How to get buffer size after calling PEM_write_bio_PrivateKey

2009-09-02 Thread Peter Lin
Hi all, I need to know how many bytes have been written after calling PEM_write_bio_PrivateKey. My code: BIO *bo = BIO_new( BIO_s_mem() ); PEM_write_bio_PrivateKey(bo, key, 0, 0, 0, 0, 0); Is there any way I can tell the size of memory written? Thanks, Peter Lin

EVP_Cipher()

2009-09-02 Thread Xu, Qiang (FXSGSC)
Hi, all: It is understood that EVP_Cipher() is used in libssh2, but I am not sure in which release of openssl this function was introduced. Can anybody tell me? By the way, how do I check the version of openssl on my linux box? If it is not a version that has the definition of

random crash in getrn function (ssl, crypto).

2009-09-02 Thread Dan Ribe
Hi Everyone, I am using gsoap stub code on Mac & facing the below-mentioned crash randomly. It seems that the crash happens only if some error occurs in tcp_connect and while getting the error value. Any pointers on this? What may be causing this behavior? Crash stack: Thread 0 Crashed: Dispatch queue: co

RE: Issue with SSL sockets & pthreads

2009-09-02 Thread David Schwartz
Laura Arhire wrote: > if (pthread_create (&thr, NULL, print_message_function, (void *) > &data) != 0) > printf("Warning, create did not work for thread #%d\n", > i);fflush(stdout); > else > { > Sleep(1000); > ClientSocket *client = Socke

[ANNOUNCE] OpenSSL.NET version 0.4 released

2009-09-02 Thread Frank Laub
OpenSSL.NET - Managed wrapper for the OpenSSL toolkit http://openssl-net.sourceforge.net I'm pleased to announce the release of version 0.4 of OpenSSL.NET. Description: A managed OpenSSL wrapper written in C# for the 2.0 .NET Framework that exposes both the Crypto API and the SSL API. This a

Re: How do I create TLS v1.0 Self Signed Certificates

2009-09-02 Thread Dr. Stephen Henson
On Wed, Sep 02, 2009, Kyle Safford wrote: > > > I have been trying to determine if there is a specific command I need to > use when creating Self Signed Certificates with openssl that determines > TLS v1.0 over SSL v3.0? > No, there are no certificate fields or extensions that indicate TLS v1.

How do I create TLS v1.0 Self Signed Certificates

2009-09-02 Thread Kyle Safford
Hi everyone, I have been trying to determine if there is a specific command I need to use when creating Self Signed Certificates with openssl that determines TLS v1.0 over SSL v3.0? I have been using the following commands: Create a file named openca.cnf and copy the content in italic into

Re: Memory leak in threaded server

2009-09-02 Thread Robin Seggelmann
I was able to solve the problem: the session cache was activated and stored all the sessions, and a bug in DTLS caused twice as many sessions as necessary to be created. The bug will be fixed with an updated version of bugfix #2028. - Robin On 02.09.2009 at 10:47, Robin Seg

Re: ErrorCode 06065064

2009-09-02 Thread Nigel Sollars
Thank you very much, Regards Nigel Dr. Stephen Henson wrote: Comments inline: On Wed, Sep 02, 2009, Nigel Sollars wrote: Hi, After looking at other examples, I decided to go back to basics and tried a simple approach: taking a string argv and passing that to the enc/dec methods. Seems I h

Re: ErrorCode 06065064

2009-09-02 Thread Dr. Stephen Henson
Comments inline: On Wed, Sep 02, 2009, Nigel Sollars wrote: > Hi, > > After looking at other examples, I decided to go back to basics and tried a simple > approach: taking a string argv and passing that to the enc/dec methods. > Seems I have the same error code as before. I have provided the testfi

Re: ErrorCode 06065064

2009-09-02 Thread Nigel Sollars
Hi, After looking at other examples, I decided to go back to basics and tried a simple approach: taking a string argv and passing that to the enc/dec methods. Seems I have the same error code as before. I have provided the testfile; any help with this one would be very much appreciated. Regards

Re: add extension to an existing (signed) CA certificate

2009-09-02 Thread jehan procaccia
Peter Sylvester wrote: well, if one takes the standard configuration of openssl, it sets the authoritykey_identifier to both the hash and issuer serial, no exception for the root. comment says that pkix recommends that. Yes, and the thread you referred me to on this list named "Bug in "authorityKe

Re: pkcs12 with frienlyNames seems to be erroneous

2009-09-02 Thread Willy Weisz
Using openssl 0.9.8k removes the problems with keytool (I haven't tested jarsigner, but the symptoms were the same) and Mozilla (I checked with Thunderbird and Firefox). From the CHANGES file I didn't expect any cure, but I was wrong. Thanks for the suggestion for a successful solution. Regards

OpenSSL.NET version 0.4 released

2009-09-02 Thread Frank Laub
OpenSSL.NET - Managed wrapper for the OpenSSL toolkit http://openssl-net.sourceforge.net I'm pleased to announce the release of version 0.4 of OpenSSL.NET. Description: A managed OpenSSL wrapper written in C# for the 2.0 .NET Framework that exposes both the Crypto API and the SSL API; based on

Re: Verify certificate using subordinate ca

2009-09-02 Thread Dr. Stephen Henson
On Wed, Sep 02, 2009, Yin, Ben 1. (NSN - CN/Cheng Du) wrote: > OK, regarding the CA deployment, say we have one root ca and 1000 sub ca > signed by the root ca, and each sub ca is used as ca by 1000 terminals. So the total > network size is 1000*1000. All our ca, including root ca and sub ca, was > sto

Re: pkcs12 with frienlyNames seems to be erroneous

2009-09-02 Thread Dr. Stephen Henson
On Wed, Sep 02, 2009, Willy Weisz wrote: > I'm using openssl version 0.9.8h shipped by openSuSE as 0.9.8h-28.10.1 > > The shortest friendlyName I tried to use was 7 letters long - can this > be too long? > > I got the same results when using Java's keytool trying to create a > keystore or to add

Re: pkcs12 with frienlyNames seems to be erroneous

2009-09-02 Thread Willy Weisz
I'm using openssl version 0.9.8h shipped by openSuSE as 0.9.8h-28.10.1. The shortest friendlyName I tried to use was 7 letters long - can this be too long? I got the same results when using Java's keytool trying to create a keystore or to add the content of a PKCS#12 file to an existing keystore.

post-connection assertions

2009-09-02 Thread Daniel Mentz
I'm wondering what's the best way to check the identity of the peer, i.e. compare the commonName or subjectAltName included in the x509 cert with the data I expect. The book "Network Security with OpenSSL" calls this "Post-connection assertions" (page 134). I already managed to extract all th

Re: pkcs12 with frienlyNames seems to be erroneous

2009-09-02 Thread Dr. Stephen Henson
On Tue, Sep 01, 2009, Willy Weisz wrote: > Being unable to use a PKCS#12 file created by openSSL with 3 different > applications - Java jarsigner, Firefox/Thunderbird and KeyStoreBuilder > of the package "not-yet-commons-ssl" > - I think that the problem may

Re: Verify certificate using subordinate ca

2009-09-02 Thread Serge Fonville
The chain always includes all CAs and certificates. I've done some googling, and it shows that you can trust 'just' the intermediate CA without trusting the root CA, although this kinda obsoletes the purpose of the root CA. Also, it wholly depends on the applications that use the certificates for th

RE: Verify certificate using subordinate ca

2009-09-02 Thread Yin, Ben 1. (NSN - CN/Cheng Du)
I mean, is it possible to verify the certificate successfully if the chain only includes the sub ca and the certificate signed by the sub ca, given we trust the sub ca even if it isn't a self-signed root ca. Br Ben -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us.

