Re: [openssl-users] Unable to install OpenSSL

[Jeremy Farrell]

On 04/05/2018 01:16, Lunessia wrote:

I've been having various troubles with installing and compiling OpenSSL.
I started with 1.1.1-pre6, and my Perl client will tell me that I 
don't have NASM even if I have it installed (If I use VC-WIN64A)


Is NASM on your execution path? If not, try with it added to the path.

or output "If you want to report a building issue, please include the 
output from this command: Perl configdata.pl  
--dump" when I use VC-WIN64I


As others have pointed out, that would configure to build for Itanium 
which you don't want to do - VC-WIN64A is the one you want for x64.


With 1.0.2o, Perl compiles the program, but however, I can't use Dmake 
to compile it, as Dmake will state:


"dmake.exe:  makefile:  line 275:  Warning: -- Found non-white space 
character after '[' in [@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) 
$(THIS) -e $(BUILDENV)].
dmake.exe:  makefile:  line 307:  Warning: -- Found non-white space 
character after '[' in [[ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) 
-Iinclude \

    -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@  \
    $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \
    libcrypto.a $(EX_LIBS)].
dmake.exe:  makefile:  line 307:  Error: -- New group recipe begin 
found within group recipe."


I don't know anything about dmake, but this suggests it's not close 
enough to the expected version of make. I wouldn't be surprised if the 
VC builds effectively require nmake - they're certainly more likely to 
work with nmake.



Here are my programs:
A make implementation: Dmake from Perl
Perl 5 with core modules: ActivePerl 5.22.4.2205 with text::template 
installed

ANSI C Compiler: MinGW from Perl
A development environment in the form of in the form of development 
libraries and C header files: (I'm guessing) Visual Studio 2017 (I 
can't use Nmake with it for some reason)

Netwide Assembler: NASM 2.13.03
Operating system: Windows 10 x64


I'd find out what's stopping nmake working and fix it; then try with 
NASM on the path, configure with VC-WIN64A, and build with nmake.


Regards,
  jjf

--
J. J. Farrell
Not speaking for Oracle.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] MinGW64 / MSYS2 and ./Configure : use of Windows style path causing failures to 'make'

[Jeremy Farrell]

So you're not using the MSYS version of Perl - compare your output of 
'perl -v' with that given by Richard. That's very likely your problem, 
as Matt Caswell pointed out in the stackoverflow thread referred to earlier.


On 28/12/2016 00:52, Ron Gaw  via 
openssl-users wrote:

See below.

Jeremy Farrell>> What output do you get when you run the same commands 
as Richard? That is:

Jeremy Farrell>>
Jeremy Farrell>> type perl

$ type perl
perl is hashed (/mingw64/bin/perl)

Jeremy Farrell>>
Jeremy Farrell>> perl -v

$ perl -v

This is perl 5, version 22, subversion 0 (v5.22.0) built for 
MSWin32-x64-multi-thread


Copyright 1987-2015, Larry Wall

Perl may be copied only under the terms of either the Artistic License 
or the

GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

Jeremy Farrell>>
Jeremy Farrell>> perl -e 'print $^X,"\n";'

C:\msys64\mingw64\bin\perl.exe


--
J. J. Farrell
Not speaking for Oracle

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] MinGW64 / MSYS2 and ./Configure : use of Windows style path causing failures to 'make'

[Jeremy Farrell]

What output do you get when you run the same commands as Richard? That is:

type perl

perl -v

perl -e 'print $^X,"\n";'


On 27/12/2016 20:05, Ron Gaw  via 
openssl-users wrote:

I wondered about that as well.

First, regarding my msys64: The root '/' is mapped to "C:\msys64", and 
"/mingw64" is the directory where I keep all things MinGW64 w64.


Second: I do have multiple Perl's installed, though only one in the 
/mingw64 tree.  In essence, I *think* all the non-mingw64 per stuff I 
list below is irrelevant, but I'm not ruling those out as possible 
culprits in this issue...



So here's what I see (spoiler alert : nothing is jumping out at me as 
the culprit):


$ type /mingw64/bin/perl
/mingw64/bin/perl is /mingw64/bin/perl

$ /mingw64/bin/perl -v

This is perl 5, version 22, subversion 0 (v5.22.0) built for 
MSWin32-x64-multi-thread


Copyright 1987-2015, Larry Wall

Perl may be copied only under the terms of either the Artistic License 
or the

GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

$ pacman -Ss perl  /*--- NOTE: I cut out all the extraneous stuff and 
narrowed it to only what's [installed]


mingw64/mingw-w64-x86_64-perl 5.22.0-1 [installed]
A highly capable, feature-rich programming language (mingw-w64)
msys/libpcre 8.38-1 (libraries) [installed]
A library that implements Perl 5-style regular expressions
msys/libpcre16 8.38-1 (libraries) [installed]
A library that implements Perl 5-style regular expressions
msys/libpcre32 8.38-1 (libraries) [installed]
A library that implements Perl 5-style regular expressions
msys/libpcrecpp 8.38-1 (libraries) [installed]
A library that implements Perl 5-style regular expressions
msys/libpcreposix 8.38-1 (libraries) [installed]
A library that implements Perl 5-style regular expressions
msys/pcre 8.38-1 [installed]
A library that implements Perl 5-style regular expressions
msys/perl 5.22.1-1 (base-devel) [installed]
A highly capable, feature-rich programming language
msys/perl-Authen-SASL 2.16-2 (perl-modules) [installed]
Perl/CPAN Module Authen::SASL : SASL authentication framework
msys/perl-Convert-BinHex 1.123-2 [installed]
Perl module to extract data from Macintosh BinHex files
msys/perl-Encode-Locale 1.04-1 (perl-modules) [installed]
Determine the locale encoding
msys/perl-File-Listing 6.04-2 (perl-modules) [installed]
parse directory listing
msys/perl-HTML-Parser 3.71-3 (perl-modules) [installed]
Perl HTML parser class
msys/perl-HTML-Tagset 3.20-2 (perl-modules) [installed]
Data tables useful in parsing HTML
msys/perl-HTTP-Cookies 6.01-2 (perl-modules) [installed]
HTTP cookie jars
msys/perl-HTTP-Daemon 6.01-2 (perl-modules) [installed]
A simple http server class
msys/perl-HTTP-Date 6.02-2 (perl-modules) [installed]
Date conversion routines
msys/perl-HTTP-Message 6.06-2 (perl-modules) [installed]
HTTP style messages
msys/perl-HTTP-Negotiate 6.01-2 (perl-modules) [installed]
choose a variant to serve
msys/perl-IO-Socket-SSL 2.016-1 (perl-modules) [installed]
Nearly transparent SSL encapsulation for IO::Socket::INET
msys/perl-IO-stringy 2.111-1 (perl-modules) [installed]
I/O on in-core objects like strings/arrays
msys/perl-LWP-MediaTypes 6.02-2 (perl-modules) [installed]
Guess the media type of a file or a URL
msys/perl-MIME-tools 5.506-1 [installed]
Parses streams to create MIME entities
msys/perl-MailTools 2.14-1 [installed]
Various e-mail related modules
msys/perl-Module-Build 0.4212-1 [installed]
Build, test, and install Perl modules
msys/perl-Net-HTTP 6.09-1 (perl-modules) [installed]
Low-level HTTP connection (client)
msys/perl-Net-SMTP-SSL 1.02-1 (perl-modules) [installed]
SSL support for Net::SMTP
msys/perl-Net-SSLeay 1.72-1 (perl-modules) [installed]
Perl extension for using OpenSSL
msys/perl-TermReadKey 2.33-1 (perl-modules) [installed]
Provides simple control over terminal driver modes
msys/perl-Test-Pod 1.50-1 (perl-modules) [installed]
Check for POD errors in files
msys/perl-TimeDate 2.30-2 [installed]
Date formating subroutines
msys/perl-URI 1.68-1 (perl-modules) [installed]
Uniform Resource Identifiers (absolute and relative)
msys/perl-WWW-RobotRules 6.02-2 (perl-modules) [installed]
Database of robots.txt-derived permissions
msys/perl-YAML-Syck 1.29-1 (perl-modules) [installed]
Fast, lightweight YAML loader and dumper
msys/perl-libwww 6.13-1 (perl-modules) [installed]
The World-Wide Web library for Perl


*
*
*From:* Richard Levitte 
**


levitte>> The PERL definition is a bit odd for a mingw perl.  That 
path comes

levitte>> mingw64/mingw-w64-x86_64-perl 5.22.0-1 [installed]
levitte>> A highly capable, feature-rich 

Re: [openssl-users] big endian vs little endian

[Jeremy Farrell]

On 18/12/2016 16:21, sahorwitz wrote:

I am obviosly a newbie and missing something. How then do I encrypt the file
on one machine (little endian), transmit it to another machine (big endian)
and decrypt it there?


What problem are you actually seeing? In what way does the decryption 
fail on the destination machine? Please include the commands you are 
using in the problem scenario, and any messages put out by the commands. 
The endianness of the machines isn't relevant.


--
J. J. Farrell
Not speaking for Oracle

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem in compiling OpenSSL on Windows-7-32-bit

[Jeremy Farrell]

What version of OpenSSL? What version of nasm (nasm -v)? People are more 
likely to be able to help if you provide such basic information.


Regards,
   jjf

On 07/11/2016 11:42, Ajay Garg wrote:


Oops... pardon me.
The e) step was not done.

The errors came right after step d)


On 7 Nov 2016 3:36 p.m., "Ajay Garg" > wrote:


Hi All.

Following are the steps I followed :


###
a)
Downloaded nasm.exe from internet, and placed it in the include-path.

b)
*perl Configure VC-WIN32*

c)
*ms\do_nasm.bat

*
d)*
nmake -f ms\nt.mak

*
e)*
*
*make*

*###


*
Compilation runs fine for some time, but then I get hundreds of
IDENTICAL errors as follows ::


###
*tmp32\sha1-586.asm:3964: warning: `PTR' is not a NASM keyword
tmp32\sha1-586.asm:3964: error: comma, colon, decorator or end of
line expecte
after operand
tmp32\sha1-586.asm:3970: error: symbol
`__sha1_block_data_order_avx' redefined
tmp32\sha1-586.asm:3970: error: parser: instruction expected
tmp32\sha1-586.asm:3972: error: parser: instruction expected
tmp32\sha1-586.asm:3983: error: parser: instruction expected
tmp32\sha1-586.asm:3985: error: parser: instruction expected
tmp32\sha1-586.asm:3986: error: parser: instruction expected
tmp32\sha1-586.asm:3987: warning: label alone on a line without a
colon might
 in error
NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual
Studio 14.0\VC\
N\nasm.EXE"' : return code '0x1'
Stop.*

*###

*
Any pointers how to solve this?
I will heartfully grateful.

Thanks and Regards,
Ajay



--
J. J. Farrell
Not speaking for Oracle

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] libraries after the build for WIn platform

[Jeremy Farrell]

I'd recommend using the official releases rather than the 
work-in-progress code at the head of git. Whoever looks after the 
library which needs OpenSSL should be able to tell you what version it 
needs, but from those names it's the 1.0.2 branch or earlier. 1.0.2 will 
be supported until the end of 2019, and its latest release is 1.0.2j. 
It's available from the downloads page at 
https://www.openssl.org/source/ and there may be built binary 
distributions available elsewhere.


Regards,
  jjf

On 01/11/2016 09:25, Ernst Maurer wrote:

Thank you for the reply,
I've tried to build dynamic version (import lib + dll) so I see the 
libs like:

openssl.lib
libcrypto.lib
capi.lib
and some other ones,

so do you mean that libeay32 and ssleay32 some depricated version ? 
and recommend me to go throu the git history for a looking for? (of 
course, I built from the head of git.)


P.S. I need this for the linking with Microsoft REST SDK (aka Casablanca)

Rgds,
Ernst

On Tue, Nov 1, 2016 at 7:30 AM Jeremy Farrell 
<jeremy.farr...@oracle.com <mailto:jeremy.farr...@oracle.com>> wrote:


I think this depends on what version of OpenSSL you're using and
whether you're using static or dynamic libraries, none of which
you mention. There were changes in library names in recent
releases. Try reviewing the various NOTES, INSTALL, and README
files for whichever version of OpenSSL you are working with.

Note also that there are substantial API changes between major
releases of OpenSSL; if the thing you are building expects
particular names for the static or import library files, that
suggests it probably expects a particular API version (not the
newest one if it's expecting those names). If you use whatever
version of OpenSSL the other library is expecting, it should have
files with the expected names.

Regards,
jjf

On 31/10/2016 11:41, Ernst Maurer wrote:

hi

I'm not using openssl daily , just need to build and link it with
another library.
that lib requires libeay32.lib and ssleay32.lib.
Are these  ones from OpenSSL distribution?
I've tried two options:
1. download a few pre-built versions of the  binaries
2. build own binaries from latest git

both cases don't contain these lib (and dll) files.
please assist

Rgds,
Ernst




--
J. J. Farrell
Not speaking for Oracle

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] libraries after the build for WIn platform

[Jeremy Farrell]

I think this depends on what version of OpenSSL you're using and whether 
you're using static or dynamic libraries, none of which you mention. 
There were changes in library names in recent releases. Try reviewing 
the various NOTES, INSTALL, and README files for whichever version of 
OpenSSL you are working with.


Note also that there are substantial API changes between major releases 
of OpenSSL; if the thing you are building expects particular names for 
the static or import library files, that suggests it probably expects a 
particular API version (not the newest one if it's expecting those 
names). If you use whatever version of OpenSSL the other library is 
expecting, it should have files with the expected names.


Regards,
jjf

On 31/10/2016 11:41, Ernst Maurer wrote:

hi

I'm not using openssl daily , just need to build and link it with 
another library.

that lib requires libeay32.lib and ssleay32.lib.
Are these  ones from OpenSSL distribution?
I've tried two options:
1. download a few pre-built versions of the  binaries
2. build own binaries from latest git

both cases don't contain these lib (and dll) files.
please assist

Rgds,
Ernst


--
J. J. Farrell
Not speaking for Oracle.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Unable to run Configure for msys/mingw

[Jeremy Farrell]

What do you expect that huge amount of lines to say?

In what ways did the subsequent make depend, build, and test stages fail?

On 28/05/2016 10:45, 杨岑 wrote:

No, it's not normal.

I copied the exact output, no truncation. There should be a huge amount
of lines before "Configured for mingw".

在 2016/5/28 16:51, Matt Caswell 写道:


On 28/05/16 05:13, 杨春雷 wrote:

DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined


Configured for mingw.


*** Because of configuration changes, you MUST do the following before
*** building:


 make depend

The configure script abruptly stops at "RC4_CHUNK is undefined", and no other 
error messages are given.

I'm not a familiar with Shell script so I am not able to locate the bug. Need 
help.


This looks like normal output to me (what makes you think it isn't?).

Just run "make depend" and "make" as normal.

Matt


--
J. J. Farrell
Not speaking for Oracle

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Diffie-Hellman Questions

[Jeremy Farrell]

Interesting; is this a server-side requirement? I ask because with 
1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection 
with AECDH-AES256-SHA without calling this function or similar.


Regards,
   jjf

On 25/05/2016 21:31, Norm Green wrote:
Yes!  That was the problem.  In order to use cipher "AECDH", 
SSL_CTX_set_ecdh_auto(ctx, 1) must be called first.


Thanks Michael!!

Norm


On 5/24/16 15:52, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On 
Behalf

Of Norm Green
Sent: Tuesday, May 24, 2016 13:40

I've tried both:

SSL_CTX_set_cipher_list("AECDH")

and:

SSL_CTX_set_cipher_list("AECDH-AES256-SHA")

on both the client and server side, both of which result in the dreaded
"no shared cipher" error:

error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
cipher:s3_srvr.c:1417:
You might run a wire trace to see what suites the client is actually 
advertising.


And you are using TLS, right?

For AECDH* (or any ECC suite), don't you have to tell OpenSSL what 
curve to use? I haven't implemented that bit myself in any 
applications, but my understanding is that with OpenSSL 1.0.2 you can 
just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to 
specify a particular named curve with SSL_CTX_set_tmp_ecdh.


--
J. J. Farrell
Not speaking for Oracle

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Regarding s_client -proxy option

[Jeremy Farrell]

The page you looked at says "master manpages" in bold at the top of the 
right hand column with "1.0.2 version" as one of the links for several 
different versions below. The URL you gave includes "manmaster" where 
the one you needed has "man1.0.2". It seems clear to me, though I 
suppose the use of "master" is jargon which is not necessarily obvious 
to everyone - it could be taken to mean "authoritative" for example. 
Perhaps "development" or "future release" would be clearer.


On 08/04/2016 09:01, Markus Reusch wrote:

Hello Viktor,

from what I can see there is no number wether in the URL nor on the page 
itself, that shows this docu is meant for the upcoming version 1.1.0.
Though it's clear now.

Thanks a lot for the hint!

Cheers
Markus

Von: Viktor Dukhovni


On Apr 8, 2016, at 2:52 AM, Markus Reusch  wrote:

I am in search of the –proxy option for s_client. According to 
https://www.openssl.org/docs/manmaster/apps/s_client.html it should be 
implemented

That's the documentation for the upcoming 1.1.0 release.  The related
1.0.2 document is:

https://www.openssl.org/docs/man1.0.2/apps/s_client.html

which makes no mention of the "-proxy" option, refreshingly, not for
lack of documentation, but rather because it is in fact not available.


--
J. J. Farrell
Not speaking for Oracle.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

[Jeremy Farrell]

This is a question about using the OpenSSL libraries; should be in 
openssl-users, copied and reply-to'd.


On 23/03/2016 17:25, Glen Matthews wrote:


We’re receiving this assertion at the start of negotiating an SSL 
connection:


c:\s\15\src\openssl\build\openssl-1.0.2f\crypto\sha\sha_locl.h(128): 
OpenSSL internal error, assertion failed: Low level API call to digest 
SHA1 forbidden in FIPS mode!




I notice the assertion message mentions a header from what looks like a 
1.0.2f tree, but the references below are all to a 1.0.2g tree. I've no 
idea if this is relevant to the problem, but I wonder if this is a 
self-consistent build of the libraries.


The last 2 lines of this stack trace shows that we are performing a 
BIO_read at this point.


