./config -d
on a standard linux box (RedHat 7.1) gives :
Operating system: i686-whatever-linux2
This system (debug-linux-pentium) is not supported. See file INSTALL for
details
I think that out of the box debug support for this kind of platform is
needed.
The doc says :
Create an OCSP request and write it to a file:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
In my test, I try to do exactly that with :
openssl ocsp -issuer ocsp_ca.pem -cert ocsp_valide.cer -cert
ocsp_revoque.cer -reqout req.der
But no req.der
Mike Pechkin via RT wrote:
On Wed, Jun 05, 2002 at 03:10:58PM +0200, Lutz Jaenicke via RT wrote:
The problem is caused by inconsistent definitions for the OID values.
According to RFC2256, the OID 2.5.4.45 is assigned to
X500UniqueIdentifier. UniqueIdentifier was assigned to
Lutz Jaenicke via RT wrote:
I would like to see more discussions about this issue. I have looked
around some more and still find referrals like
http://www.alvestrand.no/objectid/2.5.4.45.html
with the UniqueIdentifier term instead of X500UniqueIdentifier.
This is the original name of this
In 0.9.7-b1, an invalid value for the CAfile parameter in a call to
openssl ocsp generates a core dump when verifying OCSP requests.
When the setup_verify function fails because it can not open the CAfile
parameters, it returns NULL.
The function OCSP_basic_verify that is called just after
Michael Bell wrote:
Rich Salz schrieb:
OtherName ::= SEQUENCE {
type-idOBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
It means that the type-id OID defines the datatype of the value. Think
of it as a union.
So the software must now the
"Reddie, Steven" wrote:
Greg, I'm not sure about the state of PKCS#11 support in relation to the
latest snapshot, however I can give you some answers in relation to the
latest release, OpenSSL 0.9.4.
It seems everyone is duplicating this effort in fact.
I supected that already.
*
But the log was explicit enough to guess his problem is truly that the
assembler is not present.
So install gas Schaefer.
And check carefully all the pipes before turning on, you don't want your
computer to explode and blow away the office, do you ? ;-)
Hannes Reinecke wrote:
Tom Schaefer
Michael Sierchio wrote:
"Rene G. Eberhard (keyon)" wrote:
...Unicode for example is suppored by
Universal and UTF8.
I also meant to point out that UTF-8 supports ASCII, but not EBCDIC, for
example (not that I imagine that anyone would want to use the latter...;-)
Well, we're getting
Peter Gutmann wrote:
Dr Stephen Henson [EMAIL PROTECTED] writes:
Is there any circumstances where the environment isn't safe? I believe extra
privs are normally needed to read another users processes environment.
Under DEC Unixen you can read anyone's environment without any extra privs
Ben Laurie wrote:
No - it is a limitation of the current usage of http over SSL, where the
SSL negotiation happens before the Host: header. It is a general problem
inherent in most simplistic SSL-ing of protocols, where the rush to SSL-ify
meant that the protocol got broken, rather than
Dr Stephen Henson wrote:
Jean-Marc Desperrier wrote:
Ben Laurie wrote:
No - it is a limitation of the current usage of http over SSL, where the
SSL negotiation happens before the Host: header. It is a general problem
inherent in most simplistic SSL-ing of protocols, where
I'm trying to define an ASN1 type that has an element which is a stack
of UTF-8 string usins 0.9.4 and I have some problems.
I figured I had to define the type STACK_OF(ASN1_UTF8STRING) with
DECLARE_STACK_OF(ASN1_UTF8STRING), but this bring problems.
I suggest you give up this message now if
Denis Ducamp wrote:
I'm developping a password cracker using libcrypto.a from openssl. The goal
isn't to have a fast password cracker as John the Ripper, but to document
the different algorithmes, their weaknesses and to show how easy it is to
develop such a piece of software when good
Dr Stephen Henson wrote:
#define DECLARE_STACK_OF(type) \
#define IMPLEMENT_STACK_OF(type) \
There's a problem with this solution. If you need another ASN1_STRING
equivalent STACK_OF such as ASN1_IA5STRING you get a conflict because
the structure STACK_ASN1_STRING gets declared twice.
