RE: SSL_CTX_set{_preferred)_cipher_list?
> > What is the difference between SSL_CTX_SET_cipher_list and > > SSL_CTX_set_preferred_cipher_list? > Which version of OpenSSL has the "preferred" version? I don't see this in > "master". Gaak. Sorry for the confusion. Looking at some decade-old local patches. :( /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Remove SSLv2 via #ifdef
I guess I was confused, expecting to see the "ssl23" stuff removed as well, but I guess it's okay to leave it. -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: TLS extensions
On 05/06/2013 09:53 AM, Daniel W wrote: Hello everyone, i want to use TLS extensions. In fact the two extensions trusted_ca_key and status_request. Could someone explain me how this works on a little example or lead me to a tutorial or good documentation? Exim uses status_request; source at http://git.exim.org/exim.git/tree -- Luck, Jeremy __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Self-signed certificates and keyUsage extension
On Sat, May 11, 2013 at 10:49:40AM +0200, Stefan H. Holek wrote: > On 10.05.2013, at 18:48, no_spam...@yahoo.com wrote: > > > openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem > > > > I get the following error: > > error 20 at 0 depth lookup:unable to get local issuer certificate > > IIRC, this means that the Subject and Issuer names on your > self-signed cert do not match. That's one possibility, multiple conditions are checked to determine whether a certificate is self-issued: #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) int X509_check_issued(X509 *issuer, X509 *subject) { if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); if (subject->akid) { int ret = X509_check_akid(issuer, subject->akid); if (ret != X509_V_OK) return ret; } if (subject->ex_flags & EXFLAG_PROXY) { if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; } one of these is that its keyUsage (if set) must include KU_KEY_CERT_SIGN. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Trouble with Illegal instruction
(This is a summary of the mail below, hence posted above it) Wauv! An original Pentium II, the first P6 model with MMX. I guess someone needs to recheck their assembler programming assumptions about which instructions are implied by the MMX CPUID bit. Note that this hardware (along with the P5 MMX) is part of the original definition of what that feature bit implies. For starters, check the code in fips_gcm_ghash_4bit_mmx for instructions that are beyond the MMX instruction set. On 11-05-2013 09:09, Holger Bruenjes wrote: Am 2013-05-11 02:45, schrieb Tom marchand: What platform is this running on? eistre:/ # uname -a Linux eistre 2.6.32-eisfair-1-SMP #1 SMP Thu Apr 4 17:26:28 CEST 2013 i686 i686 i386 GNU/Linux eistre:/ # /lib/libc.so.6 GNU C Library stable release version 2.8, by Roland McGrath et al. eistre:/ # cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 5 model name : Pentium II (Deschutes) stepping: 2 cpu MHz : 398.992 cache size : 512 KB fdiv_bug: no hlt_bug : no f00f_bug: no coma_bug: no fpu : yes fpu_exception : yes cpuid level : 2 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pse36 mmx fxsr up bogomips: 797.98 clflush size: 32 cache_alignment : 32 address sizes : 36 bits physical, 32 bits virtual power management: Holger On May 9, 2013, at 4:00 PM, Holger Bruenjes wrote: Hello I have build OpenSSL 1.0.1e with fips 2.0.3 eistre:/ # openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 when I use 'wget' with https I run in Illegal instruction I start with gdb and it comes Verbindungsaufbau zu eisler.nettworks.org (eisler.nettworks.org)| 139.20.200.42|:443... verbunden. Program received signal SIGILL, Illegal instruction. [Switching to Thread 0xb733e700 (LWP 16808)] 0xb7560650 in fips_gcm_ghash_4bit_mmx () from /usr/lib/libcrypto.so. 1.0.0 (gdb) Please can I solve that problem Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Self-signed certificates and keyUsage extension
IIRC, this means that the Subject and Issuer names on your self-signed cert do not match. Stefan On 10.05.2013, at 18:48, no_spam...@yahoo.com wrote: > openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem > > I get the following error: > error 20 at 0 depth lookup:unable to get local issuer certificate -- Stefan H. Holek ste...@epy.co.at http://pki-tutorial.readthedocs.org | http://pgpdump.net
Re: Remove SSLv2 via #ifdef
On 10-05-2013 21:24, Salz, Rich wrote: Would there be any interest (and support) from the dev team for patches that completely remove SSLv2 API’s? /r$ Already there: ./Configure -no-ssl2 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Defintion of OBJ_bsearch_pmeth()
On 11 May 2013 05:05, Lunar Mushrooms wrote: > Hello I can see a call to OBJ_bsearch_pmeth() in openssl source. By I could > not find the definition of OBJ_bsearch_pmeth(). I greped the entire source. > Can somebody help me to find the definition ? > > ./openssl-1.0.1d/crypto/evp/pmeth_lib.c:ret = OBJ_bsearch_pmeth(&t, > standard_methods, > It's a hash define. Defined here in pmeth_lib: IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, pmeth); IMPLEMENT_OBJ_BSEARCH_CMP_FN is defined in objects.h: #define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, nm)\ static int nm##_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)\ { \ type1 const *a = a_; \ type2 const *b = b_; \ return nm##_cmp(a,b); \ } \ static type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \ { \ return (type2 *)OBJ_bsearch_(key, base, num, sizeof(type2), \ nm##_cmp_BSEARCH_CMP_FN); \ } \ extern void dummy_prototype(void) Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Trouble with Illegal instruction
Am 2013-05-11 02:45, schrieb Tom marchand: What platform is this running on? eistre:/ # uname -a Linux eistre 2.6.32-eisfair-1-SMP #1 SMP Thu Apr 4 17:26:28 CEST 2013 i686 i686 i386 GNU/Linux eistre:/ # /lib/libc.so.6 GNU C Library stable release version 2.8, by Roland McGrath et al. eistre:/ # cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 5 model name : Pentium II (Deschutes) stepping: 2 cpu MHz : 398.992 cache size : 512 KB fdiv_bug: no hlt_bug : no f00f_bug: no coma_bug: no fpu : yes fpu_exception : yes cpuid level : 2 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pse36 mmx fxsr up bogomips: 797.98 clflush size: 32 cache_alignment : 32 address sizes : 36 bits physical, 32 bits virtual power management: Holger On May 9, 2013, at 4:00 PM, Holger Bruenjes wrote: Hello I have build OpenSSL 1.0.1e with fips 2.0.3 eistre:/ # openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 when I use 'wget' with https I run in Illegal instruction I start with gdb and it comes Verbindungsaufbau zu eisler.nettworks.org (eisler.nettworks.org)| 139.20.200.42|:443... verbunden. Program received signal SIGILL, Illegal instruction. [Switching to Thread 0xb733e700 (LWP 16808)] 0xb7560650 in fips_gcm_ghash_4bit_mmx () from /usr/lib/libcrypto.so. 1.0.0 (gdb) Please can I solve that problem Thanks Holger __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org