Cheers!
In general, should I be looking to submit patches against master? Assuming
the latest stable branch was the place to go may have been presumptuous of
me. :)
Best regards,
Oscar Jacobsson
On 2014-06-26 14:40, Hubert Kario via RT r...@openssl.org wrote:
- Original Message
Just my two hundredths of a crown:
(and I really hope I get the ordering right.)
O=McDonalds, L=Tampa, ST=FL, C=US
This does break the naming recommendations given in X.521 Annex B
though, which don't allow for a stateOrProvinceName.
Best regards,
//oscar
David Lyon wrote:
We have a new
Well...
I think it's more a case of OpenSSL and LDAP using *different*
mechanisms for string encoding. LDAP reverses the RDN sequence (making
it conform to RFC 2253), while OpenSSL (and this goes back to SSLeay)
does not.
I don't think you could really claim that there was an X.500 order at
Bodo Moeller wrote:
Oh, that. I think that was a typo; all the other branches use
INT_MAX (and so does 0.9.6-stable now).
Ah. I haven't got anything that could really pass for a C standard
library reference handy, so I just chalked it up to MSVC misbehaving out
of habit.
Thanks for clearing
Bodo Moeller wrote:
* crypto/bio/bss_bio.c now checks SSIZE_MAX, and in the visual c++
limits.h this won't get defined unless one defines _POSIX_. Should this
definition go into e_os.h or is it ok to simply insert it here prior to
the inclusion of limits.h?
If SSIZE_MAX is not defined,
Hi!
More MSVC fixes.
The little path below is required to get crypto/engine/hw_aep.c to
compile with MSVC.
Best regards,
//oscar
diff -u -r1.1.2.4 hw_aep.c
--- hw_aep.c7 Feb 2002 22:04:27 - 1.1.2.4
+++ hw_aep.c23 Feb 2002 10:20:39 -
@@ -82,8 +82,8 @@
#endif
-static
Unfortunately, the engine version of 0.9.6c doesn't build cleanly with
MSVC. Would you mind terribly using a current snapshot of the stable
engine branch instead, until there's an official release that addresses
this issue?
Best regards,
//oscar
Hi!
Just a couple of quick niggles with the 0.9.6-stable branch:
* The fix for crypto/tmdiff.c (ie. the diff between 1.9.2.1 1.9.2.2)
needs to be merged into this branch as well. Missing #endif.
* crypto/bio/bss_bio.c now checks SSIZE_MAX, and in the visual c++
limits.h this won't get defined
This was all actually changed intentionally a while back as there was a
conflict between id-at-uniqueIdentifier and { 0 9 2342 19200300 100 1 1
} (henceforth simply referred to as Userid.)
The reason for the conflict is that both claimed the short name uid.
Userid, having formally had the
Warning: loads of Win32-specific information inside. Proceed at your own
risk!
If by making it run via ASP/IIS you mean having it accessible from
Visual Basic/VBScript I'm afraid there's quite a bit of manual tweaking
that will have to be done.
In order for C functions to be at all usable from
Hi!
Just two slight problems with the Win32/VC6 build:
1) util/libeay.num seems to be missing a couple of entries, namely:
ENGINE_load_aep
ENGINE_load_sureware
These are both in the trunk, but don't seem to have made it out into the
release branch.
2) For some reason, in the
Richard Levitte - VMS Whacker wrote:
I just commited a libeay.num that have these added. I also changed
the main trunk libeay.num so those two would stay in the same position
there as well.
Grand!
According to the Unixly manuals, they are defined in or through
string.h. Is that true in
Richard Levitte - VMS Whacker wrote:
Actually, wouldn't the availability of functionality be somewhat up to
the plug-in as well? In the full-blown PKI, you will also have things
like fetch me the cert corresponding to this name and fetch me the
key (or a handle to the key) with this
Bear Giles wrote:
Remember that there are actually two independent pieces of code here -
a tab A independent shared library and a slot B library that loads
it. The latter can provide convenience wrappers to functions in the
former, avoiding the need to duplicate code in the independent part.
Dr S N Henson wrote:
I'd be reluctant to have multiple APIs handling each case. What we could
have is flags or profiles saying what a certain kind of database should
support.
OpenSSL currently has separate APIs, as opposed to flags or profiles,
for handling EVP_PKEYs, X509s and X509_CRLs
Bear Giles wrote:
And from a pragmatic perspective, whole-cert hashes make a lot of sense.
NB: I've only ever messed about with relational databases for a brief
spell a few years back, so please excuse my struggling with the
terminology.
