Re: RANDFILE configuration

[Mads Toftum]

On Tue, Jul 11, 2000 at 01:47:11PM -0700, Yewen Tang wrote:
> I used following command to check if openssl 0.9.5a is installed OK,
> 
> openssl s_client -connect shop.sol.no:443
> 
> and given out following error
> 
> unable to load 'random state'
> This means that the random number generator has not been seeded
> with much random data.
> Consider setting the RANDFILE environment variable to point at a file that
> 'random' data can be kept in (the file will be overwritten).

This is in the FAQ: http://www.openssl.org/support/faq.html#6

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RANDFILE configuration

[Yewen Tang]

I used following command to check if openssl 0.9.5a 
is installed OK,
 
openssl s_client -connect 
shop.sol.no:443
 
and given out following error
 
unable to load 'random state'This means that 
the random number generator has not been seededwith much random 
data.Consider setting the RANDFILE environment variable to point at a file 
that'random' data can be kept in (the file will be 
overwritten).CONNECTED(0003)depth=1 /C=US/O=RSA Data Security, 
Inc./OU=Secure Server Certification Authorityverify error:num=19:self signed 
certificate in certificate chainverify 
return:023363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG 
not seeded:md_rand.c:538:23363:error:05067003:Diffie-Hellman 
routines:DH_generate_key:BN lib:dh_key.c:148:23363:error:14098005:SSL 
routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:bad asn1 object 
header:s3_clnt.c:1405:
 
It seems my openssl can't go farther after it 
connected with a HTTPS server. Anybody know to deal with this random number 
problem?
 
 

compling ssl on Windows 2000

[eda turan]

hi,
i had a problem in compling SSL in WIndows 2000.
the error message is :

Building OpenSSL
 link /nologo /subsystem:console /machine:I386 /opt:ref /dll 
/out:out32dl
l\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\eturan\LOCALS~1\Temp\nma00920.
OPTLINK (R) for Win32  Release 7.50.6
Copyright (C) Symantec Corporation 1989-97  All rights reserved.
OPTLINK : Warning 9: Unknown Option : DLL
OPTLINK : Warning 9: Unknown Option : OUT
OPTLINK : Warning 9: Unknown Option : LIBEAY32.DEF
:ref.obj
  Error 2: File Not Found :ref.obj
NMAKE : fatal error U1077: 'link' : return code '0x1'
Stop.

What could be the problem?

Thanks
Eda Turan
Graduate Research Assistant
OSU, Corvallis, OR

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: ssl for authentication only

[Eric Murray]

On Tue, Jul 11, 2000 at 01:22:27PM -0700, [EMAIL PROTECTED] wrote:
> hello,
> 
> i have a somewhat unusual question about ssl that i hope someone 
> here will be able to answer.
> 
> i'm working on an embedded device with an imap client in it. we'd 
> like to be able to authenticate to the imap server without revealing 
> the password to eavesdroppers. the only form of security for imap 
> supported by the server we use is ssl. we think that our device 
> doesn't have the horsepower to do full ssl at the datarates we need. 
> by poking around in the ssl rfc, i found that ssl has commands to 
> change the encryption algorithm dynamically. 
> 
> so my idea was this: establish a connection, turn on full-strength 
> encryption, and then send the login command. once i'm logged in, i 
> can then negotiate back down to no encryption. that way, the 
> user's password, at least, is hidden, even if nothing else is. 
> 
> is this possible? will the server allow it? what openssl function 
> would i use to turn off encryption after i've logged in?

You can do that, but the problem is that the part of the SSL protocol that
used the most CPU cycle is the public-key operations for authenticating
the server and doing the key exchange.  That happens when the SSL
connection's set up.  So the only good that you'd be doing by switching
to a lower-protection ciphersuite after sending the login would be to
reduce the overhead of the bulk encryption algorithm (and possibly the
hashing algorithm if you renegotiate to NULL).

Since the CPU overhead for the public-key ops is a lot higher than
the symmetric-key stuff, renegotiating doesn't save you
all that much.

Also, another problem is that if you are using someone else's
client (i.e. a web browser), many clients won't do SSL_WITH_NULL_NULL.
or SSL_WITH_NULL_MD5.


-- 
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5
Security consulting: security reviews, protocols, crypto, ssl.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

DSA signing problem on Windows

[Kerschbaum, Florian]

Hi,

I am trying to sign a root certificate using a DSA key:

I am using Windows 2000 and openssl 0.95a issuing the following commands:

openssl dsaparam -out dsa.cnf 1024
openssl req -newkey dsa:dsa.cnf -keyout root.key

-newkey within the same command didn't work. It issued a RSA certificate.

openssl req -new -out root.ca -key root.key -config openssl.cnf -x509

I do get the following error:

312:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not
seeded:.\crypto\rand\md_rand.c:470:
312:error:0A06B003::lib(10) :DSA_sign_setup:BN
lib:.\crypto\dsa\dsa_ossl.c:214:
312:error:0A070003::lib(10) :DSA_do_sign:BN lib:.\crypto\dsa\dsa_ossl.c:152:
312:error:0D072006:asn1 encoding routines:ASN1_sign:bad get asn1 object
call:.\crypto\asn1\a_sign.c:129:

I think this is an error due to not being seeded. Specifing a random file in
openssl.cnf or putting .rnd in the current directory didn't work either.

Hints or patches are welcome.

Thanks,
Florian Kerschbaum

P.S. Good work OpenSSL team !

Disclaimer: All opinions expressed in this e-mail or my own and do not
officially represent my current employer.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Build Failure On Digital Unix 4.0D

[Richard Levitte - VMS Whacker]

From: "Boyce, Nick" <[EMAIL PROTECTED]>

nick.boyce> I've just had a go at building OpenSSL 0.9.5a on our
nick.boyce> Digital Unix box, but the build fails, apparently with a
nick.boyce> bizarre parameter error in a linker call, thus :
nick.boyce> ===< cut >
nick.boyce>
nick.boyce>
nick.boyce> cc -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4 
-readonly_strings -c smime.c
nick.boyce> cc -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4 
-readonly_strings -c rand.c
nick.boyce> cc -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4 
-readonly_strings -c openssl.c
nick.boyce> rm -f openssl
nick.boyce> cc -o openssl -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4 
-readonly_strings openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o 
passwd.o gendh.o errstr.o  ca.o pkcs7.o crl2p7.o crl.o  rsa.o dsa.o dsaparam.o x509.o 
genrsa.o gendsa.o s_server.o s_client.o speed.o  s_time.o apps.o s_cb.o s_socket.o 
app_rand.o version.o sess_id.o  ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o  smime.o 
rand.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto 
nick.boyce> ld:
nick.boyce> Badly formed hex number: -std1
nick.boyce> ld: Usage: ld [options] file [...]
nick.boyce> *** Exit 1
nick.boyce> Stop.
nick.boyce> *** Exit 1
nick.boyce> Stop.
nick.boyce> ===< cut >

Well, it looks like Compaq C will just ignore -fPIC when it compiles,
and try to pass it on to ld when linking is going on.  However,
there's no support for -fPIC anywhere in True64.  If you check the
manual for ld, you'll probably find a few lines about '-f fil', where
the filling is expected to be a 4-byte hex constant.

My suggestion: don't configure with -fPIC on True64.

EOL

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

ssl for authentication only

[clausen]

hello,

i have a somewhat unusual question about ssl that i hope someone 
here will be able to answer.

i'm working on an embedded device with an imap client in it. we'd 
like to be able to authenticate to the imap server without revealing 
the password to eavesdroppers. the only form of security for imap 
supported by the server we use is ssl. we think that our device 
doesn't have the horsepower to do full ssl at the datarates we need. 
by poking around in the ssl rfc, i found that ssl has commands to 
change the encryption algorithm dynamically. 

so my idea was this: establish a connection, turn on full-strength 
encryption, and then send the login command. once i'm logged in, i 
can then negotiate back down to no encryption. that way, the 
user's password, at least, is hidden, even if nothing else is. 

is this possible? will the server allow it? what openssl function 
would i use to turn off encryption after i've logged in?

thanks in advance.
   --caleb
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Build Failure On Digital Unix 4.0D

[Boyce, Nick]

I've just had a go at building OpenSSL 0.9.5a on our Digital Unix box, but
the build fails, apparently with a bizarre parameter error in a linker call,
thus :
===< cut >
   
   
cc -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4
-readonly_string
s -c smime.c
cc -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4
-readonly_string
s -c rand.c
cc -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4
-readonly_string
s -c openssl.c
rm -f openssl
cc -o openssl -DMONOLITH -I../include -DNO_IDEA -fPIC -std1 -tune host -O4
-read
only_strings openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o
pas
swd.o gendh.o errstr.o  ca.o pkcs7.o crl2p7.o crl.o  rsa.o dsa.o dsaparam.o
x50
9.o genrsa.o gendsa.o s_server.o s_client.o speed.o  s_time.o apps.o s_cb.o
s_so
cket.o app_rand.o version.o sess_id.o  ciphers.o nseq.o pkcs12.o pkcs8.o
spkac.o
 smime.o rand.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto 
ld:
Badly formed hex number: -std1
ld: Usage: ld [options] file [...]
*** Exit 1
Stop.
*** Exit 1
Stop.
===< cut >

