Crash in DH_Free

2002-04-08 Thread Agarwal, Sudhi

Hi,

I am using OpenSSL version 0.9.6b on NT
I am getting a crash sometimes in my SSL server application when the
connection is broken between the server and the client. The crash occurs
very rarely and the stack is almost the same. The crash is happening in
SSL_free-ssl_cert_free-dh_free.
Two of the stack dumps for the crash are shown below.
***
0077427B  03A7FA94  __sbh_free_block+B2
0076D29C  03A7FAA4  free+23
00674D08  03A7FAB0  CRYPTO_free+25 Line 271
0066CFD6  03A7FAC0  BN_clear_free+46 Line 268
0066AA82  03A7FAD0  DH_free+115 Line 160
0067516F  03A7FAE0  ssl_cert_free+4C Line 322
006674A4  03A7FAF0  SSL_free+174 Line 378
**
Call stack:
Address   Frame
77F64D8A  02E2FB80  RtlFreeHeap+2A
00761C7F  02E2FB94  free+46
00672A18  02E2FBA0  CRYPTO_free+25 Line 271
0066AD46  02E2FBAC  BN_free+2B Line 280
0068C9F4  02E2FBB8  BN_MONT_CTX_free+17 Line 266
0067EFC4  02E2FBC4  DH_OpenSSL+3F2 Line 211
006686D0  02E2FBD4  DH_free+53 Line 150
00672E7F  02E2FBE4  ssl_cert_free+4C Line 322
006651B4  02E2FBF4  SSL_free+174 Line 378
***
I have been using this application for a long time now and it can run for over
3 days without crashing, with lots of connection breaks and establishments
happening successfully. This crash happens very occasionally and is hard to
debug. I have a single-threaded server which connects to multiple clients
(clients use Java SSL jsse).
Please let me know if anybody else has seen this problem or if there is some
problem in the way I am using SSL structures. In my application, the SSL_CTX
is defined only once for the server and is passed as a parameter to all new
SSL connections. DH is used for key generation and exchange. No certificates
are being used.
Thanks,
Sudhi Agarwal



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Java + LDAP it works :)

2002-04-08 Thread Zamangoer, Ferruh

Hi all,

Thanks once more to all the people who tried to help me. I have done the
following steps:

1. I used the posting from Brandon Amundson [[EMAIL PROTECTED]] from
04.04.2002 16:27, which describes how to create and handle certificates,
to create my own certificates.

2. After that I stripped all the text from the created certificate to keep
only the -CERTIFICATE- section. Then I used the command openssl x509 -in
cacert.pem -out cacert.crt and copied it to the client side.

3. Then I added cacert.crt with the command keytool -import -alias
newreq.der -file cacert.crt -trustcacerts -keystore Path to the
keystore.

At first my problem was understanding the sequence in which certificates
are used and the names CA, signed certificate, root certificate.

My problem, I think, was that I copied newreq.pem 1:1 from the server side to
the client side without step 2, which I described above, and added it to the
keystore (that's a fatal error, because newreq.pem includes the private key :)).

And finally it works in combination with the JNDI example :)


regards
Ferruh Zamangoer   
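
A check for the mistake described in the message above (copying newreq.pem, private key included, to the client side), as an added example that is not part of the original post: it keeps only the CERTIFICATE blocks of a PEM file and refuses to produce a client copy that is empty or still holds a key block. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data below are constructed.

# Exit 0 if FILE holds any PEM private-key block (RSA, EC, PKCS#8, encrypted).
pem_has_private_key() {
    grep -Eq -- '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# Print only the CERTIFICATE blocks, dropping text dumps and key blocks.
pem_certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                           { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }' "$1"
}

# Write a client-safe copy of SRC to DST; fail if nothing usable remains.
export_for_client() {
    src=$1 dst=$2
    pem_certs_only "$src" > "$dst"
    if ! grep -q -- '^-----BEGIN CERTIFICATE-----' "$dst"; then
        echo "no certificate found in $src" >&2
        rm -f "$dst"
        return 1
    fi
    if pem_has_private_key "$dst"; then
        echo "private key leaked into $dst" >&2
        rm -f "$dst"
        return 1
    fi
}

# Constructed sample: a newreq.pem-style file with text, key and certificate.
make_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Data: (constructed text dump)
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVA==
-----END CERTIFICATE-----
EOF
}

# Demo: the source file carries a key, the exported copy must not.
tmp=$(mktemp -d)
make_sample "$tmp/newreq.pem"
pem_has_private_key "$tmp/newreq.pem" && echo "newreq.pem: contains a private key"
export_for_client "$tmp/newreq.pem" "$tmp/client.crt" && echo "client.crt: certificate only"
```

The exported file is what the openssl x509 and keytool -import steps from the message would then be run on.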




Test; ignore please

2002-04-08 Thread I . A . Saez . Scheihing

test

Ivan


Ing. Ivan Saez Scheihing , Eindhoven University of Technology
Systeemhuis/Bush   BG 3.41 tel. 040-2475044
P.O.Box 513, 5600 MB Eindhoven, The Netherlands
E-Mail: [EMAIL PROTECTED]



How can I check a signed-text

2002-04-08 Thread I . A . Saez . Scheihing

Hi,

I have an XML application (works only with MSIE) which signs an HTML form with the
user's private key. Now I want to verify the signaturevalue on the server (Sun Solaris
2.8).
I've succeeded in extracting the public key but I can't find the right openssl
(version 0.9.6c) options to check the signaturevalue.
Probably the format of the signaturevalue is wrong:

<dsig:SignatureValue>gQBugbr5aenwu01IvkMBJKsshiwrWUZ/N+gdESuXvWv2b324H7i
EZ8QOcxAhT78yS6EVtvGTcbUtHuIx99eqG01HRMavyP0P24BqvkK8nqONJY3GO3bDdLjnVxJ
1Hk4f7c6ZtXiVfnL9VlG/cl+12Wkg 8Oejq8iXsZLyL7Mpibg=
</dsig:SignatureValue>

I've been playing with openssl dgst, openssl rsautl and openssl smime
but without success.
I would appreciate it very much if someone could give me some
directions to look.

kind regards,

Ivan


Ing. Ivan Saez Scheihing , Eindhoven University of Technology
Systeemhuis/Bush   BG 3.41 tel. 040-2475044
P.O.Box 513, 5600 MB Eindhoven, The Netherlands
E-Mail: [EMAIL PROTECTED]



Information on engine design?

2002-04-08 Thread Mads Rasmussen

 
Does any information/documentation exist of the design of the engine
solutions for OpenSSL?
 
Anyone has actually written something about this?
 
What about the cryptoki interface? So far I guess OpenSSL doesn't
support the pkcs 11 but only native interfaces, why?
 
Regards,
 
Mads



Re: Is OpenSSL Production Ready?

2002-04-08 Thread Mark H. Wood

On Sat, 6 Apr 2002, Jeffrey Altman wrote:
 There is an answer to this of course.  It is do not link against
 OpenSSL but instead load the libraries and functions manually as
 OpenSSL does with the DSO interface.  Then the two programs are
 separate with separate licenses.

Thank you! I hadn't thought of that, and it sounds like fun too.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.




Re: How can I check a signed-text

2002-04-08 Thread Aleksey Sanin

XML Signature is quite a complicated standard. You could not simply
check the signature by calculating the digest of whole XML document.
OpenSSL does not support XML DSig. Probably you want to use some
other library. For example, you can try one I wrote:

http://www.aleksey.com/xmlsec


Aleksey Sanin [EMAIL PROTECTED]
http://www.aleksey.com/xmlsec

[EMAIL PROTECTED] wrote:

Hi,

I have an XML application (works only with MSIE) which signs an HTML form with the
user's private key. Now I want to verify the signaturevalue on the server (Sun Solaris
2.8).
I've succeeded in extracting the public key but I can't find the right openssl
(version 0.9.6c) options to check the signaturevalue.
Probably the format of the signaturevalue is wrong:

<dsig:SignatureValue>gQBugbr5aenwu01IvkMBJKsshiwrWUZ/N+gdESuXvWv2b324H7i
EZ8QOcxAhT78yS6EVtvGTcbUtHuIx99eqG01HRMavyP0P24BqvkK8nqONJY3GO3bDdLjnVxJ
1Hk4f7c6ZtXiVfnL9VlG/cl+12Wkg 8Oejq8iXsZLyL7Mpibg=
</dsig:SignatureValue>

I've been playing with openssl dgst, openssl rsautl and openssl smime
but without success.
I would appreciate it very much if someone could give me some
directions to look.

kind regards,

Ivan


Ing. Ivan Saez Scheihing , Eindhoven University of Technology
Systeemhuis/Bush   BG 3.41 tel. 040-2475044
P.O.Box 513, 5600 MB Eindhoven, The Netherlands
E-Mail: [EMAIL PROTECTED]



Re: Is OpenSSL Production Ready?

2002-04-08 Thread Chris Cleeland

On Mon, 8 Apr 2002, Mark H. Wood wrote:

 On Sat, 6 Apr 2002, Jeffrey Altman wrote:
  There is an answer to this of course.  It is do not link against
  OpenSSL but instead load the libraries and functions manually as
  OpenSSL does with the DSO interface.  Then the two programs are
  separate with separate licenses.

 Thank you! I hadn't thought of that, and it sounds like fun too.

Sounds like this would be a great facility to stick into a contrib
directory...call it glen--Gnu Linkage ENabler?

-- 
  Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
 Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
  Support Me Supporting Cancer Survivors in Ride for the Roses 2002
Donate at http://www.milodesigns.com/donate




OCSP Question

2002-04-08 Thread Averroes

Hi all,

I want to set up an OCSP service on my website:

Does the OCSP implementation in openssl act as a service daemon, or
is it just a utility tool?

Could be very cool if someone has examples of configuration!

Regards

#--
Averroes




Wireless Certificate

2002-04-08 Thread Averroes

Hi,

Does anyone know if it is possible to
generate wireless certificate with openssl?

Or if it will be available in a near future?

Regards


#-
Averroes




Winsock2 out-of-the-box support

2002-04-08 Thread Mike Zeoli

Hi all,

Are there any plans to support linking against Winsock 2 out-of-the-box
for Windows builds? perhaps as a configure option?

I can certainly hack the makefile myself to do what I want, but we have our
users download and build OpenSSL themselves and it would be nice if it were
as easy as possible for them.

Does anyone else see this as a useful idea?

Regards,
Mike Zeoli
Rogue Wave Software



PKCS7

2002-04-08 Thread Abate Gianvittorio

Hi,
Would you explain to me how I can create a pkcs7 envelope containing a
SHA1 signed message?

By GV




 Ing. Gianvittorio Abate   
 System Engineer
 GBU Telecoms
 
SchlumbergerSema - SEMA S.p.A
 Via Antiniana, 2/A - 80078 Agnano (NA) - Italy
 Voice: +39 081 6103266
 Fax: +39 081 6103200
 Mobile +39 335 7661296 
 E-mail: mailto:[EMAIL PROTECTED]
 



R: About OpenSSL 0.9.7 release

2002-04-08 Thread Francesco Dal Bello

I have compiled my company utility with OpenSSL 0.9.6c libs. No errors.
Then I recompiled with OpenSSL 0.9.7 snap libs and I got these errors:

'RIPEMD160_DIGEST_LENGTH' : undeclared identifier
'RIPEMD160' undefined; assuming extern returning int
'PKCS7_content_free' undefined; assuming extern returning int
'fullname' : is not a member of 'DIST_POINT_NAME_st'
'req_kludge' : is not a member of 'X509_req_info_st'
'MS_STATIC' : undeclared identifier
'set' : is not a member of 'x509_attributes_st'

Thanks for interest
Francesco Dal Bello



-Original message-
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 6 April 2002 10.50
To: [EMAIL PROTECTED]; Francesco Dal Bello
Subject: Re: About OpenSSL 0.9.7 release


From: Francesco Dal Bello [EMAIL PROTECTED]

fdalbello I have tried to build my company utility with
fdalbello openssl-0.9.7-stable-SNAP-20020226 and I have obtained a
fdalbello mistake (a function doesn't exist anymore). This mistake
fdalbello doesn't exist using 0.9.6c release.

I'd like to know what function it is you're missing.  Either it is an
actual glitch on our part, or we might have a good explanation for it
missing.

fdalbello The 0.9.7 will be quite compatible backwards? 

Interesting way of putting the question :-).  Yes, I believe we can
say that it will be quite compatible :-).

On a more serious note: we're doing our best to keep backward
compatibility.  However, there are needed changes that make backward
compatibility tricky at best and impossible at worst.  Fortunately,
this only applies to some parts of OpenSSL.

The two things that have changed enormously are the ASN.1
parser/coder/decoder and the ENGINE framework (but that only really
affects those who've used the engine variant of OpenSSL 0.9.6x).

Something that will affect you on a linker symbol level is the change
of the symbols for the DES part.  To (re)link with 0.9.7, you
basically have to recompile the applications that use the DES
functions directly (something we don't recommend to start with).
BEWARE: this has a great impact on those that use libcrypto as a
shared library (something we do not recommend for anything other than
saving space)!

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.