- Page 1 and 2: HP Open Source Security for OpenVMS
- Page 3 and 4: Contents 1. Installation and Releas
- Page 5 and 6: Contents 4.3.2 Creating and Setting
- Page 7 and 8: Tables Table 4-1. APIs for Data Str
- Page 9 and 10: Figures Figure 3-1. Certificate Too
- Page 11 and 12: Preface The HP Open Source Security
- Page 13: Convention Meaning [ ] In command f
- Page 17 and 18: Installation and Release Notes Inst
- Page 19 and 20: and restart it with the following c
- Page 21 and 22: %PCSIUI-I-COMPWERR, operation compl
- Page 23 and 24: SYS$SHARE:SSL$LIBCRYPTO_SHR.EXE - 6
- Page 25 and 26: answer NO to continue the operation
- Page 27 and 28: 1.8.16 Enhancements to the HP SSL E
- Page 29 and 30: Supply the necessary prototype befo
- Page 31 and 32: 2 Overview of SSL Overview of SSL T
- Page 33 and 34: 2.3 Public Key Encryption Overview
- Page 35 and 36: Overview of SSL Digital Signatures
- Page 37 and 38: 3 Using the Certificate Tool Using
- Page 39 and 40: Signature algorithm Issuer Validity
- Page 41 and 42: Use OpenVMS syntax (defaults to SSL
- Page 43 and 44: Using the Certificate Tool Create a
- Page 45 and 46: Using the Certificate Tool Create a
- Page 47 and 48: Signed Request File specification U
- Page 49 and 50: Using the Certificate Tool Hash Cer
- Page 51 and 52: 4 SSL Programming Concepts SSL Prog
- Page 53 and 54: SSL Programming Concepts HP SSL Dat
- Page 55 and 56: SSL Programming Concepts Certificat
- Page 57 and 58: SSL Programming Concepts Certificat
- Page 59 and 60: Security policy of the application
- Page 61 and 62: 4.3.1 Initializing the SSL Library
- Page 63 and 64: 4.3.3.3 Loading a CA Certificate SS
- Page 65 and 66:
* Set to require peer (client) cert
- Page 67 and 68:
4.3.6 Setting Up the Socket/Socket
- Page 69 and 70:
* Read data from buf_io and store i
- Page 71 and 72:
printf("Starting SSL renegotiation
- Page 73 and 74:
5 Example Programs Example Programs
- Page 75 and 76:
Example Programs Template for Creat
- Page 77 and 78:
Example Programs Template for Creat
- Page 79 and 80:
* * - this server program, and its
- Page 81 and 82:
* Load encryption & hashing algorit
- Page 83 and 84:
*-------- DATA EXCHANGE - send mess
- Page 85 and 86:
* */ #include #include #include
- Page 87 and 88:
* Set to require peer (client) cert
- Page 89 and 90:
6 OpenSSL Command Line Interface Op
- Page 91 and 92:
passwd pkcs12 pkcs7 pkcs8 rand req
- Page 93 and 94:
ase64 bf-cbc bf bf-cfb bf-ecb bf-of
- Page 95 and 96:
6.5 Password Arguments OpenSSL Comm
- Page 97 and 98:
OpenSSL Command Line Interface (CLI
- Page 99 and 100:
..... ..... 229:d=3 hl=3 l= 141 pri
- Page 101 and 102:
-cert the CA certificate file. -key
- Page 103 and 104:
-crl_compromise time This sets the
- Page 105 and 106:
If neither option is present the fo
- Page 107 and 108:
./demoCA/index.txt.old - CA text da
