RE: Problems installing OpenSSL on Linux

2004-07-12 Thread John . Airey
 -Original Message-
 From: J Harper [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 10 June 2004 20:39
 To: [EMAIL PROTECTED]
 Subject: Re: Problems installing OpenSSL on Linux
 
 
 This is an informative post, thank you.  I'd like to add that this is one of
 the huge problems with RedHat's library and dependencies configuration.
 Manually weeding through the dependencies by hand to install a new version
 of OpenSSL from source is very difficult, and upgrading an entirely new
 kernel and OS seems completely ludicrous to have timely security updates.
 Production systems that are tested and have been running for months/years
 can't go through this process each time a critical security update for
 OpenSSL is released.
 
 The OpenSSL team does a fine job of acknowledging and fixing security
 issues, but if users of the most popular Linux distribution can't use them,
 it seems like a huge issue.  Is there a workaround we don't know about?  How
 well do other distributions handle this?  Ideally you could just use
 apt-get, and have the latest version installed.
 
 J Harper
 PeerSec Networks
 http://www.peersec.com
 

Actually in my experience (which goes back to compiling openssl and apache
on Red Hat BEFORE they were included in the OS) sticking with Red Hat's RPMs
is always easier than trying to roll your own generic installations. The
only restriction on using the Red Hat openssl is that certain ciphers are
not included due to US patent restrictions.

In fact, it is Red Hat's stated policy that they backport patches rather
than add new features. That does mean that version numbers differ from the
latest version, which is frankly a minor inconvenience.

Details of all of this and how to build openssl without patent restrictions
on your systems are in the openssl FAQ.

-- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

I don't know which is worse. The makers of soap operas thinking they portray
real life or those that watch them thinking it is real life!

-- 
DISCLAIMER: 

NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


RE: [98] Address in use.. Could not bind to 443

2004-04-28 Thread John . Airey
 -Original Message-
 From: kloomis [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 14 April 2004 15:21
 To: [EMAIL PROTECTED]
 Subject: [98] Address in use.. Could not bind to 443
 
 
 Hello:
 
 I have migrated from RH 7.1 to RH 9. I have edited the httpd.conf, and
 connections work to the server thru port 80.  But when I move the
 connection to 443 and SSL, I get a Could not bind to 443, Address already
 in use error message.  Upon some investigation I discovered that in the
 ssl.conf file there is: listen 443. When I removed the listen 443, I was
 able to connect to the server. The problem now is that the virtual host
 defined in the ssl.conf is not what I want.  My question is, should I
 remove the virtual host for ssl from the httpd.conf and edit the ssl.conf,
 or vice versa?  Is the ssl.conf necessary if everything is covered in the
 httpd.conf?
 
I'm way behind my reading on this list, so I've only just read this one.
Historically Apache had three config files (httpd.conf, access.conf and
srm.conf). These were all combined into httpd.conf. However, distributions
like Red Hat split the ssl configuration into an ssl.conf file. In the case
of 9 this is in /etc/httpd/conf/conf.d.

The simple answer is that it's up to you. Simply renaming the ssl.conf in
/etc/httpd/conf.d will prevent its use (it's included with Include
conf.d/*.conf in httpd.conf), but the configuration will have to go in the
httpd.conf file.

Can you send me more details off list? I've not come across this before and
I've not had to change this ssl.conf file at all. I suspect that you may be
trying to run Apache 2.0 with a lot of Apache 1.3 directives that are now
out of date.

-- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Every person who has set out to disprove the resurrection of Jesus Christ
has changed their mind after examining the evidence in detail.

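Added example, not part of the original post: a shell check for the condition behind "Could not bind to 443", namely the same port being claimed by Listen directives in both httpd.conf and an included conf.d file. The directory layout (root/conf/httpd.conf plus root/conf.d/*.conf) and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find ports that more than one Listen directive claims across
# httpd.conf and the conf.d/*.conf files it includes.
# Assumed layout: <root>/conf/httpd.conf and <root>/conf.d/*.conf.
# Conditional blocks such as <IfDefine> are not evaluated; a Listen line
# inside one is reported as if it were in effect.

# Print "port file:line" for every uncommented Listen directive under root $1.
listen_directives() (
    for f in "$1"/conf/httpd.conf "$1"/conf.d/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*#/ { next }                    # skip comment lines
            tolower($1) == "listen" {              # directive names ignore case
                n = split($2, part, ":")           # 443, 192.0.2.1:443, [::1]:443
                print part[n], f ":" NR
            }' "$f"
    done
)

# Print "port: file:line file:line ..." for each port declared more than once.
# Same port on two different specific addresses is legitimate, so treat the
# output as candidates to review, not as proof of a conflict.
duplicate_listens() (
    listen_directives "$1" | awk '
        { count[$1]++; where[$1] = where[$1] " " $2 }
        END { for (p in count) if (count[p] > 1) print p ":" where[p] }' | sort
)

# Build a constructed sample tree (not real Red Hat files) and print its path.
make_sample_tree() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/conf" "$root/conf.d"
    cat > "$root/conf/httpd.conf" <<'EOF'
# constructed sample
Listen 80
listen 443
Include conf.d/*.conf
EOF
    cat > "$root/conf.d/ssl.conf" <<'EOF'
# constructed sample
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
EOF
    echo "$root"
)

# Demo on the constructed tree; on a real host pass the server root instead,
# for example: duplicate_listens /etc/httpd
demo_root=$(make_sample_tree)
duplicate_listens "$demo_root"
rm -rf "$demo_root"
```

Whichever file keeps the Listen line, the SSL virtual host should then be defined in one place only, which is the choice the reply leaves to the administrator.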


RE: Encrypted attachments

2004-03-31 Thread John . Airey
 -Original Message-
 From: Thorsten Müller
 [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 31 March 2004 15:55
 To: [EMAIL PROTECTED]
 Subject: Re: Encrypted attachments
 
 
 Dave wrote:
 
 I am encrypting email attachments.  I am on HP-UX 11.11 using openssl
 0.9.7c.  I can send unencrypted attachments.  I am having trouble sending
 encrypted attachments to Outlook.  When I look at the message source the
 attachment seems to be there but Outlook can not make sense of it.  Any
 ideas?
 
   
 
 I'm not quite sure what exactly you are doing and what Outlook you
 are using. When you only encrypt the attachments, I think Outlook has
 some problems. You have to encrypt the complete mail generating a
 correct S/MIME mail, this should work, unless you are testing with
 Outlook 97 which I think has its problems with S/MIME
 
 Thorsten
 
Don't use Outlook 97, not even for a joke. It's seriously broken in many
other ways too. 98 is passable but 2000 is fairly reliable. YMMV of course.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Shameless movie plug - go see the Passion of the Christ!



RE: Openssl upgrade on Red Hat 7.3 question

2004-03-12 Thread John . Airey
 -Original Message-
 From: Vigilance [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 11 March 2004 20:02
 To: [EMAIL PROTECTED]
 Subject: Openssl upgrade on Red Hat 7.3 question
 
 
 
 
 
 I have a question about upgrading openssl on Redhat 7.3
 
 I have been running openssl 0.9.6b for quite some time without
 problems.  Now I see that there is apparently a psybnc attack out there
 for apache port 443.  I've had to shut down https until I can get this
 fixed.
 
 I installed 0.9.6l which seemed to go in just fine.  However, Redhat is
 still using the old stuff because the new openssl went into /usr/local/ssl
 and the old stuff is in /usr/bin.  I don't see anything like $SSL_HOME to
 set.
 
 There is an FAQ comment to not remove /usr/bin/openssl or it will break
 sendmail and ssh but there is nothing in there about what to do about
 it.  I'm not too keen to just put in a link under these circumstances.
 
 I'd really like to be able to take advantage of these new feature/security
 fixes for at least apache and ideally also for ssh. What do I need to do
 to get this to work?
 
 Please cc me as well as responding to the forum.
 
 Thanks in advance
 

First of all, Red Hat 7.3 is no longer supported by Red Hat. However, if you
had used all the security updates so far supplied by Red Hat, there would be
no known security issues. There is a legacy project for Red Hat 7.3 but no
updates for Apache, openssl or mod_ssl have been released since the end of
last year, when support ceased.

However, if you wish to use a different version of openssl with apache, you
would be best advised to recompile both openssl and apache. Details of how
to do this are in the openssl documentation.

www.redhat.com and https://rhn.redhat.com are a good place to start.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Why do so many people who call themselves christians use the name of Jesus
Christ as a swear word?



RE: Virus Scanner

2004-03-02 Thread John . Airey
 -Original Message-
 From: Thomas H Jones II [mailto:[EMAIL PROTECTED]
 Sent: 27 February 2004 23:10
 To: '[EMAIL PROTECTED]'
 Subject: Virus Scanner
 
 
 Is there any possibility that this list could be run through a virus 
 scanner so that we wouldn't get spammed every time a virus passed 
 through this list to a system that mails back virus warning messages? 
 Seems like half the traffic is either virus or virus-response traffic.
 
 -tom
 
 ps. I don't -think- my site sends similar warnings,
  let me know if it does, please.
 
Well, for one those people on this list who are susceptible to viruses will
have anti-virus software anyway (and if they don't, getting openssl to work
is the least of their problems).

Two, there is the resource to think about. I don't think the server that runs
the openssl lists has been upgraded for years because of lack of funds, and
consequently I don't think anyone has the money to pay for it.

Three, it must be borne in mind that the vast amount of virus traffic now
is:

Out of office replies
Automatic responses from undeliverable addresses.
Automatic responses from anti-virus programs.
Real responses by individuals to the preceding three.

With the exception of a dedicated mail echo address, people today should
not have any kind of automatic responses to email set up. Recently viruses
have been faking addresses, and in some cases send viruses back to someone
who hadn't even sent it!

Given all these difficulties, a virus scanner would probably create more
problems than it solves.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

According to the book of Acts, Eutychus was the first man to suffer from a
General Protection Fault with Windows.




RE: Using OpenSSL and smartcards with pkcs#11

2004-01-15 Thread John . Airey
 -Original Message-
 From: The Doctor [mailto:[EMAIL PROTECTED]
 Sent: 15 January 2004 05:18
 To: [EMAIL PROTECTED]
 Subject: Re: Using OpenSSL and smartcards with pkcs#11
 
 
 On Thu, Jan 15, 2004 at 07:03:22AM +0200, Amira Solomovici wrote:
  Hi all,
  
  I have been having difficulty in finding a tutorial explaining how to use
  the openssl application with smartcards, and I hope that someone could help
  me with the following:
  
  What I am basically trying to do is use a smartcard for logging into my
  Linux machine.
  I have openssl ver 0.9.7a installed, and I have implemented a pkcs#11
  interface to the smartcard.
  I also installed the OpenSC libraries, but I'm not sure how to use it with
  openssl and with my pkcs#11 module.
  
  I would be grateful if someone could guide me on how to configure all those
  tools, and especially how to obtain or generate a certificate/key-pair to
  use in the login process to the computer.
  
 
 May I recommend that you update to openssl 0.9.7.c as 0.9.7a
 has a security advisory.  Also, something like http://www.apache-ssl.org
 might be of help.
 
This depends on what you are running. If you are running Red Hat 9, for
example, it says the version is 0.9.7a, and rpm -q openssl gives
openssl-0.9.7a-20. However, this version does have the security updates.
rpm -q --changelog openssl | more shows that the security fixes were added
on Sep 23 2003.

Before suggesting they upgrade, find out what version of Linux they are
running please. Otherwise they may come back with more problems than what
they started with.

Thank you.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.



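Added example, not part of the original post: the changelog check from the reply above turned into a script that answers "does this package carry the fix?" without relying on the upstream version string, which a backporting distribution leaves unchanged. The changelog text, packager name and the advisory id CVE-0000-0001 are constructed placeholders; only the version-release 0.9.7a-20 and the Sep 23 2003 date come from the message.

```shell
#!/bin/sh
# Added example: decide whether a distro package carries a backported fix by
# searching its changelog for the advisory id, instead of comparing the
# upstream version string (0.9.7a here stays 0.9.7a after the fix).

# Constructed sample in the layout of `rpm -q --changelog openssl` output.
# CVE-0000-0001 is a placeholder id, not a real advisory.
sample_changelog() {
cat <<'EOF'
* Tue Sep 23 2003 Example Packager <packager@example.invalid> 0.9.7a-20
- add security fixes for protocol parsing bugs (CVE-0000-0001)

* Mon Jun 02 2003 Example Packager <packager@example.invalid> 0.9.7a-10
- rebuild

EOF
}

# Read a changelog on stdin and print the header line (date, packager,
# version-release) of every entry that mentions the id given as $1.
# Exit status: 0 if at least one entry matches, 1 otherwise.
entries_fixing() {
    awk -v id="$1" '
        /^\* /        { header = $0; next }        # start of a changelog entry
        index($0, id) { if (header != last) { print header; last = header }
                        found = 1 }
        END           { exit(found ? 0 : 1) }
    '
}

# One-line verdict for the id in $1, changelog on stdin. Entries are listed
# newest first, so the last match is the release that introduced the fix.
backport_status() (
    if hits=$(entries_fixing "$1"); then
        release=$(printf '%s\n' "$hits" | tail -n 1 | awk '{ print $NF }')
        printf 'fixed: %s in %s\n' "$1" "$release"
    else
        printf 'not-found: %s\n' "$1"
    fi
)

# Demo on the constructed sample. On a real RPM-based host, feed the installed
# package's own changelog instead:
#   rpm -q --changelog openssl | backport_status <advisory-id>
sample_changelog | backport_status CVE-0000-0001
sample_changelog | backport_status CVE-0000-0002
```

A "not-found" result only means the changelog does not name that id; packagers sometimes describe a fix without one, so read the entries around the advisory date before concluding the package is unpatched.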


RE: OpenSSL file destinations

2004-01-14 Thread John . Airey
I'm not sure why you'd want to run the query against a package that isn't
installed (that's what the p option does). Surely he wants to check it is
installed, then use rpm -ql openssl |more to see where the files are now?

One reason to check whether your distro has openssl already installed is so
that you don't have issues where your programs are executing the wrong
version. It's surprising how many times that happens.

You might also find that the distro version is sufficient for your needs
too, especially now the engine code is included. (I remembered that time...)

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.


 -Original Message-
 From: Obermeier Markus ICM MP PD TS
 [mailto:[EMAIL PROTECTED]
 Sent: 13 January 2004 16:35
 To: '[EMAIL PROTECTED]'
 Subject: RE: OpenSSL file destinations
 
 
 Dear John,
 
 best way to find out is to do a `rpm -qlp openssl-xyz.rpm` where openssl-xyz
 is the rpm-file from a distribution's pre-installed openssl library archive.
 Then you have to do a bit of manual work to figure out how to use the
 options of the ./configure-command of the tarball. In some cases you will
 find out from the rpm command above have to adjust/create the library
 version links e.g. libssl.so.x.y as well.
 
 I did this for the SuSE 8.1/8.2 distributions.
 
 Rgds,
 Markus
 
 -Original Message-
 From: Boyle Owen [mailto:[EMAIL PROTECTED] 
 Sent: Dienstag, 13. Januar 2004 15:30
 To: [EMAIL PROTECTED]
 Subject: RE: OpenSSL file destinations
 
 
  -Original Message-
  From: John S. Wolter [mailto:[EMAIL PROTECTED]
  
  I am wondering if there is a document that describes where the files of
  OpenSSL should normally be placed?
 
 Look in the INSTALL file. The default location for Unix is
 /usr/local/openssl, but you can put it anywhere you like. NB - openssl
 is a library of functions, not a single binary.
 
 Rgds,
 Owen Boyle
 Disclaimer: Any disclaimer attached to this message may be ignored. 
 
  
  
  -- 
   Wolter Works - Always Innovating -
  - Industry and Commerce Internet Invention
  - Internet Marketing Product Concepts  Implementation
  
  mailto:[EMAIL PROTECTED]
  
  John Wolter, President
  1531 Jones Drive
  Ann Arbor, MI 48105-1871 USA
  1-734-665-1263
  
  Copyright 2003 John S. Wolter

  Neither this information block, the typed name of the sender,
  nor anything else in this message is intended to constitute an
  electronic signature unless a specific statement to the contrary
  is included in this message.
  
  
  
  
  
  
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group. Le présent e-mail est
un message privé et personnel, sans rapport avec l'activité boursière du
Groupe SWX.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 


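Added example, not part of the original thread: a shell check for the "programs are executing the wrong version" problem raised in the reply above, listing every openssl binary reachable through PATH in lookup order so a shadowed copy is visible. The directory names and the version strings printed by the stand-in scripts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: show which `openssl` a bare command name runs and which
# other copies on the PATH it shadows.
# PATH only decides which command-line binary runs. Daemons such as Apache
# load libssl/libcrypto through the dynamic linker, so they need a separate
# check (for example `ldd` on the server binary).

# Print every executable named $1 along the PATH-style string $2, in lookup
# order. The first line printed is the copy the shell would run.
all_on_path() (
    name=$1
    set -f                      # no globbing while splitting on ':'
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.  # an empty PATH element means current directory
        [ -f "$dir/$name" ] && [ -x "$dir/$name" ] && printf '%s\n' "$dir/$name"
    done
    :
)

# Print "active|shadowed <path> [<version banner>]" for each copy found.
shadow_report() (
    all_on_path "$1" "$2" | {
        n=0
        while IFS= read -r bin; do
            n=$((n + 1))
            [ "$n" -eq 1 ] && role=active || role=shadowed
            banner=$("$bin" version 2>/dev/null </dev/null)
            printf '%s %s [%s]\n' "$role" "$bin" "$banner"
        done
    }
)

# Constructed stand-ins for a distro copy and a source build; the banners are
# made-up output, not captured from real binaries.
make_sample_bins() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/usr/bin" "$root/usr/local/ssl/bin"
    printf '#!/bin/sh\necho "OpenSSL 0.9.6b (constructed)"\n' \
        > "$root/usr/bin/openssl"
    printf '#!/bin/sh\necho "OpenSSL 0.9.6l (constructed)"\n' \
        > "$root/usr/local/ssl/bin/openssl"
    chmod +x "$root/usr/bin/openssl" "$root/usr/local/ssl/bin/openssl"
    echo "$root"
)

# Demo on the constructed tree; on a real host run: shadow_report openssl "$PATH"
demo_root=$(make_sample_bins)
shadow_report openssl "$demo_root/usr/bin:$demo_root/usr/local/ssl/bin"
rm -rf "$demo_root"
```

On an RPM-based system, `rpm -qf` on each reported path shows which copies belong to a package and which were installed by hand.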

RE: un-tar'ing not working for me

2004-01-13 Thread John . Airey
-Original Message-
From: John S. Wolter [mailto:[EMAIL PROTECTED]
Sent: 13 January 2004 13:40
To: [EMAIL PROTECTED]
Subject: un-tar'ing not working for me

[snip]

What obvious error am I making using tar?

It's a gzipped tar file. I would use this to extract the contents:

tar -zxvf openssl-0.9.7c.tar.gz.tar

To be really sure, use this first:

tar -ztvf openssl-0.9.7c.tar.gz.tar

To ensure there are no errors with the tar file.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.



RE: OpenSSL file destinations

2004-01-13 Thread John . Airey
 -Original Message-
 From: John S. Wolter [mailto:[EMAIL PROTECTED]
 Sent: 13 January 2004 14:19
 To: [EMAIL PROTECTED]
 Subject: OpenSSL file destinations
 
 
 I've downloaded the latest OpenSSL and I'm going to target an already
 installed SUSE 8.1 for testing and then build a 9.0 system.  I've
 noticed that the tarballs are not targeted to distributions.  SUSE's
 distribution does include an rpm file but the only way to know where to
 place files is to do an rpm query.  That does not appear to be efficient
 route for the installed result.
 
 I am wondering if there is a document that describes where the files of
 OpenSSL should normally be placed?
 
 
 -- 
I would guess (without having a copy of Suse to hand) that their RPM is
already installed.

Try 

rpm -q openssl

To see if it is. If it is then try

rpm -e openssl --test

You'll probably see a list of packages that depend on it. If you don't, then
you are free to stick with the defaults. If you do, then follow the build
instructions in the openssl FAQ that refer to Red Hat.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.



RE: Sign PIX certificate using OpenSSL CA

2003-12-16 Thread John . Airey
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: 16 December 2003 14:34
 To: [EMAIL PROTECTED]
 Subject: Sign PIX certificate using OpenSSL CA
 
 
 I would like to sign a certificate created by pix firewall using OpenSSL
 CA server.
 My current set up is: the OpenSSL CA server is
 
 Network 1-- Router -- PIX Firewall 
  Network 2 
 (CA server)   VPN tunnel
 
 I have established VPN tunnel between router and pix firewall using
 preshared secret, but I would like to use the certificate signed by
 OpenSSL CA.
 
 How can I sign the pix certificate? Also, how can I download the CA
 certificate to PIX firewall?
 Thank you. Your advice is appreciated.
 
 Sanborne
 
I'm assuming you mean a Pix Firewall version 6.3.x. I don't think there is a
way to get a certificate onto a Pix, as the ca commands can only create
certificates. Have a look at the version 6.3 command reference at
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

If you do find a way, I'd love to know!

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

There is more historical evidence for the existence of Jesus Christ than for
either Henry VIII or Julius Caesar.



RE: Signing a CSR from JetDirect

2003-07-25 Thread John . Airey
 -Original Message-
 From: Bob DeBolt [mailto:[EMAIL PROTECTED]
 Sent: 14 July 2003 18:35
 To: [EMAIL PROTECTED]
 Subject: RE: Signing a CSR from JetDirect
 
 
  
  It seems to me that it is in the best interest of the major 
  CAs to not offer wildcard certificates;  that way, they can 
  charge their outrageous prices for each certificate that you 
  need, and when you happen to change a hostname, they are 
  right there at the trough looking for more money.
   
 
 Isn't capitalism wonderful?
 
 Bob D

There are still CAs that will issue wildcards, but most will want to charge
heavily for them. Add to this the fact that IIS doesn't support them
directly (I know it has a small market share, but it's still second place to
Apache) and Microsoft keep messing up support for them in IE, they can be
more trouble than they are worth. Most of these problems can be overcome
however. I keep meaning to write a book including all this, as I don't think
anyone has yet. Maybe this year I will...

Getting back to the poster's original point, is it at all possible that the
JetDirect won't accept a certificate that is over one or two years from
expiry?

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

After over 144 years, there's still no fossil evidence of Evolution.

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 


RE: Upgrading to the lastest version, what happends with my Apach e-Mod_SSL?

2003-06-16 Thread John . Airey
Sorry for my delay in replying. It shouldn't affect SSH as that didn't come
with Red Hat 6.2. It's a while since I used 6.2, but at the time I
downloaded an RPM from a Dutch encryption site (which is now long gone).
They used their own security libraries so were independent of openssl.

However, your time might be better spent upgrading to a newer version of
Linux.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution isn't true just because the majority of people think it is.



 -Original Message-
 From: Francisco Javier Martinez Martinez 
 [mailto:[EMAIL PROTECTED]
 Sent: 13 June 2003 14:38
 To: [EMAIL PROTECTED]
 Subject: RE: Upgrading to the lastest version, what happends with my
 Apach e-Mod_SSL?
 
 
 Thanks for the answer,
 
 I was wondering whether with the same scenario (Redhat 6.2) this upgrade
 could affect to other services installed like SSH or not? And if yes, is
 necessary to update them too?
 
 Thanks and greets.
 At 13:42 13/06/2003 +0100, you wrote:
 Yes, but check the mod_ssl website http://www.mod_ssl.org and ensure you are
 compiling the correct mod_ssl against openssl. Since you compile mod_ssl
 into apache, you will need to recompile both.
 
 This is why I prefer RPMS! Even if you customise your version of Apache, you
 only need to build it once and then you can install it on any number of
 systems.
 
 John
 




RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

2003-06-12 Thread John . Airey
If I had a Euro for each time this question gets asked...

The openssl FAQ details the fact that Red Hat 7.x (onwards) uses backported
versions. That is, if you have installed the Red Hat update to your version
(either manually or using Red Hat Network at rhn.redhat.com) you are
protected from currently known vulnerabilities.

The current supported openssl versions for Red Hat are:

openssl-0.9.6-16 - 7.1
openssl-0.9.6b-32.7 -  7.2, 7.3 
openssl-0.9.6b-33 - 8.0
openssl-0.9.7a-5 - 9.0

Of course, there is nothing to stop you building a separate version in a
different directory. Unless you need to use patent restricted code there'll
be no need.

If you haven't built against one of these versions, you'll either need to
recompile or use the Red Hat supplied mod_ssl package. Whichever you choose
is up to you.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution isn't true just because the majority of people think it is.

 -Original Message-
 From: Francisco Javier Martinez Martinez 
 [mailto:[EMAIL PROTECTED]
 Sent: 12 June 2003 08:01
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Upgrading to the lastest version, what happends with my
 Apache-Mod_SSL?
 
 
 Hello.
 
 I want to upgrade the OpenSSL to the 0.9.6j version to get rid of the two
 last vulnerabilities found in the previous versions of OpenSSL. The system
 is RedHat 7.x running Apache 1.3.27 with mod_ssl, both compiled with APACI
 method (configure, make  make install), and my question is:
 
 It is necessary once I had upgraded the OpenSSL to recompile my Apache so
 the mod_ssl could be linked to the new libraries of the OpenSSL or only
 with upgrading the openssl is the work done?
 
 Thanks in advance. Regards.
 
 
 
 
 
 
 


RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

2003-06-12 Thread John . Airey
Undoubtedly yes. Redhat 6.2 doesn't come with openssl, although an optional
RPM is available for it, version 0.9.5a-33 (which is up to date as of March
26th this year). 

rpm -q openssl will tell you if this optional package is installed.

However, this version of Linux is no longer supported by Red Hat, so
continue at your own risk.

I believe that you compile openssl as shared to use it with mod_ssl. Others
on the list will surely flame me if I get it wrong. I'd be surprised if you
get it to compile on version 6.2 anyway. I was finding that the glibc
libraries were too far out of date the last time I tried.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution isn't true just because the majority of people think it is.

 -Original Message-
 From: Francisco Javier Martinez Martinez 
 [mailto:[EMAIL PROTECTED]
 Sent: 12 June 2003 14:20
 To: [EMAIL PROTECTED]
 Subject: RE: Upgrading to the lastest version, what happends with my
 Apach e-Mod_SSL?
 
 
 Sorry for disturbing you, but I was in a mistake with the version of Linux,
 my client had a Redhat 6.2. I had realized this because there is not
 libssl.so.0.9.6xx in the file system, there is /usr/local/ssl/lib/libssl.a
 instead, this may indicate that the openssl is not built in share mode?
 The openssl and the apache was compiled, this last with mod_ssl between
 other modules using APACI format (configure and make).
 
 Would you please be so kind of tell me if I had to recompile the apache
 once the openssl has been compiled?
 
 Thanks in advance and regards.
 
 



RE: Anyone where to get a signed SSL certificate cheap?

2003-02-14 Thread John . Airey
You are right about the price Jo. They've hiked their prices a lot (must be
to pay for Mark Shuttleworth's space trip...).

If you are representing a charity you may be able to negotiate a lower
price. We did that last year and received a wildcard certificate at a
discount.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

A fundamentalist - what you call someone more sure of what they believe than
what you are


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: 13 February 2003 21:29
 To: [EMAIL PROTECTED]
 Subject: Re: Anyone where to get a signed SSL certificate cheap?
 
 
 Check tucows
 
 Josef Karthauser [EMAIL PROTECTED] wrote ..
  I need to obtain a certificate to use on my openssl/apache web server,
  but looking at Verisign and Thawte it appears that they're charging a
  lot of money ($450) per year for one!  Does anyone know where I can get
  one cheaper?  Last time I bought I'm sure that they were only $100/yr
  each.
  
  Joe
  
  p.s. yes, I know that I could self-sign, but this is for an ecommerce
  system and I'd prefer our customer's customers not to have to ask
  themselves why the certificate is in our name and not our customer's! :)
  -- 
  Josef Karthauser ([EMAIL PROTECTED])  http://www.josef-k.net/
  FreeBSD (cvs meister, admin and hacker)  http://www.uk.FreeBSD.org/
  Physics Particle Theory (student)  http://www.pact.cpes.sussex.ac.uk/
   An eclectic mix of fact and theory.
 =
 




RE: Anyone where to get a signed SSL certificate cheap?

2003-02-14 Thread John . Airey
Try globalsign www.globalsign.com, 175 Euro ($189 or £116.91 in proper
money).

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

A fundamentalist - what you call someone more sure of what they believe than
what you are


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: 13 February 2003 21:29
 To: [EMAIL PROTECTED]
 Subject: Re: Anyone where to get a signed SSL certificate cheap?
 
 
 Check tucows
 
 Josef Karthauser [EMAIL PROTECTED] wrote ..
  I need to obtain a certificate to use on my openssl/apache web server,
  but looking at Verisign and Thawte it appears that they're charging a
  lot of money ($450) per year for one!  Does anyone know where I can get
  one cheaper?  Last time I bought I'm sure that they were only $100/yr
  each.
  
  Joe
  
  p.s. yes, I know that I could self-sign, but this is for an ecommerce
  system and I'd prefer our customer's customers not to have to ask
  themselves why the certificate is in our name and not our customer's! :)
  -- 
  Josef Karthauser ([EMAIL PROTECTED])  http://www.josef-k.net/
  FreeBSD (cvs meister, admin and hacker)  http://www.uk.FreeBSD.org/
  Physics Particle Theory (student)  http://www.pact.cpes.sussex.ac.uk/
   An eclectic mix of fact and theory.
 =
 




RE: Problems building 0.9.7 on RedHat 7.3

2003-01-20 Thread John . Airey
What are you using to build it with? I've managed to build 0.9.7 fine on
RedHat 7.3 with ./config and ./config shared

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

I know it sounds cocky, but I honestly believe that one day there'll be a
telephone in every Town in America - Alexander Graham Bell (my paraphrase)


 -Original Message-
 From: Brian Ipsen [mailto:[EMAIL PROTECTED]]
 Sent: 17 January 2003 18:59
 To: [EMAIL PROTECTED]
 Subject: Problems building 0.9.7 on RedHat 7.3
 
 
 Hi!
 
  I'm trying to compile 0.9.7 on a RedHat 7.3 box, but when I do the make
 test I get:
 
 NIST curve P-521 -- Generator:
  x =
 0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B
 4D3DBAA14B5E77
 EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
  y =
 0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD172
 73E662C97EE729
 95EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
 verify group order  ok
 combined multiplication . ok
 
 cat
 base64
 aes-128-cbc
 aes-128-cbc is an unknown cipher
 options are
 -in file input file
 -out fileoutput file
 -pass argpass phrase source
 -e encrypt
 -d decrypt
 -a/-base64 base64 encode/decode, depending on encryption flag
 -k key is the next argument
 -kfile key is the first line of the file argument
 -K/-iv key/iv in hex is the next argument
 -[pP]  print the iv/key (then exit if -P)
 -bufsize n   buffer size
 -engine e  use engine e, possibly a hardware device.
 Cipher Types
 
 aes-128-cbc is an unknown cipher
 options are
 -in file input file
 -out fileoutput file
 -pass argpass phrase source
 -e encrypt
 -d decrypt
 -a/-base64 base64 encode/decode, depending on encryption flag
 -k key is the next argument
 -kfile key is the first line of the file argument
 -K/-iv key/iv in hex is the next argument
 -[pP]  print the iv/key (then exit if -P)
 -bufsize n   buffer size
 -engine e  use engine e, possibly a hardware device.
 Cipher Types
 
 cmp: EOF on ./p.aes-128-cbc.clear
 
 
 Any idea why I get that aes-128-cbc error ??
 
 Regards,
 
 /Brian
 



RE: OpenSSL Project Environment Migration on 10-Dec-2002 11:00 am CET

2002-12-12 Thread John . Airey
Can you give us more details about the move, like where, who, and whether it
has bigger bandwidth please Ralf? Sorry for being late in replying, but I've
been unwell.

Thanks.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If you are easily offended, don't read the next line!
It always amazes me how people believe in evolution as if it is a fact when
at the very best it is and always will be a theory.


 -Original Message-
 From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
 Sent: 10 December 2002 09:10
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: OpenSSL Project Environment Migration on 10-Dec-2002 11:00 am
 CET
 
 
 The OpenSSL project migrates today (10-Dec-2002, 11:00 am CET) its whole
 project environment to a completely new setup and location. In case of
 any problems after this switch time, please do not hesitate to contact
 me directly and describe the problem in detail. I'll make sure it is
 fixed as quick as possible. Sorry in advance for any inconveniences
 today. Thanks for understanding.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



RE: regenerate a host-specific ?

2002-11-15 Thread John . Airey
This is a question for the openssh site, www.openssh.org. However, as I'm
feeling friendly, I'll answer your question.

Indeed, RSA keys are generated by ssh-keygen as a default. These are only of
use for SSH version 1. Version 2 uses DSA keys, so you use ssh-keygen -t
dsa.

If you don't give a passphrase, you can copy the contents of the id_dsa.pub
to $HOME/.ssh/authorized_keys on the remote server, chmod this file to 600,
chmod the .ssh directory to 700 and then ssh should let you in with this key
from that host rather than via a password.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.



 -Original Message-
 From: rmckee [mailto:rmckeever;earthlink.net]
 Sent: 15 November 2002 16:38
 To: [EMAIL PROTECTED]
 Subject: regenerate a host-specific ?
 
 
 Hello,
 
 I was wondering how do you regenerate a host-specific RSA key on unix with
 ssh. Do you use ssh-keygen?
 
 thanks
 Rm
 
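The key-installation steps in the reply above (copy the public key into authorized_keys, chmod the file to 600, chmod .ssh to 700), as an added shell example that is not part of the original message. The function names, the sample key line and the temporary home directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): apply and verify the
# authorized_keys permissions described above. Key and paths are constructed.

# mode_is <path> <octal-mode>: succeed only if the path has exactly that mode.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# install_pubkey <public-key-file> <home-directory>
# Appends each key line once, then sets .ssh to 700 and authorized_keys to 600.
# Returns 2 if the file looks like a private key, 1 on any other failure.
install_pubkey() {
    ip_pub=$1
    ip_ssh=$2/.ssh
    ip_auth=$ip_ssh/authorized_keys
    [ -r "$ip_pub" ] || return 1
    if grep -q 'PRIVATE KEY' "$ip_pub"; then
        return 2                # id_dsa was given instead of id_dsa.pub
    fi
    ip_umask=$(umask)
    umask 077                   # new files start private, before chmod runs
    mkdir -p "$ip_ssh" && touch "$ip_auth"
    ip_rc=$?
    umask "$ip_umask"
    [ "$ip_rc" -eq 0 ] || return 1
    while IFS= read -r ip_key || [ -n "$ip_key" ]; do
        [ -n "$ip_key" ] || continue
        # Idempotent: skip a key that is already present as a whole line.
        grep -qxF -- "$ip_key" "$ip_auth" ||
            printf '%s\n' "$ip_key" >> "$ip_auth" || return 1
    done < "$ip_pub"
    chmod 700 "$ip_ssh" && chmod 600 "$ip_auth"
}

# audit_ssh_dir <home-directory>: print each deviation, return 1 if any.
audit_ssh_dir() {
    au_bad=0
    if ! mode_is "$1/.ssh" 700; then
        echo "$1/.ssh: missing or mode is not 700"
        au_bad=1
    fi
    if ! mode_is "$1/.ssh/authorized_keys" 600; then
        echo "$1/.ssh/authorized_keys: missing or mode is not 600"
        au_bad=1
    fi
    return "$au_bad"
}

# Stand-alone demonstration in a throwaway directory standing in for $HOME.
demo() {
    d_home=$(mktemp -d) || return 1
    # Constructed public key line; not a real key.
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBAConstructed user@client.example' \
        > "$d_home/id_dsa.pub"
    install_pubkey "$d_home/id_dsa.pub" "$d_home" &&
        audit_ssh_dir "$d_home" && echo "permissions OK"
    d_rc=$?
    rm -rf "$d_home"
    return "$d_rc"
}
demo
```

On a real server the second argument is the remote account's home directory, and `audit_ssh_dir` can be run on its own to check an existing account.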



RE: Building 0.9.6g --RH8.0

2002-11-08 Thread John . Airey
I've now managed a build of openssl 0.9.6g on RedHat 8.0 now, much to my
surprise.

First of all, make sure you have these RPMs installed (from the RedHat 8.0
CD 1):

binutils-2.13.90.0.2-2
gcc-3.2-7
glibc-devel-2.2.93-5
glibc-kernheaders-2.4-7.20 (this used to be called kernel-headers pre
version 7.3)

I'm running the latest kernel, 2.4.18-17.8.0.

I used the following as a non root user:

./config shared

to install everything into /usr/local/ssl, including the shared libraries.

make and make test completed without errors, so I su'ed to root and ran
make install.

To show that it is installed, I used:

[openssl-0.9.6g]# openssl
OpenSSL> version
OpenSSL 0.9.6b [engine] 9 Jul 2001
OpenSSL> exit
[openssl-0.9.6g]# cd /usr/local/ssl/bin
[bin]# ./
c_rehash  openssl   
[root@becketts bin]# ./openssl 
OpenSSL> version
OpenSSL 0.9.6g 9 Aug 2002
OpenSSL> exit

You'll note that the first version is what comes with RedHat 8.0, the second
version is what goes in /usr/local/ssl. To check I haven't stuffed up the
currently installed version rpm -V openssl returns no results, so no files
within the packages have changed. (I really like rpm -V, it helps me to
check whether anything has been tampered with).

I hope that helps.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.


 -Original Message-
 From: Inman, David [mailto:David.Inman;siemens.com]
 Sent: 31 October 2002 14:37
 To: ([EMAIL PROTECTED])
 Subject: Building 0.9.6g --RH8.0
 
 
 I am trying to build openssl-0.9.6g on a RedHat 8.0 system.  When I run make
 test everything passes but when I run a make install it does not install the
 binaries into /usr/local/openssl (where I told it with config).  I have done
 this several times on RH7.3 without a problem so I was wondering if others
 have had this problem and what the solution might be.
 
 Thanks,
 
 David Inman
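An added example, not from the original message, that turns the `rpm -V openssl` check described above into a triage step: it reads the verify output and separates changed binaries and libraries from edited config files. The sample output lines, the file paths and the ALERT/REVIEW/NOTE levels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): triage `rpm -V` output.
# The sample lines and file paths below are constructed for illustration.

# triage_rpm_verify: reads `rpm -V <package>` output on stdin and prints
# "<LEVEL> <path> <reasons>" per reported file. Exit status is 1 when any
# ALERT was printed, 0 otherwise (including the empty, all-clean case).
triage_rpm_verify() {
    awk '
    {
        flags = $1
        # Skip anything that is not a verify record (e.g. dependency notes).
        if (flags != "missing" && flags !~ /^[SM5DLUGTP.?]+$/) next
        p = index($0, "/")
        if (p == 0) next
        path = substr($0, p)
        # Optional one-letter marker: c=config d=doc g=ghost l=license r=readme
        marker = ($2 ~ /^[cdglr]$/) ? $2 : ""

        if (flags == "missing") {
            why = "missing"
        } else {
            why = ""
            if (index(flags, "5")) why = why ",digest"
            if (index(flags, "S")) why = why ",size"
            if (index(flags, "M")) why = why ",mode"
            if (index(flags, "U") || index(flags, "G")) why = why ",owner"
            if (index(flags, "T")) why = why ",mtime"
            sub(/^,/, "", why)
            if (why == "") why = "other"
        }

        # Content, mode or ownership changes (or a missing file) matter most
        # on binaries and libraries; config files are expected to be edited.
        serious = (flags == "missing" || flags ~ /[5MUG]/)
        if (marker == "c") {
            level = "REVIEW"
        } else if (serious) {
            level = "ALERT"
            alerts++
        } else {
            level = "NOTE"
        }
        print level, path, why
    }
    END { if (alerts > 0) exit 1 }
    '
}

# Constructed sample of what `rpm -V openssl` could print on a changed system.
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.    /usr/bin/openssl
.......T.  c /usr/share/ssl/openssl.cnf
missing      /usr/lib/libssl.so.2
.......T.  d /usr/share/man/man1/openssl.1.gz
EOF
}

sample_rpm_verify_output | triage_rpm_verify ||
    echo "openssl package: investigate the ALERT lines"
```

In real use the input is `rpm -V openssl | triage_rpm_verify`. The comparison is made against the local RPM database, so it catches files overwritten by a source install but is only as trustworthy as that database.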



RE: Building 0.9.6g --RH8.0

2002-10-31 Thread John . Airey
Attached is the openssl.spec file for Red Hat 8.0, which is what Red Hat
uses to build their openssl package, presumably with gcc 3.2.

If you can make some sense of it, you'll probably find out how to get
openssl to compile. Ignore the configure options no-idea, no-mdc2 and
no-rc5. These are only there because of US patent restrictions.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute


 -Original Message-
 From: Inman, David [mailto:David.Inman;siemens.com]
 Sent: 31 October 2002 14:37
 To: ([EMAIL PROTECTED])
 Subject: Building 0.9.6g --RH8.0
 
 
 I am trying to build openssl-0.9.6g on a RedHat 8.0 system.  When I run make
 test everything passes but when I run a make install it does not install the
 binaries into /usr/local/openssl (where I told it with config).  I have done
 this several times on RH7.3 without a problem so I was wondering if others
 have had this problem and what the solution might be.
 
 Thanks,
 
 David Inman
  




openssl.spec
Description: Binary data


RE: openssl 9.6g Redhat 7.3 Seg Fault

2002-10-10 Thread John . Airey

 -Original Message-
 From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) 
 [mailto:[EMAIL PROTECTED]]
 Sent: 10 October 2002 14:59
 To: '[EMAIL PROTECTED]'
 Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault
 
 
 Hello all,
 
 all good points, however.
 
 Redhat is a good linux platform (in my opinion) so I am quite happy to
 accept a fair amount of rpm.
 However the fact that 7.3 put on so much crap in rpm I decided to strip down
 and run most things compiled from source so I know where/how they were
 built.
 
 I understand that using the --nodeps option will break the packages that
 depend on the package removed. In fact I am HAPPY to break the packages that
 depend on openssl, as I am chomping at the bit to recompile them !!! as I
 think their RPM packages are rubbish and buggy also.
 [snip]

Well, there's a contradiction for you! Red Hat consists of multiple RPM
packages, nothing more, nothing less. So you are saying that the whole is
good, but that the parts are crap. 

I've been running Red Hat for years, and in the days before they did bundle
openssl, I had to compile openssl, modssl and apache. After that I found
someone else who had created rpms (ie they did the hard work of getting
these to compile). I still compile Apache as I have a business need to run a
slightly different version, but even then I create an RPM package. 

I'd like to think that someone else would be able to help you further,
although why you should deliberately break a working system knowing full
well what you are doing (as you appear to) and then want help is beyond me.
We have a legal expression in England you are the author of your own
misfortune!

If you really want to know how the packages were built, install the source
rpms and go to /usr/src/redhat/SPECS. The individual spec files that build
each package are there. I think you'd find they aren't built that much
differently to how you are building them.

I'm also a big fan of Red Hat Network now as I'm able to see that my systems
are up to date with all the released patches at a glance. I should also add
that I'm not on any commission from Red Hat to say this (sadly ;-) ).

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute




RE: openssl 9.6g Redhat 7.3 Seg Fault

2002-10-10 Thread John . Airey

 -Original Message-
 From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) 
 [mailto:[EMAIL PROTECTED]]
 Sent: 10 October 2002 14:59
 To: '[EMAIL PROTECTED]'
 Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault
 
 
 Hello all,
 
 all good points, however.
 
 Redhat is a good linux platform (in my opinion) so I am quite happy to
 accept a fair amount of rpm.
 However that fact 7.3 put on so much crap in rpm I decided to strip down
 and run most things compiled from source so I know where/how they were
 built.
 
 I understand that using the --nodeps option will break the packages that
 depend on the package removed. In fact I am HAPPY to break the packages that
 depend on openssl, as I am chomping at the bit to recompile them !!! as I
 think their RPM packages are rubbish and buggy also.
 [snip]

I should have mentioned that someone did recently post a method to this list
detailing how to remove openssl from Red Hat and build it. A search of the
archives should bring it up.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute




RE: openssl 9.6g Redhat 7.3 Seg Fault

2002-10-10 Thread John . Airey

 -Original Message-
 From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) 
 [mailto:[EMAIL PROTECTED]]
 Sent: 10 October 2002 14:59
 To: '[EMAIL PROTECTED]'
 Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault
 
 
 Hello all,
 
 all good points, however.
 
 Redhat is a good linux platform (in my opinion) so I am quite happy to
 accept a fair amount of rpm.
 However that fact 7.3 put on so much crap in rpm I decided to strip down
 and run most things compiled from source so I know where/how they were
 built.
 
 I understand that using the --nodeps option will break the packages that
 depend on the package removed. In fact I am HAPPY to break the packages that
 depend on openssl, as I am chomping at the bit to recompile them !!! as I
 think their RPM packages are rubbish and buggy also.
 [snip]

Link to aforementioned post:

http://www.mail-archive.com/openssl-users@openssl.org/msg28006.html

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute




RE: apache and that whole bugbear thing

2002-10-09 Thread John . Airey

I think you ([EMAIL PROTECTED]) are confusing bugbear with slapper.
Provided you restarted your web server after the upgrade to 0.9.6g, you
should be OK as far as that is concerned. The restart is necessary to ensure
that no code from the previous version of openssl is still in memory.

Could you give some more details about your other problems please? eg,
version of apache and mod_ssl? You may need to upgrade these. For example,
there is a recent update to apache (1.3.27) that contains several new
security fixes.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute


 -Original Message-
 From: B. van Ouwerkerk [mailto:[EMAIL PROTECTED]]
 Sent: 07 October 2002 17:17
 To: [EMAIL PROTECTED]
 Subject: Re: apache and that whole bugbear thing
 
 
 Uhhh last time I checked bugbear was a virus infecting M$ 
 Lookout users.
 Don't think it runs against Linux.
 
 
 At 20:51 5-10-02 -0400, [EMAIL PROTECTED] wrote:
 
 Is this the right place to ask questions about the bugbear worm?
 
 On a Sun box, we upgraded openssl to 0.9.6g because of the potential
 for the whole bugbear attack... I realize it's apparently targeted
 at linux, but better safe than sorry... well, we've started getting
 hit with what we think may be attacks... they're not getting through,
 but they cause apache to lock up... it's very strange... the 
 situation
 seems to happen as follows:
 
 We get a couple http requests that return a 400 status... then the
 server stops serving requests... then EXACTLY (every time) 5 minutes
 later, to the second, we get a request that gives a 408 error from
 the same IP, then apache needs to be restarted before it accepts any
 further requests...
 
 until this morning, there has not been much information in 
 the logs...
 but this morning, there were some entries in the ssl_engine_log that
 looked like this:
 
 [05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 
 66.46.213.130, server XXX.XXX.com:443)
 [05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 
 established 
 (server YYY.YYY.com:443, client 66.46.213.130)
 [05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 
 bytes of entropy
 [05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server 
 YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library 
 error follows)
 [05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL 
 routines:GET_CLIENT_MASTER_KEY:key arg too long
 [05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 
 established 
 (server XXX.XXX.com:443, client 66.46.213.130)
 [05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 
 bytes of entropy
 
 66.46.213.130 was the ip address that gave the 400's and 408 this
 time around (different IP each time)...
 
 If this is not the best place to ask about this, please point me in
 the right direction... I'm starting to sweat with my boss breathing
 down my neck... this is a 24/7 production server, running critical
 web applications that internal and external customers access
 constantly... so any help towards an answer would be greatly
 appreciated...
 
 Thanks.
 Dan.
 
 
 

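
Added example (not part of the original messages, and not OpenSSL or Red Hat code): the reply above says the restart is needed so that no code from the previous openssl is still in memory. On Linux, a process that still maps a replaced shared library shows the old path with a "(deleted)" suffix in /proc/<pid>/maps, so the check can be scripted. The function names, the optional proc-root argument and the sample maps lines are assumptions made for this example; the library file names are the Red Hat 7.2 ones quoted elsewhere in this archive.

```shell
#!/bin/sh
# Added example: list processes that still map a replaced libssl/libcrypto.
# When an upgrade replaces the library file on disk, a running process keeps
# the old inode mapped, and /proc/<pid>/maps shows that path followed by
# "(deleted)". Such a process is still executing the old library code.

# Constructed sample of /proc/<pid>/maps content for a web server that was
# not restarted after the library files were replaced (not real output).
sample_maps() {
    cat <<'EOF'
08048000-080a1000 r-xp 00000000 03:02 11204      /usr/sbin/httpd
40017000-40045000 r-xp 00000000 03:02 22310      /lib/libssl.so.0.9.6b (deleted)
40045000-40048000 rw-p 0002d000 03:02 22310      /lib/libssl.so.0.9.6b (deleted)
40048000-40110000 r-xp 00000000 03:02 22311      /lib/libcrypto.so.0.9.6b (deleted)
40110000-4011c000 rw-p 000c7000 03:02 22311      /lib/libcrypto.so.0.9.6b (deleted)
4011c000-40230000 r-xp 00000000 03:02 22001      /lib/libc-2.2.5.so
EOF
}

# Read maps-format lines on stdin and print each distinct libssl/libcrypto
# path that is mapped although its file has been deleted or replaced.
# Field 6 is the pathname; the kernel adds "(deleted)" as a final field.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ && !seen[$6]++ { print $6 }'
}

# Walk every process under the given proc root (default /proc) and print
# "pid<TAB>command<TAB>stale library" for each stale mapping found.
# The proc-root argument exists only so the function can be pointed at a
# test directory; it is an assumption of this example.
scan_processes() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes that exited or that we are not allowed to read.
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        libs=$(stale_ssl_libs 2>/dev/null < "$maps") || continue
        [ -n "$libs" ] || continue
        name=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "$name" "$lib"
        done
    done
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--scan" ]; then
    scan_processes
fi
```

Run it as root with --scan, since the maps files of other users' processes are not readable otherwise. Every process it lists is still using the old library and needs a restart.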

RE: Validity period of certificates

2002-09-27 Thread John . Airey

In addition, that was your key and certificate that you sent, not just . So
I'd hope you have a pass-phrase on your key or the key and certificate that
you sent aren't ones that you intend to use.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute

 -Original Message-
 From: Jose Correia (J) [mailto:[EMAIL PROTECTED]]
 Sent: 27 September 2002 13:50
 To: [EMAIL PROTECTED]
 Subject: RE: Validity period of certificates
 
 
 Try
 
 openssl x509 -in thiscert -noout -dates
 
 do a man x509 for more info.
 
 Cheers
 Jose
 
 
 -Original Message-
 From: Radboud Platvoet [mailto:[EMAIL PROTECTED]]
 Sent: 27 September 2002 14:43
 To: [EMAIL PROTECTED]
 Subject: Validity period of certificates
 
 
 Hi everyone,
 
 I would like to know if there is a way to find out for what period a
 certificate is valid (ie: the start and end date).
 
 This is the certificate from which I like to determine the validity
 period:
 




RE: RH 7.3 hosed up

2002-09-18 Thread John . Airey

Of course, you are overlooking the fact that many packages depend on the
existence of openssl on Red Hat 7.0 and above such as ssh and sendmail. So
if you want to forcibly remove the package and break your system, go right
ahead. 

Otherwise, following the directions in the openssl FAQ:
http://www.openssl.org/support/faq.cgi#BUILD8

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Reality TV - the ultimate oxymoron


 -Original Message-
 From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
 Sent: 17 September 2002 15:40
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: RH 7.3 hosed up
 
 
 The attached doc may be of use. My notes on installing 
 openssl on RH7.3:
 remove RPM, then go for a tarball. Of course it's 
 stream-of-consciousness,
 but even so
 
 Good luck,
 
   -- David Tonhofer
   m-plify S.A.
 
 
 P.S. It's called a 'howtoon' because 'toon' is my nickname.
 
 
 --On Tuesday, September 17, 2002 9:31 AM -0500 
 [EMAIL PROTECTED] 
 wrote:
 
  Howdy all.  I just attempted to upgrade OpenSSL on a RH 7.3 
 box (1st of
  about 7 7.3 and 7.2 boxes) and I thoroughly hosed the install up.
  Everything that relied on libcrypto or libssl is KIA.  I've 
 never had any
  luck with compiling and installing OpenSSL for some reason. 
  I usually
  stick with the RPMS for OpenSSL.  I use ApacheToolbox and 
 also let it
  compile it there (and install again).  After removing the RPMS I
  downloaded 0.9.6g, configured with --prefix=/usr/local, compiled and
  installed.  I did a little searching in the archives but I'm in a
  hurry and didn't find much.  Any pointers or tips would be greatly
  appreciated.  If anyone has a spec file for OpenSSL (and 
 some instructions
  for building an RPM because I've never done it--always 
 either work with
  straight source or a prebuilt RPM) I'd gladly take it.  Many thanks
 
  Justin
 
  



RE: RH 7.3 hosed up

2002-09-18 Thread John . Airey

On my desktop, removing openssl would break these packages:

openssl is needed by libpcap-0.6.2-11.7.2.0
libcrypto.so.2   is needed by bind-utils-9.2.1-1.7x.2
libcrypto.so.2   is needed by curl-7.8-1
libcrypto.so.2   is needed by libesmtp-0.8.4-2
libcrypto.so.2   is needed by wget-1.7-3
libcrypto.so.2   is needed by cyrus-sasl-md5-1.5.24-23
libcrypto.so.2   is needed by links-0.96-2
libcrypto.so.2   is needed by autofs-3.1.7-21
libcrypto.so.2   is needed by nss_ldap-189-2
libcrypto.so.2   is needed by pine-4.44-1.72.0
libcrypto.so.2   is needed by sendmail-8.11.6-3
libcrypto.so.2   is needed by fetchmail-5.9.0-11
libcrypto.so.2   is needed by mutt-1.2.5.1-1
libcrypto.so.2   is needed by stunnel-3.22-1
libcrypto.so.2   is needed by gq-0.4.0-3
libcrypto.so.2   is needed by openssh-3.1p1-6
libcrypto.so.2   is needed by openssh-clients-3.1p1-6
libcrypto.so.2   is needed by openssh-server-3.1p1-6
libcrypto.so.2   is needed by pidentd-3.0.14-1
libcrypto.so.2   is needed by xchat-1.8.9-1.72.0
libcrypto.so.2   is needed by licq-1.0.3-7
libcrypto.so.2   is needed by ucd-snmp-4.2.5-7.72.0
libcrypto.so.2   is needed by balsa-1.2.3-1
libssl.so.2   is needed by curl-7.8-1
libssl.so.2   is needed by wget-1.7-3
libssl.so.2   is needed by links-0.96-2
libssl.so.2   is needed by autofs-3.1.7-21
libssl.so.2   is needed by nss_ldap-189-2
libssl.so.2   is needed by pine-4.44-1.72.0
libssl.so.2   is needed by sendmail-8.11.6-3
libssl.so.2   is needed by fetchmail-5.9.0-11
libssl.so.2   is needed by mutt-1.2.5.1-1
libssl.so.2   is needed by stunnel-3.22-1
libssl.so.2   is needed by gq-0.4.0-3
libssl.so.2   is needed by xchat-1.8.9-1.72.0
libssl.so.2   is needed by licq-1.0.3-7
libssl.so.2   is needed by balsa-1.2.3-1

The last few are of course repeated. It might work now, but the sshd daemon
won't restart. Neither will the auto-mounter or most of the email clients
for your system (elm being the one exception here). 

Have you read the FAQ?

John

 -Original Message-
 From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
 Sent: 18 September 2002 09:55
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: RE: RH 7.3 hosed up
 
 
 Haven't had a single problem. Maybe I know what I'm doing? ;-)
 And sendmail is a no-no aaanyway...
 
 --On Wednesday, September 18, 2002 9:10 AM +0100 
 [EMAIL PROTECTED] 
 wrote:
 
  Of course, you are overlooking the fact that many packages 
 depend on the
  existence of openssl on Red Hat 7.0 and above such as ssh 
 and sendmail. So
  if you want to forcibly remove the package and break your 
 system, go right
  ahead.
 
  Otherwise, following the directions in the openssl FAQ:
  http://www.openssl.org/support/faq.cgi#BUILD8
 
  -
  John Airey, BSc (Jt Hons), CNA, RHCE
  Internet systems support officer, ITCSD, Royal National 
 Institute of the
  Blind,
  Bakewell Road, Peterborough PE2 6XU,
  Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 
 [EMAIL PROTECTED]
 
  Reality TV - the ultimate oxymoron
 
 
  -Original Message-
  From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
  Sent: 17 September 2002 15:40
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: Re: RH 7.3 hosed up
 
 
  The attached doc may be of use. My notes on installing
  openssl on RH7.3:
  remove RPM, then go for a tarball. Of course it's
  stream-of-consciousness,
  but even so
 
  Good luck,
 
 -- David Tonhofer
 m-plify S.A.
 
 
  P.S. It's called a 'howtoon' because 'toon' is my nickname.
 
 
  --On Tuesday, September 17, 2002 9:31 AM -0500
  [EMAIL PROTECTED]
  wrote:
 
   Howdy all.  I just attempted to upgrade OpenSSL on a RH 7.3
  box (1st of
   about 7 7.3 and 7.2 boxes) and I thoroughly hosed the install up.
   Everything that relied on libcrypto or libssl is KIA.  I've
  never had any
   luck with compiling and installing OpenSSL for some reason.
   I usually
   stick with the RPMS for OpenSSL.  I use ApacheToolbox and
  also let it
   compile it there (and install again).  After removing the RPMS I
   downloaded 0.9.6g, configured with --prefix=/usr/local, 
 compiled and
   installed.  I did a little searching in the archives but I'm in a
   hurry and didn't find much.  Any pointers or tips would 
 be greatly
   appreciated.  If anyone has a spec file for OpenSSL (and
  some instructions
   for building an RPM because I've never done it--always
  either work with
   straight source or a prebuilt RPM) I'd gladly take it.  
 Many thanks
  
   Justin
  
  
  

RE: RH 7.3 hosed up

2002-09-18 Thread John . Airey

Just in case you've got the wrong end of the stick, I'm not suggesting that
you shouldn't compile stuff yourself rather than use pre-packaged software.
I'm simply saying that there may be more broken by forcibly removing
packages that have dependencies than is at first realised. Personally I'd
never forcibly install or remove packages without good reason.

The section of the FAQ I referred to has instructions of how to compile
openssl without breaking the rest of your installation. And that's my last
word on the subject.

John


 -Original Message-
 From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
 Sent: 18 September 2002 12:00
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: RE: RH 7.3 hosed up
 
 
 Sigh
 
 No, I haven't read the FAQ recently (maybe 5y ago). And Yes, 
 RedHat will
 complain if you remove the RPM. That's why I have been fumbling the 
 symlinks,
 see? I have compiled SSH  Stunnel from the source tarball. 
 And dontcha
 worry, everything works just dandy.
 
 I mean, I didn't power away from the Microsoft Deathstar to 
 get back to 
 being
 forced to use prepacked things only.
 
 Further discussions of this will be off list.
 
 Best regards,
 
   -- David Tonhofer
   m-plify.com
 
 --On Wednesday, September 18, 2002 11:13 AM +0100 
 [EMAIL PROTECTED] 
 wrote:
 
  On my desktop, removing openssl would break these packages:
 
  openssl is needed by libpcap-0.6.2-11.7.2.0
  libcrypto.so.2   is needed by bind-utils-9.2.1-1.7x.2
  libcrypto.so.2   is needed by curl-7.8-1
  libcrypto.so.2   is needed by libesmtp-0.8.4-2
  libcrypto.so.2   is needed by wget-1.7-3
  libcrypto.so.2   is needed by cyrus-sasl-md5-1.5.24-23
  libcrypto.so.2   is needed by links-0.96-2
  libcrypto.so.2   is needed by autofs-3.1.7-21
  libcrypto.so.2   is needed by nss_ldap-189-2
  libcrypto.so.2   is needed by pine-4.44-1.72.0
  libcrypto.so.2   is needed by sendmail-8.11.6-3
  libcrypto.so.2   is needed by fetchmail-5.9.0-11
  libcrypto.so.2   is needed by mutt-1.2.5.1-1
  libcrypto.so.2   is needed by stunnel-3.22-1
  libcrypto.so.2   is needed by gq-0.4.0-3
  libcrypto.so.2   is needed by openssh-3.1p1-6
  libcrypto.so.2   is needed by openssh-clients-3.1p1-6
  libcrypto.so.2   is needed by openssh-server-3.1p1-6
  libcrypto.so.2   is needed by pidentd-3.0.14-1
  libcrypto.so.2   is needed by xchat-1.8.9-1.72.0
  libcrypto.so.2   is needed by licq-1.0.3-7
  libcrypto.so.2   is needed by ucd-snmp-4.2.5-7.72.0
  libcrypto.so.2   is needed by balsa-1.2.3-1
  libssl.so.2   is needed by curl-7.8-1
  libssl.so.2   is needed by wget-1.7-3
  libssl.so.2   is needed by links-0.96-2
  libssl.so.2   is needed by autofs-3.1.7-21
  libssl.so.2   is needed by nss_ldap-189-2
  libssl.so.2   is needed by pine-4.44-1.72.0
  libssl.so.2   is needed by sendmail-8.11.6-3
  libssl.so.2   is needed by fetchmail-5.9.0-11
  libssl.so.2   is needed by mutt-1.2.5.1-1
  libssl.so.2   is needed by stunnel-3.22-1
  libssl.so.2   is needed by gq-0.4.0-3
  libssl.so.2   is needed by xchat-1.8.9-1.72.0
  libssl.so.2   is needed by licq-1.0.3-7
  libssl.so.2   is needed by balsa-1.2.3-1
 
  The last few are of course repeated. It might work now, but the sshd
  daemon won't restart. Neither will the auto-mounter or most 
 of the email
  clients for your system (elm being the one exception here).
 
  Have you read the FAQ?
 
  John
  
 




RE: Pls. suggest some books on security

2002-09-18 Thread John . Airey

Maximum Linux Security - ISBN 0-672-31670-6 is also very useful. Despite the
title, it covers UNIX based security fairly well.

John

 -Original Message-
 From: Matthew Hannigan [mailto:[EMAIL PROTECTED]]
 Sent: 18 September 2002 14:10
 To: [EMAIL PROTECTED]
 Subject: Re: Pls. suggest some books on security
 
 
 A little more practical and appropriate to this list:
 
 Network Security with OpenSSL
 http://safari.oreilly.com/main.asp?bookname=openssl
 
 Matt
 
 v.p.r.n.saibabu v.p.r.n.saibabu wrote:
  Hi Vaidya,
  
  SSL and TLS by Eric Rescorla
  SSL and TLS Essentials by Stephen Thomas
  
  are two good books.
 



RE: FIPS-140 certification

2002-07-25 Thread John . Airey

Indeed. In the UK there was recently an issue of the security of
cash-machines because of a bug in the implementation of a similarly
certified protocol. It meant that you could potentially get card details by
sniffing what went down the telephone lines. I haven't heard whether this
has been resolved or not. 

Of course, taking this to extremes many government agencies should therefore
disconnect from the Internet. I think it's an issue that will keep cropping
up until governments realise that security is something that you aim for,
and not necessarily guaranteed by any particular certificate.

John



 -Original Message-
 From: Andrew T. Finnell [mailto:[EMAIL PROTECTED]]
 Sent: 25 July 2002 15:12
 To: [EMAIL PROTECTED]
 Subject: RE: FIPS-140 certification
 
 
 John,
   
 Sometimes that is not up to the developer. You state it like
 someone has a choice of what they use. Most government agencies disallow
 any encryption that isn't FIPS certified. If they had a choice it
 probably wouldn't be a question. :)
 
 - 
 Andrew T. Finnell
 Active Solutions L.L.C
 [EMAIL PROTECTED] 
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Thursday, July 25, 2002 10:04 AM
  To: [EMAIL PROTECTED]
  Subject: RE: FIPS-140 certification
  
  
  Just to add my thoughts to the cooking pot, FIPS-140 probably 
  isn't worth a string of beans. The actual encryption 
  protocols used in openssl haven't changed in a long time, for 
  example 3DES encryption is still 3DES encryption. Granted, 
  newer ones have been added (rijndael for example), but on 
  the whole protocols remain static.
  
  So if someone had obtained FIPS-140 certification for openssl 
  0.9.6d (for
  example) and a security bug was subsequently found in that 
  software version, the fix for the bug would invalidate the 
  certification.
  
  Which all boils down to a question of choice, do you prefer a 
  certificate that says your software is safe even if it isn't 
  to uncertified software which is worked on constantly to 
  ensure it is as safe as possible? I know which I would choose.
  
  
  - 
  John Airey
  Internet systems support officer, ITCSD, Royal National 
  Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
  Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 
  [EMAIL PROTECTED] 
  
  Is the statement 'There is no such thing as truth'  true?
  
  
   -Original Message-
   From: Ed Moyle [mailto:[EMAIL PROTECTED]]
   Sent: 25 July 2002 14:47
   To: [EMAIL PROTECTED]
   Subject: RE: FIPS-140 certification
   
   
   On Wednesday, July 24, 2002 23:14, Bil Kleb wrote:
   
   Bil,
   
     This may be a blasphemous question due to U.S. patent issues, but
     has anyone figured out if Open-SSL is FIPS-140 certified/
     certifiable?
   
   You and I are on the same page.  NIST doesn't have a cert for OpenSSL
   or SSLeay (bummer) and I've asked about this in the past.  The problem
   is the cost of certification as I understand it, plus the release
   early release often mantra doesn't lend well to NIST's perspective of
   every time you change the crypto, you need to get it recertified.
   
   I've done some of the work of determining if the thing is
   certifiable (meaning does it comply to the FIPS 140-2 req's) and
   from what I've seen, it seems to, but I haven't finished this effort.
   I coded up the random # statistical tests that are described in the
   req, and they pass (I'll send this to you if you want it... just write
   me off-list).  Also, it supports ciphersuites that use only
   NIST-approved algorithms.  This is good news, but, of course, what
   matters is the cert, and there isn't one.
   
   So, I guess the upshot of the deal is that until somebody certifies
   it, it can't be used for unclassified cryptography (strictly
   speaking).  If you want to go down a different route, you might want
   to check out SSL/C from RSA.  I don't know, since I haven't looked at
   it, but since Eric Young had some involvement, the API might be close
   to openssl since the historical roots are intertwined, and most of
   the B-Safe line is 140-1 certified (pretty sure about this, but you
   might want to check at NIST to be double-sure).
   
   Hope this helps,
   -Ed
   
   
   
  

Submission for the openssl FAQ

2002-07-01 Thread John . Airey

Further to my previous message, I have discovered that the sentence: (They
are /lib/libssl.so.0.9.6b and  /lib/libcrypto.so.0.9.6b with symlinks
/lib/libssl.so.2 and /lib/libcrypto.so.2 respectively)

Should have read:

(eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
/lib/libcrypto.so.2 respectively).

I've also double-checked the patents against the US Patent and Trademark
Office website at http://patft.uspto.gov/netahtml/srchnum.htm, and these
appear to be the correct numbers (I took them from the Red Hat openssl
source packages).

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: OpenSSL, IIS 5.0 and Installing certificate trouble

2002-06-27 Thread John . Airey

There is a way to create certificates with openssl and convert them to
IIS4.0 format. We've  done that here for a number of years. I believe that
you can then copy them from an IIS4 server to an IIS5 server, though I
haven't done it myself. I don't know of anyone who has got the certificates
straight onto IIS5.

Contact me off the list for more details. I have a task for myself to test
keys of greater than 1024 bits before the end of next week. I'll be running
through the whole IIS procedure to do this.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Is the statement 'There is no such thing as truth'  true?


 -Original Message-
 From: Ian Coggins [mailto:[EMAIL PROTECTED]]
 Sent: 19 June 2002 20:06
 To: [EMAIL PROTECTED]
 Subject: OpenSSL, IIS 5.0 and Installing certificate trouble
 
 
 Hi,
 
 I've been through faq's until they come out of my ears but still don't
 quite have the answer I need.
 
 I am simply trying to create a certificate to use on an IIS web server,
 using openssl on a linux box to create it.
 
 The linux installation does not have the CA.pl scripts as far as I can
 tell (not my box to manage I'm afraid).
 
 I have managed to create (or I believe)
 
 1/ root CA certificate. Generated own key and certificate. This created
 a key/cert file which I managed to combine into a single pfx format.
 2/ server certificate signed by root CA; however this is in a pem
 format.
 
 I cannot directly import the certificate (as key manager backup file)
 under IIS 5.0;
 
 I have however successfully loaded the certificates into the MMC -
 certificate manager console. The root CA under Trusted roots; the other
 under Personal. However neither appear in the 'assign existing'
 certificate dialog box on IIS 5.0
 
 Where am I going wrong ?
 
 How do I
 
 a) I get IIS 5.0 to import the certificates directly? (can I?) - it
 always reports an error about Cannot import key ring backup file.
 
 b) otherwise install the certificates I created so that I can assign an
 existing cert to IIS 5.0?
 
 or
 
 c) create a CSR from IIS and sign this using openssl ?
 
 Thanks
 Ian
 
 
 
 



RE: REMOVE

2002-06-06 Thread John . Airey

Can't you read the headers of your email? There should be a line something
like

Received: from mmx.engelschall.com (mmx.engelschall.com [195.27.130.252])
by maggotts.rnib.org.uk (8.11.6/8.11.6) with ESMTP id g56Bp6r03903
for [EMAIL PROTECTED]; Thu, 6 Jun 2002 12:51:11 +0100

My email address is on the bottom line. Your mail server name will differ of
course. This header line was generated by sendmail. 

John

 -Original Message-
 From: David Lang [mailto:[EMAIL PROTECTED]]
 Sent: 05 June 2002 21:54
 To: [EMAIL PROTECTED]
 Subject: Re: REMOVE
 
 
 doesn't work because to get the old address of the list I need to be able
 to figure out EXACTLY what the address is (capitalizations included) or
 the robot won't match (I've attempted this already)
 
 if the list manager notices this thread the address I am on as should be a
 variant of
 
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 
 I've attempted to unsubscribe all four addresses and get a response of
 'name not subscribed'
 
 David Lang
 
  On Wed, 5 Jun 2002, Michal Bachorik wrote:
 
  Date: Wed, 5 Jun 2002 12:10:52 +0200
  From: Michal Bachorik [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: Re: REMOVE
 
  :))
 
  but there's simple solution .. just join the list again, read instructions
  how to get off and that's it ..
 
  or someone who still has the welcome message could forward it to you ..
 
  - Original Message -
  From: David Lang [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Wednesday, June 05, 2002 1:01 AM
  Subject: RE: REMOVE
 
 
   seems that way. (as someone who has attempted to get off the list a few
   times, but cannot get majordomo to cooperate)
  
   and no I didn't save the welcome message from when I joined years ago.
  
   David Lang
  
   On Tue, 4 Jun 2002, Dilkie, Lee wrote:
  
    Date: Tue, 4 Jun 2002 15:01:32 -0400
    From: Dilkie, Lee [EMAIL PROTECTED]
    Reply-To: [EMAIL PROTECTED]
    To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
    Subject: RE: REMOVE
   
    NO! You are NOT allowed to leave You HAVE to stay.
   
    (sorry to the list members for the noise, but I couldna help maself)
   
    -Original Message-
    From: Sidney Fortes [mailto:[EMAIL PROTECTED]]
    Sent: Tuesday, June 04, 2002 2:30 PM
    To: [EMAIL PROTECTED]
    Subject: REMOVE
   
   
    REMOVE
   
   
   



RE: Key strength confusion

2002-04-29 Thread John . Airey

A quick search found the reseller for Verisign for the Asia/Pacific region.
Their site describes their SSL certificates as 128bit and 40bit at
http://www.esign.com.au/server/. Worse still, they describe the 40bit
certificate as standard.

(I do wonder why people just don't buy the cheaper Thawte certificates.
<envy>If they did, Mark Shuttleworth wouldn't be enjoying his trip to the
ISS</envy>).

The global cert costs about twice the standard cert. As for the law in
Australia on cryptography, this seems a reasonable page on International
encryption. http://rechten.kub.nl/koops/cryptolaw/

Finally, their support for servers mentions Apache-SSL with no mention at
all of openssl.

Without a little more information about which browsers are causing trouble,
there's not a lot more we can do.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

The teaching of evolution as a proven fact rather than a theory has done
more harm to scientific progress than anything else in history.




-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: 26 April 2002 16:17
To: [EMAIL PROTECTED]
Subject: Re: Key strength confusion

[snip]
As far as I know, there is in fact no such thing as a 40-bit cert.

There are two kinds of certificates:

(1) Ordinary X.509 certs containing an RSA key of whatever strength
you've chosen.
(2) Certs containing the SGC/Step-Up extensions.

There are three kinds of browsers in the world:
(1) Really old export browsers which will only do 40 bit crypto.
(2) Newer export browsers which will do SGC/Step-Up.
(3) Old domestic browsers or new (post export-control removal)
export browsers which do strong crypto.

So, the interaction matrix between certificates and browsers looks like
this:

                     Cert
Browser              Ordinary       SGC/Step-Up

Old Export           40-bit crypto  40-bit crypto
Newer Export         40-bit crypto  SGC/Step-Up to strong
New Export/Domestic  Strong crypto  Strong crypto

There is no way to tag an X.509 certificate in such a way that
it is 40-bit only.







RE: Key strength confusion

2002-04-26 Thread John . Airey

I don't know much about the restrictions in Australia, but I do know that
we've had a 128bit certificate since 1997. At that time we were running
apache-ssl. So I confess that I've never touched a 40bit certificate.

There are issues with versions of IE5 before 5.01SP2 (which itself is being
dropped by Microsoft at the end of June). There may well be issues with
older versions of Netscape. If you can let me know browser versions or build
numbers I may be able to help you further. I have come across users who were
fixed once they upgraded their version of IE.

If you can let me know the address of the site in question, I can have a
look and see what I can ascertain from that also.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

The teaching of evolution as a proven fact rather than a theory has done
more harm to scientific progress than anything else in history.






RE: smime segfault on redhat 7.2

2002-02-25 Thread John . Airey

As I've said before, RedHat 7.2 comes with openssl anyway, but that doesn't
preclude you from installing from source but you MUST put the newer openssl
binary in a different directory (eg in /usr/local/bin/openssl rather than
the pre-installed /usr/bin/openssl). Although the preinstalled openssl has
files in /lib, these have different filenames from the libraries that are
created with the source compilation (for reasons beyond the scope of your
problem).

On that basis, which openssl are you executing?

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution - A crutch for scientists who can't handle the existence of a
creator. See  disproven scientific theories and Romans 1:22.


-Original Message-
From: alexandru matei [mailto:[EMAIL PROTECTED]]
Sent: 21 February 2002 22:33
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: smime segfault on redhat 7.2


Hello,
I compiled latest snaps (all snaps from 2002) on a Redhat 7.2 system.
Make test finished successfully. But on trying openssl smime -sign
-encrypt  command, it segfaults. The rest of commands (as far as I
tested) are OK.
Can you give me some advice?

Alex



RE: linux/openssl/apache problem solved

2002-01-21 Thread John . Airey

-Original Message-
From: Rick Dennis [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2002 19:27
To: [EMAIL PROTECTED]
Subject: linux/openssl/apache problem solved


I found my problem.

I was sure I had done everything right, but couldn't get a connection
using https.

Found out I needed to open port 443 in IPCHAINS.

Voila !!!

Anyone running a semi-standard installation of Linux RedHat 7.1+ will
have this issue, unless they chose No Firewall during the
installation.


Rick Dennis
Alaska Internetworks

Not entirely correct. If you select normal or high and then customise, you
can trust certain interfaces, eg eth0. Whilst this has the effect of
disabling firewalling for that interface, it still allows you to add
firewalling later.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)




RE: RedHat Linux 7.1 ssh connection refused

2002-01-21 Thread John . Airey

Does ps -C sshd give a result on the server you are connecting to? Does
netstat -a on the server you are connecting to show that it is listening on
port 22?

If you telnet to port 22 on the server from your client, do you get a
response?
If you telnet to port 22 on the server from the server (ie telnet localhost
22) does that give a response? If it does, I would imagine that your
firewall configuration on the server disallows connections to port 22 from
remote machines.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)




-Original Message-
From: Kevin A. T. Silverstein [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2002 22:47
To: [EMAIL PROTECTED]
Subject: RedHat Linux 7.1 ssh connection refused


I am running sshd on a RedHat Linux 7.1 (with the latest upgrades
for all openssh* rpms) Dell computer, but cannot seem to
connect to it:

[prompt]$ ssh machine-name.umn.edu
Secure connection to machine-name.umn.edu refused.

In debug mode:
[prompt]$ ssh machine-name.umn.edu -v
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to hostname [IP address] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: connect: Connection refused
debug1: restore_uid
debug1: Trying again...
[two more times, then...]
Secure connection to giverny.umn.edu refused.

The machine I'm trying to connect to seems to be running sshd:

[prompt]$ ps -elf | grep sshd
140 S root  1354 1  0  69   0-   662 do_sel 14:24 ?   00:00:00

and it can connect to other machines without problems.

Oddly, in /etc/xinetd.d/, there are many services, but ssh is not among
them.

[prompt]$ cd /etc/xinetd.d; ls
amanda       daytime      finger  klogin         rexec   telnet
amandaidx    daytime-udp  gssftp  krb5-telnet    rlogin  tftp
amidxtape    dbskkd-cdb   imap    kshell         rsh     time
chargen      echo         imaps   linuxconf-web  rsync   time-udp
chargen-udp  echo-udp     ipop2   ntalk          swat    wu-ftpd
comsat       eklogin      ipop3   pop3s          talk

[prompt]$ cat rsh
# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
#  consequently, for the rsh(1) program.  The server provides \
#  remote execution facilities with authentication based on \
#  privileged port numbers from trusted hosts.
service shell
{
   socket_type     = stream
   wait            = no
   user            = root
   log_on_success  += USERID
   log_on_failure  += USERID
   server          = /usr/sbin/in.rshd
   disable         = yes
}

I tried to make a similar entry as root for ssh, using /usr/sbin/sshd
as the server (since there does not appear to be a /usr/sbin/in.sshd),
and set disable = no, but that didn't work.

The file /etc/ssh/sshd_config is exactly as in the following version:
#  $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

Does anyone know what I'm doing wrong? or what I need to install?

Thanks very much,
Kevin Silverstein


-- 
Kevin A. T. Silverstein, Ph.D. [EMAIL PROTECTED]
Department of Plant Biology, University of Minnesota
220 Biological Sciences Center, 1445 Gortner Avenue
St. Paul, MN 55108  612-624-3057
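
The triage in the reply at the top of this message (is sshd listening, does a local connect to port 22 work, does a remote one), written out as an added example that is not part of the original thread. The netstat excerpt, the result codes and the function names are constructed for illustration.

```python
"""Added illustration of the triage steps in the reply (constructed data)."""
import socket

# Constructed `netstat -an` excerpt, as it might look on the server.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1023           10.0.0.9:22             ESTABLISHED
"""

EXPLANATION = {
    "NOT_LISTENING": "no socket is listening on the port; sshd is not serving it",
    "LOOPBACK_ONLY": "sshd listens on loopback only; check ListenAddress",
    "LOCAL_FAIL": "a listener exists but even a local connect fails",
    "FILTERED": "local connect works, remote does not; look at the server's "
                "packet filter (ipchains on Red Hat 7.1) or the network path",
    "REACHABLE": "port 22 is reachable; the problem is above TCP",
}


def listeners(netstat_text, port=22, service="ssh"):
    """Return local addresses that have a TCP socket in LISTEN state on `port`.

    Accepts numeric output (0.0.0.0:22) and name output (*:ssh).
    """
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        addr, _, local_port = fields[3].rpartition(":")
        if local_port in (str(port), service):
            found.append(addr)
    return found


def probe(host, port=22, timeout=3.0):
    """TCP connect, the scripted equivalent of `telnet host 22`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc


def diagnose(listen_addrs, local_result, remote_result):
    """Combine the three observations into one result code."""
    if not listen_addrs:
        return "NOT_LISTENING"
    loopback = ("127.0.0.1", "::1", "localhost")
    if all(addr in loopback for addr in listen_addrs):
        return "LOOPBACK_ONLY"
    if local_result != "open":
        return "LOCAL_FAIL"
    if remote_result != "open":
        return "FILTERED"
    return "REACHABLE"


if __name__ == "__main__":
    addrs = listeners(SAMPLE_NETSTAT)
    # Hypothetical probe results: the local connect answers, the remote
    # client is refused. Use probe() on each machine to collect real ones.
    code = diagnose(addrs, local_result="open", remote_result="refused")
    print(addrs, code, EXPLANATION[code])
```

A "refused" result from the remote side does not by itself prove that nothing is listening, since a packet filter that rejects the connection produces the same client error; the local probe is what separates the two cases.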

RE: Why DNS/IP in certificate?

2002-01-14 Thread John . Airey

Personally I would have a second server outside the NAT device that proxies
requests in and out of the server behind the firewall. There seems to me
little point in having a firewall if you allow public access straight
through it!

In that case you can secure the connection between the outside machine and
the client machine without worrying about the firewall.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)


-Original Message-
From: Stanley Hopcroft [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2002 09:36
To: [EMAIL PROTECTED]
Subject: Re: Why DNS/IP in certificate?


Dear Ladies and Gentlemen,

I am writing to thank you for your comments about this matter and ask

On Thu, Jan 10, 2002 at 09:34:50AM -0500, Neff Robert A wrote:
 
 The client needs to verify who it is connected to.
 Anyone in the world can present a certificate to
 establish an ssl connection.  In a nutshell, the
 checks that need to be made on the client end are:
   a. Do you trust the signer of the certificate received
   b. Is the CN contained within the cert what you expect
 

..snip..

  Your next task is to ensure that the
 trusted cert truly came from the site you expected and
 not www.someothersite.com.  The browser does this step by
 comparing the CN contained in the cert to the URL address
 typed into your browser.  Your own app must do so as well...
 

is it possible to have an OpenSSL server located behind a Network Address
Translation device (a NAT device is sometimes part of firewalls, eg
the Cisco PIX) and still have the client handshake complete without
error ?

Here is the scenario.

Server has valid certificate signed by root CA for Distinguished Name
'S'.

DNS responds to an A record request from the client for S, with the
public interface of the NAT device (PTR query for that address also
returns S), but the OpenSSL server with that cert has a completely
different address (because it's been translated)

One might do this because of outsourcing or merger activities that
result in a new or different firewall.

Presumably the network between the NAT box and the OpenSSL server is
secure enough to be tolerable.

So :-

1 Will the scenario above work ?
2 If not, how can it be made to work ? 

Thank you,

Yours sincerely.

-- 
Stanley Hopcroft  Network Specialist
'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea,
Europe is the less, as well as if a promontory were, as well as if a
manor of thy friend's or of thine own were. Any man's death diminishes
me, because I am involved in mankind; and therefore never send to know
for whom the bell tolls; it tolls for thee...'

from Meditation 17, J Donne.
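
The name check quoted above (step b: is the name in the cert the one you expect), applied to the NAT scenario in the question, as an added example that is not part of the original thread and is not OpenSSL code. It follows the RFC 2818 rule that the client compares the name it asked for with the names in the certificate, so the address the server is configured with is never an input; the host names, addresses and the simplified wildcard rule are assumptions made for illustration.

```python
"""Added illustration: certificate name check vs. NAT (constructed data)."""
import ipaddress


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _label_match(pattern, hostname):
    """Match one certificate DNS name against the requested host name.

    Simplified rule (assumption): case-insensitive; '*' may only be the
    whole left-most label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_peer_name(requested, cert):
    """Return (ok, reason) for the name the user asked for.

    `cert` is a dict with 'cn', 'dns_names' and 'ip_addresses' taken from
    an already chain-verified certificate. The peer's socket address is
    deliberately not a parameter.
    """
    if _is_ip(requested):
        ips = {ipaddress.ip_address(i) for i in cert.get("ip_addresses", [])}
        if ipaddress.ip_address(requested) in ips:
            return True, "iPAddress subjectAltName matches"
        return False, "certificate has no matching iPAddress entry"
    dns_names = cert.get("dns_names", [])
    # dNSName entries, when present, are used instead of the CN.
    candidates = dns_names if dns_names else [cert.get("cn", "")]
    for name in candidates:
        if name and _label_match(name, requested):
            return True, "name matches %s" % name
    return False, "no certificate name matches %s" % requested


# Constructed scenario: DNS publishes the NAT device's outside address for
# the server name; the server itself holds a private address.
SERVER_CERT = {"cn": "s.example.org", "dns_names": [], "ip_addresses": []}
NAT_PUBLIC_IP = "192.0.2.10"    # documentation range; what DNS returns
SERVER_PRIVATE_IP = "10.1.2.3"  # never seen by the client, never checked


def scenario_results():
    """Outcome of the check for three ways of addressing the server."""
    return {
        "by_name": verify_peer_name("s.example.org", SERVER_CERT)[0],
        "by_public_ip": verify_peer_name(NAT_PUBLIC_IP, SERVER_CERT)[0],
        "wrong_site": verify_peer_name("www.someothersite.com", SERVER_CERT)[0],
    }


if __name__ == "__main__":
    for case, ok in scenario_results().items():
        print(case, "accepted" if ok else "rejected")
```

Connecting by name passes whether or not the address is translated; connecting by the NAT device's IP literal fails unless the certificate carries that address.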



RE: ./openssl speed -multi 1000 -engine aep ?

2002-01-14 Thread John . Airey

The openssl-engine versions also support openssl speed.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)


-Original Message-
From: John P. Looney [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2002 15:36
To: [EMAIL PROTECTED]
Subject: ./openssl speed -multi 1000 -engine aep ?


 It seems that the 0.9.7 snapshots are the only ones that support running
openssl speed concurrently. I was looking to test an AEP card here, and
the 0.9.7 snapshots don't have AEP acceleration merged yet.

 I was wondering - is there a version of 0.9.7 with the AEP engine merged
into it yet ? Is there likely to be in the future ?

John

-- 
___
John Looney Chief Scientist
a n t e f a c t o t: +353 1 8586004
www.antefacto.com f: +353 1 8586014






RE: ./openssl speed -multi 1000 -engine aep ?

2002-01-14 Thread John . Airey

-Original Message-
From: John P. Looney [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2002 15:56
To: [EMAIL PROTECTED]
Subject: Re: ./openssl speed -multi 1000 -engine aep ?


On Mon, Jan 14, 2002 at 03:52:18PM -, [EMAIL PROTECTED] mentioned:
 The openssl-engine versions also support openssl speed.

 But not -multi ? (at least not 0.9.6c - I don't know of any more recent
ones).

John

I don't know about -multi, or the aep code. Someone on the openssl-dev list
might know what the current situation is. My guess (and that's all it is) is
that the manufacturer may not have released any code or information about
how it works.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)




RE: I got 4 or more emails identical....

2001-12-20 Thread John . Airey



The exact configuration line in a Pix firewall for "smtp security" is

fixup protocol smtp 25

However, I would doubt this is causing this. There is an old bug with Pix
firewalls that might cause this, but the same version of IOS has more
serious bugs (like being able to send fake TCP RSTs as a DOS attack).

Occasionally I get the same message twice, which can occur if the message
is received OK but the sending server doesn't receive the confirmation.
However, this happens rarely.

The users who've only received one message probably have more queued up
waiting for them somewhere!

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

More people die each day of AIDS than died in the terrorist attacks on
September 11th 2001.


-Original Message-
From: Fabro, Loic [mailto:[EMAIL PROTECTED]]
Sent: 20 December 2001 16:24
To: '[EMAIL PROTECTED]'; 'Andrew T. Finnell'; [EMAIL PROTECTED]; 'Richard Levitte - VMS Whacker'
Cc: [EMAIL PROTECTED]
Subject: RE: I got 4 or more emails identical

Sorry, I do not think I will be able to post to the list (because my
!@#%@#$ Exchange Admin makes every outgoing email an HTML email. :-( ). If my
message does not make it to the list, could anyone of you forward it? Thanks.

I had this exact same issue before here on my professional email account. I
looked into the issue and found out that we are using a Cisco firewall
(PIX?). This firewall has a bug. So if you turn on "SMTP Security" (not sure
how this is called), there are times where the PIX thinks that the message
timed out and will try to send it again. (I can take technical explanation
off-line if needed). I had them turn off this feature until they fix the
firmware of the PIX. Since then No duplicates! :-) [I used to blame yahoo,
then I realized that other messages were duplicated as well]

2 cents, Loic.

-Original Message-
From: Boyd Lynn Gerber [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 11:17 AM
To: [EMAIL PROTECTED]
Subject: I got 4 or more emails identical

On Thu, 20 Dec 2001, Richard Levitte - VMS Whacker wrote:

OK, I just got tired of these mail replays. Since this looks like it
comes from some place under rr.com, I'm tossing out all users in that
domain or subdomains thereof..

If you want to resubscribe, you're most welcome to, *after* you've
removed the replayer.

-- 
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.

I hope these stop soon!

-- 
Boyd Gerber [EMAIL PROTECTED]
ZENEZ 3748 Valley Forge Road, Magna Utah 84044



RE: Help needed with getting SSL installed

2001-12-11 Thread John . Airey

-Original Message-
From: Doug Poulin [mailto:[EMAIL PROTECTED]]
Sent: 10 December 2001 22:51
To: [EMAIL PROTECTED]
Subject: Help needed with getting SSL installed


I have a Redhat Linux 6.2 server running Apache with mod-ssl.  We were
using SSH and Teraterm for connecting to the server remotely.  Unfortunately
that proved to be a security problem, so we are shopping for a solution.  We
would like to carry on with Teraterm since we have a large number of scripts
written for it.  The only other option appears to be Teraterm with SSL.  I
have downloaded the openssl sources and installed them, then I downloaded
the SSLtelnet sources from ftp.psych.psy.uq.oz.au and attempted to compile
and install them.  It would appear that they haven't been looked at since
1996 and as such no longer compile against the most current versions of
mod_ssl.  I'm running into compile errors, like too few parameters being
passed, and it appears that mod_ssl has been modified from the time this
version was released.  Does anyone have a working copy of SSL Telnetd
for Linux, or know where a current working version of ssltelnet can be
found.  Any and all help would be appreciated.

Is this the right way to go?  Is anyone working on a SSH2 library for
Teraterm?

Doug

If you look at http://www.openssh.org, you'll see that they have links to
various clients for Windows, such as putty. They also have rpms for RedHat
(although I can't find any for RedHat 6.2. I still have some copies around
myself). You could also consider commercial software such as F-Secure SSH
from Datafellows. We have a number of licenses for  F-Secure SSH and it is
fairly robust.

The maintainer of Teraterm SSH is Robert O'Callahan, contact details are at
http://www-2.cs.cmu.edu/~roc/. He will be able to tell you if anyone is
working on SSH2 support. 

Teraterm SSL's page is at
http://www.infoscience.co.jp/eng/products/ssltterm/index.html,
together with contact details. The change log there indicates the last
change to Teraterm SSL was over three years ago. Not encouraging.

All these pages are linked from the Teraterm Home Page at
http://hp.vector.co.jp/authors/VA002416/teraterm.html.

Also, as it is only a matter of time before Red Hat drop support for version
6.2, you might consider upgrading to 7.2. This comes with openssh built in.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

More people die each day of AIDS than died in the terrorist attacks on
September 11th 2001.




RE: Large File Support

2001-11-28 Thread John . Airey

The best advice is to rebuild the rpm packages so that these options are in
the makefile. You can then upgrade your openssl packages to your new version
without (hopefully) breaking other packages.

Mail me off the list and I'll send you instructions.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Andrew Cornell [mailto:[EMAIL PROTECTED]]
Sent: 27 November 2001 00:03
To: openssl-users
Subject: Large File Support


Has anybody compiled openssl with support for large file (2Gbytes) on
linux?  I'm running Redhat 7.2 with openssl 0.9.6b.

The standard build doesn't handle files bigger than 2G.  I'm considering
adding the _FILE_OFFSET_BITS=64 and _LARGEFILE_SOURCE gcc flags into the
makefile.

Anybody got good advice?




RE: RPM Source code version

2001-11-21 Thread John . Airey

-Original Message-
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: 20 November 2001 19:42
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: RPM  Source code version


From: Eric Daigneault [EMAIL PROTECTED]

scouby At 03:40 PM CN=a2011in.O=acv0111 +, you wrote:
scouby RedHat use libcrypto.so.1 (name of the file), but when you install the
scouby source, the name of the file is libcrypto.so.0.  Go ask RH why they did
scouby that, cause it was stupid !

The reason is probably that RH started producing shared libraries of
OpenSSL before we had gotten started on it.  So they probably had some
idea of what scheme they wanted to use and went ahead with it.

The stupid part was probably that they didn't bother talking with us
(or perhaps they did, but that was before my time as OpenSSL developer
then).

I think openssl was released for RedHat 6.2 on April 17th this year (see
http://www.redhat.com/support/errata/RHSA-2001-051.html) although this may
have been an update to a previous version. I never touched it, as it wasn't
necessary and the OS didn't require it. Since RedHat 7.0 it's basically been
an essential part of the OS (although I've only tried it on 7.1 and 7.2).

It does look like they didn't consult openssl developers before they
produced their shared libraries, but I don't think they would object to
being contacted now. Any changes could be put into a future edition. 

However, the version they package has a number of changes, eg they remove
certain crypto algorithms that are patented in the US. I had a brief
discussion with one of their staff on this list about making a non-US
package available, but the sticking point with that is how to integrate it
with their up2date tool. Unless we have US and non-US versions of RedHat I
think we'll be stuck with that one.

Incidentally, the hack of using a symlink doesn't work for all packages, eg
openssh still doesn't like the existence of different libraries to the
libraries it was compiled against.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]




RE: RPM Source code version

2001-11-20 Thread John . Airey

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 20 November 2001 15:41
To: [EMAIL PROTECTED]
Subject: RPM  Source code version


Hi Sirs,

I'm running RedHat 7.1 with kernel 2.4.3-12 on my Intel P3 866 system.
Recently, I just removed the openssl package that came with RedHat 7.1 and
I installed the source package from the openssl website. After this I was
not able to use most of my apps (like ssh, dig, nslookup, KDE).
There is always an error saying libcrypto.so.1 not found. I really need the
source code version cause sendmail STARTTLS requires it.

Can both types of openssl package work happily on the same machine? If it's
not possible, is there any way for me to use the source code version without
affecting my other apps?

sincerely Thanks for your help
ddl

This gets asked so often it should be in the FAQ! 

Basically, it's best with RedHat 7.x to stick with what you get. If you need
some of the stuff that doesn't come with the RedHat 7.x (certain US patented
code that can be used anywhere outside of the US), drop me a line off the
list. I can then give you instructions on how to rebuild the RPM to include
these.

I've counted up over 20 packages that break if you remove openssl on RedHat
7.x.

Some people have said that they have installed the latest from source over
the RPM, but what they've actually succeeded in doing is corrupting their
RPM database. Any updates released by RedHat cannot now be guaranteed to
work, since it may depend on the version of a file that isn't there any
more.

At the risk of starting a flame war, I prefer managing servers with RPMs.
It's easy enough to find out what is in them, and one RPM install on one
machine is the same on another. (I know that you can create a custom
configuration file and use that to compile and install on every machine, but
frankly all that compiling and copying is a lot more work for multiple
servers. If I build an RPM I do it from source on one machine and install
the same one everywhere).

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: porting openssl to linux kernel

2001-11-02 Thread John . Airey

Even if it were viable to put openssl in the kernel, I personally think that
this would create more problems than it solves. For instance, any bug in the
openssl code could potentially crash the kernel, rather than simply
segfaulting. (I'm typing this in vmware, which has its own kernel modules
and it has taken out my Linux machine several times).

Also, do you really want to reboot or recompile your kernel for every
upgrade to openssl? I've got some machines that have been running for over a
year, so I don't see any benefit there.

As machines are getting faster and faster all the time, the length of time
required for a context switch is also becoming shorter and shorter. If
that's the only reason to do it, it's really not worth it, IMNSHO.

Now if the linux kernel had accessibility built in, eg keyboard control of
voice synthesisers like a dectalk, that would be useful.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

-Original Message-
From: Rich Salz [mailto:[EMAIL PROTECTED]]
Sent: 01 November 2001 01:01
To: Imran Badr
Cc: [EMAIL PROTECTED]
Subject: Re: porting openssl to linux kernel


So far the complication has not proven to be worth it to anyone to
implement.

Go for it.
   /r$
-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com



RE: Two versions of openssl on one system

2001-10-30 Thread John . Airey

Your chances of running KDE2.2 on RedHat 7.0 are approximately zero. My
colleague tried this and he totalled his machine. I've said this so often it
should be in a FAQ, but RedHat 7.0 onwards depends heavily on the openssl
package.

KDE2.2 comes with RedHat 7.2, so it's probably a better option to upgrade to
that. Make sure you have plenty of backups before you start, though.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 30 October 2001 10:56
To: [EMAIL PROTECTED]
Subject: Two versions of openssl on one system


Hi,


I have Red Hat Linux 7.0 with openssl-0.9.5a-14 as a part of it. Now I want
to compile and install KDE 2.2 which requires openssl-0.9.6. Is it possible
to use both versions of openssl and it should be configured? I don't want to
remove the old version because many packages depend on it.

Thank you,
Sascha




RE: Decrypting encrypted e-mail in OE 5

2001-10-16 Thread John . Airey

Specifically, IE5.01SP2 has 128bit support. This is the oldest version of IE
that MS currently supports. A trip to http://windowsupdate.microsoft.com/
will allow you to upgrade to this.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Reiner Buehl [mailto:[EMAIL PROTECTED]]
Sent: 16 October 2001 11:45
To: [EMAIL PROTECTED]
Subject: RE: Decrypting encrypted e-mail in OE 5


Can you check if the IE5 installation is High Crypto? If not
this might be the problem. Try generating a cert with 512 Bit
in IE6 or upgrade IE5 to High Crypto version if this is the
cause.

Best regards,
Reiner.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Angus Lee
 Sent: Tuesday, October 16, 2001 11:47 AM
 To: [EMAIL PROTECTED]
 Subject: Decrypting encrypted e-mail in OE 5


 Hi,

 I've set up my own CA using OpenSSL. I suppose there're no known
 problems/mistakes in my CA setup. I could use the digital certificates
 issued by this CA to send secure e-mail and login intranet web sites (in
 my office) which require client authentication.

 Now I have two e-mail accounts, suppose one is S and another one is W. S is
 using IE 5 with SP2 (but the Outlook Express version is 5.5 as reported by
 the application) while W is using IE 6. Both run on Microsoft Windows 2000
 with SP2. S and W exchange their public certificate by sending a signed
 e-mail to one another. Then both reply with an encrypted e-mail using
 Outlook Express.

 W which has IE 6 has no problem decrypting the encrypted e-mail sent by S.
 S which has IE 5 SP2 could NOT decrypt the encrypted e-mail sent by W.

 The error message is:
 Error Decrypting Message
 You cannot read the message.
 --
 This might be because:
 o You may have lost or deleted the Digital ID that the message is
   encrypted to.
 o You may have installed the Digital ID that the message is encrypted to
   on another computer.
 o The sender may have meant the message for somebody else.
 o You do not have the necessary security package installed on this
   computer.

 I have the same problem on another machine which has IE 5.5 SP2 installed.
 Could someone please help me?

 The BIG problem is that both S and W have no problem decrypting e-mail when
 I use digital certificates issued by Thawte. I guess there may be something
 wrong with my CA setup. Please also find the openssl.cnf I use for my own
 CA.

 Thank you very much.

 Angus Lee




RE: About libssl.so.2 and libcrypto.so.2

2001-10-09 Thread John . Airey

-Original Message-
From: Michael H. Warfield [mailto:[EMAIL PROTECTED]]
Sent: 08 October 2001 22:02
To: [EMAIL PROTECTED]
Subject: Re: About libssl.so.2 and libcrypto.so.2


On Mon, Oct 08, 2001 at 09:28:52AM +0100, [EMAIL PROTECTED] wrote:

   [...]

 Rawhide is not another version of Linux, it is simply the name of a
 repository for optional updates to the current version of RedHat Linux. Of
 course, that question is a little off-topic for this list.

   No, it's not optional updates to the current release.  It's
an alpha thread that you use at your own risk.  It's basically a
pre-beta rolling release.  It is definitely a good spot to catch up
on recent kernel releases before they make it to the main updates site.

I know, see my follow up!

 As I have said repeatedly, openssl is included with RedHat 7.1. openssh,
 sendmail and bind all rely on the package being there. This has been the
 case since RedHat 7.0, and will undoubtedly be the case for 7.2. I haven't
 checked out roswell (aka 7.1.93) yet, as RedHat have locked off the file
 permissions on their ftp site!

   Looks like they just did that a couple of days ago.  I had downloaded
both Beta1 and Beta2 from ftp.redhat.com:/pub/redhat/linux/beta/roswell but
permissions are now set to deny.  Simultaneous to that, a 7.2 directory has
now appeared as /pub/redhat/linux/7.2 also with access permissions denied.
Looks like we are on the verge of the 7.2 release and they are prepping the
site...  :-)  Wheee...

I think it's worse than that. It appears (looking at all the other betas)
that they've inadvertently deleted roswell from their site and locked off
the directory so that all the other mirrors that use rsync don't delete
their copy! (They might be running short of disk space, but that would be
odd).

I found this out because the md5 checksum on the roswell iso images doesn't
match the entry in the MD5SUM file, so I tried to download from the master
site.

I'm eagerly awaiting 7.2, not least because I hope to upgrade all our 6.2
machines straight to it, and then be able to put off another upgrade for a
bit longer. I suspect 6.2 support will be dropped very soon anyway.

 RPM packages contain either pre-built binaries or a source package that will
 compile in a pre-arranged way (specified in a spec file). They are useful
 for maintaining a common installation on multiple systems, or for
 administrators who haven't a clue what make or configure does.

 Anyone who upgrades or changes openssl without using the RedHat updates
 (details at www.redhat.com/errata/) runs the risk of breaking a lot of code.
 Also, the version of openssl with RedHat 7.1 is hobbled and does not
 include all the cipher support. I've asked an employee of RedHat who has
 OK'd the making available of a package that contains all the support for
 non-US users. I've yet to get round to doing that though.

   Relative to the latest RawHide SRPMS (openssl-0.9.6b-9.src.rpm)...

   1) Replace the openssl-engine-0.9.6b-usa.tar.bz2 source ball
   with the real thing from the OpenSSL site.  (The source
   tarball with the RPM has had some things stripped.  That's
   part of the hobbling.)

   2) Edit the spec file and remove the -usa from Source.

   2) Down in %prep, kill off %{SOURCE1} by commenting it out.  (That's
   another part of the hobbling).

   3) Remove no-idea, no-rc5, etc on the config line.  (Last part of
   the hobbling.)

   4) Build.  All the RedHat patches seem to be compatible with the
   non-crippled source tarball.

   5) Enjoy.

Exactly what I've done already, except I haven't made it available to anyone
yet!


- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
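
The spec-file edits from the quoted steps above (drop -usa from Source, comment out %{SOURCE1} in %prep, remove no-idea and no-rc5 from the config line) can be scripted and checked before the build step. This is an added example, not part of the original posts or Red Hat's packaging; the spec fragment, the Source1 script name and the function names are constructed for illustration, and the flags the post leaves as "etc" are not guessed at.

```shell
#!/bin/sh
# Added example (not from the thread): script the spec-file edits described
# in the quoted steps and verify the result before building.
# The spec fragment below is CONSTRUCTED for illustration; it is not Red Hat's
# actual openssl.spec, and "example-strip-script" is a placeholder name.

sample_spec() {
    cat <<'EOF'
Name: openssl
Version: 0.9.6b
Release: 9
Source: openssl-engine-%{version}-usa.tar.bz2
Source1: example-strip-script

%prep
%setup -q -n openssl-engine-%{version}
%{SOURCE1} > /dev/null

%build
./config --prefix=%{_prefix} no-idea no-rc5 shared
make all
EOF
}

# Apply the edits to a spec read on stdin and write the result to stdout.
#  - remove "-usa" from the Source tag
#  - comment out any active %{SOURCE1} line between %prep and %build
#  - drop the no-idea and no-rc5 options from the ./config line
# Lines that are already commented are left alone, so a second run is a no-op.
unhobble_spec() {
    sed -e '/^Source:/s/-usa\././' \
        -e '/^%prep/,/^%build/s/^\([^#]*%{SOURCE1}.*\)$/# \1/' \
        -e '/^\.\/config/s/ no-idea//' \
        -e '/^\.\/config/s/ no-rc5//'
}

# Count lines on stdin that still carry one of the things the edits target.
# grep -c exits non-zero when the count is 0, hence the "|| true".
count_hobbles() {
    grep -c -e '^Source:.*-usa\.' \
            -e '^[^#]*%{SOURCE1}' \
            -e '^\./config.* no-idea' \
            -e '^\./config.* no-rc5' || true
}

# Show the edited spec and the before/after counts for the constructed sample.
before=$(sample_spec | count_hobbles)
after=$(sample_spec | unhobble_spec | count_hobbles)
sample_spec | unhobble_spec
echo "lines still to edit: before=$before after=$after"
```

Swapping in the full upstream tarball (step 1) and the build itself (step 4) are outside this sketch; the count is a pre-build check that none of the three edits was missed.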


RE: About libssl.so.2 and libcrypto.so.2

2001-10-08 Thread John . Airey

-Original Message-
From: Xia Shang [mailto:[EMAIL PROTECTED]]
Sent: 05 October 2001 13:55
To: [EMAIL PROTECTED]
Subject: About libssl.so.2 and libcrypto.so.2


Hello, everyone
I know now that KDE 2.2 is not for Redhat 7.1 but for Roswell, but what is
Rawhide? Another version of Redhat Linux?
I have downloaded openssl0.9.6b from www.openssl.org and unpacked it, but I
still can't find libssl.so.2 and libcrypto.so.2.
I guess I must install it so that these two files can be created. Am I right?
Another foolish question: What's the difference between the installations
from *.rpm package and from *.tar.gz package (with make, install and so on)?
Thank you

Rawhide is not another version of Linux, it is simply the name of a
repository for optional updates to the current version of RedHat Linux. Of
course, that question is a little off-topic for this list.

As I have said repeatedly, openssl is included with RedHat 7.1. openssh,
sendmail and bind all rely on the package being there. This has been the
case since RedHat 7.0, and will undoubtedly be the case for 7.2. I haven't
checked out roswell (aka 7.1.93) yet, as RedHat have locked off the file
permissions on their ftp site! 

RPM packages contain either pre-built binaries or a source package that will
compile in a pre-arranged way (specified in a spec file). They are useful
for maintaining a common installation on multiple systems, or for
administrators who haven't a clue what make or configure does.

Anyone who upgrades or changes openssl without using the RedHat updates
(details at www.redhat.com/errata/) runs the risk of breaking a lot of code.
Also, the version of openssl with RedHat 7.1 is hobbled and does not
include all the cipher support. I've asked an employee of RedHat who has
OK'd the making available of a package that contains all the support for
non-US users. I've yet to get round to doing that though.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: About libssl.so.2 and libcrypto.so.2

2001-10-08 Thread John . Airey

-Original Message-
From: Xia Shang [mailto:[EMAIL PROTECTED]]
Sent: 05 October 2001 13:55
To: [EMAIL PROTECTED]
Subject: About libssl.so.2 and libcrypto.so.2


Hello, everyone
I know now that KDE 2.2 is not for Redhat 7.1 but for Roswell, but what is
Rawhide? Another version of Redhat Linux?
I have downloaded openssl0.9.6b from www.openssl.org and unpacked it, but I
still can't find libssl.so.2 and libcrypto.so.2.
I guess I must install it so that these two files can be created. Am I right?
Another foolish question: What's the difference between the installations
from *.rpm package and from *.tar.gz package (with make, install and so on)?
Thank you

Correction to my previous post, RawHide is indeed another version of Linux,
but it is not supported, might destroy all your data, etc. However, I have
taken packages from it (apache-mod_ssl 1.3.20-2.8.4 for example) and they've
worked for me.

Details are at ftp://ftp.redhat.com/pub/redhat/linux/rawhide/README

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 







RE: Major OpenSSL/mod_ssl install problems.

2001-09-30 Thread John . Airey

Your statement "I'm using RH 7.1" is the critical one for me.

RedHat 7.1 (Which I assume you mean) includes openssl by default. If you
build openssl from source and replace that which comes with it, you will
break about 24 packages, including sendmail (I can send you a list if you
want).

Specifically, Apache 1.3.19 comes with RedHat 7.1, which is probably the
package that owns the httpd.conf file you are looking at.

Try the following to check this:
rpm -q --whatprovides /etc/httpd/conf/httpd.conf

(Although of course it is likely that you've overwritten this file)

I suggest you look at http://www.redhat.com/errata/ and
ftp://ftp.redhat.com/pub/redhat/linux/rawhide for updates to RedHat 7.1 and
the latest packages for Apache and mod_ssl.

You can build from source RPMS, which gives you just as much control over
what you build, although it is more fiddly. I've offered to help with
installing these before on either this list or the mod_ssl list (and
unfortunately I deleted my last offer!)

John


-Original Message-
From: The_polymorph
To: [EMAIL PROTECTED]
Sent: 29/09/01 21:12
Subject: Major OpenSSL/mod_ssl install problems.

Hi all.

 After building OpenSSL 0.9.6b, the latest version of mod_ssl for
apache 1.3.20 and rsaref 2.0 ( all without incident ), I experienced
the following problems:

1). My httpd.conf file has *no* mention of SSL *anywhere* in the
file.

2). After starting apache in SSL mode ( apachectl startssl ), it works
fine but I cannot connect to port 443. The message is connection
refused by server. For the record I am using RH 7.1.

 What might the problem(s) be?

 Thanks,

 -Caitlin.
 






RE: openssl-0.9.6b.tar.gz.asc

2001-09-25 Thread John . Airey

The md5 file contains an md5 checksum of the openssl package.

To verify the package use 

md5sum openssl-0.9.6b.tar.gz

The result of the above should match the md5 file. I'm not so sure about why
you can't add the pgp signature. It makes no difference AFAIK that the
version of the signature is 2.6.3ia.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

-Original Message-
From: Victor S. [mailto:[EMAIL PROTECTED]]
Sent: 25 September 2001 14:21
To: [EMAIL PROTECTED]
Subject: openssl-0.9.6b.tar.gz.asc


Hello,

I'm having trouble checking openssl package integrity (and I have to do it).

In ftp://ftp.openssl.org/source/ I could find 3 files available:
openssl-tar.gz
openssl-tar.gz.md5
openssl-tar.gz.asc

As far as I know, the asc file should be the public key and I should add it
to pgp before anything else:

%pgp -ka openssl-0.9.6b.tar.gz.asc
(And the file is under ~/.pgp/ )

Looking for new keys...
File '' has signature, but with no text.
Keyring add error.

What can be wrong? Should the file name be inside the quotes?

I have Pretty Good Privacy(tm) Version 6.5.8. Is this the problem, since
openssl-0.9.6b.tar.gz.asc is Version: 2.6.3ia?

What is the md5 file for?

Thanks,
Victor





RE: Time Diff?

2001-09-14 Thread John . Airey

-Original Message-
From: Averroes [mailto:[EMAIL PROTECTED]]
Sent: 14 September 2001 10:03
To: [EMAIL PROTECTED]
Subject: Time Diff?


Hi all,

Perhaps someone noticed this:

When I create a certificate there is difference
between system (OS) time and creation time of certificate.
Approximately one hour.


certificate info:
Validity
Not Before: Sep 14 09:57:24 2001 GMT
Not After : Sep 13 09:57:24 2006 GMT

and immediately after signing:
Fri Sep 14 10:58:32 BST 2001

Any ideas?

There isn't a time difference. These are the same time! 9:58:32 GMT (or more
correctly UTC) is 10:58:32 BST, although only between (at present) 1:00AM
UTC on the last Sunday in March and 1:00AM UTC on the last Sunday in
October. This is the same across the whole of the EU.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Export laws

2001-09-14 Thread John . Airey

-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: 14 September 2001 02:22
To: [EMAIL PROTECTED]
Subject: Re: Export laws


Michael Sierchio [EMAIL PROTECTED] writes:
 The code was simply reverse-engineered.  It's a small, simple
 piece of code.  Reverse-engineering is the determination of someone
 else's trade secret information via examination and testing of publicly
 available information.  It's legal.
RSA required a prohibition on reverse engineering as part of the
pass-through license which they imposed on their licensees (at least
they did for us). Thus, whoever reverse engineered the code likely
violated the license in the process. It's certainly debatable whether
such a prohibition is enforceable but it's not a slam-dunk that it
isn't, either.

Just to enter the fray, it's worth pointing out that Samba was reverse
engineered also, and Microsoft support it in all but name. Actually, you
could probably reverse engineer Windows as well but it probably wouldn't be
worth it.

Also, to say that ARC4 violates the RC4 trademark is as daft as stating that
the name Christina Saunders violates the right to the initials NASA. I
believe someone with a name like this was once refused the right to register
a domain name. Closer to home, Does NASDAQ violate the trademark name ASDA?
I don't think so!

However, like Eric I would be concerned about being sued by RSA.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: WIN32 binaries anyone??

2001-09-13 Thread John . Airey

Have you checked out http://curl.haxx.se/download.html?

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: Radi Shourbaji [mailto:[EMAIL PROTECTED]]
Sent: 13 September 2001 08:50
To: '[EMAIL PROTECTED]'
Subject: WIN32 binaries anyone??
Importance: High


I am in search of pre-built binaries for WIN32 to use in conjunction with
curl in a w2k environment.  Any help would be appreciated!  
 
Thanks!
 
Radi
 




RE: libssl.so libcrypto.so, again.

2001-09-10 Thread John . Airey

-Original Message-
From: Joe Orton [mailto:[EMAIL PROTECTED]]
Sent: 07 September 2001 15:09
To: Robert Pungello
Cc: [EMAIL PROTECTED]
Subject: Re: libssl.so  libcrypto.so, again.


On Fri, Sep 07, 2001 at 08:09:06AM -0400, Robert Pungello wrote:
 Hello All.  I know there have been a few questions about this already, but
 I'm still a bit confused.  I'm using Red Hat 7.1 with the openssl-0.9.6-3
 and openssl-devel-0.9.6-3 packages installed.  In addition, I have also
 installed openssl-0.9.6b myself because at the time I didn't realize the
 previously installed package existed.  When I look in my /usr/lib/
 directory, I see the following files (among others):
 libssl.a, libssl.so, libssl.so.0.9.6, libssl.so.1
 libcrypto.a, libcrypto.so, libcrypto.so.0.9.6, libcrypto.so.1.

Okay, I'll try my best at answering this... with RHL7.1, you would get
the following: (the same applies throughout for libssl as libcrypto)

libcrypto.so.0.9.6: the actual shared library
libcrypto.so.1: symlink to above

If you have upgraded your system from 7.0, you will also have 

libcrypto.so.0.9.5a: another real actual shared library
libcrypto.so.0: symlink to above

These symlinks are created by the 'ldconfig' command (run automagically
just after the RPMs are installed).

Each time that the ABI changes (so that the library is no longer
backwards-compatible), and a new RPM is made, you'll see a new symlink
libcrypto.so.N (where N increases by 1 each time). This allows Red Hat
to keep backwards compatibility with old applications.  So in the next
release, if you upgrade, IIRC you'll find:

libcrypto.so.0.9.6a: a real library
libcrypto.so.2: symlink to above

and if 0.9.7 isn't binary compatible with 0.9.6a, then at some point
later you'll find an RPM with:

libcrypto.so.0.9.7: real shared library
libcrypto.so.3: symlink to above

I hope this makes sense so far. The -devel package will install the
following two libs, which you only need if you want to build any
packages which link against OpenSSL:

libcrypto.so: symlink to real library again
libcrypto.a: the static library

So that's how Red Hat's OpenSSL RPMs work, I think. This differs
slightly from how the stock OpenSSL tarballs will install shared
libraries, since the stock Makefiles don't try to cope with binary
compatibility issues.  I think if you install a stock OpenSSL over a RHL
system, it will create

libcrypto.so.X.Y.Z
libcrypto.so, libcrypto.so.0: symlinks to above

This will be a problem if you have any applications on your system
linked against the 0.9.5a library if you upgraded from RHL 7.0, but
otherwise, your existing applications should work fine still.

Compiling things on this system will probably be okay, unless you ever
upgrade any of the OpenSSL RPMs, in which case your applications may
break again, I'm not sure. I'd advise doing

I have tried upgrading the version of openssl 0.9.6 on a RedHat 7.1 machine
to 0.9.6b using the RedHat openssl.spec file and it broke several
applications, including openssh. This is why I've been saying in the case of
RedHat 7.x to stick with the RedHat openssl packages. Now if you could just
provide different packages for us Brits (and others) who aren't restricted
by RC5 and IDEA patents...


# rpm --erase openssl-devel
# rpm -Uvh openssl-devel-0.9.6-3.rpm ### from the CD, or wherever

if you wish to get back under the RPM management. You may need a --force
too.

Hope some of that makes sense :)

joe

It makes sense to me. It's good to see someone from RedHat giving a hand
with this one, as it does come up often on the list.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
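
To see the layout discussed in this thread on a given machine, the following added example (not part of the original messages) lists each libcrypto or libssl file with its link target, embedded SONAME and owning RPM, and counts soname links left dangling. It assumes `readelf` and `rpm` are available for the last two columns and prints `-` without them; the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit libssl/libcrypto files in a directory.

# "real", "link:<target>", "dangling:<target>" or "missing" for one path.
link_state() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then
            echo "link:$(readlink "$1")"
        else
            echo "dangling:$(readlink "$1")"
        fi
    elif [ -f "$1" ]; then
        echo real
    else
        echo missing
    fi
}

# SONAME stored in the ELF dynamic section; this is the name ldconfig links.
soname_of() {
    s=
    if command -v readelf >/dev/null 2>&1; then
        s=$(readelf -d "$1" 2>/dev/null | sed -n 's/.*(SONAME).*\[\(.*\)\].*/\1/p')
    fi
    echo "${s:--}"
}

# Package that owns the file; "unowned" marks files installed outside RPM,
# for example by "make install" from a source tarball.
owner_of() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo -
    elif o=$(rpm -qf --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null); then
        echo "$o"
    else
        echo unowned
    fi
}

# One line per lib<stem>.so* and lib<stem>.a entry found in <dir>.
audit_libs() {
    dir=$1
    stem=$2
    for f in "$dir"/lib"$stem".so* "$dir"/lib"$stem".a; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%-22s %-30s soname=%s owner=%s\n' \
            "$(basename "$f")" "$(link_state "$f")" \
            "$(soname_of "$f")" "$(owner_of "$f")"
    done
}

# Number of lib<stem>.so* symlinks whose target no longer exists. Programs
# linked against such a soname fail to start.
count_dangling() {
    n=0
    for f in "$1"/lib"$2".so*; do
        case $(link_state "$f") in
            dangling:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed demo directory using the file names from the thread; the empty
# file stands in for the real library, so its SONAME column shows "-".
demo() {
    d=$(mktemp -d) || return 2
    : > "$d/libcrypto.so.0.9.6"
    ln -s libcrypto.so.0.9.6 "$d/libcrypto.so.1"     # soname link (ldconfig)
    ln -s libcrypto.so.0.9.6 "$d/libcrypto.so"       # build-time link (-devel)
    ln -s libcrypto.so.0.9.5a "$d/libcrypto.so.0"    # constructed: target removed
    audit_libs "$d" crypto
    echo "dangling=$(count_dangling "$d" crypto)"
    rm -rf "$d"
}

demo
```

On an RPM-based system, `audit_libs /usr/lib crypto` and `audit_libs /usr/lib ssl` give the same report for the installed libraries.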




RE: libssl.so libcrypto.so, again.

2001-09-10 Thread John . Airey

-Original Message-
From: Joe Orton [mailto:[EMAIL PROTECTED]]
Sent: 10 September 2001 10:50
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: libssl.so  libcrypto.so, again.


On Mon, Sep 10, 2001 at 09:48:28AM +0100, [EMAIL PROTECTED] wrote:
 I have tried upgrading the version of openssl 0.9.6 on a RedHat 7.1 machine
 to 0.9.6b using the RedHat openssl.spec file and it broke several
 applications, including openssh. This is why I've been saying in the case of
 RedHat 7.x to stick with the RedHat openssl packages. Now if you could just
 provide different packages for us Brits (and others) who aren't restricted
 by RC5 and IDEA patents...

You could do this yourself without too much trouble. You'd just have to
comment out the %{SOURCE1} line in openssl.spec, and adjust the ./config
line appropriately, and learn how to rebuild a source RPM :)

joe

I realise I could do that (and probably will do now!). I take it that
SOURCE1 is the hobble.openssl file? I've been building rpms from source for
quite a while now. When you have numerous RedHat boxes to administer,
building RPMS on one to install on the others makes perfect sense. However,
like I said it would help if the packages were made available. If not, does
RedHat have any objections to me making them available?

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: W2k wiazrd

2001-08-23 Thread John . Airey

-Original Message-
From: Nevalainen, Eric [mailto:[EMAIL PROTECTED]]
Sent: 22 August 2001 17:20
To: 'Robert Krenn'
Cc: '[EMAIL PROTECTED]'
Subject: W2k wiazrd


Bingo!

The string:

bash-2.04# OpenSSL ca -out request.pem -notext -infiles certreq.txt
where -out = the cert to be generated, and -infiles = the pending request,
the -notext option suppresses the plaintext form of the certificate to the
output file.  IIS 5 seems to like this.

output looks like:

I wouldn't hold your breath if this is a self-signed certificate. No doubt
someone else will correct me if I'm wrong, but I've never been able to get
self-signed certificate working on any version of IIS.

(I'm assuming this is a server cert. If it's a client cert then I'm probably
barking up the wrong tree).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Wasn't someone joking about the virus being posted by an autoresponder

2001-08-23 Thread John . Airey

-Original Message-
From: Steven Reddie [mailto:[EMAIL PROTECTED]]
Sent: 22 August 2001 12:23
To: [EMAIL PROTECTED]
Subject: Wasn't someone joking about the virus being posted by an
autoresponder


At least I thought it was a joke.

Steven

That was me, and it was a joke. However, there are anti-virus products about
that will send the virus back to the sender (what on earth for I ask?). We
don't set ours to do this and I'm pleased to see that our AV package didn't
send any auto-response other than to internal administrators (including
myself). We already get grief from our users because Out of Office messages
don't go to the Internet!

Mind you, if a mischievous sysadmin in the UK has done this deliberately as
a result of my suggestion, I'd like to chase him/her under the Computer
Misuse Act.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Please reconfigure majordomo to not set Reply-To (was: Failed to clean virus file Emanuel.exe)

2001-08-20 Thread John . Airey

-Original Message-
From: Amos Gouaux [mailto:[EMAIL PROTECTED]]
Sent: 20 August 2001 14:03
To: [EMAIL PROTECTED]
Subject: Re: Please reconfigure majordomo to not set Reply-To (was:
Failed to clean virus file Emanuel.exe)


 On Mon, 20 Aug 2001 05:00:01 -0700,
 Caliban Tiresias Darklock [EMAIL PROTECTED] (ctd) writes:

ctd On Mon, 20 Aug 2001 13:33:18 +0200, Michael Ströder
ctd [EMAIL PROTECTED] wrote:

 Because the mailing list processor is configured to set the Reply-To
 address to the list address. IMHO this should be changed to reduce
 such problems with automatic replies (vacation e-mails, virus-scans
 etc.).

ctd But that would make *regular* replies a pain in the ass for list
ctd members. 

What we do is send the notice to the envelope sender, which
typically is set to the list owner.  (Sorry list owner.)  At least
that way it doesn't flood the entire list time and time again

If you think this is bad, imagine what would happen if the anti-virus
checker attached the infected email in each alert (which for example
InoculateIT can do). Forget out of office replies et al...

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Linux and EVP_rc5_32_12_16_ofb

2001-07-30 Thread John . Airey

-Original Message-
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: 27 July 2001 18:50
To: [EMAIL PROTECTED]
Subject: Re: Linux and EVP_rc5_32_12_16_ofb




Ng Pheng Siong wrote:
 
 Hi,
 
 I've gotten a few messages about M2Crypto not working on Linux (Red Hat
 7.1, SuSe 7.1) because undefined symbol: EVP_rc5_32_12_16_ofb.
 
 I understand the packaged OpenSSL on those platforms are versions of
 0.9.6.
 
 I don't have a Linux installation at the moment, so I have no clue why
 this is so.
 

RC5 is probably omitted for patent reasons.

You are spot on. The pre-packaged openssl with RedHat 7.1 has a file called
hobble-openssl. It removes RC5, IDEA and MDC2.

Of course, it is possible to rebuild the package so that it doesn't. I'm
just building one now.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Web Site Alert: Not Responding

2001-07-27 Thread John . Airey

It worked just now! I've just pulled 0.9.6b again to test it (again).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 25 July 2001 11:32
To: [EMAIL PROTECTED]
Subject: Web Site Alert: Not Responding

There appears to be a problem in reaching your Web site at
http://www.openssl.org/support/.

Time of Error: 2001-07-25 06:32:29
Error Type: Connection Refused

InternetSeer, a Web site monitoring company, is conducting an ongoing study
of the true connectivity of the Web. As recommended by the Robots Guidelines,
this email is being sent to explain our research activities and to let you
know about the difficulty in connecting to your site.

If you would like InternetSeer to continue to alert you at no charge
whenever there is a problem reaching your Web site, click here.

InternetSeer does not store or publish the content of your pages,
but rather uses availability and link information for our research.
Click here to learn more about InternetSeer.

Mike Dever
President
[EMAIL PROTECTED]

Note: If you prefer not to receive these occasional alerts
regarding the availability of your Web site, reply to this email with Cancel
in the subject line. Please leave a full copy of this message in the body of
your reply email.
##[EMAIL PROTECTED]##






Expired certificates

2001-07-25 Thread John . Airey

I've just made an interesting discovery after suffering the ignominy of having
an SSL certificate expire. (Supposedly I'll have it within the next two
hours. A late night for me!)

It appears from my testing that the expiry time on a certificate is taken
from the client's machine time, not the server time. I've tested this with
IE 5.01 SP1 and Netscape 4.77.

Therefore the moral is to ensure that you renew all certificates before the
time on the certificate is reached anywhere in the world, to prevent browser
warnings. In practical terms this would mean renewing before the last 24
hours of the certificate is reached. As far as I am aware this is not
documented anywhere. (No doubt some clever person will point me to the RFC
where this is).

I believe I'll have some accurate information about self-signed starred
certificates with IIS fairly soon also.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
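
The observation in the post above, worked through as an added example (not part of the original message): X.509 validity times are expressed in GMT/UTC and each client compares them with its own clock, so a client whose clock is wrong reaches notAfter early, or has not yet reached the notBefore of a replacement certificate. The validity dates and client clock errors below are constructed sample values.

```python
import ssl
from datetime import datetime, timedelta, timezone


def parse_cert_time(text):
    """Parse a validity time as OpenSSL prints it, e.g. 'Jul 25 12:00:00 2001 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def client_verdict(not_before, not_after, true_now, clock_error):
    """Decision of a client whose clock is off by clock_error (client minus true UTC)."""
    client_now = true_now + clock_error
    if client_now < not_before:
        return "not yet valid"
    if client_now > not_after:
        return "expired"
    return "valid"


def swap_window(old_not_after, new_not_before, clock_errors):
    """True-UTC interval in which every listed client accepts both certificates.

    earliest: the slowest clock has reached the new certificate's notBefore.
    latest:   the fastest clock has not yet passed the old certificate's notAfter.
    """
    errors = list(clock_errors) + [timedelta(0)]
    earliest = new_not_before - min(errors)
    latest = old_not_after - max(errors)
    return earliest, latest


# Constructed sample data: the expiring certificate, its replacement, and
# three client populations with different clock errors.
OLD_NOT_BEFORE = parse_cert_time("Jul 25 12:00:00 2000 GMT")
OLD_NOT_AFTER = parse_cert_time("Jul 25 12:00:00 2001 GMT")
NEW_NOT_BEFORE = parse_cert_time("Jul 24 09:00:00 2001 GMT")
CLOCK_ERRORS = {
    "accurate": timedelta(0),
    "13 h fast": timedelta(hours=13),
    "2 h slow": timedelta(hours=-2),
}

if __name__ == "__main__":
    now = datetime(2001, 7, 25, 0, 0, tzinfo=timezone.utc)  # 12 h before notAfter
    for name, err in CLOCK_ERRORS.items():
        verdict = client_verdict(OLD_NOT_BEFORE, OLD_NOT_AFTER, now, err)
        print(f"{name:10s} sees the old certificate as: {verdict}")
    earliest, latest = swap_window(OLD_NOT_AFTER, NEW_NOT_BEFORE, CLOCK_ERRORS.values())
    print("swap the certificate between", earliest, "and", latest)
```

The window also shows the opposite failure: a replacement installed the moment it is issued can be rejected as not yet valid by clients whose clocks run slow.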




RE: OpenSSL and IIS4 - problem

2001-07-23 Thread John . Airey

-Original Message-
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: 20 July 2001 15:51
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL and IIS4 - problem


I have to disagree with Mr. Airey, though not without some trepidation.

 You enter the hostname into IE *exactly* as it is entered in the CN (or
 subjectAltName) in the certificate. If the certificate has an IP address,
 then that's what you should put into IE. If it has dotted DNS address, then
 that is what you should put into IE.
 
 Also, even if the addresses differ, IE still pops up a warning window
 telling you about this. It doesn't just silently fail with an error message.
 
 If the IP address is correct in your example, then I tried to connect to it
 and noticed that the server is actively refusing TCP connections on port
 443. It is not even getting to the SSL part, it just sends a TCP RST in
 response to a TCP SYN on port 443. Perhaps you have a firewall in the way?

No problem disagreeing with me, my managers do that all the time ;-).
Perhaps I should have said some versions of IE do not like it. I'm using
IE 5.01SP1 (I have to because we've internal systems that depend on IE.
Yuk!) and can connect to one of our secure sites using an IP address and the
actual address. The former gives a warning. I've had problems with older
versions of IE4, but upgrading to 128bit security cleared it. (I would
recommend anyone who can to upgrade IE to 128bit).

But like you say, it looks like a firewall or router configuration that is
preventing connections.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: OpenSSL and IIS4 - problem

2001-07-20 Thread John . Airey




I would suspect that you are using IE, which is extremely fussy about
connecting to IP addresses with SSL. Use the full host name (i.e. host.domain)
to connect. You'll need either an entry in a hosts file, or the host name to
exist in your DNS.

In the case of the first error, IIS will refuse you access to that directory
as you requested a secure channel. It usually says something about requiring
a secure connection though.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

 -Original Message-
 From: David [mailto:[EMAIL PROTECTED]]
 Sent: 20 July 2001 01:54
 To: [EMAIL PROTECTED]
 Subject: OpenSSL and IIS4 - problem

 Now I am able to install key generated by OpenSSL from IIS key manager by
 converting format to IIS format. (Thanks Lisle and John)

 Then I did follow steps.
 1. Add my ip(203.1.1.1) and port(443) to keymanager and save changes.
 2. Select a virtual directory (download) and update properties with
    Select 'Require Secure Channel' and 'Do not accept certificates' option
 3. Restart IIS.

 Then when I try URL: http://203.76.4.111/download
 Error: it tell me not authorized
 *why? I did not select require client cert option.

 try another https://203.76.4.111/download
 Error: The page cannot be displayed
 *why? I already add my ip and port to key manager.

 I change option to 'Require Client Certificates' then try URL again, It
 still give me same error instead of popup a require cert window. If I use
 this option, do I need to install the same cert into my browser in order to
 access my secure directory?

 What am I doing wrong here?

 Thanks.
 David


RE: OpenSSL and IIS4

2001-07-19 Thread John . Airey



IIS4 can use 1024 RSA keys. We have several machines that are doing this
already.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

 -Original Message-
 From: haikel [mailto:[EMAIL PROTECTED]]
 Sent: 19 July 2001 10:06
 To: [EMAIL PROTECTED]
 Subject: Re: OpenSSL and IIS4

 Slamou alycom,

 Verify that IIS 4 use keys with length higher than 512 bits, if not upgrade
 your version of IIS.

 Haikel MEJRI

 David wrote:

  Hey,

  I am trying to setup https on IIS4 by using OpenSSL, I follow steps:
  1. Create private key
       openssl genrsa -des3 > holly.pem
  2. Generate a CSR from your key
       openssl req -new -key holly.pem > holly.csr
  3. Generate a self-signed certificate
       openssl req -x509 -key holly.pem -in holly.csr > holly.crt
  4. From IIS4 key Manager select import key file: holly.pem and cert
     file:holly.crt. I got error: wrong password.

  I am sure that I use exactly the same password, so what real problem is?
  anyone has this experience.

  Thanks

Thanks 



RE: ROOKIE Question

2001-04-12 Thread John . Airey

Have a look at http://www.openssh.org/windows.html 

There's a whole list of them. I haven't tried putty yet. I use TTSSH at home
(not that my LAN at home is likely to be hacked, I just prefer it to
Windows' telnet!) and F-Secure SSH at work. <advert> The latter costs money,
but I think it's money well spent </advert>

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



 -Original Message-
 From: Web boy [mailto:[EMAIL PROTECTED]]
 Sent: 09 April 2001 20:00
 To: [EMAIL PROTECTED]
 Subject: ROOKIE Question
 
 
 Hello I have installed and configured openssl on my
 linux box (redhat 6.2).  Everything went fine now I
 need to know how do I connect remotely from my NT
 workstation?
 
 I have seen with SSH that there is something called
 putty but not sure what my next step is.
 
 My goal is to be able to transfer files securely back
 and forth from my NT workstation to my LINUX box and
 vice versa.
 
 Any help would be great
 



RE: a question about install

2001-04-09 Thread John . Airey

You can also use the DOS "SHELL" command to increase environment space.
Details can be gathered from a DOS 6.0-6.22 machine. Windoze doesn't have
any information on it, AFAIK.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Jonas Jakobsson [mailto:[EMAIL PROTECTED]]
 Sent: 06 April 2001 01:03
 To: [EMAIL PROTECTED]
 Subject: Re: a question about install
 
 
 <snip>
   before i compile the openssl, i use the vcvars32.bat in the directory
 D:\Program Files\Microsoft Visual Studio\VC98\Bin
  but it tell me that out of the environment space, what should i do !
 </snip>
 
 I had the same problem.
 The solution in my case was to cut down the size of my path variable in
 config.sys, restart
 and run the vcvars.bat in the dos box.
 Or, you could modify the shortcut to the dos-box to use your own modified
 config.sys.
 
 just my 2 cents
 /Jonas Jakobsson



RE: OpenSSL or Engine

2001-03-29 Thread John . Airey

The openssl-engine code contains "experimental" support for hardware crypto
devices. If you don't have one, or don't even know what one is, then just
use the vanilla "openssl" code.

I read somewhere that the two code branches will be merged in 0.9.7. Can't
remember where now.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Dave Horner [mailto:[EMAIL PROTECTED]]
 Sent: 29 March 2001 11:20
 To: [EMAIL PROTECTED]
 Subject: OpenSSL or Engine
 
 
 We are using an apache web server and need to generate a CSR so we can
 use SSL.
 The documentation says that we need openssl to generate the CSR. 
 Could someone explain the difference between OpenSSL and OpenSSL
 (engine) , so I know which one to install ?
 Many Thanks
 Dave



RE: Batching E-Mails

2001-03-14 Thread John . Airey

My $0.02 worth. It is perfectly possible for there to be two versions of
this list, a normal list and a "digest" or batched list as the original
poster calls it. Majordomo supports it, but it will involve more work for
someone to set it up.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



 -Original Message-
 From: Gil Peeters [mailto:[EMAIL PROTECTED]]
 Sent: 14 March 2001 10:37
 To: [EMAIL PROTECTED]
 Subject: Re: Batching E-Mails
 
 
 Hey man, I think you got me wrong here. 
 
 I am not saying that you should not have the choice, I was just stating my
 reasons for liking the current system. I was not bagging you for having your
 own opinion.
 
 Choice is a wonderful thing!
 
 Chill out and go in peace!
 
 G.
 
 Oliver Bode wrote:
  
  That's your preference. I prefer batched E-Mails. I would prefer to open one
  message related to an issue than open 10,
  
  I wrote to Majordomo and requested that I would prefer batched E-mails.
  
  And as Majordomo can already do all sorts of filtering
  himself/herself/itself, I asked him/her/it that I would like my E-mails
  batched if possible.
  
  Again - what is wrong with choice This is all possible and easily
  implemented.
  
  - Original Message -
  From: "Gil Peeters" [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Wednesday, March 14, 2001 8:52 PM
  Subject: Re: Batching E-Mails
  
   Well actually no...
  
   I keep all the messages on this forum as a reference (Just in case I have
   similar probs later) and I delete any irrelevant/SPAM messages when I get
   time.
  
   I do filter all messages from openssl.org to a separate folder, and I can
   view the messages threaded in my mail client (Netscape Messenger)... So this
   is an excellent feature. Mostly I just mark them all as read, and I scan the
   message subjects if I have a problem that needs solving..
  
   I don't mind the individual messages at all.
  
   Gil.
  
   Oliver Bode wrote:
   
The mailing lists I enjoy and stick with are the ones where I get one E-Mail
everyday - batched. I can then scan through the headings each day and
respond when I want or learn what I need.
   
Why do I have to download every message and then delete every single one?.
It is not difficult to batch E-Mail messages. And what's wrong with having a
choice
   
I can tell that you would appreciate batched E-mails also.
   
- Original Message -
From: "Gil Peeters" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 14, 2001 8:05 PM
Subject: Re: Batching E-Mails
   
 Why not filter all the messages from this group into a separate folder?

 That way they are separated from your other mails.

 G,

 Oliver Bode wrote:
 
  Hello Majordomo,
 
  I enjoy reading *some* of the E-mails posted to this list and am prepared
  to help people enable OpenSSL in their own projects.
 
  However, I can't stand my inbox being filled up every morning with 10,000
  messages. Is there a way I can get the messages packaged up in one E-Mail?
  So I can respond to the ones I can help with! Otherwise, I want out by the
  end of this week!
 
  Majordomo or whoever you are is there a way we can get this happening
  soon I find it too difficult to sort out the good from the crap and even
  read my own important messages. Come on can we make this happen!
 
  Oliver
 
 
  

 --
 
 Gil Peeters
 BVBA CANCAS I.T.
 Willemsstraat 2
 3000 Leuven
 Belgium
 
 JAVA and Distributed Object Specialists
 
 
   
  
 
  --
  
  Gil Peeters
  BVBA CANCAS I.T.
  Willemsst

RE: Can't compile openssl-0.9.6

2001-03-12 Thread John . Airey

Just to muddy the waters a little, the latest kernel (2.2.17) from RedHat
put the "kernel-headers" package in with the "kernel-source" package. A
really stupid idea which has caused a number of people a lot of grief,
including me!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Greg Stark [mailto:[EMAIL PROTECTED]]
 Sent: 09 March 2001 15:04
 To: [EMAIL PROTECTED]
 Subject: Re: Can't compile openssl-0.9.6
 
 
 Marcel,
 
 Your problem is that /usr/include/linux/errno.h does not exist on the
 machine in question. Make sure you have installed the necessary RedHat
 package, which I think is the "kernel-headers-xxx" RPM, and check that any
 symbolic links point to the correct places.
 
 _
 Greg Stark
 Ethentica, Inc.
 [EMAIL PROTECTED]
 _
 
 
 
 - Original Message -
 From: "Marcel Loesberg" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, March 09, 2001 9:17 AM
 Subject: Can't compile openssl-0.9.6
 
 
  Hi,
 
  I'm using openssl as a part of Tinc (a VPN program).
  I've tried to compile openssl-0.9.6 on two machines.
  Both run RedHat 6.2, the only difference between the machines
  is the motherboard and CPU.
 
  When I try to do "make" on the 2nd machine I get this error:
 
   making all in crypto...
   make[1]: Entering directory `/var/opt/test/openssl-0.9.6/crypto'
   gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cryptlib.o cryptlib.c
   In file included from /usr/include/bits/errno.h:25,
                    from /usr/include/errno.h:36,
                    from ../include/openssl/err.h:90,
                    from cryptlib.h:70,
                    from cryptlib.c:61:
   /usr/include/linux/errno.h:4: asm/errno.h: No such file or directory
   make[1]: *** [cryptlib.o] Error 1
   make[1]: Leaving directory `/var/opt/test/openssl-0.9.6/crypto'
   make: *** [all] Error 1
 
  I don't understand which file it cannot find.
  "cryptlib.o" is in /var/opt/test/openssl-0.9.6/crypto
  What do I do wrong?
 
  Regards,
 
  Marcel
  --
  It sports 64K of L1 data cache, 64K of L1 instruction cache, three
  independent integer pipelines, three address calculation pipelines,
  and a fully pipelined, out-of-order, three-way 
 floating-point engine.
  



RE: ????????--???

2001-02-01 Thread John . Airey

 -Original Message-
 From: Marco Cunha [mailto:[EMAIL PROTECTED]]
 Sent: 31 January 2001 15:45
 To: [EMAIL PROTECTED]
 Subject: RE: --???
 
[snip]
 
 If the list already shouldn't accept email from the "outside"... then
 there's something very wrong with majordomo.
 
 Thank you for your time,
 Marco Cunha

I'm not wishing to drift off into too technical a discussion, but majordomo
can operate "closed" lists, where only those on the list can send to it. I
administer several lists where this is the case. One of them I actually
approve messages before they go out, because most of the people on that list
reply to the list rather than send messages to me, which is a real pain in
the neck!

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: Certificates with many Virtual host

2001-01-25 Thread John . Airey

Correction, it does work with IE, we have a wildcard certificate that works
with IE 5.01. It works with IE 4 fine. As for IE 3.02 and before, well, they
have problems with their root certs anyway.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Michael Strder [mailto:[EMAIL PROTECTED]]
 Sent: 25 January 2001 14:34
 To: [EMAIL PROTECTED]
 Subject: Re: Certificates with many Virtual host
 
 
 Reiner Buehl wrote:
  
  There is a (not recommended) possibility for this: If all of your hosts
  belong to the same domain you could generate a so called "wildcard
  certificate".
  This is a certificate with a hostname like '*.mydomain.org'
 
 AFAIK this does not work with M$ IE.
 
 Ciao, Michael.



RE: Certificates with many Virtual host

2001-01-25 Thread John . Airey

It appears that you are not using one IP address for each virtual host. Once
you've configured those correctly the error should go away.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Luis Miguel [mailto:[EMAIL PROTECTED]]
 Sent: 25 January 2001 11:50
 To: [EMAIL PROTECTED]
 Subject: Certificates with many Virtual host
 
 
 Please, help.
 I have an apache http/https server and 8 virtual http servers
 (8 virtual host). Four virtual servers are secure servers
 Then, I have 4 hostnames and my own CA root (self signed) certificate.
 
 The certificate have only 1 host name and with
 3 of virtual host, clients can see the message:
 
   "The certificate you are viewing does not match the
 name of the site you are trying to view"
   or similar
   (Clients can work, but they see this previous message)
 
 I need that the clients can't see this message.
 
 a) Can I make my own certificate valid for many host names ?
 b) If don't, then the solution is to make 4 certificates, one for each
 virtual https host
 - a certificate (C1) for host A
 - a certificate (C2) for host B
 ...
 - a certificate (C3) for host C
 
 , but then the client must accept 4 four certificates.
 I need that the client only accept the first certificate, and not the
 four certificates.
 
 Are the solution to make a CA root certificate and then
 4 CA certificates ?
 How can make it ?
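
The name-mismatch warning discussed in this thread and in the wildcard-certificate thread above it, as an added example (not part of the original messages): a simplified model of how a client compares the host in the URL with the names in a certificate (CN or subjectAltName). The virtual host names and the IP address are constructed; `*.mydomain.org` is the wildcard form quoted in the thread. Real clients differ in detail, so the wildcard rules here are assumptions of the model.

```python
import ipaddress


def _is_ip(host):
    """True when host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(cert_name, requested):
    """Compare one certificate name with the host the user typed."""
    cert_name = cert_name.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    # An IP literal matches only the identical address, never a DNS name
    # or a wildcard.
    if _is_ip(cert_name) or _is_ip(requested):
        return cert_name == requested
    c_labels = cert_name.split(".")
    r_labels = requested.split(".")
    if len(c_labels) != len(r_labels):
        return False
    if c_labels[0] == "*":
        # Model assumption: '*' replaces exactly one left-most label and
        # must be followed by at least two fixed labels ('*.org' is refused).
        return len(c_labels) >= 3 and c_labels[1:] == r_labels[1:]
    return c_labels == r_labels


def mismatched_hosts(cert_names, requested_hosts):
    """Hosts for which a client would show the name-mismatch warning."""
    return [h for h in requested_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed sample: four secure virtual hosts in one domain.
VHOSTS = ["www.mydomain.org", "shop.mydomain.org",
          "mail.mydomain.org", "intranet.mydomain.org"]

if __name__ == "__main__":
    # One certificate carrying a single host name: three hosts warn.
    print("single name :", mismatched_hosts(["www.mydomain.org"], VHOSTS))
    # One wildcard certificate covers all four sibling hosts ...
    print("wildcard    :", mismatched_hosts(["*.mydomain.org"], VHOSTS))
    # ... but not the bare domain, a deeper name, or access by IP address.
    print("not covered :", mismatched_hosts(
        ["*.mydomain.org"],
        ["mydomain.org", "a.b.mydomain.org", "203.0.113.10"]))
```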
 



RE: URGENT : SSL Handshake failed

2001-01-25 Thread John . Airey

I hope you are kidding about using mod_ssl 2.2.7. The latest version is
2.7.1, which is what you should be running.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm 
John Airey 
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind, 
Bakewell Road, Peterborough PE2 6XU, 
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
-Original Message-
From: drt rappanah [mailto:[EMAIL PROTECTED]]
Sent: 25 January 2001 14:07
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: URGENT : SSL Handshake failed
Importance: High


Hi !!

I've installed a Netscape Certificate Server 4.2sp1 on a linux mandrake
7.2 (kernel 2.2.17-21)...
I've also installed an Apache 1.3.14 server with mod_perl 1.24_01,
mod_ssl 2.2.7, php 4.0.3pl1 and openssl 0.9.6...

<snip>



RE: Rainbow Cryptoswift cards

2001-01-19 Thread John . Airey

 -Original Message-
 From: Rodney Thayer [mailto:[EMAIL PROTECTED]]
 Sent: 19 January 2001 14:52
 To: [EMAIL PROTECTED]
 Subject: Re: Rainbow Cryptoswift cards
 
 
 is there somewhere one can get a list of the supported engine cards?
 I mean, there are vendors out there, other than Rainbow, who'd like
 to put their two milli-euro's worth into this conversation but
 that would be impolite and a commercial advertisement
 
 (yeah, yeah, read the source.  I mean a real list of the cards
 and how you buy them/etc.)
 
 
There's a list of supported cards in the openssl changelog at
http://www.openssl.org/news/changelog.html

Don't know anything else though.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



Rainbow Cryptoswift cards

2001-01-19 Thread John . Airey

I'm getting a Rainbow Cryptoswift card in the post today (thank you Santa,
although you are a bit late). 

Does anyone have experience of setting this up with mod-ssl? If so, can you
let me know how I do it. I understand I need to use shm rather than dbm, but
how do I get openssl to recognise the card?

I've the openssl change list, and it alleges support for these cards, but I
don't seem to have it. I'm using the pre-compiled rpms which I realise may
not have compiled this support in.

(I can't find anything else in the openssl or modssl docs to help me, hence
my post. The documentation available on the Rainbow site is scant as well)

Thank you. If no-one can help, I'll battle on and post my results later.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Re(2): Problem compilig under RH Linux 6.2

2001-01-09 Thread John . Airey

 -Original Message-
 From: Sebastian Paul Avarvarei [mailto:[EMAIL PROTECTED]]
 Sent: 08 January 2001 12:04
 To: [EMAIL PROTECTED]
 Subject: Re(2): Problem compilig under RH Linux 6.2
 
 
 Hello Paul,
 
 Thanks for the fast reply, but I'm still a little puzzled 
 (sorry, I'm a big Linux fan, but not a good Linux admin yet :)
 
 So I did a "rpm -qa", and I see that 
 "kernel-headers-2.2.14-5.0" is installed. On the other hand, 
 some time ago I deleted the kernel sources from HDD, to have 
 some more space. Do I need to put the sources back?
 
 Also, can someone tell me how can I check if my kernel is 
 actually compiled with support for elf binaries? 
 
 Thank you very much for helping a poor beginner.
 
 Best regards,
 Sebastian Paul Avarvarei
 E-mail: [EMAIL PROTECTED]
 
Not strictly an openssl answer this, but basically you only need the kernel
source rpm installed if you are recompiling the kernel. Also, for Redhat
6.2, you really should be using the 2.2.16-3 kernel as there are other
problems with the older version.

Support for elf binaries comes with the out of the box installation, AFAIK.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: Re(2): Problem compilig under RH Linux 6.2

2001-01-09 Thread John . Airey

 -Original Message-
 From: Sebastian Paul Avarvarei [mailto:[EMAIL PROTECTED]]
 Sent: 08 January 2001 12:04
 To: [EMAIL PROTECTED]
 Subject: Re(2): Problem compilig under RH Linux 6.2
 
 
 Hello Paul,
 
 Thanks for the fast reply, but I'm still a little puzzled 
 (sorry, I'm a big Linux fan, but not a good Linux admin yet :)
 
 So I did a "rpm -qa", and I see that 
 "kernel-headers-2.2.14-5.0" is installed. On the other hand, 
 some time ago I deleted the kernel sources from HDD, to have 
 some more space. Do I need to put the sources back?
 
 Also, can someone tell me how can I check if my kernel is 
 actually compiled with support for elf binaries? 
 
 Thank you very much for helping a poor beginner.
 
I should have mentioned that you can use the RPMs instead for openssl if you
want. They are at www.modssl.org/contrib/. Use the versions with "fixed" in
the title as there are installation problems with the other versions. 

I prefer them myself as it makes it easier to know what you have installed. 

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: what is ISO 9796?

2000-12-12 Thread John . Airey

 And anyway, if ISO9796 is a standard about digital signature, shouldn't it
 be examined to see if OpenSSL can support it?
 
 

The interesting thing about the ISO is that it takes years to get around to
making standards or changes to standards. Have a look at how often ISO
3166-1 gets changed. It's about every three years, even though country names
often change more regularly than that. It was last updated in 1997. 

I would imagine that either OpenSSL already supports it, or the standard is
so dated as to have been superseded by other developments.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: what is ISO 9796?

2000-12-11 Thread John . Airey

The International Standards Organisation have a description of this and all
their standards at http://www.iso.ch/

Totally off-topic question though.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
 Sent: 11 December 2000 15:03
 To: [EMAIL PROTECTED]
 Subject: what is ISO 9796?
 
 
 have anybody description (or short description) of this document?
 
 Martin
 



RE: what is ISO 9796?

2000-12-11 Thread John . Airey

I don't think any of us has ISO 9796 to hand. Do you have a library that
would stock it? (They are all stocked on microfiche here in the UK at major
libraries). 

Other than going out and buying it, I don't know how you would be able to
compare the two, as I guess you've already seen the description on the ISO
site. I don't believe that ISO make the full standards available on the
'net. Although I appreciate that this standard covers data encryption, I
don't think it's that relevant to this list. Anyone care to differ?

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
 Sent: 11 December 2000 15:53
 To: [EMAIL PROTECTED]
 Subject: Re: what is ISO 9796?
 
 
 Sorry,
 I didn't specify kind of this ISO. This is like PKCS#1 sign 
 algorithm (or
 something with create padding) and on ISO pages are only a buy this
 document.
 I would know differences between PKCS#1 and iso9796 coding (signing).
 
 Martin
 
  The International Standards Organisation have a description 
 of this and
 all
  their standards at http://www.iso.ch/
 
  Totally off-topic question though.
 
  -
  John Airey
  Internet Systems Support Officer, ITCSD, Royal National 
 Institute for the
  Blind,
  Bakewell Road, Peterborough PE2 6XU,
  Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 
 [EMAIL PROTECTED]
 
 
   -Original Message-
   From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
   Sent: 11 December 2000 15:03
   To: [EMAIL PROTECTED]
   Subject: what is ISO 9796?
  
  
   have anybody description (or short description) of this document?
  
   Martin
  
   



RE: Corrected openssl.spec file

2000-11-22 Thread John . Airey

This spec file is basically an amended version of what was already on the
contrib page. However, this file tried to create symlinks in directories
that don't normally exist (not on my machines, anyway) and remove a
directory as a file. This causes the installation script to fail as it is a
more serious error (on my system) than creating a directory that doesn't
exist or attempting to remove a non-empty directory. The package doesn't
install fully in this case.

Since I needed to fix this for my own purposes, I made it public.

I'm about to put this spec file on the contrib page and "fixed" versions of
the existing rpms. I hope that Steve, who recently posted to this list, will
find these useful as they install without errors (again, on my system).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
 Sent: 22 November 2000 15:20
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Corrected openssl.spec file
 
 
 From: [EMAIL PROTECTED]
 
 John.Airey This is the diff between my file and the old file. If I
 John.Airey have this the wrong way round please let me know!
 
 Actually, your file is much more different from the "standard" one
 than you showed us.  It seems to contain a lot of tweaks to make sure
 old SSLeay users don't get bothered and a lot of other stuff that I'm
 not sure really belongs in a .spec...
 
 -- 
 Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
 Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
 Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
 Member of the OpenSSL development team: http://www.openssl.org/
 Software Engineer, Celo Communications: http://www.celocom.com/
 
 Unsolicited commercial email is subject to an archival fee of $400.
 See http://www.stacken.kth.se/~levitte/mail/ for more info.
 



RE: Openssl RPMs

2000-11-20 Thread John . Airey

Thank you for your reply. However, I find it confusing that RPMs are
available from the modssl site yet I am unable to contact the person who
provided them. I have managed to contact one person who tells me that he
didn't provide them, and I've had no response so far from the only other
email address mentioned in the package ([EMAIL PROTECTED]).

If the status of these RPMs is now "unsupported" then I myself am perfectly
willing to provide and support these, but I would not wish to do that unless
I know that I'm not stepping on anyone else's toes. I have plenty of machines
at my disposal to create and test these on.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Ulf Moeller [mailto:[EMAIL PROTECTED]]
 Sent: 17 November 2000 17:07
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: Openssl RPMs
 
 
 On Fri, Nov 17, 2000, [EMAIL PROTECTED] wrote:
 
  I've used the source rpm for openssl 0.9.6 to create the 
 i386 version (using
  "rpm --rebuild openssl-0.9.6-1.src.rpm from
 
  Why are there no longer i386 and i586 versions being made 
 available? 
 
 The OpenSSL project doesn't provide RPMs. You'll have to ask 
 whoever made
 them.
 
 The official OpenSSL source creates i486 code with a few time-critical
 parts hand-optimized for Pentium. You can replace the -m486 flag with
 -march=pentiumpro if you have a relatively new compiler.
 
 If you need to build code that also runs on i386 machines, 
 you must use
 the config option "386". That will cause some algorithms to be slower.
 



RE: Openssl RPMs

2000-11-20 Thread John . Airey

Thank you all for your replies, especially Fonya's. 

I agree that modssl isn't openssl, but I find it odd that the RPMS for
openssl are being put on the modssl site rather than the openssl site (which
incidentally has only one contribution at www.openssl.org./contrib). Openssl
RPMS have a much wider use than just for modssl. Could they be moved? (I
think I should ask here first before asking the modssl list).

My reasons for being keen on RPMs are that I have to explain to less
technical people what we have installed and how to uninstall it if it goes
wrong. From my point of view it's easier to show someone how to install and
uninstall RPMs rather than explaining how to compile code from scratch. I'm
not averse to compiling programs with configure/make/etc, but my
colleagues wouldn't even know where to start. They don't even understand
what inetd does!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


 -Original Message-
 From: Villy Kruse [mailto:[EMAIL PROTECTED]]
 Sent: 20 November 2000 14:37
 To: [EMAIL PROTECTED]
 Subject: RE: Openssl RPMs
 
 
 
 That is not the openssl site, though.  The modssl is 
 something different.
 
 BTW, is it still necessary to link from www.modssl.org to www.ssleay.org,
 considering that www.ssleay.org has very little ssl related stuff?



Villy




RE:

2000-11-10 Thread John . Airey

There are at least two possibilities here:

Either the 3rd party is using ssh, a kind of secure telnet (that runs on
port 22)
Or the client is using an ssl encrypted connection to the telnet port (23)
or any other port for that matter.

If it is the latter case it's worth checking out "stunnel" which uses
openssl to encrypt data over a standard port. Some protocols can't use this
(eg ftp) as they don't use a single port.

I think you'll need some more information though!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: Ian Diddams [mailto:[EMAIL PROTECTED]]
Sent: 08 November 2000 14:56
To: [EMAIL PROTECTED]
Subject: 



I've been tasked into investigating a link a 3rd party may be making to our
servers shortly over SSL.

I've downloaded OpenSSL and installed it etc... but frankly I don't know
what I'm supposed to do with it!

The 3rd party mentioned will basically be telnetting in over an SSL link I
am told (but nobody knows any more :-( ) ... so how exactly would such an
arrangement normally occur? Any ideas?
Apologies for the ignorance, but I have to start somewhere (the 3rd party
is not available for questioning AFAIUI).
Ian
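
One way to tell the two possibilities in the reply above apart from a packet capture, as an added example that is not part of the original thread: an SSH peer opens with an "SSH-" identification line, an SSL/TLS client opens with a handshake record, and cleartext telnet opens with IAC option negotiation. The function name and the sample byte strings are constructed for illustration.

```python
# Added example (not from the thread): identify the protocol from the first
# bytes seen on a new TCP connection, whichever side speaks first.

def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls', 'sslv2', 'telnet' or 'unknown'."""
    if data.startswith(b"SSH-"):
        # SSH identification line: SSH-<protoversion>-<softwareversion>
        return "ssh"
    if len(data) >= 2 and data[0] == 0xFF and 0xF0 <= data[1] <= 0xFE:
        # Telnet IAC (255) followed by a command byte (SE=240 .. DONT=254):
        # the session is negotiating options in cleartext.
        return "telnet"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS record header: content type 22 (handshake), major version 3.
        return "tls"
    if (len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01
            and data[3] in (0x00, 0x03)):
        # SSLv2-format ClientHello: 2-byte length with the high bit set,
        # message type 1, then version 0x0002 or 0x03xx.
        return "sslv2"
    return "unknown"


# Constructed opening payloads, truncated to the bytes the classifier reads.
SAMPLES = {
    "ssh_banner": b"SSH-1.99-ExampleServer\r\n",
    "tls_client_hello": bytes.fromhex("16030100c8010000c40303"),
    "sslv2_client_hello": bytes.fromhex("802e0100020015"),
    "telnet_negotiation": bytes.fromhex("fffd18fffd20"),
    "smtp_greeting": b"220 mail.example.test ESMTP\r\n",
}


def classify_samples() -> dict:
    """Classify every constructed sample and return {name: verdict}."""
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} -> {verdict}")
```

Telnet wrapped by stunnel shows up as "tls" or "sslv2" on the wire; a "telnet" verdict on a link that is meant to be encrypted means the session is travelling in cleartext.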




RE:

2000-11-10 Thread John . Airey

Sorry to correct you, but ssh is much more than secured telnet. Using
stunnel it is possible to encrypt telnet over an ssl link using a single key
of 40/56/128 bits (this would probably be using the openssl libraries to do
so). However ssh uses a combination of keys to encrypt the data. One of
those is the server session key that changes automatically every hour. 

This makes it more difficult to break ssh via brute force than ssl. However,
I'm not foolish enough to state that it is impossible to break, just very
difficult.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: David Walgamotte [mailto:[EMAIL PROTECTED]]
Sent: 08 November 2000 14:52
To: '[EMAIL PROTECTED]'
Subject: RE: 


ssh is secured telnet !

-Original Message-
From: Ian Diddams [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 08, 2000 8:56 AM
To: [EMAIL PROTECTED]
Subject: 



I've been tasked into investigating a link a 3rd party may be making to our
servers shortly over SSL.

I've downloaded OpenSSL and installed it etc... but frankly I don't know
what I'm supposed to do with it!

The 3rd party mentioned will basically be telnetting in over an SSL link I
am told (but nobody knows any more :-( ) ... so how exactly would such an
arrangement normally occur? Any ideas?
Apologies for the ignorance, but I have to start somewhere (the 3rd party
is not available for questioning AFAIUI).
Ian




RE: Error Message : IP address does not match the server name

2000-10-30 Thread John . Airey

If memory serves me correctly, a "lame" DNS record is one where a server
thinks that record is authoritative, but actually isn't. Try querying another
DNS server at random to see what it thinks is your primary DNS.

If this is what is causing you a problem it isn't related to Openssl at all.


- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Sze Yee [mailto:[EMAIL PROTECTED]]
Sent: 29 October 2000 03:17
To: [EMAIL PROTECTED]
Subject: Error Message : IP address does not match the server name


Hi, all

I have set up openssl on a RedHat 6.1. Have
created a self-signed cert using the perl module
CA.pl.

When I try to send mail or receive mail using the SSL
connection using Outlook 98, the following error
message occurs: "IP address does not match the server
name".

I have entered my server name (host.domain) as my
common name (CN) in the certificate. I tried keying
in the IP address and the error message no longer
appears.

So, I am wondering if this is due to a DNS error? (PS:
I have set up a DNS server as well. When viewing the
error log, there are error messages like "All A RR records are
lame".)

Thank u in advance

Regards, 
Sze Yee

