Re: Cert / Key storage
On Wed, Jan 23, 2002 at 10:43:22AM -0800, Michael Shanzer wrote:
> --- Lutz Jaenicke [EMAIL PROTECTED]
> > SSL_load_client_CA_file() reads in a file and obtains the X509 certificates.
> > From each X509 certificate the subject name is extracted and put onto
> > a STACK_OF(X509_NAMES). I am confident that you will find it simple to use
> > the function as a template and replace the reading of the file with
> > appropriate database operations. (ssl/ssl_cert.c)
>
> I started looking there and got bogged down with all the BIO stuff. Which I
> was not really in the mood to deal with. But if there is no other option ...
> Thanks for the info.

Actually: forget the BIO stuff. It is just a generalized I/O layer, that is used inside OpenSSL at all places. What you do have to take a look at are the X509_* operations...

Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Building crypto library
Hello all,

I want to compile an executable that will only support EDH-DSS-DES-CBC3-SHA. I tried configuring with these options:

    no-idea no-rsa no-cast no-bf no-rc4 no-rc5 no-rc2 no-des

but when I go to compile I get errors in evp.h because a union is defined and it is empty because of all the #defines.

Basically I want one application that will support EDH-DSS-DES-CBC3-SHA and another that will support EXP1024-DHE-DSS-DES-CBC-SHA. So I figured I would create two libcrypto builds but I cannot find the configuration options to make it work the way I want. Any ideas?

- Andrew T. Finnell
ActiveSol.net
[EMAIL PROTECTED]
SSL.PM question
I'm using SSLeay along with OpenSSL to retrieve https pages via SSL.pm. I'm not using a proxy, but in the runtime I get the familiar uninitialized variable message being displayed for a line in SSL.pm. I normally like to keep my executions clean and don't want uninit messages coming up, so I would like to resolve this problem.

I'm using 2.75 SSL.pm and the error is coming from line 363

    $proxy_server =~ s|^https?://||i;

First, I haven't a clue as to what this statement is doing from the syntax. I'm guessing that it is doing a pattern search but the | are throwing me off. I too see from the code that it is trying to parse HTTPS_PROXY key value from the ENV hash. I put a value into the key value, (i.e. HTTPS_PROXY) but I still get the uninit message.

Could someone be so kind as to tell me what the statement is doing and how I might eliminate the message. Yes, I do know that I could remove -w on the execution to suppress the message.

Thanks in advance for any help.
libssl.so.2
Hi there,

I've removed OpenSSL 0.9.6.b (which was installed during the RH72 installation) and I installed OpenSSL 0.9.6.c. Now I have the problem that certain applications (sendmail as an example) are complaining that they cannot find the library libssl.so.2. Now this library will not be installed with OpenSSL 0.9.6.c. Can anybody tell me what to do to solve this problem (without a downgrade to 0.9.6.b)?

Thanks,
Mich
Re: SSL.PM question
On Wed, 23 Jan 2002 [EMAIL PROTECTED] wrote:
> I'm using SSLeay along with OpenSSL to retrieve https pages via SSL.pm. I'm
> not using a proxy, but in the runtime I get the familiar uninitialized
> variable message being displayed for a line in SSL.pm. I normally like to
> keep my executions clean and don't want uninit messages coming up, so I
> would like to resolve this problem.
>
> I'm using 2.75 SSL.pm and the error is coming from line 363
>
>     $proxy_server =~ s|^https?://||i;
>
> First, I haven't a clue as to what this statement is doing from the syntax.
> I'm guessing that it is doing a pattern search but the | are throwing me
> off. I too see from the code that it is trying to parse HTTPS_PROXY key
> value from the ENV hash. I put a value into the key value, (i.e.
> HTTPS_PROXY) but I still get the uninit message.
>
> Could someone be so kind as to tell me what the statement is doing and how
> I might eliminate the message. Yes, I do know that I could remove -w on the
> execution to suppress the message.
>
> Thanks in advance for any help.

This line is attempting a substitution -- the | characters are the regular expression delimiters (Perl is quite liberal in what characters are used in this context). The 'http' (with optional 's') and '://' are being replaced by a null string. The trailing 'i' indicates ignore case. So it is actually stripping the protocol information from the URL.

The complaint is probably coming from the variable $proxy_server not being properly defined somewhere before this line, hence it cannot be bound to the substitution operator.

Philip Shanks
[EMAIL PROTECTED]
--
If you find a solution and become attached to it, the solution may become your next problem.
(more wisdom from /usr/games/fortune)
Re: Correct way to expire certificate
Hello,

both E and R could be used.
E means expired
R means revoked
Both values in the index.txt file have the effect that you can recreate or prolong this certificate.

Regards,
Gertraud

Roach, Mark R. wrote:
> On Tue, 2002-01-22 at 18:28, Michael Richardson wrote:
> > I had to change the V to an R and enter a date when the certificate
> > was to have expired. This goes in a field that is normally blank, e.g:
>
> Hmm, so I could just parse all the certificates via cron, and make it
> insert the appropriate timestamp...
>
> Are you sure that an 'R' is the right character? I saw in my searches
> some pages that indicated an 'E' was appropriate.
>
> Thanks,
> Mark Roach

--
Gertraud Unterreitmeier
Development
Activis
Gutenbergstr. 1
D-85737 Ismaning
Tel: +49-89-94573-453
Fax: +49-89-94573-479
mailto:[EMAIL PROTECTED]
http://www.activis.com
Can't start Apache server / expecting an asn1 sequence
I'm running:

    apache_1.3.22
    mod_perl-1.26
    mod_ssl-2.8.5-1.3.22
    openssl-0.9.6c

When I try to start apache, this shows in the error log:

    mod_ssl: Init: Unable to read server certificate from file /usr/local/www/conf/ssl.crt/server.crt (Open SSL library error follows)
    OpenSSL: error: 0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence.

FWIW, everything works, if I don't use mod_perl.

Thanks.
Jeff Slonaker
Re: Correct way to expire certificate
Roach, == Roach, Mark R [EMAIL PROTECTED] writes:

    Roach, On Tue, 2002-01-22 at 18:28, Michael Richardson wrote:
    Roach, > I had to change the V to an R and enter a date when the certificate
    Roach, > was to have expired. This goes in a field that is normally blank, e.g:

    Roach, Hmm, so I could just parse all the certificates via cron, and make it
    Roach, insert the appropriate timestamp...

    Roach, Are you sure that an 'R' is the right character? I saw in my searches
    Roach, some pages that indicated an 'E' was appropriate.

You could be right. I did this on advice from Rodney Thayer when my email relaying-permitted certificate expired while at IETF.

] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another NetBSD/notebook using, kernel hacking, security guy); [
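Added example, not part of any message in this thread and not OpenSSL project code: a sketch of the cron-style pass over index.txt discussed in the two "Correct way to expire certificate" messages. It assumes the tab-separated six-field layout that `openssl ca` writes (status, expiry, revocation date, serial, filename, subject), flips only `V` rows whose expiry has passed to `E`, and leaves the normally blank date field empty; the function names and the sample rows are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_asn1_time(stamp):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not stamp.endswith("Z") or len(stamp) not in (13, 15):
        raise ValueError("unsupported time field: %r" % stamp)
    digits = stamp[:-1]
    if len(digits) == 12:
        # RFC 5280 pivot for two-digit years: 00-49 -> 20xx, 50-99 -> 19xx
        digits = ("20" if int(digits[:2]) < 50 else "19") + digits
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def mark_expired(index_text, now):
    """Return (new_text, serials_changed); only 'V' rows past expiry change."""
    out, changed = [], []
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            out.append(line)      # leave anything unexpected untouched
            continue
        status, not_after, _revoked_at, serial = fields[:4]
        if status == "V" and parse_asn1_time(not_after) <= now:
            fields[0] = "E"       # assumption: date field stays blank for E
            changed.append(serial)
        out.append("\t".join(fields))
    return "".join(row + "\n" for row in out), changed

# Constructed sample database (not taken from the thread).
SAMPLE_INDEX = (
    "V\t020101000000Z\t\t01\tunknown\t/C=XX/O=Example/CN=old.example.test\n"
    "V\t491231235959Z\t\t02\tunknown\t/C=XX/O=Example/CN=new.example.test\n"
    "R\t030101000000Z\t020115120000Z\t03\tunknown\t/C=XX/O=Example/CN=revoked.example.test\n"
)

if __name__ == "__main__":
    now = datetime(2002, 1, 23, tzinfo=timezone.utc)
    text, changed = mark_expired(SAMPLE_INDEX, now)
    print(text, end="")
    print("marked expired:", changed)
```

Rows already marked `R` or `E` are never rewritten, so running the pass repeatedly is safe; write the result to a temporary file and rename it over index.txt so the CA never reads a half-written database.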
RE: creating shared libs on hp-ux 11
Madhu,

I originally ran the config script as ./config shared threads -D_REENTRANT. However, I was unable to run anything in the apps directory, so I'm assuming that this was not quite right. I just tried the config options you gave, but -fPIC is an unknown option and is being ignored by the machine I'm building on.

Rob

MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) madhusudan_mathihal [EMAIL PROTECTED]
Sent by: owner-openssl-users@openssl.org
01/23/2002 01:36 PM
Please respond to openssl-users
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: creating shared libs on hp-ux 11

Rob,

What are the last couple of lines of your build output ??.. BTW, what options did you give to the config script ?.. I used ./config -fPIC --openssldir=$DESTDIR shared, and the last couple of lines of my build is something like :

    + rm -f libssl.sl.0
    + rm -f libssl.sl
    + rm -f libssl.sl.0.9.6
    libs='-L/proj/middleware/madhum/src/openssl-0.9.6c -lcrypto'; for i in ssl; do \
    ( set -x; /usr/ccs/bin/ld +vnocompatwarnings \
    -b -z -o lib$i.sl.0.9.6 \
    +h lib$i.sl.0.9.6 \
    -Fl lib$i.a $libs -L/proj/middleware/madhum/src/openssl-0.9.6c -L/usr/local/lib/gcc-lib/hppa1.1-hp-hpux11.00/2.9-hppa-991112 -lgcc -L/proj/middleware/madhum/src/openssl-0.9.6c -lcrypto -lm -ldld -lc ) || exit 1; \
    libs=$libs -L. -l$i; \
    done
    + /usr/ccs/bin/ld +vnocompatwarnings -b -z -o libssl.sl.0.9.6 +h libssl.sl.0.9.6 -Fl libssl.a -L/proj/middleware/madhum/src/openssl-0.9.6c -lcrypto -L/proj/middleware/madhum/src/openssl-0.9.6c -L/usr/local/lib/gcc-lib/hppa1.1-hp-hpux11.00/2.9-hppa-991112 -lgcc -L/proj/middleware/madhum/src/openssl-0.9.6c -lcrypto -lm -ldld -lc
    + ln -f -s libssl.sl.0.9.6 libssl.sl.0
    + ln -f -s libssl.sl.0 libssl.sl
    make[2]: Leaving directory `/tmp_mnt/proj/middleware/madhum/src/openssl-0.9.6c'
    make[1]: Leaving directory `/tmp_mnt/proj/middleware/madhum/src/openssl-0.9.6c'

In the worst case, you can at least use the above ld options :-)..

Thanks
-Madhu

-----Original Message-----
From: Robert Pungello [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 5:51 AM
To: [EMAIL PROTECTED]
Subject: Re: creating shared libs on hp-ux 11

Madhu,

I am indeed building openssl 0.9.6c on hp-ux 11

Rob

L Nehring nehring@newparticles.com
Sent by: owner-openssl-users@openssl.org
01/22/2002 06:33 PM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: creating shared libs on hp-ux 11

Hi Madhu,

I was speaking in general terms for building shared libs on HP-UX. I have some in-depth experience with ANSI C on HP-UX 10.x and 11.0 in a previous life. Personally, I currently use openssl 0.9.6b on Linux Intel and will soon upgrade. I still have a couple clients running HP-UX that I do consulting for, but not using openssl. I'm not sure what version of openssl Rob is using (or which version of his compiler.). He did say he was running on HP-UX 11 though.

-Lance

MATHIHALLI,MADHUSUDAN