RE: Compiler Recommendations Solaris 8
I don't understand - the package is a binary so you don't need to compile. It's like RPM on Linux.

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 16:58
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recommendations Solaris 8

That's what I have done, but what version of GCC is recommended?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

You might like to download the package from www.sunfreeware.com - then just use pkgadd and don't bother compiling...

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 15:29
To: '[EMAIL PROTECTED]'
Subject: Compiler Recommendations Solaris 8

Hi, can someone recommend a working compiler build for Solaris 8 to build openssl 9.6g? I am getting a seg fault on make test; when this happened on redhat I was told it was probably the compiler.

Thanks, Matt.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
Re: PRNG not seeded ERROR!!!!
On Thu, 31 Oct 2002, Manoj Kithany wrote:

> I am installing OPENSSL and when running I get the following ERROR - wonder why:
>
> --
> # ./openssl req -new -nodes -keyout private.key -out public.csr
> Using configuration from /usr/local/ssl/openssl.cnf
> unable to load 'random state'
> This means that the random number generator has not been seeded with much random data.
> Generating a 1024 bit RSA private key
> 22664:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
> 22664:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
> #
> --
>
> I am using IBM AIX System. Any information on above...?

Yes, just point your browser to the link given in the error messages: http://www.openssl.org/support/faq.html

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-----
A forum can meet several needs at once. Here, the group of beginners outnumbers the group of middle-class users, which inevitably causes tensions.
-+- EF - Guide du Neuneu d'Usenet - La lutte des middle classes -+-
RE: Compiler Recommendations Solaris 8 (and RedHat 8 too!)
I compiled openssl 9-6g on redhat 7.3 with gcc 2.96 and was told to use 3 or 2.95 (still failing). I am using 2.95 on Solaris and it is failing with the same error as redhat, so I am lost as to what is a recommended GCC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:John.Airey;rnib.org.uk]
Sent: Thursday, October 31, 2002 4:08 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8 (and RedHat 8 too!)

The last post to this list about compiling on RedHat 8 seems strangely relevant too. RedHat 8 comes with gcc 3 only, whereas previous versions came with 2.9x and a choice of using gcc 3. Perhaps it is the case that openssl doesn't compile on gcc 3, and if so, does anyone know how to fix it?

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: 31 October 2002 15:58
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recommendations Solaris 8

That's what I have done, but what version of GCC is recommended?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

You might like to download the package from www.sunfreeware.com - then just use pkgadd and don't bother compiling...

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 15:29
To: '[EMAIL PROTECTED]'
Subject: Compiler Recommendations Solaris 8

Hi, can someone recommend a working compiler build for Solaris 8 to build openssl 9.6g? I am getting a seg fault on make test; when this happened on redhat I was told it was probably the compiler.

Thanks, Matt.
NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk
RE: Compiler Recommendations Solaris 8
I have installed gcc 2.95 package from sun freeware. I am trying to compile openssl-9.6g; it is failing. Could someone recommend a compiler version / package to compile openssl-9.6g?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 4:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

I don't understand - the package is a binary so you don't need to compile. It's like RPM on Linux.

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 16:58
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recommendations Solaris 8

That's what I have done, but what version of GCC is recommended?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

You might like to download the package from www.sunfreeware.com - then just use pkgadd and don't bother compiling...

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 15:29
To: '[EMAIL PROTECTED]'
Subject: Compiler Recommendations Solaris 8

Hi, can someone recommend a working compiler build for Solaris 8 to build openssl 9.6g? I am getting a seg fault on make test; when this happened on redhat I was told it was probably the compiler.

Thanks, Matt.
Re: Rolling a Windows Secure Webserver...
This question is asked a lot. With asynchronous sockets, you need to check the err using SSL_get_error. If the error IS SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE then you need to call SSL_accept again. I would recommend adding the FD back into your select queue based on the read/write status, and call the accept function again based on the socket availability, since you are using asynch sockets.

Oh wait. Asynch sockets on windoze? I forgot the semantics on that platform. You already have a registered window handler or something that can handle the callback. Just maintain the current state of the connection within the ssl context and act accordingly and you probably don't need to mess with the select.

Tim

--- Thomas J. Hruska [EMAIL PROTECTED] wrote:
> At 01:41 PM 10/31/2002 +0800, Pj writeth:
> > Hello OpenSSL experts,
> >
> > I have written a working web server in C (non blocking asynchronous), and wish to incorporate OpenSSL into it. I have used the example openssl-0.9.6g\demos\ssl\serv.cpp to help with the process...
> >
> > My server compiles, links and runs ok (so far so good), but returns an error (err = -1) from the line below and bombs out when I connect via a web browser (https://127.0.0.1:6010/x.htm) (I'm using port 6010 for my tests)
> >
> > err = SSL_accept (ssl); (complete function below)
> >
> > Does anyone know what this might be? The socket passed into SSL is a valid socket just accepted by the accept code... could my certificates be no good?
>
> The first question that runs through my mind is: Why write your own web server when so many other web servers are likely to be more powerful, stable, and versatile than yours? It is a good exercise of one's programming skills, but considering that more powerful tools already exist, I just felt the urge to ask about your motivation for development of yet another web server.
>
> To answer your question: SSL_accept() can fail when using non-blocking sockets. I don't remember the exact error message associated with the fail state, but basically you have to repeat the call to SSL_accept() with the same parameters until it succeeds. During this time, the client selects a certificate to send back (or not) and other handshaking sorts of things take place. Since this process can take a while, SSL_accept(), when using non-blocking sockets, returns so that it does not consume any extra time while waiting for data.
>
> Hope this helps!
>
> Thomas J. Hruska -- [EMAIL PROTECTED]
> Shining Light Productions -- Meeting the needs of fellow programmers
> http://www.shininglightpro.com/
RE: Compiler Recommendations Solaris 8
Sorry - I meant to get the package for openssl! (not for gcc...)

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 17:20
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recommendations Solaris 8

I have installed gcc 2.95 package from sun freeware. I am trying to compile openssl-9.6g; it is failing. Could someone recommend a compiler version / package to compile openssl-9.6g?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 4:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

I don't understand - the package is a binary so you don't need to compile. It's like RPM on Linux.

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 16:58
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recommendations Solaris 8

That's what I have done, but what version of GCC is recommended?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

You might like to download the package from www.sunfreeware.com - then just use pkgadd and don't bother compiling...

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 15:29
To: '[EMAIL PROTECTED]'
Subject: Compiler Recommendations Solaris 8

Hi, can someone recommend a working compiler build for Solaris 8 to build openssl 9.6g? I am getting a seg fault on make test; when this happened on redhat I was told it was probably the compiler.

Thanks, Matt.
Re: PRNG not seeded ERROR!!!!
Hi Mr. Erwann:

THANKS for your reply. I checked the url before I posted my query to this List. I am a bit confused - should I need to install EGD or PRNG? I checked my IBM Server and couldn't find /dev/random? Can you/anyone please help?

THANKS!
Manoj G. Kithany

[EMAIL PROTECTED] 10/31/02 09:31AM

On Thu, 31 Oct 2002, Manoj Kithany wrote:

> I am installing OPENSSL and when running I get the following ERROR - wonder why:
>
> --
> # ./openssl req -new -nodes -keyout private.key -out public.csr
> Using configuration from /usr/local/ssl/openssl.cnf
> unable to load 'random state'
> This means that the random number generator has not been seeded with much random data.
> Generating a 1024 bit RSA private key
> 22664:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
> 22664:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
> #
> --
>
> I am using IBM AIX System. Any information on above...?

Yes, just point your browser to the link given in the error messages: http://www.openssl.org/support/faq.html

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-----
A forum can meet several needs at once. Here, the group of beginners outnumbers the group of middle-class users, which inevitably causes tensions.
-+- EF - Guide du Neuneu d'Usenet - La lutte des middle classes -+-
RE: Compiler Recommendations Solaris 8
The package I got from openssl did not include shared libraries - hence why I am keen to compile it myself. Good suggestion though.

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 4:54 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

Sorry - I meant to get the package for openssl! (not for gcc...)

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 17:20
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recommendations Solaris 8

I have installed gcc 2.95 package from sun freeware. I am trying to compile openssl-9.6g; it is failing. Could someone recommend a compiler version / package to compile openssl-9.6g?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 4:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

I don't understand - the package is a binary so you don't need to compile. It's like RPM on Linux.

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 16:58
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recommendations Solaris 8

That's what I have done, but what version of GCC is recommended?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recommendations Solaris 8

You might like to download the package from www.sunfreeware.com - then just use pkgadd and don't bother compiling...

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 15:29
To: '[EMAIL PROTECTED]'
Subject: Compiler Recommendations Solaris 8

Hi, can someone recommend a working compiler build for Solaris 8 to build openssl 9.6g? I am getting a seg fault on make test; when this happened on redhat I was told it was probably the compiler.

Thanks, Matt.
RE: Building 0.9.6g --RH8.0
Attached is the openssl.spec file for Red Hat 8.0, which is what Red Hat uses to build their openssl package, presumably with gcc 3.2. If you can make some sense of it, you'll probably find out how to get openssl to compile.

Ignore the configure options no-idea, no-mdc2 and no-rc5. These are only there because of US patent restrictions.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Inman, David [mailto:David.Inman;siemens.com]
Sent: 31 October 2002 14:37
To: ([EMAIL PROTECTED])
Subject: Building 0.9.6g --RH8.0

I am trying to build openssl-0.9.6g on a RedHat 8.0 system. When I run make test everything passes, but when I run a make install it does not install the binaries into /usr/local/openssl (where I told it with config). I have done this several times on RH7.3 without a problem, so I was wondering if others have had this problem and what the solution might be.

Thanks,
David Inman

openssl.spec Description: Binary data
Re: PRNG not seeded ERROR!!!!
On Thu, 31 Oct 2002, Manoj Kithany wrote:

> THANKS for your reply. I checked the url before I posted my query to this List. I am bit

Sorry if I offended you. You didn't specify in your first post that you checked the URL, and since this question is in the FAQ, that means it is asked a *lot* of times. :)

> confused - should I need to install EGD or PRNG? I checked my IBM Server and couldn't find /dev/random?

No, you don't have a /dev/random device entry. I don't use AIX (only Linux or Solaris), so I can only speculate. Why don't you install prngd and either do:

- set the random pool to the default (something like /var/run/egd-pool), but you'll have to specify the option -rand /var/run/egd-pool or an equivalent to every program using the OpenSSL library
- set the random pool to /dev/random, so everyone will be able to use this random pool
- set the random pool to ~/.rnd, but it will be easily usable only to one particular user, while the others will have to use the -rand ... equivalent
- set the random pool to the default, and set the RANDFILE environment variable so that it points to the good pool

One of these things should work...

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-----
The secret of success is knowing who to blame for your failures.
Demotivators, 2001 calendar
Re: PRNG not seeded ERROR!!!!
Thanks Erwann:

I checked my System and have installed PRNG. I checked it by using:

# ps -ef | grep prng
root 47354 6518 0 14:13:01 - 0:03 /opt/freeware/sbin/prngd -f /dev/egd-pool -m 666
#

But still when I run OPENSSL.command it gives me same error PRNG not seeded - wonder why!

THANKS!

Erwann ABALEA [EMAIL PROTECTED] 10/31/02 11:03AM

On Thu, 31 Oct 2002, Manoj Kithany wrote:

> THANKS for your reply. I checked the url before I posted my query to this List. I am bit

Sorry if I offended you. You didn't specify in your first post that you checked the URL, and since this question is in the FAQ, that means it is asked a *lot* of times. :)

> confused - should I need to install EGD or PRNG? I checked my IBM Server and couldn't find /dev/random?

No, you don't have a /dev/random device entry. I don't use AIX (only Linux or Solaris), so I can only speculate. Why don't you install prngd and either do:

- set the random pool to the default (something like /var/run/egd-pool), but you'll have to specify the option -rand /var/run/egd-pool or an equivalent to every program using the OpenSSL library
- set the random pool to /dev/random, so everyone will be able to use this random pool
- set the random pool to ~/.rnd, but it will be easily usable only to one particular user, while the others will have to use the -rand ... equivalent
- set the random pool to the default, and set the RANDFILE environment variable so that it points to the good pool

One of these things should work...

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-----
The secret of success is knowing who to blame for your failures.
Demotivators, 2001 calendar
Invalid command SSLEngine ?
Hi,

Why does it show "invalid command SSLEngine" when running ./apachectl startssl? How to make it work?

Thank you very much!

Best Regards,
Eric Tan
SSL_read() hang after read http 100 continue headers
Hi,

My program is using the OpenSSL function SSL_read() to read http content. It works fine for most of the headers, but after it receives the HTTP/1.1 100 Continue header (the first block of headers), it will hang there. It should continue to read the headers (which is HTTP/1.1 200 OK...). The following is the header dumping and the code I used. The http equivalent code works fine.

After the first block of headers, it should continually read the 2nd block of headers. Is it because after the first block of header (see the following), the terminators 0d 0a 0d 0a confused SSL_read? Or are the terminators the same as the SSL block terminator? How can I get around it?

This is the first block of headers:

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Wed, 30 Oct 2002 06:34:56 GMT

Can you help me? Thank you.

    while (Retries <= 4)
    {
        len = strlen(buf);
        printf("before SSL_read(), buf len=%d\n", len);
        r = SSL_read(Connect->ssl, buf, 100);
        err = SSL_get_error(Connect->ssl, r);
        printf("r=%d, err=%d\n", r, err);
        if (err == SSL_ERROR_NONE)
            bytes = r;
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ &&
            err == SSL_ERROR_ZERO_RETURN) {
            printf(" SSL_ERROR_ZERO_RETURN\n");
            break;
        }
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ &&
            err == SSL_ERROR_SYSCALL) {
            printf(" SSL_ERROR_SYSCALL\n");
            break;
        }
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ &&
            err != SSL_ERROR_SYSCALL && err != SSL_ERROR_ZERO_RETURN) {
            printf("Reading header, SSL read problem\n");
            break;
        }
        if (bytes < 0 && Control->AGW == 1) {
            printf("read returned -1 (Error %d), returning ...\n", errno);
            break;
        } else if (bytes == 0) {
            Retries++;
        } else if (bytes > 0) {
            buf[bytes] = '\0';
            printf("read %d bytes, buf={%s}\n", bytes, buf);
        }
    }
MD5_Init
Having problems with MD5_Init when attempting to use common messenger programs (i.e.- ymessenger).

error - relocation error: /opt/ymessenger/bin/ymessenger.bin undefined symbol: MD5_Init

Using latest version 0.9.6g. Attempted using config --prefix=/usr and /usr/local. Neither have fixed issue.
to secure a directory
Hello!

Here is my problem: I wrote 2 codes: a server under linux and a client for linux (and windows). The server sends data to a client (which is on another computer denoted by C) and the connection is secured using openssl. The client stores those data in a directory of C but I would like that nobody could access this directory but the administrator of C (the root) can :( . So I thought that I could crypt the files which are in this directory using functions of openssl. But the data which are in the directory have to be used by a code which is in this directory and I want the data to still remain crypted.

So is it possible to do all that?

Thanks a lot for your help!

Karim
RE: PRNG not seeded ERROR!!!!
Install prngd. It's better. You can get the egd package with egc to seed prngd, but you don't need it. You can just cat a bunch of files into the prngd seed file.

David

-----Original Message-----
From: Manoj Kithany [mailto:MKITHANY;utah.gov]
Sent: Thursday, October 31, 2002 11:56 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: PRNG not seeded ERROR

Hi Mr. Erwann:

THANKS for your reply. I checked the url before I posted my query to this List. I am a bit confused - do I need to install EGD or PRNG? I checked my IBM Server and couldn't find /dev/random. Can you/anyone please help? THANKS!

Manoj G. Kithany

[EMAIL PROTECTED] 10/31/02 09:31AM

On Thu, 31 Oct 2002, Manoj Kithany wrote:

I am installing OPENSSL and when running I get the following ERROR - wonder why:

    # ./openssl req -new -nodes -keyout private.key -out public.csr
    Using configuration from /usr/local/ssl/openssl.cnf
    unable to load 'random state'
    This means that the random number generator has not been seeded
    with much random data.
    Generating a 1024 bit RSA private key
    22664:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
    22664:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
    #

I am using IBM AIX System. Any information on above...?

Yes, just point your browser to the link given in the error messages: http://www.openssl.org/support/faq.html

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
Re: SSL_set_fd() harmful when using nonblocking sockets?
I believe I have seen the OS return 0 on a 2nd read even when not at EOF. I'll try to come up with a test case to demonstrate it. (See http://groups.google.com/groups?selm=3DB8738F.2000409%40kegel.com for a related thread.)

- Dan

Noel Burton-Krahn [EMAIL PROTECTED] wrote:

Uh... Dan, read() always returns 0 on EOF, so SSL_read() will always return 0 too (also setting SSL_ERROR_ZERO_RETURN). That's true for the first read on EOF and all reads afterwards. Do you think that read() will return 0 if it's not EOF? If read() would block, it returns -1 and sets errno=EAGAIN. read()==0 always means EOF.

----- Original Message -----
From: Dan Kegel [EMAIL PROTECTED]

With Unix nonblocking sockets, the only way to detect that the connection has shut down is to check for a zero return from read after poll or select says the socket is ready for reading. (Read will cheerfully return zero at any time if you call it again after a fully successful read(), so only the first read() after poll() should be checked. If you don't believe me, try it.)

Given that, let's look at how OpenSSL detects EOF:

    int SSL_get_error(SSL *s, int i)
    {
        ...
        if (i == 0) {
            if (s->version == SSL2_VERSION) {
                /* assume it is the socket being closed */
                return(SSL_ERROR_ZERO_RETURN);
            } else {
                if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
                    (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
                    return(SSL_ERROR_ZERO_RETURN);
            }
        }
        return(SSL_ERROR_SYSCALL);
    }

Hrmf. Looks like SSL_get_error will return SSL_ERROR_ZERO_RETURN or SSL_ERROR_SYSCALL on any zero read. When using SSLV3 or TLS, OpenSSL seems to have a case where it won't tell you about zero returns from read(), which is confusing.

And since the user has no idea when OpenSSL is calling read(), and there's no way to tell OpenSSL what poll() said, *there is no way to properly detect EOF with nonblocking sockets in OpenSSL when using SSL_set_fd() / bss_sock.c*.

I'm starting to think that you *must* do the read() yourself into a buffer, and use a memory BIO of some sort. Otherwise you have too little control over hard EOF detection.

Somebody tell me how I'm wrong, please... I almost certainly haven't looked into this enough to know what I'm talking about.

Thanks,
Dan
RE: Compiler Recomendations Solaris 8
I haven't seen a recommendation. I have gotten it to work with gcc 3.2 fine on solaris 8...

David

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, October 31, 2002 10:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recomendations Solaris 8

That's what I have done, but what version of GCC is recommended?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recomendations Solaris 8

You might like to download the package from www.sunfreeware.com - then just use pkgadd and don't bother compiling...

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 15:29
To: '[EMAIL PROTECTED]'
Subject: Compiler Recomendations Solaris 8

Hi,

Can someone recommend a working compiler build for solaris 8 to build openssl 9.6g? I am getting a seg fault on make test; when this happened on redhat I was told it was probably the compiler.

Thanks,
Matt.
RE: Compiler Recomendations Solaris 8 (and RedHat 8 too!)
What is the error?

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, October 31, 2002 11:18 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recomendations Solaris 8 (and RedHat 8 too!)

I compiled openssl 9-6g on redhat 7.3 with gcc 2.96 and was told to use 3 or 2.95 (still failing). I am using 2.95 on Solaris and it is failing with the same error as redhat, so I am lost as to what is a recommended GCC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:John.Airey;rnib.org.uk]
Sent: Thursday, October 31, 2002 4:08 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recomendations Solaris 8 (and RedHat 8 too!)

The last post to this list about compiling on RedHat 8 seems strangely relevant too. RedHat 8 comes with gcc 3 only, whereas previous versions came with 2.9x and a choice of using gcc 3. Perhaps it is the case that openssl doesn't compile on gcc 3, and if so, does anyone know how to fix it?

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: 31 October 2002 15:58
To: '[EMAIL PROTECTED]'
Subject: RE: Compiler Recomendations Solaris 8

That's what I have done, but what version of GCC is recommended?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Thursday, October 31, 2002 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Compiler Recomendations Solaris 8

You might like to download the package from www.sunfreeware.com - then just use pkgadd and don't bother compiling...

-----Original Message-----
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:matthew.darcy;hp.com]
Sent: Thursday, 31 October 2002 15:29
To: '[EMAIL PROTECTED]'
Subject: Compiler Recomendations Solaris 8

Hi,

Can someone recommend a working compiler build for solaris 8 to build openssl 9.6g? I am getting a seg fault on make test; when this happened on redhat I was told it was probably the compiler.

Thanks,
Matt.
RE: Invalid command SSLEngine ?
You can start by making sure that mod_ssl is either linked statically or loaded dynamically via a LoadModule call in your conf/httpd.conf file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Tan
Sent: Wednesday, October 30, 2002 5:15 PM
To: [EMAIL PROTECTED]
Subject: Invalid command "SSLEngine" ?

Hi,

Why does it show invalid command "SSLEngine" when running "./apachectl startssl"?

How do I make it work?

Thank you very much!

Best Regards,
Eric Tan
Building openssl on Win2K
Okay, I give up.

I followed the build instructions in INSTALL.W32 for VC++ only to find an unparseable makefile (ntdll.mak) with carriage returns embedded in the names of two macros (e.g. SSL^MOBJ=$(OBJ_D)\ssl.obj ...).

When I fixed that, I discovered that the makefile was attempting to copy files from the $(SRC_D) (".") directory that actually lived in its many subdirectories. Rather than perform the major surgery required to fix that gaffe, I decided to fall back, regroup and try plan B, building under Cygwin.

That got me as far as the first call to gcc:

    gcc -I. -I../include -DTHREADS -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall -c -o cryptlib.o cryptlib.c
    cryptlib.c:105: #error "Inconsistency between crypto.h and cryptlib.c"

cryptlib.c checks for

    #if CRYPTO_NUM_LOCKS != 29
    # error "Inconsistency between crypto.h and cryptlib.c"
    #endif

Of course, crypto.h says

    #define CRYPTO_NUM_LOCKS 29

but that doesn't seem to impress cryptlib.c.

At this point I started to get suspicious...

So my question is - is there anyone who has successfully built openssl-0.9.6g on any Win32 platform? If so, can I please hear from you as to how you managed the feat?

Thanks,
-Nick
OpenSSL and Onboard Private Key Processing
Hello:

Just wondering if anyone has attempted to use OpenSSL in an environment where the private key generated by a CA/RA is only available on a smart key token, and cannot be extracted. That is, all of the private key processing must be done on board the token's processor, and so the key is not available in a file as OpenSSL normally requires.

I am most interested in a solution that uses the Datakey Smart Key token.

Thanks a lot!

Melbourne
Re: Building openssl on Win2K
I did it, and without any problem worth mentioning. Your troubles might be with two things, though. One might be the perl configure .. that is needed to set up the makefile; there is mention of a specific perl distro req'd, I just ran it with the one I had, and it worked fine (could be the required one, but I really can't remember which one I installed). Second is that you might have forgotten to run vcvars32 before the nmake.

BTW, I built it with VC6 under Win2KPro. There is also an IDE for VC6, runs just as fine, and as a bonus, compiles all the openssl tools separately as well.

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 31, 2002 8:09 PM
Subject: Building openssl on Win2K

Okay, I give up.

I followed the build instructions in INSTALL.W32 for VC++ only to find an unparseable makefile (ntdll.mak) with carriage returns embedded in the names of two macros (e.g. SSL^MOBJ=$(OBJ_D)\ssl.obj ...).

When I fixed that, I discovered that the makefile was attempting to copy files from the $(SRC_D) (".") directory that actually lived in its many subdirectories. Rather than perform the major surgery required to fix that gaffe, I decided to fall back, regroup and try plan B, building under Cygwin.

That got me as far as the first call to gcc:

    gcc -I. -I../include -DTHREADS -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall -c -o cryptlib.o cryptlib.c
    cryptlib.c:105: #error "Inconsistency between crypto.h and cryptlib.c"

cryptlib.c checks for

    #if CRYPTO_NUM_LOCKS != 29
    # error "Inconsistency between crypto.h and cryptlib.c"
    #endif

Of course, crypto.h says

    #define CRYPTO_NUM_LOCKS 29

but that doesn't seem to impress cryptlib.c.

At this point I started to get suspicious...

So my question is - is there anyone who has successfully built openssl-0.9.6g on any Win32 platform? If so, can I please hear from you as to how you managed the feat?

Thanks,
-Nick
Re: SSL_read() hang after read http 100 continue headers
Looks like your code is impatient. When you get continue, 4 retries won't be enough to get the next response. Basically, if you get an SSL_ERROR_WANT_READ, you just need to keep continuing to retry the SSL_read, if you expect more data that is.

So, if you expect a server response, keep trying till you get some (you may want to hack in a timeout there), then process the response. If it's a continue, discard it and just start again reading till you get some...

----- Original Message -----
From: Lin Ma
To: '[EMAIL PROTECTED]'
Cc: Lin Ma
Sent: Wednesday, October 30, 2002 11:17 PM
Subject: SSL_read() hang after read http 100 continue headers

Hi,

My program is using the OpenSSL function SSL_read() to read http content. It works fine for most of the headers, but after it receives the HTTP/1.1 100 Continue header (the first block of headers), it will hang there. It should continue to read the headers (which is HTTP/1.1 200 OK...). The following is the header dump and the code I used. The http equivalent code works fine.

After the first block of headers, it should continue to read the 2nd block of headers. Is it because after the first block of headers (see the following), the terminators 0d 0a 0d 0a confused SSL_read? Or are the terminators the same as the SSL block terminator? How can I get around it?

This is the first block of headers:

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Wed, 30 Oct 2002 06:34:56 GMT

Can you help me? Thank you.

    while (Retries <= 4) {
        len = strlen(buf);
        printf("before SSL_read(), buf len=%d\n", len);
        r = SSL_read(Connect->ssl, buf, 100);
        err = SSL_get_error(Connect->ssl, r);
        printf("r=%d, err=%d\n", r, err);
        if (err == SSL_ERROR_NONE)
            bytes = r;
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ && err == SSL_ERROR_ZERO_RETURN) {
            printf(" SSL_ERROR_ZERO_RETURN\n");
            break;
        }
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ && err == SSL_ERROR_SYSCALL) {
            printf(" SSL_ERROR_SYSCALL\n");
            break;
        }
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ && err != SSL_ERROR_SYSCALL && err != SSL_ERROR_ZERO_RETURN) {
            printf("Reading header, SSL read problem\n");
            break;
        }
        if (bytes < 0 && Control->AGW == 1) {
            printf("read returned -1 (Error %d), returning ...\n", errno);
            break;
        } else if (bytes == 0) {
            Retries++;
        } else if (bytes > 0) {
            buf[bytes] = '\0';
            printf("read %d bytes, buf={%s}\n", bytes, buf);
        }
    }
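The advice in the reply above (keep reading on "want read" with a timeout, discard a 100 Continue block, then read on for the real response) as an added C example that is not code from the thread. The `read_fn` callback is a hypothetical stand-in for SSL_read() plus SSL_get_error(), and the scripted transport is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Outcomes of the hypothetical read callback: >0 bytes read, RD_EOF on a
 * clean close, RD_WANT_READ when no data is ready yet (the
 * SSL_ERROR_WANT_READ case discussed in the thread). */
enum { RD_WANT_READ = -1, RD_EOF = 0 };
enum { ERR_EOF = -1, ERR_TIMEOUT = -2, ERR_BAD = -3 };
typedef int (*read_fn)(void *ctx, char *buf, int len);

#define HDR_MAX 4096
struct hdr_reader { char buf[HDR_MAX + 1]; size_t used; };

/* Length of the first complete header block (through CRLF CRLF), or 0. */
static size_t block_len(const char *b, size_t n) {
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(b + i, "\r\n\r\n", 4) == 0) return i + 4;
    return 0;
}

/* Read header blocks until one that is not an interim 1xx response.
 * Returns the final status code and copies that block to out, or ERR_*. */
int read_final_status(read_fn rd, void *ctx, struct hdr_reader *r,
                      int max_idle, char *out, size_t outsz) {
    int idle = 0;
    for (;;) {
        size_t blk;
        while ((blk = block_len(r->buf, r->used)) != 0) {
            int code = 0;
            if (sscanf(r->buf, "HTTP/%*d.%*d %3d", &code) != 1 || code < 100)
                return ERR_BAD;
            int interim = code < 200 && code != 101;
            if (!interim) {
                if (blk >= outsz) return ERR_BAD;
                memcpy(out, r->buf, blk);
                out[blk] = '\0';
            }
            /* Drop the block; bytes after it (next block or body) stay. */
            memmove(r->buf, r->buf + blk, r->used - blk);
            r->used -= blk;
            r->buf[r->used] = '\0';
            if (!interim) return code;
        }
        if (r->used == HDR_MAX) return ERR_BAD;   /* header block too large */
        int n = rd(ctx, r->buf + r->used, (int)(HDR_MAX - r->used));
        if (n > 0) {
            r->used += (size_t)n;
            r->buf[r->used] = '\0';
            idle = 0;
        } else if (n == RD_WANT_READ) {
            /* Real code waits in select()/poll() with a deadline here. */
            if (++idle > max_idle) return ERR_TIMEOUT;
        } else {
            return ERR_EOF;
        }
    }
}

/* Constructed sample transport: each string is one successful read, NULL is
 * one "want read" result. The first block uses the headers quoted in the
 * post; the 200 block is a shortened, constructed one. */
static const char *const SCRIPT[] = {
    "HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n",
    "Date: Wed, 30 Oct 2002 06:34:56 GMT\r\n\r\n",
    NULL, NULL, NULL, NULL, NULL, NULL,
    "HTTP/1.1 200 OK\r\nContent-Length: 1863\r\n",
    "Content-Type: text/html\r\n\r\n<html>",
};
struct mock { size_t idx, off; };

static int mock_read(void *ctx, char *buf, int len) {
    struct mock *m = ctx;
    if (m->idx >= sizeof SCRIPT / sizeof SCRIPT[0]) return RD_EOF;
    const char *s = SCRIPT[m->idx];
    if (s == NULL) { m->idx++; return RD_WANT_READ; }
    size_t left = strlen(s) - m->off;
    size_t take = left < (size_t)len ? left : (size_t)len;
    memcpy(buf, s + m->off, take);
    m->off += take;
    if (m->off == strlen(s)) { m->idx++; m->off = 0; }
    return (int)take;
}

/* Run the reader over the sample; leftover gets the body bytes buffered. */
int run_demo(int max_idle, char *out, size_t outsz, size_t *leftover) {
    struct hdr_reader r = { {0}, 0 };
    struct mock m = { 0, 0 };
    int code = read_final_status(mock_read, &m, &r, max_idle, out, outsz);
    *leftover = r.used;
    return code;
}

int main(void) {
    char hdr[512];
    size_t left;
    printf("4 idle polls allowed:   %d\n", run_demo(4, hdr, sizeof hdr, &left));
    printf("100 idle polls allowed: %d\n", run_demo(100, hdr, sizeof hdr, &left));
    return 0;
}
```

With a budget of 4 idle polls the reader gives up between the two blocks; with a larger budget it skips the interim block and returns the 200 block, leaving the first body bytes buffered for the caller.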
Re: Building openssl on Win2K
Right, I remember I had a ton of problems building openssl under cygwin. No problems at all with ActiveState perl in an NT DOS prompt.

--Noel

----- Original Message -----
From: Gait Boxman
To: [EMAIL PROTECTED]
Sent: Thursday, October 31, 2002 12:45 PM
Subject: Re: Building openssl on Win2K

I did it, and without any problem worth mentioning. Your troubles might be with two things, though. One might be the perl configure .. that is needed to set up the makefile; there is mention of a specific perl distro req'd, I just ran it with the one I had, and it worked fine (could be the required one, but I really can't remember which one I installed). Second is that you might have forgotten to run vcvars32 before the nmake.

BTW, I built it with VC6 under Win2KPro. There is also an IDE for VC6, runs just as fine, and as a bonus, compiles all the openssl tools separately as well.

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 31, 2002 8:09 PM
Subject: Building openssl on Win2K

Okay, I give up.

I followed the build instructions in INSTALL.W32 for VC++ only to find an unparseable makefile (ntdll.mak) with carriage returns embedded in the names of two macros (e.g. SSL^MOBJ=$(OBJ_D)\ssl.obj ...).

When I fixed that, I discovered that the makefile was attempting to copy files from the $(SRC_D) (".") directory that actually lived in its many subdirectories. Rather than perform the major surgery required to fix that gaffe, I decided to fall back, regroup and try plan B, building under Cygwin.

That got me as far as the first call to gcc:

    gcc -I. -I../include -DTHREADS -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall -c -o cryptlib.o cryptlib.c
    cryptlib.c:105: #error "Inconsistency between crypto.h and cryptlib.c"

cryptlib.c checks for

    #if CRYPTO_NUM_LOCKS != 29
    # error "Inconsistency between crypto.h and cryptlib.c"
    #endif

Of course, crypto.h says

    #define CRYPTO_NUM_LOCKS 29

but that doesn't seem to impress cryptlib.c.

At this point I started to get suspicious...

So my question is - is there anyone who has successfully built openssl-0.9.6g on any Win32 platform? If so, can I please hear from you as to how you managed the feat?

Thanks,
-Nick
HP and OpenSSL
Has anyone successfully installed OpenSSL on an HP-UX box? See the error below:

    ar r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
    /usr/lib/dld.sl: Can't find path for shared library: libfl.sl
    /usr/lib/dld.sl: No such file or directory
    *** Termination signal 134
    Stop.
    *** Error exit code 1

I have an HP-UX 11 (11.11) system with gcc 3.2 installed (HP's port). I have looked high and low for the file 'libfl.sl' and found no mention of it. I even tried looking for an HP port of OpenSSL but only found a cut down version of it for their hp3000 series web servers.

Any information you may have would be greatly appreciated.

Ryan
RSA Secure Server CA cert expire
Hi there,

I compiled libwww with OpenSSL. When I test the client program, wwwssl, against my secure server, I get a CA certificate expired error. Actually the CA for the server cert is not expired. I found later that OpenSSL tries to replace the server CA cert with the corresponding one in its own store, and it appears that the one in its own store has expired. Can anyone confirm this behavior? How do I correct the expired cert in the cert store?

BTW, wwwssl does not load CA from any file.

Thank you very much,
-Sean
Re: HP and OpenSSL
There is an hp-ux depot here: http://hpux.cs.utah.edu/hppd/hpux/Languages/openssl-0.9.6d/

Ryan Frantz wrote:

Has anyone successfully installed OpenSSL on an HP-UX box? See the error below:

    ar r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
    /usr/lib/dld.sl: Can't find path for shared library: libfl.sl
    /usr/lib/dld.sl: No such file or directory
    *** Termination signal 134
    Stop.
    *** Error exit code 1

I have an HP-UX 11 (11.11) system with gcc 3.2 installed (HP's port). I have looked high and low for the file 'libfl.sl' and found no mention of it. I even tried looking for an HP port of OpenSSL but only found a cut down version of it for their hp3000 series web servers.

Any information you may have would be greatly appreciated.

Ryan
Re: anybody using EGADS?
The OpenSSL PRNG feels that it is fully seeded with 160 bits, i.e. 20 bytes of entropy. In rand_lcl.h the symbol ENTROPY_NEEDED is defined to 20. In 0.9.6g at least.

Tim

--- Edward Chan [EMAIL PROTECTED] wrote:

Hi Stephen,

Thanks for the reply. You're absolutely right. It does appear that I am not blocked indefinitely... it certainly does take a while to gather entropy. I was using nBytes = 1024. Then I tried 512. Still a very long time. Any suggestions on what a number should be for acceptable randomness?

Does anybody have any alternative suggestions? Does anybody know how Apache seeds the OpenSSL PRNG on Windows? I think Apache uses OpenSSL, don't they?

Thanks,
Ed

--- Stephen G. Schoggen [EMAIL PROTECTED] wrote:

Ed,

I tried EGADS on Windows (PIII 866) and found that its time to 'gather entropy' was noticeable beyond nBytes=4. So if you use a relatively large nBytes, then it would appear to block.

Steve

Hi there,

Is anybody using EGADS on Windows? I'm having a problem using it. I've downloaded the source and built everything. The egads service is running. I've written a program that links with egads.dll. I have a function that tries to seed the OpenSSL PRNG:

    bool seedPRNG(int nBytes)
    {
        prngctx_t ctx;
        int nError;

        egads_init(&ctx, 0, 0, &nError);
        if (nError != 0) {
            DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
            return false;
        }

        char* pBuf = new char[nBytes + 1];
        egads_entropy(&ctx, pBuf, nBytes, &nError);
        bool bOK = (0 == nError);
        if (bOK) {
            RAND_seed(pBuf, nBytes);
        }
        delete [] pBuf;
        egads_destroy(&ctx);
        return bOK;
    }

However, I seem to be blocking inside (presumably as egads gathers entropy), but it seems like I never unblock. Can anybody tell me what I'm doing wrong?

Thanks,
Ed
Re: to secure a directory
The data you're talking about is some configuration file or something? The application that uses this data ... can it decrypt the data? Or could you add this functionality to those applications?

I think you're using symmetric cryptography... that's easy... you have to use the EVP library... if not... your loss... that's the meaning of security... confidentiality and message integrity (and authentication sometimes...)

Regards,
AD

On Thu, 31-10-2002 at 15:40, Karim wrote:

Hello!

Here is my problem: I wrote 2 codes: a server under linux and a client for linux (and windows). The server sends data to a client (which is on another computer denoted by C) and the connection is secured using openssl. The client stores those data in a directory of C but I would like that nobody could access this directory but the administrator of C (the root) can :( . So I thought that I could crypt the files which are in this directory using functions of openssl. But the data which are in the directory have to be used by a code which is in this directory and I want the data to still remain crypted.

So is it possible to do all that?

Thanks a lot for your help!

Karim
Re: Building openssl on Win2K
Check the version of perl you are using. I had the exact same problem and upgrading my perl version fixed all of the issues. I am sorry, but I do not have version numbers handy.

Regards,
Tim

--- Noel Burton-Krahn [EMAIL PROTECTED] wrote:

Right, I remember I had a ton of problems building openssl under cygwin. No problems at all with ActiveState perl in an NT DOS prompt.

--Noel

----- Original Message -----
From: Gait Boxman
To: [EMAIL PROTECTED]
Sent: Thursday, October 31, 2002 12:45 PM
Subject: Re: Building openssl on Win2K

I did it, and without any problem worth mentioning. Your troubles might be with two things, though. One might be the perl configure .. that is needed to set up the makefile; there is mention of a specific perl distro req'd, I just ran it with the one I had, and it worked fine (could be the required one, but I really can't remember which one I installed). Second is that you might have forgotten to run vcvars32 before the nmake.

BTW, I built it with VC6 under Win2KPro. There is also an IDE for VC6, runs just as fine, and as a bonus, compiles all the openssl tools separately as well.

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 31, 2002 8:09 PM
Subject: Building openssl on Win2K

Okay, I give up.

I followed the build instructions in INSTALL.W32 for VC++ only to find an unparseable makefile (ntdll.mak) with carriage returns embedded in the names of two macros (e.g. SSL^MOBJ=$(OBJ_D)\ssl.obj ...).

When I fixed that, I discovered that the makefile was attempting to copy files from the $(SRC_D) (".") directory that actually lived in its many subdirectories. Rather than perform the major surgery required to fix that gaffe, I decided to fall back, regroup and try plan B, building under Cygwin.

That got me as far as the first call to gcc:

    gcc -I. -I../include -DTHREADS -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall -c -o cryptlib.o cryptlib.c
    cryptlib.c:105: #error "Inconsistency between crypto.h and cryptlib.c"

cryptlib.c checks for

    #if CRYPTO_NUM_LOCKS != 29
    # error "Inconsistency between crypto.h and cryptlib.c"
    #endif

Of course, crypto.h says

    #define CRYPTO_NUM_LOCKS 29

but that doesn't seem to impress cryptlib.c.

At this point I started to get suspicious...

So my question is - is there anyone who has successfully built openssl-0.9.6g on any Win32 platform? If so, can I please hear from you as to how you managed the feat?

Thanks,
-Nick
Re: using an on-disk session caching framework
Edward Chan wrote: The default behavior of server-side session caching is to cache session in memory. This is probably not gonna work very well if there are a lot of connections to the server It says to open file named according to session id. However, session_id contains non-ascii chars, chars that are illegal in a filename. So how can I name my file according to the session_id?

If you have enough sessions that you need to cache them on disk, you probably don't want to write them one-to-a-file either. Don't be so literal about the open file comment. Instead, open a single database instance (e.g., a Berkeley DB in hash mode, since you don't care about ordering) and use the session ID as your key ID. The non-ASCII characters aren't an issue since you specify a pointer and length, not a null-terminated string, as your key.

In practice, I believe apache's mod_ssl uses sdb instead of traditional db files for some reason, and you should definitely investigate why. But definitely go with a single, very efficient container object instead of using the filesystem as one. Even if you're guaranteed to be running on a new FS that uses btrees for the directory info, it's still much faster to do a hash lookup than a btree search, O(1) vs O(lg N).

Bear
Windows: Code Signing Certificate
Can anyone direct me to documentation (or a howto) on using openssl to create a digital certificate that can be used to sign macros in an Excel worksheet? I've successfully created and installed a root certificate authority for myself under Windows, but when I try to sign code with it, Windows complains that it doesn't have enough information to verify the certificate. Which is odd, since installing the certificate went smoothly. But that's Windows for you :) - Mark [EMAIL PROTECTED]
RE: Building openssl on Win2K
Thanks to all who replied with suggestions. It turned out to be something completely different. I had used PKZIP to unzip and untar the distribution tarball and - surprise! - rather than creating links (Windows shortcuts) where appropriate, it creates 0-byte files! That meant that all of the header files in ./openssl/include were empty - not much surprise that it caused compilation problems. Even though config attempts to reestablish the links (shortcuts), the attempts fail because the targets already exist (sort of). I nuked all the 0-byte files I could find and re-ran config, after which make ran without a hitch. -Nick

-Original Message- From: Tim Regovich - [EMAIL PROTECTED] [mailto:+openssl+nburkitt+222c6d3499.tregovich#yahoo.com;spamgourmet.com ] Sent: Thursday, October 31, 2002 2:26 PM To: [EMAIL PROTECTED] Subject: Re: Building openssl on Win2K (openssl: addressed to trusted sender for this address)

Check the version of perl you are using. I had the exact same problem and upgrading my perl version fixed all of the issues. I am sorry, but I do not have version numbers handy. Regards, Tim

--- Noel Burton-Krahn [EMAIL PROTECTED] wrote: Right, I remember I had a ton of problems building openssl under cygwin. No problems at all with ActiveState perl in an NT DOS prompt. --Noel

- Original Message - From: Gait Boxman To: [EMAIL PROTECTED] Sent: Thursday, October 31, 2002 12:45 PM Subject: Re: Building openssl on Win2K

I did it, and without any problem worth mentioning. Your troubles might be with two things, though. One might be the perl configure .. that is needed to set up the makefile, there is mention of a specific perl distro req'd, I just ran it with the one I had, and it worked fine (could be the required one, but I really can't remember which one I installed). Second is that you might have forgotten to run vcvars32 before the nmake. BTW, I built it with VC6 under Win2KPro. There is also an IDE for VC6, runs just as fine, and as a bonus, compiles all the openssl tools separately as well.

- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 31, 2002 8:09 PM Subject: Building openssl on Win2K

Okay, I give up. I followed the build instructions in INSTALL.W32 for VC++ only to find an unparseable makefile (ntdll.mak) with carriage returns embedded in the names of two macros (e.g. SSL^MOBJ=$(OBJ_D)\ssl.obj ...). When I fixed that, I discovered that the makefile was attempting to copy files from the $(SRC_D) (.) directory that actually lived in its many subdirectories. Rather than perform the major surgery required to fix that gaffe, I decided to fall back, regroup and try plan B, building under Cygwin. That got me as far as the first call to gcc:

gcc -I. -I../include -DTHREADS -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall -c -o cryptlib.o cryptlib.c
cryptlib.c:105: #error Inconsistency between crypto.h and cryptlib.c

cryptlib.c checks for

#if CRYPTO_NUM_LOCKS != 29
# error Inconsistency between crypto.h and cryptlib.c
#endif

Of course, crypto.h says

#define CRYPTO_NUM_LOCKS 29

but that doesn't seem to impress cryptlib.c. At this point I started to get suspicious... So my question is - is there anyone who has successfully built openssl-0.9.6g on any Win32 platform? If so, can I please hear from you as to how you managed the feat? Thanks, -Nick
Re: PRNG not seeded ERROR!!!!
Hi, I would like to ask one more question in connection to this one. How would you gather randomness or entropy on a system that doesn't have any /dev/egd-pool or /dev/urandom or /dev/random. What can be good sources of randomness and how do I know how much randomness is required? Regards Suram

Thanks Erwann: I checked my System and have installed PRNG. I checked it by using:

# ps -ef | grep prng
root 47354 6518 0 14:13:01 - 0:03 /opt/freeware/sbin/prngd -f /dev/egd-pool -m 666
#

But still when I run OPENSSL.command it gives me same error PRNG not seeded - wonder why! THANKS!

Erwann ABALEA [EMAIL PROTECTED] 10/31/02 11:03AM

On Thu, 31 Oct 2002, Manoj Kithany wrote: THANKS for your reply. I checked the url before I posted my query to this List.

Sorry if I offended you. You didn't specify in your first post that you checked the URL, and since this question is in the FAQ, that means it is asked a *lot* of times. :)

I am bit confused - should I need to install EGD or PRNG? I checked my IBM Server and couldn't find /dev/random?

No, you don't have a /dev/random device entry. I don't use AIX (only Linux or Solaris), so I can only speculate. Why don't you install prngd and either do:

- set the random pool to the default (something like /var/run/egd-pool), but you'll have to specify the option -rand /var/run/egd-pool or an equivalent to every program using the OpenSSL library
- set the random pool to /dev/random, so everyone will be able to use this random pool
- set the random pool to ~/.rnd, but it will be easily usable only to one particular user, while the others will have to use the -rand ... equivalent
- set the random pool to the default, and set the RANDFILE environment variable so that it points to the good pool

One of these things should work...

-- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - The secret of success is knowing who to blame for your failures. Demotivators, 2001 calendar
RE: Windows: Code Signing Certificate
www.tldp.org SSL-Certificates HOWTO feel free to send an update based on your experience...

-Original Message- From: Mark Olbert [mailto:[EMAIL PROTECTED]] Sent: Friday, 1 November 2002 4:53 To: [EMAIL PROTECTED] Subject: Windows: Code Signing Certificate

Can anyone direct me to documentation (or a howto) on using openssl to create a digital certificate that can be used to sign macros in an Excel worksheet? I've successfully created and installed a root certificate authority for myself under Windows, but when I try to sign code with it, Windows complains that it doesn't have enough information to verify the certificate. Which is odd, since installing the certificate went smoothly. But that's Windows for you :) - Mark [EMAIL PROTECTED]
RE: Windows: Code Signing Certificate
Thanx, Franck, I'll post an update after my head clears; I find using openssl very confusing, not to mention stressful (although that may be due to the fact that I've never gotten CA.pl to work properly; I always have to go back and read the CA.pl source to figure out what the SSL HowTo documentation means). - Mark

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Franck Martin Sent: Thursday, October 31, 2002 9:06 PM To: '[EMAIL PROTECTED]' Subject: RE: Windows: Code Signing Certificate

www.tldp.org SSL-Certificates HOWTO feel free to send an update based on your experience...

-Original Message- From: Mark Olbert [mailto:[EMAIL PROTECTED]] Sent: Friday, 1 November 2002 4:53 To: [EMAIL PROTECTED] Subject: Windows: Code Signing Certificate

Can anyone direct me to documentation (or a howto) on using openssl to create a digital certificate that can be used to sign macros in an Excel worksheet? I've successfully created and installed a root certificate authority for myself under Windows, but when I try to sign code with it, Windows complains that it doesn't have enough information to verify the certificate. Which is odd, since installing the certificate went smoothly. But that's Windows for you :) - Mark [EMAIL PROTECTED]
Re: using an on-disk session caching framework
On Thursday 31 Oct 2002 8:56 pm, Bear Giles wrote:

Edward Chan wrote: The default behavior of server-side session caching is to cache session in memory. This is probably not gonna work very well if there are a lot of connections to the server It says to open file named according to session id. However, session_id contains non-ascii chars, chars that are illegal in a filename. So how can I name my file according to the session_id?

If you have enough sessions that you need to cache them on disk, you probably don't want to write them one-to-a-file either. Don't be so literal about the open file comment. Instead, open a single database instance (e.g., a Berkeley DB in hash mode, since you don't care about ordering) and use the session ID as your key ID. The non-ASCII characters aren't an issue since you specify a pointer and length, not a null-terminated string, as your key.

In practice, I believe apache's mod_ssl uses sdb instead of traditional db files for some reason, and you should definitely investigate why. But definitely go with a single, very efficient container object instead of using the filesystem as one. Even if you're guaranteed to be running on a new FS that uses btrees for the directory info, it's still much faster to do a hash lookup than a btree search, O(1) vs O(lg N).

I'd actually contradict you here, one of the main problems with the performance of the disk-based ((s)dbm) cache implementation is precisely the fact that it uses a hash-table! It's often misunderstood as being slower but more stable because it's a file. In reality it's not disk-access that's going to *really* slow things down (the db file usually ends up cached in the kernel anyway), and neither is it more stable because of disk-access - for precisely the same reason! :-)

The actual performance problem is how to algorithmically expire old sessions and flush the database of old data so it doesn't grow without limit - in the case of mod_ssl's dbm-based cache design, these two problems are actually the same problem. The hash-database means the only way to remove expired sessions is to iterate across the entire database! This is the same problem as one of mod_ssl's other cache modes, 'shmht' - though shmht is implemented using shared-memory instead of dbm. The result is that genuine expiry operations are only done every once in a while; you lose storage (and memory-caching) efficiency, and you periodically do a very high overhead O(n) search where n is the number of cached sessions.

So, if you save each session to a different file I guess it would be possible to use the path to make the expiry logic easier. Eg. each minute in the future has its own theoretical directory (it is only created if it's ever needed). When saving a session, you could put it in the directory corresponding to the minute it will be expired. The current directory you look at (the current minute) will contain a mixture of sessions that are just about to expire or have just expired - but any directories representing minutes in the past contain only old sessions (you can delete/unlink them whenever you like) and all directories representing minutes in the future contain healthy unexpired sessions. This makes 'expiry' and 'flush' operations O(1), which is hard to beat. Inserts are O(1) too. And if you name the session files according to the sessions' ID, 'lookup' operations (and non-expiry 'delete's) become O(n), where n is the length of the session timeout in minutes (so it's a constant anyway) rather than 'n' growing with the number of sessions in the cache.

Of course, if you don't want to thrash the disk to hell with this example technique (because this wouldn't benefit from kernel-caching like a single dbm file would), I'd suggest doing it inside a loopback file-system so it's all virtualised in memory anyway. Or you could push session caching out of the server and on to the network; http://www.distcache.org/

Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED] http://www.geoffthorpe.net/
Re: using an on-disk session caching framework
Geoff Thorpe wrote: The hash-database means the only way to remove expired sessions is to iterate across the entire database!

Or you maintain an auxiliary database that maps the expiry time to a list of session IDs. This could be a btree (perhaps with a bucket of session IDs, to avoid duplicate keys) or a priority queue, or a number of other things. Since this is a much smaller structure, it could be maintained in memory. If you restart the system you'll have to rebuild the auxiliary database, but it should only take O(N lg N) time.

I agree that you could also use directories. My concern is just that I've seen applications crawl because of the time required to scan a directory when there's more than a few hundred entries in it. If you use directories to keep the entry count down, you can minimize this problem.

Bear
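The expiry-minute layout from this thread, modelled in memory as an added example (not code from any poster, mod_ssl or OpenSSL): each bucket stands for one "minute directory", and keys are compared by pointer and length so binary session IDs need no encoding. The names, the 5-minute timeout and the `int` payload standing in for a serialized session are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TIMEOUT_MIN 5               /* assumed session lifetime, in minutes */
#define NBUCKETS (TIMEOUT_MIN + 1)  /* one bucket per expiry minute still live */
#define MAX_ID 32                   /* SSL session IDs are at most 32 bytes */

struct sess { unsigned char id[MAX_ID]; size_t idlen; int value; struct sess *next; };
struct cache { struct sess *bucket[NBUCKETS]; long minute[NBUCKETS]; };

/* Constructed IDs: they contain '/' (0x2f) and differ only after a NUL byte. */
static const unsigned char ID_A[] = {0x00, 0x2f, 0xff, 0x41};
static const unsigned char ID_B[] = {0x00, 0x2f, 0xff, 0x42};

static int drop_bucket(struct cache *c, int slot) {  /* like unlinking a past-minute directory */
    int n = 0;
    for (struct sess *s = c->bucket[slot], *nx; s; s = nx, n++) { nx = s->next; free(s); }
    c->bucket[slot] = NULL;
    return n;
}

/* Insert: file the session under the minute in which it expires.
   Assumes now >= 0 and that now never decreases between calls. */
int cache_put(struct cache *c, long now, const unsigned char *id, size_t idlen, int value) {
    long exp = now + TIMEOUT_MIN;
    int slot = (int)(exp % NBUCKETS);
    struct sess *s;
    if (idlen == 0 || idlen > MAX_ID || (s = malloc(sizeof *s)) == NULL) return 0;
    if (c->minute[slot] != exp) { drop_bucket(c, slot); c->minute[slot] = exp; } /* slot held a past minute */
    memcpy(s->id, id, idlen);
    s->idlen = idlen; s->value = value;
    s->next = c->bucket[slot]; c->bucket[slot] = s;
    return 1;
}

/* Lookup: visit at most NBUCKETS buckets, skipping past minutes. The current-minute
   bucket is treated as live; each bucket is a plain list here, not a hash. */
int cache_get(const struct cache *c, long now, const unsigned char *id, size_t idlen, int *value) {
    for (int slot = 0; slot < NBUCKETS; slot++) {
        if (c->minute[slot] < now) continue;
        for (const struct sess *s = c->bucket[slot]; s; s = s->next)
            if (s->idlen == idlen && memcmp(s->id, id, idlen) == 0) { *value = s->value; return 1; }
    }
    return 0;
}

/* Flush: free whole buckets from past minutes; live sessions are never examined. */
int cache_flush(struct cache *c, long now) {
    int freed = 0;
    for (int slot = 0; slot < NBUCKETS; slot++)
        if (c->minute[slot] < now) freed += drop_bucket(c, slot);
    return freed;
}

int main(void) {
    static struct cache c; int v = 0;
    cache_put(&c, 1000, ID_A, sizeof ID_A, 7);
    printf("hit at minute 1005: %d\n", cache_get(&c, 1005, ID_A, sizeof ID_A, &v));
    printf("freed at minute 1006: %d\n", cache_flush(&c, 1006));
    return 0;
}
```
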