Openssl for Solaris 10


Openssl for Solaris 10

Ruiyuan Jiang
Hi, all

Do OpenSSL 0.9.7g and 0.9.8 support Solaris 10? The "config" command
passed but "make" failed for both versions. Thanks.

Ryan
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Openssl for Solaris 10

Nils Larsch
Ruiyuan Jiang wrote:
> Hi, all
>
> Do OpenSSL 0.9.7g and 0.9.8 support Solaris 10? The "config" command
> passed but "make" failed for both versions. Thanks.

what's the error message ?

Nils

RE: Openssl for Solaris 10

Ruiyuan Jiang
Never mind, Ramon. I think OpenSSL 0.9.8 supports Solaris 10. The
problem I had was that I did not update the gcc header files. When I
installed the pre-compiled gcc on Solaris 10, there was an instruction
about updating the gcc header files, but I did not do that at the time. After
I updated the gcc header files, both OpenSSL 0.9.7g and 0.9.8 compiled
fine. I am not sure why you got the problem; maybe the library files were not
in your path? Thanks anyway.

Ryan

-----Original Message-----
From: Ramon Berger [mailto:[hidden email]]
Sent: Tuesday, July 26, 2005 6:06 PM
To: Ruiyuan Jiang
Subject: Re: Openssl for Solaris 10

Ruiyan,

What error are you getting? I had a problem with 0.9.8 on Solaris 10 and
9. But I got the following information from Tim Rosmus
[hidden email], from this mailing list...

|# gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
|# sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/opt/ssl/lib
|# -R/opt/ssl/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lrt -lz
|# -lsocket -lnsl
|#
|# Undefined                       first referenced
|#  symbol                             in file
|# dlopen                              /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#  (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# dlclose                             /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#  (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# dlsym                               /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#  (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# dlerror                             /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#  (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# ld: fatal: Symbol referencing errors. No output written to ssh
|# collect2: ld returned 1 exit status
|# make: *** [ssh] Error 1

Add "--with-ldflags=-ldl" to your configure run for openssh.
--
                Tim Rosmus <[hidden email]>
                   Postmaster / USENET / DNS
                      Northwest Nexus Inc.

> Hi, all
>
> Do OpenSSL 0.9.7g and 0.9.8 support Solaris 10? The "config"
> command passed but "make" failed for both versions. Thanks.
>
> Ryan

Loading PKCS#12 Files: Client Cert. and Key

david kine
Hello,

I'm having great success securing my application with
OpenSSL, but I have a small question regarding client
certificates and private keys.

I load a PKCS#12 file into an SSL_CTX as follows:

1.  Use PKCS12_parse() to read the client certificate,
private key, and trusted CA stack

2.  Use SSL_CTX_get_cert_store() to get the SSL_CTX's
trusted CA certificate store (initially empty)

3.  Pop the X509's from the PKCS#12 CA stack and push
onto the SSL_CTX's certificate store

4.  Use SSL_CTX_use_certificate() to load the client
certificate into the SSL_CTX

5.  Use SSL_CTX_use_PrivateKey() to load the client's
private key into the SSL_CTX

All this is working fine.  Now I need to print the
contents of the SSL_CTX for administrative purposes.

I am able to access the trusted CA's with
SSL_CTX_get_cert_store(), traverse the stack and print
the subject and issuer.

MY QUESTION IS:  how do I access the client
certificate and private key from an SSL_CTX?

Thanks for the help,

-David


               

Accessing Client Cert. and Key from SSL_CTX

david kine
How do I access the client certificate and private key
from an SSL_CTX?

It was previously loaded into the SSL_CTX with
SSL_CTX_use_certificate() and
SSL_CTX_use_PrivateKey().
 
Thanks for the help,

-David



CRL support

david kine
I am implementing CRL support in an application on
Solaris using OpenSSL 0.9.6d 9 May 2002.

According to the information I have gathered, CRL
support is not available in pre-0.9.7 OpenSSL
releases.

I have the opportunity to easily upgrade to 0.9.7g.

Will 0.9.7g provide the support necessary for
incorporating CRL handling (in DER format)?  Or should
a later release be used?


