Re: About OpenSSL 0.9.7 release
On Fri, Apr 05, 2002 at 12:27:34PM +0200, Francesco Dal Bello wrote:
> I'm planning my activity, and so I like to know (if possible) what is the
> approximately time for 0.9.7 release.

Nobody will give you a timeframe. (This is not meant as an offense. We are more or less waiting for one or two bugs to be fixed, especially the BIGNUM problem on 64bit platforms.)

> I have tried to build my company utility with
> openssl-0.9.7-stable-SNAP-20020226 and I have obtained a mistake (a function
> doesn't exist anymore). This mistake doesn't exist using 0.9.6c release.
> The 0.9.7 will be quite compatible backwards?

It is our intention to be as compatible as possible except for changes required to fix bugs and extend functionality.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
To: Francesco Dal Bello Re: R: need help
Thanks for replying again. Now, i have these error messages. Please help me again. Sorry for disturbing you again.

C:\openssl>nmake -f ms\nt.mak
Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
Building OpenSSL
cl /Fotmp32\cryptlib.obj -Iinc32 -Itmp32 /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 /Fdout32 -DOPENSSL_NO_KRB5 -c .\crypto\cryptlib.c
cryptlib.c
tmp32\e_os.h(294) : fatal error C1083: Cannot open include file: 'unistd.h': No such file or directory
NMAKE : fatal error U1077: 'cl' : return code '0x2'

Francesco Dal Bello [EMAIL PROTECTED] wrote:

I have install activeperl with default setting.
Try

    nmake -f ms\nt.mak

-----Original Message-----
From: Alberto T Isais [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 6 April 2002 0.59
To: [EMAIL PROTECTED]
Subject: need help

Thank you Sir Francesco for helping me. i did that and now i have new errors. Can you still help me with this one? My system is windows 2000 OS SP1, Windows 2000 DDK, ActivePerl-5.6.1.631-MSWin32-x86, and MSVC++ 6. By the way, how did you install activepearl?

C:\openssl>nmake -f ms\ntdll.mak
Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
Building OpenSSL
copy nul+ .\crypto\buildinf.h tmp32dll\buildinf.h
nul
.\crypto\buildinf.h
1 file(s) copied.
copy nul+ .\crypto\opensslconf.h inc32\openssl\opensslconf.h
nul
.\crypto\opensslconf.h
1 file(s) copied.
cl /Fotmp32dll\o_time.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL -D_DLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\o_time.c
o_time.c
.\crypto\o_time.c(79) : error C2220: warning treated as error - no object file generated
.\crypto\o_time.c(79) : warning C4013: 'gmtime_r' undefined; assuming extern returning int
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.
C:\openssl>

[EMAIL PROTECTED] wrote:

I have build OpenSSL on my platform (very similar to your plat) with those steps and they had worked fine.

Unpack openssl package (openssl-0.9.7-stable-SNAP-20020226 in my case) on HD (ex. C:\OpenSSL)
You don't have to modify anything.
Copy VCVARS32.BAT on this folder (for convenience).
Install ActivePerl (you have already done it).
Go to cmd session.
Go to C:\OpenSSL.

    VCVARS32
    perl Configure VC-WIN32
    ms\do_ms
    nmake -f ms\ntdll.mak

Francesco Dal Bello

-----Original Message-----
From: Alberto T Isais [mailto:[EMAIL PROTECTED]]
Sent: Friday, 5 April 2002 0.47
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: R: need help

Thank you very much for attending to my needs. However, i already did that - i ran VCVARS32.BAT before, still the same problem. My system is windows 2000 OS SP1, Windows 2000 DDK, ActivePerl-5.6.1.631-MSWin32-x86, and MSVC++ 6. I opened the hw_aep.c it has the line #include . I tried to search for that file and found only one! It is in the active pearl directory (C:\perl\site\lib\Tk\pTk\compat). I tried to include this directory in the c++ environment and i receive the error messages below. i still think that this is not the unistd.h needed. Please help me on this one. i also included the steps i did to compile it. please see below.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\>cd C:\openssl-engine-0.9.6c

C:\openssl-engine-0.9.6c>perl Configure VC-WIN32
Configuring for VC-WIN32
IsWindows=1
CC =cl
CFLAG =-DTHREADS -DDSO_WIN32
EX_LIBS =
BN_ASM =bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
BF_ENC =bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB =true
PERL =perl
THIRTY_TWO_BIT mode
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Configured for VC-WIN32.

C:\openssl-engine-0.9.6c>ms\do_masm
Generating x86 for MASM assember
Bignum
DES
"crypt(3)"
Blowfish
CAST5
RC4
MD5
SHA1
RIPEMD160
RC5\32

C:\openssl-engine-0.9.6c>perl util\mkfiles.pl 1>MINFO
C:\openssl-engine-0.9.6c>rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
C:\openssl-engine-0.9.6c>rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
C:\openssl-engine-0.9.6c>perl util\mk1mf.pl dll VC-W31-32 1>ms\w31dll.mak
C:\openssl-engine-0.9.6c>perl util\mk1mf.pl VC-WIN32 1>ms\nt.mak
C:\openssl-engine-0.9.6c>perl util\mk1mf.pl dll VC-WIN32 1>ms\ntdll.mak
C:\openssl-engine-0.9.6c>perl util\mkdef.pl 16 libeay 1>ms\libeay16.def
C:\openssl-engine-0.9.6c>perl util\mkdef.pl 32 libeay 1>ms\libeay32.def
C:\openssl-engine-0.9.6c>perl util\mkdef.pl 16 ssleay 1>ms\ssleay16.def
C:\openssl-engine-0.9.6c>perl util\mkdef.pl 32 ssleay 1>ms\ssleay32.def

C:\openssl-engine-0.9.6c>vcvars32.bat
Setting environment for using Microsoft Visual C++ tools.
C:\openssl-engine-0.9.6c>
C:\openssl-engine-0.9.6c>nmake -f ms\ntdll.mak
Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights
Re: About OpenSSL 0.9.7 release
Date sent: Fri, 5 Apr 2002 14:03:03 +0200
From: Lutz Jaenicke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: About OpenSSL 0.9.7 release
Organization: BTU Cottbus, Allgemeine Elektrotechnik
Send reply to: [EMAIL PROTECTED]

Just my two cents; lots of people are waiting for the 0.9.7 release, many for over a year. If I remember correctly, the one or two bugs that still are pending have been pending for over a year. How about rolling those fixes into a special release and let the many thousands of us that do not have to support 64 bit platforms be on our way.

Ken

> On Fri, Apr 05, 2002 at 12:27:34PM +0200, Francesco Dal Bello wrote:
> > I'm planning my activity, and so I like to know (if possible) what is the
> > approximately time for 0.9.7 release.
>
> Nobody will give you a timeframe. (This is not meant as an offense. We are
> more or less waiting for one or two bugs to be fixed, especially the BIGNUM
> problem on 64bit platforms.)
>
> > I have tried to build my company utility with
> > openssl-0.9.7-stable-SNAP-20020226 and I have obtained a mistake (a
> > function doesn't exist anymore). This mistake doesn't exist using 0.9.6c
> > release. The 0.9.7 will be quite compatible backwards?
>
> It is our intention to be as compatible as possible except for changes
> required to fix bugs and extend functionality.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED] Cottbus.DE
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus

_
Support InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED] http://www.securenetterm.com
Re: Is OpenSSL Production Ready?
On Thu, 4 Apr 2002, Michael Kobar wrote:
> [snip]
> Perhaps OpenSSL.org should accept and post commercial product names and/or
> start a voluntary OpenSSL Inside type branding program (like the powered by
> Apache logo).

Watch out for that xxx Inside. I hear that Intel is suing some nonprofit for daring to call themselves Yoga Inside, on the (ludicrous IMHO) grounds that that name harms their trademark.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.
Re: Is OpenSSL Production Ready?
On Thu, 4 Apr 2002, Lutz Jaenicke wrote:
> To be precise: according to the OpenSSL license every program that uses the
> library and advertises its SSL capabilities also must advertise the use of
> OpenSSL.

Actually this is a problem -- it means you can't link OpenSSL libraries with any GPLed code which you intend to distribute. I'm facing the necessity of having to use the not-quite-ready-for-prime-time GNUtls package instead of OpenSSL for a project I'm contemplating, because it builds on an application licensed under the GPL. (And I have no idea how hard it's going to be to get *both* compatibly installed on one box.) IIRC the Ethereal folk have also run up against this problem.

I'm not asking for anything at this time; I just wanted to provide a couple of data points.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.
Re: FTP with SSL
At 01:55 05.04.2002 +0200, you wrote:
> heh, i didn't mean to insult anyone of the great ppl who put a lot of effort
> into the ftp-tls specs. i'm currently working on a client-side
> implementation myself. i spent lots of time to get the command data
> encryption to work. it was pretty hard for me because of the fact that it's
> not that common yet, i found few documents/sources which i could use, so I
> just wanted to state that ftp-tls isn't really as widespread and
> easy-to-use as shttp or secure mail is. ftp-tls is a great thing, tho and i
> hope it will be established soon (same with ssl-irc, btw).

Have a look at the client and server implementations at ftp://ftp.runestig.com/pub/
I found these very helpful for me.

Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH
Exception
Hi all,

the following error occurs when I want to make a search query from Java == slapd. I have copied my selfsigned root certificate to client side and used the keytool to import the certificate into the keystore.

Java output:
Root exception is javax.net.ssl.SSLException: untrusted server cert chain

slapd output:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
#Error occurs here
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10

What's going wrong?

Thanks in advance
regards
Ferruh
Re: Is OpenSSL Production Ready?
On Fri, Apr 05, 2002 at 08:15:04AM -0500, Mark H. Wood wrote:
> On Thu, 4 Apr 2002, Lutz Jaenicke wrote:
> > To be precise: according to the OpenSSL license every program that uses
> > the library and advertises its SSL capabilities also must advertise the
> > use of OpenSSL.
>
> Actually this is a problem -- it means you can't link OpenSSL libraries with
> any GPLed code which you intend to distribute. I'm facing the necessity of
> having to use the not-quite-ready-for-prime-time GNUtls package instead of
> OpenSSL for a project I'm contemplating, because it builds on an application
> licensed under the GPL. (And I have no idea how hard it's going to be to get
> *both* compatibly installed on one box.) IIRC the Ethereal folk have also
> run up against this problem.
>
> I'm not asking for anything at this time; I just wanted to provide a couple
> of data points.

Besides the OpenSSL license itself large parts of the code were written by EAY and his license still applies without any option of the OpenSSL team to influence it as long as EAY does not change his license. The OpenSSL team members are aware of this problem but there is not much we can do for the reason stated above.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Apache/OpenSSL Handshake timeout
I am getting a timeout error, from not reading all the bytes from the client(?). The client can talk to retrieve the jar file, but when it sends an RMI, it balks. I obviously have 8443 open for SSL, and my certs must be OK. Is it a client problem?

Server: Apache/1.3.14, Interface: mod_ssl/2.7.1, Library: OpenSSL/0.9.6
Solaris 2.6

(this is the jar download - it works over port 8443)
[04/Apr/2002 09:01:00 29031] [info] Connection to child 0 established (server x:8443, client x)
[04/Apr/2002 09:01:01 29031] [info] Seeding PRNG with 1160 bytes of entropy
[04/Apr/2002 09:01:01 29031] [trace] OpenSSL: Handshake: start
[04/Apr/2002 09:01:02 29031] [trace] OpenSSL: Loop: before/accept initialization
[04/Apr/2002 09:01:02 29031] [debug] OpenSSL: read 11/11 bytes from BIO#0021FE88 [mem: 00234C20] (BIO dump follows)
+-+
| : 80 46 01 03 00 00 2d 00-00 00 10 .F- |
+-+
[04/Apr/2002 09:01:02 29031] [debug] OpenSSL: read 61/61 bytes from BIO#0021FE88 [mem: 00234C2B] (BIO dump follows)
+-+
...
+-+
[04/Apr/2002 09:01:02 29031] [trace] OpenSSL: Loop: SSLv3 read client hello A
[04/Apr/2002 09:01:02 29031] [trace] OpenSSL: Loop: SSLv3 write server hello A
[04/Apr/2002 09:01:03 29031] [trace] OpenSSL: Loop: SSLv3 write certificate A
[04/Apr/2002 09:01:03 29031] [trace] OpenSSL: Loop: SSLv3 write server done A
[04/Apr/2002 09:01:03 29031] [debug] OpenSSL: write 937/937 bytes to BIO#0021FE88 [mem: 00242048] (BIO dump follows)
+-+
...
[04/Apr/2002 09:01:40 29031] [debug] OpenSSL: write 23/23 bytes to BIO#0021FE88 [mem: 0023D430] (BIO dump follows)
+-+
...
+-+
[04/Apr/2002 09:01:40 29031] [trace] OpenSSL: Write: SSL negotiation finished successfully
[04/Apr/2002 09:01:40 29031] [info] Connection to child 0 closed with standard shutdown (server x:8443, client x)

(this RMI call fails)
[03/Apr/2002 08:11:48 29033] [info] Connection to child 2 established (server removed:8443, client removed)
[03/Apr/2002 08:11:48 29033] [info] Seeding PRNG with 1160 bytes of entropy
[03/Apr/2002 08:11:48 29033] [trace] OpenSSL: Handshake: start
[03/Apr/2002 08:11:48 29033] [trace] OpenSSL: Loop: before/accept initialization
[03/Apr/2002 08:11:48 29033] [debug] OpenSSL: read 7/11 bytes from BIO#00242AA8 [mem: 00237C38] (BIO dump follows)
+-+
| : 4a 52 4d 49 00 02 4b JRMI..K |
+-+
[03/Apr/2002 08:12:10 29033] [debug] OpenSSL: I/O error, 4 bytes expected to read on BIO#00242AA8 [mem: 00237C3F]
[03/Apr/2002 08:12:10 29033] [trace] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[03/Apr/2002 08:12:10 29033] [error] SSL handshake timed out (client 171.64.70.217, server

Gary
--
You have heard that it was said, 'An eye for an eye and a tooth for a tooth.' But I say to you, 'Do not resist one who is evil. But if any one strikes you on the right cheek, turn to him the other also' Matthew 38-40
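The two connections in the log above differ in the first bytes the server reads: the working one opens with `80 46 01 03 00`, the failing one with the ASCII bytes `JRMI`. The Python sketch below is an added example, not part of the original post or of mod_ssl; it takes the first read after each "Handshake: start" entry and classifies those bytes. The sample log is constructed from the post's lines (the dump offset and ASCII columns are assumed), and the names `triage` and `classify_first_bytes` are hypothetical.

```python
import re

# Constructed sample in the shape of the mod_ssl debug log quoted in the post.
SAMPLE_LOG = """\
[04/Apr/2002 09:01:01 29031] [trace] OpenSSL: Handshake: start
[04/Apr/2002 09:01:02 29031] [debug] OpenSSL: read 11/11 bytes from BIO#0021FE88 [mem: 00234C20] (BIO dump follows)
+----+
| 0000: 80 46 01 03 00 00 2d 00-00 00 10  .F....-.... |
+----+
[04/Apr/2002 09:01:02 29031] [debug] OpenSSL: read 61/61 bytes from BIO#0021FE88 [mem: 00234C2B] (BIO dump follows)
[03/Apr/2002 08:11:48 29033] [trace] OpenSSL: Handshake: start
[03/Apr/2002 08:11:48 29033] [debug] OpenSSL: read 7/11 bytes from BIO#00242AA8 [mem: 00237C38] (BIO dump follows)
+----+
| 0000: 4a 52 4d 49 00 02 4b  JRMI..K |
+----+
"""

ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+) (?P<pid>\d+)\] \[\w+\] OpenSSL: (?P<msg>.*)$")
READ_RE = re.compile(r"read (?P<got>\d+)/(?P<want>\d+) bytes")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{2}\b")
# Protocol byte that follows the JRMP magic and version.
JRMP_PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def dump_bytes(dump_line, count):
    """Return the first `count` bytes from the hex column of a BIO dump line."""
    hex_column = dump_line.partition(":")[2]
    return bytes.fromhex("".join(HEX_RE.findall(hex_column)[:count]))


def classify_first_bytes(data):
    """Name the protocol that the first bytes of a connection belong to."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record header (high bit set, 15-bit length) + CLIENT-HELLO type.
        length = ((data[0] & 0x7F) << 8) | data[1]
        return f"sslv2-compat-client-hello len={length} version={data[3]}.{data[4]}"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return f"tls-handshake-record version={data[1]}.{data[2]}"
    if data[:4] == b"JRMI":
        version = int.from_bytes(data[4:6], "big") if len(data) >= 6 else None
        proto = JRMP_PROTOCOLS.get(data[6], hex(data[6])) if len(data) >= 7 else None
        return f"plaintext-jrmp version={version} protocol={proto}"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    return "unknown"


def triage(log_text):
    """Classify the first read of every handshake found in the log."""
    lines = log_text.splitlines()
    fresh = set()  # pids with a started handshake and no read seen yet
    rows = []
    for i, line in enumerate(lines):
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        pid, msg = entry["pid"], entry["msg"]
        if msg.startswith("Handshake: start"):
            fresh.add(pid)
            continue
        read = READ_RE.match(msg)
        if not (read and pid in fresh):
            continue
        fresh.discard(pid)
        got, want = int(read["got"]), int(read["want"])
        # The data row is the first following line that starts with '|'.
        dump = next((l for l in lines[i + 1:i + 4] if l.lstrip().startswith("|")), "")
        rows.append({
            "time": entry["ts"], "pid": pid, "got": got, "want": want,
            "short_read": got < want,
            "verdict": classify_first_bytes(dump_bytes(dump, got)),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A `plaintext-*` verdict together with `short_read` means the peer sent a cleartext protocol to the SSL port and the server is still waiting for the rest of a ClientHello that will not arrive, which matches the timeout in the second trace.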
RE: Apache/OpenSSL Handshake timeout
Question is this for winxp running IE5 or IE6?

Jeremy Walton
DICE Corporation

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary W
Sent: Friday, April 05, 2002 11:44 AM
To: [EMAIL PROTECTED]
Subject: Apache/OpenSSL Handshake timeout

I am getting a timeout error, from not reading all the bytes from the client(?). The client can talk to retrieve the jar file, but when it sends an RMI, it balks. I obviously have 8443 open for SSL, and my certs must be OK. Is it a client problem?

Server: Apache/1.3.14, Interface: mod_ssl/2.7.1, Library: OpenSSL/0.9.6
Solaris 2.6
Re: Apache/OpenSSL Handshake timeout
Jeremy,

Server runs Solaris 2.6, client uses Netscape 4.79 and IE5 on W2k

Gary

Walton wrote:
> Question is this for winxp running IE5 or IE6?
>
> Jeremy Walton
> DICE Corporation

--
You have heard that it was said, 'An eye for an eye and a tooth for a tooth.' But I say to you, 'Do not resist one who is evil. But if any one strikes you on the right cheek, turn to him the other also' Matthew 38-40
Problems installing openssl-0.9.6c on Windows 2000 box
Can anyone help me, I am trying to install openssl-0.9.6c through cygwin on a Windows 2000 box. Here is the error message I receive when I run the make command.

Devon Jones@CR718118-A /tmp/openssl-0.9.6c$ make
+ rm -f libcrypto
+ rm -f libssl
making all in crypto...
make[1]: Entering directory `/tmp/openssl-0.9.6c/crypto'
gcc -I. -I../include -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -c -o cryptlib.o cryptlib.c
make[1]: gcc: Command not found
make[1]: *** [cryptlib.o] Error 127
make[1]: Leaving directory `/tmp/openssl-0.9.6c/crypto'
make: *** [sub_all] Error 1

Can anyone help me?

Sincerely,
Andrew Plata
Re: imaps/pop3s certificates
Mark,

Thank you! I followed your suggestion and it works like a charm, so the problem itself is solved... of course, I'm not particularly sure why this works when the regular CA.pl signing script doesn't. What is being done here that isn't being done by the CA script?

Sage

----- Original Message -----
From: Mark D. Baushke [EMAIL PROTECTED]
To: Sage [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, April 05, 2002 1:27 AM
Subject: Re: imaps/pop3s certificates

Hi Sage,

I have done something like the following in a similar situation...

    mkdir new-directory
    cd new-directory
    echo create a new Certificate Authority certificate
    CA.pl -newca
    mv demoCA/cacert.pem demoCA/cacert.pem.old
    openssl x509 -in demoCA/cacert.pem.old -signkey demoCA/private/cakey.pem \
        -days 1825 -out demoCA/cacert.pem
    rm demoCA/cacert.pem.old
    openssl x509 -inform pem -in demoCA/cacert.pem -outform der -out demoCA/cacert.der
    echo now create and sign the new mail certificate
    openssl req -new -nodes -keyout mail.key.pem -out mail.req.pem
    openssl ca -policy policy_anything -out mail.cert.pem -infiles mail.req.pem
    openssl gendh 512 > mail.dh.pem
    echo now paste everything together that you need
    echo the private key, the signed certificate and the dh parameters
    cat mail.key.pem mail.cert.pem mail.dh.pem > ipop3d.pem

Now place copies of demoCA/cacert.pem and demoCA/cacert.der on a web page someplace where folks can download them and add them to their mail user agent.

You should now be able to test your pop3 server using something like

    openssl s_client -CAfile cacert.pem -showcerts -host 127.1 -port 995

There are probably 'better' ways to do the job, but the above seems to work okay for me.

Good luck,
-- Mark

Message-ID: 005f01c1dc4d$5b9a5cc0$6f5ce0ce@webmaster
From: Sage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: imaps/pop3s certificates
Date: Thu, 4 Apr 2002 20:55:31 -0600

I'm using RedHat 7.1, which has its own SSL-wrapped pop3 server. Turning it on is simply a matter of running ntsysv and checking the pop3s option. It does, however, require a digital certificate in order to run. I can cd to /usr/share/ssl/certs and run make ipop3d.pem but this only produces a self-signed test certificate. It works, and the server runs, but an email client (most notably Outlook Express) will query the user as to whether he or she wants to trust the self-signed certificate before it will connect to the server. And it has to ask the user this every time the email client opens. I want to eliminate this.

I would have thought that I could create my own self-signed CA certificate, and use that to sign the cert used by the pop3s server, but I can't even get the server to run using the certs that I make with openssl. I'm using the CA.sh and CA.pl scripts, and following the obvious steps in order:

    ./CA.sh -newca
    ./CA.sh -newreq
    ./CA.sh -sign

This all seems to work, and generates a newcert.pem file for me, but this is very different from the self-signed ipop3d.pem cert that is generated by 'make'. The ipop3d.pem file includes an RSA Private Key, and the newcert.pem file does not (at least, as far as I can see). The newcert.pem file also includes a lot of header info that I don't understand (forgive me, I'm very new to this), and which is not included in the ipop3d.pem file. If I try to use the newcert.pem file as the certificate for the secure pop3 server, the server won't run at all.

I'm stuck. I've been trying for two full days to get this to work, and I guess it's time to admit I need help... is it even possible to do what I'm trying to do, and if so, what am I doing wrong? Can anybody help? I'm using RedHat 7.1 and OpenSSL 0.9.6-3. If anybody can help me figure out what I'm doing wrong, I'd greatly appreciate it. :)
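The thread above turns on what each file contains: newcert.pem holds a certificate preceded by header text, while the ipop3d.pem built by the final `cat` step holds the private key, the signed certificate and the DH parameters. The Python sketch below is an added example, not part of the thread or of OpenSSL; it lists the PEM blocks in a file and reports what a server-side bundle is missing. Both sample files are constructed, their payloads are placeholder bytes rather than real keys or certificates, and the name `inspect_bundle` is hypothetical.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)\n-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def _block(label, payload):
    """Build a PEM-shaped block around constructed bytes (not real DER)."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed stand-ins for the two files compared in the thread.
NEWCERT_PEM = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Subject: CN=mail.example.test\n"
    + _block("CERTIFICATE", b"constructed certificate bytes")
)
IPOP3D_PEM = (
    _block("RSA PRIVATE KEY", b"constructed key bytes")
    + _block("CERTIFICATE", b"constructed certificate bytes")
    + _block("DH PARAMETERS", b"constructed dh bytes")
)


def inspect_bundle(text):
    """List the PEM blocks in a file and what a server bundle still lacks."""
    text = text.replace("\r\n", "\n")
    labels, problems, encrypted_key = [], [], False
    first = PEM_BLOCK.search(text)
    leading = text[:first.start()] if first else text
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group("label"), match.group("body")
        if label == "ENCRYPTED PRIVATE KEY":
            encrypted_key = True
        if "Proc-Type:" in body:
            # Legacy encrypted keys carry RFC 1421 headers before a blank line.
            encrypted_key = encrypted_key or "ENCRYPTED" in body.split("\n", 1)[0]
            body = body.split("\n\n", 1)[-1]
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
        labels.append(label)
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if not KEY_LABELS.intersection(labels):
        problems.append("no private key block: nothing to pair with the certificate")
    if encrypted_key:
        problems.append("private key is passphrase-protected: needs a passphrase at load time")
    return {
        "labels": labels,
        # Text printed ahead of the first block, such as a readable certificate dump.
        "leading_text_lines": sum(1 for l in leading.splitlines() if l.strip()),
        "problems": problems,
    }


if __name__ == "__main__":
    for name, content in (("newcert.pem", NEWCERT_PEM), ("ipop3d.pem", IPOP3D_PEM)):
        print(name, inspect_bundle(content))
```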
install SSLftp in Solaris 8 SPARC
Hello everybody.

I try to install SSLftp 0.13 version in a Solaris 8 SPARC box and I found problems. I edit the file Makefile and uncomment the line of SunOS 5 and make CC = gcc, etc. But when I try to compile, errors appear with inet_addr.c, cmds.c, etc. Can someone help me with this procedure?

Thanks
CAPA
questions/RFEs about X509_NAME
Hi, All!

I have few questions/RFEs to OpenSSL developers about X509 and X509_NAME structures. I run into some problems when I've tried to use some low-level functions and I wonder is it worth to patch OpenSSL instead writing custom functions in my library. I am not absolutely sure that all my points are valid so please correct me if I am wrong.

Thank you in advance,
Aleksey Sanin.
http://www.aleksey.com/xmlsec

Questions List:
--

1) Sorting of the X509_NAME_ENTRY elements in X509_NAME structure (for X509 subject and issuer fields).

Right now OpenSSL reads the entries in the order they appear in the certificate (or in the order you are adding them if you are creating cert). I am not sure but I do not remember any order restrictions in the X509 rfc or DName RFC (http://www.ietf.org/rfc/rfc2253.txt). And this scares me in general because implementation relying on the order is likely to have interop problems. The suggestion is to sort X509_NAME_ENTRY elements after reading or creating the cert or before using any order depending function (hashing, comparison, search, etc.)

2) X509_NAME_ENTRY_cmp function missed

In order to do the sorting described above a new X509_NAME_ENTRY_cmp function is required. I think it should be implemented something like this:

    int X509_NAME_ENTRY_cmp(const X509_NAME_ENTRY **a, const X509_NAME_ENTRY **b)
    {
        return(OBJ_cmp((*a)->object, (*b)->object));
    }

3) X509_NAME_cmp function compares set field of X509_NAME

After doing sorting as described in 1) I run into another problem: the function X509_NAME_cmp compares set field of X509_NAME as follows (the interesting lines are marked ):

    for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
    {
        na=sk_X509_NAME_ENTRY_value(a->entries,i);
        nb=sk_X509_NAME_ENTRY_value(b->entries,i);
        j=na->value->length-nb->value->length;
        if (j) return(j);
        j=memcmp(na->value->data,nb->value->data,
            na->value->length);
        if (j) return(j);
        j=na->set-nb->set;
        if (j) return(j);
    }

AFAIK, the set field stores the X509_NAME_ENTRY position in the list. I am not sure that comparing positions in this way is a right thing here because we are *already* doing this by iterating through all X509_NAME_ENTRY entries in the X509_NAME. And of course, this comparison fails after sorting :) I suggest to remove these two lines marked with .
Re: Exception
If you are using Sun's implementation of JSSE then you can set the javax.net.debug=all property and it will give you a lot more information. I've found it very useful in figuring out problems like this.

My guess would be that the program doesn't know where your keystore is. The keystore is identified by the javax.net.ssl.trustStore property.

You can set the properties on the command line like this:

    java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/mykeystore.keystore MyProgram

Or you can set them in your code like this:

    System.setProperty("javax.net.ssl.trustStore", path);

Attached is one of our JavaLDAP samples that we have for SSLConnections.

Furthermore, if you are using Novell's JavaLDAP api (as opposed to JNDI) that is posted on OpenLDAP. Compile a debug version of the jar (ant debug) and then set the property ldap.debug=TraceAll and that'll give you tons of information - Maybe more than you care to have for SSL.

Hope that helps.

- Cameron

Cameron Morris
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com
Re: Re: Exception With Attachment this time
Here is the sample I promised.

Cameron Morris
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com

Cameron Morris [EMAIL PROTECTED] 04/05/02 10:14AM

If you are using Sun's implementation of JSSE then you can set the javax.net.debug=all property and it will give you a lot more information. I've found it very useful in figuring out problems like this.

My guess would be that the program doesn't know where your keystore is. The keystore is identified by the javax.net.ssl.trustStore property. You can set the properties on the command line like this:

    java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/mykeystore.keystore MyProgram

Or you can set them in your code like this:

    System.setProperty("javax.net.ssl.trustStore", path);

Attached is one of our JavaLDAP samples that we have for SSLConnections.

Furthermore, if you are using Novell's JavaLDAP API (as opposed to JNDI) that is posted on OpenLDAP: compile a debug version of the jar (ant debug) and then set the property ldap.debug=TraceAll and that'll give you tons of information - maybe more than you care to have for SSL.

Hope that helps.

- Cameron

Cameron Morris
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com

SSLConnection.java
Description: Binary data
To: Francesco Dal Bello Re: R: need help
Thanks for the help, but nothing has changed. Now the errors are as follows. What can I do now?

    cl /Fotmp32\hw_aep.obj -Iinc32 -Itmp32 /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 /Fdout32 -c .\crypto\engine\hw_aep.c
    hw_aep.c
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(691) : error C2220: warning treated as error - no object file generated
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(691) : warning C4273: 'unlink' : inconsistent dll linkage. dllexport assumed.
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\stdlib.h(353) : error C2375: '_exit' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(491) : see declaration of '_exit'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\stdlib.h(367) : warning C4028: formal parameter 1 different from declaration
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\stdlib.h(385) : warning C4028: formal parameter 1 different from declaration
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(175) : warning C4028: formal parameter 1 different from declaration
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(176) : warning C4028: formal parameter 1 different from declaration
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(176) : warning C4028: formal parameter 2 different from declaration
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(181) : warning C4028: formal parameter 1 different from declaration
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(225) : error C2375: 'access' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(248) : see declaration of 'access'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(228) : error C2375: 'close' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(296) : see declaration of 'close'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(230) : error C2375: 'dup' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(437) : see declaration of 'dup'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(231) : error C2375: 'dup2' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(440) : see declaration of 'dup2'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(234) : error C2375: 'isatty' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(668) : see declaration of 'isatty'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(236) : error C2375: 'lseek' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(279) : see declaration of 'lseek'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(239) : error C2375: 'read' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(301) : see declaration of 'read'
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(244) : warning C4028: formal parameter 1 different from declaration
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(244) : warning C4273: 'unlink' : inconsistent dll linkage. dllexport assumed.
    C:\PROGRA~1\MICROS~4\VC98\INCLUDE\io.h(245) : error C2375: 'write' : redefinition; different linkage
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(305) : see declaration of 'write'
    inc32\openssl/e_os.h(198) : warning C4005: 'ssize_t' : macro redefinition
            C:\PROGRA~1\MICROS~4\VC98\INCLUDE\unistd.h(194) : see previous definition of 'ssize_t'
    .\crypto\engine\hw_aep.c(192) : error C2061: syntax error : identifier 'recorded_pid'
    .\crypto\engine\hw_aep.c(192) : error C2059: syntax error : ';'
    .\crypto\engine\hw_aep.c(192) : error C2513: '/*global*/ ' : no variable declared before '='
    .\crypto\engine\hw_aep.c(468) : warning C4018: '=' : signed/unsigned mismatch
    .\crypto\engine\hw_aep.c(623) : error C2065: 'pid_t' : undeclared identifier
    .\crypto\engine\hw_aep.c(623) : error C2146: syntax error : missing ';' before identifier 'curr_pid'
    .\crypto\engine\hw_aep.c(623) : error C2065: 'curr_pid' : undeclared identifier
    .\crypto\engine\hw_aep.c(631) : error C2065: 'recorded_pid' : undeclared identifier
    NMAKE : fatal error U1077: 'cl' : return code '0x2'
    Stop.

At 13.07 05/04/2002 +0200, you wrote:

I have installed activeperl with default setting.
Try nmake -f ms\nt.mak

-Original message-
From: Alberto T Isais [mailto:[EMAIL PROTECTED]]
Sent: Saturday 6 April 2002 0.59
To: [EMAIL PROTECTED]
Subject: need help

Thank you Sir Francesco for helping me. I did that and now I have new errors. Can you still help me with this one? My system is Windows 2000 OS SP1, Windows 2000 DDK, ActivePerl-5.6.1.631-MSWin32-x86, and MSVC++ 6. By the way, how did you install activeperl?

    C:\openssl>nmake -f ms\ntdll.mak
    Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
    Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
    Building OpenSSL
    copy nul+ .\crypto\buildinf.h tmp32dll\buildinf.h
    nul
    .\crypto\buildinf.h
    1 file(s) copied.
    copy nul+ .\crypto\opensslconf.h inc32\openssl\opensslconf.h
    nul
    .\crypto\opensslconf.h
    1 file(s) copied.
    cl
Problems installing openssl-0.9.6c on Windows 2000 box
Can anyone help me? I am trying to install openssl-0.9.6c through cygwin on a Windows 2000 box. Here is the error message I receive when I run the make command.

    Devon Jones@CR718118-A /tmp/openssl-0.9.6c
    $ make
    + rm -f libcrypto
    + rm -f libssl
    making all in crypto...
    make[1]: Entering directory `/tmp/openssl-0.9.6c/crypto'
    gcc -I. -I../include -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -c -o cryptlib.o cryptlib.c
    make[1]: gcc: Command not found
    make[1]: *** [cryptlib.o] Error 127
    make[1]: Leaving directory `/tmp/openssl-0.9.6c/crypto'
    make: *** [sub_all] Error 1

Can anyone help me?

Sincerely,
Andrew Plata
Re: Problems installing openssl-0.9.6c on Windows 2000 box
Andrew,

- make[1]: gcc: Command not found

it seems to me that make is trying to use the command gcc... but this is not available... as a double check try typing gcc at the command line... if that works double check your PATH...

cheers,
Sean

Andrew Plata wrote:

Can anyone help me, I am trying to install openssl-0.9.6c through cygwin on a Windows 2000 box. Here is the error message I receive when I run the make command.

    Devon Jones@CR718118-A /tmp/openssl-0.9.6c
    $ make
    + rm -f libcrypto
    + rm -f libssl
    making all in crypto...
    make[1]: Entering directory `/tmp/openssl-0.9.6c/crypto'
    gcc -I. -I../include -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -c -o cryptlib.o cryptlib.c
    make[1]: gcc: Command not found
    make[1]: *** [cryptlib.o] Error 127
    make[1]: Leaving directory `/tmp/openssl-0.9.6c/crypto'
    make: *** [sub_all] Error 1

Can anyone help me?

Sincerely,
Andrew Plata
Problem with client certificate authentication.
I get the following error on the client:

    24611:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:985:SSL alert number 51
    24611:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

and on the server:

    24610:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
    24610:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:459:
    24610:error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature:s3_srvr.c:1635:
    24610:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:180:

When attempting to do client authentication (with SSL_CTX_set_verify on the server). I've created the certificate and key programmatically using the OpenSSL API. The client seems to have no problem verifying the server certificate, but the server dies when trying to verify the client. Any ideas?

Sincerely,
Kevin Regan

Kevin Regan
Technical Lead
Houston UNIX Team
Office: 2200
Phone: 713-548-1767