Peter Onion wrote:
s/OSCP/OCSP/ I think ???
Let's all dump english.
From now, we speak vi !!
Oh, year, here is an english translation for the slow to learn :
Shouldn't we replace the substring OSCP in this line by the string OCSP ?
Ben Laurie wrote:
Eben Moglen wrote:
In the worst case analysis, components exported
now might subsequently become non-exportable in the event that
Perhaps I'm failing to understand here ... you say "No code not
originally developed in the US would be subject to..." but sure we're
Richard Levitte - VMS Whacker wrote:
sorribas Hi, I'm trying to compile the gpkcs11 module witch uses the
sorribas openssl. The gpkcs11 try to find a file called evp_pkcs11.h
sorribas and doesn't found it. Where can I find that file?
As far as I know, evp_pkcs11.h is not part of OpenSSL.
Hi,
Either I've got something wrong or there's a big problem here.
I create new objects with OBJ_create, giving their OID as an argument
and getting back an NID.
Then I convert some data that is the DER encoding of an OID to an
ASN1_OBJECT.
I then call OBJ_obj2nid, expecting to get back the
Oscar Jacobsson wrote:
Richard Levitte - VMS Whacker wrote:
* 105:d=2 hl=2 l= 19 cons: cont [ 0 ]
107:d=3 hl=2 l= 17 cons: SEQUENCE
109:d=4 hl=2 l= 15 cons: SEQUENCE
* 111:d=5 hl=2 l= 3 prim: OBJECT:X509v3 Authority Key Identifier
* 116:d=5 hl=2 l=
Dr Stephen Henson wrote:
There are several possible reasons for this. I've done some things which
use OBJ_create() fairly recently and I can't remember it being altered
since then.
I wrote a short test for this, and it works in it.
I'll check my program until I find what can make the
Hi,
I have some code that calls OCSP_basic_verify with a NULL st argument,
and I have just found it will crash if the ocsp cert is self-signed.
What happens is that OCSP_basic_verify doesn't check the argument is non
NULL, but calls X509_verify_cert(ctx) and we end up in
Diego de Freitas Aranha wrote:
During my Msc, I developed an implementation of bilinear pairings over
elliptic curves using OpenSSL. In particular, an implementation of the Tate
pairing over curves defined on prime fields.
I am writing to ask you guys if the OpenSSL team has any interest on
Hi,
I notice MDC-2 is not enabled by default on openssl 0.9.8.
This has no reason to be, the IBM patent on MDC-2 has expired in march
2002 because IBM did not renew it.
(the wikipedia MDC-2 page has the link proving it. Go to :
Joe Orton wrote:
On Fri, Nov 06, 2009 at 12:00:06AM +, Joe Orton wrote:
On Thu, Nov 05, 2009 at 09:31:00PM +, Joe Orton wrote:
* we can detect in mod_ssl when the client is renegotiating by using the
callback installed using SSL_CTX_set_info_callback(), in conjunction
Hi,
So when Apache is compiled with openssl 0.9.8l, TLS renegotiation will
be fully disabled.
But the problem with that if that some comments of the discussion inside
https://issues.apache.org/bugzilla/show_bug.cgi?id=39243 are true, this
change will unexpectedly break very badly a *lot* of
smitha daggubati wrote:
Does openssl have support for SHA-2. ?
