you would have a fresher unexpired CRL which might not get picked, resulting in a wrong verification result.

If a CRL is expired, this means that a new CRL should have been delivered and you have not received it. To avoid dangerous forbidden access, every access should be forbidden.

To take into account unexpected urgent problems, a new CRL may be issued even when the previous one is not expired.

I hope this helps.

Dominique LOHEZ

> A third question is: what if I had two valid CRLs from the same issuer (CRL1 revokes cert 1 and CRL2 revokes cert 2)? Then when cert 2 is to be verified, it would wrongly be considered unrevoked.
>
> Thanks,
> Paras
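The rule described in the reply above, as an added example that is not part of the original thread and is not OpenSSL's lookup code: among the CRLs of one issuer only the most recently issued one is consulted, and an expired latest CRL fails closed. The struct, function names, issuer name and timestamps are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a parsed CRL (hypothetical struct, not an OpenSSL type). */
struct crl {
    const char *issuer;
    long this_update;     /* issue time, seconds on an arbitrary clock */
    long next_update;     /* time by which a newer CRL must exist      */
    const long *revoked;  /* serial numbers revoked as of this_update  */
    size_t n_revoked;
};

enum status { CERT_OK, CERT_REVOKED, CRL_UNAVAILABLE };

/* Among the CRLs of one issuer only the most recently issued one counts. */
static const struct crl *latest_crl(const struct crl *crls, size_t n, const char *issuer)
{
    const struct crl *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(crls[i].issuer, issuer) != 0)
            continue;
        if (best == NULL || crls[i].this_update > best->this_update)
            best = &crls[i];
    }
    return best;
}

enum status check_revocation(const struct crl *crls, size_t n,
                             const char *issuer, long serial, long now)
{
    const struct crl *c = latest_crl(crls, n, issuer);
    /* No CRL, or the latest one has expired: a newer list should exist
     * but was not received, so fail closed rather than guess. */
    if (c == NULL || now >= c->next_update)
        return CRL_UNAVAILABLE;
    for (size_t i = 0; i < c->n_revoked; i++)
        if (c->revoked[i] == serial)
            return CERT_REVOKED;
    return CERT_OK;
}

/* Constructed data. t1 = 1000: serial 48 revoked; t2 = 2000: serial 49 revoked. */
static const long ONLY_48[] = { 48 }, ONLY_49[] = { 49 }, BOTH[] = { 48, 49 };

/* Complete CRLs: the list issued at t2 still carries serial 48. */
const struct crl COMPLETE[] = {
    { "CN=Example CA", 1000, 11000, ONLY_48, 1 },
    { "CN=Example CA", 2000, 12000, BOTH, 2 },
};
/* Split CRLs as in the question: each list names a single serial. */
const struct crl SPLIT[] = {
    { "CN=Example CA", 1000, 11000, ONLY_48, 1 },
    { "CN=Example CA", 2000, 12000, ONLY_49, 1 },
};

int main(void)
{
    static const char *names[] = { "ok", "revoked", "no usable CRL" };
    printf("complete, serial 48: %s\n", names[check_revocation(COMPLETE, 2, "CN=Example CA", 48, 3000)]);
    printf("split,    serial 48: %s\n", names[check_revocation(SPLIT, 2, "CN=Example CA", 48, 3000)]);
    printf("expired,  serial 48: %s\n", names[check_revocation(COMPLETE, 2, "CN=Example CA", 48, 12000)]);
    return 0;
}
```

With the split lists, serial 48 comes back as not revoked because the later list no longer names it, which is why each CRL has to be complete.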
Re: Signature validation in certificates
The signature checking works like this:

The SIGNER (CA or SERVER) builds a digest with an appropriate algorithm, then encrypts the digest with its private key.

Within the certificate you know the digest algorithm, so you can build this digest and then decrypt the signature with the public key of the signer; this must be identical to the digest.

I hope this helps.

Dominique LOHEZ

Geetha_Priya wrote:

> I have read numerous certification related docs. Being new to this technology I don't find any material detailing the manual certificate validation [even the faq on the same heading], especially the key verification part. I also went through verify.c in openssl, but key verification is lost amongst the APIs.
>
> Here is my understanding of certificate validation:
>
> A root certificate [signed by CA] comprises version, serial num, issuer and subject details, public key algorithm details and a signature which is a hash of the rest of the cert details, further encrypted using the private key. This root cert is installed by browsers automatically.
>
> The web servers have their certificates signed by these CAs. When an https site is accessed, the server sends a server certificate that contains most of the above details (except for changed subject name/validity etc.) along with the signature and an RSA public key.
>
> Now for certificate validation:
>
> First we verify the credentials of issuer/common name etc.; that is clear to me.
>
> The second step is to match the signature, which I find a lil confusing. Here, do you use the public key to decrypt the signature portion of your root certificate and compare it with the decrypted portion of the server certificate (decrypted with the public key that appears in the server certificate)? Does this sound right? The root certificate has a public key and signature, and so does the server certificate.
>
> Please clarify, as I am manually trying to verify certificates. Are there any other C files within openssl which talk about the details of signature validation?
>
> Thanks for your help
>
> Regards
> Geetha
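The check described in the reply above, carried through for the two-certificate chain in the question, as an added example (not code from the thread or from OpenSSL). It assumes textbook RSA with tiny constructed keys and no padding, and a 64-bit FNV-1a hash standing in for the real digest algorithm; every struct and function name is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pubkey { uint64_t n, e; };
struct cert {
    char tbs[64];       /* signed fields: issuer and subject names          */
    struct pubkey key;  /* subject's public key, also covered by signature  */
    uint64_t sig;       /* made by the ISSUER with the issuer's private key */
};

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t n)
{
    uint64_t r = 1;     /* products fit in 64 bits: every modulus here is < 2^32 */
    for (b %= n; e; e >>= 1, b = b * b % n)
        if (e & 1) r = r * b % n;
    return r;
}

/* a^-1 mod m by the extended Euclidean algorithm; requires gcd(a, m) == 1. */
static uint64_t modinv(int64_t a, int64_t m)
{
    int64_t t = 0, nt = 1, r = m, nr = a, q, tmp;
    while (nr != 0) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + m : t);
}

/* Toy digest (64-bit FNV-1a) over everything except the signature. */
static uint64_t digest(const struct cert *c)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (const char *p = c->tbs; *p; p++)
        h = (h ^ (unsigned char)*p) * 0x100000001b3ULL;
    h = (h ^ c->key.n) * 0x100000001b3ULL;
    return (h ^ c->key.e) * 0x100000001b3ULL;
}

/* Signer: build the digest, then apply the signer's PRIVATE exponent d. */
void sign_cert(struct cert *c, struct pubkey signer, uint64_t d)
{
    c->sig = powmod(digest(c) % signer.n, d, signer.n);
}

/* Verifier: rebuild the digest, apply the signer's PUBLIC key to the signature, compare. */
int verify_cert(const struct cert *c, struct pubkey signer)
{
    return powmod(c->sig, signer.e, signer.n) == digest(c) % signer.n;
}

/* Constructed chain: a self-signed root and a server certificate it issued. */
void build_chain(struct cert *root, struct cert *server)
{
    const struct pubkey ca = { 65521ULL * 65537ULL, 17 };     /* toy primes   */
    const uint64_t ca_d = modinv(17, 65520LL * 65536LL);      /* CA's private */
    memset(root, 0, sizeof *root);
    memset(server, 0, sizeof *server);
    strcpy(root->tbs, "issuer=Toy Root CA;subject=Toy Root CA");
    root->key = ca;
    sign_cert(root, ca, ca_d);
    strcpy(server->tbs, "issuer=Toy Root CA;subject=www.example.test");
    server->key = (struct pubkey){ 8191ULL * 524287ULL, 65537 };
    sign_cert(server, ca, ca_d);   /* signed with the CA's key, not the server's */
}

int main(void)
{
    struct cert root, server;
    build_chain(&root, &server);
    printf("server cert checked with root key: %d, with its own key: %d\n",
           verify_cert(&server, root.key), verify_cert(&server, server.key));
    return 0;
}
```

The server certificate verifies under the root's public key and not under the key it carries itself: a certificate's signature is always checked with its issuer's public key, and only the self-signed root is checked with its own.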
Re: SSL_ACCEPT...!!! failure
Vinni wrote:

> Hello,
>
> I am using SSL_CTX_load_verify_locations() to load the CA certs.
>
> I have another question: how does SSL_accept actually get the client certificate? Does its internal function also fetch the CA certificate of the client, or does it check the CA list of its own that is set

The program must check that the issuer of the client certificate is a trusted CA. This is achieved by verifying that the signature of the certificate conforms to the information of the CA certificate.

> the above function?? Also, is it necessary to have the same name for CN and CA certificate? When I got the error, it showed the details of my client cert with issuer and subject. In issuer it displays all the details, whatever I filled in during creation, along with the CN name of the CA.
>
> Help me out... :-((
>
> Ambarish Mitra wrote:
>
>> vinni rathore wrote:
>>
>>> hi,
>>>
>>> I am stuck with the error "Unable to get local issuer certificate" and then "SSL3_GET_CLIENT_CERTIFICATE: peer certificate not return". I have created my own certificates using Openssl.exe. I have created CACert.pem, which is a self-signed CA certificate, and then two other certificates, one is ClientCert.pem and the other is ServerCert.pem, which are signed from the CACert.pem. I have created an OpenSSL server, and on the other side a client supporting another type of library (XySSL). There is no problem at the client side. Certificate loading succeeds, but verification fails with the above written error message.
>>
>> For some reason, the CA cert is not readable by the client. This looks like a coding error. Unless you give a minimal code snippet that has this problem, it would be difficult to answer. Have you used the function that sets the verify certificate?
>>
>>> I am using ssl_ctx and its APIs for certificate loading, and a callback function for verification using SSL_ctx_set_verify(ctx, PEER_Verification MODE, callback function). Am I doing something wrong ...??? Or is anything more required..???
>>
>> Minimal working code snippet.
>>
>>> please help..
>>>
>>> Thanks and regards,
Re: SSL_ACCEPT...!!! failure
Hi vinni,

As a hint, I will reformulate how I understand your problem.

The server cannot accept the client certificate because it cannot check that the certificate has been issued by a trusted CA. This arises because the CA certificate is not available, so the questions are:

1) Is the CA certificate available to your program?
2) If it is available, why does the program not use it?

I hope this helps.

Dominique

vinni rathore wrote:

> hi,
>
> I am stuck with the error "Unable to get local issuer certificate" and then "SSL3_GET_CLIENT_CERTIFICATE: peer certificate not return". I have created my own certificates using Openssl.exe. I have created CACert.pem, which is a self-signed CA certificate, and then two other certificates, one is ClientCert.pem and the other is ServerCert.pem, which are signed from the CACert.pem. I have created an OpenSSL server, and on the other side a client supporting another type of library (XySSL). There is no problem at the client side. Certificate loading succeeds, but verification fails with the above written error message.
>
> I am using ssl_ctx and its APIs for certificate loading, and a callback function for verification using SSL_ctx_set_verify(ctx, PEER_Verification MODE, callback function). Am I doing something wrong ...??? Or is anything more required..???
>
> please help..
>
> Thanks and regards,
> --
> regards,
> Vineeta Kumari
> Software engg
> Mobera Systems
> Chandigarh
Re: [Base64 Decoding] Bug when decoding??
Hello Karim,

The line must be at most 64 octets long. Using the file essai.pem, where the unique line has been split in three, the command

    openssl enc -base64 -d -in essai.pem

works. But be careful: most of the characters are not printable.

karim Bendadda wrote:

> Hi All,
>
> I'm trying to decode a Base64 encoded string, using the openssl decoding command:
>
>     echo nnnKZdKOQMmVpLEOBqNU3L07ELMSoQxW0z7SvgZBmwXpjvMYPqnSMaWy9vu6NFUHGc40nhLbaFe8vI159nZHHdMOssHyfI6kzXljRolfrSX6bNjcMvfy7k5J+2xo451u= | openssl enc -base64 -d
>
> I got no result! Nothing!!! I tried to decode this string on an online base64 decoder, http://webnet77.com/cgi-bin/helpers/base-64.pl, and it's ok!! I have the correct string (which is an encrypted string).
>
> What's wrong with the openssl command???
>
> Thank you for help.
>
> --
> Karim

--
Dr Dominique LOHEZ
Re: [Base64 Decoding] Bug when decoding??
You have to write a loop:

1) extract the first 64 bytes from the coded string and copy them to a working buffer
2) convert the working buffer to an at most 48-byte result buffer
3) copy the working buffer to the result
4) continue with the next 64 bytes of the input string

karim Bendadda wrote:

> Hi Dominique,
>
> First I'd like to thank you for your quick answer. You're right, it works well when splitting. I'd like now to do it using the openssl API (I found the function below on the web). This function works well for input of at most 64 bytes. Do I have to do a manual split where the input is at least 64 bytes long? Are there any methods (an OpenSSL function for example) to do it automatically???
>
> Thank you for your efforts.
>
>     #include <stdlib.h>
>     #include <string.h>
>     #include <openssl/bio.h>
>     #include <openssl/evp.h>
>
>     char *unbase64(unsigned char *input, int length)
>     {
>         BIO *b64, *bmem;
>         /* Decoded data is never longer than the encoded input. */
>         char *buffer = (char *)malloc(length);
>         memset(buffer, 0, length);
>         /* Base64 filter BIO chained in front of a memory BIO over the input. */
>         b64 = BIO_new(BIO_f_base64());
>         bmem = BIO_new_mem_buf(input, length);
>         bmem = BIO_push(b64, bmem);
>         BIO_read(bmem, buffer, length);
>         BIO_free_all(bmem);
>         return buffer;
>     }
>
> --
> Karim

--
Dr Dominique LOHEZ
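The loop from the reply above written out, as an added example that is not part of the original thread: it uses a small self-contained decoder instead of OpenSSL calls, and the function names and the sample string are constructed for illustration. It assumes the input is one unbroken base64 line whose length is a multiple of four.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: 72 base64 characters on a single line, longer than the
 * 64-character limit discussed above. Decodes to "ABC" x 17 followed by "AB". */
static const char SAMPLE_B64[] =
    "QUJDQUJDQUJDQUJD" "QUJDQUJDQUJDQUJD" "QUJDQUJDQUJDQUJD" "QUJDQUJDQUJDQUJD"
    "QUJDQUI=";

/* Value of one base64 character, or -1 if it is outside the alphabet. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Step 2: convert one working buffer of n <= 64 characters into at most
 * 48 bytes. '=' padding is accepted only at the very end of the input. */
static int decode_chunk(const char *w, size_t n, int last, unsigned char *out)
{
    size_t i, o = 0;
    if (n == 0 || n > 64 || n % 4 != 0) return -1;
    for (i = 0; i < n; i += 4) {
        int v[4], k, pad = 0;
        for (k = 0; k < 4; k++) {
            unsigned char c = (unsigned char)w[i + k];
            if (c == '=' && last && i + 4 == n && k >= 2) { pad++; v[k] = 0; continue; }
            if (pad || (v[k] = b64_value(c)) < 0) return -1;
        }
        out[o++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (pad < 2) out[o++] = (unsigned char)((v[1] << 4) | (v[2] >> 2));
        if (pad < 1) out[o++] = (unsigned char)((v[2] << 6) | v[3]);
    }
    return (int)o;
}

/* Steps 1-4 of the loop: returns the decoded length, or -1 on malformed
 * input or when the result would not fit in `cap` bytes. */
long unbase64_chunked(const char *in, size_t len, unsigned char *out, size_t cap)
{
    size_t pos = 0, total = 0;
    while (pos < len) {
        char work[64];
        unsigned char res[48];
        size_t n = len - pos > 64 ? 64 : len - pos;
        int got;
        memcpy(work, in + pos, n);                          /* 1) working buffer     */
        got = decode_chunk(work, n, pos + n == len, res);   /* 2) at most 48 bytes   */
        if (got < 0 || total + (size_t)got > cap) return -1;
        memcpy(out + total, res, (size_t)got);              /* 3) append to result   */
        total += (size_t)got;
        pos += n;                                           /* 4) next 64 characters */
    }
    return (long)total;
}

int main(void)
{
    unsigned char out[64];
    long n = unbase64_chunked(SAMPLE_B64, strlen(SAMPLE_B64), out, sizeof out);
    printf("decoded %ld bytes: %.*s\n", n, (int)(n > 0 ? n : 0), (const char *)out);
    return 0;
}
```

OpenSSL's base64 BIO also has the BIO_FLAGS_BASE64_NO_NL flag, and openssl enc the -A option, for base64 data supplied on one line without line breaks.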
Re: Apache: modssl SSLRequire
Olaf Gellert wrote:

> Dominique Lohez wrote:
>
>> You use the directive Order deny,allow, so the deny directives are evaluated before the allow directives, and furthermore everything which is not denied is allowed.
>>
>> I suggest you should use the Order allow,deny directive, so that everything which is not allowed is denied.
>
> Thanx for this hint. I changed it to allow,deny but it does not change the result: the server still grants access to the wrong certificate. Hmmm... Still don't know what I am doing wrong. Here's my complete actual config (if someone really would want to look at it) ;-)
>
> Seems as if the SSLRequire never comes into effect (even if I compare the CN with Foo instead of Testuser, access is allowed)...

In fact the Allow from localhost directive should be removed, or the test should be carried out from another host: since this directive is matched by the test connection, the other directives are considered and so the SSLRequire directive is not used.

Dominique
Re: Apache: modssl SSLRequire
Olaf Gellert wrote:

> Hi,
>
> somewhat off topic, but as there are so many users of Apache/ModSSL around here (and I already asked on the modssl mailing list):
>
> I want an Apache SSL server to request client authentication. This works. Additionally I want to restrict access only to certain users with a valid certificate. So I use SSLRequire for the document root directory of the server:
>
>     SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
>     <Directory /home/apache/htdocs/ssltest>
>         AllowOverride None
>         Options +FollowSymLinks +Includes
>         Satisfy all
>         Order deny,allow
>         Deny from all
>         Allow from localhost
>         SSLVerifyClient require
>         SSLVerifyDepth 3
>         SSLRequireSSL
>         SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
>                      %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
>                      %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
>     </Directory>
>
> But I can still access the server with a client certificate that has testuser2 (different from Testuser!) as SSL_CLIENT_S_DN_CN (this certificate was issued by the correct CA, but the SSLRequire should deny access). The SSL_CLIENT_S_DN_CN is set correctly in the Apache environment (I print that on the webpage using the SSI command printenv).
>
> What else could I have missed?
>
> Thanx for help, cheers,
> Olaf

You use the directive Order deny,allow, so the deny directives are evaluated before the allow directives, and furthermore everything which is not denied is allowed.

I suggest you should use the Order allow,deny directive, so that everything which is not allowed is denied.

--
Dr Dominique LOHEZ
Re: Encrypt in Java and decrypt in Openssl (and vice versa)
uno wand wrote:

> From: Dr. Stephen Henson [EMAIL PROTECTED]
>
>> The block size of AES is 128 bits, you therefore need 16 characters or 32 hex digits in the IV.
>>
>> Steve.
>
> Thanks for the reply. I figured that out earlier too, by re-reading the documentation I have on hand. I always had the impression that if I do in Java
>
>     Cipher cipher = Cipher.getInstance("AES");
>
> it is equivalent to
>
>     Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
>
> That is obviously not true. After changing that, that helped a bit. And after changing the IV to 16 bytes, I got something going. Now, the IV is hard-coded to
>
>     unsigned char * _iv[16];
>     for (int i = 0; i < 16; i++) _iv[i] = '1' + i;
>
> in both Java and C. But it's still not totally right. An encrypted msg (just text) from Java is decoded almost correctly. The msg consists of multiple lines of text string, but after decrypting it, the first line always gets screwed up and I get garbage. All other lines are decrypted correctly.
>
> But an encrypted msg from Openssl is decrypted in Java half correctly, meaning that if I have 8 lines of string, I get about 4 lines correct, the others are garbage. And the order is indeterminate: the first line is always screwed up, the second line is ok sometimes, not ok other times. Same for the other lines.
>
> I really have no clue why it's like that. I mean, you either decrypt the whole message correctly, or you don't. I really don't understand how I got partially correct decryption :(
>
> thanks for all.
> uw

This could be due to the fact that in JAVA characters are coded in UNICODE (each character uses 2 bytes), while in C each character is coded with only one byte.

This could be checked from JAVA by squeezing the first byte of each character. In C you have to add the 0x00 byte before each character.

--
Dr Dominique LOHEZ
Re: OpenSSL use into java applet
Angel Martinez Gonzalez wrote:

> Hello:
>
> Sorry for my English. I have native methods written in C that use openssl functions. These native methods are invoked in a java applet through JNI, but it doesn't work. I think that my applet doesn't find some .dll or .lib from OpenSSL, but I don't know how to do it.
>
> I use Microsoft Visual Studio 6.0 to build my native methods, and here I set the library modules libeay32.lib and ssleay32.lib; the additional library path D:\openssl-0.9.7e\out32dll; and the additional include directory D:\openssl-0.9.7e\inc32. Then I build a dll that is loaded from my java applet.
>
> The whole program works fine from a java application that uses JNI to invoke these native methods, but from an applet it doesn't work.

This sounds like a security restriction related to the use of an applet. This can be worked around by putting all the programs needed to run the applet in a UNIQUE jar file.

Dominique LOHEZ

> Can somebody help me?
>
> Thanks.
>
> Regards.
Re: problem with revocation
François NOEL wrote:

> Hi
>
> I have some problems with revoking certs. When I type:
>
>     openssl ca -config ./openssl.cnf -revoke ./newcerts/NOEL_Francois.pem -verbose
>
> that updates my index.txt, but I don't get anything in my crl/ca.crl file:
>
>     [EMAIL PROTECTED]:/home/fanfan/public_html/certif_env/essai_env# openssl crl -in crl/ca.crl -noout -text
>     Certificate Revocation List (CRL):
>         Version 1 (0x0)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: /C=FR/ST=Calvados/O=Ingelis/OU=Stage/L=CAEN/CN=NOEL_Francois/[EMAIL PROTECTED]
>         Last Update: Mar 22 13:02:01 2005 GMT
>         Next Update: Apr 21 13:02:01 2005 GMT
>     No Revoked Certificates.
>         Signature Algorithm: md5WithRSAEncryption
>         XX:XX:XX...

The CRL is not automatically generated each time you revoke a certificate. You must create it with a command such as

    openssl ca -gencrl

A complete description of the options is given here:
http://www.openssl.org/docs/apps/ca.html#CRL_OPTIONS

regards
Dominique
Re: problem with revocation
François NOEL wrote:

> Dominique Lohez wrote:
>
>> The CRL is not automatically generated each time you revoke a certificate. You must create it with a command such as
>>
>>     openssl ca -gencrl
>>
>> A complete description of the options is given here:
>> http://www.openssl.org/docs/apps/ca.html#CRL_OPTIONS
>>
>> regards
>> Dominique
>
> I did that:
>
>     openssl ca -config openssl.cnf -out crl/ca.crl -gencrl
>
> before revoking any certs, and it doesn't work any more.

You must build the CRL when at least one certificate has been revoked.

Dominique
Error : name does not match
Hello,

I tried the following OpenSSL command:

    /usr/local/openssl/bin/openssl ca -revoke \/usr\/local\/openca\.0\.9\.2\/openca\/var\/tmp\/29573_3_cert\.pem -config /usr/local/openca.0.9.2/openca/etc/openssl/openssl.cnf -passin env:pwd

and I get the following error message:

    Using configuration from /usr/local/openca.0.9.2/openca/etc/openssl/openssl.cnf
    ERROR:name does not match /member-body=FR/1.2.3.4=ISEN/1.2.3.4.5=Lille/1.2.3.4.5.6.7=tester0/serialNumber=3

What is the intended meaning of the error message "name does not match"?

Sincerely yours

--
Dr Dominique LOHEZ