Re: EVP_PKEY_get_raw_public_key fails with OpenSSL 3.0

[James Muir]

On 2022-11-10 18:35, f...@plutonium24.de wrote:
I have been using EVP_PKEY_get_raw_public_key with OpenSSL 1.1.1 without 
any problems to extract a raw public key (secp521r1, NIST curve P-521). 
With OpenSSL 3.0 this fails. I'm using this call to get the raw public 
key and to compare it with a reference value I have and I also check 
that the group name is "secp521r1".


That doesn't work in 3.0.

Quoting from 
https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html  :



EVP_PKEY_get_raw_public_key() fills the buffer provided by pub with raw 
public key data. The size of the pub buffer should be in *len on entry 
to the function, and on exit *len is updated with the number of bytes 
actually written. If the buffer pub is NULL then *len is populated with 
the number of bytes required to hold the key. The calling application is 
responsible for ensuring that the buffer is large enough to receive the 
public key data. This function only works for algorithms that support 
raw public keys. Currently this is: EVP_PKEY_X25519, EVP_PKEY_ED25519, 
EVP_PKEY_X448 or EVP_PKEY_ED448.



You were reading the P521 public-key previously (with 1.1.1), but in 
what format was it sent you?  Do you want just the bytes of the public 
EC point?


-James M

webpages not available

[James Muir]

https://www.openssl.org/docs/manmaster/man7/provider.html  ("service 
unavailable")

https://wiki.openssl.org/index.php/OpenSSL_3.0  ("unable to connect")

The urls above do not seem to work.  Is this a consequence with the 
recent release withdrawal?


The main web page, www.openssl.org, seems to work as normal.

-James M

Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

[Roger James via openssl-users]

As I mentioned in an earlier post you need version 1.1 or later of openssl 
to successfully validate post September 30, 2021 Lets Encrypt certificates. 
The version on your Centos system is 1.0.

Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

[Roger James]

On 3 September 2022 19:26:50 Shawn Heisey via openssl-users 
 wrote:



On 9/2/22 21:42, Shawn Heisey via openssl-users wrote:

Other bare metal systems and their results with the same PEM file:

Verifies on Proxmox (the one running the VM) with openssl 1.1.1n
Verifies on Ubuntu 22.04 with openssl 3.0.2
Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips


Additional tests done with an identical PEM file and the results:

Passed on Ubuntu Server 22.04 VM, openssl 3.0.2, installed on the same
proxmox host as the Alma VM that fails.
Passed on Ubuntu 22.04 desktop bare metal, openssl 3.0.2
Failed on Centos 7 VM running in qemu on that Ubuntu desktop, openssl
1.0.2k-fips
Failed on Fedora35 VM running in qemu on that Ubuntu desktop, openssl 1.1.1q
Passed on Ubuntu Server 22.04 bare metal, using quictls openssl version
3.0.5+quic

Looks like there is something about RPM-based distros that breaks part
of openssl.

One other bit of info.  I ran another test on the Alma VM where I
compiled the master branch of https://github.com/openssl/openssl to
/usr/local/ossl3 and used that to try the verify. This is the failure
output:

[root@certs ~]# /usr/local/bin/ossl verify -CAfile
/etc/ssl/certs/local/DOMAIN.wildcards.pem
/etc/ssl/certs/local/DOMAIN.wildcards.pem
C=US, O=Let's Encrypt, CN=R3
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed
[root@certs ~]# /usr/local/bin/ossl version
OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )


Thoughts?

Thanks,
Shawn


You need openssl version 1.1 or later to successfully validate this 
certificate. 
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

[Roger James]

On 3 September 2022 19:26:50 Shawn Heisey via openssl-users 
 wrote:



On 9/2/22 21:42, Shawn Heisey via openssl-users wrote:

Other bare metal systems and their results with the same PEM file:

Verifies on Proxmox (the one running the VM) with openssl 1.1.1n
Verifies on Ubuntu 22.04 with openssl 3.0.2
Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips


Additional tests done with an identical PEM file and the results:

Passed on Ubuntu Server 22.04 VM, openssl 3.0.2, installed on the same
proxmox host as the Alma VM that fails.
Passed on Ubuntu 22.04 desktop bare metal, openssl 3.0.2
Failed on Centos 7 VM running in qemu on that Ubuntu desktop, openssl
1.0.2k-fips
Failed on Fedora35 VM running in qemu on that Ubuntu desktop, openssl 1.1.1q
Passed on Ubuntu Server 22.04 bare metal, using quictls openssl version
3.0.5+quic

Looks like there is something about RPM-based distros that breaks part
of openssl.

One other bit of info.  I ran another test on the Alma VM where I
compiled the master branch of https://github.com/openssl/openssl to
/usr/local/ossl3 and used that to try the verify. This is the failure
output:

[root@certs ~]# /usr/local/bin/ossl verify -CAfile
/etc/ssl/certs/local/DOMAIN.wildcards.pem
/etc/ssl/certs/local/DOMAIN.wildcards.pem
C=US, O=Let's Encrypt, CN=R3
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed
[root@certs ~]# /usr/local/bin/ossl version
OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )


Thoughts?

Thanks,
Shawn
R3 is a lets encrypt intermediate cert. This could be due to the retirement 
of the ISRG X1 certificate last year. I would check that  /etc/ssl/certs or 
wherever the default ca store is on your systems, is up to date.

Re: Serializing SSL state

[Rouzier, James via openssl-users]

Hi Matt,

What would it take to expose this?
Also would you accept a patch if we implement what’s missing?

Thank You
James

On 6/20/22, 10:13 AM, "Matt Caswell"  wrote:



On 20/06/2022 15:11, Rouzier, James via openssl-users wrote:
> Hey Guys,
> 
> Is it possible to serialize/deserialize an ongoing TLS session in any way?
> 
> We are trying to create a stateless RADIUS server.
> Where we place multiple RADIUS servers behind a UDP loader balancer.
> Each part of EAP-TLS process could hit a different server.
> The plan is to save the current state of the TLS handshake so that any 
> server can pickup where the previous server left off.
> Is this possible with the current API of openssl?

No. This currently not possible.

Matt

Serializing SSL state

[Rouzier, James via openssl-users]

Hey Guys,

Is it possible to serialize/deserialize an ongoing TLS session in any way?

We are trying to create a stateless RADIUS server.
Where we place multiple RADIUS servers behind a UDP loader balancer.
Each part of EAP-TLS process could hit a different server.
The plan is to save the current state of the TLS handshake so that any server 
can pickup where the previous server left off.
Is this possible with the current API of openssl?

James

QUIC support in OpenSSL 3.0

[James M Snell]

Hello all,

I'm newly registered to this group. To get the introductions out of the
way, I'm a long time contributor to various open source and open standards
projects, including sitting on the Technical Steering Committee for Node.js.

I understand that Rich Salz recently posted the following note:
https://mta.openssl.org/pipermail/openssl-users/2020-February/011776.html

Over the past year I've been involved with implementing QUIC protocol
support for Node.js and we are making use of the QUIC APIs proposed in
https://github.com/openssl/openssl/pull/8797 backported to the OpenSSL
1.1.1 version that we use in Node.js.

I read this morning that a decision was apparently made to defer landing
#8797 until after 3.0 and I would like to strongly encourage and request
that the decision be revisited. Our goal in Node.js is to be able to move
to OpenSSL 3.0 as quickly as possible and the QUIC support is a key
motivator for that. We will be unable to bring QUIC out of experimental
status until we have a version of OpenSSL with stable and supported QUIC
support.

As I'm new to this particular list, I am unfamiliar with the process norms
here so please forgive me if there's anything I'm missing something
important, but I at least wanted to voice my support for getting #8797
landed.

Thank you,

James M Snell, jasn...@gmail.com

OpenSSL 1.1.1b installation

[DeCaro, James John (Jim) CIV DISA SD (US) via openssl-users]

Hello,

I am working on a Solaris 11.4 x86 64bit virtual server.  There are no specific 
applications loaded on it yet.  I am preparing it to be a BIND server 
eventually.

To that end, I downloaded and installed OpenSSL 1.1.1b so I have the latest and 
greatest to work with.

The installation seemed to go well.  Installed a gcc compiler, ran ./configure, 
make, make test and make install accepting the defaults.  No errors.  When I 
run the #openssl version -a it shows the previous version of openssl.

I have tried researching the issue, and attempting to set additional PATH 
variables in the root .profile to include /usr/local.  I think I may need to 
set symbolic links, but I am not sure.

Any assistance would be appreciated.


V/R
Jim DeCaro
DISA
Systems Administrator
SE62/Server Operations
☎ 301-225-8180 
☎ 301-375-8180 
james.j.decaro3@mail.mil
james.j.decaro3@mail.smil.mil

[openssl-users] OpenSSL version 1.1.0i make test fails - 80-test_cms.t

[James Brown via openssl-users]

Running ‘make test’ for 1.1.0i fails with:

Test Summary Report
---
../test/recipes/80-test_cms.t(Wstat: 256 Tests: 4 Failed: 1)
  Failed test:  4
  Non-zero exit status: 1
Files=99, Tests=561, 83 wallclock secs ( 0.94 usr  0.23 sys + 49.59 cusr 22.30 
csys = 73.06 CPU)
Result: FAIL
make[1]: *** [_tests] Error 1
make: *** [tests] Error 2

I first ran:

./Configure --prefix=/usr/local shared darwin64-x86_64-cc 
enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3

then

make depend

then: make test

macOS X 10.7.5

Any suggestions?

Thanks,

James.-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] What is the output format of `openssl pkcs12`? How can I make it output a PKCS#1 private key?

[James Fisher]

Hi,

I have a `Certificates.p12` file that I wish to convert to a
`certificates.pem` containing an unencrypted private key in PKCS#1 format.
I have previously been able to do this by running:

openssl pkcs12 -in Certificates.p12 -out certificates.pem -nodes
-clcerts

The resulting `certificates.pem` file has a `PRIVATE KEY` PEM block, as
expected. However, the library I'm using

does
not understand this PEM block, because it expects it to be a PKCS#1 private
key. The ASN.1 structure of a PKCS#1 private key is defined by RFC 3447
 as:

RSAPrivateKey ::= SEQUENCE {
version   Version,
modulus   INTEGER,  -- n
publicExponentINTEGER,  -- e
privateExponent   INTEGER,  -- d
prime1INTEGER,  -- p
prime2INTEGER,  -- q
exponent1 INTEGER,  -- d mod (p-1)
exponent2 INTEGER,  -- d mod (q-1)
coefficient   INTEGER,  -- (inverse of q) mod p
otherPrimeInfos   OtherPrimeInfos OPTIONAL
}

The bad private key block in my `certificates.pem` does not have this
PKCS#1 structure! Instead, its ASN.1 structure looks like this:

$ openssl asn1parse -i -in badprivatekey.pem
0:d=0  hl=4 l=1212 cons: SEQUENCE
4:d=1  hl=2 l=   1 prim:  INTEGER   :00
7:d=1  hl=2 l=  13 cons:  SEQUENCE
9:d=2  hl=2 l=   9 prim:   OBJECT:rsaEncryption
   20:d=2  hl=2 l=   0 prim:   NULL
   22:d=1  hl=4 l=1190 prim:  OCTET STRING  [HEX
DUMP]:308204A...very long hex...

What is the above format? The documentation for `openssl pkcs12`
 only vaguely says
that its output is "written in PEM format." I need a stronger guarantee
that the private key PEM block is in PKCS#1 format.

The strange thing is that `openssl rsa` understands the strange format of
the "bad" private key, and can convert it to the right PKCS#1 structure
with:

openssl rsa -in badprivatekey.pem -out goodprivatekey.pem

Although `openssl rsa` understands the input file, the tool seems unable to
tell me _why_, i.e. what the format of the input file is.

What is the output format of `openssl pkcs12`? Specifically what is the
format of its private key block? How do I make `openssl pkcs12` output a
correct PKCS#1 private key?

Thanks,
Jim
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[James Condren]

Thanks for the prompt response.  Just a little background:  I am trying to 
install OpenSSL on a Windows PC so I can view a server cert.

I have verified that the file exists and is part of the source.  I set SRCDIR 
in makefile to "C:\Workspaces\ Harmony\openssl1" (it was set to ".") and by 
doing so, it got me past the issues I originally logged but now I am getting 
"NMAKE : fatal error U1073: don't know how to make '""'".

Not sure where the makefile is erroring out.  I tried to add console output to 
the makefile but it is erroring on the @echo lines.


-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Richard Levitte
Sent: Monday, May 1, 2017 11:58 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] NMAKE error

Can you verify that crypto\include\internal\bn_conf.h.in exists?  It should, 
it's part of the source.  Can you check if there's a file with a similar name 
in crypto\include\internal?

Cheers,
Richard ( am wondering if there are tar implementations that screw up file name 
with more than one period... )


In message 
<bn6pr17mb1233a4f4fcd18348875fd668d1...@bn6pr17mb1233.namprd17.prod.outlook.com>
 on Mon, 1 May 2017 15:02:41 +, James Condren <jcond...@hcpci.com> said:

jcondren> Getting the following error when attempting to make:
jcondren> 
jcondren> NMAKE : fatal error U1073: don't know how to make 
jcondren> '"crypto\include\internal\bn_conf.h.in"'
jcondren> 
jcondren> Stop.
jcondren> 
jcondren> Here¢s the lines from the makefile that are creating the error:
jcondren> 
jcondren> crypto\include\internal\bn_conf.h:
jcondren> "crypto\include\internal\bn_conf.h.in" "configdata.pm"
jcondren> 
jcondren> "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
jcondren> 
jcondren> "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@
jcondren> 
jcondren> If I remove '"crypto\include\internal\bn_conf.h.in"', it then 
jcondren> gives me the following error:
jcondren> 
jcondren> NMAKE : fatal error U1073: don't know how to make '".\Configure"'
jcondren> 
jcondren> Stop.
jcondren> 
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] NMAKE error

[James Condren]

Thanks for the prompt response.  Just a little background:  I am trying to 
install OpenSSL on a Windows PC so I can view a server cert.

I downloaded the latest openssl version from github.

