SSL Renegotiation in openssl using blocking sockets

This is regarding openssl renegotiation issue in client server communication.The openssl version is 1.0.1c. The client and server are establishing the SSL connection using blocking sockets and communication is fine.The client sends the data and server receives and send back to client. When server want to do renegotiation it is done using SSL_renogotiate, SSL_do_handshake after that setting SSL state as SSL_ST_ACCEPT. The client side general behaviour is waiting on console to read data using S

OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed:

I deployed a Facebook app using Heroku and got it partially working locally. I can see my app but I as soon as I click on connect with Facebook I get an Internal Server Error Message. This is what Foreman is throwing: OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: Everything works on Production but I need to get local working to start integrating Mongo and FB. I followed all the instructions on: https://devcenter.h

Certificate verification in case of OpenSSL and WL/Java

I am trying to connect to an application over SSL. When connecting through WL/Java then I get sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification and I understand that this is because I don't have server's certificate installed in my WL/Java's trusted store. I imported the certificate from browser, installed it using keytool and now everything is working fine. However, below are few unresolved questions: When I used openssl s_client command to conne

Openssl "PG::ConnectionBad: SSL error: point is not on curve" in Redshift via Ruby/PG gem using SSL

I'm getting the following error when trying to run a query on Amazon Redshift in Ruby (via the PG gem) over SSL: PG::ConnectionBad: SSL error: point is not on curve This error only happens on my local Mac OS X El Capitan machine when trying to connect via SSL. Connecting without SSL works fine. Connecting over SSL on Ubuntu dev server also works fine, which makes me think it's a problem with my local Ruby/OpenSSL setup. Running Ruby 2.2.2, OpenSSL 1.0.2e, pg gem 0.18.2. I've verified that my

Openssl How to create detached CMS signature?

I've been trying to create a detached PKCS#7/CMS signature with OpenSSL. I have a large zip file which I would like to create a digital signature for, but I don't want the contents embedded in the signature. Is this possible with OpenSSL, or can it only verify detached signatures and not create them?

openssl convert apple .cer to .p12 i have only one file cer

how can i generate .p12 file by having one .cer file downloaded from apple by step by step . I read a lot of topics about this issue, but i feel miss something here , many topics described how to convert .cer to .pem OK, then convert .key to .pem :( i haven't .key file . openssl x509 -inform DER -in certificate.cer -out certificate.pem What next So any one can help me here ,Remember i have just only .CER file . Thanks

Terraform Self Signed Certificate Openssl Verification Fails

I am trying to use Terraform to create a self signed certificate to use internally in a test/development environment. I first create a CA private key, self signed certificate. Then I create a certificate signing request and private key for an internal domain name I want to enable HTTPS for. Then I sign the certificate. Here's entire Terraform manifest I use: resource "tls_private_key" "ca" { algorithm = "ECDSA" ecdsa_curve = "P384" } resource "tls_self_signed_cert" "ca" { key_algorith

Openssl DTLS implementation for SCTP connections

I am trying to do DTLS implementation for SCTP connections. I searched through web and found many of the implementations refers to link. But this link is not working. http://sctp.fh-muenster.de/dtls-samples.html. Can someone shared a sample code for DTLS over SCTP using openSSL ? The documentation of openssl is very verbose does not document all the API's well.

Create private key and certificate using RSASSA PSS with openssl

how, if its possible to create a self signed key and certifactes using openssl with RSASSA-PSS (RFC 4065)? I managed to use a existing (non-RSASSA-PSS) certificate with this padding mode: Signing openssl dgst -sha256 -sign privateKey.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out pss.sha256 test.txt Verifying openssl dgst -sha256 -verify pubkey.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature pss.sha256 test.txt But I think these mode and saltlen s

Openssl Requested Extensions in CSR not being reflected in CRT

I have following CSR: Certificate Request: Data: Version: 0 (0x0) Subject: C=US, CN=www.example.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:e5:1d:a3:b2:47:1b:7c:05:f3:f3:36:b6:b2:0f: 79:27:0f:80:4c:39:1b:8c:6c:38:eb:43:f3:b4:33: f4:7a:c5:de:2c:f7:28:69:e5:d1:88:6b:41:6c:5f: b6:55:b5:2a:29:69:a4:da:fa:17:ac:6a:a0:5f:30: 9

