OpenSSL Error: [links] Segmentation fault on Configure
I have a Linux Redhat 6.2 system running apache web server. I'm trying to update my existing ssl implementation with openssl-0.9.6g. Existing config was compiled from source tar. When I type in configure I get:

    Operating system: i586-whatever-linux2
    This system (linux-elf) is not supported. See file INSTALL for details.

I thought this was weird since it is a linux-elf system and this was exactly what I typed in for the previous implementation, which is 0.9.3a. So, I moved on to: ./Configure linux-elf, which gives me the following:

    [root@dns openssl-0.9.6g]# ./Configure linux-elf
    Configuring for linux-elf
    IsWindows=0
    CC            =gcc
    CFLAG         =-fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
    EX_LIBS       =-ldl
    BN_ASM        =asm/bn86-elf.o asm/co86-elf.o
    DES_ENC       =asm/dx86-elf.o asm/yx86-elf.o
    BF_ENC        =asm/bx86-elf.o
    CAST_ENC      =asm/cx86-elf.o
    RC4_ENC       =asm/rx86-elf.o
    RC5_ENC       =asm/r586-elf.o
    MD5_OBJ_ASM   =asm/mx86-elf.o
    SHA1_OBJ_ASM  =asm/sx86-elf.o
    RMD160_OBJ_ASM=asm/rm86-elf.o
    PROCESSOR     =
    RANLIB        =/usr/bin/ranlib
    PERL          =/usr/bin/perl5
    THIRTY_TWO_BIT mode
    DES_PTR used
    DES_RISC1 used
    DES_UNROLL used
    BN_LLONG mode
    RC4_INDEX mode
    RC4_CHUNK is undefined
    Makefile = Makefile.ssl
    make: *** [links] Segmentation fault (core dumped)
    [root@dns openssl-0.9.6g]#

This also happens when I go back and try to run ./config or ./Configure linux-elf from the original source tar (the one which is now running). I have no idea what to do from here. Could someone please give me some suggestions on what may be causing this, and what to do about it? Thanks.
-ron
--
Ron Parker
Software Creations http://www.scbbs.com
Self-Administration Web Site http://saw.scbbs.com
Civil War Online Library http://civilwar.scbbs.com
VSB Interest Group http://vsb.scbbs.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Name Constraints
Hi all. I have a problem with a certificate chain and a server certificate, I need help. The certificate chain is formed by the Root CA Certificate and the Subordinate CA Certificate shown below. The server certificate is the last certificate. I have configured apache with modssl and when I try to access https://imladris.dif.um.es I get the following error:

    Apache/1.3.19 (Unix) ApacheJServ/1.1.2 mod_ssl/2.8.3 OpenSSL/0.9.6g configured -- resuming normal operations
    [Thu Sep 19 10:13:14 2002] [error] mod_ssl: SSL handshake failed (server imladris.dif.um.es:443, client 2001:720:1710:f00::2) (OpenSSL library error follows)
    [Thu Sep 19 10:13:14 2002] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

Obviously it's a mistake: the server certificate's subject is the same as the server name (in the httpd.conf file) and it's not a CA. I think the problem is in the path validation, in the NameConstraints extension (2.5.29.30), but I'm not sure. I don't know if openssl supports this extension and if it's well configured. Any idea? Thanks, Gabi.
** Root CA Certificate **

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
            Validity
                Not Before: Sep 16 22:00:00 2002 GMT
                Not After : Sep 16 22:00:00 2004 GMT
            Subject: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:aa:e5:b5:5b:0a:f4:ef:79:2a:4d:8e:84:e1:ce:
                        43:59:81:2d:b6:53:8c:97:77:4f:db:07:08:69:b0:
                        68:ea:1d:cd:fe:c2:a4:a2:08:ec:ce:ed:b4:13:91:
                        dc:da:bf:27:41:ef:f1:f3:3b:96:36:97:2f:9c:f3:
                        48:21:b3:a0:34:0d:8a:e8:04:cf:d5:c2:06:dd:cf:
                        5d:ea:7c:d5:9e:ab:92:65:7a:e1:32:ee:73:f4:4f:
                        99:be:18:5c:a0:84:5c:b0:09:f0:8a:68:61:1a:94:
                        ec:c5:95:9b:10:c4:0b:4b:e9:e0:2f:48:7b:2b:23:
                        56:02:56:a7:2c:16:c4:2f:0d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                Netscape Cert Type:
                    SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
        Signature Algorithm: md5WithRSAEncryption

*** Subordinate CA Certificate ***

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 28 (0x1c)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
            Validity
                Not Before: Sep 17 11:25:36 2002 GMT
                Not After : Sep 17 11:25:36 2003 GMT
            Subject: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)
                    Modulus (512 bit):
                        00:b5:e5:36:3f:7a:29:a0:da:3a:67:60:4f:ed:52:
                        81:09:26:21:4d:a7:14:77:54:56:be:87:1d:5a:62:
                        26:89:aa:f4:00:19:e6:c5:d8:c0:68:71:0f:2b:b5:
                        7b:54:25:7f:98:2e:75:e6:65:76:b4:9f:39:99:2e:
                        56:19:b6:5e:27
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                2.5.29.30: critical
                    0...0...umu-euro6ix dd
                X509v3 Basic Constraints: critical
                    CA:TRUE
                Netscape Cert Type:
                    SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
        Signature Algorithm: md5WithRSAEncryption

*** Server Certificate (ServerName=imladris.dif.um.es) **

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 15 (0xf)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
            Validity
                Not Before: Sep 17 15:55:07 2002 GMT
                Not After : Sep 17 15:55:07 2003 GMT
            Subject: C=ES, O=umu, OU=umu dd, CN=imladris.dif.um.es
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)
                    Modulus (512 bit):
                        00:b6:85:42:e5:32:6f:30:5f:69:8f:c1:93:ca:a6:
                        19:3a:67:b7:c0:d2:12:e0:7d:c2:75:0f:4e:00:30:
                        16:4f:39:fb:9a:49:5d:db:18:bb:20:b4:6b:67:df:
                        ca:96:2f:18:1e:95:b9:56:9b:19:72:9a:2a:78:b7:
                        09:d9:0f:15:37
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
RE: apache with client certificates
Hi, I'm new in the apache/openssl world and I have a question (maybe it's me, but I don't understand something about client certificate authentication in Apache). I have Apache 2.40 with openssl 0.9.6g running on my win32 machine without a problem. I want to establish an extranet and let users authenticate with client certificates. I set up my config files (httpd.conf, ssl.conf) to do this and it is working fine. Here is my problem: if I trust (for example) Verisign (putting their certificate in the SSLCACertificate file) and filter the certificates I accept with some config lines like

    #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

how can I be sure that I'm letting in ONLY my extranet users and not anybody else with a certificate signed by Verisign whose DN matches my filter? Is there any way to tell Apache to accept only certain certificates (not necessarily signed by the same CA)? Maybe a file with the certificates concatenated? My original intention was to tell my extranet users to request a certificate on their own (with the CA they like the most), and then use those certificates to let them in. Thanks in advance.

Gaston Christen
Internet Technology
Siemens Itron Business Services

-----Original Message-----
From: Patrick Tronnier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 19 September 2002 01:16
To: '[EMAIL PROTECTED]'
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates

In general, when a client certificate is presented to the server, the server will attempt to validate the client certificate. In addition to checking validity dates (i.e. make sure the certificate is not expired), Certificate Revocation Lists (i.e. make sure the certificate is not revoked), and Key Usage extensions (i.e. make sure the certificate can be used for client authentication), the server will check the digital signature on each certificate in the chain (i.e. root, intermediate, and end user).

To check digital signatures, the server will first check in your SSLCACertificateFile to see if you have the root/intermediate/issuing Certification Authority certificates. If you do not have these certificates, the server will attempt to build the certificate chain from information listed in either the Authority Information Access or Authority/Subject Key Identifier extensions which are part of most certificates. Once the certificate chain is built the public key of each certificate is used to verify each child's certificate.

So to answer your question "Does it compare who signed the client certificate with the CA it has in SSLCACertificateFile?" Yes. And if who signed the client certificate is NOT in the SSLCACertificateFile the server will attempt to download the signing certificate.

Hope this helps.

Sincerely,
Patrick Tronnier
Principal Security Architect
Open Access Technology International Inc.
www.oaticerts.com

-----Original Message-----
From: Jose Correia (J) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 8:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates

Actually, how does Apache know about the client certificate that the client has got?? Does it compare who signed the client certificate with the CA it has in SSLCACertificateFile? Thanks anyone.

Regards
Jose

-----Original Message-----
From: Jose Correia (J)
Sent: 18 September 2002 14:52
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates

Hi all, I'm actually now getting in ssl_engine.log:

    [18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Any ideas? I don't understand how it can say "No CAs known to server for verification" (although only a hint) if I am specifying:

    SSLCACertificateFile /jose/CA2/demoCA/cacert.pem

in my httpd.conf... Thanks, Jose

-----Original Message-----
From: Jose Correia (J)
Sent: 18 September 2002 08:30
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates

Hi there, I set the depth to 1 and I do have my cache set to:

    SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache/logs/ssl_mutex

Still not working... Argghhh, this is so frustrating... any other ideas?

> Did you put your CA into the local .keystore or in C:\Program Files\JavaSoft\JRE\1.3.1\lib\security\cacerts??

On my Java
problem after upgrading openssl
After I upgraded to openssl-0.9.6g (also openssl-engine) on my RedHat 7.3, I got several problems.

(1) qmail-pop3d cannot authenticate my username and password
(2) openssh (sshd) 3.4p1 also cannot authenticate my username and password, not the root account

Do I need to recompile ALL applications? I tried with openssh: I removed ssh* in /usr/local/etc/, /usr/local/sbin, /usr/local/bin, recompiled, and ran make install again. But still the problem exists. Then I read a workaround that I must build openssh --with-pam, and I did that. It works! But why? Why do I need to use 'pam' after upgrading? Should I recompile all applications with 'pam'? This will be a problem if my application does not support 'pam'. 'checkpassword' for qmail-pop3d does not support pam, if I am not mistaken. Or maybe my upgrade process was wrong? (see below) Please help me.

Thanks, kapot

I followed this when I upgraded my openssl:

Upgrading OPENSSL on RedHat 7.3 (Simple Guide)
==============================================

* Download latest openssl AND openssl-engine from: http://www.openssl.org -OR- http://openssl.planetmirror.com
* Copy all *.tar.gz to /tmp
* Building openssl-0.9.6g

    cd /tmp
    tar -zxvf openssl-0.9.6g.tar.gz
    cd openssl-0.9.6g
    ./config shared
    make
    make test
    make install

* Building openssl-engine-0.9.6g

    cd /tmp
    tar -zxvf openssl-engine-0.9.6g.tar.gz
    cd openssl-engine-0.9.6g
    ./config shared
    make
    make test
    make install

* Remove old openssl rpm

    rpm --erase --nodeps openssl

* Link new files

    cd /usr/lib
    rm libcrypto.so
    rm libcrypto.so.1
    rm libcrypto.so.2
    rm libssl.so
    rm libssl.so.1
    rm libssl.so.2
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so.1
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so.2
    ln -s /usr/local/ssl/lib/libssl.so libssl.so
    ln -s /usr/local/ssl/lib/libssl.so libssl.so.1
    ln -s /usr/local/ssl/lib/libssl.so libssl.so.2
    ln -s /usr/local/ssl/include/ /usr/include/ssl
    cd /usr/include
    rm -rf openssl
    ln -s /usr/local/ssl/include/openssl openssl

* Rerun ldconfig

    cd /etc
    rm ld.so.cache
    vi ld.so.conf
      - add /usr/local/ssl/lib
      - add /usr/local/lib   (optional)
    ldconfig

* Done

Thanks to David T
onhofer, m-plify S.A. [EMAIL PROTECTED]
Re: Problems compiling apache 2.0.40 with openssl-0.9.6g
I need to build apache w/ssl on a separate box from the server. It would *seem* to me to be better to link the web server against static ssl libraries than shared ones, for two reasons:

1. it's easier to distribute (fewer dependencies)
2. it *feels* safer - the ssl .so can't be modified underneath Apache

When I built it with 0.9.6d in August I don't remember having to move the libraries. Regardless, now after building it with 0.9.6g the only way it works is linking with *shared* ssl libraries.

David Tonhofer, m-plify S.A. wrote:
> Uh... actually OpenSSL compiles w/o 'shared' by design but... don't you rather want to say that it worked when you did './config shared' instead of the reverse?
>
> --On Tuesday, September 17, 2002 10:07 AM -0600 A Keane [EMAIL PROTECTED] wrote:
>> I figured out it was because openssl was compiled with 'shared'; plain './config' worked. Is there an error in the pcre make or is that on purpose?
>> Thanks- Ann
>>
>> On Tue, 17 Sep 2002, David Tonhofer, m-plify S.A. wrote:
>>> Have you got an answer already? If not, I will answer ;-)

--
.tom
Creating a COM object to use openssl
Hi, I've been working on making a COM object that uses OpenSSL to sign some data that I'm using for a form of software licensing. I have code that works fine as an executable on Windows, but when I try to make a COM object, I can't seem to load the private key from a string. I'm not sure if I'm doing something wrong or not. Here's the code I have to load the private RSA key from a string. After this has been run, key is NULL, so it didn't succeed in loading the key from the given string.

    STDMETHODIMP CLicence::GenerateLicence(BSTR licenceData, BSTR keyString,
                                           BSTR passphrase, BSTR *licence)
    {
        AFX_MANAGE_STATE(AfxGetStaticModuleState())
        EVP_MD *md = EVP_sha1();
        EVP_add_cipher( EVP_des_ede3_cbc() );
        EVP_PKEY *key = NULL;
        BIO *bio = BIO_new_mem_buf( (char *) keyString, -1 );
        /* the API takes EVP_PKEY ** and also returns the key */
        PEM_read_bio_PrivateKey(bio, &key, NULL, (char *) passphrase );
        BIO_free( bio );
        ...

I'm trying to access this object from an ASP page. The specific error from openssl is

    error:0906D06C:PEM routines:PEM_read_bio:no start line

Does anyone have any ideas on what might cause this? Thanks,

--
Tim Coleman [EMAIL PROTECTED]
Web Developer, Open Text Corporation Global Services
Tel: 519 888 7111 ext. 2619 Fax: 519 888 6737
RE: apache with client certificates
Thanks Paul, I'm busy looking at PureTLS as a solution.

-----Original Message-----
From: Paul L. Allen [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 19:53
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates

Jose Correia (J) wrote:
> [...]
> On my Java side I'm using JSSE 1.0.3 together with Innovation's HTTPClient like:

That's probably your problem. I tried to get a Java/JSSE client to do client-side authentication with a C/OpenSSL server recently and couldn't get it to work. I posted a query here and on our local Java newsgroup and got zero responses from anybody who had client-side authentication working with a JSSE client talking to any sort of OpenSSL-based server.

Eric Rescorla suggested that I look at the PureTLS package that he wrote under contract for Claymore Systems. I did, and it works. A Google search will point you to PureTLS. It doesn't compile under JDK 1.4, but you can build it under 1.3 and then use it with other code built with 1.4. That's what we did, and we're now busy solving the customer's problem rather than trying to make our code work.

> [...]
> --- Jose Correia (J) [EMAIL PROTECTED] wrote:
> Hi all
> Is anyone aware of Apache version 1.3.20 having problems with client authentication??
> [...]

Apache is not likely the problem, unless there's a configuration error. You can verify this by watching a connection attempt with ssldump. If you see Apache requesting a client cert, but the client doesn't send one, the problem is likely with the client.

Good luck!

Paul Allen
--
Boeing Phantom Works \ Paul L. Allen, (425) 865-3297
Math  Computing Technology \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group
Re: Problems compiling apache 2.0.40 with openssl-0.9.6g
Well, IMHO shared libs are better because (...as long as the API for OpenSSL does not change, which it should not...)

1) Executables using them are smaller (instead of x Megs, one has x Ks)
2) You can replace the shared libs (i.e. upgrade) without recompiling and (generally) without ill effects, as long as you tell the runtime loader where the shared libs are found (keyword ldconfig; one should not use LD_LIBRARY_PATH if possible)

You are right that in case of static linking, you can replace the libs without effect at all - but that is exactly what one does NOT want in case of an upgrade - one wants to take some profit out of the upgrade w/o having to recompile everything (like in the 70s).

Go for shared except in case of special apps (e.g. tripwire IDS).

Best regards,
--
David Tonhofer

--On Thursday, September 19, 2002 9:04 AM -0400 Thomas Gagne [EMAIL PROTECTED] wrote:
> I need to build apache w/ssl on a separate box from the server. It would *seem* to me to be better to link the web server against static ssl libraries than shared ones, for two reasons:
>
> 1. it's easier to distribute (fewer dependencies)
> 2. it *feels* safer - the ssl .so can't be modified underneath Apache
>
> When I built it with 0.9.6d in August I don't remember having to move the libraries. Regardless, now after building it with 0.9.6g the only way it works is linking with *shared* ssl libraries.
Re: Creating a COM object to use openssl
keyString contains

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,2D1A4A3700D0F3ED

    RAn7K9q2wwlz2vbwA9v+2I0RS/vxrwo4ldXGzWxlhGDk/yPmCZYonwo5J6WknkGa
    4Th4bfSzXyOx1DJnxWDC81WQI9U59hoQZaNWQ/uvv2I691hYyV9hGe4j16nxdA6H
    s/CUXXVjwBfXGBRS+tOtXk6v/Ze/n5Wp5CvUb+R210EWguSqo+zYLDxk7B3ILEb7
    LuOTFsOfz8Fr4GUM0z2JsO5krUMw+4+5XcnUahxecxy+LfSM+uO9nN71/MRKgo8G
    6nnwrlCKT3L18XTnXPaXKBZwcHd6jX2jY+RFDhZd17LvH3JI4ZqUQJelLCFLBacd
    jyTgiZYbI6vuUq6vEoSEwrxV1iJ6z2UafnonSbcectgzyHCEkA/c52Z/8CSusp9p
    R+uyglijjfFkz0VFE4Da1XNH9Iu4Rvoz8e8ksRYTc7X7GoCfC12YVEERQlkbsPr3
    qFreIJFk8o/WJn3/jLVQET6BtwFscRzb+l5iDaHWoAjuPsZIyifybBOL2yy2hwJI
    WXcpe2jSWv3r6PmHdom9JaQsjg6yObt91LZKeryek25pEs44z71MzNsLkKgnD+Fz
    hEsHHUhCkqOGpG0yg0OfDQRr10TdOSI3W7DSM9i6oIAq4XATGqsoM1b8dFCJlZ4J
    mZDOh+IMPlhhS9fnN5MnZWyP6H5d7b1kcH3AL43xzSowXrWetBYOtamqwooAT9Ia
    ckvum/4x9IrRqxHgHnht9ZT4bjBr9HZMmw9ZPwo6AzWyiZWPmNWvw+grELNINFkv
    uAqLG/rdVLFPuiNxJtO5UtuyOjfUorsAK1bjoA5OXUkwlH2Omnnnag==
    -----END RSA PRIVATE KEY-----

It's just a temporary RSA key that I created for development. The passphrase is hello. The ASP page loads the key from a file and sends it to the COM object. When the error occurred, I tried outputting the keyString back to the ASP in the *licence variable, and the ASP did receive a correct looking string.

Steven Reddie wrote:
> What's in keyString? The error message indicates that the banner (-----BEGIN PRIVATE KEY-----) is missing.
>
> Steven
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Coleman
> Sent: Thursday, 19 September 2002 11:49 PM
> To: [EMAIL PROTECTED]
> Subject: Creating a COM object to use openssl
>
> [...]
Re: Creating a COM object to use openssl
Hi Tim, I think the problem is that you are casting a BSTR to a char*; you need to use a conversion routine, e.g. something like:

    void somefunc(BSTR bstrText)
    {
        // copy the BSTR: with fCopy == false the wrapper would take
        // ownership of the caller's BSTR and free it on destruction
        _bstr_t _bstrText(bstrText, true);
        char* lpszText = (char*)_bstrText;
        ...

Cheers, Mark

----- Original Message -----
From: Tim Coleman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 19, 2002 2:48 PM
Subject: Creating a COM object to use openssl

> [...]
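Mark's diagnosis can be checked mechanically. The program below is an added example in Go (standard library only; it is not code from this thread or from OpenSSL): it models the COM BSTR as UTF-16LE bytes, shows what a `(char *)` view of it measured by `strlen` actually contains (a single "-", so the PEM reader never sees a "-----BEGIN" start line), and ends with a loader that narrows a wide buffer before handing it to the PEM decoder. The PEM text and its base64 body are constructed placeholders, not a key. One further check on the posted fragment, independent of the string encoding: `PEM_read_bio_PrivateKey` takes an `EVP_PKEY **` as its second argument and also returns the key, so the caller has to pass `&key` or keep the return value, otherwise `key` stays NULL even once the buffer is right.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"unicode/utf16"
)

// samplePEM is a constructed placeholder in PEM layout; the body is not key material.
const samplePEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----\n"

// bstrBytes models the memory layout of a COM BSTR: UTF-16LE code units.
func bstrBytes(s string) []byte {
	units := utf16.Encode([]rune(s))
	buf := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	return buf
}

// asCString models `(char *) keyString` followed by BIO_new_mem_buf(..., -1),
// which sizes the buffer with strlen and therefore stops at the first zero byte.
func asCString(buf []byte) []byte {
	if i := bytes.IndexByte(buf, 0); i >= 0 {
		return buf[:i]
	}
	return buf
}

// narrow converts UTF-16LE bytes to a byte string, the job a _bstr_t
// conversion (or WideCharToMultiByte) does before calling a C API.
func narrow(buf []byte) ([]byte, error) {
	if len(buf)%2 != 0 {
		return nil, errors.New("odd length: not UTF-16")
	}
	units := make([]uint16, len(buf)/2)
	for i := range units {
		units[i] = binary.LittleEndian.Uint16(buf[2*i:])
	}
	return []byte(string(utf16.Decode(units))), nil
}

// looksWide is a defensive check: ASCII text stored as UTF-16LE has a zero
// byte in every odd position.
func looksWide(buf []byte) bool {
	if len(buf) < 2 || len(buf)%2 != 0 {
		return false
	}
	for i := 1; i < len(buf); i += 2 {
		if buf[i] != 0 {
			return false
		}
	}
	return true
}

// pemBlockType mirrors PEM_read_bio's search for a "-----BEGIN ...-----"
// line; "" corresponds to OpenSSL's "no start line".
func pemBlockType(buf []byte) string {
	blk, _ := pem.Decode(buf)
	if blk == nil {
		return ""
	}
	return blk.Type
}

// loadPEM is the hardened loader: narrow a wide buffer before PEM decoding.
func loadPEM(buf []byte) (string, error) {
	if looksWide(buf) {
		var err error
		if buf, err = narrow(buf); err != nil {
			return "", err
		}
	}
	t := pemBlockType(buf)
	if t == "" {
		return "", errors.New("no start line")
	}
	return t, nil
}

func main() {
	wide := bstrBytes(samplePEM)
	fmt.Printf("strlen view of the BSTR: %q -> block type %q\n", asCString(wide), pemBlockType(asCString(wide)))
	t, err := loadPEM(wide)
	fmt.Println("narrowed first:", t, err)
}
```

The first line of output shows that the `strlen`-bounded view of the wide buffer is just "-", which is exactly what the PEM reader sees in the posted code; the second shows the narrowed buffer decoding to an RSA PRIVATE KEY block. The same check applies to any string crossing a COM or .NET boundary into a byte-oriented C API.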
Re: Creating a COM object to use openssl
Thank you! I'm still pretty new to COM development, so I didn't appreciate this nuance. See, I thought the conversion worked, because when I returned the string, the ASP could output it just fine. Anyway, that part seems to work now. Again, thanks.

Mark Harvey wrote:
> [...]
Any news on 0.9.7?
Hi, Has anybody heard when the 0.9.7 baselevel might be released? I am currently at 0.9.6B (with the Security patches), and know that I have to upgrade. I would like to go directly to 0.9.7, but will stop at 0.9.6G if 0.9.7 looks to be months away.

Thanks,
Kevin Greaney.
Re: problem after upgrading openssl
Oula la!

--On Thursday, September 19, 2002 5:55 AM -0700 Admin-Stress [EMAIL PROTECTED] wrote:

> After I upgraded to openssl-0.9.6g (also openssl-engine) on my RedHat 7.3, I got several problems.
> (1) qmail-pop3d cannot authenticate my username and password
> (2) openssh (sshd) 3.4p1 also cannot authenticate my username and password, not the root account
> Do I need to recompile ALL applications?

No...

> I tried with openssh: I removed ssh* in /usr/local/etc/, /usr/local/sbin, /usr/local/bin, recompiled, and ran make install again. But still the problem exists. Then I read a workaround that I must build openssh --with-pam, and I did that. It works! But why? Why do I need to use 'pam' after upgrading? Should I recompile all applications with 'pam'?

Just means that OpenSSH checks logins with the 'pam' (pluggable authentication modules) mechanism. This is the default on RH. Compiling OpenSSH --with-pam affects NOTHING else than the resulting OpenSSH.

> This will be a problem if my application does not support 'pam'.

No. Then your application will read /etc/password directly or whatever.

> 'checkpassword' for qmail-pop3d does not support pam, if I am not mistaken.

Possibly not. But the correct phrasing is 'does not use pam'.

> Or maybe my upgrade process was wrong? (see below) Please help me.

Any additional error messages? Log file data?

> Thanks, kapot
>
> I followed this when I upgraded my openssl:
> [...]
RE: Upgrading OPENSSL on RedHat 7.3 (Simple Guide)
But John... it will break them *how*? What are the error messages? I mean, it *really* works for me. The OpenSSL site being down, I take the liberty to quote the FAQ for 0.9.7:

> What is special about OpenSSL on Redhat?
>
> Red Hat Linux (release 7.0 and later) include a preinstalled limited version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2 is disabled in this version. The same may apply to other Linux distributions. Users may therefore wish to install more or all of the features left out.
>
> No problem. To do this you MUST ensure that you do not overwrite the openssl that is in /usr/bin on your Red Hat machine. Several packages depend on this file, including sendmail and ssh. /usr/local/bin is a good alternative choice. The libraries that come with Red Hat 7.0 onwards have different names and so are not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and /lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and /lib/libcrypto.so.2 respectively).

So one is good for RH 7.0? Anyway I KNOW I did the thing on our old office box running RH 7.0. Not a peep from the rest of the system. YMMW...

> Please note that we have been advised by Red Hat attempting to recompile the openssl rpm with all the cryptography enabled will not work.

Right. So we don't use the package, no?

> All other packages depend on the original Red Hat supplied openssl package.

Whatever that means.

> It is also worth noting that due to the way Red Hat supplies its packages, updates to openssl on each distribution never change the package version, only the build number. For example, on Red Hat 7.1, the latest openssl package has version number 0.9.6 and build number 9 even though it contains all the relevant updates in packages up to and including 0.9.6b. A possible way around this is to persuade Red Hat to produce a non-US version of Red Hat Linux.
>
> FYI: Patent numbers and expiry dates of US patents:
> MDC-2: 4,908,861 13/03/2007
> IDEA: 5,214,703 25/05/2010
> RC5: 5,724,428 03/03/2015

So I see some allusions that might or might not happen, nothing really concrete. And so long as the GNU loader works the same way under RH than anywhere else... the only thing that can happen is that rpm complains on the next update...

Best regards,
--
David

--On Thursday, September 19, 2002 12:43 PM +0100 [EMAIL PROTECTED] wrote:
> Your biggest error is that removing the openssl package on Red Hat 7.3 will break the openssh, sendmail, and automount packages. It will also break nearly all the email packages on the system, with the exception of elm. Creating symlinks to the newer version doesn't work. I know, I've tried it. It is possible to compile a newer version of openssl on the same system without breaking your currently installed packages. See the openssl FAQ for details: http://www.openssl.org/support/faq.cgi#BUILD8
>
> - John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
> Reality TV - the ultimate oxymoron
Re: Any news on 0.9.7?
On Thu, Sep 19, 2002 at 01:29:59PM -0400, Greaney, Kevin wrote:
> Has anybody heard when the 0.9.7 baselevel might be released? I am currently at 0.9.6B (with the Security patches), and know that I have to upgrade. I would like to go directly to 0.9.7, but will stop at 0.9.6G if 0.9.7 looks to be months away.

I don't know when 0.9.7 will be out. The OpenSSL team is currently running very slowly for several reasons. Some members are on vacation; I personally am going to move to another apartment in the next days and am currently spending all free time available with painting etc. I manage to maintain the request tracker but won't be able to do substantial work for the next 3-4 weeks. As you may notice, the number of unsolved issues collected in the request tracker is increasing slowly and with each ticket 0.9.7 seems to become more difficult to reach. There will be a beta4 release for which I don't want to predict a schedule, then beta5 or release. But I wouldn't expect the final release to be available before November.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
certificate verification
Hi, Using OpenSSL, I would like to verify a certificate's validity. My environment is Visual C++, OpenSSL 0.9.6g. I need to verify:

- cert integrity
- cert date validity
- CRL (delta CRL, OCSP optional)
- chain validity

OpenSSL seems to be able to realize this with the 'verify' option. According to http://www.openssl.org/docs/apps/verify.html#, I understand that CRL verification is not already implemented. I believe integrity and validity are not an issue. What about CRL and chain validity? Does someone know any entry point functions to use to do so?

thx
Damien
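Two threads on this page concern the same mechanism: Gabi's chain, where a subordinate CA carries a critical NameConstraints extension (2.5.29.30) that the 0.9.6g `x509 -text` output above could only print as an OID with raw bytes, and Damien's question about what chain validation actually covers. The program below is an added example in Go using only its standard library (crypto/x509, not OpenSSL; it is not code from the list). It constructs a root, a subordinate CA whose name constraint permits only dNSNames at or below `dif.um.es` (an assumed value standing in for the constraint in Gabi's dump, whose exact type the dump does not reveal), and two server certificates, then runs path validation: the name inside the permitted subtree verifies, the one outside it is rejected with `CANotAuthorizedForThisName`, and signatures, validity dates and basic constraints are checked along the way. Two caveats a practitioner will want: the host name is placed in a subjectAltName dNSName because that, not the subject CN, is what this validator matches against; and, like the `verify` command Damien links to, this validation does not consult CRLs or OCSP, so revocation needs a separate check against the issuer's CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed hierarchy: root -> name-constrained sub CA -> server certs.
type demoPKI struct {
	root, sub *x509.Certificate
	subKey    *ecdsa.PrivateKey
}

// newTemplate returns a certificate skeleton valid for the next 24 hours.
func newTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"ES"}, Organization: []string{"umu"}, CommonName: cn},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         ca, BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// sign issues t under parent (self-signed when parent is nil) with a fresh P-256 key.
func sign(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(der)
	return c, key, err
}

// buildDemoPKI makes a root and a sub CA whose critical NameConstraints (2.5.29.30) permits only dNSNames under permittedDomain.
func buildDemoPKI(permittedDomain string) (*demoPKI, error) {
	root, rootKey, err := sign(newTemplate(1, "demo root", true), nil, nil)
	if err != nil {
		return nil, err
	}
	subT := newTemplate(2, "demo sub", true)
	subT.PermittedDNSDomains = []string{permittedDomain}
	subT.PermittedDNSDomainsCritical = true
	sub, subKey, err := sign(subT, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{root: root, sub: sub, subKey: subKey}, nil
}

// issueLeaf has the sub CA sign a server cert for dnsName (as a SAN). Issuance does not apply the constraint; path validation does.
func (p *demoPKI) issueLeaf(serial int64, dnsName string) (*x509.Certificate, error) {
	t := newTemplate(serial, dnsName, false)
	t.DNSNames = []string{dnsName}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _, err := sign(t, p.sub, p.subKey)
	return leaf, err
}

// verifyLeaf runs path validation (signatures, dates, basic and name constraints) plus host-name matching; it does not consult CRLs or OCSP.
func (p *demoPKI) verifyLeaf(leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	p, err := buildDemoPKI("dif.um.es")
	if err != nil {
		panic(err)
	}
	for i, name := range []string{"imladris.dif.um.es", "www.um.es"} {
		leaf, err := p.issueLeaf(int64(10+i), name)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-19s -> %v\n", name, p.verifyLeaf(leaf, name))
	}
}
```

Running it prints a nil error for `imladris.dif.um.es` and the "not authorized to sign for this name" error for `www.um.es`, even though the subordinate CA's signature on both certificates is perfectly valid: the constraint is enforced by the relying party, never by the signer, which is why an issuer that ignores its own constraint still produces certificates clients will reject.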