I know that SHA-2 is part of the crypto library but looking at the way the
context is setup in ssl_ctx_new we are setiing up
ret-sha1=EVP_get_digestbyname(ssl3-sha1))
So is there a way to establish an openssl connection using
Thor Lancelot Simon wrote:
I think it's a mistake to send a fatal alert. In the past week as I've
been experimenting with this, I've encountered a number of embedded
client devices (cellphones -- I suspect I know which stack they're using
but I'm not certain, so I won't identify the vendor
john via RT wrote:
Why is it that the static locks have not been removed completely for
0.9.8? If it is to keep some backward compatibility with older apps,
or ones that see no reason to change, would it not be preferable if
the whole of openssl was compatible in this way, including the
Hi,
I just noticed that
ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
should be
ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
BTW the v3_sxnet.c code is missing a *lot* of const-ification.
David Taylor wrote:
I only just joined this list today to past this patch.
So in one word :
- for technical reasons, fd bio are preferable to file bio on Solaris
- but as fd bio don't implement gets, they are not usable as a direct
replacement for file bio
- your attached patch implements
Brian Long wrote:
On Fri, 2006-01-27 at 15:23 +0100, Stephen Henson via RT wrote:
Note that some TLS extension code has recently been committed to the
HEAD (0.9.9-dev). So if this is to be included into OpenSSL it would
have to work with that.
Is it true that openssl-0.9.7 and 0.9.8
Dr. Stephen Henson wrote:
PKCS12_parse() in its current form will only handle well formed PKCS#12 files
which contain a private key, its corresponding certificate and zero or more
CA certificates.
The PKCS#12 standard doesn't seem to require that a PKCS#12 files
contains all of this, I've
camino (sent by Nabble.com) wrote:
i have a signed letter,
how can i extract the certificate from it ?
[...]
but i wonder how to achieve it in program
The openssl documentation is somewhat lacking on this subject.
Still http://www.openssl.org/docs/crypto/PKCS7_verify.html# gives you a
Klaus Weidner wrote:
[...] - please let me know if you have issues with the
bugfix, [...]
The following patch uses the ANSI C setvbuf(3) function [...]
+ {
+ if (bufsize != NULL)
+ setvbuf(stdin, (char *)NULL, _IONBF, 0);
Hi,
I'm trying to build a version of openssl with a very strongly reduced
set of cryptographic primitives.
I've already hit a number of quirks (it might be it mostly impacts
Windows builds) that I'll try to detail when I have time, but here is
one that's easy to fix :
ts.h doesn't use the
I've found out three functions in OpenSSL aren't defined with const
arguments, despites the fact they do not modify them.
They are :
ASN1_PRINTABLE_type (arg 1)
and
X509_NAME_ENTRY_create_by_* (arg 4)
X509_NAME_add_entry_by_* (arg 4)
which end up calling ASN1_STRING_set that has the const.
Ben Laurie wrote:
The bug is in MS - they are encoding a top-bit-set number without
inserting a leading zero, so OpenSSL (correctly) sees it as negative.
The output of openssl x509 is not very explicit.
It probably should fail, instead of diplaying it as a 510 bits number without saying
it's
simon wrote:
I have the PEM file that they generated. How do I covert the data in that pem
file into a certificate that can import to windows 2000/NT
Your immediate help will be appreciated
I think you should convert the PEM file to DER-encoded form first,then you can import
Andrey Romanov wrote:
I am looking for information about timestamping in general (Any standards
existing?) and how to implement it using OpenSSL library. So far I am were
not able to find anything, even about MS Authenticode implementation
details.
Read the TSP
Michael Ströder wrote:
Currently there is no such central document since everybody is free
to define OIDs after getting a OID arc. Not even a central registry
exists.
No official central regitry, yes, but at least there is this non-official
one :
http://www.alvestrand.no/objectid/
It's
Jean-Marc Desperrier wrote:
Michael Ströder wrote:
Currently there is no such central document since everybody is free
to define OIDs after getting a OID arc. Not even a central registry
exists.
No official central regitry, yes, but at least there is this non-official
one :
http
Hi,
pkcs#7 DER structures generated by openssl have two header in
BER (infinite length) for the two sequence at the very start of the
encoding.
Is there a good reason for that ?