As primary keys go, I'm certain that whole-cert hashes
Bear Giles wrote:
But a plug-in that transparently updated a smart card would be extremely
handy. :-) That's what makes the design so hard - it needs to be able
to handle everything from 8k smart cards holding a single veiled key and
cert to RDBMS databases with 50,000+ entries.
I think the
Richard Levitte - VMS Whacker wrote:
From: Bear Giles [EMAIL PROTECTED]
bear Of course, this opens the whole can-o-worms of what constitutes
bear a duplicate cert? Is it an exact match, or matching I+SN, or
bear some other criteria?
Depending on who you listen to, one could say it's the
I couldn't seem to find too much information about what platform your
client is running on, but it sure sounds like a case of run-time library
conflict.
If you're running win32, building with msvc, please consult the FAQ
for info on how you might be able to resolve this:
Ralf Dreger wrote:
After a while the error is coming. I tried to find the file, but it is not
coming
with your product.
[...]
.\crypto\cryptlib.c(59) : fatal error C1083: Cannot open include file:
'stdio.h'
: No such file or directory
From the FAQ:
* Why does the OpenSSL compilation
Please find attached the patches required to get the trunk (as of last
night) to compile with visual c++ using the standard build procedure.
Best regards,
//oscar
Index: crypto/aes/Makefile.ssl
===
RCS file:
Hmm. Seems to have gotten lost on the way. Resending.
//oscar
Please find attached the patches required to get the trunk (as of last
night) to compile with visual c++ using the standard build procedure.
Best regards,
//oscar
Index: crypto/aes/Makefile.ssl
Hi!
This really depends a lot on your situation. If you've got access to the
card containing the certificate and private key, you're better off using
something like Cryptoki (PKCS#11) to encrypt/decrypt directly using the
card without having to extract data.
If you don't have access to the
Works like a charm. Thanks!
//oscar
Richard Levitte - VMS Whacker wrote:
Thanks for finding that. I've a patch that I'm going to commit as
soon as I see that it compiles. Wanna try it? Expect it within half
an hour.
About half a year ago, apps/pkcs12.c was patched to use the load_*()
functions of apps/apps.c instead of its own. This patch appears to have
broken the client, as the new function prototype is:
stack = load_certs(...)
which is called twice in case CA certificates are passed using the
Richard Levitte - VMS Whacker wrote:
Thanks for finding that. I've a patch that I'm going to commit as
soon as I see that it compiles. Wanna try it? Expect it within half
an hour.
Cheers! I'll try rsync:ing my repository copy again in a bit.
//oscar
I've used DC-based naming (RFC 2377?) for a while now, and can't really
remember running in to any particular problems.
I generate the certificates using the OpenSSL command line apps using a
configuration like this:
[ OJ_req_distinguished_name ]
0.domainComponent = TLD component
Your private key is in the file 'user.key', which you have specified by
passing the argument '-out user.key' to the genrsa command.
Your certificate, stored in 'user.crt' does not contain the private key,
hence the name public-key certificate, but the PFX you create
('user.pfx') using the pkcs12
Amodhini U wrote:
Does OpenSSL already have a function to pack an
X.509v3 structure into a contiguous array-block? And
to unpack it back afterwards? If so, could you please
point me to those functions? And to any sample code
that uses them?
OpenSSL does indeed have such a function, which
how one
should tell them apart either, if necessary. Perhaps by appending an 's'
to the static library builds, much like a 'd' would be to the debug
builds?
Richard Levitte - VMS Whacker wrote:
From: Oscar Jacobsson [EMAIL PROTECTED]
oscar Might I also request some kind of additional
Neff Robert A wrote:
In keeping with Windows tradition, I would move that you NOT use
the letter 's' for single-threaded, but rather use the mt
designation for multi-threaded or mtd for multi-threaded-debug
would be my preference. No mt designation within the library name
would imply
Richard Levitte - VMS Whacker wrote:
Single threaded Static, non-debug - ??? (please help me out)
libc.lib (Compiler flag /ML)
Single threaded Static, debug - ??? (please help me out)
libcd.lib (Compiler flag /MLd)
Multithreaded Static, non-debug - ??? (please help
First off, both server names appear to point to the same IP address,
meaning it's a case of a single dodgy server.
I'm pretty sure this is a case of the server ignoring the minor protocol
version number sent by the openssl client (3.1 = TLSv1), and simply
responding as if the client had
Hi!
The easiest way to set this up is to make sure your client has the root CA
certificate in a file locally on his machine. Then you can call the function
load_verify_locations(ctx, CA_FILE, 0) in your client code in order to have your
client's SSL_CTX trust the certificates in that file.
