RE: libssl.so: undefined symbol: sk_X509_NAME_value

2001-09-06 Thread Dirk Dierckx

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 06, 2001 4:30 AM
To: [EMAIL PROTECTED]
Subject: libssl.so: undefined symbol: sk_X509_NAME_value

snip
/apachectl startssl
Syntax error on line 243 of /usr/local/share/apachessl/conf/httpd.conf:
Cannot load /usr/local/share/apachessl/libexec/libssl.so into
server: /usr/local/share/apachessl/libexec/libssl.so: undefined
symbol: sk_X509_NAME_value
./apachectl startssl: httpd could not be started
/snip

snip
1. install openssl
# cd src/openssl-0.9.6b
# ./config
# make
# make install
/snip

The library that it can't find is part of the openssl package and as I can
see from your install steps for openssl you didn't specify a specific
prefix, so your libs were installed in their default locations, which is
/usr/lib/libssl.so, etc. on my system.
Try to do a

locate libssl.so

or a

find / -name libssl.so

to locate them on your system.

Regards,
Dirk.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



simple question about OpenSSL and HTTP

2001-09-06 Thread MARS.LIN

Hi folks,

I have a simple question about OpenSSL and HTTP.
I am trying to enhance httpd code into a secure one, such as httpsd.
Could I simply combine the openssl library with the httpd code for that?
Are there any differences between http and https except for the ssl
handshaking?

best regards,
Mars.



Re: simple question about OpenSSL and HTTP

2001-09-06 Thread Sean O'Riordain

Mars,
have a look at http://www.modssl.org/
cheers,
Sean

MARS.LIN wrote:
>
> I have a simple question about OpenSSL and HTTP
> I try to enhance httpd codes into secure one, such as httpsd.
> could i simply combine openssl library with httpd codes for that?
> are there any different between http and https except for the ssl
> handshacking?



try to help me X509_get_version

2001-09-06 Thread Zulkiffli Mohd Nur




Hello.

I have a problem: how to read version and serial number from a certificate.
Just now I have a certificate.

The code is like this:

#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/pem.h>

main()
{
    X509 *x;
    FILE *fp;
    EVP_PKEY *pkey;
    long version;
    char *s;

    if ((fp=fopen("C:\\CryptoWeb\\backup 492001\\Haizad.crt","r")) != NULL)
    {
        x=X509_new();
        if (PEM_read_X509(fp,x,NULL,NULL)!=NULL)
            printf("\nReading success!\n");
        else
        {
            printf ("\nError reading certificate!");
            exit (1);
        }
        printf("\nCertificate value: %s",x);
        version = X509_NAME_oneline(X509_get_version(x), NULL,NULL);
        printf ("\nVersion: %s\n",version);

        s = X509_NAME_oneline(X509_get_subject_name(x),NULL,NULL);
        printf("\nSUBJECT NAME: %s\n",s);
        s = X509_NAME_oneline(X509_get_issuer_name(x),NULL,NULL);
        printf("\nISSUER NAME: %s\n",s);

        /* Get public key - eay */
        pkey=X509_get_pubkey(x);
        if (pkey == NULL) {
            printf ("\nPublic key error!");
            exit (1);
        }
        if (pkey == NULL) {
            printf ("\nPublic key is NULL!");
            exit (1);
        }
        else
            printf ("Public key found!");

        printf("\nPublic key:");
        RSA_print_fp(stdout,pkey->pkey.rsa,0);

        X509_free(x);
        fclose(fp);
    }
    else
        perror("ERROR, haizad.crt");
}

This code has some errors.
Can you help me by giving an example?
Please reply as soon as possible.
Thank you.



RE: simple question about OpenSSL and HTTP

2001-09-06 Thread MARS.LIN

Dear Sean,

Thanks for your help!
And there's another problem.
Is mod_ssl designed closely with Apache?
Because I don't use Apache as httpd code.
Are there other alternative methods?

Many thanks,
Mars

-Original Message-
From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 5:06 PM
To: [EMAIL PROTECTED]
Subject: Re: simple question about OpenSSL and HTTP


Mars,
have a look at http://www.modssl.org/
cheers,
Sean

MARS.LIN wrote:
>
> I have a simple question about OpenSSL and HTTP
> I try to enhance httpd codes into secure one, such as httpsd.
> could i simply combine openssl library with httpd codes for that?
> are there any different between http and https except for the ssl
> handshacking?



PEM to raw conversion

2001-09-06 Thread nagas



Hi all,
  Is there a way to convert PEM keys to RAW keys or vice versa?
Because I am facing a compatibility problem between RSA-REF and cryptix.

thanks

-- Nagas


Re: try to help me X509_get_version

2001-09-06 Thread Vadim Fedukovich



On Thu, 6 Sep 2001, Zulkiffli Mohd Nur wrote:

> hello.
>
> i have a problem how to read version and serial number from certificate.

X509_get_version() will return a long that could be printed using %ld
specification.

> just now i have a certificate.
>
> the code like this
>
> #include <stdio.h>
> #include <openssl/x509.h>
> #include <openssl/pem.h>
>
> main()
> {
>     X509 *x;
>     FILE *fp;
>     EVP_PKEY *pkey;
>     long version;
>     char *s;
>
>     if ((fp=fopen("C:\\CryptoWeb\\backup 492001\\Haizad.crt","r")) != NULL)
>     {
>         x=X509_new();
>         if (PEM_read_X509(fp,x,NULL,NULL)!=NULL)
>             printf("\nReading success!\n");
>         else
>         {
>             printf ("\nError reading certificate!");
>             exit (1);
>         }
>         printf("\nCertificate value: %s",x);
>         version = X509_NAME_oneline(X509_get_version(x), NULL,NULL);
>         printf ("\nVersion:  %s\n",version);
>
>         s = X509_NAME_oneline(X509_get_subject_name(x),NULL,NULL);
>         printf("\nSUBJECT NAME:  %s\n",s);
>         s = X509_NAME_oneline(X509_get_issuer_name(x),NULL,NULL);
>         printf("\nISSUER NAME:  %s\n",s);
>
>         /* Get public key - eay */
>         pkey=X509_get_pubkey(x);
>         if (pkey == NULL) {
>             printf ("\nPublic key error!");
>             exit (1);
>         }
>
>         if (pkey == NULL) {
>             printf ("\nPublic key is NULL!");
>             exit (1);
>         }
>         else
>             printf ("Public key found!");
>
>         printf("\nPublic key:");
>         RSA_print_fp(stdout,pkey->pkey.rsa,0);
>
>         X509_free(x);
>         fclose(fp);
>     }
>     else
>         perror("ERROR, haizad.crt");
> }
>
> this code have some error.
>
> can you help me give any example.
>
> please reply as soon as possible.
>
> thank you








Re: libssl.so: undefined symbol: sk_X509_NAME_value

2001-09-06 Thread Ben Laurie

[EMAIL PROTECTED] wrote:
>
> I have, for two days, been banging my head on trying to install this
> apache server with mod_ssl.  I keep having problems.  I have tried
> absolutely everything I can think of to try to fix this.  I have searched
> all of the postings and tried their solutions.  Nothing works.
>
> Here is my OS ...
>
> Linux host_name_omitted 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT
> 2000 i686 unknown
>
> Here is the error ...
>
> /apachectl startssl
> Syntax error on line 243 of /usr/local/share/apachessl/conf/httpd.conf:
> Cannot load /usr/local/share/apachessl/libexec/libssl.so into
> server: /usr/local/share/apachessl/libexec/libssl.so: undefined
> symbol: sk_X509_NAME_value
> ./apachectl startssl: httpd could not be started
>
> Here was my install process ...
>
> gtar xzvf src/openssl-0.9.6b.tar.gz
> gtar xzvf src/apache_1.3.20.tar.gz
> gtar xzvf src/mod_ssl-2.8.4-1.3.20.tar.gz
> gtar xzvf src/mod_auth_ldap.tar.gz
> gtar xzvf src/mod_put.tar.gz
>
> 1. install openssl
>
> # cd src/openssl-0.9.6b
> # ./config
> # make
> # make install
>
> 2. Add authmodldap to the apache src
>
> # cp -pr modauthldap apache_1.3.20/src/modules/ldap
>
> 3. configure mod_ssl
>
> # ./configure --with-apache=/usr/src/apache_1.3.20/
> --prefix=/usr/local/share/apachessl
>
> 4. configure apache ( include modauthldap, mod_put, mod_ssl )
>
> # SSL_BASE=/usr/local/ssl ./configure --enable-module=ssl
> --enable-rule=EAPI --prefix=/usr/local/share/apachessl --enable-shared=max
> --enable-module=all --add-module=../mod_put-1.3/mod_put.c
> --activate-module=src/modules/ldap/mod_auth_ldap.c
> # make
> # make certificate TYPE=test
> # make install
>
> 5. Edit /usr/local/share/apachessl/conf/httpd.conf
>
> 6. Should be done now  start by using
>
> /usr/local/share/apachessl/bin/apachectl startssl
>
> This is where it totally bombs on me.  I even tried Upgrading with APXS
>
> # ./configure --with-apxs=/usr/local/share/apachessl/bin/apxs
> --with-ssl=/usr/local/ssl
>
> This still didn't work.

Ah, didn't work, eh? That'll be because something went wrong. Or, to put
it another way - details!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Re: libssl.so: undefined symbol: sk_X509_NAME_value

2001-09-06 Thread Dr S N Henson



[EMAIL PROTECTED] wrote:
>
> I have, for two days, been banging my head on trying to install this
> apache server with mod_ssl.  I keep having problems.  I have tried
> absolutely everything I can think of to try to fix this.  I have searched
> all of the postings and tried their solutions.  Nothing works.
>
> Here is my OS ...
>
> Linux host_name_omitted 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT
> 2000 i686 unknown
>
> Here is the error ...
>
> /apachectl startssl
> Syntax error on line 243 of /usr/local/share/apachessl/conf/httpd.conf:
> Cannot load /usr/local/share/apachessl/libexec/libssl.so into
> server: /usr/local/share/apachessl/libexec/libssl.so: undefined
> symbol: sk_X509_NAME_value
> ./apachectl startssl: httpd could not be started
 

This is what may be happening: an earlier version of OpenSSL had a
function called sk_X509_NAME_value, later versions have a macro instead.
So somehow the old definition is being picked up when OpenSSL and/or
mod_ssl is being compiled.

I suspect that you may have some headers for an older version of OpenSSL
on your system somewhere and those are being seen instead of the newer
OpenSSL 0.9.6b ones. Do a search on your system for some of the header
names (x509.h for example) and remove any old versions.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
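
The header search Steve describes above, written out as a script. This is an added example, not code from any post in the thread: the function names are hypothetical, it assumes each OpenSSL header directory carries an opensslv.h that defines OPENSSL_VERSION_TEXT, and the sample tree with its version strings is constructed.

```shell
#!/bin/sh
# Added example: find every OpenSSL header set under the given roots and
# report when more than one version is present (stale headers).

# Print "version<TAB>directory" for each directory that contains x509.h.
# Assumption: the version is read from OPENSSL_VERSION_TEXT in the
# opensslv.h next to it; header sets without that file show "unknown".
list_openssl_headers() {
    find "$@" -type f -name x509.h 2>/dev/null | sort |
    while IFS= read -r hdr; do
        dir=$(dirname "$hdr")
        ver=""
        if [ -f "$dir/opensslv.h" ]; then
            ver=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' \
                  "$dir/opensslv.h" | head -n 1)
        fi
        printf '%s\t%s\n' "${ver:-unknown}" "$dir"
    done
}

# Number of distinct header versions found under the roots.
count_header_versions() {
    list_openssl_headers "$@" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Status 0: zero or one version found. Status 1: several, listed on stderr.
check_header_conflict() {
    n=$(count_header_versions "$@")
    if [ "$n" -gt 1 ]; then
        echo "CONFLICT: $n different OpenSSL header versions:" >&2
        list_openssl_headers "$@" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree: an old header set in usr/include and the
# 0.9.6b one under usr/local/ssl (paths and version strings are made up).
make_sample_tree() {
    root=$1
    for pair in "usr/include/openssl|OpenSSL 0.9.5a (constructed)" \
                "usr/local/ssl/include/openssl|OpenSSL 0.9.6b (constructed)"; do
        d=$root/${pair%%|*}
        mkdir -p "$d"
        : > "$d/x509.h"
        printf '#define OPENSSL_VERSION_TEXT "%s"\n' "${pair#*|}" > "$d/opensslv.h"
    done
}
```

On a real host, `check_header_conflict /usr/include /usr/local` covers the two usual prefixes. Any directory it lists that is not the 0.9.6b install is a candidate for the old headers Steve suggests removing before rebuilding.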





Netscape Extension

2001-09-06 Thread Kiyoshi Watanabe


Dear all,

Let me ask that if I omit to specify the nsCertType extension,
the certificate can be used for keyEncipherment even if I specify
the digitalSignature only in keyUsage?

Does anyone know whether Netscape recognizes the keyUsage bit and limits
the usage of the certificate?

Regards,

Kiyoshi,

Kiyoshi WATANABE
Hitachi, Ltd.

 
---openssl.cnf--
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
#
#
# For an object signing certificate this would be used.
# nsCertType = objsign
#
# For normal client use this is typical
# nsCertType = client, email
#
# and for everything including object signing:
#
nsCertType = client, email, objsign

#nsCertType = client
#nsCertType = email
#nsCertType = objsign
#nsCertType = client, email

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment



Re: Re: doubt regarding X509_verify_cert

2001-09-06 Thread Chandu



 Hi all and Hello Dr. Henson,

please find attached files:
cacert.pem - trusted certificate
cakey.pem - trusted certificate's private key.
selfcert.pem - certificate signed by the given trusted certificate.

The following is the output when we try to use openssl verify utility:

$ openssl verify -CApath /usr/local/lib/openscep/ -CAfile
cacert.pem -verbose -issuer_checks tmp.pem
tmp.pem: /unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 2 at 1 depth lookup:unable to get issuer certificate


We could not make any progress with the OpenSSL verify utility as well.  I
request you to help us in this regard...

Awaiting your valuable Response

Regards
Suram

 I have a doubt regarding the x509_verify_cert().  When we have a TRUSTED
 certificate with the authority-key-identifier extension, and when we are
 trying to verify a SELF certificate using the function X509_verify_cert(),
 the verification is failing.

Upon a deeper look into the function, the function is failing as follows...

When we call the X509_verify_cert() with the CTX,
Before calling this function we are initializing the CTX->cert with the
self-certificate, and we are adding the trusted-certificates in X509_STORE
using the function X509_STORE_add_cert().

In the X509_verify_cert()
1. checks whether CTX->cert (self-certificate) is self-signed certificate or
not by PUSHing the certificates into a chain.
2. It is looking for Trusted certificates whose subject name is same as the
Issuer Name of CTX->cert (i.e., self-certificate) and pushing the certificates
into the chain in the CTX. Now we are checking the Trusted certificates are
Self-signed or not by calling the function X509_check_issued( ).
3. We are passing the subject and issuer certificates the same Trusted
Certificate.  In this function we are checking the Serial Number of the
Issuer certificate with the Serial number in the extension Authority Key
Identifier of the Subject Certificate.
Here we are facing problem.  The problem is ASN1_INTEGER_cmp( ) is failing.

The QUESTION is whether the Serial Number in the Trusted Certificate should
be SAME as the Serial Number in the Authority Key Identifier extension?

If the two need not be the same then we feel that there is a bug in the
X509_check_issued ( ) function as we are using it to verify whether the
certificate is self-signed or not.

I would be thankful for any help regarding this question..

Regards
Suram

I've already responded to this in openssl-dev:

Does this fail with the OpenSSL verify utility? If so what is the
failure reason? Also try it with the -issuer_checks command line option.
If that doesn't help much then if you could send me the certificate(s)
causing the trouble I'll investigate further.

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



---

--
Rama Krishna Prasad  Chunduru
Software engineer
Intoto Software(I) Pvt Ltd
Kharkhana
Secundrabad

 selfcert.pem
 cacert.pem
 cakey.pem


Export Control

2001-09-06 Thread michael luch

Hello,

  I'm using openssl 0.96b (in the EU/ US) and have a question regarding 
ciphers and current export controls. When I create two peers and establish a 
connection the cipher seems to be EXP1024-RC4-SHA with the actual strength 
at 56 bits. This seems to be export constrained somehow in the build/ 
configuration step.
Can I build openssl so that it uses an actual strength of 128 bits?  Is this 
allowable/ possible?


regards,

Michael.






RE: Problem running cswift on Linux

2001-09-06 Thread lgazis

I haven't seen this particular error before, but I'd suggest contacting our
tech support ([EMAIL PROTECTED]), and including information on the
versions of OpenSSL, Apache, and CryptoSwift IK involved, just what load
test is being run, and any errors that may appear in the Apache error log.

Lynn Gazis
Rainbow Technologies

-Original Message-
From: Andy Tsz Kwan Chan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 05, 2001 8:21 PM
To: [EMAIL PROTECTED]
Subject: Problem running cswift on Linux


Hi,

  I am running cswift on Linux 2.2.17 using regular Apache.  After a
load test is over, I see the following:

140 D abuser1700  1688  2  60   0-  1206 end19:52 ?
00:00:24ab-helper -f /USR/A/conf/httpd.conf

  This process stays in this state forever and it can not be killed.  It
seems to be waiting for a disk operation to be completed.  When I do
lsmod, I see something like:

cspci5744x

  where x is the number of processes staying in the above state.  Any
idea why this is happening?  Thanks.

best regards,
Andy





Encrypt attached Documents using Certificate

2001-09-06 Thread Averroes

Hi All,

I got my personal certificate and use it
to sign my emails with netscape messenger or Outlook.
It works fine (Sign and Encryption).

My question is:

If I send an email with attached documents, are these
attached documents encrypted when they fly?
And how can I check if they are encrypted or not?

Regards

-- 
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# Network Security Auditor (NSA)
# e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8
# http://www.keyserver.net/en/
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-