Equivelant of "openssl dgst -sha1 -sign" using phpseclib PHP library

I have scoured Google for how to implement the equivalent of "openssl dgst -sha1 -sign" in the phpseclib PHP library without much success. I need to implement the following openssl command-line in PHP openssl dgst -sha1 -sign private.rsa.pem -out signature.out.bin data.in.txt I understand that "dgst -sha1 -sign" will 1) create a hash 2) ASN1 encodes the hash 3) signs the ASN1 encoded hash with private key, Using phpseclib ~2.0, I have gotten as far as use phpseclib\Crypt\RSA; use phpsecl

Static compile openSSL

I am a newbie in Linux, but need somethings doe, so I am trying to get things done. I need to have a openssl static compilesd for a proprietary linux distro at as virtually no tools to build packages. I come across a post which explained how to do that. cd /tmp wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz tar -zxvf openssl-1.0.1e.tar.gz cd openssl-1.0.1e ./config I then Added "-static -static-libgcc" to the CFLAG line of openssl- 1.0.1e/Makefile (Note this was AFTER I ran ./config

Openssl Fetch specific website'SSL certificate's public key on shared server

I have several websites hosted on the same server. Each of them has its own SSL certificate. I want to retrieve the public key from a specific website's certificate using this command openssl s_client -connect url:port but it returns the last SSL certificate installed on the server and not the one that I want. How can I do that ?

Openssl phpmailer sending email via ssl: certificate expired

I have written a new php script but I see some problem when I try to connect with server have a expired certificate: I can use same smtp ip:port in windows program and its work fine. I can use it and working with thunderbird but he give me certificate expired before send any thing The code is below. <?php /** * Created by PhpStorm. * User: n0b0dy * Date: 11/1/18 * Time: 9:40 PM */ require("/usr/share/php/libphp-phpmailer/class.phpmailer.php"); require '/usr/share/php/libphp-phpma

Openssl Signing a Certificate Signing Request using a CA stored on a Yubikey

I want to sign a Certificate Signing Request using the private key & the certificate stored in the PIV Digital Signature slot. I'm using the latest release of OpenSC for MacOS(https://github.com/OpenSC/OpenSC/releases/tag/0.19.0). I have tried the pkcs11-tool, pkcs15-tool & yubikey-piv-tool. All three tools provide a --sign API but they sign a digest generated from the data. My requirement is to sign the Certificate Signing Request to generate a certificate. The only option I have is

Openssl python ssl certificate error while trying youtube api on mac virtualenv

After long hours of banging my head against Mac system and trying to understand which I don't know, I sort of have given up. But I am still trying to find an answer to it. My problem is: I am straight away trying to hit a simple youtube API request in python. (Note: I am not trying to hit it through requests so please do not answer saying, pass the karwgs: verify to false). I also updated certificates, I hit commands and have tried to update, install openssl, ssl, certifi, and what not but the

How to establish TLS connection using HSM and OpenSsl

Background I have inherited the task to establish TLS 1.2 connection with server using cryptography token programmatically. The token in question is a read-only - does not allow extraction of private key - smart card. This token have been initialized during manufacture process. Token holds a private key along with certificate. The token comes with its own PKCS11 module. I have configured openssl to use said module in engine: [openssl_def] engines = engine_section [engine_section] pkcs11 = p

Openssl verifying the signature of x509

While verifying the certificate I am getting EVP_F_EVP_PKEY_GET1_DH My Aim - Verify the certificate signature. I am having 2 certificates : 1. a CA certificate 2. certificate issued by CA. I extracted the 'RSA Public Key (key)' Modulus From CA Certificate using, pPublicKey = X509_get_pubkey(x509); buf_len = (size_t) BN_num_bytes (bn); key = (unsigned char *)malloc (buf_len); n = BN_bn2bin (bn, (unsigned char *) key); if (n != buf_len) LOG(ERROR," : key error

why does openssl send the CA certificate in OCSP protocol

openssl ocsp program documented at http://www.openssl.org/docs/apps/ocsp.html requires that the client send the certificate AND the CA certificate to the ocsp resopnder. RFC 2560 for OCSP however, does not require that. Shouldn't the OCSP responder be preconfigured with the CA certificate and be able to locate the particular CA from the certificate that is sent to it by the client? Thanks for any answers