I've searched the list archives, but this isn't the same as any previously
reported problem with Digital Unix that I can find.   Configure appeared to
work OK, except for reporting that it couldn't set up for threads (which is
OK by me).   I'm building for use with Apache/MOD_SSL, so I configured with 
  sh config no-idea -fPIC

The box is Digital Unix 4.0D with Patch Kit 5, on an AXP 4270 (dual CPU).
I'm using DEC's C compiler (the standard one - not the "better" one you can
download from their website).

I'll be grateful if anybody has any ideas here ...

[ PS: I noted previous issues with D/Unix 4.0x in the archive which resulted
in advice to avoid the assembler routines on this platform; is that still
the right advice ?   If so, do I achieve this using "./config no-asm" ? ]

Thanks
> Nick
> Systems Team, EDS Healthcare, Bristol, UK
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Installation...

[문규원]

Hello..
 
My name is Kyuwon.
 
I have installed the openssl in windows NT.
 
But, I have a problem.. It is INSTALLTOP 
directory...
 
I have installed the openssl in 
"e:\apache\openssl"..
 
How do I change the position of INSTALLTOP 
directory?
 
and...
 
How do I create test certification for csr created in 
IIS?
 
Thanks for reading my mail...
 
Please send me a answer?
 

Re: Encryption algorithm

[Richard Levitte - VMS Whacker]

From: "Gotfried, Colette" <[EMAIL PROTECTED]>

To begin with, what part of OpenSSL are we talking about?  I'm
assuming that it's the "openssl genrsa" application.  If not, you'll
have to restate your question:

ColetteG> Another set of very very basic questions:
ColetteG> 
ColetteG> - What encryption algorithm does openSSL use when generating
ColetteG>   the asymmetric keys?

Technically none.  However, you may have meant to ask what algorithm
is used to encrypt the generated key.  By default it's not encrypted,
but with the arguments '-des', '-des3' or '-idea', you will have it
encrypted with one of those algorithms.

ColetteG> - Is it something that the developer has to specify, or is
ColetteG> there a default?

That got answered above.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Encryption algorithm

[Gotfried, Colette]

Hi everyone,

Another set of very very basic questions:

- What encryption algorithm does openSSL use when generating the asymmetric
keys?
- Is it something that the developer has to specify, or is there a default?
Thank you

Colette
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

What about internationalization?

[Gotfried, Colette]

Hello !

I have some questions regarding international compliance for the Certificate
requests and keys.
-Are there any implications in the Certificate request content, and
response, to the international string formats? like, can an CSR support
different character sets, time and dates format than the US. 
- Does openSSL have any specific features related to that?
- Same question applies for the formats involved at key exchange time
between server and client, or is it country independent raw data?
Thank you.
Colette
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: make failure

[Richard Levitte - VMS Whacker]

From: "Govind Vinjamuri" <[EMAIL PROTECTED]>

Looks like a gcc bug to me.  I think it's better to upgrade GNU c a
bit, BTW, 2.7 is a bit old, and some of those versions had flaws, IIRC.