- Page 109 and 110:
ciphers NAME Synopsis ciphers - SSL
- Page 111 and 112:
EXPORT40 40 bit export encryption a
- Page 113 and 114:
SSL_FORTEZZA_KEA_WITH_NULL_SHA Not
- Page 115 and 116:
config NAME config - OpenSSL CONF l
- Page 117 and 118:
crl NAME Synopsis crl - CRL utility
- Page 119 and 120:
crl2pkcs7 NAME Synopsis crl2pkcs7 -
- Page 121 and 122:
dgst NAME dgst, md5, md4, md2, sha1
- Page 123 and 124:
dhparam NAME dhparam - DH parameter
- Page 125 and 126:
dsa NAME Synopsis dsa - DSA key pro
- Page 127 and 128:
To just output the public part of a
- Page 129 and 130:
numbits this option specifies that
- Page 131 and 132:
-k password the password to derive
- Page 133 and 134:
c2-40-cbc 40 bit RC2 in CBC mode rc
- Page 135 and 136:
genrsa NAME Synopsis genrsa - gener
- Page 137 and 138:
nseq NAME Synopsis nseq - create or
- Page 139 and 140:
-nonce, -no_nonce Add an OCSP nonce
- Page 141 and 142:
-port portnum Port to listen for OC
- Page 143 and 144:
openssl NAME Synopsis openssl - Ope
- Page 145 and 146:
sautl RSA utility for signing, veri
- Page 147 and 148:
file:pathname the first line of pat
- Page 149 and 150:
EXAMPLES openssl passwd -crypt -sal
- Page 151 and 152:
-nokeys no private keys will be out
- Page 153 and 154:
NOTES Although there are a large nu
- Page 155 and 156:
pkcs7 NAME Synopsis pkcs7 - PKCS#7
- Page 157 and 158:
pkcs8 NAME Synopsis pkcs8 - PKCS#8
- Page 159 and 160:
Private keys encrypted using PKCS#5
- Page 161 and 162:
and NAME Synopsis rand - generate p
- Page 163 and 164:
-noout this option prevents output
- Page 165 and 166:
-engine id specifying an engine (by
- Page 167 and 168:
The "prompt" string is used to ask
- Page 169 and 170:
-----BEGIN NEW CERTIFICATE REQUEST-
- Page 171 and 172:
sa NAME Synopsis rsa - RSA key proc
- Page 173 and 174:
EXAMPLES To remove the pass phrase
- Page 175 and 176:
-asn1parse asn1parse the output dat
- Page 177 and 178:
s_client NAME Synopsis s_client - S
- Page 179 and 180:
-starttls protocol send the protoco
- Page 181 and 182:
s_server NAME Synopsis s_server - S
- Page 183 and 184:
-bugs there are several known bug i
- Page 185 and 186:
s_time NAME Synopsis s_time - SSL/T
- Page 187 and 188:
CA list can be viewed and checked.
- Page 189 and 190:
Session-ID-ctx: 01000000 Master-Key
- Page 191 and 192:
smime NAME Synopsis smime - S/MIME
- Page 193 and 194:
-nocerts when signing a message the
- Page 195 and 196:
Send a signed message under UNIX di
- Page 197 and 198:
speed NAME Synopsis speed - test li
- Page 199 and 200:
-engine id specifying an engine (by
- Page 201 and 202:
certificates one or more certificat
- Page 203 and 204:
15 X509_V_ERR_ERROR_IN_CRL_LAST_UPD
- Page 205 and 206:
version NAME Synopsis version - pri
- Page 207 and 208:
DISPLAY OPTIONS Note: the -alias an
- Page 209 and 210:
