RE: [Fwd: Re: Queries over OpenSSL programs]
Gayathri Sundar,

Thanks for your help.

-Rohan

> Hi there,
>
> Can anybody please tell me where I can find the answers to these
> questions?
>
> Thanks
> -Rohan
>
> -------- Original Message --------
> Subject: Re: Queries over OpenSSL programs
> From: "Rohan Shrivastava" <[EMAIL PROTECTED]>
> Date: Wed, June 8, 2005 8:03 am
> To: openssl-users@openssl.org
> --
>
> Riaz,
> Thanks for the help,
> I am able to dump the packets using ssldump.
>
> Some of my queries are still unanswered.
> I am pasting them here again.
>
>>> [#]. If they are able to communicate in a secured session,
>>> then how come they completed the SSL handshake without a random number
>>> source (I think it is required at the time of the handshake)?
>
> The default random file is /dev/urandom in Linux .. check the
> environment variable rand and see where it's pointing to.
>>>
>>> [#]. How can I authenticate clients (any sample code will help me a
>>> lot), or what is the function used for asking for the client's certificate?
>
> There is an option in SSL that can be set either in the SSL_CTX or
> in the SSL object, depending on whether you need to enforce "client auth"
> always or based on certain requirements. If set in the CTX it is
> always enforced.
>
>     SSL_CTX_set_verify(pSSLCtx, SSL_VERIFY_PEER,
>                        client_cert_verify_callback);
>
>     SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
>                    client_cert_verify_callback);
>
> This callback function will be executed when the client cert is sent to
> the server. Once this option is set, SSL_accept will automatically prompt
> for a client cert.
>>>
>>> [#]. Is loading the CA list required at the server/client (as here I
>>> did not load it)? If required, then how can I create such a list, as I am
>>> using this in a local network?
>
> This is not mandatory; it depends on what ctx/sslobj options you have set.
> You can use the openssl tools to generate the same.
>>>
>>> [#]. Also, can I place the code here?
>>>
>>>
> Thanks
> -Rohan
>
>> use ssldump or tcpdump to view if the connection is being established in
>> a secure manner
>>
>> On 6/7/05, Rohan Shrivastava <[EMAIL PROTECTED]> wrote:
>>>
>>> Hello,
>>>
>>> I am new to OpenSSL programming through C.
>>>
>>> This is my first program, so I am not sure whether
>>> I have achieved a secure session between client and server or not, though
>>> they are able to communicate using the SSL_write/read functions.
>>>
>>> This is how I did things:
>>>
>>> At the server I loaded the certificate & private key, & after accepting the
>>> TCP connection I accepted the SSL session request
>>> & then started communicating with the client.
>>>
>>> At the client I just used the SSLv3_method() & SSL_CTX_new() functions to get
>>> a new ctx object.
>>> Here, after setting up the TCP connection, I initiated the SSL connection
>>> request, & on success it communicates with the server.
>>>
>>> I tried to load a random file with the following code, but could not get
>>> through, so I did without a random source (for both client & server).
>>>
>>>     #include <stdio.h>
>>>     #include <stdlib.h>
>>>     #include <openssl/rand.h>
>>>
>>>     #define RANDOM "/dev/random"
>>>
>>>     /* seed the PRNG with up to 1 MiB read from RANDOM;
>>>      * RAND_load_file() returns the byte count, or 0 / -1 on failure */
>>>     if (RAND_load_file(RANDOM, 1024 * 1024) <= 0) {
>>>         printf("\n Error in loading random file");
>>>         exit(0);
>>>     }
>>>
>>>
>>> I generated the certificate & keys with the following commands:
>>>
>>>     openssl genrsa -out key.pem 1024
>>>     openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem
>>>
>>> Now my queries are:
>>>
>>> [#]. How can I be sure that the session is secure?
>>>
>>> [#]. If they are able to communicate in a secured session,
>>> then how come they completed the SSL handshake without a random number
>>> source (I think it is required at the time of the handshake)?
>>>
>>> [#]. How can I authenticate clients (any sample code will help me a
>>> lot), or what is the function used for asking for the client's certificate?
>>>
>>> [#]. Is loading the CA list required at the server/client (as here I did
>>> not load it)? If required, then how can I create such a list, as I am using
>>> this in a local network?
>>>
>>> [#]. Also, can I place the code here?
>>>
>>>
>>> Any help will be highly appreciated
>>>
>>> Thanks
>>> -Rohan
>>>
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> User Support Mailing List                    openssl-users@openssl.org
>>> Automated List Manager                           [EMAIL PROTECTED]
>>>
>>
>>
>>
>> --
>> Thank you,
>> Best Regards
>> Riaz Ur Rahaman
>>
RE: [Fwd: Re: Queries over OpenSSL programs]
Hi there,

Can anybody please tell me where I can find the answers to these
questions?

Thanks
-Rohan

-------- Original Message --------
Subject: Re: Queries over OpenSSL programs
From: "Rohan Shrivastava" <[EMAIL PROTECTED]>
Date: Wed, June 8, 2005 8:03 am
To: openssl-users@openssl.org
--

Riaz,
Thanks for the help,
I am able to dump the packets using ssldump.

Some of my queries are still unanswered.
I am pasting them here again.

>> [#]. If they are able to communicate in a secured session,
>> then how come they completed the SSL handshake without a random number
>> source (I think it is required at the time of the handshake)?

The default random file is /dev/urandom in Linux .. check the
environment variable rand and see where it's pointing to.
>>
>> [#]. How can I authenticate clients (any sample code will help me a
>> lot), or what is the function used for asking for the client's certificate?

There is an option in SSL that can be set either in the SSL_CTX or
in the SSL object, depending on whether you need to enforce "client auth"
always or based on certain requirements. If set in the CTX it is
always enforced.

    SSL_CTX_set_verify(pSSLCtx, SSL_VERIFY_PEER,
                       client_cert_verify_callback);

    SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
                   client_cert_verify_callback);

This callback function will be executed when the client cert is sent to
the server. Once this option is set, SSL_accept will automatically prompt
for a client cert.
>>
>> [#]. Is loading the CA list required at the server/client (as here I
>> did not load it)? If required, then how can I create such a list, as I am
>> using this in a local network?

This is not mandatory; it depends on what ctx/sslobj options you have set.
You can use the openssl tools to generate the same.
>>
>> [#]. Also, can I place the code here?

Thanks
-Rohan

> use ssldump or tcpdump to view if the connection is being established in
> a secure manner
>
> On 6/7/05, Rohan Shrivastava <[EMAIL PROTECTED]> wrote:
>>
>> Hello,
>>
>> I am new to OpenSSL programming through C.
>>
>> This is my first program, so I am not sure whether
>> I have achieved a secure session between client and server or not, though
>> they are able to communicate using the SSL_write/read functions.
>>
>> This is how I did things:
>>
>> At the server I loaded the certificate & private key, & after accepting the
>> TCP connection I accepted the SSL session request
>> & then started communicating with the client.
>>
>> At the client I just used the SSLv3_method() & SSL_CTX_new() functions to get
>> a new ctx object.
>> Here, after setting up the TCP connection, I initiated the SSL connection
>> request, & on success it communicates with the server.
>>
>> I tried to load a random file with the following code, but could not get
>> through, so I did without a random source (for both client & server).
>>
>>     #include <stdio.h>
>>     #include <stdlib.h>
>>     #include <openssl/rand.h>
>>
>>     #define RANDOM "/dev/random"
>>
>>     /* seed the PRNG with up to 1 MiB read from RANDOM;
>>      * RAND_load_file() returns the byte count, or 0 / -1 on failure */
>>     if (RAND_load_file(RANDOM, 1024 * 1024) <= 0) {
>>         printf("\n Error in loading random file");
>>         exit(0);
>>     }
>>
>>
>> I generated the certificate & keys with the following commands:
>>
>>     openssl genrsa -out key.pem 1024
>>     openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem
>>
>> Now my queries are:
>>
>> [#]. How can I be sure that the session is secure?
>>
>> [#]. If they are able to communicate in a secured session,
>> then how come they completed the SSL handshake without a random number
>> source (I think it is required at the time of the handshake)?
>>
>> [#]. How can I authenticate clients (any sample code will help me a
>> lot), or what is the function used for asking for the client's certificate?
>>
>> [#]. Is loading the CA list required at the server/client (as here I did
>> not load it)? If required, then how can I create such a list, as I am using
>> this in a local network?
>>
>> [#]. Also, can I place the code here?
>>
>>
>> Any help will be highly appreciated
>>
>> Thanks
>> -Rohan
>>
>
>
>
> --
> Thank you,
> Best Regards
> Riaz Ur Rahaman
>
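The answers in this thread on client authentication (the SSL_CTX_set_verify / SSL_set_verify options) and on building a CA list for a local network can be exercised end to end before any C is written. What follows is an added example, not code from the thread or from the OpenSSL project: an sh script that drives the openssl CLI (assumed to be 1.1.1 or 3.x and on PATH) to create a private CA, issue a server and a client certificate from it, check which certificates chain to that CA in the same way a server holding that CA list would, and run a mutual-TLS handshake between `openssl s_server -Verify` and `openssl s_client`. The scratch directory, the subject names "Local Test CA", client1 and rogue, the file names and the loopback port 4433 are made-up values for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA for a local network,
# certs issued from it, and a server that only admits clients it can chain
# to that CA. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; LAB,
# "Local Test CA", client1, rogue and port 4433 are made-up values.
set -u

LAB="${LAB:-$(mktemp -d)}"      # scratch dir for keys and certs
PORT="${PORT:-4433}"            # loopback port for the handshake demo

# One config file so nothing depends on the system openssl.cnf:
# ca_ext marks the root as a CA, leaf_ext marks issued certs as end entities.
write_cnf() {
    cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Local Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
EOF
}

# make_ca: self-signed root; ca.pem is the "CA list" the server will load.
make_ca() {
    write_cnf
    openssl genrsa -out "$LAB/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$LAB/ca.key" -config "$LAB/lab.cnf" \
        -days 3650 -out "$LAB/ca.pem"
}

# issue_cert NAME CN: key + CSR for NAME, signed by the lab CA.
issue_cert() {
    openssl genrsa -out "$LAB/$1.key" 2048 2>/dev/null
    openssl req -new -key "$LAB/$1.key" -config "$LAB/lab.cnf" \
        -subj "/CN=$2" -out "$LAB/$1.csr"
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
        -CAcreateserial -days 365 -extfile "$LAB/lab.cnf" -extensions leaf_ext \
        -out "$LAB/$1.pem" 2>/dev/null
}

# self_signed NAME: what `openssl req -x509` on a fresh key gives you, i.e.
# the kind of certificate the original post generated; no CA vouches for it.
self_signed() {
    openssl genrsa -out "$LAB/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$LAB/$1.key" -config "$LAB/lab.cnf" \
        -subj "/CN=$1" -days 365 -out "$LAB/$1.pem"
}

# chain_ok NAME: succeeds only if NAME.pem chains to the lab CA. This is the
# check a server performs on a client cert once ca.pem is its CA list.
chain_ok() {
    openssl verify -CAfile "$LAB/ca.pem" "$LAB/$1.pem" >/dev/null 2>&1
}

# mtls_handshake NAME: s_server with -Verify (client cert mandatory) and
# s_client presenting NAME's cert; prints protocol, cipher and verify result.
mtls_handshake() {
    openssl s_server -accept "$PORT" -cert "$LAB/server.pem" \
        -key "$LAB/server.key" -CAfile "$LAB/ca.pem" -Verify 1 -www \
        >/dev/null 2>&1 &
    srv=$!
    sleep 1
    openssl s_client -connect "127.0.0.1:$PORT" -cert "$LAB/$1.pem" \
        -key "$LAB/$1.key" -CAfile "$LAB/ca.pem" </dev/null 2>&1 \
        | grep -E 'Protocol|Cipher|Verify return code'
    kill "$srv"
}

if [ "${1:-}" = "demo" ]; then
    make_ca
    issue_cert server localhost
    issue_cert client1 client1
    self_signed rogue
    chain_ok client1 && echo "client1.pem: issued by Local Test CA, accepted"
    chain_ok rogue   || echo "rogue.pem: self-signed, not in CA list, rejected"
    mtls_handshake client1
fi
```

Run it as `sh mtls-lab.sh demo`. The self-signed certificate made with `openssl req -x509` alone, as in the original post, fails the chain check because nothing in the CA list vouched for it; that is why a server that wants client auth must load the issuing CA, not just its own certificate and key. On the API side the two switches map to `SSL_CTX_load_verify_locations(ctx, "ca.pem", NULL)` for `-CAfile` and `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, cb)` for `-Verify`; `SSL_VERIFY_PEER` by itself makes a server request a certificate but still completes the handshake when the client sends none, so the `FAIL_IF_NO_PEER_CERT` flag is what actually enforces client authentication. The `Verify return code` line that s_client prints is the value `SSL_get_verify_result()` returns in a program, and is the quickest answer to "how can I be sure the session is secure" beyond watching the handshake in ssldump.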