gvinjamu> make
gvinjamu> making all in crypto...
gvinjamu> ( echo "#ifndef MK1MF_BUILD"; \
gvinjamu> echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
gvinjamu> echo "  #define CFLAGS \"gcc -DTHREADS -D_REENTRANT -DNO_ASM -O3 
-fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W\""; \
gvinjamu> echo "  #define PLATFORM \"solaris-sparcv7-gcc\""; \
gvinjamu> echo "  #define DATE \"`date`\""; \
gvinjamu> echo "#endif" ) >buildinf.h
gvinjamu> gcc -I. -I../include -DTHREADS -D_REENTRANT -DNO_ASM -O3 
-fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W  -c  cryptlib.c
gvinjamu> In file included from 
/appl/gnu/lib/gcc-lib/sparc-sun-solaris2.5.1/2.7.2.3/include/time.h:90,
gvinjamu>  from /usr/include/sys/time.h:405,
gvinjamu>  from /usr/include/sys/select.h:17,
gvinjamu>  from 
/appl/gnu/lib/gcc-lib/sparc-sun-solaris2.5.1/2.7.2.3/include/sys/types.h:281,
gvinjamu>  from 
/appl/gnu/lib/gcc-lib/sparc-sun-solaris2.5.1/2.7.2.3/include/unistd.h:15,
gvinjamu>  from ../include/openssl/e_os.h:278,
gvinjamu>  from cryptlib.h:69,
gvinjamu>  from cryptlib.c:61:
gvinjamu> /usr/include/sys/siginfo.h:74: parse error before `pthread_attr_t'
gvinjamu> /usr/include/sys/siginfo.h:74: warning: no semicolon at end of struct or 
union
gvinjamu> /usr/include/sys/siginfo.h:76: parse error before `}'
gvinjamu> *** Error code 1
gvinjamu> make: Fatal error: Command failed for target `cryptlib.o'
gvinjamu> Current working directory /tmp/openssl-0.9.5a/crypto
gvinjamu> *** Error code 1
gvinjamu> make: Fatal error: Command failed for target `all'
gvinjamu> 

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

make failure

[Govind Vinjamuri]

solaris 2.7 gcc27

--
Govind Vinjamuri
NSA Unix Administrator
Clinical Research Computing Unit (CRCU)
215-573-5977



make
making all in crypto...
( echo "#ifndef MK1MF_BUILD"; \
echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
echo "  #define CFLAGS \"gcc -DTHREADS -D_REENTRANT -DNO_ASM -O3 -fomit-frame-pointer 
-Wall -DB_ENDIAN -DBN_DIV2W\""; \
echo "  #define PLATFORM \"solaris-sparcv7-gcc\""; \
echo "  #define DATE \"`date`\""; \
echo "#endif" ) >buildinf.h
gcc -I. -I../include -DTHREADS -D_REENTRANT -DNO_ASM -O3 -fomit-frame-pointer -Wall 
-DB_ENDIAN -DBN_DIV2W  -c  cryptlib.c
In file included from 
/appl/gnu/lib/gcc-lib/sparc-sun-solaris2.5.1/2.7.2.3/include/time.h:90,
 from /usr/include/sys/time.h:405,
 from /usr/include/sys/select.h:17,
 from 
/appl/gnu/lib/gcc-lib/sparc-sun-solaris2.5.1/2.7.2.3/include/sys/types.h:281,
 from 
/appl/gnu/lib/gcc-lib/sparc-sun-solaris2.5.1/2.7.2.3/include/unistd.h:15,
 from ../include/openssl/e_os.h:278,
 from cryptlib.h:69,
 from cryptlib.c:61:
/usr/include/sys/siginfo.h:74: parse error before `pthread_attr_t'
/usr/include/sys/siginfo.h:74: warning: no semicolon at end of struct or union
/usr/include/sys/siginfo.h:76: parse error before `}'
*** Error code 1
make: Fatal error: Command failed for target `cryptlib.o'
Current working directory /tmp/openssl-0.9.5a/crypto
*** Error code 1
make: Fatal error: Command failed for target `all'

RE: Docs

[mark schoneman]

A bit outdated but still useful is
http://www.columbia.edu/~ariel/ssleay/. BTW it looks like ariel may not
be at Columbia anymore so I don't know how long these will be available.

  Mark S.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Marko Vukovic'
Sent: Tuesday, July 11, 2000 8:12 AM
To: [EMAIL PROTECTED]
Subject: Re: 


simon wrote:
> 
> Hi all, where can I get the documents about the usage of functions in
openssl lib?
> 
> [EMAIL PROTECTED]
> 

Have you been through this document:
  http://www.openssl.org/docs/ssl/ssl.html

-- 
Marko Vukovic'  E-mail: [EMAIL PROTECTED]
Technical Support,  WWW:http://www.cequrux.com
CEQURUX TechnologiesPhone:  +27(21)423-6065
Firewalls/VPN Specialists   Fax:+27(21)424-3656
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re:

[Marko Vukovic']

simon wrote:
> 
> Hi all, where can I get the documents about the usage of functions in openssl lib?
> 
> [EMAIL PROTECTED]
> 

Have you been through this document:
http://www.openssl.org/docs/ssl/ssl.html

-- 
Marko Vukovic'  E-mail: [EMAIL PROTECTED]
Technical Support,  WWW:http://www.cequrux.com
CEQURUX TechnologiesPhone:  +27(21)423-6065
Firewalls/VPN Specialists   Fax:+27(21)424-3656
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: RE:

[simon]

>You have asked the $1,000,000 question.
>If you get any information  about any documentation, please tell me also ...
>
>Itai Levy,
>Software Developer R&D
>Algorithmic Research Ltd. ( Data Security Across the Enterprise )
>10 Nevatim st., Kiryat Matalon
>Petah Tikva 49561
>Israel
>
>Tel: +972-3-9279514
>e-mail:[EMAIL PROTECTED]
>http://www.arx.com
>
> 
>
Really? It's a lot of money.

[EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

keytool, and jarsigner

[Sergio Basto]

 RTF file

RE: Stop the listserver!

[Gotfried, Colette]

No. She was exactly referring to the sentence used by Michael: "Stop being
silly women and bickering about it". THIS was the sexist sentence!
Considering the fact that most of the arguing parties were men.
Good answer Deborah.


-Original Message-
From: Charles Forsythe [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2000 6:03 PM
To: [EMAIL PROTECTED]
Subject: Re: Stop the listserver!


"Hansknecht, Deborah A" wrote:
> 
> How about all of you stop being silly MEN?

At least the discussion was vaguely technical and vaguely on topic. 
This is just a moronic, sexist remark.

-- Charles
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE:

[Levy itai]

You have asked the $1,000,000 question.
If you get any information  about any documentation, please tell me also ...

Itai Levy,
Software Developer R&D
Algorithmic Research Ltd. ( Data Security Across the Enterprise )
10 Nevatim st., Kiryat Matalon
Petah Tikva 49561
Israel

Tel: +972-3-9279514
e-mail:[EMAIL PROTECTED]
http://www.arx.com

 

-Original Message-
From: simon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 11, 2000 12:17 PM
To: openssl users
Subject: 


Hi all, where can I get the documents about the usage of functions in
openssl lib? 

[EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Ret: Re: How do I reuse a SSL-session on the client-side?

[Lutz Jaenicke]

On Tue, Jul 11, 2000 at 01:52:20PM +0200, [EMAIL PROTECTED] wrote:
> could SSL_get1_session() help me out?
Probably, see the post of Geoff Thorpe.

> I've downloaded the latest snapshot (
> ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix/snapshot-2531.tar.gz
> ),
> but in this I've found nothing about SSL in it.
> Have I got something wrong?
Yes, this is the original postfix-source. You then need the patchkit to
install the TLS extension:
ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.6.12-snap2531-0.9.5a.tar.gz

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

itissl-0.3 dll for NT40

[Allan Coignet]

Hi,

Has somebody generated the itissl.dll for NT40 with the last itissl
version (0.3).
I would like to have it to make some interoperability tests. thanks.

A.

--
-

 Allan Coignet  Operating Systems Lab. (LSE)
 Mail: [EMAIL PROTECTED]Communication Systems Department
(DSC)
 Tel: +41 21 693 5269   Swiss Federal Institute of
Technology  (EPFL)
 Fax: +41 21 693 6770   CH-1015 Lausanne, SWITZERLAND
 Phd. Student & Research Assistant  WWW: http://lsewww.epfl.ch/~acoignet



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Ret: Re: How do I reuse a SSL-session on the client-side?

[silvio . matthes]

Hallo Lutz,

first of all, thanks for your help.

>Remark: I "get" the sessions and save them into an external database,
>later reload them from the database, so I don't have the following
problem:
>SSL_get_session() does not create a copy of the session for you, just a
>pointer to the place where the session is stored. Hence, the session might
be
>(re-)moved inside the SSL-engine and the SSL_set_session() might fail.
>You must hence create your own copy of the session to avoid this problem,
>check out i2d_SSL_SESSION() for that.

could SSL_get1_session() help me out?
In my code-example posted in the request,
in which cases the ssl-engine might remove the session?


>PS. As I told you I use it, so you can have a look into the source of
>my Postfix/TLS patchkit (available at my homepage) for an example.