Here are the steps I performed so far:

  1.  Downloaded latest version of openssl from git to 
C:\Workspaces\Harmony\openssl1
  2.  Downloaded NASM
  3.  Added Test::More and Text::Template perl modules to Perl location
  4.  SET PATH=%PATH%;C:\Workspaces\Harmony\openssl1
  5.  Executed perl Configure VC-WIN64A (got makefile)
  6.  Set SRCDIR in makefile to "C:\Workspaces\ Harmony\openssl1"

Doing step #6 got me past the issues I originally logged but now I am getting 
"NMAKE : fatal error U1073: don't know how to make '""'".

Not sure where the makefile is erroring out.  I tried to add console output to 
the makefile but it is erroring on the @echo lines.


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Benjamin Kaduk via openssl-users
Sent: Monday, May 1, 2017 11:38 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] NMAKE error

On 05/01/2017 10:02 AM, James Condren wrote:

Getting the following error when attempting to make:
NMAKE : fatal error U1073: don't know how to make 
'"crypto\include\internal\bn_conf.h.in"'
Stop.

Here's the lines from the makefile that are creating the error:
crypto\include\internal\bn_conf.h: "crypto\include\internal\bn_conf.h.in" 
"configdata.pm"
   "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
   "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@


If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me the 
following error:
NMAKE : fatal error U1073: don't know how to make '".\Configure"'
Stop.



What version of openssl?  What steps did you take prior to running nmake?

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] NMAKE error

[James Condren]

Getting the following error when attempting to make:
NMAKE : fatal error U1073: don't know how to make 
'"crypto\include\internal\bn_conf.h.in"'
Stop.

Here's the lines from the makefile that are creating the error:
crypto\include\internal\bn_conf.h: "crypto\include\internal\bn_conf.h.in" 
"configdata.pm"
   "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util\dofile.pl" \
   "-omakefile" "crypto\include\internal\bn_conf.h.in" > $@


If I remove '"crypto\include\internal\bn_conf.h.in"', it then gives me the 
following error:
NMAKE : fatal error U1073: don't know how to make '".\Configure"'
Stop.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] FW: problem with missing STDINT.H file

[Carter, James M. (MSFC-ES34)]

The attached text file is a snippet from attempting to install openssl-1.1.0c 
on a Solaris 8 machine. As can be seen, failed when  could not be 
found. There is no such file anywhere on this machine. As root, searched from 
the root directory for the file. Do have  in more than one location, 
/usr/include   /opt/SUNWSpro/prod/include/CC/std   
/opt/SUNWSpro/prod/include/CC/stlport4

I found this file on GITHUB. Can it be downloaded and put in /usr/include or 
/opt/SUNWspro/prod/CC/std.

Thank you for your assistance

James

James Carter  PhD
ES34 Bldg 4487 Rm B117
Optics & Imaging Branch
Space Systems Department
Marshall Space Flight Center, AL 35812
P: 256-544-3469
C: 256-425-2068
F: 256-544-5629



script_tail
Description: script_tail
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] rpmbuild openssl-1.0.1u

[James Marcus]

Hi,
I'm trying to build a rpm for openssl-1.0.1u on CentOS 7 x86_64.  To get
the rpmbuild to run, I had to remove several comments in changelog, because
they weren't formatted correctly. The second problem I ran into is one
during the rpm staging:

The tail end of the output from rpmbuild -ba openssl.spec is:

+ cp -pr README
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/share/doc/openssl-1.0.1u
+ exit 0


RPM build errors:
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/bin/ssleay
File not found by glob:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/lib/*.so*
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/dss1.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/md2.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/md4.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/md5.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/mdc2.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/ripemd160.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/sha.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/sha1.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/sha224.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/sha256.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/sha384.1ssl.gz
Explicit %attr() mode not applicaple to symlink:
/root/rpmbuild/BUILDROOT/openssl-1.0.1u-1.x86_64/usr/man/man1/sha512.1ssl.gz

I'm assuming its related to this line in the openssl.spec file?

# Make backwards-compatibility symlink to ssleay

ln -sf /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay


Has anyone else ran into this problem?


Thanks!
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] ssl connect failed

[james sqawz]

Hi all,

I want to add two extension field in CLIENT HELLO request.

Extension: next protocol  negotiation
Extension:application layer protocol negotiation

For that purpose which API/function of openssl I will call?

Thanks
Pranab


On Mon, Apr 18, 2016 at 6:16 PM, james sqawz <james.sq...@gmail.com> wrote:

> Hi all,
>
> Thanks for the providing the forum for discussion on TLS/OPENSSL related
> issue.
>
> I am very new to openssl.
>
> Currently I am trying to implement HTTP over TLS.(TLS Version 1.2)
> For that purpose I send connect request to the server,but connection is
> getting failed.
>
> Following fields are abscent in my ssl packet.
>
> Extension: server name present
> Extension:application layer protocol negotiation
>
> Apart from that I did not set path of Server Certificate.
>
> Shall these impact my connect request.
> Can somebody help.
>
> Thanks
> James
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] openssl-users Digest, Vol 17, Issue 24

[james sqawz]

@danigrosu

Not exactly Apache server.
But from some different client it properly responded with "SERVER HELLO" .

Thanks

On Mon, Apr 18, 2016 at 6:22 PM, <openssl-users-requ...@openssl.org> wrote:

> Send openssl-users mailing list submissions to
> openssl-users@openssl.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mta.openssl.org/mailman/listinfo/openssl-users
> or, via email, send a message with subject or body 'help' to
> openssl-users-requ...@openssl.org
>
> You can reach the person managing the list at
> openssl-users-ow...@openssl.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssl-users digest..."
>
>
> Today's Topics:
>
>1. API question; v3_asid/v3_addr (Salz, Rich)
>2. 1.1.0-pre4: openssl speed chacha (c^)
>    3. Unable to load/add a dynamic engine (danigrosu)
>4. Regarding TLS 1.3 (James)
>5. Re: Regarding TLS 1.3 (Matt Caswell)
>6. ssl connect failed (james sqawz)
>7. Re: ssl connect failed (danigrosu)
>
>
> --
>
> Message: 1
> Date: Thu, 14 Apr 2016 16:57:56 +
> From: "Salz, Rich" <rs...@akamai.com>
> To: "openssl-...@openssl.org" <openssl-...@openssl.org>,
> "openssl-users@openssl.org" <openssl-users@openssl.org>
> Subject: [openssl-users] API question; v3_asid/v3_addr
> Message-ID:
> <
> f583e20aef574e55a5761812440da...@usma1ex-dag1mb1.msg.corp.akamai.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Do you use the v3_asid_xxx or v3_addr_xxx API's?  Please let me know.
>
> (They are not going away, we just need to know if they're internal-only or
> if people are using them.)
>
> --
> Senior Architect, Akamai Technologies
> IM: richs...@jabber.at Twitter: RichSalz
>
> -- next part --
> An HTML attachment was scrubbed...
> URL: <
> http://mta.openssl.org/pipermail/openssl-users/attachments/20160414/052eaa82/attachment-0001.html
> >
>
> --
>
> Message: 2
> Date: Fri, 15 Apr 2016 15:29:16 +0100
> From: "c^" <c...@gryning.com>
> To: openssl-users@openssl.org
> Subject: [openssl-users] 1.1.0-pre4: openssl speed chacha
> Message-ID:
> 

[openssl-users] ssl connect failed

[james sqawz]

Hi all,

Thanks for the providing the forum for discussion on TLS/OPENSSL related
issue.

I am very new to openssl.

Currently I am trying to implement HTTP over TLS.(TLS Version 1.2)
For that purpose I send connect request to the server,but connection is
getting failed.

Following fields are abscent in my ssl packet.

Extension: server name present
Extension:application layer protocol negotiation

Apart from that I did not set path of Server Certificate.

Shall these impact my connect request.
Can somebody help.

Thanks
James
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Regarding TLS 1.3

[James]

Hi there,
In the below link I could see TLS 1.3 support will be added in future
releases
 https://www.openssl.org/policies/roadmap.html

I think the support is not yet added. From when it will be added

regards,
James Arivazhagan Ponnusamy
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Is SHA hashing algorithm reversable?

[James]

Hi,
I always use like this
Hash ( salt + password )
You can use like this also
Hash ( hash(salt) + password )
regards,
James

On Tue, Apr 5, 2016 at 1:52 PM, Sugumar <sugu.ec...@gmail.com> wrote:

> Hello,
>
> Ya you are correct James.
> But my doubt is what is the best method to hash the password securely with
> salt.
> I mean which method is preferred by openssl,
>
> HashValue = Hash(password + salt).
> HashValue = Hash( Hash(password) + salt). or something else?
> HashValue = Hash(password) + Hash(salt).
>
> or this is up to the user decision?
>
>
>
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/Is-SHA-hashing-algorithm-reversable-tp65408p65441.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Is SHA hashing algorithm reversable?

[James]

Hello Sugumar,
There are sites that store the commonly used strings and hashed strings.
For example for hello sha2 hash is this
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

If you copy paste this in google, you would see hello

they dont do reverse of this hash but they hashed some commonly used
strings and kept in their DB, using this only they give the original string.

That is why we need to use a salt string along with your original string.

regards,
James

On Tue, Apr 5, 2016 at 11:44 AM, Sugumar <sugu.ec...@gmail.com> wrote:

> Thanks for all the information provided. Really its very nice information.
>
> And one more question, if i am using a salt with the password for computing
> a hash value i need to store the salt for future reference and what about
> the scenario when attacker gets that salt and hash. That time it may be
> reversible right?
>
> Please tell me the correct method to use a salt with password for storing a
> passwords in a secure manner.
>
>
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/Is-SHA-hashing-algorithm-reversable-tp65408p65439.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] FIPS Performance Question

[James M Takahashi]

https://www.openssl.org/docs/fipsnotes.html mentions the following:

  As a result of the POST performance issue we revisited the KAT (Known 
Answer Test) requirements in the POST process that were burning up most of 
those cycle. In consultation with a CMVP test lab we determined that it should 
be possible to substantially reduce that performance penalty in a new 
validation.

Can you please elaborate a bit on what this means?

Thanks in advance for any light you can shed.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL 1.0.2g compile fails on OS X 10.11.3 - make depend: Command not found

[James Brown]

Had no problems compiling on earlier versions of OS X, but on 10.11 I get:


Configured for darwin64-x86_64-cc.

*** Because of configuration changes, you MUST do the following before
*** building:

make depend
Web-Server:openssl-1.0.2g jlbrown$ make depend
making depend in crypto...
../util/domd: line 31: makedepend: command not found
mv: Makefile.new: No such file or directory
make[1]: *** [local_depend] Error 127
make: *** [depend] Error 1

after running:

./Configure --prefix=/usr/local shared darwin64-x86_64-cc 
enable-ec_nistp_64_gcc_128 no-ssl2


Shall I follow the recommendation at:

http://comments.gmane.org/gmane.comp.encryption.openssl.user/47242

and change the MAKEDEPPROG=makedepend to MAKEDEPPROG=$(CC) -M

?

Thanks,

James.




smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Errors building 1.0.2e on Mac OS X 10.7.5

[James Brown]

I know the OS is a bit old, but thought I’d better upgrade OpenSSL on it in now.

To configure I used:

./Configure --prefix=/usr/local shared darwin64-x86_64-cc

Running make gives lots of errors like this:

cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -fPIC 
-fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
-DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c  -o md5-x86_64.o md5-x86_64.s
ar  r ../../libcrypto.a md5_dgst.o md5_one.o md5-x86_64.o
/usr/bin/ranlib: file: ../../libcrypto.a(ebcdic.o) has no symbols
/usr/bin/ranlib: file: ../../libcrypto.a(fips_ers.o) has no symbols
/usr/bin/ranlib ../../libcrypto.a || echo Never mind.
/usr/bin/ranlib: file: ../../libcrypto.a(ebcdic.o) has no symbols
/usr/bin/ranlib: file: ../../libcrypto.a(fips_ers.o) has no symbols
making all in crypto/sha…

before ending:

x86_64-mont.s:957:2: error: invalid instruction mnemonic 'adoxq'
 adoxq %r15,%r10
 ^
x86_64-mont.s:959:2: error: invalid instruction mnemonic 'adcxq'
 adcxq %rax,%r10
 ^
x86_64-mont.s:960:2: error: invalid instruction mnemonic 'adoxq'
 adoxq %r15,%r11
 ^
x86_64-mont.s:962:2: error: invalid instruction mnemonic 'adcxq'
 adcxq %rax,%r11
 ^
x86_64-mont.s:963:2: error: invalid instruction mnemonic 'adoxq'
 adoxq %r15,%r12
 ^
x86_64-mont.s:966:2: error: invalid instruction mnemonic 'adcxq'
 adcxq %rax,%r12
 ^
x86_64-mont.s:967:2: error: invalid instruction mnemonic 'adoxq'
 adoxq %r15,%r13
 ^
x86_64-mont.s:972:2: error: invalid instruction mnemonic 'adcxq'
 adcxq %rax,%r13
 ^
x86_64-mont.s:973:2: error: invalid instruction mnemonic 'adoxq'
 adoxq %rbp,%r15
 ^
make[2]: *** [x86_64-mont.o] Error 1
make[1]: *** [subdirs] Error 1
make: *** [build_crypto] Error 1

This worked with 1.0.1 versions.

Any suggestions?

Thanks,

James.

smime.p7s
Description: S/MIME cryptographic signature
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Regarding the security of the keys

[James]

Hi there,
I have a concern regarding the private keys we use in the https (say
apache) server.
The https server links with openssl.so file, and uses the APIs provided by
it.
If some one build their own openssl and add few lines to print the keys
during encrypt and decrypt and put in the library in the LD_LIBRARY_PATH,
may result in compromising the security of the keys.

Does any of you faced this problem and if you could share the solution it
would be helpful.

regards,
James Arivazhagan Ponnusamy
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Vulnerability Disclosures

[James Billingham]

Hi,

I apologize if this is the wrong place for this email - it seemed to be the 
most suitable of the mailing lists.

I wanted to suggest that when notifying of new vulnerabilities, in addition to 
the severity level, information is also provided about how widespread the issue 
is expected to be.

For example, the statement might say this high severity bug is expected to 
affect around 70% of cases”, or for CVE-2015-1788 it would presumably state 
“around 1%” as it affects only client-side uses.

This would help OpenSSL users gauge whether the upcoming vulnerability is 
“heartbleed”-level, or less serious/widespread. Currently a wide variety of 
vulnerabilities are just indicated as “high” severity, which could mean 
anything from a relatively minor DoS affecting 5 implementations to MITM 
affecting all servers/browsers.

Thanks,
James
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Regarding the Support for TLS 1.3

[James]

Hi there,
I would like to know whether OpenSSL supports TLS 1.3, if supported from
which version of OpenSSL the implementation started.

regards,
James Arivazhagan Ponnusamy
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

[James]

Hi,
Can you try this option

SSL_CTX_set_options(m_SslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);

instead of disabling using the cipher list




regards,

James Arivazhagan



On Tue, Apr 7, 2015 at 5:41 AM, David Rueter drue...@assyst.com wrote:

 I would like to disable SSL3 (to prevent POODLE attacks), but I would like
 to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and
 AES256-SHA).



 However disabling SSL3 with !SSLv3 disables TLSv1 also.  Furthermore,
 disabling SSL3 with -SSLv3 then adding in individual ciphers such as
 +DES-CBC3-SHA seems to re-enable SSLv3.



 In looking at https://www.openssl.org/docs/apps/ciphers.html it looks
 like SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA are
 both referred to as DES-CBC3-SHA.



 Is this intentional? Are not SSL_RSA_WITH_3DES_EDE_CBC_SHA and
 TLS_RSA_WITH_3DES_EDE_CBC_SHA different ciphers?



 Is there no way to disable SSL3 while leaving
 TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?



 ___
 openssl-users mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

[James]

Hi,
Some time back, to fix POODLE, I tried to fix with cipher suite, but still
I can use the the protocol SSLv3.
The server responds with
openssl s_client -connect ip:port -ssl3

So The fix should come using SSL_CTX_set_options. I understand since you
are using the compiled binary, you may not be in a position to use this
API.
May be you can try with the latest version of openssl with the POODLE fix.

regards,
James

On Tue, Apr 7, 2015 at 8:14 AM, Viktor Dukhovni openssl-us...@dukhovni.org
wrote:

 On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:

  I would like to disable SSL3 (to prevent POODLE attacks), but I would
 like
  to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and
  AES256-SHA).

 You're confusing SSLv3 the protocol, with SSLv3 ciphersuites.  To disable
 the protocol set SSL_OP_NO_SSLv3 via SSL_CTX_set_options().

  Is there no way to disable SSL3 while leaving
 TLS_RSA_WITH_3DES_EDE_CBC_SHA
  enabled?

 Yes, disable the protocol, not the ciphers.

 --
 Viktor.
 ___
 openssl-users mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] HTTP / HTTPS on same port

[James]

Hi,
I suggested one such implementation in mongoose opensource web server
You can check it in .

https://groups.google.com/forum/#!msg/mongoose-users/IAzYHF0do-I/INc_VmLAe6gJ

This is the function I added
let me know if it is useful.


static int CheckSSL(int nSocket)
{
  /* taken from s23_svr.c int ssl23_get_client_hello(SSL *s) of openssl */
  char szData [12] ;
  int nRet = 0 ;
  int n;
  memset ( szData, 0, sizeof(szData));
  n = recv ( nSocket, szData, 11, MSG_PEEK ) ;

  if (n  2)
  {
 if((szData[0]  0x80)  (szData[2] == 1)) // SSL2_MT_CLIENT_HELLO
 {
   // SSLv2
   nRet = 1;
 }
 else if(n  9)
 {
if ((szData[0] == 22 )   // SSL3_RT_HANDSHAKE
   (szData[1] == 0x03)   // SSL3_VERSION_MAJOR
   (szData[5] == 1)  // SSL3_MT_CLIENT_HELLO
   ((szData[3] == 0  szData[4]  5)
|| (szData[9] == szData[1])))
{
  // SSLv3
  nRet = 1;
}
 }
  }
  return nRet;
}


On Sat, Apr 4, 2015 at 5:10 AM, James Cloos cl...@jhcloos.com wrote:

  JR == Joris Van Remoortere jo...@mesosphere.io writes:

 JR I would like to ask your opinion and advice on accepting HTTP / HTTPS
 JR connections on the same port.

 IPP support both w/ and w/o tls on port 631.

 Cups handles it like this:

   http://www.pwg.org/archives/ipp/2014/017906.html

 -JimC
 --
 James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
 ___
 openssl-users mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] HTTP / HTTPS on same port

[James Cloos]

 JR == Joris Van Remoortere jo...@mesosphere.io writes:

JR I would like to ask your opinion and advice on accepting HTTP / HTTPS
JR connections on the same port.

IPP support both w/ and w/o tls on port 631.

Cups handles it like this:

  http://www.pwg.org/archives/ipp/2014/017906.html

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: which cipher was chosen?

[James]

Hi,
Alternatively you can use the wireshark or tcpudmp to capture the packet
and decode the SSL - Client Hello and Sever Hello
That also may help to identify which protocol and cipher we use

regards,
James Arivazhagan Ponnusamy

On Sat, Nov 22, 2014 at 7:12 AM, Chris Bare chris.b...@gmail.com wrote:

 Thanks, that's just what I needed.

 By performance I mean the initial connection speed. It spends 4-5 seconds
 in ssl3_send_client_key_exchange () in the slow case, vs about 0.1 sec in
 the fast case.
 This is on a 200Mhz arm, so it's not a fast machine.

 On Fri, Nov 21, 2014 at 7:03 PM, Dr. Stephen Henson st...@openssl.org
 wrote:

 On Fri, Nov 21, 2014, Chris Bare wrote:

  Is there a way to query the BIO or SSL object to see which cipher is
 being
  used?
  I have a case where my openssl client's performance is significantly
 slower
  when talking to server A vs server B. AFAIK, the only difference
 between A
  and B is the level of Windows updates, so I'm suspicious that Windows
 has
  started to favor the slower ECC ciphers, but I need a way to prove it.
 

 SSL_get_cipher_name().

 What do you mean by peformance the initial connection speed or the data
 transfer rate? With ECC the curve used is also significant: you can query
 that
 using OpenSSL 1.0.2+ which allows you to get details of the server
 temporary
 key.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




 --
 Chris Bare

Re: Donation from AirVPN

[James McMurry]

Thank you to AirVPN and Paolo for stepping up !



jim


==
Jim McMurry
Milton Security Group
261 Imperial Highway Suite 550
Fullerton CA 92835
http://www.miltonsecurity.com


On Jul 2, 2014, at 6:00 AM, Steve Marquess marqu...@opensslfoundation.com 
wrote:

 We have received a donation of US$1,327.00 from AirVPN
 (https://airvpn.org/aboutus). Co-founder Paolo Brini tells me that their
 community members propose a number of projects which are compatible with
 their mission (https://airvpn.org/mission). Those candidate projects for
 a donation enter a 2-4 weeks poll. The most voted project is awarded a
 donation (https://airvpn.org/topic/10122-guidelines). The OpenSSL
 project was the top contender for all the proposed May projects with a
 poll held in June.
 
 Thank you AirVPN, and AirVPN community!
 
 -Steve M.
 
 -- 
 Steve Marquess
 OpenSSL Software Foundation, Inc.
 1829 Mount Ephraim Road
 Adamstown, MD  21710
 USA
 +1 877 673 6775 s/b
 +1 301 874 2571 direct
 marqu...@opensslfoundation.com
 marqu...@openssl.com
 gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: OpenSSL Vulnerability CVE-2014-0195

[James]

Hi,
Do you use DTLS ?
it is secure mode of UDP transfer. If you are not using DTLS then you are
not vulnerable

regards,
James



On Mon, Jun 9, 2014 at 6:43 PM, Jaya Nageswar jaya.nages...@gmail.com
wrote:

 Hi All,

 We are currently using openssl 0.9.8 h version in one of our components. I
 would like to get some additional information about the vulnerability “DTLS
 invalid fragment vulnerability (CVE-2014-0195)”. I could get the
 information about all other vulnerabilities that are fixed in 0.9.8 za
 except this vulnerability at
 https://www.openssl.org/news/vulnerabilities.html
 At the above link, it was clearly mentioned about the 0.9.8 versions that
 are being affected for each of the vulnerabilities. However I could not
 find any information about CVE-2014-0195 here.

 As per my analysis, the DTLS fragment reassembly fixes have been added in
 openssl 0.9.8 o as part of “PR 2230:Fix various DTLS fragment reassembly
 bugs”.
 These fixes does not exist in openssl 0.9.8 h. The vulnerability fix for
 “CVE-2014-0195” is part of those fixes that were added in 0.9.8 o version.

 I would like to know if openssl 0.9.8 h is affected for the vulnerability
 CVE-2014-0195. Appreciate your quick feedback on this. Thanks in advance.

 regards,
 -Jay.

Getting error for libcrypto.a file in openssl-1.0.1g when making php

[James Butler]

I am getting this error from an openssl-1.0.1g file when trying to make
php-5.4.23

/usr/bin/ld: /opt/openssl-1.0.1g/lib/libcrypto.a(cversion.o): relocation
R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared
object; recompile with -fPIC
/opt/openssl-1.0.1g/lib/libcrypto.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [libphp5.la] Error 1

Can anyone tell me why this is happening? I was able to build php with
openssl-1.0.1f so why is this error coming up with 1.0.1g?

My system is RHEL6

Re: Getting error for libcrypto.a file in openssl-1.0.1g when making php

[James Butler]

Thanks. I did that and it worked fine.

Sent from my iPhone

 On Apr 17, 2014, at 8:06 PM, Michael Wojcik michael.woj...@microfocus.com 
 wrote:
 
 [Apologies for the top-post. Outlook does not properly handle bottom-posting 
 when replying to HTML email, and doesn't properly convert HTML email to plain 
 text, either. A pox on HTML email and Outlook and MIME and all their ilk.]
  
 You've built OpenSSL as a static library, and now you're trying to link it 
 into a shared object. The ELF object file format requires that all code 
 linked into a shared object be position-independent. Static libraries (i.e., 
 ar archives of object files) can contain objects that are compiled as 
 position-independent, but they can also contain objects that are not.
  
 In this case, you have an OpenSSL build that is not position-independent 
 code. You need to reconfigure to force the generation of position-independent 
 code  (via the -fPIC flag, as the error message says) and rebuild OpenSSL.
  
 If memory serves, just adding the shared token to your Configure command 
 line should suffice, since I think in that mode the OpenSSL makefiles compile 
 with -fPIC (on platforms where that's appropriate) and then create both 
 shared objects and static libraries.
  
 If that doesn't work, you could just edit Configure, find the target you're 
 using, and add -fPIC to its compiler options list.
  
 Michael Wojcik
 Technology Specialist
 Micro Focus
  
 michael.woj...@microfocus.com
 519 West Ash Street
 Mason, MI 48854-1553
 Direct:+1 517 639 0892
 Mobile : +1 517 862 9464
  
  
  
  
 From: owner-openssl-us...@openssl.org 
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of James Butler
 Sent: Thursday, 17 April, 2014 09:51
 To: openssl-users@openssl.org
 Subject: Getting error for libcrypto.a file in openssl-1.0.1g when making php
  
 I am getting this error from an openssl-1.0.1g file when trying to make 
 php-5.4.23
  
 /usr/bin/ld: /opt/openssl-1.0.1g/lib/libcrypto.a(cversion.o): relocation 
 R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared 
 object; recompile with -fPIC
 /opt/openssl-1.0.1g/lib/libcrypto.a: could not read symbols: Bad value
 collect2: ld returned 1 exit status
 make: *** [libphp5.la] Error 1
  
 Can anyone tell me why this is happening? I was able to build php with 
 openssl-1.0.1f so why is this error coming up with 1.0.1g?
 
 
 This message has been scanned for malware by Websense. www.websense.com

Debugging cause of unable to get local issuer certificate - one cert works, one doesn't

[James Crowley]

Hi everyone,

I'm hitting a unable to get local issuer certificate error on a specific
SSL certificate, and I was wondering how I can best debug this? It's via
NXLog which uses OpenSSL so a bit disconnected from the underlying library
at the moment, and I'm not too familar with OpenSSL.

I've exported the full SSL certificate chain for both logs-01.loggly.comand
collectors.sumologic.com using Firefox, each into their own pem file. When
establishing a connection, the first works fine, the second gives me:

SSL certificate verification failed: unable to get local issuer certificate
(err: 20)

The only difference I can spot is the second is an EV certificate, and is
for sumologic.com whereas the first is explicitly *.loggly.com. If I
deliberately mis-match the certificates then I get

SSL certificate verification failed: self signed certificate in
certificate chain (err: 19)

so it's definitely something specific to the SumoLogic certificate
verification chain as far as I can tell?

Any help would be much appreciated.

J

Re: Debugging cause of unable to get local issuer certificate - one cert works, one doesn't

[James Crowley]

Thank you so much, I would never have figured that out in a million years!
It works perfectly following those instructions. And always good to know
the how in case I trip over it again, much appreciated.

Apologies for the richtext, I blame Google for that one...



On 23 September 2013 22:25, Dave Thompson dthomp...@prinpay.com wrote:

 Sorry for top-posting but you apparently posted richtext and my new
 “improved” Outlook 

 can no longer impoverish text correctly nor reply inline to richtext. Bah.
 

 ** **

 You don’t need the full chain(s), only the root(s), since both servers
 send chain as they should.

 The difference is that the sumologic chain uses “GeoTrust Primary
 Certification Authority” 

 which appears to be both self-signed and (cross)signed by Equifax probably
 for transition 

 (although 2006 is a while back now) and the server actually sends the
 cross-signed one.

 Firefox (at least the current version 24 I can check) has the self-signed
 version “built-in” 

 which it uses (and exports). OpenSSL on the contrary will not (yet)
 override a received cert 

 with a truststore one, so it needs the Equifax root. Which is also in FF
 24; under Authorities 

 find Equifax Secure CA, export that and use that.

 ** **

 If you really want to know how (as asked) not just what, if you have
 openssl commandline 

 the easiest way is to run openssl s_client -connect host:port and look at
 the cert chaining

 (0 s: and i:, 1 s: and i:, and so on), and in this case compare to what FF
 displays. If you need 

 the contents of the non-leaf certs (here you don’t really) add -showcerts .
 

 ** **

 Note the sumologic leaf cert has Subject CN sumologic.com, but
 SubjectAlternativeNames correctly 

 specifying other names including collectors.sumologic.com. EV certs
 aren’t allowed to use wildcard names.

