Re: Evp_Encrypt_Init Segfault
Girish Venkatachalam wrote: Try calling EVP_CIPHER_CTX_cleanup(ctx) at the end... I have tried this, does not change the situation. gdb output is 200 EVP_EncryptInit(ctx, EVP_bf_ecb(), NULL, NULL); (gdb) step Program received signal SIGSEGV, Segmentation fault. 0xb7df82fb in mallopt () from /lib/libc.so.6 I really dont know whats wrong here, Felix __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Evp_Encrypt_Init Segfault
Have you tried with the EVP_EncryptInit_ex() family of functions ? I'm not sure it would help much but it could be worth a try Felix Dorner wrote: Girish Venkatachalam wrote: Try calling EVP_CIPHER_CTX_cleanup(ctx) at the end... I have tried this, does not change the situation. gdb output is 200 EVP_EncryptInit(ctx, EVP_bf_ecb(), NULL, NULL); (gdb) step Program received signal SIGSEGV, Segmentation fault. 0xb7df82fb in mallopt () from /lib/libc.so.6 I really dont know whats wrong here, Felix __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Alain Damiral __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Evp_Encrypt_Init Segfault
Hi, the following code executes once, and does fine. Calling the function a second time gives a segfault during the call marked by -- You may have inadvertantly corrupted the heap the first time your code is executed. I suggest you put several assert statements to ensure that memory outside of that you allocated is not overwritten. Regards, Mark __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
SSL_connect fails with SSL_ERROR_SSL
Dear all, Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2 certs - one for client and the other for the server. I have checked that these certificates are ok. I am attempting to write a SSL client-server program. SSL Server:- Java. It has a keystore, which contains the server cert and the CA cert. SSL Client: C. In the program, using appropraite openssl calls, I have added the cleint certificate, the private key and the CA cert to the context. Please see the code snippet. /* code snippet starts - all error handling removed for readability */ SSLeay_add_ssl_algorithms(); meth = SSLv3_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new (meth); err = SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM); err = SSL_CTX_use_PrivateKey_file(ctx, PvtKeyFile, SSL_FILETYPE_PEM); SSL_CTX_check_private_key(ctx) SSL_CTX_load_verify_locations(ctx, TrustedCACertFile, NULL); /* code snippet ends - all error handling removed for readability */ Initialization is successful, but the handshake fails. We first create TCP socket and then connect as shown below. Then, we call SSL_connect, which fails with SSL_ERROR_SSL. At this point, the Java server outputs SSLException No Trusted certificate. sd = socket(AF_INET, SOCK_STREAM, 0); int c = connect(sd, (struct sockaddr*) host_id , sizeof(host_id)); // By now, the SSL context is initialized and the TCP sockets are created. // Now, SSLize the TCP sockets. ssl = SSL_new(ctx); // create SSL objects from the SSL context. r = SSL_set_fd (ssl, sd); // Associate the network connection with the SSL object. int err = SSL_connect (ssl);// Initiate the SSL handshake *FAILS HERE if (err = 0) { int errcode = SSL_get_error(ssl, err); switch(errcode) { /* other cases */ case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, SSL connect: Protocol Error.); break; } } Can anyone please tell me what is happenning? Best regards, Ambarish. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL_connect fails with SSL_ERROR_SSL
Dear all, Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2 certs - one for client and the other for the server. I have checked that these certificates are ok. I am attempting to write a SSL client-server program. SSL Server:- Java. It has a keystore, which contains the server cert and the CA cert. SSL Client: C. In the program, using appropraite openssl calls, I have added the cleint certificate, the private key and the CA cert to the context. Please see the code snippet. ... Initialization is successful, but the handshake fails. We first create TCP socket and then connect as shown below. Then, we call SSL_connect, which fails with SSL_ERROR_SSL. At this point, the Java server outputs SSLException No Trusted certificate. If you want client authentication, you need to explicitly state this at the server side(ie., you should ask the client to send the certificate.) So to verify the authenticity of the certifiacte you shud have the CA( who signed the cert)in your list of trusted CAs . I believe you need the following function.. SSL_CTX_set_verify() I somewhere found that java does not support .pem format keystore( but im not sure). If I am right and if you are using .pem that might also be a reason. Hope this helps, Samy sd = socket(AF_INET, SOCK_STREAM, 0); int c = connect(sd, (struct sockaddr*) host_id , sizeof(host_id)); // By now, the SSL context is initialized and the TCP sockets are created. // Now, SSLize the TCP sockets. ssl = SSL_new(ctx); // create SSL objects from the SSL context. r = SSL_set_fd (ssl, sd); // Associate the network connection with the SSL object. int err = SSL_connect (ssl); // Initiate the SSL handshake *FAILS HERE if (err = 0) { int errcode = SSL_get_error(ssl, err); switch(errcode) { /* other cases */ case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, SSL connect: Protocol Error.); break; } } Can anyone please tell me what is happenning? Best regards, Ambarish. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: SSL_connect fails with SSL_ERROR_SSL
Samy, Thanksfor your reply. On the server side (Java), I have explictly set client authentication to true. ks.load(new FileInputStream(KEYSTORE_FILE), passphrase); kmf.init(ks, passphrase);ctx.init(kmf.getKeyManagers(), null, null);ssf = ctx.getServerSocketFactory(); sSocket = (SSLServerSocket)ssf.createServerSocket(tcpPort, 10);//Creation of Server SocketsSocket.setNeedClientAuth(true);//Needs successful client authentication snip So to verify the authenticity of the certifiacte you shud have the CA(who signed the cert)in your list of "trusted CAs ". /snip That CA cert is in the keystore file already of the server side. Also, I am not using .PEM certificates, I am using what the keytool created, got the CSR signed. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Samy ThiyagarajanSent: Tuesday, January 31, 2006 4:03 PMTo: openssl-users@openssl.orgSubject: Re: SSL_connect fails with SSL_ERROR_SSLDear all,Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2certs - one for client and the other for the server. I have checked thatthese certificates are ok.I am attempting to write a SSL client-server program.SSL Server:- Java. It has a keystore, which contains the server cert and theCA cert.SSL Client: C. In the program, using appropraite openssl calls, I have addedthe cleint certificate, the private key and the CA cert to the context.Please see the code snippet. ... Initialization is successful, but the handshake fails. We first create TCPsocket and then "connect" as shown below. Then, we call SSL_connect, whichfails with SSL_ERROR_SSL. At this point, the Java server outputsSSLException "No Trusted certificate". If you want client authentication, you need to explicitly state this at the server side(ie., you should ask the client to send the certificate.) So to verify the authenticity of the certifiacte you shud have the CA( who signed the cert)in your list of " trusted CAs ". I believe you need the following function.. SSL_CTX_set_verify() I somewhere found that java does not support .pem format keystore( but im not sure). If I am right and if you are using .pem that might also be a reason. Hope this helps, Samy sd = socket(AF_INET, SOCK_STREAM, 0); int c = connect(sd, (struct sockaddr*) host_id , sizeof(host_id));// By now, the SSL context is initialized and the TCP sockets are created.// Now, SSLize the TCP sockets.ssl = SSL_new(ctx); // create SSL objects from the SSL context.r = SSL_set_fd (ssl, sd); // Associate the network connection with the SSLobject. int err = SSL_connect (ssl); // Initiate the SSL handshake *FAILSHERE if (err = 0) { int errcode = SSL_get_error(ssl, err); switch(errcode) { /* other cases */ case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, "SSL connect: ProtocolError."); break; } }Can anyone please tell me what is happenning?Best regards,Ambarish.__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED]
Re: SSL_connect fails with SSL_ERROR_SSL
