RE: a question about building openssl
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George R Goffe
Sent: 30 December 2005 22:09
To: openssl-users@openssl.org
Subject: a question about building openssl

> Howdy,
>
> I have looked a little on the web sites for the answer to this question but don't see one readily available.
>
> I am building openssl on a redhat 9 system. My question is, why is /usr/local/bin hardcoded throughout the distribution? RedHat installs perl in /usr/bin and I have to fool around to get the build to work.

Why not create a symlink from /usr/local/bin/perl to /usr/bin/perl instead?

You can install openssl in /usr/bin, however that would break several other programs in Red Hat 9, for example the openssh package, so this isn't advisable. This is detailed in the FAQ at http://www.openssl.org/support/faq.html#BUILD8/. I really should update this section so that it never goes out of date!

To the best of my knowledge the openssl that comes with Red Hat 9 is complete apart from not having new features and not using the patented MDC-2, IDEA and RC5 algorithms.

--
John Airey, BSc (Jt Hons), CNE, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

On April 24th 2006 I'll be running in the London Marathon. Then on July 10th 2006 I'll be riding in the Etape du Tour from Gap to Alpe D'Huez, a distance of 188km. Finally on October 1st 2006 I'll be running in the Great North Run. I hope to raise £2000 for RNIB through all these events. You can sponsor me online at http://justgiving.com/rnibetape.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
SSL_accept error... need help
hi,

I am testing a basic (an echo) TLS server with the openSSL client s_client. I get the following error:

server side:
SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:888

client side:
SSL_23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:489

I use SSLv23 as my method in the context. My client call is:
s_client -connect 'ip address:port number'

Before I post this message I browsed through the mail archive and I found a posting addressing the same issue (by Kate, Aug 2000, msg 11017). But unfortunately no replies. I am a novice and I couldn't find a solution by myself (thought it might be trivial). Hope someone comes up with some hint.

Thanks in advance,
Samy
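The server-side "no shared cipher" message above means the server found no cipher suite it could use among those the client offered, which in practice is either a cipher-list mismatch or a server context with no certificate loaded (without a key to authenticate with, no suite is usable). With the OpenSSL tools the mismatch case is checked by running `openssl ciphers -v` on each side's cipher string and comparing the output. The block below is an added example, not code from the thread or from OpenSSL, that performs the same comparison offline with Python's ssl module; the cipher strings are constructed to show one disjoint pair and one matching pair, and TLS 1.3 suites are assumed out of scope because they are configured separately from the cipher string.

```python
"""
Reproduce the "no shared cipher" condition offline by comparing the cipher
lists two ssl contexts would negotiate. Added example; the cipher strings
passed in by callers are constructed to illustrate a mismatch.
"""
import ssl


def offered_ciphers(ctx):
    """Names of the pre-TLS-1.3 suites a context is configured to offer.

    TLS 1.3 suites are configured separately from the cipher string in
    OpenSSL 1.1.1 and later and always show up in get_ciphers(), so they
    are excluded to keep the comparison about the configured list.
    """
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def shared_ciphers(server_cipher_string, client_cipher_string):
    """Return the suites both sides could agree on, sorted by name.

    set_ciphers() raises ssl.SSLError itself if a string matches no suite
    in the local OpenSSL build, which is another cause of the same error.
    """
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    server.set_ciphers(server_cipher_string)
    client.set_ciphers(client_cipher_string)
    return sorted(offered_ciphers(server) & offered_ciphers(client))


def diagnose(server_cipher_string, client_cipher_string):
    """One-line verdict in the spirit of the s3_srvr.c message."""
    common = shared_ciphers(server_cipher_string, client_cipher_string)
    if not common:
        return "no shared cipher: server and client cipher lists are disjoint"
    return "ok: %d shared suite(s), e.g. %s" % (len(common), common[0])


if __name__ == "__main__":
    # Constructed strings: the server insists on AES-256-GCM, the client
    # only offers AES-128-GCM, so the handshake would fail exactly as above.
    print(diagnose("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"))
    print(diagnose("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"))
```

Run it with a server string and a client string to see whether a handshake between the two configurations can succeed at all; if the shared set is empty, fix the cipher lists before looking anywhere else, and if it is non-empty while the server still reports "no shared cipher", check that the server context actually loaded its certificate and private key.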
Re: regarding usage of SSL_CTX in server
jimmy wrote:
> Peter Sylvester wrote:
>> It happened that I played with this a bit. It is not just that you have a list of servers in one context; all parameters of the server, e.g. requirements for user certs etc., can be different, so a separate SSL_CTX seems useful.
>
> does this theoretically rule out usage of 1 SSL_CTX for multiple virtual servers (the case where each one has a separate certificate)?

It depends to what degree you accept modifying internal features of openssl SSL and SSL_CTX objects, or to add new functions in the api.

> What about the case where 1 server can have several certificates for itself, each signed by a different root CA? Can this be done?

Some possible steps:

- define one or more ways allowing the server to select one of its 'configurations', based on called IP address, port, servername extension, or whatever else information you have available.
- As soon as you have that you can look at an implementation: If you make your decision before having read anything, then you can easily use a different SSL_CTX; this is the actual logic in Apache for example.
- If you need to look at the client hello, then you are already in a session, i.e. you have an SSL object. Thus, in some way, the library or your application must make a decision. A flexible way is to give a callback to the application so it can inspect the information from the client hello, and then do whatever magic, or better some allowed actions, to change the SSL object depending on the needs of the application architecture and, of course, on the possibilities of the openssl API.
- I don't think one should expect too much magic for all kinds of configurations available inside the openssl library. Compare it also with the possibilities of what can be done selecting a client cert. There is no code inside the library that selects based on the CA names, but there is a callback for an application.
--
To verify the signature, see http://edelpki.edelweb.fr/
This lets you load the CA certificate; the list of revoked certificates can also be found there.
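The third step above, a callback that inspects the client hello and changes the SSL object's configuration, is shown below as an added example that is not code from the thread or from OpenSSL. Python's ssl module exposes the same hook as SSLContext.sni_callback: it is invoked once the ClientHello has been parsed and before the server sends its certificate, and it may assign a different context to the SSL object. The host names, the fall-back to a default context, and the fact that no certificates are loaded (so the contexts can be created offline) are assumptions of the example.

```python
"""
Select a per-virtual-host TLS configuration from the ClientHello server name.

Added example, not from the mailing-list thread. Host names and the
default-context fallback policy are assumptions; each per-host context
would normally call load_cert_chain() with its own certificate.
"""
import ssl

# One SSL context per virtual host (assumed names). Certificates are not
# loaded here so the module can be imported and exercised offline.
VHOST_CONTEXTS = {
    "www.example.test": ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER),
    "api.example.test": ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER),
}
# Configuration used when the client sends no name or an unknown one.
DEFAULT_CONTEXT = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def select_context(server_name):
    """Return (context, matched) for the SNI name taken from the ClientHello.

    The name is untrusted client input: it is normalised (trailing dot
    removed, lower-cased), required to be ASCII, and looked up in a fixed
    table. Anything absent, unknown or malformed maps to the default
    context instead of raising inside the handshake.
    """
    if not server_name:
        return DEFAULT_CONTEXT, False
    name = server_name.rstrip(".").lower()
    try:
        name.encode("ascii")
    except UnicodeEncodeError:
        return DEFAULT_CONTEXT, False
    ctx = VHOST_CONTEXTS.get(name)
    if ctx is None:
        return DEFAULT_CONTEXT, False
    return ctx, True


def sni_callback(ssl_sock, server_name, initial_context):
    """SSLContext.sni_callback hook.

    Runs after the ClientHello is parsed and before the certificate is sent,
    so assigning ssl_sock.context here changes which certificate and
    parameters are used for the rest of the handshake. Returning None lets
    the handshake continue.
    """
    ctx, _ = select_context(server_name)
    if ctx is not initial_context:
        ssl_sock.context = ctx
    return None


def make_listener_context():
    """The context handed to wrap_socket(); its job is to own the callback."""
    listener = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    listener.sni_callback = sni_callback
    return listener
```

The selection runs on data the client controls, so it is kept to a table lookup on a normalised name with a safe fallback; the name is never used to build a file path or to pick code. Later OpenSSL releases expose the equivalent C hook as SSL_CTX_set_tlsext_servername_callback, with SSL_set_SSL_CTX performing the same swap on the SSL object.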
Re: SSL_accept error... need help
Samy Thiyagarajan wrote:
> hi,
> I am testing a basic (an echo) TLS server with the openSSL client s_client. I get the following error
> [...]

Have you checked the samples available on http://www.opensslbook.com/code.html ? If I remember it right there are code samples for an SSL server which might help you...

Hope it helps
Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
no EVP_dup?
How do I dup a private key? There is an X509_dup but I don't see an EVP_PKEY_dup.

Thanks,
Perry
Re: no EVP_dup?
Perry L. Jones wrote:
> How do I dup a private key? There is an X509_dup but I don't see an EVP_PKEY_dup.

Good question, I missed that feature as well.

> Thanks,
> Perry
OpenSSL compile flags
When building OpenSSL version 0.9.7i (and all prior versions that I've seen) on Linux, the compiler flags passed to 'gcc' include:

-O3 -fomit-frame-pointer -mcpu=pentium

This occurs even when the output of `uname -m` and `arch` are i486. I have a few machines with hacked 'uname' and 'arch' commands that will report i486 even when the real arch is i686, for use in compiling binaries for other i486 systems.

Looking at the 'config' and 'Configure' scripts, it appears that the arch value is guessed based on 'uname', 'arch', and 'cat /proc/cpuinfo', in different cases. I guess I'm running into a situation where the configure script is looking at /proc/cpuinfo, which I can't do a quick-and-easy hack to give false data.

Is there an option that I'm missing to pass a particular arch value to compile OpenSSL for?

Right now, I'm working around this by 'sed'ing the above-mentioned string out of the CCFLAGS variable in the Makefile and replacing it with -O2 -march=i586 -pipe. Is this not proper, or should it work OK? (It seems to work fine, in running it, but there's a lot of things I wouldn't know about it.)

Also, as a side-note, most of the literature I've seen regarding 'gcc' says that the -mcpu= flag is deprecated, and that -march= should be used instead. Is there a reason why OpenSSL uses -mcpu=?

Thanks for the time and help, here--OpenSSL and OpenSSH are wonderful tools, and I appreciate all of the effort that goes into them.

Thanks,
Ryan