thanks a lot. I opened a "VS2015 x64 Native Tools" window as opposed to a
"VS2015 x64 x86 Cross Tools" and everything worked amazingly with no issues.
The names are super confusing.
but i'm ok now. thanks
From: openssl-users
I installed ActivePerl and got a lot further
I now get link errors. Please see below. The commands are the same: perl
Configure VS-WIN64A and nmake:
"C:\Perl64\bin\perl.exe" "util\mkdef.pl" "crypto" 32 >
libcrypto-1_1-x64.def
"C:\Perl64\bin\perl.exe" -i.tmp -pe
.org
Subject: Re: [openssl-users] Build problems on Windows
On 10/01/17 18:34, jeff saremi wrote:
> D:\repos\openssl2\openssl-1.1.0c>perl -v
>
> This is perl 5, version 22, subversion 1 (v5.22.1) built for
> x86_64-msys-thread-multi
> Copyright 1987-2015, Larry Wall
You are using
<jb-open...@wisemo.com>
Sent: Monday, January 9, 2017 9:46 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Build problems on Windows
On 10/01/2017 05:04, jeff saremi wrote:
>
> Hello
>
> I downloaded openssl-1.1.0c and i'm trying to build this on Windows 10
> using Vis
Hello
I downloaded openssl-1.1.0c and i'm trying to build this on Windows 10 using
Visual Studio 2015. I'm following the INSTALL and NOTES.WIN instructions
however I get stopped rather quickly with file not found issues..
I have also installed nasm. The build fails for 32 or 64 with slightly
My initial analysis of this was very misleading. I have to apologize for
that.
The problem was that during the first part of the handshake
(clienthello), the call failed without anything being written out.
Tracing ssl23_client_hello() in s23_clnt.c showed that the following
statement returned
We've been running our SSL code for a while now with no issues. But
recently one of our developers started encountering this problem.
We did the best we could to troubleshoot to no avail. I know the
problem is not OpenSSL and it's something we're doing incorrectly,
probably at the start up.
The
:29AM -0400, Jeff Saremi wrote:
I'd like to know the feasibility or complexity around using my own
socket code with OpenSSL's ssl code. If I provide OpenSSL with a
pair of
BIOs to read and write would that be sufficient? How tightly
integrated
the code
I'd like to know the feasibility or complexity around using my own
socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
BIOs to read and write would that be sufficient? How tightly integrated
the code is with bio_connect and bio_socket? thanks
jeff
I'd like to eliminate this suppressed error in valgrind.
Does anyone have any idea? I have my cleanup code also pasted farther below
==3317== 20 bytes in 1 blocks are still reachable in loss record 1 of 1
==3317==    at 0x402425F: calloc (vg_replace_malloc.c:467)
==3317==    by 0x4063105:
read my post:
http://www.mail-archive.com/openssl-users@openssl.org/msg63740.html
On 11-05-02 06:50 AM, Viliam ġurina wrote:
Hello,
I'm doing my own CA with openssl and want to regularly generate CRLs.
We plan limited use of the CA (say 1-2 certificates per year), so the
CA private key is
I'm not sure how you read this. I read it like a programmer.
In programming primitives, the spec would be coded like this:
Here's the spec:
This algorithm begins by assuming that the certificate is not revoked
For each distribution point (DP) in the certificate's CRL distribution
points
There are other out of band mechanisms where a CRL might be available but
not mentioned in a CRLDP. OpenSSL has no way of telling what those might be
and if the absence is really an error or not.
The best you can do is trap the issuer error in the verify callback and ignore
it if
With great many thanks to Dr. Henson for not only responding to every
post I have had so far but also for providing solid guidance on how to
address the problem leading to the heading of this thread, I am adding
some extra material and some verbatim quotes from Dr. Henson here so
that they might
This was mentioned briefly in another thread by myself. I thought it
deserved its own discussion. The copies of how it went on are pasted below.
Section 6.3.3. of RFC 5280 - CRL Processing
This algorithm begins by assuming that the certificate is not revoked
For each distribution point (DP)
If I call X509_STORE_get1_crls(ctx, nm) with nm being the issuer name,
the method is supposed to return a list of CRL's with that issuer name.
How does it do that when it comes to CRLs issued by a CRL issuer
authorized by the original issuer?
Does it use Authority Key Identifier?
thanks,
jeff
So as per previous posts, I implemented lookup_crl().
Now one of the major problems is what do I return from this method, if
the certificate has no CRL distribution points!
Returning an empty stack causes get_crl_delta() to fail.
Is there a flag that I can setup to let this cert be excluded from
Does anyone have an example of how an indirect CRL issuer is handled?
This is my understanding of what needs to be done.
If at least someone could verify that, I'd be really appreciative:
1. download the CRL
2. If not indirect, handle as usual (let's pretend for now that we know
how to handle these in
It looks like we need to support indirect CRL Issuers at least for CRL's
issued for ourselves.
I have done most of the work. It looks like I don't quite know how to
generate CRLs with the indirect CRL issuer or I don't know how to
generate the CRL issuer's certificate using the root certificate.
So I
I'm generating my CRLs using openssl ca command. In the CRL entry
extension list, I can see X509v3 CRL Reason Code but I'd like to also
include the certificate issuer. (I think this is needed if an issuer
does the issuing indirectly for another CA).
Is there a command line option or config entry
Thanks Patrick. Unfortunately this has to be a part of our code to run on
various platforms. If you know of any openssl-based implementation that
does this and is opensource please let me know so at least I could use
that as an example.