Okay. The question is: You have a CA. Did you encode the CA:true attribute in it? You created a server certificate signed by that CA. How? You created a client certificate signed by that CA. How? You have loaded the CA certificate into the server's keystore, and marked it 'trusted'. Have you verified that it exists correctly in the server's keystore? You have loaded the CA certificate into the client's keystore, and marked it 'trusted'. Have you verified that it exists correctly in the client's keystore? Have you verified that the serial numbers on the certificates are not the same? How did you verify that the certificates were okay? Are there any requirements in Java's SSL implementation for specific OIDs/extensions to be in the client certificate for it to be recognized as such? Do your certificates have 'version=3' properly encoded? -Kyle H On 1/31/06, Ambarish Mitra [EMAIL PROTECTED] wrote: Samy, Thanks for your reply. On the server side (Java), I have explictly set client authentication to true. ks.load(new FileInputStream(KEYSTORE_FILE), passphrase); kmf.init(ks, passphrase); ctx.init(kmf.getKeyManagers(), null, null); ssf = ctx.getServerSocketFactory(); sSocket = (SSLServerSocket)ssf.createServerSocket(tcpPort, 10);//Creation of Server Socket sSocket.setNeedClientAuth(true);//Needs successful client authentication snip So to verify the authenticity of the certifiacte you shud have the CA(who signed the cert)in your list of trusted CAs . /snip That CA cert is in the keystore file already of the server side. Also, I am not using .PEM certificates, I am using what the keytool created, got the CSR signed. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Samy Thiyagarajan Sent: Tuesday, January 31, 2006 4:03 PM To: openssl-users@openssl.org Subject: Re: SSL_connect fails with SSL_ERROR_SSL Dear all, Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2 certs - one for client and the other for the server. I have checked that these certificates are ok. I am attempting to write a SSL client-server program. SSL Server:- Java. It has a keystore, which contains the server cert and the CA cert. SSL Client: C. In the program, using appropraite openssl calls, I have added the cleint certificate, the private key and the CA cert to the context. Please see the code snippet. ... Initialization is successful, but the handshake fails. We first create TCP socket and then connect as shown below. Then, we call SSL_connect, which fails with SSL_ERROR_SSL. At this point, the Java server outputs SSLException No Trusted certificate. If you want client authentication, you need to explicitly state this at the server side(ie., you should ask the client to send the certificate.) So to verify the authenticity of the certifiacte you shud have the CA( who signed the cert)in your list of trusted CAs . I believe you need the following function.. SSL_CTX_set_verify() I somewhere found that java does not support .pem format keystore( but im not sure). If I am right and if you are using .pem that might also be a reason. Hope this helps, Samy sd = socket(AF_INET, SOCK_STREAM, 0); int c = connect(sd, (struct sockaddr*) host_id , sizeof(host_id)); // By now, the SSL context is initialized and the TCP sockets are created. // Now, SSLize the TCP sockets. ssl = SSL_new(ctx); // create SSL objects from the SSL context. r = SSL_set_fd (ssl, sd); // Associate the network connection with the SSL object. int err = SSL_connect (ssl); // Initiate the SSL handshake *FAILS HERE if (err = 0) { int errcode = SSL_get_error(ssl, err); switch(errcode) { /* other cases */ case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, SSL connect: Protocol Error.); break; } } Can anyone please tell me what is happenning? Best regards, Ambarish. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: SSL_connect fails with SSL_ERROR_SSL
Kyle, How to check CA:true attribute? The server cert was signed by using the openssl utility sign-server-cert. It is provided in the openssl link. Same for client cert. The server cert and the CA cert was loaded into the keystore and using keytool utility, we checked that it is okay. On the client side, there is no keytool, but since it is in C, it is loaded into the context programatically. The cert serial numbers and the dates are verified to be okay. version = 3. Ambarish. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kyle Hamilton Sent: Tuesday, January 31, 2006 4:32 PM To: openssl-users@openssl.org Subject: Re: SSL_connect fails with SSL_ERROR_SSL Okay. The question is: You have a CA. Did you encode the CA:true attribute in it? You created a server certificate signed by that CA. How? You created a client certificate signed by that CA. How? You have loaded the CA certificate into the server's keystore, and marked it 'trusted'. Have you verified that it exists correctly in the server's keystore? You have loaded the CA certificate into the client's keystore, and marked it 'trusted'. Have you verified that it exists correctly in the client's keystore? Have you verified that the serial numbers on the certificates are not the same? How did you verify that the certificates were okay? Are there any requirements in Java's SSL implementation for specific OIDs/extensions to be in the client certificate for it to be recognized as such? Do your certificates have 'version=3' properly encoded? -Kyle H On 1/31/06, Ambarish Mitra [EMAIL PROTECTED] wrote: Samy, Thanks for your reply. On the server side (Java), I have explictly set client authentication to true. ks.load(new FileInputStream(KEYSTORE_FILE), passphrase); kmf.init(ks, passphrase); ctx.init(kmf.getKeyManagers(), null, null); ssf = ctx.getServerSocketFactory(); sSocket = (SSLServerSocket)ssf.createServerSocket(tcpPort, 10);//Creation of Server Socket sSocket.setNeedClientAuth(true);//Needs successful client authentication snip So to verify the authenticity of the certifiacte you shud have the CA(who signed the cert)in your list of trusted CAs . /snip That CA cert is in the keystore file already of the server side. Also, I am not using .PEM certificates, I am using what the keytool created, got the CSR signed. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Samy Thiyagarajan Sent: Tuesday, January 31, 2006 4:03 PM To: openssl-users@openssl.org Subject: Re: SSL_connect fails with SSL_ERROR_SSL Dear all, Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2 certs - one for client and the other for the server. I have checked that these certificates are ok. I am attempting to write a SSL client-server program. SSL Server:- Java. It has a keystore, which contains the server cert and the CA cert. SSL Client: C. In the program, using appropraite openssl calls, I have added the cleint certificate, the private key and the CA cert to the context. Please see the code snippet. ... Initialization is successful, but the handshake fails. We first create TCP socket and then connect as shown below. Then, we call SSL_connect, which fails with SSL_ERROR_SSL. At this point, the Java server outputs SSLException No Trusted certificate. If you want client authentication, you need to explicitly state this at the server side(ie., you should ask the client to send the certificate.) So to verify the authenticity of the certifiacte you shud have the CA( who signed the cert)in your list of trusted CAs . I believe you need the following function.. SSL_CTX_set_verify() I somewhere found that java does not support .pem format keystore( but im not sure). If I am right and if you are using .pem that might also be a reason. Hope this helps, Samy sd = socket(AF_INET, SOCK_STREAM, 0); int c = connect(sd, (struct sockaddr*) host_id , sizeof(host_id)); // By now, the SSL context is initialized and the TCP sockets are created. // Now, SSLize the TCP sockets. ssl = SSL_new(ctx); // create SSL objects from the SSL context. r = SSL_set_fd (ssl, sd); // Associate the network connection with the SSL object. int err = SSL_connect (ssl); // Initiate the SSL handshake *FAILS HERE if (err = 0) { int errcode = SSL_get_error(ssl, err); switch(errcode) { /* other cases */ case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, SSL connect: Protocol Error.); break; } } Can
Errors with firefox
Hello thereI've previously sent this to the mod_ssl list with no success. Sorry if you've seen it before:I have apache compiled on solaris with sun cc with mod_ssl- 2.8.25-1.3.34 and openssl-0.9.8a (I've also tried 0.9.7i and the nightly build).When accessing the site using Internet Explorer I have no problems. With Firefox the browser reports an 'incorrect Message Authentication Code' and the server logs report: [Mon Jan 23 13:13:54 2006] [error] mod_ssl: SSL handshake failed (server xxx:443, client xxx) (OpenSSL library error follows)[Mon Jan 23 13:13:54 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac I do have previous builds that 'work' ... but have been unable to determine precisely what change initiated this problem. It might be the release of openssl, it might also be the Sun compiler, which was now from studio 11 and was previously from an earlier version which I don't have access to any more. Any suggestions much appreciatedThanksMichael Smith
