Re: [openssl-dev] [openssl.org #4673] a weird error, please help to check whether it is a bug. thanks!

2016-09-12 Thread Viktor Dukhovni

> On Sep 12, 2016, at 4:08 PM, zy_chongqing via RT wrote:
> 
> SSL_CTX_use_certificate_file returns 0, and the log shows:
> error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
> 1. This program is running well on one server, but failed on another. 
> Actually these 2 servers are in a mirror relationship.
> 2. I checked the pem file (as attached); it is also the same on the two 
> servers.
> 3. I checked the error reason, but cannot find any description of it on the 
> website.
> I am almost crazy over this issue, would you help to check what's the reason 
> for this error for me? Thanks a lot!
> my OS: Linux version 3.7.10-1.1-desktop (geeko@buildhost) (gcc version 4.7.2 
> 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu 
> Feb 28 15:06:29 UTC 2013 (82d3f21)
> OpenSSL version: OpenSSL 1.1.0  25 Aug 2016
> thanks & Regards!

Use stronger keys, see:

https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html

-- 
Viktor.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
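
An added example (not part of the original thread and not OpenSSL's own code): a shell check, built on `openssl x509`, that reports whether a certificate's public key meets the minimum size the linked SSL_CTX_set_security_level page lists for a given security level, which is the condition behind "ee key too small". The function names are hypothetical, and the size table holds the documented per-level minimums for RSA/DSA and EC keys.

```shell
#!/bin/sh
# Added example: function names are hypothetical; needs the openssl CLI.

# Print "<algorithm> <bits>" for the public key in a PEM certificate.
cert_key_info() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ { gsub(/[^0-9]/, ""); print alg, $0; found = 1; exit }
        END { exit !found }'
}

# Highest security level (0-5) whose documented minimum key size is met.
# Minimums are those listed in SSL_CTX_set_security_level(3) for levels 1..5.
key_max_level() {  # $1 = algorithm, $2 = key size in bits
    case "$1" in
        id-ecPublicKey) mins="160 224 256 384 512" ;;
        rsaEncryption|rsassaPss|dsaEncryption) mins="1024 2048 3072 7680 15360" ;;
        *) return 2 ;;
    esac
    level=0
    for m in $mins; do
        [ "$2" -ge "$m" ] || break
        level=$((level + 1))
    done
    echo "$level"
}

# Exit 0 if the certificate's key is large enough for level $2, 1 if it
# would be refused as "ee key too small", 2 if the key could not be examined.
ee_key_ok() {  # $1 = PEM certificate, $2 = security level
    info=$(cert_key_info "$1") || { echo "$1: no readable public key" >&2; return 2; }
    max=$(key_max_level $info) || { echo "$1: unhandled key type ($info)" >&2; return 2; }
    if [ "$max" -ge "$2" ]; then
        echo "$1: $info bits, accepted at level $2"
    else
        echo "$1: $info bits, too small for level $2 (highest usable level: $max)"
        return 1
    fi
}

# Usage: sh check_ee_key.sh cert.pem [level]   (level defaults to 1)
if [ "$#" -ge 1 ]; then
    ee_key_ok "$1" "${2:-1}"
fi
```

The size check only applies to libraries that have security levels, which were introduced in OpenSSL 1.1.0, so `openssl version` is worth recording alongside the result on each host.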



[openssl-dev] [openssl.org #4673] a weird error, please help to check whether it is a bug. thanks!

2016-09-12 Thread zy_chongqing via RT
Hello,
I have a function to initialize the CTX as below:

#include <openssl/ssl.h>
#include <openssl/err.h>

#define CA_CERT_PATH    "./pem"
#define RSA_CLIENT_CERT "./pem/PushChatCert.pem"
#define RSA_CLIENT_KEY  "./pem/PushChatKey.pem"

bool CAPNSClient::InitCTX()
{
    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

    m_pMeth = TLS_client_method();
    m_pCtx = SSL_CTX_new(m_pMeth);
    if (NULL == m_pCtx)
    {
        ERRLOG("Could not get SSL Context");
        return false;
    }

    if (0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))
    {
        ERRLOG("Failed to set CA location:%s",
               ERR_error_string(ERR_get_error(), NULL));
        return false;
    }

    /* This is the call that returns 0 with "ee key too small" */
    if (0 == SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT,
                                          SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Certificate File:%s",
               ERR_error_string(ERR_get_error(), NULL));
        return false;
    }

    SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"Memo_Server");

    if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY,
                                         SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Private Key:%s",
               ERR_error_string(ERR_get_error(), NULL));
        return false;
    }

    /* Check if the client certificate and private key match */
    if (0 == SSL_CTX_check_private_key(m_pCtx))
    {
        ERRLOG("Private key does not match the certificate public key");
        return false;
    }

    return true;
}

SSL_CTX_use_certificate_file returns 0, and the log shows:
error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
1. This program is running well on one server, but failed on another. Actually 
these 2 servers are in a mirror relationship.
2. I checked the pem file (as attached); it is also the same on the two servers.
3. I checked the error reason, but cannot find any description of it on the 
website.
I am almost crazy over this issue, would you help to check what's the reason 
for this error for me? Thanks a lot!
my OS: Linux version 3.7.10-1.1-desktop (geeko@buildhost) (gcc version 4.7.2 
20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 
28 15:06:29 UTC 2013 (82d3f21)
OpenSSL version: OpenSSL 1.1.0  25 Aug 2016
thanks & Regards!
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4673
Please log in as guest with password guest if prompted



PushChatCert.pem
Description: Binary data


[openssl-dev] [openssl.org #4130] Provide enginesdir in pkgconfig file

2016-09-12 Thread Richard Levitte via RT
Fixed in the 1.1.0 and 1.0.2 branches, as well as master.

Closing ticket. Thank you!

Cheers,
Richard

On Mon Nov 09 08:15:26 2015, dw...@infradead.org wrote:
> External engines such as engine_pkcs11 want to install into
> $ENGINESDIR. Would be nice if we could tell where it is by using
> $(pkg-config --variable=enginesdir openssl)
>
> It's theoretically possible to find it by defining HEADER_CRYPTLIB_H
> and then including opensslconf.h, although that's horrid enough even
> before you consider cross-compilation (i.e. you can't just use printf).
>
> Can we put it in openssl.pc please?
>
> (Of course, something as fundamental as engine_pkcs11 shouldn't be
> external anyway, but that's a different story...)
>


--
Richard Levitte
levi...@openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4130
Please log in as guest with password guest if prompted