I've downloaded the latest snapshot (
ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix/snapshot-2531.tar.gz
),
but in this I've found nothing about SSL in it.
Have I got something wrong?


best regards,

Silvio Matthes



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

openssl and netscape certificate server V4

[fabrice . legrand]

I'd like to form some certificate request using openssl req.
The wished user DN format is : CN=,UID=,OU=,O=
I use the following config file  (extract) :

[req_dn]
O   = myorg
OU  = myou
UID = myuserid
CN  = my cn

I use to get this formulated DN on the request file : CN=my cn , 2.5.4.45=myuserid, 
OU=myorg,O=myorg

The oid 2.5.4.45 doesn't seems to match the UID's oid in netscape server which seems 
to be 0.9.2342.19200300.100.1.1 (information from internet explorer display of a 
certificate).
I tried to insert some oid section but it doesn't work (not sure of the syntax).

So how can i do to make openssl req formulate correct DN ?

Thanks.



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Digital Signature

[Sebastiano Di Paola]

Hi All,
Can anyone help me to write some code that Extract the private key from
PKCS12 File ,extract the public key associated with the previous private
key
and make a digital signature of a digest with the private key?
I think I have to use PKCS12_parse() and EVP_SignInit but I don't know
how!
Kind regards
Sebastiano
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

No Subject

[simon]

Hi all, where can I get the documents about the usage of functions in openssl lib? 

[EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How do I reuse a SSL-session on the client-side?

[Geoff Thorpe]

Hi there,

On Tue, 11 Jul 2000, Lutz Jaenicke wrote:

> On Mon, Jul 10, 2000 at 07:50:06PM +0200, [EMAIL PROTECTED] wrote:
> > I hope you will help me again:
> > How do I reuse a SSL-Session on the client-side?
> > I'm writing a Http-SSL-Client based on Open-SSL.
> > I do a simple socket connect, then use SSL-connect on the socket.
> > This is where (in my opinion) Open-SSL and the Webserver are creating a 
>SSL-Session.
> > On webserver-side this is taking a lot of cpu-power.
> > After a request, the webserver shuts down the connection.
> > So I do a new socket-connect.
> > An little example of code is at the end of this message.
> > My Question is: What will I have to do to reuse the previously created SSL-Session?
> 
> You have to extract the session on the client side and manually re-load it,
> as the SSL-client-engine has no idea to which server it is connected.
> You get the session with SSL_get_session(). Then later, just before the
> SSL_connect, you set the session with SSL_set_session(ssl, old_session).
> 
> Remark: I "get" the sessions and save them into an external database,
> later reload them from the database, so I don't have the following problem:
> SSL_get_session() does not create a copy of the session for you, just a
> pointer to the place where the session is stored. Hence, the session might be
> (re-)moved inside the SSL-engine and the SSL_set_session() might fail.
> You must hence create your own copy of the session to avoid this problem,
> check out i2d_SSL_SESSION() for that.

Or instead of SSL_get_session(), you can use SSL_get1_session() which
obtains a reference count to the SSL_SESSION ... hence the SSL framework
will not remove the session, only subtract its own reference from the
session, the session itself will survive until we free our own reference
too. This is probably the easiest way to operate, except that one will
need to have a "cache"'d session for each of the servers it might connect
to (or at least some way of matching stored sessions to the server they
came from). Anyway, in the language of the original psuedo-code, here's
how it can work when connecting only to one server (generalising to
multiple servers is an exercise for the reader, who hopefully has a better
idea of their requirements than I do).


SSL_SESSION *cached = NULL;

while(TRUE) {

/* Create a new SSL ready to connect with */

if(cached)
/* fine, reuse the existing session (if possible) - this will
 * still negotiate a new session if the server can't resume
 * the "cached" one. */
SSL_set_session(the_ssl, cached);

/* Go about the handshake and other pleasantries */

if(SSL_is_init_finished(the_ssl)) {
/* OK, we have a functioning SSL session again, check if we have
 * to release our previous reference before caching the session
 * that is *now* in use. */
if(cached)
SSL_SESSION_free(cached);
/* Steal the potentially newer session from the SSL */
cached = SSL_get1_session(the_ssl);
}

/* etc etc etc ... */

if(about_to_bail_out_without_wanting_memory_leaks) {
if(cached)
SSL_SESSION_free(cached);
return (return_code);
}

/* otherwise loop back to the beginning ... */
}


Cheers,
Geoff


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

make test hangs while reading from /dev/urandom

[Gerd Schering]

Excuse me,
for mailing this question once again, but now I know a little bit more:
I´ve compiled openssl-0.9.5a with shared libs under linux (make linux-shared).
After installing the shared libs I ran "make test".
Most of the tests just seem to be o.k., but when it comes to the generation of
a self signed cert from a certificate request  generated by the test
suite, i.e.:
"convert the certificate request into a self signed certificate using 'x509' "
the whole process hangs - it´s still running, ..

