Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
thanks a lot. I opened a "VS2015 x64 Native Tools" window as opposed to a "VS2015 x64 x86 Cross Tools" and everything worked amazingly with no issues. The names are super confusing, but I'm ok now. thanks From: openssl-users

Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
I installed ActivePerl and got a lot further I now get link errors. Please see below. The commands are the same: perl Configure VS-WIN64A and nmake: "C:\Perl64\bin\perl.exe" "util\mkdef.pl" "crypto" 32 > libcrypto-1_1-x64.def "C:\Perl64\bin\perl.exe" -i.tmp -pe

Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
.org Subject: Re: [openssl-users] Build problems on Windows On 10/01/17 18:34, jeff saremi wrote: > D:\repos\openssl2\openssl-1.1.0c>perl -v > > This is perl 5, version 22, subversion 1 (v5.22.1) built for > x86_64-msys-thread-multi > Copyright 1987-2015, Larry Wall You are using

Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
<jb-open...@wisemo.com> Sent: Monday, January 9, 2017 9:46 PM To: openssl-users@openssl.org Subject: Re: [openssl-users] Build problems on Windows On 10/01/2017 05:04, jeff saremi wrote: > > Hello > > I downloaded openssl-1.1.0c and i'm trying to build this on Windows 10 > using Vis

[openssl-users] Build problems on Windows

2017-01-09 Thread jeff saremi
Hello I downloaded openssl-1.1.0c and I'm trying to build this on Windows 10 using Visual Studio 2015. I'm following the INSTALL and NOTES.WIN instructions; however, I get stopped rather quickly with file not found issues. I have also installed nasm. The build fails for 32 or 64 with slightly

Re: Help Needed: SSL Connect starting from a weird state

2011-10-22 Thread Jeff Saremi
My initial analysis of this was very misleading. I have to apologize for that. The problem was that during the first part of the handshake (clienthello), the call failed without anything being written out. Tracing ssl23_client_hello() in s23_clnt.c showed that the following statement returned

Help Needed: SSL Connect starting from a weird state

2011-10-20 Thread Jeff Saremi
We've been running our SSL code for a while now with no issues. But recently one of our developers started encountering this problem. We did the best we could to troubleshoot to no avail. I know the problem is not OpenSSL and it's something we're doing incorrectly, probably at the start up. The

Re: Running SSL on own socket code

2011-06-03 Thread Jeff Saremi
:29AM -0400, Jeff Saremi wrote: I'd like to know the feasibility or complexity around using my own socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of BIOs to read and write would that be sufficient? How tightly integrated the code

Running SSL on own socket code

2011-06-01 Thread Jeff Saremi
I'd like to know the feasibility or complexity around using my own socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of BIOs to read and write, would that be sufficient? How tightly integrated is the code with bio_connect and bio_socket? thanks jeff

Valgrind Suppressed Leak on dlfcn_globallookup

2011-05-13 Thread Jeff Saremi
I'd like to eliminate this suppressed error in valgrind. Does anyone have any idea? I have my cleanup code also pasted farther below ==3317== 20 bytes in 1 blocks are still reachable in loss record 1 of 1 ==3317== at 0x402425F: calloc (vg_replace_malloc.c:467) ==3317== by 0x4063105:

Re: Possibility to create CRL without the CA key

2011-05-02 Thread Jeff Saremi
read my post: http://www.mail-archive.com/openssl-users@openssl.org/msg63740.html On 11-05-02 06:50 AM, Viliam ġurina wrote: Hello, I'm doing my own CA with openssl and want to regularly generate CRLs. We plan limited use of the CA (say 1-2 certificates per year), so the CA private key is

Re: CRL validation must be skipped for certs with no CRLDPs

2011-03-19 Thread Jeff Saremi
I'm not sure how you read this. I read it like a programmer. In programming primitives, the spec would be coded like this: Here's the spec: This algorithm begins by assuming that the certificate is not revoked For each distribution point (DP) in the certificate's CRL distribution points

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-18 Thread Jeff Saremi
There are other out of band mechanisms where a CRL might be available but not mentioned in a CRLDP. OpenSSL has no way of telling what those might be and if the absence is really an error or not. The best you can do is trap the issuer error in the verify callback and ignore it if

Re: Handling Indirect CRL Issuer

2011-03-18 Thread Jeff Saremi
With great many thanks to Dr. Henson for not only responding to every post I have had so far but also for providing solid guidance on how to address the problem leading to the heading of this thread, I am adding some extra material and some verbatim quotes from Dr. Henson here so that they might

CRL validation must be skipped for certs with no CRLDPs

2011-03-18 Thread Jeff Saremi
This was mentioned briefly in another thread by myself. I thought it deserved its own discussion. The copies of how it went on are pasted below. Section 6.3.3. of RFC 5280 - CRL Processing This algorithm begins by assuming that the certificate is not revoked For each distribution point (DP)

what does X509_STORE_get1_crls() return and how?

