This is a collection of reports about the email delivery process concerning a message you originated:

<smtp ipebio15.ise.pw.edu.pl [EMAIL PROTECTED] 1284>: ...\ expired after 3 days, problem was:
smtp; 500 (connect to ipebio15.ise.pw.edu.pl [194.29.161.106|25|194.29.160.2|52572]: Connection timed out)

Following is a copy of the MESSAGE/DELIVERY-STATUS format section below. It is copied here in case your email client is unable to show it to you. The information below is in Internet Standard format, designed to assist automatic and accurate presentation and usage of said information. In case you need human assistance from the Postmaster(s) of the system which sent you this report, please include this information in your question!

Virtually Yours, Automatic Email delivery Software

Reporting-MTA: dns; elektron.elka.pw.edu.pl
Arrival-Date: Wed, 18 Jul 2001 19:21:43 +0200

Original-Recipient: rfc822;[EMAIL PROTECTED]
Final-Recipient: RFC822;[EMAIL PROTECTED]
Action: failed
Status: 5.4.1 (TCP/IP-connection failure)
Diagnostic-Code: smtp; 500 (connect to ipebio15.ise.pw.edu.pl [194.29.161.106|25|194.29.160.2|52572]: Connection timed out)
Remote-MTA: dns; ipebio15.ise.pw.edu.pl (194.29.161.106|25|194.29.160.2|52572)
Last-Attempt-Date: Sun, 22 Jul 2001 04:20:47 +0200
Thank you so much, Damitha and Lutz. I'm gradually getting a clearer idea of how this works thanks to your advice. I have one more question on this. I'm really new to this area, so if my question itself doesn't make sense, let me know that too. :)

I'm studying the demo code that comes with the OpenSSL source code to understand how the certificate is used. The server sends its own certificate to verify itself to the client during the handshake, right? Now, when the client gets the certificate by using the SSL_get_peer_certificate method, how can it verify whether the server is sending a valid certificate? I'll break down my question step by step as follows. I'd very, very much appreciate it if you guys could explain this for me. :)

First, I assume that I need to create a local CA file and put it on the client side so that it can use it to validate the server's certificate during the handshake. Is this correct? If so, is the CA.pl perl script the one that I need to use to create the CA file?

Second, does the SSL_CTX_load_verify_locations API automatically check if it is from the right server based on the local CA file? That's it? Or do I need to perform any further step to validate the right server?

I've attached the sample client code that I'm studying. This is actually the demo code that comes with the OpenSSL source distribution. Do I need to add just one more line for SSL_CTX_load_verify_locations(Client_SSL_ctx, CAFilename, CAFilepath)? Then does it automatically use the specified CA file to validate the server during the handshake?

I know my questions might be vague, but it's because I'm really a beginner in this field. Please help me to understand this problem. Thank you. ;)

/Best regards,
Sejin.
=================================== Sample client code ======================================================

/* cli.cpp - Minimal ssleay client for Unix
   30.9.1996, Sampo Kellomaki <[EMAIL PROTECTED]> */
/* mangled to work with SSLeay-0.9.0b and OpenSSL 0.9.2b
   Simplified to be even more minimal
   12/98 - 4/99 Wade Scholine <[EMAIL PROTECTED]> */

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memset(), strlen() */
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>

#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* define HOME to be dir for key and cert files... */
#define HOME "./"
/* Make these what you want for cert & key files */
#define CERTF  HOME "foo2.pem"
#define KEYF   HOME "foo2.pem"

#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
/* SSL_connect/SSL_read/SSL_write signal failure with 0 or a negative value,
   not only -1, so test for <= 0 */
#define CHK_SSL(err) if ((err)<=0) { ERR_print_errors_fp(stderr); exit(2); }

int main ()
{
  int err;
  int sd;
  struct sockaddr_in sa;
  SSL_CTX* ctx;
  SSL*     ssl;
  X509*    server_cert;
  char*    str;
  char     buf [4096];
  const SSL_METHOD *meth;

  SSLeay_add_ssl_algorithms();
  meth = TLSv1_client_method();
  SSL_load_error_strings();
  ctx = SSL_CTX_new (meth);                        CHK_NULL(ctx);