-signkey filename this option cause
- Page 211 and 212:
utf8 convert all strings to UTF8 fo
- Page 213 and 214:
ca_default the value used by the ca
- Page 215 and 216:
SSL Client CA The extended key usag
- Page 217 and 218:
CRYPTO Application Programming Inte
- Page 219 and 220:
ASN1_STRING_dup NAME Synopsis ASN1_
- Page 221 and 222:
ASN1_STRING_new NAME Synopsis ASN1_
- Page 223 and 224:
The content of a string instead of
- Page 225 and 226:
BIO_ctrl NAME Synopsis BIO_ctrl, BI
- Page 227 and 228:
BIO_f_base64 NAME Synopsis BIO_f_ba
- Page 229 and 230:
BIO_f_buffer NAME Synopsis BIO_f_bu
- Page 231 and 232:
BIO_f_cipher NAME Synopsis BIO_f_ci
- Page 233 and 234:
BIO_f_md NAME Synopsis BIO_f_md, BI
- Page 235 and 236:
SEE ALSO None. 235
- Page 237 and 238:
BIO_f_ssl NAME Synopsis BIO_f_ssl,
- Page 239 and 240:
ERR_load_SSL_strings(); OpenSSL_add
- Page 241 and 242:
* Setup accept BIO */ if(BIO_do_acc
- Page 243 and 244:
BIO_method_type() returns the type
- Page 245 and 246:
SEE ALSO None. 245
- Page 247 and 248:
SEE ALSO None. 247
- Page 249 and 250:
BIO_s_accept NAME Synopsis BIO_s_ac
- Page 251 and 252:
BIO *abio, *cbio, *cbio2; ERR_load_
- Page 253 and 254:
BIO_destroy_pair() destroys the ass
- Page 255 and 256:
BIO_s_connect NAME Synopsis BIO_s_c
- Page 257 and 258:
BIO_get_conn_port() returns a strin
- Page 259 and 260:
EXAMPLE This is a file descriptor B
- Page 261 and 262:
NOTES When wrapping stdout, stdin o
- Page 263 and 264:
BIO_s_mem NAME Synopsis BIO_s_mem,
- Page 265 and 266:
BIO_s_null NAME Synopsis BIO_s_null
- Page 267 and 268:
BIO_set_callback NAME Synopsis BIO_
- Page 269 and 270:
BIO_should_retry NAME Synopsis BIO_
- Page 271 and 272:
lowfish NAME Synopsis blowfish, BF_
- Page 273 and 274:
n NAME Synopsis bn - multiprecision
- Page 275 and 276:
The creation of BIGNUM objects is d
- Page 277 and 278:
BN_mod_exp() computes a to the p-th
- Page 279 and 280:
BN_bn2bin NAME Synopsis BN_bn2bin,
- Page 281 and 282:
BN_cmp NAME Synopsis BN_cmp, BN_ucm
- Page 283 and 284:
BN_CTX_new NAME Synopsis BN_CTX_new
- Page 285 and 286:
BN_generate_prime NAME Synopsis BN_
- Page 287 and 288:
n_mul_words NAME Synopsis bn_mul_wo
- Page 289 and 290:
n_mul_recursive(r, a, b, n2, dna, d
- Page 291 and 292:
BN_mod_mul_montgomery NAME Synopsis
- Page 293 and 294:
BN_mod_mul_reciprocal NAME Synopsis
- Page 295 and 296:
BN_new NAME Synopsis BN_new, BN_ini
- Page 297 and 298:
BN_rand NAME Synopsis BN_rand, BN_p
- Page 299 and 300:
BN_swap NAME Synopsis BN_swap - exc
- Page 301 and 302:
BUF_MEM_new NAME Synopsis BUF_MEM_n
- Page 303 and 304:
CONF_modules_free NAME Synopsis CON
- Page 305 and 306:
crypto NAME crypto - OpenSSL crypto
- Page 307 and 308:
CRYPTO_set_ex_data NAME Synopsis CR
- Page 309 and 310:
d2i_DHparams NAME Synopsis d2i_DHpa
- Page 311 and 312:
SEE ALSO d2i_X509(3) HISTORY None.