Re: Verify certificate using subordinate ca

2009-09-02 Thread Serge Fonville
If you are using client certificates, use a CRL on the server side. That way you can ensure that only those you want can connect to the server. Regarding the certificates: * Distribute the CA certificates (a simple script suffices) * Store the certificates and keys on a safe medium you can put

RE: Verify certificate using subordinate ca

2009-09-02 Thread Yin, Ben 1. (NSN - CN/Cheng Du)
Yes. It uses the openssl lib. My client & server look like the following to set up the sub ca and certificate; the CERTFILE only includes the certificate signed by the sub ca. Thanks. ... if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1) int_error("Error loading CA file and/or directory");

Re: Verify certificate using subordinate ca

2009-09-02 Thread Serge Fonville
What exactly are the applications you use, are they compiled against openssl libraries? On Wed, Sep 2, 2009 at 11:49 AM, Yin, Ben 1. (NSN - CN/Cheng Du) wrote: > Yes. When the server sends a certificate signed by the sub ca to the client, how can the client > verify it using only the sub ca? Would you please show me the c

RE: Verify certificate using subordinate ca

2009-09-02 Thread Yin, Ben 1. (NSN - CN/Cheng Du)
Yes. When the server sends a certificate signed by the sub ca to the client, how can the client verify it using only the sub ca? Would you please show me the client side code? :-) Thanks. Br Ben -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ex

Re: Verify certificate using subordinate ca

2009-09-02 Thread Serge Fonville
Every time an application connects to an ssl-enabled server the certificate chain is verified. On Wed, Sep 2, 2009 at 11:37 AM, Yin, Ben 1. (NSN - CN/Cheng Du) wrote: > Hi, > > What do you mean by "If your client application supports that"? Do you mean I do > the verification in the client itself, and don't use ope

RE: Verify certificate using subordinate ca

2009-09-02 Thread Yin, Ben 1. (NSN - CN/Cheng Du)
Hi, What do you mean by "If your client application supports that"? Do you mean I do the verification in the client itself, and don't use openssl's default verify functionality? Br Ben -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Ser

Re: Verify certificate using subordinate ca

2009-09-02 Thread Serge Fonville
If your client application supports that, it could be done, but no standards-compliant application allows that to my knowledge. On Wed, Sep 2, 2009 at 10:35 AM, Yin, Ben 1. (NSN - CN/Cheng Du) wrote: > Hi Serge, > > Maybe we can put the root ca into the verification chain if I can prove that > verf

Memory leak in threaded server

2009-09-02 Thread Robin Seggelmann
Hi all, I have written a DTLS echo server and client for testing purposes. In this case I want to test my new DTLSv1_listen() function, which waits for new connections by responding to ClientHellos with HelloVerifyRequest messages until a ClientHello with a valid cookie arrives. The SSL

RE: Verify certificate using subordinate ca

2009-09-02 Thread Yin, Ben 1. (NSN - CN/Cheng Du)
Hi Serge, Maybe we can put the root ca into the verification chain if I can prove that verifying the certificate using only the sub ca is impossible. But before that, do you know if it's possible to verify a certificate without the root ca? Thanks. Br Ben -Original Message- From: owner-openssl-us...@o

Issue with SSL sockets & pthreads

2009-09-02 Thread Laura Arhire
I'm having a bit of an issue with something I encountered while unit testing my socket classes - each test basically creates a thread on which a server socket listens. From the main thread I connect a client to the server socket. I've found that after about 10-15 such tests I cannot create new

Re: Verify certificate using subordinate ca

2009-09-02 Thread Serge Fonville
How do you think compromising a CA would occur, because a CA could only become compromised when someone leaks the key for that specific CA. And if it happens once, it will likely happen twice. And I hope, in your best interest, you are not distributing keys to terminals. Also, if you need to copy a f