Re: SSL renegotiation

2012-07-18 Thread Sebastian Raymond
Thanks for the reply. But I have already tried that option. It does not
work. I still get the same error.

On Wed, Jul 18, 2012 at 9:24 PM, Jijo  wrote:

> you can enable using this directive  SSLInsecureRenegotiation
>
> please refer
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
> documentation.
>
>
> On Mon, Jul 16, 2012 at 11:37 AM, Sebastian Raymond wrote:
>
>> Hello,
>>
>> I was investigating the SSL renegotiation in Openssl.
>>
>> When I emulate the server with s_server and the client with s_client, I
>> can renegotiate by sending R.
>>
>> But when I try the same thing with the server s_server replaced with
>> Apache 2.2.14 web server, the renegotiation fails with the following error.
>>
>> *3077585640:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
>> failure:s3_pkt.c:591*
>>
>> Can anyone tell me why this happens? Is there any way to enable SSL
>> renegotiation in the Apache web server?
>>
>> Thank You!
>> --
>> Regards,
>> *Sebastian*
>>
>>
>


-- 
Regards,
*Sebastian*


Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread Dr. Stephen Henson
On Wed, Jul 18, 2012, AJ wrote:

> This explains it -- thank you -- I was using a static library -- so I would 
> need to use fipsld, if I continue to use static.  
> 
> However, knowing this, I wanted to try with shared OpenSSL library instead, 
> but my build fails on "multiple definition" errors.
> The only difference I made, was to add "shared" to the config line, when 
> building openssl-1.0.1c:
> 
>    ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ shared
>    make depend
> 
>    make
> 
>    make install
> 
> 

Don't use --with-fipslibdir; use --with-fipsdir instead, or you can set
the FIPSDIR environment variable while building the validated module and the
FIPS capable OpenSSL.

So you'd instead do:

./config fips --with-fipsdir=/usr/local/ssl/fips-2.0 shared

I just tried this with my setup and it worked OK.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread AJ
This explains it -- thank you -- I was using a static library -- so I would 
need to use fipsld, if I continue to use static.  

However, knowing this, I wanted to try with shared OpenSSL library instead, but 
my build fails on "multiple definition" errors.
The only difference I made, was to add "shared" to the config line, when 
building openssl-1.0.1c:

   ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ shared
   make depend

   make

   make install


Build log snippet:
=
if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
                (cd ..; make libcrypto.so.1.0.0); \
        fi
[ -z "libcrypto" ] || arm-linux-androideabi-gcc -fPIC -DOPENSSL_PIC 
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack 
-march=armv7-a -mandroid 
-I/Users/richard/android-ndk-r8/platforms/android-14/arch-arm/usr/include 
-B/Users/richard/android-ndk-r8/platforms/android-14/arch-arm/usr/lib -O3 
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m 
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DAES_ASM -DGHASH_ASM -Iinclude \
                -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso  \
                /usr/local/ssl/fips-2.0/lib/fips_premain.c 
/usr/local/ssl/fips-2.0/lib/fipscanister.o \
                libcrypto.a -ldl
ar: fipscanister.o: not found in archive
libcrypto.a(fipscanister.o): In function 
`fips_ec_gfp_simple_set_jprojective_coordinates_gfp':
fips_canister.c:(.text+0x1b9ec): multiple definition of 
`fips_ec_gfp_simple_set_jprojective_coordinates_gfp'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x1b9ec): 
first defined here
libcrypto.a(fipscanister.o): In function 
`fips_ec_point_set_affine_coordinates_gf2m':
fips_canister.c:(.text+0x16448): multiple definition of 
`fips_ec_point_set_affine_coordinates_gf2m'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x16448): 
first defined here
libcrypto.a(fipscanister.o): In function `FIPS_drbg_get_app_data':
fips_canister.c:(.text+0x37f34): multiple definition of `FIPS_drbg_get_app_data'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x37f34): 
first defined here
libcrypto.a(fipscanister.o): In function `fips_rsa_padding_add_none':
fips_canister.c:(.text+0x283f8): multiple definition of 
`fips_rsa_padding_add_none'
/usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x283f8): 
first defined here


Any ideas?   

Thanks,
AJ




- Original Message -
From: Dr. Stephen Henson 
To: openssl-users@openssl.org
Cc: 
Sent: Wednesday, July 18, 2012 4:15 PM
Subject: Re: FIPS: Incore fingerprint check fails on Android?

On Wed, Jul 18, 2012, AJ wrote:

> It's my application producing the error.
> 
> I've been reading more... perhaps I need to get Android build to link via 
> fipsld to get the valid fingerprint?
> 
> Does this sound right? Any tips?
> 

How are you linking your application?

If it is to the OpenSSL shared libraries then no further steps are needed as
the fingerprint is embedded in the shared library. You should NOT use the
fipsld utility to link.

If you are linking against static libraries then you do need to make use of
the fipsld utility.

Check the OpenSSL utility can enter FIPS mode by doing something like this:

OPENSSL_FIPS=1 openssl version -a
OPENSSL_FIPS=1 openssl md5 somefile
OPENSSL_FIPS=1 openssl sha1 somefile

The md5 command should fail with an error message indicating that algorithm
isn't allowed in FIPS mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Make issue with openssl-1.0.0f and openssl-1.0.0j

2012-07-18 Thread Barone, Philip

Jeremy, Thank you very much for your response, 

Did I tell you it took around 3 hours to get the failure point? It also brought 
the CPU to its knees, xload reported like 20 bars. Also, libcrypto.a is only 
about 5MB when it has been successfully compiled, mine was growing over 11GB 
when it stopped. 

I have successfully compiled it on another server, with a lower patch set. We 
are in the process of trying to discover what OS Patch caused the issue.

See comments below

> -Original Message-
> From: Jeremy Hunt [mailto:jere...@optimation.com.au]
> Sent: Tuesday, July 17, 2012 10:02 PM
> To: openssl-users@openssl.org
> Cc: Barone, Philip
> Subject: Re: Make issue with openssl-1.0.0f and openssl-1.0.0j
> 
> 
> The error message is all important.
> 
> ar: ../../libcrypto.a: cannot write: Bad address
> 
> Bad address is an invalid pointer, cannot write means some access or
> system error, which an invalid pointer can be an instance of.
> 
> Seeing as you can use ar to read to this file, I assume it is there,
> even though it is truncated (which is a clue in itself).
> 
[Barone, Philip] 

This compile is being performed in a ClearCase vob, a version control system 
that my company uses, perhaps you have heard of it.
Anyway, in the course of this compile as the file grows and whatever else goes 
on, access to this file area does seem to change. The view that the compile is 
performed in, after it stops, can no longer stat libcrypto.a. I am guessing 
because it has grown too large, not because there is not enough space in the 
filesystem. File system space is very large now, 64GB. I can access the file 
fine if I open another window and set the view again. Of course the make had 
never completed so is incomplete.

This is what I get when I try to stat libcrypto.a in the bad view

Server1> ls -la
ls: libcrypto.a: Value too large for defined data type
total 985

In the new window it works fine

Server1> ls -la libcrypto.a
-rw-rw-r--   1 pbarone  dags 11534025632 Jul 16 15:06 libcrypto.a


> Check that the address used (../../libcrypto.a) points to it from
> /vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha, though it
> looks right and I would expect the ar command would create a new one if
> it didn't find it.
> 
[Barone, Philip] 

Yep, like above, it's accessible from the new window but gets the "Value too 
large" error from the bad view.

> Make sure that the components sha_dgst.o sha1dgst.o sha_one.o
> sha1_one.o sha256.o sha512.o sha1-sparcv9.o sha256-sparcv9.o
> sha512-sparcv9.o have all been created, though I would expect the make would
> have failed earlier if any didn't exist.
> 
[Barone, Philip] 

They are all there

Server1> find . -name '*.o' |more
./crypto/md4/md4_dgst.o
./crypto/md4/md4_one.o
./crypto/md5/md5_dgst.o
./crypto/md5/md5_one.o
./crypto/objects/o_names.o
./crypto/objects/obj_dat.o
./crypto/objects/obj_lib.o
./crypto/objects/obj_err.o
./crypto/objects/obj_xref.o
./crypto/sha/sha_dgst.o
./crypto/sha/sha1dgst.o
./crypto/sha/sha_one.o
./crypto/sha/sha1_one.o
./crypto/sha/sha256.o
./crypto/sha/sha512.o
./crypto/sha/sha1-sparcv9.o
./crypto/sha/sha256-sparcv9.o
./crypto/sha/sha512-sparcv9.o
./crypto/cryptlib.o
./crypto/mem.o
./crypto/mem_dbg.o
./crypto/cversion.o
./crypto/ex_data.o
./crypto/cpt_err.o
./crypto/ebcdic.o
./crypto/uid.o
./crypto/o_time.o
./crypto/o_str.o
./crypto/o_dir.o
./crypto/sparcv9cap.o
./crypto/sparccpuid.o

> Make sure that you have read access to the components and that you have
> write access to /vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j though
> I expect you will, unless you use two user ids to build software with
> and an earlier make was interrupted, in which case user id 1 may have
> write access to libcrypto.a and you don't.
> 
[Barone, Philip] 

This is ok

> Make sure you have no disk write errors in your system logs. There was
> some talk of the file system being full, if this was an issue, how much
> space do you have left, under Solaris some percentage (I think it is
> 10%) is left as only writeable by "root" user to try and stop system
> crashes due to full file systems. Is this disk a virtual or remotely
> mounted file system? There may be an issue due to that.
> 

[Barone, Philip] 

Plenty of space now in these latest tests


> You might also like to try writing to libcrypto.a with ar too to see if
> there is an error. The build has been interrupted, so the file has to be
> removed anyway, so nothing lost if you corrupt it further. If you can,
> try writing to it (with ar) from the directory you had problems with
> /vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha.
> 

[Barone, Philip] 

I would try this suggestion but am not sure how to write using ar. Do I just 
use the exact same command line but add another .o or something on the end?

e.g. 

  ar r ../../libcrypto.a sha_dgst.o sha1dgst.o sha_one.o sha1_one.o some_other_file.o

I am sure this will fail, it may cause the "Value too large" error in the new 
view, re

Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread Dr. Stephen Henson
On Wed, Jul 18, 2012, AJ wrote:

> It's my application producing the error.
> 
> I've been reading more... perhaps I need to get Android build to link via 
> fipsld to get the valid fingerprint?
> 
> Does this sound right? Any tips?
> 

How are you linking your application?

If it is to the OpenSSL shared libraries then no further steps are needed as
the fingerprint is embedded in the shared library. You should NOT use the
fipsld utility to link.

If you are linking against static libraries then you do need to make use of
the fipsld utility.

Check the OpenSSL utility can enter FIPS mode by doing something like this:

OPENSSL_FIPS=1 openssl version -a
OPENSSL_FIPS=1 openssl md5 somefile
OPENSSL_FIPS=1 openssl sha1 somefile

The md5 command should fail with an error message indicating that algorithm
isn't allowed in FIPS mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
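
The three checks above combined into a single verdict, as an added example that is not part of the original message. The function name `fips_smoke_test`, its verdict strings and its return codes are made up here, and it assumes the openssl utility exits non-zero when it cannot enter FIPS mode or refuses a digest.

```shell
#!/bin/sh
# Added example, not from the thread: run the three manual checks and
# report one verdict. fips_smoke_test, its verdict strings and its return
# codes are hypothetical names chosen for this example.
#
# Assumption: the openssl utility exits non-zero when it cannot enter FIPS
# mode or when a digest is refused, and exits zero otherwise.

# usage: fips_smoke_test OPENSSL_BINARY SOMEFILE
fips_smoke_test() {
    ossl=$1
    file=$2

    # Check 1: with OPENSSL_FIPS=1 set, can the utility start at all?
    # Keep stderr so the reported error is not lost.
    if ! err=$(OPENSSL_FIPS=1 "$ossl" version -a 2>&1 >/dev/null); then
        if [ -n "$err" ]; then
            printf '%s\n' "$err" >&2
        fi
        echo "cannot-enter-fips-mode"
        return 2
    fi

    # Check 2: md5 is not allowed in FIPS mode, so a successful md5 means
    # the utility is not actually running in FIPS mode.
    if OPENSSL_FIPS=1 "$ossl" md5 "$file" >/dev/null 2>&1; then
        echo "not-in-fips-mode"
        return 1
    fi

    # Check 3: sha1 must still work. If it fails as well, the md5 failure
    # above proves nothing (missing file, broken build, ...).
    if ! OPENSSL_FIPS=1 "$ossl" sha1 "$file" >/dev/null 2>&1; then
        echo "approved-digest-failed"
        return 3
    fi

    echo "fips-mode-ok"
    return 0
}

# Run as: sh fips_smoke.sh path/to/openssl somefile
if [ "$#" -eq 2 ]; then
    fips_smoke_test "$1" "$2"
fi
```

Only the `fips-mode-ok` verdict returns 0, so the function can gate a build or deployment step.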


Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread Jeffrey Walton
On Wed, Jul 18, 2012 at 3:24 PM, AJ  wrote:
> I'm running on 4.0.4 and 2.3.4, with same results on both.
Android 4.0 got most of ASLR in place (Android 4.1 finished the
randomization and fixed a kernel mis-configuration):
http://source.android.com/tech/security/index.html#memory-management-security-enhancements
and 
https://blog.duosecurity.com/2012/02/a-look-at-aslr-in-android-ice-cream-sandwich-4-0/.

I suspect ASLR is giving you problems (presuming OpenSSL is working as
intended). What load address did fipsld use? What address is the
executable being loaded at?

Jeff

> - Original Message -
> From: Jeffrey Walton 
> To: openssl-users@openssl.org
> Cc:
> Sent: Wednesday, July 18, 2012 2:27 PM
> Subject: Re: FIPS: Incore fingerprint check fails on Android?
>
> On Wed, Jul 18, 2012 at 11:15 AM, Aunt Jomamma  wrote:
>> Sorry if this is duplicate, but I had an issue with the mailer, and not sure 
>> if this went...
>>
>> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android 
>> using ndk-r8.
>> I am doing cross-compile on Mac OSX.
>>
>> However, I cannot pass FIPS_mode_set(1).
>> I get the following error: "FIPS 
>> routines:FIPS_check_incore_fingerprint:fingerprint does not match"
>>
>> I am using the incore script provided from openssl-fips-2.0/util/incore.
>>
>> My setup is as follows:
>>
>> # Edit this to wherever you unpacked the NDK
>> export ANDROID_NDK=/home/android-ndk-r8
>>
>> # Edit to wherever you put incore script
>> export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore
>>
>> 
>> PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin:$PATH; export PATH
>> export MACHINE=armv7l
>> export RELEASE=2.6.32.GMU
>> export SYSTEM=android
>> export ARCH=arm
>> export CROSS_COMPILE="arm-linux-androideabi-"
>> export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
>> export HOSTCC=gcc
>>
>> Any ideas why I cannot pass incore fingerprint validation?  Do I need 
>> anything special wrt incore on cross-compile?
>>
> What Android OS is being used on the device?
>
> Android 4.1 recently achieved full ASLR. ASLR might be the problem
> since randomizing shared objects and program load addresses is
> diametrically opposed to the FIPS check.
>
> A thread on recent platform security changes can be found at
> http://groups.google.com/group/android-security-discuss/browse_thread/thread/d585aa8062964673.


Testing renegotiation with FTP data channel

2012-07-18 Thread Gokhan Sengun
Hello,

We have added SSL/TLS support into our legacy FTP server using OpenSSL.
Thanks for the great code BTW :)

We are able to test SSL/TLS renegotiation for FTP control channel (port 21)
using "openssl s_client" but looking for a way to test data channel (port
20) renegotiation too.

Are you aware of an FTP client that is able to trigger an SSL/TLS
renegotiation so that we can see if our FTP server is not broken? I can see
that "openssl s_client" could not be used for data channel.

BTW: we read the API and coded accordingly but just want to test and see
the data channel renegotiation is working fine just like we did and made
sure for control channel.

Thanks.

-- 
it is twice as difficult to debug a program as to write it. Therefore, if
you put all of your creativity and effort into writing the program, you are
not smart enough to debug it.


Re: SSL renegotiation

2012-07-18 Thread Jijo
you can enable using this directive  SSLInsecureRenegotiation

please refer
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
documentation.

On Mon, Jul 16, 2012 at 11:37 AM, Sebastian Raymond wrote:

> Hello,
>
> I was investigating the SSL renegotiation in Openssl.
>
> When I emulate the server with s_server and the client with s_client, I
> can renegotiate by sending R.
>
> But when I try the same thing with the server s_server replaced with
> Apache 2.2.14 web server, the renegotiation fails with the following error.
>
> *3077585640:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:591*
>
> Can anyone tell me why this happens? Is there any way to enable SSL
> renegotiation in the Apache web server?
>
> Thank You!
> --
> Regards,
> *Sebastian*
>
>


Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread AJ
I'm running on 4.0.4 and 2.3.4, with same results on both.



- Original Message -
From: Jeffrey Walton 
To: openssl-users@openssl.org
Cc: 
Sent: Wednesday, July 18, 2012 2:27 PM
Subject: Re: FIPS: Incore fingerprint check fails on Android?

On Wed, Jul 18, 2012 at 11:15 AM, Aunt Jomamma  wrote:
> Sorry if this is duplicate, but I had an issue with the mailer, and not sure 
> if this went...
>
> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android using 
> ndk-r8.
> I am doing cross-compile on Mac OSX.
>
> However, I cannot pass FIPS_mode_set(1).
> I get the following error: "FIPS 
> routines:FIPS_check_incore_fingerprint:fingerprint does not match"
>
> I am using the incore script provided from openssl-fips-2.0/util/incore.
>
> My setup is as follows:
>
>     # Edit this to wherever you unpacked the NDK
>     export ANDROID_NDK=/home/android-ndk-r8
>
>     # Edit to wherever you put incore script
>     export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore
>
>     
>     PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin:$PATH; export PATH
>     export MACHINE=armv7l
>     export RELEASE=2.6.32.GMU
>     export SYSTEM=android
>     export ARCH=arm
>     export CROSS_COMPILE="arm-linux-androideabi-"
>     export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
>     export HOSTCC=gcc
>
> Any ideas why I cannot pass incore fingerprint validation?  Do I need 
> anything special wrt incore on cross-compile?
>
What Android OS is being used on the device?

Android 4.1 recently achieved full ASLR. ASLR might be the problem
since randomizing shared objects and program load addresses is
diametrically opposed to the FIPS check.

A thread on recent platform security changes can be found at
http://groups.google.com/group/android-security-discuss/browse_thread/thread/d585aa8062964673.

Jeff


Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread Jeffrey Walton
On Wed, Jul 18, 2012 at 11:15 AM, Aunt Jomamma  wrote:
> Sorry if this is duplicate, but I had an issue with the mailer, and not sure 
> if this went...
>
> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android using 
> ndk-r8.
> I am doing cross-compile on Mac OSX.
>
> However, I cannot pass FIPS_mode_set(1).
> I get the following error: "FIPS 
> routines:FIPS_check_incore_fingerprint:fingerprint does not match"
>
> I am using the incore script provided from openssl-fips-2.0/util/incore.
>
> My setup is as follows:
>
> # Edit this to wherever you unpacked the NDK
> export ANDROID_NDK=/home/android-ndk-r8
>
> # Edit to wherever you put incore script
> export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore
>
> 
> PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin:$PATH; export PATH
> export MACHINE=armv7l
> export RELEASE=2.6.32.GMU
> export SYSTEM=android
> export ARCH=arm
> export CROSS_COMPILE="arm-linux-androideabi-"
> export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
> export HOSTCC=gcc
>
> Any ideas why I cannot pass incore fingerprint validation?  Do I need 
> anything special wrt incore on cross-compile?
>
What Android OS is being used on the device?

Android 4.1 recently achieved full ASLR. ASLR might be the problem
since randomizing shared objects and program load addresses is
diametrically opposed to the FIPS check.

A thread on recent platform security changes can be found at
http://groups.google.com/group/android-security-discuss/browse_thread/thread/d585aa8062964673.

Jeff


Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread AJ
It's my application producing the error.

I've been reading more... perhaps I need to get Android build to link via 
fipsld to get the valid fingerprint?

Does this sound right? Any tips?

Thanks.

"Dr. Stephen Henson"  wrote:

>On Wed, Jul 18, 2012, Aunt Jomamma wrote:
>
>> Sorry if this is duplicate, but I had an issue with the mailer, and not sure 
>> if this went...
>> 
>> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android 
>> using ndk-r8.  
>> I am doing cross-compile on Mac OSX.
>> 
>> However, I cannot pass FIPS_mode_set(1).
>> I get the following error: "FIPS 
>> routines:FIPS_check_incore_fingerprint:fingerprint does not match"
>> 
>
>What is producing that error? Is it the openssl utility or an application
>you've developed?
>
>Steve.
>--
>Dr Stephen N. Henson. OpenSSL project core developer.
>Commercial tech support now available see: http://www.openssl.org

Re: FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread Dr. Stephen Henson
On Wed, Jul 18, 2012, Aunt Jomamma wrote:

> Sorry if this is duplicate, but I had an issue with the mailer, and not sure 
> if this went...
> 
> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android using 
> ndk-r8.  
> I am doing cross-compile on Mac OSX.
> 
> However, I cannot pass FIPS_mode_set(1).
> I get the following error: "FIPS 
> routines:FIPS_check_incore_fingerprint:fingerprint does not match"
> 

What is producing that error? Is it the openssl utility or an application
you've developed?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


FIPS: Incore fingerprint check fails on Android?

2012-07-18 Thread Aunt Jomamma
Sorry if this is duplicate, but I had an issue with the mailer, and not sure if 
this went...

I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android using 
ndk-r8.  
I am doing cross-compile on Mac OSX.

However, I cannot pass FIPS_mode_set(1).
I get the following error: "FIPS 
routines:FIPS_check_incore_fingerprint:fingerprint does not match"

I am using the incore script provided from openssl-fips-2.0/util/incore.

My setup is as follows:

    # Edit this to wherever you unpacked the NDK
    export ANDROID_NDK=/home/android-ndk-r8

    # Edit to wherever you put incore script
    export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore

    
    PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin:$PATH; export PATH
    export MACHINE=armv7l
    export RELEASE=2.6.32.GMU
    export SYSTEM=android
    export ARCH=arm
    export CROSS_COMPILE="arm-linux-androideabi-"
    export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
    export HOSTCC=gcc

Any ideas why I cannot pass incore fingerprint validation?  Do I need anything 
special wrt incore on cross-compile?


Thanks,
AJ        


Re: Make issue with openssl-1.0.0f and openssl-1.0.0j

2012-07-18 Thread Jeremy Hunt


The error message is all important.

ar: ../../libcrypto.a: cannot write: Bad address

Bad address is an invalid pointer, cannot write means some access or system 
error, which an invalid pointer can be an instance of.

Seeing as you can use ar to read to this file, I assume it is there, even 
though it is truncated (which is a clue in itself).

Check that the address used (../../libcrypto.a) points to it from 
/vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha, though it looks 
right and I would expect the ar command would create a new one if it didn't 
find it.

Make sure that the components sha_dgst.o sha1dgst.o sha_one.o sha1_one.o 
sha256.o sha512.o sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o have all 
been created, though I would expect the make would have failed earlier if any 
didn't exist.

Make sure that you have read access to the components and that you have 
write access to /vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j though 
I expect you will, unless you use two user ids to build software with 
and an earlier make was interrupted, in which case user id 1 may have 
write access to libcrypto.a and you don't.


Make sure you have no disk write errors in your system logs. There was 
some talk of the file system being full, if this was an issue, how much 
space do you have left, under Solaris some percentage (I think it is 
10%) is left as only writeable by "root" user to try and stop system 
crashes due to full file systems. Is this disk a virtual or remotely 
mounted file system? There may be an issue due to that.


You might also like to try writing to libcrypto.a with ar too to see if 
there is an error. The build has been interrupted, so the file has to be 
removed anyway, so nothing lost if you corrupt it further. If you can, 
try writing to it (with ar) from the directory you had problems with 
/vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha.


If you can find nothing wrong, then try unpacking openssl-1.0.0j 
somewhere else (with lots of room) and rebuilding, see if that works


Good luck, I hope that little task list helps you find your problem.

Jeremy

Barone, Philip wrote:

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Tuesday, July 17, 2012 1:03 PM
To: openssl-users@openssl.org
Subject: Re: Make issue with openssl-1.0.0f and openssl-1.0.0j

On 7/17/2012 6:22 PM, Barone, Philip wrote:

Hi,
I am having issues make'ing openssl-1.0.0j, f fails as well, on
Solaris Patch level "5.10 Generic_147440-13 sparc". It works fine at
OS patch level "5.10 Generic_125100-10 sparc".
I am compiling this using "solaris64-sparcv9-cc" like I have always done.

It fails trying to create libcrypto.a,
I notice that libcrypto.a is over 11GB when the make finally quits.
This is what it looks like when it quits:
...
/apps/sun_studio_10_p2/SUNWspro/bin/cc -I.. -I../.. -I../asn1 -I../evp
-I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa
-DB_ENDIAN -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DAES_ASM -c -o sha512-sparcv9.o sha512-sparcv9.s
ar r ../../libcrypto.a sha_dgst.o sha1dgst.o sha_one.o sha1_one.o
sha256.o sha512.o sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o
ar: ../../libcrypto.a: cannot write: Bad address
make[2]: *** [lib] Error 2
make[2]: Leaving directory
`/vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory
`/vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto'
make: *** [build_crypto] Error 1
I was wondering if there are any other Solaris guys out there that may
have input on this?


[Barone, Philip]
Jakob, Thanks for the quick reply, see my responses below.


Not a Solaris guy, but here are two things to check with this
set of error messages:

1. Is the disk full due to this unreasonably large .a file?


[Barone, Philip]

I did have disk space issues at first, because of the size, but was able to 
free up more than enough space to get this to run to completion.



2. Does the 11GB .a file contain multiple copies of each .o
file, perhaps every version you ever compiled? (You can test
this with the command $ ar -t libcrypto.a


[Barone, Philip]

This does not appear to be the issue either

Server1> ar -t libcrypto.a
cryptlib.o
mem.o
mem_dbg.o
cversion.o
ex_data.o
cpt_err.o
ebcdic.o
uid.o
o_time.o
o_str.o
o_dir.o
sparcv9cap.o
sparccpuid.o
o_names.o
obj_dat.o
obj_lib.o
obj_err.o
obj_xref.o
md4_dgst.o
md4_one.o
md5_dgst.o
md5_one.o



If the second is true, then there is a bug in how make
invokes ar when an .o file has been recompiled. The
workaround would then be to do a clean build every time.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remo

Re: OpenSSL beginner...

2012-07-18 Thread Funshine

ohh
i just had a 'duh' moment
thank you ~


Dominik Oepen-2 wrote:
> 
> On 17/07/12 05:28, Funshine wrote:
>> 
>> Hi ! I want to learn OpenSSL and I'm having trouble getting any meaningful
>> result from their example program. No matter the argument I seem to pass I
>> get 'Unknown message digest' error. What exactly is
>> EVP_get_digestbyname(const char*) expecting to see that won't fail the md
>> test ?
> 
> [14:37] /tmp $ ./foo
> Usage: mdtest digestname
> [14:37] /tmp $ ./foo md5
> Digest is: ce73931d2b3da6e60bf18af27494c6cd
> [14:37] /tmp $ ./foo sha1
> Digest is: 0541d4e2b052e6ed4bb7e294a1884c2cfbbf30d8
> [14:37] /tmp $ ./foo sha256
> Digest is:
> 318b20b83a6730b928c46163a2a1cefee4466132731c95c39613acb547ccb715
> [14:37] /tmp $ ./foo sha512
> Digest is:
> bcc37e0208be19c45906c47bbf09dc07c7b9e8614759dd3f85ebe39c1b1e1fcd6d804e36ee0be3cf3d3b57d9f28845de522b641937bbadaf98becacdb0572498
> 
> HTH,
> Dominik
> 
> 

-- 
View this message in context: 
http://old.nabble.com/OpenSSL-beginner...-tp34171527p34176099.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.