How can we work around this issue? We’re using the self-validated FIPS 
module and openssl 1.0.2g.


glen

user32!ZwUserWaitMessage+0xa

 user32!DialogBox2+0x212

 user32!InternalDialogBox+0x132

 user32!SoftModalMessageBox+0xee1

 user32!MessageBoxWorker+0x2eb

 user32!MessageBoxTimeoutW+0xba

 user32!MessageBoxW+0x4e

 libeay32f!OPENSSL_showfatal+0x25e 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 979]


 libeay32f!OpenSSLDie+0x22 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 1008]


 libeay32f!SHA1_Init+0x33 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\sha\sha_locl.h @ 128]


 libeay32f!EVP_DigestInit_ex+0x269 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 241]


 libeay32f!EVP_Digest+0x7a 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 359]


 libeay32f!ASN1_item_digest+0x6a 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\asn1\a_digest.c @ 107]


 libeay32f!X509_digest+0x44 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x_all.c @ 414]


 libeay32f!x509v3_cache_extensions+0x43 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 407]


 libeay32f!X509_check_purpose+0x47 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 134]


 libeay32f!X509_verify_cert+0x180 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x509_vfy.c @ 249]


 ssleay32f!ssl_verify_cert_chain+0x14a 
[c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\ssl_cert.c @ 759]


 ssleay32f!ssl3_get_server_certificate+0x1bb 
[c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 1255]


 ssleay32f!ssl3_connect+0x258 
[c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 345]


 ssleay32f!ssl23_get_server_hello+0x44a 
[c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 799]


 ssleay32f!ssl23_connect+0x1f2 
[c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 228]


 ssleay32f!ssl23_read+0x44 
[c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_lib.c @ 134]


 ssleay32f!ssl_read+0x5e 
[c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\bio_ssl.c @ 167]


 libeay32f!BIO_read+0xbf 
[c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\bio\bio_lib.c @ 212]


 hclftpx!CAsyncSslSocketLayer::OnReceive+0x1a8 
[c:\s\15\src\montreal\inc\asyncsslsocketlayer.cpp @ 357]



--
J. J. Farrell
Not speaking for Oracle.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [openssl-dev] openssl 1.0.1p PEM_write_bio_RSAPrivateKey fail. error: ASN1_get_object:too long

[Jeremy Farrell]

On 17/03/2016 06:32, Ranjith Kumar A. wrote:

> Need help.
This is a question about using the OpenSSL libraries, further discussion 
should be on openssl-users; I've set 'reply-to' appropriately, but I 
don't know what the mailing list will do with it.


I’m not able to encrypt a key using passphrase, below is the error  > message. > > **"error:0D07209B:asn1 encoding 
routines:ASN1_get_object:too long"** > > Have already googled for error 
but couldn't got much info > > unsigned char pass[] = "123456"; > > BIO 
*priv_bio = BIO_new( BIO_s_mem() ); > > RSA *rsa = RSA_generate_key( 
2048, 65537, NULL, NULL ) ret = > PEM_write_bio_RSAPrivateKey( priv_bio, 
rsa, EVP_aes_256_cbc(), pass, 64, NULL, NULL );
I don't know if or how it's related to your problem, but you have 
defined a 7 byte array as the passphrase then told the function to use 
64 bytes at that location. There's no saying what values the other 57 
bytes of the passphrase will have, assuming they're accessible at all.



...  > The same piece of code is working on openssl-0.9.8zg.

More luck than good judgement I suspect.


...

--
J. J. Farrell
Not speaking for Oracle.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

[Jeremy Farrell]

On 15/03/2016 21:24, Satya Das wrote:

Even if a vendor letter is good for CMVP, how is the vendor supposed to know ?


By remembering whether or not he followed the required procedure; it's 
the only way for him to know.



I would say openssl should give such a tool so that vendor and the testing Lab 
can know such things. It is more than critical that the applications link to 
the intended crypto module.


You miss the point. It is no more or less critical that 'the application 
link to the intended crypto module' than countless other things. Many of 
the other things cannot be checked by running a tool. How would a tool 
check that the vendor had executed 'make' at the appropriate stage as 
opposed to (say) '/usr/bin/make'? How would a tool check that the vendor 
had got the original tar file from the OSF CD rather than by downloading it?



This convoluted and complex object module linking etc. with 207 page user guide 
is specific to openssl's approach to FIPS, and therefore should be addressed by 
the project. It should not come down to some vendor document written in good 
faith.


How can it come down to anything else? What other possible means are 
there for a customer to know that an OpenSSL-based product is FIPS 140-2 
validated?


--
J. J. Farrell
Not speaking for Oracle.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] openssl 1.0.2g build fails with 'no-comp' or 'no-comp no-bio' configure options?

[Jeremy Farrell]

On 10/03/2016 17:04, PGNet Dev wrote:

I'm building openssl 1.0.2g on linux64

With my usual

./config ...

I end up with a successful build/install
...
If I add

./config no-comp ...

subsequent 'make' fails

make
...
enc.c:(.text+0x1253): undefined reference to `BIO_f_zlib'


Adding one or both of no-zlib no-zlib-dynamic should handle that.


Adding further

./config no-comp no-bio ...

'make' fails again, differently
...
Are additional/different config options required to enable/support the 
'no-comp' & 'no-bio' options?




I've not built with no-bio, suspect it is much more intimately entangled 
and may not be practical in 1.0.2g; there's been a lot of work done in 
master to clean up various optional exclusions, I think no-bio is 
expected to be working there.


--
J. J. Farrell
Not speaking for Oracle.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How to fix OpenSSL 1.0.1q Windows x86_64 build failure?

[Jeremy Farrell]

Go to https://git.openssl.org/?p=openssl.git and scroll down to the 
'heads' section. Click 'shortlog' for OpenSSL_1_0_1-stable, scroll down 
to around the date quoted in Viktor's message, and you'll find a commit 
with the description he quoted. Clicking on 'commitdiff' takes you to 
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=d724616f682cb374b613d7fbd57e4c2bf749469c


Regards,
  jjf

On 16/01/2016 08:26, Aaron wrote:

Hello Viktor,

Thank you very much for your response. I believe you are right.

As I am new to OpenSSL, I don't know how to check what is updated in commit
9501418ea2287658d1a11ce888ff97fa49e9164d.

I could not even find the commit in the list:
http://git.openssl.org/?p=openssl.git;a=shortlog

I wonder if you could show me what is updated in the commit or let me know
how to check it? Your help is appreciated.

Thanks again,
Aaron


--
J. J. Farrell

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] mailing list issues? Re: CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

[Jeremy Farrell]

A few zombie messages today:

Received: from mta.openssl.org (localhost [127.0.0.1])
by mta.openssl.org (Postfix) with ESMTP id 14CB4201BB;
Thu,  7 Jan 2016 12:13:22 + (UTC)
X-Original-To: openssl-us...@mta.openssl.org
Delivered-To: openssl-us...@mta.openssl.org
Received: by mta.openssl.org (Postfix, from userid 106)
 id 0F2632725F; Thu, 10 Dec 2015 11:50:15 + (UTC)

On 10/12/2015 11:50, Jayalakshmi bhat wrote:

Hi Matt

Thanks for the patch. Unfortunately patch did not work. ...


--
J. J. Farrell

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Windows Compile Fails

[Jeremy Farrell]

From: Jay Foster Sent: Friday, June 19, 2015 15:51

I got my application to compile  and link.  It seemed to run OK, but

 when I tried to run it on a different Windows machine, it failed
 with a pop up dialog complaining it could not find LIBEAY32.dll.  I
 'thought' I was statically linking this library, but apparently not.
  I have no idea how it worked on the one machine.  What is the magic
 incantation to get Visual Studio to statically link the OpenSSL
 libraries?

You'd save us a lot of guesswork, and probably get where you want to be 
more quickly, if you would

1) tell us what version of OpenSSL you're trying to build
2) tell us what build environment you're using (presumably some command 
prompt started from VS)
3) tell us the exact sequence of commands you're executing to build it, 
starting from the tarball


Have you read INSTALL.W32? It's probably well out of date in detail, but 
still valuable to point you in the right direction. As long as you're 
using the nt.mak makefile, you should get static libraries.


Regards,
jjf

--
J. J. Farrell

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install

[Jeremy Farrell]

There might be people on the OpenSSL list who can answer this, but your 
question is really about Apache configuration or installation. You'll 
probably get more knowledgable answers on an Apache list.


Regards,
   jjf

On 06/04/2015 17:04, Cathy Fauntleroy wrote:


A follow-up question…Should I have installed Apache 2.2.25 with no 
OpenSSL (instead of the one I did install with OpenSSL 0.9.8)?  I’m 
thinking that perhaps with the no ssl install, Apache would more 
easily recognize my OpenSSL 1.0.2 instance.  I appreciate your 
thoughts and suggestions.


Thanks…

*/Cathy Fauntleroy,/**Security+*

*Van Dyke Technology Group*

*Email:**cathy.fauntle...@vdtg.com mailto:cathy.fauntle...@vdtg.com*

*Office:  (443) 832-4768*

*From:* openssl-users [mailto:openssl-users-boun...@openssl.org] *On 
Behalf Of *Cathy Fauntleroy

*Sent:* Monday, April 6, 2015 11:35 AM
*To:* openssl-users@openssl.org
*Subject:* [openssl-users] Getting Apache to Recognize New OpenSSL Install

Hello Users,

I am in need of some assistance/documentation.  My current setup is:  
Windows 2008 R2, Apache 2.2.25 w/OpenSSL 0.9.8.  I need to enable 
TLS1.1, 1.2 but understand that 0.9.8 does not support those 
protocols.  So, I installed OpenSSL 1.0.2a and made system environment 
mappings to the CNF and CFG files.  The install was successful but 
Apache is not recognizing the updated OpenSSL version.  I am not very 
familiar with the intricacies of configuring this product.  Can anyone 
tell me how (or point me to documentation) I can get Apache to 
recognize the updated OpenSSL installation?


Thanks…**



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
J. J. Farrell
w: +44 161 493 4838

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] AES CBC approved encryption algorithm/option in FIPS

[Jeremy Farrell]

I assume it says it is a FIPS 140-2 approved mode because it is approved 
by FIPS 140-2 ;). Don't confuse the concepts of being 'FIPS approved' or 
'FIPS compliant' with being 'secure'. They are not the same thing, and 
can sometimes conflict.


On 20/03/2015 12:01, Philip Bellino wrote:


Hello,

I am using the Openssl-1.0.2 with openssl-fips-2.0.9 and have a question?

If AES CBC Encryption is considered vulnerable to an attacker with the 
capability to inject arbitrary traffic into the plain-text stream, 
then why is it listed as an approved algorithm/option in table 4A on 
page 14 of the OpenSSL Security Policy: 
http://openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf


I am just looking for a clarification.

Thanks,

Phil

*Phil Bellino*

*Principal Software Engineer| **MRV Communications Inc.*

300 Apollo Drive *| *Chelmsford, MA 01824

Phone: 978-674-6870*| *Fax: 978-674-6799

www.mrv.com



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL with 64bit Instruction-Set and libraries for Windows?

[Jeremy Farrell]

I'm not sure what you're missing, but 64-bit Windows (both x64 and Itanium) has 
been working fine for many years (since early in the 0.9.8 series at least). 
Shining Light ship an x64 binary package. Many of the comments in INSTALL.W64 
are out of date.

I use a site-specific build process with unusual tools, but it's based closely 
on INSTALL.W64. What command sequence are you using exactly? I don't understand 
The compiled libraries remain being build against the 32-bit versions; do you 
mean that you are doing a shared build, but the resulting DLLs are 32-bit?

Regards,
jjf

 From: Christian Weber [mailto:we...@infotech.de]
 Sent: Friday, December 05, 2014 4:19 PM
 
 Dear folks,
 
 as far as i can see, there is no true 64-bit support for building
 openssl (current version 1.0.1j).
 
 The contained file INSTALL.W64 states Win64 support as initial.
 Following the build instructions i get a resulting makefile which is
 almost identical with the
 one generated for VC-WIN32.
 
 The compiled libraries remain being build against the 32-bit versions.
 
 So what am i missing? Is there any real support for Win64?
 
 Thanks in advance
 
 --
 Christian Weber
 Security Software
 Abteilungsleiter Entwicklung
 mailto:we...@infotech.de
 --
 Infotech Gesellschaft für
 Informations- und Datentechnik mbH
 Tel. +49-2361-9130-0
 Fax +49-2361-9130-105
 
 Geschäftsführer
 Rainer Hans
 
 Gerichtsstand Recklinghausen
 Amtsgericht Recklinghausen HRB 1912
 USt.-IdNr. DE-811565628
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users

RE: sign data and verify it

[Jeremy Farrell]

Please read all of Jeff's message. As well as checking that OpenSSL is 
installed, he told you that you need to link against OpenSSL's libcrypto as 
well as against OpenSSL's libssl. In the linker command you show below, change 
'-lssl' to '-lssl -lcrypto'.

 

Regards,

 jjf

 

From: Amir Reda [mailto:amirale...@gmail.com] 
Sent: Monday, November 03, 2014 2:43 PM



dear sir i already installed ssl lib 

i use this command
amir@amir-Master:~$ sudo apt-get install libssl-dev
[sudo] password for amir: 
Reading package lists... Done
Building dependency tree   
Reading state information... Done
libssl-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
amir@amir-Master:~$ 

as you can see it is already installed

are there any solution

 

On Fri, Oct 31, 2014 at 4:14 PM, Jeffrey Walton HYPERLINK 
mailto:noloa...@gmail.com; \nnoloa...@gmail.com wrote:

On Fri, Oct 31, 2014 at 6:57 AM, Amir Reda HYPERLINK 
mailto:amirale...@gmail.comamirale...@gmail.com wrote:
 dear all i made a code for sign some data and verify it i am using eclipse
 as IDE and ubuntu 13.10 i have linked eclipse with ssl lib and crypto++
 which i use in this code i got an error

 Invoking: Cross G++ Linker
 g++ -L/usr/include/openssl -L/usr/include/cryptopp -L/usr/include/crypto++
 -L/usr/include -o sign  ./src/sign.o   -lssl -lcryptopp -lcrypto++
 /usr/bin/ld: ./src/sign.o: undefined reference to symbol
 'RSA_sign@@OPENSSL_1.0.0'
 /lib/i386-linux-gnu/libcrypto.so.1.0.0: error adding symbols: DSO missing
 from command line
 collect2: ld returned 1 exit status
Be sure you have the dev package installed for Ubuntu. I think that's
'sudo apt-get install libssl-dev'.(See
https://packages.debian.org/search?keywords=libssl-dev).

Add '-lss -lcrypto'. They are the OpenSSL libraries. Add them in the
order shown.

'-lcryptopp -lcrypto++' are Wei Dai's Crypto++ libraries. Are you sure
you need them?

 

RE: Make depend issue in Openssl-1.0.1j/ssl

[Jeremy Farrell]

Suggest you try again starting from a new download (or after checking the 
digest of your current download). This works fine for me, and many people must 
have done similar builds without reporting this.

 

If that doesn't work, you'll need to specify the platform you're trying to 
build on and the compiler and other build tools and versions you are using.

 

Regards,

  jjf

 

From: Philip Bellino [mailto:pbell...@mrv.com] 
Sent: Thursday, October 30, 2014 7:41 PM



Hello,

I am running in the following issue when I do a make depend (after the 
./config shared no-ssl3):

 

making depend in ssl...

make[3]: Entering directory '.../openssl-1.0.1j/ssl'

s3_lib.c:3370:4: #error Code needs update for SSLv23_method() support beyond 
TLS1_2_VERSION.

d1_lib.c:274:4: #error Code needs update for DTLS_method() support beyond 
DTLS1_VERSION.

make[3]: *** [depend] Error 1

 

In  ssl/s3_lib.c, there is a new case statement in openssl-1.0.1j:

 

   case SSL_CTRL_CHECK_PROTO_VERSION:

 /* For library-internal use; checks that the current protocol

  * is the highest enabled version (according to 

s-ctx-method,

  * as version negotiation may have changed s-method). */

 if (s-version == s-ctx-method-version)

 return 1;

 /* Apparently we're using a version-flexible SSL_METHOD

  * (not at its highest protocol version). */

 if (s-ctx-method-version == SSLv23_method()-version)

 {

#if TLS_MAX_VERSION != TLS1_2_VERSION

#  error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.

#endif

 if (!(s-options  SSL_OP_NO_TLSv1_2))

 return s-version == TLS1_2_VERSION;

 if (!(s-options  SSL_OP_NO_TLSv1_1))

 return s-version == TLS1_1_VERSION;

 if (!(s-options  SSL_OP_NO_TLSv1))

 return s-version == TLS1_VERSION;

 if (!(s-options  SSL_OP_NO_SSLv3))

 return s-version == SSL3_VERSION;

 if (!(s-options  SSL_OP_NO_SSLv2))

 return s-version == SSL2_VERSION;

 }

 return 0; /* Unexpected state; fail closed

--

 

A grep -ri TLS_MAX_VERSION *

 

include/openssl/tls1.h:#define TLS_MAX_VERSIONTLS1_2_VERSION

ssl/s23_clnt.c:/* ensure that TLS_MAX_VERSION is up-to-date */

ssl/s23_clnt.c:OPENSSL_assert(s-version = TLS_MAX_VERSION);

ssl/s3_lib.c:#if TLS_MAX_VERSION != TLS1_2_VERSION

ssl/tls1.h:#define TLS_MAX_VERSIONTLS1_2_VERSION

 

and a  grep -ri  DTLS_MAX_VERSION  *

 

include/openssl/dtls1.h:#define DTLS_MAX_VERSIONDTLS1_VERSION

ssl/dtls1.h:#define DTLS_MAX_VERSIONDTLS1_VERSION

ssl/d1_lib.c:#if DTLS_MAX_VERSION != DTLS1_VERSION

ssl/d1_lib.c:return s-version == DTLS_MAX_VERSION;

 

This leads me to believe that the code should never have the above error 
conditions occur, but in fact it is.

 

Any help would be most appreciated and I apologize if I am missing something in 
my analysis.

Thanks,

Phil 

Phil Bellino

Principal Software Engineer | MRV Communications Inc.

300 Apollo Drive |  Chelmsford, MA 01824 

Phone: 978-674-6870  |   Fax: 978-674-6799

www.mrv.com

 

MRV-email
 

The contents of this message, together with any attachments, are intended only 
for the use of the person(s) to whom they are addressed and may contain 
confidential and/or privileged information. If you are not the intended 
recipient, immediately advise the sender, delete this message and any 
attachments and note that any distribution, or copying of this message, or any 
attachment, is prohibited.

RE: [EXTERNAL] howto get a .so.X.Y.Z file rather than indivdual .o files in a libSOMETHING.a

[Jeremy Farrell]

I don't understand what you mean by but not, by default, that the .so files 
expect dependancies in another archive(member) search request. It sounds like 
the core of your issue is that you're trying to build AIX shared libraries, so 
you need to configure shared. If that's producing .so files (which can be 
used in that form on AIX) but you'd prefer them wrapped in a .a archive (which 
is common on AIX), then use the ar command to create a .a containing the .so.

 From: Michael [mailto:regis...@felt.demon.nl]
 Sent: Monday, August 04, 2014 10:00 PM
 
 I was - perhaps - not clear enough. Want I want is all the .o files
 together in a single file that can be a single member of an archive.
 Using the ./config shared got it to make .so files with everything
 combined - but not, by default, that the .so files expect dependancies
 in another archive(member) search request.
 
 I hope my post, and the extra bit (to you only) makes that clearer.
 
 Thanks for your reply to my first message!
 
