Re: Getting OpenSSL with Apache

2002-02-02 Thread Bear Giles

 Cannot load /usr/local/apache_test/libexec/libssl.so into server

Have you verified that the usual symbolic links exist?

/usr/local/apache_test/libexec/libssl.so -> libssl.so.0
/usr/local/apache_test/libexec/libssl.so.0 -> libssl.so.0.9.6

and that the actual file is readable, non-empty, etc.?

 Where does the system search for libssl.so.0.9.6?

Wherever it's told to. :-)  Linux uses ld.so.conf; I don't recall
what Solaris uses for the same purpose.

But the error message suggests that it's looking in the right 
place, but some symbolic links are missing.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Netscape FIPS140-1 cipher compatibility

2002-02-02 Thread Tom Tang

Hi,

   I am having problems getting the mentioned cipher to work with a program
we have at our company.  Does anybody have information as to how to resolve
this issue, or am I missing something in the settings/compilation?
Thanks.

- Tom 

Tom Tang
Array Networks
[EMAIL PROTECTED]
(408) 874-2761 (o)
(408) 874-2753 (f)

  



Re: Getting OpenSSL with Apache

2002-02-02 Thread Bear Giles

Following up on my earlier comments

  Cannot load /usr/local/apache_test/libexec/libssl.so into server

The fact that I missed this at first is proof that programmers 
shouldn't work when still running a fever.  Even a low grade one,
if it's following a 40C monster.

libexec is normally used by the shared libraries used by Apache
modules, not by system libraries.  mod_ssl is a weird beast, but
if you compiled it to use the system SSL library you should probably
make sure that openssl is set up in some system library.

The fastest way to do this may be to forget about Apache entirely
for now - get a simple program like:

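  #include <openssl/crypto.h>

  /* Link with -lcrypto; a clean compile and run shows libcrypto is installed. */
  int main(void)
  {
      /* Allocate and release through OpenSSL so the library must resolve. */
      void *p = OPENSSL_malloc(1024);
      if (p == NULL)
          return 1;
      OPENSSL_free(p);
      return 0;
  }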

to compile and run.  That will assure you that the SSL library
(or at least the -lcrypto part of it) is properly installed.  Once
you know this, you'll know any remaining issues are mod_ssl or
Apache specific.



Re: X509 V3 extension 'Certificate Template'

2002-02-02 Thread Yuan Yuan

hi, 

I followed the steps you gave me. Now I have the certificate with private key. 
Another problem arose. I imported the file to the personal store. When I 
enable the wireless card, WinXP lets me choose the 'user name on certificate', 
but there is no option for my certificate, which was issued with openssl. 

If I use the Windows CA to get the certificate, it works. Is there some 
option I missed? Please give me some ideas!

The difference between the certificates created by Windows and openssl is: 

windows:

the certificate information:
allow data on disk to be encrypted
protect email messages
proves your identity to a remote computer

openssl:
the certificate information:
all application policy.



Is there somewhere I could configure this so that openssl creates exactly the same 
certificate as Windows?

thanks



  Hi Adam,

  Only a certificate with a corresponding private key is meaningful in the
  Personal store. Otherwise, you can't use the cert. for signing. To create
  one, you need to:
  - set up a CA, e.g. use the perl script in the archive
  - make a cert req., e.g. openssl req -new ...
  - get the req signed, e.g. openssl ca ...
  - bundle key + cert to a pkcs12 file, e.g. openssl pkcs12 ...

  Then, you can import it into Windows.

  Rgds.
  Martin

  - Original Message -
  From: Adam [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, February 01, 2002 3:45 AM
  Subject: X509 V3 extension 'Certificate Template'


  
   Hello,
   I have been trying to use OpenSSL (openssl-SNAP-20020129) to
   generate certificates for Windows XP. While I can generate CA and
   certificates which XP will accept in general, I can't generate
   such certificate that it will accept it as 'personal' certificate.
  
   The main complaint from XP seems to be that the certificate
   does not have the 'private key' that correspond to certificate.
  
   However, looking over openssl-users mailing list archives
   it seems that the issue is that M$ has added proprietary
   extension and some magic is required in order to create
   certificate windows XP will  consider personal certificate.
  
   Unfortunately I'm not very familiar with openssl, so I was
   wondering if someone has put out there some HOWTO or FAQ how do
   I create certificate for windows XP which will be accepted as
   'personal' certificate. Does such thing exist?
  
   Adam
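
The four steps Martin lists, followed by a check of the point he and Adam both raise (the bundle must carry the private key that corresponds to the certificate), as an added example that is not part of the original thread. The subjects, file names, password and the minimal ca.cnf are constructed for illustration, and an openssl binary on PATH is assumed.

```shell
# Added example; subjects, file names and the password are constructed.
build_personal_p12() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" && mkdir newcerts && : > index.txt && echo 01 > serial &&
        # Minimal "openssl ca" config (constructed, not the stock openssl.cnf).
        cat > ca.cnf <<'EOF' &&
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
new_certs_dir = newcerts
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
        # 1. Set up a CA (self-signed test root).
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/CN=Demo Test CA" -days 30 &&
        # 2. Make a certificate request; the private key stays in user.key.
        openssl req -new -newkey rsa:2048 -nodes -keyout user.key \
            -out user.csr -subj "/CN=demo-user" &&
        # 3. Get the request signed by the CA.
        openssl ca -batch -notext -config ca.cnf -cert ca.crt -keyfile ca.key \
            -in user.csr -out user.crt &&
        # 4. Bundle key + cert into a PKCS#12 file for import.
        openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
            -name demo-user -passout pass:demo-only -out user.p12
    ) >/dev/null 2>&1 || return 1
    echo "$work"
}

# True only if the bundle holds a private key matching its certificate.
p12_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

`build_personal_p12` prints the scratch directory that holds `user.p12`; `p12_key_matches_cert FILE PASSWORD` returns 0 only when the key and the certificate inside the file belong together, and fails for a certificate-only bundle.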
  



Problem encountered while generating a server private key. Help!!

2002-02-02 Thread Wen Tu

Hi,

I encountered a problem while generating a server private key with
encryption. Below is my configurations:

Solaris 8 7/2001 release
Openssl version 0.9.6c
egd version 0.8
mm version 1.1.3
mod_ssl version 2.8.5
apache version 1.3.22

Command used to generate a server key:

openssl genrsa -des -rand /dev/urandom -out server.key 1024

(I have started egd by running egd.pl /etc/entropy)

Error messages:
Generating RSA private key, 1024 bit long modulus
7955:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
seeded:md_rand.c:501:You need to read the OpenSSL FAQ,
http://www.openssl.org/support/faq.html
7955:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

Please help!! Thanks.

Wen Tu
(510)739-1890 x110




openssl sample programs

2002-02-02 Thread M.Srikanth

hi,
I am a newbie when it comes to using openssl. I need to use it in the development
of one of my applications, but I am not able to make any headway coz I am not
able to find the right resources. Can someone help me with some sample programs,
and also what has to be done before running em?

srikanth




Re: openssl sample programs

2002-02-02 Thread Sankaran Narayanan

i have tried:
http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/
http://www-itg.lbl.gov/~boverhof/openssl_certs.html

and found them quite helpful.

---
Sankaran Narayanan  http://www.cs.columbia.edu/~sankaran

On Sat, 2 Feb 2002, M.Srikanth wrote:

 hi,
   I am a newbie when it comes to using openssl. I need to use it in the development
   of one of my applications, but I am not able to make any headway coz I am not
   able to find the right resources. Can someone help me with some sample programs,
   and also what has to be done before running em?

 srikanth




Re: Getting OpenSSL with Apache

2002-02-02 Thread Keary Suska

on 2/1/02 2:22 PM, [EMAIL PROTECTED] purportedly said:

 Cannot load /usr/local/apache_test/libexec/libssl.so into server
 
 Have you verified that the usual symbolic links exist?
 
 /usr/local/apache_test/libexec/libssl.so -> libssl.so.0
 /usr/local/apache_test/libexec/libssl.so.0 -> libssl.so.0.9.6
 
 and that the actual file is readable, non-empty, etc.?
 
 Where does the system search for libssl.so.0.9.6?
 
 Wherever it's told to. :-)  Linux uses ld.so.conf; I don't recall
 what Solaris uses for the same purpose.
 
 But the error message suggests that it's looking in the right
 place, but some symbolic links are missing.

Actually, this is a confusing issue with mod_ssl. Mod_ssl creates its own
DSO for Apache, which it happens to call libssl.so. This is not the same as,
nor has any relation to (besides possibly loading), the openssl shared library
by the same name.

If the mod_ssl dso exists in the required location, there was a problem with
the compile, and there should be more log entries describing why it can't be
loaded.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet




Re: mod_ssl + OpenSSL + Apache

2002-02-02 Thread Keary Suska

on 2/1/02 11:23 PM, [EMAIL PROTECTED] purportedly said:

 I recently have compiled Apache 1.3.22 with PHP 4.1.1, mod_ssl-2.8.5-1.3.22,
 mm-1.1.3, and OpenSSL 0.9.6c.  The server starts fine with startssl, and
 I believe the httpd.conf has been set up correctly, but if I try to
 pull up a https://domain that is hosted on the box, I receive the
 following error:
 
 [Sat Feb  2 01:05:37 2002] [error] mod_ssl: SSL handshake interrupted by
 system [Hint: Stop button pressed in browser?!] (System and OpenSSL
 library errors follow)
 [Sat Feb  2 01:05:37 2002] [error] System: Connection reset by peer
 (errno: 54)
 [Sat Feb  2 01:05:37 2002] [error] OpenSSL: error:0200100D:system
 library:fopen:Permission denied
 [Sat Feb  2 01:05:37 2002] [error] OpenSSL: error:20074002:BIO
 routines:FILE_CTRL:system lib
 [Sat Feb  2 01:05:37 2002] [error] OpenSSL: error:0B06F002:x509
 certificate routines:X509_load_cert_file:system lib
 
 Has anyone else ever seen this before? Or have ideas of what to try to
 resolve this?

In my experience this problem is most likely because SSL session caching is
not enabled or configured properly. Some browsers, most notably IE, require
caching enabled on the server. Another issue could be the unclean shutdown
habit of certain IE (again) versions. Normally, there are Apache directives
to get around this.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet




incomplete configuration for shared libs for sparc and s390

2002-02-02 Thread Phil Howard

While diagnosing why the compilation of openssl-0.9.6c blew up on
a linux-sparcv8 platform, I found that in the Configure script,
some linux platforms simply don't have any table data for shared
libraries at all.  I'm curious why.  Is it that no one has simply
ever completed a porting or testing of shared libraries on these
various Linux platforms?

Is this something I can supply patches for to developers?  Or is
this data compiled into this form (in the %table array in Configure)
from somewhere else?

I'm also curious why the RC4_CHAR setting for sparc.  Is that due to
alignment limitations?


The Configure %table data (formatted by make TABLE) shows for the
linux-sparcv8 platform:

*** linux-sparcv8
$cc   = gcc
$cflags   = -mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W
$unistd   =
$thread_cflag = -D_REENTRANT
$lflags   =
$bn_ops   = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
$bn_obj   = asm/sparcv8.o
$des_obj  =
$bf_obj   =
$md5_obj  =
$sha1_obj =
$cast_obj =
$rc4_obj  =
$rmd160_obj   =
$rc5_obj  =
$dso_scheme   =
$shared_target=
$shared_cflag =
$shared_extension =
$ranlib   =

For comparison, here is linux-elf:

*** linux-elf
$cc   = gcc
$cflags   = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall
$unistd   =
$thread_cflag = -D_REENTRANT
$lflags   = -ldl
$bn_ops   = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
$bn_obj   = asm/bn86-elf.o asm/co86-elf.o
$des_obj  = asm/dx86-elf.o asm/yx86-elf.o
$bf_obj   = asm/bx86-elf.o
$md5_obj  = asm/mx86-elf.o
$sha1_obj = asm/sx86-elf.o
$cast_obj = asm/cx86-elf.o
$rc4_obj  = asm/rx86-elf.o
$rmd160_obj   = asm/rm86-elf.o
$rc5_obj  = asm/r586-elf.o
$dso_scheme   = dlfcn
$shared_target= linux-shared
$shared_cflag = -fPIC
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
$ranlib   =

-- 
-
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| [EMAIL PROTECTED] | Texas, USA | http://phil.ipal.org/ |
-



Re: incomplete configuration for shared libs for sparc and s390

2002-02-02 Thread Richard Levitte - VMS Whacker

From: Phil Howard [EMAIL PROTECTED]

phil-openssl-users While diagnosing why the compilation of
phil-openssl-users openssl-0.9.6c blew up on a linux-sparcv8
phil-openssl-users platform, I found that in the Configure script,
phil-openssl-users some linux platforms simply don't have any table
phil-openssl-users data for shared libraries at all.  I'm curious
phil-openssl-users why.  Is it that no one has simply ever completed
phil-openssl-users a porting or testing of shared libraries on these
phil-openssl-users various Linux platforms?

To answer that last question: yes, or no one has felt safe enough to
make a professional guess.

phil-openssl-users Is this something I can supply patches for to
phil-openssl-users developers?  Or is this data compiled into this
phil-openssl-users form (in the %table array in Configure) from
phil-openssl-users somewhere else?

A patch of the correct %table entry in Configure is what we need.

phil-openssl-users I'm also curious why the RC4_CHAR setting for
phil-openssl-users sparc.  Is that due to alignment limitations?

Possibly, or speed (I dunno, that's inherited from SSLeay).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.