OpenSSL 0.9.8a dumps core in SSL_CTX_load_verify_locations()
hi I'm having problems with the OpenSSL SSL_CTX_load_verify_locations() routine dumping core on Solaris 8 (sparc, 64-bit). I first noticed this problem with Apache mod_ssl but it can be reproduced with a minimal standalone C program which calls SSL_CTX_load_verify_locations (). I've only experienced this problem with one certain CA bundle file. The problem doesn't appear with OpenSSL release 0.9.7e (and at least d) but starting with f I'm getting core dumps (tested with i, g, f and 0.9.8a). Any ideas on what has changed between 0.9.7e and 0.9.7f that may be causing this? Here's the code for reproducing the problem: /* export PATH=/opt/local/gcc/4.0/bin:$PATH:/usr/ccs/bin:/opt/sfw/bin export or=/home/aspa/tmp/openssl098a coreadm -p core $$ gcc x509catest.c -g -m64 -I$or/include -L$or/lib -lssl -lcrypto - lsocket -ldl ./a.out */ #include openssl/ssl.h int main() { char *capath=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt; char *cafile; cafile=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/bundle.crt; cafile=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/ca- bundle.crt; SSL_load_error_strings(); SSL_library_init(); SSL_CTX *ctx = SSL_CTX_new(SSLv3_method()); int r = SSL_CTX_load_verify_locations(ctx, cafile, capath); printf(SSL_CTX_load_verify_locations: %d\n,r); } Here's the stack backtrace from the core file: #0 0x0001000639a8 in x509_object_cmp (a=value optimized out, b=value optimized out) at x509_lu.c:161 161 ret=((*a)-type - (*b)-type); (gdb) bt #0 0x0001000639a8 in x509_object_cmp (a=value optimized out, b=value optimized out) at x509_lu.c:161 #1 0x7ef53a9c in qsort () from /usr/lib/64/libc.so.1 #2 0x00010004d9ac in sk_sort (st=0x1002351a0) at stack.c:331 #3 0x00010004dac0 in sk_find (st=0x1002351a0, data=0x100291900 ) at stack.c:227 #4 0x0001000640f4 in X509_OBJECT_retrieve_match (h=0x1002351a0, x=0x100291900) at x509_lu.c:460 #5 0x000100064354 in X509_STORE_add_cert (ctx=0x10021db80, x=0x100257f70) at x509_lu.c:344 #6 0x0001000663e8 in X509_load_cert_crl_file (ctx=0x1002354a0, file=value optimized out, type=value optimized out) at by_file.c:287 #7 0x000100066504 in by_file_ctrl (ctx=0x1002354a0, cmd=1, argp=0x18 Address 0x18 out of bounds, argl=1, ret=0x0) at by_file.c:120 #8 0x000100063858 in X509_LOOKUP_ctrl (ctx=0x0, cmd=1, argc=0x1000d0210 /home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/ ca-bundle.crt, argl=1, ret=0x0) at x509_lu.c:117 #9 0x000100060258 in X509_STORE_load_locations (ctx=0x10021db80, file=0x1000d0210 /home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/ ca-bundle.crt, path=0x1000d01a0 /home/aspa/kronodoc/dev-3.4/httpd/conf/ ssl.crt) at x509_d2.c:92 #10 0x000100023e64 in main () at x509catest.c:17 Here's the exact build procedure I'm using to build OpenSSL: # build OpenSSL export PATH=/opt/local/gcc/4.0/bin:$PATH:/usr/ccs/bin:/opt/sfw/bin perl Configure solaris64-sparcv9-gcc no-idea no-shared -g -fPIC -- prefix=/home/aspa/tmp/openssl098a gmake depend gmake gmake test gmake install -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Evp_Encrypt_Init Segfault
I'm not much of an expert with any of this, but you may want to look at some of the return values of some of the functions to make sure everything is good, such as on EVP_EncryptFinal. Please take a look at some code I did up last summer in C++ (but it is almost all C), located at http://lunir.com/Encryption.cpp. The Function in particular would be int Encryption::encrypt(std::ifstream istream, std::ofstream ostream). It deals with streams but converts it all into cstrings, so it should roughtly be the same. Hope this helps. -- Matthew Clarkson On Mon, 30 Jan 2006, Felix Dorner wrote: Hi, the following code executes once, and does fine. Calling the function a second time gives a segfault during the call marked by -- unsigned char *encrypt_message(unsigned char *message, int inl, int *outl) { EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(ctx); --EVP_EncryptInit(ctx, EVP_bf_ecb(), NULL, NULL); EVP_CIPHER_CTX_set_key_length(ctx, SHA_DIGEST_LENGTH); EVP_EncryptInit(ctx, NULL, k, NULL); char *ret; int tmp, ol; ol = 0; ret = (char *)malloc(inl + EVP_CIPHER_CTX_block_size(ctx)); EVP_EncryptUpdate(ctx, ret[ol], tmp, message, inl); ol = tmp; EVP_EncryptFinal(ctx, ret[ol], tmp); *outl = ol+tmp; return ret; } Anything obvious that might lead to the segfault? Thanks, Felix __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