 Michael
 
 On 8/4/2014 7:06 PM, Sands, Daniel wrote:
  To generate a .a of shared objects instead of static objects, really
 all you do is build the shared object(s) and create an archive out of
 them.  There is no special magic about it beyond creating the shared
 object in the first place.  When linking a new program to an archive of
 shared objects, and if you didn't specify an import file, AIX will just
 use the standard static object rules when it searches an archive for
 likely candidates to link in:  First logical member of the archive that
 has the desired symbol will be chosen for inclusion.  The difference is
 that the static linker will see the shared flag and just add that
 member of the archive to the file's dynamic loader table instead of
 statically linking it in.
 
 
  On Mon, 2014-08-04 at 08:45 +0200, Michael wrote:
 
 
  Dear all,
 
  I wish I knew better - howto use ld to craft an archive member, but I
 do
  not. (Below was sent to openssl-dev, if it arrived, please ignore for
  now - however, once I understand this AND if I figure out a simple
  change, I shall submit a patch for future AIX builds.)
 
  ===
 
  To be compatible with the standard AIX libraries I would like to
 learn
  howto generate a single
  .so file that goes into the .a file.
 
  FYI: AIX supports multiple versions of the ssl libraries using this
  convention:
 
  root@x093:[/data/prj/openssl/openssl-0.9.8.27]ar tv
 /usr/lib/libcrypto.a
  | head
  rwxr-xr-x 370769/647632 2192276 Nov 09 07:44 2009 libcrypto.so.0.9.8
 
  michael@x054:[/data/prj/apache/httpd/test]ar tv /usr/lib/libcrypto.a
  rwxrwxr-x 435159/781431 2965832 May 01 06:57 2014 libcrypto.so.1.0.0
  rwxrwxr-x 435159/781431 2253655 May 01 06:58 2014 libcrypto.so.0.9.8
 
  Members are, as expected, object modules
  michael@x054:[/data/prj/apache/httpd/test]ar xv /usr/lib/libcrypto.a
  x - libcrypto.so.1.0.0
  x - libcrypto.so.0.9.8
  michael@x054:[/data/prj/apache/httpd/test]file libcrypto*
  libcrypto.so.0.9.8: executable (RISC System/6000) or object module
 not
  stripped
  libcrypto.so.1.0.0: executable (RISC System/6000) or object module
 not
  stripped
 
  Unfortunately, the archive created by the tarball ./config and make
 are
  individual .o named object modules.
 
  Again, for compatibility I would like to have them contained in a .so
 
  root@x093:[/data/prj/openssl/openssl-0.9.8.27]ar tv libcrypto.a |
 head
  rw-r--r-- 0/0   6346 Aug 03 15:13 2014 cryptlib.o
  rw-r--r-- 0/0   8585 Aug 03 15:13 2014 dyn_lck.o
  rw-r--r-- 0/0  11602 Aug 03 15:13 2014 mem.o
  rw-r--r-- 0/0   1303 Aug 03 15:13 2014 mem_clr.o
  rw-r--r-- 0/0  13806 Aug 03 15:13 2014 mem_dbg.o
  rw-r--r-- 0/0   2048 Aug 03 15:13 2014 cversion.o
  rw-r--r-- 0/0  13170 Aug 03 15:13 2014 ex_data.o
  rw-r--r-- 0/0   2443 Aug 03 15:13 2014 tmdiff.o
  rw-r--r-- 0/0   1782 Aug 03 15:13 2014 cpt_err.o
  rw-r--r-- 0/0630 Aug 03 15:13 2014 ebcdic.o
 
  And applications expect the .so.$version as member name
 
  michael@x054:[/data/prj/apache/httpd/test]dump -H /usr/sbin/sshd
 
  /usr/sbin/sshd:
 
***Loader Section***
  Loader Header Information
  VERSION# #SYMtableENT #RELOCentLENidSTR
  0x0001   0x0196   0x08cc   0x006f
 
  #IMPfilIDOFFidSTR LENstrTBLOFFstrTBL
  0x0006   0x8fc0   0x0dde   0x902f
 
 
***Import File Strings***
  INDEX  PATH  BASEMEMBER
  0  /usr/lib:/lib
  1libc.a  shr.o
  2libcrypto.a
 libcrypto.so.1.0.0
  3libz.a  libz.so.1
  4libpam.ashr.o
  5libdl.a shr.o
 
  ===
 
  I 

RE: DTLS aborts

[Jeremy Farrell]

 From: Jeffrey Walton [mailto:noloa...@gmail.com]
 Sent: Tuesday, July 22, 2014 3:03 PM
 
 On Tue, Jul 22, 2014 at 9:42 AM, Brian Hassink
 brian.hass...@oracle.com wrote:
  ...
  I sent an email to r...@openssl.org yesterday, shortly after
  receiving the reply below, but received nothing in return
  and did not see a forward on openssl-...@openssl.org.

 I'm not sure if the bug report is forwarded to the devs.

New bugs and updates sent to RT should automatically get copied
as email to openssl-dev, and usually do.

 However, the devs actively monitor the queue. See
 https://www.openssl.org/about/roadmap.html and
 https://groups.google.com/forum/#!msg/mailing.openssl.users/mDrMrd3zOuQ/BRS_VLZB_mYJ.

That's only useful if a new report finds its way onto the queue.
Lack of email suggests that this one hasn't, and a search of RT
says the last new report to mention DTLS was raised 11 months
ago which seems to confirm it.

  I sent another email to r...@openssl.org about an hour ago and
  still see nothing.

 I don't believe there's a need to send multiple emails.
 
  I'm following the procedure documented here.  Have I missed
  something?

 Patience.

Possibly, but this does seem inordinately slow. If it were me, I'd
assume something was wrong.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OPENSSL_NO_SSL3 defined

[Jeremy Farrell]

When you configure the build with no-ssl3.

 

From: Sanju Gurung [mailto:sanju.gur...@gmail.com] 
Sent: Wednesday, July 16, 2014 11:03 AM



I was going through ssl23_client_hello function in ss23_clnt.c 
Does anyone know when OPENSSL_NO_SSL3 is defined?

Regards,
Sanju.

RE: Possible Issue

[Jeremy Farrell]

From: Me [mailto:ugobejishv...@gmail.com] 
Sent: Monday, April 14, 2014 7:34 AM

 possible vulnerable file: openssl-1.0.1g/ssl/d1_clnt.c
 Line: 155 unsigned char sctpauthkey[64];

 fixed sized arrays can be overflowed.

True, but only because ALL arrays can be overflowed no matter
how they are sized or allocated.

 To fix the problem

What problem?

 use functions that limit length, or ensure that the size is
 larger than the maximum possible length.

So show us the problem. What code accesses this array without either:
- explicitly limiting the length to the length of this array; or
- never accessing more than 64 bytes?

 It's avoid us attack like buffer overflow!

To avoid buffer overflow attacks, the code must never overflow
buffers. The sizes of the buffers and the ways they are allocated
are not directly relevant.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: New and bleeding - Install Win64 problems

[Jeremy Farrell]

Or there's always the semi-official Shining Light binary distribution for
32-bit and x64 Windows at http://slproweb.com/products/Win32OpenSSL.html


 From: Ricardo Villegas [mailto:ric...@rickyv.tk]
 Sent: Tuesday, April 15, 2014 1:49 AM
 
 If you want, I *can* provide you with a precompiled binary of OpenSSL
 1.0.1g, unless you MUST have 64-bit native. (I have compiled it using
 Visual Studio .NET 2002, on Windows 2000. It's a 32-bit DLL.)
 
 Cheers,
 _RVX
 
 -Original Message-
 From: Aaron Bahmer
 Sent: Monday, April 14, 2014 6:22 PM
 To: openssl-users@openssl.org
 Subject: New and bleeding - Install Win64 problems
 
 Sorry for the newbie question, but the archives didn't provide me any
 help. I'm dealing with the heartbleed bug, so updating openssl from
 1.0.1e to 1.0.1g on a Windows box where I run Apache/Tomcat.
 
 I downloaded the new openssl tarball (albeit with non-matching MD5
 signatures) and unpacked it to my server. I then opened the
 Install.w64 file for guidance. Here's an excerpt where I am working:
 
 
 Compiling procedure
  ---
 
  You will need Perl. You can run under Cygwin or you can download
  ActiveState Perl from http://www.activestate.com/ActivePerl.
 
  You will need Microsoft Platform SDK, available for download at
  http://www.microsoft.com/msdownload/platformsdk/sdkupdate/. As per
  April 2005 Platform SDK is equipped with Win64 compilers, as well
  as assemblers, but it might change in the future.
 
  To build for Win64/x64:
 
   perl Configure VC-WIN64A
   ms\do_win64a
   nmake -f ms\ntdll.mak
   cd out32dll
   ..\ms\test
 
 
 So, I downloaded and installed ActivePerl and installed the Windows SDK
 for Win 7 and .NET 4. I had to play with the Windows PATH environment
 variable a bit to get things to work.
 
 The Configure command seems to work.
 The ms\do_win64a has a problem on one line:
C:\Installers\openssl-1.0.1gml64 -c -Foms\uptable.obj
 ms\uptable.asm
'ml64' is not recognized as an internal or external command,
operable program or batch file.
 
 ...but I threw caution to the wind and tried to proceed anyhow.
 
 The nmake command is where I crash and burn. It seems to get most of
 the way through, then chokes out with this error message:
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft
 Visual Studio 10.0
\VC\bin\cl.EXE' : return code '0xc135'
 
 ...in researching this, it sounds like I need to run devenv.exe to work
 within the VS environment and then execute the cl command. However,
 having only installed the runtime libraries for VS9 and VS10, I don't
 have a devenv.exe to run.
 
 If I change to the 32bit installation from its instruction file, the
 nmake command still fails with this same error.
 
 Could this still be a path problem? Or???
 Thanks.
 
 ==
 Aaron Bahmer
 Director, Instructional Technology
 Eastern Wyoming College
 http://ewc.wy.edu | (307) 532-8284
 1-866-327-8996 (1-866-EAST WYO) x8284
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL version 1.0.1g fails to link on Win32

[Jeremy Farrell]

Perhaps, if you already have the source tree available in an environment where 
you can run findstr on it, and know about findstr. Google does a much quicker 
and easier job on this problem for everyone else, and is arguably more 
informative since it gives the check-in comments as well as at least some of 
the definitions and uses.

 From: Thomas J. Hruska [mailto:shineli...@shininglightpro.com]
 Sent: Thursday, April 10, 2014 8:53 AM
 
 On 4/9/2014 8:03 PM, Jeremy Farrell wrote:
  Googling check_winnt suggests openssl/e_os.h.
 
 findstr /sic:check_winnt *
 
 Is, IMO, easier and more informative than using Google.  Results in:
 
 apps\apps.c:if (check_winnt())
 crypto\bio\bss_log.c:   if (check_winnt())
 crypto\cryptlib.c:if (check_winnt()  OPENSSL_isservice()  0)
 crypto\rand\rand_win.c:  if (check_winnt()  OPENSSL_isservice()0)
 e_os.h:#  define check_winnt() (1)
 e_os.h:#  define check_winnt() (GetVersion()  0x8000)
 
 Used four times, has two #defines.
 
 --
 Thomas Hruska
 Shining Light Productions
 
 Home of BMP2AVI and Win32 OpenSSL.
 http://www.slproweb.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL version 1.0.1g fails to link on Win32

[Jeremy Farrell]

Googling check_winnt suggests openssl/e_os.h.

 From: Geoffrey Coram [mailto:gjco...@gmail.com]
 Sent: Thursday, April 10, 2014 3:27 AM
 
 Thanks for the report.  Is check_winnt() in the Windows libraries or
 in OpenSSL?  I tried Googling it, but didn't come up with anything,
 and I didn't find a declaration in the OpenSSL source code.
 
 I do nmake -f ntlib.mak, which makes some static libraries for me,
 using only code in crypto/ and ssl/  I suppose if check_winnt() is in
 a different directory, that would be my problem (and my fault for not
 re-running perl Configure).
 
 -Geoffrey
 
 On 04/09/2014 21:58, Steven Kneizys sknei...@ferrilli.com wrote:
 
  I just compiled 32 bit with ntdll.mak with nasm 2.11.02 and
  Visual Studio Express 2013 with no issues, with and without the
  DOPENSSL_NO_HEARTBEATS option.  I was making it to drop the keys
  files
  into Apache 2.2.26:
  openssl.exe
  ssleay32.dll
  libeay32.dll
 
  I am doing this to compile:
perl Configure VC-WIN32 --prefix=C:\ApacheSoftware\Apache22\bin
  --openssldir=C:\ApacheSoftware\Apache22\conf
ms\do_nasm
nmake -f ms\ntdll.mak
 
  I know this is in the docs and such but so many people are working
  in this right now I just thought I'd post that it can work OK with a
  newer VS version.
 
  Steve...
 
 
  On Wed, Apr 9, 2014 at 9:36 PM, Geoffrey Coram gjco...@gmail.com
  wrote:
 
   Hi -
   I just compiled OpenSSL 1.0.1g for Win32 using Visual Studio 2005;
  my
   application failed to link because of an unresolved external
   _check_winnt
  
   In crypto/rand/rand_win.c, function readscreen, this line:
 if (GetVersion()  0x8000  OPENSSL_isservice()0)
  
   was changed to
 if (check_winnt()  OPENSSL_isservice()0)
  
  
   And also in crypto/cryptlib.c, function OPENSSL_showfatal, this
  line:
   if (GetVersion()  0x8000  OPENSSL_isservice()  0)
  
   was changed to
   if (check_winnt()  OPENSSL_isservice()  0)
  
  
   I can't seem to find where check_winnt() is declared/defined.  So,
   I just changed it back.  This seems to work for me, but I thought
   I should mention it for other users.
  
   -Geoffrey
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Openssl 1.01f installs broken headers using VC++ 2013

[Jeremy Farrell]

 From: Michael Wojcik [mailto:michael.woj...@microfocus.com]
 Sent: Wednesday, March 05, 2014 9:33 PM
 
  From: Robin Rowe
  Sent: Wednesday, 05 March, 2014 14:55
 
  Trying to build Qt with openssl. Built openssl with VC++ 2013 without
  incident. However, the header files don't look right.
 
  The file openssl/include/ssl.h contains one line:
 
  ../../ssl/ssl.h
 
  This doesn't look like C++ to me.
 
 It isn't. It's a symlink.
 ...
 Some Windows Perl implementations work; some don't. With OpenSSL 1.0.1c
 on 32- and 64-bit versions of Win7 and Win2008, we've had to use
 ActiveState Perl (as opposed to, say, Cygwin Perl) *and* wrap it in a
 trivial program that sleeps for a couple of seconds after the real perl
 binary exits, if the latter's exit code was zero, to work around
 another Windows-and-Perl issue.
 
 (That second issue, if anyone's curious, is the dreaded missing-END-
 statement error from masm or ml64, apparently caused by Windows' lazy
 filesystem-cache writing policy.)
 ...

Strawberry Perl worked for me with 1.0.1e and previous versions, without 
needing any added workarounds. I don't use VC++ 2013, though I don't think the 
compiler is relevant to this problem.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Openssl 1.01f installs broken headers using VC++ 2013

[Jeremy Farrell]

 From: Robin Rowe [mailto:robin.r...@cinepaint.org]
 Sent: Wednesday, March 05, 2014 11:51 PM
 
 On 3/5/2014 2:36 PM, Jeremy Farrell wrote:
  Strawberry Perl worked for me with 1.0.1e and previous versions,
  without needing any added workarounds.
 
 Interesting, I used Strawberry, not ActiveState Perl, and got broken
 symlinks.

Strawberry version 5.12.3.0 is what worked for me, I guess versions
are likely to be relevant. I had used ActiveState to build OpenSSL
in the dim and distant past, but moved to Strawberry to avoid some
problem which I can't recall.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Unclear how to free 'data' allocated in ERR_get_error_line_data()

[Jeremy Farrell]

 From: Dr. Stephen Henson [mailto:st...@openssl.org]
 Sent: Tuesday, January 28, 2014 6:41 PM
 On Tue, Jan 28, 2014, Adam M wrote:
 
  Hi,
 
  I'm reading the documentation for ERR_get_error_line_data() here:
  http://www.openssl.org/docs/crypto/ERR_get_error.html
 
  The comments say that 'data' is dynamically allocated with
  OPENSSL_malloc() if the ERR_TXT_MALLOCED bit is set in 'flags'. I
  presume this means that we need to call OPENSSL_free() to free
 'data',
  but the documentation isn't clear on that.
 
  I'm running into two issues in this regard. For one, 'data' is a
 'const
  char*', but OPENSSL_free() takes a 'void*', so we get a type
 mismatch.
  See my sample code here, which includes the compiler error message:
  http://pastebin.com/VNdkwf0G
 
  The second issue is that I've been looking around on the web (in
  particular on Ohloh) for usage of ERR_get_error_line_data(), and no
 one
  seems to be checking for the ERR_TXT_MALLOCED bit in 'flags'. Maybe
  doing so isn't necessary, but the documentation seems to suggest that
 it
  is.
 
  Can someone please help clarify what exactly to do here?
 
 
 You can see and example of how it is used internally in the library in
 crypto/err/err_prn.c all you need to check is that ERR_TXT_STRING is
 set. The
 flag ERR_TXT_MALLOCED is an internal flag which indicates whether the
 string
 should be freed when the error queue is emptied: applications must not
 free the
 string themselves.
 
 Steve.

Surely ERR_get_error_line_data() passes ownership of the data to the caller, 
and removes it from the error queue? How would the library know to free it 
subsequently? I remember analyzing the source in some detail a while ago when I 
was wondering the same as Adam, and that's the conclusion I came to at least.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Unclear how to free 'data' allocated in ERR_get_error_line_data()

[Jeremy Farrell]

In C:

if ( data != NULLflags  ERR_TXT_STRING ) {

  PRINT(data);

  if ( flags  ERR_TXT_MALLOCED ) {
OPENSSL_free((void *)data);
  }
}

 From: Adam M [mailto:open...@irotas.net]
 Sent: Tuesday, January 28, 2014 5:47 PM
 To: openssl-users@openssl.org
 
 I'm reading the documentation for ERR_get_error_line_data() here:
 http://www.openssl.org/docs/crypto/ERR_get_error.html
 
 The comments say that 'data' is dynamically allocated with
 OPENSSL_malloc() if the ERR_TXT_MALLOCED bit is set in 'flags'. I
 presume this means that we need to call OPENSSL_free() to free 'data',
 but the documentation isn't clear on that.
 
 I'm running into two issues in this regard. For one, 'data' is a 'const
 char*', but OPENSSL_free() takes a 'void*', so we get a type mismatch.
 See my sample code here, which includes the compiler error message:
 http://pastebin.com/VNdkwf0G
 
 The second issue is that I've been looking around on the web (in
 particular on Ohloh) for usage of ERR_get_error_line_data(), and no one
 seems to be checking for the ERR_TXT_MALLOCED bit in 'flags'. Maybe
 doing so isn't necessary, but the documentation seems to suggest that
 it
 is.
 