 ** **

 ** **

 *From:* owner-openssl-us...@openssl.org [mailto:
 owner-openssl-us...@openssl.org] *On Behalf Of *James Crowley
 *Sent:* Monday, September 23, 2013 14:28
 *To:* openssl-users@openssl.org
 *Subject:* *** Spam *** Debugging cause of unable to get local issuer
 certificate - one cert works, one doesn't

 ** **

 Hi everyone,

 ** **

 I'm hitting a unable to get local issuer certificate error on a specific
 SSL certificate, and I was wondering how I can best debug this? It's via
 NXLog which uses OpenSSL so a bit disconnected from the underlying library
 at the moment, and I'm not too familar with OpenSSL.

 ** **

 I've exported the full SSL certificate chain for both logs-01.loggly.comand
 collectors.sumologic.com using Firefox, each into their own pem file.
 When establishing a connection, the first works fine, the second gives me:
 

 ** **

 SSL certificate verification failed: unable to get local issuer
 certificate (err: 20)

 ** **

 The only difference I can spot is the second is an EV certificate, and is
 for sumologic.com whereas the first is explicitly *.loggly.com. If I
 deliberately mis-match the certificates then I get

 ** **

 SSL certificate verification failed: self signed certificate in
 certificate chain (err: 19)

 ** **

 so it's definitely something specific to the SumoLogic certificate
 verification chain as far as I can tell?

 ** **

 Any help would be much appreciated.

 ** **

 J

 ** **




-- 

---
James Crowley
CTO, FundApps - a new generation in financial services software -
http://www.fundapps.co/
Founder, developerFusion - the global developer community -
http://www.developerfusion.com/

linkedin: http://linkedin.com/in/jamescrowley
twitter: http://twitter.com/jamescrowley

Re: Interleaving SSL_write() and SSL_read()

[James Marshall]

My understanding is that yes, on that given socket, you have to do only
what it needs according to the error code.  In this case,
SSL_ERROR_WANT_WRITE indicates you should select on write and try
SSL_write() again before doing an SSL_read() on that socket.  Of course,
you can read and write on other sockets in the meantime.

For an implementation, an SSL_ERROR_WANT_WRITE means add the socket to the
list of sockets to select() for writing and delete from the list for
reading, and SSL_ERROR_WANT_READ means add the socket for reading and
delete it for writing.  But note that SSL_ERROR_WANT_WRITE doesn't imply
SSL_write() comes next, and SSL_ERROR_WANT_READ doesn't imply SSL_read()
comes next, because the interrupting handshake is two-way.  Also note that
SSL_accept() and SSL_shutdown() require similar handling.

For non-blocking IO, here's a simple set of tables consolidated from the
docs that is useful for a possible general switch structure:
http://jmarshall.com/wiki/bin/view/Main/NonBlockingIOinOpenSSL  .  I'm
pretty sure it's correct, but I'm not an expert.  It could definitely be
improved-- as I recall my structure was to select(), then for each socket
switch on its error code, then do the appropriate next operation (which for
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE is just a repeat of its
previous operation).

Good luck,
James



On Thu, Sep 19, 2013 at 2:02 AM, Krzysztof Kwiatkowski krzys...@leeds.plwrote:

 Hi,

 I'm a bit confused about usage of SSL_write()/SSL_read() in non-blocking
 connectors. Let say I do SSL_write() and I get SSL_ERROR_WANT_WRITE. It
 means I have to do SSL_write() again. But does it mean that I can't do
 SSL_read() until SSL_write() returns with success?

 Any idea?

 Kris
 __**__**__
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

Re: simple https client application

[James Marshall]

Yes, very possible.  What language are you using?

I use Perl, and there's a CPAN module called Net::SSLeay that provides Perl
wrappers for all the OpenSSL functions.  That module also includes a simple
example client, which you can see at
http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#EXAMPLES .
 Because these functions are wrappers, the C version would be roughly the
same sequence.

I have other sample clients and servers; ask if you need any more.  The
OpenSSL site documents each C function, which are named the same as the
Perl functions in the example above.

Cheers,
James



On Wed, Sep 18, 2013 at 4:44 AM, Indtiny s indt...@gmail.com wrote:

 Hi,
 I want to use a openssl api and use that as http client .
 currently I am using the c-curl lib with opebssl to do this .

 and I am running a Nginx server with openssl to support server funs.

 I want to remove the curl, and use only openssl to talk to the HTTPS
 server to do GET or PUT .

 is it possible to implement a simple https client using openssl-APIs ?
 if so pls help me how to start ..?

 Rgds
 Indra

Re: simple https server using openssl

[James Marshall]

Not clear if you need to learn HTTP, but a quick tutorial is at
http://www.jmarshall.com/easy/http/ .  It covers the requirements of
writing compliant clients and servers.

James


On Fri, May 17, 2013 at 11:34 PM, Indtiny s indt...@gmail.com wrote:

 Hi Dave,
 I do not need to handle all of HTTP stuffs , In my requirement I would be
 having maximum of 3 clients which always perform HTTP Post operation only .


 Where do I need to look in s_server code to start on ..?

 --Indra

Re: Re: Issue with 1.0.1d with Apache 2.2.23

[James]

 Original Message 
From: James ja...@nixsecurity.org
To: openssl-users@openssl.org
Cc: openssl-users@openssl.org
Sent: Wed, Feb 6, 2013, 3:51 PM
Subject: Re: Issue with 1.0.1d with Apache 2.2.23

 Original Message 
From: James ja...@nixsecurity.org
To: openssl-users@openssl.org
Sent: Wed, Feb 6, 2013, 2:50 PM
Subject: Issue with 1.0.1d with Apache 2.2.23

I recently upgraded our application to OpenSSL 1.0.1d with FIPS compiled in 
but disabled, which has always been the case in the past. Our application 
runs in a browser using Apache 2.2.23 and mod_ssl which is compiled against 
OpenSSL. Testing has revealed that HTTP requests work fine, however, HTTPS 
requests throw a 403. The following is exhibited in the access_log

a.b.c.d - - [06/Feb/2013:14:18:39 -0500] GlET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:18:41 -0500] \xf2G:ET /favicon.ico HTTP/1.1 403 
213
a.b.c.d - - [06/Feb/2013:14:32:00 -0500] GVET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \xb3G\xc1ET /favicon.ico HTTP/1.1 
403 213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \x1aG\x9eET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] tG\xfcET /favicon.ico HTTP/1.1 403 
213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \x8bG\x02ET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \bGdET /favicon.ico HTTP/1.1 403 
213
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \xabG\xacET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \xb2G\tET /favicon.ico HTTP/1.1 
400 226

Testing was performed under a Redhat 6 x86_64 system and no errors were 
obvious in the compilation process.

Thanks.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

To add to this, I've tested under four systems; RHEL5 i686/x86_64 and RHEL6 
i686/x86_64 where only the 64bit systems are exhibiting the issue. The 32bit 
systems are fine.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Just an update, using a SSLCipherSuite in the SSL configuration file for Apache 
of RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 works fine. The ciphers we're 
using are 
DES-CBC3-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-SHA:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA:RC4-MD5:RC4-SHA
 which is where I see the issue. I suppose I'll have to go through each cipher 
to determine the culprit. If I'm on the wrong path here and should be posting 
to the Apache mailing list, let me know but as I've stated previously, OpenSSL 
1.0.1c-FIPS works fine with our current cipher suite.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Re: Issue with 1.0.1d with Apache 2.2.23

[James]

 Original Message 
From: Bruce Cran br...@cran.org.uk
To: openssl-users@openssl.org
Cc: James ja...@nixsecurity.org
Sent: Thu, Feb 7, 2013, 9:48 AM
Subject: Re: Issue with 1.0.1d with Apache 2.2.23

On 07/02/2013 14:36, James wrote:

 Just an update, using a SSLCipherSuite in the SSL configuration file for 
 Apache of RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 works fine. The ciphers 
 we're using are 
 DES-CBC3-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-SHA:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA:RC4-MD5:RC4-SHA
  which is where I see the issue. I suppose I'll have to go through each 
 cipher to determine the culprit. If I'm on the wrong path here and should be 
 posting to the Apache mailing list, let me know but as I've stated 
 previously, OpenSSL 1.0.1c-FIPS works fine with our current cipher suite.

This is probably the same bug that has been discussed recently - see
Major OpenSSL 1.0.1d regression from 1.0.1c on openssl-dev and ticket
2975 Regression in OpenSSL 1.0.1d x86_64: Corrrupted data stream. From
that ticket:

A serious regression was introduced in 1.0.1d that corrupts the data
stream under certain circumstances.

Firefox requests to an Apache server running on Linux/X86_64 with
OpenSSL-1.0.1d result in 501 Server Error responses.  OpenSSL versions
1.0.1c and earlier are not affected.  i686 (32 bit) versions are also
not affected.

And a comment:

Stop gap measure for now is to revert commit 125093b59f3c

We're looking into the proper fix.


--
Bruce Cran


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Thank you - next time I have an issue I'll look at the bug tracker first.

James

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Issue with 1.0.1d with Apache 2.2.23

[James]

I recently upgraded our application to OpenSSL 1.0.1d with FIPS compiled in but 
disabled, which has always been the case in the past. Our application runs in a 
browser using Apache 2.2.23 and mod_ssl which is compiled against OpenSSL. 
Testing has revealed that HTTP requests work fine, however, HTTPS requests 
throw a 403. The following is exhibited in the access_log

a.b.c.d - - [06/Feb/2013:14:18:39 -0500] GlET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:18:41 -0500] \xf2G:ET /favicon.ico HTTP/1.1 403 
213
a.b.c.d - - [06/Feb/2013:14:32:00 -0500] GVET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \xb3G\xc1ET /favicon.ico HTTP/1.1 
403 213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \x1aG\x9eET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] tG\xfcET /favicon.ico HTTP/1.1 403 
213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \x8bG\x02ET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \bGdET /favicon.ico HTTP/1.1 403 213
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \xabG\xacET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \xb2G\tET /favicon.ico HTTP/1.1 400 
226

Testing was performed under a Redhat 6 x86_64 system and no errors were obvious 
in the compilation process.

Thanks.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Issue with 1.0.1d with Apache 2.2.23

[James]

 Original Message 
From: James ja...@nixsecurity.org
To: openssl-users@openssl.org
Sent: Wed, Feb 6, 2013, 2:50 PM
Subject: Issue with 1.0.1d with Apache 2.2.23

I recently upgraded our application to OpenSSL 1.0.1d with FIPS compiled in 
but disabled, which has always been the case in the past. Our application runs 
in a browser using Apache 2.2.23 and mod_ssl which is compiled against 
OpenSSL. Testing has revealed that HTTP requests work fine, however, HTTPS 
requests throw a 403. The following is exhibited in the access_log

a.b.c.d - - [06/Feb/2013:14:18:39 -0500] GlET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:18:41 -0500] \xf2G:ET /favicon.ico HTTP/1.1 403 
213
a.b.c.d - - [06/Feb/2013:14:32:00 -0500] GVET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \xb3G\xc1ET /favicon.ico HTTP/1.1 
403 213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \x1aG\x9eET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] tG\xfcET /favicon.ico HTTP/1.1 403 
213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] \x8bG\x02ET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \bGdET /favicon.ico HTTP/1.1 403 213
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \xabG\xacET / HTTP/1.1 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] \xb2G\tET /favicon.ico HTTP/1.1 400 
226

Testing was performed under a Redhat 6 x86_64 system and no errors were 
obvious in the compilation process.

Thanks.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

To add to this, I've tested under four systems; RHEL5 i686/x86_64 and RHEL6 
i686/x86_64 where only the 64bit systems are exhibiting the issue. The 32bit 
systems are fine.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL wikibook

[James Marshall]

I think a good wiki for OpenSSL would be great!

I had some trouble getting non-blocking IO to work-- the details were
all there, but spread across many pages.  So I put together this,
which lists how to handle various return codes for various
non-blocking calls:

http://jmarshall.com/wiki/bin/view/Main/HandlingNonBlockingIOErrorsInOpenSSL

It could be simpler (e.g. you could handle most of it with on
SSL_ERROR_WANT_READ/WRITE select on R/W and do same operation again)
but I wanted a general structure to accommodate any outlying cases,
plus something tabular that could be echoed in switch blocks.

All comments welcome.  I'd feel more comfortable if someone who knows
better could verify it.  Anything missing?  If it's accurate, I'm
happy to transfer it to Patrick's wiki.

Cheers,
James


On Fri, Feb 1, 2013 at 9:29 PM, Patrick Pelletier
c...@funwithsoftware.org wrote:
 Since the quality of OpenSSL documentation, and the ease of contributing to
 it, has been a subject of discussion on both the openssl-users list and the
 cryptography list in the past few months, and since the only commercial book
 on OpenSSL is over a decade old now, I thought it would be worthwhile to
 start an OpenSSL wikibook:

 https://en.wikibooks.org/wiki/OpenSSL

 All I have in place right now is a skeleton of a table of contents, but I'm
 hoping that OpenSSL users will contribute to the book in their areas of
 expertise, or as they learn new things that they wish had been documented.

 --Patrick

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: I can't believe how much this sucks

[james]

 For things that the peer support forum and the existing documentation 
don't cover, you have the source code, which is definitive.


The source code can tell you what it DOES do - but the cost of 
understanding that can be very high in some cases, and the problem 
domain of OpenSSL almost guarantees it.


But what raw source will not tell you is WHY it does what it does, or 
what the INTENT was when it was written, or what non-obvious assumptions 
are in play and necessary for correct operation.


Nor does it tell you how to use it, and that is not necessarily obvious 
from the source code, even if it contains embedded documentation 
(comments) that address the points above.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: I can't believe how much this sucks

[james]

 the 'many eyes make all bugs shallow' views

You don't believe that, do you?

The number of counter-examples of long-standing bugs in widely available 
and active open-source systems should be large enough to call it now. 
Especially in subtle, complex systems where there is no documentation of 
the design itself - just code.


