[Fwd: Re: Queries over OpenSSL programs]


[Fwd: Re: Queries over OpenSSL programs]

Rohan Shrivastava
Hi there,

Can anybody please tell me
where I can find the answers to these questions?

Thanks
-Rohan


---------------------------- Original Message ----------------------------
Subject: Re: Queries over OpenSSL programs
From:    "Rohan Shrivastava" <[hidden email]>
Date:    Wed, June 8, 2005 8:03 am
To:      [hidden email]
--------------------------------------------------------------------------

Riaz,
Thanks for the help,
I am able to dump the packets using ssldump.

Some of my queries are still unanswered.
I am again pasting it here.

>> [#]. If they are able to communicate in a secured session,
>> then how come they completed SSL handshake without random number source
>> (I think it is required at time of Handshake)?
>>
>> [#]. How can I authenticate Clients (any sample code will help me a
>> lot) or what is function used for asking Client's certificate ?
>>
>> [#]. Is the loading CAs list, required at the server/client (as here I
>> did not load) ,if required then how can I create such list as I am
>> using this in local network?
>>
>> [#]. Also can I place the code here?


Thanks
-Rohan



> use ssldump or tcpdump to view if the connection is being established in
> a secure manner
>
> On 6/7/05, Rohan Shrivastava <[hidden email]> wrote:
>>
>> Hello,
>>
>> I am new to OpenSSL programming through C.
>>
>> This is my first program, so I am not sure whether
>> I have achieved secure session between client and server or not, though
>> they are able to communicate using SSL_write/read functions.
>>
>> This is how I did the things
>>
>> At server I loaded certificate & private key & after accepting
>> TCP connection I accepted SSL session request.
>> & then started communicating with Client.
>>
>> At client I just used SSLv3_method() & SSL_CTX_new() functions to get new
>> ctx object.
>> Here after setting up TCP connection I initiated SSL connection
>> request, & on success it communicates with server.
>>
>> I tried to load Random file with the following code, but could not get
>> through, so I did without random source (for both client & server).
>>
>> #define RANDOM "/dev/random"
>>
>> if (!(RAND_load_file(RANDOM,1024*1024))) {
>> printf("\n Error in loading random file");
>> exit(1);
>> }
>>
>>
>> I generated Certificate & Keys with the following commands
>>
>> openssl genrsa -out key.pem 1024
>> openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem
>>
>> Now my queries are:
>>
>> [#]. How can I be sure that session is secure?
>>
>> [#]. If they are able to communicate in a secured session,
>> then how come they completed SSL handshake without random number source
>> (I think it is required at time of Handshake)?
>>
>> [#]. How can I authenticate Clients (any sample code will help me a
>> lot) or what is function used for asking Client's certificate ?

>>
>> [#]. Is the loading CAs list, required at the server/client (as here I did
>> not load) ,if required then how can I create such list as I am using this
>> in local network?
>>
>> [#]. Also can I place the code here?
>>
>>
>> Any help will be highly appreciated
>>
>> Thanks
>> -Rohan
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    [hidden email]
>> Automated List Manager                           [hidden email]
>>
>
>
>
> --
> Thank you,
> Best Regards
> Riaz Ur Rahaman
>


RE: [Fwd: Re: Queries over OpenSSL programs]

Gayathri Sundar-2
Hi there,

Can anybody please tell me
where I can find the answers to these questions?

Thanks
-Rohan


---------------------------- Original Message ----------------------------
Subject: Re: Queries over OpenSSL programs
From:    "Rohan Shrivastava" <[hidden email]>
Date:    Wed, June 8, 2005 8:03 am
To:      [hidden email]
--------------------------------------------------------------------------

Riaz,
Thanks for the help,
I am able to dump the packets using ssldump.

Some of my queries are still unanswered.
I am again pasting it here.

>> [#]. If they are able to communicate in a secured session,
>> then how come they completed SSL handshake without random number
>> source (I think it is required at time of Handshake)?

the default random file is in /dev/urandom in linux .. check the
environment variable rand and see where it's pointing to.

>>
>> [#]. How can I authenticate Clients (any sample code will help me a
>> lot) or what is function used for asking Client's certificate ?

There is an option in SSL that can be set either in the SSL_CTX or
in the SSLOBJECT depending on whether you need to enforce "client auth"
always or based on certain requirement. If set in CTX it is
always enforced.

SSL_CTX_set_verify(pSSLCtx, SSL_VERIFY_PEER,
                  client_cert_verify_callback);

SSL_set_verify(pSSL,SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
                client_cert_verify_callback);

this callback function will be executed when the client cert is sent to
the server, once this option is set, SSL_accept will automatically prompt
for a client cert.

>>
>> [#]. Is the loading CAs list, required at the server/client (as here I
>> did not load) ,if required then how can I create such list as I am
>> using this in local network?

This is not mandatory; it depends on what ctx/sslobj options you have set.
You can use openssl tools to generate the same.
>>
>> [#]. Also can I place the code here?


Thanks
-Rohan



> use ssldump or tcpdump to view if the connection is being established in
> a secure manner
>
> On 6/7/05, Rohan Shrivastava <[hidden email]> wrote:
>>
>> Hello,
>>
>> I am new to OpenSSL programming through C.
>>
>> This is my first program, so I am not sure whether
>> I have achieved secure session between client and server or not, though
>> they are able to communicate using SSL_write/read functions.
>>
>> This is how I did the things
>>
>> At server I loaded certificate & private key & after accepting
>> TCP connection I accepted SSL session request.
>> & then started communicating with Client.
>>
>> At client I just used SSLv3_method() & SSL_CTX_new() functions to get new
>> ctx object.
>> Here after setting up TCP connection I initiated SSL connection
>> request, & on success it communicates with server.
>>
>> I tried to load Random file with the following code, but could not get
>> through, so I did without random source (for both client & server).
>>
>> #define RANDOM "/dev/random"
>>
>> if (!(RAND_load_file(RANDOM,1024*1024))) {
>> printf("\n Error in loading random file");
>> exit(1);
>> }
>>
>>
>> I generated Certificate & Keys with the following commands
>>
>> openssl genrsa -out key.pem 1024
>> openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem
>>
>> Now my queries are:
>>
>> [#]. How can I be sure that session is secure?
>>
>> [#]. If they are able to communicate in a secured session,
>> then how come they completed SSL handshake without random number source
>> (I think it is required at time of Handshake)?
>>
>> [#]. How can I authenticate Clients (any sample code will help me a
>> lot) or what is function used for asking Client's certificate ?

>>
>> [#]. Is the loading CAs list, required at the server/client (as here I did
>> not load) ,if required then how can I create such list as I am using this
>> in local network?
>>
>> [#]. Also can I place the code here?
>>
>>
>> Any help will be highly appreciated
>>
>> Thanks
>> -Rohan
>>
>>
>
>
>
> --
> Thank you,
> Best Regards
> Riaz Ur Rahaman
>

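The "CAs list" asked about above is just a CA certificate file that the server hands to SSL_CTX_load_verify_locations() before SSL_CTX_set_verify() is called; Gayathri's answer is that the openssl tools can generate it. The script below is an added example, not code from this thread or from the OpenSSL project: it builds a throwaway local CA, issues a server and a client certificate from it, and checks each against the CA file the same way the server-side verification will. The last check shows that a self-signed certificate like the original poster's server_crt.pem does not pass such a check. The PKI_DIR location, the file names and the CN values are constructed for this example; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): create a minimal local CA and issue
# server/client certificates that an OpenSSL server configured with
# SSL_VERIFY_PEER can check against a CA file. Paths and names are constructed.
set -e

PKI_DIR="${PKI_DIR:-./localpki}"   # assumed output directory

# Create the local CA: an unencrypted RSA key and a self-signed CA certificate.
make_local_ca() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -sha256 -days 365 \
        -subj "/CN=Local Test CA" -out "$dir/ca.pem" 2>/dev/null
}

# Issue an end-entity certificate (server or client) signed by the local CA.
issue_cert() {
    dir=$1; name=$2
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$dir/$name.pem" 2>/dev/null
}

# Return 0 if the certificate chains to ca.pem, non-zero otherwise.
# The printed result is checked rather than the exit status because old
# OpenSSL releases returned 0 from 'openssl verify' even on failure.
verify_against_ca() {
    dir=$1; cert=$2
    openssl verify -CAfile "$dir/ca.pem" "$cert" 2>&1 | grep -q ': OK$'
}

build_pki() {
    dir=$1
    mkdir -p "$dir"
    make_local_ca "$dir"
    issue_cert "$dir" server
    issue_cert "$dir" client1
    # A self-signed certificate, like the poster's server_crt.pem, that the
    # CA never issued; it must not be accepted.
    openssl genrsa -out "$dir/selfsigned.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/selfsigned.key" -days 365 \
        -subj "/CN=selfsigned" -out "$dir/selfsigned.pem" 2>/dev/null
}

report() {
    dir=$1
    for c in server client1 selfsigned; do
        if verify_against_ca "$dir" "$dir/$c.pem"; then
            echo "$c.pem: chains to $dir/ca.pem"
        else
            echo "$c.pem: NOT trusted by $dir/ca.pem"
        fi
    done
}

build_pki "$PKI_DIR"
report "$PKI_DIR"
```

The resulting ca.pem is the file to pass to SSL_CTX_load_verify_locations() on the server (and, if the server should advertise which CAs it accepts, to SSL_load_client_CA_file() / SSL_CTX_set_client_CA_list()); the client loads the same file to check the server certificate. The handshake itself can be exercised without writing any C: `openssl s_server -Verify 1 -CAfile ca.pem -cert server.pem -key server.key` on one side and `openssl s_client -cert client1.pem -key client1.key -CAfile ca.pem` on the other, with ssldump watching, shows the CertificateRequest and the client Certificate message on the wire.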

RE: [Fwd: Re: Queries over OpenSSL programs]

Rohan Shrivastava
Gayathri Sundar,
Thanks for your help.

-Rohan

> Hi there,
>
> Can anybody please tell me
> where I can find the answers to these questions?
>
> Thanks
> -Rohan
>
>
> ---------------------------- Original Message ----------------------------
> Subject: Re: Queries over OpenSSL programs
> From:    "Rohan Shrivastava" <[hidden email]>
> Date:    Wed, June 8, 2005 8:03 am
> To:      [hidden email]
> --------------------------------------------------------------------------
>
> Riaz,
> Thanks for the help,
> I am able to dump the packets using ssldump.
>
> Some of my queries are still unanswered.
> I am again pasting it here.
>
>>> [#]. If they are able to communicate in a secured session,
>>> then how come they completed SSL handshake without random number
>>> source (I think it is required at time of Handshake)?
>
> the default random file is in /dev/urandom in linux .. check the
> environment variable rand and see where it's pointing to.
>
>>>
>>> [#]. How can I authenticate Clients (any sample code will help me a
>>> lot) or what is function used for asking Client's certificate ?
>
> There is an option in SSL that can be set either in the SSL_CTX or
> in the SSLOBJECT depending on whether you need to enforce "client auth"
> always or based on certain requirement. If set in CTX it is
> always enforced.
>
> SSL_CTX_set_verify(pSSLCtx, SSL_VERIFY_PEER,
>                   client_cert_verify_callback);
>
> SSL_set_verify(pSSL,SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
>                 client_cert_verify_callback);
>
> this callback function will be executed when the client cert is sent to
> the server, once this option is set, SSL_accept will automatically prompt
> for a client cert.
>
>>>
>>> [#]. Is the loading CAs list, required at the server/client (as here I
>>> did not load) ,if required then how can I create such list as I am
>>> using this in local network?
>
> This is not mandatory; it depends on what ctx/sslobj options you have set.
> You can use openssl tools to generate the same.
>>>
>>> [#]. Also can I place the code here?
>
>
> Thanks
> -Rohan
>
>
>
>> use ssldump or tcpdump to view if the connection is being established in
>> a secure manner
>>
>> On 6/7/05, Rohan Shrivastava <[hidden email]> wrote:
>>>
>>> Hello,
>>>
>>> I am new to OpenSSL programming through C.
>>>
>>> This is my first program, so I am not sure whether
>>> I have achieved secure session between client and server or not, though
>>> they are able to communicate using SSL_write/read functions.
>>>
>>> This is how I did the things
>>>
>>> At server I loaded certificate & private key & after accepting
>>> TCP connection I accepted SSL session request.
>>> & then started communicating with Client.
>>>
>>> At client I just used SSLv3_method() & SSL_CTX_new() functions to get new
>>> ctx object.
>>> Here after setting up TCP connection I initiated SSL connection
>>> request, & on success it communicates with server.
>>>
>>> I tried to load Random file with the following code, but could not get
>>> through, so I did without random source (for both client & server).
>>>
>>> #define RANDOM "/dev/random"
>>>
>>> if (!(RAND_load_file(RANDOM,1024*1024))) {
>>> printf("\n Error in loading random file");
>>> exit(1);
>>> }
>>>
>>>
>>> I generated Certificate & Keys with the following commands
>>>
>>> openssl genrsa -out key.pem 1024
>>> openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem
>>>
>>> Now my queries are:
>>>
>>> [#]. How can I be sure that session is secure?
>>>
>>> [#]. If they are able to communicate in a secured session,
>>> then how come they completed SSL handshake without random number source
>>> (I think it is required at time of Handshake)?
>>>
>>> [#]. How can I authenticate Clients (any sample code will help me a
>>> lot) or what is function used for asking Client's certificate ?
>>>
>>> [#]. Is the loading CAs list, required at the server/client (as here I did
>>> not load) ,if required then how can I create such list as I am using this
>>> in local network?
>>>
>>> [#]. Also can I place the code here?
>>>
>>>
>>> Any help will be highly appreciated
>>>
>>> Thanks
>>> -Rohan
>>>
>>>
>>
>>
>>
>> --
>> Thank you,
>> Best Regards
>> Riaz Ur Rahaman
>>
>