Openssl SSL_ERROR__SSL occurs while calling SSL_connect

I wrote code with openssl to connect the server under tls. If I load certificates from pem file it works properly. But if I load certificate from pfx file it occurs SSL_ERROR_SSL while calling SSL_connect. I don't know if the process of loading pfx file is wrong or not. The process is below. FILE* fp = fopen("cert.pfx", "rb"); PKCS12* p12 = d2i_PKCS12_fp(fp, NULL); PKCS12_parse(p12, NULL, &private_key, &certificate, &ca_certificates); SSL_CTX_use_certificate(ctx, certificate); SSL_C

OpenSSL keyUsage as CA

How could I set the keyUsage of new a certificate signed by my CA that will have the same policies? I tried to generate a certificate by running the command below: openssl ca \ -policy policy_anything \ -cert ca.cer \ -in cerreq.csr \ -keyfile ca.key \ -days 365 \ -out cer.cer Is there command parameter that should I include to set the keyUsage for the certificate?

Locating openssl on Debian

I've installed the most recent Debian, and I'm trying to use OpenSSL: root@debianvm:~# apt-get install openssl Reading package lists... Done Building dependency tree Reading state information... Done openssl is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. root@debianvm:~# openssl -su: openssl: command not found locate openssl outputs enormous list, but I can't see the openssl executable there. So, where is it? Update: updatedb doesn't se

Openssl How do I convert jks keystore file to something like PEM?

I have a JKS keystore with a couple of certicates signed by CA. I would like to convert this jks file to PCKS12, however TrustedCertEntrys cannot be converted using the Java keytool because they are not supported. How would I convert this jks file to, say, PCKS12 ? I have looked for similar questions on SO, and this is what I have found: Convert CA-signed JKS keystore to PEM However, this did not seem to work for me, as the conversion failed at this step C:\Temp>openssl x5

Openssl package ssl cert, private key, and intermediate certs into single pfx?

I have this kit of files: 1.crt: My certificate 2.key: private key 3.crt: intermediate cert auth (from godaddy) 4.crt: root cert or intermediate cert (from godaddy) n.crt: some others like this from godaddy How do I package all of these into a single pfx for a web server app? (this needs to be portable , in one file, for deploy purposes) thanks!

Openssl How to generate a .pfx file from a .cer file?

I've only the .cer file now i want to convert it to .pfx file. But when i tried to convert via openssl it is asking for private key file? Is it necessary to have a private key file to generate a .pfx file? if not then could you please suggest the open ssl command to accomplish this. Thanks Sushma.

Openssl Qualified digital certificate for SSL

Is it possible to use Qualified digital certificate used to Digital signature to client authentication during SSL? I tried to test if is it possible - run and configure Apache2 with SSL for server and client authentication. I also tried to use openssl s_server openssl s_server -key server-key.pem -cert server-cert.pem -accept 44330 -www -verify 1 When I got my local server address, browser asked me to type token password but I got the response: s_server -key server-key.pem -cert server-cert

Openssl Encrypted Private Key to RSA Private Key

I have an Encrypted Private Key(say,servenc.key) in below format: -----BEGIN ENCRYPTED PRIVATE KEY----- MIIC2TBTBgkqhkiG9w0BBQ0wRjAlBgkqhkiG9w0BBQwwGAQSIFFvMaBFyBvqqhY6 yTV2fMVVAgIUczAdBglghkgBZQMEASoEEGRetyFtHhnJ7TZTM2qolWkEggKAFg/h GERtM1loEd+u8VAtLwTzBiXE5pmRpp/hX/1HrbBnzFjAsNtWlEtzpSuxuCoXtMst uKRB8qveHlfTQPzopkRZtljfOkD1DhdJz8BXSZrFmVkMrUq6m4Y/rnqTqI5JmtmQ qAXTBbl7u8TwMnqIaoSInEHnc+aiFT3KJuIq6PZy2rGKWGW2WB/OML2gANvHBI9n gyOo4VZHNsR6VBbCRJErUFhF5Wk2/YJD9ejnvXH6pJFqZYvnCFjkSlR+4MdCHBSo Ld0Io