2011-03-17 Thread Jeff Saremi
If I call X509_STORE_get1_crls(ctx, nm) with nm being the issuer name, the method is supposed to return a list of CRL's with that issuer name. How does it do that when it comes to CRLs issued by a CRL issuer authorized by the original issuer? Does it use Authority Key Identifier? thanks, jeff

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-17 Thread Jeff Saremi
So as per previous posts, I implemented lookup_crl(). Now one of the major problems is what do I return from this method, if the certificate has no CRL distribution points! Returning an empty stack causes get_crl_delta() to fail. Is there a flag that I can setup to let this cert be excluded from

Handling Indirect CRL Issuer

2011-03-17 Thread Jeff Saremi
Does anyone have an example of how an indirect CRL issuer is handled? This is my understanding of what needs to be done. If at least someone could verify that, I'd be really appreciative: 1. download the CRL 2. If not indirect, handle as usual (let's pretend for now that we know how to handle these in

Re: Handling Indirect CRL Issuer

2011-03-17 Thread Jeff Saremi
It looks like we need to support indirect CRL Issuers at least for CRL's issued for ourselves. I have done most of the work. It looks like I don't quite know how to generate CRLs with the indirect CRL issuer, or I don't know how to generate the CRL issuer's certificate using the root certificate. So I

How can I make CertificateIssuer extension show up in CRL Entries?

2011-03-17 Thread Jeff Saremi
I'm generating my CRLs using the openssl ca command. In the CRL entry extension list, I can see X509v3 CRL Reason Code but I'd like to also include the certificate issuer. (I think this is needed if an issuer does the issuing indirectly for another CA). Is there a command line option or config entry

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-16 Thread Jeff Saremi
Thanks Patrick. Unfortunately this has to be a part of our code to run on various platforms. If you know of any openssl-based implementation that does this and is open source, please let me know so at least I could use that as an example. Patrick Patterson Tue, 15 Mar 2011 13:11:11 -0700 Hi

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-16 Thread Jeff Saremi
Try supplying your own lookup_crls() implementation instead. This can be much simpler and just needs to return any CRLs which match the supplied X509_NAME value. If there are multiple CRLs it will pick the most appropriate. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer.

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Jeff Saremi
Here are some more interesting points that I'm banging my head against the wall over until I find the answer: - Overwriting get_crl forces you to provide your own CRL checking logic as well. Specifically two things need to be set during this check which are required within check_cert(): a) score of

Cert Verification based on CRL when least expected

2011-03-12 Thread Jeff Saremi
We're trying to enable CRL checking on our client-side application. When doing limited unit tests, everything is OK. But when we extend the tests to real server we see errors from places where least expected. The error is unable to get certificate CRL depth:0. The scenario is a mutually

RE: SSL_VERIFY_PEER and the presence of client's X509 certificate after the handshake

2010-12-18 Thread Jeff Saremi
So this is some minor debugging I did to get to this problem. Modified the following methods to add two printf lines: ssl_lib.c: X509 *SSL_get_peer_certificate(const SSL *s) { X509 *r; if ((s == NULL) || (s->session == NULL)) {

SSL_VERIFY_PEER and the presence of client's X509 certificate after the handshake

2010-12-15 Thread Jeff Saremi
We have some intermittent problems which seem to go away after restarting our server. The problem is that the client's certificate disappears on the server, even though SSL_VERIFY_PEER is set in the context using SSL_CTX_set_verify(). So under situations that are not entirely clear, a call to

Enhancement Request: 64bit BIO API

2010-10-12 Thread Jeff Saremi
what is there now -acts like 32 under 32bits (add 'l' or '64' prefixes or suffixes at will) - as a transparent approach: in 64bit compilations you get 64bit versions otherwise 32 - as a complementary set always available regardless of the underlying addressing capability Thanks, Jeff Saremi

RE: Getting detailed ssl-handshake debug output

2010-10-11 Thread Jeff Saremi
I received the answer in a direct email and just wanted to share it here too: - command line: openssl s_client -state -debug -connect host:port - programmatic: One can look in the callback mechanism used in the above, specifically in apps/s_cb.c

Getting detailed ssl-handshake debug output

2010-10-08 Thread Jeff Saremi
I'd like to know if there's a way -- programmatic, config, environment -- that I can get a detailed print of what goes on during a handshake at the client or the server? Below is the output from Apache Tomcat as an example of the level of detail I'm looking for: http-442-1, READ: TLSv1 Handshake,

Re: 64bit BIOs and support in OpenSSL

2010-10-06 Thread Jeff Saremi
Are there any plans to change this? Getting streams larger than 4GB is not very unusual these days anymore. On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote: Does BIO support 64 bit IO (large files)? If so would the rest of OpenSSL (such as the ssl itself) support those BIOs

64bit BIOs and support in OpenSSL

2010-10-04 Thread Jeff Saremi
Does BIO support 64 bit IO (large files)? If so would the rest of OpenSSL (such as the ssl itself) support those BIOs? I configured the build with 64bit support and didn't see any noticeable changes. Specifically, I'd like to know if BIO_tell() is able to return a 64bit value?