It is indeed.
The reason load_verify_locations(ctx, 0, caPath) isn't working as expected, is
because that method places requirements on how the certificate files in there
are named.
When you run load_verify_locations(ctx, caFile, 0), all certificates in
caFile are loaded and added to your
Dr S N Henson wrote:
Only problem is that this is on Windows and the standard c_rehash won't
work.
Ah.
Oh well, the functionality can be emulated quite easily by mimicking the script.
First make sure we can actually verify our cert directly by file:
openssl verify -CAfile ca.crt user.crt
Dr S N Henson wrote:
Only problem is that this is on Windows and the standard c_rehash won't
work.
Actually, after looking at the c_rehash code, and removing the (IMHO quite
redundant) stuff that sifts through the path and tries to find the openssl
command, it works just fine on windows, using
Making sure that the server uses a certificate issued by verisign is a case of
using the SSL_CTX_load_verify_locations(...) function to add verisign's root as
a trusted certificate. There are actually quite a number of verisign roots,
but I digress...
You will definitely want to perform some
Hi!
From the SSL_CTX_load_verify_locations manpage:
If CApath is not NULL, it points to a directory containing CA certificates in
PEM format. The files each contain one CA certificate. The files are looked up
by the CA subject name hash value, which must hence be available. If more than
one CA
Just a quick hack to dump a private key to an unsigned char[]. Basically copied
and pasted the equivalent bit from x509.c. Seems to work ok (famous last words
aside.)
Cheers,
//oscar
diff -r1.31 rsa.c
82a83
* -C - print out C code forms
99c100
int
The declaration of tmp.clear in SSL2_STATE seems to have changed from
int to unsigned int, so the following patch should get rid of the only
current compiler warning:
diff -r1.33 s2_srvr.c
475c475
|| (is_export ((i != ek) || (s-s2-tmp.clear+i !=
---
|| (is_export
Oscar Jacobsson wrote:
Also, would it be possible to add *.out to ms/.cvsignore so that these
files can actually be overwritten as required by the test process?
And could ms/*.out then also please be removed from the repository in the first
place?
Cheers,
//oscar
From: [EMAIL PROTECTED]
mark Log:
mark Back-port of Broadcom engine code from 0.9.7 to 0.9.6, but with a few
mark patches taken from Red Hat Linux 7.2. Original code from Broadcom with
mark patches and backport by Nalin, more backport to fix warnings and const
mark changes by Mark
It
List,
I encountered a problem (as well as the odd warning or two) when
compiling last night's snapshot on VC-NT.
Basically, EVP_Digest now takes an additional ENGINE*, which is not
present in the MD() macros defined in crypto/rand/rand_lcl.h.
I'm not entirely sure how best to solve this. I
Hi again!
I'll attempt to answer the questions you have in-line below. I hope it's
ok if I try to keep things as simple as possible right now, referring to
the OpenSSL command-line tools as much as possible.
PS. I hope to be able to start work on the tutorial during the day.
//oscar
Ravi
I guess it depends on exactly what you mean by interdependent CAs. Are
you referring to cross-certification between different CA products, or
were you more interested in cross certification in general?
I've done a bit cross certification work using OpenSSL for a piece of
software I'm currently
Hi Amnon!
IIRC, enabling TLSv1 in IE5 would result in not being able to connect to
such a buggy server, which I assume would be for the same reason as with
s_client.
IE6 however seems to be able to connect, which I think (although this is
only me guessing here) is due to it detecting the bad
Hi!
I *think* the problem you are describing is actually on the server side.
IIRC this is because your s_client by default will attempt to use TLS
1.0 (SSL 3.1), which the server incorrectly parses as SSL 3.0 (ignoring
the minor version number).
TLS 1, which s_client assumes both parties have
I can recommend taking a look at the Adaptive Communications Environment
(http://www.cs.wustl.edu/~schmidt/ACE.html) if you're interested in a
package that will hide the OpenSSL implementation details for you.
The documentation available from the site is excellent, IMHO, and
there's even a
Harald Koch wrote:
I'm not quite sure either, to be honest, which is why I don't like the
separate certificates approach. On the other hand, I'm told that the
financial institutions, for whatever reason, *like* having separate certs
(presumably so that different people can be given access to
Dr S N Henson wrote:
Extensions are also used for security purposes, for example to indicate
whether a certificate is a valid CA certificate and to prevent end user
certificates being able to masquerade as CAs.