ASN1 encoding routines errors when verifying ECDSA signature type with openssl

I'm trying to verify a SHA256 ECDSA digital signature provided to us by an external party. They have verified their signing process in-house, but we've been unsuccessful in our attempts. We repeatedly get asn1 encoding routines errors during openssl verify, but I'm unable to see what's wrong with the signature or our process. Here's out test setup... Public key (pubkey.pem): -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOorVp0M8xien/r1/1Ln7TkSpzzcX BL/MGRz66J1HSlEgBD5FwwpO1vo

Openssl Does private RSA, DSA or ECDSA key in pem-format contain public key?

I use hardcoded ec-kyes for testing my application. There is example for ecdsa: const char pem_ecdsa_prv_key[] = { "-----BEGIN EC PRIVATE KEY-----\n" "MHcCAQEEIAGOaT3/9PJxSIFKPbvEhj61jY3CGPsgA46IVZlvIlnGoAoGCCqGSM49\n" "AwEHoUQDQgAE6Dw87+AYjRQzNsb3RmANmNENCZArERfCKZ5M9+2S/yomA6fmFdeb\n" "XNXeV066Nk4jnuwF1ZKqCBoMBjsnm0jlCw==\n" "-----END EC PRIVATE KEY-----\n" }; const char pem_ecdsa_pub_key[] = { "-----BEGIN PUBLIC KEY-----\n" "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6D

Openssl ECDSA sign input as-is - without digest

I am trying to sign an existing digest with openssl. Let's say I already have a digest 'mydigest'. With that said I dont want to use: echo -n "mydigest" | openssl dgst -sha256 -sign key.pem | openssl enc -A -base64 I have ECDSA not rsa so I assume I should not use rsautl which is using the input as-is. So my assumption is that I would need something which takes input as-is (mydigest) and sign it with my ECDSA private key. I tried following in order to see if the size of hash created with d

Openssl RSA: Get exponent and modulus given a public key

I need to encrypt some data using RSA in JavaScript. All of the libraries around ask for an exponent and a modulus, yet I get a single public.key file from my opponent. How do you retrieve the public exponent and modulus part from an RSA file?

Does OpenSSL support IPV6?

I have an C app running on Windows, Linux, Solaris and HPUX that calls SSL_read() and SSL_write() over a socket. Is this functionality supported over IPV6 in any version of OpenSSL? From my searching it does not seem obvious. I have found some INET6 definitions in the 1.0 release BIO code. I have also read somewhere that to get IPV6 working you do the normal socket calls specifying INET6 and then use BIO_set_fd() to get IPV6 working. Is this correct?

Compiling the openssl binary statically

The openssl binary generated by the config & make commands when building from the source tarball is dynamically linked to these libraries: linux-vdso.so.1 => (0x00007fffa75fe000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff7f79ab000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff7f75e2000) /lib64/ld-linux-x86-64.so.2 (0x00007ff7f7bd2000) My guess is if I can link statically to lib gcc, the dependencies on the other shared libraries will disa

Openssl Facing error : Cannot create symbolic link

I m trying to install openSSL but its giving me error while extracting openssl-1.0.1g.tar: Error: D:\openssl-1.0.1g.tar_3: Cannot create symbolic link D:\openssl-1.0.1g\apps\md4.c A required privilege is not held by the client. ! Actually I am trying to generate CSR/PEM encoded Certificate request file. So for that I need to install openSSL but its giving me this error while extracting. Can anyone guide me in a right direction.

Openssl getting an error while generating ssl certificates

On entering the following command on centos terminal, openssl rsa -in smtpd.key -out smtpd.key.unencrypted I am getting the following error, Error opening Private Key smtpd.key 3078141676:error:02001002:system library:fopen:No such >file or directory:bss_file.c:398:fopen('smtpd.key','r') 3078141676:error:20074002:BIO >routines:FILE_CTRL:system lib:bss_file.c:400: unable to load Private Key Please help me in resolving this.

