RE: What should be freed when looping?

2000-11-06 Thread Ruud Rietveld



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Lutz Jaenicke
> Sent: Monday, November 06, 2000 16:00
> To: [EMAIL PROTECTED]
> Subject: Re: What should be freed when looping?
>
>  [some included mail deleted for brevity] 
>
> >   SSL_free (ssl);
> >   SSL_CTX_free (ctx);
> > 
> You can and should safely reuse a SSL_CTX object, so that you 
> don't need to
> reinitialize things like the certificate stuff.
> An SSL object can also be reused, you should however make sure to call
> SSL_clear() on it before reuse.
> I cannot give you numbers on the performance impact of SSL_new() or
> SSL_CTX_new(), respectively. Both functions do however call functions
> of the malloc() class quite often, so that memory fragmentation might
> occur. For this reason alone, I would already recommend you to reuse SSL
> and SSL_CTX objects.

But, if you reuse the SSL object by calling SSL_clear(), what should you do
to start reusing it? Just call SSL_set_fd() (or like) again?
I've looked into the manual pages, but there's nothing about this...

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: openssl install problem

2000-11-06 Thread David Schwartz


> Hi
>   sorry for the newbie question, but when I run make, I get the following:

Your build environment is corrupt. It's not OpenSSL's fault.

> /usr/include/bits/errno.h:25: linux/errno.h: No such file or directory

Seems like '/usr/include/bits/errno.h' refers to a 'linux/errno.h' file
that doesn't exist.

DS




PKCS1 block type error

2000-11-06 Thread duncan

I'm trying to get Courier IMAP's IMAP-over-SSL server running and it's
giving me this error when someone tries to connect with Netscape
Messenger:

Nov  3 22:45:32 gaigax couriertls: starttls: accept: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02

What does this mean?  Any ideas what would cause this?
I asked on the Courier list and all I could determine is that it is an
SSL error.  So I thought I'd ask here. I'm running OpenSSL 0.96.

Any help would be appreciated.
Duncan




RE: Blind signatures

2000-11-06 Thread Rene G. Eberhard


> I would like to know if there is an easy way of making blind signatures 
> with openssl.  I need a text string to be signed but I don't want the 
> server that is going to sign this text string to know it.

As much as I remember, using OpenSSL RSA methods you could create 
a blind signature scheme according to Chaum (1982). I never made a test
but there you only need the basic RSA methods and a random blinding 
factor.

Regards Rene

--
Rene G. Eberhard <[EMAIL PROTECTED]>, CEO
keyon
Herrenberg 35, CH-8640 Rapperswil, Switzerland
Phone +41 (0)55 220 71 63, Fax +41 (0)55 220 71 61
www.keyon.ch - applying security to your e-business

Get your WAP certificate for free: www.freecerts.com
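
An added example, not part of the original thread and not OpenSSL code: the Chaum-style RSA blind signature the reply above sketches, using only modular exponentiation and a random blinding factor. The key is a constructed demo key built from two publicly known Mersenne primes, unpadded SHA-256 is an assumption of this sketch, and all function names are hypothetical.

```python
"""Chaum-style RSA blind signature with textbook RSA operations (illustration only)."""
import hashlib
import math
import secrets

# Constructed demo key: both primes are publicly known Mersenne primes, so this
# key is trivially breakable. Real use needs a properly generated RSA key that
# is dedicated to blind signing, because the signer cannot see what it signs.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def digest_to_int(message):
    """Map the message to an integer below N (unpadded SHA-256, an assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def blind(message, n=N, e=E):
    """Requester: hide H(m) behind a random factor r. Returns (blinded, r)."""
    m = digest_to_int(message)
    while True:
        r = secrets.randbelow(n - 2) + 2   # 2 <= r <= n - 1
        if math.gcd(r, n) == 1:            # r must be invertible mod n
            break
    return (m * pow(r, e, n)) % n, r


def sign_blinded(blinded, n=N, d=D):
    """Signer: a raw RSA private-key operation on a value it cannot interpret."""
    if not 0 < blinded < n:
        raise ValueError("blinded value out of range")
    return pow(blinded, d, n)


def unblind(blind_sig, r, n=N):
    """Requester: (m * r^e)^d = m^d * r (mod n), so dividing by r leaves m^d."""
    return (blind_sig * pow(r, -1, n)) % n


def verify(message, signature, n=N, e=E):
    """Anyone: an ordinary RSA verification against the public key."""
    return pow(signature, e, n) == digest_to_int(message)


def demo():
    """Run the three-step exchange once and report what each party can check."""
    message = b"text string the signing server must not learn"
    blinded, r = blind(message)
    signature = unblind(sign_blinded(blinded), r)
    return {
        "signer_saw_digest": blinded == digest_to_int(message),
        "valid": verify(message, signature),
        "matches_direct_signature": signature == pow(digest_to_int(message), D, N),
        "other_message_valid": verify(b"a different string", signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The RSA blinding built into OpenSSL that the original question mentions is applied and removed by the signer itself as a timing-attack defence, so it does not hide the message from the signer.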




openssl-engine has some problem with profiling

2000-11-06 Thread Jihui Yang

Has anybody ever used profiling (CFLAGS=-pg) to analyze the amount of time 
spent in each routine in openssl? I tried it in openssl-engine-0.9.6. But 
the option -pg seemed to conflict with the option -fomit-frame-pointer, 
so I got rid of the latter. But when I tried to do a speed test (apps/openssl 
speed -engine cswift), it failed. The following is the error message:

can't use that engine
6653:error:25067066:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:157:
6653:error:25072066:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:230:
6653:error:26065068:engine routines:CSWIFT_INIT:DSO failure:hw_cswift.c:271:
6653:error:2607E06D:engine routines:ENGINE_SET_DEFAULT_TYPE:init failed:engine_lib.c:399:
error in speed

I'm using FreeBSD 4.1. I did add -DDSO_DLFCN -DHAVE_DLFCN_H when I did 
config, and there was no problem when I didn't use profiling. Only when I 
added -pg and got rid of -fomit-frame-pointer did this problem exist. Does 
anybody have such experience? Please give me some hint.



Thanks a lot,
Jennifer




0.9.6 for MacOS X Public Beta?

2000-11-06 Thread Ken Sayward

Suggestions for building the latest version of OpenSSL for MacOS X PB? Currently 
installed version is 0.95a (I think), but it doesn't have the includes and such that 
are needed to compile "cURL" with ssl support...

Help?

-KenS




Re: signed after/before encryption?

2000-11-06 Thread zhu qun-ying

I am sorry for my unclear questions.

In a scenario where the signature is stored in PKCS#7 format, which is encrypted
with the recipient's public key, while the data is encrypted with 3DES.

If the data are to be stored in encrypted form and only decrypted when in
use, does the verification of the encrypted data's signature have the same level
of security as the decrypted data's signature? The reason for this is that if
the data have been corrupted, there is no point in decrypting them.

-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6643
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



openssl install problem

2000-11-06 Thread Bryan Supak

Hi
  sorry for the newbie question, but when I run make, I get the following:

making all in crypto...
make[1]: Entering directory `/tmp/openssl-0.9.6/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
echo "  #define CFLAGS \"gcc -DTHREADS -D_REENTRANT -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall\""; \
echo "  #define PLATFORM \"linux-sparcv7\""; \
echo "  #define DATE \"`date`\""; \
echo "#endif" ) >buildinf.h
gcc -I. -I../include -DTHREADS -D_REENTRANT -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall   -c -o cryptlib.o cryptlib.c
In file included from /usr/include/errno.h:36,
 from ../include/openssl/err.h:90,
 from cryptlib.h:70,
 from cryptlib.c:61:
/usr/include/bits/errno.h:25: linux/errno.h: No such file or directory
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory `/tmp/openssl-0.9.6/crypto'
make: *** [all] Error 1

Can anyone point me in the right direction? I've tried doing a
./config -no-asm, but that didn't seem to work any better.

Thanks,

Bryan




Re: Self Signed Company CA Root --signs--> Project CA --signs-> Server and Client certs

2000-11-06 Thread Scott Goodwin

Mathew,

Sounds like certificate problems. I've set up the nsopenssl module for
AOLserver to do what you're trying to do, so I know that at least OpenSSL
0.9.5a works ok in this regard. I've taken the Dept of Defense root CA and
second level CA and made them available to the web server for verifying
client certificates. Then I used s_client with my client cert and key (and
the same two CA certs so s_client could verify the server cert) and made a
connection to the server. The verify depth was set to 3, but only 2 levels
were needed to verify. Both client and server verified fine. All certs were
in PEM format.

Although I haven't done this with Apache/mod_ssl, I have a few ideas about
what you might try.

First, make sure the CA certificates are in a directory of their own. I
don't think your server certificate should not be in the same directory as
the CA certificates.

Second, reverse the process: generate a server certificate from your root
CA/project CA certificates and have your Apache server use that certificate
for https connections. Make sure verify client is OFF. Then point 'openssl
s_client' to the root CA/project CA certificates and connect to your server.
If s_client verifies your server certificate, then you know that your root
CA/project CA certificates and the process you're using to generate
certificates is sound.


I notice in 4a & 4b below that you've set the ca file to either the root CA
or the project CA; both must be available to verify the chain, if memory
serves me correctly.

/s.





- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 06, 2000 1:43 PM
Subject: Self Signed Company CA Root --signs--> Project CA --signs-> Server
and Client certs


>
>
> I'm having a bitch of a time getting client verification to work.
>
> I've got the root CA cert, project CA cert, and server and client certs (keys
> with passphrase removed) all in pem encoded format.  I've done the following.
>
> 1. Created a new mod_ssl instance of apache
> 2. Set the server key and cert tags
> 3. Set verifyclient to 'require', left the verifydepth at 10 (I've tried playing
> with this.. seems to have _no_ effect)
> 4. Multiple scenarios here.
> a) set the ca file to the project CA cert (errors with something like 'failed to
> get local issuer')
> b) set the ca file to the root CA cert (some other error which basically said..
> can't verify the issuer)
> c) set the capath to a directory with the server, root ca, and project ca certs
> and ran make to build the hash symlinks
> d) set certificate chain to a file with project CA cert and root ca cert
> e) set ca file to a ca bundle I created with name, md5 fingerprint, cert, and
> text output of root CA and project CA.
>
> What works?
> If I turn off client verification I can hit the server with an https connection.
>
> I realize that I'm not including error messages, and that's cuz they all seem to
> be a little different.  I've tried connecting to all these scenarios using a p12
> version of the client cert which I generated using the client cert, key (with
> passphrase removed) and also using openssl s_client with cert and key parameters
> using the pem format cert/key (pass removed).
>
> Has anyone else attempted to do this multiple level CA thing and had success
> doing client cert verification?  Is there something I might have missed?
>
> Some various errors for a-e):
> "Certificate Verification: Error (26): unsupported certificate purpose"
> "Certificate Verification: Error (20): unable to get local issuer certificate"
>
> openssl 0.9.5a
> apache 1.3.12
>
> Matthew Lenz
>
>




Re: Self Signed Company CA Root --signs--> Project CA --signs->Server and Client certs

2000-11-06 Thread Dr S N Henson

[EMAIL PROTECTED] wrote:
> 
> I'm having a bitch of a time getting client verification to work.
> 
> I've got the root CA cert, project CA cert, and server and client certs (keys
> with passphrase removed) all in pem encoded format.  I've done the following.
> 
> 1. Created a new mod_ssl instance of apache
> 2. Set the server key and cert tags
> 3. Set verifyclient to 'require', left the verifydepth at 10 (I've tried playing
> with this.. seems to have _no_ effect)
> 4. Multiple scenarios here.
> a) set the ca file to the project CA cert (errors with something like 'failed to
> get local issuer')
> b) set the ca file to the root CA cert (some other error which basically said..
> can't verify the issuer)
> c) set the capath to a directory with the server, root ca, and project ca certs
> and ran make to build the hash symlinks
> d) set certificate chain to a file with project CA cert and root ca cert
> e) set ca file to a ca bundle I created with name, md5 fingerprint, cert, and
> text output of root CA and project CA.
> 
> What works?
> If I turn off client verification I can hit the server with an https connection.
> 
> I realize that I'm not including error messages, and that's cuz they all seem to
> be a little different.  I've tried connecting to all these scenarios using a p12
> version of the client cert which I generated using the client cert, key (with
> passphrase removed) and also using openssl s_client with cert and key parameters
> using the pem format cert/key (pass removed).
> 
> Has anyone else attempted to do this multiple level CA thing and had success
> doing client cert verification?  Is there something I might have missed?
> 
> Some various errors for a-e):
> "Certificate Verification: Error (26): unsupported certificate purpose"
> "Certificate Verification: Error (20): unable to get local issuer certificate"
> 

You don't say what you are using as a client. 

It looks like it's having problems verifying the client certificate
chain.

You mention root CA, project CA and server and client certificates. What
actually signs the client certificates, i.e. what is its chain?

Also the unsupported purpose error suggests that you've either hit the
OpenSSL 0.9.5a verification bug (which can cause server verify problems:
it's fixed in 0.9.6) or the chain is really invalid. Without seeing the
client certificate chain (text output) I can't decide which.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





Re: ostrich head in the sand... Please stop sending the virus!

2000-11-06 Thread Merton Campbell Crockett


On Mon, 6 Nov 2000, Paul Allen wrote:

> Erwann ABALEA wrote:
> > 
> > [...]
> > 
> > I thought that using Pine solved the problem of viruses... I was
> > wrong... Even the simple 'mailx' can be exploited... and I don't have any
> > multimedia extension to Pine... ;-)
> 
> I know this is drifting off-topic, but I'm curious.
> 
> Our corporate gateway apparently filtered this virus, since there's
> no trace of it in my inbox other than conversation about it.  What
> vulnerability did it exploit?  If you care to reply, perhaps edit
> the To: line to point to me instead of the list.

I deleted them along with a bunch from one of my customers.  As a result
my memory might be faulty.  I recall seeing variants of the following

W97M (Melissa)
VBS_LoveLetter
VBS_Columbia

All make use of the Microsoft Visual Basic Scripting engine present in
WindowsNT, Windows95, Windows98, and Windows2000.  They modify the Windows
Registry to enable the scripting engine if it is not already enabled and
create a process to be run each time the system is rebooted.  They insert
or replace files in the system directory.  They propagate using either a
Personal Address Book (PAB), the Global Address List (GAL), or both.

Depending upon which one is involved the damage is deletion of executable
images or replacement with a copy of the virus/worm.  Deletion of all GIF,
JPG, BMP, etc. graphic images and creation of some "image" files that are
nothing more than the virus/worm payload.  Usually there is also an
insertion of a contaminated HTML object in your browser history and
favorites lists.

Although they take advantage of "features" in Microsoft's Outlook and
Outlook Express, they make use of security holes and backdoors left in
Windows for Microsoft's Office Suite.  So as was pointed out above you are
not that much more resistant to infection if you use a third party MUA,
particularly, if you "integrate" it into your Windows environment.

The only way to avoid the problem is to use Linux, MacOS, Unix, VMS, etc.
system to read and exchange mail.

Merton Campbell Crockett
General Dynamics Electronic Systems
Intelligence Systems
Network & IT Engineering




Re: ostrich head in the sand... Please stop sending the virus!

2000-11-06 Thread Paul Allen

Erwann ABALEA wrote:
> 
> [...]
> 
> I thought that using Pine solved the problem of viruses... I was
> wrong... Even the simple 'mailx' can be exploited... and I don't have any
> multimedia extension to Pine... ;-)

I know this is drifting off-topic, but I'm curious.

Our corporate gateway apparently filtered this virus, since there's
no trace of it in my inbox other than conversation about it.  What
vulnerability did it exploit?  If you care to reply, perhaps edit
the To: line to point to me instead of the list.

Thanks!

Paul Allen

-- 
Paul L. Allen   | voice: (425) 865-3297  fax: (425) 865-2964
Unix Technical Support  | [EMAIL PROTECTED]
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207



SSL Session caching

2000-11-06 Thread Brian Koref

Was wondering if anyone had documentation on how to configure session
caching and /or SSL Batching.  I've seen reference to a session.doc, but
have been unable to find it.  Thanks





Newbie question: How do you share parameters (IV, padding scheme) with other non-ssl clients?

2000-11-06 Thread Edh

I'm trying to write a package that links to the OpenSSL libs on the C side
and communicates with another server that will be running Java's JCE. I can
get the two to talk using DES ECB (and I expect Triple DES, but haven't
tried that yet.) This is because both sides internally agree to use PKCS5
padding. 

But for DES CBC or others that want an IV, I'm not sure how to communicate
the IV (or another padding scheme). Both sides use a binary shared key. I
considered encoding it into the head of the transmission, sort of like the
way the base64 salt is prepended to Unix passwords. But this is problematic.


But I've read some stuff that indicates that some sort of this scheme exists
already. It's not in the KeyAgreement stuff, which seems to want to open a
socket based path between the two end points. This won't work in our case. I
just need the entire ciphertext to be interpreted correctly by my libs on
the other end.


Can anyone help? Are there existing protocols for this sort of thing?

Thanks

Ed

Ed Howland
Director, Unix Development
StreamSearch.com
(314) 746-1827
(314) 406-6836 (mobile)



Sorry... PKCS5 cert chain question

2000-11-06 Thread Aaron Jackson

Sorry about the last message it was user error on my part.  Please
disregard the previous message, as it was incomplete.  This is the
finished version...

I'm trying to get a handle on what needs to be done to get a commercial
product I just started administrating to provide ssl access to three
different services.  Below is an edited quote from the operations guide:

The name of a file containing a PKCS 5 password-encrypted, formatted
private key, followed by DER formatted certificates defining the private
key and certificate chain for the servers. The last certificate in the
file is the root certificate. "_Begin" and "_End" PEM syntax
delimits the encrypted private key and certificates.

I have already looked at the openssl man page and through the mailing
list archive and even the RSA crypto faq, but I couldn't find answers to
the following questions.  It seems that when generating a private key
pkcs#10 is used.  I don't see any mention of pkcs#5.  How would I go
about generating a pkcs#5 private key?  And finally, I have only
limited experience with openssl and personal servers so my next
question is what is meant by "certificate chain" and how does one
create the chain?  Thanks in advance for any information.

Aaron



PKCS5 cert chain question

2000-11-06 Thread Aaron Jackson

I'm trying to get a handle on what needs to be done to get a commercial
product I just started administrating to provide ssl access to three
different services.  Below is an edited quote from the operations guide:

The name of a file containing a PKCS 5 password-encrypted, formatted
private key, followed by DER formatted certificates defining the private
key and certificate chain for the servers. The last certificate in the
file is the root certificate. "_Begin" and "_End" PEM syntax
delimits the encrypted private key and certificates.

I have already looked at the openssl man page and through the mailing
list archive and even the RSA crypto faq.  Thus far I've



Self Signed Company CA Root --signs--> Project CA --signs-> Server and Client certs

2000-11-06 Thread Matthew_Lenz



I'm having a bitch of a time getting client verification to work.

I've got the root CA cert, project CA cert, and server and client certs (keys
with passphrase removed) all in pem encoded format.  I've done the following.

1. Created a new mod_ssl instance of apache
2. Set the server key and cert tags
3. Set verifyclient to 'require', left the verifydepth at 10 (I've tried playing
with this.. seems to have _no_ effect)
4. Multiple scenarios here.
a) set the ca file to the project CA cert (errors with something like 'failed to
get local issuer')
b) set the ca file to the root CA cert (some other error which basically said..
can't verify the issuer)
c) set the capath to a directory with the server, root ca, and project ca certs
and ran make to build the hash symlinks
d) set certificate chain to a file with project CA cert and root ca cert
e) set ca file to a ca bundle I created with name, md5 fingerprint, cert, and
text output of root CA and project CA.

What works?
If I turn off client verification I can hit the server with an https connection.

I realize that I'm not including error messages, and that's cuz they all seem to
be a little different.  I've tried connecting to all these scenarios using a p12
version of the client cert which I generated using the client cert, key (with
passphrase removed) and also using openssl s_client with cert and key parameters
using the pem format cert/key (pass removed).

Has anyone else attempted to do this multiple level CA thing and had success
doing client cert verification?  Is there something I might have missed?

Some various errors for a-e):
"Certificate Verification: Error (26): unsupported certificate purpose"
"Certificate Verification: Error (20): unable to get local issuer certificate"

openssl 0.9.5a
apache 1.3.12

Matthew Lenz





RE: HELP !

2000-11-06 Thread Zandi Patrick S TSgt AFRL/IFOSS

I am resending this message :::

> Hello, I am receiving the following error with openssl 0.9.6.. 
> -
> ./openssl genrsa -des3 -out server.key 1024   
> warning, not much extra random data, consider using the -rand option
> Generating RSA private key, 1024 bit long modulus
> 12754:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
> seeded:md_rand.c:474:You need to read the OpenSSL FAQ,
> http://www.openssl.org/support/faq.html
> 12754:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
> --
> I went to the web site, but I do not understand what the issue is.. I
> patched the solaris 2.6 server...
> But I still get the error.. can I get Idiot Proof instructions .. I do not
> know what to do ..
> the make ran, the make test ran, and the make ran fine.. 
> now I get some unseeded issue ?? what is that?
> 
> 
> Customer Support Program Manager/Remedy Development Manager
> [Zandi Patrick S TSgt AFRL/IFOSS]
> WP 315-330-3911 Fax 315-330-3314 
> Air Force Rome Research Laboratory, 525 Brooks Ave Rome NY, 13440,
> Way to Go Remedy



excuse me !!!!!

2000-11-06 Thread Gianluca Russo



I'm sorry!
I apologize for the virus I sent to the community. I'm a victim too.
Excuse me!
Gianluca


RE: Crypt::SSLeay mmap failed

2000-11-06 Thread Thykattil, Joe

Joshua,

Thank you for the response.  

The LD_LIBRARY_PATH had been set fine.  

What I did was download the full release of openssl and use gcc instead.  

There also seems to be an issue with the patch-level of the OS for Solaris
2.6.  It works on a machine with kernel level 105181-23, but not on one
105181-08.  I set the user/envs/perl/gcc/openssl exactly the same across
both machines.  One worked and the other one did not...of course I could be
completely off
Thanks,

Joe


-Original Message-
From: Joshua Chamas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 02, 2000 7:54 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Crypt::SSLeay mmap failed


"Thykattil, Joe" wrote:
> 
> Hello,
> 
> Having trouble compiling/testing the CRYPT Perl module Crypt-SSLeay-0.17
> with openssl-0.9.6-beta2.  The compile, test and install on the openssl went
> fine.  The compile of the SSLeay module had the following ran fine.  The
> test of the SSLeay module encountered the following error:
> 
> Any suggestions would be greatly appreciated.
> Thanks,
> 

That was pretty bad... I haven't seen this kind of error before,
though I saw you had perl5. which is good, but that you
are using Sun's cc compiler, which is generally bad.  Lots of
times, if you just use gcc to compile your stuff, especially,
perl, things just work, so your compiler might be the problem.

Here's the error that particularly struck me...

t/ssl_context...Can't load 'blib/arch/auto/Crypt/SSLeay/SSLeay.so' for
module Crypt::SSLeay: ld.so.1: /home/rmiller/bin/perl: fatal:
blib/arch/auto/Crypt/SSLeay/SSLeay.so: mmap failed: No such device at
/home/rmiller/lib/perl5/sun4-solaris/DynaLoader.pm line 169.

You are on Solaris/SunOS?, there's a chance that your LD_LIBRARY_PATH
is not set to include your openssl libs?  Try that too.

-- Joshua



Re: What should be freed when looping?

2000-11-06 Thread Stephane Bortzmeyer

On Monday 6 November 2000, at 10 h 3, the keyboard of Tom Biggs 
<[EMAIL PROTECTED]> wrote:
 
> Did you check the "documentation" section of the
> website listed below in the maillist signature?

It's just the list of the prototypes of the functions... Without any semantic 
information.






Re: What should be freed when looping?

2000-11-06 Thread Tom Biggs

At 03:50 PM 11/6/00 +0100, Stephane wrote:

>  Since
>there is apparently no documentation of the API (if I'm wrong, I pay a beer
>for any pointer to actual documentation),

Did you check the "documentation" section of the
website listed below in the maillist signature?

>__
>OpenSSL Project http://www.openssl.org

It's mostly 'man pages' and may not answer your
question, but it's a start...




Tom Biggs
'89 FJ1200 DoD #1146

"The whole aim of practical politics is to keep the populace alarmed -
and hence clamorous to be led to safety - by menacing it with an endless
series of hobgoblins, all of them imaginary."  -- H.L. Mencken





Re: What should be freed when looping?

2000-11-06 Thread Lutz Jaenicke

On Mon, Nov 06, 2000 at 03:50:02PM +0100, Stephane Bortzmeyer wrote:
> I have a program (whose purpose is to test and benchmark Web servers) which 
> can loop over a given server. During the loop, what should I close/free? Since 
> there is apparently no documentation of the API (if I'm wrong, I pay a beer 
> for any pointer to actual documentation), I wonder if I should:

New manual pages are added over time. Please get a latest snapshot or access
the online documentation on www.openssl.org; there are links at the bottom
of the ssl(3) manual page...

>   SSL_free (ssl);
>   SSL_CTX_free (ctx);
> 
> at every iteration or not? May I safely reuse contexts?
You can and should safely reuse a SSL_CTX object, so that you don't need to
reinitialize things like the certificate stuff.
An SSL object can also be reused, you should however make sure to call
SSL_clear() on it before reuse.
I cannot give you numbers on the performance impact of SSL_new() or
SSL_CTX_new(), respectively. Both functions do however call functions
of the malloc() class quite often, so that memory fragmentation might
occur. For this reason alone, I would already recommend you to reuse SSL
and SSL_CTX objects.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Blind signatures

2000-11-06 Thread Luis Moraga

I would like to know if there is an easy way of making blind signatures 
with openssl.  I need a text string to be signed but I don't want the 
server that is going to sign this text string to know it.

Openssl uses blinding in RSA but it is used to avoid timing attacks.

Thanks in advance.




InterScan NT Alert

2000-11-06 Thread davide

Receiver, InterScan has detected virus(es) in the e-mail attachment.

Date:   Mon, 06 Nov 2000 10:37:02 +0100 (W. Europe Standard Time)
Method: Mail
From:   <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
File:   Very Funny.vbs
Action: clean failed - deleted
Virus:  VBS_LOVELETTER-O 



Antigen found =*.vbs file

2000-11-06 Thread ANTIGEN_EMAIL

Antigen for Exchange found Very Funny.vbs matching =*.vbs file filter.
The file is currently Deleted.  The message, "fwd: Joke", was
sent from Gianluca Russo  and was discovered in IMC Queues\Inbound
located at UAlbany/ADM/EMAIL.



Computer Virus

2000-11-06 Thread Mailer-Daemon

Attention, the mail you sent contains either
a computer virus or at least one attached file of the type
BAT, CHM, CMD, COM, CPL, EXE, HLP, INF, INS, ISP, JAR, JS, JSE, LNK, MDB, MDE,
MSC, MSI, MSP, MST, OCX, PIF, PL, REG, SCR, SCT, SHB, SHS, VB, VBE, VBS, WSC,
WSF, WSH
and was therefore not forwarded to the recipient.

If you want to send files of the types listed, you can
transfer them inside a ZIP or TAR file that you attach
to your mail.

Attention, your mail contains either a computer virus or one of
the following attachment types:
BAT, CHM, CMD, COM, CPL, EXE, HLP, INF, INS, ISP, JAR, JS, JSE, LNK, MDB, MDE,
MSC, MSI, MSP, MST, OCX, PIF, PL, REG, SCR, SCT, SHB, SHS, VB, VBE, VBS, WSC,
WSF, WSH.
These types are not delivered to the final recipients. If you want
to send one of these types, please encode them as ZIP or TAR files.

[EMAIL PROTECTED]

- Unsent message follows -



- Message body suppressed -



ALERT: VIRUS DETECTED IN A MESSAGE SENT BY owner-openssl-users@openssl.org

2000-11-06 Thread root


 V I R U S   A L E R T


  Our anti-virus system has detected a virus in an 
  email sent by  "Gianluca Russo" <[EMAIL PROTECTED]>.

We have stopped the delivery of this email.

  We invite you to contact  "Gianluca Russo" <[EMAIL PROTECTED]>
  to solve the problem.





WARNING. You sent a potential virus or unauthorised code

2000-11-06 Thread support

The MessageLabs Virus Control Centre discovered a possible 
virus or unauthorised code (such as a joke program or trojan)
in an email sent by you. 

Please read this whole email carefully. It explains what has 
happened to your email, which suspected virus has been caught, 
and what to do if you need help.



Some details about the infected message


To help identify the email:

The message was titled 'fwd: Joke'
The message date was Mon, 6 Nov 2000 10:33:18 -
The message identifier was <[EMAIL PROTECTED]>
The message recipients were 
[EMAIL PROTECTED]


To help identify the virus:

Scanner 1 (F-Secure) reported the following:

F-Secure Anti-Virus for i386-linux Release 4.08 build 2260
sign.def version 2000-11-02
fsmacro.def version 2000-11-01
sign2.def version 2000-11-02

114487_2MA-OCTET-STREAM_Very_Funny.vbs  infection: VBS/LoveLetter.gen

   1 files scanned
   1 infections found


The message was diverted into the virus holding pen on
mail server server-26.tower-1.london-2.starlabs.net (id 114487_973503129)
and will be held for 30 days before being destroyed.



What should you do now?


If you sent the email from a corporate network, you should first 
contact your local Helpdesk or System Administrator for advice. 
They will be able to help you disinfect your workstation.

If you sent the email from a personal or home account, you will 
need to disinfect your computer yourself. To do this you will 
need an anti-virus program. We suggest using one of the leading 
industry anti-virus packages such as McAfee, F-Secure or Cybersoft, 
which cost £15-£30 per copy. 
 


Getting more help


You may like to read the Support FAQs at 
http://www.messagelabs.com/support/FAQs.htm 
These will answer many of the most common queries. 

If you believe this message to be a false alarm or you require 
further assistance, you can email MessageLabs Support at:-

[EMAIL PROTECTED]

or contact MessageLabs Helpdesk by telephone on:-

   +44 (0) 1285 884466

Please quote the following Virus Pen ID when contacting Support.
<<< mail server server-26.tower-1.london-2.starlabs.net (id 114487_973503129) >>>


_
This message has been checked for all known viruses by the 
MessageLabs Virus Control Centre. For further information visit
http://www.messagelabs.com/stats.asp




Re: fwd: Joke

2000-11-06 Thread Olivier Dumas


Beware !!!
This file is infected with the VBS.LoveLetter virus !!!

Regards,
Olivier




RE: Joke

2000-11-06 Thread Thomas Bätzler

FYI:

> **  InterScan Message (on rhein)
> 
> Found virus VBS_LOVELETTER-O in file Very Funny.vbs
> The uncleanable file is deleted.
> 
> *



fwd: Joke

2000-11-06 Thread Gianluca Russo



 Very Funny.vbs


signed after/before encryption?

2000-11-06 Thread zhu qun-ying

While normally the original data before encryption gets signed, what is the
effect of signing the encrypted data? In this form, the verification can take
place without decrypting the data. Any pros and cons of this method?

Thanks
-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6643
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]