I have a tool that 's annoyed by this BER encoding and I think it should
not be too difficult to patch p7_lib.c so
I have some code that I could use to verify certificate, and that's not
able to do it anymore when compiled with 0.9.6
I traced this to the following line (330) in the file by_dir.c
This line has been changed from 0.9.5 to 0.9.6.
I think the last argument in the call to sk_X509_OBJECT_value
Dr S N Henson wrote:
I make the verification using a call to X509_verify_cert.
When the call returns, they are some errors left in the error stack from
a call to check_issued to check if the check is self-signed or not.
Is this a normal behaviour ?
That shouldn't happen unless you
Dr S N Henson wrote:
Jean-Marc Desperrier wrote:
I have some code that I could use to verify certificate, and that's not
able to do it anymore when compiled with 0.9.6
I traced this to the following line (330) in the file by_dir.c
- if(j != -1) tmp=sk_X509_OBJECT_value(xl-store_ctx
Goetz Babin-Ebell wrote:
Should a self-signed root certificate ever need to be revoked, shall it
list itself in its usual CRL(s), as the last thing it does before it is
thrown away, or is it sufficient (from its users' standpoint) that it
simply ceases to issue more CRLs?
Since the
"Tridib, Mumbai" wrote:
3. If I have a crypto API which can generate a hash of a data and then sign it using
the private key of the certificate, then is it possible to output a PKCS#7
signed-object?If yes, How it can be done.
Technically talking, yes, but only pkcs#7 _without_ any signed
Jeffrey Altman wrote:
From the GNUTLS site:
"You should view this as an alternative implementation of OpenSSL
(actually GNUTLS is closer to Eric Young's SSLEAY rather than
OpenSSL)."
What does this mean?
A great news for everyone for writes GPL code that needs crypto.
When the FSF
Alexander 'Alfe' Fetke wrote:
[...]
The modulus and exponent are also retrieve from the smart card,
and stored in the RSA structure at this time.
does this mean that the secret information (the private key) is retrieved
from the smart card to carry out the computation in the computer as
Emmanuel Gadaix wrote:
When generating MIME mails, e.g. for signing an email, OpenSSL adds an extra
white space before the semi-column sign that separates the headers.
In doing so, it violates MIME syntax (see RFC 2045, 2046, 2047).
Some mail clients will not be able to understand the MIME
Insh_Allah wrote:
I've had the same problem. What I did was feed the entropy pool with
anything I could find that was at least a bit 'random'.
I suggest the content of the stack on any architecture where there are
asynchronous interrupts that will store content in your local stack.
Easiest
Insh_Allah wrote:
I suggest the content of the stack on any architecture where there are
asynchronous interrupts that will store content in your local stack.
They are architectures where a context switch is made after every interrupt, and
the local stack is not used.
They are architectures
Richard Levitte - VMS Whacker wrote:
mlist it's true you're welcome to do versioning anyway you want..but
mlist noone i know has ever taken 'a' as a newer release on the same
mlist version.
Now you know one: me. :-)
And I can give you another one: RMS (emacs 19.34 was followed by
19.34a
Hi,
I have found out in a project that the use of the short name UID in
openssl, for the Unique Identifier OID defined in X520, definitively
causes confusion and potentials problems.
There seem a very common use of this abreviation to designate instead
the user id, defined in RFC1274.
A little
Richard Levitte - VMS Whacker wrote:
From: Jean-Marc Desperrier [EMAIL PROTECTED]
Note that since the short name UID exists in both camps and OpenSSL
is somewhere in the middle, there's a definite conflict of interest
here. However, most people I've talked with consider UID
Oscar Jacobsson wrote:
I don't think we could really go ahead and deprecate the use of UID, as RFC
2253 defines it as the proper string encoding of the userid attribute type, and the
short names
appear to be used when string encoding distinguished names.
