[OPENSSL Crash]SSL_CTX_free() function will happen the "segmentation fault" in arm-linux which kernel is version 2.6
I make the openssl 0.9.8i or openssl 0.9.8k and build the libssl.so and libcrypto.so in the arm-linux which kernel is version 2.6. When I will deinit the SSL Ctx buffer and call the SSL_CTX_free() in my porting eap_supplicant, the SSL_CTX_free() function will happen the "segmentation fault". But I use the same eap_supplicant with openssl 0.9.7d, the function can not crash. Do I be able to make the openssl 0.9.8 seriors with some special parameters or other action. Thanks. -- View this message in context: http://www.nabble.com/-OPENSSL-Crash-SSL_CTX_free%28%29-function-will-happen-the-%22segmentation-fault%22-in-arm-linux-which-kernel-is-version-2.6-tp23648275p23648275.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: On the fly certificate generation to send to the client
AngelWarrior wrote: > but this still requires a CA kind of certificate right. > I dont know if the client will be have a CA certificate > to authenticate it.If I am wrong please explain me how > it can be done. The usual solution (as used on secure web pages, for credit card orders, and so on) is as follows: 1) The client connects to the server, knowing the name of the server it wants to reach (say, 'www.amazon.com' or 'www.paypal.com'. 2) The server proves its identity to the client with a CA-issued certificate. The client confirms that the certificate is validly signed by a CA it trusts, issued to the name of the server it wanted to reach, and that the server it connects to knows the private key corresponding to the public key in the server. - - At this stage, the client knows it has a secure connection to the server it wants. The server has no idea who it's talking to. - - 3) The client proves its identity to the server with a user/account name and password. The user knows it is talking to the correct server, and so can send its password without fear. - - At this stage, each end knows who it is talking to and knows that there cannot be any interceptors or MITMs (unless one side has not done what it was supposed to do, but you can always compromise your own security). - - There is no need for the client to have a certificate unless there is no other way for the client to prove its identity to the server. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: On the fly certificate generation to send to the client
AngelWarrior writes: > but this still requires a CA kind of certificate right.I dont know if the > client will be have a CA certificate to authenticate it.If I am wrong please > explain me how it can be done. Regular SSL only requires a certificate on the server. Encrypted Web browsing with https, for example, doesn't require a client certificate. Scott. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: On the fly certificate generation to send to the client
AngelWarrior wrote: > Thank you for replying. > I am thinking of this design.Is this feasible.My design approach > is mainly based on > "I dont need to know with whom I am contacting but after contact > my messages should be private." I don't think this is a coherent approach unless you layer some kind of authentication on top of it. For example, you cannot set up authentication of this type and then send a password, because you have no idea who you are sending it to. Suppose Alice wants to send some message to Bob. The problem is, she never knows if she has: Alice <-> Bob or Alice <-> MITM <-> Bob And if she has the bottom, your messages are not private. The MITM can detect them. So you never know if there is someone between you and the actual originator of the data. I can't see how this could be useful unless you do one of several things that you don't seem to be doing. (For example, using Shamir's Interlock protocol, using a second-round of authentication against the SSL finished messages, or using secure challenge-response authentication to prove identity.) >1.(client)create a normal socket and connect to the server >2.(server)After receiving the connection send deffie hellman paramerters >3. (client)compute my key and pass the params for DH >4.(server)compute the key number >6. (client)Multiple(n==10) key exchange using DH >5. (server)Multiple(n==10) key exchange using DH >7.(server)generate the public key and encrypt with the key which we have already exchanged. >8.(server)Send the key to client and disconnect the normal socket. >10.(client)after receiving the key close the connection. >11.(client)Start a normal openssl connection. Why not just let SSL and an anonymous protocol do the whole thing? I don't see any benefit to all the early steps. And I don't see how this would be useful if you don't implement MITM detection elsewhere or otherwise design the next protocol up to reject a MITM. Most people who say they want to do what you are doing don't realize that they really do need MITM detection. They think "I don't care who's at the other end, so I don't need a known certificate", but the problem is that you can't know that the data is actually originating with the other end of the SSL connection without MITM detection. What's the point of encryption if you don't know if you're talking to Bob, or Bob through a MITM? You can't hide the data from the MITM, so why bother encrypting? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: On the fly certificate generation to send to the client
On Wed, May 20, 2009 at 03:18:34PM -0500, AngelWarrior wrote: > Thank you for replying. > I am thinking of this design.Is this feasible.My design approach is mainly > based on > "I dont need to know with whom I am contacting but after contact my messages > should be private." For pseudonymous security, where authentication is boot-strapped from an insecure initial introduction: Post the server certificate on a web-site, have clients download it the first time, and cache it for its lifetime. You can sign each generation of the server cert with the previous cert using s/mime or similar. For one-shot message confidentiality against passive eavesdroppers: Use anonymous TLS cipher-suites that don't have any certificates at all. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: On the fly certificate generation to send to the client
Thank you for replying. I am thinking of this design.Is this feasible.My design approach is mainly based on "I dont need to know with whom I am contacting but after contact my messages should be private." client(My own application) Server (My own application) 1.(client)create a normal socket and connect to the server 2.(server)After receiving the connection send deffie hellman paramerters 3. (client)compute my key and pass the params for DH 4.(server)compute the key number 6. (client)Multiple(n==10) key exchange using DH 5. (server)Multiple(n==10) key exchange using DH 7.(server)generate the public key and encrypt with the key which we have already exchanged. 8.(server)Send the key to client and disconnect the normal socket. 10.(client)after receiving the key close the connection. 11.(client)Start a normal openssl connection. With Regards On Wed, May 20, 2009 at 2:48 PM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote: > On Wed, May 20, 2009 at 02:37:58PM -0500, AngelWarrior wrote: > > > I need some Info.I have a client and server application which requires a > > secure medium for the transferring of data between each other. Currently > I > > am using openssl to achieve this using private and public key > certificates > > with RSA encryption. I don't want to ship the certificate with each every > > and client application. > > > > So, Is there a method where I can transfer an on the fly created > certificate > > from the server to the client securely(like using diffi-hellman) and > > after exchanging the certificates. I will communicate with the normal > > openssl process. > > Certifications are for *authentication*, which is only possible via: > >- Prior bi-lateral exchange of keys (what you are doing now) > OR >- Mediated key-exchange via a "trusted" introducer (the public CA > model such as it is today) > OR >- Scalable mediated introduction via a trusted online distributed > database, i.e keys in a secure DNS. This has not happened yet, > and may yet fail to materialize. > > If you need authentication, pick one of the first two. If you don't, > use anonymous ciphers and accept the risk of active man-in-the-middle > attacks, with TLS protecting you only against passive eavesdropping. > > -- >Viktor. > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > -- _/\_ With Regards SB Angel Warrior
RE: On the fly certificate generation to send to the client
> AngelWarrior writes: > > > but this still requires a CA kind of certificate right. > > I dont know if the client will be have a CA certificate > > to authenticate it.If I am wrong please explain me how > > it can be done. > > The server must have or know something that an attacker does not > have or know. Otherwise, there is no way for the client to know > that it is talking to the server, which you have said is a requirement. > > So the question is: What would you like to be that something that > the server has or knows that an attacker cannot have or know? > > It can be a CA certificate, but it does not have to be. > However, it must be something. > > DS Sorry to reply to myself, but I should clarify: That something the server has or knows, must be from the perspective of the client. So "some random certificate I just generated" doesn't work because an attacker can also generate some random certificate. Though they can't generate the exact same certificate the server happened to generate, the client must have some way to tell the difference. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: On the fly certificate generation to send to the client
AngelWarrior writes: > but this still requires a CA kind of certificate right. > I dont know if the client will be have a CA certificate > to authenticate it.If I am wrong please explain me how > it can be done. The server must have or know something that an attacker does not have or know. Otherwise, there is no way for the client to know that it is talking to the server, which you have said is a requirement. So the question is: What would you like to be that something that the server has or knows that an attacker cannot have or know? It can be a CA certificate, but it does not have to be. However, it must be something. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: CMS/ANS1 examples
On Wed, May 20, 2009, Chris Bare wrote: > > > Are there any good examples of using the ASN1 and CMS functions in > > > openssl 1.0 > > > for generic operations? > > > I'm trying to talk to an SCVP server, which takes requests wrapped in DER > > > encoded > > > CMS ContentInfo structure. So far I can't find an openssl function to > > > output a > > > CMS that way, so any example code or pointers would be appreciated. > > > > Try demos/cms > > > > I've been through all of that. The thing that confuses me is that I just want > a ContactInfo wrapper. I don't need to sign it or compress it etc, and it > looks like I can use CMS_data_create in that case, but then I just want to > write it to a socket in DER format, not base64. > Also I need to figure out how to build up other ASN1 structures to go inside > the ContactInfo. I hoped looking at the CMS code would give me an example to > follow, but if so, I haven't figured it out yet. > The ContentInfo wrapper can be of many types. If you just want data the CMS_data_create() will work. Then you can write the result to a memory buffer using i2d_CMS_ContentInfo() and once there to a socket. There are various options to set the inner content type as well. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: On the fly certificate generation to send to the client
but this still requires a CA kind of certificate right.I dont know if the client will be have a CA certificate to authenticate it.If I am wrong please explain me how it can be done. On Wed, May 20, 2009 at 2:47 PM, Scott Gifford wrote: > AngelWarrior writes: > > > I need some Info.I have a client and server application which > > requires a secure medium for the transferring of data between each > > other. Currently I am using openssl to achieve this using private > > and public key certificates with RSA encryption. I don't want to > > ship the certificate with each every and client application. > > Hello, > > The easiest way to transfer data securely between a client and server > over the network is to simply use an SSL connection. It will only > require a certificate on the server, and will take care of all of the > necessary details to set up a secure channel. > > Is there a reason this won't work for you and you need to use RSA > directly? If so, please explain the reason; it will probably affect > what sort of solution will be workable for you. > > -Scott. > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > -- _/\_ With Regards SB Angel Warrior
Re: On the fly certificate generation to send to the client
forgot to say at step 7 and 8 agreed upon encryption algorithm On Wed, May 20, 2009 at 3:18 PM, AngelWarrior wrote: > Thank you for replying. > I am thinking of this design.Is this feasible.My design approach is mainly > based on > "I dont need to know with whom I am contacting but after contact my > messages should be private." > > client(My own application) > Server (My own application) > > > 1.(client)create a normal socket and connect to the > server > 2.(server)After receiving the connection send deffie hellman paramerters > 3. (client)compute my key and pass the params for > DH > 4.(server)compute the key number > 6. (client)Multiple(n==10) key exchange using > DH > 5. (server)Multiple(n==10) key exchange using DH > 7.(server)generate the public key and encrypt with the key which we have > already exchanged. > 8.(server)Send the key to client and disconnect the normal socket. > 10.(client)after receiving the key close the connection. > 11.(client)Start a normal openssl connection. > > With Regards > > > > > > > On Wed, May 20, 2009 at 2:48 PM, Victor Duchovni < > victor.ducho...@morganstanley.com> wrote: > >> On Wed, May 20, 2009 at 02:37:58PM -0500, AngelWarrior wrote: >> >> > I need some Info.I have a client and server application which requires a >> > secure medium for the transferring of data between each other. Currently >> I >> > am using openssl to achieve this using private and public key >> certificates >> > with RSA encryption. I don't want to ship the certificate with each >> every >> > and client application. >> > >> > So, Is there a method where I can transfer an on the fly created >> certificate >> > from the server to the client securely(like using diffi-hellman) and >> > after exchanging the certificates. I will communicate with the normal >> > openssl process. >> >> Certifications are for *authentication*, which is only possible via: >> >>- Prior bi-lateral exchange of keys (what you are doing now) >> OR >>- Mediated key-exchange via a "trusted" introducer (the public CA >> model such as it is today) >> OR >>- Scalable mediated introduction via a trusted online distributed >> database, i.e keys in a secure DNS. This has not happened yet, >> and may yet fail to materialize. >> >> If you need authentication, pick one of the first two. If you don't, >> use anonymous ciphers and accept the risk of active man-in-the-middle >> attacks, with TLS protecting you only against passive eavesdropping. >> >> -- >>Viktor. >> __ >> OpenSSL Project http://www.openssl.org >> User Support Mailing Listopenssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > > > > -- > _/\_ > With Regards > SB Angel Warrior > > -- _/\_ With Regards SB Angel Warrior
Re: On the fly certificate generation to send to the client
AngelWarrior writes: > I need some Info.I have a client and server application which > requires a secure medium for the transferring of data between each > other. Currently I am using openssl to achieve this using private > and public key certificates with RSA encryption. I don't want to > ship the certificate with each every and client application. Hello, The easiest way to transfer data securely between a client and server over the network is to simply use an SSL connection. It will only require a certificate on the server, and will take care of all of the necessary details to set up a secure channel. Is there a reason this won't work for you and you need to use RSA directly? If so, please explain the reason; it will probably affect what sort of solution will be workable for you. -Scott. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: On the fly certificate generation to send to the client
On Wed, May 20, 2009 at 02:37:58PM -0500, AngelWarrior wrote: > I need some Info.I have a client and server application which requires a > secure medium for the transferring of data between each other. Currently I > am using openssl to achieve this using private and public key certificates > with RSA encryption. I don't want to ship the certificate with each every > and client application. > > So, Is there a method where I can transfer an on the fly created certificate > from the server to the client securely(like using diffi-hellman) and > after exchanging the certificates. I will communicate with the normal > openssl process. Certifications are for *authentication*, which is only possible via: - Prior bi-lateral exchange of keys (what you are doing now) OR - Mediated key-exchange via a "trusted" introducer (the public CA model such as it is today) OR - Scalable mediated introduction via a trusted online distributed database, i.e keys in a secure DNS. This has not happened yet, and may yet fail to materialize. If you need authentication, pick one of the first two. If you don't, use anonymous ciphers and accept the risk of active man-in-the-middle attacks, with TLS protecting you only against passive eavesdropping. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
On the fly certificate generation to send to the client
Hi, I need some Info.I have a client and server application which requires a secure medium for the transferring of data between each other. Currently I am using openssl to achieve this using private and public key certificates with RSA encryption. I don't want to ship the certificate with each every and client application. So, Is there a method where I can transfer an on the fly created certificate from the server to the client securely(like using diffi-hellman) and after exchanging the certificates. I will communicate with the normal openssl process. -- _/\_ With Regards SB Angel Warrior
Re: Openssl command line utility with FIPS 140-2 compliant module
If you build the FIPS module as documented, it will create the fipscanister.o. If you then build a version of OpenSSL 0.9.8 that has FIPS support with the appropriate command-line option to build it and link it with fipscanister.o, you have a version of the library (and commandline tools) that will use the FIPS-validated canister. The magic incantation to get the command-line tools to use the FIPS canister is: csh$ setenv OPENSSL_FIPS 1 bash$ export OPENSSL_FIPS=1 -Kyle H On Wed, May 20, 2009 at 1:02 AM, Mansoor Ali Khan wrote: > Hi, > > > > I wanted to know if the openssl command line utility is available with the > FIPS 140-2 package. I mean would I still be able to run commands like > genrsa, genpkey etc. from the command line with openssl FIPS crypto module > doing all the work ? > > > > > > Regards, > > MAK > > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > If you have received this email in error please notify the author and delete > the email. Please note that any views or opinions presented in this email > are solely those of the author and do not necessarily represent those of the > organization. Finally, the recipient should check this email and any > attachments for the presence of viruses. HBL accepts no liability for any > damage caused by any virus transmitted by this email. > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [FWD] Openssl-0.9.8e/i build fails with Aix5.3 64 bit
If the 'make test' runs fine, then it's working. You're asking it to test the hardware engine acceleration capability with that command ('openssl engine -t'); you didn't ask it to build the engine support in the original ./config line. For building apache against it, download the apache source and follow their instructions, pointing to /usr/local/ssl as the ssl directory. -Kyle H On Wed, May 20, 2009 at 9:26 AM, Lutz Jaenicke wrote: > Forwarded to openssl-users as this forum seems to be appropriate. > > Best regards, > Lutz > > - Forwarded message from "Jaiman, Yateendra" > - > > Subject: Openssl-0.9.8e/i build fails with Aix5.3 64 bit > Date: Wed, 20 May 2009 17:34:10 +0530 > Thread-Topic: Openssl-0.9.8e/i build fails with Aix5.3 64 bit > Thread-Index: AcnZQxWkTI+KJDUGSpakHdq0cjGSSQ== > From: "Jaiman, Yateendra" > To: r...@openssl.org > > Hi, > > > > I am Building Openssl-0.9.8e/Openssl-0.9.8i On AIX 5.3 64 bit. > > > > Steps that I am following are: > > > > 1. ./Configure aix64-gcc -maix64 -lpthreads no-mdc2 no-rc5 no-idea > --prefix=/usr/local/ssl/ --openssldir=/usr/local/ssl/ > 2. make > 3. make test > 4. make install > > > > Runs fine. > > > > When I am executing ./Openssl engine -t command from /usr/local/ssl/bin > directory. > > > > The Out put Looks like this. > > > > (dynamic) Dynamic engine loading support > > [ unavailable ] > > (4758cca) IBM 4758 CCA hardware engine support > > [ unavailable ] > > (aep) Aep hardware engine support > > [ unavailable ] > > (atalla) Atalla hardware engine support > > [ unavailable ] > > (cswift) CryptoSwift hardware engine support > > [ unavailable ] > > (LunaCA3) Luna CA3 engine support > > [ unavailable ] > > (chil) CHIL hardware engine support > > [ unavailable ] > > (nuron) Nuron hardware engine support > > [ unavailable ] > > (sureware) SureWare hardware engine support > > [ unavailable ] > > (ubsec) UBSEC hardware engine support > > [ unavailable ] > > > > I have checked my gcc version. > > Output put of installed RPM on my system > > bash-3.2# rpm -qa > > cdrecord-1.9-7 > > mkisofs-1.13-4 > > conserver-8.1.7-2 > > info-4.6-1 > > gdbm-1.8.3-1 > > libgcc-4.0.0-1 > > gdbm-devel-1.8.3-1 > > libstdc++-devel-4.0.0-1 > > make-3.80-1 > > bash-3.2-1 > > expat-2.0.1-2 > > AIX-rpm-5.3.8.0-2 > > perl-IO-Multiplex-1.10-1 > > libxml2-2.6.17-3 > > osinstall-1.0-1 > > tk-8.5.6-1 > > perl-Crypt-Blowfish-2.10-1 > > libgcc-4.2.4-1 > > libstdc++-4.2.4-1 > > libstdc++-devel-4.2.4-1 > > gcc-4.2.4-1 > > gcc-cpp-4.2.4-1 > > gcc-c++-4.2.4-1 > > gettext-0.10.40-8 > > gdb-6.8-1 > > tcl-8.5.6-1 > > perl-5.8.8-1 > > perl-Crypt-CAST5-0.05-1 > > perl-Digest-CRC-0.14-1 > > perl-Crypt-CBC-2.29-1 > > egd-0.8-1 > > zlib-1.2.3-5 > > zlib-devel-1.2.3-5 > > dos2unix-3.1-1 > > prngd-0.9.29-1 > > zip-2.3-3 > > unzip-5.51-1 > > vim-common-6.3-1 > > vim-enhanced-6.3-1 > > > > I want to install Openssl with Apache on AIX 5.3 .So please provide me > some details regarding this matter. > > > > > > Thanks&Regards, > > > > Yateendra Jaiman > > Software Engineer HSM-Integrations > > SafeNet InfoTech Pvt Ltd. > > 25 Years of Information Security Leadership > > > > > > The information contained in this electronic mail transmission > may be privileged and confidential, and therefore, protected > from disclosure. If you have received this communication in > error, please notify us immediately by replying to this > message and deleting it from your computer without copying > or disclosing it. > > > - End forwarded message - > -- > Lutz Jaenicke jaeni...@openssl.org > OpenSSL Project http://www.openssl.org/~jaenicke/ > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-us...@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
[FWD] Openssl-0.9.8e/i build fails with Aix5.3 64 bit
Forwarded to openssl-users as this forum seems to be appropriate. Best regards, Lutz - Forwarded message from "Jaiman, Yateendra" - Subject: Openssl-0.9.8e/i build fails with Aix5.3 64 bit Date: Wed, 20 May 2009 17:34:10 +0530 Thread-Topic: Openssl-0.9.8e/i build fails with Aix5.3 64 bit Thread-Index: AcnZQxWkTI+KJDUGSpakHdq0cjGSSQ== From: "Jaiman, Yateendra" To: r...@openssl.org Hi, I am Building Openssl-0.9.8e/Openssl-0.9.8i On AIX 5.3 64 bit. Steps that I am following are: 1. ./Configure aix64-gcc -maix64 -lpthreads no-mdc2 no-rc5 no-idea --prefix=/usr/local/ssl/ --openssldir=/usr/local/ssl/ 2. make 3. make test 4. make install Runs fine. When I am executing ./Openssl engine -t command from /usr/local/ssl/bin directory. The Out put Looks like this. (dynamic) Dynamic engine loading support [ unavailable ] (4758cca) IBM 4758 CCA hardware engine support [ unavailable ] (aep) Aep hardware engine support [ unavailable ] (atalla) Atalla hardware engine support [ unavailable ] (cswift) CryptoSwift hardware engine support [ unavailable ] (LunaCA3) Luna CA3 engine support [ unavailable ] (chil) CHIL hardware engine support [ unavailable ] (nuron) Nuron hardware engine support [ unavailable ] (sureware) SureWare hardware engine support [ unavailable ] (ubsec) UBSEC hardware engine support [ unavailable ] I have checked my gcc version. Output put of installed RPM on my system bash-3.2# rpm -qa cdrecord-1.9-7 mkisofs-1.13-4 conserver-8.1.7-2 info-4.6-1 gdbm-1.8.3-1 libgcc-4.0.0-1 gdbm-devel-1.8.3-1 libstdc++-devel-4.0.0-1 make-3.80-1 bash-3.2-1 expat-2.0.1-2 AIX-rpm-5.3.8.0-2 perl-IO-Multiplex-1.10-1 libxml2-2.6.17-3 osinstall-1.0-1 tk-8.5.6-1 perl-Crypt-Blowfish-2.10-1 libgcc-4.2.4-1 libstdc++-4.2.4-1 libstdc++-devel-4.2.4-1 gcc-4.2.4-1 gcc-cpp-4.2.4-1 gcc-c++-4.2.4-1 gettext-0.10.40-8 gdb-6.8-1 tcl-8.5.6-1 perl-5.8.8-1 perl-Crypt-CAST5-0.05-1 perl-Digest-CRC-0.14-1 perl-Crypt-CBC-2.29-1 egd-0.8-1 zlib-1.2.3-5 zlib-devel-1.2.3-5 dos2unix-3.1-1 prngd-0.9.29-1 zip-2.3-3 unzip-5.51-1 vim-common-6.3-1 vim-enhanced-6.3-1 I want to install Openssl with Apache on AIX 5.3 .So please provide me some details regarding this matter. Thanks&Regards, Yateendra Jaiman Software Engineer HSM-Integrations SafeNet InfoTech Pvt Ltd. 25 Years of Information Security Leadership The information contained in this electronic mail transmission may be privileged and confidential, and therefore, protected from disclosure. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer without copying or disclosing it. - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Decoding ASN.1 certificate content
IMO a good approach is also to simple read and understand apps/x509.c __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: CMS/ANS1 examples
> > Are there any good examples of using the ASN1 and CMS functions in openssl > > 1.0 > > for generic operations? > > I'm trying to talk to an SCVP server, which takes requests wrapped in DER > > encoded > > CMS ContentInfo structure. So far I can't find an openssl function to > > output a > > CMS that way, so any example code or pointers would be appreciated. > > Try demos/cms > I've been through all of that. The thing that confuses me is that I just want a ContactInfo wrapper. I don't need to sign it or compress it etc, and it looks like I can use CMS_data_create in that case, but then I just want to write it to a socket in DER format, not base64. Also I need to figure out how to build up other ASN1 structures to go inside the ContactInfo. I hoped looking at the CMS code would give me an example to follow, but if so, I haven't figured it out yet. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: CMS/ANS1 examples
On Wed, May 20, 2009, Chris Bare wrote: > Are there any good examples of using the ASN1 and CMS functions in openssl 1.0 > for generic operations? > I'm trying to talk to an SCVP server, which takes requests wrapped in DER > encoded > CMS ContentInfo structure. So far I can't find an openssl function to output a > CMS that way, so any example code or pointers would be appreciated. Try demos/cms Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
CMS/ANS1 examples
Are there any good examples of using the ASN1 and CMS functions in openssl 1.0 for generic operations? I'm trying to talk to an SCVP server, which takes requests wrapped in DER encoded CMS ContentInfo structure. So far I can't find an openssl function to output a CMS that way, so any example code or pointers would be appreciated. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Some question about Diffie-Hellman and RSA program?
Dear all: I have some questions about DH in crypto 1. can we assign different generator in DH, since the default is 2, 3 or 5. 2. the p is randomly generated from BN_generate_prime_ex in dh_buildtin_genparams. if I have a p already, can I directly pass to DH*ret instead of randomly generating it? 3. if the answers of above are no, can I use RSA as replacement, since in Rsa_test.c, I see we directly assign all the prime we need. in RSA, C ≡ M^e mod n and in Diffie-Hellman, X= g^x (mod p). it seems what I only have to do is replacing M as g, n as p, and generate a random number x, right? 4. in rsa_test.c, we usenum = RSA_public_encrypt(plen, ptext_ex, ctext, key, RSA_PKCS1_PADDING); to do the encryption. But each time I run the program with key1, the content of ctext is different. In the program, we set p,n,e, and ptext is the same. Why I got different ctext each time? appreciate your help, miloody __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Decoding ASN.1 certificate content
Hi All, Can someone please direct me to the relevant OpenSSL API for decoding binary stream of the entire certificate content in ASN.1 format? The reason that I need it is for extracting extra details from certificate that I'm getting from IIS web server using Request.ClientCertificate["Certificate"] call. I don't want to use microsoft's API for extracting the details because of compatability issues between MS & OpenSSL in fields represantation. As stated in Microsoft documantation, the Request.ClientCertificate["Certificate"] value is: A string containing the binary stream of the entire certificate content in ASN.1 format. This is useful to discover if special *SubFields* are present. http://msdn.microsoft.com/en-us/library/ms524668.aspx Thanks, -- Lior Aharoni
Openssl command line utility with FIPS 140-2 compliant module
Hi, I wanted to know if the openssl command line utility is available with the FIPS 140-2 package. I mean would I still be able to run commands like genrsa, genpkey etc. from the command line with openssl FIPS crypto module doing all the work ? Regards, MAK This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the author and delete the email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organization. Finally, the recipient should check this email and any attachments for the presence of viruses. HBL accepts no liability for any damage caused by any virus transmitted by this email.
Re: Decoding ASN.1 certificate content
On 2009.05.20 at 15:03:09 +0300, Lior Aharoni wrote: >Hi Victor, > >Thank you for the quick reply. >I did try to use d2i_X509 function but I get the following error: > > 2520:error:0D07207B:lib(13):func(114):reason(123):.\crypto\asn1\asn1_lib.c:150: First of all, you should call ERR_load_crypto_strings() in your program before doing anything else with OpenSSL functions. Thus you'll receive much more readable error messages. It seems that you are passing wrong buffer to d2i_X509 function or incorrectly pass buffer length. d2i_X509 expects following arguments: 1. Pointer to pointer to pointer to X509 structure to fill. If is NULL, fresh one would be allocated 2. Pointer to pointer to input buffer. pointer to buffer, pointed by this argument, would be incremented to point to first unparsed byte in the buffer 2. Length of buffer. Your error means that length of ASN1 structure as determined by parsing is bigger than specified length. If you pass data correctly, it means that there is something else in the beginning of the buffer, than binary DER representation of certificate. > > It is d2i_X509 function. It has same API as all other d2i functions and > return X509 structure which can be passed to various OpenSSL information > functions. Unfortunately, this part of OpenSSL is quite poorly > documented. > > __ > OpenSSL Project > [2]http://www.openssl.org > User Support Mailing List > [3]openssl-us...@openssl.org > Automated List Manager > [4]majord...@openssl.org > >-- >Lior Aharoni > > References > >Visible links >1. mailto:vi...@cryptocom.ru >2. http://www.openssl.org/ >3. mailto:openssl-users@openssl.org >4. mailto:majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: When I want to build the openssl 0.9.8k version on aix it fails in make test
On 2009.05.20 at 06:16:49 -0700, jo wrote: > > that is definitely better but now it fails in make test: > > *** Testing openssl-0.9.8k (can take a while) ..failed > *** Error: openssl-0.9.8k build error - make test failed > exec(): 0509-036 Cannot load program ./destest because of the following > errors: > 0509-022 Cannot load module ../util/../libcrypto.so. > 0509-150 Dependent module libgcc_s.a(shr.o) could not be loaded. > 0509-022 Cannot load module libgcc_s.a(shr.o). > 0509-026 System error: A file or directory in the path name does not > exist. > make[1]: *** [test_des] Error 255 This is rather your environment problem, than openssl problem, so I cannot give you definite solution - I'm not familiar with AIX. But from experience with other systems: 1. Recent versions of GCC (3.x and above) produce bineries which depend on some shared library, distributed with GCC. It is named libgcc_s (on most systems - libgcc_s.so.1, on your system it seems to be libgcc_s.a(shr.o) 2. There are two common ways to specify where dynamic linker searches for the dynamic libraries: 1. Set some environment variable (PATH on Windows, LD_LIBRARY_PATH on systems which use ELF executable format - Linux, Solaris, FreeBSD etc) to the list of directories which include directory which contains neccessary file. In your case it is probably /usr/local/lib, judging from that gcc itself is in /usr/local/bin. This solution is quick and dirty, it would make tests run without rebuild, but it is unacceptable for long-term production-use applications. 2. Use some linker switch to specify dynamic library search path to be hardcoded into executable. On most system it is -R/path. To pass this switch to linker you have to specify -Wl,-R/usr/local/lib in the gcc command line. To make OpenSSL makefile to pass this flag to gcc you can just add it to ./Configure command line. Or may be your GCC knows about this flag, and passing -Wl is not neccessary -R/usr/local/lib would suffice as it is so on Solaris. But I'm not sure that on AIX it is -R. Read your ld(1) manual __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: When I want to build the openssl 0.9.8k version on aix it fails in make test
that is definitely better but now it fails in make test: *** Testing openssl-0.9.8k (can take a while) ..failed *** Error: openssl-0.9.8k build error - make test failed exec(): 0509-036 Cannot load program ./destest because of the following errors: 0509-022 Cannot load module ../util/../libcrypto.so. 0509-150 Dependent module libgcc_s.a(shr.o) could not be loaded. 0509-022 Cannot load module libgcc_s.a(shr.o). 0509-026 System error: A file or directory in the path name does not exist. make[1]: *** [test_des] Error 255 Thanks J - Original Message From: Victor B. Wagner To: openssl-users@openssl.org Sent: Wednesday, May 20, 2009 11:58:14 AM Subject: Re: When I want to build the openssl 0.9.8k version on aix it fails as follows: On 2009.05.20 at 02:13:39 -0700, jo wrote: > > When I want to build the openssl 0.9.8k version on aix it fails as follows: > > > /usr/local/bin/gcc -I../crypto -I.. -I../include -DZLIB -DOPENSSL_THREADS > -qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro - > qroconst -c -o ssl_err.o ssl_err.c > gcc: unrecognized option '-qthreaded' > gcc: unrecognized option '-q32' > gcc: unrecognized option '-qmaxmem=16384' > gcc: unrecognized option '-qro' > gcc: unrecognized option '-qroconst' > > > Any ideas on how to fix this? It seems that you are trying to build with GCC OpenSSL source, configured for AIX proprietary compiler Try using ./Configure aix-gcc instead of just ./config (all options you've given to config should be given to Configure after platform specification) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Decoding ASN.1 certificate content
Hi Victor, Thank you for the quick reply. I did try to use d2i_X509 function but I get the following error: 2520:error:0D07207B:lib(13):func(114):reason(123):.\crypto\asn1\asn1_lib.c:150: 2520:error:0D068066:lib(13):func(104):reason(102):.\crypto\asn1\tasn_dec.c:1281: 2520:error:0D07803A:lib(13):func(120):reason(58):.\crypto\asn1\tasn_dec.c:380:Ty pe=X509 Do you know what might be the problem? Thanks, Lior 2009/5/20 Victor B. Wagner > On 2009.05.20 at 14:05:05 +0300, Lior Aharoni wrote: > > >Hi All, > >═ > >Can someone please direct me to the relevant OpenSSL API for decoding > >binary stream of the entire certificate content in ASN.1 format? > > It is d2i_X509 function. It has same API as all other d2i functions and > return X509 structure which can be passed to various OpenSSL information > functions. Unfortunately, this part of OpenSSL is quite poorly > documented. > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > -- Lior Aharoni
Re: Decoding ASN.1 certificate content
On 2009.05.20 at 14:05:05 +0300, Lior Aharoni wrote: >Hi All, >═ >Can someone please direct me to the relevant OpenSSL API for decoding >binary stream of the entire certificate content in ASN.1 format? It is d2i_X509 function. It has same API as all other d2i functions and return X509 structure which can be passed to various OpenSSL information functions. Unfortunately, this part of OpenSSL is quite poorly documented. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Decoding ASN.1 certificate content
Hi All, Can someone please direct me to the relevant OpenSSL API for decoding binary stream of the entire certificate content in ASN.1 format? The reason that I need it is for extracting extra details from certificate that I'm getting from IIS web server using Request.ClientCertificate["Certificate"] call. I don't want to use microsoft's API for extracting the details because of compatability issues between MS & OpenSSL in fields represantation. As stated in Microsoft documantation, the Request.ClientCertificate["Certificate"] value is: A string containing the binary stream of the entire certificate content in ASN.1 format. This is useful to discover if special SubFields are present. http://msdn.microsoft.com/en-us/library/ms524668.aspx Thanks, -- Lior Aharoni
Re: When I want to build the openssl 0.9.8k version on aix it fails as follows:
On 2009.05.20 at 02:13:39 -0700, jo wrote: > > When I want to build the openssl 0.9.8k version on aix it fails as follows: > > > /usr/local/bin/gcc -I../crypto -I.. -I../include -DZLIB -DOPENSSL_THREADS > -qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro - > qroconst -c -o ssl_err.o ssl_err.c > gcc: unrecognized option '-qthreaded' > gcc: unrecognized option '-q32' > gcc: unrecognized option '-qmaxmem=16384' > gcc: unrecognized option '-qro' > gcc: unrecognized option '-qroconst' > > > Any ideas on how to fix this? It seems that you are trying to build with GCC OpenSSL source, configured for AIX proprietary compiler Try using ./Configure aix-gcc instead of just ./config (all options you've given to config should be given to Configure after platform specification) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
When I want to build the openssl 0.9.8k version on aix it fails as follows:
When I want to build the openssl 0.9.8k version on aix it fails as follows: /usr/local/bin/gcc -I../crypto -I.. -I../include -DZLIB -DOPENSSL_THREADS -qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro - qroconst -c -o ssl_err.o ssl_err.c gcc: unrecognized option '-qthreaded' gcc: unrecognized option '-q32' gcc: unrecognized option '-qmaxmem=16384' gcc: unrecognized option '-qro' gcc: unrecognized option '-qroconst' Any ideas on how to fix this? Tx J __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org