Bugs in code generators and race conditions in kernels do not become 
shallow by making the source available to millions of developers with no 
experience in those domains.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Add 509v3 certificatePolicies in C

[James Burton]

I am trying add certificatePolicies in C code  and I got this  Error on 
certificatePolicies = 2.2.2.2
** sign1.c:163 Error creating X509 extension object
5432:error:22097088:X509 V3 routines:DO_EXT_NCONF:no config database:.\crypto\x5
09v3\v3_conf.c:156:
5432:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypt
o\x509v3\v3_conf.c:93:name=certificatePolicies, value=2.2.2.2   struct entry 
ext_ent[EXT_COUNT] = { {extendedKeyUsage, serverAuth,clientAuth},
  {certificatePolicies, 2.2.2.2},
  {subjectAltName, DNS:www.url2.co.uk,DNS:url2.co.uk },
  {authorityInfoAccess, 
OCSP;URI:http://ocsp.url2.co.uk,caIssuers;URI:http://my.ca/ca.html},
  {crlDistributionPoints, URI:http://crl.url2.co.uk/ssl.crl},
  {subjectKeyIdentifier, hash},
  {authorityKeyIdentifier, keyid},
  {basicConstraints, CA:FALSE},
  {keyUsage, digitalSignature,keyEncipherment} };   
  

Re: Cert issue with 64 bit build on Windows

[James Swift]

 Try running the OpenSSL tests using: nmake -f ms\ntdll.mak test


rsa_test
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
problems.

Anyone else experience these?

Build machine: Windows 7 Enterprise 64 bit, SP 1, Core i7 3930
Visual Studio 2010 Professional SP 1

perl Configure no-idea no-mdc2 no-rc5 VC-WIN64A
call ms\do_win64a
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test


James

On 28 September 2012 19:00, Dr. Stephen Henson st...@openssl.org wrote:
 On Fri, Sep 28, 2012, James Swift wrote:

 Hi,

 I have also posted this issue in the OpenSSL mailing list but it
 occurs down in the OpenSSL libraries and this is probably the place to
 ask.

 This issue doesn't occur in a 32 bit compile of OpenSSL 1.0.1c (with
 libcurl 7.27.0) but
 does when running the same code in 64 bit.*

 When I do something like this...

 curl -G https://myserver.com --cacert path-to-pem-file

 ...in 64 bit builds I get the following error

 error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

 as stated in 32 bit it's fine and the cert is accepted and the transfer 
 occurs.


 Try running the OpenSSL tests using: nmake -f ms\ntdll.mak test

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Cert issue with 64 bit build on Windows

[James Swift]

Tests passed with no-asm
I checked my nasm version and I was using an old release candidate
from 2010, 2.09rc6
Updated to version 2.10.05 from
http://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D

Tests passed without the no-asm option in this case so we can say that
a newer version of nasm than 2.09rc6 is required

Thanks for your help. I haven't checked yet but it seems likely this
will fix my curl problem.

May I suggest updating the INSTALL.W32 file to point to
http://www.nasm.us instead of the old sourceforge address and perhaps
suggest some recent version of nasm known to work.

thanks again,

James

On 1 October 2012 13:55, Dr. Stephen Henson st...@openssl.org wrote:
 On Mon, Oct 01, 2012, James Swift wrote:

  Try running the OpenSSL tests using: nmake -f ms\ntdll.mak test


 rsa_test
 PKCS #1 v1.5 encryption/decryption ok
 OAEP decryption (test vector data) failed!
 PKCS #1 v1.5 encryption/decryption ok
 OAEP decryption (test vector data) failed!
 PKCS #1 v1.5 encryption/decryption ok
 OAEP decryption (test vector data) failed!
 PKCS #1 v1.5 encryption/decryption ok
 OAEP decryption (test vector data) failed!
 PKCS #1 v1.5 encryption/decryption ok
 OAEP decryption (test vector data) failed!
 PKCS #1 v1.5 encryption/decryption ok
 OAEP decryption (test vector data) failed!
 problems.

 Anyone else experience these?

 Build machine: Windows 7 Enterprise 64 bit, SP 1, Core i7 3930
 Visual Studio 2010 Professional SP 1

 perl Configure no-idea no-mdc2 no-rc5 VC-WIN64A
 call ms\do_win64a
 nmake -f ms\ntdll.mak
 nmake -f ms\ntdll.mak test


 Could be a compiler and/or assembler issue. Are you using nasm for the build
 or ml64?

 Try using a no-asm option to Configure and install nasm if you haven't
 already.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Cert issue with 64 bit build on Windows

[James Swift]

Hi,

I have also posted this issue in the OpenSSL mailing list but it
occurs down in the OpenSSL libraries and this is probably the place to
ask.

This issue doesn't occur in a 32 bit compile of OpenSSL 1.0.1c (with
libcurl 7.27.0) but
does when running the same code in 64 bit.*

When I do something like this...

curl -G https://myserver.com --cacert path-to-pem-file

...in 64 bit builds I get the following error

error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

as stated in 32 bit it's fine and the cert is accepted and the transfer occurs.

I've debugged this down to code in OpenSSL, more specifically in
libeay, the call to RSA_public_decrypt in rsa_sign.c line 199 where
after that on line 221 the memcmp fails as s and m are not the same.

No idea if this helps understand the problem but I also noticed that
every time the two buffers are the same up to s[15] and m[15]

I'm kind of stuck at this stage, I've tried to debug into
RSA_public_decrypt but I'm just not familiar with any of these inner
workings to know what to look for. I did however notice plenty of
warnings when compiling about conversions from __int64 to smaller
types and a possible loss of data in conversion but found none of them
in code called up to this point.

Any help here would be greatly appreciated.

James

*
Compiled curl 7.27.0 as instructed in the docs with the following options

 mode=static VC=10 WITH_SSL=dll WITH_ZLIB=static USE_IDN=no
ENABLE_WINSSL=no MACHINE=x64

openssl 1.0.1c with options

 perl Configure no-idea no-mdc2 no-rc5 VC-WIN64A

zlib 1.2.7 with options

 AS=ml64 LOC=-DASMV -DASMINF -I. OBJA=inffasx64.obj gvmat64.obj
inffas8664.obj
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Openssl ca application

[James Burton]

Hello
 
Can you tell me what I am doing wrong , I am build a window application ( .exe )
 
 
and I got this error:
 
igncl.exe sign.c 
Microsoft (R) C/C++ Optimizing Compiler Version 17.00.50727.1 for x64 
Copyright (C) Microsoft Corporation.  All rights reserved. 

sign.c 
Microsoft (R) Incremental Linker Version 11.00.50727.1 
Copyright (C) Microsoft Corporation.  All rights reserved. 

/out:sign.exe 
sign.obj 
sign.obj : error LNK2019: unresolved external symbol EVP_DigestUpdate 
referenced 
 in function main 
sign.obj : error LNK2019: unresolved external symbol EVP_DigestInit referenced 
i 
n function main 
sign.obj : error LNK2019: unresolved external symbol EVP_SignFinal referenced 
in 
 function main 
sign.obj : error LNK2019: unresolved external symbol EVP_VerifyFinal referenced 
in function main 
sign.obj : error LNK2019: unresolved external symbol EVP_sha1 referenced in 
func 
tion main 
sign.obj : error LNK2019: unresolved external symbol EVP_PKEY_free referenced 
in 
 function main 
sign.obj : error LNK2019: unresolved external symbol X509_get_pubkey referenced 
in function main 
sign.obj : error LNK2019: unresolved external symbol ERR_print_errors_fp 
referen 
ced in function main 
sign.obj : error LNK2019: unresolved external symbol ERR_load_crypto_strings 
ref 
erenced in function main 
sign.obj : error LNK2019: unresolved external symbol PEM_read_X509 referenced 
in 
 function main 
sign.obj : error LNK2019: unresolved external symbol PEM_read_PrivateKey 
referen 
ced in function main 
sign.exe : fatal error LNK1120: 11 unresolved externals 
 
 
Thank you
 
From
 
James Burton


  

Tables for handling various non-blocking I/O errors

[James Marshall]

For my own benefit and that of others, I made a page at
http://jmarshall.com/stuff/handling-nbio-errors-in-openssl.html listing
various error conditions after SSL_accept(), SSL_connect(), SSL_read(),
SSL_write(), and SSL_shutdown(), all on *non-blocking* sockets.  The tables
show what to do after the given function returns the given result, also
considering the response from SSL_get_error().  The info is consolidated
from the docs for those six functions.

I'm new to OpenSSL, so I'd love it if someone who knows this stuff could
review it.  Corrections, additions, and suggestions all very welcome.

Thanks!

James

Meanings of various return codes with non-blocking I/O?

[James Marshall]

I'm trying to write a secure embedded HTTP server using OpenSSL.  I'm using
non-blocking I/O, and the main functions I'm using are SSL_accept(),
SSL_read(), SSL_write(), and SSL_shutdown().   After each one, I want to
handle all possible return codes, but I can't find docs that describe the
meaning of them all.  I've read many pages under
http://www.openssl.org/docs/ssl/ and reviewed s_server.c .

For example, SSL_accept() sometimes returns 0, with SSL_get_error()
returning SSL_ERROR_SYSCALL .  No errors show up from ERR_get_error().  How
should I handle this?  Merely trying the SSL_accept() again results in a
busy loop with the same results.

Here's the block of code in question, in Perl and using the Net::SSLeay
module (which is basically wrappers around OpenSSL functions with the
SSL_ prefixes removed).  $select_read and $select_write are IO::Select
objects, which are collections of handles to use in a select() call:

==
my $rv= Net::SSLeay::accept($ssl) ;
if ($rv=0) {
my $err= Net::SSLeay::get_error($ssl, $rv) ;
if ($err==Net::SSLeay::ERROR_WANT_READ() or
$err==Net::SSLeay::ERROR_WANT_ACCEPT()) {
$select_read-add($socket) ;
$select_write-remove($socket) ;
} elsif ($err==Net::SSLeay::ERROR_WANT_WRITE()) {
$select_write-add($socket) ;
$select_read-remove($socket) ;
} elsif ($err==Net::SSLeay::ERROR_SYSCALL()) {
warn Net::SSLeay::ERR_error_string($err) . \n  while
$err= Net::SSLeay::ERR_get_error() ;
}
return 0 ;

# Upon success, do stuff.
} else {
# do stuff
   .
   .
   .
}
==

The zero+SSL_ERROR_SYSCALL busy-loop result comes when using Chrome
19.0.1084.56, but not Firefox 13.0.  When I kill the server process, either
browser immediately displays the resulting page correctly.  Does this
behavior ring any bells?  This is all on Linux 3.1.10 (openSUSE).
SSL_read(), SSL_write(), and SSL_shutdown() are each handled with a similar
block.

That's one of several questions I have.  A more general question is:  Where
can I find descriptions of all return codes when using non-blocking I/O?

Thanks for any help!

Cheers,
James

A few questions about non-blocking I/O in a secure HTTP server

[James Marshall]

I'm trying to write a secure HTTP server with pipelining, using OpenSSL.
It uses non-blocking I/O, and I have a few questions.

The behavior I'm seeing is:  I start the server on localhost, then I open a
browser and try to access the server.  The browser hangs with Waiting for
localhost...; the full response has been written successfully by
SSL_write() but the browser doesn't show the page.  I then kill the server
process, and the page displays immediately in the browser.  Is this
behavior familiar to anyone?

More details:  It's a master-slave architecture with a pool of slave
processes, with each slave process handling one client connection, and the
master process doing little but multiplexing HTTP messages among the
sockets and pipes to/from the slaves.  The basic structure of the master
code is:

- select() on read and write;
- loop through write-ready file descriptors, and for any client sockets
call one of try_accept(), try_shutdown(), try_SSL_read(), or
try_SSL_write(), depending on flags that have been set for that file
descriptor;
- loop through read-ready file descriptors in a similar manner.

Each of the four try_xxx() routines calls the appropriate OpenSSL library
routine, and on return code = 0 handles each error code from
SSL_get_error().  For example, the raw socket is selected for reading upon
SSL_ERROR_WANT_READ, or for writing upon SSL_ERROR_WANT_WRITE.  Upon
success of each SSL routine, various flags and other state variables are
set.

Does it sound like this basic architecture can accommodate all the cases
needed for non-blocking I/O and OpenSSL?  Is handling the error codes from
those four routines sufficient, or are there others I need to handle?

Is there a way to check for EOF on the raw socket or SSL structure?

Is there a way to flush output written with SSL_write(), so that the
recipient can read it?  Would a rehandshaking do this, and if so how can
one trigger that?

When SSL_shutdown() returns 0 and SSL_ERROR_SYSCALL, how should one
select() on the underlying socket?  The docs I have found are unclear on
this.

Do I need to delve in to the BIO routines to get what I need?  (I know very
little about BIOs.)

The program is in Perl, but the main Perl API to OpenSSL (the Net::SSLeay
module) is mostly just wrappers, and I'm pretty sure these questions would
still apply if the program were in C.

I'm attaching the extracted code, in case anyone wants to look at it.  It's
500 lines including comments, but you can see e.g. just the error-handling
in try_SSL_read() by searching for sub try_SSL_read.  The full program is
available upon request.

Thanks a lot for any clues!  I appreciate all help.

Cheers,
James


embedded-server.pl
Description: Binary data

OpenSSL 1.0.1 handshake timeout

[James Earl]

I recently had a timeout issue with a service provider we connect to
over HTTPS.  I found downgrading to OpenSSL 1.0.0 solved the problem.
I'm not sure how to determine if it's a bug, an Arch Linux package
issue, or a problem with the service providers server?

I tested using Python and Ruby (multiple versions):

With OpenSSL 1.0.1-1 under Arch Linux, this times out:

python
 import requests
 r = requests.get('https://esqa.moneris.com', timeout=5)

With OpenSSL 1.0.0 under Arch Linux, it works.

OpenSSL 1.0.1 does work however connecting to other HTTPS servers such
as Google, and Thawte's test server.

My original post on ruby-forum:
http://www.ruby-forum.com/topic/3944461#new
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL 1.0.1 handshake timeout

[James Earl]

On Wed, Mar 28, 2012 at 10:16 AM, Dr. Stephen Henson st...@openssl.org wrote:
 On Wed, Mar 28, 2012, James Earl wrote:

 I recently had a timeout issue with a service provider we connect to
 over HTTPS.  I found downgrading to OpenSSL 1.0.0 solved the problem.
 I'm not sure how to determine if it's a bug, an Arch Linux package
 issue, or a problem with the service providers server?

 I tested using Python and Ruby (multiple versions):

 With OpenSSL 1.0.1-1 under Arch Linux, this times out:

 python
  import requests
  r = requests.get('https://esqa.moneris.com', timeout=5)

 With OpenSSL 1.0.0 under Arch Linux, it works.

 OpenSSL 1.0.1 does work however connecting to other HTTPS servers such
 as Google, and Thawte's test server.


 There is a known issue with some servers mentioned in PR#2771.

 See this link for more details:

 http://rt.openssl.org/Ticket/Display.html?id=2771user=guestpass=guest

Thanks, looks like there's also a thread on the Arch Linux forum which
I should have noticed:

https://bbs.archlinux.org/viewtopic.php?id=138103
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Cannot decrypt file - maybe wrong key?

[James Coldwell]

Hello List,

I'm trying to decrypt a backup file, using
openssl enc -d -aes-256-cbc -in etc.bz2.aes256 -out etc.tar.bz2 -pass
file:autobackup.aeskey
It returns
bad decrypt
34560:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad
decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp_enc.c:330:

I encrypted the file using
openssl enc -aes-256-cbc -salt -in etc.bz2 -out etc.bz2.aes256 -pass
file:autobackup.aeskey

Now, I'm fairly certain that it's the same key but not 100%.
Is there some other reason the decrypt could fail?

Regards,
James
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

September 6th Security Advisory

[james]

I noticed that the advisory mentions OpenSSL 0.9.8s, however, I haven't seen an announcement or tarball posted for this version, yet. Can we expect this version to be released or was the mention of OpenSSL 0.9.8s a mere typo?"This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental "ECCdraft" ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d."Unfortunately, we cannot upgrade to the 1.0.0 series until the new FIPS module is released, since 1.0.0 doesn't compile with the current FIPS module.Thanks!James

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: CMS signing with engine

[James Berry]

Steve, I'm sorry but I don't understand can you be a bit more explicit?

Best wishes
James


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: 06 July 2011 20:26
To: openssl-users@openssl.org
Subject: Re: CMS signing with engine

On Wed, Jul 06, 2011, James Berry wrote:

 I am trying to sign a file using the opensc pkcs11 engine.  I will be doing 
 this in code ultimately, but I thought I would make it work from the command 
 line first.

 I have the pkcs11 engine working ok and can make a certificate request, for 
 example, using the key on the smartcard.

 This works fine and produces a signed file in the format that I want
  cms -sign -in sign.txt -out signout.txt -signer signer.pem -outform
  DER


 This does not work, as it tries to open the key id on the card as a
 file; I assume that I need a different parameter to indicate the key
 id to use, but I can't find the right magic
  cms -engine pkcs11 -sign -in sign.txt -signer
  8320eb4fa0f91a25b9febcbe47845ba168055622 -keyform engine -out
  signout.txt -outform DER


The signing certificate needs to be specified as a file, the value you pass as 
the key will be used to access the engine. So try -signer and -inkey options.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Advanced Health and Care Limited part of Advanced Computer Software Group. 
Registered in England at Munro House, Portsmouth Road, Cobham, Surrey, KT11 
1TF. Registration number 02939302
This message (and any associated files) is intended only for the use of the 
stated recipient and may contain information that is confidential, subject to 
copyright or constitutes a trade secret. If you are not the intended recipient 
you are hereby notified that any dissemination, copying or distribution of this 
message, or files associated with this message, is strictly prohibited. If you 
have received this message in error or are not the intended recipient please 
notify us immediately by replying to the message or calling 01233 722700 and 
deleting it from your computer. Any views or opinions presented are solely 
those of the author and do not necessarily represent those of the company.
We advise that in keeping with good computing practice the recipient of this 
email should ensure that it is virus free. We do not accept responsibility for 
any virus that may be transferred by way of this email.
Email may be susceptible to data corruption, interception and unauthorised 
amendment, and we do not accept liability for any such corruption, interception 
or amendment or any consequences thereof.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

CMS signing with engine

[James Berry]

I am trying to sign a file using the opensc pkcs11 engine.  I will be doing 
this in code ultimately, but I thought I would make it work from the command 
line first.

I have the pkcs11 engine working ok and can make a certificate request, for 
example, using the key on the smartcard.

This works fine and produces a signed file in the format that I want
 cms -sign -in sign.txt -out signout.txt -signer signer.pem -outform DER


This does not work, as it tries to open the key id on the card as a file; I 
assume that I need a different parameter to indicate the key id to use, but I 
can't find the right magic
 cms -engine pkcs11 -sign -in sign.txt -signer 
 8320eb4fa0f91a25b9febcbe47845ba168055622 -keyform engine -out signout.txt 
 -outform DER


Can anyone help please?

Best wishes
James


Advanced Health and Care Limited part of Advanced Computer Software Group. 
Registered in England at Munro House, Portsmouth Road, Cobham, Surrey, KT11 
1TF. Registration number 02939302
This message (and any associated files) is intended only for the use of the 
stated recipient and may contain information that is confidential, subject to 
copyright or constitutes a trade secret. If you are not the intended recipient 
you are hereby notified that any dissemination, copying or distribution of this 
message, or files associated with this message, is strictly prohibited. If you 
have received this message in error or are not the intended recipient please 
notify us immediately by replying to the message or calling 01233 722700 and 
deleting it from your computer. Any views or opinions presented are solely 
those of the author and do not necessarily represent those of the company.
We advise that in keeping with good computing practice the recipient of this 
email should ensure that it is virus free. We do not accept responsibility for 
any virus that may be transferred by way of this email.
Email may be susceptible to data corruption, interception and unauthorised 
amendment, and we do not accept liability for any such corruption, interception 
or amendment or any consequences thereof.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Getting started to create PKCS7 message with PKCS11 provider

[James Berry]

Hi:



I need to sign a challenge string using the private key present on a smartcard. 
 The smartcard has a PKCS11-compliant library and I have been able to open the 
card etc with the PKCS11 driver.



Now I would like to sign a message in PKCS7 format to be sent elsewhere for 
verification. That verification is going to happen on a server running .net 
using the System.Cryptography.Pkcs.SignedCms class.



Whilst I can find reference on the net to openssl being able to create PKCS7 
signed messages, and also plug in a PKCS11 provider I can't find any good 
example code for either, and being a beginner at openssl I don't really know 
where to start.  Do I need to use the open-sc PKCS11 engine?



Can someone point me to some good examples that I can follow, or outline what 
I'll need to do to put together what I would imagine is quite a simple process 
when you know how :-)



Best wishes

James


James Berry
Chief Technical Officer

Advanced Health  Care
Unit 4 Eurogate Business Park, Ashford, Kent TN24 8SB
m: +44 (0) 7768 021031 t: +44 (0) 1233 722700 f: +44 (0) 1233 722701
www.advancedcomputersoftware.com/ahchttp://www.advancedcomputersoftware.com/ahc



Advanced Health and Care Limited part of Advanced Computer Software Group. 
Registered in England at Munro House, Portsmouth Road, Cobham, Surrey, KT11 
1TF. Registration number 02939302
This message (and any associated files) is intended only for the use of the 
stated recipient and may contain information that is confidential, subject to 
copyright or constitutes a trade secret. If you are not the intended recipient 
you are hereby notified that any dissemination, copying or distribution of this 
message, or files associated with this message, is strictly prohibited. If you 
have received this message in error or are not the intended recipient please 
notify us immediately by replying to the message or calling 01233 722700 and 
deleting it from your computer. Any views or opinions presented are solely 
those of the author and do not necessarily represent those of the company.
We advise that in keeping with good computing practice the recipient of this 
email should ensure that it is virus free. We do not accept responsibility for 
any virus that may be transferred by way of this email.
Email may be susceptible to data corruption, interception and unauthorised 
amendment, and we do not accept liability for any such corruption, interception 
or amendment or any consequences thereof.

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

Well my results are quite different, and I guess point to my p12 not being
correctly created. Strangely, the p12 I am running this test on works in
production and doesn't produce a warning (I re-created last years
certificate as a new p12 using the same process I am trying with this
years).

I also tried running this on my test apache site, where I am just using the
plain old certificate, key and network solutions supplied chain file -- and
the openssl s_client command returns better output but I still get a
warning!

[me@myserver ~]$ openssl s_client -connect www.example.com:443
CONNECTED(0003)
depth=0 /serialNumber=03-11-

1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
City/2.5.4.15=V1.0, Clause

5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
Company International Ltd
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=03-11-

1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
City/2.5.4.15=V1.0, Clause

5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
Company International Ltd
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=03-11-

1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
City/2.5.4.15=V1.0, Clause

5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
Company International Ltd
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=03-11-

1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
City/2.5.4.15=V1.0, Clause

5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
Company International Ltd/OU=Book

Sales/OU=Secure Link EV SSL/CN=www.example.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
---

On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling rob.stradl...@comodo.comwrote:

 On Monday 25 Apr 2011 20:07:03 James Chase wrote:
  I simplified the issue a bit in order to try and understand what is going
  on here and found that the SSL certificate that Network Solutions is
  providing, along with the intermediate chain file cannot be verified by
  newer installs of Firefox.

 Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
 (https://www.networksolutions.com) in FF4.  I see the EV green bar and no
 browser warnings.

 Could you post the top part of the output from openssl s_client -connect
 yourdomain:yourport ?

 Then we can compare it with...

 $ openssl s_client -connect www.networksolutions.com:443
 CONNECTED(0003)
 depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
 AddTrust External CA Root
 verify error:num=19:self signed certificate in certificate chain
 verify return:0
 ---
 Certificate chain
  0

 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
 Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology
 Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate
 Authority
  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate
 Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
 External
 CA Root
  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
 External
 CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
 External
 CA Root
 ---

  It doesn't have anything to do with the p12
  file I am creating (I loaded up the network solutions files in apache and
  tested).
 
  Who would be at fault here? Am I still doing something wrong, or is this
  Mozilla's fault for not including a needed root ca file? It seems the
  missing link is the AddTrustExternalCARoot certificate.
 
  I tried adding the AddTrustExternalCARoot cert to the top of my
 certificate
  chain, but this causes apache to break, and then not start complaining of
  [error] Failed to configure CA certificate chain!. I used a chain file
  that I have used in previous years, and that did allow apache to start
 but
  I still cannot verify with Firefox. Then I tried using last years (and
  soon expiring) certificate for my site and that works FINE. So ...
 Network
  Solutions screwed something up when issuing my certificate (this is the
  second one I have had re-issued) or am I doing something wrong. I have no
  idea what that could be at this point -- I have never had so much trouble
  with an SSL certificate and am not an expert by any means.
 
  Anyone have any thoughts? I called NS earlier in this process and they
 said
  not our problem but perhaps I will try

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

DgECAQgBMFMwUQYIKwYBBQUHAgEWRWh0dHA6Ly93d3cubmV0d29ya3NvbHV0aW9u
cy5jb20vbGVnYWwvU1NMLWxlZ2FsLXJlcG9zaXRvcnktZXYtY3BzLmpzcDBEBgNV
HR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVROLVVTRVJG
aXJzdC1IYXJkd2FyZS5jcmwwDQYJKoZIhvcNAQEFBQADggEBACxMoyanvTB6+D/Q
KLDQy/VRsYJooOHm//6GvIzUV4nV/waBUxvyCq/EVf+c1ugqWbE1imdUrn+jhPNJ
1g1T3hCjyNW4wZpY7lG19DGb2L/ycEiOpVkvE7hBuWg00Hl6lH05YDW0So5Ufbpw
EJX4sN7K9x3pgQJxELZP7e75+3IIDgOUo1H/Bbf5MrH042oU1stz3ABhCNIAJ4yN
i1iLJaqWl4dOnFn0jpGbIC9UcUcYeCiZmi8hzukmrzdW9VXgGdIIl+GjofIt8E78
ivkyIOC3hciok9UkjzP1CDM76hwBGwgjsEDyDhuybDlmrHxBo9Y4I5rrTkI9htf4
a7Mda4U=
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEaDCCA1CgAwIBAgIQMx840QfzOzsXUMTLCf7RjTANBgkqhkiG9w0BAQUFADBi
MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu
MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHhcNMDYxMjAxMDAwMDAwWhcNMTkxMjMxMjM1OTU5WjBWMQswCQYDVQQGEwJV
UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMSQwIgYDVQQDExtO
ZXR3b3JrIFNvbHV0aW9ucyBFViBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCyN4yhG+2yfihSSOW2DpRkSNFZ9qtX5vgDPLrdl/91GT6um4Sh
C25q28nkyauxj0zHD/X2Zh9PJRibJDrM4e7xFLwLeRzgooVAHAUTRGjguss5R8zs
ak9ZVYPryO1zkGHvwlq/coGsE/ZXH4QCRy9Gq5KYz/0rqhMKmX+INRY4u5LhtdMe
+d7cZgeICZYmIjnfQuOJuPmQqBnB3HWWc9TRHEPXDM8WevW/7E41rOYRkIQI0dKh
SpBPJzuJvSg8oGZSJSwr4i5tnk6R6vTx3YsKL4Bh83Xyl5pskmzpDcO3kCdHSw6Q
IrgP/rW3yAAkZaxfLo09Dm6YMwwCN8jd8171AgMBAAGjggEkMIIBIDAfBgNVHSME
GDAWgBQhMMn7ANdOmNqHqirQpy6xQDGnTDAdBgNVHQ4EFgQUtk6FnYQfGx3UUolO
B5Yt+d7xj8wwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwZgYD
VR0gBF8wXTBbBgRVHSAAMFMwUQYIKwYBBQUHAgEWRWh0dHA6Ly93d3cubmV0d29y
a3NvbHV0aW9ucy5jb20vbGVnYWwvU1NMLWxlZ2FsLXJlcG9zaXRvcnktZXYtY3Bz
LmpzcDBSBgNVHR8ESzBJMEegRaBDhkFodHRwOi8vY3JsLm5ldHNvbHNzbC5jb20v
TmV0d29ya1NvbHV0aW9uc0NlcnRpZmljYXRlQXV0aG9yaXR5LmNybDANBgkqhkiG
9w0BAQUFAAOCAQEAt67r9Jc4wmqrIbOSf9cag1TfZZFPfe+Pz8nQugXQLlcQMtsq
Ccd96MLPg1vdaWLglqmlfilrI8xkbj8P5DBVQnGLkxxpCV4Nard07eWpghjIEWcl
DSpoJSSy8ieH7U4/kuZE79tAWQw5EvgfyL6fpMLHvNT63G6bW7ekRuSEjA0njqpC
y/Bbi7gDW2FzQ8Y0gMyYKtHVTBFz7vyr2hwB37bUWq009kMRVUhhHYpF6fAnByZC
phBXxfqQaC1XmE7tnyt8QLI2NBXDpDTTMtaEcU0VKnsb6X0p+u1r6S+/I2pjan9m
G0pID0nsP9iH2xyG+8F+Fxcxt7ve0T2YGYfgMg==
-END CERTIFICATE-

On Tue, Apr 26, 2011 at 8:19 AM, James Chase chase1...@gmail.com wrote:

 Well my results are quite different, and I guess point to my p12 not being
 correctly created. Strangely, the p12 I am running this test on works in
 production and doesn't produce a warning (I re-created last years
 certificate as a new p12 using the same process I am trying with this
 years).