any information regarding adding DTLS using OpenSSL
Dear all, I am a student and am trying to setup a demonstration with TLS and DTLS support between a SIP client and a Proxy. Has anyone some information regarding adding DTLS support for a SIP client/Proxy or a more generic one using OpenSSL. I just need it for demonstration purposes and so error handling's if any need not be complete. Just a simple support and a demonstration of both would do fine. If anyone has any information regarding this, may be a how to start or any introductory article would be of great help, kindly let me know. This would be of great help. Any suggestions regarding the same are most welcome. kindly let me know and thank you very much. regards, Pjothi
OPENSSL for z/OS 1.4 ???
Hello ... where can I find OPENSSL for z/OS 1.4 ?? The IBM site directs me to the OPENSSL site but I do not see an OPENSSLversion specifically listed for z/OS ??? thanks so much for any info you can supply !!! marian
RE: OPENSSL for z/OS 1.4 ???
You should take the OpenSSL tar file for the version you want. All the materials you need are there. once you un-tar, you should use the command./Confgure OS390-Unix, and then make. I would recommend Perl 5.6.1, and you need GNU make. Dave McLellan --Consulting Software Engineer - SPEA Engineering EMC Corporation 228 South St. Mail Stop: 228 LL/AA-24 Hopkinton, MA 01748 USA +1-508-249-1257 F: +1-508-497-8030 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MarianSent: Tuesday, January 31, 2006 12:52 PMTo: openssl-users@openssl.orgSubject: OPENSSL for z/OS 1.4 ??? Hello ... where can I find OPENSSL for z/OS 1.4 ?? The IBM site directs me to the OPENSSL site but I do not see an OPENSSLversion specifically listed for z/OS ??? thanks so much for any info you can supply !!! marian
SSL_METHOD
It appears that the SSL_METHOD functions don't allow a server to accept connections using either SSL or TLS, so it has to be either one or the other. Does anyone have a work around to allow both SSL and TLS connections to be accepted? -Chris Clark __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
Hello, I am trying to obtain a MIME version of an S/MIME message...I can sign and verify e-mail messages with the libraries provided. However when I don't want to verify and I just want to receive the text with MIME headers, it fails. It works fine when there is a valid certificate, but if I don't have a valid certificate/or don't use a certificate, it returns 0. I just want to view it in NON-S/MIME I am not concerned about the signature, because that works... Here is the function I am trying to use: cout PKCS7_verify(pkcs7, NULL, NULL, pkcs7BIO, outBIO, PKCS7_NOVERIFY|PKCS7_NOSIGS|PKCS7_TEXT) endl; I get the following errors from ERR: SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed PKCS7_verify:smime text error:pk7_smime.c:250 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
On Tue, Jan 31, 2006, Chevalier, Victor T. wrote: Hello, I am trying to obtain a MIME version of an S/MIME message...I can sign and verify e-mail messages with the libraries provided. However when I don't want to verify and I just want to receive the text with MIME headers, it fails. It works fine when there is a valid certificate, but if I don't have a valid certificate/or don't use a certificate, it returns 0. I just want to view it in NON-S/MIME I am not concerned about the signature, because that works... Here is the function I am trying to use: cout PKCS7_verify(pkcs7, NULL, NULL, pkcs7BIO, outBIO, PKCS7_NOVERIFY|PKCS7_NOSIGS|PKCS7_TEXT) endl; I get the following errors from ERR: SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed PKCS7_verify:smime text error:pk7_smime.c:250 As the docs say PKCS7_TEXT expects text headers. If you that isn't true don't use that flag. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL_METHOD
