Re: build openssl for android
Hi,

When I compiled my old code (openssl-android 1.0.0e), which I downloaded from GitHub, it built properly, but this new code from https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid is throwing the zlib not found error. I ran everything through the $ sudo ndk-build script only. Is there any reference that needs to be added in the android.mk for the new code?

On Thu, Sep 13, 2012 at 10:34 AM, wrote:
> I don't at this point own an android and I am thinking of getting one. I'd like to ask of the environment. Will I need to root it? I expect the answer is yes and I'll have to install all the development tools as well. Is there a website which provides instructions.
>
> Next what of cross compilers or a development environment which runs on say the desktop and provides the test bed that the phone uses.
>
> Thanks.
>
> On Thu, Sep 13, 2012 at 09:56:03AM +0530, Indtiny s wrote:
> > Hi,
> > My android for the TAB is HoneyComb and its API level is 12 so I have written it as
> > TARGET_ABI:=android-12-armeabi
> >
> > I put the above line in android-config.mk just below the first LOCAL_CFLAGS and executed the ndk-build but I got the following error.
> >
> > linux-androideabi/bin/ld: warning: libz.so, needed by ./obj/local/armeabi/libcry
> > ./obj/local/armeabi/libcrypto.so: undefined reference to `zError'
> > ./obj/local/armeabi/libcrypto.so: undefined reference to `inflateEnd'
> > ./obj/local/armeabi/libcrypto.so: undefined reference to `deflate'
> > ./obj/local/armeabi/libcrypto.so: undefined reference to `deflateInit_'
> >
> > Rgds
> > Indu
> >
> > On Thu, Sep 13, 2012 at 8:06 AM, farmdve data.bg wrote:
> > > Oh, and I highly suggest specifying the TARGET_ABI so that the code is optimized (considerable boost compared to without specifying it).
> > >
> > > So either add TARGET_ABI := android-APILEVEL-armeabi to android-config.mk OR open Android.mk in the crypto and ssl folders, and add it just before $(BUILD_SHARED_LIBRARY).
> > > Be sure to replace APILEVEL with the API level you target. And if you want static libraries, replace $(BUILD_SHARED_LIBRARY) where encountered to $(BUILD_STATIC_LIBRARY)
> > >
> > > On Thu, Sep 13, 2012 at 5:30 AM, farmdve data.bg wrote:
> > >> Do not use that one, it's old. Use this one
> > >> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
> > >>
> > >> Just calling ndk-build should work.
> > >>
> > >> On Wed, Sep 12, 2012 at 8:34 PM, Jason Goldberg wrote:
> > >>> For Android, check out this project as an example:
> > >>>
> > >>> https://github.com/eighthave/openssl-android
> > >>>
> > >>> They have the Android-specific Makefile configs for doing an NDK build. You could patch it with your changes and generate the .so libraries you need.
> > >>>
> > >>> On Sep 12, 2012, at 12:05 PM, Indtiny s wrote:
> > >>>
> > >>> Hi,
> > >>>
> > >>> I have to build the openssl 1.0.1c for the android. I have added new ECC-CCM cipher key support at the openssl, hence I want to build the same for android-ndk and use in my application as shared libraries. Is there any guide to build the same?
> > >>>
> > >>> Rgds
> > >>> Indu
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
Re: build openssl for android
I don't at this point own an android and I am thinking of getting one. I'd like to ask of the environment. Will I need to root it? I expect the answer is yes and I'll have to install all the development tools as well. Is there a website which provides instructions.

Next what of cross compilers or a development environment which runs on say the desktop and provides the test bed that the phone uses.

Thanks.

On Thu, Sep 13, 2012 at 09:56:03AM +0530, Indtiny s wrote:
> Hi,
> My android for the TAB is HoneyComb and its API level is 12 so I have written it as
> TARGET_ABI:=android-12-armeabi
>
> I put the above line in android-config.mk just below the first LOCAL_CFLAGS and executed the ndk-build but I got the following error.
>
> linux-androideabi/bin/ld: warning: libz.so, needed by ./obj/local/armeabi/libcry
> ./obj/local/armeabi/libcrypto.so: undefined reference to `zError'
> ./obj/local/armeabi/libcrypto.so: undefined reference to `inflateEnd'
> ./obj/local/armeabi/libcrypto.so: undefined reference to `deflate'
> ./obj/local/armeabi/libcrypto.so: undefined reference to `deflateInit_'
>
> Rgds
> Indu
>
> On Thu, Sep 13, 2012 at 8:06 AM, farmdve data.bg wrote:
> > Oh, and I highly suggest specifying the TARGET_ABI so that the code is optimized (considerable boost compared to without specifying it).
> >
> > So either add TARGET_ABI := android-APILEVEL-armeabi to android-config.mk OR open Android.mk in the crypto and ssl folders, and add it just before $(BUILD_SHARED_LIBRARY).
> > Be sure to replace APILEVEL with the API level you target. And if you want static libraries, replace $(BUILD_SHARED_LIBRARY) where encountered to $(BUILD_STATIC_LIBRARY)
> >
> > On Thu, Sep 13, 2012 at 5:30 AM, farmdve data.bg wrote:
> >> Do not use that one, it's old. Use this one
> >> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
> >>
> >> Just calling ndk-build should work.
> >>
> >> On Wed, Sep 12, 2012 at 8:34 PM, Jason Goldberg wrote:
> >>> For Android, check out this project as an example:
> >>>
> >>> https://github.com/eighthave/openssl-android
> >>>
> >>> They have the Android-specific Makefile configs for doing an NDK build. You could patch it with your changes and generate the .so libraries you need.
> >>>
> >>> On Sep 12, 2012, at 12:05 PM, Indtiny s wrote:
> >>>
> >>> Hi,
> >>>
> >>> I have to build the openssl 1.0.1c for the android. I have added new ECC-CCM cipher key support at the openssl, hence I want to build the same for android-ndk and use in my application as shared libraries. Is there any guide to build the same?
> >>>
> >>> Rgds
> >>> Indu
Re: build openssl for android
Hi,
My android for the TAB is HoneyComb and its API level is 12 so I have written it as
TARGET_ABI:=android-12-armeabi

I put the above line in android-config.mk just below the first LOCAL_CFLAGS and executed the ndk-build but I got the following error.

linux-androideabi/bin/ld: warning: libz.so, needed by ./obj/local/armeabi/libcry
./obj/local/armeabi/libcrypto.so: undefined reference to `zError'
./obj/local/armeabi/libcrypto.so: undefined reference to `inflateEnd'
./obj/local/armeabi/libcrypto.so: undefined reference to `deflate'
./obj/local/armeabi/libcrypto.so: undefined reference to `deflateInit_'

Rgds
Indu

On Thu, Sep 13, 2012 at 8:06 AM, farmdve data.bg wrote:
> Oh, and I highly suggest specifying the TARGET_ABI so that the code is optimized (considerable boost compared to without specifying it).
>
> So either add TARGET_ABI := android-APILEVEL-armeabi to android-config.mk OR open Android.mk in the crypto and ssl folders, and add it just before $(BUILD_SHARED_LIBRARY).
> Be sure to replace APILEVEL with the API level you target. And if you want static libraries, replace $(BUILD_SHARED_LIBRARY) where encountered to $(BUILD_STATIC_LIBRARY)
>
> On Thu, Sep 13, 2012 at 5:30 AM, farmdve data.bg wrote:
>> Do not use that one, it's old. Use this one
>> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
>>
>> Just calling ndk-build should work.
>>
>> On Wed, Sep 12, 2012 at 8:34 PM, Jason Goldberg wrote:
>>> For Android, check out this project as an example:
>>>
>>> https://github.com/eighthave/openssl-android
>>>
>>> They have the Android-specific Makefile configs for doing an NDK build. You could patch it with your changes and generate the .so libraries you need.
>>>
>>> On Sep 12, 2012, at 12:05 PM, Indtiny s wrote:
>>>
>>> Hi,
>>>
>>> I have to build the openssl 1.0.1c for the android. I have added new ECC-CCM cipher key support at the openssl, hence I want to build the same for android-ndk and use in my application as shared libraries. Is there any guide to build the same?
>>>
>>> Rgds
>>> Indu
Re: build openssl for android
Oh, and I highly suggest specifying the TARGET_ABI so that the code is optimized (considerable boost compared to without specifying it).

So either add TARGET_ABI := android-APILEVEL-armeabi to android-config.mk OR open Android.mk in the crypto and ssl folders, and add it just before $(BUILD_SHARED_LIBRARY).
Be sure to replace APILEVEL with the API level you target. And if you want static libraries, replace $(BUILD_SHARED_LIBRARY) where encountered to $(BUILD_STATIC_LIBRARY)

On Thu, Sep 13, 2012 at 5:30 AM, farmdve data.bg wrote:
> Do not use that one, it's old. Use this one
> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
>
> Just calling ndk-build should work.
>
> On Wed, Sep 12, 2012 at 8:34 PM, Jason Goldberg wrote:
>> For Android, check out this project as an example:
>>
>> https://github.com/eighthave/openssl-android
>>
>> They have the Android-specific Makefile configs for doing an NDK build. You could patch it with your changes and generate the .so libraries you need.
>>
>> On Sep 12, 2012, at 12:05 PM, Indtiny s wrote:
>>
>> Hi,
>>
>> I have to build the openssl 1.0.1c for the android. I have added new ECC-CCM cipher key support at the openssl, hence I want to build the same for android-ndk and use in my application as shared libraries. Is there any guide to build the same?
>>
>> Rgds
>> Indu
Re: build openssl for android
Do not use that one, it's old. Use this one
https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid

Just calling ndk-build should work.

On Wed, Sep 12, 2012 at 8:34 PM, Jason Goldberg wrote:
> For Android, check out this project as an example:
>
> https://github.com/eighthave/openssl-android
>
> They have the Android-specific Makefile configs for doing an NDK build. You could patch it with your changes and generate the .so libraries you need.
>
> On Sep 12, 2012, at 12:05 PM, Indtiny s wrote:
>
> Hi,
>
> I have to build the openssl 1.0.1c for the android. I have added new ECC-CCM cipher key support at the openssl, hence I want to build the same for android-ndk and use in my application as shared libraries. Is there any guide to build the same?
>
> Rgds
> Indu
Re: Why is the OpenSSL documentation incomplete?
Thanks, will check it out.

On Wed, Sep 12, 2012 at 4:30 PM, Matt Caswell (fr...@baggins.org) <fr...@baggins.org> wrote:
> Username is guest, password is guest.
>
> Matt
>
> On 12 September 2012 14:12, Kenneth Goldman wrote:
>> All I get is an (ironically unsecured) log in page. Do you have a link to the actual documentation?
>>
>> --
>> Ken Goldman kgold...@us.ibm.com
>> 914-945-2415 (862-2415)
>>
>> From:
>> To: openssl-users@openssl.org,
>> Date: 09/11/2012 06:48 PM
>> Subject: Re: Why is the OpenSSL documentation incomplete?
>> Sent by: owner-openssl-us...@openssl.org
>> --
>>
>> On Wed, 2012-09-12 at 00:28 +0300, farmdve data.bg wrote:
>> > I have seen a lot of applications that utilize the OpenSSL library, however I see that the majority of the documentation is incomplete.
>> >
>> > In particular, I need some documentation for the EC package in the 'crypto' sub-folder, I mean, it's not possible for application developers to generate Elliptic Curve keys without first understanding how to use it, in what order and how to initialize it.
>> >
>> > Any help on this?
>>
>> Please see this patch which I submitted some while ago, but unfortunately is still showing as "new" :-(
>>
>> http://rt.openssl.org/Ticket/Display.html?id=2799
>>
>> This is my attempt at adding documentation for the EC library.
>>
>> Matt
>>
>> PS Apologies if you have received this twice. Problem between chair and keyboard on first sending attempt!
RE: openssl on a home LAN
Hi, Gayathri,

I appreciate the clarification. It was helpful, yes. I think my confusion stemmed from the fact that in the past while installing one or another program, I found it to say that "OpenSSL must be installed on your system for this program to work properly." Okay, I think I got it now, the light has made it into my obstinate, thick skull. Clarity is a beautiful thing, thank you.

John

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Gayathri Sundar
Sent: Wednesday, September 12, 2012 10:07 AM
To: openssl-users@openssl.org
Subject: Re: openssl on a home LAN

Hi John,

I definitely do not agree with Charles's email, but what I think he meant is, you need to write programs to use OpenSSL. It's an installable library, which you need to invoke from your application using its exposed APIs and recompile your code, link OpenSSL library and execute for it to work. It's not a SSL solution if that is what you're looking for. Just installing OpenSSL is not going to give u SSL.

Thanks
--Gayathri

On Tue, Sep 11, 2012 at 8:36 PM, John A. Wallace wrote:

Charlie,

Frankly, your condescending manner is starting to annoy me, considerably. Furthermore, your name is not on this page as one of the moderators of this group: http://www.openssl.org/about/.

Moreover, I don't believe I need your permission to "hang out here". You need to read the link I provided you all the way to the end, it says that this group is for

1. Developers
2. OpenSSL usage
3. Installation problems

Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2 above, well I think that makes my asking it a legitimate question for this group. If you don't like it, you can just learn to use your reading program and ignore me. Thank you very much. J

John

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 3:22 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

Right. Are you an application developer? In other words, do you write computer programs? Does the following mean anything to you?

int main(int argc, char *argv[])
{
    printf("hello world\n");
    return 0;
}

Or alternatively, are you a Web site operator? Do you host a Web site that others access?

If the answer to both of these questions is No, then you are welcome to hang out here but the answer to your original question, "whether there is any point in using openssl" is No.

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 12:07 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

Hi. I am not trying to be mean or something, but you may want to take a look at this page:

http://www.openssl.org/support/community.html

Focusing on the part that describes this list, one can read this about its purpose:

Application Development, OpenSSL Usage, Installation Problems, etc.

That looks clear to me in that this list would provide support for the type of question I just asked, or did I misunderstand you? J

Thanks.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 12:52 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

Do you write computer programs, or are you a home user of personal computers?

If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for.

Some of the products you might buy might use OpenSSL "under the covers," but you would get support generally directly from the companies that produce those products, not this mailing list.

Not trying to be mean or off-putting. If I have missed the mark please let me know.

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 9:36 AM
To: openssl-users@openssl.org
Subject: openssl on a home LAN

I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Re: build openssl for android
For Android, check out this project as an example:

https://github.com/eighthave/openssl-android

They have the Android-specific Makefile configs for doing an NDK build. You could patch it with your changes and generate the .so libraries you need.

On Sep 12, 2012, at 12:05 PM, Indtiny s <indt...@gmail.com> wrote:

Hi,

I have to build the openssl 1.0.1c for the android. I have added new ECC-CCM cipher key support at the openssl, hence I want to build the same for android-ndk and use in my application as shared libraries. Is there any guide to build the same?

Rgds
Indu
build openssl for android
Hi,

I have to build the openssl 1.0.1c for the android. I have added new ECC-CCM cipher key support at the openssl, hence I want to build the same for android-ndk and use in my application as shared libraries. Is there any guide to build the same?

Rgds
Indu
RE: openssl on a home LAN
Thanks. Take care. Good luck with your home LAN.

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Wednesday, September 12, 2012 9:51 AM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

No problem and no hard feelings. Take care and have a good day. Thanks.

John

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Wednesday, September 12, 2012 11:14 AM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

A thousand pardons. You totally misapprehend my intent. I guess that's a classic hazard of e-mail, isn't it? You're right, I make no pretense of being a moderator. It's a forum, and I'm just a citizen trying to help you out by answering the question you asked in the forum. I won't bother you again.

P.S. The name is Charles.

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 6:37 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

Charlie,

Frankly, your condescending manner is starting to annoy me, considerably. Furthermore, your name is not on this page as one of the moderators of this group: http://www.openssl.org/about/.

Moreover, I don't believe I need your permission to "hang out here". You need to read the link I provided you all the way to the end, it says that this group is for

1. Developers
2. OpenSSL usage
3. Installation problems

Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2 above, well I think that makes my asking it a legitimate question for this group. If you don't like it, you can just learn to use your reading program and ignore me. Thank you very much. J
RE: openssl on a home LAN
No problem and no hard feelings. Take care and have a good day. Thanks.

John

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Wednesday, September 12, 2012 11:14 AM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

A thousand pardons. You totally misapprehend my intent. I guess that's a classic hazard of e-mail, isn't it? You're right, I make no pretense of being a moderator. It's a forum, and I'm just a citizen trying to help you out by answering the question you asked in the forum. I won't bother you again.

P.S. The name is Charles.

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 6:37 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

Charlie,

Frankly, your condescending manner is starting to annoy me, considerably. Furthermore, your name is not on this page as one of the moderators of this group: http://www.openssl.org/about/.

Moreover, I don't believe I need your permission to "hang out here". You need to read the link I provided you all the way to the end, it says that this group is for

1. Developers
2. OpenSSL usage
3. Installation problems

Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2 above, well I think that makes my asking it a legitimate question for this group. If you don't like it, you can just learn to use your reading program and ignore me. Thank you very much. J
RE: Memory issues with ssl handshake
Not sure if it helps at all but FWIW I am using Windows pre-built OpenSSL dll's with server & client certificates, CAs, DH keys, and a CRL, and I am seeing no memory leaks whatsoever in Visual Studio 2010.

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Thomas Eckert
Sent: Wednesday, September 12, 2012 7:59 AM
To: openssl-users@openssl.org
Subject: Memory issues with ssl handshake

Hi,

Valgrind gives me a *lot* of messages like this

==19021== 2,056 bytes in 2 blocks are indirectly lost in loss record 186 of 190
==19021==    at 0x68EAC8B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19021==    by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==    by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==    by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==    by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==    by 0x6C73BB2: BN_set_bit (bn_lib.c:730)
==19021==    by 0x6C7E16E: BN_MONT_CTX_set (bn_mont.c:514)
==19021==    by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==    by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==    by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==    by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==    by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==    by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==    by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==    by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==    by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==    by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==    by 0x8060D14: ssl_connect (ssl.c:1078)

Compared to the above they vary only in one line, e.g.

==19021== 1,024 bytes in 2 blocks are indirectly lost in loss record 181 of 190
==19021==    at 0x68EAC8B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19021==    by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==    by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==    by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==    by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==    by 0x6C73D53: BN_copy (bn_lib.c:506)
==19021==    by 0x6C7DFCA: BN_MONT_CTX_set (bn_mont.c:421)
==19021==    by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==    by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==    by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==    by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==    by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==    by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==    by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==    by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==    by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==    by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==    by 0x8060D14: ssl_connect (ssl.c:1078)

The application in question is an http proxy and is leaking memory heavily. Actually, Valgrind also reports many entries as "still reachable" instead of "indirectly lost" but even those regions are mentioned by Valgrind like the above two blocks.

I doubt OpenSSL has such blatant memory leaks but I have been searching for the leaks for some time now and just cannot find anything - also due to the fact that Valgrind reports all the leaks like above, which is not really helpful. I do realize that for detailed help I would need to give some code on how the connections are set up but that code is pretty large. So best would be some hint as to where to look for or what regions of code to supply.

Looking for hints as to what is going wrong I went through some of the OpenSSL functions mentioned above and after "leaving my code" and entering OpenSSL code the only thing being passed around the functions is the actual SSL object - and no buffers of any kind. So I suppose the source of the problem lies in setting up the object, its context or whatever is stuck to it.

The first thing I checked on was how the SSL connections are torn down in my application:

    ERR_remove_state(0);
    SSL_CTX_free(ssl->ctx);
    SSL_free(ssl);

The first line was added only after starting the search for the leaks and I'm still not sure if that line doesn't break anything.

I did find some minor leaks in my code along the way (e.g. a forgotten ASN1_INTEGER_free()) but they were neither easy to find - because Valgrind also reported them like the above two blocks, meaning in the wrong place! - nor did they change much.

Does anyone have some tips for me?
Memory issues with ssl handshake
Hi,

Valgrind gives me a *lot* of messages like this

==19021== 2,056 bytes in 2 blocks are indirectly lost in loss record 186 of 190
==19021==    at 0x68EAC8B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19021==    by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==    by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==    by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==    by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==    by 0x6C73BB2: BN_set_bit (bn_lib.c:730)
==19021==    by 0x6C7E16E: BN_MONT_CTX_set (bn_mont.c:514)
==19021==    by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==    by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==    by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==    by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==    by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==    by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==    by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==    by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==    by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==    by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==    by 0x8060D14: ssl_connect (ssl.c:1078)

Compared to the above they vary only in one line, e.g.

==19021== 1,024 bytes in 2 blocks are indirectly lost in loss record 181 of 190
==19021==    at 0x68EAC8B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19021==    by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==    by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==    by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==    by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==    by 0x6C73D53: BN_copy (bn_lib.c:506)
==19021==    by 0x6C7DFCA: BN_MONT_CTX_set (bn_mont.c:421)
==19021==    by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==    by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==    by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==    by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==    by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==    by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==    by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==    by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==    by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==    by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==    by 0x8060D14: ssl_connect (ssl.c:1078)

The application in question is an http proxy and is leaking memory heavily. Actually, Valgrind also reports many entries as "still reachable" instead of "indirectly lost" but even those regions are mentioned by Valgrind like the above two blocks.

I doubt OpenSSL has such blatant memory leaks but I have been searching for the leaks for some time now and just cannot find anything - also due to the fact that Valgrind reports all the leaks like above, which is not really helpful. I do realize that for detailed help I would need to give some code on how the connections are set up but that code is pretty large. So best would be some hint as to where to look for or what regions of code to supply.

Looking for hints as to what is going wrong I went through some of the OpenSSL functions mentioned above and after "leaving my code" and entering OpenSSL code the only thing being passed around the functions is the actual SSL object - and no buffers of any kind. So I suppose the source of the problem lies in setting up the object, its context or whatever is stuck to it.

The first thing I checked on was how the SSL connections are torn down in my application:

    ERR_remove_state(0);
    SSL_CTX_free(ssl->ctx);
    SSL_free(ssl);

The first line was added only after starting the search for the leaks and I'm still not sure if that line doesn't break anything.

I did find some minor leaks in my code along the way (e.g. a forgotten ASN1_INTEGER_free()) but they were neither easy to find - because Valgrind also reported them like the above two blocks, meaning in the wrong place! - nor did they change much.

Does anyone have some tips for me?
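
An added triage sketch for the Valgrind output in the post above, not code from the post or from OpenSSL: it groups loss records by the innermost application frame and reports the deepest call all of them share, so records that differ only near the allocation site collapse into one finding. The sample records are the post's own, trimmed to ten frames each; treating ssl.c as the proxy's own source file is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the two loss records quoted in the post, trimmed to ten
# frames each and laid out the way Valgrind prints them.
SAMPLE = """\
==19021== 2,056 bytes in 2 blocks are indirectly lost in loss record 186 of 190
==19021==    at 0x68EAC8B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19021==    by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==    by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==    by 0x6C73BB2: BN_set_bit (bn_lib.c:730)
==19021==    by 0x6C7E16E: BN_MONT_CTX_set (bn_mont.c:514)
==19021==    by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==    by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==    by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==    by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==    by 0x8060D14: ssl_connect (ssl.c:1078)
==19021==
==19021== 1,024 bytes in 2 blocks are indirectly lost in loss record 181 of 190
==19021==    at 0x68EAC8B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19021==    by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==    by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==    by 0x6C73D53: BN_copy (bn_lib.c:506)
==19021==    by 0x6C7DFCA: BN_MONT_CTX_set (bn_mont.c:421)
==19021==    by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==    by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==    by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==    by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==    by 0x8060D14: ssl_connect (ssl.c:1078)
"""

HEADER = re.compile(
    r"^==\d+== ([\d,]+) bytes in ([\d,]+) blocks are "
    r"(definitely lost|indirectly lost|possibly lost|still reachable) "
    r"in loss record \d+ of \d+$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")


def parse_records(text):
    """Parse loss records; each record's frames are listed innermost first."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER.match(line)
        if m:
            records.append({"bytes": int(m.group(1).replace(",", "")),
                            "blocks": int(m.group(2).replace(",", "")),
                            "kind": m.group(3), "frames": []})
            continue
        m = FRAME.match(line)
        if m and records:
            records[-1]["frames"].append((m.group(1), m.group(2)))
    return records


def app_entry(frames, app_files):
    """Innermost frame whose source file is one of the application's own."""
    for func, loc in frames:
        if loc.split(":")[0] in app_files:
            return (func, loc)
    return None


def shared_path(stacks):
    """Frames common to every stack, walking inward from the outermost caller."""
    common = []
    for frames in zip(*(list(reversed(s)) for s in stacks)):
        if any(f != frames[0] for f in frames):
            break
        common.append(frames[0])
    return common


def summarize(text, app_files):
    """One summary per application entry frame, largest total first."""
    groups = defaultdict(list)
    for rec in parse_records(text):
        groups[app_entry(rec["frames"], app_files)].append(rec)
    summary = []
    for entry, recs in groups.items():
        path = shared_path([r["frames"] for r in recs])
        summary.append({
            "entry": entry,
            "records": len(recs),
            "bytes": sum(r["bytes"] for r in recs),
            "blocks": sum(r["blocks"] for r in recs),
            "kinds": sorted({r["kind"] for r in recs}),
            "innermost_shared": path[-1] if path else None,
        })
    return sorted(summary, key=lambda s: s["bytes"], reverse=True)


if __name__ == "__main__":
    # Assumption: ssl.c is the proxy's own file (the frame below SSL_do_handshake).
    for group in summarize(SAMPLE, app_files={"ssl.c"}):
        print(group)
```

BN_MONT_CTX_set_locked stores the Montgomery context it builds on the RSA key being used, so a group that converges there is released only when that key, and whatever certificate or session holds it, is freed.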
RE: openssl on a home LAN
A thousand pardons. You totally misapprehend my intent. I guess that's a classic hazard of e-mail, isn't it? You're right, I make no pretense of being a moderator. It's a forum, and I'm just a citizen trying to help you out by answering the question you asked in the forum. I won't bother you again.

P.S. The name is Charles.

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 6:37 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

Charlie,

Frankly, your condescending manner is starting to annoy me, considerably. Furthermore, your name is not on this page as one of the moderators of this group: http://www.openssl.org/about/.

Moreover, I don't believe I need your permission to "hang out here". You need to read the link I provided you all the way to the end, it says that this group is for

1. Developers
2. OpenSSL usage
3. Installation problems

Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2 above, well I think that makes my asking it a legitimate question for this group. If you don't like it, you can just learn to use your reading program and ignore me. Thank you very much. J
Re: openssl on a home LAN
Hi John,

I definitely do not agree with Charles's email, but what I think he meant is, you need to write programs to use OpenSSL. It's an installable library, which you need to invoke from your application using its exposed APIs and recompile your code, link OpenSSL library and execute for it to work.

It's not an SSL solution if that is what you're looking for. Just installing OpenSSL is not going to give you SSL.

Thanks
--Gayathri

On Tue, Sep 11, 2012 at 8:36 PM, John A. Wallace wrote:

> Charlie,
>
> Frankly, your condescending manner is starting to annoy me, considerably.
> Furthermore, your name is not on this page as one of the moderators of
> this group: http://www.openssl.org/about/.
>
> Moreover, I don’t believe I need your permission to “hang out here”. You
> need to read the link I provided you all the way to the end, it says that
> this group is for
>
> 1. Developers
> 2. OpenSSL usage
> 3. Installation problems
>
> Now inasmuch as my question pertained to “OpenSSL Usage”, i.e., number 2
> above, well I think that makes my asking it a legitimate question for this
> group. If you don’t like it, you can just learn to use your reading program
> and ignore me. Thank you very much. J
>
> John
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
> Sent: Tuesday, September 11, 2012 3:22 PM
> To: openssl-users@openssl.org
> Subject: RE: openssl on a home LAN
>
> Right. Are you an application developer? In other words, do you write
> computer programs? Does the following mean anything to you?
>
> int main(int argc, char *argv[])
> {
>     printf("hello world\n");
>     return 0;
> }
>
> Or alternatively, are you a Web site operator? Do you host a Web site that
> others access?
>
> If the answer to both of these questions is No, then you are welcome to
> hang out here but the answer to your original question, “whether there is
> any point in using openssl” is No.
>
> Charles
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
> Sent: Tuesday, September 11, 2012 12:07 PM
> To: openssl-users@openssl.org
> Subject: RE: openssl on a home LAN
>
> Hi. I am not trying to be mean or something, but you may want to take a
> look at this page:
>
> http://www.openssl.org/support/community.html
>
> Focusing on the part that describes this list, one can read this about its
> purpose:
>
> Application Development, OpenSSL Usage, Installation Problems, etc.
>
> That looks clear to me in that this list would provide support for the
> type of question I just asked, or did I misunderstand you? J
>
> Thanks.
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
> Sent: Tuesday, September 11, 2012 12:52 PM
> To: openssl-users@openssl.org
> Subject: RE: openssl on a home LAN
>
> Do you write computer programs, or are you a home user of personal
> computers?
>
> If you don’t write computer programs, then using OpenSSL at the level
> addressed by this mailing list is not what you are looking for.
>
> Some of the products you might buy might use OpenSSL “under the covers,”
> but you would get support generally directly from the companies that
> produce those products, not this mailing list.
>
> Not trying to be mean or off-putting. If I have missed the mark please let
> me know.
>
> Charles
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
> Sent: Tuesday, September 11, 2012 9:36 AM
> To: openssl-users@openssl.org
> Subject: openssl on a home LAN
>
> I am trying to figure out whether there is any point in using openssl on a
> home LAN between two computers. Would that improve on security in any
> way? Would I be limited in the types of OS connections? I mean, could I
> connect Windows with Linux? Also, if I want to make such a connection
> between two OS running in virtual machines, could that be done too? Thanks.
Re: Parsing X509 certificate subjectAltName
On Wed, Sep 12, 2012, Kenneth Goldman wrote:

> If I shouldn't use GEN_IPADD, what should I use?
>
> The goal is to extract the text value associated with several OIDs.
> dumpasn1 says the values are PrintableString.

You check each value of the returned GENERAL_NAMES structure until you find the one you are interested in. It looks like in your case it is the type GEN_DIRNAME which means the X509_NAME field directoryName of the union is relevant.

You can then analyse that X509_NAME field e.g. like a certificate subject name.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Why is the OpenSSL documentation incomplete?
Username is guest, password is guest.

Matt

On 12 September 2012 14:12, Kenneth Goldman wrote:

> All I get is an (ironically unsecured) log in page. Do you have a link to
> the actual documentation?
>
> --
> Ken Goldman kgold...@us.ibm.com
> 914-945-2415 (862-2415)
>
> From:
> To: openssl-users@openssl.org,
> Date: 09/11/2012 06:48 PM
> Subject: Re: Why is the OpenSSL documentation incomplete?
> Sent by: owner-openssl-us...@openssl.org
> --
>
> On Wed, 2012-09-12 at 00:28 +0300, farmdve data.bg wrote:
> > I have seen a lot of applications that utilize the OpenSSL library,
> > however I see that the majority of the documentation is incomplete.
> >
> > In particular, I need some documentation for the EC package in the
> > 'crypto' sub-folder, I mean, it's not possible for application
> > developers to generate Elliptic Curve keys without first understanding
> > how to use it, in what order and how to initialize it.
> >
> > Any help on this?
>
> Please see this patch which I submitted some while ago, but
> unfortunately is still showing as "new" :-(
>
> http://rt.openssl.org/Ticket/Display.html?id=2799
>
> This is my attempt at adding documentation for the EC library.
>
> Matt
>
> PS Apologies if you have received this twice. Problem between chair and
> keyboard on first sending attempt!
Re: Parsing X509 certificate subjectAltName
If I shouldn't use GEN_IPADD, what should I use?

The goal is to extract the text value associated with several OIDs. dumpasn1 says the values are PrintableString.

--
Ken Goldman kgold...@us.ibm.com
914-945-2415 (862-2415)

From: "Dr. Stephen Henson"
To: openssl-users@openssl.org,
Date: 09/11/2012 06:49 PM
Subject: Re: Parsing X509 certificate subjectAltName
Sent by: owner-openssl-us...@openssl.org

On Tue, Sep 11, 2012, Charles Mills wrote:

> > {
> >   case GEN_DNS:
> >   case GEN_URI:
> >   case GEN_IPADD:
> >     ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5);
> >     b = isWildcardedCNcompare(reinterpret_cast(pBuffer), nodeName);

Don't do that with the GEN_IPADD: it isn't an IA5String it is an OCTETSTRING representing the IP address in a format described by RFC3280 et al.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
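The two replies in this thread say that a GEN_IPADD entry is an OCTET STRING rather than text, and that the OID values asked about sit in the X509_NAME of a GEN_DIRNAME entry. The C below is an added example, not code from the thread and not OpenSSL's API: it walks the DER of a subjectAltName value by hand to show both encodings. The function names, the sample bytes and the choice of OID 2.5.4.10 are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Read one DER TLV from [p, end); returns pointer past it, or NULL if malformed. */
static const unsigned char *tlv(const unsigned char *p, const unsigned char *end,
                                unsigned *tag, const unsigned char **val, size_t *len)
{
    if (!p || end - p < 2) return NULL;
    *tag = *p++;
    size_t n = *p++, k = n & 0x7f;
    if (n & 0x80) {                          /* long form: k length bytes follow */
        if (k == 0 || k > 2 || (size_t)(end - p) < k) return NULL;
        for (n = 0; k; k--) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *val = p; *len = n;
    return p + n;
}

/* Find the first GeneralName with context tag `want` in a GeneralNames blob. */
static int san_find(const unsigned char *der, size_t derlen, unsigned want,
                    const unsigned char **v, size_t *n)
{
    unsigned t; const unsigned char *p, *end; size_t len;
    if (!tlv(der, der + derlen, &t, &p, &len) || t != 0x30) return -1;
    for (end = p + len; p < end; ) {
        if (!(p = tlv(p, end, &t, v, n))) return -1;
        if (t == want) return 0;
    }
    return -1;
}

/* [7] iPAddress is an OCTET STRING of 4 (IPv4) or 16 (IPv6) raw bytes, not text. */
int san_ipv4(const unsigned char *der, size_t derlen, char *out, size_t cap)
{
    const unsigned char *v; size_t n;
    if (san_find(der, derlen, 0x87, &v, &n) || n != 4) return -1;
    snprintf(out, cap, "%d.%d.%d.%d", v[0], v[1], v[2], v[3]);
    return 0;
}

/* [4] directoryName wraps a Name: SEQUENCE OF SET OF SEQUENCE { OID, value }.
   Copy the string value whose attribute OID equals oid[0..oidlen) into out. */
int san_dir_attr(const unsigned char *der, size_t derlen,
                 const unsigned char *oid, size_t oidlen, char *out, size_t cap)
{
    unsigned t; size_t n, on, vn;
    const unsigned char *p, *end, *rdn, *rend, *atv, *aend, *o, *val;
    if (san_find(der, derlen, 0xA4, &p, &n)) return -1;
    if (!tlv(p, p + n, &t, &p, &n) || t != 0x30) return -1;           /* RDNSequence */
    for (end = p + n; p < end; ) {
        if (!(p = tlv(p, end, &t, &rdn, &n)) || t != 0x31) return -1; /* RDN: SET */
        for (rend = rdn + n; rdn < rend; ) {
            if (!(rdn = tlv(rdn, rend, &t, &atv, &n)) || t != 0x30) return -1;
            aend = atv + n;
            if (!(atv = tlv(atv, aend, &t, &o, &on)) || t != 0x06) return -1;
            if (!tlv(atv, aend, &t, &val, &vn)) return -1;
            if (on != oidlen || memcmp(o, oid, on)) continue;
            if (t != 0x13 && t != 0x0c && t != 0x16) return -1;  /* Printable/UTF8/IA5 */
            if (vn >= cap || memchr(val, 0, vn)) return -1;      /* no embedded NUL */
            memcpy(out, val, vn); out[vn] = '\0';
            return 0;
        }
    }
    return -1;
}

/* Constructed SAN: DNS host.example, IP 192.0.2.7, dirName O=Example Org + CN=unit-7 */
const unsigned char SAMPLE_SAN[] = {
    0x30,0x3F, 0x82,0x0C,'h','o','s','t','.','e','x','a','m','p','l','e',
    0x87,0x04,0xC0,0x00,0x02,0x07, 0xA4,0x29,0x30,0x27, 0x31,0x14,0x30,0x12,
    0x06,0x03,0x55,0x04,0x0A, 0x13,0x0B,'E','x','a','m','p','l','e',' ','O','r','g',
    0x31,0x0F,0x30,0x0D, 0x06,0x03,0x55,0x04,0x03, 0x13,0x06,'u','n','i','t','-','7' };
const unsigned char OID_O[] = { 0x55, 0x04, 0x0A };   /* 2.5.4.10 organizationName */
```

An iPAddress entry whose content is not exactly 4 bytes (for instance the address written out as text) is rejected by `san_ipv4`, and `san_dir_attr` refuses values with an embedded NUL byte, which would otherwise truncate a C string comparison.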
Re: FIPS-Capable openssl-1.0.1c: HP-UX parisc2-gcc hmac.c Build Crashes if FIPS Algs Specified, Runs Otherwise
On 09/11/2012 10:41 PM, Welling, Conrad Gerhart wrote:

> openssl-users:
>
> Has anyone tried building FIPS-capable openssl-1.0.1c on HP PA-RISC 2.0?
> If so, please give me a clue.

We haven't had access to PA-RISC for some time now, so that platform is effectively unsupported.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
Re: HTTPS connection hangs during SSL handshake
It is not a firewall issue, I checked this from outside firewall. The strange part of the problem is it does not happen always, it works intermittently.

    [root@gateway bin]# openssl s_client -bugs -connect test.mydomain.com:443 -msg -state
    CONNECTED(0003)
    SSL_connect:before/connect initialization
    >>> SSL 2.0 [length 0067], CLIENT-HELLO
        01 03 01 00 4e 00 00 00 10 00 00 39 00 00 38 00
        00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
        33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04
        01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00
        00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00
        03 02 00 80 00 00 ff c6 89 a6 e3 3e 51 4c 4b d9
        e2 c4 29 01 63 54 06
    SSL_connect:SSLv2/v3 write client hello A

It simply hangs after this.

* Here "test.mydomain.com" is not real it is used for posting.

On Tue, Sep 11, 2012 at 7:02 PM, Aleksandr Konstantinov wrote:

> On Tuesday 11 September 2012, Supratik Goswami wrote:
>> Is there no one in the community who can help me to find the cause of
>> the problem ?
>
> Maybe You have firewall issues on "office IP" machine. Have You tried tcpdump or
> similar utility to check if there is something being sent/received?
>
> Regards,
>
> A.K.
>
>>
>> On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami wrote:
>> > I am using OpenSSL version : openssl-1.0.0j in our production.
>> >
>> > I am facing a strange problem where the SSL connection simply hangs
>> > during initial handshake when requested from our office IP address.
>> > When I run the same command from another IP address it works fine.
>> >
>> > From office IP (Unsuccessful connection):
>> >
>> > [root@gateway ]# openssl s_client -connect test.mydomain.com:443
>> > CONNECTED(0003)
>> >
>> >
>> > From a different IP (Successful connection):
>> >
>> > ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect
>> > test.mydomain.com:443
>> > CONNECTED(0003)
>> > depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
>> > Class 2 Policy Validation
>> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>> > verify error:num=19:self signed certificate in certificate chain
>> > verify return:0
>> > ---
>> > Certificate chain
>> >  0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
>> >    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
>> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
>> > Certification Authority/serialNumber=07969287
>> >  1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
>> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
>> > Certification Authority/serialNumber=07969287
>> >    i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
>> > Certification Authority
>> >  2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
>> > Certification Authority
>> >    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
>> > 2 Policy Validation
>> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>> >  3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
>> > 2 Policy Validation
>> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>> >    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
>> > 2 Policy Validation
>> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>> > ---
>> > Server certificate
>> > -BEGIN CERTIFICATE-
>> >
>> > REMOVED FOR SECURITY REASON
>> >
>> > -END CERTIFICATE-
>> > subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
>> > issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
>> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
>> > Certification Authority/serialNumber=07969287
>> > ---
>> > No client certificate CA names sent
>> > ---
>> > SSL handshake has read 4827 bytes and written 435 bytes
>> > ---
>> > New, TLSv1/SSLv3, Cipher is RC4-SHA
>> > Server public key is 2048 bit
>> > Secure Renegotiation IS supported
>> > Compression: NONE
>> > Expansion: NONE
>> > SSL-Session:
>> >     Protocol : TLSv1
>> >     Cipher: RC4-SHA
>> >     Session-ID:
>> > 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533
>> >     Session-ID-ctx:
>> >     Master-Key:
>> > 22B470A67XXXB50ED6237BE9
>> >     Key-Arg : None
>> >     Start Time: 1346765613
>> >     Timeout : 300 (sec)
>> >     Verify return code: 19 (self signed certificate in certificate chain
>> >
>> >
>> > Any ideas ?
>> >
>> >
>> > --
>> > Warm Regards
>> >
>> > Supratik

--
Warm Regards

Supratik
Re: Does this mailinglist work?
On Mon, 10 Sep 2012 13:21:12 -0700 "Charles Mills" wrote:

> Yes, it works. It may be moderated. Please be patient.
>
> Charles
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Carlo Wood
> Sent: Monday, September 10, 2012 10:34 AM
> To: openssl-users@openssl.org
> Subject: Does this mailinglist work?
>
> I just sent a long mail... but it doesn't seem to appear on the
> list :/
>

Apparently my post got lost... I just re-sent it again a few minutes ago... Hopefully it will appear this time, before this reply does :/.

--
Carlo Wood
Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile
Hi,

I don't think this question was answered. Could you please reply?

--
Ashok

On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion <klaus.mailingli...@pernau.at> wrote:

> Hi!
>
> I wrote a small program which dumps all root certificates from Windows
> certificate store into a file. Then I use openssl to connect to Google and
> validate its certificate:
>
> openssl s_client -connect www.google.com:443 -CAfile dump.crt
>
> When using openssl0.9.8k or openssl0.9.8x everything works as expected.
>
> When using openssl1.0.0g or openssl 1.0.1c the certificate validation
> fails with:
> Verify return code: 10 (certificate has expired)
>
> CONNECTED(016C)
> depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
> Certification Authority
> verify error:num=10:certificate has expired
> notAfter=Jan 7 23:59:59 2004 GMT
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
> When analyzing the cafile with the dumped certificates from Windows
> certificate store, I found out that there are two certificates for Verisign
> with identical subject, whereas one is expired, the other not.
>
> X.509 Certificate Information:
> Version: 1
> Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
> Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
> Validity:
> Not Before: Mon Jan 29 00:00:00 UTC 1996
> Not After: Wed Jan 07 23:59:59 UTC 2004
> Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
> Subject Public Key Algorithm: RSA
>
> X.509 Certificate Information:
> Version: 1
> Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
> Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
> Validity:
> Not Before: Mon Jan 29 00:00:00 UTC 1996
> Not After: Tue Aug 01 23:59:59 UTC 2028
> Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
> Subject Public Key Algorithm: RSA
>
>
> Thus, it seems that openssl 0.9.8 just ignores the expired certificate and
> searches if there is another valid one whereas openssl 1.0.0 stops with the
> first expired certificate.
>
> Is the new behavior the intended behavior? Is it possible to have the old
> behavior also in new openssl versions?
>
> Thanks
> Klaus
FIPS-Capable openssl-1.0.1c: HP-UX parisc2-gcc hmac.c Build Crashes if FIPS Algs Specified, Runs Otherwise
openssl-users:

Has anyone tried building FIPS-capable openssl-1.0.1c on HP PA-RISC 2.0? If so, please give me a clue.

I can build the FIPS Object Module and link it, but, attempts to use FIPS algs fail although non-FIPS algs work. Following is brief description of test with hmac.c example from Users Guide.

###
### Platform
###
HP 9000 C3600 C-Class Workstation
PA-8600 Processor (64-bit)
HP-UX 11i
uname -a: HP-UX smirnov B.11.11 U 9000/785 2003396480 unlimited-user license
gcc-4.7.0

###
### Configure for FIPS Object Module OK.
###
...
CC=gcc
CFLAG =-DOPENSSL_FIPSCANISTER -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DL -D_REENTRANT -march=2.0 -O3 -D_REENTRANT
EX_LIBS =-Wl,+s -ldld
...
PROCESSOR =
RANLIB=/barrel/E2E/dhp/hp-gcc-4.7.0/bin/ranlib
ARFLAGS =
PERL =/usr/local/bin/perl5.8.8
SIXTY_FOUR_BIT mode
DES_PTR used
DES_RISC1 used
...
Configured for hpux-parisc2-gcc.
...

###
### Build FIPS Object Module without any problems and install to
###     /usr/local/ssl/fips-2.0 OK
###

###
### Copy and modify hmac.c slightly to print more info. Then use
### following Makefile to build it OK.
###
-> cat Makefile
CC = gcc
OPENSSLDIR = /usr/local/ssl/fips-2.0
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
CMD = hmac
OBJS = $(CMD).o

$(CMD): $(OBJS)
	FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(OBJS) $(LIBCRYPTO)

$(OBJS): $(CMD).c
	$(CC) -c $(CMD).c $(INCLUDES)

clean:
	rm $(OBJS)

###
### Run hmac con FIPS
###
-> hmac -v hmac.c.old
Start main
Call FIPS_mode_set()
Memory fault(coredump)

###
### Run hmac sin FIPS
###
-> hmac -c -v hmac.c.old
Start main
Start dofile
digest: 80a97335cb60a5a8278676aa6a725f5fbeee4944

###
### Confirm digest
###
-> openssl version
OpenSSL 0.9.8g 19 Oct 2007
-> openssl dgst -sha1 -hmac etaonrishdlcupfm hmac.c.old
HMAC-SHA1(hmac.c.old)= 80a97335cb60a5a8278676aa6a725f5fbeee4944
Re: Why is the OpenSSL documentation incomplete?
On Wed, 2012-09-12 at 00:28 +0300, farmdve data.bg wrote:

> I have seen a lot of applications that utilize the OpenSSL library,
> however I see that the majority of the documentation is incomplete.
>
> In particular, I need some documentation for the EC package in the
> 'crypto' sub-folder, I mean, it's not possible for application
> developers to generate Elliptic Curve keys without first understanding
> how to use it, in what order and how to initialize it.
>
> Any help on this?

Please see this patch which I submitted some while ago, but unfortunately is still showing as "new" :-(

http://rt.openssl.org/Ticket/Display.html?id=2799

This is my attempt at adding documentation for the EC library.

Matt
Re: HTTPS connection hangs during SSL handshake
On Tuesday 11 September 2012, Supratik Goswami wrote:

> Is there no one in the community who can help me to find the cause of
> the problem ?

Maybe You have firewall issues on "office IP" machine. Have You tried tcpdump or similar utility to check if there is something being sent/received?

Regards,

A.K.

>
> On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami wrote:
> > I am using OpenSSL version : openssl-1.0.0j in our production.
> >
> > I am facing a strange problem where the SSL connection simply hangs
> > during initial handshake when requested from our office IP address.
> > When I run the same command from another IP address it works fine.
> >
> > From office IP (Unsuccessful connection):
> >
> > [root@gateway ]# openssl s_client -connect test.mydomain.com:443
> > CONNECTED(0003)
> >
> >
> > From a different IP (Successful connection):
> >
> > ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect
> > test.mydomain.com:443
> > CONNECTED(0003)
> > depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
> > Class 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > ---
> > Certificate chain
> >  0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> >    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> > Certification Authority/serialNumber=07969287
> >  1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> > Certification Authority/serialNumber=07969287
> >    i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> > Certification Authority
> >  2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> > Certification Authority
> >    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> > 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> >  3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> > 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> >    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> > 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> > ---
> > Server certificate
> > -BEGIN CERTIFICATE-
> >
> > REMOVED FOR SECURITY REASON
> >
> > -END CERTIFICATE-
> > subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> > issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> > Certification Authority/serialNumber=07969287
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 4827 bytes and written 435 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is RC4-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol : TLSv1
> >     Cipher: RC4-SHA
> >     Session-ID:
> > 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533
> >     Session-ID-ctx:
> >     Master-Key:
> > 22B470A67XXXB50ED6237BE9
> >     Key-Arg : None
> >     Start Time: 1346765613
> >     Timeout : 300 (sec)
> >     Verify return code: 19 (self signed certificate in certificate chain
> >
> >
> > Any ideas ?
> >
> >
> > --
> > Warm Regards
> >
> > Supratik