Re: CRL support

Dr. Stephen Henson
On Tue, Aug 09, 2005, david kine wrote:

> I am implementing CRL support in an application on
> Solaris using OpenSSL 0.9.6d 9 May 2002.
>
> According to the information I have gathered, CRL
> support is not available in pre-0.9.7 OpenSSL
> releases.
>
> I have the opportunity to easily upgrade to 0.9.7g.
>
> Will 0.9.7g provide the support necessary for
> incorporating CRL handling (in DER format)?  Or should
> a later release be used?
>

Depends on how much CRL handling you want. If you can supply the necessary
CRLs to OpenSSL it will use them for certificate validation. It is the
application's responsibility to obtain the CRLs, for example downloading them
from a URI.

Some features of CRLs, such as delta CRLs and partitioned CRLs aren't
currently supported. They may be in future.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Accessing Client Cert. and Key from SSL_CTX

Jagannadha Bhattu
According to the available APIs:

1. There is no way you can get them from the SSL_CTX object directly.

2. To get the certificate from an SSL object:
You can get the certificate by calling SSL_get_certificate. To get the
peer certificate use SSL_get_peer_certificate.

3. To get the private key of your application:
There is no way.

-JB

(To get the private key of the peer (I hope you are not asking this): impossible.)


On 8/9/05, david kine <[hidden email]> wrote:

> How do I access the client certificate and private key
> from an SSL_CTX?
>
> It was previously loaded into the SSL_CTX with
> SSL_CTX_use_certificate() and
> SSL_CTX_use_PrivateKey().
>
> Thanks for the help,
>
> -David
>

Re: CRL support

david kine
Thanks for the response.  The CRL files (multiple) are
provided by an external application.  I provide an API
to reload the CRL files, and my plan is to update the
SSL_CTX objects with the new CRL files.

Can I use 0.9.6d, or should I update to 0.9.7g for
this application?  My understanding is that 0.9.7 is
necessary for handling CRLs, yet I see CRL functions
in 0.9.6.

--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Tue, Aug 09, 2005, david kine wrote:
>
> > I am implementing CRL support in an application on
> > Solaris using OpenSSL 0.9.6d 9 May 2002.
> >
> > According to the information I have gathered, CRL
> > support is not available in pre-0.9.7 OpenSSL
> > releases.
> >
> > I have the opportunity to easily upgrade to 0.9.7g.
> >
> > Will 0.9.7g provide the support necessary for
> > incorporating CRL handling (in DER format)?  Or should
> > a later release be used?
> >
>
> Depends on how much CRL handling you want. If you can supply the necessary
> CRLs to OpenSSL it will use them for certificate validation. It is the
> application's responsibility to obtain the CRLs, for example downloading them
> from a URI.
>
> Some features of CRLs, such as delta CRLs and partitioned CRLs aren't
> currently supported. They may be in future.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk



Re: CRL support

Dr. Stephen Henson
On Wed, Aug 10, 2005, david kine wrote:

> Thanks for the response.  The CRL files (multiple) are
> provided by an external application.  I provide an API
> to reload the CRL files, and my plan is to update the
> SSL_CTX objects with the new CRL files.
>
> Can I use 0.9.6d, or should I update to 0.9.7g for
> this application?  My understanding is that 0.9.7 is
> necessary for handling CRL's, yet I see CRL functions
> in 0.9.6.
>

0.9.6 could parse, print out and generate CRL files; much older versions of
OpenSSL could, in fact.

0.9.7 is the first to provide (limited) support for checking CRL files when a
certificate is verified.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Replay attack

BigG-2
TLS allows for the detection of a (post-handshake) replay attack
by detecting incorrect values of the sequence number in the MAC.

However, I can't figure out what action is taken when an attack *is*
detected. Is an alert sent to the peer? How is the recipient application
informed?

TIA
BigG


Re: Replay attack

Jagannadha Bhattu
From my understanding of the code, in the case of a bad record MAC an alert
is sent to the peer. The recipient application gets an error in SSL_read.

JB

On 8/11/05, BG for OpenSSL <[hidden email]> wrote:

> TLS allows for the detection of a (post-handshake) replay attack
> by detecting incorrect values of the sequence number in the MAC.
>
> However, I can't figure out what action is taken when an attack *is*
> detected. Is an alert sent to the peer? How is the recipient application
> informed?
>
> TIA
> BigG
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]