Re: MacOSX Universal Static Libs
> The build process for Universal binaries on the Mac explicitly demands
> separate building, and then gluing the parts together. Xcode does
> this automatically for its projects, but for Makefile-based projects
> you pretty much have to do it yourself.
> Please see http://developer.apple.com/ for more information.

Hi Kyle:

Thank you for your quick response. For my own universal binaries, I have no difficulties compiling and linking using gcc/g++ with the "-arch ppc -arch i386" arguments, including building universal static libraries with ar+ranlib. I use the __LITTLE_ENDIAN__ & __BIG_ENDIAN__ macros in my code for any endian-dependent part. So it is possible to have a single build in one step for universal MacOS/Darwin binaries without separately building then gluing the ppc & i386 parts together.

However, for OpenSSL, I was wondering what can be done for any CPU-dependent parts like assembler code in the *.s files. I was hoping that other MacOSX developers might have some patches for the darwin universal build. It is looking like I will have to make separate builds for PPC & i386 and manually glue them together myself.

Alicia.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
MacOSX Universal Static Libs
Greetings:

Does anyone have any experience configuring openssl-0.9.8d to compile Universal (PowerPC + i386) static libraries for Darwin (MacOSX)? Although MacOS 10.4 has a port of openssl universal, its openssl library is dynamic, and I would much prefer to use static.

The configure script for openssl-0.9.8d only provides the following preconfigured ports for Darwin: "darwin-i386-cc" & "darwin-ppc-cc", but not universal. Unfortunately, since the i386 port for OpenSSL contains assembler, simply adding the "-arch ppc -arch i386" arguments to gcc won't help.

Would it be best to build openssl separately for both the "darwin-i386-cc" & "darwin-ppc-cc" ports, and then glue the static libraries together?

Thank you in advance,
Alicia.
Re: change/convert 512 bit long modulus to 2048 on private key?
> > Can this be done without having to make a new private
> > key? Or am I just barking up the wrong tree?
> Absolutely not.
> It's like saying, can I make a two-digit number into a three-digit number.
> (You could add leading zeros, but that misses the whole point.)

Not quite. For RSA, the highest bit in the modulus must be set. In other words, for all 2048 bit RSA keys, the value of their modulus (which is a product of the two secret primes) must be greater than 2^2047. You cannot add leading zeros to the 512 bit modulus to make it bigger than 2^2047, that is impossible, in the same way that 1+1=3 is impossible.

Note that all RSA public and private key operations involve applying a mod (division remainder) with the modulus. You cannot avoid it, you need to bite the bullet and generate new RSA keys.

Alicia.
Re: Changing existing certificates from 512 bits to 2048 bits
> Thank you for getting back to me
> I need to take the Root CA certificate/private key and
> change the modulus from 512 bit to 2048 bit. I assume
> that I have to make a new Root CA Certificate request
> and then sign it with the old one?
> The problem that I have is newer devices are not
> allowing me to insert our internal CA root as a trust
> root CA. The error message says the root CA is 512bits
> and must be 2048 bits before it can be accepted.

Dear Ray:

You cannot change the RSA key in the root CA certificate from 512 bit to 2048 bits. There is no way to convert a 512 bit RSA key to a 2048 bit key, since the bit size of an RSA key refers to THE HIGH BIT OF THE MODULUS number in the RSA key. You need a brand new RSA key.

You need to proceed with the following steps:

Step-1) generate a brand new RSA private key with a 2048 bit modulus

Step-2) generate a new self-signed root CA certificate that contains the RSA public key from Step-1 and a new X509 subject that is different from the old CA certificate, and is signed with the RSA private key from Step-1

Please note that special care in obtaining random data from multiple sources is needed for Step-1 in order to obtain a secure RSA private key for your CA.

OpenSSL has a number of command line options that can be used for Step-1 & Step-2. You should find lots of examples on how to do this if you use a search engine (Google).

Alicia.
Re: Changing existing certificates from 512 bits to 2048 bits
> I know this is a noob question but I have inherited an
> existing CA based on openssl. I need to change some
> existing certificates from 512 bit to 2048 bit. I have
> the private keys and was wondering if the proper
> approach was to renew the certificate and modify them
> there? Or is this not possible? Possible but through
> another mechanisms?

Dear Ray:

Your question is unclear. I assume that you are referring to RSA keys with 512 bit and 2048 bit modulus, correct? Even then, your question needs additional clarification. Do the existing certificates issued by your CA for each entity have:

1) a 512 bit RSA public key that corresponds to that entity's 512 bit RSA private key

2) a digital signature that was generated by the CA's 512 bit RSA private key when signing the certificate

In the case of (1), each entity needs to generate a brand new RSA private key with a 2048 bit RSA modulus, and then issue a certificate request (which needs to be validated) before the CA can issue the replacement certificates.

In the case of (2), if you have a copy of the original certificate requests, you can simply re-sign them with your new 2048 bit RSA signing key for your CA. Or if you don't, you can use openssl and other tools to extract the data from any issued certificate (RSA public key, X509 subject, X509v3 extensions, etc.) and then re-issue brand new certificates from that data, which you then sign with your new 2048 bit RSA signing key for your CA.

Note that for (2) you will need to generate a brand new CA (root) self-signed certificate that contains the corresponding 2048 bit RSA public key of the CA signing key. Also that new CA certificate should also have a different subject to distinguish it from the old CA root certificate.

Alicia.
no PKCS#5 padding in DES_cbc_encrypt/DES_cbc_decrypt
For some reason, the DES routines for CBC (Cipher Block Chaining) mode:

    DES_cbc_encrypt
    DES_cbc_decrypt

do not appear to add the required PKCS#5 padding. Is there another routine I should be using that works with the DES_key_schedule type?

Thanks in advance,
Alicia.
DES_ede3_cbc_encrypt and padding
Greetings:

The DES_ede3_cbc_encrypt() routine does not appear to properly pad data to fill out the last block. Consider, if the last block contains 4 bytes for the unencrypted text "test", DES_ede3_cbc_encrypt() is only padding the remaining characters with NULL characters:

    74:65:73:74:00:00:00:00

But shouldn't it be padded as follows:

    74:65:73:74:00:00:00:04

with the last byte containing the number of padded bytes. Note that if the last block is full, then an additional block of padding is added with 00:00:00:00:00:00:00:08.

Is CBC padding in OpenSSL handled by a separate routine? Shouldn't CBC padding be handled by the CBC routine?

Thanks in advance.
Alicia.
Re: The breaking of SHA1
Hi everybody:

Bruce Schneier said it best on his blog (dated 18 Feb 2005):

==
Earlier this week, three Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force.

SHA-1 produces a 160-bit hash. That is, every message hashes down to a 160-bit number. Given that there are an infinite number of messages that hash to each possible value, there are an infinite number of possible collisions. But because the number of possible hashes is so large, the odds of finding one by chance is negligibly small (one in 2^80, to be exact). If you hashed 2^80 random messages, you'd find one pair that hashed to the same value. That's the "brute force" way of finding collisions, and it depends solely on the length of the hash value. "Breaking" the hash function means being able to find collisions faster than that. And that's what the Chinese did.

They can find collisions in SHA-1 in 2^69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology.

...

For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.
==

Basically SHA1 is broken in the mathematical sense in that the Chinese cryptographers developed a method to find SHA1 collisions in only 2^69 calculations on average, which is 2048 times faster than the brute force method of finding it in 2^80 calculations. So we are only talking about 3 orders of magnitude decrease in finding SHA1 collisions compared to brute force.

Of course, having a method in 2^69 calculations that finds a second message that has the same SHA1 hash as a first message does not mean that the second message would be of any use to an attacker/forger.

Although this work is brilliant, it does not mean that at this point that digital signatures, certificates, and SSL/TLS handshaking that use SHA1 hashing are no longer secure. Additional SHA1 compromises would be needed to be found before attackers/forgers have a method to generate useful messages that have the same SHA1 message as a known message.

So we are safe for now against having attackers/forgers having a method of generating blocks of data that can be added to a message so that it SHA1 hashes to a known message. But there is an old saying inside the NSA: "Attacks always get better; they never get worse."

So although digital signatures, certificates, and SSL/TLS handshaking using SHA1 hashing are still secure for now, it is time to find and use better hashing algorithms that do not have the vulnerabilities that MD* & SHA* have.

Alicia.
Re: What binary data format is used by openssl enc?
Hi Steve:

> It's not ASN1 because the OpenSSL ASN1 code isn't fully streaming and to do so
> would be a massive undertaking which has so far not attracted any interest.
> The data following the salt is the raw encrypted data using standard block
> padding. This isn't conformant with any public standard.

Thank you for clearing things up for me regarding "openssl enc" encoding format. :-)

But now that you mentioned it, I would have to say that it would be more than a massive undertaking to use DER encoding for "openssl enc" streaming, it would be impossible, since DER encoding always puts an object's length before an object's contents. You would first need to dump the entire stream contents into a temporary location before you can obtain and DER encode the stream length, and to do so would not qualify as streaming since nothing comes out until everything is put in.

Alicia.
What binary data format is used by openssl enc?
Greetings:

I was wondering what type of data format is used by "openssl enc"? Specifically, when I type:

    openssl enc -des-ede3-cbc -e < fileName > fileName.3des

The resulting binary output file from "openssl enc", which is 3DES (triple-DES) encrypted with a password, is not DER encoded. In fact, the binary output file begins with the text "Salted__", which I am guessing is for the 3DES CBC mode initialization vector.

This means that "openssl enc" does not appear to use any ASN.1 format, like PKCS-7 EncryptedData, that I can discern. So what is this mystery format? Is it proprietary to OpenSSL, or does it conform to some public standard (CCITT, IETF, or PKIX)?

If the "openssl enc" format does conform to some public standard, then it should be specified in the man page so that other encryption libraries can conform to it.

Thanks in advance.
Alicia.
Re: Limited Intermediate Certificates
> I have a question about creating intermediate certificates with limited
> CN's that they can sign for. If I have my own fully-trusted root
> certificate, can I create a limited intermediate CA certificate for a
> particular subdomain that can sign certificates only for subdomains of that
> domain?
> For example, can I create a '*.youwant.to' CA cert that can sign
> certificates for things like 'www.youwant.to' and 'ftp.youwant.to'? (But not
> 'www.gate.net' of course.) I would then give that intermediate cert to the
> owners of the domain 'youwant.to'.

A certificate is a kind of signed digital document, and there is nothing that prevents any certificate and RSA private key from signing and issuing any certificate.

There might be some X509v3 extension (or you can easily create one) that you can put in a parent certificate, that can specify restrictions on the child certs signed by the parent.

However, I doubt that most of the standard clients (like Netscape/Mozilla, Microsoft IE/Outlook, etc.) would be able to handle that type of X509v3 extension for restrictions in a certificate chain. But if the certs are only intended for a closed client application that is based on OpenSSL, then that application can be modified to use that extension to restrict client certs in the manner that you want.

Alicia.
Algorithm used to convert passphrase provided in callback to cipher key.
Greetings:

I am working on making some embedded encryption code interop with openssl. To that end, I would appreciate if someone could please outline step-by-step how a pass-phrase provided in a password callback is converted into an encryption key for a symmetric cipher.

Whatever means openssl uses, it is not a simple hashing, since the commonly used digests only provide 128-160 bits per hash, and 168 bits is needed for ciphers like 3DES (Triple-DES).

Specifically, if a pass-phrase of "hello-world" is provided, how does openssl convert that into a 168 bit 3DES (Triple-DES) encryption key used by the "EVP_des_ede3_cbc()" cipher. This way, I can have my software generate the same cipher key that openssl does when the same pass-phrase is provided.

Thank you in advance.
Alicia.
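An added example, not part of the original posts and not OpenSSL's own code: a Python re-implementation of the EVP_BytesToKey() derivation that "openssl enc" and the PEM pass-phrase callback of this era rely on, together with a parser for the "Salted__" header asked about in the "openssl enc" thread above. MD5 with a single iteration is assumed (the default of OpenSSL 0.9.x), and the salt and ciphertext bytes are constructed sample values.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte marker "openssl enc" writes when a salt is used
SALT_LEN = 8          # the salt follows the marker; it is not the IV
DES_BLOCK = 8
DES3_KEY_LEN = 24     # 3 x 8 bytes (168 effective key bits plus parity bits)


def evp_bytes_to_key(passphrase, salt, key_len, iv_len, digest="md5", count=1):
    """Derive (key, iv) the way EVP_BytesToKey() does.

    D_1 = H^count(passphrase || salt)
    D_i = H^count(D_(i-1) || passphrase || salt)
    The D_i are concatenated; the key is cut first, then the IV.
    """
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        for _ in range(count - 1):          # extra hashing rounds when count > 1
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_enc_file(blob):
    """Split salted "openssl enc" output into (salt, ciphertext)."""
    header_len = len(MAGIC) + SALT_LEN
    if len(blob) < header_len or not blob.startswith(MAGIC):
        raise ValueError("missing 'Salted__' header")
    return blob[len(MAGIC):header_len], blob[header_len:]


def des_ede3_cbc_params(passphrase, blob):
    """Return (key, iv, ciphertext) for a file made with -des-ede3-cbc."""
    salt, ciphertext = split_enc_file(blob)
    if not ciphertext or len(ciphertext) % DES_BLOCK:
        raise ValueError("ciphertext is not a whole number of DES blocks")
    key, iv = evp_bytes_to_key(passphrase, salt, DES3_KEY_LEN, DES_BLOCK)
    return key, iv, ciphertext


# Constructed sample: marker, 8-byte salt, two placeholder ciphertext blocks.
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_FILE = MAGIC + SAMPLE_SALT + bytes(16)

if __name__ == "__main__":
    key, iv, ct = des_ede3_cbc_params(b"hello-world", SAMPLE_FILE)
    print("salt:", SAMPLE_SALT.hex())
    print("key :", key.hex())   # two MD5 outputs are needed to fill 24 bytes
    print("iv  :", iv.hex())    # the IV is the tail of the second MD5 output
    print("ciphertext bytes:", len(ct))
```

With MD5, the 24-byte key and 8-byte IV consume exactly two chained digests. One MD5 pass per block makes pass-phrase guessing cheap, which is why later OpenSSL releases added a PBKDF2 option to "openssl enc".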
Constructing RSA key from known primes, exponents, coefficients, etc.
Greetings:

If I know all of the values of an RSA key, including its primes, exponents, coefficients, etc., can I construct an openssl RSA object from it? The "RSA_generate_key" appears to only allow the building of a new RSA key from scratch, with random values that will not match the desired values of a known key.

For example, if we take a trivial 128 bit RSA key that has known values:

    Private-Key: (128 bit)
    modulus: 00:e2:57:d4:1c:13:73:d2:a3:73:42:0b:c5:35:f1:e0:23
    publicExponent: 65537 (0x10001)
    privateExponent: 5f:a6:3b:f5:8d:66:e1:b8:f3:4d:c6:7e:9d:58:1b:e1
    prime1: 00:fa:63:1b:38:77:f5:ed:91
    prime2: 00:e7:6a:bd:ab:71:01:a8:73
    exponent1: 00:92:9b:16:e4:20:71:51:d1
    exponent2: 0a:19:52:65:a4:ec:d9:99
    coefficient: 41:07:c6:20:02:27:40:9c

What can we do in OpenSSL so that we can import these values into an OpenSSL RSA object, and simply use "PEM_write_bio_RSAPrivateKey" to generate the following input?

    -----BEGIN RSA PRIVATE KEY-----
    MGICAQACEQDiV9QcE3PSo3NCC8U18eAjAgMBAAECEF+mO/WNZuG4803Gfp1YG+EC
    CQD6Yxs4d/XtkQIJAOdqvatxAahzAgkAkpsW5CBxUdECCAoZUmWk7NmZAghBB8Yg
    AidAnA==
    -----END RSA PRIVATE KEY-----

And can I do the same for the public key? If I have the following values?

    Modulus (128 bit): 00:e2:57:d4:1c:13:73:d2:a3:73:42:0b:c5:35:f1:e0:23
    Exponent: 65537 (0x10001)

Can I also import these values into an OpenSSL RSA object of the public key, and simply use "PEM_write_bio_RSAPublicKey" to generate the following output?

    -----BEGIN PUBLIC KEY-----
    MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRAOJX1BwTc9Kjc0ILxTXx4CMCAwEAAQ==
    -----END PUBLIC KEY-----

My goal is to be able to import RSA keys into OpenSSL from various sources, including those generated from Linux's FreeSwan IPSec "rsasigkey".

Thanks in advance.
Alicia.
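An added example, not from the original post and not OpenSSL code: a small Python DER encoder that assembles the PKCS#1 RSAPrivateKey structure from the eight values listed above and wraps it as PEM, so the result can be compared with the "RSA PRIVATE KEY" block in the post. It also reports components that contradict each other, a check worth running on key material imported from another tool. The function names are this example's own.

```python
import base64

# Values copied from the key dump in the post (colons and padding zeros dropped).
KEY = {
    "n":    0xe257d41c1373d2a373420bc535f1e023,   # modulus
    "e":    65537,                                 # publicExponent
    "d":    0x5fa63bf58d66e1b8f34dc67e9d581be1,   # privateExponent
    "p":    0xfa631b3877f5ed91,                   # prime1
    "q":    0xe76abdab7101a873,                   # prime2
    "dmp1": 0x929b16e4207151d1,                   # exponent1 = d mod (p-1)
    "dmq1": 0x0a195265a4ecd999,                   # exponent2 = d mod (q-1)
    "iqmp": 0x4107c6200227409c,                   # coefficient = q^-1 mod p
}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int; a 00 byte is prepended
    automatically when the top bit would otherwise read as a sign bit."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_length(len(body)) + body


def rsa_private_key_der(k):
    """PKCS#1 RSAPrivateKey: SEQUENCE of version 0 and the eight numbers."""
    order = ("n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp")
    body = der_integer(0) + b"".join(der_integer(k[name]) for name in order)
    return b"\x30" + der_length(len(body)) + body


def pem(der, label):
    """Base64 in 64-character lines between BEGIN/END markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def inconsistencies(k):
    """Names of components that do not fit the others (empty list = none)."""
    bad = []
    if k["p"] * k["q"] != k["n"]:
        bad.append("n")
    if k["d"] % (k["p"] - 1) != k["dmp1"]:
        bad.append("dmp1")
    if k["d"] % (k["q"] - 1) != k["dmq1"]:
        bad.append("dmq1")
    if (k["iqmp"] * k["q"]) % k["p"] != 1:
        bad.append("iqmp")
    return bad


if __name__ == "__main__":
    print(pem(rsa_private_key_der(KEY), "RSA PRIVATE KEY"), end="")
    print("inconsistent components:", inconsistencies(KEY) or "none")
```

The encoder accepts whatever numbers it is given, so the consistency check matters: OpenSSL offers RSA_check_key() for the same purpose once the values are loaded into an RSA object.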
Looking for 2 different plaintexts with same MD5 hash.
A number of months ago, I came across a website that had illustrated a MD5 weakness by providing two different pieces of readable English plaintext, with one or more words changed from the other, that had the exact same MD5 hash.

I have spent many, many hours looking for that URL (and banging my head against the wall for not archiving it when I first came across it). I have tried the openssl archives and various search engines without any luck.

Does anyone know the URL, or does anyone know of any pair of different readable English plaintext with the same MD5 hash?

Thank you in advance.

Sincerely,
Alicia (whose head is still throbbing from wall banging).
Howto use missing X509 objects in subject and not in X509v3 extensions!
Greetings all:

These very useful X509 objects are missing from OpenSSL and "objects.h".

    member (2.5.4.31)
    owner (2.5.4.32)
    roleOccupant (2.5.4.33)
    name (2.5.4.41)
    streetAddress (2.5.4.9)
    postalCode (2.5.4.17)
    telephoneNumber (2.5.4.20)
    facsimileTelephoneNumber (2.5.4.23)

In fact a lot of other X509 OIDs are missing as well, as you can see at: http://www.alvestrand.no/objectid/2.5.4.html

I can add these objects into my OpenSSL apps by using:

    nid = OBJ_create ("2.5.4.20", "Tel", "telephoneNumber");

And I can use these objects as a X509v3 extension by using something like:

    X509V3_EXT_add_alias (nid, NID_netscape_comment); // *** this works

However, since these are X509 objects, I wish these objects not be used as X509v3 extensions, and to be used within the X509 subject.

    X509_NAME_ENTRY_create_by_NID (&nameEntry, nid, V_ASN1_PRINTABLESTRING,
        (unsigned char *) "+1-416-860-9378", -1); // *** this fails

If I try to alias the NID of an X509 object, it fails:

    X509V3_EXT_add_alias (nid, NID_commonName); // ** this fails

In fact I cannot find any functions within OpenSSL to add missing X509 objects and use this in certificate subjects. I would be most grateful if someone has any advice on how this might be done using OpenSSL.

Thank you in advance.

Sincerely,
Alicia.
X509v3 extensions for root CA certs to support OCSP?
My contacts at Netscape mentioned that a few CA's like Verisign have issued new root CA certs that support the new OCSP (Online Cert Status Protocol), specified in RFC 2560. He also mentioned that OCSP support will not only be included in future Netscape browser/messenger releases, but will be also turned on (enabled) by default.

Because of this, we think it is wise for us to also add OCSP support to our root CA certs. The folks at Netscape mentioned that I only have a few days to resubmit replacement root certs with OCSP support, in order to make the cutoff for the Mozilla 6.0 release. If we add OCSP support to our root certs by the cutoff, it would avoid having to reissue our root certs in a year or so.

Unfortunately they did not give me any idea how to do this. I do not know what we need to add to our root CA certs in order to allow it to support OCSP for issued certs. Since OCSP is recent, I would assume that some type of X509v3 extension is needed in our root CA certs. But I have no details of what extension is needed and what object identifiers it uses.

Unfortunately, I do not have any of the new root CA certs from Verisign (or others) that support OCSP, so I cannot examine those certs for comparison, and look for X509v3 extensions. Do you know where we can download these new certs, I can't find them on Verisign's website? (BTW, none of the older Verisign root CA certs except the newest one in Mozilla 6.0 pr2 has OCSP support. And none of the Thawte root CA certs have it either.)

I would be most grateful if anyone has any info that might help. We do not need to implement OCSP yet, but we would like to make sure that our root certs support it now, so that we don't have to reissue replacement root CA certs in the near future, especially since our root CA certs will be bundled into web browsers.

BTW, it is cool that Richard Levitte managed to put together an OCSP patch for openssl. Hopefully we can get permission from CertCo to use their code in openssl, or we can replace the CertCo code, so that we can bundle it into the next openssl release.

Thank you in advance.

Yours truly,
Alicia.
Additional custom fields in DN in X509 certificate?
Greetings:

Is it possible to add additional customized fields to the DN (Distinguished Name) of a standard X509 certificate? Since the DN appears as text, with fields delimited by the forward slash character '/', in the subject of the X509 certificate, it should be easy enough to add these extra fields.

For example, the DN in my personal certificate is:

    /C=CA/ST=Ontario/L=Toronto/O=CyberStation Inc./OU= /CN=Alicia da [EMAIL PROTECTED]

And if we add a new field for my telephone number "/T=416-860-9378" to my DN:

    /C=CA/ST=Ontario/L=Toronto/O=CyberStation Inc./OU=/T=416-860-9378 /CN=Alicia da [EMAIL PROTECTED]

or if we add it to the end of the DN:

    /C=CA/ST=Ontario/L=Toronto/O=CyberStation Inc./OU= /CN=Alicia da [EMAIL PROTECTED]/T=416-860-9378

Are any of the above "extended" DN's valid? Would the X509 certificates that contain these DN's still be valid certs?

Instead of adding fields to the DN's, would it be better to add extra fields within an extension to the X509 certificate (like the extra netscape fields like "nsCertType")?

Thank you in advance.

Sincerely,
Alicia.

PS. If it is possible to safely add extra fields to a client certificate, then is it also possible with SSL3 or TLS to only allow those client certificates to be submitted in an encrypted manner, to a SSL server, after the client application first validates the server certificate? That way, the client's certificate can contain private data in its fields that only trusted servers are allowed to see. (This method would be very useful for decentralized databasing.)

begin:vcard
fn:Alicia da Conceicao
n:da Conceicao;Alicia
org:Cyberstation Inc.
adr:121 Richmond Street West, Suite 1104;;;Toronto;Ontario;M5H-2G4;Canada
email;internet:[EMAIL PROTECTED]
title:VP of Technology
tel;work:416-860-9378
tel;fax:416-860-9380
x-mozilla-cpt:;0
x-mozilla-html:TRUE
version:2.1
end:vcard
Re: spam
> > Doesn't majordomo support a feature to let you allow only people registered on
> > the list to post and not have to approve them?
> Sorry, what exactly do you mean? Sure, registered users (= subscribers) are
> always allowed to post without approval, of course. That's already the case.
> We talk about the guys who post but are _NOT_ subscribed. For this I've to
> either approve it manually (as I already do for openssl-dev) or we open the
> list so they can post without approval (as it's the case for openssl-users
> currently).

While we are on the subject of mailing list options, is there any way we can get the openssl mailing lists to prepend a [openssl-*] to the e-mail subject headers, like we get with the old [ssl-users] mailing list, the [apache-ssl] mailing list, and the current [ssl] talk mailing list?

Some of us get hundreds of e-mails a day, and even with mail filters to sort e-mail, we are still being swamped. Adding subject info would really help.

Thanks in advance.

Sincerely,
Alicia.