On Tue, Jan 31, 2006, Chris Clark wrote: It appears that the SSL_METHOD functions don't allow a server to accept connections using either SSL or TLS, so it has to be either one or the other. Have you tried SSLv23_server_method()? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: CVSNT sserver SSL error
Your client is trying to use SSLv2, or SSLv3, and the server is configured to not allow that protocol. (Or, the server isn't configured to use any protocol.) I don't know the specifics of how to configure what you're doing, but I do know that there are environment variables available to specify what protocol versions to accept. -Kyle H On 1/31/06, Jason Williard [EMAIL PROTECTED] wrote: I just installed CVSNT 2.5.03.2151 on a Red Hat Enterprise 4 server. OpenSSL was previously installed with prefix /usr. When I attempt to connect using TortoiseCVS, I get the following error: SSL connection failed (-1): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number cvs.exe [import aborted]: Connection to server failed Does anyone know what could be wrong? Thank You, Jason Williard I considered this as a possibility. The part that doesn't make sense is that I was under the belief that OpenSSL v0.9.7i supports both SSLv2 SSLv3. Is this correct? Thank You, Jason Williard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CVSNT sserver SSL error
On 1/31/06, Jason Williard [EMAIL PROTECTED] wrote: I considered this as a possibility. The part that doesn't make sense is that I was under the belief that OpenSSL v0.9.7i supports both SSLv2 SSLv3. Is this correct? It does, yes, but by default there's no ciphers or protocol versions enabled. (It also supports TLSv1.) They have to be explicitly enabled -- and a server certificate installed on the server -- before SSL can be used at all. You need to check the documentation for cvsNT to see how to properly configure it. -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
The headers are text...and it works when there is a certificate present and I do a normal verify, but when I just want to spit it out, no go...any ideas? Victor -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Tuesday, January 31, 2006 2:02 PM To: openssl-users@openssl.org Subject: Re: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS On Tue, Jan 31, 2006, Chevalier, Victor T. wrote: Hello, I am trying to obtain a MIME version of an S/MIME message...I can sign and verify e-mail messages with the libraries provided. However when I don't want to verify and I just want to receive the text with MIME headers, it fails. It works fine when there is a valid certificate, but if I don't have a valid certificate/or don't use a certificate, it returns 0. I just want to view it in NON-S/MIME I am not concerned about the signature, because that works... Here is the function I am trying to use: cout PKCS7_verify(pkcs7, NULL, NULL, pkcs7BIO, outBIO, PKCS7_NOVERIFY|PKCS7_NOSIGS|PKCS7_TEXT) endl; I get the following errors from ERR: SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed PKCS7_verify:smime text error:pk7_smime.c:250 As the docs say PKCS7_TEXT expects text headers. If you that isn't true don't use that flag. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
On Tue, Jan 31, 2006, Chevalier, Victor T. wrote: The headers are text...and it works when there is a certificate present and I do a normal verify, but when I just want to spit it out, no go...any ideas? Well the error messages suggests it is type multipart/mixed. Does the smime utility do the same? Can you post an example message? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Evp_Encrypt_Init Segfault
I somehow corrupted the ctx object by overshooting the malloced area as Mark had pointed out. The problem is solved now, thanks, felix __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: any information regarding adding DTLS using OpenSSL