 Can someone please help clarify what exactly to do here?
 
 Thanks,
 Adam
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Unclear how to free 'data' allocated in ERR_get_error_line_data()

[Jeremy Farrell]

 From: Dr. Stephen Henson [mailto:st...@openssl.org]
 Sent: Tuesday, January 28, 2014 10:19 PM
 To: openssl-users@openssl.org
 
 On Tue, Jan 28, 2014, Adam McLaurin wrote:
 
  I suspect this will result in a double free bug, as I don't think
 memory
  ownership of 'data' is actually passed back to the caller (which is
 why
  it's 'const char**'). The error isn't really 'popped' from the queue
 -
  the queue just gets some indexes adjusted but the structure itself
 seems
  unmodified by ERR_get_error_line_data(). What is still moderately
  unclear is exactly at what point the OpenSSL library goes in and
 cleans
  out the error queue. My guess (as I said in my previous email) is
 that
  the user should call ERR_clear_error() when the error queue becomes
  empty, to actually go through and clean out the internal structures.
  I'll let the OpenSSL experts clarify that, however. In any case, the
  documentation could definitely be improved in this regard.
 
 Yes the documention is rather old and could be clearer.
 
 I had to double check with the source to see what was happening. The
 functions
 that retrieve errors all end up calling get_error_values in
 crypto/err/err.c .
 
 Errors are stored in a per-thread circular buffer.
 
 In the case of ERR_get_error_line_data:
 
 If you don't retrieve the extra error data then it is freed
 immediately.
 
 Otherwise you get an internal pointer into the error queue (which is
 why it is
 const). The memory will be freed either when you clear the queue
 explicitly
 with ERR_clear_error() or a new entry is added which overwrites the
 internal
 extra data pointer.
 
 Additionally when thread cleanup is performed using
 ERR_remove_thread_state()
 the whole table for that thread is freed which includes any extra error
 data
 which hasn't been already freed.

Ugh. Thanks for checking Steve, that's rather different from the
understanding I'd built up. I suggest a quick fix to improve the
documentation would be simply to delete the sentence If it has been
allocated by OPENSSL_malloc(), *flagsERR_TXT_MALLOCED is true.
At the moment, that appears to be giving a hint that the caller must
free it, whereas it's actually an internal detail of no use to the
caller and rather dangerous for him to know.

If I remember correctly, few (if any) bits of code malloc the string
at the moment, so it's not currently a big issue in practice.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Unclear how to free 'data' allocated in ERR_get_error_line_data()

[Jeremy Farrell]

 From: Dr. Stephen Henson [mailto:st...@openssl.org]
 Sent: Wednesday, January 29, 2014 12:50 AM
 To: openssl-users@openssl.org
 
 On Tue, Jan 28, 2014, Jeremy Farrell wrote:
 
 
  Ugh. Thanks for checking Steve, that's rather different from the
  understanding I'd built up. I suggest a quick fix to improve the
  documentation would be simply to delete the sentence If it has been
  allocated by OPENSSL_malloc(), *flagsERR_TXT_MALLOCED is true.
  At the moment, that appears to be giving a hint that the caller must
  free it, whereas it's actually an internal detail of no use to the
  caller and rather dangerous for him to know.
 
  If I remember correctly, few (if any) bits of code malloc the string
  at the moment, so it's not currently a big issue in practice.
 
 Actually just about everything mallocs the extra data string. It is
 almost
 exclusively used used when additional data is added to an error code.
 
 The code in question is ERR_add_error_data which calls
 ERR_add_error_vdata
 which concatenates strings into a OPENSSL_malloc'ed buffer and then
 sets it
 using ERR_set_error_data which includes ERR_TXT_MALLOCED.
 
 Steve.

Man, my memory's getting worse than a ... a ... what d'you call it.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Unclear how to free 'data' allocated in ERR_get_error_line_data()

[Jeremy Farrell]

 From: Jeremy Farrell
 Sent: Wednesday, January 29, 2014 1:39 AM
 
  From: Dr. Stephen Henson [mailto:st...@openssl.org]
  Sent: Wednesday, January 29, 2014 12:50 AM
  To: openssl-users@openssl.org
 
  On Tue, Jan 28, 2014, Jeremy Farrell wrote:
 
  
   Ugh. Thanks for checking Steve, that's rather different from the
   understanding I'd built up. I suggest a quick fix to improve the
   documentation would be simply to delete the sentence If it has
 been
   allocated by OPENSSL_malloc(), *flagsERR_TXT_MALLOCED is true.
   At the moment, that appears to be giving a hint that the caller
 must
   free it, whereas it's actually an internal detail of no use to the
   caller and rather dangerous for him to know.
  
   If I remember correctly, few (if any) bits of code malloc the
 string
   at the moment, so it's not currently a big issue in practice.
 
  Actually just about everything mallocs the extra data string. It is
  almost
  exclusively used used when additional data is added to an error code.
 
  The code in question is ERR_add_error_data which calls
  ERR_add_error_vdata
  which concatenates strings into a OPENSSL_malloc'ed buffer and then
  sets it
  using ERR_set_error_data which includes ERR_TXT_MALLOCED.
 
  Steve.
 
 Man, my memory's getting worse than a ... a ... what d'you call it.

And thanks for the quick doc fixes Steve, should prevent others making
my mistake.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Unclear how to free 'data' allocated in ERR_get_error_line_data()

[Jeremy Farrell]

 From: Adam M [mailto:open...@irotas.net]
 Sent: Wednesday, January 29, 2014 2:56 AM
 
 On Tue, Jan 28, 2014, at 05:18 PM, Dr. Stephen Henson wrote:
 
  Yes the documention is rather old and could be clearer.
 
  I had to double check with the source to see what was happening.
  ...
 
 Thanks, this makes it 100% clear what needs to be done here. I have to
 wonder though how many double-free bugs exist out there in the wild due
 to the misleading documentation.

Well I've stamped on one just before it escaped, thanks for raising
this. Having looked at the code now, it's nothing like what I remember;
I suspect I'm confused by some other how is this API meant to work
search. Perhaps I just got my bad understanding from the doc.

 In any case, thanks for updating the online docs so quickly!

Indeed, very clear now.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: How to shut down or terminate openSSL server other than ctrl-c.

[Jeremy Farrell]

In what way is the s_server documentation page for the openssl s_client?

 

You can exit s_server by sending it a command over a connection from any 
client, as described in the s_server documentation section which Dave linked to 
below; or you can use any ordinary local method to kill the s_server process 
(such as hitting control-c in common configurations on many OSes).

 

What problem are you trying to solve? Why would typing Shift-Q on the keyboard 
be acceptable when typing Ctrl-C isn't?

 

 

From: Sri Ramya [mailto:ramya.1...@gmail.com] 
Sent: Sunday, December 08, 2013 2:21 PM
To: openssl-users@openssl.org
Subject: Re: How to shut down or terminate openSSL server other than ctrl-c.

 

Thanks for your reply.

What ever u sent is for the openssl s_client.

I need commands to stop the openssl s_server other than ctrl+c

 

On Sat, Dec 7, 2013 at 5:42 AM, Dave Thompson HYPERLINK 
mailto:dthomp...@prinpay.com; \ndthomp...@prinpay.com wrote:

Assuming you mean the commandline server 'openssl s_server' 

(there are lots of other things that could be described as 'openssl server'):

 

man s_server or 
http://www.openssl.org/docs/apps/s_server.html#CONNECTED_COMMANDS

except just now when I tried to confirm I got flaky DNS results so if necessary 
use 185.9.166.106 .

 

Although I notice that the manpage says 'neither -www nor -WWW' but the code 
also disables 

this logic if -quiet (apparently because this is considered 'session' output?).

 

 

From: HYPERLINK mailto:owner-openssl-us...@openssl.org; 
\nowner-openssl-us...@openssl.org [mailto:HYPERLINK 
mailto:owner-openssl-us...@openssl.org; \nowner-openssl-us...@openssl.org] On 
Behalf Of Sri Ramya
Sent: Friday, December 06, 2013 03:45
To: HYPERLINK mailto:openssl-users@openssl.org; \nopenssl-us...@openssl.org
Subject: *** Spam *** How to shut down or terminate openSSL server other than 
ctrl-c.

 

hi all,

How can i stop running opesSSL server with out pressing ctrl-c.

Is there a way to terminate it like the way we did for openSSL client preeing 
Q.

Please help me in this regards.



Thank you

 

RE: Thread safe callbacks never actually called

[Jeremy Farrell]

A crash in crypto_free most likely means that some code outside the OpenSSL 
library has corrupted the heap, perhaps by freeing an area more than once or 
simply scribbling over its control data. One of the usual memory allocation 
debugging tools should be able to help you pin down the guilty party.

Regards,
   jjf


 From: Ludwig O'Hallorans [mailto:lohallor...@magaya.com]
 Sent: Thursday, August 15, 2013 7:45 PM
 
 I don't mean the type, I mean the data
 And not, I di mutythread in C++ for a while now, and work fine by the
 way
 This is the first time I use OpenSSL though.
 
 Any way in my case It shpuldn't be the same data because each time the
 dll is call, it should have a different set of data, and how can you
 explain the crash in crypto_free?
 For what I read this was something that shoild be patched for a while
 already.
 
 Regards,
 
 
 
 Ludwig O'Hallorans
 Software Developer
 
 Phone 1.786.454.8472
 Fax 1.786.363.1784
 email: lohallor...@magaya.com
 
 www.magaya.com
 
 This email message and any files transmitted with it are confidential
 and intended solely for the use of the individual or entity to whom
 they are addressed. If you have received this email in error, please
 notify the sender via returned email. Please note that any views or
 opinions expressed in this email are solely those of the author and do
 not necessarily represent those of the company. Although Magaya
 Corporation operates anti-virus programs, it does not accept
 responsibility for any damage whatsoever that is caused by viruses
 being passed. Please consider the environment before printing this
 email.
 
 
 -Original Message-
 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
 us...@openssl.org] On Behalf Of Salz, Rich
 Sent: Thursday, August 15, 2013 2:39 PM
 
  There should be a way.
 
 There isn't.
 
  There are syncronization method to keep the same structure used by
 many threads at the same time, and ussually this is transaparent to
 developers.
 
 Are you new to multi-threaded C programming?
 
 
 --
 Principal Security Engineer
 Akamai Technology
 Cambridge, MA
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: How do I mount a NAS device?

[Jeremy Farrell]

I guess you sent this to the wrong list ...

Regards,
   jjf

 -Original Message-
 From: Ted Byers [mailto:r.ted.by...@gmail.com]
 Sent: Thursday, August 08, 2013 7:29 PM
 To: openssl-users@openssl.org
 Subject: How do I mount a NAS device?
 
 I obtained a NAS, with a view toward running MySQL on a sever running
 MS Small Business Server 2003 (yes, I know, it is old, but I don't
 have authority to upgrade it or wipe it and install Linux on it).
 Anyway, the latest version of MySQL will not run on that machine.
 Therefore, I intend to run MySQL on the latest Suse (12.3) on a much
 newer server that I have almost fixed (this machine will have a 256 GB
 SSD).  So, unless I can mount the NAS in such a way that MySQL on Suse
 can find it, the 4 TB NAS goes to waste (even though all machines on
 my LAN can see it and browse to it, which is fine if I only want to
 use Windows Explorer, or it's Linux equivalents, to copy files to it -
 but even on Windows, MySQL doesn't seem to see it unless I have mapped
 a specific MAS folder to a local drive letter, so I assume something
 similar is true on Linux).  Hence my question.
 
 NB: I am a programmer, not a system administrator, so I am at a loss
 as to how to do this.
 NB: I did a Google search, which resulted in a very poor signal to
 noise ratio, but ended up confused by the different instructions given
 for the different distributions.  And, worse, a lot of the pages I
 found were as old as that ancient SBS machine I can't use for this
 purpose.  Obviously, things have changes a lot since then.
 
 So, then, how do I do this on the latest Suse releases (12.x)?
 
 Thanks
 
 Ted
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Openssl update

[Jeremy Farrell]

Read the file called README.

 

Regards,

   jjf

 

From: Harris, Steve D [mailto:steved.har...@fda.hhs.gov] 
Sent: Tuesday, July 09, 2013 3:26 PM
To: openssl-users@openssl.org
Subject: Openssl update

 

How do you install openssl on AIX

 

I have downloaded the latest 

I have unzip the file

And tar command 

I have a directory with the data

What do I do next

 

Steve

RE: using openssl API in commercial apps

[Jeremy Farrell]

Have you tried googling for 'openssl license' or reading the second paragraph 
of the OpenSSL home page on the web?

 

Regards,

  jjf

 

From: LN [mailto:lnicu...@yahoo.com] 
Sent: Monday, June 10, 2013 3:25 PM
To: openssl-users@openssl.org
Subject: using openssl API in commercial apps

 

Hi,

 

Is it allowed to use the OpenSSL API in commercial applications ? What license 
governs the OpenSSL library ?

 

Thanks!

RE: SSL_read() seems to close my connection

[Jeremy Farrell]

I've not been through your code properly, but this line grabbed my eye as I 
skimmed over it:

  len = SSL_read(ctx-ssl, buffer + buf_offset, sizeof(BUFFER_SIZE) -
 buf_offset);

You don't show the definition of BUFFER_SIZE anywhere, but sizeof(BUFFER_SIZE) 
is likely to be 4 or 8 or similar; are you sure that's what you mean?

Regards,
 jjf

 From: Mario [mailto:m...@kernelobjects.org]
 
 I have an issue with a try of my implementation of a secure
 communication software.
 
 I´m compiling everything on Debian 6.0.7 (openssl 0.9.8o-4squeeze14 and
 its dev package).
 
 For the application I´m dealing with non-blocking IO for the socket. I
 can communicate a few bytes between server and client. However when my
 server answers too much, the conneciton will be closed for both sides
 when I try to read (SSL_read() returns 0 and the SSL-Error is 5 but the
 systems errno is 0 all the time). The last SSL_write will always return
 the amount of bytes I have to send, but ins this setup only 4 Bytes are
 transmitted to the client. I case I send more than those 4 Bytes the
 connection will be closed as described.
 
 Here is my SSL relevant code of my server part:
 --- SNIP
 /* setup our crypto environment */
 SSL_load_error_strings();
 SSL_library_init();
 OpenSSL_add_all_ciphers();
 if((ctx-ssl_ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) {
tproxy_error_die(unable to initialize SSLv3 methods, 1);
 }
 SSL_CTX_set_options(ctx-ssl_ctx, SSL_OP_ALL);
 SSL_CTX_set_timeout(ctx-ssl_ctx, 300);
 if(!SSL_CTX_use_certificate_chain_file(ctx-ssl_ctx, ctx-cert_bundle))
 {
tproxy_error_die(unable to read certificate bundle file, 1);
 }
 if(strlen(ctx-key_file_pw)) {
SSL_CTX_set_default_passwd_cb(ctx-ssl_ctx,
 private_key_pass_callback);
SSL_CTX_set_default_passwd_cb_userdata(ctx-ssl_ctx, (void *)ctx);
 }
 if(!SSL_CTX_use_RSAPrivateKey_file(ctx-ssl_ctx, ctx-key_file,
 SSL_FILETYPE_PEM)) {
tproxy_error_die(unable to read key file, 1);
 }
 SSL_CTX_set_verify(ctx-ssl_ctx, SSL_VERIFY_NONE, NULL);
 SSL_CTX_set_info_callback(ctx-ssl_ctx, apps_ssl_info_callback);
 [...]
 con-sock = accept(ctx-socket[i], (struct sockaddr *)in_socket,
 s_size);
 /* make the accepted socket non-blocking */
 if(ioctl(con-sock, FIONBIO, (char *)enable)  0) {
tproxy_error_die(cannot set socket flags, 1);
 }
 /* create a new SSL context to handle the connection with the peer */
 con-ssl = SSL_new(ctx-ssl_ctx);
 SSL_set_mode(con-ssl, SSL_MODE_AUTO_RETRY |
 SSL_MODE_ENABLE_PARTIAL_WRITE);
 
 /* complete ssl connection */
 con-sbio = BIO_new_socket(con-sock, BIO_NOCLOSE);
 SSL_set_bio(con-ssl, con-sbio, con-sbio);
 /* set chipher */
 if (SSL_set_cipher_list(con-ssl,AES128-SHA) = 0) {
tproxy_error_die(unable to set chipher, 1);
 }
 /* do not require a valid client certificate */
 SSL_set_verify(con-ssl, SSL_VERIFY_NONE, NULL);
 add_connection(ctx, con);
 [...]
 
 /* later in the connection worker thread */
 
 [...]
 while(cur) {
 switch(cur-state) {
 case CSTATE_SSL_HANDSHAKE:
/* wait for the client to accept */
if(1 != SSL_accept(cur-ssl)) {
  if(SSL_get_error(cur-ssl, -1) != SSL_ERROR_WANT_READ 
 SSL_get_error(cur-ssl, -1) != SSL_ERROR_WANT_WRITE) {
/* an SSL error occured */
cur-state = CSTATE_TERMINATING;
  }
} else {
  cur-state = CSTATE_T_SETUP;
}
break;
 case CSTATE_T_SETUP:
len = SSL_read(cur-ssl, cur-data + cur-data_offset,
 TPROXY_BUFFER_SIZE - cur-data_offset);
if(len  0) {
  cur-data_offset += len;
} else if(len == 0){
  cur-state = CSTATE_TERMINATING;
} else {
  if(SSL_get_error(cur-ssl, -1) != SSL_ERROR_WANT_READ 
 SSL_get_error(cur-ssl, -1) != SSL_ERROR_WANT_WRITE) {
cur-state = CSTATE_TERMINATING;
  } else {
if(cur-data_offset) {
  [... do something with the data for application handshake...]
  }
}
break;
 case CSTATE_CONNECTED:
if(SSL_want(cur-ssl) == SSL_NOTHING) {
  [...] check if something is in the pipe to send [...]
  if(proto_data-len != SSL_write(cur-ssl, proto_data,
 proto_data-len)) {
[...handle the partial send (never notices)...]
  }
}
len = SSL_read(cur-ssl, cur-data + cur-data_offset,
 TPROXY_BUFFER_SIZE - cur-data_offset);
if(len  0) {
  cur-data_offset += len;
} else if(len == 0){
  [...here is the actual error I´m talking about...]
} else {
  if(SSL_get_error(cur-ssl, -1) != SSL_ERROR_WANT_READ 
 SSL_get_error(cur-ssl, -1) != SSL_ERROR_WANT_WRITE) {
cur-state = CSTATE_TERMINATING;
  } else {
if(cur-data_offset) {
  [... do something with the data for application ...]
  }
}
break;
 [...]
 SNIP
 
 I guess there was nothing special about it. The client is almost equal
 - except that it do not handle multiple connections in a structure
 (cur)
 as it only has one ssl connection a time to the server:
 
 SNIP
/* setup ssl stuff */
SSL_load_error_strings();
 

RE: Question regarding openssl program to compute the hashes and finger-prints.