Is there a function to invoke ad-hoc to report an error without having to load/unload strings?

2010-08-25 Thread Jeff Saremi
I'm looking for something like: ERR_report_oneoff_error(const char *func, const char *reason, int line, const char *file) that I could use without having to define structures like the following or calling Err_load_strings and Err_unload_strings: static ERR_STRING_DATA BIO_str_functs[]= {

Re: dynamic locks don't get cleaned up

2010-08-20 Thread Jeff Saremi
allocated ==3959== ==3959== All heap blocks were freed -- no leaks are possible On 10-08-18 04:28 PM, Jeff Saremi wrote: any takers from the openssl team? true, false? known issue, user error? anything? On 10-08-17 04:23 PM, Jeff Saremi wrote: I apologize if this shows up more than once

Re: dynamic locks don't get cleaned up

2010-08-18 Thread Jeff Saremi
any takers from the openssl team? true, false? known issue, user error? anything? On 10-08-17 04:23 PM, Jeff Saremi wrote: I apologize if this shows up more than once. I've been having problems sending emails out, all day. First I encountered this with valgrind but then I decided to have

dynamic locks don't get cleaned up

2010-08-17 Thread Jeff Saremi
I apologize if this shows up more than once. I've been having problems sending emails out, all day. First I encountered this with valgrind but then I decided to have openssl print the leaks and it was also confirmed. I have reduced my code to the following two lines. Prior to this of course

My custom engine_finish method does not get called through ENGINE_finish

2010-08-13 Thread Jeff Saremi
I'm trying to use my custom engine; however, I cannot get it to clean up nicely. For the initialization I used the sample in the openssl ENGINE(3) documentation. Here's how it goes: ENGINE *loadEngine() { ENGINE *e; e = ENGINE_by_id(MY_ENGINE_ID); if(!e)

Re: My custom engine_finish method does not get called through ENGINE_finish

2010-08-13 Thread Jeff Saremi
from ENGINE_init() */ ENGINE_finish(e); /* Release the structural reference from ENGINE_by_id() */ ENGINE_free(e); } On 10-08-13 09:23 AM, Jeff Saremi wrote: I'm trying to use my custom engine; however, I cannot get it to clean up nicely. For the initialization I used

Procedure to define and add new lock types?

2010-08-09 Thread Jeff Saremi
In my engine, I'd like to use a new lock for a set of operations. This lock is not CRYPTO_LOCK_ENGINE or any other defined ones. Is there any way in OpenSSL to define, say, a user lock (type) and then use the CRYPTO_lock function on it? What would happen to CRYPTO_NUM_LOCKS? Would that increase by way

Re: Procedure to define and add new lock types?

2010-08-09 Thread Jeff Saremi
CRYPTO_set_dynlock_create_callback CRYPTO_set_dynlock_lock_callback CRYPTO_set_dynlock_destroy_callback The desired lock type is passed in the struct CRYPTO_dynlock_value * parameter to the custom dynlock_lock_callback. On 10-08-09 09:18 AM, Jeff Saremi wrote: In my engine, I'd like to use a new lock

Frustration with method based on EVP_PKEY_METHOD

2010-07-08 Thread Jeff Saremi
The structure itself is only forward-declared meaning that a programmer has no way of getting into the actual evp_pkey_method_st and its fields. Now that would be fine if there were a complete set of methods EVP_PKEY_meth_* to manipulate the pointers to EVP_PKEY_METHOD. But alas there's only a

Re: Frustration with method based on EVP_PKEY_METHOD

2010-07-08 Thread Jeff Saremi
OK. Thanks for replying. On Thu, 2010-07-08 at 18:59 +0200, Dr. Stephen Henson wrote: The only current example of an external EVP_PKEY_METHOD (in the gost ENGINE) implements everything from scratch. It is perfectly reasonable for another implementation to copy existing methods or intercept

ENGINE: where are corresponding 'save' methods for ENGINE_set_load_pub/privatekey_function?

2010-07-04 Thread Jeff Saremi
How does one provide own engine functions for saving public and private keys? thanks jeff

ENGINE: RSA_METHOD->rsa_keygen does not behave like other function pointers

2010-07-04 Thread Jeff Saremi
To avoid having to override every RSA function, I could fill my engine's custom RSA_METHOD with methods from RSA_PKCS1_SSLeay. Alternatively I could have my functions wrap the internal OpenSSL functions. For instance: int myEngineRsaModExp(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx) { int

Q: Ramifications of creating new X509-Store and setting it in SSL_CTX while SSL_accept's being done

2010-05-14 Thread Jeff Saremi
In order to update the CRLs in our server socket, and due to the seeming lack of any CRL update methods, I decided to create new X509_STOREs and set them in the SSL_CTX every time there's a change in the CRL list. I'd like to know the effects of that if at the same time new SSLs are being created, setup