Dear Pjothi, Making an application TLS aware/TLS enabled is not much trouble once you have access to the source code. You have to set up the SSL/TLS server with proper X.509 certificate and corresponding private key, specify which protocol(in your case TLS v1) you want to use and then call SSL_accept() at the server side. In the client side you would have to call an SSL_connect() which would take care of the SSL/TLS handshake. After that all you have to do is replace all send/write with SSL_write() and all read/recv with SSL_read(). There are a few examples for you to get started. For generating X.509 certificates you can use the openssl command line tool or get a readymade keypair. Here are links that will help you in this endeavor. http://www.rtfm.com/sslbook/examples/c-examples.tar.gz http://www.opensslbook.com/NSwO-1.3.tar.gz I have no idea about DTLS. This website seems to give some info. http://crypto.stanford.edu/~nagendra/projects/dtls/dtls.html Once you get familiarised with TLS DTLS should not be much different I guess. All the best! regards, Girish --- Pjothi [EMAIL PROTECTED] wrote: Dear all, I am a student and am trying to setup a demonstration with TLS and DTLS support between a SIP client and a Proxy. Has anyone some information regarding adding DTLS support for a SIP client/Proxy or a more generic one using OpenSSL. I just need it for demonstration purposes and so error handling's if any need not be complete. Just a simple support and a demonstration of both would do fine. If anyone has any information regarding this, may be a how to start or any introductory article would be of great help, kindly let me know. This would be of great help. Any suggestions regarding the same are most welcome. kindly let me know and thank you very much. regards, Pjothi __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
OpenSSL on OpenBSD - complexities?
Hello, We are planning on using OpenSSL on an OpenBSD 3.8 platform to generate RSA key pairs, sign them with our own CA and embed them in hard tokens. I notice a question in the FAQ: ''Why does OpenBSD-i386 build fail on des-586.s with 'Unimplemented segment type'?'' The answer makes me wonder: are there complexities to this combination (OpenBSD/OpenSSL) that we should know about? Thanks in advance. -- Wes Kussmaul CIO The Village Group 738 Main Street Waltham, MA 02451 781-647-7178 My uncle likes to say that the world’s biggest troubles started when the serpent said, “Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” I don’t get the serpent and fruit part. Must be some Swiss mythology thing. He can be a bit obscure. P.K. Iggy _How I Like Fixed The Internet_ (Tales from the Great Infodepression of 2009 and the prosperity that followed) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: any information regarding adding DTLS using OpenSSL
The problem is this: DTLS code exists in OpenSSL somewhere, but it's not documented. -Kyle H On 1/31/06, Girish Venkatachalam [EMAIL PROTECTED] wrote: Dear Pjothi, Making an application TLS aware/TLS enabled is not much trouble once you have access to the source code. You have to set up the SSL/TLS server with proper X.509 certificate and corresponding private key, specify which protocol(in your case TLS v1) you want to use and then call SSL_accept() at the server side. In the client side you would have to call an SSL_connect() which would take care of the SSL/TLS handshake. After that all you have to do is replace all send/write with SSL_write() and all read/recv with SSL_read(). There are a few examples for you to get started. For generating X.509 certificates you can use the openssl command line tool or get a readymade keypair. Here are links that will help you in this endeavor. http://www.rtfm.com/sslbook/examples/c-examples.tar.gz http://www.opensslbook.com/NSwO-1.3.tar.gz I have no idea about DTLS. This website seems to give some info. http://crypto.stanford.edu/~nagendra/projects/dtls/dtls.html Once you get familiarised with TLS DTLS should not be much different I guess. All the best! regards, Girish --- Pjothi [EMAIL PROTECTED] wrote: Dear all, I am a student and am trying to setup a demonstration with TLS and DTLS support between a SIP client and a Proxy. Has anyone some information regarding adding DTLS support for a SIP client/Proxy or a more generic one using OpenSSL. I just need it for demonstration purposes and so error handling's if any need not be complete. Just a simple support and a demonstration of both would do fine. If anyone has any information regarding this, may be a how to start or any introductory article would be of great help, kindly let me know. This would be of great help. Any suggestions regarding the same are most welcome. kindly let me know and thank you very much. regards, Pjothi __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]