[Jeremy Farrell]

Jakob Bohm gave a complete answer a few hours after your original question, see 
http://openssl.6102.n7.nabble.com/Question-regarding-openssl-program-to-compute-the-hashes-and-finger-prints-tt45095.html#none

 

 

From: Khadija Amin (khamin) [mailto:kha...@cisco.com] 
Sent: Monday, May 20, 2013 9:42 PM
To: openssl-users@openssl.org
Subject: Re: Question regarding openssl program to compute the hashes and 
finger-prints.

 

 

Re-trying..

From: Microsoft Office User HYPERLINK 
mailto:kha...@cisco.comkha...@cisco.com
Date: Mon, 13 May 2013 23:34:56 -0700
To: HYPERLINK mailto:openssl-users@openssl.orgopenssl-users@openssl.org
Subject: Question regarding openssl program to compute the hashes and 
finger-prints.

 

Hello All ,

 

I have a question regarding c_rehash utility used to  create symbolic links to 
files named by the hash values.

I understand that c_rehash calls openssl to compute the hash by invoking the 
following command : 

 

$OPENSSL x509 -hash -fingerprint -noout -in $file

 

What I noticed, recent openssl versions(1.0) are producing hash that is 
different from the earlier openssl versions (0.9.8u). Has the hash algorithm 
that the above command uses has changed ? (for e.g : from md5 to sha1??). Is it 
possible to specify the hash algorithm explictly in the above command so that I 
can have both versions of openssl create the same .0 file ?

 

Any pointers are greatly appreciated as this is affecting back compatibility of 
my application.

 

Thank you.

Khadija

RE: Build error with 1.0.1e on Win64 with VC++ 2010 and nasm

[Jeremy Farrell]

It might be better if you specify how you set up your environment, what 
versions of perl and nasm you used, and what sequence of commands you used.

I usually do a cut-down static build in an environment based on the Windows 
Driver Kit, and I've built 1.0.1e using nasm without problems. I just tried a 
default DLL build in the same environment; it assembled x86_64-gf2m.asm and 
built libeay32.dll with no issues; it failed on its way to the other DLL for 
reasons which I think are caused by my peculiar build environment.

The Shining Light distribution says it is a default build, makes no mention of 
having had to disable assembler. They don't give a lot of details of the build 
process, but I'd have thought disabling assembler would get a mention. I'm sure 
an x64 assembler DLL build is possible with the right tools.

 From: Phillip Hellewell [mailto:ssh...@gmail.com]
 Sent: Tuesday, May 21, 2013 1:04 AM
 
 On Mon, May 20, 2013 at 1:12 PM, Phillip Hellewell ssh...@gmail.com
 wrote:
  Should I try to patch it myself?
 
 FYI, the linker error is occurring because nasm is failing with a ton
 of errors on x86_64-g2m.asm, I think maybe because it is creating the
 wrong type of asm.
 
 So I tried masm instead, and it is working sometimes, but sometimes I
 get this:
 tmp32dll\x86_64-gf2m.asm(1) : error A2088:END directive required at end
 of file
 
 Assuming I can get past that, the conclusion is that I have to use
 masm for 64-bit and nasm for 32-bit.  And since do_win64a.bat and
 other spots are set up to just use nasm automatically when available,
 I have to play a silly game in my build script where I hide nasm.exe
 from my path while building 64-bit, then put it back in my path while
 building 32-bit.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: BN_new/BN_init/BN_free

[Jeremy Farrell]

 From: Tom marchand [mailto:tpmarch...@gmail.com]
 Sent: Friday, May 03, 2013 2:55 AM
 
 I am using the following code to create a temporary BIGNUM  to hold
 the result of multiplication:
 
 BIGNUM*Res;
 
 while(!Done)
 {
   Res=BN_new();
   BN_init(Res);
 
   BN_mul(Res,A,B,Ctx);
 
   BN_free();
 
 }
 
 This code works with the exception that BN_free() is not releasing the
 memory allocated to Res.  I already have a workaround but I am
 wondering why the memory isn't being released. In production the code
 runs for hours and is causing a significant memory leak.  I am I
 misusing BN_new and BN_free? The code is running on OSX 10.5.8,
 Openssl 0.9.7l.  I get the same result with OpenSSL 1.0.1e.

BN_free(Res);  ???
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

1.0.1d

[Jeremy Farrell]

Thanks for the new release, and all the ongoing work.

How does the release relate to the source under git as viewed through 
http://git.openssl.org/gitweb/ ? I don't see any mention of 1.0.1d in there, 
and the latest change in 1_0_1-stable was 13 days ago.

Is the web view of the repository lagging behind, or is the real source tree 
currently elsewhere? Can we assume that all changes in 1_0_1-stable in git as 
of 13 days ago are present in the 1.0.1d release?

A minor point (something I assume hasn't been got to yet) the ChangeLog at 
http://www.openssl.org/news/changelog.html is out of date, doesn't mention all 
the 1.0.1d changes mentioned in the tarball's CHANGES.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Ciphers: disabling

[Jeremy Farrell]

 From: Serhiy Ivanov [mailto:serhiy.i.iva...@globallogic.com]
 Sent: Wednesday, January 09, 2013 12:03 PM
 
 Tried to turn off one cipher via:
 #!/bin/bash
 make clean  ./config -no-CAMELLIA-128-CBC  make depend  make
 
 But still cannot turn it off (as i see output of openssl
 list-cipher-algorithms or even
 ./apps/openssl list-cipher-algorithms for new compiled client). I
 don't see way to really turn off ciphers. Hoew to turn them off

Follow the style specified in the INSTALL file - -no-camellia should disable 
all Camellia ciphers. I'm not aware of any easy way to disable individual 
cipher suites at library build time.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Openssl crypto-only (? libcrypto) (visual studio?)

[Jeremy Farrell]

 From: Nou Dadoun [mailto:ndad...@teradici.com]
 Sent: Tuesday, December 04, 2012 5:50 PM
 
 How about a simpler question, I've found a Stack Overflow article which
 mentions
 no-sock   -DOPENSSL_NO_SOCK No socket code.
 
 as a build option to exclude socket code and even has an example! I'd
 like a build option which excludes assembler code as well (to allow for
 cross-compilation), anyone know what that might be?  Or even better, a
 list of config options that I can use to tailor my build?
 
 This seems like basic information that should be in a man page or
 readme file somewhere, is it?

Did you miss all the discussion of building without assembler code in the 
installation and build instructions which come with the source?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: masm support in latest 1.x release?

[Jeremy Farrell]

 From: Pierre Joye [mailto:pierre@gmail.com]
 Sent: Monday, December 03, 2012 9:22 AM
 
 While upgrading openssl to 1.x serie, I noticed that ms\do_masm.bat is
 not present anymore.
 
 Running:
 
 perl Configure --openssldir=C:/phpbuild/apps_install/ VC-WIN32 enable-
 camillia
 
 forces nasm in the makefile:
 
 52: ASM=nasm -f win32
 
 Is it on purpose or is ml still supported?

I recommend reading the build and installation documentation before attempting 
to build and install new versions. INSTALL.W32 says:

- Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/
  is required if you intend to utilize assembler modules. Note that NASM
  is now the only supported assembler.
...
 If you want to compile in the assembly language routines with Visual
 C++, then you will need already mentioned Netwide Assembler binary,
 nasmw.exe or nasm.exe, to be available on your %PATH%.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: EVP Padding size

[Jeremy Farrell]

 From: coderl [mailto:forumme5...@subdomain10.info]
 Sent: Wednesday, November 21, 2012 2:34 PM
 
 So how do I fix this?
 --
 View this message in context: http://openssl.6102.n7.nabble.com/EVP-
 Padding-size-tp42413p42447.html

You change whatever you're doing wrong and do it right instead.

As always, if you were to present the minimal subset of your code showing 
exactly what you are doing someone might be able to help you find what you are 
doing wrong - or perhaps even to nail a bug in OpenSSL and advise on a fix or 
workaround.

You'd likely benefit from absorbing 
http://www.catb.org/~esr/faqs/smart-questions.html

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: linking error

[Jeremy Farrell]

 From: Priyaranjan Nayak [mailto:priyaranjan4...@gmail.com] 
 Sent: Thursday, November 22, 2012 2:36 PM

 While build the tls server I got this link error.Below I mentioned bild log .
 Can any one help me ?

 Linking console executable: bin/Debug/dtlsServer
 ../openssl-1.0.1c/libssl.a(ssl_algs.o): In function `SSL_library_init':
 ssl_algs.c:(.text+0x1e): undefined reference to `EVP_idea_cbc'
 ...

At a guess, you're not linking against libcrypto.a. If you are linking against 
libcrypto.a, then some versions of some linkers on some OSes are fussy about 
the order of libraries in the link command, and you'd need to make sure that 
libcrypto.a is listed after libssl.a.

If neither of those do it, then provide some basic information - what OS are 
you building on, what compiler and linker are you using, and what exactly is 
the linker command line you are running?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: thread-safety questions on 1.0.1c

[Jeremy Farrell]

 From: Thomas Eckert [mailto:thomas.eck...@sophos.com]
 Sent: Tuesday, November 20, 2012 9:44 AM
 
 I am seeing lots of errors whose error message reads
   S server_ip: 2851965808:error:14092105:SSL
 routines:SSL3_GET_SERVER_HELLO:wrong cipher returned:s3_clnt.c:963:
 if I run it in at least several (8+) threads. Single threaded it's all
 doing fine, so I guess the kind of issue is obvious.
 
 I assumed this was related to my code initiating OpenSSL thread-safety
 with deprecated calls, e.g.
  CRYPTO_set_locking_callback(ssl_lock);
  CRYPTO_set_id_callback(ssl_get_thread_id);
 where ssl_lock() simply uses glib mutexes to do the locking and
 ssl_get_thread_id() uses pthread_self() to return the thread's id.
 These
 have worked perfectly in the past for a long time so I didn't expect
 them to be the source of the problem. Anyway, since the docs at
 http://www.openssl.org/docs/crypto/threads.html advise to use the new
 calls with any version = 1.0.0 I replaced
  CRYPTO_set_locking_callback(ssl_lock);
 with
  CRYPTO_THREADID_set_callback(threadid_func));
 where threadid_func is just
  CRYPTO_THREADID_set_numeric(id, pthread_self());

That threads man page got updated as part of these changes, which was a great 
idea, but unfortunately it got mangled in the process. In particular, while it 
talks in detail about locking and thread ID callbacks it apparently no longer 
gives any clue how to actually set the locking callback. It also now contains a 
lot of stuff which appears to be internal implementation detail and APIs which 
are private to the library, getting in the way of finding the required 
information for the external APIs (the most important bit of which is no longer 
there, or it's ended up so well hidden that I can't find it at least).

My understanding is that you still need to call CRYPTO_set_locking_callback() 
to register your locking function, as before. Without that you have no locking, 
leading to what you're seeing.

What's really changed is the thread ID mechanism. The biggest change for people 
working on normal OSes (such as Windows, and UNIX and other POSIXy things) is 
that you no longer need thread ID callbacks at all. If your OS is Windows, or 
if errno has a different address in each thread, then the built-in thread ID 
mechanism is all you need.

My code runs only on such server OSes, and my change when moving up to 1.0.0 
and later was simply to remove my dodgy thread ID callback function and the 
call to CRYPTO_set_id_callback(). All the standard and dynamic locking stuff 
stays the same.

I can't say for certain that this is correct, and I've only just made the 
change and haven't yet tested it thoroughly, but it's my understanding after 
some thinking and digging.

Not that this explains why you started seeing the problem when you still had 
your original locking callback in place, that is worrying ...

Regards,
 jjf


 and also added the dynamic locking functions. Before, though, I checked
 the OpenSSL sources and I got the feeling those dynamic locks would
 only
 rarely (if at all) get get called. So far, my dynamic locks have not
 been called once by OpenSSL - confirming this here
 http://fixunix.com/openssl/359957-re-clarification-questions-openssl-
 thread-safe-support.html
 
 In my application, there is only one global context and it is used to
 set up all SSL sessions. To be able to do so, it is modified heavily
 (read: for every connection) prior to calling SSL_new(ssl_ctx). This
 may
 include setting the ciphers, the certificates, SNI, etc., depending on
 the situation and the needs for that connection. Since I couldn't find
 a
 locking callback inside the SSL_CTX, the whole code is protected by a
 mutex on my end so I am fairly sure concurrent access on the SSL_CTX in
 my code is not the problem. But maybe after calling SSL_new(ssl_ctx)
 there's some magic going on behind the doors which accesses the context
 again ? Of course, such access would no longer be safe and would need
 to
 be controlled (how?).
 
 As a side note: Am I correct in assuming the 'old'
 CRYPTO_set_locking_callback() function did not get a replacement, as
 did
 CRYPTO_set_id_callback() ? I couldn't find any such replacement in the
 sources and I suppose that's one of the places where the dyn locks are
 supposed to come in, in future versions.
 
 Anyone got an idea on how to procede ?
 
 Regards,
   Thomas
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Need input for Certificate generation

[Jeremy Farrell]

 From: Jeffrey Walton [mailto:noloa...@gmail.com]
 
 On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com
 wrote:
 ...
  #define SEED_SIZE 128
 ...
  //RAND_seed(buf, SEED_SIZE);
  RAND_add(buf, SEED_SIZE, (20/100) * SEED_SIZE);
 
k = RAND_status();
 
  }
 I'm not sure 20% effective entropy is a good estimate here. If its
 coming from the OS, its likely higher. If its coming from an Entrop
 Key or other hardware device, I would estimate it nearly 100% (if not
 100%)
 
 Plus, there may be a bug there. Perform a cast to a double before the
 divide:
 ((double)20/100) * SEED_SIZE

Good catch, definitely a bug - '(20/100) * SEED_SIZE' is just a long-winded way 
of saying '0'.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: How can I pass data to a running instance of OpenSSL CLI on Windows within a batch file?

[Jeremy Farrell]

If you start openssl.exe, that's the mode it's in by default - waiting for 
commands from stdin, writing the output from those commands to stdout. Isn't 
that what you're looking for?

 

If you're looking for advice on the programming details of attaching to its 
stdin and stdout and sending/receiving that data from another program, you'd 
probably be better asking on a general Windows programming list where there'll 
be more people with that sort of expertise.

 

Regards,

  jjf

 

From: Funnell, Leon [mailto:leon.funn...@catlin.com] 
Sent: Monday, October 22, 2012 10:52 AM
To: openssl-users@openssl.org
Subject: How can I pass data to a running instance of OpenSSL CLI on Windows 
within a batch file?

 

We have Windows application which passes data to OpenSSL.exe to encrypt as a 
Windows command, then scrapes the encrypted data back from the output.  The 
Windows app can call external Windows commands but we cannot call APIs or 
extend the functionality programmatically.   Functionally it works, but it 
doesn't scale as each time you call OpenSSL.exe it takes about a second and 
spikes the CPU.  The application we are using is required to process 6000 
records every hour.  

 

I have two tests set up:

1.   A batch file which runs 6000 times, repeatedly running the following 
command:

Openssl.exe aes-256-cbc -a -e -k eiccmkjd94jfgniw03ljkdlfutcnv320 -in test.txt

 

2.   A text file with the following line repeated 6000 times, which I paste 
into the OpenSSL CLI:

aes-256-cbc -a -e -k eiccmkjd94jfgniw03ljkdlfutcnv320 -in test.txt

 

When I use the batch file which invokes OpenSSL.exe 6000 times, it takes 
several hours to complete and spikes the CPU significantly.  It seems to be the 
initialisation of the OpenSSL.exe program rather than the encryption however, 
as if I paste in the text file to the OpenSSL.exe CLI it completes in several 
seconds and takes very little CPU.

 

What I need is a way of running OpenSSL.exe as a process which I can pass 
parameters to on STDIN, and output parameters to STDOUT.  I would like to be 
able to call another batch file or program with the unencrypted data as the 
input parameter which would then pass this to the running service, retrieve 
the  encrypted data result from this service and pass it as the output.

 

Can anyone enlighten me on a potential solution for this?

 

Thanks and Regards,

 

Leon Funnell



This e-mail is confidential and intended solely for the use of the 
individual(s) to whom it is addressed. If you are not the intended recipient, 
be advised that you have received this e-mail in error and that any use, 
dissemination, forwarding, printing, copying of, or any action taken in 
reliance upon it, is strictly prohibited and may be illegal.

Catlin Underwriting Agencies Limited and Catlin Insurance Company (UK) Ltd. are 
authorised and regulated by the Financial Services Authority.

The registered office of Catlin Underwriting Agencies Limited (incorporated and 
registered in England and Wales with company number 1815126) and Catlin 
Insurance Company (UK) Ltd. (incorporated and registered in England and Wales 
with company number 5328622) is 20 Gracechurch Street, London, EC3V 0BG.

Catlin Risk Solutions Limited is an Appointed Representative of Catlin 
Underwriting Agencies Limited.

RE: win32 exe linked with -lssl -lcrypt

[Jeremy Farrell]

 From: ml [mailto:m...@smtp.fakessh.eu]
 Sent: Sunday, October 14, 2012 11:33 PM

 Le dimanche 14 octobre 2012 à 18:10 -0400, Dave Thompson a écrit :
   From: owner-openssl-us...@openssl.org On Behalf Of ml
   Sent: Sunday, 14 October, 2012 17:54
 
   i am a little question concerning the presence of libssl.dll
   libcrypt.dll into the win32 standard system or OS
  
   into linux this lib are very standard
   its the same when are the poor win32 OS  is ready
 
  OpenSSL is not provided with (any version of) Windows.
 
  Convenient Windows-style installers for current default builds
  are available from http://slproweb.com/products/Win32OpenSSL.html
  or you can build from source if you want.
 
  For historical reasons, the default library names on Windows
  are libeay32 and ssleay32 instead of libcrypt and libssl.
 
 donc microsoft and openssl are not welcome
  and what are the chances of finding the system openssl
 I understand that- -lssl -lcrypt and must be installed but what are the
 chances of finding already installed on a system can be normal
 
 any percentage of chance for common systeme

Approximately zero.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL running on Windows XP/2003/7

[Jeremy Farrell]

What methods did you try? Googling for

 

openssl windows

 

brings up a variety of information and download pages as the first six hits, 
all of them directly relevant to what you want.

 

Regards,

  jjf

 

From: engineermike [mailto:engineerm...@mindspring.com] 
Sent: Friday, October 05, 2012 2:37 PM
To: openssl-users@openssl.org
Subject: OpenSSL running on Windows XP/2003/7

 

Hello,

  I've been asked to create a certificate following a video that was made with 
step by step instructions.  The video is using OpenSSL on a windows machine.  I 
can't seem to locate the program for a windows machine.  Can someone send me a 
link to the version of the program that will run on Windows?