- Page 313 and 314:
d2i_RSAPublicKey NAME Synopsis d2i_
- Page 315 and 316:
The ways that *in and *out are incr
- Page 317 and 318:
RETURN VALUES d2i_X509(), d2i_X509_
- Page 319 and 320:
d2i_X509_CRL NAME Synopsis d2i_X509
- Page 321 and 322:
d2i_X509_REQ NAME Synopsis d2i_X509
- Page 323 and 324:
DES_random_key NAME Synopsis DES_ra
- Page 325 and 326:
argument, previously set via DES_se
- Page 327 and 328:
CONFORMING TO ANSI X3.106 The des l
- Page 329 and 330:
Selection of a small value for j wi
- Page 331 and 332:
dh NAME Synopsis dh - Diffie-Hellma
- Page 333 and 334:
DH_generate_key NAME Synopsis DH_ge
- Page 335 and 336:
HISTORY DH_check() is available in
- Page 337 and 338:
DH_new NAME Synopsis DH_new, DH_fre
- Page 339 and 340:
* compute r = a ^ p mod m (May be N
- Page 341 and 342:
dsa NAME Synopsis dsa - Digital Sig
- Page 343 and 344:
DSA_do_sign NAME Synopsis DSA_do_si
- Page 345 and 346:
DSA_generate_key NAME Synopsis DSA_
- Page 347 and 348:
HISTORY DSA_generate_parameters() a
- Page 349 and 350:
DSA_new NAME Synopsis DSA_new, DSA_
- Page 351 and 352:
* verify */ int (*dsa_do_verify)(co
- Page 353 and 354:
DSA_SIG_new NAME Synopsis DSA_SIG_n
- Page 355 and 356:
DSA_size NAME Synopsis DSA_size - g
- Page 357 and 358:
int ENGINE_register_DH(ENGINE *e);
- Page 359 and 360:
This basic type of reference is typ
- Page 361 and 362:
openssl, then the resulting applica
- Page 363 and 364:
the parameter could be NULL in some
- Page 365 and 366:
Future developments The ENGINE API
- Page 367 and 368:
ADDING NEW ERROR CODES TO OPENSSL S
- Page 369 and 370:
ERR_clear_error NAME Synopsis ERR_c
- Page 371 and 372:
ERR_get_error NAME Synopsis ERR_get
- Page 373 and 374:
ERR_GET_LIB NAME Synopsis ERR_GET_L
- Page 375 and 376:
ERR_load_strings NAME Synopsis ERR_
- Page 377 and 378:
ERR_put_error NAME Synopsis ERR_put
- Page 379 and 380:
evp NAME Synopsis evp - high-level
- Page 381 and 382:
HISTORY None. 381
- Page 383 and 384:
EVP_DigestInit_ex() sets up digest
- Page 385 and 386:
md = EVP_get_digestbyname(argv[1]);
- Page 387 and 388:
int EVP_CIPHER_CTX_set_key_length(E
- Page 389 and 390:
EVP_CIPHER_mode() and EVP_CIPHER_CT
- Page 391 and 392:
PKCS padding works by adding n padd
- Page 393 and 394:
for(;;) { inlen = fread(inbuf, 1, 1
- Page 395 and 396:
EVP_PKEY_new NAME Synopsis EVP_PKEY
- Page 397 and 398:
RETURN VALUES EVP_PKEY_set1_RSA(),
- Page 399 and 400:
SEE ALSO evp (3), rand (3), EVP_Enc
- Page 401 and 402:
Since only a copy of the digest con
- Page 403 and 404:
SEE ALSO evp (3), EVP_SignInit (3),
- Page 405 and 406:
RETURN VALUES HMAC() returns a poin
- Page 407 and 408:
lh_new NAME Synopsis lh_new, lh_fre
- Page 409 and 410:
lh_doall(hashtable, LHASH_DOALL_FN(
- Page 411 and 412:
HISTORY The lhash library is availa
- Page 413 and 414:
MD2_Init(), MD2_Update(), MD2_Final
- Page 415 and 416:
OBJ_nid2obj NAME Synopsis OBJ_nid2o
- Page 417 and 418:
SEE ALSO ERR_get_error (3) HISTORY
- Page 419 and 420:
OPENSSL_config NAME Synopsis OPENSS
- Page 421 and 422:
OPENSSL_load_builtin_modules NAME S
- Page 423 and 424:
The "Configure" target of the libra
- Page 425 and 426:
int PEM_write_bio_DSAparams(BIO *bp
- Page 427 and 428:
The PEM functions which write priva
- Page 429 and 430:
A frequent cause of problems is att
- Page 431 and 432:
PKCS12_parse NAME Synopsis PKCS12_p
- Page 433 and 434:
PKCS7_encrypt NAME Synopsis PKCS7_e
- Page 435 and 436:
PKCS7_sign NAME Synopsis PKCS7_sign
- Page 437 and 438:
PKCS7_verify NAME Synopsis PKCS7_ve
- Page 439 and 440:
and NAME Synopsis rand - pseudo-ran
- Page 441 and 442:
I believe the above addressed point
