Re: [openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?
On Sat, 3 Nov 2018 12:28:02 +0500 Марк Коренберг wrote:

> Try openssl cms (as newer alternative to s/mime)

cms is not newer than s/mime, it's the underlying message format of s/mime.

According to this
https://www.openssl.org/docs/man1.0.2/apps/openssl.html
it only supports deprecated cipher modes (cbc, cfb, ofb, ecb) and has exactly the malleability vulnerability the original poster was asking about (including a wide variety of obscure and some insecure ciphers).

I don't think this should be recommended.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?
Hi,

Malleability means that an attacker who is able to modify your encrypted data can - given some partial knowledge about the plaintext - do some modification of the ciphertext that will lead to specific modifications in the plaintext.

This can e.g. mean that if the attacker knows your plaintext is a tar file he knows the first bytes. Thus by some clever XOR-ing he can inject blocks into your ciphertext that he can control. All of this was the basis of the efail attack earlier this year.

Ideally you don't want to use any cipher that is vulnerable to these kinds of attacks. More modern cipher modes use authenticated encryption, which means they'll detect if modifications have happened. Such modes are e.g. GCM or Poly1305.

As for OpenSSL CLI vs. GnuPG, neither of them is ideal, but GnuPG is better. It uses a hash to provide some kind of authentication. It's not really an authenticated encryption mode, but it comes close.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

[openssl-users] TLS 1.3 compatibility issues with OpenSSL 1.1.1 prereleases, please stop using them
Hi,

tl;dr If you use OpenSSL 1.1.1_pre* versions please update to the final version as soon as possible.

Not sure if this has been discussed here before, but I'd like to point out a mail David Benjamin has recently sent to the TLS WG list:
https://www.ietf.org/mail-archive/web/tls/current/msg27066.html

Particularly he talks about issues the Chrome team had with deploying TLS 1.3. One of the issues affects OpenSSL prereleases. Some early versions of OpenSSL 1.1.1 (-pre6 and earlier) would allow connections from TLS 1.3 clients, but they would try to do a connection with a Draft TLS 1.3 version with a client that uses the final TLS 1.3 version. This obviously fails.

Long story short: If you happen to use such an OpenSSL pre version you'll likely have connection issues as more and more software will support TLS 1.3. So please update as soon as possible.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: [openssl-users] Bleichenbacher Vulnerability
Hi,

On Wed, 20 Dec 2017 11:51:39 +0530 haris iqbal <haris.p...@gmail.com> wrote:

> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?

It was probably fixed some time in the late 90s. However according to
https://www.openssl.org/news/changelog.html
the countermeasures were accidentally removed in some 0.9.6 version.

However there also was a 2012/2013 timing version of the attack fixed here:
https://github.com/openssl/openssl/commit/adb46dbc6dd7347750df2468c93e8c34bcb93a4b

We also observed some old OpenSSL 0.9.8g crashing when we ran Bleichenbacher scans against it, but we haven't entirely analyzed this.

> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Don't do this. Switch to a supported version. There's no way you will plausibly keep this secure. Bleichenbacher attacks may be the least of your worries.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: [openssl-users] AES-256 Do I need random IV?
On Thu, 27 Apr 2017 15:00:37 +0300 Yaşar Arabacı <yasar11...@gmail.com> wrote:

> For AES-256 encryption, should IV be random? I am already using a
> random salt, so I was wondering if IV should be random too.

An IV is part of a cipher mode. AES-256 is just a block cipher. You can't use it on its own. So you need to specify which cipher mode you want to use in order to make sense.

You most likely want to use GCM.

The requirement for the IV is usually that it's unique. Choosing it at random may or may not be a good idea, depending on how much data you encrypt and how long the IV is for that particular cipher mode.

For GCM using random IVs is not exactly recommended, better use a counter if you can keep state. But if you only encrypt small amounts of data per key a random IV is doable.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

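One way to do the "use a counter if you can keep state" option from the reply above, as an added example that is not part of the original mail: a 96-bit GCM IV built from a fixed field plus a counter (the deterministic construction described in NIST SP 800-38D), with the counter state written ahead in blocks so that a crash or restart skips values instead of repeating one. The names (iv_gen, persist_fn, RESERVE_STEP) and the in-memory storage stand-ins are made up for illustration; the encryption call itself is left out.

```c
#include <stdint.h>
#include <string.h>

#define GCM_IV_LEN   12     /* 96-bit IV = 32-bit fixed field || 64-bit counter */
#define RESERVE_STEP 1024   /* counter values reserved per write to storage */

/* Hypothetical persistence hook: must durably store high_water before
 * returning 0 (for example write + fsync of a small state file). */
typedef int (*persist_fn)(uint64_t high_water, void *arg);

struct iv_gen {
    uint8_t  fixed[4];     /* distinguishes senders that share one key */
    uint64_t next;         /* next counter value to hand out */
    uint64_t reserved;     /* values below this are already covered in storage */
    persist_fn persist;
    void *arg;
};

/* Start or restart from the stored high-water mark. After a crash the values
 * between the last IV used and the mark are skipped, so none is ever reused. */
static void iv_gen_init(struct iv_gen *g, const uint8_t fixed[4],
                        uint64_t stored_high_water, persist_fn persist, void *arg)
{
    memcpy(g->fixed, fixed, 4);
    g->next = g->reserved = stored_high_water;
    g->persist = persist;
    g->arg = arg;
}

/* Write the next IV. Returns 0, or -1 when no IV may be issued: the counter
 * space is used up (rotate the key) or the reservation could not be stored. */
static int iv_gen_next(struct iv_gen *g, uint8_t iv[GCM_IV_LEN])
{
    if (g->next == g->reserved) {
        if (g->reserved > UINT64_MAX - RESERVE_STEP)
            return -1;
        if (g->persist(g->reserved + RESERVE_STEP, g->arg) != 0)
            return -1;
        g->reserved += RESERVE_STEP;
    }
    memcpy(iv, g->fixed, 4);
    for (int i = 0; i < 8; i++)                 /* big-endian counter */
        iv[4 + i] = (uint8_t)(g->next >> (56 - 8 * i));
    g->next++;
    return 0;
}

/* Read the counter back out of an IV (handy for logging and for tests). */
static uint64_t iv_counter(const uint8_t iv[GCM_IV_LEN])
{
    uint64_t c = 0;
    for (int i = 0; i < 8; i++)
        c = (c << 8) | iv[4 + i];
    return c;
}

/* In-memory stand-ins for stable storage, for demonstration only. */
static int store_ok(uint64_t hw, void *arg)   { *(uint64_t *)arg = hw; return 0; }
static int store_fail(uint64_t hw, void *arg) { (void)hw; (void)arg; return -1; }
```

On restart, pass the value last handed to the persistence hook as stored_high_water; a failure return means the caller must not encrypt with that key until the cause is fixed.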
Re: [openssl-users] More secure use of DSA?
On Fri, 2 Sep 2016 13:29:31 -0400 Leam Hall <leamh...@gmail.com> wrote:

> Do you have something I can read up on?

A couple:
https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
https://cr.yp.to/talks/2015.01.07/slides-djb-20150107-a4.pdf
https://eprint.iacr.org/2015/262.pdf

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: [openssl-users] DSA with OpenSSL-1.1
Hi,

On Fri, 1 Jul 2016 15:29:53 +0200 "pepone.onrez" <pepone.on...@gmail.com> wrote:

> After upgrade my software to use OpenSSL-1.1 one of the test is
> failing, the test in question client and server are configured to use
> DSA certificates. The server is configured to request a client
> certificate.

I can't answer your question, but I have one for you: Why do you use DSA?

There was a discussion in the TLS working group a while ago about DSA support and there was overwhelming support to remove it in TLS 1.3. The rationale was basically that DSA in TLS is rarely used at all, is often used with insecure key sizes (1024 bit) and has a severe weakness when it comes to bad random numbers. On top of that it has basically no advantage over the much more widely used RSA. The original reason (in the early 90s) to use DSA over RSA were patent issues, but those are long expired.

So my (and I think most others') impression is that DSA in TLS is as dead as it can be and probably the most sane move for OpenSSL would be to just remove it.

Given that I'd like to know why you seem to have chosen to still use DSA.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: [openssl-users] BIO_read hangs, how can I know if the server wants to send data?
Hello,

On Tue, 26 Apr 2016 16:58:48 + Michael Wojcik <michael.woj...@microfocus.com> wrote:

> But, again, this is just a performance and efficiency hit - it won't
> break anything - and if it's on the Apache side, there probably isn't
> much you can do about it. Maybe it's tunable in the Apache
> configuration but it seems like an odd thing to make configurable,
> and even odder to make wrong by default.

First of all: Before you continue speculating, my server is not doing anything secret, just connect to it :-) (the one behind hboeck.de)

It's definitely chunking, if I manually connect via openssl s_client I can see. The reason is (as Rainer pointed out in a private mail) server side includes used in the error pages. So it seems Apache's server side includes implementation causes lots of small chunks.

This essentially means my error pages are served horribly inefficiently. However I think that doesn't matter too much, as they should only be served on errors and errors should be hopefully scarce. This does not happen with static content. Also with PHP content I still get chunked encoding, but not these many small chunks.

I think we're getting pretty far away from openssl, so I hope nobody is annoyed by offtopic discussion (and I think we can close it here), just as people were speculating and it seemed to have generated quite some interest I wanted to give a final answer what the cause was.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: [openssl-users] BIO_read hangs, how can I know if the server wants to send data?
On Tue, 26 Apr 2016 18:31:31 +0200 Rainer Jung <rainer.j...@kippdata.de> wrote:

> The second pattern looks like "Transfer-Encoding: chunked". In this
> mode, a response is sent in chunks and each chunk is preceded by a
> hex number telling how big the next chunk is. The last chunk is
> followed by a "0" indicating no more chunks are expected. So the "2"
> is the size of the chunk size (two hex digits), next comes the chunk
> itself.
>
> That sort of encoding is typically used for dynamic content, when the
> final size of the response is not known in advance to avoid needing
> to buffer the whole response before sending it. It does not use a
> content-length header. Another case might be a transformation during
> response delivery that changes the size in a way that is not easy to
> calculate in advance, like compression.

Thanks, that was it. If I look at the data coming that's exactly how it looks like.

(I still wonder why Apache does that - for a 404 error page - but at least now I know what's going on)

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

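The chunked framing explained in the message above is also what answers the thread's original question of how to tell when the server has stopped sending: the end of the body is marked in the data itself, so the reader has to parse it. The following C decoder is an added example, not code from any of the posters; its names (chunk_dec, chunk_feed, feed_in_pieces) and the sample body are made up for illustration, and it covers only the chunked case, not header parsing or Content-Length responses.

```c
#include <stddef.h>
#include <string.h>

/* Incremental decoder for an HTTP/1.1 "Transfer-Encoding: chunked" body.
 * Feed it the bytes of each read; once st == CH_DONE the response is complete. */
enum ch_state { CH_SIZE, CH_EXT, CH_SIZE_LF, CH_DATA, CH_DATA_CR, CH_DATA_LF,
                CH_TRAILER, CH_TRAILER_LF, CH_DONE, CH_ERROR };

struct chunk_dec {
    enum ch_state st;
    size_t left;            /* payload bytes still expected in the current chunk */
    size_t total;           /* payload bytes decoded so far */
    int digits, line_len;   /* hex digits on size line; chars on trailer line */
};

static void chunk_init(struct chunk_dec *d) { memset(d, 0, sizeof *d); d->st = CH_SIZE; }

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Consume up to len bytes, appending payload to out (cap bytes; NULL discards).
 * Returns the number of input bytes consumed; stops at CH_DONE or CH_ERROR. */
static size_t chunk_feed(struct chunk_dec *d, const unsigned char *in, size_t len,
                         unsigned char *out, size_t cap) {
    size_t i = 0;
    while (i < len && d->st != CH_DONE && d->st != CH_ERROR) {
        unsigned char c = in[i];
        int v = hexval(c);
        if (d->st == CH_DATA) {                 /* bulk-copy payload bytes */
            size_t n = len - i < d->left ? len - i : d->left;
            if (out && d->total + n > cap) { d->st = CH_ERROR; break; }
            if (out) memcpy(out + d->total, in + i, n);
            d->total += n; d->left -= n; i += n;
            if (d->left == 0) d->st = CH_DATA_CR;
            continue;
        }
        i++;                                    /* every other state eats one byte */
        switch (d->st) {
        case CH_SIZE:
            if (v >= 0 && d->digits < 8) { d->left = d->left * 16 + (size_t)v; d->digits++; }
            else if (d->digits > 0 && c == ';') d->st = CH_EXT;
            else if (d->digits > 0 && c == '\r') d->st = CH_SIZE_LF;
            else d->st = CH_ERROR;              /* no digits, junk, or size too long */
            break;
        case CH_EXT:     if (c == '\r') d->st = CH_SIZE_LF; break;  /* extension skipped */
        case CH_SIZE_LF: d->st = c != '\n' ? CH_ERROR : d->left ? CH_DATA : CH_TRAILER; break;
        case CH_DATA_CR: d->st = c == '\r' ? CH_DATA_LF : CH_ERROR; break;
        case CH_DATA_LF: d->st = c == '\n' ? CH_SIZE : CH_ERROR; d->digits = 0; break;
        case CH_TRAILER:                        /* optional trailer lines after size 0 */
            if (c == '\r') d->st = CH_TRAILER_LF; else if (++d->line_len > 4096) d->st = CH_ERROR;
            break;
        case CH_TRAILER_LF:                     /* an empty line ends the body */
            d->st = c != '\n' ? CH_ERROR : d->line_len ? CH_TRAILER : CH_DONE; d->line_len = 0;
            break;
        default: break;
        }
    }
    return i;
}

/* Constructed sample: three chunks, an extension, a trailer, then 4 bytes that
 * already belong to the next response. */
static const char SAMPLE[] = "5\r\nHello\r\n2;x=1\r\n, \r\n6\r\nworld!\r\n"
                             "0\r\nX-Trailer: a\r\n\r\nNEXT";

/* Feed SAMPLE in reads of `piece` bytes, as BIO_read() may deliver it.
 * Returns the bytes consumed; inspect d->st and d->total for the outcome. */
static size_t feed_in_pieces(struct chunk_dec *d, size_t piece, unsigned char *out, size_t cap) {
    size_t off = 0, n = sizeof SAMPLE - 1;
    chunk_init(d);
    while (piece && off < n && d->st != CH_DONE && d->st != CH_ERROR)
        off += chunk_feed(d, (const unsigned char *)SAMPLE + off,
                          n - off < piece ? n - off : piece, out, cap);
    return off;
}
```

A caller reading from a BIO would stop reading as soon as the state is CH_DONE; bytes not consumed by chunk_feed belong to the next response on the same connection.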
Re: [openssl-users] BIO_read hangs, how can I know if the server wants to send data?
Thanks for both your answers, that was very helpful (although it probably means what I'm trying to do is more complicated than I thought)...

One more question you might be able to answer: When I run my test code and connect to google.com I get the following bytes read for each BIO_read call:

1024 365 289

When I run these against my own server (relatively standard apache2.4+openssl setup) I get very different numbers:

240 287 2 588 2 41 2 115 2 12 2 110 2 69 2 20 2 6 2 34 2 17 2 12 2 37 2 290 2 6 5

Why is this so much more split up? And to what correspond these BIO_read chunks on the protocol level? Are these TLS records? TCP packets? Is there something horribly wrong with my server config because it splits them up in so many small parts?

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

[openssl-users] BIO_read hangs, how can I know if the server wants to send data?
Hi,

I have a problem here using OpenSSL, maybe I have some fundamental misunderstanding of how the API is supposed to be used.

What I want to do: Send a couple of HTTP requests over one connection (with HTTP/1.1, keep-alive enabled). Seems simple enough: I send a HTTP request and then read what the server sends, then send the next.

However: How do I know when the server has stopped sending? I have attached a code sample (it's missing lots of error checking in the initialization phase, but that's just for simplification of the code and shouldn't matter for now). The relevant part is here:

    for (i = 0; i < 5; i++) {
        printf("calling BIO_write\n");
        r = BIO_write(bio, request, strlen(request));
        printf("%i bytes written\n", r);
        do {
            printf("calling BIO_read\n");
            r = BIO_read(bio, buf, 1024);
            printf("%i bytes read\n", r);
        } while (r > 0);
    }

Now when I run this code it sends one write and reads a couple of times. However when it's done BIO_read will block the program execution and not return until a timeout.

So I need a way to know that there's nothing to read before calling BIO_read. Searching the docs I thought SSL_pending() might be what I need. However it always returns zero, no matter if the server has something to send or not.

Another sidenote: I have set the timeout of the context to 2, but it still hangs for much longer, so the timeout value doesn't seem to have any effect.

I also tried a number of other things, including using SSL_read/write, BIO_puts/gets (I didn't really find any good explanation when to use which of the three), using a nonblocking bio (but that was totally confusing) etc.

Any help appreciated.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

    #include <stdio.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/ssl.h>

    int main()
    {
        SSL_CTX *ctx;
        BIO *bio;
        SSL *ssl;
        char buf[1024];
        int r, i;
        const char *request = "GET / HTTP/1.1\r\nHost: x\r\n\r\n";

        /* Library and connection setup (no error checking, as noted above) */
        SSL_library_init();
        SSL_load_error_strings();
        ctx = SSL_CTX_new(TLSv1_2_method());
        SSL_CTX_set_timeout(ctx, 2);
        bio = BIO_new_ssl_connect(ctx);
        BIO_set_conn_hostname(bio, "google.com:443");
        BIO_get_ssl(bio, &ssl);
        BIO_do_connect(bio);

        /* Send five requests over the same connection */
        for (i = 0; i < 5; i++) {
            printf("calling BIO_write\n");
            r = BIO_write(bio, request, strlen(request));
            printf("%i bytes written\n", r);
            /* Read until BIO_read returns <= 0; this is where the call blocks */
            do {
                printf("calling BIO_read\n");
                r = BIO_read(bio, buf, 1024);
                printf("%i bytes read\n", r);
            } while (r > 0);
        }
        return 0;
    }

Re: Re?: How to make a secure tcp connection without using certificate
On Fri, 23 May 2014 16:32:15 + Viktor Dukhovni openssl-us...@dukhovni.org wrote:

> On Fri, May 23, 2014 at 06:11:05PM +0200, nicolas@free.fr wrote:
>
> > use at the very least TLSv1 (and preferably TLSv1_2) protocol if you
> > want to use SSLv23_server_method(), don't forget to disable SSLv2 and
> > 3 protocols (and maybe TLSv1) with the command
> > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
>
> Typically, leaving SSLv3 enabled is just fine if both ends support
> something stronger they'll negotiate that.

That's not always true.

Some clients (e.g. all common browsers) do fallbacks that in fact can invalidate all improvements of later tls versions. These fallbacks also can happen by accident (e.g. bad connections) and sometimes disable features like SNI.

That's why I recommend to everyone that we need at least to deprecate SSLv3.

--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: RSASSA-PSS command
On Thu, 17 Apr 2014 19:20:49 +0800 (CST) shixin shixin...@163.com wrote:

> Oh, my purpose is generate x509 certificate that the Subject Public
> Key Information is id-RSASA-PSS 2058.

I think openssl is not able to do that. At least it wasn't when I wrote my thesis on RSA-PSS [1]. The only software out there capable of creating such PSS-only-keys was the IAIK java library.

[1] http://rsapss.hboeck.de/

--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: RSASSA-PSS command
On Thu, 17 Apr 2014 19:54:27 +0800 (CST) shixin shixin...@163.com wrote:

> I implement X.509 certificates with RSASSA-PSS signatures by openssl
> function, is it possible?

It is possible, however most browsers won't like it. (my code for nss is unfortunately bitrotting in bugzilla)

But we have two things here:
a) You can create RSASSA-PSS signatures with normal RSA key type. OpenSSL supports that.
b) You can have specific RSASSA-PSS-only-keys that are not allowed to do anything else. No support in OpenSSL as far as I know.

--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: Coverity Scan: Would/Did It Catch the Heartbleed Defect?
On Wed, 16 Apr 2014 05:25:58 -0500 Tom Browder tom.brow...@gmail.com wrote:

> Is OpenSSL participating in the Coverity free scanning program for
> open source software?

Don't know.

> If not, it might have caught the Heartbleed bug.

No.
http://blog.regehr.org/archives/1128

--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: Converting a root certificate from md5 to sha1
I don't know the answer to your main question, but:

On Tue, 15 Apr 2014 10:41:20 +0200 steff...@gmx.de wrote:

> I need to change this to sha1 because I have clients that do not
> accept md5 anymore.

If you use SHA256 you won't have to do this again in a few years. (Microsoft announced to deprecate sha1 signed certs at some point)

> Is there any way to convert the existing cert from md5 to sha1?
> I tried converting it to another format and then reimporting it using
> -sha1 but this doesn't work.

I think it should be somehow possible to create a cert with all the same parameters and just a new signature, but I'm not sure. Others may know more.

--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Who uses heartbeat?
Hi,

I wasn't really sure where to ask this, but I think this list is appropriate.

While having read so much about heartbleed, one question stays unanswered for me all the time: What's the use of this heartbeat extension?

I mean not the theoretical use (I can imagine that) but the use in practise. Is there any software out there that does anything with heartbeat? And more specifically: If there is, is it using TCP or UDP?

cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: Who uses heartbeat?
On Sun, 13 Apr 2014 13:12:41 +0200 Graham Leggett minf...@sharp.fm wrote:

> On 13 Apr 2014, at 12:25 PM, Hanno Böck ha...@hboeck.de wrote:
>
> > Is there any software out there that does anything with heartbeat?
> > And more specifically: If there is, is it using TCP or UDP?
>
> The RFC answers this:

No, it doesn't.

My question explicitly wasn't what the theoretical use cases for Heartbleed are. My question was specifically about real uses in real software. I haven't seen any yet.

--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Extracting of key exchange (DH / DHE) parameters of a connection
Hi,

I wanted to ask if anyone is aware of a simple way to extract the parameters of a key exchange.

On an SSL connection protected with either Diffie Hellman or Elliptic Curve Diffie Hellman usually the server should send the parameters of the key exchange to the client. What I'd like to have is a possibility with e.g. openssl s_client to extract these parameters, so I am able to investigate what parameters a server sends.

Is there any way to do this? s_client seems to have no such option, openssl dhparam is only meant to handle parameter generation and manipulation offline.

I'd also be happy with pointers to any other tool beside openssl that is capable of doing so (preferably free, commandline and linux-compatible).

cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42

Re: Reading digest algorithm from x509
On Mon, 18 Jun 2012 16:08:28 +0200 Dirk Menstermann noadsple...@web.de wrote:

> Would anybody be so kind to explain me how I can read the digest
> algorithm (sha1, sha256, other) from a X509 struct that was used by a
> CA when issuing the certificate (I am using version 0.9.8).

    openssl x509 -in [filename of certificate] -text

Then you will get a long output with various details, you have to look for a line like:

    Signature Algorithm: sha1WithRSAEncryption

which obviously means sha1. If it's sha256WithRSAEncryption, it's sha256 etc.

For non-RSA-algorithms or RSA-PSS, the situation can be more complex, but you won't find any of them in the wild. You'll also rarely find anything else than sha1 today - md5 and earlier are (luckily) almost extinct and for strange reasons CAs seem to resist the idea of replacing sha1 with the more secure sha256/sha512-algorithms.

--
Hanno Böck
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
http://www.hboeck.de/

Re: Is Sha2 supported for signing certs?
On Wed, 13 Jun 2012 11:11:50 -0700 Pushkar Pathak pushkar...@gmail.com wrote:

> openssl ca -md sha256

This one works - however openssl ca --help doesn't mention it. So it's undocumented, but works. I've used it to do this test installation:
https://sha2.hboeck.de/

sha2 can't work, because there is no sha2-algorithm. sha2 is an (afaik unofficial) name for a whole number of functions - sha256, sha384, sha512 and sha224.

--
Hanno Böck
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
http://www.hboeck.de/

Re: SubjectAltName in a wildcard certificate - is this possible?
On Fri, 11 May 2012 12:21:10 -0700 Andy GOKTAS andy.gok...@state.or.us wrote:

> We have the following in our certificate:
>
> CN = *.env.domain.com
> SubjectAltName: DNS=*.env.domain.com DNS=*.env
>
> Reason: We want to have users use the short name w/o getting the
> certificate warning prompt. Of course it works just fine with the
> FQDN, but we still get this error when attempting to hit the
> shortname in the url.

What exact shortname doesn't work?

As far as I'm aware of, you need to consider two things:
- *.env does not match env without a second level domain
- * only matches one domainpart. For example, *.env does not match abc.abc.env - you'd need *.*.env then

--
Hanno Böck
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
http://www.hboeck.de/

ECDH vs. ECDHE
Hello,

I'm trying to make sense out of the various abbreviations used for the SSL cipher suites listed by openssl ciphers.

I've googled, but found no explanation of what ECDHE is and how it compares to ECDH. I'm aware that ECDH stands for elliptic curve diffie hellman key exchange (and I'm also - cryptographically - aware what that means - perfect forward secrecy and such).

What is ECDHE, is it better than just ECDH and what's the difference?

Yours,
--
Hanno Böck
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
http://www.hboeck.de/

[PATCH] Enable setting CC and AR with environment vars
This patch allows the Configure script to detect the ar and cc command via environment variables. Taken from Gentoo package. Please apply. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:[EMAIL PROTECTED] --- Configure +++ Configure @@ -928,7 +928,8 @@ print IsMK1MF=$IsMK1MF\n; my @fields = split(/\s*:\s*/,$table{$target} . : x 30 , -1); -my $cc = $fields[$idx_cc]; +my $cc = $ENV{'CC'} || $fields[$idx_cc]; +my $ar = $ENV{'AR'} || ar; my $cflags = $fields[$idx_cflags]; my $unistd = $fields[$idx_unistd]; my $thread_cflag = $fields[$idx_thread_cflag]; @@ -951,7 +951,7 @@ my $shared_cflag = $fields[$idx_shared_cflag]; my $shared_ldflag = $fields[$idx_shared_ldflag]; my $shared_extension = $fields[$idx_shared_extension]; -my $ranlib = $fields[$idx_ranlib]; +my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib]; my $arflags = $fields[$idx_arflags]; my $no_shared_warn=0; @@ -1292,6 +1292,7 @@ s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/; s/^PROCESSOR=.*/PROCESSOR= $processor/; s/^RANLIB=.*/RANLIB= $ranlib/; + s/^AR=ar /AR= $ar /; s/^ARFLAGS=.*/ARFLAGS= $arflags/; s/^PERL=.*/PERL= $perl/; s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{krb5-include}/; signature.asc Description: This is a digitally signed message part.
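Review bot: The hunk at @@ -951 also makes RANLIB overridable (`my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];`), but the subject and description mention only CC and AR. Please list all three variables in the description, and consider printing the values finally chosen in the Configure output so that a build log shows when the toolchain came from the environment instead of the target table.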
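Review bot: In the hunk at @@ -1292, `s/^AR=ar /AR= $ar /;` only matches when the template line starts with exactly `AR=ar ` including the trailing space, while the neighbouring substitutions match `RANLIB=.*` and `ARFLAGS=.*`. If the template's AR line is ever spelled differently, the AR override is silently dropped while CC and RANLIB still take effect, which gives a mixed toolchain. Match the command word more loosely while keeping the rest of the line, or warn when the substitution did not fire.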
[PATCH] allow setting make command via env var
Taken from Gentoo Linux, please apply. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:[EMAIL PROTECTED] respect $MAKE if it is set in the environment so we don't get a mix of the host `make` and whatever $MAKE is set to when recursing http://bugs.gentoo.org/146316 --- openssl-0.9.8e/Configure +++ openssl-0.9.8e/Configure @@ -931,6 +931,7 @@ $default_ranlib= which(ranlib) or $default_ranlib=true; $perl=$ENV{'PERL'} or $perl=which(perl5) or $perl=which(perl) or $perl=perl; +my $make = $ENV{'MAKE'} || make; chop $openssldir if $openssldir =~ /\/$/; chop $prefix if $prefix =~ /\/$/; @@ -1554,7 +1557,7 @@ EOF close(OUT); } else { - my $make_command = make PERL=\'$perl\'; + my $make_command = $make PERL=\'$perl\'; my $make_targets = ; $make_targets .= links if $symlink; $make_targets .= depend if $depflags ne $default_depflags $make_depend; signature.asc Description: This is a digitally signed message part.
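Review bot: In the hunk at @@ -1554, `$make` goes into `$make_command` unquoted while `$perl` on the same line is wrapped in `\'...\'`, so the content of the MAKE environment variable becomes part of the command string as-is. If that is intended, so that a value carrying arguments keeps working, say so in a comment; otherwise quote it the same way as `$perl`. The header `@@ -1554,7 +1557,7 @@` is also offset by three lines although the only earlier hunk adds one, which suggests this was cut from a larger patch; please regenerate it against the target tree.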