some doubt about ssl programming


some doubt about ssl programming

Suchindra Chandrahas
Hi All,
Saw the part1 and part2. Trying to understand the stuff. I got some client examples given there. I have downloaded "sclient". Upon connecting, it says:

Certificate doesn't verify. Upon verification of SSL error code, the part1.pdf gives the code of check_cert that says:

<snip>
   if(SSL_get_verify_result(ssl)!=X509_V_OK)
     berr_exit("Certificate doesn't verify");

</snip>

Does this mean that the host's certificate is not an X509 certificate?

Regards,
Suchindra Chandrahas



Re: some doubt about ssl programming

Vladislav Marinov
Hi,
 
I had the same problem and it turned out that simply the certificates are old (i.e. they have expired) since this article was written quite some time ago. So just generate new keys and certificates and then it works nicely.
 
Vladislav
----- Original Message -----
Sent: Tuesday, March 13, 2007 11:57 AM
Subject: some doubt about ssl programming


Re: some doubt about ssl programming

Goetz Babin-Ebell
In reply to this post by Suchindra Chandrahas

Suchindra Chandrahas wrote:
> Hi All,
Hi Suchindra,

> Saw the part1 and part2. Trying to understand the stuff.
> I got some client examples given there. I have downloaded "sclient".
???
Which part1 and part2 ?

> <snip>
>    if(SSL_get_verify_result(ssl)!=X509_V_OK)
>      berr_exit("Certificate doesn't verify");
>
> </snip>
>
> Does this mean that the host's certificate is not an X509 certificate?
No, it means that the verification of the X509 certificate verify
functionality detected an error.

Bye

Goetz
--
DMCA: The greed of the few outweighs the freedom of the many
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: some doubt about ssl programming

Suchindra Chandrahas
Part 1 and Part 2 are the PDFs that were given in openssl.org

Well, the problem is still doubtful because 1. The server certificates are recent (not expired), and 2. But they are self-signed certificates (this might be a problem!)

Thanks for the replies

Regards,
Suchindra Chandrahas


Re: some doubt about ssl programming

Suchindra Chandrahas
In reply to this post by Vladislav Marinov
Hi Vladislav,
I know I should not disturb you, just a small question here. What kind of fuzzing attacks can be done on an SSL-based Apache web server? I just wanted a brief idea about them.

Thanks and Regards,
Suchindra Chandrahas




Re: some doubt about ssl programming

Vladislav Marinov
In reply to this post by Suchindra Chandrahas
Hi,
 
If you are using the certificates from the source code that is given at the mentioned link - it looks like this source code was last touched on 10.01.2002, so I doubt that those certs are recent (and when I was testing them sometime in October 2006 they had expired). Another thing could be the self-signed certificates. I think you can solve that by simply loading the proper credentials in SSL_load_verify_locations(). Can you tell what error number you get from SSL_get_verify_result()? This function always returns some value. This can then be checked in the man pages of verify(1) and you can see what the problem is.
 
Vladislav
----- Original Message -----
Sent: Tuesday, March 13, 2007 2:18 PM
Subject: Re: some doubt about ssl programming
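
Added example (not part of the thread, and not code from the OpenSSL project): the two causes raised above, an untrusted self-signed certificate and an expired one, reproduced with the `openssl verify` command so the numeric codes can be looked up in verify(1). The certificate, the CN `test.example` and the helper names `make_self_signed` and `verify_code` are constructed for illustration.

```shell
#!/bin/sh
# Reproduce "Certificate doesn't verify" offline and read the numeric code.
# Everything below is constructed test material, not the tutorial's certs.

WORK=$(mktemp -d)

# Throwaway self-signed certificate, valid for one day.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Print the first verify error number reported by `openssl verify`,
# or 0 (X509_V_OK) when no error line is present.
# All arguments are passed straight through to `openssl verify`.
verify_code() {
    out=$(openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    echo "${code:-0}"
}

make_self_signed

# 1. No trust anchor supplied: the self-signed leaf is rejected.
untrusted=$(verify_code "$WORK/cert.pem")

# 2. Same certificate loaded as its own trust anchor: it verifies.
trusted=$(verify_code -CAfile "$WORK/cert.pem" "$WORK/cert.pem")

# 3. Trusted, but checked at 2100-01-01, long after notAfter: expired.
expired=$(verify_code -attime 4102444800 \
    -CAfile "$WORK/cert.pem" "$WORK/cert.pem")

echo "untrusted=$untrusted trusted=$trusted expired=$expired"

rm -rf "$WORK"
```

These are the same numbers SSL_get_verify_result() returns in the client: 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and 10 is X509_V_ERR_CERT_HAS_EXPIRED.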


Re: some doubt about ssl programming

Vladislav Marinov
In reply to this post by Suchindra Chandrahas
Hi,
 
I have not played with fuzzy attacks and don't have very broad knowledge of Apache. I think that some sample attacks against which TLS should protect are listed in RFC2246. Maybe somebody else has tried playing with fuzzy attacks?
 
Vladislav
----- Original Message -----
Sent: Tuesday, March 13, 2007 2:29 PM
Subject: Re: some doubt about ssl programming


Re: some doubt about ssl programming

Suchindra Chandrahas
In reply to this post by Vladislav Marinov
Hi Vladislav,
THANKS A LOT. I now understood that I must look for client certificates time, and not that which is obtained at server end. Will progress and update. Thanks a lot for your help.
Suchindra Chandrahas