Thanks in advance

Mike

RE: facing problem in installation of openssl-0.9.7d

[Jeremy Farrell]

You're probably using a much more recent version of the tool-chain, headers, 
and libraries than that version of OpenSSL was developed with - it was released 
nine or so years ago. One way would be to get hold of tools and headers which 
were in use back then. Another is to go through the sources and makefiles to 
port them to work with current tool-chains - perhaps looking at the 
configuration and make files from a recent OpenSSL release would help.

 

Regards,

 jjf

 

From: Ahmad [mailto:ahmadrath...@gmail.com] 
Sent: Wednesday, September 26, 2012 7:46 AM
To: openssl-users@openssl.org
Subject: facing problem in installation of openssl-0.9.7d

 

I am having some error when i try to install openssl-0.9.7d.
from the VC++ environment at a prompt  when i run this command

  nmake -f ms\ntdll.mak

I get following errors 

1 file(s) copied.
cl /Fotmp32dll\cryptlib.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2
/Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDI
AN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_
NO_KRB5 -D_WINDLL  -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\cryptlib.c
cl : Command line warning D9002 : ignoring unknown option '/G5'
cryptlib.c
C:\Program Files\Microsoft Visual Studio 10.0\VC\INCLUDE\errno.h(92) : error C22
20: warning treated as error - no 'object' file generated
C:\Program Files\Microsoft Visual Studio 10.0\VC\INCLUDE\errno.h(92) : warning C
4005: 'EADDRINUSE' : macro redefinition
tmp32dll\e_os.h(156) : see previous definition of 'EADDRINUSE'
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 10.0\VC\BI
N\cl.EXE' : return code '0x2'
Stop.


How can these errors be solved ? Please help in this issue.

Regards,

-- 
Ahmad

RE: crash when calling ERR_print_errors_fp()

[Jeremy Farrell]

Your message suggests to me that you are calling the API and expecting it to 
cause subsequent errors to be written to the FILE. It doesn't work like that; 
the messages won't be written to the file during the handshake. The API writes 
out any messages which are queued up in the internal message buffers. You need 
to call the API after the handshake failure to dump out the errors which have 
been buffered internally.

 

Regards,

  jjf

 

From: Mithun Kumar [mailto:mithunsi...@gmail.com] 
Sent: Thursday, September 06, 2012 9:29 PM
To: openssl-users@openssl.org; openssl-...@openssl.org
Subject: crash when calling ERR_print_errors_fp()

 

Hello All,

When i give file pointer as input to API(ERR_print_errors_fp()) nothing is 
getting written to the FILE during a SSL handshake failure. Any inputs why 
things are failing.

-mithun

RE: rand in Windows

[Jeremy Farrell]

The simplest thing is simply to ignore the error. It's trying to write a file 
in a location which is not writeable by ordinary users. The file it's trying to 
write helps work around a deficiency in some ancient versions of Windows, 
helping ensure the randomness of future calls to the command. This is totally 
unnecessary with current versions of OpenSSL on current versions of Windows, so 
it doesn't matter at all that it can't create the file.

Regards,
 jjf

 -Original Message-
 From: John [mailto:jw72...@verizon.net]
 Sent: Friday, July 06, 2012 4:07 AM
 To: openssl-users@openssl.org
 Subject: rand in Windows
 
 Hello. I have OpenSSL-Win64 version 1.0.1c installed on 64-bit Win7.  I
 am
 trying to use it to create a random generated file for use in stunnel,
 using
 this command openssl rand -out filexyz.rnd -hex 2048 from the Windows
 CLI.
 Although it appears to succeed, but I also see this message when it
 finishes: unable to write 'random state'.  I looked at the online help,
 but
 nothing I read indicated how to prevent this as far as I can tell. Is
 this
 normal for Windows and not something to worry about, or what am I
 missing?
 Thanks.
 
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Win32OpenSSL.html

[Jeremy Farrell]

You'd be best raising this with whomever produced that installer. The OpenSSL 
project distributes OpenSSL in source form. Some third party built OpenSSL and 
packaged it into that installer, that's who decided and controls which versions 
of OS libraries it depends on.

 

Regards,

  jjf

 

From: John A. Wallace [mailto:jw72...@verizon.net] 
Sent: Wednesday, June 20, 2012 5:24 PM
To: openssl-users@openssl.org
Subject: Win32OpenSSL.html

 

Hello. 

 

In this instance I am using 64-bit Win7 on a laptop in a home network. When I 
downloaded this version of OpenSSL  
http://slproweb.com/download/Win64OpenSSL_Light-1_0_1c.exe, during installation 
it alerted me about not finding but needing the Visual C++ 2008 
Redistributable.  I was a bit surprised to see this alert because I could see 
that I already had several other such Redistributables installed on my system. 
These are what I currently had:

 

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

 

Apparently, this version of OpenSSL required a different one, so I went online 
hunting down what I could find along these lines until coming across another 
one that seemed to suffice, namely, this one: 

 

Microsoft Visual C++ Redistributable - x64 9.0.21022

 

I was lucky, I suppose, in that I did not have to spend much time looking 
around before I found one that would fit the bill and satisfy and satisfy its 
requirements. However, to be honest, I am no programmer and, therefore, I am 
not at all sure how many different versions of the 2008 Redistributable are 
floating around. In the alert that I got during the installation there was no 
mention of any specific version at all.

 

In general, how would a person know which of these version might be needed 
without having to go through a hunt and peck approach while looking for one of 
them? This is an awesome product, but it would be swell also, if possible, to 
tweak the installation process with a little more information about its 
dependencies under the circumstances. Or am I seeming too picky about it? 
Thanks.

 

John

 

 

 

RE: Query on availability the libeay64 dll

[Jeremy Farrell]

You'll need to ask whomever you got managedopenssl.dll from - that DLL is not 
part of OpenSSL. It's certainly possible to build 64-bit versions of OpenSSL 
for Windows, and I believe pre-built versions can be downloaded from various 
places on the Web (they're not provided by the OpenSSL project).  I've never 
heard of the managed wrapper DLL before.

 

From: sridevi.chilum...@tcs.com [mailto:sridevi.chilum...@tcs.com] 
Sent: Thursday, June 14, 2012 10:32 AM
To: openssl-users@openssl.org
Subject: Query on availability the libeay64 dll

 


Hi 

Currently in of the application we are using libeay32.dll with a wrapper 
managedopenssl.dll which is used in .net application for encryption and 
decryption 

It is supporting the 32 bit  operating system not supporting  64 bit . 

Is there any managed dll available for wrapper and libeay64.dll which supports 
my requirement 

Can you pls suggest the approach how to make the application run. 

Regards
Sridevi Chilumula
Tata Consultancy Services
Mailto: HYPERLINK mailto:sridevi.chilum...@tcs.comsridevi.chilum...@tcs.com
Website: HYPERLINK http://www.tcs.com/http://www.tcs.com

Experience certainty.IT Services
   Business Solutions
   Outsourcing


=-=-=
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you

RE: Problems installing

[Jeremy Farrell]

Just a guess, but Can't open /dev/null: No such file or directory could be 
causing utter confusion. That sounds like a pretty screwed-up system. v5.8.8 is 
fine for the perl, assuming it's on your path.

Regards,
jjf

 -Original Message-
 From: Curtis, John G [mailto:jcur...@alionscience.com]
 Sent: Saturday, June 02, 2012 6:50 PM
 To: openssl-users@openssl.org
 Subject: Problems installing
 
 I'm having an issue upgrading to 0.9.8x on Solaris 9 where ./config
 yields the following:
 
 Operating system: sun4u-whatever-solaris2
 NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI
 and wish to build 64-bit library, then you have to
 invoke './Configure solaris64-sparcv9-gcc' *manually*.
  You have about 5 seconds to press Ctrl-C to abort.
 Can't open /dev/null: No such file or directory
 Can't open /dev/null: No such file or directory
 You need Perl 5.
 
 A quick look with perl -v tells me:
 
 This is perl, v5.8.8 built for sun4-solaris
 
 Is Perl v5.8.8 not sufficent for Perl 5 or am I missing something
 here?
 
 Thanks in advance
 
 
 
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Custom free routine is invoked with NULL argument in openssl 1.0.1

[Jeremy Farrell]

 From: Jakob Bohm [mailto:jb-open...@wisemo.com]
 Sent: Tuesday, May 29, 2012 8:34 AM
 On 5/27/2012 2:29 AM, Jeremy Farrell wrote:
  From: Jakob Bohm [mailto:jb-open...@wisemo.com]
  On 5/25/2012 5:30 PM, Ken Goldman wrote:
  On 5/25/2012 3:33 AM, Jakob Bohm wrote:
 
  ANSI C and POSIX free() is NOT required to handle free(NULL)
  as a NOP.
  I checked reputable sources (Plauger, Harbison and Steele, the ANSI
  spec, and the IEEE POSIX spec).
 
  All agree that (e.g. ANSI)
 
  If ptr is a null pointer, no action occurs.
 
 
  Which version of the ANSI Spec, and where did you get a copy?
  I quoted from C99 in a recent message; can't remember where I got it
 (12 years ago ...), perhaps Techstreet. There are 'final drafts' of C99
 and C11 legally available for free on the web I believe.
 
  Various revisions of POSIX are available free for reference online;
 the current POSIX.1-2008 at
 http://pubs.opengroup.org/onlinepubs/9699919799/ and the older POSIX.1-
 2004 at http://pubs.opengroup.org/onlinepubs/009695399/
 
 
 Note that when considering portability, C99 is not yet
 fully implemented everywhere, so when I say ANSI C
 without qualification, I generally refer to C89 plus
 the two TR update documents that mostly focused on
 things many compilers were already doing.
 
 Having no current access to the C89 standard or its
 drafts, I am relying on the experience that many C89
 real world systems I have encountered did not tolerate
 free(NULL).  In contrast all recent C++ specifications
 (starting with The C++ Programming Language 2nd Ed.
 which preceded all published standards), insist that
 delete (char*)NULL must be a safe NOP.
 
 As C99 adopted many other features from C++ (such as
 declarations between statements), the free(NULL)
 behavior might also be new in C99.

C99 was what I had most conveniently to hand, but as I mentioned originally the 
requirement has been the same in all versions of Standard C from C89 through to 
the current C11. C89 has:

4.10.3.2 The free function

Synopsis
 #include stdlib.h
 void free(void *ptr);

Description
   The free function causes the space pointed to by ptr to be
deallocated, that is, made available for further allocation.  If ptr
is a null pointer, no action occurs.  Otherwise, if the argument does
not match a pointer earlier returned by the calloc , malloc , or
realloc function, or if the space has been deallocated by a call to
free or realloc , the behavior is undefined.

Returns
   The free function returns no value.

The Rationale for C89 states The null pointer is specified as a valid argument 
to this function to reduce the need for special-case coding.

Other standards documents of the time (XPG3, for example) mention adding the 
sentence on NULL for conformance with the draft C Standard, so it looks like 
the ANSI C committee was the driver for explicitly requiring this behaviour; I 
don't know if any earlier implementations worked that way, KR 1 didn't mention 
the free library function. I don't know C++, but Stroustrup's site says C++ 2 
was written in '91, so he'd be assuming the C89 library as the basis.

I'm a bit surprised you've come across systems at all recently which don't 
tolerate free of NULL. I've tended to assume they do without explicitly testing 
it (I'm fool enough to rely blindly on standards for some things), but I would 
usually only make such a call in unusual error paths; I guess it may come back 
to bite me sometime.

Regards,
   jjf
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Custom free routine is invoked with NULL argument in openssl 1.0.1

[Jeremy Farrell]

 From: Jakob Bohm [mailto:jb-open...@wisemo.com]
 On 5/25/2012 5:30 PM, Ken Goldman wrote:
  On 5/25/2012 3:33 AM, Jakob Bohm wrote:
 
  ANSI C and POSIX free() is NOT required to handle free(NULL)
  as a NOP.
 
  I checked reputable sources (Plauger, Harbison and Steele, the ANSI
  spec, and the IEEE POSIX spec).
 
  All agree that (e.g. ANSI)
 
  If ptr is a null pointer, no action occurs.
 
 
 Which version of the ANSI Spec, and where did you get a copy?

I quoted from C99 in a recent message; can't remember where I got it (12 years 
ago ...), perhaps Techstreet. There are 'final drafts' of C99 and C11 legally 
available for free on the web I believe.

Various revisions of POSIX are available free for reference online; the current 
POSIX.1-2008 at http://pubs.opengroup.org/onlinepubs/9699919799/ and the older 
POSIX.1-2004 at http://pubs.opengroup.org/onlinepubs/009695399/

Regards,
   jjf
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Custom free routine is invoked with NULL argument in openssl 1.0.1

[Jeremy Farrell]

 From: Jakob Bohm [mailto:jb-open...@wisemo.com]
 
 On 5/25/2012 12:30 AM, Richard Levitte wrote:
 
  sudarshan.t.raghavan  I am assuming the default
  sudarshan.t.raghavan  free routine ignores a NULL argument
 
  Your assumption is correct, OpenSSL expects the same semantics as
  malloc(), realloc() and free(), so you free() replacement must be
  able to handle a NULL argument.

 ANSI C and POSIX free() is NOT required to handle free(NULL)
 as a NOP.

I'm afraid you're wrong on that Jakob. Quoting from C99:

==
7.20.3.2 The free function

Synopsis
#include stdlib.h
void free(void *ptr);

Description
The free function causes the space pointed to by ptr to be deallocated,
that is, made available for further allocation. If ptr is a null pointer,
no action occurs. Otherwise, if the argument does not match a pointer
earlier returned by the calloc, malloc, or realloc function, or if the
space has been deallocated by a call to free or realloc, the behavior
is undefined.
==

The original and current C Standards say the same, as does POSIX.

Regards,
  jjf

 ANSI C++ operator delete() is required to do this, but this
 requirement does not extent to free() invoked from a C++ program.
 
 Some libc implementations provide this feature anyway, but it
 is not a required property of free(), and according to Dr.
 Henson's reply above it is not a requirement of the OpenSSL
 custom free() callback either.
 
 Enjoy
 
 Jakob
 --
 Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
 Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
 This public discussion message is non-binding and may contain errors.
 WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Looking for (easy) help.

[Jeremy Farrell]

This is a wild guess, no idea if it's relevant, but the array key32 consists of 
33 bytes, 32 containing 0x31 (assuming ASCII) followed by one containing 0x00. 
Is that how it's meant to be?

 

Regards,

   jjf

 

From: scott...@csweber.com [mailto:scott...@csweber.com] 
Sent: Friday, May 11, 2012 2:43 PM
To: openssl-users@openssl.org
Subject: Looking for (easy) help.

 

(resent, as I never saw this come through the list server)

I am looking for some assistance.  This should be really easy.  But it's not 
working.  Any quick advice I can get would be appreciated.

 

When I use the API, I get a different cypher text then I get from the command 
line.

And the command line appears to be the correct one, as it also matches the 
cypher text I get when I use the PHP interface.

(Once I get the encryption working, I assume the PHP would decrypt it easily, 
which is my goal)

 

The clear text I am using is simply 6 letters in a file.  The file does NOT 
contain a newline, and neither does the hardcoded buffer used in the C source.

 

The cypher I get is  (hex string):

from openssl EXE:       aed38175d75ea94e7e59833f11400dcf
From C code:               35709aab6f31555a378bc4a6107f3bd0 

 

 

So, here's the code.  Really easy stuff.  The Key and IV are the same, 

 

---  Command line 

openssl

    enc -aes-256-cbc

    -in infile.txt -K 
3131313131313131313131313131313131313131313131313131313131313131

    -iv fbd070327199c9df7760c5a113bed7a3

    -nosalt -out cypher.bin

 

 C code:

static unsigned char initVect[] = {

    0xfb,0xd0,0x70,0x32,0x71,0x99,0xc9,0xdf,

    0x77,0x60,0xc5,0xa1,0x13,0xbe,0xd7,0xa3

};

 

 

static const unsigned char key32[] = 

{};

 

 

void AES256Encrypt(unsigned char  *dst, const char *src, int len) {

 

AES_KEY aeskey;

unsigned char iv[sizeof(initVect)]; /* Our own personal copy of the 
initialization */

memcpy(iv,initVect,sizeof(initVect)); /* vector, to handle the fact that 
it's not CONST */

 

AES_set_encrypt_key(key32, 256, aeskey);

AES_cbc_encrypt((unsigned char *)src, (unsigned char *) dst, len, aeskey, 
iv, AES_ENCRYPT);

}

 

 

Any help is appreciated!

 

-Scott Weber

 

__ OpenSSL 
Project http://www.openssl.org User Support Mailing List HYPERLINK 
mailto:openssl-users@openssl.orgopenssl-users@openssl.org Automated List 
Manager HYPERLINK mailto:majord...@openssl.orgmajord...@openssl.org 

RE: header file for EC_KEY

[Jeremy Farrell]

 From: Ken Goldman [mailto:kgold...@us.ibm.com]
 
 On 5/8/2012 5:47 PM, Dr. Stephen Henson wrote:
 
  EVP_PKEY_cmp(), see the manual page for details.
 
 I just walked the man page starting with
 
 http://www.openssl.org/docs/crypto/evp.html#
 
 If it's there, it's not obvious.

First hit in Google, quicker than any mailing list ...
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OS390 UNIX - openssl install questions

[Jeremy Farrell]

I suppose that might be useful for someone who's interested in installing 
OpenSSL on a Mac, though I can't imagine how they'd be supposed to guess to 
search that particular site.

What's it got to do with your subject line or the question you replied to 
though? And why is it of high importance?

 -Original Message-
 From: Jaaron Anderson [mailto:janders...@widener.edu]
 Sent: Thursday, April 05, 2012 2:28 PM
 To: openssl-users@openssl.org
 Cc: terri.e.shaf...@jpmchase.com
 Subject: RE: OS390 UNIX - openssl install questions
 Importance: High
 
 
 install openssl on mac
 
 http://lmgtfy.com/?q=install+openssl+on+mac+site%3Aexperts-exchange.com
 
 hth
 
 
 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Shaffer, Terri E
 Sent: Wednesday, April 04, 2012 3:15 PM
 To: openssl-users@openssl.org
 Subject: OS390 UNIX - openssl install questions
 
 
 Hi,
   I was wondering if anyone had any information on how to install
 openssl on
 z/OS UNIX?  I have been getting numerous errors with the config and/or
 Configure files and sortof at a loss.
 
 Thanks
 
 Ms. Terri E. Shaffer
 terri.e.shaf...@jpmchase.com
 Engineer
 J.P.Morgan Chase  Co.
 GTI DCT ECS Core Services zSoftware Group / Emerging Technologies
 Office: # 614-213-3467
 Cell: # 412-519-2592
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Random number generator

[Jeremy Farrell]

http://lmgtfy.com/?q=openssl+random+number

 From: Alex Chen [mailto:alex_c...@filemaker.com]
 
 There is a 'rand' command in the openssl command line tool to generate
 'pseudo' random number generator.  But I cannot find the API from
 either the 'ssl' or 'crypto' man pages.
 Can someone point me to the API page if it is available?
 
