Re: Help building FIPS openssl (suitable for apache)
On Fri, Jun 10, 2011, Sam Theman wrote:

> Hello,
>
> First off, I AM trying to follow the FIPS/OPENSSL user guide
>
> What am I doing wrong:
>
> 1.) downloaded fips openssl 1.2.3
>
> 2) ./config fipscanisterbuild
> make
> make install
>
> 3.) ./config fips --with-fipslibdir=/usr/local/ssl/fips1.2.3/lib
> make
> make install
>
> 4) build apache with
>
> ./configure --prefix=/usr/local/apache2.2.19
> --with-ssl=/usr/local/ssl/fips1.2.3 --with-mpm=prefork --with-ldap
> --enable-ssl --enable-dav --enable-dav-fs --enable-dav-lock
> --enable-authnz-ldap --enable-ldap
>
> 5. Error:
>
> [root]# ./apachectl start
> Syntax error on line 1 of /usr/local/apache2.2.19/conf/extra/httpd-ssl.conf:
> SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS

Looks like Apache isn't seeing the correct header files and not including the appropriate FIPS code. That's an Apache configuration issue and not OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
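Added example, not part of the original thread: a shell check for the situation described in the reply above, reporting whether the headers under the prefix handed to --with-ssl are FIPS-enabled. It assumes that a FIPS-capable OpenSSL build records `#define OPENSSL_FIPS` in include/openssl/opensslconf.h and that mod_ssl only compiles SSLFIPS support when that macro is visible; the function names and sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: a FIPS-capable OpenSSL build writes
# "#define OPENSSL_FIPS" into <prefix>/include/openssl/opensslconf.h.

# Print the FIPS status of the headers under an install prefix.
fips_headers_status() {
    conf="$1/include/openssl/opensslconf.h"
    if [ ! -f "$conf" ]; then
        echo "missing-headers"
        return 2
    fi
    # Match a real preprocessor define, not a commented-out one or a longer macro name.
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([[:space:]]|$)' "$conf"; then
        echo "fips-enabled"
        return 0
    fi
    echo "not-fips"
    return 1
}

# Build a constructed sample prefix: $1 = directory, $2 = "fips" or "plain".
make_sample_prefix() {
    mkdir -p "$1/include/openssl"
    hdr="$1/include/openssl/opensslconf.h"
    echo '/* constructed sample header, not a real opensslconf.h */' > "$hdr"
    if [ "$2" = "fips" ]; then
        echo '# define OPENSSL_FIPS' >> "$hdr"
    else
        echo '/* #define OPENSSL_FIPS */' >> "$hdr"
    fi
}

# Demo on constructed trees; on a real host pass the --with-ssl prefix instead.
demo=$(mktemp -d)
make_sample_prefix "$demo/fips" fips
make_sample_prefix "$demo/plain" plain
for p in fips plain absent; do
    echo "$p: $(fips_headers_status "$demo/$p")"
done
rm -rf "$demo"
```

A "not-fips" or "missing-headers" result for the prefix used at configure time means httpd was compiled against headers that do not advertise FIPS support.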
Re: Openssl cms question
I fixed it. The certificate was not in the right form.

On 11.06.2011 18:16, Victor Sterpu wrote:

> I tried to use this command from openssl examples:
>
> openssl cms -sign -in message.txt -text -out mail.msg -signer ./ssl1/newkey.pem
>
> The error is:
>
> unable to load certificate
> 3076057772:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
>
> To generate my newkey.pem I used these commands:
>
> /usr/lib/ssl/misc/CA.pl -newca
> /usr/lib/ssl/misc/CA.pl -newreq
> /usr/lib/ssl/misc/CA.pl -signreq
>
> I also tried to pass the argument "-noverify" but the error is the same.
>
> newkey.pem looks like this:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6CACB288530133B0
>
> [encrypted key data omitted]
> -----END RSA PRIVATE KEY-----
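Added example, not part of the original thread: the quoted error comes from handing `-signer` a file whose only PEM object is an RSA PRIVATE KEY, while that option loads a certificate (the key goes to `-inkey`, or sits in the same file as the certificate). The shell sketch below lists the PEM objects in a file and reports whether it can serve as a `-signer` argument; function names and sample files are constructed for illustration and the sample bodies are placeholders, not key material.

```shell
#!/bin/sh
# Added example: decide whether a PEM file can be passed to `openssl cms -sign -signer`.

# List the label of every PEM object in a file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Report what the file offers to the signing command.
signer_check() {
    labels=$(pem_labels "$1")
    has_cert=no
    has_key=no
    # "CERTIFICATE REQUEST" must not count as a certificate, hence the anchors.
    if printf '%s\n' "$labels" | grep -Eq '^(TRUSTED |X509 )?CERTIFICATE$'; then has_cert=yes; fi
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY$'; then has_key=yes; fi
    case "$has_cert/$has_key" in
        yes/yes) echo "ok: certificate and key in one file" ;;
        yes/no)  echo "ok: certificate only, supply the key with -inkey" ;;
        no/yes)  echo "error: private key only, -signer needs a certificate" ;;
        *)       echo "error: no certificate or key found" ;;
    esac
}

# Write a constructed sample file: $1 = path, remaining arguments = PEM labels.
write_pem() {
    f=$1
    shift
    : > "$f"
    for l in "$@"; do
        # Q09OU1RSVUNURUQ= is base64 for "CONSTRUCTED", a placeholder body.
        printf '%s\n' "-----BEGIN $l-----" "Q09OU1RSVUNURUQ=" "-----END $l-----" >> "$f"
    done
}

# Demo on constructed files.
demo=$(mktemp -d)
write_pem "$demo/key.pem" "RSA PRIVATE KEY"
write_pem "$demo/cert.pem" "CERTIFICATE"
write_pem "$demo/both.pem" "CERTIFICATE" "RSA PRIVATE KEY"
for f in key.pem cert.pem both.pem; do
    echo "$f: $(signer_check "$demo/$f")"
done
rm -rf "$demo"
```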
Why my SSL_Connect() hangs at times?
I have a Linux server which has been connected with a Windows XP client using SSL sockets. I am able to read and write through those sockets. Recently my calls to SSL_Connect() wait for a long time. And yes, I am using blocking mode.

My search on that issue ended up with, "I have to use non-blocking mode and have to use time outs as well". But I want the connection to be successful so as to proceed further. Only when I am done with those little transfers between the server and the client will I be able to move to the next step. Hence I used blocking mode here.

At the start of my SSL socket programming, I let the socket connections close abruptly without releasing them (through exceptions and a beginner's ignorance). Might that be the reason for my client not getting connected with the server? By that I mean that those connections may still not be cleared, which makes my current SSL_Connect() call hang? If so, can I clean those up through any command or something?

Or what might be the reasons that make SSL_Connect hang/wait for long? And how can I establish a connection in such a case when I have to use blocking mode?

--
Regards,
Kali
Openssl cms question
I tried to use this command from openssl examples:

openssl cms -sign -in message.txt -text -out mail.msg -signer ./ssl1/newkey.pem

The error is:

unable to load certificate
3076057772:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

To generate my newkey.pem I used these commands:

/usr/lib/ssl/misc/CA.pl -newca
/usr/lib/ssl/misc/CA.pl -newreq
/usr/lib/ssl/misc/CA.pl -signreq

I also tried to pass the argument "-noverify" but the error is the same.

newkey.pem looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6CACB288530133B0

[encrypted key data omitted]
-----END RSA PRIVATE KEY-----
generic configuration for 64 bit
Hi all,

The Configure file has generic 32 bit configurations:

# Basic configs that should work on any (32 and less bit) box
"gcc", "gcc:-O3::(unknown):::BN_LLONG:::",
"cc", "cc:-O::(unknown)::",

What would be an equivalent generic configuration for 64 bit?

Best,
Misha
Help building FIPS openssl (suitable for apache)
Hello,

First off, I AM trying to follow the FIPS/OPENSSL user guide

What am I doing wrong:

1.) downloaded fips openssl 1.2.3

2) ./config fipscanisterbuild
make
make install

3.) ./config fips --with-fipslibdir=/usr/local/ssl/fips1.2.3/lib
make
make install

4) build apache with

./configure --prefix=/usr/local/apache2.2.19 --with-ssl=/usr/local/ssl/fips1.2.3 --with-mpm=prefork --with-ldap --enable-ssl --enable-dav --enable-dav-fs --enable-dav-lock --enable-authnz-ldap --enable-ldap

5. Error:

[root]# ./apachectl start
Syntax error on line 1 of /usr/local/apache2.2.19/conf/extra/httpd-ssl.conf:
SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS