OpenSSL mail server issues
Hi!

Due to a misunderstanding within the OpenSSL team we ran into trouble with our mail and mailing service still hosted at the old server (hopefully I will be able to complete the migration to the new server over the Christmas break).

Caused by a software upgrade on Monday, Dec 2, 2013 around noon GMT the following problems occurred:

1. mail was not received due to software failure (which is ok as mail is queued at the sender)
2. a malfunction of the majordomo mailing list software lost mails received (which is not ok as these mails seem to be lost permanently).

As soon as issue 2 was noted the mail server was shut down again to prevent further loss of mails. As a consequence we seem to have lost mailing list contributions between Monday noon GMT and Tuesday morning GMT. If you have made any submissions that did not yet make it to the lists, please resend them.

Most issues are fixed now except for minor effects (I have seen at least one mail passing through the moderation queue that only reached the list truncated).

Sorry for any inconvenience caused,
Lutz

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
[winlinke...@gmail.com: update openssl error]
Forwarded to openssl-users for discussion.

- Forwarded message from gate Bill winlinke...@gmail.com -

Date: Tue, 6 Aug 2013 17:22:54 +0800
From: gate Bill winlinke...@gmail.com
To: openssl-b...@openssl.org
Subject: update openssl error

hello

my linux env:
centos 6.4 x64
gcc 4.8.1
2.6.32-358.6.2.el6.x86_64

compile step:

    wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
    tar zxf openssl-1.0.1e.tar.gz
    cd openssl-1.0.1e
    ./config zlib shared threads --prefix=/usr --openssldir=/etc/pki/tls
    make
    make test
    make install
    ldconfig
    cd ../
    echo 'OK!'

the command openssl version -a display is right, but when i exec this /etc/init.d/ssh restart, it displays this error:

    OpenSSL version mismatch. Built against

so i think maybe i need to upgrade the openssh, so i do like this

    echo Updateting Openssh
    yum -y install libedit libedit-devel libbsd libbsd-devel pam pam-devel krb5-devel audit-libs audit-libs-devel
    cd openssh-6.2p2
    ./configure --sysconfdir=/etc/ssh --prefix=/usr --with-cflags --with-cppflags --with-ldflags --with-libs --with-Werror --with-solaris-contracts --with-solaris-projects --with-osfsia --with-zlib=/usr --with-tcp-wrappers=/usr --with-libedit=/usr --with-audit=linux --with-ssl-dir=/etc/pki/tls --with-ssl-engine --with-pam --with-selinux --with-kerberos5=/usr --with-md5-passwords --with-bsd-auth --with-ipaddr-display --with-4in6

but still the same problem, so, what should i do? i'm waiting for your answer??? thank u

- End forwarded message -
OpenSSL server downtime
Hi!

The new server currently hosting the www, git, rt, ftp, and cvs services is going to be moved within the installation of our hoster. As a consequence, the system will be assigned a new IP address.

Old: 178.16.220.54
New: 185.9.166.106

The move is planned to happen around 12.30 UTC on Sunday, 17 Mar 2013. Users are expected to see a short outage of the service. An additional delay may be caused by the old IP address being cached in the DNS.

Best regards,
Lutz
Re: Dead indirect link to http://www.openssl.org in lucky 13 security advisory
On 02/22/2013 04:13 PM, Jakob Bohm wrote:
> Att. openssl.org web server maintenance team.
>
> The latest security advisory for OpenSSL links to the research site for the lucky 13 attack analysis, which links to their report in pdf format. That report in its list of references includes a link to an old (2004) document by Bodo Moeller at http://www.openssl.org/~bodo/tls-cbc.txt
>
> However that document seems to be missing.

I have copied over the files from the old to the new server.

> Would you mind restoring the document, even if you are not otherwise allowing Mr. Moeller to host stuff on www.openssl.org?

There is no reason why Bodo might not be able to copy his own stuff from the old to the new server.

Best regards,
Lutz
Re: OpenSSL infrastructure migration
On 01/25/2013 07:54 PM, Jakob Bohm wrote:
> The all-important download page http://www.openssl.org/source/ is no longer sorted properly. This may be due to the backend code relying on the implicit sorting in readdir() results for some file systems not happening with more recent file systems such as ext4.
>
> One look at that page should show you what I mean. Running ls -U on both servers should show you the underlying cause.

It seems that during the initial transfer of the openssl*tar.gz* files the timestamps were truncated. I have transferred again and do no longer see any difference between the old and the new page.

Thanks,
Lutz
Re: Web site: Send to Majordomo broken
On 01/16/2013 03:29 PM, Memmott, Lester wrote:
> It appears that the web site went through a few changes recently and some aren't working quite right yet. Another case is on the FIPS page (http://www.openssl.org/docs/fips/) the link for the User Guide is also broken.
>
> Thanks,
> Lester
>
> -Original Message-
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bruce Cran
> Sent: Wednesday, January 16, 2013 7:02 AM
> To: openssl-users@openssl.org
> Subject: Web site: Send to Majordomo broken
>
> On http://www.openssl.org/support/community.html the mailing list subscription feature is broken - clicking Send to Majordomo just displays the majordomo.cgi script.
> --

Thanks for your update. I have fixed the links.

Best regards,
Lutz
OpenSSL infrastructure migration
Hi!

As you will already have noted, the OpenSSL project is currently moving its infrastructure to a new server. This migration is combined with a change and/or upgrade of the tools (CVS -> GIT, RT 3.x -> 4.x, ...) so we have decided to set up the new server first and to perform a step by step migration.

Most of the porting work is now done and I will now start to redirect the DNS entries (one at a time) such that the new services will be enabled. Current status is:

* CVS has been retired and is now replaced by git. The last CVS commit was in December. The git repository is available for cloning via
    git clone git://git.openssl.org/openssl.git
  and for browsing via http://git.openssl.org/ or https://git.openssl.org/
  All commits to the source code in 2013 have already been made using git and the commit mails in the respective new format have been sent via the already existing openssl-cvs mailing list. For obvious reasons we encourage contributors to provide patch and extension proposals using git format...
* RT has been upgraded from an outdated version of the 3.x series to 4.0 and is now (again) available via http://rt.openssl.org/ and https://rt.openssl.org/ with the guest account being guest with password guest like before.

The other services (web, ftp, mail) are still provided by the old server but will also be migrated soon. I will not update the old web pages to reflect the new setup as I do not intend to keep this state for long.

Best regards on behalf of the OpenSSL team,
Lutz
Re: OpenSSL infrastructure migration
On 01/15/2013 12:50 PM, Lutz Jaenicke wrote:
> Hi!
>
> As you will already have noted, the OpenSSL project is currently moving its infrastructure to a new server. This migration is combined with a change and/or upgrade of the tools (CVS -> GIT, RT 3.x -> 4.x, ...) so we have decided to set up the new server first and to perform a step by step migration.
>
> Most of the porting work is now done and I will now start to redirect the DNS entries (one at a time) such that the new services will be enabled. Current status is:
>
> * CVS has been retired and is now replaced by git. The last CVS commit was in December. The git repository is available for cloning via
>     git clone git://git.openssl.org/openssl.git
>   and for browsing via http://git.openssl.org/ or https://git.openssl.org/
>   All commits to the source code in 2013 have already been made using git and the commit mails in the respective new format have been sent via the already existing openssl-cvs mailing list. For obvious reasons we encourage contributors to provide patch and extension proposals using git format...
> * RT has been upgraded from an outdated version of the 3.x series to 4.0 and is now (again) available via http://rt.openssl.org/ and https://rt.openssl.org/ with the guest account being guest with password guest like before.
>
> The other services (web, ftp, mail) are still provided by the old server but will also be migrated soon. I will not update the old web pages to reflect the new setup as I do not intend to keep this state for long.

In the meantime the DNS entries for www.openssl.org, ftp.openssl.org, and rsync.openssl.org have also been modified to point to the new server.

Best regards,
Lutz
OpenSSL RT instance migration
Hi,

in the process of upgrading and migrating our server infrastructure I have just put the updated Request Tracker into operation.

The request tracker stays reachable via r...@openssl.org (or the alias openssl-b...@openssl.org).

While the migration is still in progress, the web interface is temporarily available via http[s]://rt.openssl.net/ (please note the .net at the end). Once we have finished updating our infrastructure, the server will move back to openssl.org.

Hint: the certificate of the webserver is the openssl.org one so please be prepared for a warning :-)

If you are experiencing any problems, please report.

Thank you very much for your patience,
Lutz
[FWD] Bug report
Forwarded to openssl-users for discussion

Best regards,
Lutz
--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/

---BeginMessage---

Hello There,

We are facing an issue with OpenSSL. Please see the following description.

Version of OpenSSL being affected: OpenSSL 1.0.1c
Version of the operating system being used: Windows XP

Seems there is a limitation to the size of text that can be encrypted through Openssl command prompt via Echo, ex:

    echo 'test string 1' | openssl enc -aes-256-cbc -a -salt -pass pass:mypassword

When we are trying to encrypt large text using the above command it fails, whereas if we keep the same text in a plain text file and use the following command

    openssl aes-256-cbc -in c:\attack-plan.txt -out c:\encryptedmessage.txt -pass pass:mypassword

Can you please help me on this?

--
Regards
Satya

Satyanarayana Godugula
Project Cordillera, Technical Integration Team

---End Message---
[FWD] problem about HW_Rand_Engine
Forwarded to openssl-user for discussion.

Best regards,
Lutz

---BeginMessage---

Hello,

I have a problem about using HW_Rand Engine. Would you please give me some suggestion?

[description]
I got entlen = 0 when called fips_get_entropy, and got failed in function ssleay_rand_bytes because the variable entropy is 0 after RAND_poll().
In the file openssl-1.0/crypto/engine/eng_rdrand.c, it didn't implement function add in RAND_METHOD. Did it make me failed?
Please give me some suggestion. I would report other information for you if you need.

[information]
1. compiled openssl-1.0 with openssl-fips-2.0
2. static const char *engine_e_rdrand_name = "Intel RDRAND engine";

[call trace]
OPENSSL_init
RAND_init_fips
FIPS_drbg_instantiate
fips_get_entropy
drbg_get_entropy
ssleay_rand_nopseudo_bytes
ssleay_rand_bytes
RAND_poll
RAND_add

Thanks a lot.

---End Message---
[FWD] About SSL_connect error
Forwarded to openssl-users for discussion

Best regards,
Lutz

---BeginMessage---

Dear OpenSSL developers

About the following source, I have 2 questions:

1. In OpenSSL library 0.9.8d, when executing more than 2 threads at the same time, the following error sometimes appears:
   SSL_connect error, ip=192.168.1.xxx,err:error:0001:lib(0):func(0):reason(1)
   why?
2. But in OpenSSL 1.0.1c, the error never happened. I want to know the difference between the two versions of the OpenSSL lib. Can you help me?

--

    main()
    {
        SSL_library_init();
        SSL_load_error_strings();
        m_ctx = SSL_CTX_new(TLSv1_method());
        SSL_CTX_set_options(m_ctx, SSL_OP_ALL);

        /* one mutex per static lock slot requested by the library */
        mutex_buf = (MUTEX_TYPE *)malloc(CRYPTO_num_locks() * sizeof(MUTEX_TYPE));
        if (!mutex_buf) {
            return 0;
        }
        for (i = 0; i < CRYPTO_num_locks(); i++) {
            MUTEX_SETUP(mutex_buf[i]);
        }
        CRYPTO_set_id_callback(id_function);
        CRYPTO_set_locking_callback(locking_function);
        CRYPTO_set_dynlock_create_callback(dyn_create_function);
        CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
        CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);

        for (nIndex = 0; nIndex < nThreadNum; nIndex++) {
            nErrorNo = pthread_create(thread_id[nIndex], NULL, ThreadProcess, diskArray[nIndex]);
            ..
        }
    }

    ThreadProcess()
    {
        /* call socket(); set non-block; call connect(); call select(); */
        /* call BIO_new_socket(); call SSL_new(); call SSL_set_bio(); */
        while (TRUE != nEndFlag) {
            nStatus = SSL_connect(pstSocketInfo->m_ssl);
            if (nStatus <= 0) {
                nErrorNo = SSL_get_error(pstSocketInfo->m_ssl, nStatus);
                if ((SSL_ERROR_WANT_WRITE == nErrorNo) || (SSL_ERROR_WANT_READ == nErrorNo)) {
                    Sleep(1000);
                    nTrySSLConTimes++;
                    if (MAX_SSL_CON_TRY_TIMES < nTrySSLConTimes) {
                        CleanSocket(pstSocketInfo);
                        return ERR;
                    }
                    continue;
                } else {
                    /* ★★★ */
                    printf("[ID:%04lx]SSL_connect error, ip=%s, err: %s\n", id_function(), szIPStr, ERR_error_string(nErrorNo, NULL));
                    CleanSocket(pstSocketInfo);
                    return ERR;
                    /* ★★★ */
                }
            } else {
                nEndFlag = TRUE;
            }
        }
    }

best regards
liuyb

---End Message---
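An added example, not part of the forwarded message and not OpenSSL code: the program above passes the result of SSL_get_error() to ERR_error_string(), which expects a packed code taken from the error queue with ERR_get_error(). The sketch unpacks a code using the OpenSSL 0.9.8/1.0.x bit layout and shows why the value 1 (SSL_ERROR_SSL) renders as lib(0):func(0):reason(1); the function names are hypothetical and 0x1408F10B is a sample queue code chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Packed ERR code layout in OpenSSL 0.9.8 / 1.0.x:
 * (lib & 0xff) << 24 | (func & 0xfff) << 12 | (reason & 0xfff) */
struct err_fields { unsigned long lib, func, reason; };

static struct err_fields unpack_err(unsigned long code)
{
    struct err_fields f;
    f.lib = (code >> 24) & 0xffUL;
    f.func = (code >> 12) & 0xfffUL;
    f.reason = code & 0xfffUL;
    return f;
}

/* Names of the values SSL_get_error() can return (0..8). */
static const char *ssl_get_error_name(unsigned long v)
{
    static const char *const names[] = {
        "SSL_ERROR_NONE", "SSL_ERROR_SSL", "SSL_ERROR_WANT_READ",
        "SSL_ERROR_WANT_WRITE", "SSL_ERROR_WANT_X509_LOOKUP",
        "SSL_ERROR_SYSCALL", "SSL_ERROR_ZERO_RETURN",
        "SSL_ERROR_WANT_CONNECT", "SSL_ERROR_WANT_ACCEPT"
    };
    return v < sizeof names / sizeof names[0] ? names[v] : NULL;
}

/* Numeric rendering ERR_error_string() falls back to when it has no
 * text for the library, function and reason fields. */
static void format_numeric(unsigned long code, char *buf, size_t len)
{
    struct err_fields f = unpack_err(code);
    snprintf(buf, len, "error:%08lX:lib(%lu):func(%lu):reason(%lu)",
             code, f.lib, f.func, f.reason);
}

/* Library numbers in the ERR queue start at 1, so a code with lib 0
 * that fits the SSL_get_error() range is a result class, not a queue
 * entry. */
static int is_ssl_get_error_value(unsigned long code)
{
    return unpack_err(code).lib == 0 && ssl_get_error_name(code) != NULL;
}

/* One-line diagnosis for a number that was printed as an error code. */
static void explain(unsigned long code, char *buf, size_t len)
{
    char num[64];
    format_numeric(code, num, sizeof num);
    if (is_ssl_get_error_value(code))
        snprintf(buf, len, "%s is %s from SSL_get_error(); read the "
                 "details with ERR_get_error() until it returns 0",
                 num, ssl_get_error_name(code));
    else
        snprintf(buf, len, "%s is a queue code (lib 20 is the SSL library)",
                 num);
}

int main(void)
{
    char line[200];
    explain(1UL, line, sizeof line);          /* what the message printed */
    puts(line);
    explain(0x1408F10BUL, line, sizeof line); /* sample queue code */
    puts(line);
    return 0;
}
```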
[FWD] BUG: base64
Forwarded to openssl-users for public discussion

Best regards,
Lutz

---BeginMessage---

I found a possible bug with base64 decoding, the following block can't be decoded by openssl:

http://pastebin.com/raw.php?i=nrnQgAhq

However it is possible to decode it with base64_decode (from php), base64 (from gnu utils) and libb64 (from Chris Venter)

--
Paco

---End Message---
Re: virus or hoax in test/asn1test.exe ?
On 02/17/2012 12:29 PM, Jakob Bohm wrote:
> On 2/16/2012 11:42 PM, David H. Lipman wrote:
>> From: Johan Samyn johan.sa...@gmail.com
>>
>> 48 hours later my replies have NOT made it to Gmane.
>>
>> Mark: 2/16/12 @ 1742 hrs
>
> I guess that would be 2012-02-16 17:42 -0500 aka 2012-02-16 22:42 UTC?
>
> It arrived here on our European mailserver 2012-02-17 11:01:12 UTC
>
> From 2012-02-16 22:43:05 UTC to 2012-02-17 22:43:10 UTC it spent all of 5 seconds on gmane servers.
>
> From 2012-02-16 22:43:10 UTC to 2012-02-17 10:56:02 UTC it was stuck somewhere inside master.openssl.org

master.openssl.org uses anti-spam measures that may cause some short delay. Mails posted by non-subscribers or being caught in additional anti-spam measures go to the moderation queue and I am not around 24/7.

Best regards,
Lutz
[FWD] bug report
Forwarded to openssl-users

Best regards,
Lutz

---BeginMessage---

Hi,

I can’t seem to run make on my Ubuntu machine. Have been trying with the openssl-1.0.0g.tar.gz

I’ve also tried to make clean before, and to run ./config no-asm

Here’s what I’m getting when I run make after the above (I tried to search for the file called stdlib.h, and indeed I don’t find it…):

    making all in crypto...
    make[1]: Entering directory `/root/setup/openssl-1.0.0g/crypto'
    ( echo #ifndef MK1MF_BUILD; \
    echo ' /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
    echo ' #define CFLAGS gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall'; \
    echo ' #define PLATFORM linux-elf'; \
    echo #define DATE \`LC_ALL=C LC_TIME=C date`\; \
    echo '#endif' ) buildinf.h
    gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -c -o cryptlib.o cryptlib.c
    In file included from cryptlib.c:117:
    cryptlib.h:62:20: error: stdlib.h: No such file or directory
    cryptlib.h:63:20: error: string.h: No such file or directory
    In file included from cryptlib.h:65, from cryptlib.c:117:
    ../e_os.h:447:30: error: unistd.h: No such file or directory
    ../e_os.h:452:29: error: sys/types.h: No such file or directory
    In file included from cryptlib.h:72, from cryptlib.c:117:
    ../include/openssl/crypto.h:125:19: error: stdio.h: No such file or directory
    In file included from cryptlib.h:72, from cryptlib.c:117:
    ../include/openssl/crypto.h:175: error: expected specifier-qualifier-list before ‘size_t’
    ../include/openssl/crypto.h:465: warning: parameter names (without types) in function declaration
    ../include/openssl/crypto.h:465: error: expected declaration specifiers or ‘...’ before ‘size_t’
    ../include/openssl/crypto.h:466: warning: parameter names (without types) in function declaration
    ../include/openssl/crypto.h:467: error: expected ‘)’ before ‘const’
    ../include/openssl/crypto.h:468: error: expected ‘;’, ‘,’ or ‘)’ before ‘void’
    ../include/openssl/crypto.h:470: error: expected ‘)’ before ‘const’
    ../include/openssl/crypto.h:471: error: expected ‘;’, ‘,’ or ‘)’ before ‘void’
    ../include/openssl/crypto.h:477: warning: parameter names (without types) in function declaration
    ../include/openssl/crypto.h:477: error: expected declaration specifiers or ‘...’ before ‘size_t’
    ../include/openssl/crypto.h:478: warning: parameter names (without types) in function declaration
    ../include/openssl/crypto.h:479: error: expected ‘)’ before ‘const’
    ../include/openssl/crypto.h:480: error: expected ‘;’, ‘,’ or ‘)’ before ‘void’
    ../include/openssl/crypto.h:482: error: expected ‘)’ before ‘const’
    ../include/openssl/crypto.h:483: error: expected ‘;’, ‘,’ or ‘)’ before ‘void’
    ../include/openssl/crypto.h:500: error: expected declaration specifiers or ‘...’ before ‘size_t’
    ../include/openssl/crypto.h:535: error: expected ‘)’ before ‘*’ token
    In file included from cryptlib.h:74, from cryptlib.c:117:
    ../include/openssl/bio.h:579: error: expected ‘)’ before ‘*’ token
    ../include/openssl/bio.h:648: error: expected ‘)’ before ‘*’ token
    ../include/openssl/bio.h:649: error: expected ‘)’ before ‘*’ token
    In file included from ../include/openssl/err.h:127, from cryptlib.h:75, from cryptlib.c:117:
    ../include/openssl/lhash.h:186: error: expected declaration specifiers or ‘...’ before ‘FILE’
    ../include/openssl/lhash.h:187: error: expected declaration specifiers or ‘...’ before ‘FILE’
    ../include/openssl/lhash.h:188: error: expected declaration specifiers or ‘...’ before ‘FILE’
    In file included from cryptlib.h:75, from cryptlib.c:117:
    ../include/openssl/err.h:140:19: error: errno.h: No such file or directory
    In file included from cryptlib.h:75, from cryptlib.c:117:
    ../include/openssl/err.h:343: error: expected ‘)’ before ‘*’ token
    cryptlib.c: In function ‘CRYPTO_THREADID_set_numeric’:
    cryptlib.c:426: warning: implicit declaration of function ‘memset’
    cryptlib.c:426: warning: incompatible implicit declaration of built-in function ‘memset’
    cryptlib.c: In function ‘CRYPTO_THREADID_set_pointer’:
    cryptlib.c:437: warning: incompatible implicit declaration of built-in function ‘memset’
    cryptlib.c: In function ‘CRYPTO_THREADID_current’:
    cryptlib.c:503: error: ‘errno’ undeclared (first use in this function)
    cryptlib.c:503: error: (Each undeclared identifier is reported only once
    cryptlib.c:503: error: for each function it appears in.)
    cryptlib.c: In function ‘CRYPTO_THREADID_cmp’:
    cryptlib.c:509: warning: implicit declaration of function ‘memcmp’
    cryptlib.c: In function
[FWD] Crash in SSL_CTX_free() in OpenSSL 0.9.8e
Forwarded to openssl-users for discussion.

Best regards,
Lutz

---BeginMessage---

Hi,

I am using SSL_CTX_free(ctx) call in our OpenHPI application and getting a crash in SSL_CTX_free(ctx) while free. I am using gcc version 4.1.2 20080704 (Red Hat 4.1.2-44).

We are initializing the SSL_CTX structure as ctx = SSL_CTX_new(). After initialization ctx has some value ((SSL_CTX *) 0xb626900) and not NULL, means getting initialized properly.

Next in our application we are trying to open the ssl connection and when are going to close this connections, while freeing SSL_CTX structure, there I am getting the crash in SSL_CTX_free(ctx) call.

OpenSSL version is: OpenSSL 0.9.8e

Could you please provide me any pointers or suggestions.

Thanks!
Praveen

---End Message---
openssl.org web site certificate renewed
Hi!

I have just installed a new 3 year wildcard *.openssl.org certificate to our web site. Thanks to GlobalSign for the new donation.

The migration should work more or less unnoted for the users. If you experience any problems please drop me a message.

Best regards,
Lutz
[FWD] Request for help in building the open ssl for embedded environment
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

---BeginMessage---

Hi,

We are trying to build the open ssl for the embedded environment on power pc processor. Could you please provide us any information on source files / source folders which needs be included in workspace to build the libraries / Open ssl library.

Thank you
Harish G
email: haris...@in.abb.com

---End Message---
Re: Client Hello too large ?
On 21.06.2011 20:38, Alban Diquet wrote:

Yes, strange isn't it ? I guess it doesn't matter for 99% of the SSL clients, but for what I'm doing (a SSL scanner) it's kind of annoying. Well it's probably not going to change anytime soon, but now I want to know what's going on.

When sending a Client Hello message that's larger than 270 bytes (not sure what the exact limit is, 255 maybe?), lots of servers on the internet don't send back any Server Hello, but keep the connection open, so my client ends up returning a timeout. It's really weird, has anyone seen that behavior ? You can get to a 275 byte client hello for example by using OpenSSL 1.0.0.d with a TLS1 hello, all the cipher suites explicitly enabled 'ALL:NULL:@STRENGTH', and a non empty session ID field.

Is that session ID still valid on the server when this happens? Is it a session ID that the server issued to your client?

I can reproduce this problem, perhaps it is an issue with the load balancers that terminate TLS at many large-scale HTTPS-enabled sites. For facebook, try:

    $ openssl s_client -msg -cipher 'ALL:NULL:@STRENGTH' -tls1 -reconnect -connect 69.171.224.40:443

The above hangs on the reconnect client hello, while:

    $ openssl s_client -msg -cipher 'RC4-MD5:NULL:@STRENGTH' -tls1 -reconnect -connect 69.171.224.40:443

yields:

It may actually be worth connecting the respective system administrator(s). Finally you are not just wasting your system's resources. You are also wasting theirs.

We don't know what kind of resources you are wasting. It will most likely only be a file descriptor on the other side (hopefully for a service like facebook they have plenty of these :-). If you are triggering more resource hungry effects (memory, CPU cycles) while you see no response, you might have found a DoS on their side.

Best regards,
Lutz
[FWD] [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix 6.0,SUN5.8,....) to decrypt on Windows Error
Forwarded to openssl users for discussion.

Best regards,
Lutz

- Forwarded message from DUBUC Franck franck.b.du...@socgen.com -

From: DUBUC Franck franck.b.du...@socgen.com
To: r...@openssl.org
Date: Mon, 9 May 2011 17:12:45 +0200
Subject: [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix 6.0,SUN5.8,) to decrypt on Windows Error

Hi,

I create an encrypted file, with openssl, on unix server to encrypted it on windows

Version
Windows : OpenSSL 0.9.8h 28 May 2008
UNIX : OpenSSL 0.9.8i 15 Sep 2008

Command to encrypt the file on unix

    /usr/linux/bin/openssl enc -e -aes-256-cbc -salt -in encrypted file -pass pass:PassPhrase

Command to uncrypt the file on windows

    c:\openssl\openssl.exe enc -d -a -aes-256-cbc -salt -in encrypted file -pass pass:PassPhrase

Error to uncrypt it
unix to windows: error reading input file
windows to unix: bad magic number

Is it a bug or is not possible to uncrypt a file crypted on unix ?

Best regards
Franck DUBUC
RESG/GTS/RET/API

- End forwarded message -
[FWD] RE: [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix 6.0,SUN5.8,....) to decrypt on Windows Error
- Forwarded message from DUBUC Franck franck.b.du...@socgen.com -

From: DUBUC Franck franck.b.du...@socgen.com
To: r...@openssl.org
Date: Tue, 10 May 2011 11:54:59 +0200
Subject: RE: [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix 6.0,SUN5.8,) to decrypt on Windows Error

I found the answer. We need to use the -K option to define the file format

Franck DUBUC
RESG/GTS/RET/API

From: DUBUC Franck ResgGtsRetApiLor
Sent: Monday, 9 May 2011 17:13
To: 'r...@openssl.org'
Subject: [Bug Reports] Encrypt a file text on unix (Aix 5.3, Aix 6.0,SUN 5.8,) to decrypt on Windows Error

> Hi,
>
> I create an encrypted file, with openssl, on unix server to encrypted it on windows
>
> Version
> Windows : OpenSSL 0.9.8h 28 May 2008
> UNIX : OpenSSL 0.9.8i 15 Sep 2008
>
> Command to encrypt the file on unix
>     /usr/linux/bin/openssl enc -e -aes-256-cbc -salt -in encrypted file -pass pass:PassPhrase
>
> Command to uncrypt the file on windows
>     c:\openssl\openssl.exe enc -d -a -aes-256-cbc -salt -in encrypted file -pass pass:PassPhrase
>
> Error to uncrypt it
> unix to windows: error reading input file
> windows to unix: bad magic number
>
> Is it a bug or is not possible to uncrypt a file crypted on unix ?
>
> Best regards
> Franck DUBUC
> RESG/GTS/RET/API

- End forwarded message -
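An added example, not from the thread and not OpenSSL code: the two commands in the report differ in -a, so the encrypt side writes the raw salted container while the decrypt side expects base64 text. The sketch checks which of the two forms a file starts with (the 8-byte magic "Salted__" followed by an 8-byte salt, either raw or base64-encoded) and extracts the salt; function names are hypothetical and both sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

enum enc_kind { ENC_RAW_SALTED, ENC_B64_SALTED, ENC_UNKNOWN };

/* Constructed samples: magic, salt 01..08, two ciphertext bytes. */
static const unsigned char SAMPLE_RAW[18] = {
    'S','a','l','t','e','d','_','_', 1,2,3,4,5,6,7,8, 0xaa,0xbb
};
static const char SAMPLE_B64[] = "U2FsdGVkX18BAgMEBQYHCKq7\n";

/* Value of one base64 alphabet character, or -1 if it is not one. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode at most cap bytes from the start of base64 text. Line breaks
 * are skipped; decoding stops at padding or any other foreign byte.
 * Returns the number of bytes produced. */
static size_t b64_prefix(const unsigned char *in, size_t len,
                         unsigned char *out, size_t cap)
{
    unsigned long acc = 0;
    int bits = 0;
    size_t n = 0, i;
    for (i = 0; i < len && n < cap; i++) {
        int v;
        if (in[i] == '\n' || in[i] == '\r') continue;
        v = b64val(in[i]);
        if (v < 0) break;
        acc = ((acc << 6) | (unsigned long)v) & 0xffffUL;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return n;
}

/* Classify the start of a file written by "openssl enc -salt" and copy
 * the salt out when the magic is found. */
static enum enc_kind classify_enc(const unsigned char *buf, size_t len,
                                  unsigned char salt[8])
{
    unsigned char dec[16];
    if (len >= 16 && memcmp(buf, "Salted__", 8) == 0) {
        memcpy(salt, buf + 8, 8);
        return ENC_RAW_SALTED;
    }
    if (b64_prefix(buf, len, dec, sizeof dec) == sizeof dec &&
        memcmp(dec, "Salted__", 8) == 0) {
        memcpy(salt, dec + 8, 8);
        return ENC_B64_SALTED;
    }
    return ENC_UNKNOWN;
}

/* Which decrypt invocation matches the container form. */
static const char *advice(enum enc_kind k)
{
    switch (k) {
    case ENC_RAW_SALTED: return "raw container: decrypt without -a";
    case ENC_B64_SALTED: return "base64 container: decrypt with -a";
    default:             return "no Salted__ magic: not salted enc output";
    }
}

int main(void)
{
    unsigned char salt[8];
    puts(advice(classify_enc(SAMPLE_RAW, sizeof SAMPLE_RAW, salt)));
    puts(advice(classify_enc((const unsigned char *)SAMPLE_B64,
                             strlen(SAMPLE_B64), salt)));
    return 0;
}
```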
[FWD] some problem in compiling Openssl 1.0.0d for WCE
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from 詹晨辉 zch...@hotmail.com - From: 詹晨辉 zch...@hotmail.com To: r...@openssl.org Subject: some problem in compiling Openssl 1.0.0d for WCE Date: Wed, 16 Mar 2011 10:39:42 +0800 I compiled openssl 1.0.0d with VS2008 and wcecompat for WCE but failed. The error code is C2079 and I find a solution from tr, it says to forbidden the ipv6. I try “prel configure VC-CE ?CDOPENSSL_USE_IPV6 =0 “ and rebuild again. So disappointed, the error still exists. 詹晨辉 - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Intermediate certificate chain not included when exporting as pkcs12
Forwarded to openssl-users for discussion. Best regards, Lutz
- Forwarded message from Alexander Mills alexander.mi...@psycle.com -
From: Alexander Mills alexander.mi...@psycle.com
To: r...@openssl.org
Subject: Intermediate certificate chain not included when exporting as pkcs12
Date: Thu, 17 Feb 2011 09:15:37 +
Recently I was tasked with using a .crt and .key used in Apache for use with Apache Tomcat. I searched around and the solution was to use the following command, where the p7b file is the intermediate certificate provided by Thawte.
openssl pkcs12 -export -in myCert.crt -inkey myKey.key -out mypkcs12.p12 -name tomcat -CAfile ssl_pkcs7.p7b -caname root -chain
For some reason, which I am yet to fathom, the above command will not export the intermediate chain, and thus the certificate becomes untrustworthy. The only solution I have been able to find is to use Internet Explorer. I've written the instructions for IE below, but I'm perplexed as to why openssl isn't behaving as I thought it would have (and clearly others feel this way).
Open IE
Click Tools
Click Internet Options
Click Content
Click Certificates
Import the p12 file into the Personal Store
Go to the Trusted Root Certification Authorities tab
Delete “Thawte Primary Root CA” issued by “Thawte Primary Root CA”
Import the intermediate file from the following link into the Intermediate Certification tab: https://search.thawte.com/support/ssl-digital-certificates/index?page=contentactp=CROSSLINKid=AR1373
Right click 'Download the PKCS#7 CA' and save the file and import that file into the Intermediate Certification Authorities tab
Then go back to the Personal Store tab
Double click the certificate
Click the certification path tab
There should be 4 certificates in the certificate hierarchy at this stage
Highlight the certificate in the Personal Store
Click on Export
Click 'Yes, export private key'
Click Next
Put a tick in the first checkbox only, not the other two
Finish the wizard
Rename the PFX file you create to have a p12 extension
Use the new .p12 file in Tomcat
- End forwarded message -
-- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
OpenSSL server failure
Hi! unfortunately the OpenSSL project has been hit by a hardware defect (hard disk and power supply). The project hence had to be migrated to a different server using a later version of the operating system and tools. Services are currently being restored: * source code repositories have not been affected(!) * mailing list services should now be up and running again, messages sent between Sunday evening and Tuesday afternoon that have not yet made it to the list are most likely lost. * RT still seems to have some issues. We apologize for any inconvenience. Many thanks to Ralf S. Engelschall who is currently very busy on restoring the services. Best regards, Lutz (on behalf of the team)
[FWD] Apache 2.2.17 and OpenSSL 1.0.0c - Crash with SSLVirtualHost ServerName set.
Forwarded to openssl-users for discussion. Best regards, Lutz
- Forwarded message from Ryan Wehrle ryaner...@gmail.com -
Date: Mon, 31 Jan 2011 03:40:12 -0600
Subject: Apache 2.2.17 and OpenSSL 1.0.0c - Crash with SSLVirtualHost ServerName set.
From: Ryan Wehrle ryaner...@gmail.com
To: openssl-b...@openssl.org
Essentially here are my results:
In other browsers (IE/FF/Chrome):
If I set the ServerName property to RFiles.org
- then try to goto https://RFiles.org, apache will crash.
- then try to goto https://MilesMilitusCallidus.com, I can connect perfectly fine.
If I set the ServerName property to MilesMilitusCallidus.com
- then try to goto https://MilesMilitusCallidus.com, apache will crash.
- then try to goto https://RFiles.org, I can connect perfectly fine.
In Opera 11.01:
If I set the ServerName property to RFiles.org
- then try to goto https://RFiles.org, apache will crash.
- then try to goto https://MilesMilitusCallidus.com, the page loads forever.
If I set the ServerName property to MilesMilitusCallidus.com
- then try to goto https://MilesMilitusCallidus.com, apache will crash.
- then try to goto https://RFiles.org, the page loads forever.
For some odd reason, apache/openssl doesn't like the ServerName property under the SSL virtual host. If I set it, whatever the domain is set to (example rfiles.org), then type that domain in for https, apache will crash. (httpd.exe crashes because of ssleay32.dll from OpenSSL 1.0.0c)
The config that makes it crash (httpd-ssl.conf), then try to visit RFiles.org since that is the property set for ServerName:
-httpd-ssl.conf
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:Z:/Apache/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
TraceEnable Off
<VirtualHost *:443>
DocumentRoot Z:/Apache/_MilesMilitusCallidus.com_SSL
ServerName RFiles.org
ServerAdmin cae...@milesmilituscallidus.com
ErrorLog Z:/Apache/logs/_MilesMilitusCallidus.com_SSL/error_ssl.log
TransferLog Z:/Apache/logs/_MilesMilitusCallidus.com_SSL/access_ssl.log
LogLevel debug
SSLEngine on
SSLProtocol -All +SSLv3 +TLSv1
#SSLCipherSuite HIGH:MEDIUM
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile Z:/Apache/conf/_OpenSSL/_SSL/certs/mmc.com-cert.pem
SSLCertificateKeyFile Z:/Apache/conf/_OpenSSL/_SSL/pkeys/mmc.com-key.pem
SSLCACertificateFile Z:/Apache/conf/_OpenSSL/_SSL/certs/ca-RFiles.org-cert.pem
SSLCARevocationFile Z:/Apache/conf/_OpenSSL/_SSL/crl/ca-RFiles.org-crl.pem
<FilesMatch \.(cgi|shtml|phtml|php)$>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory Z:/Apache/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch .*MSIE.* \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog Z:/Apache/logs/_MilesMilitusCallidus.com_SSL/ssl_request.log \
%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \%r\ %b
</VirtualHost>
- End forwarded message -
-- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] problem in privete key
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from praveen kumar kapraveen1...@indiatimes.com - Date: Sat, 29 Jan 2011 14:49:21 +0530 (IST) From: praveen kumar kapraveen1...@indiatimes.com To: r...@openssl.org Subject: problem in privete key Dear friend This is praveenkumar working as a app developer from Linkwell telesystems, hyderabad, India. I have a problem in ssl while hitting the server with the certificate provided by server. I am using openssl tool in linux. When I tried to execute client with the certificate in the command line, I am getting the error like this openSSLs_client -connect ip:port -cert certfile.crt ERROR: unable to load client certificate private key file 3077682908:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: ANY PRIVATE KEY error in s_client This is the sample certificate file file name:certfile.crt date inside the file like this -BEGIN CERTIFICATE- -END CERTIFICATE- This is file sent by the server. Please any one help me to connect to the server. Thanks and regards K.A.Praveenkumar - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] OpenSSL error message
Forwarded to openssl-users for discussion. Best regards, Lutz - Forwarded message from Diogo Monteiro diogo.monte...@arquiconsult.com - From: Diogo Monteiro diogo.monte...@arquiconsult.com To: r...@openssl.org r...@openssl.org Date: Wed, 12 Jan 2011 10:21:39 -0800 Subject: OpenSSL error message Hi all, I received this error, after the installation the OpenSSL: OpenSSL information: · Win32 OpenSSL v1.0.0c OS information: · Microsoft Windows Server 2003 R2 Standard Edition Service Pack 2, 32 bits. Diogo Monteiro diogo.monte...@arquiconsult.com TLM +351 96 433 0767 - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] OPENSSL - Windows CE
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Cerriman Lima cerri...@hotmail.com - From: Cerriman Lima cerri...@hotmail.com To: r...@openssl.org Subject: OPENSSL - Windows CE Date: Tue, 21 Dec 2010 03:25:42 + Hello I have a project in windows CE that I need to sign the message and verify the signature. I need to compile full OpenSSL? How to compile a short version? Can you help me, please. Thanks, Cerriman. - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Bug report: ntdll.mak file is not present
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Philippe Palazon cestlab...@gmail.com - Date: Mon, 20 Dec 2010 15:51:34 +0100 Subject: Bug report: ntdll.mak file is not present From: Philippe Palazon cestlab...@gmail.com To: r...@openssl.org Hello Madam, Sir, I download the *1.0.0c* version of OpenSsl. I have wanted to install it on Windows (seven) but under the *ms* sub-directory the *ntdll.mak* file is not present. Thanks. Best regards, Philippe. - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Crash inside libeay32.dll
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Yu, Eleanor eleanor...@siemens-enterprise.com - From: Yu, Eleanor eleanor...@siemens-enterprise.com To: r...@openssl.org r...@openssl.org Date: Tue, 14 Dec 2010 20:46:05 +0100 Subject: Crash inside libeay32.dll Hi, I am currently working on sending a request from a client to a server through gSoap 2.7.17, and OpenSSL 0.9.8o on a Windows 2008. However, we experienced a crash inside the libeay32.dll. Is there a way we can gather more information where exactly the crash is, and to isolate the problem? Thanks. Regards, Eleanor - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] openssl 1.0.0a make FAIL @ multiple missing/redefined header errors, only on Ubuntu 10 LTS
of ‘struct timeval’
cryptlib.c: In function ‘CRYPTO_THREADID_set_numeric’:
cryptlib.c:426: warning: implicit declaration of function ‘memset’
cryptlib.c:426: warning: incompatible implicit declaration of built-in function ‘memset’
cryptlib.c: In function ‘CRYPTO_THREADID_set_pointer’:
cryptlib.c:437: warning: incompatible implicit declaration of built-in function ‘memset’
cryptlib.c: In function ‘CRYPTO_THREADID_current’:
cryptlib.c:503: error: ‘errno’ undeclared (first use in this function)
cryptlib.c:503: error: (Each undeclared identifier is reported only once
cryptlib.c:503: error: for each function it appears in.)
cryptlib.c: In function ‘CRYPTO_THREADID_cmp’:
cryptlib.c:509: warning: implicit declaration of function ‘memcmp’
cryptlib.c: In function ‘CRYPTO_THREADID_cpy’:
cryptlib.c:514: warning: implicit declaration of function ‘memcpy’
cryptlib.c:514: warning: incompatible implicit declaration of built-in function ‘memcpy’
cryptlib.c: In function ‘CRYPTO_thread_id’:
cryptlib.c:548: warning: implicit declaration of function ‘getpid’
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory `/usr/local/src/openssl/openssl-1.0.0a/crypto'
make: *** [build_crypto] Error 1
- End forwarded message -
-- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] default_crl_days= 365
Forwarded to openssl-users for discussion. Best regards, Lutz - Forwarded message from Santhosh AP apsanthosh.ku...@sifycorp.com - Reply-To: santhosh...@sifycorp.com From: Santhosh AP apsanthosh.ku...@sifycorp.com To: r...@openssl.org Subject: default_crl_days= 365 Date: Tue, 19 Oct 2010 10:16:09 +0530 Hi Team, We had 1x server in our organization, one difficulty we are facing is default validity of digital certificate is 365 days. Is it possible to edit the same to 2 or 3 years? Requesting to revert on this default_crl_days configuration in openssl.conf. Regards Santhosh AP Sify Ltd, Chennai. - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] cert problem
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Taint themexicanta...@gmail.com - Date: Thu, 7 Oct 2010 10:48:15 -0400 Subject: cert problem From: Taint themexicanta...@gmail.com To: openssl-b...@openssl.org I have been trying to connect to more than one ssl enabled network on irc and I get an error saying invalid cert. The people at x-chat tell me that it is not on their end but on the openssl end that the root certificates are not present or something to that effect. Do you know when and if there will be an update on this? Thanks http://code.google.com/p/xchat-wdk/issues/detail?id=18 - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Question
Forwarded for public discussion. Best regards, Lutz - Forwarded message from Ramon Madera ramonjmad...@yahoo.com - Subject: Question From: Ramon Madera ramonjmad...@yahoo.com Date: Fri, 1 Oct 2010 11:59:56 -0400 To: r...@openssl.org r...@openssl.org Hello, My Name is Ramon Madera and I have a question related to md5 Why Am I not getting the same digest result when running the same command in windows vs unix? See below. openssl dgst - md5 -out string.dgst string.txt Thank you for your attention to this issue. Ramon Madera - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] help
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Sujatha S sujatha.subb...@gmail.com - Date: Wed, 15 Sep 2010 18:13:33 +0530 Subject: help From: Sujatha S sujatha.subb...@gmail.com To: r...@openssl.org Hi, pls help me resolve the below issues if run the following command openssl x509 -noout -text -in ca.crt i'm getting the below error: unable to load certificate 5880:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:647:Expecting: TRUSTED CERTIFICATE error in x509 Regards, sujatha - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
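Both this report (`Expecting: TRUSTED CERTIFICATE`) and the earlier "problem in privete key" report (`Expecting: ANY PRIVATE KEY`) show the PEM reader reaching end of input without finding a BEGIN line of the type it wanted. The scanner below is an added example, not taken from either post or from OpenSSL; it lists the PEM blocks in a file and says why a wanted type is missing, and its function names and sample inputs are constructed for illustration.

```python
import base64
import binascii
import re

# PEM labels accepted where a certificate or a private key is wanted.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
              "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Real PEM armour uses five dashes on each side of BEGIN/END.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_labels(data):
    """Return the labels of all well-formed PEM blocks, in file order."""
    labels = []
    for match in PEM_BLOCK.finditer(data):
        # Skip "Proc-Type:" / "DEK-Info:" header lines of encrypted keys.
        lines = [ln for ln in match.group(2).splitlines() if b":" not in ln]
        try:
            base64.b64decode(b"".join(b"".join(lines).split()), validate=True)
        except (binascii.Error, ValueError):
            continue                      # armour present but body corrupt
        labels.append(match.group(1).decode("ascii"))
    return labels


def diagnose(data, need):
    """Explain a 'no start line' failure; need is 'certificate' or 'private key'."""
    wanted = CERT_LABELS if need == "certificate" else KEY_LABELS
    labels = pem_labels(data)
    if any(label in wanted for label in labels):
        return "ok"
    if not labels:
        if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
            return "no start line: file is UTF-16 text, not ASCII PEM"
        if data[:1] == b"\x30":           # ASN.1 SEQUENCE tag: binary DER
            return "no start line: input looks like DER, not PEM"
        return "no start line: no PEM block found"
    return "no start line: file holds %s but no %s block" % (
        ", ".join(labels), need)


def make_pem(label, payload):
    """Build a constructed PEM block around placeholder bytes."""
    body = base64.encodebytes(payload)    # wrapped lines, trailing newline
    return (b"-----BEGIN " + label + b"-----\n" + body +
            b"-----END " + label + b"-----\n")


# Constructed samples: the payload is placeholder data, not a real cert or key.
DER_LIKE = b"\x30\x82\x00\x3c" + bytes(60)
CERT_ONLY = make_pem(b"CERTIFICATE", DER_LIKE)
CERT_AND_KEY = CERT_ONLY + make_pem(b"PRIVATE KEY", DER_LIKE)

if __name__ == "__main__":
    print(diagnose(CERT_ONLY, "private key"))   # s_client -cert without a key
    print(diagnose(DER_LIKE, "certificate"))    # x509 -in on a binary file
    print(diagnose(CERT_AND_KEY, "private key"))
```

For a certificate-only file, `s_client` takes the key from a separate file given with `-key`; for a DER file, `openssl x509` reads it with `-inform DER`.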
[FWD] install openssl on a ox 10.6.x
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from jsl j...@xtok.com - From: jsl j...@xtok.com Subject: install openssl on a ox 10.6.x Date: Tue, 14 Sep 2010 11:27:57 +0100 To: openssl-b...@openssl.org Dear Sirs Can you help us to install the app openssl on a mac os x? Thanks José Lourenço - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] How to user Configure with 64 bit compliation option
Forwarded to openssl-users for discussion. Best regards, Lutz - Forwarded message from Rudraprasad Sinha Roy rudrac...@gmail.com - Date: Wed, 7 Jul 2010 12:57:55 +1200 Subject: How to user Configure with 64 bit compliation option From: Rudraprasad Sinha Roy rudrac...@gmail.com To: r...@openssl.org Hi, I am using openssl 1.0.0 in SunOS 5.10 Generic_137111-08 sun4v sparc SUNW,Sun-Fire-T1000. machine is using 32 bit MSB file format. but i require to build openssl using 64 bit option in this machine. how can i achieve that? - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] make: don't know how to make /usr/local/ssl/fips-1.0/lib/fipscanister.o. Stop
Forwarding to openssl-users for discussion. Best regards, Lutz - Forwarded message from Pamela Pomary ppom...@ug.edu.gh - Date: Thu, 10 Jun 2010 18:09:07 - (GMT) Subject: make: don't know how to make /usr/local/ssl/fips-1.0/lib/fipscanister.o. Stop From: Pamela Pomary ppom...@ug.edu.gh To: openssl-b...@openssl.org Hello folks, i'm installing openssl-0.9.8l on freebsd 8.0. It complains about the following: making all in crypto/ui... making all in crypto/krb5... making all in crypto/store... making all in crypto/pqueue... making all in fips... make: don't know how to make /usr/local/ssl/fips-1.0/lib/fipscanister.o. Stop *** Error code 2 Stop in /usr/ports/security/openssl/work/openssl-0.9.8l/fips. *** Error code 1 Stop in /usr/ports/security/openssl/work/openssl-0.9.8l. *** Error code 1 Stop in /usr/ports/security/openssl. *** Error code 1 Stop in /usr/ports/security/openssl. I googled but have not found any help with the error yet. I read the README file and it said all bugs could be reported to this email address. i'm sure if its a bug though. i need help to complete the installation. i will be grateful for help on this error. cheers! -- Pamela Pomary ICT Assistant (Network Administration) ICT Directorate University of Ghana Tel:+233 244 994 020 g-mail:ppom...@gmail.com yahoo-mail: mawua2...@yahoo.com skype:ppomary - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] VeriSign Intermediate Certificate missing
Forwarded to openssl-users for discussion. Best regards, Lutz - Forwarded message from Marcus Franke m.fra...@cytainment.de - Date: Fri, 11 Jun 2010 10:21:26 +0200 From: Marcus Franke m.fra...@cytainment.de To: r...@openssl.org Subject: VeriSign Intermediate Certificate missing Hello, the intermediate certificates used by VeriSign to sign certificates are not included in the default ssl packages. The missing keys can be found at this site: http://www.verisign.com/support/verisign-intermediate-ca/extended-validation/index.html Due to the missing certificates software like wget/curl is failing the cert-chain-checks. kind regards, Marcus -- Email: sysad...@cytainment.de Tel: ++49 (0)40 23706153 Cytainment AG Co KG Nordkanalstraße 52 20097 Hamburg Sitz und Registergericht Hamburg HRA 98121 HRB 86068 Ust-ID: DE213009476 - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] error:140773E8:SSL routines:SSL23_GET_SERVER_HELLO:reason(1000)
Forwarded to openssl-users for discussion. Best regards, Lutz - Forwarded message from venki venky.payidima...@apere.com - Date: Thu, 22 Apr 2010 17:48:40 +0530 From: venki venky.payidima...@apere.com To: r...@openssl.org Subject: error:140773E8:SSL routines:SSL23_GET_SERVER_HELLO:reason(1000) Hi, OS : Redhat 9 kernel: Linux imag 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux OpenSSL: OpenSSL 0.9.7a Feb 19 2003 I am getting error like when i try command wget * syntax:* wget -d https://10.228.3.7:443/debugtool output: DEBUG output created by Wget 1.8.2 on linux-gnu. --12:30:05-- https://10.228.3.7/debugtool = `debugtool' Connecting to 10.228.3.7:443... connected. Created socket 4. Releasing 0x8080518 (new refcount 0). Deleting unused 0x8080518. Unable to establish SSL connection. OpenSSL: error:140773E8:SSL routines:SSL23_GET_SERVER_HELLO:reason(1000) Closing fd 4 How can i produce above problem and solution of problem? Thanks Regards, --VenkiP - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Error: SSL: couldn't create a context!
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from sumit sengupta sumit_sn...@yahoo.co.in - Date: Mon, 19 Apr 2010 05:44:03 -0700 (PDT) From: sumit sengupta sumit_sn...@yahoo.co.in Subject: Error: SSL: couldn't create a context! To: r...@openssl.org Cc: sumit_sn...@yahoo.co.in System: FreeBSD4 openssl-0.9.7g_1 and latest versions Type of Request: Bug report Description: Throwing an error SSL: couldn't create a context! intermittently when the OpenSSL function SSL_CTX_new() fails. As of now couldn't figure out the actual reason which causing this error to come up. If you have any experience on how to debug, please share. Thanks, Sumit Sengupta - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] openssl-0.9.8 make error
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o o_time.o o_time.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o o_str.o o_str.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o o_dir.o o_dir.c
perl x86cpuid.pl elf -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM x86cpuid-elf.s
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o x86cpuid-elf.o x86cpuid-elf.s
ar r ../libcrypto.a cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o x86cpuid-elf.o
ar: creating ../libcrypto.a
true ../libcrypto.a || echo Never mind.
making all in crypto/objects...
make[2]: Entering directory `/sources/openssl-0.9.8g/crypto/objects'
perl obj_dat.pl obj_mac.h obj_dat.h
gcc -I.. -I../.. -I../../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o o_names.o o_names.c
cc1: error: ../lib/gcc/i686-pc-linux-gnu/4.1.2/include: Not a directory
cc1: error: ../lib/gcc/i686-pc-linux-gnu/4.1.2/../../../../i686-pc-linux-gnu/include: Not a directory
make[2]: *** [o_names.o] Error 1
make[2]: Leaving directory `/sources/openssl-0.9.8g/crypto/objects'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/sources/openssl-0.9.8g/crypto'
make: *** [build_crypto] Error 1

when I type -p gcc, it prompts
/usr/bin/gcc

when I gcc -print-libgcc-file-name, it gets
/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/libgcc.a

when I ls -l $(dirname $(gcc -print-libgcc-file-name)), output as follows:
total 10816
-rwxr-xr-x 1 root root 5111230 Apr 14 07:25 cc1
-rwxr-xr-x 1 root root 5647468 Apr 14 07:25 cc1plus
-rwxr-xr-x 1 root root  102868 Apr 14 07:25 collect2
-rw-r--r-- 1 root root    1560 Apr 14 07:25 crtbegin.o
-rw-r--r-- 1 root root    2128 Apr 14 07:25 crtbeginS.o
-rw-r--r-- 1 root root    1968 Apr 14 07:25 crtbeginT.o
-rw-r--r-- 1 root root    1264 Apr 14 07:25 crtend.o
-rw-r--r-- 1 root root    1508 Apr 14 07:25 crtendS.o
-rw-r--r-- 1 root root    1296 Apr 14 07:25 crtfastmath.o
drwxr-xr-x 3 root root    4096 Apr 13 07:09 include
drwxr-xr-x 3 root root    4096 Apr 14 07:25 install-tools
-rw-r--r-- 1 root root   75972 Apr 14 07:25 libgcc.a
-rw-r--r-- 1 root root   34538 Apr 14 07:25 libgcc_eh.a
-rw-r--r-- 1 root root   25166 Apr 14 07:25 libgcov.a

and my gcc test when Re-adjusting the Toolchain, the result are all the same as http://www.linuxfromscratch.org/lfs/view/stable/chapter06/gcc.html

so what's wrong with it on earth??? Help me please

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
OpenSSL server problems
Hi!

In the past few days we had some problems with the hardware of the OpenSSL server providing the public services (web, mail, etc). We are now closely monitoring the system and preparing to migrate to another server if necessary.

Thank you very much for your patience.

Best regards,
Lutz
[FWD] Building Win64 0.9.8l on VS2008
- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] OPENSSL error
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from rejoy vm rejo...@gmail.com -

Date: Mon, 18 Jan 2010 19:15:28 +0530
Subject: OPENSSL error
From: rejoy vm rejo...@gmail.com
To: openssl-b...@openssl.org

Sir,

when I type the make command in openssl I am getting the following messages in the last few lines before termination. Could you please tell me how to sort these things out.

bn-586.s:(.text+0x6b0): multiple definition of `bn_sub_words'
../libcrypto.a(bn_asm.o):bn_asm.c:(.text+0x5ca): first defined here
collect2: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory `/home/rejoy/Desktop/intel/lat/openssl-0.9.8g/test'
make[1]: *** [bntest] Error 2
make[1]: Leaving directory `/home/rejoy/Desktop/intel/lat/openssl-0.9.8g/test'
make: *** [tests] Error 2

by REJOY

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] enhancement request:tls without sockets
Forwarded to openssl-users@openssl.org for public discussion.

Best regards,
Lutz

- Forwarded message from cuiji...@ceopen.cn -

From: cuiji...@ceopen.cn
To: r...@openssl.org
Date: Mon, 18 Jan 2010 22:25:57 +0800
Reply-To: cuiji...@ceopen.cn
Subject: enhancement request:tls without sockets

Hi,

I have a quirky app that while connection based is not tcp based. I am looking for some way to use tls for authentication of both ends of the connection. Is there an example of how to use OpenSSL without it managing the socket?

Thanks

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] RE: Help Request
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Vincenzo Giarratana vincenzo.giarrat...@gmail.com -

From: Vincenzo Giarratana vincenzo.giarrat...@gmail.com
To: r...@openssl.org
Subject: RE: Help Request
Date: Tue, 12 Jan 2010 17:57:02 +0100
Thread-Index: AcqToX9nGNbClrvkRoCvNYvYVzWmuQAABiAgAABPPXA=
In-Reply-To:

Hi,

following my previous request, let me add a fragment of the VLC source code. The line where I got the compiler error is:

    dialog_Fatal( p_input, _("Streaming / Transcoding failed"), "%s",
                  _("VLC could not open the packetizer module.") );

this is the function containing the line:

    decoder_t *input_DecoderNew( input_thread_t *p_input,
                                 es_format_t *fmt, input_clock_t *p_clock,
                                 sout_instance_t *p_sout )
    {
        decoder_t *p_dec = NULL;
        int i_priority;

    #ifdef ENABLE_SOUT
        /* If we are in sout mode, search for packetizer module */
        if( p_sout )
        {
            /* Create the decoder configuration structure */
            p_dec = CreateDecoder( p_input, fmt, VLC_OBJECT_PACKETIZER, p_sout );
            if( p_dec == NULL )
            {
                msg_Err( p_input, "could not create packetizer" );
                dialog_Fatal( p_input, _("Streaming / Transcoding failed"), "%s",
                              _("VLC could not open the packetizer module.") );
                return NULL;
            }
        }
    ..

Thank you for your help

Vincenzo Giarratana
vincenzo.giarrat...@gmail.com

_

From: Vincenzo Giarratana [mailto:vincenzo.giarrat...@gmail.com]
Sent: martedì 12 gennaio 2010 17.11
To: 'r...@openssl.org'
Subject: Help Request

Hi,

I am doing a VLC 1.0.4 build under Ubuntu 9.10.

I did first

    sudo apt-get install libssl-dev

then I inserted the following line into the VLC decoder.c source code

    #include <openssl/des.h>

Then I run

    ./configure LDFLAGS='-lssl -lcrypto'
    make

and I got the following error:

input/decoder.c: In function input_DecoderNew:
input/decoder.c:292: error: implicit declaration of function _
input/decoder.c:292: warning: passing argument 2 of dialog_Fatal makes pointer from integer without a cast
../include/vlc_dialog.h:43: note: expected const char * but argument is of type int
input/decoder.c:292: warning: format %s expects type char *, but argument 4 has type int

If I do the make without inserting #include <openssl/des.h> the compilation is successful.

Why does this include cause the error: implicit declaration of function _

Is it a bug in openssl/des.h or in VLC?

Thank you for your help

Vincenzo Giarratana
vincenzo.giarrat...@gmail.com

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Question on SSL_shutdown timeout
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Xavier De Kepper xavier.dekep...@kabira.com -

From: Xavier De Kepper xavier.dekep...@kabira.com
To: r...@openssl.org r...@openssl.org
Date: Fri, 27 Nov 2009 02:15:17 -0800
Subject: Question on SSL_shutdown timeout
Thread-Topic: Question on SSL_shutdown timeout
Thread-Index: AcpvSoR93gXfC8xGT46vvjF0PlcdBQ==
Accept-Language: fr-FR, en-US
acceptlanguage: fr-FR, en-US

Hello,

I have a question concerning SSL_shutdown in case of an SSLv3/TLSv1 connection.

In my use case, I send a request to an HTTPS server but get no response, therefore my application times out. Then the application closes the connection with two calls to SSL_shutdown. Unfortunately the server doesn't respond to the close notify, therefore the SSL_shutdown call times out.

My question is: what is the value of this timeout and how can it be configured? I noticed that this timeout doesn't always have the same value.

I did a search on the web but didn't find anything on this topic.

Thank you very much,
Xavier

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: New blackout
Chris Wilson wrote:

On Wed, 25 Nov 2009, The Doctor wrote:

I was able to see openssl.org last night MST but not at this current time.

Works fine for me.

We did have filesystem full problems in the last days which led to system panics. These issues should be sorted out now (thanks to Ralf S. Engelschall who is technically operating the server hardware).

Please excuse any inconvenience.

Best regards,
Lutz
[FWD] SSL_write returned SSL_ERROR_SSL
Forwarding to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from sandeep.kuma...@wipro.com -

Subject: SSL_write returned SSL_ERROR_SSL
Date: Tue, 3 Nov 2009 19:25:03 +0530
Thread-Topic: SSL_write returned SSL_ERROR_SSL
Thread-Index: AcpcjT4Rk9sPCTZ0QEaWqLVTn71DBQ==
From: sandeep.kuma...@wipro.com
To: r...@openssl.org

I am facing some weird problem in SSL_write(). Most of the time it returned with SSL_ERROR_SSL. Can anyone explain what this error is and how we can fix it? I am using openssl version 0.9.8g.

Any assistance (including temporary workarounds) appreciated.

Thanks

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Build incorrect crypt/decrypt in Win32. x86. MSVC 2003. MinGW.
= ERR_get_error();
            break;
        }
    }while(1);
    free(buff);
    BIO_flush(bout);
    BIO_free_all(cipher);
    return ret;
}

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Failed for target 'build_crypto'
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Dan Chan pk.c...@qinetics.net -

Date: Wed, 26 Aug 2009 16:48:22 +0800
From: Dan Chan pk.c...@qinetics.net
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
To: openssl-b...@openssl.org
Subject: Failed for target 'build_crypto'

Output of 'make report':

Checking compiler...
Can't exec ar: No such file or directory at util/selftest.pl line 89.

OpenSSL self-test report:

OpenSSL version: 0.9.8k
Last change: Don't set val to NULL when freeing up structures, it is...
Options: no-camellia no-capieng no-cms no-gmp no-jpake no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-zlib no-zlib-dynamic
OS (uname): SunOS windrunner 5.10 Generic_127127-11 sun4v sparc SUNW,Sun-Fire-T1000
OS (config): sun4v-whatever-solaris2
Target (default): solaris-sparcv9-gcc
Target: solaris-sparcv9-gcc
Compiler: Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --enable-shared --enable-languages=c,c++,f77
Thread model: posix
gcc version 3.4.6

Check your archive tool (ar).
Please ask your system administrator/vendor for more information.
[Problems with your operating system setup should not be reported to the OpenSSL project.]

Test report in file testlog

Hi there,

I am running on SunOS and the following are the error messages printed while executing 'make':

making all in crypto...
ar r ../libcrypto.a cryptlib.o dyn_lck.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o o_init.o fips_err.o
sh: ar: not found
*** Error code 1
make: Fatal error: Command failed for target `../libcrypto.a'
Current working directory /home/pkchan/openssl-0.9.8k/crypto
*** Error code 1
make: Fatal error: Command failed for target `build_crypto'

Hope you can help me out. Thanks.

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] crash on aix and win. memory issue ?
Forwarding to openssl-users for public discussion.

In any case you should use a debugger (gdb or appropriate in your case) to analyse the crash. strace is not of much help here.

Best regards,
Lutz

- Forwarded message from robert.vandon...@gpcbv.com -

From: robert.vandon...@gpcbv.com
To: r...@openssl.org
Subject: crash on aix and win. memory issue ?
Date: Wed, 5 Aug 2009 14:24:14 +0200
thread-index: AcoVx6SlUzKhOURmSOSitUaaylaFrQ==

execve(./gpccms, 0x2FF22C2C, 0x2000E538) argc: 3
open(GPCCMS.INI, O_RDONLY)= 3
kioctl(3, 22528, 0x, 0x)Err#25 ENOTTY
sbrk(0x)= 0x20019DE4
vmgetinfo(0x2FF21A30, 7, 16)= 0
sbrk(0x)= 0x20019DE4
sbrk(0x000C)= 0x20019DE4
__libc_sbrk(0x) = 0x20019DF0
kioctl(3, 22528, 0x, 0x)Err#25 ENOTTY
kread(3, 3 0 D 1 0 B E 3 9 0 7 6.., 4096)= 4096
kread(3, C\n B F F A 0 9 6 C 2 2.., 4096)= 84
kread(3, C\n B F F A 0 9 6 C 2 2.., 4096)= 0
close(3)= 0
open(/file.txt, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH) = 3
klseek(3, 0, 0, 0x0002) = 0
kioctl(3, 22528, 0x, 0x)Err#25 ENOTTY
kioctl(3, 22528, 0x, 0x)Err#25 ENOTTY
open(/opt/cbs/p/banks/ing_gateway/data/in/received/s1007393.9800436001.20090729.53101642.EDIFIN.P, O_RDONLY) = 4
kioctl(4, 22528, 0x, 0x)Err#25 ENOTTY
close(4)= 0
__libc_sbrk(0x) = 0x20029E00
open(/bin/keys/cbsprod.pem, O_RDONLY) = 4
kioctl(4, 22528, 0x, 0x)Err#25 ENOTTY
kioctl(4, 22528, 0x, 0x)Err#25 ENOTTY
kread(4, - - - - - B E G I N C.., 4096)= 1570
open(/bin/keys/cbsprod.key, O_RDONLY) = 5
kioctl(5, 22528, 0x, 0x)Err#25 ENOTTY
kioctl(5, 22528, 0x, 0x)Err#25 ENOTTY
kread(5, - - - - - B E G I N R.., 4096)= 951
__libc_sbrk(0x) = 0x20039E10
open(/s1007393.9800436001.20090729.53101642.EDIFIN.P, O_RDONLY) = 6
kioctl(6, 22528, 0x, 0x)Err#25 ENOTTY
open(/bin/temp/s1007393.9800436001.20090729.53101642.EDIFIN.P, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH) = 7
kioctl(7, 22528, 0x, 0x)Err#25 ENOTTY
kioctl(6, 22528, 0x, 0x)Err#25 ENOTTY
Received signal #11, SIGSEGV [default]
*** process killed ***

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Openssl-0.9.8i build fails with Aix5.3 64 bit
Forwarded to openssl-users for discussion

Best regards,
Lutz

- Forwarded message from Jaiman, Yateendra yateendra.jai...@safenet-inc.com -

Subject: Openssl-0.9.8i build fails with Aix5.3 64 bit
Date: Mon, 1 Jun 2009 18:26:51 +0530
Thread-Topic: Openssl-0.9.8i build fails with Aix5.3 64 bit
Thread-Index: AcnZQxWkTI+KJDUGSpakHdq0cjGSSQJdR8Ew
From: Jaiman, Yateendra yateendra.jai...@safenet-inc.com
To: r...@openssl.org

Hi,

When I'm executing this command I got this error:

./openssl req -engine LunaCA3 -new -nodes -key server.key -out server.req -days 120

can't use that engine
389234:error:2606B08C:engine routines:ENGINE_finish:dsa not implemented:e_lunaca3.c:670:DSO not set
389234:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:
Enter pass phrase for server.key:
unable to load Private Key
389234:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:466:
389234:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

Any help will be appreciated...

Thanks
Yateendra Jaiman

From: Jaiman, Yateendra
Sent: Wednesday, May 20, 2009 5:34 PM
To: 'r...@openssl.org'
Subject: Openssl-0.9.8e/i build fails with Aix5.3 64 bit

Hi,

I am building Openssl-0.9.8e/Openssl-0.9.8i on AIX 5.3 64 bit.

Steps that I am following are:

1. ./Configure aix64-gcc -maix64 -lpthreads no-mdc2 no-rc5 no-idea --prefix=/usr/local/ssl/ --openssldir=/usr/local/ssl/
2. make
3. make test
4. make install

Runs fine.

When I am executing the ./Openssl engine -t command from the /usr/local/ssl/bin directory, the output looks like this:

(dynamic) Dynamic engine loading support
     [ unavailable ]
(4758cca) IBM 4758 CCA hardware engine support
     [ unavailable ]
(aep) Aep hardware engine support
     [ unavailable ]
(atalla) Atalla hardware engine support
     [ unavailable ]
(cswift) CryptoSwift hardware engine support
     [ unavailable ]
(LunaCA3) Luna CA3 engine support
     [ unavailable ]
(chil) CHIL hardware engine support
     [ unavailable ]
(nuron) Nuron hardware engine support
     [ unavailable ]
(sureware) SureWare hardware engine support
     [ unavailable ]
(ubsec) UBSEC hardware engine support
     [ unavailable ]

I have checked my gcc version.

Output of installed RPM on my system:

bash-3.2# rpm -qa
cdrecord-1.9-7
mkisofs-1.13-4
conserver-8.1.7-2
info-4.6-1
gdbm-1.8.3-1
libgcc-4.0.0-1
gdbm-devel-1.8.3-1
libstdc++-devel-4.0.0-1
make-3.80-1
bash-3.2-1
expat-2.0.1-2
AIX-rpm-5.3.8.0-2
perl-IO-Multiplex-1.10-1
libxml2-2.6.17-3
osinstall-1.0-1
tk-8.5.6-1
perl-Crypt-Blowfish-2.10-1
libgcc-4.2.4-1
libstdc++-4.2.4-1
libstdc++-devel-4.2.4-1
gcc-4.2.4-1
gcc-cpp-4.2.4-1
gcc-c++-4.2.4-1
gettext-0.10.40-8
gdb-6.8-1
tcl-8.5.6-1
perl-5.8.8-1
perl-Crypt-CAST5-0.05-1
perl-Digest-CRC-0.14-1
perl-Crypt-CBC-2.29-1
egd-0.8-1
zlib-1.2.3-5
zlib-devel-1.2.3-5
dos2unix-3.1-1
prngd-0.9.29-1
zip-2.3-3
unzip-5.51-1
vim-common-6.3-1
vim-enhanced-6.3-1

I want to install Openssl with Apache on AIX 5.3. So please provide me some details regarding this matter.

Thanks Regards,
Yateendra Jaiman
Software Engineer
HSM-Integrations
SafeNet InfoTech Pvt Ltd.

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: Spam on this list
Rob Stradling wrote:

Is it time to divide openssl-users into several lists? Maybe something like...

openssl-fips for matters pertaining to OpenSSL/FIPS.
openssl-build for reporting build errors with the OpenSSL sources.
openssl-api for asking questions about how to use the OpenSSL C API.
openssl-cmd for asking questions about how to use the OpenSSL command-line tool.
openssl-users for anything else.

On Tuesday 02 June 2009 09:02:51 Mark wrote:

Hi,

I would like to request that this list become moderated as it is now inundated by spam. I have a strict quota for email lists at work (which also includes the spam) and after the quota is up I get no more emails for the rest of the month. Last month it stopped on the 20th.

Hi,

so far we have been able to not have SPAM on the list (which is partly moderated). This is an open list for the discussion of user problems. Users may be more or less experienced so that not all questions may be of interest for anyone, yet they are worth to be considered and answered. Actually I think that the amount and the size of the mails are quite acceptable.

WRT to splitting up this list I am afraid that we would see the same effect as with openssl-dev; a lot of posts are just sent to both lists as it is not always clear for everyone where some certain topics should be discussed.

Best regards,
Lutz
[FWD] Openssl-0.9.8e/i build fails with Aix5.3 64 bit
Forwarded to openssl-users as this forum seems to be appropriate.

Best regards,
Lutz

- Forwarded message from Jaiman, Yateendra yateendra.jai...@safenet-inc.com -

Subject: Openssl-0.9.8e/i build fails with Aix5.3 64 bit
Date: Wed, 20 May 2009 17:34:10 +0530
Thread-Topic: Openssl-0.9.8e/i build fails with Aix5.3 64 bit
Thread-Index: AcnZQxWkTI+KJDUGSpakHdq0cjGSSQ==
From: Jaiman, Yateendra yateendra.jai...@safenet-inc.com
To: r...@openssl.org

Hi,

I am building Openssl-0.9.8e/Openssl-0.9.8i on AIX 5.3 64 bit.

Steps that I am following are:

1. ./Configure aix64-gcc -maix64 -lpthreads no-mdc2 no-rc5 no-idea --prefix=/usr/local/ssl/ --openssldir=/usr/local/ssl/
2. make
3. make test
4. make install

Runs fine.

When I am executing the ./Openssl engine -t command from the /usr/local/ssl/bin directory, the output looks like this:

(dynamic) Dynamic engine loading support
     [ unavailable ]
(4758cca) IBM 4758 CCA hardware engine support
     [ unavailable ]
(aep) Aep hardware engine support
     [ unavailable ]
(atalla) Atalla hardware engine support
     [ unavailable ]
(cswift) CryptoSwift hardware engine support
     [ unavailable ]
(LunaCA3) Luna CA3 engine support
     [ unavailable ]
(chil) CHIL hardware engine support
     [ unavailable ]
(nuron) Nuron hardware engine support
     [ unavailable ]
(sureware) SureWare hardware engine support
     [ unavailable ]
(ubsec) UBSEC hardware engine support
     [ unavailable ]

I have checked my gcc version.

Output of installed RPM on my system:

bash-3.2# rpm -qa
cdrecord-1.9-7
mkisofs-1.13-4
conserver-8.1.7-2
info-4.6-1
gdbm-1.8.3-1
libgcc-4.0.0-1
gdbm-devel-1.8.3-1
libstdc++-devel-4.0.0-1
make-3.80-1
bash-3.2-1
expat-2.0.1-2
AIX-rpm-5.3.8.0-2
perl-IO-Multiplex-1.10-1
libxml2-2.6.17-3
osinstall-1.0-1
tk-8.5.6-1
perl-Crypt-Blowfish-2.10-1
libgcc-4.2.4-1
libstdc++-4.2.4-1
libstdc++-devel-4.2.4-1
gcc-4.2.4-1
gcc-cpp-4.2.4-1
gcc-c++-4.2.4-1
gettext-0.10.40-8
gdb-6.8-1
tcl-8.5.6-1
perl-5.8.8-1
perl-Crypt-CAST5-0.05-1
perl-Digest-CRC-0.14-1
perl-Crypt-CBC-2.29-1
egd-0.8-1
zlib-1.2.3-5
zlib-devel-1.2.3-5
dos2unix-3.1-1
prngd-0.9.29-1
zip-2.3-3
unzip-5.51-1
vim-common-6.3-1
vim-enhanced-6.3-1

I want to install Openssl with Apache on AIX 5.3. So please provide me some details regarding this matter.

Thanks Regards,
Yateendra Jaiman
Software Engineer
HSM-Integrations
SafeNet InfoTech Pvt Ltd.

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: I want you to do my homework for me.
David Loman wrote:

Mods: Any way there can be some banning happening soon?

Best way to end discussions like this one is to
* step back
* ignore what was written (annoying or offensive or not)
* just do not write any more statements
* enjoy doing something more useful

Please understand that the original poster just achieved his/her goal by having other people react.

Best regards,
Lutz
[FWD] witch version of pkcs can I use?
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from new conf newcon...@gmail.com -

Date: Sat, 4 Apr 2009 22:20:25 +0200
Subject: witch version of pkcs can I use?
From: new conf newcon...@gmail.com
To: r...@openssl.org

hello,

I'm a new user of openssl. I succeeded in creating my keys to use the EAP-TLS protocol on my platform, and I made communication between the server (eap+Radius) and clients to authenticate them.

Now I have to store my private keys in a smart card. I'm using openssl 0.9.8g. I see that there is an API called pkcs11 that can extract information from a smart card to be used by my radius server, but when searching, I found that there is pkcs11, pkcs12 and pkcs15 that was used for the same aim!!

Can you please call me what pkcs have I to use? And why this choice?

I'll be very grateful for your help. Waiting for your reply!

W.

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Question: using OpenSSL without DLL
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Guillaume Blais weej...@msn.com -

From: Guillaume Blais weej...@msn.com
To: r...@openssl.org
Subject: Question: using OpenSSL without DLL
Date: Sun, 5 Apr 2009 17:33:02 +
Importance: Normal

hi,

I'm using OpenSSL for Windows (Win32OpenSSL-0_9_8i.exe) and I use it in a standard C++ application. Everything works fine but I would like to use it without the SSLeay32.DLL; I don't want to bring it everywhere with the application.

I tried to convert this DLL into a lib with a tool, DLL to Lib. It compiled fine and the program started fine too, but it crashes when using some SSL functions.

Is there a way I can use OpenSSL only with a static lib???

thank you!

Guillaume

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] How to disable SSL
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Victor Yepez yepez.vic...@gmail.com -

Date: Tue, 24 Mar 2009 17:31:55 -0430
From: Victor Yepez yepez.vic...@gmail.com
Subject: How to disable SSL
To: r...@openssl.org
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)

Hello guys,

I really appreciate your help in the following issue:

One of our customers has installed Solaris 10 on his SUN machine. Solaris 10 has OpenSSL installed and our customer wants to disable all the cifrates levels below 128 bits.

I was looking at Google but I am still wondering how to do that. So, please, I really appreciate your help, any clue, any link.

Thanks!

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] About OpenSSL crashed in 0.9.8g
Forwarded to openssl-users for public discussion on how to debug the problem. Best regards, Lutz - Forwarded message from zlgodguy zlgod...@163.com - Date: Tue, 10 Mar 2009 17:22:21 +0800 (CST) From: zlgodguy zlgod...@163.com To: r...@openssl.org Subject: About OpenSSL crashed in 0.9.8g Hi all: my OpenSSL version is 0.9.8g. I found a crash in OpenSSL, but it cannot be reproduced. The backtrace is listed below: Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libz.so.1 Reading symbols from /opt/ah/lib/libitk.so...(no debugging symbols found)...done. Loaded symbols for /opt/ah/lib/libitk.so Reading symbols from /lib64/libc.so.6... (no debugging symbols found)...done. Loaded symbols for /lib64/libc.so.6 Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libcrypt.so.1 Reading symbols from /lib64/ld.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/ld.so.1 Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/libdl.so.2 Core was generated by `/opt/ah/bin/capwap'. Program terminated with signal 6, Aborted. #0 0x005556ecc13c in raise () from /lib64/libc.so.6 (gdb) bt #0 0x005556ecc13c in raise () from /lib64/libc.so.6 #1 0x005556ecd998 in abort () from /lib64/libc.so.6 #2 0x005556a27818 in OpenSSLDie () from /opt/ah/lib/libcrypto.so.0.9.8 #3 0x005556a27818 in OpenSSLDie () from /opt/ah/lib/libcrypto.so.0.9.8 Previous frame identical to this frame (corrupt stack?) Who can give me a suggestion? - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
Re: OpenSSL 0.9.8j build problem on ia64 SuSE 9.2
Mark Lavi wrote: On Tue, Jan 13, 2009, Dr. Stephen Henson wrote: In these three lines in crypto/sha/Makefile: (cd asm; $(PERL) sha1-ia64.pl ../$@ $(CFLAGS)) (cd asm; $(PERL) sha512-ia64.pl ../$@ $(CFLAGS)) (cd asm; $(PERL) sha512-ia64.pl ../$@ $(CFLAGS)) Try changing ../$@ to ../$@ Dr. Steve: I have done so and that has improved things, but the build progresses further and breaks. I tried this on a fresh extract of the released source code to be sure there were no artifacts from previous builds. I also have brought down optimization to -O2 and reduced the configure arguments to just --prefix in order to simplify the build. I believe what follows is enough relevant output, I've omitted the ./config output and initial portion of make ... making all in crypto/md5... make[2]: Entering directory `/content2/development/mlavi/content/webplatform/src/build/dev/bootstrap /openssl-0.9.8j/crypto/md5' gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o md5_dgst.o md5_dgst.c gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o md5_one.o md5_one.c ar r ../../libcrypto.a md5_dgst.o md5_one.o /usr/bin/ranlib ../../libcrypto.a || echo Never mind. make[2]: Leaving directory `/content2/development/mlavi/content/webplatform/src/build/dev/bootstrap /openssl-0.9.8j/crypto/md5' making all in crypto/sha... make[2]: Entering directory `/content2/development/mlavi/content/webplatform/src/build/dev/bootstrap /openssl-0.9.8j/crypto/sha' gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha_dgst.o sha_dgst.c gcc -I.. -I../.. 
-I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha1dgst.o sha1dgst.c gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha_one.o sha_one.c gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha1_one.o sha1_one.c gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha256.o sha256.c gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha512.o sha512.c (cd asm; /data/current/bin/perl sha1-ia64.pl ../sha1-ia64.s -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM) gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha1-ia64.o sha1-ia64.s (cd asm; /data/current/bin/perl sha512-ia64.pl ../sha256-ia64.s -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM) nonsense -I.. at sha512-ia64.pl line 95. 
make[2]: *** [sha256-ia64.s] Error 255 make[2]: Leaving directory `/content2/development/mlavi/content/webplatform/src/build/dev/bootstrap /openssl-0.9.8j/crypto/sha' make[1]: *** [subdirs] Error 1 make[1]: Leaving directory `/content2/development/mlavi/content/webplatform/src/build/dev/bootstrap /openssl-0.9.8j/crypto' make: *** [build_crypto] Error 1 Should I provide anything else? Without having ia64 available for testing I would rather modify (cd asm; $(PERL) sha1-ia64.pl ../$@ $(CFLAGS)) to (cd asm; $(PERL) sha1-ia64.pl $(CFLAGS) ../$@) so that the CFLAGS argument is available to the perl script. It does not make any sense in the redirection context. Best regards, Lutz
[FWD] An error appears when run ./CA.sh -sign
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from fastrunn...@sina.com - Date: Fri, 12 Dec 2008 14:20:21 +0800 From: fastrunn...@sina.com To: r...@openssl.org Subject: An error appears when run ./CA.sh -sign 1. The env is solaris9+openssl0.9.8i 2. The error message is below: Using configuration from /usr/local/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Error reading certificate request in newreq.pem 29809:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746: Signed certificate is in newcert.pem 3. The CSR file is newreq.pem; its content is below: -BEGIN NEW CERTIFICATE REQUEST- -END NEW CERTIFICATE REQUEST- - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Make report error openssl-fips-1.2 on Linux machine running Centos 4.7
Forwarded to openssl-users for public discussion Best regards, Lutz - Forwarded message from Daciek, Kevin (KDACIEK) [EMAIL PROTECTED] - Subject: Make report error openssl-fips-1.2 on Linux machine running Centos 4.7 Date: Thu, 11 Dec 2008 10:58:00 -0500 From: Daciek, Kevin (KDACIEK) [EMAIL PROTECTED] To: [EMAIL PROTECTED] unable to find /usr/local/ssl/lib/fips-1.0//fipscanister.o make[2]: *** [link_app.] Error 1 make[2]: Leaving directory `/home/kdaciek/Desktop/openssl-fips-1.2/test' make[1]: *** [ssltest] Error 2 make[1]: Leaving directory `/home/kdaciek/Desktop/openssl-fips-1.2/test' make: *** [build_tests] Error 1 - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] How to add X509v3 Subject Alternative Name into cert created by openssl
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from mohammed khan [EMAIL PROTECTED] - Date: Mon, 24 Nov 2008 15:30:11 -0800 (PST) From: mohammed khan [EMAIL PROTECTED] Subject: How to add X509v3 Subject Alternative Name into cert created by openssl To: [EMAIL PROTECTED] Hi, I need to create a certificate having Subject Alternative name in it but don't know how. I am using OpenSSL 0.9.8b 04 May 2006 I'd really appreciate your help. Thanks Mike - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] I have a concatenate certificate problem
Forwarded to openssl-users for public discussion Best regards, Lutz - Forwarded message from liau ching huang [EMAIL PROTECTED] - Date: Thu, 4 Dec 2008 16:17:30 +0800 (CST) From: liau ching huang [EMAIL PROTECTED] Subject: I have a concatenate certificate problem To: [EMAIL PROTECTED] Dear all: I have a concatenated certificate file including the device certificate, sub CA certificate and root CA certificate in PEM format. I traced the supplicant log, and it shows that it only signs the one certificate (I think that it is the device certificate) and sends it to the server. Then the server cannot verify it. What OpenSSL function must I call or modify to make it work? Thanks. BR Loubot - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] request for SSL
Forwarded to openssl-users for discussion. Best regards, Lutz - Forwarded message from Pradeep Kumar [EMAIL PROTECTED] - Date: Wed, 3 Dec 2008 16:29:40 +0530 From: Pradeep Kumar [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: request for SSL Hi, I am looking for an SSL request for my website. Please let me know how to implement SSL. I have created an SSL request through IIS Server. What is the next step? I am using ASP.NET 2.0, C# technology. Thanks and Regards Pradeep Kumar Tamar +91-9711579560 - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] Bug report
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Swaraj G Tati [EMAIL PROTECTED] - To: [EMAIL PROTECTED] Cc: Sudarshan Yeddula [EMAIL PROTECTED], Chalapathy Sarangapani [EMAIL PROTECTED] Subject: Bug report From: Swaraj G Tati [EMAIL PROTECTED] Date: Fri, 28 Nov 2008 04:27:31 +0530 Hi, I was trying to install OpenSSL for 32-bit libraries on an HP-UX 11.11 server. However, when I run ./config I am getting the following error. Is there any difference in the installation process of 64-bit libraries and 32-bit libraries? Please assist me. [EMAIL PROTECTED]:/openssl-0.9.8e: ./config Operating system: 9000/800-hp-hpux1x WARNING! If you wish to build 64-bit library then you have to invoke './Configure hpux64-parisc2-cc' *manually*. You have about 5 seconds to press Ctrl-C to abort. Can't locate strict.pm in @INC (@INC contains: /opt/perl5/lib/5.00502/PA-RISC1.1 /opt/perl5/lib/5.00502 /opt/perl5/lib/site_perl/5.005/PA-RISC1.1 /opt/perl5/lib/site_perl/5.005 .) at ./Configure line 9. BEGIN failed--compilation aborted at ./Configure line 9. Can't locate strict.pm in @INC (@INC contains: /opt/perl5/lib/5.00502/PA-RISC1.1 /opt/perl5/lib/5.00502 /opt/perl5/lib/site_perl/5.005/PA-RISC1.1 /opt/perl5/lib/site_perl/5.005 .) at ./Configure line 9. BEGIN failed--compilation aborted at ./Configure line 9. This system (hpux-parisc2-cc) is not supported. See file INSTALL for details. *** Reply to [EMAIL PROTECTED] *** Best Regards, Swaraj Swaraj G Tati, Operations Lead Specialist - ITD - Global Delivery, India - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/
Re: pq_compat.h
Alex Chen wrote: The header file crypto/pqueue/pq_compat.h does not have the following directive #ifndef HEADER_PQ_COMPAT_H #define HEADER_PQ_COMPAT_H #endif The effect is that we get warnings about PQ_64BIT being redefined because ssl.h includes ssl3.h, which includes pq_compat.h, and dtls1.h, which also references pq_compat.h eventually. I have modified the respective file in the 0.9.8 branch respectively. Thanks, Lutz
[FWD] DNS Error while doing SSL handshake - bad gethostbyaddr
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] - Subject: DNS Error while doing SSL handshake - bad gethostbyaddr Date: Fri, 10 Oct 2008 15:00:51 +0200 From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Dear OpenSSL experts, I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on Windows Server 2003 Standard Edition Version 5.2.3790. Could you please help me with bad gethostbyaddr error message while doing SSL handshake? Log is given below: D:\OpenSSL2\bin>openssl OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3 verify depth is 2 Enter pass phrase for D:\my_key.pem: my_pass_phrase Loading 'screen' into random state - done Using default temp DH parameters Using default temp ECDH parameters ACCEPT bad gethostbyaddr SSL_accept:before/accept initialization read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0)) SSL_accept:failed in SSLv3 read client hello B ERROR shutting down SSL CONNECTION CLOSED ACCEPT bad gethostbyaddr SSL_accept:before/accept initialization read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0)) SSL_accept:failed in SSLv3 read client hello B ERROR shutting down SSL CONNECTION CLOSED ACCEPT bad gethostbyaddr Thanks Regards, Byju Joy +91-9902511344, +91-80-67245657, *7098068 - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/
Re: Simple patch to crypto/sha/Makefile avoiding compile crash on IA64
Amadeu A. Barbosa Jr wrote: Hi all, I got a problem on compile of openssl-SNAP-20081003 on IA64 (same on older versions of 0.9.9 dev source) like this: ... The following patch on crypto/sha/Makefile makes all right: openssl-SNAP-20081003$ diff -up crypto/sha/Makefile crypto/sha/Makefile.new --- crypto/sha/Makefile 2008-01-13 21:00:27.0 -0200 +++ crypto/sha/Makefile.new 2008-10-03 16:47:35.0 -0300 @@ -50,7 +50,7 @@ sha512-586.s: asm/sha512-586.pl ../perla $(PERL) asm/sha512-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) $@ sha1-ia64.s: asm/sha1-ia64.pl - (cd asm; $(PERL) sha1-ia64.pl $(CFLAGS) ) $@ + (cd asm; $(PERL) sha1-ia64.pl ../$@ $(CFLAGS)) sha256-ia64.s: asm/sha512-ia64.pl (cd asm; $(PERL) sha512-ia64.pl ../$@ $(CFLAGS)) sha512-ia64.s: asm/sha512-ia64.pl The first argument for sha1-ia64.pl should be the .s file and not the $CFLAGS. I tested and works fine for me. Is it enough report this here? Should I report this someplace else? The best place to report bugs is [EMAIL PROTECTED] Posts to the mailing list(s) tend to slip through the fingers :-) I would recommend to send patches as attachments as they are easier to process with common mail clients. Best regards, Lutz
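Review bot: On the `+` line for sha1-ia64.s, confirm that sha1-ia64.pl opens its first argument as the output file before this goes in, and say in the description which branch and script revision it was tested against. The unchanged sha256-ia64.s and sha512-ia64.s rules in the context lines call sha512-ia64.pl in the same `../$@ $(CFLAGS)` form, so the change is consistent with them, but the 0.9.8j build log earlier on this page shows sha512-ia64.pl aborting with "nonsense -I.." when invoked exactly that way, so the argument order depends on the script version and the hunk should not be carried to the 0.9.8 branch unchanged. A one-line comment above the three ia64 rules stating that the script writes the file named by its first argument would keep the next editor from reintroducing the shell redirection.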
Re: Problem Related to Peer certificate verification.
Ajeet kumar.S wrote: Dear All, I want to verify the peer certificate (server certificate). For that we need CA Certificate, Let me know we required ROOT CA certificate in PEM format or in any other format, open ssl will support. Actually I called *SSL_CTX_load_verify_locations()* after that I called *SSL_CTX_set_verify()*. But I saw response: certificate expire. But I saw in certificate it is mention end validation date in 2014. Actually I converted *.der* format certificate to *.pem* format using openssl utility. I tried *.der* certificate directly but also not get success. Please let me know what is reason behind it? How we can remove this error? You can use the openssl verify command line tool to verify the state of the certificate chain (expiry, purpose, completeness of the chain). The internal verification mechanisms called during SSL session setup use the same routines. Best regards, Lutz
Re: How to use a hardware RNG with openssl?
Gerd Schering wrote: Lutz Jaenicke wrote: Gerd Schering wrote: Hello, we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom. So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as openssl genrsa -rand /dev/qrandom 2048 ? Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand. So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers? To my best knowledge there does not exist a mathematical proof for the quality of the used entropy pool with hash mixing PRNG. We believe that it is of very high quality. You may also have a look into the thread Fix VIA Padlock RNG support on the openssl-dev mailing list. It discusses the point that OpenSSL does handle RNGs provided via engine interface in fact completely replace the built-in PRNG with the external entropy source. Best regards, Lutz
Re: How to use a hardware RNG with openssl?
F. wrote: If the true random generator is in /dev/random, and I want use only this device for random data using openssl.cnf: RANDFILE = /dev/random Is this correct? This is nearly correct. OpenSSL will read 2048 bytes from it (2048 is hardcoded for device files to avoid endless loops, seems my statement below was not completely up-to-date). The first attempt to generate a pseudo random number will however still read an additional amount of bytes from /dev/urandom. Best regards, Lutz On Fri, 19-09-2008 at 23:21 +0200, Gerd Schering wrote: Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand. So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers?
Re: How to use a hardware RNG with openssl?
F. wrote: Any way to collect only from HRNG? This can be a choice or not? e_os.h #ifndef DEVRANDOM /* set this to a comma-separated list of 'random' device files to try out. * My default, we will try to read at least one of these files */ #define DEVRANDOM "/dev/random" #endif Yes, this will assure that additional entropy will be mixed in from /dev/random only. Please note that still the OpenSSL internal PRNG will be used, it is just the seed that is used from specific sources. If you add seed explicitly the part loaded via DEVRANDOM is only on top. We also add process ids, system time etc for good measure just to stir the pool as on top does not hurt. If you do not agree with this policy you can add an engine code to provide the internally used random numbers according to your policy. Best regards, Lutz
Re: How to use a hardware RNG with openssl?
Gerd Schering wrote: Hello, we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom. So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as openssl genrsa -rand /dev/qrandom 2048 ? Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand. Note: if /dev/urandom is available, OpenSSL will read an additional amount of random bytes from it whether an explicit seed source is available or not. This however does not reduce the quality of the entropy provided by your source. I am not sure about the role of /dev/urandom: does it deliver a (pseudo) random number or the salt for the PRNG? It is used to seed OpenSSL's internal PRNG. Best regards, Lutz
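The bounded read described in the reply above (copy a fixed amount from the device into an intermediate file, then pass that file to -rand), as an added example that is not part of the original thread and not OpenSSL's own code. The function names, the key path and the choice of 2048 bytes (the figure quoted in the RANDFILE reply) are assumptions; /dev/qrandom is the device name from the question.

```shell
#!/bin/sh
# Added example: seed `openssl genrsa` from a random device that never
# signals EOF, by reading a fixed number of bytes into a private file first.

# read_seed DEVICE NBYTES OUTFILE
# Copy exactly NBYTES from DEVICE into OUTFILE (mode 0600).
# Fails, and removes OUTFILE, if the source delivers fewer bytes.
read_seed() {
    dev=$1; nbytes=$2; out=$3
    [ -r "$dev" ] || { echo "cannot read $dev" >&2; return 1; }
    # bs=1: a short read from a slow device can never shrink the total,
    # and count bounds the read so an endless source cannot stall us.
    ( umask 077
      dd if="$dev" of="$out" bs=1 count="$nbytes" 2>/dev/null ) || return 1
    chmod 600 "$out" || return 1
    got=$(wc -c < "$out" | tr -d ' ')
    if [ "$got" -ne "$nbytes" ]; then
        echo "short read from $dev: $got of $nbytes bytes" >&2
        rm -f "$out"
        return 1
    fi
}

# gen_key_with_seed DEVICE BITS KEYFILE
# Read 2048 bytes from DEVICE, feed them to genrsa via -rand, then
# delete the intermediate seed file whether or not genrsa succeeded.
gen_key_with_seed() {
    dev=$1; bits=$2; key=$3
    seed=$(mktemp) || return 1
    if ! read_seed "$dev" 2048 "$seed"; then
        rm -f "$seed"
        return 1
    fi
    ( umask 077; openssl genrsa -rand "$seed" -out "$key" "$bits" )
    rc=$?
    rm -f "$seed"
    return $rc
}

# Run only when asked to, e.g.:  sh seedkey.sh --genkey /dev/qrandom key.pem
if [ "${1:-}" = "--genkey" ]; then
    gen_key_with_seed "${2:-/dev/qrandom}" 2048 "${3:-key.pem}"
fi
```

As the replies in this thread state, the seed only feeds OpenSSL's internal PRNG, and additional bytes from /dev/urandom are still mixed in when that device exists.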
Re: How to use a hardware RNG with openssl?
Steffen DETTMER wrote: * Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 14:22 +0200: we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom. Note: if /dev/urandom is available, OpenSSL will read an additional amount of random bytes from it whether an explicit seed source is available or not. This however does not reduce the quality of the entropy provided by your source. I am not sure about the role of /dev/urandom: does it deliver a (pseudo) random number or the salt for the PRNG? It is used to seed OpenSSL's internal PRNG. This means the internal PRNG is seeded with /dev/urandom data, but it is not used at all and /dev/urandom is not used elsewhere (if external entropy source is used) -- is this correct? All random values used by OpenSSL like keys generated with genrsa are generated using OpenSSL's internal PRNG. This internal PRNG is seeded from different sources. These external sources can be provided explicitly (as with the -rand option of genrsa) or via RAND_add() within an application. As on several occasions people were given bad advice to abuse -rand or RAND_add() with bad entropy sources we have decided to always add additional bytes from /dev/urandom if available on the system. OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with SHA-1 so the more bytes are mixed in, the better. At least it cannot hurt to add any input to it as the entropy in the pool can never decrease by mixing in more bytes. Best regards, Lutz
Re: How to use a hardware RNG with openssl?
Steffen DETTMER wrote: * Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 16:46 +0200: OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with SHA-1 so the more bytes are mixed in, the better. At least it cannot hurt to add any input to it as the entropy in the pool can never decrease by mixing in more bytes. ok, I just think that at least the last sentence is not necessarily correct, namely when the entropy sources depend on each other. We assume independent sources here. I guess if SHA-1 is assumed perfect here (and because of the kind of mix which is using it) it might be impossible to construct the data dependency in a way to abuse that because no reversion of SHA-1 should be known, so practically no impact. But in another (general) case it could harm, for instance in worst case the mix function could be an XOR and the dependency of input sources could be a symbolic link, leading to infinite zeros as entropy. Of course this is very artificial, but maybe other dependencies could lead to a weakness of entropy when mixing it with dependent/derived entropy? This seems to be quite artificial. The logic behind it is a bit different: you can XOR any information into a random stream without reducing the entropy of the random stream: the stream will look different but it will be as unpredictable as before. The setup you describe here indeed has a systematic flaw in that XOR would kill off the entropy from the random stream... From the mathematical point of view the analysis should still be correct. As the XORed bytes would be the same as the random ones, the random ones would not contain entropy: they are predictably identical to the XORed bytes. Having this said: the SHA-1'ed pool should be resistant to this problem. Best regards, Lutz oki, Steffen
OpenSSL Web Server Certificate renewed
Hi! I have just installed a new (2048bit) certificate and key to the OpenSSL Project webserver. It is a wildcard certificate for *.openssl.org catching both www.openssl.org and rt.openssl.org. Many thanks go to Steve Roylance from Globalsign for donating a 3 year wildcard SSL certificate!! Best regards, Lutz
Re: SSL_session_reused api
Krishna M Singh wrote: Hi All I have been using this API to dump in my statistics logs whether the SSL session is reused or not in a windows openSSL based client. Everything was good till i was using 9.7e. The session reuse works fine and the logs were correctly showing session reused as 1 and sniffer traces reconfirms that indeed my client reuses the SSL session.. But once I upgraded the Openssl libeay32.dll and ssleay32.dll to 9.8b the session is still getting reused as per sniffer traces (i checked the 32 byte session Id in client hello and server hello and they match). but the return value of SSL_session_reused API returns session reused as one. With same client code, once I revert back to old OpenSSL APIs, the session reused is indicated as 1 and thus good. Thus surely either I am using some old (obsolete) API that shouldn't be used or there is some issues introduced in between 9.7e and 9.8b. Please allow me to clarify: according to your statement the function returns one in one case and 1 in the other? Probably you meant something different??? Best regards, Lutz
Re: Regarding DES_xwhite_in2out() API
Kundile, Gayathri wrote: HI all, Anybody tell me about when we upgrading the openssl version from 0-9.8.g to openssl-0.9.8h, how the applications will affect which are using DES_xwhite_in2out() API The application will fail to link with an unresolved reference. This will however only happen on rare occasions. During a web search (which tends to traverse source of many projects due to web interfaces to repositories like CVSweb etc being available) I did not find a single reference to the function. As the function was broken anyway we decided to simply remove it. Best regards, Lutz
Re: DES-only OpenSSL version
Kyle Hamilton wrote: Well, the question becomes: Which government are you trying to work around the restrictions of? OpenSSL is open-source. In the United States, while it may fall under the export class EI on the CCR, it also falls under export exemption TSU (see http://www.access.gpo.gov/bis/ear/txt/740.txt (section 740.13(e)(1)) and http://www.access.gpo.gov/bis/ear/txt/734.txt (section 734.3(b)(3))). OpenSSL is not US-origin (it is Australia- and United Kingdom-origin), and every new release has had the notification requirement (734.3(e)(3)) met by the release manager. The US was, for a long time, considered the most hard-nosed of the governments as related to cryptography. This changed in 2000. Finally we don't know what the actual circumstances are and it may well be that export restrictions apply. Please note that even though OpenSSL itself is open source it may be incorporated by static linking into an application that is not open source (the OpenSSL license does allow that) or it may be used on an (embedded) appliance. In both cases the export control regulations have to be considered for the final product not for the base technology. Been there, seen that. Best regards, Lutz
Re: DES-only OpenSSL version: technical aspects
Fred Picher wrote:
Hello, Thanks for your reply.

If this is not sufficient you may check out ssl/sslv3.c etc and actually remove the ciphers you don't want to support in your libssl from the registration tables.

As a test, I've commented out every cipher definition in ssl/s3_lib.c, like this example: The list is:

    OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ [...] }

And a typical commented entry is:

    /* Cipher 05 */
    /*
    {
    1,
    SSL3_TXT_RSA_RC4_128_SHA,
    SSL3_CK_RSA_RC4_128_SHA,
    SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3,
    SSL_NOT_EXP|SSL_MEDIUM,
    0,
    128,
    128,
    SSL_ALL_CIPHERS,
    SSL_ALL_STRENGTHS,
    },
    */

None are left uncommented. But still, after make clean, Configure, make depend, make and installation, the system reports:

    openssl ciphers -v
    DES-CBC3-MD5     SSLv2 Kx=RSA      Enc=3DES(168) Mac=MD5
    RC2-CBC-MD5      SSLv2 Kx=RSA      Enc=RC2(128)  Mac=MD5
    RC4-MD5          SSLv2 Kx=RSA      Enc=RC4(128)  Mac=MD5
    DES-CBC-MD5      SSLv2 Kx=RSA      Enc=DES(56)   Mac=MD5
    EXP-RC2-CBC-MD5  SSLv2 Kx=RSA(512) Enc=RC2(40)   Mac=MD5 export
    EXP-RC4-MD5      SSLv2 Kx=RSA(512) Enc=RC4(40)   Mac=MD5 export

Which is much less than before, but where are these coming from since everything is commented out? I do not mind that much the low encryption ciphers, but the first three are a bother. I can add more of the low encryption ciphers by uncommenting their respective declaration, but I cannot get rid of the first three. Now, 3DES might be somehow dynamically added to the list when DES is present. That could make sense and would mean that the actual DES-specific code would have to be modified to separate 3DES. Would that also be the case for the two high-crypto RC2 and RC4? Can they be variations added dynamically to the cipher list and not have a proper static definition in ssl/s3_lib.c?

You did not read the fine print :-) The ciphers listed apply to SSLv2: second column of the output above. Hence you have to edit ssl/s2_lib.c as well (that was the etc :-)

Best regards, Lutz
Re: Working with Strings on a SSL Server
Carolin Latze wrote:
Hi everybody, I have a very strange problem and hope that somebody is able to help me. I wrote a simple client and server in C that authenticate each other mutually using SSL. The SSL connection itself is working and I was able to exchange messages using SSL_write and SSL_read. The client sends X509 extensions as strings to the server. The server is able to read them and prints them to stdout. Those extensions contain some special values I want to check on the server. The general idea is that the client has some certificates he wants to check. But those certificates contain some special values he cannot check. Therefore he establishes an SSL connection to a verification server that will verify those values and send the result to the client. As I said, I am able to send those values using SSL_write to the server, which is able to read them using SSL_read. In order to verify those values, the server has to open some local files. In order to do so, I create the filename:

    sprintf(filename,"certs/%s",dirpt->d_name);

This will create a null-terminated string. Even if I never use this string, just because I created it, SSL_clear will coredump with

    *** glibc detected *** ./server: free(): invalid pointer: 0x0806ed48 *** ...

I tried to create the filename string also using memcpy. Everything is fine until this string becomes null-terminated... I know, that sounds very strange, but does anybody have any idea how to solve that problem??

free() showing an invalid pointer is most likely the consequence of the heap memory management running into corrupted data structures.
* Using sprintf() is a bad idea. Use snprintf(), which will enforce a length check preventing the buffer (filename) from overrun.
* You don't say in which way filename or dirpt->d_name are allocated.
* Use a dynamic memory allocation debugger like Efence to help in tracking down this issue.

Best regards, Lutz
Re: DES-only OpenSSL version: technical aspects
Fred Picher wrote:
Hello all, I'd like to get all of the ciphers that are tagged 'export' as well as the 56-bit ones that are not. Eg.: (list somewhat shortened in width)

    EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Enc=DES(56)
    EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Enc=DES(56)
    DES-CBC-SHA             SSLv3 Kx=RSA      Enc=DES(56)
    DES-CBC-MD5             SSLv2 Kx=RSA      Enc=DES(56)
    EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Enc=DES(40) export
    EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Enc=DES(40) export
    EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Enc=DES(40) export
    EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Enc=RC2(40) export
    EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Enc=RC2(40) export
    EXP-RC4-MD5             SSLv3 Kx=RSA(512) Enc=RC4(40) export
    EXP-RC4-MD5             SSLv2 Kx=RSA(512) Enc=RC4(40) export

I've tried using these names for Configure, as in:

    ../Configure no-DHE-RSA-AES256-SHA no-AES256-SHA no-EDH-RSA-DES-CBC3-SHA no-DES-CBC3-SHA (...)

but that results in syntax errors such as:

    .../../include/openssl/opensslconf.h:75:31: error: missing ')' after defined
    .../../include/openssl/opensslconf.h:75:32: error: missing binary operator before token SHA

Which are due to the presence of dashes in defines such as:

    openssl/opensslconf.h
    if defined(OPENSSL_NO_AES128-SHA)
    if defined(OPENSSL_NO_DHE-RSA-AES128-SHA)

So on so forth. So, that's seemingly not the way to call ./Configure with the 'no-' option. Then I tried using:

    ../Configure no-aes no-rsa no-dss no-rc4 no-rc2

This works, but gives only these two ciphers:

    openssl ciphers -v
    EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH      Enc=DES(56)
    EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Enc=DES(40) export

What I'm trying to find is how to precisely have all of the 'export' ciphers along with the 56-bit ones not tagged as exportable. What would be the proper way to use the Configure 'no-' option to achieve this? Thanks again for any suggestions/hints/comments!

The OpenSSL configuration tools do not support such limitation. libcrypto does not support any limitation at all beyond removing algorithms with the side effects you already noted. RC4 is a 128bit algorithm. Its 40bit incarnation just uses 88 known bits to fill the key. You could adjust the ciphers supported by your own software by selecting only the export ciphers:

    openssl ciphers -v EXP

see man SSL_CTX_set_cipher_list. If this is not sufficient you may check out ssl/sslv3.c etc and actually remove the ciphers you don't want to support in your libssl from the registration tables.

Best regards, Lutz
[FWD] Re: Convert a DER certificate to PEM certificate
Forwarded mail missing the correct mailing list due to a typo.

Best regards, Lutz

- Forwarded message from [EMAIL PROTECTED] -
In-Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Convert a DER certificate to PEM certificate
From: [EMAIL PROTECTED]
Date: Fri, 8 Aug 2008 13:42:05 -0400

Please help me with the command line to convert a DER Certificate to PEM Certificate. Also please confirm when I convert it to PEM will the certificate have the private key or not.

Regards, Mandira Sen
900 Chelmsford Street Tower 2, Floor 11 Lowell, MA 01851 (978) 805-1816

Lutz Jaenicke [EMAIL PROTECTED]
08/08/2008 10:05 AM
Please respond to [EMAIL PROTECTED]
To [EMAIL PROTECTED]
cc
Subject Re: Convert a DER certificate to PEM certificate

Dear Sir or Madam, please direct your question to openssl-users@openssl.org (after subscribing at http://www.openssl.org/support/). It will then be publicly discussed on the mailing list.

Best regards, Lutz

On Fri, Aug 08, 2008, [EMAIL PROTECTED] wrote:
Please help me with the command line to convert a DER Certificate to PEM Certificate. Also please confirm when I convert it to PEM will the certificate have the private key or not?

Regards, Mandira Sen
900 Chelmsford Street Tower 2, Floor 11 Lowell, MA 01851 (978) 805-1816

This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase Co., its subsidiaries and affiliates. This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. Please refer to http://www.jpmorgan.com/pages/disclosures for disclosures relating to UK legal entities.

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: SSL_get_peer_certificate() failing
From the mail thread I take it that your problem is visible at the client side of the connection, so a server certificate should always be sent as long as you are not using an anonymous cipher (which needs to be enabled specifically). Are you using SSL_connect() to explicitly connect to the server? Did you check the return value of SSL_connect() to be 1 for success? There must be a session established between the client and the server as the session object contains the premaster secret from which the secret keys for the communication are derived. Therefore the s->session object cannot be 0 for an established connection. You should also consider using ssldump to analyze your connection attempt on the wire. It also seems that wireshark is now quite powerful in analyzing SSL protocol communication.

Best regards, Lutz

M wrote:
I know that s isn't null because I check its value before I call SSL_get_peer_certificate(). I've also verified that s->session is in fact NULL before the call to SSL_get_peer_certificate(). I can still send data across the link - I've tested using BIO_read() and BIO_write() to see if the machines can communicate and I was able to successfully write/read messages. One thing I did notice, and thanks for pointing this out, is that my SSL_set_verify callback function is never getting called, which is strange. I'm using OpenSSL 0.9.8f running on AIX.

Thanks, John M.
[FWD] Compiling error
Forwarded to openssl-users for discussion.

Best regards, Lutz

- Forwarded message from Raghu K [EMAIL PROTECTED] -
Date: Thu, 24 Jul 2008 11:48:17 +0530
From: Raghu K [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Compiling error

Hi all, Can you please tell me the reason? In our project we have used openssl and I am getting this error

    /bin/sh: line 1: openssl.static: command not found
    make[1]: *** [openssl] Error 127
    make[1]: Leaving directory `/data/rkorada/gate/mwar/utils/openssl-0.9.7l/apps'
    make: *** [sub_all] Error 1
    make: Leaving directory `/data/rkorada/gate/mwar/utils/openssl-0.9.7l'

So please let me know if you know the reason

Raghu

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: Website correction request: only subscribers can post to openssl-users
Frank J. Iannarilli wrote:
Hi, On the following page: http://www.openssl.org/support/ it declares that anybody can post to the openssl-users. But evidently (from my experience), that's not true; only subscribers can. Unfortunately, browsing the website doesn't unambiguously indicate whom I should notify about this. So this post is the next best thing, I hope.

As you have already noted SPAM protection required some changes. I have just updated the webpage. Note: all posts from non-subscribers are put into a moderation queue so they tend to pop up eventually. It just takes more time depending on my schedule :-)

Best regards, Lutz
[FWD] Not able to use openssl
Forwarded to openssl-users for public discussion

Best regards, Lutz

- Forwarded message from Satya Narayan [EMAIL PROTECTED] -
Date: Tue, 1 Jul 2008 17:12:41 +0200
From: Satya Narayan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Not able to use openssl

Hi, I have downloaded OpenSSL 'Win32 OpenSSL v0.9.8h' (http://www.slproweb.com/download/Win32OpenSSL-0_9_8h.exe) for Windows (XP) and installed it on my local machine. Now I am trying to open 'openSSL.exe' from the command prompt and it is giving an error like: the application has failed to start, the application configuration is incorrect. Is there any system requirement, VC++? Or any extra thingy I need to perform? Please help me out

Thanks Regards
Satya N Tailor

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] openssl command propt
Forwarded to openssl-users for public discussion

Best regards, Lutz

- Forwarded message from richard jonik [EMAIL PROTECTED] -
Date: Tue, 1 Jul 2008 13:19:07 -0700 (PDT)
From: richard jonik [EMAIL PROTECTED]
Subject: openssl command propt
To: [EMAIL PROTECTED]

I am trying to use a sandbox account with paypal. My command prompt won't allow me to enter a password at all! For:

    openssl pkcs12 -export -in cert_key_pem.txt -out fileout.p12

when asked for the password my keyboard is completely frozen. This also happens for passwd -1. I have tried all versions and cannot get this to work. How frustrating. Any ideas? Version 0.9.8g 19 oct 2007.

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
[FWD] request UP UX openssl A.00.09.07l
Forwarded to openssl-users for public discussion.

Best regards, Lutz

- Forwarded message from Soverini Luca [EMAIL PROTECTED] -
From: Soverini Luca [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 27 Jun 2008 15:46:56 +0200
Subject: request UP UX openssl A.00.09.07l

Can I have some help? How can I disable, in openssl on the HPUX platform, SSLv2 and weak ciphers in favour of large encryption keys?

Kind regards
Luca Soverini
T.IO.DC.NE Delivery Operations/Server Unix

The information contained in or attached to this mail is classified: TELECOM S.p.A. - Internal use - and is addressed solely to the addressee, who undertakes to keep the information relating to it confidential. Anyone who receives this mail in error is required to inform the sender immediately and to destroy the information contained in it. Thank you for your cooperation.

CONFIDENTIALITY NOTICE This message and its attachments are addressed solely to the persons above and may contain confidential information. If you have received the message in error, be informed that any use of the content hereof is prohibited. Please return it immediately to the sender and delete the message. Should you have any questions, please contact us by replying to [EMAIL PROTECTED] Thank you www.telecomitalia.it

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: No error messages on Linksys Openwrt
Thomas Mangold wrote:
Hello, calling i2d_RSAPublicKey() I get on a linksys running OpenWrt kamikaze 7.09 the following errors.

    error:0D07207B:lib(13):func(114):reason(123)
    error:0D068066:lib(13):func(104):reason(102)
    error:0D07803A:lib(13):func(120):reason(58)

Can anybody please tell me what this means? In the beginning I load

    ERR_load_crypto_strings();
    SSL_load_error_strings();

but that seems somehow not to work. In which header file of the OpenSSL source are those numbers defined?

Marek Marcola already proposed openssl errstr. The missing error strings indicate that the libraries were configured/compiled with -no-err.

Best regards, Lutz
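
How the hex code in such a line maps onto the lib/func/reason numbers printed next to it, as an added example that is not code from the thread or from OpenSSL. It assumes the packing used by the ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros of the 0.9.8-era err.h (8-bit library, 12-bit function, 12-bit reason); `parse_err_line` and `lib_name` are hypothetical helpers, and the library names are a subset of the ERR_LIB_* constants.

```c
#include <stdio.h>
#include <string.h>

struct ossl_err {
    unsigned long code;      /* packed error code as printed in hex */
    int lib, func, reason;   /* fields unpacked from code */
};

/* Subset of the ERR_LIB_* numbers from err.h, enough to tell which
 * part of the library raised the error when the strings are compiled out. */
const char *lib_name(int lib)
{
    switch (lib) {
    case 2:  return "SYS";
    case 3:  return "BN";
    case 4:  return "RSA";
    case 6:  return "EVP";
    case 9:  return "PEM";
    case 11: return "X509";
    case 13: return "ASN1";
    case 20: return "SSL";
    default: return "unknown";
    }
}

/*
 * Parse one line of the form "error:<hex>:lib(N):func(N):reason(N)".
 * Returns  0 if the line parses and the printed fields match the hex code,
 *         -1 if the line is malformed,
 *         -2 if the printed fields disagree with the hex code.
 */
int parse_err_line(const char *line, struct ossl_err *e)
{
    unsigned int code;
    int lib, func, reason;

    if (line == NULL || e == NULL)
        return -1;
    if (sscanf(line, "error:%8x:lib(%d):func(%d):reason(%d)",
               &code, &lib, &func, &reason) != 4)
        return -1;

    /* Assumed layout: bits 31..24 library, 23..12 function, 11..0 reason. */
    e->code   = code;
    e->lib    = (int)((code >> 24) & 0xffu);
    e->func   = (int)((code >> 12) & 0xfffu);
    e->reason = (int)(code & 0xfffu);

    if (e->lib != lib || e->func != func || e->reason != reason)
        return -2;
    return 0;
}

int main(void)
{
    /* The three lines quoted in the message above. */
    const char *lines[] = {
        "error:0D07207B:lib(13):func(114):reason(123)",
        "error:0D068066:lib(13):func(104):reason(102)",
        "error:0D07803A:lib(13):func(120):reason(58)",
    };
    struct ossl_err e;
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = parse_err_line(lines[i], &e);
        if (rc == 0)
            printf("%08lX -> library %s (%d), function %d, reason %d\n",
                   e.code, lib_name(e.lib), e.lib, e.func, e.reason);
        else
            printf("cannot decode (%d): %s\n", rc, lines[i]);
    }
    return 0;
}
```

With the error strings compiled out, the library number is still enough to see that all three errors quoted above come from the ASN.1 code.
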
Re: Certificate verification fails on MIPS architecture
Till Elsner wrote:
I tried to track down the problem, but it still seems that, when it comes to certificate verification, on the OpenWRT fails what works on a standard linux desktop PC. I wrote a short program that validates certificates, which I'll append to this mail. If someone has some MIPSEL platform available please verify my results since I really need to know if this error is caused by a programming mistake on my side, by some bug in OpenSSL or simply by a lack of understanding. I used the OpenWRT's SDK for cross compilation (the whiterussian one, because the Kamikaze version doesn't include OpenSSL). The problem still existing is that it seems to work on both platforms, but on the MIPSEL it's not validating a (valid) certificate, while it does on Linux.

Your example program is still missing the verify_callback(). The verify_callback() is called for each certificate in the chain that is checked. Once with success if no problem was encountered, and if problems with the validation are encountered it is called so that the respective error can be treated (maybe just printed). Without the verify_callback you will never find out why the verification fails. Having this said, there is another thread being discussed about OpenWRT that indicates that at least non-standard configurations are being used in the compilation of the toolkit (-no-err in the case mentioned, to save the memory for the error strings). I am working in an embedded environment myself and we once had a problem when we disabled an algorithm (to save memory) at build time that later on was needed for certificate verification because some certificates were signed with it.

Best regards, Lutz

Thanks in advance
Till

--- BEGIN CERTTEST.C ---
    /*
     * verifies a certificate (PEM format) using a CA's certificate
     *
     * compile: gcc certtest.c -o certtest -lssl -lcrypto
     *
     * place the resulting executable into the same directory as the certificate
     * files:
     *   - certificate: client.pem
     *   - CA file: cacert.pem
     *
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>
    #include <openssl/x509_vfy.h>
    #include <openssl/pem.h>
    #include <openssl/err.h>

    char *cert_file, *ca_file;
    FILE *cert_fp;
    X509 *x509;
    X509_STORE_CTX *x509_ctx;
    X509_STORE *x509_store;
    X509_LOOKUP *x509_lookup;
    X509_NAME *x509_name;

    int main()
    {
        cert_file = "client.pem";
        ca_file = "cacert.pem";

        SSL_library_init();
        ERR_load_crypto_strings();

        // open certificate file
        if (!(cert_fp = fopen(cert_file, "r"))) {
            printf("ERR: Error opening certificate file: %s. Exiting.\n", strerror(errno));
            exit(2);
        } else {
            printf("Certificate file opened.\n");
        }

        // read certificate
        if (!(x509 = PEM_read_X509(cert_fp, NULL, NULL, NULL))) {
            printf("ERR: Error reading certificate from file: %s\n", ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("Certificate read.\n");
        }
        fclose(cert_fp);

        // create the certificate storing object
        if (!(x509_store = X509_STORE_new())) {
            printf("ERR: Error creating X509_STORE object: %s. Exiting.\n", ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("Certificate storing object created.\n");
        }

        // add CA attributes to X509_STORE object
        if (X509_STORE_load_locations(x509_store, ca_file, NULL) != 1) {
            printf("ERR: Error loading CA file: %s. Exiting.\n", ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("CA certificate added to storing object.\n");
        }
        if (!(x509_lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file()))) {
            printf("ERR: Error creating X509 lookup object: %s. Exiting.\n", ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("X509 lookup object created.\n");
        }

        // create and initialize X509 verification context
        if (!(x509_ctx = X509_STORE_CTX_new())) {
            printf("ERR: Error creating X509 verification context, %s. Exiting.\n", ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("X509 verification context object created.\n");
        }
        if (X509_STORE_CTX_init(x509_ctx, x509_store, x509, NULL) != 1) {
            printf("ERR: Error initializing X509 verification context: %s. Exiting.\n", ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("X509 verification context object initialized.\n");
        }

        // verify certificate
        if (X509_verify_cert(x509_ctx) != 1) {
            printf("Error: Certificate invalid!\n");
            exit(1);
        } else {
            printf("Certificate checked and validated!\n");
            exit(0);
        }
    }
--- END CERTTEST.C ---
Re: Certificate verification fails on MIPS architecture
Till Elsner wrote:
On 26.05.2008 at 13:13, Lutz Jaenicke wrote:

Till Elsner wrote:
Ok, after verifying what platform I'm actually compiling for, it's definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). So what else could be the problem here?

On 24.05.2008 at 22:23, Lutz Jänicke wrote:
I am not aware of any specific problems of OpenSSL on MIPS platforms. As long as OpenSSL is configured correctly (big or little endian) everything should work just out of the box.

As I already wrote: I am not aware of any specific problems in MIPS. Having this said, your problem report does not really help much in tracking down the problem. It reads: Hey, it fails, what might be wrong? Without any more details we cannot help you. What exactly happens? Your application does crash? When verifying certificates, against which CAs? Is your filesystem layout containing the CA certificates the same?

Ok, I see this was really not very detailed and not very helpful for finding a solution. So what happens is the following: I have a self-signed certificate used as CA and some certificates signed by this CA. Checking the signature with OpenSSL on the command line verifies the certificates correctly. Now in the software I've built, the certificates get verified against my CA using X509_verify_cert (which should work quite similar to what OpenSSL does on the command line, I think). Now when I run the program on standard linux desktop machines (tried on debian distros), everything works fine, the certificates get verified just like they should. But when I compile the program for a router and run it there, it also starts, but the verification of the certificates fails. No crashes, no error messages saying something is wrong with OpenSSL, just the failing verification. The router is a Linksys WRT54G running OpenWRT 7.09.

If your application is using X509_verify_cert() it uses a X509_STORE_CTX that must be initialized with the certificates to verify against and can be initialized with a verification callback function that is fed with the error codes and finally decides about whether a certificate is accepted or not. Unfortunately there is no manual page for X509_verify_cert(), but it is the same function that is used internally for SSL certificate verification and the behaviour and the callback function are described in the SSL_CTX_set_verify() manpage. A good source of information might be ssl/ssl_cert.c:ssl_verify_cert_chain()

Best regards, Lutz
Re: Certificate verification fails on MIPS architecture
Till Elsner wrote:
Ok, after verifying what platform I'm actually compiling for, it's definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). So what else could be the problem here?

On 24.05.2008 at 22:23, Lutz Jänicke wrote:
I am not aware of any specific problems of OpenSSL on MIPS platforms. As long as OpenSSL is configured correctly (big or little endian) everything should work just out of the box.

As I already wrote: I am not aware of any specific problems in MIPS. Having this said, your problem report does not really help much in tracking down the problem. It reads: Hey, it fails, what might be wrong? Without any more details we cannot help you. What exactly happens? Your application does crash? When verifying certificates, against which CAs? Is your filesystem layout containing the CA certificates the same?

Best regards, Lutz
[FWD] Build fips test fails
    -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM fips_desmovs.o -ldl
    fips_desmovs.o: In function `DESTest':
    fips_desmovs.c:(.text+0x33f): undefined reference to `EVP_des_ede3_ofb'
    :fips_desmovs.c:(.text+0x417): undefined reference to `EVP_des_ede3_cbc'
    :fips_desmovs.c:(.text+0x421): undefined reference to `EVP_des_ede3_cfb64'
    :fips_desmovs.c:(.text+0x43a): undefined reference to `EVP_CipherInit'
    :fips_desmovs.c:(.text+0x479): undefined reference to `EVP_des_cfb64'
    :fips_desmovs.c:(.text+0x4ae): undefined reference to `EVP_des_ecb'
    :fips_desmovs.c:(.text+0x4b8): undefined reference to `EVP_des_cfb1'
    :fips_desmovs.c:(.text+0x4c2): undefined reference to `EVP_des_ofb'
    :fips_desmovs.c:(.text+0x4cc): undefined reference to `EVP_des_cbc'
    :fips_desmovs.c:(.text+0x4d6): undefined reference to `EVP_des_cfb8'
    :fips_desmovs.c:(.text+0x4e0): undefined reference to `EVP_des_ede3_ecb'
    :fips_desmovs.c:(.text+0x4ea): undefined reference to `EVP_des_ede3_cfb8'
    :fips_desmovs.c:(.text+0x4f4): undefined reference to `EVP_des_ede3_cfb1'
    :fips_desmovs.c:(.text+0x508): undefined reference to `ERR_print_errors_fp'
    fips_desmovs.o: In function `do_mct':
    fips_desmovs.c:(.text+0x146b): undefined reference to `DES_set_odd_parity'
    :fips_desmovs.c:(.text+0x1478): undefined reference to `DES_set_odd_parity'
    :fips_desmovs.c:(.text+0x1485): undefined reference to `DES_set_odd_parity'
    fips_desmovs.o: In function `main':
    fips_desmovs.c:(.text+0x2be8): undefined reference to `ERR_load_crypto_strings'
    collect2: ld returned 1 exit status
    make[2]: *** [fips_desmovs] Error 1
    make[2]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/test'
    make[1]: *** [tests] Error 2
    make[1]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2'

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: The rules of SSL-Certificate validation?
Anri Lau wrote:
Hi Lutz,

On 18/04/2008, Lutz Jaenicke [EMAIL PROTECTED] wrote:

Anri Lau wrote:
Hi All, Anyone know how many rules should be performed when building a TLS connection? I have some test cases. The certificate time is not valid, validation failed. But the certificate passed if the validity dates of the child certificate are not contained within the validity dates of the parent certificate. As I know, both of the above are the standard rules of digital certificates.

I am not sure whether I understand you correctly. If the validity dates of the child certificate are not contained within the parent certificate, there should be no date at which both of them are valid at the same time!? Or do you mean that they somewhat overlap and the current date is within the overlapping region?

This rule is independent of current time. E.g. if the validity dates of the parent certificate are 2008/04/18~2009/04/18 and the ones of the child certificate are 2008/06/18~2009/06/18 or 2008/03/18~2009/03/18, the certificate chain should be invalid. The validity dates of the child certificate should be between the ones of the parent (2008/04/18~2009/04/18).

Ok, so we are facing a violation of policies at the CA. At the date of certificate verification we are however checking whether all components of the certificate chain are valid at this day. Even though the overlapping dates are a violation of the standard, the question is whether we should actually enforce this inside the library. It might lead to a communication failure with sites a lot of poor souls set up without taking care of this fact...

Best regards, Lutz
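
The two checks contrasted in this exchange, side by side, as an added example that is not code from the thread or from OpenSSL: validity on the day of verification (what the reply says the library checks) against the nesting rule described in the question. The YYYYMMDD integer representation and all function names are assumptions; the dates are the ones quoted above.

```c
#include <stdio.h>

/* Validity period as YYYYMMDD integers (constructed representation).
 * chain[0] is the leaf; each following entry is the issuer of the one before. */
struct validity {
    const char *name;
    long not_before;
    long not_after;
};

/* Parent 2008/04/18~2009/04/18 with the two child periods from the thread. */
static const struct validity CHAIN_LATE[] = {
    { "child",  20080618L, 20090618L },
    { "parent", 20080418L, 20090418L },
};
static const struct validity CHAIN_EARLY[] = {
    { "child",  20080318L, 20090318L },
    { "parent", 20080418L, 20090418L },
};

/* Check 1: every certificate in the chain is valid on the given day.
 * Returns 1 if so, 0 otherwise. */
int chain_valid_on(const struct validity *chain, int n, long day)
{
    int i;
    for (i = 0; i < n; i++)
        if (day < chain[i].not_before || day > chain[i].not_after)
            return 0;
    return 1;
}

/* Check 2: nesting rule. Returns the index of the first certificate whose
 * period is not contained in its issuer's period, or -1 if all are nested. */
int first_not_nested(const struct validity *chain, int n)
{
    int i;
    for (i = 0; i + 1 < n; i++)
        if (chain[i].not_before < chain[i + 1].not_before ||
            chain[i].not_after  > chain[i + 1].not_after)
            return i;
    return -1;
}

/* Window in which check 1 can succeed: latest notBefore to earliest
 * notAfter. Returns 1 and fills from/to, or 0 if the periods do not overlap. */
int chain_window(const struct validity *chain, int n, long *from, long *to)
{
    int i;
    if (n <= 0)
        return 0;
    *from = chain[0].not_before;
    *to   = chain[0].not_after;
    for (i = 1; i < n; i++) {
        if (chain[i].not_before > *from) *from = chain[i].not_before;
        if (chain[i].not_after  < *to)   *to   = chain[i].not_after;
    }
    return *from <= *to;
}

int main(void)
{
    long from, to;

    if (chain_window(CHAIN_LATE, 2, &from, &to))
        printf("late child: whole chain valid %ld..%ld\n", from, to);
    printf("late child: valid on 20081001: %d, nesting violation at index %d\n",
           chain_valid_on(CHAIN_LATE, 2, 20081001L),
           first_not_nested(CHAIN_LATE, 2));

    if (chain_window(CHAIN_EARLY, 2, &from, &to))
        printf("early child: whole chain valid %ld..%ld\n", from, to);
    printf("early child: valid on 20080401: %d, nesting violation at index %d\n",
           chain_valid_on(CHAIN_EARLY, 2, 20080401L),
           first_not_nested(CHAIN_EARLY, 2));
    return 0;
}
```

Both chains from the thread fail the nesting rule, yet each passes the day-of-verification check on any date inside the overlap of the two periods.
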
Re: The rules of SSL-Certificate validation?
Anri Lau wrote:
> Hi All,
> Does anyone know how many rules should be performed when building a TLS connection? I have some test cases. The certificate time is not valid, validation failed. But the certificate passed if the validity dates of the child certificate are not contained within the validity dates of the parent certificate. As I know, both of the above are the standard rules of digital certificates.

I am not sure whether I understand you correctly. If the validity dates of the child certificate are not contained within the parent certificate, there should be no date at which both of them are valid at the same time!? Or do you mean that they somewhat overlap and the current date is within the overlapping region?

Best regards,
Lutz
Re: OpenSSL trusted root store
Steve Roylance wrote:
> Dear list,
>
> One of my responsibilities is to ensure that GlobalSign’s roots are embedded within devices and operating systems. Recently a major browser provider indicated the following:-
>
> /“However, for the most part we integrate with third party SSL/TLS libraries. On these devices we do not generally control what goes into the root store of the device. In these cases I think you will have to talk to the various device manufacturers we integrate with, and sometimes the SSL/TLS library provider./
> /A few typical ones; Certicom, *OpenSSL*, MatrixSSL, etc.”/
>
> Can someone point me in the right direction please to ensure future OpenSSL versions have the correct GlobalSign Roots. We’ve recently updated our roots and therefore have new ones to embed. I’m not sure to whom I need to direct my request.

If the respective CA certificate is not already included in the latest snapshots, the official way to have your request processed is to send it to OpenSSL's request tracker: http://www.openssl.org/support/rt.html

Best regards,
Lutz