- Page 443 and 444:
HISTORY RAND_seed() and RAND_screen
- Page 445 and 446:
RAND_cleanup NAME Synopsis RAND_cle
- Page 447 and 448:
SEE ALSO rand (3), RAND_add (3), RA
- Page 449 and 450:
RAND_set_rand_method NAME Synopsis
- Page 451 and 452:
RC4_set_key NAME Synopsis RC4_set_k
- Page 453 and 454:
sa NAME Synopsis rsa - RSA public k
- Page 455 and 456:
RSA_blinding_on NAME Synopsis RSA_b
- Page 457 and 458:
HISTORY RSA_check_key() appeared in
- Page 459 and 460:
RSA_get_ex_new_index NAME Synopsis
- Page 461 and 462:
RSA_new NAME Synopsis RSA_new, RSA_
- Page 463 and 464:
SSLv23 PKCS #1 EME-PKCS1-v1_5 with
- Page 465 and 466:
RSA_private_encrypt NAME Synopsis R
- Page 467 and 468:
SEE ALSO ERR_get_error (3), rand (3
- Page 469 and 470:
THE RSA_METHOD STRUCTURE typedef st
- Page 471 and 472:
RSA_sign NAME Synopsis RSA_sign, RS
- Page 473 and 474:
RSA_size NAME Synopsis RSA_size - g
- Page 475 and 476:
SMIME_read_PKCS7 NAME Synopsis SMIM
- Page 477 and 478:
SMIME_write_PKCS7 NAME Synopsis SMI
- Page 479 and 480:
Additionally, OpenSSL supports dyna
- Page 481 and 482:
UI_new NAME Synopsis UI_new, UI_new
- Page 483 and 484:
The flags currently supported are U
- Page 485 and 486:
X509_NAME_add_entry_by_txt NAME Syn
- Page 487 and 488:
X509_NAME_ENTRY_get_object NAME Syn
- Page 489 and 490:
X509_NAME_get_index_by_NID NAME Syn
- Page 491 and 492:
X509_NAME_print_ex NAME Synopsis X5
- Page 493 and 494:
X509_new NAME Synopsis X509_new, X5
- Page 495 and 496:
SSL Application Programming Interfa
- Page 497 and 498:
SSL NAME SSL - OpenSSL SSL/TLS libr
- Page 499 and 500:
Constructor for the TLSv1 SSL_METHO
- Page 501 and 502:
void SSL_CTX_set_cert_verify_cb(SSL
- Page 503 and 504:
int SSL_connect(SSL *ssl); void SSL
- Page 505 and 506:
void SSL_set_options(SSL *ssl, unsi
- Page 507 and 508:
SSL_accept NAME Synopsis SSL_accept
- Page 509 and 510:
"UM"/"unexpected message" An inappr
- Page 511 and 512:
SSL_CIPHER_get_name NAME Synopsis S
- Page 513 and 514:
SSL_clear NAME Synopsis SSL_clear -
- Page 515 and 516:
SEE ALSO ssl (3) 515
- Page 517 and 518:
SSL_CTX_add_extra_chain_cert NAME S
- Page 519 and 520:
SEE ALSO ssl (3), SSL_CTX_set_sessi
- Page 521 and 522:
SSL_CTX_flush_sessions NAME Synopsi
- Page 523 and 524:
SSL_CTX_get_ex_new_index NAME Synop
- Page 525 and 526:
SSL_CTX_load_verify_locations NAME
- Page 527 and 528:
SSL_CTX_new NAME Synopsis SSL_CTX_n
- Page 529 and 530:
SSL_CTX_sess_number NAME Synopsis S
- Page 531 and 532:
SSL_CTX_sess_set_cache_size NAME Sy
- Page 533 and 534:
The remove_session_cb() is called,
- Page 535 and 536:
SSL_CTX_set_cert_store NAME Synopsi
- Page 537 and 538:
HISTORY Previous to OpenSSL 0.9.7,
- Page 539 and 540:
SSL_CTX_set_client_CA_list NAME Syn
- Page 541 and 542:
SSL_CTX_set_client_cert_cb NAME Syn
- Page 543 and 544:
SSL_CTX_set_default_passwd_cb NAME
- Page 545 and 546:
SSL_CTX_set_generate_session_id NAM
- Page 547 and 548:
SEE ALSO ssl (3), SSL_get_version (
- Page 549 and 550:
SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL
- Page 551 and 552:
SSL_CTX_set_max_cert_list NAME Syno
- Page 553 and 554:
SSL_CTX_set_mode NAME Synopsis SSL_
- Page 555 and 556:
SSL_CTX_set_msg_callback NAME Synop
- Page 557 and 558:
SSL_CTX_set_options NAME Synopsis S
- Page 559 and 560:
SSL_OP_EPHEMERAL_RSA Always use eph
- Page 561 and 562:
SSL_CTX_set_quiet_shutdown NAME Syn
- Page 563 and 564:
SSL_SESS_CACHE_NO_AUTO_CLEAR Normal
- Page 565 and 566:
The length sid_ctx_len of the sessi
- Page 567 and 568:
SSL_CTX_set_timeout NAME Synopsis S
- Page 569 and 570:
to prevent small subgroup attacks.
