RE: Problems installing OpenSSL on Linux
> -----Original Message-----
> From: J Harper [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 10 June 2004 20:39
> To: [EMAIL PROTECTED]
> Subject: Re: Problems installing OpenSSL on Linux
>
> This is an informative post, thank you. I'd like to add that this is one of the huge problems with RedHat's library and dependencies configuration. Manually weeding through the dependencies by hand to install a new version of OpenSSL from source is very difficult, and upgrading an entirely new kernel and OS seems completely ludicrous to have timely security updates. Production systems that are tested and have been running for months/years can't go through this process each time a critical security update for OpenSSL is released.
>
> The OpenSSL team does a fine job of acknowledging and fixing security issues, but if users of the most popular Linux distribution can't use them, it seems like a huge issue. Is there a workaround we don't know about? How well do other distributions handle this? Ideally you could just use apt-get, and have the latest version installed.
>
> J Harper
> PeerSec Networks
> http://www.peersec.com

Actually in my experience (which goes back to compiling openssl and apache on Red Hat BEFORE they were included in the OS) sticking with Red Hat's RPMs is always easier than trying to roll your own generic installations. The only restriction on using the Red Hat openssl is that certain ciphers are not included due to US patent restrictions.

In fact, it is Red Hat's stated policy that they backport patches rather than add new features. That does mean that version numbers differ from the latest version, which is frankly a minor inconvenience.

Details of all of this and how to build openssl without patent restrictions on your systems is in the openssl FAQ.
--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

I don't know which is worse. The makers of soap operas thinking they portray real life or those that watch them thinking it is real life!

--
DISCLAIMER:

NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system.

RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB.

RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: [98] Address in use.. Could not bind to 443
> -----Original Message-----
> From: kloomis [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 14 April 2004 15:21
> To: [EMAIL PROTECTED]
> Subject: [98] Address in use.. Could not bind to 443
>
> Hello:
>
> I have migrated from RH 7.1 to RH 9. I have edited the httpd.conf, and connections work to the server thru port 80. But when I move the connection to 443 and SSL, I get a Could not bind to 443, Address already in use error message.
>
> Upon some investigation I discovered that in the ssl.conf file there is: listen 443. When I removed the listen 443, I was able to connect to the server. The problem now is that the virtual host defined in the ssl.conf is not what I want.
>
> My question is, should I remove the virtual host for ssl from the httpd.conf and edit the ssl.conf, or vice versa? Is the ssl.conf necessary if everything is covered in the httpd.conf?

I'm way behind my reading on this list, so I've only just read this one.

Historically Apache had three config files (httpd.conf, access.conf and srm.conf). These were all combined into httpd.conf. However, distributions like Red Hat split the ssl configuration into an ssl.conf file. In the case of 9 this is in /etc/httpd/conf/conf.d.

The simple answer is that it's up to you. Simply renaming the ssl.conf in /etc/httpd/conf.d will prevent its use (it's included with Include conf.d/*.conf in httpd.conf), but the configuration will have to go in the httpd.conf file.

Can you send me more details off list? I've not come across this before and I've not had to change this ssl.conf file at all. I suspect that you may be trying to run Apache 2.0 with a lot of Apache 1.3 directives that are now out of date.
--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Every person who has set out to disprove the resurrection of Jesus Christ has changed their mind after examining the evidence in detail.
RE: Encrypted attachments
> -----Original Message-----
> From: Thorsten Müller [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 31 March 2004 15:55
> To: [EMAIL PROTECTED]
> Subject: Re: Encrypted attachments
>
> Dave wrote:
> > I am encrypting email attachments. I am on HP-UX 11.11 using openssl 0.9.7c. I can send unencrypted attachments. I am having trouble sending encrypted attachments to Outlook. When I look at the message source the attachment seems to be there but Outlook can not make sense of it. Any ideas?
>
> I'm not quite sure what exactly you are doing and what Outlook you are using. When you only encrypt the attachments, I think Outlook has some problems. You have to encrypt the complete mail generating a correct S/MIME mail, this should work, unless you are testing with Outlook 97 which I think has its problems with S/MIME
>
> Thorsten

Don't use Outlook 97, not even for a joke. It's seriously broken in many other ways too. 98 is passable but 2000 is fairly reliable. YMMV of course.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Shameless movie plug - go see the Passion of the Christ!
RE: Openssl upgrade on Red Hat 7.3 question
> -----Original Message-----
> From: Vigilance [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 11 March 2004 20:02
> To: [EMAIL PROTECTED]
> Subject: Openssl upgrade on Red Hat 7.3 question
>
> I have a question about upgrading openssl on Redhat 7.3
>
> I have been running openssl 0.9.6b for quite some time without problems. Now I see that there is apparently a psybnc attack out there for apache port 443. I've had to shut down https until I can get this fixed.
>
> I installed 0.9.6l which seemed to go in just fine. However, Redhat is still using the old stuff because the new openssl went into /usr/local/ssl and the old stuff is in /usr/bin. I don't see anything like $SSL_HOME to set. There is an FAQ comment to not remove /usr/bin/openssl or it will break sendmail and ssh but there is nothing in there about what to do about it. I'm not too keen to just put in a link under these circumstances.
>
> I'd really like to be able to take advantage of these new feature/security fixes for at least apache and ideally also for ssh. What do I need to do to get this to work?
>
> Please cc me as well as responding to the forum.
>
> Thanks in advance

First of all, Red Hat 7.3 is no longer supported by Red Hat. However, if you had used all the security updates so far supplied by Red Hat, there would be no known security issues.

There is a legacy project for Red Hat 7.3 but no updates for Apache, openssl or mod_ssl have been released since the end of last year, when support ceased.

However, if you wish to use a different version of openssl with apache, you would be best advised to recompile both openssl and apache. Details of how to do this are in the openssl documentation.

www.redhat.com and https://rhn.redhat.com are a good place to start.
--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Why do so many people who call themselves christians use the name of Jesus Christ as a swear word?
RE: Virus Scanner
> -----Original Message-----
> From: Thomas H Jones II [mailto:[EMAIL PROTECTED]
> Sent: 27 February 2004 23:10
> To: '[EMAIL PROTECTED]'
> Subject: Virus Scanner
>
> Is there any possibility that this list could be run through a virus scanner so that we wouldn't get spammed every time a virus passed through this list to a system that mails back virus warning messages? Seems like half the traffic is either virus or virus-response traffic.
>
> -tom
>
> ps. I don't -think- my site sends similar warnings, let me know if it does, please.

Well, for one those people on this list who are susceptible to viruses will have anti-virus software anyway (and if they don't, getting openssl to work is the least of their problems).

Two, there is the resource to this about. I don't think the server that runs the openssl lists has been upgraded for years because of lack of funds, and consequently I don't think anyone has the money to pay for it.

Three, it must be borne in mind that the vast amount of virus traffic now is:

Out of office replies
Automatic responses from undeliverable addresses.
Automatic responses from anti-virus programs.
Real responses by individuals to the preceding three.

With the exception of a dedicated mail echo address, people today should not have any kind of automatic responses to email set up. Recently viruses have been faking addresses, and in some cases send viruses back to someone who hadn't even sent it!

Given all these difficulties, a virus scanner would probably create more problems than it solves.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

According to the book of Acts, Eutychus was the first man to suffer from a General Protection Fault with Windows.
RE: Using OpenSSL and smartcards with pkcs#11
> -----Original Message-----
> From: The Doctor [mailto:[EMAIL PROTECTED]
> Sent: 15 January 2004 05:18
> To: [EMAIL PROTECTED]
> Subject: Re: Using OpenSSL and smartcards with pkcs#11
>
> On Thu, Jan 15, 2004 at 07:03:22AM +0200, Amira Solomovici wrote:
> > Hi all,
> >
> > I have been having difficulty in finding a tutorial explaining how to use the openssl application with smartcards, and I hope that someone could help me with the following:
> >
> > What I am basically trying to do is use a smartcard for logging into my Linux machine. I have openssl ver 0.9.7a installed, and I have implemented a pkcs#11 interface to the smartcard. I also installed the OpenSC libraries, but I'm not sure how to use it with openssl and with my pkcs#11 module.
> >
> > I would be grateful if someone could guide me on how to configure all those tools, and especially how to obtain or generate a certificate/key-pair to use in the login process to the computer.
>
> May I recommend that you update to openssl 0.9.7.c as 0.9.7a has a security advisory.
>
> Also, something like http://www.apache-ssl.org might be of help.

This depends on what you are running. If you are running Red Hat 9, for example, it says the version is 0.9.7a, and rpm -q openssl gives openssl-0.9.7a-20. However, this version does have the security updates. rpm -q --changelog openssl | more shows that the security fixes were added on Sep 23 2003.

Before suggesting they upgrade, find out what version of Linux they are running please. Otherwise they may come back with more problems than what they started with.

Thank you.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Even if you win the rat race, that will still only make you a rat.
RE: OpenSSL file destinations
I'm not sure why you'd want to run the query against a package that isn't installed (that's what the p option does). Surely he wants to check it is installed, then use

    rpm -ql openssl |more

to see where the files are now?

One reason to check whether your distro has openssl already installed is so that you don't have issues where your programs are executing the wrong version. It's surprising how many times that happens.

You might also find that the distro version is sufficient for your needs too, especially now the engine code is included.

(I remembered that time...)

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Even if you win the rat race, that will still only make you a rat.

-----Original Message-----
From: Obermeier Markus ICM MP PD TS [mailto:[EMAIL PROTECTED]
Sent: 13 January 2004 16:35
To: '[EMAIL PROTECTED]'
Subject: RE: OpenSSL file destinations

Dear John,

best way to find out is to do a `rpm -qlp openssl-xyz.rpm` where openssl-xyz is the rpm-file from a distribution's pre-installed openssl library archive. Then you have to do a bit of manual work to figure out how to use the options of the ./configure-command of the tarball. In some cases you will find out from the rpm command above have to adjust/create the library version links e.g. libssl.so.x.y as well. I did this for the SuSE 8.1/8.2 distributions.

Rgds,
Markus

-----Original Message-----
From: Boyle Owen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 13 January 2004 15:30
To: [EMAIL PROTECTED]
Subject: RE: OpenSSL file destinations

> -----Original Message-----
> From: John S. Wolter [mailto:[EMAIL PROTECTED]
>
> I am wondering if there is a document that describes where the files of OpenSSL should normally be placed?

Look in the INSTALL file. The default location for Unix is /usr/local/openssl, but you can put it anywhere you like.

NB - openssl is a library of functions, not a single binary.

Rgds,
Owen Boyle

Disclaimer: Any disclaimer attached to this message may be ignored.

--
Wolter Works - Always Innovating - - Industry and Commerce
Internet Invention - Internet Marketing Product Concepts Implementation
mailto:[EMAIL PROTECTED]
John Wolter, President
1531 Jones Drive
Ann Arbor, MI 48105-1871 USA
1-734-665-1263

Copyright 2003 John S. Wolter

Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.

This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group.

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
RE: un-tar'ing not working for me
> -----Original Message-----
> From: John S. Wolter [mailto:[EMAIL PROTECTED]
> Sent: 13 January 2004 13:40
> To: [EMAIL PROTECTED]
> Subject: un-tar'ing not working for me
>
> [snip]
>
> What obvious error am I making using tar?

It's a gzipped tar file. I would use this to extract the contents:

    tar -zxvf openssl-0.9.7c.tar.gz.tar

To be really sure, use this first:

    tar -ztvf openssl-0.9.7c.tar.gz.tar

To ensure there are no errors with the tar file.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Even if you win the rat race, that will still only make you a rat.
RE: OpenSSL file destinations
> -----Original Message-----
> From: John S. Wolter [mailto:[EMAIL PROTECTED]
> Sent: 13 January 2004 14:19
> To: [EMAIL PROTECTED]
> Subject: OpenSSL file destinations
>
> I've downloaded the latest OpenSSL and I'm going to target an already installed SUSE 8.1 for testing and then build a 9.0 system. I've noticed that the tarballs are not targeted to distributions. SUSE 's distribution does include an rpm file but the only way to know where to place files is to do an rpm query. That does not appear to be efficient route for the installed result.
>
> I am wondering if there is a document that describes where the files of OpenSSL should normally be placed?
>
> --

I would guess (without having a copy of Suse to hand) that their RPM is already installed. Try

    rpm -q openssl

To see if it is. If it is then try

    rpm -e openssl --test

You'll probably see a list of packages that depend on it. If you don't, then you are free to stick with the defaults. If you do, then follow the build instructions in the openssl FAQ that refer to Red Hat.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Even if you win the rat race, that will still only make you a rat.
RE: Sign PIX certificate using OpenSSL CA
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 16 December 2003 14:34
> To: [EMAIL PROTECTED]
> Subject: Sign PIX certificate using OpenSSL CA
>
> I would like to sign a certificate created by pix firewall using OpenSSL CA server.
>
> My current set up is: the OpenSSL CA server is Network 1-- Router -- PIX Firewall Network 2 (CA server) VPN tunnel
>
> I have established VPN tunnel between router and pix firewall using preshared secret, but I would like to use the certificate signed by OpenSSL CA. How can I sign the pix certificate? Also, how can I download the CA certificate to PIX firewall?
>
> Thank you. Your advice is appreciated.
>
> Sanborne

I'm assuming you mean a Pix Firewall version 6.3.x. I don't think there is a way to get a certificate onto a Pix, as the ca commands can only create certificates.

Have a look at the version 6.3 command reference at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

If you do find a way, I'd love to know!

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

There is more historical evidence for the existence of Jesus Christ than for either Henry VIII or Julius Caesar.
RE: Signing a CSR from JetDirect
> -----Original Message-----
> From: Bob DeBolt [mailto:[EMAIL PROTECTED]
> Sent: 14 July 2003 18:35
> To: [EMAIL PROTECTED]
> Subject: RE: Signing a CSR from JetDirect
>
> It seems to me that it is in the best interest of the major CAs to not offer wildcard certificates; that way, they can charge their outrageous prices for each certificate that you need, and when you happen to change a hostname, they are right there at the trough looking for more money.
>
> Isn't capitalism wonderful?
>
> Bob D

There are still CAs that will issue wildcards, but most will want to charge heavily for them. Add to this the fact that IIS doesn't support them directly (I know it has a small market share, but it's still second place to Apache) and Microsoft keep messing up support for them in IE, they can be more trouble than they are worth.

Most of these problems can be overcome however. I keep meaning to write a book including all this, as I don't think anyone has yet. Maybe this year I will...

Getting back to the poster's original point, is it at all possible that the JetDirect won't accept a certificate that is over one or two years from expiry?

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

After over 144 years, there's still no fossil evidence of Evolution.

--
NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system.

RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB.

RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk
RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?
Sorry for my delay in replying.

It shouldn't affect SSH as that didn't come with Red Hat 6.2. It's a while since I used 6.2, but at the time I downloaded an RPM from a Dutch encryption site (which is now long gone). They used their own security libraries so were independent of openssl.

However, your time might be better spent upgrading to a newer version of Linux.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Evolution isn't true just because the majority of people think it is.

-----Original Message-----
From: Francisco Javier Martinez Martinez [mailto:[EMAIL PROTECTED]
Sent: 13 June 2003 14:38
To: [EMAIL PROTECTED]
Subject: RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

Thanks for the answer, I was wondering whether with the same scenario (Redhat 6.2) this upgrade could affect to other services installed like SSH or not? And if yes, is necessary to update them too?

Thanks and greets.

At 13:42 13/06/2003 +0100, you wrote:
> Yes, but check the mod_ssl website http://www.mod_ssl.org and ensure you are compiling the correct mod_ssl against openssl. Since you compile mod_ssl into apache, you will need to recompile both.
>
> This is why I prefer RPMS! Even if you customise your version of Apache, you only need to build it once and then you can install it on any number of systems.
>
> John
RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?
If I had a Euro for each time this question gets asked...

The openssl FAQ details the fact that Red Hat 7.x (onwards) uses backported versions. That is, if you have installed the Red Hat update to your version (either manually or using Red Hat Network at rhn.redhat.com) you are protected from currently known vulnerabilities. The current supported openssl versions for Red Hat are:

openssl-0.9.6-16 - 7.1
openssl-0.9.6b-32.7 - 7.2, 7.3
openssl-0.9.6b-33 - 8.0
openssl-0.9.7a-5 - 9.0

Of course, there is nothing to stop you building a separate version in a different directory. Unless you need to use patent restricted code there'll be no need.

If you haven't built against one of these versions, you'll either need to recompile or use the Red Hat supplied mod_ssl package. Whichever you choose is up to you.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Evolution isn't true just because the majority of people think it is.

-Original Message-
From: Francisco Javier Martinez Martinez [mailto:[EMAIL PROTECTED]
Sent: 12 June 2003 08:01
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

Hello.

I want to upgrade the OpenSSL to the 0.9.6j version to get rid of the two last vulnerabilities found in the previous versions of OpenSSL. The system is RedHat 7.x running Apache 1.3.27 with mod_ssl, both compiled with APACI method (configure, make make install), and my question is: is it necessary, once I have upgraded the OpenSSL, to recompile my Apache so the mod_ssl could be linked to the new libraries of the OpenSSL, or is the work done only with upgrading the openssl?

Thanks in advance. Regards.
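The point of the reply above, that on Red Hat the package release rather than the upstream version string shows whether the backported fixes are installed, as an added example (not code from the thread or from Red Hat). The table is the one quoted in the post and reflects June 2003; the function names, the sample package strings and the numeric-only release comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: judge a Red Hat openssl package by its RPM release,
# not by the upstream version embedded in its name.

# supported_nvr RELEASE -> prints the package the post lists for that release.
supported_nvr() {
    case $1 in
        7.1)     echo openssl-0.9.6-16 ;;
        7.2|7.3) echo openssl-0.9.6b-32.7 ;;
        8.0)     echo openssl-0.9.6b-33 ;;
        9.0)     echo openssl-0.9.7a-5 ;;
        *)       return 1 ;;
    esac
}

# release_ge A B -> succeeds when dotted numeric release A >= B.
# Simplification of RPM's own comparison: numeric fields only.
release_ge() {
    rg_a=$1 rg_b=$2
    while [ -n "$rg_a" ] || [ -n "$rg_b" ]; do
        rg_x=${rg_a%%.*} rg_y=${rg_b%%.*}
        if [ "$rg_a" = "$rg_x" ]; then rg_a=; else rg_a=${rg_a#*.}; fi
        if [ "$rg_b" = "$rg_y" ]; then rg_b=; else rg_b=${rg_b#*.}; fi
        rg_x=${rg_x:-0} rg_y=${rg_y:-0}
        if [ "$rg_x" -gt "$rg_y" ]; then return 0; fi
        if [ "$rg_x" -lt "$rg_y" ]; then return 1; fi
    done
    return 0
}

# check_backport RELEASE NVR -> prints patched | outdated | unknown.
# NVR is the name-version-release string printed by `rpm -q openssl`.
check_backport() {
    cb_want=$(supported_nvr "$1") || { echo unknown; return 2; }
    cb_have=$2
    cb_have_rel=${cb_have##*-} cb_have_nv=${cb_have%-*}
    cb_want_rel=${cb_want##*-} cb_want_nv=${cb_want%-*}
    # A different upstream version (a source build, or a package from
    # another release) cannot be judged from this table.
    if [ "$cb_have_nv" != "$cb_want_nv" ]; then echo unknown; return 2; fi
    case $cb_have_rel in ''|*[!0-9.]*) echo unknown; return 2 ;; esac
    if release_ge "$cb_have_rel" "$cb_want_rel"; then
        echo patched; return 0
    fi
    echo outdated; return 1
}

# Demo on constructed inputs (not taken from a real host).
for sample in "7.3 openssl-0.9.6b-18" "7.3 openssl-0.9.6b-32.7" "8.0 openssl-0.9.6j-1"; do
    set -- $sample
    printf 'Red Hat %s, %s: %s\n' "$1" "$2" "$(check_backport "$1" "$2" || true)"
done
```

On a live system the second argument would come from `rpm -q openssl`, and the table would need refreshing from the vendor's current errata.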
RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?
Undoubtedly yes. Redhat 6.2 doesn't come with openssl, although an optional RPM is available for it, version 0.9.5a-33 (which is up to date as of March 26th this year). rpm -q openssl will tell you if this optional package is installed. However, this version of Linux is no longer supported by Red Hat, so continue at your own risk.

I believe that you compile openssl as shared to use it with mod_ssl. Others on the list will surely flame me if I get it wrong. I'd be surprised if you get it to compile on version 6.2 anyway. I was finding that the glibc libraries were too far out of date the last time I tried.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Evolution isn't true just because the majority of people think it is.

-Original Message-
From: Francisco Javier Martinez Martinez [mailto:[EMAIL PROTECTED]
Sent: 12 June 2003 14:20
To: [EMAIL PROTECTED]
Subject: RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

Sorry for disturbing you, but I was mistaken about the version of Linux; my client had a Redhat 6.2. I realized this because there is no libssl.so.0.9.6xx in the file system; there is /usr/local/ssl/lib/libssl.a instead. This may indicate that the openssl is not built in shared mode? The openssl and the apache were compiled, the latter with mod_ssl among other modules, using APACI format (configure and make).

Would you please be so kind as to tell me if I have to recompile the apache once the openssl has been compiled?

Thanks in advance and regards.
RE: Anyone where to get a signed SSL certificate cheap?
You are right about the price Jo. They've hiked their prices a lot (must be to pay for Mark Shuttleworth's space trip...).

If you are representing a charity you may be able to negotiate a lower price. We did that last year and received a wildcard certificate at a discount.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

A fundamentalist - what you call someone more sure of what they believe than what you are

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 13 February 2003 21:29
To: [EMAIL PROTECTED]
Subject: Re: Anyone where to get a signed SSL certificate cheap?

Check tucows

Josef Karthauser [EMAIL PROTECTED] wrote ..

I need to obtain a certificate to use on my openssl/apache web server, but looking at Verisign and Thawte it appears that they're charging a lot of money ($450) per year for one! Does anyone know where I can get one cheaper? Last time I bought I'm sure that they were only $100/yr each.

Joe

p.s. yes, I know that I could self-sign, but this is for an ecommerce system and I'd prefer our customer's customers not to have to ask themselves why the certificate is in our name and not our customer's! :)

--
Josef Karthauser ([EMAIL PROTECTED]) http://www.josef-k.net/
FreeBSD (cvs meister, admin and hacker) http://www.uk.FreeBSD.org/
Physics Particle Theory (student) http://www.pact.cpes.sussex.ac.uk/
An eclectic mix of fact and theory.
RE: Anyone where to get a signed SSL certificate cheap?
Try globalsign www.globalsign.com, 175 Euro ($189 or £116.91 in proper money).

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

A fundamentalist - what you call someone more sure of what they believe than what you are

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 13 February 2003 21:29
To: [EMAIL PROTECTED]
Subject: Re: Anyone where to get a signed SSL certificate cheap?

Check tucows

Josef Karthauser [EMAIL PROTECTED] wrote ..

I need to obtain a certificate to use on my openssl/apache web server, but looking at Verisign and Thawte it appears that they're charging a lot of money ($450) per year for one! Does anyone know where I can get one cheaper? Last time I bought I'm sure that they were only $100/yr each.

Joe

p.s. yes, I know that I could self-sign, but this is for an ecommerce system and I'd prefer our customer's customers not to have to ask themselves why the certificate is in our name and not our customer's! :)

--
Josef Karthauser ([EMAIL PROTECTED]) http://www.josef-k.net/
FreeBSD (cvs meister, admin and hacker) http://www.uk.FreeBSD.org/
Physics Particle Theory (student) http://www.pact.cpes.sussex.ac.uk/
An eclectic mix of fact and theory.
RE: Problems building 0.9.7 on RedHat 7.3
What are you using to build it with? I've managed to build 0.9.7 fine on RedHat 7.3 with ./config and ./config shared

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

I know it sounds cocky, but I honestly believe that one day there'll be a telephone in every Town in America - Alexander Graham Bell (my paraphrase)

-Original Message-
From: Brian Ipsen [mailto:[EMAIL PROTECTED]]
Sent: 17 January 2003 18:59
To: [EMAIL PROTECTED]
Subject: Problems building 0.9.7 on RedHat 7.3

Hi!

I'm trying to compile 0.9.7 on a RedHat 7.3 box, but when I do the make test I get:

    NIST curve P-521 -- Generator:
    x = 0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B 4D3DBAA14B5E77 EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
    y = 0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD172 73E662C97EE729 95EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
    verify group order ok
    combined multiplication . ok
    cat
    base64
    aes-128-cbc
    aes-128-cbc is an unknown cipher
    options are
    -in file        input file
    -out file       output file
    -pass arg       pass phrase source
    -e              encrypt
    -d              decrypt
    -a/-base64      base64 encode/decode, depending on encryption flag
    -k              key is the next argument
    -kfile          key is the first line of the file argument
    -K/-iv          key/iv in hex is the next argument
    -[pP]           print the iv/key (then exit if -P)
    -bufsize n      buffer size
    -engine e       use engine e, possibly a hardware device.
    Cipher Types
    aes-128-cbc is an unknown cipher
    options are
    -in file        input file
    -out file       output file
    -pass arg       pass phrase source
    -e              encrypt
    -d              decrypt
    -a/-base64      base64 encode/decode, depending on encryption flag
    -k              key is the next argument
    -kfile          key is the first line of the file argument
    -K/-iv          key/iv in hex is the next argument
    -[pP]           print the iv/key (then exit if -P)
    -bufsize n      buffer size
    -engine e       use engine e, possibly a hardware device.
    Cipher Types
    cmp: EOF on ./p.aes-128-cbc.clear

Any idea why I get that aes-128-cbc error ??

Regards,
/Brian
RE: OpenSSL Project Environment Migration on 10-Dec-2002 11:00 am CET
Can you give us more details about the move, like where, who, and whether it has bigger bandwidth please Ralf?

Sorry for being late in replying, but I've been unwell.

Thanks.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

If you are easily offended, don't read the next line! It always amazes me how people believe in evolution as if it is a fact when at the very best it is and always will be a theory.

-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: 10 December 2002 09:10
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: OpenSSL Project Environment Migration on 10-Dec-2002 11:00 am CET

The OpenSSL project migrates today (10-Dec-2002, 11:00 am CET) its whole project environment to a completely new setup and location. In case of any problems after this switch time, please do not hesitate to contact me directly and describe the problem in detail. I'll make sure it is fixed as quick as possible.

Sorry in advance for any inconveniences today. Thanks for understanding.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
RE: regenerate a host-specific ?
This is a question for the openssh site, www.openssh.org. However, as I'm feeling friendly, I'll answer your question.

Indeed, RSA keys are generated by ssh-keygen as a default. These are only of use for SSH version 1. Version 2 uses DSA keys, so you use ssh-keygen -t dsa. If you don't give a passphrase, you can copy the contents of the id_dsa.pub to $HOME/.ssh/authorized_keys on the remote server, chmod this file to 600, chmod the .ssh directory to 700 and then ssh should let you in with this key from that host rather than via a password.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

If we could learn one thing from September 11th 2001, it would be the utter absurdity of moral relativism.

-Original Message-
From: rmckee [mailto:rmckeever;earthlink.net]
Sent: 15 November 2002 16:38
To: [EMAIL PROTECTED]
Subject: regenerate a host-specific ?

Hello,

I was wondering how do you regenerate a host-specific RSA key on unix with ssh. Do you use ssh-keygen?

thanks
Rm
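An added example (not part of the original post) that audits the setup the reply describes: the .ssh directory at 700 and authorized_keys at 600. It goes beyond the post in two labelled ways: it also checks that each key sits on one unwrapped line, and it accepts RSA, ECDSA and Ed25519 key types besides DSA. The function names and the placeholder key are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the modes the reply asks for and catch keys that
# were wrapped onto several lines when pasted into authorized_keys.

# mode_string PATH -> the 10-character type and permission field from ls.
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# audit_ssh_dir HOME_DIR -> prints one finding per line; returns 0 when clean.
audit_ssh_dir() {
    as_dir=$1/.ssh
    as_keys=$as_dir/authorized_keys
    as_bad=0
    if [ ! -d "$as_dir" ]; then
        echo "missing directory: $as_dir"
        return 1
    fi
    as_mode=$(mode_string "$as_dir")
    if [ "$as_mode" != "drwx------" ]; then
        echo "$as_dir is $as_mode, expected drwx------ (chmod 700)"
        as_bad=1
    fi
    if [ ! -f "$as_keys" ]; then
        echo "missing file: $as_keys"
        return 1
    fi
    as_mode=$(mode_string "$as_keys")
    if [ "$as_mode" != "-rw-------" ]; then
        echo "$as_keys is $as_mode, expected -rw------- (chmod 600)"
        as_bad=1
    fi
    # Every entry needs a key type token followed by the key data on the
    # same line; a wrapped key leaves a continuation line with no type.
    if ! awk '
        /^[ \t]*(#|$)/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-)/) { ok = 1; break }
            if (!ok) { printf "line %d: no key type followed by key data\n", NR; bad++ }
        }
        END { exit bad > 0 }
    ' "$as_keys"; then
        as_bad=1
    fi
    return $as_bad
}

# build_sample DIR -> constructed fixture: loose modes and a placeholder key
# whose body was wrapped onto a second line (not a real key).
build_sample() {
    mkdir -p "$1/.ssh"
    chmod 755 "$1/.ssh"
    printf '%s\n' \
        '# constructed sample, not a real key' \
        'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER' \
        'PLACEHOLDERCONTINUATION user@client' > "$1/.ssh/authorized_keys"
    chmod 644 "$1/.ssh/authorized_keys"
}

# Demo: audit the constructed fixture, apply the fixes from the reply, re-audit.
demo_home=$(mktemp -d)
build_sample "$demo_home"
echo "before:"; audit_ssh_dir "$demo_home" || true
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER user@client' \
    > "$demo_home/.ssh/authorized_keys"
echo "after:"; audit_ssh_dir "$demo_home" && echo "no findings"
rm -rf "$demo_home"
```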
RE: Building 0.9.6g --RH8.0
I've now managed a build of openssl 0.9.6g on RedHat 8.0, much to my surprise. First of all, make sure you have these RPMs installed (from the RedHat 8.0 CD 1):

binutils-2.13.90.0.2-2
gcc-3.2-7
glibc-devel-2.2.93-5
glibc-kernheaders-2.4-7.20 (this used to be called kernel-headers pre version 7.3)

I'm running the latest kernel, 2.4.18-17.8.0.

I used the following as a non root user:

./config shared

to install everything into /usr/local/ssl, including the shared libraries. make and make test completed without errors, so I su'ed to root and ran make install.

To show that it is installed, I used:

    [openssl-0.9.6g]# openssl
    OpenSSL> version
    OpenSSL 0.9.6b [engine] 9 Jul 2001
    OpenSSL> exit
    [openssl-0.9.6g]# cd /usr/local/ssl/bin
    [bin]# ./
    c_rehash openssl
    [root@becketts bin]# ./openssl
    OpenSSL> version
    OpenSSL 0.9.6g 9 Aug 2002
    OpenSSL> exit

You'll note that the first version is what comes with RedHat 8.0, the second version is what goes in /usr/local/ssl.

To check I haven't stuffed up the currently installed version, rpm -V openssl returns no results, so no files within the packages have changed. (I really like rpm -V, it helps me to check whether anything has been tampered with).

I hope that helps.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

If we could learn one thing from September 11th 2001, it would be the utter absurdity of moral relativism.

-Original Message-
From: Inman, David [mailto:David.Inman;siemens.com]
Sent: 31 October 2002 14:37
To: ([EMAIL PROTECTED])
Subject: Building 0.9.6g --RH8.0

I am trying to build openssl-0.9.6g on a RedHat 8.0 system. When I run make test everything passes but when I run a make install it does not install the binaries into /usr/local/openssl (where I told it with config). I have done this several times on RH7.3 without a problem so I was wondering if others have had this problem and what the solution might be.

Thanks,
David Inman
RE: Building 0.9.6g --RH8.0
Attached is the openssl.spec file for Red Hat 8.0, which is what Red Hat uses to build their openssl package, presumably with gcc 3.2. If you can make some sense of it, you'll probably find out how to get openssl to compile.

Ignore the configure options no-idea, no-mdc2 and no-rc5. These are only there because of US patent restrictions.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-Original Message-
From: Inman, David [mailto:David.Inman;siemens.com]
Sent: 31 October 2002 14:37
To: ([EMAIL PROTECTED])
Subject: Building 0.9.6g --RH8.0

I am trying to build openssl-0.9.6g on a RedHat 8.0 system. When I run make test everything passes but when I run a make install it does not install the binaries into /usr/local/openssl (where I told it with config). I have done this several times on RH7.3 without a problem so I was wondering if others have had this problem and what the solution might be.

Thanks,
David Inman

openssl.spec Description: Binary data
RE: openssl 9.6g Redhat 7.3 Seg Fault
-Original Message-
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:[EMAIL PROTECTED]]
Sent: 10 October 2002 14:59
To: '[EMAIL PROTECTED]'
Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault

Hello all,

all good points, however. Redhat is a good linux platform (in my opinion) so I am quite happy to accept a fair amount of rpm. However that fact 7.3 put on so much crap in rpm I decided to strip down and run most things compiled from source so I know where/how they were built.

I understand that using the --nodeps option will break the packages that depend on the package removed. In fact I am HAPPY to break the packages that depend on openssl, as I am chomping at the bit to recompile them !!! as I think their RPM packages are rubbish and buggy also.

[snip]

Well, there's a contradiction for you! Red Hat consists of multiple RPM packages, nothing more, nothing less. So you are saying that the whole is good, but that the parts are crap.

I've been running Red Hat for years, and in the days before they did bundle openssl, I had to compile openssl, modssl and apache. After that I found someone else who had created rpms (ie they did the hard work of getting these to compile). I still compile Apache as I have a business need to run a slightly different version, but even then I create an RPM package.

I'd like to think that someone else would be able to help you further, although why you should deliberately break a working system knowing full well what you are doing (as you appear to) and then want help is beyond me. We have a legal expression in England you are the author of your own misfortune!

If you really want to know how the packages were built, install the source rpms and go to /usr/src/redhat/SPECS. The individual spec files that build each package are there. I think you'd find they aren't built that much differently to how you are building them.

I'm also a big fan of Red Hat Network now as I'm able to see that my systems are up to date with all the released patches at a glance.

I should also add that I'm not on any commission from Red Hat to say this (sadly ;-) ).

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute
RE: openssl 9.6g Redhat 7.3 Seg Fault
-Original Message-
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:[EMAIL PROTECTED]]
Sent: 10 October 2002 14:59
To: '[EMAIL PROTECTED]'
Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault

Hello all,

all good points, however. Redhat is a good linux platform (in my opinion) so I am quite happy to accept a fair amount of rpm. However that fact 7.3 put on so much crap in rpm I decided to strip down and run most things compiled from source so I know where/how they were built.

I understand that using the --nodeps option will break the packages that depend on the package removed. In fact I am HAPPY to break the packages that depend on openssl, as I am chomping at the bit to recompile them !!! as I think their RPM packages are rubbish and buggy also.

[snip]

I should have mentioned that someone did recently post a method to this list detailing how to remove openssl from Red Hat and build it. A search of the archives should bring it up.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute
RE: openssl 9.6g Redhat 7.3 Seg Fault
-Original Message-
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:[EMAIL PROTECTED]]
Sent: 10 October 2002 14:59
To: '[EMAIL PROTECTED]'
Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault

Hello all,

all good points, however. Redhat is a good linux platform (in my opinion) so I am quite happy to accept a fair amount of rpm. However that fact 7.3 put on so much crap in rpm I decided to strip down and run most things compiled from source so I know where/how they were built.

I understand that using the --nodeps option will break the packages that depend on the package removed. In fact I am HAPPY to break the packages that depend on openssl, as I am chomping at the bit to recompile them !!! as I think their RPM packages are rubbish and buggy also.

[snip]

Link to aforementioned post: http://www.mail-archive.com/openssl-users@openssl.org/msg28006.html

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute
RE: apache and that whole bugbear thing
I think you ([EMAIL PROTECTED]) are confusing bugbear with slapper. Provided you restarted your web server after the upgrade to 0.9.6g, you should be OK as far as that is concerned. The restart is necessary to ensure that no code from the previous version of openssl is still in memory.

Could you give some more details about your other problems please? eg, version of apache and mod_ssl? You may need to upgrade these. For example, there is a recent update to apache (1.3.27) that contains several new security fixes.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: B. van Ouwerkerk [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 17:17
To: [EMAIL PROTECTED]
Subject: Re: apache and that whole bugbear thing

Uhhh last time I checked bugbear was a virus infecting M$ Lookout users. Don't think it runs against Linux.

At 20:51 5-10-02 -0400, [EMAIL PROTECTED] wrote:

Is this the right place to ask questions about the bugbear worm? On a Sun box, we upgraded openssl to 0.9.6g because of the potential for the whole bugbear attack... I realize it's apparently targeted at linux, but better safe than sorry... well, we've started getting hit with what we think may be attacks... they're not getting through, but they cause apache to lock up... it's very strange... the situation seems to happen as follows:

We get a couple http requests that return a 400 status... then the server stops serving requests... then EXACTLY (every time) 5 minutes later, to the second, we get a request that gives a 408 error from the same IP, then apache needs to be restarted before it accepts any further requests... until this morning, there has not been much information in the logs... but this morning, there were some entries in the ssl_engine_log that looked like this:

[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)
[05/Oct/2002 02:55:42 00969] [info] Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)
[05/Oct/2002 02:55:42 00969] [info] Seeding PRNG with 1160 bytes of entropy
[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)
[05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[05/Oct/2002 02:55:42 00969] [info] Connection to child 14 established (server XXX.XXX.com:443, client 66.46.213.130)
[05/Oct/2002 02:55:42 00969] [info] Seeding PRNG with 1160 bytes of entropy

66.46.213.130 was the ip address that gave the 400's and 408 this time around (different IP each time)...

If this is not the best place to ask about this, please point me in the right direction... I'm starting to sweat with my boss breathing down my neck... this is a 24/7 production server, running critical web applications that internal and external customers access constantly... so any help towards an answer would be greatly appreciated...

Thanks. Dan.
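The ssl_engine_log excerpt quoted in the thread above pairs an "SSL handshake failed" entry with the OpenSSL library error "GET_CLIENT_MASTER_KEY:key arg too long". The following is an added example, not part of the original messages: a small parser that counts those rejections per client address so the sources can be reviewed or blocked. The function names are hypothetical, the sample lines are constructed on the pattern of the excerpt using documentation addresses, and it assumes the library error line follows the failure line under the same process id, as it does in the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line prefix as shown in the thread: "[05/Oct/2002 02:55:42 00969] [error] ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\] "
    r"\[(?P<level>[a-z]+)\]\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^SSL handshake failed \(server (?P<server>[^,]+), client (?P<client>[^)]+)\)"
)
LIBERR_RE = re.compile(
    r"^OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

# The function and reason fields of the error line quoted in the thread.
SIG_FUNC = "GET_CLIENT_MASTER_KEY"
SIG_REASON = "key arg too long"


def find_key_arg_rejections(lines):
    """Return {client: [(timestamp, server), ...]} for rejected handshakes."""
    pending = {}  # pid -> (timestamp, client, server) of the last failed handshake
    hits = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ssl_engine_log entry
        pid, msg = m["pid"], m["msg"]
        failed = FAILED_RE.match(msg)
        if failed:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
            pending[pid] = (ts, failed["client"], failed["server"])
            continue
        liberr = LIBERR_RE.match(msg)
        if liberr:
            is_sig = (liberr["func"] == SIG_FUNC
                      and liberr["reason"].strip() == SIG_REASON)
            if is_sig and pid in pending:
                ts, client, server = pending.pop(pid)
                hits[client].append((ts, server))
            continue  # other error-stack lines may still follow this failure
        pending.pop(pid, None)  # any other entry ends the error stack
    return dict(hits)


def summarize(hits):
    """One row per client: (client, count, first_seen, last_seen, servers)."""
    rows = []
    for client, events in hits.items():
        times = [ts for ts, _ in events]
        servers = sorted({srv for _, srv in events})
        rows.append((client, len(events), min(times), max(times), servers))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample input (documentation addresses, example.com hosts).
SAMPLE_LOG = """\
[05/Oct/2002 02:55:40 00969] [info]  Connection to child 3 established (server www.example.com:443, client 198.51.100.7)
[05/Oct/2002 02:55:40 00969] [error] SSL handshake failed (server www.example.com:443, client 198.51.100.7) (OpenSSL library error follows)
[05/Oct/2002 02:55:40 00969] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 192.0.2.10, server www.example.com:443)
[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server shop.example.com:443, client 192.0.2.10)
[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server shop.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[05/Oct/2002 02:55:47 00971] [error] SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[05/Oct/2002 02:55:47 00971] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
this line is not a log entry
""".splitlines()


if __name__ == "__main__":
    for client, count, first, last, servers in summarize(
            find_key_arg_rejections(SAMPLE_LOG)):
        print(f"{client}: {count} rejected handshake(s), "
              f"{first} to {last}, servers: {', '.join(servers)}")
```

The plain-HTTP-on-443 failure from 198.51.100.7 is deliberately not counted: only failures whose library error carries the function and reason from the thread's excerpt are reported.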
RE: Validity period of certificates
In addition, that was your key and certificate that you sent, not just . So I'd hope you have a pass-phrase on your key or the key and certificate that you sent aren't ones that you intend to use.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Jose Correia (J) [mailto:[EMAIL PROTECTED]]
Sent: 27 September 2002 13:50
To: [EMAIL PROTECTED]
Subject: RE: Validity period of certificates

Try

openssl x509 -in thiscert -noout -dates

do a man x509 for more info.

Cheers
Jose

-----Original Message-----
From: Radboud Platvoet [mailto:[EMAIL PROTECTED]]
Sent: 27 September 2002 14:43
To: [EMAIL PROTECTED]
Subject: Validity period of certificates

Hi everyone, I would like to know if there is a way to find out for what period a certificate is valid (ie: the start and end date). This is the certificate from which I like to determine the validity period:
RE: RH 7.3 hosed up
Of course, you are overlooking the fact that many packages depend on the existence of openssl on Red Hat 7.0 and above such as ssh and sendmail. So if you want to forcibly remove the package and break your system, go right ahead. Otherwise, following the directions in the openssl FAQ: http://www.openssl.org/support/faq.cgi#BUILD8

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Reality TV - the ultimate oxymoron

-----Original Message-----
From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
Sent: 17 September 2002 15:40
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: RH 7.3 hosed up

The attached doc may be of use. My notes on installing openssl on RH7.3: remove RPM, then go for a tarball. Of course it's stream-of-consciousness, but even so

Good luck,
-- David Tonhofer m-plify S.A.

P.S. It's called a 'howtoon' because 'toon' is my nickname.

--On Tuesday, September 17, 2002 9:31 AM -0500 [EMAIL PROTECTED] wrote:

Howdy all. I just attempted to upgrade OpenSSL on a RH 7.3 box (1st of about 7 7.3 and 7.2 boxes) and I thoroughly hosed the install up. Everything that relied on libcrypto or libssl is KIA. I've never had any luck with compiling and installing OpenSSL for some reason. I usually stick with the RPMS for OpenSSL. I use ApacheToolbox and also let it compile it there (and install again). After removing the RPMS I downloaded 0.9.6g, configured with --prefix=/usr/local, compiled and installed. I did a little searching in the archives but I'm in a hurry and didn't find much. Any pointers or tips would be greatly appreciated. If anyone has a spec file for OpenSSL (and some instructions for building an RPM because I've never done it--always either work with straight source or a prebuilt RPM) I'd gladly take it.

Many thanks
Justin
RE: RH 7.3 hosed up
On my desktop, removing openssl would break these packages:

openssl is needed by libpcap-0.6.2-11.7.2.0
libcrypto.so.2 is needed by bind-utils-9.2.1-1.7x.2
libcrypto.so.2 is needed by curl-7.8-1
libcrypto.so.2 is needed by libesmtp-0.8.4-2
libcrypto.so.2 is needed by wget-1.7-3
libcrypto.so.2 is needed by cyrus-sasl-md5-1.5.24-23
libcrypto.so.2 is needed by links-0.96-2
libcrypto.so.2 is needed by autofs-3.1.7-21
libcrypto.so.2 is needed by nss_ldap-189-2
libcrypto.so.2 is needed by pine-4.44-1.72.0
libcrypto.so.2 is needed by sendmail-8.11.6-3
libcrypto.so.2 is needed by fetchmail-5.9.0-11
libcrypto.so.2 is needed by mutt-1.2.5.1-1
libcrypto.so.2 is needed by stunnel-3.22-1
libcrypto.so.2 is needed by gq-0.4.0-3
libcrypto.so.2 is needed by openssh-3.1p1-6
libcrypto.so.2 is needed by openssh-clients-3.1p1-6
libcrypto.so.2 is needed by openssh-server-3.1p1-6
libcrypto.so.2 is needed by pidentd-3.0.14-1
libcrypto.so.2 is needed by xchat-1.8.9-1.72.0
libcrypto.so.2 is needed by licq-1.0.3-7
libcrypto.so.2 is needed by ucd-snmp-4.2.5-7.72.0
libcrypto.so.2 is needed by balsa-1.2.3-1
libssl.so.2 is needed by curl-7.8-1
libssl.so.2 is needed by wget-1.7-3
libssl.so.2 is needed by links-0.96-2
libssl.so.2 is needed by autofs-3.1.7-21
libssl.so.2 is needed by nss_ldap-189-2
libssl.so.2 is needed by pine-4.44-1.72.0
libssl.so.2 is needed by sendmail-8.11.6-3
libssl.so.2 is needed by fetchmail-5.9.0-11
libssl.so.2 is needed by mutt-1.2.5.1-1
libssl.so.2 is needed by stunnel-3.22-1
libssl.so.2 is needed by gq-0.4.0-3
libssl.so.2 is needed by xchat-1.8.9-1.72.0
libssl.so.2 is needed by licq-1.0.3-7
libssl.so.2 is needed by balsa-1.2.3-1

The last few are of course repeated. It might work now, but the sshd daemon won't restart. Neither will the auto-mounter or most of the email clients for your system (elm being the one exception here). Have you read the FAQ?

John

-----Original Message-----
From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 09:55
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: RH 7.3 hosed up

Haven't had a single problem. Maybe I know what I'm doing? ;-) And sendmail is a no-no aaanyway...
RE: RH 7.3 hosed up
Just in case you've got the wrong end of the stick, I'm not suggesting that you shouldn't compile stuff yourself rather than use pre-packaged software. I'm simply saying that there may be more broken by forcibly removing packages that have dependencies than is at first realised. Personally I'd never forcibly install or remove packages without good reason. The section of the FAQ I referred to has instructions of how to compile openssl without breaking the rest of your installation. And that's my last word on the subject.

John

-----Original Message-----
From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 12:00
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: RH 7.3 hosed up

Sigh No, I haven't read the FAQ recently (maybe 5y ago). And Yes, RedHat will complain if you remove the RPM. That's why I have been fumbling the symlinks, see? I have compiled SSH Stunnel from the source tarball. And dontcha worry, everything works just dandy. I mean, I didn't power away from the Microsoft Deathstar to get back to being forced to use prepacked things only. Further discussions of this will be off list.

Best regards,
-- David Tonhofer m-plify.com
RE: Pls. suggest some books on security
Maximum Linux Security - ISBN 0-672-31670-6 is also very useful. Despite the title, it covers UNIX based security fairly well.

John

-----Original Message-----
From: Matthew Hannigan [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 14:10
To: [EMAIL PROTECTED]
Subject: Re: Pls. suggest some books on security

A little more practical and appropriate to this list:

Network Security with OpenSSL
http://safari.oreilly.com/main.asp?bookname=openssl

Matt

v.p.r.n.saibabu v.p.r.n.saibabu wrote:

Hi Vaidya,

SSL and TLS by Eric Rescorla
SSL and TLS Essentials by Stephen Thomas

are two good books.
RE: FIPS-140 certification
Indeed. In the UK there was recently an issue of the security of cash-machines because of a bug in the implementation of a similarly certified protocol. It meant that you could potentially get card details by sniffing what went down the telephone lines. I haven't heard whether this has been resolved or not. Of course, taking this to extremes many government agencies should therefore disconnect from the Internet. I think it's an issue that will keep cropping up until governments realise that security is something that you aim for, and not necessarily guaranteed by any particular certificate.

John

-----Original Message-----
From: Andrew T. Finnell [mailto:[EMAIL PROTECTED]]
Sent: 25 July 2002 15:12
To: [EMAIL PROTECTED]
Subject: RE: FIPS-140 certification

John, Sometimes that is not up to the developer. You state it like someone has a choice of what they use. Most government agencies disallow any encryption that isn't FIPS certified. If they had a choice it probably wouldn't be a question. :)

- Andrew T. Finnell Active Solutions L.L.C [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 25, 2002 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: FIPS-140 certification

Just to add my thoughts to the cooking pot, FIPS-140 probably isn't worth a string of beans. The actual encryption protocols used in openssl haven't changed in a long time, for example 3DES encryption is still 3DES encryption. Granted, newer ones have been added (rijndael for example), but on the whole protocols remain static. So if someone had obtained FIPS-140 certification for openssl 0.9.6d (for example) and a security bug was subsequently found in that software version, the fix for the bug would invalidate the certification. Which all boils down to a question of choice, do you prefer a certificate that says your software is safe even if it isn't to uncertified software which is worked on constantly to ensure it is as safe as possible? I know which I would choose.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Is the statement 'There is no such thing as truth' true?

-----Original Message-----
From: Ed Moyle [mailto:[EMAIL PROTECTED]]
Sent: 25 July 2002 14:47
To: [EMAIL PROTECTED]
Subject: RE: FIPS-140 certification

On Wednesday, July 24, 2002 23:14, Bil Kleb wrote:

Bil,

This may be a blasphemous question due to U.S. patent issues, but has anyone figured out if Open-SSL is FIPS-140 certified/ certifiable?

You and I are on the same page. NIST doesn't have a cert for OpenSSL or SSLeay (bummer) and I've asked about this in the past. The problem is the cost of certification as I understand it, plus the release early release often mantra doesn't lend well to NIST's perspective of every time you change the crypto, you need to get it recertified.

I've done some of the work of determining if the thing is certifiable (meaning does it comply to the FIPS 140-2 req's) and from what I've seen, it seems to, but I haven't finished this effort. I coded up the random # statistical tests that are described in the req, and they pass (I'll send this to you if you want it... just write me off-list). Also, it supports ciphersuites that use only NIST-approved algorithms. This is good news, but, of course, what matters is the cert, and there isn't one.

So, I guess the upshot of the deal is that until somebody certifies it, it can't be used for unclassified cryptography (strictly speaking). If you want to go down a different route, you might want to check out SSL/C from RSA. I don't know, since I haven't looked at it, but since Eric Young had some involvement, the API might be close to openssl since the historical roots are intertwined, and most of the B-Safe line is 140-1 certified (pretty sure about this, but you might want to check at NIST to be double-sure).

Hope this helps,
-Ed
Submission for the openssl FAQ
Further to my previous message, I have discovered that the sentence:

(They are /lib/libssl.so.0.9.6b and /lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and /lib/libcrypto.so.2 respectively)

Should have read:

(eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and /lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and /lib/libcrypto.so.2 respectively).

I've also double checked the patents against the US Patent and Trademark Office website at http://patft.uspto.gov/netahtml/srchnum.htm, and these appear to be the correct numbers (I took them from the Red Hat openssl source packages).

- John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: OpenSSL, IIS 5.0 and Installing certificate trouble
There is a way to create certificates with openssl and convert them to IIS4.0 format. We've done that here for a number of years. I believe that you can then copy them from an IIS4 server to an IIS5 server, though I haven't done it myself. I don't know of anyone who has got the certificates straight onto IIS5. Contact me off the list for more details. I have a task for myself to test keys of greater than 1024 bits before the end of next week. I'll be running through the whole IIS procedure to do this.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Is the statement 'There is no such thing as truth' true?

-----Original Message-----
From: Ian Coggins [mailto:[EMAIL PROTECTED]]
Sent: 19 June 2002 20:06
To: [EMAIL PROTECTED]
Subject: OpenSSL, IIS 5.0 and Installing certificate trouble

Hi, I've been through faq's until they come out of my ears but still don't quite have the answer I need. I am simply trying to create a certificate to use on an IIS web server, using openssl on a linux box to create it. The linux installation does not have the CA.pl scripts as far as I can tell (not my box to manage I'm afraid).

I have managed to create (or I believe)

1/ root CA certificate. Generated own key and certificate. This created a key/cert file which I managed to combine into a single pfx format.
2/ server certificate signed by root CA; however this is in a pem format.

I cannot directly import the certificate (as key manager backup file) under IIS 5.0; I have however successfully loaded the certificates into the MMC - certificate manager console. The root CA under Trusted roots; the other under Personal. However neither appear in the 'assign existing' certificate dialog box on IIS 5.0

Where am I going wrong ? How do I

a) I get IIS 5.0 to import the certificates directly? (can I?) - it always reports an error about Cannot import key ring backup file.
b) otherwise install the certificates I created so that I can assign an existing cert to IIS 5.0? or
c) create a CSR from IIS and sign this using openssl ?

Thanks
Ian

14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to find out all about it.
RE: REMOVE
Can't you read the headers of your email? There should be a line something like

Received: from mmx.engelschall.com (mmx.engelschall.com [195.27.130.252])
    by maggotts.rnib.org.uk (8.11.6/8.11.6) with ESMTP id g56Bp6r03903
    for [EMAIL PROTECTED]; Thu, 6 Jun 2002 12:51:11 +0100

My email address is on the bottom line. Your mail server name will differ of course. This header line was generated by sendmail.

John

-----Original Message-----
From: David Lang [mailto:[EMAIL PROTECTED]]
Sent: 05 June 2002 21:54
To: [EMAIL PROTECTED]
Subject: Re: REMOVE

doesn't work because to get the old address of the list I need to be able to figure out EXACTLY what the address is (capitalizations included) or the robot won't match (I've attempted this already)

if the list manager notices this thread the address I am on as should be a variant of

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

I've attempted to unsubscribe all four addresses and get a response of 'name not subscribed'

David Lang

On Wed, 5 Jun 2002, Michal Bachorik wrote:

Date: Wed, 5 Jun 2002 12:10:52 +0200
From: Michal Bachorik [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: REMOVE

:)) but there's simple solution .. just join the list again, read instructions how to get off and that's it .. or someone who still has the welcome message could forward it to you ..

- Original Message -
From: David Lang [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 05, 2002 1:01 AM
Subject: RE: REMOVE

seems that way. (as someone who has attempted to get off the list a few times, but cannot get majordomo to cooperate) and no I didn't save the welcome message from when I joined years ago.

David Lang

On Tue, 4 Jun 2002, Dilkie, Lee wrote:

Date: Tue, 4 Jun 2002 15:01:32 -0400
From: Dilkie, Lee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: REMOVE

NO! You are NOT allowed to leave You HAVE to stay. (sorry to the list members for the noise, but I couldna help maself)

-----Original Message-----
From: Sidney Fortes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 2:30 PM
To: [EMAIL PROTECTED]
Subject: REMOVE

REMOVE
RE: Key strength confusion
A quick search found the reseller for Verisign for the Asia/Pacific region. Their site describes their SSL certificates as 128bit and 40bit at http://www.esign.com.au/server/. Worse still, they describe the 40bit certificate as standard. (I do wonder why people just don't buy the cheaper Thawte certificates. <envy> If they did, Mark Shuttleworth wouldn't be enjoying his trip to the ISS </envy>). The global cert costs about twice the standard cert.

As for the law in Australia on cryptography, this seems a reasonable page on International encryption. http://rechten.kub.nl/koops/cryptolaw/

Finally, their support for servers mentions Apache-SSL with no mention at all of openssl. Without a little more information about which browsers are causing trouble, there's not a lot more we can do.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

The teaching of evolution as a proven fact rather than a theory has done more harm to scientific progress than anything else in history.

-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: 26 April 2002 16:17
To: [EMAIL PROTECTED]
Subject: Re: Key strength confusion

[snip]

As far as I know, there is in fact no such thing as a 40-bit cert. There are two kinds of certificates:

(1) Ordinary X.509 certs containing an RSA key of whatever strength you've chosen.
(2) Certs containing the SGC/Step-Up extensions.

There are three kinds of browsers in the world:

(1) Really old export browsers which will only do 40 bit crypto.
(2) Newer export browsers which will do SGC/Step-Up.
(3) Old domestic browsers or new (post export-control removal) export browsers which do strong crypto.

So, the interaction matrix between certificates and browsers looks like this:

                       Cert
Browser                Ordinary         SGC/Step-Up
Old Export             40-bit crypto    40-bit crypto
Newer Export           40-bit crypto    SGC/Step-Up to strong
New Export/Domestic    Strong crypto    Strong crypto

There is no way to tag an X.509 certificate in such a way that it is 40-bit only.
RE: Key strength confusion
I don't know much about the restrictions in Australia, but I do know that we've had a 128bit certificate since 1997. At that time we were running apache-ssl. So I confess that I've never touched a 40bit certificate.

There are issues with versions of IE5 before 5.01SP2 (which itself is being dropped by Microsoft at the end of June). There may well be issues with older versions of Netscape. If you can let me know browser versions or build numbers I may be able to help you further. I have come across users who were fixed once they upgraded their version of IE.

If you can let me know the address of the site in question, I can have a look and see what I can ascertain from that also.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

The teaching of evolution as a proven fact rather than a theory has done more harm to scientific progress than anything else in history.
RE: smime segfault on redhat 7.2
As I've said before, RedHat 7.2 comes with openssl anyway, but that doesn't preclude you from installing from source but you MUST put the newer openssl binary in a different directory (eg in /usr/local/bin/openssl rather than the pre-installed /usr/bin/openssl).

Although the preinstalled openssl has files in /lib, these have different filenames from the libraries that are created with the source compilation (for reasons beyond the scope of your problem).

On that basis, which openssl are you executing?

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Evolution - A crutch for scientists who can't handle the existence of a creator. See disproven scientific theories and Romans 1:22.

-Original Message-
From: alexandru matei [mailto:[EMAIL PROTECTED]]
Sent: 21 February 2002 22:33
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: smime segfault on redhat 7.2

Hello,

I compiled latest snaps (all snaps from 2002) on a Redhat 7.2 system. Make test finished successfully. But on trying openssl smime -sign -encrypt command, it segfaults. The rest of commands (as far as I tested) are OK. Can you give me some advice?

Alex
RE: linux/openssl/apache problem solved
-Original Message-
From: Rick Dennis [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2002 19:27
To: [EMAIL PROTECTED]
Subject: linux/openssl/apache problem solved

I found my problem. I was sure I had done everything right, but couldn't get a connection using https. Found out I needed to open port 443 in IPCHAINS. Voila !!!

Anyone running a semi-standard installation of Linux RedHat 7.1+ will have this issue, unless they chose No Firewall during the installation.

Rick Dennis
Alaska Internetworks

Not entirely correct. If you select normal or high and then customise, you can trust certain interfaces, eg eth0. Whilst this has the effect of disabling firewalling for that interface, it still allows you to add firewalling later.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)
RE: RedHat Linux 7.1 ssh connection refused
Does ps -C sshd give a result on the server you are connecting to?
Does netstat -a on the server you are connecting to show that it is listening on port 22?
If you telnet to port 22 on the server from your client, do you get a response?
If you telnet to port 22 on the server from the server (ie telnet localhost 22) does that give a response?

If it does, I would imagine that your firewall configuration on the server disallows connections to port 22 from remote machines.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)

-Original Message-
From: Kevin A. T. Silverstein [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2002 22:47
To: [EMAIL PROTECTED]
Subject: RedHat Linux 7.1 ssh connection refused

I am running sshd on a RedHat Linux 7.1 (with the latest upgrades for all openssh* rpms) Dell computer, but cannot seem to connect to it:

[prompt]$ ssh machine-name.umn.edu
Secure connection to machine-name.umn.edu refused.

In debug mode:

[prompt]$ ssh machine-name.umn.edu -v
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to hostname [IP address] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: connect: Connection refused
debug1: restore_uid
debug1: Trying again...
[two more times, then...]
Secure connection to giverny.umn.edu refused.

The machine I'm trying to connect to seems to be running sshd:

[prompt]$ ps -elf | grep sshd
140 S root 1354 1 0 69 0- 662 do_sel 14:24 ? 00:00:00

and it can connect to other machines without problems.

Oddly, in /etc/xinetd.d/, there are many services, but ssh is not among them.

[prompt]$ cd /etc/xinetd.d; ls
amanda       daytime      finger  klogin         rexec   telnet
amandaidx    daytime-udp  gssftp  krb5-telnet    rlogin  tftp
amidxtape    dbskkd-cdb   imap    kshell         rsh     time
chargen      echo         imaps   linuxconf-web  rsync   time-udp
chargen-udp  echo-udp     ipop2   ntalk          swat    wu-ftpd
comsat       eklogin      ipop3   pop3s          talk

[prompt]$ cat rsh
# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
#       consequently, for the rsh(1) program. The server provides \
#       remote execution facilities with authentication based on \
#       privileged port numbers from trusted hosts.
service shell
{
        socket_type     = stream
        wait            = no
        user            = root
        log_on_success  += USERID
        log_on_failure  += USERID
        server          = /usr/sbin/in.rshd
        disable         = yes
}

I tried to make a similar entry as root for ssh, using /usr/sbin/sshd as the server (since there does not appear to be a /usr/sbin/in.sshd), and set disable = no, but that didn't work.

The file /etc/ssh/sshd_config is exactly as in the following version:

# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

Does anyone know what I'm doing wrong? or what I need to install?

Thanks very much,
Kevin Silverstein

--
Kevin A. T. Silverstein, Ph.D. [EMAIL PROTECTED]
Department of Plant Biology, University of Minnesota
220 Biological Sciences Center, 1445 Gortner Avenue
St. Paul, MN 55108
612-624-3057
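The two telnet checks from the reply in this thread (port 22 from the client, then from the server itself), scripted as an added Python example that is not part of the original messages. The function names `probe` and `diagnose` and the result labels are assumptions made for illustration.

```python
import socket
import sys


def probe(host, port, timeout=2.0):
    """Scripted form of `telnet host port`: classify one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # something accepted the connection
    except ConnectionRefusedError:
        return "refused"           # reset received: no listener, or a rejecting firewall rule
    except socket.timeout:
        return "no-answer"         # nothing came back before the timeout
    except OSError:
        return "unreachable"       # routing or name-resolution failure


def diagnose(from_server, from_client):
    """Interpret the loopback result and the remote result together.

    from_server: probe("localhost", 22) run on the server itself.
    from_client: probe(server_name, 22) run on the client.
    """
    if from_server != "open":
        return "daemon"      # nothing answers even locally: look at sshd itself
    if from_client != "open":
        return "firewall"    # answers locally only: filtering in front of sshd
    return "reachable"       # TCP works end to end: the fault lies elsewhere


if __name__ == "__main__":
    # Usage (hypothetical script name): python probe22.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(target, port, probe(target, port))
```

Run it once on the server against localhost and once on the client against the server name, then feed the two results to `diagnose`.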
RE: Why DNS/IP in certificate?
Personally I would have a second server outside the NAT device that proxies requests in and out of the server behind the firewall. There seems to me little point in having a firewall if you allow public access straight through it! In that case you can secure the connection between the outside machine and the client machine without worrying about the firewall.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)

-Original Message-
From: Stanley Hopcroft [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2002 09:36
To: [EMAIL PROTECTED]
Subject: Re: Why DNS/IP in certificate?

Dear Ladies and Gentlemen,

I am writing to thank you for your comments about this matter and ask

On Thu, Jan 10, 2002 at 09:34:50AM -0500, Neff Robert A wrote:

The client needs to verify who it is connected to. Anyone in the world can present a certificate to establish an ssl connection. In a nutshell, the checks that need to be made on the client end are:

a. Do you trust the signer of the certificate received
b. Is the CN contained within the cert what you expect

..snip..

Your next task is to ensure that the trusted cert truly came from the site you expected and not www.someothersite.com. The browser does this step by comparing the CN contained in the cert to the URL address typed into your browser. Your own app must do so as well...

is it possible to have an OpenSSL server located behind a Network Address Translation device (a NAT device is sometimes part of firewalls, eg the Cisco PIX) and still have the client handshake complete without error ?

Here is the scenario.

Server has valid certificate signed by root CA for Distinguished Name 'S'.

DNS responds to an A record request from the client for S, with the public interface of the NAT device (PTR query for that address also returns S), but the OpenSSL server with that cert has a completely different address (because it's been translated)

One might do this because of outsourcing or merger activities that result in a new or different firewall.

Presumably the network between the NAT box and the OpenSSL server is secure enough to be tolerable.

So :-

1 Will the scenario above work ?
2 If not, how can it be made to work ?

Thank you,

Yours sincerely.

--
Stanley Hopcroft
Network Specialist

'...No man is an island, entire of itself; every man is a piece of the continent, a part of the main. If a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friend's or of thine own were. Any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee...'

from Meditation 17, J Donne.
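The client-side name check quoted in this thread (compare the name in the certificate with the name the user asked for), applied to the NAT scenario as an added Python example that is not part of the original messages. The certificate dictionary, host names and addresses are constructed sample values, the matcher is a simplified one (exact names plus a single left-most wildcard label), and `peer_name_ok` is a name chosen for illustration.

```python
import ipaddress


def _name_match(pattern, host):
    """Compare one DNS name from the certificate with the requested host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard honoured only as the whole left-most label, never for "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def peer_name_ok(cert, requested_host):
    """cert is a dict shaped like the output of ssl.SSLSocket.getpeercert()."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(requested_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An address typed by the user matches only an IP entry in the cert.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    names = [value for kind, value in san if kind == "DNS"]
    if not names:
        # No DNS entries: fall back to the subject CN, the check the thread describes.
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return any(_name_match(name, requested_host) for name in names)


# Constructed sample data for the scenario in the thread.
SERVER_CERT = {"subject": ((("organizationName", "Example Org"),),
                           (("commonName", "s.example.org"),))}
PUBLIC_NAT_ADDR = "192.0.2.10"   # what DNS returns for s.example.org
SERVER_REAL_ADDR = "10.1.2.3"    # translated address of the real server

if __name__ == "__main__":
    for asked in ("s.example.org", "www.someothersite.com",
                  PUBLIC_NAT_ADDR, SERVER_REAL_ADDR):
        print(asked, "->", peer_name_ok(SERVER_CERT, asked))
```

Neither address is an input to the comparison, so translation in between does not affect it; only a client that asks for the server by address instead of by name fails the check. In a real client, `ssl.create_default_context()` performs this comparison against the `server_hostname` passed to `wrap_socket`.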
RE: ./openssl speed -multi 1000 -engine aep ?
The openssl-engine versions also support openssl speed.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)

-Original Message-
From: John P. Looney [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2002 15:36
To: [EMAIL PROTECTED]
Subject: ./openssl speed -multi 1000 -engine aep ?

It seems that the 0.9.7 snapshots are the only ones that support running openssl speed concurrently. I was looking to test an AEP card here, and the 0.9.7 snapshots don't have AEP acceleration merged yet.

I was wondering - is there a version of 0.9.7 with the AEP engine merged into it yet ? Is there likely to be in the future ?

John

--
John Looney
Chief Scientist
a n t e f a c t o
t: +353 1 8586004
www.antefacto.com
f: +353 1 8586014
RE: ./openssl speed -multi 1000 -engine aep ?
-Original Message-
From: John P. Looney [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2002 15:56
To: [EMAIL PROTECTED]
Subject: Re: ./openssl speed -multi 1000 -engine aep ?

On Mon, Jan 14, 2002 at 03:52:18PM -, [EMAIL PROTECTED] mentioned:

The openssl-engine versions also support openssl speed.

But not -multi ? (at least not 0.9.6c - I don't know of any more recent ones).

John

I don't know about -multi, or the aep code. Someone on the openssl-dev list might know what the current situation is. My guess (and that's all it is) is that the manufacturer may not have released any code or information about how it works.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)
RE: I got 4 or more emails identical....
The exact configuration line in a Pix firewall for "smtp security" is

fixup protocol smtp 25

However, I would doubt this is causing this. There is an old bug with Pix firewalls that might cause this, but the same version of IOS has more serious bugs (like being able to send fake TCP RSTs as a DOS attack).

Occasionally I get the same message twice, which can occur if the message is received OK but the sending server doesn't receive the confirmation. However, this happens rarely.

The users who've only received one message probably have more queued up waiting for them somewhere!

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

More people die each day of AIDS than died in the terrorist attacks on September 11th 2001.

-Original Message-
From: Fabro, Loic [mailto:[EMAIL PROTECTED]]
Sent: 20 December 2001 16:24
To: '[EMAIL PROTECTED]'; 'Andrew T. Finnell'; [EMAIL PROTECTED]; 'Richard Levitte - VMS Whacker'
Cc: [EMAIL PROTECTED]
Subject: RE: I got 4 or more emails identical

Sorry, I do not think I will be able to post to the list (because my !@#%@#$ Exchange Admin make every outgoing email an HTML email. :-( ). If my message does not make it to the list, could anyone of you forward it? Thanks.

I had this exact same issue before here on my professional email account. I looked into the issue and found out that we are using a Cisco firewall (PIX?). This firewall has a bug. So if you turn on "SMTP Security" (not sure how this is called), there are times where the PIX thinks that the message timed out and will try to send it again. (I can take technical explanation off-line if needed).

I had them turn off this feature until they fix the firmware of the PIX. Since then No duplicates! :-)

[I used to blame yahoo, then I realized that other messages were duplicated as well]

2 cents,
Loic.

-Original Message-
From: Boyd Lynn Gerber [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 11:17 AM
To: [EMAIL PROTECTED]
Subject: I got 4 or more emails identical

On Thu, 20 Dec 2001, Richard Levitte - VMS Whacker wrote:

OK, I just got tired of these mail replays. Since this looks like it comes from some place under rr.com, I'm tossing out all users in that domain or subdomains thereof.. If you want to resubscribe, you're most welcome to, *after* you've removed the replayer.

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.

I hope these stop soon!

--
Boyd Gerber [EMAIL PROTECTED]
ZENEZ 3748 Valley Forge Road, Magna Utah 84044
RE: Help needed with getting SSL installed
-Original Message-
From: Doug Poulin [mailto:[EMAIL PROTECTED]]
Sent: 10 December 2001 22:51
To: [EMAIL PROTECTED]
Subject: Help needed with getting SSL installed

I have a Redhat Linux 6.2 server running Apache with mod-ssl. We were using SSH and Teraterm for connecting to the server remotely. Unfortunately that proved to be a security problem, so we are shopping for a solution. We would like to carry on with Teraterm since we have a large number of scripts written for it. The only other option appears to be Teraterm with SSL.

I have downloaded the openssl sources and installed them, then I downloaded the SSLtelnet sources from ftp.psych.psy.uq.oz.au and attempted to compile and install them. It would appear that they haven't been looked at since 1996 and as such no longer compile against the most current versions of mod_ssl. I'm running into compile errors, like too few parameters being passed, and it appears that mod_ssl has been modified from the time this version was released.

Does anyone have a working copy of SSL Telnetd for Linux, or know where a current working version of ssltelnet can be found. Any and all help would be appreciated.

Is this the right way to go? Is anyone working on a SSH2 library for Teraterm?

Doug

If you look at http://www.openssh.org, you'll see that they have links to various clients for Windows, such as putty. They also have rpms for RedHat (although I can't find any for RedHat 6.2. I still have some copies around myself).

You could also consider commercial software such as F-Secure SSH from Datafellows. We have a number of licenses for F-Secure SSH and it is fairly robust.

The maintainer of Teraterm SSH is Robert O'Callahan, contact details are at http://www-2.cs.cmu.edu/~roc/. He will be able to tell you if anyone is working on SSH2 support.

Teraterm SSL's page is at http://www.infoscience.co.jp/eng/products/ssltterm/index.html, together with contact details. The change log there indicates the last change to Teraterm SSL was over three years ago. Not encouraging.

All these pages are linked from the Teraterm Home Page at http://hp.vector.co.jp/authors/VA002416/teraterm.html.

Also, as it is only a matter of time before Red Hat drop support for version 6.2, you might consider upgrading to 7.2. This comes with openssh built in.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

More people die each day of AIDS than died in the terrorist attacks on September 11th 2001.
RE: Large File Support
The best advice is to rebuild the rpm packages so that these options are in the makefile. You can then upgrade your openssl packages to your new version without (hopefully) breaking other packages.

Mail me off the list and I'll send you instructions.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Andrew Cornell [mailto:[EMAIL PROTECTED]]
Sent: 27 November 2001 00:03
To: openssl-users
Subject: Large File Support

Has anybody compiled openssl with support for large file (2Gbytes) on linux?

I'm running Redhat 7.2 with openssl 0.9.6b. The standard build doesn't handle files bigger than 2G.

I'm considering adding the _FILE_OFFSET_BITS=64 and _LARGEFILE_SOURCE gcc flags into the makefile.

Anybody got good advice?
RE: RPM Source code version
-Original Message-
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: 20 November 2001 19:42
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: RPM Source code version

From: Eric Daigneault [EMAIL PROTECTED]

scouby> At 03:40 PM CN=a2011in.O=acv0111 +, you wrote:
scouby> RedHat use libcrypto.so.1 (name of the file), but when you install the
scouby> source, the name of the file is libcrypto.so.0. Go ask RH why they did
scouby> that, cause it was stupid !

The reason is probably that RH started producing shared libraries of OpenSSL before we had gotten started on it. So they probably had some idea of what scheme they wanted to use and went ahead with it. The stupid part was probably that they didn't bother talking with us (or perhaps they did, but that was before my time as OpenSSL developer then).

I think openssl was released for RedHat 6.2 on April 17th this year (see http://www.redhat.com/support/errata/RHSA-2001-051.html) although this may have been an update to a previous version. I never touched it, as it wasn't necessary and the OS didn't require it. Since RedHat 7.0 it's basically been an essential part of the OS (although I've only tried it on 7.1 and 7.2).

It does look like they didn't consult openssl developers before they produced their shared libraries, but I don't think they would object to being contacted now. Any changes could be put into a future edition. However, the version they package has a number of changes, eg they remove certain crypto algorithms that are patented in the US. I had a brief discussion with one of their staff on this list about making a non-US package available, but the sticking point with that is how to integrate it with their up2date tool. Unless we have US and non-US versions of RedHat I think we'll be stuck with that one.

Incidentally, the hack of using a symlink doesn't work for all packages, eg openssh still doesn't like the existence of different libraries to the libraries it was compiled against.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: RPM Source code version
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 20 November 2001 15:41
To: [EMAIL PROTECTED]
Subject: RPM Source code version

Hi Sirs,

I'm running RedHat 7.1 with kernel 2.4.3-12 on my Intel P3 866 system. Recently, I just removed the openssl package that came with RedHat 7.1 and I installed the source package from the openssl website. After this I was not able to use most of my apps (like ssh, dig, nslookup, KDE). There is always an error saying libcrypto.so.1 not found. I really need the source code version cause sendmail STARTTLS requires it. Can both types of openssl package work happily on the same machine? If it's not possible, is there any way for me to use the source code version without affecting my other apps?

sincerely
Thanks for your help
ddl

This gets asked so often it should be in the FAQ! Basically, it's best with RedHat 7.x to stick with what you get. If you need some of the stuff that doesn't come with the RedHat 7.x (certain US patented code that can be used anywhere outside of the US), drop me a line off the list. I can then give you instructions on how to rebuild the RPM to include these.

I've counted up over 20 packages that break if you remove openssl on RedHat 7.x. Some people have said that they have installed the latest from source over the RPM, but what they've actually succeeded in doing is corrupting their RPM database. Any updates released by RedHat cannot now be guaranteed to work, since it may depend on the version of a file that isn't there any more.

At the risk of starting a flame war, I prefer managing servers with RPMs. It's easy enough to find out what is in them, and one RPM install on one machine is the same on another. (I know that you can create a custom configuration file and use that to compile and install on every machine, but frankly all that compiling and copying is a lot more work for multiple servers. If I build an RPM I do it from source on one machine and install the same one everywhere).

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
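The breakage described in the two threads above (programs failing with "libcrypto.so.1 not found" once the packaged library has been replaced by a source build that installs libcrypto.so.0) can be audited with a short script. This is an added example, not part of the original posts; the function names, the sample ldd output and the binary paths in demo are constructed.

```shell
#!/usr/bin/env bash
# Added example: find programs whose shared-library dependencies no longer
# resolve after the distribution's openssl package has been replaced.
# Run ldd only on trusted system binaries; on some platforms it can execute
# code from the file it inspects.

# Constructed sample of ldd output for a program built against the packaged
# library (sonames and addresses are illustrative).
sample_ldd_output() {
    cat <<'EOF'
    libssl.so.1 => not found
    libcrypto.so.1 => not found
    libc.so.6 => /lib/libc.so.6 (0x40132000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    libcrypto.so.1 => not found
EOF
}

# Read ldd output on stdin; print each soname reported "not found" once.
missing_sonames() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | LC_ALL=C sort -u
}

# For a missing soname, list libraries in the given directories that share its
# stem but carry another version suffix (wanted libcrypto.so.1, present
# libcrypto.so.0).
other_versions() {
    local want="$1" stem dir f
    shift
    stem="${want%%.so*}"
    for dir in "$@"; do
        for f in "$dir"/"$stem".so*; do
            [ -e "$f" ] || continue
            [ "${f##*/}" = "$want" ] && continue
            printf '%s\n' "${f##*/}"
        done
    done | LC_ALL=C sort -u
}

# Report "binary (owning package): missing soname" for each path given.
scan_binaries() {
    local bin lib owner
    for bin in "$@"; do
        [ -f "$bin" ] && [ -x "$bin" ] || continue
        ldd "$bin" 2>/dev/null | missing_sonames | while read -r lib; do
            # rpm -qf names the package that owns the file, when rpm is present
            owner=$(rpm -qf "$bin" 2>/dev/null) || owner="no rpm owner found"
            printf '%s (%s): %s\n' "$bin" "$owner" "$lib"
        done
    done
}

demo() {
    echo "missing in constructed sample:"
    sample_ldd_output | missing_sonames
    echo "unresolved on this system (empty when nothing is broken):"
    scan_binaries /usr/bin/ssh /usr/sbin/sendmail /usr/bin/dig
}
demo
```

Calling other_versions with a missing soname and the library directories shows whether a differently numbered build of the same library is what displaced it.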
RE: porting openssl to linux kernel
Even if it were viable to put openssl in the kernel, I personally think that this would create more problems than it solves. For instance, any bug in the openssl code could potentially crash the kernel, rather than simply segfaulting. (I'm typing this in vmware, which has its own kernel modules and it has taken out my Linux machine several times). Also, do you really want to reboot or recompile your kernel for every upgrade to openssl? I've got some machines that have been running for over a year, so I don't see any benefit there.

As machines are getting faster and faster all the time, the length of time required for a context switch is also becoming shorter and shorter. If that's the only reason to do it, it's really not worth it, IMNSHO.

Now if the linux kernel had accessibility built in, eg keyboard control of voice synthesisers like a dectalk, that would be useful.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Rich Salz [mailto:[EMAIL PROTECTED]]
Sent: 01 November 2001 01:01
To: Imran Badr
Cc: [EMAIL PROTECTED]
Subject: Re: porting openssl to linux kernel

So far the complication has not proven to be worth it to anyone to implement. Go for it.

/r$

-- Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption) http://www.zolera.com
RE: Two versions of openssl on one system
Your chances of running KDE2.2 on RedHat 7.0 are approximately zero. My colleague tried this and he totalled his machine. I've said this so often it should be in a FAQ, but RedHat 7.0 onwards depends heavily on the openssl package. KDE2.2 comes with RedHat 7.2, so it's probably a better option to upgrade to that. Make sure you have plenty of backups before you start, though.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 30 October 2001 10:56
To: [EMAIL PROTECTED]
Subject: Two versions of openssl on one system

Hi,

I have Red Hat Linux 7.0 with openssl-0.9.5a-14 as a part of it. Now I want to compile and install KDE 2.2 which requires openssl-0.9.6. Is it possible to use both versions of openssl and it should be configured? I don't want to remove the old version because many packages depend on it.

Thank you,
Sascha
RE: Decrypting encrypted e-mail in OE 5
Specifically, IE5.01SP2 has 128bit support. This is the oldest version of IE that MS currently supports. A trip to http://windowsupdate.microsoft.com/ will allow you to upgrade to this.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Reiner Buehl [mailto:[EMAIL PROTECTED]]
Sent: 16 October 2001 11:45
To: [EMAIL PROTECTED]
Subject: RE: Decrypting encrypted e-mail in OE 5

Can you check if the IE5 installation is High Crypto? If not this might be the problem. Try generating a cert with 512 Bit in IE6 or upgrade IE5 to High Crypto version if this is the cause.

Best regards,
Reiner.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Angus Lee
Sent: Tuesday, October 16, 2001 11:47 AM
To: [EMAIL PROTECTED]
Subject: Decrypting encrypted e-mail in OE 5

Hi,

I've set up my own CA using OpenSSL. I suppose there're no known problems/mistakes in my CA setup. I could use the digital certificates issued by this CA to send secure e-mail and login intranet web sites (in my office) which require client authentication.

Now I have two e-mail accounts, suppose one is S and another one is W. S is using IE 5 with SP2 (but the Outlook Express version is 5.5 as reported by the application) while W is using IE 6. Both run on Microsoft Windows 2000 with SP2.

S and W exchange their public certificate by sending a signed e-mail to one another. Then both reply with an encrypted e-mail using Outlook Express. W which has IE 6 has no problem decrypting the encrypted e-mail sent by S. S which has IE 5 SP2 could NOT decrypt the encrypted e-mail sent by W. The error message is:

Error Decrypting Message
You cannot read the message.
-- --
This might be because:
o You may have lost or deleted the Digital ID that the message is encrypted to.
o You may have installed the Digital ID that the message is encrypted to on another computer.
o The sender may have meant the message for somebody else.
o You do not have the necessary security package installed on this computer.

I have the same problem on another machine which has IE 5.5 SP2 installed. Could someone please help me?

The BIG problem is that both S and W have no problem decrypting e-mail when I use digital certificates issued by Thawte. I guess there may be something wrong with my CA setup. Please also find the openssl.cnf I use for my own CA.

Thank you very much.
Angus Lee
RE: About libssl.so.2 and libcrypto.so.2
-Original Message-
From: Michael H. Warfield [mailto:[EMAIL PROTECTED]]
Sent: 08 October 2001 22:02
To: [EMAIL PROTECTED]
Subject: Re: About libssl.so.2 and libcrypto.so.2

On Mon, Oct 08, 2001 at 09:28:52AM +0100, [EMAIL PROTECTED] wrote:

[...]

Rawhide is not another version of Linux, it is simply the name of a repository for optional updates to the current version of RedHat Linux. Of course, that question is a little off-topic for this list.

No, it's not optional updates to the current release. It's an alpha thread that you use at your own risk. It's basically a pre-beta rolling release. It is definitely a good spot to catch up on recent kernel releases before they make it to the main updates site.

I know, see my follow up!

As I have said repeatedly, openssl is included with RedHat 7.1. openssh, sendmail and bind all rely on the package being there. This has been the case since RedHat 7.0, and will undoubtedly be the case for 7.2. I haven't checked out roswell (aka 7.1.93) yet, as RedHat have locked off the file permissions on their ftp site!

Looks like they just did that a couple of days ago. I had downloaded both Beta1 and Beta2 from ftp.redhat.com:/pub/redhat/linux/beta/roswell but permissions are now set to deny. Simultaneous to that, a 7.2 directory has now appeared as /pub/redhat/linux/7.2 also with access permissions denied. Looks like we are on the verge of the 7.2 release and they are prepping the site... :-) Wheee...

I think it's worse than that. It appears (looking at all the other betas) that they've inadvertently deleted roswell from their site and locked off the directory so that all the other mirrors that use rsync don't delete their copy! (They might be running short of disk space, but that would be odd). I found this out because the md5 checksum on the roswell iso images doesn't match the entry in the MD5SUM file, so I tried to download from the master site.

I'm eagerly awaiting 7.2, not least because I hope to upgrade all our 6.2 machines straight to it, and then be able to put off another upgrade for a bit longer. I suspect 6.2 support will be dropped very soon anyway.

RPM packages contain either pre-built binaries or a source package that will compile in a pre-arranged way (specified in a spec file). They are useful for maintaining a common installation on multiple systems, or for administrators who haven't a clue what make or configure does. Anyone who upgrades or changes openssl without using the RedHat updates (details at www.redhat.com/errata/) runs the risk of breaking a lot of code. Also, the version of openssl with RedHat 7.1 is hobbled and does not include all the cipher support. I've asked an employee of RedHat who has OK'd the making available of a package that contains all the support for non-US users. I've yet to get round to doing that though.

Relative to the latest RawHide SRPMS (openssl-0.9.6b-9.src.rpm)...

1) Replace the openssl-engine-0.9.6b-usa.tar.bz2 source ball with the real thing from the OpenSSL site. (The source tarball with the RPM has had some things stripped. That's part of the hobbling.)
2) Edit the spec file and remove the -usa from Source.
2) Down in %prep, kill off %{SOURCE1} by commenting it out. (That's another part of the hobbling).
3) Remove no-idea, no-rc5, etc on the config line. (Last part of the hobbling.)
4) Build. All the RedHat patches seem to be compatible with the non-crippled source tarball.
5) Enjoy.

Exactly what I've done already, except I haven't made it available to anyone yet!

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: About libssl.so.2 and libcrypto.so.2
-Original Message-
From: Xia Shang [mailto:[EMAIL PROTECTED]]
Sent: 05 October 2001 13:55
To: [EMAIL PROTECTED]
Subject: About libssl.so.2 and libcrypto.so.2

Hello, everyone

I know now that KDE 2.2 is not for Redhat 7.1 but for Roswell, but what is Rawhide? Another version of Redhat Linux?

I have downloaded openssl0.9.6b from www.openssl.org and unpacked it, but I still can't find libssl.so.2 and libcrypto.so.2. I guess I must install it so that these two files can be created. Am I right?

Another foolish question: What's the difference between the installations from *.rpm package and from *.tar.gz package (with make, install and so on)?

Thank you

Rawhide is not another version of Linux, it is simply the name of a repository for optional updates to the current version of RedHat Linux. Of course, that question is a little off-topic for this list.

As I have said repeatedly, openssl is included with RedHat 7.1. openssh, sendmail and bind all rely on the package being there. This has been the case since RedHat 7.0, and will undoubtedly be the case for 7.2. I haven't checked out roswell (aka 7.1.93) yet, as RedHat have locked off the file permissions on their ftp site!

RPM packages contain either pre-built binaries or a source package that will compile in a pre-arranged way (specified in a spec file). They are useful for maintaining a common installation on multiple systems, or for administrators who haven't a clue what make or configure does. Anyone who upgrades or changes openssl without using the RedHat updates (details at www.redhat.com/errata/) runs the risk of breaking a lot of code. Also, the version of openssl with RedHat 7.1 is hobbled and does not include all the cipher support. I've asked an employee of RedHat who has OK'd the making available of a package that contains all the support for non-US users. I've yet to get round to doing that though.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: About libssl.so.2 and libcrypto.so.2
-Original Message-
From: Xia Shang [mailto:[EMAIL PROTECTED]]
Sent: 05 October 2001 13:55
To: [EMAIL PROTECTED]
Subject: About libssl.so.2 and libcrypto.so.2

Hello, everyone

I know now that KDE 2.2 is not for Redhat 7.1 but for Roswell, but what is Rawhide? Another version of Redhat Linux?

I have downloaded openssl0.9.6b from www.openssl.org and unpacked it, but I still can't find libssl.so.2 and libcrypto.so.2. I guess I must install it so that these two files can be created. Am I right?

Another foolish question: What's the difference between the installations from *.rpm package and from *.tar.gz package (with make, install and so on)?

Thank you

Correction to my previous post, RawHide is indeed another version of Linux, but it is not supported, might destroy all your data, etc. However, I have taken packages from it (apache-mod_ssl 1.3.20-2.8.4 for example) and they've worked for me. Details are at ftp://ftp.redhat.com/pub/redhat/linux/rawhide/README

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Major OpenSSL/mod_ssl install problems.
Your statement I'm using RH 7.1 is the critical one for me. RedHat 7.1 (Which I assume you mean) includes openssl by default. If you build openssl from source and replace that which comes with it, you will break about 24 packages, including sendmail (I can send you a list if you want).

Specifically, Apache 1.3.19 comes with RedHat 7.1, which is probably the package that owns the httpd.conf file you are looking at. Try the following to check this:

    rpm -q --whatprovides /etc/httpd/conf/httpd.conf

(Although of course it is likely that you've overwritten this file)

I suggest you look at http://www.redhat.com/errata/ and ftp://ftp.redhat.com/pub/redhat/linux/rawhide for updates to RedHat 7.1 and the latest packages for Apache and mod_ssl. You can build from source RPMS, which gives you just as much control over what you build, although it is more fiddly. I've offered to help with installing these before on either this list or the mod_ssl list (and unfortunately I deleted my last offer!)

John

-Original Message-
From: The_polymorph
To: [EMAIL PROTECTED]
Sent: 29/09/01 21:12
Subject: Major OpenSSL/mod_ssl install problems.

Hi all.

After building OpenSSL 0.9.6b, the latest version of mod_ssl for apache 1.3.20 and rsaref 2.0 ( all without incident ), I experienced the following problems:

1). My httpd.conf file has *no* mention of SSL *anywhere* in the file.
2). After starting apache in SSL mode ( apachectl startssl ), it works fine but I cannot connect to port 443. The message is connection refused by server.

For the record I am using RH 7.1. What might the problem(s) be?

Thanks,
-Caitlin.
RE: openssl-0.9.6b.tar.gz.asc
The md5 file contains an md5 checksum of the openssl package. To verify the package use

    md5sum openssl-0.9.6b.tar.gz

The result of the above should match the md5 file. I'm not so sure about why you can't add the pgp signature. It makes no difference AFAIK that the version of the signature is 2.6.3ia.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Victor S. [mailto:[EMAIL PROTECTED]]
Sent: 25 September 2001 14:21
To: [EMAIL PROTECTED]
Subject: openssl-0.9.6b.tar.gz.asc

Hello,

I'm having trouble to check openssl package integrity (And I have to do it)

In ftp://ftp.openssl.org/source/ I could find 3 files available:

openssl-tar.gz
openssl-tar.gz.md5
openssl-tar.gz.asc

As far as I know, the asc file should be the public key and I should add to pgp before anything else:

    %pgp -ka openssl-0.9.6b.tar.gz.asc

(And the file is under ~/.pgp/ )

    Looking for new keys...
    File '' has signature, but with no text.
    Keyring add error.

What can be wrong? Should the file name be inside the quotes? I have Pretty Good Privacy(tm) Version 6.5.8. Is this the problem since openssl-0.9.6b.tar.gz.asc is Version: 2.6.3ia

What is the md5 file for?

Thanks,
Victor
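The two checks discussed in this thread, comparing the tarball with its .md5 file and checking the .asc file, are shown together below. This is an added example, not part of the original posts: the function names and the stand-in file are constructed, and it assumes the .asc file is a detached signature over the tarball whose signer's public key has been obtained separately and imported.

```shell
#!/usr/bin/env bash
# Added example: check a downloaded tarball against its published .md5 file
# and its detached .asc signature.
# An MD5 digest fetched from the same server only catches a damaged download;
# the signature check is what ties the file to the signer's key.

# Print the lowercase hex MD5 digest of a file.
file_md5() {
    md5sum "$1" | awk '{ print tolower($1) }'
}

# Print the first 32-hex-digit token in a .md5 file. Published files vary:
# a bare digest, "digest  filename", or "MD5(filename)= digest".
published_md5() {
    grep -oiE '[0-9a-f]{32}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# 0 = digest matches, 1 = mismatch, 2 = input missing or no digest found.
check_md5() {
    local tarball="$1" md5file="$2" want got
    [ -r "$tarball" ] && [ -r "$md5file" ] || return 2
    want=$(published_md5 "$md5file")
    [ -n "$want" ] || return 2
    got=$(file_md5 "$tarball")
    [ "$want" = "$got" ]
}

# Verify a detached signature over the tarball. The signer's public key must
# already be in the keyring (assumption: obtained separately); the .asc file
# is a signature, not a key. 0 = good signature, 3 = gpg not installed,
# anything else = verification failed.
check_sig() {
    local tarball="$1" sig="$2"
    command -v gpg >/dev/null 2>&1 || return 3
    gpg --verify "$sig" "$tarball"
}

# Constructed demonstration: a stand-in file plays the role of the tarball.
demo() {
    local dir sum
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for openssl-0.9.6b.tar.gz\n' > "$dir/pkg.tar.gz"
    sum=$(file_md5 "$dir/pkg.tar.gz")
    printf 'MD5(pkg.tar.gz)= %s\n' "$sum" > "$dir/pkg.tar.gz.md5"
    check_md5 "$dir/pkg.tar.gz" "$dir/pkg.tar.gz.md5" && echo "intact: digest matches"
    printf 'x' >> "$dir/pkg.tar.gz"          # simulate a corrupted download
    check_md5 "$dir/pkg.tar.gz" "$dir/pkg.tar.gz.md5" || echo "modified: digest differs"
    rm -rf "$dir"
}
demo
```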
RE: Time Diff?
-Original Message-
From: Averroes [mailto:[EMAIL PROTECTED]]
Sent: 14 September 2001 10:03
To: [EMAIL PROTECTED]
Subject: Time Diff?

Hi all,

Perhaps someone noticed this: When I create a certificate there is a difference between system (OS) time and creation time of certificate. Approximately one hour.

certificate info:

Validity
    Not Before: Sep 14 09:57:24 2001 GMT
    Not After : Sep 13 09:57:24 2006 GMT

and immediately after signing:

Fri Sep 14 10:58:32 BST 2001

Any ideas?

There isn't a time difference. These are the same time! 9:58:32 GMT (or more correctly UTC) is 10:58:32 BST, although only between (at present) 1:00AM UTC on the last Sunday in March and 1:00AM UTC on the last Sunday in October. This is the same across the whole of the EU.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Export laws
-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: 14 September 2001 02:22
To: [EMAIL PROTECTED]
Subject: Re: Export laws

Michael Sierchio [EMAIL PROTECTED] writes:

The code was simply reverse-engineered. It's a small, simple piece of code. Reverse-engineering is the determination of someone else's trade secret information via examination and testing of publicly available information. It's legal.

RSA required a prohibition on reverse engineering as part of the pass-through license which they imposed on their licensees (at least they did for us). Thus, whoever reverse engineered the code likely violated the license in the process. It's certainly debatable whether such a prohibition is enforceable but it's not a slam-dunk that it isn't, either.

Just to enter the fray, it's worth pointing out that Samba was reverse engineered also, and Microsoft support it in all but name. Actually, you could probably reverse engineer Windows as well but it probably wouldn't be worth it.

Also, to say that ARC4 violates the RC4 trademark is as daft as stating that the name Christina Saunders violates the right to the initials NASA. I believe someone with a name like this was once refused the right to register a domain name. Closer to home, does NASDAQ violate the trademark name ASDA? I don't think so!

However, like Eric I would be concerned about being sued by RSA.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: WIN32 binaries anyone??
Have you checked out http://curl.haxx.se/download.html?

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Radi Shourbaji [mailto:[EMAIL PROTECTED]]
Sent: 13 September 2001 08:50
To: '[EMAIL PROTECTED]'
Subject: WIN32 binaries anyone??
Importance: High

I am in search of pre-built binaries for WIN32 to use in conjunction with curl in a w2k environment. Any help would be appreciated! Thanks! Radi
RE: libssl.so libcrypto.so, again.
-Original Message-
From: Joe Orton [mailto:[EMAIL PROTECTED]]
Sent: 07 September 2001 15:09
To: Robert Pungello
Cc: [EMAIL PROTECTED]
Subject: Re: libssl.so libcrypto.so, again.

On Fri, Sep 07, 2001 at 08:09:06AM -0400, Robert Pungello wrote:

Hello All. I know there have been a few questions about this already, but I'm still a bit confused. I'm using Red Hat 7.1 with the openssl-0.9.6-3 and openssl-devel-0.9.6-3 packages installed. In addition, I have also installed openssl-0.9.6b myself because at the time I didn't realize the previously installed package existed. When I look in my /usr/lib/ directory, I see the following files (among others):

libssl.a, libssl.so, libssl.so.0.9.6, libssl.so.1
libcrypto.a, libcrypto.so, libcrypto.so.0.9.6, libcrypto.so.1.

Okay, I'll try my best at answering this... with RHL7.1, you would get the following: (the same applies throughout for libssl as libcrypto)

libcrypto.so.0.9.6: the actual shared library
libcrypto.so.1: symlink to above

If you have upgraded your system from 7.0, you will also have

libcrypto.so.0.9.5a: another real actual shared library
libcrypto.so.0: symlink to above

These symlinks are created by the 'ldconfig' command (run automagically just after the RPMs are installed). Each time that the ABI changes (so that the library is no longer backwards-compatible), and a new RPM is made, you'll see a new symlink libcrypto.so.N (where N increases by 1 each time). This allows Red Hat to keep backwards compatibility with old applications. So in the next release, if you upgrade, IIRC you'll find:

libcrypto.so.0.9.6a: a real library
libcrypto.so.2: symlink to above

and if 0.9.7 isn't binary compatible with 0.9.6a, then at some point later you'll find an RPM with:

libcrypto.so.0.9.7: real shared library
libcrypto.so.3: symlink to above

I hope this makes sense so far.

The -devel package will install the following two libs, which you only need if you want to build any packages which link against OpenSSL:

libcrypto.so: symlink to real library again
libcrypto.a: the static library

So that's how Red Hat's OpenSSL RPMs work, I think. This differs slightly from how the stock OpenSSL tarballs will install shared libraries, since the stock Makefiles don't try to cope with binary compatibility issues. I think if you install a stock OpenSSL over a RHL system, it will create

libcrypto.so.X.Y.Z
libcrypto.so, libcrypto.so.0: symlinks to above

This will be a problem if you have any applications on your system linked against the 0.9.5a library if you upgraded from RHL 7.0, but otherwise, your existing applications should work fine still. Compiling things on this system will probably be okay, unless you ever upgrade any of the OpenSSL RPMs, in which case your applications may break again, I'm not sure. I'd advise doing

I have tried upgrading the version of openssl 0.9.6 on a RedHat 7.1 machine to 0.9.6b using the RedHat openssl.spec file and it broke several applications, including openssh. This is why I've been saying in the case of RedHat 7.x to stick with the RedHat openssl packages. Now if you could just provide different packages for us Brits (and others) who aren't restricted by RC5 and IDEA patents...

# rpm --erase openssl-devel
# rpm -Uvh openssl-devel-0.9.6-3.rpm ### from the CD, or wherever

if you wish to get back under the RPM management. You may need a --force too. Hope some of that makes sense :) joe

It makes sense to me. It's good to see someone from RedHat giving a hand with this one, as it does come up often on the list.

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
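The soname layout described in the message above can be checked mechanically. This is an added Python example, not Red Hat's or OpenSSL's tooling: the function names are hypothetical, the directory is a constructed stand-in for /usr/lib, and the stock install is assumed to write libcrypto.so.0.9.6 as its real file.

```python
import os
import re
import tempfile

# Matches names such as libcrypto.so.0.9.5a, libssl.so.1, libcrypto.so, libssl.a
NAME_RE = re.compile(r"^(libcrypto|libssl)\.(a|so)((?:\.[0-9][0-9a-z]*)*)$")


def classify(name):
    """Return (stem, role) for an OpenSSL library file name, else None.

    role is 'static' (.a), 'devel' (bare .so, used only when linking),
    'soname' (.so.N, the name binaries record) or 'real' (.so.X.Y.Z).
    """
    m = NAME_RE.match(name)
    if not m:
        return None
    stem, ext, version = m.groups()
    if ext == "a":
        return (stem, "static") if not version else None
    if not version:
        return stem, "devel"
    return stem, "soname" if version.count(".") == 1 else "real"


def audit(libdir):
    """Map each OpenSSL library name in libdir to the file it resolves to."""
    report = {}
    for name in sorted(os.listdir(libdir)):
        info = classify(name)
        if info is None:
            continue
        path = os.path.join(libdir, name)
        # os.path.exists() follows symlinks, so a dangling link gives None.
        target = os.path.basename(os.path.realpath(path)) if os.path.exists(path) else None
        report[name] = {"role": info[1], "symlink": os.path.islink(path), "target": target}
    return report


def findings(report):
    """Flag layouts in which a soname no longer leads to its own library."""
    out, by_target = [], {}
    for name, entry in report.items():
        if entry["target"] is None:
            out.append("dangling: %s" % name)
        elif entry["role"] == "soname":
            by_target.setdefault(entry["target"], []).append(name)
    # Two ABI slots (.so.0 and .so.1) served by one file: one was repointed.
    for target, names in sorted(by_target.items()):
        if len(names) > 1:
            out.append("shared: %s -> %s" % (", ".join(names), target))
    # A real library that no soname link reaches: programs built against it
    # are now handed a different library at load time.
    for name, entry in sorted(report.items()):
        if entry["role"] == "real" and not entry["symlink"] and name not in by_target:
            out.append("orphaned: %s" % name)
    return out


# Constructed layouts: None marks a regular file, a string a symlink target.
RHL_UPGRADED = {
    "libcrypto.so.0.9.5a": None, "libcrypto.so.0": "libcrypto.so.0.9.5a",
    "libcrypto.so.0.9.6": None, "libcrypto.so.1": "libcrypto.so.0.9.6",
    "libcrypto.so": "libcrypto.so.0.9.6", "libcrypto.a": None,
}
# The stock install repoints libcrypto.so.0 at the library it just wrote.
STOCK_OVER_RHL = dict(RHL_UPGRADED, **{"libcrypto.so.0": "libcrypto.so.0.9.6"})


def demo(layout):
    """Build the layout from empty stand-in files and return the findings."""
    with tempfile.TemporaryDirectory() as libdir:
        for name, target in layout.items():
            path = os.path.join(libdir, name)
            if target is None:
                open(path, "w").close()
            else:
                os.symlink(target, path)
        return findings(audit(libdir))


if __name__ == "__main__":
    print("RPM layout:       ", demo(RHL_UPGRADED))
    print("stock over RPM:   ", demo(STOCK_OVER_RHL))
```

On a real system, point `audit()` at the library directory and compare its findings with what `rpm -V openssl` reports for the packaged files.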
RE: libssl.so libcrypto.so, again.
-Original Message-
From: Joe Orton [mailto:[EMAIL PROTECTED]]
Sent: 10 September 2001 10:50
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: libssl.so libcrypto.so, again.

On Mon, Sep 10, 2001 at 09:48:28AM +0100, [EMAIL PROTECTED] wrote:

I have tried upgrading the version of openssl 0.9.6 on a RedHat 7.1 machine to 0.9.6b using the RedHat openssl.spec file and it broke several applications, including openssh. This is why I've been saying in the case of RedHat 7.x to stick with the RedHat openssl packages. Now if you could just provide different packages for us Brits (and others) who aren't restricted by RC5 and IDEA patents...

You could do this yourself without too much trouble. You'd just have to comment out the %{SOURCE1} line in openssl.spec, and adjust the ./config line appropriately, and learn how to rebuild a source RPM :) joe

I realise I could do that (and probably will do now!). I take it that SOURCE1 is the hobble.openssl file? I've been building rpms from source for quite a while now. When you have numerous RedHat boxes to administer, building RPMS on one to install on the others makes perfect sense. However, like I said it would help if the packages were made available. If not, does RedHat have any objections to me making them available?

- John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: W2k wiazrd
-Original Message-
From: Nevalainen, Eric [mailto:[EMAIL PROTECTED]]
Sent: 22 August 2001 17:20
To: 'Robert Krenn'
Cc: '[EMAIL PROTECTED]'
Subject: W2k wiazrd

Bingo! The string:

bash-2.04# openssl ca -out request.pem -notext -infiles certreq.txt

where -out = the cert to be generated, and -infiles = the pending request, the -notext option suppresses the plaintext form of the certificate to the output file. IIS 5 seems to like this. output looks like:

I wouldn't hold your breath if this is a self-signed certificate. No doubt someone else will correct me if I'm wrong, but I've never been able to get self-signed certificate working on any version of IIS. (I'm assuming this is a server cert. If it's a client cert then I'm probably barking up the wrong tree).

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Wasn't someone joking about the virus being posted by an autoresponder
-Original Message-
From: Steven Reddie [mailto:[EMAIL PROTECTED]]
Sent: 22 August 2001 12:23
To: [EMAIL PROTECTED]
Subject: Wasn't someone joking about the virus being posted by an autoresponder

At least I thought it was a joke. Steven

That was me, and it was a joke. However, there are anti-virus products about that will send the virus back to the sender (what on earth for I ask?). We don't set ours to do this and I'm pleased to see that our AV package didn't send any auto-response other than to internal administrators (including myself). We already get grief from our users because Out of Office messages don't go to the Internet!

Mind you, if a mischievous sysadmin in the UK has done this deliberately as a result of my suggestion, I'd like to chase him/her under the Computer Misuse Act.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Please reconfigure majordomo to not set Reply-To (was: Failed to clean virus file Emanuel.exe)
-Original Message-
From: Amos Gouaux [mailto:[EMAIL PROTECTED]]
Sent: 20 August 2001 14:03
To: [EMAIL PROTECTED]
Subject: Re: Please reconfigure majordomo to not set Reply-To (was: Failed to clean virus file Emanuel.exe)

On Mon, 20 Aug 2001 05:00:01 -0700, Caliban Tiresias Darklock [EMAIL PROTECTED] (ctd) writes:

ctd On Mon, 20 Aug 2001 13:33:18 +0200, Michael Ströder
ctd [EMAIL PROTECTED] wrote:

Because the mailing list processor is configured to set the Reply-To address to the list address. IMHO this should be changed to reduce such problems with automatic replies (vacation e-mails, virus-scans etc.).

ctd But that would make *regular* replies a pain in the ass for list
ctd members.

What we do is send the notice to the envelope sender, which typically is set to the list owner. (Sorry list owner.) At least that way it doesn't flood the entire list time and time again

If you think this is bad, imagine what would happen if the anti-virus checker attached the infected email in each alert (which for example InoculateIT can do). Forget out of office replies et al...

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Linux and EVP_rc5_32_12_16_ofb
-Original Message-
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: 27 July 2001 18:50
To: [EMAIL PROTECTED]
Subject: Re: Linux and EVP_rc5_32_12_16_ofb

Ng Pheng Siong wrote:

Hi, I've gotten a few messages about M2Crypto not working on Linux (Red Hat 7.1, SuSe 7.1) because undefined symbol: EVP_rc5_32_12_16_ofb. I understand the packaged OpenSSL on those platforms are versions of 0.9.6. I don't have a Linux installation at the moment, so I have no clue why this is so.

RC5 is probably omitted for patent reasons.

You are spot on. The pre-packaged openssl with RedHat 7.1 has a file called hobble-openssl. It removes RC5, IDEA and MDC2. Of course, it is possible to rebuild the package so that it doesn't. I'm just building one now.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Web Site Alert: Not Responding
It worked just now! I've just pulled 0.9.6b again to test it (again).

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 25 July 2001 11:32
To: [EMAIL PROTECTED]
Subject: Web Site Alert: Not Responding

There appears to be a problem in reaching your Web site at http://www.openssl.org/support/.

Time of Error: 2001-07-25 06:32:29
Error Type: Connection Refused

InternetSeer, a Web site monitoring company, is conducting an ongoing study of the true connectivity of the Web. As recommended by the Robots Guidelines, this email is being sent to explain our research activities and to let you know about the difficulty in connecting to your site. If you would like InternetSeer to continue to alert you at no charge whenever there is a problem reaching your Web site, click here. InternetSeer does not store or publish the content of your pages, but rather uses availability and link information for our research. Click here to learn more about InternetSeer.

Mike Dever
President
[EMAIL PROTECTED]

Note: If you prefer not to receive these occasional alerts regarding the availability of your Web site, reply to this email with Cancel in the subject line. Please leave a full copy of this message in the body of your reply email.
Expired certificates
I've just made an interesting discovery after suffering the ignominy of having an SSL certificate expire. (Supposedly I'll have it within the next two hours. A late night for me!)

It appears from my testing that the expiry time on a certificate is taken from the client's machine time, not the server time. I've tested this with IE 5.01 SP1 and Netscape 4.77. Therefore the moral is to ensure that you renew all certificates before the time on the certificate is reached anywhere in the world, to prevent browser warnings. In practical terms this would mean renewing before the last 24 hours of the certificate is reached.

As far as I am aware this is not documented anywhere. (No doubt some clever person will point me to the RFC where this is).

I believe I'll have some accurate information about self-signed starred certificates with IIS fairly soon also.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
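The points made in the "Time Diff?" and "Expired certificates" posts above, worked through as an added Python example (not code from the list or from OpenSSL): validity times are UTC instants, the UK clock is one hour ahead only inside the last-Sunday window given in the first post, and the expiry decision depends on whichever clock makes the comparison. The function names and the three-hours-fast client clock are assumptions; the timestamps are the ones quoted in the first post.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse_openssl_time(text):
    """Parse a validity time as printed in the certificate text,
    e.g. 'Sep 14 09:57:24 2001 GMT', into an aware UTC datetime."""
    if not text.endswith(" GMT"):
        raise ValueError("expected a time ending in ' GMT': %r" % text)
    naive = datetime.strptime(text[:-4].strip(), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=UTC)


def last_sunday_0100_utc(year, month):
    """01:00 UTC on the last Sunday of the given month."""
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=UTC)
    day = first_of_next - timedelta(days=1)          # last day of the month
    day -= timedelta(days=(day.weekday() + 1) % 7)   # step back to Sunday
    return day.replace(hour=1)


def uk_offset(instant):
    """UTC offset of UK civil time at `instant`, using the rule in the post."""
    instant = instant.astimezone(UTC)
    start = last_sunday_0100_utc(instant.year, 3)
    end = last_sunday_0100_utc(instant.year, 10)
    return timedelta(hours=1) if start <= instant < end else timedelta(0)


def to_uk_local(instant):
    """Render a UTC instant on the UK wall clock (BST or GMT)."""
    offset = uk_offset(instant)
    return instant.astimezone(timezone(offset, "BST" if offset else "GMT"))


def parse_date_output(text):
    """Parse `date` output such as 'Fri Sep 14 10:58:32 BST 2001' to UTC.
    Only the zone names BST, GMT and UTC are handled."""
    offsets = {"BST": timedelta(hours=1), "GMT": timedelta(0), "UTC": timedelta(0)}
    parts = text.split()
    naive = datetime.strptime(" ".join(parts[1:4] + parts[5:]), "%b %d %H:%M:%S %Y")
    return (naive - offsets[parts[4]]).replace(tzinfo=UTC)


def client_accepts(not_before, not_after, client_clock):
    """The validity check a client makes, using its own clock."""
    return not_before <= client_clock <= not_after


def renew_by(not_after, margin=timedelta(hours=24)):
    """Latest instant for the replacement to be in place (24-hour rule)."""
    return not_after - margin


NOT_BEFORE = parse_openssl_time("Sep 14 09:57:24 2001 GMT")
NOT_AFTER = parse_openssl_time("Sep 13 09:57:24 2006 GMT")
SIGNED_AT = parse_date_output("Fri Sep 14 10:58:32 BST 2001")

if __name__ == "__main__":
    print("notBefore on a UK clock:", to_uk_local(NOT_BEFORE).strftime("%H:%M:%S %Z"))
    print("seconds from notBefore to `date`:", (SIGNED_AT - NOT_BEFORE).total_seconds())
    now = NOT_AFTER - timedelta(hours=2)             # two hours of validity left
    for skew in (timedelta(0), timedelta(hours=3)):  # assumed client clock errors
        print("client clock fast by", skew, "accepts:",
              client_accepts(NOT_BEFORE, NOT_AFTER, now + skew))
    print("renew by:", renew_by(NOT_AFTER).isoformat())
```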
RE: OpenSSL and IIS4 - problem
-Original Message-
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: 20 July 2001 15:51
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL and IIS4 - problem

I have to disagree with Mr. Airey, though not without some trepidation. You enter the hostname into IE *exactly* as it is entered in the CN (or subjectAltName) in the certificate. If the certificate has an IP address, then that's what you should put into IE. If it has dotted DNS address, then that is what you should put into IE. Also, even if the addresses differ, IE still pops up a warning window telling you about this. It doesn't just silently fail with an error message.

If the IP address is correct in your example, then I tried to connect to it and noticed that the server is actively refusing TCP connections on port 443. It is not even getting to the SSL part, it just sends a TCP RST in response to a TCP SYN on port 443. Perhaps you have a firewall in the way?

No problem disagreeing with me, my managers do that all the time ;-). Perhaps I should have said some versions of IE do not like it. I'm using IE 5.01SP1 (I have to because we've internal systems that depend on IE. Yuk!) and can connect to one of our secure sites using an IP address and the actual address. The former gives a warning. I've had problems with older versions of IE4, but upgrading to 128bit security cleared it. (I would recommend anyone who can to upgrade IE to 128bit).

But like you say, it looks like a firewall or router configuration that is preventing connections.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: OpenSSL and IIS4 - problem
I would suspect that you are using IE, which is extremely fussy about connecting to IP addresses with SSL. Use the full host name (ie host.domain) to connect. You'll need either an entry in a hosts file, or the host name to exist in your DNS.

In the case of the first error, IIS will refuse you access to that directory as you requested a secure channel. It usually says something about requiring a secure connection though.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: David [mailto:[EMAIL PROTECTED]]
Sent: 20 July 2001 01:54
To: [EMAIL PROTECTED]
Subject: OpenSSL and IIS4 - problem

Now I am able to install key generated by OpenSSL from IIS key manager by converting format to IIS format. (Thanks Lisle and John) Then I did follow steps.

1. Add my ip(203.1.1.1) and port(443) to keymanager and save changes.
2. Select a virtual directory (download) and update properties with Select 'Require Secure Channel' and 'Do not accept certificates' option
3. Restart IIS.

Then when I try
URL: http://203.76.4.111/download
Error: it tell me not authorized
*why? I did not select require client cert option.

try another
https://203.76.4.111/download
Error: The page cannot be displayed
*why? I already add my ip and port to key manager.

I change option to 'Require Client Certificates' then try URL again, It still give me same error instead of popup a require cert window. If I use this option, do I need to install the same cert into my browser in order to access my secure directory? What am I doing wrong here? Thanks. David
RE: OpenSSL and IIS4
IIS4 can use 1024 RSA keys. We have several machines that are doing this already.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: haikel [mailto:[EMAIL PROTECTED]]
Sent: 19 July 2001 10:06
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL and IIS4

Slamou alycom, Verify that IIS 4 use keys with length higher than 512 bits, if not upgrade your version of IIS. Haikel MEJRI

David wrote:

Hey, I am trying to setup https on IIS4 by using OpenSSL, I follow steps:

1. Create private key
openssl genrsa -des3 holly.pem
2. Generate a CSR from your key
openssl req -new -key holly.pem holly.csr
3. Generate a self-signed certificate
openssl req -x509 -key holly.pem -in holly.csr holly.crt
4. From IIS4 key Manager select import key file: holly.pem and cert file: holly.crt.

I got error: wrong password. I am sure that I use exactly the same password, so what real problem is? anyone has this experience. Thanks
RE: ROOKIE Question
Have a look at http://www.openssh.org/windows.html There's a whole list of them. I haven't tried putty yet. I use TTSSH at home (not that my LAN at home is likely to be hacked, I just prefer it to Windows' telnet!) and F-Secure SSH at work. <advert> The latter costs money, but I think it's money well spent </advert>

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Web boy [mailto:[EMAIL PROTECTED]]
Sent: 09 April 2001 20:00
To: [EMAIL PROTECTED]
Subject: ROOKIE Question

Hello I have installed and configured openssl on my linux box (redhat 6.2). Everything went fine now I need to know how do I connect remotely from my NT workstation? I have seen with SSH that there is something called putty but not sure what my next step is. My goal is to be able to transfer files securely back and forth from my NT workstation to my LINUX box and vice versa. Any help would be great
RE: a question about install
You can also use the DOS "SHELL" command to increase environment space. Details can be gathered from a DOS 6.0-6.22 machine. Windoze doesn't have any information on it, AFAIK.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Jonas Jakobsson [mailto:[EMAIL PROTECTED]]
Sent: 06 April 2001 01:03
To: [EMAIL PROTECTED]
Subject: Re: a question about install

<snip>
before i compile the openssl, i use the vcvars32.bat in the directory D:\Program Files\Microsoft Visual Studio\VC98\Bin but it tell me that out of the environment space, what should i do !
</snip>

I had the same problem. The solution in my case was to cut down the size of my path variable in config.sys, restart and run the vcvars.bat in the dos box. Or, you could modify the shortcut to the dos-box to use your own modified config.sys. just my 2 cents /Jonas Jakobsson
RE: OpenSSL or Engine
The openssl-engine code contains "experimental" support for hardware crypto devices. If you don't have one, or don't even know what one is, then just use the vanilla "openssl" code. I read somewhere that the two code branches will be merged in 0.9.7. Can't remember where now.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Dave Horner [mailto:[EMAIL PROTECTED]]
Sent: 29 March 2001 11:20
To: [EMAIL PROTECTED]
Subject: OpenSSL or Engine

We are using an apache web server and need to generate a CSR so we can use SSL. The documentation says that we need openssl to generate the CSR. Could someone explain the difference between OpenSSL and OpenSSL (engine), so I know which one to install? Many Thanks Dave
RE: Batching E-Mails
My $0.02 worth. It is perfectly possible for there to be two versions of this list, a normal list and a "digest" or batched list as the original poster calls it. Majordomo supports it, but it will involve more work for someone to set it up.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Gil Peeters [mailto:[EMAIL PROTECTED]]
Sent: 14 March 2001 10:37
To: [EMAIL PROTECTED]
Subject: Re: Batching E-Mails

Hey man, I think you got me wrong here. I am not saying that you should not have the choice, I was just stating my reasons for liking the current system. I was not bagging you for having your own opinion. Choice is a wonderful thing! Chill out and go in peace!

G.

Oliver Bode wrote:

That's your preference. I prefer batched E-Mails. I would prefer to open one message related to an issue than open 10, I wrote to Majordomo and requested that I would prefer batched E-mails. And as Majordomo can already do all sorts of filtering himself/herself/itself, I asked him/her/it that I would like my E-mails batched if possible. Again - what is wrong with choice? This is all possible and easily implemented.

----- Original Message -----
From: "Gil Peeters" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 14, 2001 8:52 PM
Subject: Re: Batching E-Mails

Well actually no... I keep all the messages on this forum as a reference (Just in case I have similar probs later) and I delete any irrelevant/SPAM messages when I get time. I do filter all messages from openssl.org to a separate folder, and I can view the messages threaded in my mail client (Netscape Messenger)... So this is an excellent feature. Mostly I just mark them all as read, and I scan the message subjects if I have a problem that needs solving. I don't mind the individual messages at all.

Gil.

Oliver Bode wrote:

The mailing lists I enjoy and stick with are the ones where I get one E-Mail everyday - batched. I can then scan through the headings each day and respond when I want or learn what I need. Why do I have to download every message and then delete every single one? It is not difficult to batch E-Mail messages. And what's wrong with having a choice? I can tell that you would appreciate batched E-mails also.

----- Original Message -----
From: "Gil Peeters" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 14, 2001 8:05 PM
Subject: Re: Batching E-Mails

Why not filter all the messages from this group into a separate folder? That way they are separated from your other mails.

G,

Oliver Bode wrote:

Hello Majordomo, I enjoy reading *some* of the E-mails posted to this list and am prepared to help people enable OpenSSL in their own projects. However, I can't stand my inbox being filled up every morning with 10,000 messages. Is there a way I can get the messages packaged up in one E-Mail? So I can respond to the ones I can help with! Otherwise, I want out by the end of this week! Majordomo or whoever you are is there a way we can get this happening soon I find it too difficult to sort out the good from the crap and even read my own important messages. Come on can we make this happen!

Oliver

-- Gil Peeters BVBA CANCAS I.T. Willemsstraat 2 3000 Leuven Belgium JAVA and Distributed Object Specialists

-- Gil Peeters BVBA CANCAS I.T. Willemsst
RE: Can't compile openssl-0.9.6
Just to muddy the waters a little, the latest kernel (2.2.17) from RedHat put the "kernel-headers" package in with the "kernel-source" package. A really stupid idea which has caused a number of people a lot of grief, including me!

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: 09 March 2001 15:04
To: [EMAIL PROTECTED]
Subject: Re: Can't compile openssl-0.9.6

Marcel,

Your problem is that /usr/include/linux/errno.h does not exist on the machine in question. Make sure you have installed the necessary RedHat package, which I think is the "kernel-headers-xxx" RPM, and check that any symbolic links point to the correct places.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: "Marcel Loesberg" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 09, 2001 9:17 AM
Subject: Can't compile openssl-0.9.6

Hi,

I'm using openssl as a part of Tinc (a VPN program). I've tried to compile openssl-0.9.6 on two machines. Both run RedHat 6.2, the only difference between the machines is the motherboard and CPU. When I try to do "make" on the 2nd machine I get this error:

making all in crypto...
make[1]: Entering directory `/var/opt/test/openssl-0.9.6/crypto'
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o cryptlib.o cryptlib.c
In file included from /usr/include/bits/errno.h:25,
                 from /usr/include/errno.h:36,
                 from ../include/openssl/err.h:90,
                 from cryptlib.h:70,
                 from cryptlib.c:61:
/usr/include/linux/errno.h:4: asm/errno.h: No such file or directory
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory `/var/opt/test/openssl-0.9.6/crypto'
make: *** [all] Error 1

I don't understand which file it cannot find. "cryptlib.o" is in /var/opt/test/openssl-0.9.6/crypto

What do I do wrong?

Regards,
Marcel

-- It sports 64K of L1 data cache, 64K of L1 instruction cache, three independent integer pipelines, three address calculation pipelines, and a fully pipelined, out-of-order, three-way floating-point engine.
RE: ????????--???
-----Original Message-----
From: Marco Cunha [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2001 15:45
To: [EMAIL PROTECTED]
Subject: RE: --???

[snip]

If the list already shouldn't accept email from the "outside"... then there's something very wrong with majordomo.

Thank you for your time,
Marco Cunha

I'm not wishing to drift off into too technical a discussion, but majordomo can operate "closed" lists, where only those on the list can send to it. I administer several lists where this is the case. One of them I actually approve messages before they go out, because most of the people on that list reply to the list rather than send messages to me, which is a real pain in the neck!

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Certificates with many Virtual host
Correction, it does work with IE, we have a wildcard certificate that works with IE 5.01. It works with IE 4 fine. As for IE 3.02 and before, well, they have problems with their root certs anyway.

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Michael Strder [mailto:[EMAIL PROTECTED]]
Sent: 25 January 2001 14:34
To: [EMAIL PROTECTED]
Subject: Re: Certificates with many Virtual host

Reiner Buehl wrote:

There is a (not recommended) possibility for this: If all of your hosts belong to the same domain you could generate a so called "wildcard certificate". This is a certificate with a hostname like '*.mydomain.org'

AFAIK this does not work with M$ IE.

Ciao, Michael.
RE: Certificates with many Virtual host
It appears that you are not using one IP address for each virtual host. Once you've configured those correctly the error should go away.

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Luis Miguel [mailto:[EMAIL PROTECTED]]
Sent: 25 January 2001 11:50
To: [EMAIL PROTECTED]
Subject: Certificates with many Virtual host

Please, help.

I have an apache http/https server and 8 virtual http servers (8 virtual hosts). Four virtual servers are secure servers. Then, I have 4 hostnames and my own CA root (self signed) certificate. The certificate has only 1 host name and with 3 of the virtual hosts, clients can see the message: "The certificate you are viewing does not match the name of the site you are trying to view" or similar (Clients can work, but they see this previous message)

I need that the clients can't see this message.

a) Can I make my own certificate valid for many host names?

b) If not, then the solution is to make 4 certificates, one for each virtual https host
- a certificate (C1) for host A
- a certificate (C2) for host B
...
- a certificate (C3) for host C
, but then the client must accept four certificates. I need that the client only accepts the first certificate, and not the four certificates. Is the solution to make a CA root certificate and then 4 CA certificates? How can I make it?
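Added example (not code from any poster in this thread): a Python sketch of the name comparison a client makes, showing why one single-name certificate triggers the mismatch warning on the other secure virtual hosts and what the '*.mydomain.org' wildcard from the previous thread does and does not cover. The host names a to d under mydomain.org are constructed, and the matching rules are the common left-most-label convention, which individual browsers may apply differently.

```python
import ipaddress


def _is_ip_literal(value):
    """True when the client connected to an IP address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(cert_name, hostname):
    """Return True if one certificate DNS name covers the requested host.

    Assumed rules (the usual client convention):
      - comparison is case-insensitive, a trailing dot is ignored
      - '*' is honoured only as the whole left-most label
      - '*' stands for exactly one label, so it covers neither the bare
        domain nor a name two levels down
      - a DNS name in the certificate never covers an IP literal
    """
    if _is_ip_literal(hostname):
        return False
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or "" in pattern or "" in host:
        return False
    if pattern[0] == "*":
        # Require at least "*.domain.tld" so a wildcard cannot span a TLD.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in cert_name:
        return False  # partial or non-left-most wildcard: refuse
    return pattern == host


def audit_vhosts(cert_names, vhosts):
    """Map each virtual host to the certificate name covering it, or None."""
    result = {}
    for vhost in vhosts:
        result[vhost] = next(
            (name for name in cert_names if name_matches(name, vhost)), None
        )
    return result


def mismatched(cert_names, vhosts):
    """Virtual hosts on which a client would show the name-mismatch warning."""
    return [v for v, name in audit_vhosts(cert_names, vhosts).items() if name is None]


# Constructed sample: four secure virtual hosts in one domain.
SECURE_VHOSTS = [
    "a.mydomain.org",
    "b.mydomain.org",
    "c.mydomain.org",
    "d.mydomain.org",
]

if __name__ == "__main__":
    # One certificate issued for a single host name, served on every vhost.
    print("single-name cert, warnings on:", mismatched(["a.mydomain.org"], SECURE_VHOSTS))
    # A wildcard certificate for the shared domain.
    print("wildcard cert, warnings on:   ", mismatched(["*.mydomain.org"], SECURE_VHOSTS))
    # Names the wildcard does not cover.
    for probe in ("mydomain.org", "www.a.mydomain.org", "192.0.2.10"):
        print(probe, "covered by wildcard:", name_matches("*.mydomain.org", probe))
```

Running the audit against the names each virtual host will actually serve, before a certificate is requested, shows in advance which hosts need their own certificate or their own IP address.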
RE: URGENT : SSL Handshake failed
I hope you are kidding about using mod_ssl 2.2.7. The latest version is 2.7.1, which is what you should be running.

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: drt rappanah [mailto:[EMAIL PROTECTED]]
Sent: 25 January 2001 14:07
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: URGENT : SSL Handshake failed
Importance: High

Hi !!

I've installed a Netscape Certificate Server 4.2sp1 on a linux mandrake 7.2 (kernel 2.2.17-21)... I've also installed an Apache 1.3.14 server with mod_perl 1.24_01, mod_ssl 2.2.7, php 4.0.3pl1 and openssl 0.9.6...

snip
RE: Rainbow Cryptoswift cards
-----Original Message-----
From: Rodney Thayer [mailto:[EMAIL PROTECTED]]
Sent: 19 January 2001 14:52
To: [EMAIL PROTECTED]
Subject: Re: Rainbow Cryptoswift cards

is there somewhere one can get a list of the supported engine cards? I mean, there are vendors out there, other than Rainbow, who'd like to put their two milli-euro's worth into this conversation but that would be impolite and a commercial advertisement (yeah, yeah, read the source. I mean a real list of the cards and how you buy them/etc.)

There's a list of supported cards in the openssl changelog at http://www.openssl.org/news/changelog.html

Don't know anything else though.

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
Rainbow Cryptoswift cards
I'm getting a Rainbow Cryptoswift card in the post today (thank you Santa, although you are a bit late). Does anyone have experience of setting this up with mod-ssl? If so, can you let me know how I do it.

I understand I need to use shm rather than dbm, but how do I get openssl to recognise the card? I've the openssl change list, and it alleges support for these cards, but I don't seem to have it. I'm using the pre-compiled rpms which I realise may not have compiled this support in.

(I can't find anything else in the openssl or modssl docs to help me, hence my post. The documentation available on the Rainbow site is scant as well)

Thank you. If no-one can help, I'll battle on and post my results later.

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Re(2): Problem compilig under RH Linux 6.2
-----Original Message-----
From: Sebastian Paul Avarvarei [mailto:[EMAIL PROTECTED]]
Sent: 08 January 2001 12:04
To: [EMAIL PROTECTED]
Subject: Re(2): Problem compilig under RH Linux 6.2

Hello Paul,

Thanks for the fast reply, but I'm still a little puzzled (sorry, I'm a big Linux fan, but not a good Linux admin yet :) So I did a "rpm -qa", and I see that "kernel-headers-2.2.14-5.0" is installed. On the other hand, some time ago I deleted the kernel sources from HDD, to have some more space. Do I need to put the sources back? Also, can someone tell me how can I check if my kernel is actually compiled with support for elf binaries?

Thank you very much for helping a poor beginner.

Best regards,
Sebastian Paul Avarvarei
E-mail: [EMAIL PROTECTED]

Not strictly an openssl answer this, but basically you only need the kernel source rpm installed if you are recompiling the kernel. Also, for Redhat 6.2, you really should be using the 2.2.16-3 kernel as there are other problems with the older version. Support for elf binaries comes with the out of the box installation, AFAIK.

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Re(2): Problem compilig under RH Linux 6.2
-----Original Message-----
From: Sebastian Paul Avarvarei [mailto:[EMAIL PROTECTED]]
Sent: 08 January 2001 12:04
To: [EMAIL PROTECTED]
Subject: Re(2): Problem compilig under RH Linux 6.2

Hello Paul,

Thanks for the fast reply, but I'm still a little puzzled (sorry, I'm a big Linux fan, but not a good Linux admin yet :) So I did a "rpm -qa", and I see that "kernel-headers-2.2.14-5.0" is installed. On the other hand, some time ago I deleted the kernel sources from HDD, to have some more space. Do I need to put the sources back? Also, can someone tell me how can I check if my kernel is actually compiled with support for elf binaries?

Thank you very much for helping a poor beginner.

I should have mentioned that you can use the RPMs instead for openssl if you want. They are at www.modssl.org/contrib/. Use the versions with "fixed" in the title as there are installation problems with the other versions. I prefer them myself as it makes it easier to know what you have installed.

- Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: what is ISO 9796?
And anyway, if ISO9796 is a standard about digital signature, shouldn't it be examined to see if OpenSSL can support it?

The interesting thing about the ISO is that it takes years to get around to making standards or changes to standards. Have a look at how often ISO 3166-1 gets changed. It's about every three years, even though country names often change more regularly than that. It was last updated in 1997.

I would imagine that either OpenSSL already supports it, or the standard is so dated as to have been superseded by other developments.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: what is ISO 9796?
The International Standards Organisation have a description of this and all their standards at http://www.iso.ch/

Totally off-topic question though.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
Sent: 11 December 2000 15:03
To: [EMAIL PROTECTED]
Subject: what is ISO 9796?

Does anybody have a description (or short description) of this document?

Martin
RE: what is ISO 9796?
I don't think any of us has ISO 9796 to hand. Do you have a library that would stock it? (They are all stocked on microfiche here in the UK at major libraries). Other than going out and buying it, I don't know how you would be able to compare the two, as I guess you've already seen the description on the ISO site. I don't believe that ISO make the full standards available on the 'net.

Although I appreciate that this standard covers data encryption, I don't think it's that relevant to this list. Anyone care to differ?

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
Sent: 11 December 2000 15:53
To: [EMAIL PROTECTED]
Subject: Re: what is ISO 9796?

Sorry, I didn't specify kind of this ISO. This is like PKCS#1 sign algorithm (or something with create padding) and on ISO pages are only a buy this document. I would know differences between PKCS#1 and iso9796 coding (signing).

Martin

The International Standards Organisation have a description of this and all their standards at http://www.iso.ch/

Totally off-topic question though.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
Sent: 11 December 2000 15:03
To: [EMAIL PROTECTED]
Subject: what is ISO 9796?

Does anybody have a description (or short description) of this document?

Martin
RE: Corrected openssl.spec file
This spec file is basically an amended version of what was already on the contrib page. However, this file tried to create symlinks in directories that don't normally exist (not on my machines, anyway) and remove a directory as a file. This causes the installation script to fail as it is a more serious error (on my system) than creating a directory that doesn't exist or attempting to remove a non-empty directory. The package doesn't install fully in this case.

Since I needed to fix this for my own purposes, I made it public. I'm about to put this spec file on the contrib page and "fixed" versions of the existing rpms. I hope that Steve, who recently posted to this list, will find these useful as they install without errors (again, on my system).

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: 22 November 2000 15:20
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Corrected openssl.spec file

From: [EMAIL PROTECTED]

John.Airey This is the diff between my file and the old file. If I
John.Airey have this the wrong way round please let me know!

Actually, your file is much more different from the "standard" one than you showed us. It seems to contain a lot of tweaks to make sure old SSLeay users don't get bothered and a lot of other stuff that I'm not sure really belongs in a .spec...

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
RE: Openssl RPMs
Thank you for your reply. However, I find it confusing that RPMs are available from the modssl site yet I am unable to contact the person who provided them. I have managed to contact one person who tells me that he didn't provide them, and I've had no response so far from the only other email address mentioned in the package ([EMAIL PROTECTED]).

If the status of these RPMs is now "unsupported" then I myself am perfectly willing to provide and support these, but I would not wish to do that unless I know that I'm not stepping on anyone else's toes. I have plenty of machines at my disposal to create and test these on.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Ulf Moeller [mailto:[EMAIL PROTECTED]]
Sent: 17 November 2000 17:07
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Openssl RPMs

On Fri, Nov 17, 2000, [EMAIL PROTECTED] wrote:

I've used the source rpm for openssl 0.9.6 to create the i386 version (using "rpm --rebuild openssl-0.9.6-1.src.rpm from Why are there no longer i386 and i586 versions being made available?

The OpenSSL project doesn't provide RPMs. You'll have to ask whoever made them.

The official OpenSSL source creates i486 code with a few time-critical parts hand-optimized for Pentium. You can replace the -m486 flag with -march=pentiumpro if you have a relatively new compiler. If you need to build code that also runs on i386 machines, you must use the config option "386". That will cause some algorithms to be slower.
RE: Openssl RPMs
Thank you all for your replies, especially Fonya's. I agree that modssl isn't openssl, but I find it odd that the RPMS for openssl are being put on the modssl site rather than the openssl site (which incidentally has only one contribution at www.openssl.org./contrib). Openssl RPMS have a much wider use than just for modssl. Could they be moved? (I think I should ask here first before asking the modssl list).

My reasons for being keen on RPMs are that I have to explain to less technical people what we have installed and how to uninstall it if it goes wrong. From my point of view it's easier to show someone how to install and uninstall RPMs rather than explaining how to compile code from scratch. I'm not averse to compiling programs with configure/make/etc, but my colleagues wouldn't even know where to start. They don't even understand what inetd does!

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Villy Kruse [mailto:[EMAIL PROTECTED]]
Sent: 20 November 2000 14:37
To: [EMAIL PROTECTED]
Subject: RE: Openssl RPMs

That is not the openssl site, though. The modssl is something different.

BTW, is it still necessary to link from www.modssl.org to www.ssleay.org, considering that www.ssleay.org has very little ssl related stuff?

Villy
RE:
There are at least two possibilities here:

Either the 3rd party is using ssh, a kind of secure telnet (that runs on port 22)

Or the client is using an ssl encrypted connection to the telnet port (23) or any other port for that matter.

If it is the latter case it's worth checking out "stunnel" which uses openssl to encrypt data over a standard port. Some protocols can't use this (eg ftp) as they don't use a single port.

I think you'll need some more information though!

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Ian Diddams [mailto:[EMAIL PROTECTED]]
Sent: 08 November 2000 14:56
To: [EMAIL PROTECTED]
Subject:

I've been tasked into investigating a link a 3rd party may be making to our servers shortly over SSL. I've downloaded OpenSSL and installed it etc... but frankly I don't know what I'm supposed to do with it!

The 3rd party mentioned will basically be telnetting in over an SSL link I am told (but nobody knows any more :-( ) ... so how exactly would such an arrangement normally occur?

Any ideas? Apologies for the ignorance, but I have to start somewhere (the 3rd party is not available for questioning AFAIUI).

Ian
RE:
Sorry to correct you, but ssh is much more than secured telnet. Using stunnel it is possible to encrypt telnet over an ssl link using a single key of 40/56/128 bits (this would probably be using the openssl libraries to do so). However ssh uses a combination of keys to encrypt the data. One of those is the server session key that changes automatically every hour. This makes it more difficult to break ssh via brute force than ssl. However, I'm not foolish enough to state that it is impossible to break, just very difficult.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: David Walgamotte [mailto:[EMAIL PROTECTED]]
Sent: 08 November 2000 14:52
To: '[EMAIL PROTECTED]'
Subject: RE:

ssh is secured telnet !

-----Original Message-----
From: Ian Diddams [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 08, 2000 8:56 AM
To: [EMAIL PROTECTED]
Subject:

I've been tasked into investigating a link a 3rd party may be making to our servers shortly over SSL. I've downloaded OpenSSL and installed it etc... but frankly I don't know what I'm supposed to do with it!

The 3rd party mentioned will basically be telnetting in over an SSL link I am told (but nobody knows any more :-( ) ... so how exactly would such an arrangement normally occur?

Any ideas? Apologies for the ignorance, but I have to start somewhere (the 3rd party is not available for questioning AFAIUI).

Ian
RE: Error Message : IP address does not match the server name
If memory serves me correctly, a "lame" DNS record is one where a server thinks that record is authoritative, but actually isn't. Try querying another DNS server at random to see what it thinks is your primary DNS. If this is what is causing you a problem it isn't related to Openssl at all.

- John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Sze Yee [mailto:[EMAIL PROTECTED]]
Sent: 29 October 2000 03:17
To: [EMAIL PROTECTED]
Subject: Error Message : IP address does not match the server name

Hi, all

I have set up the openssl on a RedHat 6.1. Have created a self-signed cert using the perl module CA.pl. When I try to send mail or receive mail using the SSL connection using Outlook 98, the following error message occurs: "IP address does not match the server name". I have entered my server name (host.domain) as my common name (CN) in the certificate. I tried keying in the IP address and the error message no longer appears. So, I am wondering if this is due to DNS error? (PS: I have set up a DNS server as well. When viewing the error log, error messages like "All A RR records are lame")..

Thank u in advance

Regards,
Sze Yee