 Is this RNG implementation different in the regular distribution  and
 the FIPS Object module?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL 1.0.1 libraries have 1.0.0 in the names

[Jeremy Farrell]

opensslv.h

 

From: dave.mclel...@emc.com [mailto:dave.mclel...@emc.com] 
Sent: Thursday, March 22, 2012 8:43 PM
To: openssl-users@openssl.org
Subject: OpenSSL 1.0.1 libraries have 1.0.0 in the names

 

I'm seeing 1.0.0 used in the library (.so) names for crypto and ssl versions. 
  I expected to see 1.0.1, consistent with the 0.9.X stream, where the version 
number agrees with version in the library name (as referenced in the link of 
the openssl executable for example). 

 

Can someone help me understand why it shouldn't 1.0.1 in the library 
reference names?   I'm sorry if I've missed the mention of this in the CHANGES, 
README, etc. 

 

I have the official release kit, having moved on from beta3 kit. 

 

Thanks.  

 

+-+-+-+-+-+-+ 
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+ 

 

RE: missing symbols when building openssl1.0.0g as static library..

[Jeremy Farrell]

 From: JonathonS [mailto:thejunk...@gmail.com]
 
 I am building openssl as a static library, and when I link to it, I am
 getting a bunch of missing symbols that *should* be defined by
 openssl.
 
 Here is the command I used to build openssl:
 
 ./Configure --prefix=/home/user/openssl_release
 --openssldir=/home/user/openssl_release no-asm threads zlib shared
 linux-x86_64
 
 After the binaries have been built, it produces libcrypto.a and
 libssl.a.  When I try to link against it, I get a bunch of missing
 symbols -- *some* are listed below.  There are a lot more.
 
 
   [cc] /home/user/downloads/curl-7.24.0/lib/ssluse.c:1462:
 undefined reference to `SSLv23_client_method'
 ...
 
 These all look like they belong to openssl.  How would I produce a
 fully functional static library that has all the symbols defined?

The way you did. Are you sure you're linking against the libraries? What OS, 
what linker, what command line?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: missing symbols when building openssl1.0.0g as static library..

[Jeremy Farrell]

 From: JonathonS [mailto:thejunk...@gmail.com]
 
 Thanks guys for all your help.
 
 I am using 64-bit linux Centos.  The binaries were built with GCC
 4.4.4.
 
 I am not currently linking against libcurl.  I am just linking against
 my own project.  I am pretty sure the cause of the problem is that the
 symbols are not defined in the binaries produced.
 
 see below.
 
 [user@localhost lib]$ nm libcrypto.a | fgrep X509_STORE
  U X509_STORE_add_lookup
 00ac T X509_STORE_load_locations
  T X509_STORE_set_default_paths
 3f26 T X509_STORE_CTX_cleanup
 3a12 T X509_STORE_CTX_free
 376a T X509_STORE_CTX_get0_current_crl
 3755 T X509_STORE_CTX_get0_current_issuer
 4140 T X509_STORE_CTX_get0_param
 377f T X509_STORE_CTX_get0_parent_ctx
 40d0 T X509_STORE_CTX_get0_policy_tree
 36b4 T X509_STORE_CTX_get1_chain
  U X509_STORE_CTX_get1_issuer
 369f T X509_STORE_CTX_get_chain
 368a T X509_STORE_CTX_get_current_cert
 3648 T X509_STORE_CTX_get_error
 3676 T X509_STORE_CTX_get_error_depth
 361f T X509_STORE_CTX_get_ex_data
 35a3 T X509_STORE_CTX_get_ex_new_index
 40e5 T X509_STORE_CTX_get_explicit_policy
 3a38 T X509_STORE_CTX_init
 39a5 T X509_STORE_CTX_new
 3838 T X509_STORE_CTX_purpose_inherit
 37c8 T X509_STORE_CTX_set0_crls
 4152 T X509_STORE_CTX_set0_param
 3794 T X509_STORE_CTX_set_cert
 37ae T X509_STORE_CTX_set_chain
 40f9 T X509_STORE_CTX_set_default
 403a T X509_STORE_CTX_set_depth
 365c T X509_STORE_CTX_set_error
 35ee T X509_STORE_CTX_set_ex_data
 4060 T X509_STORE_CTX_set_flags
 37e2 T X509_STORE_CTX_set_purpose
 4089 T X509_STORE_CTX_set_time
 380c T X509_STORE_CTX_set_trust
 40b6 T X509_STORE_CTX_set_verify_cb
 3efd T X509_STORE_CTX_trusted_stack
  U X509_STORE_get1_certs
  U X509_STORE_get1_crls
 13ab T X509_STORE_CTX_get1_issuer
 0928 T X509_STORE_add_cert
 0a6e T X509_STORE_add_crl
 0714 T X509_STORE_add_lookup
 0639 T X509_STORE_free
 0e4c T X509_STORE_get1_certs
 106a T X509_STORE_get1_crls
 07d5 T X509_STORE_get_by_subject
 0484 T X509_STORE_new
 1670 T X509_STORE_set1_param
 15f9 T X509_STORE_set_depth
 15d0 T X509_STORE_set_flags
 1624 T X509_STORE_set_purpose
 164a T X509_STORE_set_trust
 1699 T X509_STORE_set_verify_cb
  U X509_STORE_add_cert
  U X509_STORE_add_crl
  U X509_STORE_CTX_cleanup
  U X509_STORE_CTX_init
  U X509_STORE_CTX_set_purpose
  U X509_STORE_CTX_cleanup
  U X509_STORE_CTX_get_error
  U X509_STORE_CTX_init
  U X509_STORE_CTX_set0_crls
  U X509_STORE_CTX_set_default
  U X509_STORE_CTX_cleanup
  U X509_STORE_CTX_get1_chain
  U X509_STORE_CTX_get_error
  U X509_STORE_CTX_init
  U X509_STORE_CTX_set_purpose
  U X509_STORE_CTX_set_trust
  U X509_STORE_CTX_cleanup
  U X509_STORE_CTX_get_error
  U X509_STORE_CTX_init
  U X509_STORE_CTX_set0_crls
  U X509_STORE_CTX_set_default
  U X509_STORE_CTX_cleanup
  U X509_STORE_CTX_get1_chain
  U X509_STORE_CTX_get_error
  U X509_STORE_CTX_init
  U X509_STORE_CTX_set_purpose
  U X509_STORE_free
 
 see all the U in libcrypto.a?

Yep.

 These are the undefined symbols I believe.

Why do you believe that? You quote below the following comment from Wim:

! (there should be several 'U'ndefined references and one defined
! reference to [each] symbol).

I don't see any undefined symbols in the output you provide.

As several people have already implied, the most likely cause of the problem by 
far is that you're not linking against the libraries. As several people have 
asked, what is your linker command line when linking your program?


 Thanks again for all the help.
 
 J
 
 On Tue, Feb 28, 2012 at 10:39 AM, Wim Lewis w...@omnigroup.com wrote:
 
  On 28 Feb 2012, at 9:57 AM, JonathonS wrote:
  Here is the command I used to build openssl:
 
  ./Configure --prefix=/home/user/openssl_release
  --openssldir=/home/user/openssl_release no-asm threads zlib shared
  linux-x86_64
 
  After the binaries have been built, it produces libcrypto.a and
  libssl.a.  When I try to link against it, I 

RE: hello!

[Jeremy Farrell]

 From: Jakob Bohm [mailto:jb-open...@wisemo.com]
 Sent: Tuesday, November 15, 2011 2:28 PM
 
 On 11/15/2011 11:39 AM, Henrik Grindal Bakken wrote:
  Jonas Schnelli
  jonas.schne...@include7.ch  writes:
 
  #includeopenssl-1.0.0e/include/openssl/hmac.h
  #includeopenssl-1.0.0e/include/openssl/evp.h
  #includestring.h
 
  char  key[20] = { 0 };
 
  int
  main()
  {
  HMAC_CTX *  context;
 
  context = (HMAC_CTX *) malloc(sizeof(*context));
 
  Do you need to malloc the context (a pointer) ?
  I don't think so.
  Remove the line?
 
  That won't work, but you can do
HMAC_CTX context;
 
  and usecontext instead of context.

 Why would that be any different?
 
 When OpenSSL gets a HMAC_CTX*, it shouldn't care if it points to
 memory on the stack or the heap, as long as that memory is
 sizeof(HMAC_CTX) big and maybe appropriately initialized.

Err ... yes, that's the point. The original code used malloc to allocate memory 
for an HMAC_CTX, and did it right (apart from not checking that malloc 
succeeded). Henrik's version allocated memory for an HMAC_CTX structure 
automatically, and was equally right. Jonas's version didn't allocate memory 
for an HMAC_CTX at all, and passed an uninitialized pointer to subsequent 
function calls instead of a pointer to an HMAC_CTX.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: RE: Open SSL API's Support For IPv6.

[Jeremy Farrell]

 From: Akanksha Shukla [mailto:akshu...@cisco.com]
 
 Hi Carl,
 
 I added the API's call as mentioned by you in the else part to get the
 dump
 of the error. But this time also, I am not successful.
   else
   {
  SSL_load_error_strings();
  SSL_library_init();
  FILE * pFile1;
  pFile1 = fopen (result.txt,a);
  if (pFile1!=NULL)
  {
 ERR_print_errors_fp(pFile1);
 fclose(pFile1);
  }
  cout   The Bio_do_connect failed  endl;
  break;
   }
 
 This time also, I got blank file without having any output in it. Am is
 missing something here or using them in incorrect way?
 
 Please suggest.
 
 Thanks
 Akanksha Shukla.
 
 -Original Message-
 From: carlyo...@keycomm.co.uk [mailto:carlyo...@keycomm.co.uk]
 
  On Mon 31/10/11 4:25 PM , Akanksha Shukla akshu...@cisco.com sent:
  Hi Michael,
 
  Thanks for the reply. But I think the issue is not from the C
 perspective.
  As I already mentioned, that if I use fputs to directly write a
 string to
  file, then I am able to do that successfully. But when I try to write
 the
  error code thrown by Bio_do_connect() API, then nothing is getting
 written
  in file and for that I have used the API suggested by Stephen in the
 forum
  (ERR_print_errors_fp(pFile)).
 
 Are you loading the strings?
 
 From:http://www.openssl.org/docs/ssl/SSL_library_init.htmlEXAMPLES
 
 A typical TLS/SSL application will start with the library
 initialization, and provide readable error messages.
 SSL_load_error_strings();/* readable error
 messages
 */
 SSL_library_init();  /* initialize library
 */
 
 Carl

Did you read the page he referred you to? Did you read the text he quoted? Did 
you think about what it said at all?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: starting point for learning to use OpenSSL

[Jeremy Farrell]

From: Mithun Kumar
Sent: Friday, October 07, 2011 5:54 PM

Hello All,

I want to use OpenSSL for the application that i am writing. Could someone 
direct me what is the best starting point. I tried Google but failed to find 
any examples.

PS: I hope i am posting on the right forum.

-Thanks
 mithun

http://shop.oreilly.com/product/9780596002701.do

RE: Trying to Link Statically to Libcrypto

[Jeremy Farrell]

From: brandon...@aol.commailto:brandon...@aol.com
Actually, I was advised to put libssl after libcrypto.  I don't recall being 
told to put libssl after libldap.  Also, knowing that order matters is of 
little use if you don't grasp what the order should be.
You were told the right order a few times along the way; on reviewing the 
messages though, I see you were also told the wrong order a few times along the 
way.  Not at all surprising that you were confused.
I did show  the link command in a previous post, but admittedly not up to date 
with this particular set of errors.  I'll remember to include my link command 
with every example of error messages.
Yes, that's always a good idea.  Glad to see it's sorted now.

RE: Trying to Link Statically to Libcrypto

[Jeremy Farrell]

The output is little or no help in knowing specifically what you've done wrong, 
What link command line did you use?

The most likely explanation of this is that you still haven't done what several 
different people here have advised you several times, including in the messages 
quoted below - made sure that the reference to the OpenSSL libraries comes 
_AFTER_ the references to the ldap library in the link command. As everyone 
keeps saying, _order_matters_.

I don't recognise the names of some of the missing references below; they may 
be OpenSSL references I'm not aware of, or they may be to some other library 
which the ldap library needs. If its the latter, you'll need to look at the 
documentation of the ldap library to see what it needs, and include it on the 
link command line. Since _order_matters_, you'll need to include it _after_ the 
reference to the ldap library.
From: brandon...@aol.commailto:brandon...@aol.com
Sent: Monday, July 18, 2011 4:46 PM
I put the -static where it belongs.  Here is a partial list of the output:

/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_close':
(.text+0xa6): undefined reference to `SSL_shutdown'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_upflags':
(.text+0x13b): undefined reference to `SSL_get_error'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_write':
(.text+0x1cc): undefined reference to `SSL_write'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_write':
(.text+0x1df): undefined reference to `SSL_get_error'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_read':
(.text+0x2cc): undefined reference to `SSL_read'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_read':
(.text+0x2df): undefined reference to `SSL_get_error'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_ctrl':
(.text+0x409): undefined reference to `SSL_pending'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_remove':
(.text+0x4ab): undefined reference to `SSL_free'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_sb_setup':
(.text+0x58f): undefined reference to `SSL_set_bio'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_strength':
(.text+0x769): undefined reference to `SSL_get_current_cipher'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_strength':
(.text+0x779): undefined reference to `SSL_CIPHER_get_bits'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_get_cert':
(.text+0x7ad): undefined reference to `SSL_get_verify_result'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_get_cert':
(.text+0x7bd): undefined reference to `SSL_get_peer_certificate'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0x8a6): undefined reference to `X509_get_ext_by_NID'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0x8bd): undefined reference to `X509_get_ext'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0x8c5): undefined reference to `X509V3_EXT_d2i'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0x9be): undefined reference to `GENERAL_NAMES_free'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0x9d7): undefined reference to `GENERAL_NAMES_free'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0x9f5): undefined reference to `X509_get_subject_name'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0xa00): undefined reference to `X509_NAME_entry_count'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0xa1b): undefined reference to `X509_NAME_get_entry'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0xa98): undefined reference to `X509_free'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_chkhost':
(.text+0xc62): undefined reference to `X509_NAME_ENTRY_get_data'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_peer_dn':
(.text+0xe04): undefined reference to `X509_get_subject_name'
/usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function 
`tlso_session_peer_dn':
(.text+0xe17): undefined reference to `i2d_X509_NAME'

RE: Questions: Building crypto libraries to link with Visual C++

[Jeremy Farrell]

From: rick freitag

Questions include:

Why do I need ActivePerl not plain Perl?
No idea, depends what you're using it for.
I am only using the Cryptolibrary functions from Visual C++.
So how is OpenSSL involved?

RE: when to use CRYPTO_set_locking_callback and CRYPTO_set_dynlock_create_callback

[Jeremy Farrell]

From: Arunkumar Manickam
Sent: Thursday, July 07, 2011 8:14 AM

We are using openssl 1.0.0d in our multi threaded application.
I would like to know when to set CRYPTO_set_locking_callback and when to set 
CRYPTO_set_dynlock_* callbacks

The openssl document says that *dyn* call backs are required to improve 
performance. From openssl code, it seems only e_chill engine is using them. Pls 
correct if I am wrong here.

Is the application required to set all the callbacks or just 
CRYPTO_set_locking_callback and CRYPTO_THREADID_set_callback.

Also if *dyn* callbacks are set, does the application still need to set 
CRYPTO_set_locking_callback and CRYPTO_THREADID_set_callback.

Why not just do them all? It's quicker and easier than spending time worrying 
about which and whether to do, and won't do any harm.

RE: Convert perl file to asm fie

[Jeremy Farrell]

Try taking a step back and explaining what you are actually trying to do 
overall, instead of asking a particular question which sounds very strange. Are 
you just trying to build the OpenSSL libraries for ARM perhaps? In that case 
your question would have been better phrased as how do I build the OpenSSL 
libraries for an ARM device, for example.



From: ty hawk

 Sorry for I have done.
 I found these files on website. I paste these links

I have compile completely openssl on windows, found it used 
aes-586.plhttp://aes-586.pl 
http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-35/src/crypto/aes/asm/aes-586.pland
 it had been converted aes-586.asm in compiler
process
Now I need use it device, so I used 
aes-arm4v.plhttp://aes-arm4v.plhttp://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-32/src/crypto/aes/asm/aes-armv4.pl
replace for aes-586.plhttp://aes-586.pl






Best Wishes

Hawkes
2011/06/30




2011/6/30 Tim Watts t...@dionic.netmailto:t...@dionic.net
On 30/06/11 10:53, ty hawk wrote:
Hi Tim

I have compile completely openssl on windows, found it used 
aes-586.plhttp://aes-586.pl
http://aes-586.pl and it had been converted aes-586.asm in compiler
process
Now I need use it device, so I used aes-armv4.plhttp://aes-armv4.pl 
http://aes-armv4.pl
replace for aes-586.plhttp://aes-586.pl http://aes-586.pl.





Best Wishes!

Hawkes

2011/06/30


2011/6/30 Tim Watts t...@dionic.netmailto:t...@dionic.net 
mailto:t...@dionic.netmailto:t...@dionic.net


   On 30/06/11 09:43, ty hawk wrote:

   Hi  :
  I want to use openssl on device that used arm.
  How could I convert aes-armv4.plhttp://aes-armv4.pl
   http://aes-armv4.pl http://aes-armv4.pl/


   to aes-armv4.asm?
  Could you you help me?



Yes - on one condition - please listen and STOP trying to paste links to 
files into email messages I can't see any of those files to know what 
you're problem actually is about...

RE: Compiling OpenSSL on linux-ia64-icc - Problem with SHA1 Asm

[Jeremy Farrell]

 From: Philipp Berger
 
 I am trying to compile OpenSSL 0.9.8r on Debian 6.01 AMD64
 (2.6.32-5-amd64) using the Intel C++ Compiler (icc version 12.0.4).
 My ./Configure command was: ./Configure linux-ia64-icc shared
 enable-static-engine
 
 When I try to make it fails ...
 
 Additionally, a lot of warnings are being emitted:
 icc: command line remark #10148: option '-no-cpprt' not supported
 
 What am I doing wrong? Is ICC not supported? Is there a simple
 workaround? Am I dump?

You are configuring for the Itanium processor but building on x86-64. Is that 
what you're meaning to do? Is icc properly set up as a cross compiler to target 
Itanium?__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Tutorial to start with openssl.

[Jeremy Farrell]

 From: Igor Galic
 
  I am a newbie, any tutorial to start with openssl?
 
 That highly depends on what you want to achieve.
 There *is* documentation. http://openssl.org/docs/
 
 You probably want to start with the
 http://openssl.org/docs/HOWTO/ which explains some of the
 essential concepts you'll need to know.

And there's always The Book of course, which Google finds immediately:

  http://www.opensslbook.com/

A little dated but very useful all the same.

The range of different things which can be done with the various programs and 
libraries which make up OpenSSL is huge though, so as Igor says the best source 
of information depends very much on what you want to 
do.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Download fips 1.2.3

[Jeremy Farrell]

 From: John R Pierce
 Sent: Tuesday, May 24, 2011 9:20 PM
 
 On 05/24/11 12:53 PM, Kyle Hamilton wrote:
  I don't think that Solaris's tar hits the bug every time.  Do you 
  think Oracle (nee Sun) would ship something that failed 100% of the 
  time instead of 0.1% of the time? 
 
 bug? no, this is not a bug.
 
 native posix tar doesn't read gzip files, gzip does.
 gnu tar munged gzip into tar to create a hybrid.
 
  gunzip -c filename.tar.gz | tar xvf -
 
 or
  gunzip filename.tar.gz
  tar xvf filename.tar
 
 works just great on Solaris and any other Unix platform.

... except when it doesn't, such as in the case in 
question.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Multiple connection from 1 client

[Jeremy Farrell]

From: Harshvir Sidhu

Hi,

   I have a server application, which accepts normal sockets and ssl socket 
connections. I am trying to make 3 connections to server from 1 client machine, 
on same server port.
   When i connect on normal sockets then it works with any number of 
connections.
   When i tried to connect SSL then they dont work. If i connect 1 client then 
it works.

   In my listen socket, I have SO_REUSEADDR socket option, at first i thought 
might be this is causing issue, but i tried to use SO_EXCLUSIVEADDRUSE even 
then it dont work.

   Has someone seen some issue like this, any possible suggestion for this?

Thanks,

// Harshvir

http://www.catb.org/~esr/faqs/smart-questions.html

RE: OpenSSL and multithreaded programs

[Jeremy Farrell]

 From: Chris Dodd
 
 Is the OpenSSL library supposed to be at all reentrant?  I've had odd
 problems (intermittent errors) when trying to use OpenSSL in 
 a multithreaded
 program (multiple threads each dealing with independent SSL 
 connections),
 and have apparently solved them by creating a single global mutex and
 wrapping a mutex acquire around every call into the library.  Is
 this kind of locking expected to be needed?

http://lmgtfy.com/?q=openssl+locking__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: leak memory with SSL_load_error_strings

[Jeremy Farrell]

From: ikuzar
Hi,
When I tracked memory leak ( with valgrind ), it is said that memory allocated 
by SSL_load_error_strings is not released.
what function should I use to free memory allocated by SSL_load_error_strings ?
Thanks for your help
http://lmgtfy.com/?q=SSL_load_error_strings

RE: Re: Best book with examples for OpenSSL

[Jeremy Farrell]

From: derleader mail
Sent: Thursday, April 28, 2011 10:11 PM
I am looking for specific information on using the library in a
multi-threaded / asynchronous IO server (Windows - using IOCP).
I'd appreciate any information on the subject. An example would be great.

Best regards,
Andre

Hi,
   I'm too looking for multi-threaded example but for synchronous IO server for 
Linux.

Has anyone know are there example code?

Regards
Peter
I'd search the archives of this list. These subjects have been discussed in 
detail several times (though I don't recall use of IOCPs in particular, I must 
admit).

RE: OpenSSL for Unix

[Jeremy Farrell]

It would help if you specified which of the many thousands of releases and 
versions of UNIX you are talking about, and what 
architecture/processor/bit-width you need. There won't be compiled versions 
available for most combinations. You'd need to follow the instructions which 
come with it if you find a suitable version.

Why not just follow the instructions to install it from source?


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of João Alpande
Sent: Tuesday, April 19, 2011 11:41 AM
To: openssl-users@openssl.org
Subject: OpenSSL for Unix

Good Morning,
Where can I get a compiled version of OpenSSL for Unix?
how to install openssl in unix ?
Thanks´s

João Alpande

RE: double free or corruption

[Jeremy Farrell]

 From:  Kyle
 Sent: Wednesday, April 06, 2011 10:12 AM
 
 Hi, when trying to compile openssl 1.0.0d with this configure:
 
 ./Configure mingw64 no-shared 
 --openssldir=/home/kyle/software/ffmpeg/external-libraries/win64
 
 and then this make:
 
 make CC=x86_64-w64-mingw32-gcc RANLIB=x86_64-w64-mingw32-ranlib
 
 I get this error:
 
...
 *** glibc detected *** 
 /home/kyle/software/mingw-w64/mingw-w64-x86_64/lib/gcc/x86_64-
 w64-mingw32/4.6.0/../../../../x86_64-w64-mingw32/bin/ld: 
 double free or corruption (!prev): 0x02a8aaa0 ***
 === Backtrace: =
 /lib/libc.so.6(+0x774b6)[0x2b65b045a4b6]
 /lib/libc.so.6(cfree+0x73)[0x2b65b0460c83]
 /home/kyle/software/mingw-w64/mingw-w64-x86_64/lib/gcc/x86_64-
 w64-mingw32/4.6.0/../../../../x86_64-w64-mingw32/bin/ld[0x4592bc]
...
 
 Does anyone have any ideas about this?

The program 'ld', which judging from the path is part of mingw, has a bug.

 I managed to build the same 
 openssl version before, using the same command line, and the same 
 version of binutils. The only thing that has changed is my 
 gcc version, 
 I'm not using 4.6.0 and updated my mingw-w64 toolchain.

Then I'd either get the bug fixed or revert to a version of mingw which 
works.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Examples to encrypt/decrypt

[Jeremy Farrell]

 From: Jeffrey Walton
 Sent: Friday, March 25, 2011 8:45 PM
 On Fri, Mar 25, 2011 at 3:56 PM, Anthony Gabrielson 
 agabriels...@comcast.net wrote:
  This will do what you want:
  
  http://agabrielson.wordpress.com/2010/07/15/openssl-an-example-from-the-command-line/
 
 memset(plaintext,0,sizeof(plaintext));
 
 The optimizer might remove your zeroization.
 
 Jeff

But only if has a bug, in which case it might do 
anything.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Examples to encrypt/decrypt

[Jeremy Farrell]

 From: David Schwartz [mailto:dav...@webmaster.com] 
 Sent: Friday, March 25, 2011 11:44 PM
 
 On 3/25/2011 4:17 PM, Jeremy Farrell wrote:
 
  From: Jeffrey Walton
  Sent: Friday, March 25, 2011 8:45 PM
  On Fri, Mar 25, 2011 at 3:56 PM, Anthony 
 Gabrielsonagabriels...@comcast.net  wrote:
 
  This will do what you want:
 
  
  http://agabrielson.wordpress.com/2010/07/15/openssl-an-example-from-the-command-line/
 
   memset(plaintext,0,sizeof(plaintext));
 
  The optimizer might remove your zeroization.
 
  Jeff
 
  But only if has a bug, in which case it might do anything.
 
 It can remove it even without a bug. It's a common optimization to 
 remove an assignment that the optimizer can prove has no 
 effects. Since the 'memset' is the last reference to 'plaintext',
 the optimizer can legally remove it.

I think there must be some confusion here. The compiler can certainly do 
anything strange that it likes as long as the program can't tell by any 
C-conformant means that it has done so. Stripping pointless code is one of the 
simplest example of that. In this case though 'plaintext' is referenced again 
after both calls to 'memset'.

The code in question is at http://web.me.com/agabrielson/code/test_AES.c, 
linked from the page mentioned 
above.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Windows CE and FIPS

[Jeremy Farrell]

From: ryan.sm...@gdc4s.com
 Dr. Stephen Henson wrote:
  On Wed, Mar 23, 2011, Greaves, Ed (GE Healthcare) wrote:
On Wed, Mar 23, 2011, Greaves, Ed (GE Healthcare) wrote:
Any plans for the OpenSSL FIPS module to support Windows CE? 
What is the issue preventing this?
   
Well it can't be added to the existing module due to the rule
change at the start of 2011.
   
A new validation is underay but so far no sponsor has 
expressed an interest in Windows CE. For more details see:
   
http://www.openssl.org/docs/fips/fipsvalidation.html
   
   Thanks, this is helpful.  Is the plan still to support 
   only Linux on ARM?
 
  Ah I see that needs updating. Linux on ARM was he initial platform.
  The additional platforms mentioned in the Sponsors list are 
  also included. So far no one has sponsored Windows CE.
 
 So no support is currently planned for Linux x86 (32-bit)?  That seems
 like a gaping exclusion.

You'd think so, but if no-one is interested enough to stump up the money to 
make it happen then perhaps it 
isn't.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Base64 Encoding and Decoding error

[Jeremy Farrell]

 

 From: Dave Thompson
 Sent: Thursday, March 03, 2011 10:35 PM
 To: openssl-users@openssl.org
 
 Also, the byte that terminates a C (narrow) string is a null 
 character or null byte, sometimes called NUL (note 3 letters).
 But this character is not IN the string, it is AFTER the string.

If we're being pedantic, the null character is part of the string as far as C 
is 
concerned.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Error: relocations based on the ABS44 coding model can not be used in building a shared object

[Jeremy Farrell]

As the first line of output from 'ldd s2_meth.o' says, the file is not an 
executable. Why are you running that command, and why are you expecting it to 
do anything useful? GIGO applies here, the output from the command is as 
meaningless as the command.

I'd do a standard dynamic build of OpenSSL and carefully note the sequence of 
the commands and their parameters and order. Then set up your makefiles to do 
exactly the same commands except for including just the objects you want to 
include.

Regards,
 jjf


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of BISHT, SEEMANT (SEEMANT)
Sent: Thursday, August 19, 2010 7:36 AM
To: Tim Hudson; t...@cryptsoft.com
Cc: 'openssl-users@openssl.org'
Subject: RE: Error: relocations based on the ABS44 coding model can not be used 
in building a shared object

Hi Time,
Iam still facing the same issue. Actually I need to have .so similar to 
libssl.so  libcrypto.so but just single one. And also I need to have the same 
in 64 Bit. Iam still getting the same error:
ld: fatal: relocation error: R_SPARC_H44: file ssl/s2_meth.o: symbolunknown: 
relocations based on the ABS44 coding model can not be used in building a 
shared object

One more theing to mention while doing ldd s2_math.o Iam having the following 
error:
GNM056 linus cd ssl
GNM056 linus pwd
/osp/sde/Icc50_mnt_V01_view/lib/velizy/standard/openssl2/openssl2-0.9.8o/ssl
GNM056 linus ldd s2_meth.o
warning: ldd: s2_meth.o: is not executable
ld.so.1: /usr/lib/sparcv9/lddstub: fatal: relocation error: R_SPARC_H44: file 
./s2_meth.o: symbol unknown: relocations based on the ABS44 coding model can 
not be used in building a shared object
ldd: s2_meth.o: execution failed due to signal 11 (core dumped)
GNM056 linus
That's why I think there is some problem in compilation of openssl because of 
which Iam having this error in ldd.

Please help me out. Thanks.


From: Tim Hudson [mailto:tim.hud...@pobox.com]
Sent: 19 August 2010 09:43
To: BISHT, SEEMANT (SEEMANT)
Subject: Re: Error: relocations based on the ABS44 coding model can not be used 
in building a shared object

On 19/08/2010 2:01 AM, BISHT, SEEMANT (SEEMANT) wrote:
Hi Tim,
Thank you very much. I moved forward using your suggestion. But again Iam stuck 
at one point.

(1) Iam facing problem in creating my specific .so. Iam having error:
ld: fatal: relocation error: R_SPARC_H44: file ssl/s2_meth.o: symbolunknown: 
relocations based on the ABS44 coding model can not be used in building a 
shared object
Iam using makefile:
INCSO +=  -lsocket -lnsl -ldl -lkstat -lsunmath -lm
CFLAGS = -xO4 -xarch=v9 -xcode=abs64 -G
export CFLAGS

Remove the -xcode=abs64

(actually I'd remove most of your CFLAGS definition - you should not need it - 
except perhaps the -G)

You are now dealing with build issues in your code and not openssl.

ar t libssl.a shows the list of objects in libssl.a
ar t libcrypto.a will show the objects in libcrypto.a which libssl.a needs

I haven't built an openssl solaris shared library configuration in a while - so 
I'd have to power on some of my solaris machines to check 0 however I don't 
think it is anything to do with openssl.

BTW I didn't get the direct email to 
t...@cryptsoft.commailto:t...@cryptsoft.com so I've switched to an address 
which you might find easier to reach.

Tim

RE: verify certificate in c

[Jeremy Farrell]

 From: Behalf Of Michael S. Zick
 Sent: Saturday, July 03, 2010 6:51 PM
 
 On Sat July 3 2010, Dr. Stephen Henson wrote:
  On Sat, Jul 03, 2010, belo wrote:
   
   Damn!
   how can be possible that in the official openssl 
   documentation there's
   nothing about this OpenSSL_add_all_algorithms()?!?!?!?
  
  http://www.openssl.org/support/faq.html#PROG8
 
 The OP does have a point -
 That faq says: see the openssl manual -

Not that I can see. The destination of that link refers to 
OpenSSL_add_all_algorithms and immediately afterwards says See the manual page 
for more information.

 I just typed in: man openssl
 
 and there is no mention of OpenSSL_add_all_algorithms.

Not surprising, but what might lead you to do that? If I'm advised to look at 
the manual page for OpenSSL_add_all_algorithms, and I want to use the man 
command to do it, I type:

   man OpenSSL_add_all_algorithms

If I'm on the web as in this case I'd either click on the hyperlink given in 
the FAQ answer, or use Google:

   http://lmgtfy.com/?q=OpenSSL_add_all_algorithms

 How about a fag#8.5 ? -
 By openssl manual we mean here: _ _ _ _

Perhaps the thing linked to by the link adjacent to the reference to the 
manual? Though since the phrase openssl manual doesn't occur on the FAQ 
page, it's moot.

 Note: In case this has changed with openssl versions -
 I am looking at 0.9.8g which is the version currently
 provided by the Debian/Stable (Lenny) distribution.

The man page is there with 
0.9.8a.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: is openssl library thread safe

[Jeremy Farrell]

See http://lmgtfy.com/?q=openssl+thread+safe


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Arunkumar Manickam
Sent: Thursday, June 10, 2010 8:18 AM
To: openssl-users@openssl.org; openssl-...@openssl.org
Subject: is openssl library thread safe

Hi,

Is openssl library thread safe so that it can be used in an multithreaded 
environment as is.

Thanks,
Arun

RE: unable to build dynamic library on HP-UX RISC and Itanium

[Jeremy Farrell]

That's a long-superseded OpenSSL release from 5 years ago; it's unlikely that 
anyone will be able to remember issues building for HP-UX on IA64 with that 
release, especially when they're required to guess or mind-read most of what 
you're doing and what problem you're seeing.

In another message you show output from a PA-RISC system running HP-UX 11i v1, 
but you're trying to build for IA64. Are you using a cross-build system of some 
sort?

I recommend understanding and applying 
http://www.catb.org/~esr/faqs/smart-questions.html before going further.

 -Original Message-
 From: owner-openssl-us...@openssl.org 
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Alona Rossen
 Sent: Wednesday, June 02, 2010 10:20 PM
 To: William A. Rowe Jr.
 Cc: openssl-users@openssl.org
 Subject: RE: unable to build dynamic library on HP-UX RISC and Itanium
 
 Extra -DXXX does not heart the preprocessor :-)
 
 This OpenSSL 0.9.8
 
 
 -Original Message-
 From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
 Sent: June 2, 2010 5:11 PM
 To: Alona Rossen
 Cc: openssl-users@openssl.org
 Subject: Re: unable to build dynamic library on HP-UX RISC and Itanium
 
 On 6/2/2010 4:04 PM, Alona Rossen wrote:
  This is a suggested configuration. -D stands for preprocessor
 define.
 
 The reason I ask is that the entries in Configure should provide the
 necessary defines, and if not, that is a bug.  As it was 'suggested',
 we'll just presume things are fine w/w-o it.
 
 You still failed to identify the openssl package you were configuring,
 which doesn't give anyone much to go on, especially those who are in
 some position to look at the problem.
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
 __
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Multi Threaded questions

[Jeremy Farrell]

   However do you really need to use multiple concurrent threads
   with the same SSL object? Think of it as a TCP socket, each 
   thread has a list of open sockets, or SSL objects, there is
   no need to share it with other threads.

 David Schwartz dav...@webmaster.com wrote:
 
  Actually, it's pretty common to do that with TCP connections.
  You may have one thread that's blocked trying to read from the 
  connection all the time while another thread tries write to the
  connection as it discovers data that needs to be sent. You can't
  do this with OpenSSL. (At least, not precisely the same way.)

Sad Clouds wrote:
 
 It's a bad way of doing network programming.

No, it's a perfectly good, sensible, straightforward and simple way
to do network programming.

 A server can potentialy
 have 1000s of open sockets, if you have two threads for each sockets,
 (one for reading, one for writing), pretty soon you'll run out of
 memory. Scheduling all those threads will have a negative impact on
 performance.

Indeed. That makes two-threads-per-connection inappropriate for use
with thousands of connections on most systems. Many network programs
have a maximum of one or two connections, or another small number;
for such programs having separate read and write threads can be a
simple elegant solution.

 The usual way to handle concurrent connections is to set sockets
 non-blocking and use event notification - poll, epoll, kqueue, ports,
 etc.

That's the usual way to handle significant numbers of connections.
For many programs handling a small number of connections, two threads
per connection is the normal approach. It's simpler, and much easier
to port between OSes. Horses for courses.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: ERROR LINK2019

[Jeremy Farrell]

 

 From: William A. Rowe Jr.
 
 On 4/13/2010 4:49 PM, 芦翔 wrote:
  Dear all,
 I am trying to add the security flavor to an 
 application. To achieve
  this objective, I wrote the codes to establish a security 
 tunnel between
  the server and the client with VC2008. When I build the 
 whole project,
  there are tens of similar errors. All of them are as follows:
   
 SSLServer.obj : error LNK2019: unresolved external symbol _BIO_free
  referenced in function int __cdecl
  SSL_CTX_use_PrivateKey_file_pass(struct ssl_ctx_st *,char *,char *)
  (?SSL_CTX_use_PrivateKey_file_pass@@YAHPAUssl_ctx_st@@p...@z
  
 mailto:?SSL_CTX_use_PrivateKey_file_pass@@YAHPAUssl_ctx_st@@p...@z)
 
 That signature is consistent with C++ argument folding.
 
 The openssl headers you've used probably were missing this decoration
 
 #ifdef __cplusplus
 extern C {
 #endif
 
 ...
 
 #ifdef __cplusplus
 }
 #endif
 
 So you should put your #include references in between the 
 snippets above
 (in place of the ... elipses).

He's clearly calling then from C++, but the names it can't find don't look C++ 
decorated to me - _BIO_free looks like a normal Microsoft C reference.

Isn't the problem here just that he's not linking against the OpenSSL libraries?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org