 I also tried running this on my test apache site, where I am just using the
 plain old certificate, key and network solutions supplied chain file -- and
 the openssl s_client command returns better output but I still get a
 warning!

 [me@myserver ~]$ openssl s_client -connect www.example.com:443
 CONNECTED(0003)
 depth=0 /serialNumber=03-11-

 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
 City/2.5.4.15=V1.0, Clause

 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
 Company International Ltd
 verify error:num=20:unable to get local issuer certificate
 verify return:1
 depth=0 /serialNumber=03-11-

 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
 City/2.5.4.15=V1.0, Clause

 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
 Company International Ltd
 verify error:num=27:certificate not trusted
 verify return:1
 depth=0 /serialNumber=03-11-

 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
 City/2.5.4.15=V1.0, Clause

 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
 Company International Ltd
 verify error:num=21:unable to verify the first certificate
 verify return:1
 ---
 Certificate chain
  0 s:/serialNumber=03-11-

 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A
 City/2.5.4.15=V1.0, Clause

 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A
 Company International Ltd/OU=Book

 Sales/OU=Secure Link EV SSL/CN=www.example.com
i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
 ---

 On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling 
 rob.stradl...@comodo.comwrote:

 On Monday 25 Apr 2011 20:07:03 James Chase wrote:
  I simplified the issue a bit in order to try and understand what is
 going
  on here and found that the SSL certificate that Network Solutions is
  providing, along with the intermediate chain file cannot be verified by
  newer installs of Firefox.

 Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
 (https://www.networksolutions.com) in FF4.  I see the EV green bar and no
 browser warnings.

 Could you post the top part of the output from openssl s_client -connect
 yourdomain:yourport ?

 Then we can compare it with...

 $ openssl s_client -connect www.networksolutions.com:443

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

 You've got the wrong chain file.  I understand that NetSol switched to a
 new
 EV Issuing CA a few months ago.  Are you definitely using the chain file
 that
 they supplied with your latest site cert?


I am using the chain file that they suggest downloading which already has
the intermediate files concatenated into a file -- but apparently it is
wrong. I checked the .crt file that they include with my site certificate
and they are the same certs that are in the chain file they have
precompiled. I can't believe how much time I have spent on this issue and
could the root of the issue be that they are not packaging the right files
with my new certificate? wtf

Mounir, where did you get those certificates?? The only cert that you used
that came with my certificate is the last one, AddTrustExternalCARoot -- the
other two are NOT included and are not in NetSol's precompiled chain file.
Your chain file works when I test with apache, and I have just created a p12
from those chain files and that works too! Halellujah.

But seriously, how did you synthesize that chain file? And how would I be
expected to create that on my own?? I spent an hour and a half on the phone
with NetSol telling them their was something wrong with their files and they
just kept saying it was my fault and they will bill me $120/hour to fix it.





  On Tue, Apr 26, 2011 at 8:19 AM, James Chase chase1...@gmail.com
 wrote:
   Well my results are quite different, and I guess point to my p12 not
   being correctly created. Strangely, the p12 I am running this test on
   works in production and doesn't produce a warning (I re-created last
   years certificate as a new p12 using the same process I am trying with
   this years).
  
   I also tried running this on my test apache site, where I am just using
   the plain old certificate, key and network solutions supplied chain
 file
   -- and the openssl s_client command returns better output but I still
   get a warning!
  
   [me@myserver ~]$ openssl s_client -connect www.example.com:443
   CONNECTED(0003)
   depth=0 /serialNumber=03-11-
  
  
 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1
   .3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause
  
   5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park
 St/O=A
   Company International Ltd
   verify error:num=20:unable to get local issuer certificate
   verify return:1
   depth=0 /serialNumber=03-11-
  
  
 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1
   .3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause
  
   5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park
 St/O=A
   Company International Ltd
   verify error:num=27:certificate not trusted
   verify return:1
   depth=0 /serialNumber=03-11-
  
  
 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1
   .3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause
  
   5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park
 St/O=A
   Company International Ltd
   verify error:num=21:unable to verify the first certificate
   verify return:1
   ---
   Certificate chain
  
0 s:/serialNumber=03-11-
  
  
 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1
   .3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause
  
   5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park
 St/O=A
   Company International Ltd/OU=Book
  
   Sales/OU=Secure Link EV SSL/CN=www.example.com
  
  i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
  
   ---
  
   On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling
 rob.stradl...@comodo.comwrote:
   On Monday 25 Apr 2011 20:07:03 James Chase wrote:
I simplified the issue a bit in order to try and understand what is
  
   going
  
on here and found that the SSL certificate that Network Solutions is
providing, along with the intermediate chain file cannot be verified
by newer installs of Firefox.
  
   Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
   (https://www.networksolutions.com) in FF4.  I see the EV green bar
 and
   no browser warnings.
  
   Could you post the top part of the output from openssl s_client
   -connect yourdomain:yourport ?
  
   Then we can compare it with...
  
   $ openssl s_client -connect www.networksolutions.com:443
   CONNECTED(0003)
   depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network,
 CN
   = AddTrust External CA Root
   verify error:num=19:self signed certificate in certificate chain
   verify return:0
   ---
   Certificate chain
  
0
  
  
 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2
   .1.2=Delaware/businessCategory=Private
   Organization/C=US/ST=VA/L=Herndon/O=Network Solutions,
   LLC/OU=Technology Services/OU=Secure Link EV
   SSL/CN=www.networksolutions.com
  
 i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
  
1 s:/C=US/O=Network Solutions L.L.C./CN

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

 I got the the correct certificate chain from my Windows 7 box. Microsoft
 tends to update its trusted CA certificates store more quickly and regularly
 than Mozilla or Linux distros: the latest update was last month on March
 23rd 2011.
 It is sad that even Network Solutions guys are not aware of this
 update...This issue should not have existed at the first place!

 Good luck,

 I really can't thank you enough. I wouldn't have known how to follow the
chain and find which files were needed to build up their intermediate
certificate chain (though thanks to your notes, I do now).

I still can't believe how badly Network Solutions screwed this situation up
and the extremely poor level of support I received from them. They should
have been able to figure out I was using the wrong chain files -- they
supposedly ran scripts on my ssl certificate when I called them.

Hope someone else can benefit from being aware of this issue. Thanks for all
your help guys!

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

I did run the verification, and didn't have an issue there. Still am not
able to figure out how to correctly create this as the only way the p12
compiles is by dropping the -chain command but that creates ssl
verifications warnings in Firefox web browsers.

openssl req -verify -in www.example.com.csr -key www.example.com.key
verify OK
-BEGIN CERTIFICATE REQUEST-
CERTIFICATE DATA HERE
-END CERTIFICATE REQUEST-

On Sat, Apr 23, 2011 at 4:41 PM, James Chase chase1...@gmail.com wrote:

 I am using the same system -- I have tried with last years chain file as
 well. The only thing that would be different to my knowledge are possibly
 the version of openssl and the renewed crt file if it possibly requires new
 CA's (I did use their most current certificates before I tried using my old
 cafile).

 openssl verify never returns, I'm not sure what the syntax I am shooting
 for there is.

 When i try without using the -chain command then it compiles the p12 and
 it does seem to load in Chrome and IE ,but in FF3 I get:

 secure.example.com uses an invalid security certificate.

 The certificate is not trusted because the issuer certificate is unknown.

 (Error code: sec_error_unknown_issuer)

 And in FF4 I get:

 store.innertraditions.com uses an invalid security certificate.

 The certificate is not trusted because no issuer chain was provided.

 (Error code: sec_error_unknown_issuer)


 I have always used the -chain and -CAfile options together when creating
 p12's.

 On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal crypto@gmail.com wrote:

  On 04/21/2011 06:51 PM, James Chase wrote:

 I have done this multiple years in a row with the exact same process but
 now I get the following error when I try to create my SSL:

 openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
 Error unable to get local issuer certificate getting chain.

 I concatenated all the intermediate files in the order they suggest, and
 according to the process I have documented that has worked the past few
 years. I also downloaded the pre-built chain file where they already
 concatenated the needed files together but I get the same error. I also
 tried the same chain file I used last year -- same results. Googling is not
 helping me understand this error. Anyone know what could be going on here
 with the EV SSL creation for Network Solutions?


 --
 Beware of all enterprises that require new clothes.
   --  Henry David Thoreau



 James,

 You don't need to include the -chain' option since you are providing the
 chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build
 the chain for you.

 --Crypto.Sal




 --
 Beware of all enterprises that require new clothes.
   --  Henry David Thoreau




-- 
Beware of all enterprises that require new clothes.
  --  Henry David Thoreau

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

I simplified the issue a bit in order to try and understand what is going on
here and found that the SSL certificate that Network Solutions is providing,
along with the intermediate chain file cannot be verified by newer installs
of Firefox. It doesn't have anything to do with the p12 file I am creating
(I loaded up the network solutions files in apache and tested).

Who would be at fault here? Am I still doing something wrong, or is this
Mozilla's fault for not including a needed root ca file? It seems the
missing link is the AddTrustExternalCARoot certificate.

I tried adding the AddTrustExternalCARoot cert to the top of my certificate
chain, but this causes apache to break, and then not start complaining of
[error] Failed to configure CA certificate chain!. I used a chain file
that I have used in previous years, and that did allow apache to start but I
still cannot verify with Firefox. Then I tried using last years (and soon
expiring) certificate for my site and that works FINE. So ... Network
Solutions screwed something up when issuing my certificate (this is the
second one I have had re-issued) or am I doing something wrong. I have no
idea what that could be at this point -- I have never had so much trouble
with an SSL certificate and am not an expert by any means.

Anyone have any thoughts? I called NS earlier in this process and they said
not our problem but perhaps I will try again.

On Mon, Apr 25, 2011 at 11:01 AM, James Chase chase1...@gmail.com wrote:

 I did run the verification, and didn't have an issue there. Still am not
 able to figure out how to correctly create this as the only way the p12
 compiles is by dropping the -chain command but that creates ssl
 verifications warnings in Firefox web browsers.

 openssl req -verify -in www.example.com.csr -key www.example.com.key
 verify OK
 -BEGIN CERTIFICATE REQUEST-
 CERTIFICATE DATA HERE
 -END CERTIFICATE REQUEST-

 On Sat, Apr 23, 2011 at 4:41 PM, James Chase chase1...@gmail.com wrote:

 I am using the same system -- I have tried with last years chain file as
 well. The only thing that would be different to my knowledge are possibly
 the version of openssl and the renewed crt file if it possibly requires new
 CA's (I did use their most current certificates before I tried using my old
 cafile).

 openssl verify never returns, I'm not sure what the syntax I am shooting
 for there is.

 When i try without using the -chain command then it compiles the p12 and
 it does seem to load in Chrome and IE ,but in FF3 I get:

 secure.example.com uses an invalid security certificate.

 The certificate is not trusted because the issuer certificate is unknown.

 (Error code: sec_error_unknown_issuer)

 And in FF4 I get:

 store.innertraditions.com uses an invalid security certificate.

 The certificate is not trusted because no issuer chain was provided.

 (Error code: sec_error_unknown_issuer)


 I have always used the -chain and -CAfile options together when creating
 p12's.

 On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal crypto@gmail.comwrote:

  On 04/21/2011 06:51 PM, James Chase wrote:

 I have done this multiple years in a row with the exact same process but
 now I get the following error when I try to create my SSL:

 openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
 Error unable to get local issuer certificate getting chain.

 I concatenated all the intermediate files in the order they suggest, and
 according to the process I have documented that has worked the past few
 years. I also downloaded the pre-built chain file where they already
 concatenated the needed files together but I get the same error. I also
 tried the same chain file I used last year -- same results. Googling is not
 helping me understand this error. Anyone know what could be going on here
 with the EV SSL creation for Network Solutions?


 --
 Beware of all enterprises that require new clothes.
   --  Henry David Thoreau



 James,

 You don't need to include the -chain' option since you are providing the
 chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build
 the chain for you.

 --Crypto.Sal




 --
 Beware of all enterprises that require new clothes.
   --  Henry David Thoreau




 --
 Beware of all enterprises that require new clothes.
   --  Henry David Thoreau




-- 
Beware of all enterprises that require new clothes.
  --  Henry David Thoreau

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

  openssl verify -CAfile chain.crt my.cert.crt

 IF you have installed some 'common' or 'standard' CAs in your
 system's default truststore -- or if you're using a packaged
 build that does so for you -- turn that off to make sure it
 doesn't silently 'fill in' certs for you, something like:

  openssl verify -CAfile chain.crt -CApath /dev/null my.cert.crt

Thanks, that make sense. However the output is basically the same as the
original error when I was using the -chain command.

error 20 at 0 depth lookup:unable to get local issuer certificate

I spent a long time on the phone with Network Solutions today and they claim
up and down the river that it is not their problem. However when I generate
a p12 file with the chain files they supplied and last years certificate, it
works fine. When I create a p12 with the same chain files and options but
use this years certificate -- doesn't work.

OR using the verify comparison, last years crt w/ this years chain file:
../p12/www.example.com.crt: OK
versus the above error ouput

The only way they will give any feedback is at $60/half hour. Nice support
team.




 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




-- 
Beware of all enterprises that require new clothes.
  --  Henry David Thoreau

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

 I have done this multiple years in a row with the exact same process but
 now I get the following error when I try to create my SSL:

 openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
 Error unable to get local issuer certificate getting chain.

 I just tried requesting a new certificate with a new CSR and re-downloaded
all the files but still have the same results. Can someone offer any advice?
I'm at a total loss here.

