[openssl.org #184] OpenVMS openssl-0.9.7-beta3.tar.gz
Hi (probably) Richard,

Compaq TCP/IP Services for OpenVMS Alpha Version V5.3
on an AlphaServer 1200 5/533 4MB running OpenVMS V7.3
Compaq C V6.5-001 on OpenVMS Alpha V7.3

has some minor issues for me (hope it's still intelligible).

~~~
Compiling The CA.C File.

if (!strcasecmp(rev_arg, crl_reasons[i]))
.^
%CC-I-IMPLICITFUNC, In this statement, the identifier strcasecmp is implicitly declared as a function.
at line number 2878 in file HT_ROOT:[SRC.OPENSSL-0_9_7-BETA3.APPS]CA.C;1

Compiling The SPEED.C File.

printf(HZ=%g, (double)HZ);
^
%CC-I-IMPLICITFUNC, In this statement, the identifier sysconf is implicitly declared as a function.
at line number 1630 in file HT_ROOT:[SRC.OPENSSL-0_9_7-BETA3.APPS]SPEED.C;1

Compiling The S_TIME.C File.
Compiling The APPS.C File.

if (!strcasecmp(arg, none))
.^
%CC-I-IMPLICITFUNC, In this statement, the identifier strcasecmp is implicitly declared as a function.
at line number 1123 in file HT_ROOT:[SRC.OPENSSL-0_9_7-BETA3.APPS]APPS.C;1
~~~

Also one major issue ... the following code works in all versions prior to 0.9.7b3 (including 0.9.6e). With 0.9.7b3 it returns a 'Total' of 1 which SS_CIPHER_get..() returns a string of (NONE). Can you tell me whether my original code is broken and 0.9.7 is just revealing this or is it a toolkit problem?

~~~
/* this is the service's cipher list - not the current session's! */
StackPtr = SslCtx->cipher_list;
Total = sk_num (StackPtr);
/* one output row per cipher: index, protocol version, cipher name */
for (Count = 0; Count < Total; Count++)
{
   CipherPtr = (SSL_CIPHER *)sk_value (StackPtr, Count);
   vecptr = FaoVector;
   *vecptr++ = Count + 1;
   *vecptr++ = SSL_CIPHER_get_version (CipherPtr);
   *vecptr++ = SSL_CIPHER_get_name (CipherPtr);
   status = NetWriteFaol (rqptr, CiphersFao, FaoVector);
   if (VMSnok (status)) ErrorNoticed (status, "NetWriteFaol()", FI_LI);
}
~~~

Regards, Mark.
++ Mark Daniel http://wasd.vsm.com.au/adelaide mailto:[EMAIL PROTECTED] ([EMAIL PROTECTED]) ++ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #185] Breakage with 9.6.e
Just FYI; An existing (and functional) Perl script that generated and exported pkcs12 certs now fails with the upgrade to 9.6e.

The command running is (retyped from another screen):

openssl pkcs12 -chain -CAfile MY-CAcert.pem -name BillyBob -out testdir/BillyBob.p12 -in alldata -export

The PEM pass phrase is prompted for. Supplying the correct passphrase results in 300 lines of:

openssl in free(); warning: chunk is already free

(300 is the size of the xterm scroll buffer) and then just quits. The output file has been created but is empty.

Andrew Bashere
__ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #186] [PATCH] Makefile.org GNU ld detection
Here's a patch that fixes the DETECT_GNU_LD code in Makefile.org when building on a Sun box with GCC 2.95.2 and higher. Yes the timestamp is a few months old, but the patch applies cleanly to openssl-0.9.6e/Makefile.org Please let me know if this is not your preferred format for receiving patches. -chris *** Makefile.org.orig Wed Mar 20 13:37:25 2002 --- Makefile.orgWed Mar 20 13:42:38 2002 *** *** 263,267 done ! DETECT_GNU_LD=${CC} -v 21 | grep '^gcc' /dev/null 21 \ collect2=`gcc -print-prog-name=collect2 21` \ [ -n $$collect2 ] \ --- 263,267 done ! DETECT_GNU_LD=`${CC} -print-prog-name=ld` --version 21 | grep '^GNU' /dev/null 21 \ collect2=`gcc -print-prog-name=collect2 21` \ [ -n $$collect2 ] \ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
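Review bot: the replacement `DETECT_GNU_LD` line drops the old `${CC} -v ... | grep '^gcc'` test, so nothing confirms that `${CC}` is gcc before it is handed the gcc-style option `-print-prog-name=ld`. With another compiler the backquoted command can expand to nothing or to an error string, and the probe then runs whatever that is with `--version`. Consider keeping the gcc check and adding the `--version | grep '^GNU'` probe after it. The unchanged context line still calls a hard-coded `gcc -print-prog-name=collect2` instead of `${CC}`, which is worth aligning in the same change.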
Re: [openssl.org #187] realloc() on sunos4 : openssl-0.9.6e
On Wed, 31 Jul 2002, Jon Peatfield wrote:

Looking through the rest of the 0.9.6e patch I can't see any other cases where realloc() is called like this but I might well have missed some. I'm hoping that someone who understands the code better will confirm/check this.

Might it not be better to add a check to OPENSSL_realloc (inside an #ifdef if necessary/prudent for speed reasons) to check for this condition on SunOS4 and any other similar platform? That way, you could be sure this (pretty unusual) case would be caught everywhere...

-- Jon Bright Lead Programmer, Silicon Circus Ltd. http://www.siliconcircus.com
0.9.6e boffed on Win32 ... but easily recoverable
Attached is a trivial patch to allow Win32 to build the OpenSSL dll's. If you want to post it up to contrib, that's fine. Even a non-patch user should be able to follow what to do. Will # The new OpenSSLDie() entry point was undefined in the 0.9.6e release # and win32 dll's will not build without it. Here's the fix; # --- ../orig/openssl-0.9.6e/util/libeay.num Fri Jan 04 07:02:40 2002 +++ util/libeay.num Wed Jul 31 12:53:53 2002 -1934,3 +1934,4 BN_pseudo_rand_range2523 EXIST::FUNCTION: X509_STORE_CTX_set_verify_cb2524 EXIST::FUNCTION: ERR_load_COMP_strings 2525 EXIST::FUNCTION: +OpenSSLDie 2526EXIST::FUNCTION: --- ../orig/openssl-0.9.6e/util/mkdef.plWed Dec 19 11:48:51 2001 +++ util/mkdef.pl Wed Jul 31 12:50:51 2002 -202,6 +202,7 $crypto.= crypto/rand/rand.h; $crypto.= crypto/comp/comp.h; $crypto.= crypto/tmdiff.h; +$crypto.= crypto/cryptlib.h; my $symhacks=crypto/symhacks.h;
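Review bot: in the `util/libeay.num` hunk the ordinal `2526` for `OpenSSLDie` is assigned by hand in the same patch that teaches `util/mkdef.pl` to scan the header declaring it. Let the script assign the ordinal after the `mkdef.pl` change is in, and confirm that 2526 is not already taken on any branch that shares this file, so the export table stays consistent.

Review bot: in the `util/mkdef.pl` hunk, adding `crypto/cryptlib.h` to `$crypto` makes every function declared in that header a candidate for export, not only `OpenSSLDie`. Check what else the header declares and whether those names are meant to be reachable from outside the DLL; if not, exporting the single symbol is the narrower change.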
Re: OpenSSL stability
On Tue, Jul 30, 2002 at 11:37:36AM -0400, Chris Jarshant wrote:

I asked this on -users but I think -dev might be more appropriate... Are there any declarations of the stability of the APIs found in the OpenSSL distribution? For example, are there any guarantees or even we will try not to's which limit the amount of change that the APIs can undergo from release to release?

We try to keep the API stable, and I think we are not that bad at it. (This does not yet apply for binary compatibility. You have to recompile when changing the OpenSSL release.)

On the other hand we know, that the API is somewhat limited in several parts (e.g. certificate chain support for the client_certificate_callback), so that we might have to introduce some changes in order to get some issues resolved.

Best regards, Lutz
-- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus
[openssl.org #188] CRL Different Behavior between versions
Hi

We have found a strange and different behavior between OpenSSL 0.9.6d 9 May 2002 and OpenSSL 0.9.7-beta2 16 Jun 2002, working on Windows 2000.

We have a 2 level hierarchy of CAs, with 9 second level CAs, based on openssl, with a Lotus Domino Interface, for managing all the lifecycle of certificates. To put it clear, and simplifying, we could say we have CAroot self-signed at the top level of the tree and CAlevel2 with its certificate signed by CAroot.

Today we signed using OpenSSL 0.9.7-beta2 the CRLs for CAroot and everything went fine, but when we signed the CRL for CAlevel2 we got in the CRL as the ISSUER field, the data from the CAroot Certificate. So the CRL for CAlevel2 had the issuer information of the CAroot, it is like there is a bug and the issuer information for the second level CRL comes from the top level certificate and not from the second level certificate.

We re-signed the second level CA CRL with OpenSSL 0.9.6d 9 May 2002, using the same configuration file, and the issuer information on the CAlevel2 CRL in the issuer field was correctly that from the CAlevel2 Certificate.

Hope this is clear.

Best Regards
Rodolfo Lomascolo http://certs.ipsca.com
Re: read_pwd.c
In message [EMAIL PROTECTED] on Wed, 31 Jul 2002 11:15:03 -0500, Ken Hoo [EMAIL PROTECTED] said:

Ken_Hoo Is read_pwd.c used in version 097beta2? When I change it, it
Ken_Hoo doesn't seem to compile and create a new object file.

It isn't used any more. Please take a look in crypto/ui/ to see what has replaced the functions in it.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
[openssl.org #187] realloc() on sunos4 : openssl-0.9.6e
[[EMAIL PROTECTED] - Thu Aug 1 09:20:27 2002]:

On Wed, 31 Jul 2002, Jon Peatfield wrote:

Looking through the rest of the 0.9.6e patch I can't see any other cases where realloc() is called like this but I might well have missed some. I'm hoping that someone who understands the code better will confirm/check this.

Might it not be better to add a check to OPENSSL_realloc (inside an #ifdef if necessary/prudent for speed reasons) to check for this condition on SunOS4 and any other similar platform? That way, you could be sure this (pretty unusual) case would be caught everywhere...

I'm not sure I understand what you say. It seems like you say that the 'if (ret->data == NULL) ...' check be wrapped in a conditional so it will only be performed on some operating systems. If that's what you say, I'm totally against. Checking for NULL is cheap, and it's much easier to do that for all than try to guess what operating systems have realloc() do the same check (trust me, we already have enough checks like that elsewhere, we really don't need yet another one).

I intend to apply the given patch. It's easy to understand and to the point.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #187] realloc() on sunos4 : openssl-0.9.6e
AAAaaargh! I didn't read properly. Please ignore my rant. I rather believe that the change should be done in OPENSSL_realloc(), so future uses elsewhere do not get into the same trouble.

[levitte - Thu Aug 1 11:23:34 2002]:

[[EMAIL PROTECTED] - Thu Aug 1 09:20:27 2002]:

On Wed, 31 Jul 2002, Jon Peatfield wrote:

Looking through the rest of the 0.9.6e patch I can't see any other cases where realloc() is called like this but I might well have missed some. I'm hoping that someone who understands the code better will confirm/check this.

Might it not be better to add a check to OPENSSL_realloc (inside an #ifdef if necessary/prudent for speed reasons) to check for this condition on SunOS4 and any other similar platform? That way, you could be sure this (pretty unusual) case would be caught everywhere...

I'm not sure I understand what you say. It seems like you say that the 'if (ret->data == NULL) ...' check be wrapped in a conditional so it will only be performed on some operating systems. If that's what you say, I'm totally against. Checking for NULL is cheap, and it's much easier to do that for all than try to guess what operating systems have realloc() do the same check (trust me, we already have enough checks like that elsewhere, we really don't need yet another one).

I intend to apply the given patch. It's easy to understand and to the point.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #179] openssl-0.9.6e under HP-UX 10.20
[jaenicke - Wed Jul 31 09:46:10 2002]:

[[EMAIL PROTECTED] - Wed Jul 31 09:35:46 2002]:

When I type ./config under HP-UX 10.20 I get the message

./config[398]: test: Specify a parameter with this command.

The problem occurs with version 0.9.6e, not with earlier versions.

This problem is due to the handling of gcc-3.1 support with 64bit. In the HP-UX section, the GCC variables are tested and set. Unfortunately the case that no gcc is installed was not considered and has to be caught. (I am using HP-UX 10.20 but didn't note it, as I have gcc available).

Fixed the same way as in 0.9.7. This ticket is now resolved.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #171] packaging problems in 0.9.6e
[jaenicke - Tue Jul 30 22:25:20 2002]:

[[EMAIL PROTECTED] - Tue Jul 30 18:49:55 2002]:

Some of the files in the 0.9.6e tarball have restrictive permissions which prevent building and installing as different non-privileged users.

-rw--- openssl/openssl 23853 Jul 30 11:06 2002 openssl-0.9.6e/Makefile.ssl
lrwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/apps/md4.c -> ../crypto/md4/md4.c
-rw--- openssl/openssl 4772 Jul 30 11:06 2002 openssl-0.9.6e/crypto/opensslconf.h
drwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/include/openssl/
lrwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/include/openssl/*
lrwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/test/{various}

A recursive find/chmod should fix that. (Obviously, I checked out the source with my usual restrictive umask setting!?). There should be a way to automatically correct this in the make dist procedure. I'll take care of this for the next release.

I may have misunderstood, but isn't this only a problem if one unpacks the tarball with the p (preserve permissions) modifier? Or is p a GNU-only option?

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #189] Kerberos Ciphersuite IDs
resubmitting via RT. The absence of a quick reply leads me to believe that there is indeed something wrong. I encourage you to look at this before 0.9.7 release, otherwise we will run into serious interoperability problems in the future.

Andreas.

Original Message
Subject: Kerberos Ciphersuite IDs
Date: Thu, 25 Jul 2002 20:27:03 +0100
From: Andreas Sterbenz [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi,

I am looking at ssl/ssl3.h from 0.9.7-beta2 and the Kerberos ciphersuite IDs don't seem to match the IDs given in RFC2712. I assume I am missing something obvious, could someone please enlighten me?

Thanks, Andreas.

===
::ssl/ssl3.h::
#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x0321
#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x0322
#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0323
#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x0324
#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0325
#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x0326

::http://www.ietf.org/rfc/rfc2712.txt::
CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1E };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F };
CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x20 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 };
CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x22 };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 };
CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x24 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B };
===
Re: [openssl.org #171] packaging problems in 0.9.6e
On Thu, Aug 01, 2002 at 12:24:46PM +0200, Richard Levitte via RT wrote:

[jaenicke - Tue Jul 30 22:25:20 2002]:

[[EMAIL PROTECTED] - Tue Jul 30 18:49:55 2002]:

Some of the files in the 0.9.6e tarball have restrictive permissions which prevent building and installing as different non-privileged users.

-rw--- openssl/openssl 23853 Jul 30 11:06 2002 openssl-0.9.6e/Makefile.ssl
lrwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/apps/md4.c -> ../crypto/md4/md4.c
-rw--- openssl/openssl 4772 Jul 30 11:06 2002 openssl-0.9.6e/crypto/opensslconf.h
drwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/include/openssl/
lrwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/include/openssl/*
lrwx-- openssl/openssl 0 Jul 30 11:03 2002 openssl-0.9.6e/test/{various}

A recursive find/chmod should fix that. (Obviously, I checked out the source with my usual restrictive umask setting!?). There should be a way to automatically correct this in the make dist procedure. I'll take care of this for the next release.

I may have misunderstood, but isn't this only a problem if one unpacks the tarball with the p (preserve permissions) modifier?

Yes and no. Normally restrictive permissions inside the tarball are kept when unpacking. With or without p.

Or is p a GNU-only option?

No, it's a standard option. I was thinking about adding something like

#find . -type s -print | xargs rm -f
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r

to the make dist. This is from postfix, which removes softlinks when doing a make tidy. I have thus shown it here with # FYI, but I don't think this is handy for us :-)

Best regards, Lutz
-- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus
[openssl.org #189] Kerberos Ciphersuite IDs
Hmm, there's a problem that hasn't been addressed at all by the IETF. SSLv3 contains the following as part of its ciphersuite:

The final cipher suites are for the FORTEZZA token.

CipherSuite SSL_FORTEZZA_KEA_WITH_NULL_SHA = { 0X00,0X1C };
CipherSuite SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = { 0x00,0x1D };
CipherSuite SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = { 0x00,0x1E };

Please note how the last one clashes with the first of the KRB5 suite. Also, when one looks at RFC 2246 (TLS), there's this note at the end of section A.5:

Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are reserved to avoid collision with Fortezza-based cipher suites in SSL 3.

which indicates that SSL_FORTEZZA_KEA_WITH_RC4_128_SHA was not considered or entirely dropped. Still a clash, and I honestly wouldn't have any idea on what to do with this.

If it wasn't for this, I'd apply the needed changes immediately. As it is now, I'd like to see this issue cleared first.

[[EMAIL PROTECTED] - Thu Aug 1 12:31:17 2002]:

resubmitting via RT. The absence of a quick reply leads me to believe that there is indeed something wrong. I encourage you to look at this before 0.9.7 release, otherwise we will run into serious interoperability problems in the future.

Andreas.

Original Message
Subject: Kerberos Ciphersuite IDs
Date: Thu, 25 Jul 2002 20:27:03 +0100
From: Andreas Sterbenz [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi,

I am looking at ssl/ssl3.h from 0.9.7-beta2 and the Kerberos ciphersuite IDs don't seem to match the IDs given in RFC2712. I assume I am missing something obvious, could someone please enlighten me?

Thanks, Andreas.

===
::ssl/ssl3.h::
#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x0321
#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x0322
#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0323
#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x0324
#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0325
#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x0326

::http://www.ietf.org/rfc/rfc2712.txt::
CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1E };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F };
CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x20 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 };
CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x22 };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 };
CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x24 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B };
===

-- Richard Levitte [EMAIL PROTECTED]
Re: [openssl.org #189] Kerberos Ciphersuite IDs
Richard Levitte via RT wrote:

Hmm, there's a problem that hasn't been addressed at all by the IETF. SSLv3 contains the following as part of its ciphersuite:

The final cipher suites are for the FORTEZZA token.

CipherSuite SSL_FORTEZZA_KEA_WITH_NULL_SHA = { 0X00,0X1C };
CipherSuite SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = { 0x00,0x1D };
CipherSuite SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = { 0x00,0x1E };

Please note how the last one clashes with the first of the KRB5 suite. Also, when one looks at RFC 2246 (TLS), there's this note at the end of section A.5:

My understanding of the history is that the original SSLv3 spec only included the first two (see http://wp.netscape.com/eng/ssl3/4-APPN.HTM#A-6). A later version (http://wp.netscape.com/eng/ssl3/draft302.txt) added the third one, but that never made it into RFC2246 and escaped the attention of the authors of RFC2712.

As for a solution for OpenSSL, one option would be to disable (completely or in the default Kerberos enabled configuration) the ciphersuite 0x00 0x1E, which is only 56 bit DES anyway (TLS_KRB5_WITH_DES_CBC_SHA).

Andreas.
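The clash discussed in this thread can be found mechanically. The following is an added example, not code from the thread or from OpenSSL: it parses the `CipherSuite` declarations quoted in the messages above and reports every code point claimed by more than one specification, together with whether the RFC 2246 reservation note covers it. The function names and the source labels are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Declarations copied from the messages in this thread.
SSL3_FORTEZZA = """
CipherSuite SSL_FORTEZZA_KEA_WITH_NULL_SHA = { 0X00,0X1C };
CipherSuite SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = { 0x00,0x1D };
CipherSuite SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = { 0x00,0x1E };
"""
RFC2712_KRB5 = """
CipherSuite TLS_KRB5_WITH_DES_CBC_SHA= { 0x00,0x1E };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F };
CipherSuite TLS_KRB5_WITH_RC4_128_SHA= { 0x00,0x20 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 };
CipherSuite TLS_KRB5_WITH_DES_CBC_MD5= { 0x00,0x22 };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 };
CipherSuite TLS_KRB5_WITH_RC4_128_MD5= { 0x00,0x24 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B };
"""
# Code points the RFC 2246 note quoted in the thread sets aside for Fortezza.
RFC2246_RESERVED = {0x001C, 0x001D}

# Accepts "0x" or "0X" and optional spaces around "=" and ",".
DECL_RE = re.compile(
    r"CipherSuite\s+(\w+)\s*=\s*\{\s*0[xX]([0-9A-Fa-f]{2})\s*,"
    r"\s*0[xX]([0-9A-Fa-f]{2})\s*\}")


def parse_suites(text, source):
    """Return [(16-bit code point, suite name, source label), ...]."""
    return [((int(hi, 16) << 8) | int(lo, 16), name, source)
            for name, hi, lo in DECL_RE.findall(text)]


def find_collisions(*registries):
    """Map each code point claimed by two or more sources to its owners."""
    by_code = defaultdict(list)
    for registry in registries:
        for code, name, source in registry:
            by_code[code].append((source, name))
    return {code: owners for code, owners in by_code.items()
            if len({source for source, _ in owners}) > 1}


def audit():
    """Collisions between the two lists, flagged against the reservation."""
    collisions = find_collisions(parse_suites(SSL3_FORTEZZA, "SSLv3"),
                                 parse_suites(RFC2712_KRB5, "RFC 2712"))
    return [{"code": "0x%04X" % code,
             "owners": owners,
             "reserved_in_rfc2246": code in RFC2246_RESERVED}
            for code, owners in sorted(collisions.items())]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```
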
Re: Announcement: OpenSSL 0.9.6e (Security related upgrade)
On Thu, Aug 01, 2002 at 02:17:20AM -0400, Scott Gifford wrote:

I've done some work on running SSL/TLS code as a separate process in a chroot jail as an unprivileged user, communicating with the daemon it's doing encryption for via UNIX domain sockets. This approach massively mitigates the possible damages from the bugs discovered in the last day or two. OpenSSL is good code, but it's over 200,000 lines. It makes sense to isolate it from the special privileges daemons often have.

The work I've done is with stunnel. See:

http://www.suspectclass.com/~sgifford/stunnel/
http://www.suspectclass.com/~sgifford/stunnel/stunnel-patches.txt
http://www.suspectclass.com/~sgifford/stunnel/stunnel3.22+paranoia0.1-openfd0.1.patch

for the patch to stunnel (and some related patches; I'll be happy to split out just the paranoia patch if anybody wants it without the others), and the various README files in:

http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/

...

We add URIs of applications and add-ons to our web-pages in the Related section. Please propose an entry if you want a link to be added.

Best regards, Lutz
-- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus
Re: [openssl.org #189] Kerberos Ciphersuite IDs
Has anyone sent a query to Win Treese [EMAIL PROTECTED] [TLS WG chair] and perhaps the area directors looking for guidance?

The TLS Protocol Version 1.0 is in the process of being re-issued:

http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc2246-bis-01.txt

and clearly this problem should be addressed in that document and by the working group.

If this has not already been brought to their attention, let me know and I will do so.

- Jeff

Hmm, there's a problem that hasn't been addressed at all by the IETF. SSLv3 contains the following as part of its ciphersuite:

The final cipher suites are for the FORTEZZA token.

CipherSuite SSL_FORTEZZA_KEA_WITH_NULL_SHA = { 0X00,0X1C };
CipherSuite SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = { 0x00,0x1D };
CipherSuite SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = { 0x00,0x1E };

Please note how the last one clashes with the first of the KRB5 suite. Also, when one looks at RFC 2246 (TLS), there's this note at the end of section A.5:

Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are reserved to avoid collision with Fortezza-based cipher suites in SSL 3.

which indicates that SSL_FORTEZZA_KEA_WITH_RC4_128_SHA was not considered or entirely dropped. Still a clash, and I honestly wouldn't have any idea on what to do with this.

If it wasn't for this, I'd apply the needed changes immediately. As it is now, I'd like to see this issue cleared first.

Jeffrey Altman * Sr.Software Designer      Kermit 95 2.0 GUI available now!!!
The Kermit Project @ Columbia University   SSH, Secure Telnet, Secure FTP, HTTP
http://www.kermit-project.org/             Secured with MIT Kerberos, SRP, and
[EMAIL PROTECTED]                          OpenSSL.
java app connecting to openssl CA
Where can I find information on connecting a java based application to an OpenSSL based Certificate Authority?

Thank you.

-- Mark Webb Software Engineer Dolphin Technology 1300B Floyd Ave Rome, NY 13440 Phone: (315) 334-4892 x222 Fax: (315) 339-4846 Email: [EMAIL PROTECTED]
[openssl.org #190] [PATCH] Command line processing bug in 'ocsp'.
Hi, The -rother option of the 'ocsp' command is not processed correctly (probably nobody has used it before :-)). Here is a patch for openssl-0.9.7-beta3, I tested and it works, the additional certificates are included in the OCSP response. Regards, Zoltan --- openssl-0.9.7-beta3/apps/ocsp.c Wed Jul 10 06:57:36 2002 +++ openssl-0.9.7-beta3.own/apps/ocsp.c Thu Aug 1 10:14:19 2002 @@ -613,9 +613,9 @@ NULL, e, CA certificate); if (rcertfile) { - rother = load_certs(bio_err, sign_certfile, FORMAT_PEM, + rother = load_certs(bio_err, rcertfile, FORMAT_PEM, NULL, e, responder other certificates); - if (!sign_other) goto end; + if (!rother) goto end; } rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, NULL, NULL, responder private key); __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
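Review bot: nothing in this patch would have caught the original mix-up in the `if (rcertfile)` block, where `rother` was loaded from `sign_certfile` and the failure test looked at `sign_other`. Add a test that runs the responder with `-rother` on its own and checks that the listed certificates appear in the response, and check the neighbouring option blocks in `apps/ocsp.c` for the same copy-and-paste pattern between the `sign_*` and responder variables.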
[openssl.org #190] [PATCH] Command line processing bug in 'ocsp'.
Patch applied as given. Thanks. This ticket is now resolved. [[EMAIL PROTECTED] - Thu Aug 1 15:15:55 2002]: Hi, The -rother option of the 'ocsp' command is not processed correctly (probably nobody has used it before :-)). Here is a patch for openssl-0.9.7-beta3, I tested and it works, the additional certificates are included in the OCSP response. Regards, Zoltan --- openssl-0.9.7-beta3/apps/ocsp.c Wed Jul 10 06:57:36 2002 +++ openssl-0.9.7-beta3.own/apps/ocsp.c Thu Aug 1 10:14:19 2002 @@ -613,9 +613,9 @@ NULL, e, CA certificate); if (rcertfile) { - rother = load_certs(bio_err, sign_certfile, FORMAT_PEM, + rother = load_certs(bio_err, rcertfile, FORMAT_PEM, NULL, e, responder other certificates); - if (!sign_other) goto end; + if (!rother) goto end; } rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, NULL, NULL, responder private key); __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Richard Levitte [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
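Review bot: the corrected `rother = load_certs(bio_err, rcertfile, ...)` line changes which file `-rother` reads, yet the diff touches only `apps/ocsp.c`. A change-log line saying that `-rother` previously read `sign_certfile` would tell users of the earlier betas that the option did not work there.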
Need recipe for finding binaries with static libssl
In light of the recent vulnerabilities announced in openssl, I am attempting to recompile packages against openssl-0.9.6e. Finding binaries/libraries compiled against shared libraries has been straightforward. However, I have no clue how to approach finding binaries/libraries that have statically compiled openssl code in them. Does anyone have a recipe for doing this? I would appreciate an idea of what tools to use (nm?) and symbols to look for. The environment I am attempting to do this in is linux on packages compiled for i686.
Re: [openssl.org #181] Makefile enhancement requests
In message 87731AA8A1D5D411A6260002555821870A5C17@SPHD on Thu, 1 Aug 2002 10:39:11 +0200, Sharon Hezy [EMAIL PROTECTED] said:

shezy --* When linking the libraries, make sure that libssl finds libcrypto
shezy --and that they both find all their external dependencies at run time.
shezy --This is accomplished by the -R, -rpath or --rpath flags which behave
shezy --just like the -L flag. It is not necessary when all libraries can be
shezy --found using the default paths. To recap: giving --prefix to config
shezy --should automatically add -R${prefix}/lib and giving -L... to config
shezy --should automatically generate the same -R...
shezy --(Which flag to use depends on which compiler one is using.)
shezy --
shezy
shezy As far as I know (enlighten me otherwise), VC++ compiler (cl.exe, Win32)
shezy does not support these
shezy options; your proposition is good for Unix, but not for Windows. I hope this
shezy fact will be remembered when (if?) these changes will be done. The same
shezy comment is true for few other suggestions below in the letter (e.g., BSD's
shezy install, gmake instead of make).
shezy
shezy Please remember that there are developers who're using OpenSSL on Windows
shezy (and pretty successfully, so far :-)

I don't know if you've noticed, but the building instructions for Windows are quite different from the ones on Unix, in most cases.

When it comes to -R and such, I doubt it will be easy to add, since the correct option is spelled differently with different ld implementations, and I'm told it doesn't work properly on some systems (I might be able to add more detail about that tonight).

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: [openssl.org #170] OpenSSLDie not exported in Win32
On Tue, Jul 30, 2002 at 06:08:46PM +0300, Arne Ansper wrote:

attached is a patch for openssl-0.9.6e that removes the usage of die. please review it carefully. all changes are localized but the action i take in some places where error reporting is not possible might be little bit wrong (i.e. in ssl2_generate_key_material(). this is void function, so i cannot indicate error).

Thanks for the patch. For static functions, you can safely change void into int so that you can indicate the errors properly.

-- Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
Re: certificate start date difference!
On Mon, 8 Jul 2002, Mehdi Jabal Ameli wrote:

> when I sign a certificate, the start date of certificate is different from time of my computer? (about 3 hours difference) is this openssl bug?

My answer: maybe the time difference between your local time and GMT time is about 3 hours... What is stored in a certificate is a GMT time.

-- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - Stupidity is no excuse for not thinking.
Re: certificate start date difference!
Sorry for this late delivery. It seems pipes can be filled with old stuff sometimes. ;)

On Mon, 8 Jul 2002, Erwann ABALEA wrote:

> On Mon, 8 Jul 2002, Mehdi Jabal Ameli wrote:
>
> [...]

-- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - I would have liked to know whether in Norway there really are road signs indicating the possible presence of ghosts? Thanks. -+- DM in :GNU- Something is rotten in the kingdom of the clueless -+-
what to test ?
Friends,

I have compiled openssl source code on AS 400 system and have created modules and service program. How can I test the client server handshake? I mean which files or applications to use for that?

Thanks in advance,
Ankit Shah
Re: Need recipe for finding binaries with static libssl
On Thu, Aug 01, 2002 at 10:09:18AM -0500, Mike Green wrote:

> In light of the recent vulnerabilities announced in openssl, I am attempting to recompile packages against openssl-0.9.6e. Finding binaries/libraries compiled against shared libraries has been straightforward. However, I have no clue how to approach finding binaries/libraries that have statically compiled openssl code in them. Does anyone have a recipe for doing this? I would appreciate an idea of what tools to use (nm?) and symbols to look for. The environment I am attempting to do this in is linux on packages compiled for i686.

As long as error messages are compiled in (the linker might omit them when no error messages are used at all), you might look out for the strings being part of the error messages. Another good bet is the requirement to retrieve random numbers from /dev/urandom, so that the string /dev/urandom might be worth searching for.

As long as the binaries have not been stripped, you might also find the function names like SSL_CTX_new (all programs using SSL functionality should have this one). A simple grep for the symbols might do. I would not use strings, as I have seen some items slipping through as the detection of strings is not perfect.

Best regards,
Lutz

-- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus
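One way to run the grep-based search described in this reply, as an added example that is not part of the original post. The version-banner pattern, the `libssl.so` check used to separate shared from static use, the function names and the sample files are assumptions constructed for illustration; `grep -a` is a GNU/BSD extension.

```shell
#!/bin/sh
# Heuristic inventory of binaries that may carry statically linked OpenSSL.
# Searches raw bytes with grep -a (GNU and BSD grep) rather than strings(1).

# Succeeds when the raw bytes of file $2 match basic regex $1.
has_marker() {
    LC_ALL=C grep -a -q -e "$1" -- "$2"
}

# Prints the first embedded version banner, e.g. "OpenSSL 0.9.6d", or nothing.
# Assumption added here: the library embeds a banner of this shape.
openssl_banner() {
    LC_ALL=C grep -a -o -e 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' -- "$1" | head -n 1
}

# Prints one verdict for file $1:
#   shared - names libssl.so, so updating the shared library covers it
#   static - SSL symbol or banner present with no libssl.so reference
#   weak   - only /dev/urandom found (many non-OpenSSL programs use it)
#   none   - no marker found
classify_openssl_use() {
    if has_marker 'libssl\.so' "$1"; then
        echo shared
    elif has_marker 'SSL_CTX_new' "$1" || [ -n "$(openssl_banner "$1")" ]; then
        echo static
    elif has_marker '/dev/urandom' "$1"; then
        echo weak
    else
        echo none
    fi
}

# Walks directory $1 and reports verdict, banner and path for every hit.
scan_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        v=$(classify_openssl_use "$f")
        [ "$v" = none ] || printf '%s\t%s\t%s\n' "$v" "$(openssl_banner "$f")" "$f"
    done
}

# Constructed sample files (not real binaries): NUL-separated byte strings
# imitating what the linker leaves behind in each case.
make_samples() {
    printf 'ELF\000SSL_CTX_new\000/dev/urandom\000OpenSSL 0.9.6d 9 May 2002\000' \
        > "$1/static_unstripped"
    printf 'ELF\000/dev/urandom\000OpenSSL 0.9.6d 9 May 2002\000' \
        > "$1/static_stripped"
    printf 'ELF\000libssl.so.0.9.6\000SSL_CTX_new\000' > "$1/dynamic"
    printf 'ELF\000/dev/urandom\000' > "$1/unrelated_rng_user"
    printf 'ELF\000hello world\000' > "$1/clean"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_tree "$demo_dir"
rm -rf "$demo_dir"
```

Files reported as `static` or `weak` are candidates for manual review and rebuilding; a stripped binary can still be caught by the banner because it is data, not a symbol.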
[openssl.org #164] 0.9.7b2
[[EMAIL PROTECTED] - Wed Jul 24 14:24:12 2002]:

> 1) cmdline openssl rsa cannot read keys from stdin, they have to be specified using the -in argument.

I believe I've fixed this part. Please test the next snapshot.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #164] 0.9.7b2
[[EMAIL PROTECTED] - Wed Jul 24 14:24:12 2002]:

> 2) cmdline openssl x509 doesn't set AKI although it is specified in the config file and the CA cert has an appropriate SKI.

Do you have the possibility to send me that config file, your CA cert and that resulting cert, so I can take a look, and possibly try to simulate your problem? Thanks.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #170] OpenSSLDie not exported in Win32
On windows It can be fixed by adding the following in the code __declspec( dllexport ) before the OpenSSLDie function? I am not sure if it is safe?

[[EMAIL PROTECTED] - Thu Aug 1 16:14:14 2002]:

> On Tue, Jul 30, 2002 at 06:08:46PM +0300, Arne Ansper wrote:
>
> > attached is a patch for openssl-0.9.6e that removes the usage of die. please review it carefully. all changes are localized but the action i take in some places where error reporting is not possible might be little bit wrong (i.e. in ssl2_generate_key_material(). this is void function, so i cannot indicate error).
>
> Thanks for the patch. For static functions, you can safely change void into int so that you can indicate the errors properly.
RE: compilation failure on rh 6.2
I'd suggest adding a -ldl to the makefile.

Lynn Gazis

-Original Message-
From: Darrel Rüg [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 7:52 PM
To: [EMAIL PROTECTED]
Subject: compilation failure on rh 6.2

attempting to compile openssl-0.9.6e on rh 6.2 kernel 2.2.14-5.0 during compilation of source ( just ./configure and 'make'): (after many successful compilations).

~~~
make[1]: Entering directory `/usr/src/openssl-0.9.6e/apps'
rm -f openssl
cc -o openssl -DMONOLITH -I../include -O openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.. -lssl -L.. -lcrypto
../libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.o(.text+0x99): undefined reference to `dlopen'
dso_dlfcn.o(.text+0xa8): undefined reference to `dlopen'
dso_dlfcn.o(.text+0xfd): undefined reference to `dlclose'
../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.o(.text+0x1a3): undefined reference to `dlsym'
../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.o(.text+0x253): undefined reference to `dlsym'
../libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.o(.text+0x332): undefined reference to `dlclose'
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory `/usr/src/openssl-0.9.6e/apps'
make: *** [sub_all] Error 1
~~~

Please advise on any remedies - Darrel
test question
Friends,

Are s_server.c and s_client.c the applications (openssl-engine-0.9.6d/apps) which I can use for testing client-server handshake?

Ankit Shah, Software Engineer
Re: test question
In message [EMAIL PROTECTED] on Thu, 1 Aug 2002 13:17:24 -0500, ANKIT K SHAH [EMAIL PROTECTED] said:

> Friends,
> Are s_server.c and s_client.c the applications (openssl-engine-0.9.6d/apps) which I can use for testing client-server handshake?

Yes.

-- Richard Levitte
Re: [openssl.org #175] AutoReply: openssl-0.9.6e bug under Irix 6.5?
On Thu, 1 Aug 2002, Andrew Reynolds wrote:

> I'm having trouble building openssl-0.9.6e under Irix 6.5. I've tried building on two different machines and I've tried using the most recent snapshot. I've added the following line to the Makefile:
>
> ~~~
> "irix-mips3-cc-uiuc","cc:-mips3 -n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
> ~~~
>
> and I use ./Configure irix-mips3-cc-uiuc --prefix=/usr/local/encap/openssl-0.9.6e. This worked in the previous release of openssl. Here's my make report output:
>
> ~~~
> Making target report
> [snip]
> making all in test...
> [snip]
> Making target test_x509
> echo test normal x509v1 certificate
> test normal x509v1 certificate
> sh ./tx509 2>/dev/null
> testing X509 conversions
> p -> d p -> n rc5 base64 p -> p d -> d rc5-cbc n -> d p -> d d -> n rc5-cbc base64 n -> n p -> n rc5-cfb d -> p n -> p rc5-cfb base64 p -> p rc5-ecb
> echo test first x509v3 certificate
> test first x509v3 certificate
> sh ./tx509 v3-cert1.pem 2>/dev/null
> testing X509 conversions
> p -> d p -> n rc5-ecb base64 p -> p d -> d n -> d rc5-ofb p -> d d -> n rc5-ofb base64 n -> n p -> n
> Making target test_rsa
> d -> p rsa
> testing rsa conversions
> p -> d
> test_x509: *** Error code 1 (bu21) [/usr/local/src/openssl-0.9.6e/test/Makefile.ssl]
> p -> p d -> d p -> d d -> p p -> p
> ./rsa_test
> PKCS #1 v1.5 encryption/decryption ok
> OAEP encryption/decryption ok
> PKCS #1 v1.5 encryption/decryption ok
> OAEP encryption/decryption ok
> PKCS #1 v1.5 encryption/decryption ok
> OAEP encryption/decryption ok
> tests: *** Error code 1 (bu21)[/usr/local/src/openssl-0.9.6e/Makefile]
> Checking compiler...
> Running make...
> Running make test...
> OpenSSL self-test report:
> OpenSSL version: 0.9.6e
> Last change: Fix cipher selection routines: ciphers without encrypti...
> Options: --prefix=/usr/local/encap/openssl-0.9.6e
> OS (uname): IRIX64 kryten 6.5 07091542 IP35
> OS (config): mips4-sgi-irix64
> Target (default): irix-mips3-cc
> Target: irix-mips3-cc-uiuc
> Compiler: cc ERROR: no source or object file given
> Failure!
> [...]
> Test report in file testlog
> ~~~

We tracked this problem to the use of parallel make (make -P under IRIX). The test routines run shell scripts that are not safe to run in parallel. For example, in tx509 there is the sequence:

~~~
cp $t fff.p
$cmd -in fff.p -inform p -outform p >f.p
cmp fff.p f.p
~~~

But trsa was run at the same time, and it has the sequence:

~~~
cp $t fff.p
$cmd -in fff.p -inform p -outform p >f.p
cmp fff.p f.p
~~~

This leads to a race condition, and causes the cmp to fail. A simple fix would be to use unique names for the temporary files for each test.

Damian Menscher

-- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 1412 DCL, Workstation Services Group, CITES Ofc:(217)244-3862 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
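The failing interleaving and the suggested fix from this message, as an added example that is not part of the original post or of the OpenSSL test scripts. The `convert` stand-in (plain `cat` in place of `$cmd`), the function names and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Stand-in for "$cmd -in X -inform p -outform p": an identity conversion.
# The real scripts call the openssl binary; cat is an assumption for the demo.
convert() { cat "$1"; }

# Replays the failing interleaving with the shared names fff.p and f.p:
# test A finishes its conversion, test B then overwrites fff.p, A compares.
# Returns cmp's exit status (non-zero: A fails although nothing is wrong).
shared_names_interleaved() {
    work=$1; cert=$2; key=$3
    ( cd "$work" || exit 2
      cp "$cert" fff.p            # A (tx509): stage input
      convert fff.p > f.p         # A: convert
      cp "$key" fff.p             # B (trsa): stages its own input, same name
      cmp -s fff.p f.p )          # A: compares B's input with A's output
}

# The fix suggested in the post: every test works in its own directory, so
# the names fff.p and f.p can never collide. Returns cmp's exit status.
private_dir_roundtrip() {
    input=$1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ssltest.XXXXXX") || return 2
    cp "$input" "$dir/fff.p" &&
        convert "$dir/fff.p" > "$dir/f.p" &&
        cmp -s "$dir/fff.p" "$dir/f.p"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Runs both tests concurrently, as a parallel make would, and returns the
# number of failed tests.
run_parallel() {
    private_dir_roundtrip "$1" & p1=$!
    private_dir_roundtrip "$2" & p2=$!
    fails=0
    wait "$p1" || fails=$((fails + 1))
    wait "$p2" || fails=$((fails + 1))
    return $fails
}

# Constructed sample inputs (placeholders, not real PEM data).
demo=$(mktemp -d)
printf 'constructed certificate sample\n' > "$demo/cert.pem"
printf 'constructed RSA key sample\n' > "$demo/key.pem"
shared_names_interleaved "$demo" "$demo/cert.pem" "$demo/key.pem" \
    || echo "shared names: spurious cmp failure"
run_parallel "$demo/cert.pem" "$demo/key.pem" && echo "private dirs: both pass"
rm -rf "$demo"
```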
[openssl.org #175] openssl-0.9.6e bug under Irix 6.5?
[[EMAIL PROTECTED] - Thu Aug 1 23:12:26 2002]:

> We tracked this problem to the use of parallel make (make -P under IRIX). The test routines run shell scripts that are not safe to run in parallel. For example, in tx509 there is the sequence:
>
> ~~~
> cp $t fff.p
> $cmd -in fff.p -inform p -outform p >f.p
> cmp fff.p f.p
> ~~~
>
> But trsa was run at the same time, and it has the sequence:
>
> ~~~
> cp $t fff.p
> $cmd -in fff.p -inform p -outform p >f.p
> cmp fff.p f.p
> ~~~
>
> This leads to a race condition, and causes the cmp to fail. A simple fix would be to use unique names for the temporary files for each test.

Ah, that explains a lot. I think I will change the status of this ticket to be fixed for 0.9.8, and simply add an entry about this in PROBLEMS.

-- Richard Levitte [EMAIL PROTECTED]
Re: run time problem
In message [EMAIL PROTECTED] on Thu, 1 Aug 2002 16:53:15 -0500, ANKIT K SHAH [EMAIL PROTECTED] said:

> I try to run s_client.c application (openssl-engine-0.9.6d) and it's giving me run time error connect: A remote host refused an attempted connect operation.
> What can be the problem?

The problem is that the host you wanted to connect to doesn't answer on the port you gave.

This kind of question should go to [EMAIL PROTECTED], not this list. This list is for development OF OpenSSL.

-- Richard Levitte
RE: [openssl.org #184] OpenVMS openssl-0.9.7-beta3.tar.gz
The -V ZIP of the .LIS files was a little big for my mailer Richard. I have placed it at http://wasd.vsm.com.au/wasd_tmp/

On the other issue. After the latest OpenSSL build and after a relink it seems to work. This is obviously some issue with my original build. I will go back to scratch and see what I did wrong. Forget about it unless I get back to you. Thanks.

++ Mark Daniel http://wasd.vsm.com.au/adelaide mailto:[EMAIL PROTECTED] ([EMAIL PROTECTED]) ++

[[EMAIL PROTECTED] - Thu Aug 1 09:03:44 2002]:

> > ~~~
> > Compiling The CA.C File.
> > if (!strcasecmp(rev_arg, crl_reasons[i]))
> > .^
> > %CC-I-IMPLICITFUNC, In this statement, the identifier strcasecmp is implicitly declared as a function.
> > at line number 2878 in file HT_ROOT:[SRC.OPENSSL-0_9_7-BETA3.APPS]CA.C;1
> > ~~~
>
> I'm not sure I've that version of DEC C available, so it seems like things have changed a bit, again. As far as I can see, CA.C includes strings.h, which declares strcasecmp() properly with Compaq C 6.4. So does string.h, but that one requires a flag macro to be defined...
>
> > ~~~
> > Compiling The SPEED.C File.
> > printf(HZ=%g, (double)HZ);
> > ^
> > %CC-I-IMPLICITFUNC, In this statement, the identifier sysconf is implicitly declared as a function.
> > at line number 1630 in file HT_ROOT:[SRC.OPENSSL-0_9_7-BETA3.APPS]SPEED.C;1
> > ~~~
>
> And speed.c include unistd.h, so sysconf() should also be properly declared...
>
> > ~~~
> > Compiling The S_TIME.C File.
> > Compiling The APPS.C File.
> > if (!strcasecmp(arg, none))
> > .^
> > %CC-I-IMPLICITFUNC, In this statement, the identifier strcasecmp is implicitly declared as a function.
> > at line number 1123 in file HT_ROOT:[SRC.OPENSSL-0_9_7-BETA3.APPS]APPS.C;1
> > ~~~
>
> Same problem as with ca.c, and same analysis...
>
> Mark, could you help me out here? Please send me [.crypto]opensslconf.h, and build like this:
>
> ~~~
> $ USER_CCFLAGS := /LIST/SHOW=ALL
> $ @makevms {your normal parameters}
> ~~~
>
> Then send me CA.LIS, SPEED.LIS and APPS.LIS (or if you want, look in them and find out what really happens :-)).
>
> (God, I love .LIS files :-). I wish that kind of compiler option was available on Unix...)
>
> > Also one major issue ... the following code works in all versions prior to 0.9.7b3 (including 0.9.6e). With 0.9.7b3 it returns a 'Total' of 1 which SS_CIPHER_get..() returns a string of (NONE). Can you tell me whether my original code is broken and 0.9.7 is just revealing this or is it a toolkit problem?
>
> How do you initialise the cipher list, and if you're building a shared library around OpenSSL, could it be issues with uninitialised stuff that have gone unnoticed? Just a few theories...
>
> -- Richard Levitte [EMAIL PROTECTED]
DES Encryption/Decryption with IV
Hello Everyone,

Has anyone had any experience using DES Decryption routines to decrypt a 16 byte ciphertext into the original using an IV?? I am receiving the IV and the Encrypted Data from a server that is using the MS Crypto API for des encryption and decryption. The mode is CBC (Cipher Block Chaining). I have to now decrypt this encrypted data (16 bytes) using the IV (8 bytes). However, after I decrypt, I am getting the wrong data. Please see a snip of the code below and let me know if you've come across anything similar or could help me at all. It would be tremendously appreciated.

SNIP

~~~
des_key_schedule *ks = NULL;

if(!input || !output || !inputLen || !iv)
    return -1;

ks = getSessionKey();

/* InputLen is 16 */
if(ks != NULL)
{
    des_ncbc_encrypt(input, output, inputLen, *ks, iv, DES_DECRYPT);
    dumpall (DECRYPTOUTPUT, output, (strlen ((char *) output)));
    fprintf (stderr, "\nOUTPUT in HEX: \n");
    dump (output, inputLen);
    fprintf (stderr, "\nIV in HEX: \n");
    dump (*iv, 8);
}
else
    return -2;
~~~

SNIP

Any assistance or feedback will be greatly appreciated. Thanks a lot in advance!!,

Regards,
J..