I would definitely consider the ability to constrain issued certificates
through
Hi!
If you were wondering how to get this policy OID into a CA certificate
using OpenSSL in the first place, the easiest way would be to use the
following line in the CA certificate extension section of your
configuration file:
certificatePolicies=0.4.0.1456.1.1
Best regards,
//oscar
Bahram
Pardon me for barging in, but I just thought a link to the actual paper,
courtesy of NEC's excellent Citeseer service, might come in handy:
http://citeseer.nj.nec.com/8352.html
Is there a specific reason you're looking into using MMH specifically as
opposed to UMAC? (Halevi, Krawczyk et al):
No problems encountered, but I thought there might still be some
interest in seeing which platforms I have so far compiled and tested on
using openssl-e-0.9.6-stable-SNAP-20010708.tar.gz:
win2k sp2/vc++ 6 sp3,
linux 2.2.16/egcs 2.91,
solaris 2.6/sun workshop 6.
No problems at all encountered so
Richard Levitte - VMS Whacker wrote:
I definitely do *not* want to have to tell OpenSSL that I trust the CA
of my "Trusted Responder" certificate, because that might imply that I
trust any certificate that CA has produced.
Precisely, and that's why we have the key usage extensions. You
Dror wrote:
The disadvantages (in VC environment) are:
1.) that the memory leaks report appears in two places: the leaks
occurred in the application (with the file name and line number)
together with those occurred in OpenSSL (without the file name
and line number ) on the debug output
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte - VMS
Whacker
Sent: den 26 september 2000 13:58
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: OCSP and issuerNameHash (was: Object names)
Unless we can assume that the
The 6th draft of X.509 2000 (which was all I had handy) has the following
to say about the encoding of SETs OF:
quote
In order to enable the validation of SIGNED and SIGNATURE types in a
distributed environment, a distinguished encoding is required. A
distinguished encoding of a SIGNED or
Richard Levitte wrote:
And still, short names have been used for a while, since they do appear
in
X.400 addresses and in DNs a little here and there.
Pardon me for butting in to the discussion this late, but is this really
an issue of short or long names?
I think the core problem at hand
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte - VMS
Whacker
Sent: den 25 september 2000 23:14
To: [EMAIL PROTECTED]
Subject: Objects and a configuration file
[...]
I'm definitely willing to redesign the contents of
William C Klein wrote:
...
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in (the file will be overwritten).
...
Colin Chalmers wrote:
After successfully compiling and testing the source code I am now
trying to integrate the libraries into an application I am building in
VC6, winnt 4.0 sp5. Unfortunately I am getting the following error
test.obj : error LNK2001: unresolved external symbol
Alexei Bakharevski wrote:
Some suggestions, although, not specific to NT:
1. have the following build targets: static library (debug release),
dynamic library (debug release);
There's a few other issues at hand, I think. Would it be enough to just
release a "static library" build target? I
Arne Ansper wrote:
One of my colleagues, Mr. Toomas Kiisk [EMAIL PROTECTED] changed
BIO_s_log so that required functions from advapi32.dll are looked up at
runtime, so you don't have to create NT and 9x versions of OpenSSL
DLLs. I attached the diff between 0.9.5a and our version.
Good.
List,
would there be any interest in seeing some work put into refining the
win32 build process, and if so would there be any specific requests?
I was basically considering something along the lines of unifying the
ms\do_*.bat into a single script that would be able to create all of the
Richard Levitte - VMS Whacker wrote:
Thanks. I'm comparing to a CRL I have and which works, and what I
find that looks weird is this part:
Is this not a case of a "missing" revokedCertificates SEQUENCE OF
SEQUENCE ? Would this be normal encoding for an empty CRL?
revokedCertificates is
Jean-Marc Desperrier wrote:
This looks like a valid crlExtensions as in a RFC-2459, but I'm not sure if OpenSSL
pretends to support RFC-2459 fully.
Keon should probably take part of the blame for failing to set Version,
as required by RFC 2459:
5.1.2.1 Version
This optional field
Oscar Jacobsson wrote:
Keon should probably take part of the blame for failing to set Version,
as required by RFC 2459:
5.1.2.1 Version
This optional field describes the version of the encoded CRL. When
extensions are used, as required by this profile, this field MUST
Hi!
When trying to make a debug win32 link with a MASM 6.11-generated
s1-win32.obj I get the following warning:
libeay32.lib(s1-win32.obj) : warning LNK4200: corrupt line number
information in object file; ignored
NASM-0.98 appears to have no problems though.
Cheers,
//oscar