The process tries treads from /dev/urandom (1024 bytes each attempt), but never
returns.

Any idea why?

Gerd

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: coredumps in OpenSSL

[Lutz Jaenicke]

On Tue, Jul 11, 2000 at 11:07:16AM +0200, Kallweit, Heiner wrote:
> To answer the question of Lutz: I compiled OpenSSL
> with _REENTRANT, so errno is a #define to *__errno().

You are obviously using a different version than I am doing, since
  find . -name "*" -print | xargs grep __errno
doesn't yield anything. But I run HP-UX 10.20, you have 11.

> The reason for the crash is always a SIGSEGV. Of course
> I also thought first of a heap corruption. But the wicked
> thing is that the crash sometimes happens when just entering
> a function which doesn't access malloced data.

Given the stacktrace you did show with the crash at __errno(), this would
mean the following: The place at which the errno for the particular
thread is stored is returned by __errno() and OpenSSL tries to write "0"
to that location. The location however does not exist inside the
address range of your process.
I don't have an idea about the internal working of HP-UX 11-threads,
but probably whenever you create a thread, memory must be allocated
in some manner to save the per-thread information.
So, even if an innocent call to "errno" may require a lookup into
memory, that has been allocated on the run a long time ago and that
was damaged at some completely other part of the program.
[I don't want to insist on my theory though, I just cannot offer something
better at this point :-)]

Of course, you can also have corrupted stack :-)

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: coredumps in OpenSSL

[Kallweit, Heiner]

Thanx for the response.
To answer the question of Lutz: I compiled OpenSSL
with _REENTRANT, so errno is a #define to *__errno().
The reason for the crash is always a SIGSEGV. Of course
I also thought first of a heap corruption. But the wicked
thing is that the crash sometimes happens when just entering
a function which doesn't access malloced data.
The only common thing between the crashes is that they always
happen somewhere inside of ssl3_connect.

Heiner
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How do I reuse a SSL-session on the client-side?

[Lutz Jaenicke]

On Mon, Jul 10, 2000 at 07:50:06PM +0200, [EMAIL PROTECTED] wrote:
> I hope you will help me again:
> How do I reuse a SSL-Session on the client-side?
> I'm writing a Http-SSL-Client based on Open-SSL.
> I do a simple socket connect, then use SSL-connect on the socket.
> This is where (in my opinion) Open-SSL and the Webserver are creating a SSL-Session.
> On webserver-side this is taking a lot of cpu-power.
> After a request, the webserver shuts down the connection.
> So I do a new socket-connect.
> An little example of code is at the end of this message.
> My Question is: What will I have to do to reuse the previously created SSL-Session?

You have to extract the session on the client side and manually re-load it,
as the SSL-client-engine has no idea to which server it is connected.
You get the session with SSL_get_session(). Then later, just before the
SSL_connect, you set the session with SSL_set_session(ssl, old_session).

Remark: I "get" the sessions and save them into an external database,
later reload them from the database, so I don't have the following problem:
SSL_get_session() does not create a copy of the session for you, just a
pointer to the place where the session is stored. Hence, the session might be
(re-)moved inside the SSL-engine and the SSL_set_session() might fail.
You must hence create your own copy of the session to avoid this problem,
check out i2d_SSL_SESSION() for that.

Best regards,
Lutz
PS. As I told you I use it, so you can have a look into the source of
my Postfix/TLS patchkit (available at my homepage) for an example.
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

SV: openssl & outlook express

[Hellan,Kim KHE]

I have been having some problems with this too, and here is what you need to
check.

- Use Outlook Express 5.x (on some 4.x installations I haven't been able to
make it work)
- Make sure that your root (CA) certificate is installed in Windows (listed
in the Certification authorities tab in the security settings) and that you
trust this CA.
- Make sure that the e-mail address in the certificate is the same as the
e-mail address specified for your account.
- Try creating the PKCS#12 files with the '-keyex' option
- If you are using Outlook Express 5.01 and are trying to specify the
certificate for digital signature, make sure that this certificate has
KeyUsage=digtalSignature, nonRepudiation (as a minimum).

