error:wrong version number

2001-02-05 Thread Jorge Olmos

Hello,
I want to communicate a server I've developed over openssl with a
non-ssl client through a stunnel.

First, I have tried to communicate using: s_server -secure-
stunnel -plain-text- telnet
$ openssl s_server -accept 4567 -cert my_cert.pem -key my_key.pem
as server, and
telnet myhost 5000
as a client through stunnel 3.11 (I've tried over openssl 0.9.6/win and
0.9.5a/solaris). The command line is
$ stunnel -f -r myhost:4567 -d 5000 -p my_certANDkey.pem

It works fine most of time, but sometimes I get errors like this from
stunnel:
LOG5[727:4]: myhost.4567 connected from 127.0.0.1:32862
LOG3[727:4]: SSL_read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number
LOG5[727:4]: Connection reset: 13 bytes sent to SSL, 0 bytes sent to
socket

which closes the connection.
What does this error mean? How can I help it?

--

Jorge Olmos Fors
SGI Soluciones Globales Internet [http://www.sgi.es] GMV Sistemas S.A.
Sector Foresta 1, 2 planta
28760 Tres Cantos, Madrid, España.
E-mail: [EMAIL PROTECTED]

PGP keyId: 0xCB290369 Searchable at certserver.pgp.com


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: trying to understand handshake in s23_srvr.c

2001-02-05 Thread Richard Levitte - VMS Whacker

From: [EMAIL PROTECTED]

terr  So I put some debugging code in and found out that the server
terr  is receiving the following request:
terr  
terr  GET / HTTP/
terr  
terr  This is in the buffer (char *)p
terr  
terr  I am under the impression that this is correct.  

That is not correct.  A correct string would be:

GET / HTTP/1.0

You might want to read RFC2616 to know more about HTTP.

Anyhow, the message:

error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

means that a (non-encrypted) message has been sent where SSL was
expected.  In other words, someone has tried to access the following:

http://whatever:443/

instead of

https://whatever:443/

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Re: trying to understand handshake in s23_srvr.c

2001-02-05 Thread Richard Levitte - VMS Whacker

From: [EMAIL PROTECTED]

Oh, and now I realised some bloody fsck moronic software is replaying
messages.  The message I just answered to has the following headers.
rly-mx1.maxis.net.my seems to be at fault:

Received: from ossp.org ([EMAIL PROTECTED] [62.208.181.50])
by brev.stacken.kth.se (8.9.3/8.9.3) with ESMTP id LAA00084
for [EMAIL PROTECTED]; Mon, 5 Feb 2001 11:36:52 +0100 (MET)
Received: by mail.ossp.org (Sendmail 8.11.0+/smtpfeed 1.07) for openssl-users-L2
id f15AYLT12727; Mon, 5 Feb 2001 11:34:21 +0100 (CET)
Received: by mail.ossp.org (Sendmail 8.11.0+) via ESMTP for [EMAIL PROTECTED]
from opensource.ee.ethz.ch id f15AXfj12724; Mon, 5 Feb 2001 11:33:41 +0100 
(CET)
Received: by en5.engelschall.com (Sendmail 8.9.2/smtpfeed 1.06) for openssl-users-L
id LAA01845; Mon, 5 Feb 2001 11:33:27 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for 
[EMAIL PROTECTED]
from rly-mx1.maxis.net.my id LAA01828; Mon, 5 Feb 2001 11:33:19 +0100 (MET)
Received: from mail pickup service by rly-mx1.maxis.net.my with Microsoft SMTPSVC;
 Mon, 5 Feb 2001 18:32:07 +0800
Received: from mail pickup service by rly-mx1.maxis.net.my with Microsoft SMTPSVC;
 Mon, 5 Feb 2001 11:11:14 +0800
Received: from rly-mx1.maxis.net.my ([202.75.130.117]) by rly-mx1.maxis.net.my  with 
Microsoft SMTPSVC(5.5.1877.467.46);
 Sun, 4 Feb 2001 10:14:21 +0800
Received: from ossp.org (ossp1.ossp.org [62.208.181.50]) by rly-mx1.maxis.net.my with 
SMTP (MailShield v2.0 - WIN32 Oct 17 2000 11:47:19); Sun, 04 Feb 2001 10:14:20 +0800
Received: by mail.ossp.org (Sendmail 8.11.0+/smtpfeed 1.07) for openssl-users-L2
id f142BhD32658; Sun, 4 Feb 2001 03:11:43 +0100 (CET)
[...]

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Re: random state, openssl.cnf and RAND_edg(/var/run/egd-pool)

2001-02-05 Thread Lutz Jaenicke

On Sat, Feb 03, 2001 at 12:06:14PM +0100, Lutz Jaenicke wrote:
 On Sat, Feb 03, 2001 at 09:47:35AM +0100, Richard Levitte - VMS Whacker wrote:
  Lutz.Jaenicke 2. If nobody has an argument against it, I will change
  Lutz.Jaenicke this for 0.9.7 and 0.9.6a tomorrow.
  
  I suggest that unless you know 100% that the fix will work everywhere,
  you leave 0.9.6a alone until you know.  0.9.6a is not supposed to be
  "replace a bug with another bug" :-).
 
 Hmm, that's true of course. We have already been sure for 100% before
 we encountered the Unixware problem, so speaking of 100% would be pretty
 thin ice :-)
 Anyway, I have just checked in the change discussed yesterday that helped
 for John Hughes, as I give it 100% :-) I will then take my time for the
 other change.

Continuing discussion of the problem:

"Boyd Lynn Gerber" [EMAIL PROTECTED] in the meantime arranged for an
account for me on his system so that I could investigate this issue.
(The system is identified as Unixware-7.)
1. When disabling threads in the Configure phase of OpenSSL, the connection
   to the entropy daemon is opened fine.
2. When supporting threads (the default for unixware-7), the 'connect()'
   system call comes back with EINTR. When calling connect() in a loop,
   it then returns with EISCONN, because it already seems to be connected.
   I have now patched rand_egd.c (0.9.6a-dev) to perform the following loop,
   which is working out fine for unixware-7 with threading (please ignore
   the fprintf-debugging at the end :-):

Index: rand_egd.c
===
RCS file: /e/openssl/cvs/openssl/crypto/rand/rand_egd.c,v
retrieving revision 1.10
diff -u -r1.10 rand_egd.c
--- rand_egd.c  2000/06/28 16:47:45 1.10
+++ rand_egd.c  2001/02/05 13:37:32
@@ -76,6 +76,8 @@
 #include sys/socket.h
 #include sys/un.h
 #include string.h
+#include stdio.h
+#include errno.h
 
 #ifndef offsetof
 #  define offsetof(TYPE, MEMBER) ((size_t) ((TYPE *)0)-MEMBER)
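Review bot: the new `#include stdio.h` in this hunk only serves the debugging `fprintf` added under `err:` further down, which the post itself says to ignore; drop both together before this goes in, so libcrypto does not gain a stdio dependency for a diagnostic. `errno.h` is needed for the EINTR/EISCONN tests and should stay.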
@@ -97,7 +99,11 @@
len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd == -1) return (-1);
-   if (connect(fd, (struct sockaddr *)addr, len) == -1) goto err;
+   do {
+ ret=connect(fd, (struct sockaddr *)addr, len)
+   } while ((ret  0)  (errno == EINTR));
+   if ((ret  0)  (errno != EISCONN))
+  goto err;
buf[0] = 1;
buf[1] = 255;
write(fd, buf, 2);
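Review bot: the added line `ret=connect(fd, (struct sockaddr *)addr, len)` inside the do/while has no terminating semicolon, so the hunk as posted does not compile; also, in this archived copy the comparison and logical operators of `((ret  0)  (errno == EINTR))` and `((ret  0)  (errno != EISCONN))` have been stripped, presumably `ret < 0` and `&&`. The logic itself (retry while EINTR, then accept EISCONN because an interrupted connect() on a blocking socket keeps completing in the background) matches what POSIX specifies for this case; the remaining gap is that a retried connect() may also report EALREADY while the connection is still in progress, which this test still sends to `goto err`, so consider treating EALREADY like EINTR (retry) or waiting for writability with select() before giving up.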
@@ -109,6 +115,8 @@
if (RAND_status() == 1)
ret = num;
  err:
+   if (ret  0)
+ fprintf(stderr, "errno = %d\n", errno);
if (fd != -1) close(fd);
return(ret);
}
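Review bot: the `fprintf(stderr, "errno = %d\n", errno)` under `err:` is library code writing to the process's stderr, which a caller of RAND_egd() can neither suppress nor capture; remove it (together with the stdio.h include) before committing, as the post already intends, or record errno through the ERR_ queue (ERR_add_error_data()) if the value is worth keeping. Note also that by the time control reaches `err:` errno may no longer be connect()'s: the write() and read paths between the loop and the label can overwrite it, so the printed value is only reliable on the direct `goto err` from the connect check.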

Would it make sense to include this into the openssl source as a standard
solution? Even more: are there better ideas available?

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: Fw: How to add Key usage attribute...

2001-02-05 Thread Dr S N Henson

chandu wrote:
 
 Hi all,
 
 I have a question regarding the adding of the Key usage attribute to the
 PKCS10 certificate request.  I tried using the following code..
 
 ikeyUsageAttr  =  X509v3_KU_DIGITAL_SIGNATURE;
 
   iRetVal = X509_REQ_add1_attr_by_NID(preq, NID_key_usage,V_ASN1_INTEGER,
 (ikeyUsageAttr), 4);
 
 When I try to print the request using X509_REQ_print, it is not printing the
 key usage attribute.  It is giving
 "Unable to print the value of the attribute"
 
 In X509_REQ_print ( ) function , there is no option to print the value of
 attribute of  either type V_ASN1_INTEGER  or  V_ASN1_BIT_STRING
 
 My question is whether I am following the correct way to add the Key usage
 attribute..  If not what is the correct way to add it.  If  Yes  What is the
 way to check and print the value of the key usage attribute...
 

No, that isn't the way to add extensions to a certificate request.
Currently this is a bit awkward. There are several ways to do this, for
example:

#include <openssl/x509.h>
#include <openssl/x509v3.h>

STACK_OF(X509_EXTENSION) *extensions;
X509_EXTENSION *ku_ext;

extensions = sk_X509_EXTENSION_new_null();

/* Build keyUsage from its textual form; this produces the BIT STRING
 * encoding the extension requires, not an INTEGER. */
ku_ext = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage,
"digitalSignature");
if (ku_ext == NULL) {
	/* unknown usage name or out of memory: see the ERR_ queue */
}

sk_X509_EXTENSION_push(extensions, ku_ext);

/* Maybe add other extensions here ...*/

/* Wraps the whole stack in the request's extensionRequest attribute. */
X509_REQ_add_extensions(preq, extensions);

/* The request keeps its own copy, so the stack can be freed. */
sk_X509_EXTENSION_pop_free(extensions, X509_EXTENSION_free);

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
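The asker's X509_REQ_add1_attr_by_NID call stores the flag as a bare ASN.1 INTEGER, whereas keyUsage is a named BIT STRING wrapped in an Extension and carried inside the extensionRequest attribute, which is what X509_REQ_add_extensions produces. The following is an added example (mine, not the poster's or OpenSSL's code) that encodes and decodes that BIT STRING and the enclosing Extension in pure Python, so the two encodings can be compared byte for byte; the INTEGER helper exists only for that contrast.

```python
"""DER encoding of the X.509 keyUsage extension value.

Added example, not OpenSSL code.  It reproduces what
X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, "digitalSignature") puts on
the wire (a named BIT STRING inside an Extension) and, for contrast, the bare
INTEGER that the question's V_ASN1_INTEGER attribute would carry.
"""

# Bit positions from RFC 5280, in the same order as OpenSSL's X509v3_KU_* flags.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
OID_KEY_USAGE = b"\x55\x1d\x0f"          # id-ce-keyUsage, 2.5.29.15, DER body
TAG_BOOLEAN, TAG_INTEGER, TAG_BIT_STRING = 0x01, 0x02, 0x03
TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x04, 0x06, 0x30


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(n):
    """Non-negative INTEGER; a leading 0x00 keeps the high bit from reading as sign."""
    return der_tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_key_usage(names):
    """DER BIT STRING for a list of keyUsage names.

    Named-bit DER rule: trailing zero bits are not encoded, so the value is
    only as long as the highest set bit requires, and the first content octet
    counts the unused bits of the last octet.  digitalSignature alone is
    therefore 03 02 07 80.
    """
    bits = sorted(KEY_USAGE_BITS[n] for n in names)   # KeyError on unknown name
    if not bits:
        return der_tlv(TAG_BIT_STRING, b"\x00")
    highest = bits[-1]
    value = bytearray(highest // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = len(value) * 8 - (highest + 1)
    return der_tlv(TAG_BIT_STRING, bytes([unused]) + bytes(value))


def decode_key_usage(der):
    """Inverse of encode_key_usage; returns the names in bit order."""
    if len(der) < 3 or der[0] != TAG_BIT_STRING or der[1] >= 0x80:
        raise ValueError("not a short-form BIT STRING")
    content = der[2:2 + der[1]]
    if len(content) != der[1]:
        raise ValueError("truncated BIT STRING")
    unused, body = content[0], content[1:]
    total_bits = len(body) * 8 - unused
    return [name for name, pos in sorted(KEY_USAGE_BITS.items(), key=lambda kv: kv[1])
            if pos < total_bits and body[pos // 8] & (0x80 >> (pos % 8))]


def encode_key_usage_extension(names, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING } with the BIT STRING as the OCTET STRING body."""
    content = der_tlv(TAG_OID, OID_KEY_USAGE)
    if critical:
        content += der_tlv(TAG_BOOLEAN, b"\xff")
    content += der_tlv(TAG_OCTET_STRING, encode_key_usage(names))
    return der_tlv(TAG_SEQUENCE, content)


if __name__ == "__main__":
    ext = encode_key_usage_extension(["digitalSignature"])
    print("keyUsage extension:", ext.hex())
    # X509v3_KU_DIGITAL_SIGNATURE is 0x0080; as an INTEGER attribute it is just 128.
    print("bare INTEGER 0x80:", der_integer(0x80).hex())
```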




Re: Man in the middle attacks

2001-02-05 Thread Michael T. Babcock

Greg Stark wrote:

 The attack you are referring to is defeated by the client checking the
 identity that is contained in the certificate. I do not know why you are so
 sure that this checking is not normally done. IE and Netscape Nav. do it,
 for example [...]

IE 5.x does not, by default, check to see if the server or signer certificate
is revoked.  These must be turned on in the advanced options.  This is a real
problem because it means an attacker can break into a web site, steal their
certificates and do what they wish to do without the certificate owner being able
to do anything about it because they can't revoke their certificates in a
meaningful way.

--
Michael T. Babcock (PGP: 0xBE6C1895)
http://www.fibrespeed.net/~mbabcock/






Re: Man in the middle attacks

2001-02-05 Thread Michael H. Warfield

On Mon, Feb 05, 2001 at 09:12:42AM -0500, Michael T. Babcock wrote:
 Greg Stark wrote:

  The attack you are referring to is defeated by the client checking the
  identity that is contained in the certificate. I do not know why you are so
  sure that this checking is not normally done. IE and Netscape Nav. do it,
  for example [...]

 IE 5.x does not, by default, check to see if the server or signer certificate
 is revoked.  These must be turned on in the advanced options.  This is a real
 problem because it means an attacker can break into a web site, steal their
 certificates and  do what they wish to do without the certificate owner able to
 do anything about it because they can't revoke their certificates in a
 meaningful way.

That should be an exceptionally rare circumstance and, presuming
the secret key is passphrase protected (all of ours are), still requires
that the attacker steal the passphrase as well as the secret key.  The
certificates are useless without those.  The secret key should be tougher
to steal (root access on the box or maybe stored in a smart card where
it can be used but not read).  The passphrase is normally only entered
when the server is started.

Alternatives...  You could try to steal the key out of memory
(where it is no longer protected) but you have to find it first, or
you could trojan the box to sniff the passphrase and then force the
server to restart.  An advanced cracker/intruder could do it...  But
he's probably got better/easier things to do.

Gee...  If you have reached that level of authority on the box,
why bother with a man in the middle attack at all?   You have the end
point.  Game over!  Drop in a root kit, hide yourself real well, and
really do some REAL damage, no MITM required!  You got that level of
authority, trojan the web server!  That's a hell of a lot easier and
yields a much better return than attempting very iffy MITM attacks.
That could even defeat the cases where you can NOT obtain the secret
key (smart cards).

The threat you describe is not a realistic threat since once
an individual can achieve your base requirements (level of authority
capable of stealing certificates, secret keys, and passphrases) he
already has done far more damage to you and is capable of continuing
to do far more damage to you on your own box than he could with those
purloined keys and certs.

Not that it should be totally dismissed, mind you.  PKI is
intended to provide support for revocation lists and such and what
you describe is a limitation in the application implementation, not
a limitation in the SSL protocol.  The information (just like CN and
the start and end dates) is there (well, you have to access a CRL to
check for revocation).  It's up to the end point application to check
it and what to do with it when it fails.

So...  In the end, what you describe is not an SSL problem but
an application problem.  Just like Kurt Seifert's paper describes MITM
attacks that depend on user stupidity (ignoring warnings about CN not
matching or expired or unknown CA).

The cryptography and the protocols are fine.  It's what we do
with them as end users.  As Bruce Schneier likes to say "If you believe
that cryptography can solve your problem, you don't understand your
problem and you don't understand cryptography."


Mike
-- 
 Michael H. Warfield|  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)  |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9  |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471|  possible worlds.  A pessimist is sure of it!




MITM Paper....

2001-02-05 Thread Gil Peeters

 "Just like Kurt Seifert's paper describes 
  MITM attacks that depend on user stupidity 
  (ignoring warnings about CN not matching 
  or expired or unknown CA)."

Would anyone have a reference to this paper??

This is a point I have been trying to make to some "security" people where
I am currently contracting. 

G.

-- 

Gil Peeters
BVBA CANCAS I.T.
Willemsstraat 2
3000 Leuven 
Belgium

JAVA and Distributed Object Specialists




Re: error:wrong version number

2001-02-05 Thread Pablo J. Royo

Hola Jorge:

Although I don't know how this could happen with stunnel or your server, I've
had similar errors when a client which doesn't speak SSL talks with an SSL
server which expects SSL.
This can also happen, I think, when there is an SSLv23/v3 mismatch between
client and server, so perhaps you should try the -ssl3/-ssl23 options in the
s_server command.

Hope this helps

Pablo J. Royo

-Original Message-
From: Jorge Olmos [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, 5 February 2001 12:18
Subject: error:wrong version number




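Two of the OpenSSL errors quoted on this page, stunnel's "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" in this thread and "error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request" in the s23_srvr.c thread above, can be triaged from the packed error code and from the first bytes the peer sent, which is how a defender tells a non-SSL client reaching the SSL side (Pablo's first explanation) from a genuine version mismatch. The following is an added example, not stunnel's or OpenSSL's code; the log lines and byte strings are constructed from the thread, and the name tables cover only the two codes that appear on this page.

```python
"""Triage helpers for the 'wrong version number' and 'http request' errors.

Added example, not code from stunnel or OpenSSL.  OpenSSL 0.9.x packs an
error code as (library << 24) | (function << 12) | (reason); the record
layouts checked below are the SSLv3/TLS 5-byte record header and the
SSLv2-compatible ClientHello.  All sample data is constructed.
"""
import re

# Name tables restricted to the two codes quoted on this page.
ERR_LIB_NAMES = {0x14: "SSL routines"}
ERR_FUNC_NAMES = {0x08F: "SSL3_GET_RECORD", 0x076: "SSL23_GET_CLIENT_HELLO"}
ERR_REASON_NAMES = {0x10B: "wrong version number", 0x09C: "http request"}

ERROR_CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


def describe_openssl_error(code_hex):
    """Render the code the way ERR_error_string() does: lib:func:reason."""
    lib, func, reason = decode_openssl_error(code_hex)
    return "%s:%s:%s" % (ERR_LIB_NAMES.get(lib, "lib %d" % lib),
                         ERR_FUNC_NAMES.get(func, "func %d" % func),
                         ERR_REASON_NAMES.get(reason, "reason %d" % reason))


def error_code_from_log(line):
    """Pull the 8-hex-digit code out of a stunnel LOG3 line, or None."""
    m = ERROR_CODE_RE.search(line)
    return m.group(1) if m else None


def classify_first_bytes(data):
    """Guess what a peer sent as its first bytes on a port expecting SSL/TLS.

    'sslv3-tls-record'   : type 0x14..0x17, version 3.x, 2-byte length
    'sslv2-client-hello' : 2-byte length with high bit set, then msg type 1
    'plaintext-http'     : starts with an HTTP method token (the case that
                           produces SSL23_GET_CLIENT_HELLO:http request)
    'plaintext-other'    : anything else, e.g. a telnet user typing
    'short'              : fewer than 5 bytes, cannot tell yet
    """
    if len(data) < 5:
        return "short"
    if 0x14 <= data[0] <= 0x17 and data[1] == 0x03 and data[2] <= 0x04:
        return "sslv3-tls-record"
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "plaintext-http"
    return "plaintext-other"


def triage_log(lines):
    """Map each stunnel log line that carries an OpenSSL code to its meaning."""
    result = []
    for line in lines:
        code = error_code_from_log(line)
        if code is not None:
            result.append((code, describe_openssl_error(code)))
    return result


# Constructed sample: the stunnel lines from the thread, each on one line.
SAMPLE_LOG = [
    "LOG5[727:4]: myhost.4567 connected from 127.0.0.1:32862",
    "LOG3[727:4]: SSL_read: error:1408F10B:SSL routines:SSL3_GET_RECORD:"
    "wrong version number",
    "LOG5[727:4]: Connection reset: 13 bytes sent to SSL, 0 bytes sent to socket",
]

if __name__ == "__main__":
    for code, meaning in triage_log(SAMPLE_LOG):
        print(code, "->", meaning)
    for sample in (b"\x16\x03\x00\x00\x2f\x01", b"GET / HTTP/1.0\r\n", b"hello\r\n"):
        print(sample, "->", classify_first_bytes(sample))
```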



RE: Brand New E-Mail pager for FR-EE! 7681

2001-02-05 Thread Kleinschmidt, James S Mr Signal Corp

Again,

Do not use this service for unsolicited advertisements.

James Kleinschmidt
Sr. Analyst, Signal Corporation
IM/IT Specialist, CDMRP
1077 Patchel Street
Ft. Detrick, MD 21702-5024
 (301) 619-7048
[EMAIL PROTECTED]


 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Sunday, February 04, 2001 7:25 PM
To: [EMAIL PROTECTED]
Subject:Brand New E-Mail pager for FR-EE!
7681








Re: MITM Paper....

2001-02-05 Thread Michael H. Warfield

On Mon, Feb 05, 2001 at 04:05:01PM +0100, Gil Peeters wrote:
  "Just like Kurt Seifert's paper describes 
   MITM attacks that depend on user stupidity 
   (ignoring warnings about CN not matching 
   or expired or unknown CA)."

 Would anyone have a reference to this paper??

 This is a point I have been trying to make to some "security" people where
 I am currently contracting. 

What point is that?  The fact that "stupid user tricks" can
defeat their best security measures (the primary point of Kurt's paper
was that SSL and SSH couldn't prevent stupid users from ignoring errors)?

Ok...

Here is Kurt's original article:

http://www.securityportal.com/cover/coverstory20001218.html

You can find some extensive, well thought out, discussion in the
BugTraq archives from about Dec 19, 2000 through Dec 23, 2000.


http://www.securityfocus.com/templates/archive.pike?start=2000-12-18&end=2000-12-24&list=1&threads=0

(Navigating the BugTraq archives can be a real pain since they
force you into these asinine frames).

Here is my rebuttal to Kurt's article on BugTraq:

http://www.securityfocus.com/archive/1/152239

Here is Richard Silverman's (author of the O'Reilly book on SSH)
rebuttal to Kurt's original article:

http://sysadmin.oreilly.com/news/silverman_1200.html

And here is Kurt's response to Richard's rebuttal:

http://www.securityportal.com/seifried/sslssh-followup20001222.html


Mike
-- 
 Michael H. Warfield|  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)  |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9  |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471|  possible worlds.  A pessimist is sure of it!




SSL_CTX_set_verify_locations CAPATH help

2001-02-05 Thread Evan Cross

Hi,
 I was wondering if anyone could help with this. I want 
to keep a store of CA certificates in one directory and I 
was under the impression that the CAPATH variable allows 
for this. However the certificates in the directory are 
never loaded. 
 There's a mention of using a hash tool but I'm unsure of 
this; could someone provide more information on the CAPATH 
and what I have to do for it to load multiple trusted 
certificates.

Evan





openssl-0.9.6 + apache-1.3.14 make errors

2001-02-05 Thread terr

There seems to be a problem with ./config shared in openssl-0.9.6 that occurs 
completely independently of apache.  OS=RH6.1

The problem I am running into seems to be an apache-ssl problem so I ask the pure 
openssl people to ignore that part of the email.


This is weird.  I _had_ it all working after following Ben Laurie's instructions.
Then something funny seems to have happened.  I think this may have been triggered by 
something I did but I can not find it.  Enlightenment would be appreciated.

apache will no longer link.  It gives the error that the "shared library"
libcrypto.so is not available.

So... after many attempts I blew everything away and started from scratch.

1)  tar -xzvf openssl-0_0_6_tar.gz

All looks fine.  No errors nor warnings.

2)  ./config

It does not build the shared libs.  Apache seems to need shared libs but I don't know 
why.  After several failed attempts I decide to try:

3)  ./config shared

This seems to work.  Final message is Configured for linux-elf

4) make

This appears to work properly.

5) make install


This does _attempt_ to install the shared libs however it gives an error message to 
the effect that there is an unknown file format.  The specific messages are:

installing libcrypto.so
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so: File format not recognized
installing libcrypto.so.0
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so.0: File format not recognized
installing libcrypto.so.0.9.6
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so.0.9.6: File format not recognized
installing libssl.so
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so: File format not recognized
installing libssl.so.0
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so.0: File format not recognized
installing libssl.so.0.9.6
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so.0.9.6: File format not recognized


I specifically remember reading Ben's step 0 and it seems to me there is _something_ 
that I needed to do to openssl 0.9.6 in the way of a patch.  But I can see no relevant 
patch.  There is a patch for 0.9.5a but this is not relevant to 0.9.6.

If anyone has tried compiling and linking apache 1.3.14 into openssl using the tar 
from apache-ssl.org - specifically apache_1_3_14+ssl_1.1.42_tar.gz

In any event it appears to me that the shared option is not working.  The system is 
redhat 6.1 and it is the server edition.



Now - there is something that I did which I don't think is related.  I was trying to 
figure out the ld commands for creating a DSO because I have not done this before.  So 
I cd'd to the openssl source tree and typed make libcrypto.so  This _should_ be pretty 
harmless.

After this nothing ran.  Even blowing everything away and starting fresh does not seem 
to work.

Anyway...  I do not remember building ssl for shared library support and I don't think 
it needs to be in a shared library.  I think there may be a link or something that is 
bad.  

If anyone has any ideas please let me know.  Thanx





problems resolved w/o openssl shared libs.

2001-02-05 Thread terr

This has me stumped.  Do libraries cache or something?  I went through this at least 
10 times and used a bash script to do it all - same session even - and suddenly it is 
running.  I was damn careful to try to reproduce EXACTLY what I did before.

Perhaps there is something in the make install that doesn't work properly in all cases 
but I can not see anything.

Clearly there does seem to be a repeatable problem with the installation of the shared 
libs.

But this is totally unrelated to what I was running in to.  The problem from the 
apache side is that gen_test_char found in src/main would not run and it complained 
about a missing library.  The one thing I did differently is go into /usr/local and 
remove both ssl and apache before this latest rebuild.  Perhaps there was something in 
the old ssl directory that triggered this but I doubt it and I can't see anything that 
should not be there.

Anyway, if anyone has encountered anything like this I'd like to know.

I'll be rebuilding on a regular basis I think and if I see anything I'll try to 
reproduce and track it down.  If anyone else has any ideas please advise.

Thanks





SSL samples under win32

2001-02-05 Thread Juan Carlos Castro y Castro

Hi. Trying to compile the cli.cpp (is a .c actually) sample under Win32
(VC5), I find out it uses a function called Free() to deallocate the
strings returned by the query server certificate functions -- there's no
such function available. free(), with a lowercase f, GPFs the program. How
do I deallocate those strings? Do I need to at all?

Thanx,
Juan

--
"What is freedom of expression? Without the freedom to offend,
 it ceases to exist."  -- Salman Rushdie






RE: problems resolved w/o openssl shared libs.

2001-02-05 Thread Ian Cain

talking to yourself is the first sign of insanity

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 1:27 PM
To: [EMAIL PROTECTED]
Subject: problems resolved w/o openssl shared libs.





how do I decipher using this?

2001-02-05 Thread Lee Melville

Hi,

I am enciphering a series of files and am trying to decipher them with this
routine, it is basically the same as the one I have used for enciphering.
It has however been a while since I have done this and I am now having
trouble trying to remember how it is done.  Can anyone help with this?

thanx
lee

--- code follows --

 filesLeft=0;
 while(filesLeft < mObjects->numFiles){
  sourceFile=mObjects->files[filesLeft];
  destFile=sourceFile;
  destFile.Replace(".enc",".zip");

  fileIn.Open(sourceFile, CFile::typeBinary | CFile::modeRead, NULL);
  fileOut.Open(destFile, CFile::typeBinary | CFile::modeCreate |
CFile::modeWrite, NULL);

  // The encrypted file starts with the 8-byte "Salted__" magic followed
  // by the 8-byte salt chosen at encryption time.  Read the magic into a
  // buffer (reading into a string literal writes over read-only memory)
  // and take the salt from the file; no fresh salt is generated here.
  unsigned char magic[8];
  if (fileIn.Read(magic, 8) != 8 || memcmp(magic, "Salted__", 8) != 0){
   fileIn.Close();
   fileOut.Close();
   filesLeft++;
   continue;   // not a Salted__ file, skip it
  }
  fileIn.Read(salt,PKCS5_SALT_LEN);

   // seems to fail after here - am i using the salt correctly??
  // Key and IV must come from the same salt, digest (MD5) and iteration
  // count (1) that the encrypting side used.
  ciph = EVP_des_ede3_cbc();
  EVP_BytesToKey(ciph,EVP_md5(),salt,(unsigned char
*)passwd,strlen(passwd),1,(unsigned char *)key,(unsigned char *)iv);
  EVP_CipherInit(&ctx, ciph, (unsigned char *)key, (unsigned char
*)iv,0);   // enc = 0 selects decryption

  // out must be large enough for a 512-byte chunk plus one cipher block.
  i=1;
  while (i!=0){
   i=fileIn.Read(buff,512);
   EVP_CipherUpdate(&ctx, out, &outl, (unsigned char *)buff, i);
   fileOut.Write(out, outl);
  }
  // CipherFinal returns 0 when the padding does not check out, which is
  // what a wrong password, salt or IV looks like on decryption.
  if (!EVP_CipherFinal(&ctx, out, &outl))
   TRACE("decrypt of %s failed: bad password or corrupted file\n", sourceFile);
  fileOut.Write(out, outl);
  EVP_CIPHER_CTX_cleanup(&ctx);
  fileIn.Close();
  fileOut.Close();
  filesLeft++;
 }


- end of code -
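The question turns on how the salt is used: an `openssl enc`-style file starts with the 8-byte magic "Salted__" and the 8-byte salt, and key and IV are then derived from password and salt by EVP_BytesToKey with MD5 and one iteration. The following added example (mine, not the poster's code and not OpenSSL's) parses that header and reproduces the derivation for des-ede3-cbc in pure Python; the sample file bytes are constructed, and it stops at the derived key and IV that EVP_CipherInit would receive.

```python
"""Salted__ header parsing and EVP_BytesToKey key/IV derivation.

Added example, not the poster's code and not OpenSSL's.  It reproduces
EVP_BytesToKey(EVP_des_ede3_cbc(), EVP_md5(), salt, passwd, len, 1, key, iv)
and the file layout written by `openssl enc -salt`.  Sample data is constructed.
"""
import hashlib

SALTED_MAGIC = b"Salted__"
PKCS5_SALT_LEN = 8
DES_EDE3_KEY_LEN = 24   # EVP_des_ede3_cbc(): 24-byte key ...
DES_CBC_IV_LEN = 8      # ... and an 8-byte IV (one DES block)


def evp_bytes_to_key(password, salt, key_len, iv_len, count=1, md=hashlib.md5):
    """OpenSSL's EVP_BytesToKey.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), each
    re-hashed (count - 1) more times; key || iv is the concatenation of the
    D_i truncated to key_len + iv_len bytes.  With MD5 and DES-EDE3-CBC that
    is two digests (32 bytes) covering 24 + 8.
    """
    if salt is not None and len(salt) != PKCS5_SALT_LEN:
        raise ValueError("salt must be %d bytes" % PKCS5_SALT_LEN)
    salt = salt or b""
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        d = md(prev + password + salt).digest()
        for _ in range(count - 1):
            d = md(d).digest()
        material += d
        prev = d
    return material[:key_len], material[key_len:key_len + iv_len]


def has_salted_header(data):
    """True when the file carries the 8-byte magic plus an 8-byte salt."""
    return len(data) >= 16 and data[:8] == SALTED_MAGIC


def split_salted_file(data):
    """Return (salt, ciphertext).  The salt is read from the file; the
    decrypting side never generates one."""
    if not has_salted_header(data):
        raise ValueError("missing Salted__ header")
    return data[8:16], data[16:]


def decryption_parameters(data, password):
    """Everything the decrypt loop needs before EVP_CipherInit: key, iv, body.

    A body whose length is not a multiple of the 8-byte DES block is rejected
    here; a wrong password only shows up later as an EVP_CipherFinal padding
    failure.
    """
    salt, body = split_salted_file(data)
    if len(body) % DES_CBC_IV_LEN:
        raise ValueError("ciphertext length is not a multiple of 8")
    key, iv = evp_bytes_to_key(password, salt, DES_EDE3_KEY_LEN, DES_CBC_IV_LEN)
    return key, iv, body


# Constructed sample: magic, a fixed salt 01..08, and two dummy cipher blocks.
SAMPLE_FILE = SALTED_MAGIC + bytes(range(1, 9)) + b"\x00" * 16

if __name__ == "__main__":
    k, v, body = decryption_parameters(SAMPLE_FILE, b"secret")
    print("key", k.hex(), "iv", v.hex(), "ciphertext bytes", len(body))
```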








Re: openssl-0.9.6 + apache-1.3.14 make errors

2001-02-05 Thread Richard Levitte - VMS Whacker

From: [EMAIL PROTECTED]

terr apache will no longer link.  It gives the error that the "shared
terr library"  libcrypto.so is not available.

In which directory do you have libcrypto.so?  If not in /lib or
/usr/lib, have you created the environment variable LD_LIBRARY_PATH to
include the directory where libcrypto.so resides?  At least, I think
setting LD_LIBRARY_PATH is necessary, but I could be wrong...

terr This does _attempt_ to install the shared libs however it gives
terr and error message to the effect that there is an unknown file
terr format.  The specific messages are:

That's ranlib who whines.  ranlib doesn't recognise shared libraries,
since it's designed to handle static libraries only.  Therefore, when
presented with a shared library, it will complain, but it will not
alter the file; for that reason, the messages you get can be safely
ignored.  If you do take a look in /usr/local/ssl/lib, you will see
that you have shared libraries (and probably copies, instead of most
of them being softlinks), and you can probably check with nm that they
are at least potentially useful.

The shared support in OpenSSL has been, and still is, experimental.
Some of the handling in 0.9.6 is incorrect, but as far as I recall,
the shared libraries that are produced are correct.

terr ANyway...  I do not remember building ssl for shared library
terr support and I don't think it needs to be in a shared library.  I
terr think there may be a link or something that is bad.

I'd guess at a directory reference that's not quite right.  That is,
however, a very blind guess...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.