RE: FAILED:unable to get local issuer certificate

2012-05-09 Thread dave.mclellan
Hi Dr. Steve: can I get clarification on your note about the '...link algorithm has changed...'? Does this refer to the hash computed over a certificate which is needed when using SSL_CTX_load_verify_locations(pCtx, NULL, path_to_verify_directory)? I discovered (and resolved) this in testing

RE: FAILED:unable to get local issuer certificate

2012-05-09 Thread dave.mclellan
Thank you very much. I appreciate your extra effort. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, May 09, 2012 6:38 AM To: openssl-users@openssl.org Subject: Re: FAILED:unable to get

FIPS OM 2.0 in application shared library?

2012-04-24 Thread dave.mclellan
Hi. We are experimenting with the FIPS 2.0 Object Module RC1 and the recent GA of OpenSSL 1.0.1. We have a successful FIPS-capable build of OpenSSL and we've verified it with the openssl CLI with OPENSSL_FIPS=1 set. Our experiments are currently limited to Linux X86_64, and we are not

RE: FIPS OM 2.0 in application shared library?

2012-04-24 Thread dave.mclellan
Hi Dr. Steve. Thank you very much. In our static case, we are using fipsld to link libcrypto and fipscanister with our objects. It seems successful, and produces a loadable shared library. But the self-test of FIPS_mode_set() is unable to match the signature. So we will keep

RE: OS390 UNIX - openssl install questions

2012-04-05 Thread dave.mclellan
We build on z/OS. I have some notes on what I've had to do, but what kinds of errors are you seeing, and what version of OpenSSL? The most recent version we built on z/OS is 0.9.8R. +-+-+-+-+-+-+ Dave McLellan, Symmetrix Software Engineering EMC Corporation, 176 South St, Hopkinton MA

OpenSSL FIPS 2.0 Object Module platform questions

2012-04-02 Thread dave.mclellan
In the draft User Guide for the FIPS Object Module 2.0, the official validated platforms are shown as Linux and Windows, 32- and 64-bit architectures, with or without assembler optimizations. The draft Security Policy mentions only Android 2.2 and HP-UX 11i in section 2: Tested

RE: OpenSSL 1.0.1 libraries have 1.0.0 in the names

2012-03-24 Thread dave.mclellan
Thanks very much. That helps a little. It's also in the Makefile very clearly. And why not use 1.0.1, like the 0.9.8 stream used? Thanks again. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeremy Farrell Sent: Friday, March 23, 2012 5:01 PM

OpenSSL 1.0.1 libraries have 1.0.0 in the names

2012-03-23 Thread dave.mclellan
I'm seeing 1.0.0 used in the library (.so) names for crypto and ssl versions. I expected to see 1.0.1, consistent with the 0.9.X stream, where the version number agrees with version in the library name (as referenced in the link of the openssl executable for example). Can someone help me

1.0.1 Beta3 SHLIB_MINOR value is 0.0 - is it on purpose?

2012-02-28 Thread dave.mclellan
I'm noticing the version number of the SSL and crypto libraries are showing 1.0.0, but I expected 1.0.1. I can see the statement SHLIB_MINOR in the Makefile that sets it, and it seems on purpose, but I want to make sure. Snippet from Makefile at the top level, beginning at line 7, through

RE: SSL_get_shutdown() returns 3

2011-11-02 Thread dave.mclellan
Hi Jeff. DOH! I was staring right into the face of two bits on, and didn't even see it. Thanks. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Tuesday, November 01, 2011 8:02 AM To:

SSL_get_shutdown() returns 3

2011-11-01 Thread dave.mclellan
I'm looking into the use of SSL_get_shutdown to possibly avoid unnecessary calls to SSL_shutdown. I noticed that SSL_get_shutdown() returns a 3 sometimes, but I can't find a symbol that tells what that means. In ssl.h I see: 1=SSL_SENT_SHUTDOWN and 2=SSL_RECEIVED_SHUTDOWN. No explanation

RE: noob question on OpenSSL

2011-08-18 Thread dave.mclellan
Hi Dhoti. Neither of those questions relate specifically to OpenSSL, since these are part of the fundamental networking behaviors. 1) Look at the system function setsockopt() for how to set the reuse-address behavior. You must call this function after creating the socket, but before

RE: FW: noob question on OpenSSL

2011-08-18 Thread dave.mclellan
I believe there is a call to get the raw socket after you accept, but I'm not sure what it is. In our server, we do all the raw setup first, and then negotiate a secure session after we know the client is capable. We don't use BIOs but there should be a way to get the socket FD either.

Trying to build Openssl 0.9.8r on z/OS -- shell problem?

2011-08-11 Thread dave.mclellan
We are trying to build OpenSSL 0.9.8r on a z/OS 1.10 system. We haven't built OpenSSL on z/OS for a long time, and have rebuilt an environment to do it. Configure is successful, but any use of make (depend, for example) fails with FSUM7332 syntax error: got (, expecting Newline Anyone have

Multiple OpenSSL versions in process, dynamic loading/lookup in use

2011-07-22 Thread dave.mclellan
Hi. I'm looking for experiences in the community with dynamic loading and lookup of crypto/SSL entry points when multiple versions of the libraries might be loaded into the process space. Background is too detailed to start with, so I'll watch for takers and interested parties, so as not to

OpenSSL 1.0.0 and 0.9.8 compatibility

2011-06-14 Thread dave.mclellan
I'm looking for information about compatibility topics relating to OpenSSL 0.9.8 stream and the 1.0.0 stream. The context is: - Proprietary Client/server application, clear text protocol had SSL layered over it - Many Unix platforms, Many windows platforms, z/OS and z/Linux - Very deep

RE: OpenSSL and multithreaded programs

2011-05-05 Thread dave.mclellan
We use OpenSSL in a highly multi-threaded application and don't have problems. There are some locking callbacks that you should be using. Look up these: CRYPTO_set_id_callback(); CRYPTO_set_locking_callback(); CRYPTO_set_dynlock_create_callback();

RE: looking for openssl doc outline

2011-02-15 Thread dave.mclellan
I second that. Absolutely that is a great way to learn about OpenSSL. It's old but it's how lots of people learn. Very friendly to a new SSL person. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John R Pierce Sent: