RE: Help building FIPS openssl (suitable for apache)

2011-06-13 Thread Sam Theman

But can you confirm that my process for building FIPS openssl is correct? I 
downloaded openssl 1.2.3, then ran config fipscanisterbuild, make/make 
install, then I can config fips 
-with-fipslibdir=/usr/local/ssl/fips1.2.3/lib make/make install. Is this 
right?

 Date: Sun, 12 Jun 2011 04:10:39 +0200
 From: st...@openssl.org
 To: openssl-users@openssl.org
 Subject: Re: Help building FIPS openssl  (suitable for apache)
 
 On Fri, Jun 10, 2011, Sam Theman wrote:
 
  
  Hello,
  
  First off, I AM trying to follow the FIPS/OPENSSL user guide
  
  What am I doing wrong:
  
  1) downloaded fips openssl 1.2.3
  
  2) ./config fipscanisterbuild
  make
  make install
  
  3) ./config fips  --with-fipslibdir=/usr/local/ssl/fips1.2.3/lib
  make
  make install
  
  4) build apache with 
  
   ./configure --prefix=/usr/local/apache2.2.19 
  --with-ssl=/usr/local/ssl/fips1.2.3 --with-mpm=prefork --with-ldap  
  --enable-ssl --enable-dav --enable-dav-fs --enable-dav-lock 
  --enable-authnz-ldap --enable-ldap
  
  5) Error:
  
  [root]# ./apachectl start
  Syntax error on line 1 of /usr/local/apache2.2.19/conf/extra/httpd-ssl.conf:
  SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
  

 
 Looks like Apache isn't seeing the correct header files and not including the
 appropriate FIPS code. That's an Apache configuration issue and not OpenSSL.
 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 ______________________________________________________________________
 OpenSSL Project                                 http://www.openssl.org
 User Support Mailing List                    openssl-users@openssl.org
 Automated List Manager                           majord...@openssl.org
  

Question about SSL_CTX_load_verify_locations()

2011-06-13 Thread Yan, Bob
Hi,

I am using the SSL_CTX_load_verify_locations(ssl_ctx, NULL, CApath) function to 
load the CA certificates from the CApath directory. Since the certificates in 
CApath are only looked up when required, my question is: is there any openssl 
function that can be used to load all trusted CA certificates from CApath before 
performing the verification of a peer certificate?

Thanks
Bob


Re: Why my SSL_Connect() hangs at times?

2011-06-13 Thread David Schwartz

On 6/11/2011 8:52 AM, kali muthu wrote:

> I have a Linux server which has been connected with a Windows XP client
> using SSL sockets. I am able to read and write through those sockets.

Good.

> Recently my calls to SSL_Connect() wait for a long time. And yes, I am
> using blocking mode. My search on that issue ended up with: I have
> to use non-blocking mode and have to use timeouts as well. But I want
> the connection to be successful so as to proceed further. Only when I am
> done with those little transfers between the server and the client will I
> be able to move to the next step. Hence I used blocking mode here.

Sounds good.

> While at the start of SSL socket programming, I let the socket
> connections close abruptly without releasing them (through exceptions
> and as a beginner's ignorance). Might that be the reason for my
> client not getting connected with the server? By that I mean: might those
> connections still not be cleared, which makes my current
> SSL_Connect() call hang? If so, can I clean those up through any
> command or something?

It's not clear what you're talking about. What did you not do? Your 
SSL_Connect isn't hanging, it's blocking, because you asked it to.

> Or what might be the reasons that make SSL_Connect hang/wait for long?

In blocking mode, SSL_Connection will block until the connection is 
established or until it fails definitively. This can take arbitrarily 
long, depending on what the other side does.

> And how can I establish a connection in such a case when I had to use
> blocking mode?

You are establishing a connection, right? It's just taking a while. But 
you said you wanted to wait. So what's the problem exactly?

DS
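The behaviour David describes, as an added illustration that is not part of the thread: a constructed local peer accepts the TCP connection but never answers the ClientHello, so a blocking handshake waits indefinitely, while a socket timeout turns that wait into a reportable failure. It uses Python's ssl module (which calls SSL_connect underneath) rather than the C API; `stalled_peer` and `tls_connect` are names chosen here.

```python
import socket
import ssl
from typing import Optional


def stalled_peer() -> socket.socket:
    """Constructed stand-in for 'the other side': the kernel completes the TCP
    connection from the listen backlog, but nothing ever reads the ClientHello
    or sends a ServerHello, so the client's handshake has nothing to proceed on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def tls_connect(host: str, port: int, timeout: Optional[float]) -> str:
    """Attempt a TLS handshake and report 'ok', 'timeout' or 'error:<Class>'.

    timeout=None is the blocking case from the thread: do_handshake()
    (SSL_connect underneath) returns only when the peer answers or the
    connection fails for good, which can take arbitrarily long. A finite
    timeout bounds the wait and surfaces it as a distinct, loggable outcome
    instead of a silent stall.
    """
    ctx = ssl.create_default_context()  # verification stays on; never reached here
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
    try:
        tls.settimeout(timeout)  # None = block, float = bounded wait
        tls.do_handshake()
        return "ok"
    except socket.timeout:
        return "timeout"
    except (ssl.SSLError, ConnectionError) as exc:
        return "error:" + type(exc).__name__
    finally:
        tls.close()


if __name__ == "__main__":
    srv = stalled_peer()
    host, port = srv.getsockname()
    # With timeout=None this call would block indefinitely against this peer.
    print(tls_connect(host, port, timeout=2.0))  # timeout
    srv.close()
```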
