Remove me please

2010-12-03 Thread Richard Buskirk
Sorry to use this list for this.
But I have tried every way I know to get off the list. Suggestions?


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Mounir IDRASSI
Sent: Friday, December 03, 2010 1:04 PM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

Hi,

In order to enable the CAPI engine, you have to use the enable-capieng switch:
this will compile the CAPI engine statically inside OpenSSL.
Here is an example of a configure command line for this:

perl Configure VC-WIN32 --prefix=c:/openssl enable-capieng

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/3/2010 6:21 PM, Fili, Tom wrote:
 Ok, so I realized if I run Configure with no-static-engine I'll get 
 the separate dlls. These are the commands I run

 C:\Documents and Settings\tfili\Desktop\openssl-0.9.8k>perl Configure VC-WIN32 --prefix=c:\temp\openssl no-static-engine

 ms\do_ms.bat

 nmake -f ms\ntdll.mak

 Unfortunately I now get the following errors:


  link /debug /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll.dbg\4758cca.dll @C:\DOCUME~1\tfili\LOCALS~1\Temp\nm2E34.tmp
 Creating library out32dll.dbg\4758cca.lib and object out32dll.dbg\4758cca.exp

 e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_get_ex_data referenced in function _cca_rsa_pub_enc
 e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_size referenced in function _cca_rsa_pub_enc
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_free referenced in function _cca_rsa_verify
 e_4758cca.obj : error LNK2019: unresolved external symbol _OPENSSL_cleanse referenced in function _cca_rsa_verify
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_malloc referenced in function _cca_rsa_verify
 e_4758cca.obj : error LNK2019: unresolved external symbol _i2d_X509_SIG referenced in function _cca_rsa_verify
 e_4758cca.obj : error LNK2019: unresolved external symbol _OBJ_nid2obj referenced in function _cca_rsa_verify
 e_4758cca.obj : error LNK2019: unresolved external symbol _ERR_put_error referenced in function _ERR_CCA4758_error
 e_4758cca.obj : error LNK2019: unresolved external symbol _ERR_get_next_error_library referenced in function _ERR_CCA4758_error
 e_4758cca.obj : error LNK2019: unresolved external symbol _ERR_set_implementation referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_set_ex_data_implementation referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_set_dynlock_destroy_callback referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_set_dynlock_lock_callback referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_set_dynlock_create_callback referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_set_add_lock_callback referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_set_locking_callback referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _CRYPTO_set_mem_functions referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_get_static_state referenced in function _bind_engine
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_cmd_defns referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_load_pubkey_function referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_load_privkey_function referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_ctrl_function referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_finish_function referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_init_function referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_destroy_function referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_RAND referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_RSA referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_name referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ENGINE_set_id referenced in function _bind_helper
 e_4758cca.obj : error LNK2019: unresolved external symbol _ERR_load_strings referenced in function _ERR_load_CCA4758_strings
 e_4758cca.obj : 

Issue with clients Operating System on certs

2010-07-16 Thread Richard Buskirk
I sent this situation off to the help team but maybe it is either that stupid 
or that hard.

I have installed 2 SSL Certs on my server.
I am using a naming convention for apache configuration for each cert.

Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 
OpenSSL/0.9.8k PHP/5.2.11

httpd-vhost.conf
___
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile C:\\certs\\ServerA.crt
SSLCertificateKeyFile C:\\certs\\ServerA.key
ServerName www.ServerA.com
SSLOptions StrictRequire
SSLProtocol all -SSLv2
ServerAdmin notice@ServerA.com
DocumentRoot "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ServerA"
ErrorLog "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access-ServerA.log"
CustomLog logs/access-ssl-www.ServerA.com common
</VirtualHost>


<VirtualHost *:443>
SSLEngine on
SSLCertificateFile C:\\certs\\ServerB.crt
SSLCertificateKeyFile C:\\certs\\ServerB.key
ServerName www.ServerB.com
SSLOptions StrictRequire
SSLProtocol all -SSLv2
ServerAdmin notice@ServerB.com
DocumentRoot "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ServerB"
ErrorLog "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access-ServerB.log"
CustomLog logs/access-ssl-www.ServerB.com common
</VirtualHost>


Here is where my scenario goes very weird.  A computer with Windows 7 browses to 
both locations and everything is perfect.
A computer with Windows XP browses to siteA with no issue. But if they go to 
siteB, the cert for Site A is used on SiteB's load every time no matter what 
computer they are on.
SiteB does show the proper site but the cert is the wrong cert. This fails 
in Firefox, IE, Safari, Google Chrome on Windows XP.



Any suggestions?
Does this make sense what I am saying?

Richard L.  Buskirk
Senior Software Developer




RE: Issue with clients Operating System on certs

2010-07-16 Thread Richard Buskirk
This makes sense to me.
Mounir IDRASSI talked about the SNI which made sense but the solution was not 
an option. 
Your suggestion is a little complex to set up in my load balancer, but very 
doable and does not create an OS or browser requirement.

I am very new to this list but you guys rock, I guess I was expecting the 
typical list responses, not intelligent ones like you guys gave.

Thank you.

Richard L.  Buskirk
Senior Software Developer 
Indatus



-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jakob Bohm
Sent: Friday, July 16, 2010 10:07 AM
To: openssl-users@openssl.org
Subject: Re: Issue with clients Operating System on certs

On 16-07-2010 15:31, Richard Buskirk wrote:
 I sent this situation off to the help team but maybe it is either that stupid 
 or that hard.

 I have installed 2 SSL Certs on my server.
 I am using a naming convention for apache configuration for each cert.

 Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 
 OpenSSL/0.9.8k PHP/5.2.11

 httpd-vhost.conf
 ___
 NameVirtualHost *:443
 <VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile C:\\certs\\ServerA.crt
  SSLCertificateKeyFile C:\\certs\\ServerA.key
  ServerName www.ServerA.com
  SSLOptions StrictRequire
  SSLProtocol all -SSLv2
  ServerAdmin notice@ServerA.com
  DocumentRoot "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ServerA"
  ErrorLog "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access-ServerA.log"
  CustomLog logs/access-ssl-www.ServerA.com common
 </VirtualHost>


 <VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile C:\\certs\\ServerB.crt
  SSLCertificateKeyFile C:\\certs\\ServerB.key
  ServerName www.ServerB.com
  SSLOptions StrictRequire
  SSLProtocol all -SSLv2
  ServerAdmin notice@ServerB.com
  DocumentRoot "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ServerB"
  ErrorLog "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access-ServerB.log"
  CustomLog logs/access-ssl-www.ServerB.com common
 </VirtualHost>


 Here is where my scenario goes very weird.  A computer with Windows 7 browses 
 to both locations and everything is perfect.
 A computer with Windows XP browses to siteA with no issue. But if they go to 
 siteB, the cert for Site A is used on SiteB's load every time no matter what 
 computer they are on.
 SiteB does show the proper site but the cert is the wrong cert. This 
 fails in Firefox, IE, Safari, Google Chrome on Windows XP.

 Any suggestions?
 Does this make sense what I am saying?

It looks like you are trying to serve up two different certificates on 
the same IP address (all addresses of your server=*) and port (443), 
depending on the DNS name the browser used to locate the server.

This is a very recent extension to the SSL/TLS protocols and is probably 
only implemented by a few very new browsers, such as the IE version in 
Windows 7.  Older browsers not implementing this recent
standard just have no way of telling the server which certificate they
want, and so the server uses the first one in its configuration.

There are two standard solutions to this problem (until most of the
world's SSL clients implement the extensions):

A) Give your server two IP addresses (such as 10.0.0.1 and 10.0.0.2),
make www.ServerA.com point to 10.0.0.1 and www.ServerB.com point to
10.0.0.2.  Finally, in your Apache config, specify those addresses in
place of the * for the different configurations.
   Benefit: Traditional.  Problem: Uses more IPv4 addresses.

B) Get the CA to issue a single certificate valid for both server names
(e.g. by specifying both names in various certificate fields).  Then 
tell Apache to do normal virtual hosting but with a single SSL certificate.
Benefit: Uses only one IPv4 address per server.
Problem: Not all combinations of server names can be combined in
   a single certificate if compatibility with many browser
   implementations is needed.  Others on this list can probably say
   which combinations are technically possible, and how.



__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org