- Page 571 and 572:
SSL_CTX_set_tmp_rsa_callback NAME S
- Page 573 and 574:
} rsa_tmp = RSA_generate_key(keylen
- Page 575 and 576:
SSL_VERIFY_FAIL_IF_NO_PEER_CERT Ser
- Page 577 and 578:
*/ if (depth > mydata->verify_depth
- Page 579 and 580:
SSL_CTX_use_certificate NAME Synops
- Page 581 and 582:
The private keys loaded from file c
- Page 583 and 584:
SEE ALSO SSL_get_error (3), SSL_con
- Page 585 and 586:
SSL_get_ciphers NAME Synopsis SSL_g
- Page 587 and 588:
SSL_get_current_cipher NAME Synopsi
- Page 589 and 590:
SSL_get_error NAME Synopsis SSL_get
- Page 591 and 592:
SSL_get_ex_data_X509_STORE_CTX_idx
- Page 593 and 594:
SSL_get_fd NAME Synopsis SSL_get_fd
- Page 595 and 596:
SSL_get_peer_certificate NAME Synop
- Page 597 and 598:
SSL_get_session NAME Synopsis SSL_g
- Page 599 and 600:
SSL_get_verify_result NAME Synopsis
- Page 601 and 602:
SSL_library_init NAME Synopsis SSL_
- Page 603 and 604:
SSL_new NAME Synopsis SSL_new - cre
- Page 605 and 606:
SSL_read NAME Synopsis SSL_read - r
- Page 607 and 608:
SSL_rstate_string NAME Synopsis SSL
- Page 609 and 610:
SSL_SESSION_get_ex_new_index NAME S
- Page 611 and 612:
SSL_session_reused NAME Synopsis SS
- Page 613 and 614:
SSL_set_connect_state NAME Synopsis
- Page 615 and 616:
SSL_set_session NAME Synopsis SSL_s
- Page 617 and 618:
SSL_set_verify_result NAME Synopsis
- Page 619 and 620:
If the underlying BIO is non-blocki
- Page 621 and 622:
SSL_want NAME Synopsis SSL_want, SS
- Page 623 and 624:
SSL_write NAME Synopsis SSL_write -
- Page 625 and 626:
A Data Structures and Header Files
- Page 627 and 628:
int (*app_verify_callback)(); char
- Page 629 and 630:
int shutdown;/* we have shut things
- Page 631 and 632:
A.4 SSL_METHOD Structure The SSL_ME
- Page 633 and 634:
* is not ok, we must remember the e
- Page 635 and 636:
unsigned long ex_kusage; unsigned l
- Page 637 and 638:
New and Changed APIs in OpenSSL 0.9
- Page 639 and 640:
New and Changed APIs in OpenSSL 0.9
- Page 641 and 642:
C Open Source Notices C.1 OpenSSL O
- Page 643 and 644:
A Applications building using 32-bi
- Page 645 and 646:
Public key encryption, 33 R rand fu