Openssl X509 certificate unit testing - I need to create a certificate and a CRL which has it

Ok, so I have a method which is able to be passed a CRL and a certificate. I used it to validate the certificates coming from vendors during the runtime of my application. The hardest part of this has been unit testing the damn thing! I need to create a certificate file, and a CRL file, which I can then distribute as resources with the application, and then pass them in during the unit test. I have the unit test written also, but with hard coded values - But now I need to know how to create t

Using OpenSSL to decrypt hybrid encryption (AES + PKI)

I have my public key and private key in the OpenSSH format. My public key starts with ssh-rsa AAAA and my private key starts with -----BEGIN RSA PRIVATE KEY-----MIIEow; just to give you an idea of the key format. I have a python script that uses external libraries to perform hybrid encryption. The process looks like this: Input: File To Encrypt and RSA Public Key --> Python Script Output: Encrypted File and AES Key File. This AES key file is encrypted again using the RSA public key from a

Openssl A certificate's basic constraint extension has not been observed

I am new to certificates and I have a driver I have to digitally sign to test otherwise windows blocks it. I have created a self signed test certificate for testing purposes using OpenSSL, using their provided tutorial. I have installed the certificate to all of the windows stores necessary for it to be trusted, after signing the driver file everything worked until I rebooted my PC, after that it says my certificate is no longer digitally signed due to this issue: A certificate's basic constra

Openssl Not able to connect to openldap server in ldaps mode

I have configured my openldap server in ldaps mode. But after configuring I am not able to connect it on 636 port where as I am able to connect on 389 port [root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_result: Can't contact LDAP server (-1) [root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 389 -D cn=Manager,dc=india,dc=airwave,dc=com -w

Openssl engine_pkcs11 and softhsm with ECC keys

I have softhsm-v2.5.0-rc1 which has ec keys imported in it. Now, when I try to use these keys from openssl CLI using the pkcs11 engine, it fails. SoftHSM version []:~$ softhsm2-util --version 2.5.0rc1 SoftHSM token init []:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.0-rc1" === SO PIN (4-255 characters) === Please enter SO PIN: **** Please reenter SO PIN: **** === User PIN (4-255 characters) === Please enter user PIN: **** Please reenter user PIN: **** The token has been initia

Is my leaf certificate truly invalid, or am I using `openssl verify` incorrectly?

I thought I created my leaf certificate (device.cert.pem) correctly but it's not validating correctly with my software. I'm therefore trying to use OpenSSL on the command-line to verify said certificate before I debug my software any further. The chain is: root (CN=Halo HSM CA) signs signer (CN=Halo Signing Server 0003) signs device (CN=Halo). Here's how I'm invoking OpenSSL on the command line: $ openssl verify -show_chain -trusted <path>/devel_root.cert.pem signing_server.curly-0003.c

Openssl Error while printing values of EVP_PKEY_CTX structure

In the tester side, I'm trying to print the value of structure evp_pkey_ctx_st but I'm getting error dereferencing pointer to incomplete type EVP_PKEY_CTX. printf("\nOpearation:%d",ctx->operation); Can anyone please guide me. Is this a feasible approach? can we print structure values in the engine or tester side?

Openssl Need to add cipher suite on Windows 2008 r2

There is a .Net application which is running on Windows 2008 r2 which fetches xmls from different web service. This web service's certificate was updated recently and after debugging found the cipher suites used are not being passed by my application.(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A are the cipher suites). Question1 Can I install cipher suites, looked through online and seems to me that OS has to support the ciph

How to ./configure -enable-openssl for libircclient?

I'm trying to configure libircclient with OpenSSL but fails. Using MinGW msys: X@X-PC /c/deps/libircclient $ ./configure -enable-openssl checking for g++... g++ checking whether the C++ compiler works... yes checking for C++ compiler default output file name... a.exe checking for suffix of executables... .exe .......................etc etc checking for CRYPTO_new_ex_data in -lcrypto... no configure: error: OpenSSL not found I have added those lines also but fails: CPPFLAGS="-I/c/deps/openssl

  1    2   3   4   5   6  ... 下一页 最后一页 共 8 页