The UID of openssl is NOT the UID of
Richard Levitte - VMS Whacker wrote:
I'd like your help to name the OpenSSL libraries. The idea I have
right now is the following (base names are 'osslc' for 'libcrypto',
'ossls' for 'libssl', and one adds 's' for single-threaded or 'm' for
multithreaded, as well as 'd' when it's a debug
Richard Levitte - VMS Whacker wrote:
From: Jean-Marc Desperrier [EMAIL PROTECTED]
jean-marc.desperrier I'd be in favor of longer names, with the
jean-marc.desperrier version number included when there are
jean-marc.desperrier incompabilities between version number.
I think there's still
Bear Giles wrote:
As for domainComponent in particular, the RFC clearly limits it
to 64 octets
Not _the_ RFC. Which RFC ?
Not 2459, there's not a word about domainComponent.
Not 1274, which first defined domainComponent, it did not fit a size
limit.
So that must be some LDAP related RFC,
OpenSSL wrote:
Record of death vulnerability in OpenSSL 0.9.8f through 0.9.8m
How comes the vulnerability doesn't touch 0.9.8e though the patched file
wasn't modified between 0.9.8e and 0.9.8f ?
But that code was modified between 0.9.8d and 0.9.8e, see this patch :
Bodo Moeller wrote:
it's code elsewhere that no longer tolerates the coarse logic we are
changing in the patch, which has been around forever.
In fact, I already suspected that, thanks for the confirmation.
__
OpenSSL Project
On 26/03/2010 18:31, Andy Polyakov wrote:
My patch (unapplied for 6 months now) would at least fix the problem of
the AESNI engine not being used automatically,
The reason for low priority is that the code is in development, lack of
hardware...
Hum ? Maybe the openssl team doesn't have the
OpenSSL wrote:
OpenSSL Ciphersuite Downgrade Attack
=
A flaw has been found in the OpenSSL SSL/TLS server code where an old bug
workaround allows malicous clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded
Tom Wu via RT wrote:
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0,
and has been updated to apply cleanly to the 20101229 dev snapshot.
This version of the patch supercedes the earlier patches submitted
under this ticket. Please let me know what the next steps are for
the
Jean-Marc Desperrier wrote:
Tom Wu via RT wrote:
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0,
and has been updated to apply cleanly to the 20101229 dev snapshot.
This version of the patch supercedes the earlier patches submitted
under this ticket. Please let me know what
On Tue, 17 Apr 2012, Lubomír Sedlář wrote:
I would like to ask if any static analysis tool was ever used to detect
possible problems in OpenSSL source code. Is some tool used regularly?
I tried running Clang Static Analyzer [1] on the source of OpenSSL.
Julia Lawall a écrit :
A few years ago,
Steve Marquess a écrit :
The OpenSSL FIPS Object Module 1.2 has been extended to include support
for the iOS and Mac OS X operating systems, as the newly released
revision 1.2.4. This new support was made possible by a collaboration
with Thursby Software Systems, Inc, (http://www.thursby.com/),
Jean-Marc Desperrier a écrit :
Do they (or anyone else) also intend to sponsor the same extension for
the new v2.0 module ?
I must say that in the rather extensive list of OS for the new module OS
X and iOS are the two that are most obviously missing.
Well :-) I've *just* seen the following
The doc says :
Create an OCSP request and write it to a file:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
In my test, I try to do exactly that with :
openssl ocsp -issuer ocsp_ca.pem -cert ocsp_valide.cer -cert
ocsp_revoque.cer -reqout req.der
But no
In 0.9.7-b1, an invalid value for the CAfile parameter in a call to
openssl ocsp generates a core dump when verifying OCSP requests.
When the setup_verify function fails because it can not open the CAfile
parameters, it returns NULL.
The function OCSP_basic_verify that is called just after
In ERR_get_state (err_def.c:613), there's the following code :
/* If a race occured in this function and we came second, tmpp
* is the first one that we just replaced. */
if (tmpp)
ERR_STATE_free(tmpp);
As already suggested in 2006 in this message
72 matches
Mail list logo