  /* ----------------------------------------------- */
  /* Create a socket and connect to server using normal socket calls. */

  sd = socket (AF_INET, SOCK_STREAM, 0);           CHK_ERR(sd, "socket");

  memset (&sa, '\0', sizeof(sa));
  sa.sin_family      = AF_INET;
  sa.sin_addr.s_addr = inet_addr ("127.0.0.1");   /* Server IP */
  sa.sin_port        = htons     (1111);          /* Server Port number */

  err = connect(sd, (struct sockaddr*) &sa,
                sizeof(sa));                       CHK_ERR(err, "connect");

  /* ----------------------------------------------- */
  /* Now we have TCP connection. Start SSL negotiation. */

  ssl = SSL_new (ctx);                             CHK_NULL(ssl);
  SSL_set_fd (ssl, sd);
  err = SSL_connect (ssl);                         CHK_SSL(err);

  /* Following two steps are optional and not required for
     data exchange to be successful. */

  /* Get the cipher - opt */

  printf ("SSL connection using %s\n", SSL_get_cipher (ssl));

  /* Get server's certificate (note: beware of dynamic allocation) - opt */

  server_cert = SSL_get_peer_certificate (ssl);    CHK_NULL(server_cert);
  printf ("Server certificate:\n");

  /* X509_NAME_oneline() with a NULL buffer allocates with OPENSSL_malloc(),
     so release it with OPENSSL_free(), not free() */
  str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
  CHK_NULL(str);
  printf ("\t subject: %s\n", str);
  OPENSSL_free (str);

  str = X509_NAME_oneline (X509_get_issuer_name  (server_cert),0,0);
  CHK_NULL(str);
  printf ("\t issuer: %s\n", str);
  OPENSSL_free (str);

  /* We could do all sorts of certificate verification stuff here before
     deallocating the certificate. */

  X509_free (server_cert);

  /* --------------------------------------------------- */
  /* DATA EXCHANGE - Send a message and receive a reply. */

  err = SSL_write (ssl, "Hello World!", strlen("Hello World!"));  CHK_SSL(err);

  err = SSL_read (ssl, buf, sizeof(buf) - 1);                     CHK_SSL(err);
  buf[err] = '\0';
  printf ("Got %d chars:'%s'\n", err, buf);
  SSL_shutdown (ssl);  /* send SSL/TLS close_notify */

  /* Clean up. */

  close (sd);
  SSL_free (ssl);
  SSL_CTX_free (ctx);
  return 0;
}
/* EOF - cli.cpp */

Damitha Bogahawatta wrote:

> You can generate a CA certificate file using the `openssl req` command. This will
> basically be a self-signed certificate.
>
> Example:
> openssl req -new -newkey rsa:1024 -md5 -x509 -keyout cakey.pem -out
> cacert.pem
>
> Then generate the client or server certificate using the cacert.pem and cakey.pem
> files.
>
> Regards,
> Damitha.
>
> Sejin Choi wrote:
>
> > Hi, Lutz.
> > Thanks for your advice.
> > But what I wanted to know was how to generate a CA file, which is the second
> > argument for the SSL_CTX_load_verify_locations you mentioned.
> > Could you please help me on this?
> > Thanks in advance.
> >
> > /Best regards,
> > Sejin
> >
> > Lutz Jaenicke wrote:
> >
> > > On Mon, Jul 16, 2001 at 03:40:42PM -0700, Sejin Choi wrote:
> > > > Hi all.
> > > > I'm trying to use my local CA list to validate clients.
> > > > I'm having a hard time finding out how to generate a CA list for my ssl
> > > > server code.
> > >
> > > I am not sure whether I completely understand your problem.
> > > I can therefore only give you the standard advice. Use
> > >   man SSL_CTX_load_verify_locations
> > > as a starting point to learn more about CA certificate handling.
> > >
> > > Best regards,
> > >   Lutz
> > > --
> > > Lutz Jaenicke                             [EMAIL PROTECTED]
> > > BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> > > Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> > > Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    [EMAIL PROTECTED]
> > > Automated List Manager                           [EMAIL PROTECTED]