Patrick Patterson
Tue, 15 Mar 2011 13:11:11 -0700
Hi
Try supplying your own lookup_crls() implementation instead. This can be much
simpler and just needs to return any CRLs which match the supplied X509_NAME
value. If there are multiple CRLs it will pick the most appropriate.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Here are some more interesting points that I'm banging my head against
the wall until I find the answer:
- Overwriting get_crl forces you to provide your own CRL checking logic
as well. Specifically two things need to be set during this check which
are required within check_cert():
a) score of
We're trying to enable CRL checking on our client-side application. When
doing limited unit tests, everything is OK. But when we extend the tests
to real server we see errors from places where least expected.
The error is unable to get certificate CRL depth:0. The scenario is a
mutually
So this is some minor debugging I did to get to this problem.
Modified the following methods to add two printf lines:
ssl_lib.c:
X509 *SSL_get_peer_certificate(const SSL *s)
{
X509 *r;
if ((s == NULL) || (s->session == NULL))
{
We have some intermittent problems which seem to go away after
restarting our server.
The problem is that the client's certificate disappears on the server,
even though SSL_VERIFY_PEER is set in the context using
SSL_CTX_set_verify().
So under situations that are not entirely clear, a call to
what is there now -acts like
32 under 32bits (add 'l' or '64' prefixes or suffixes at will)
- as a transparent approach: in 64bit compilations you get 64bit
versions otherwise 32
- as a complementary set always available regardless of the underlying
addressing capability
Thanks,
Jeff Saremi
I received the answer in a direct email and just wanted to share it
here too:
- command line:
openssl s_client -state -debug -connect host:port
- programmatic:
One can look in the callback mechanism used in the above, specifically in
apps/s_cb.c
I'd like to know if there's a way -- programmatic, config, environment
-- that I can get detailed print of what goes on during a handshake at
the client or the server? Below is the output from Apache Tomcat as an
example of the level of details i'm looking for:
http-442-1, READ: TLSv1 Handshake,
Are there any plans to change this? Getting streams larger than 4GB is not very
unusual these days anymore.
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
Does BIO support 64 bit IO (large files)? If so would the rest of
OpenSSL (such as the ssl itself) support those BIOs
Does BIO support 64 bit IO (large files)? If so would the rest of
OpenSSL (such as the ssl itself) support those BIOs?
I configured the build with 64bit support and didn't see any noticeable
changes.
Specifically, I'd like to know if BIO_tell() is able to return a 64bit
value?
I'm looking for something like:
ERR_report_oneoff_error(const char *func, const char *reason, int line,
const char *file)
that I could use without having to define structures like the following
or calling Err_load_strings and Err_unload_strings:
static ERR_STRING_DATA BIO_str_functs[]=
{
allocated
==3959==
==3959== All heap blocks were freed -- no leaks are possible
On 10-08-18 04:28 PM, Jeff Saremi wrote:
any takers from the openssl team? true, false? known issue, user error?
anything?
On 10-08-17 04:23 PM, Jeff Saremi wrote:
I apologize if this shows up more than once
any takers from the openssl team? true, false? known issue, user error?
anything?
On 10-08-17 04:23 PM, Jeff Saremi wrote:
I apologize if this shows up more than once. I've been having problems
sending emails out, all day.
First I encountered this with valgrind but then I decided to have
I apologize if this shows up more than once. I've been having problems
sending emails out, all day.
First I encountered this with valgrind but then I decided to have
openssl print the leaks and it was also confirmed.
I have reduced my code to the following two lines. Prior to this of
course
I'm trying to use my custom engine however I cannot get it to clean up
nicely.
For the initialization i used the sample in openssl ENGINE(3) documentation.
Here's how it goes:
ENGINE *loadEngine()
{
ENGINE *e;
e = ENGINE_by_id(MY_ENGINE_ID);
if(!e)
from ENGINE_init() */
ENGINE_finish(e);
/* Release the structural reference from ENGINE_by_id() */
ENGINE_free(e);
}
On 10-08-13 09:23 AM, Jeff Saremi wrote:
I'm trying to use my custom engine however I cannot get it to clean up
nicely.
For the initialization i used
In my engine, i'd like to use a new lock for a set of operations. This
lock is not CRYPTO_LOCK_ENGINE or any other defined ones.
Is there any way in OpenSSL to define a say user lock (type) and then
use CRYPTO_Lock function on it?
What would happen to CRYPTO_NUM_LOCKS? would that increase by way
CRYPTO_set_dynlock_create_callback
CRYPTO_set_dynlock_lock_callback
CRYPTO_set_dynlock_destroy_callback
The desired lock type is passed in the struct CRYPTO_dynlock_value *
parameter to the custom dynlock_lock_callback.
On 10-08-09 09:18 AM, Jeff Saremi wrote:
In my engine, i'd like to use a new lock
The structure itself is only forward-declared meaning that a programmer
has no way of getting into the actual evp_pkey_method_st and its fields.
Now that would be fine if there were a complete set of methods
EVP_PKEY_meth_* to manipulate the pointers to EVP_PKEY_METHOD. But alas
there's only a
OK. Thanks for replying.
On Thu, 2010-07-08 at 18:59 +0200, Dr. Stephen Henson wrote:
The only current example of an external EVP_PKEY_METHOD (in the gost ENGINE)
implements everything from scratch.
It is perfectly reasonable for another implementation to copy existing methods
or intercept
How does one provide own engine functions for saving public and private
keys?
thanks
jeff
To avoid having to override every RSA function, I could fill my engine's
custom RSA_METHOD with methods from RSA_PKCS1_SSLeay. Alternatively I
could have my functions wrap the internal OpenSSL functions. For
instance:
int myEngineRsaModExp(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx)
{
int
In order to update the CRLs in our server socket and due to seemingly
lack of any CRL update methods, I decided to create new X509_STOREs and
set them in the SSL_CTX every time there's a change in the CRL list.
I'd like to know the effects of that if at the same time new SSLs being
created, setup