Regards,
Kim Hellan
KMD / KMD-CA
http://www-kmd-ca.dk

> -Oprindelig meddelelse-
> Fra:  mariano jesus [SMTP:[EMAIL PROTECTED]]
> Sendt:11. juli 2000 11:30
> Til:  [EMAIL PROTECTED]
> Emne: openssl & outlook express
> 
> Hi all.
> 
> I have my own CA and i generate my own digital id. (public and private
> keys
> and certificates) with openssl-0.9.5a.
> first I convert thats keys to pkcs12 format  and .cer format and they are
> export to outlook. Outlook reponse ok the import was success. But in the
> tools/account i select the apropiate account and in the propierties i
> select the security tab.
> in the box "certificate" nothing appears. I have had the caution of
> putting
> in the certificate (in subject) the e-mail address   of outlook's account.
> 
> If I import a digital id from verisign all is ok.
> 
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

openssl & outlook express

[mariano jesus]

Hi all.

I have my own CA and i generate my own digital id. (public and private keys
and certificates) with openssl-0.9.5a.
first I convert thats keys to pkcs12 format  and .cer format and they are
export to outlook. Outlook reponse ok the import was success. But in the
tools/account i select the apropiate account and in the propierties i
select the security tab.
in the box "certificate" nothing appears. I have had the caution of putting
in the certificate (in subject) the e-mail address   of outlook's account.

If I import a digital id from verisign all is ok.

is the problem that My Ca isn't registered in the tab LDAP?
are there to register the digital id. in the registry of windows?.
is it  necessary to use an ActiveX control?.
anybody knows what  I am  doing bad?.

Thanks in advice.

__

  Mariano Jesus Perez
   University of Málaga (Spain)
 Security Group (GYSUM)
__


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: coredumps in OpenSSL

[Lutz Jaenicke]

Hi!

First, let me state that I am just trying a shot into the dark :-)

On Mon, Jul 10, 2000 at 06:20:20PM +0200, Kallweit, Heiner wrote:
> > From: "Kallweit, Heiner" <[EMAIL PROTECTED]>
> > 
> > Heiner.Kallweit> we use OpenSSL 0.9.5a together with Libwww in a CGI
> > Heiner.Kallweit> on a HP-UX 11.0 platform.
> > Heiner.Kallweit> About every 100th request I get a coredump. Strange
> > Heiner.Kallweit> enough, the coredump happens in different functions
> > Heiner.Kallweit> in libcrypto.sl. When I do a backtrace with gdb I can
> > Heiner.Kallweit> see that the crash always happens at the beginning of
> > Heiner.Kallweit> the handshake. But the origin of the backtrace is at
> > Heiner.Kallweit> slightly different places in the handshake_func.
> > 
> > The origin perhaps, but do all the crashes end in CRYPTO_thread_id()?
> > Could you tell us what functions it ends up happening in (the one in
> > frame #0)?
> No, it crashes in different functions, but always inside the handshake_func.
> I include another example:
> 
> #0  0xc0205e34 in __errno () from /usr/lib/libc.2
> #1  0xc1dc62f4 in sock_read (b=0x4002bac8, out=0x40031070
> "\026\003\001\003\345\002", 
> outl=5) at bss_sock.c:191

By checking out bss_sock.c the "clear_socket_error()" macro is being used,
which effectively does a (see include/openssl/e_os.h) "errno=0".

On HP-UX (10.20) errno is an "extern int errno", as defined in .

The question now is, why a function "__errno()" is triggered at that point??

What is the reason for the coredump? Is it a segmentation fault or a
bus error? "file core" will tell you.

Core dumps with different backtraces might be caused by a corrupted
malloc structure (overwriting at the begin or the end of an malloc()ed
array). Have you ever tried to run you program with Efence enabled?
The point of failure can be very far from the actual bug in the program.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Stop the listserver!

[Jon Barber]

[EMAIL PROTECTED] wrote:

> Which macros are these? I received 30 mails also and didn't sent
> anything.
> I'm subscribed to other mailing lists and never had this problem. And today
> I've already had 4 copies of some mails.
>

Count yourself lucky.  On Sunday I got over 300 copies each of two emails sent
to the list.  This was over a 33Kbps dial up link.

Jon.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

"make test" hangs, when converting cert req into a self signed cert

[Gerd Schering]

Hi,

I´ve compiled openssl-0.9.5a with shared libs under linux (make linux-shared).
After installing the shared libs I ran "make test".
Most of the tests just seem to be o.k., but when it comes to the generation of
a self signed cert from a certificate request  generated by the test
suite, i.e.:
"convert the certificate request into a self signed certificate using 'x509' "
the whole process hangs - it´s still running, but nothing happens.

Any ideas?
Gerd
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]