The only way I can get the p12 created is by not including the chain, but
then the SSL is worthless


 --
 Beware of all enterprises that require new clothes.
   --  Henry David Thoreau




-- 
Beware of all enterprises that require new clothes.
  --  Henry David Thoreau

Re: issue with p12 creation and network solutions EV SSL

[James Chase]

I am using the same system -- I have tried with last years chain file as
well. The only thing that would be different to my knowledge are possibly
the version of openssl and the renewed crt file if it possibly requires new
CA's (I did use their most current certificates before I tried using my old
cafile).

openssl verify never returns, I'm not sure what the syntax I am shooting for
there is.

When i try without using the -chain command then it compiles the p12 and
it does seem to load in Chrome and IE ,but in FF3 I get:

secure.example.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

And in FF4 I get:

store.innertraditions.com uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)


I have always used the -chain and -CAfile options together when creating
p12's.

On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal crypto@gmail.com wrote:

  On 04/21/2011 06:51 PM, James Chase wrote:

 I have done this multiple years in a row with the exact same process but
 now I get the following error when I try to create my SSL:

 openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
 Error unable to get local issuer certificate getting chain.

 I concatenated all the intermediate files in the order they suggest, and
 according to the process I have documented that has worked the past few
 years. I also downloaded the pre-built chain file where they already
 concatenated the needed files together but I get the same error. I also
 tried the same chain file I used last year -- same results. Googling is not
 helping me understand this error. Anyone know what could be going on here
 with the EV SSL creation for Network Solutions?


 --
 Beware of all enterprises that require new clothes.
   --  Henry David Thoreau



 James,

 You don't need to include the -chain' option since you are providing the
 chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build
 the chain for you.

 --Crypto.Sal




-- 
Beware of all enterprises that require new clothes.
  --  Henry David Thoreau

issue with p12 creation and network solutions EV SSL

[James Chase]

I have done this multiple years in a row with the exact same process but now
I get the following error when I try to create my SSL:

openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
-inkey my.domain.com.key -in MY.DOMAIN.COM.crt
Error unable to get local issuer certificate getting chain.

I concatenated all the intermediate files in the order they suggest, and
according to the process I have documented that has worked the past few
years. I also downloaded the pre-built chain file where they already
concatenated the needed files together but I get the same error. I also
tried the same chain file I used last year -- same results. Googling is not
helping me understand this error. Anyone know what could be going on here
with the EV SSL creation for Network Solutions?


-- 
Beware of all enterprises that require new clothes.
  --  Henry David Thoreau

Re: opensll-0.9.8q.tar.gz corrupted.

[james]

The tarball doesn't appear to be corrupted for me, what errors are you getting?Under Redhat EL4 and EL5 VMs,tar zxf openssl-0.9.8q.tar.gz, works perfectly fine for me. Original Message From: Brent Evans brent.ev...@gmail.comTo: openssl-users@openssl.orgSent: Fri, Dec 3, 2010, 8:48 AMSubject: opensll-0.9.8q.tar.gz corrupted.It would appear that the opensll-0.9.8q.tar.gz file is corrupt. 
un-tar fails.

Cheers,

Brent


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

OpenSSL 1.0.0 FIPS module

[james]

Hello,Aside from searching the net, I've learned that the FIPS module for OpenSSL 1.0.0 requires funding for the project and availability of the next FIPS revision (I think). I'm curious if there's an ETA on the module at all? I've also noticed that Redhat (Fedora) is pushing OpenSSL 1.0.0 with FIPS, I'm assuming they've either modified the FIPS module to be compatible with OpenSSL 1.0.0, they've obtained their own module by other means or some other method.Any information on this would be helpful.Thanks in advanced,James

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Re: OpenSSL 1.0.0 FIPS module

[james]

I completely understand and appreciate your quick response :) For the time 
being, we'll stick with using the latest version of the 0.9.X series of OpenSSL.

Thanks again,
James

 Original Message 
From: Steve Marquess marqu...@opensslfoundation.com
To: openssl-users@openssl.org
Sent: Thu, Jul 29, 2010, 11:29 AM
Subject: Re: OpenSSL 1.0.0 FIPS module

ja...@nixsecurity.org wrote:
 Hello,

 Aside from searching the net, I've learned that the FIPS module for
 OpenSSL 1.0.0 requires funding for the project and availability of the
 next FIPS revision (I think). I'm curious if there's an ETA on the
 module at all? I've also noticed that Redhat (Fedora) is pushing
 OpenSSL 1.0.0 with FIPS, I'm assuming they've either modified the FIPS
 module to be compatible with OpenSSL 1.0.0, they've obtained their own
 module by other means or some other method.

 Any information on this would be helpful.

 Thanks in advanced,
 James

I'll have to speculate here as I've had no contact with Red Hat, but it
appears that they have obtained their own proprietary validation based
on OpenSSL
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1320).
This is a pretty common thing for proprietary software vendors to do,
and obtaining such a binary validation is much easier than for the open
source based ones (e.g. the OpenSSL FIPS Object Module v1.2, #1051).
I've been told by those in the know that the *majority* of all software
validations are based on OpenSSL.

There is no schedule for a new open source based 1.0 compatible
validation because we have no funding.  In fairness to the commercial
vendors like Red Hat, it isn't to their economic advantage to support a
validation that could be leveraged by their competitors.  To those
vendors who do have validated crypto modules the FIPS 140-2 procurement
requirements are a marvelous advantage that lock out a lot of potential
competition, well worth the (significant) expense.

Not such a good deal for the U.S. and Canadian taxpayers, as they
indirectly pay for many validations of essentially the same software,
but there is currently no one really representing that interest (the
previous validations did receive significant financial support from the
U.S. government and DoD, but that was all done on a one-off basis).

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Missing Headers

[James, Voyle E Mr CTR US USA HQDA ITA BSS]

Harshvir,

 

Include/openssl is populated with links during the make phase. It always
starts empty.

 

Ed

 

 

Ed James, Contractor ed.jam...@us.army.mil 703-588-8736-voice
703-693-7507-fax

ITA BSS/TCS

1777 North Kent Street, Suite 4100, Arlington, VA 22209

 

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Harshvir Sidhu
Sent: Thursday, June 17, 2010 12:01 PM
To: openssl-users@openssl.org
Subject: Missing Headers

 

I just downloaded the openssl-1.0.0a, and all the header files in
include\openssl are empty.

I checked couple of old version also like 0.9.8o, n, m, all of them have
this folder empty.

Is there something i need to do get them?

 

// Harshvir

Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86

[James, Voyle E Mr CTR US USA HQDA ITA BSS]

We were able to get 32 and 64 bit OpenSSL on Solaris 10 x86 with these
config files:

32 bit:

/usr/local/bin/perl ./Configure \
shared \
zlib-dynamic \
386 \
--prefix=/usr/sfw \
--openssldir=/usr/sfw/openssl \
-I/usr/sfw/include \
-I/usr/local/include \
-L/usr/sfw/lib \
-L/usr/local/lib \
-R/usr/sfw/lib:/usr/local/lib \
-m32 \
solaris-x86-gcc

64 bit:

/usr/local/bin/perl ./Configure \
shared \
zlib-dynamic \
--prefix=/usr/sfw \
--openssldir=/usr/sfw/openssl \
-I/usr/sfw/include \
-I/usr/local/include \
-L/usr/sfw/lib \
-L/usr/local/lib \
-R/usr/sfw/lib:/usr/local/lib \
solaris64-x86_64-gcc

The difference is:

32:386 -m32 solaris-x86-gcc
64:solaris64-x86_64-gcc

Ed James, Contractor ed.jam...@us.army.mil 703-588-8736-voice
703-693-7507-fax
ITA BSS/TCS
1777 North Kent Street, Suite 4100, Arlington, VA 22209


In fact, we were able to create usable 32-bit with SunStudio compilers
(C++ 5.0, 5.5, 5.8) on Solaris8/9/10 on SPARC.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. David Kirkby
Sent: April 23, 2010 3:13 PM
To: openssl-users@openssl.org
Subject: Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86

Alona Rossen wrote:
 Specifyng solaris64-x86_64-gcc as a target results in a 64-bit
library,
 while we need a 32-bit library.

Oh, sorry i missed that.

I also failed to create a 32-bit library. It so happened that in the
software I 
wanted to develop, 64-bit was more sensible, so I ignored the fact I was
unable 
to create a 32-bit library.

I believe you are correct in saying this will not work. You will
probably need 
the assistance of a developer in that case. It might be easier if you
can give 
them access to a Solaris system, though with VirtualBox, they should be
able to 
set one up easily.

dave

 
 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. David Kirkby
 Sent: April 23, 2010 1:33 PM
 To: openssl-users@openssl.org
 Subject: Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86
 
 Alona Rossen wrote:
  

 Hello,

  

 I built 32-bit OpenSSL 0.9.8 and OpenSSL 1.0.0 on Solaris10x86_64 
 (64-bit kernel on Intel) with gcc compiler. Makefiles were generated 
 with the following command:

  

 Configure solaris-x86-gcc
 
 Try solaris64-x86_64-gcc as the target, which was the default when I
run
 Configure.
 
 I've built 0.9.8l on a Sun Ultra 27 (quad core 3.33 GHz Xeon
processor)
 using 
 OpenSolaris 06/2009 and gcc 4.3.4. It builds fine and passes tests
 
 DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024
 bit RSA
 DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024
 bit RSA
 DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024
 bit RSA
 10 handshakes of 256 bytes done
 Approximate total server time:   0.05 s
 Approximate total client time:   0.00 s
 Test IGE mode
 ../util/shlib_wrap.sh ./igetest
 Test JPAKE
 ../util/shlib_wrap.sh ./jpaketest
 No JPAKE support
 make[1]: Leaving directory `/export/home/drkirkby/openssl-0.9.8l/test'
 util/opensslwrap.sh version -a
 OpenSSL 0.9.8l 5 Nov 2009
 built on: Fri Apr 23 18:24:58 BST 2010
 platform: solaris64-x86_64-gcc
 options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int)
idea(int)
 
 blowfish(ptr2)
 compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H
 -m64 -O3 
 -Wall -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM
 -DSHA256_ASM 
 -DSHA512_ASM -DMD5_ASM -DAES_ASM
 OPENSSLDIR: /usr/local/ssl
 drkir...@hawk:~/openssl-0.9.8l$
 
 
 I have not tried this on Solaris 10 though - at least not on x86. I
have
 built 
 versions on SPARC before, but that is less relevant to you.
 
 dave
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
 

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Using OpenSsl in a .Net server (ongoing opensource project)

[James Mansion]

Amit Ben Shahar wrote:
The .Net.Security.SslStream is not working in asynchronous calls, 
meaning we'd have to implement it in a thread-per-connection paradigm, 
which is obviously not an option.
Why 'obviously'? You might be surprised by how many threads can be 
managed by Windows before it all falls down, especially if you can build 
for 64 bit.  You can't expect to support an enormous number of 
concurrently communicating SSL connections with an event-based system 
either.  I certainly accept that its desirable to have C10k support.  
You always have the option of placing OpenSSL in a coprocess and talking 
to it with a message interface over mapped memory.  Or you could 
investigate rolling your own with the kit available from 
System.Security.Cryptography.


 


2) Why can't you 'compile with the applink.c file'?  You need a
talk to it through p/invoke - you may need to write another glue
DLL to do this.  If you can locate an OpenSSL implementation that
has been wrapped as a free-threaded COM service, you might find
things easier if you don't know how to write such glue.  You could
try looking in Mono's runtime, too, which I suspect delegates to
OpenSsl (tho I haven't checked).

 
As far as i understood it, openSsl looks for the applink 
implementation in the actual application and not in dlls, but i could 
have misread that, anyhow i'm not sure i would know how to do that, 
can you maybe directly to such an implmentation (free-threaded COM) ?
Why do you think applink support can't be in a DLL?  From the look of 
what it does, you might need to create additional bridging between it 
and your .net code for good integration. Its trying to use C library 
functions but none of them look like they aren't available with the DLL 
C runtime - though its likely that some of them won't do quite what you 
might expect in a non-console application. The important bit seems to be 
that applink should be accessing the application's choice of C runtime 
version in the case where you are wanting to mix and the openssl dll 
wasn't compiled against the same one.  Since you can see which runtime 
is being used by the .Net runtime, that shouldn't be too hard.


I suspect that you are going to have to write some C or C++ bridging 
code.  How comfortable are you with that?  Microsoft's Managed C++ 
should be able to help, but you'll give up any likelihood of running on 
Mono in that case, while a coprocess with a messaging interface - which 
has extra copying costs - can isolate you entirely and a portable 
coprocess (or coprocesses - you can mux sessions across several) can be 
quite a portable solution.


You are trying to use a C library - you can expect to need C/C++ skills 
for this to work well.
- in the meantime i'll try checking in Mono, though i've never ever 
looked at it yet. maybe i'll get lucky ;)
 
thanks


You could also try this: http://openssl-net.sourceforge.net/

I have no idea how well it works - I just stumbled across it.

James

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Using OpenSsl in a .Net server (ongoing opensource project)

[James Mansion]

Amit Ben Shahar wrote:
One of the crucial ingredients is ssl using OpenSsl. but we are 
encountering a problem with the 'no OPENSSL_Applink' error.
as this is a .Net project, there is no way (i can think of) to compile 
with the applink.c file.
1) Why is that crucial?  Microsoft provide crypto support on Windows, 
albeit with a different interface.  What's wrong with 
System.Net.Security.SslStream?


2) Why can't you 'compile with the applink.c file'?  You need a talk to 
it through p/invoke - you may need to write another glue DLL to do 
this.  If you can locate an OpenSSL implementation that has been wrapped 
as a free-threaded COM service, you might find things easier if you 
don't know how to write such glue.  You could try looking in Mono's 
runtime, too, which I suspect delegates to OpenSsl (tho I haven't checked).


James


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

apps/Makefile - E_SRC

[James Mansion]

Why does E_EXE contain dhparam and E_OBJ contain dhparam.o, but E_SRC 
does not contain dhparam.c?


(OpenSSL 1.0.0 fwiw)


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Old unused code in 1.0.0 release?

[James Mansion]

Why is there code that will not compile still in the tarball?

Granted your makefiles don't try to build it - so why's it there?

Look at pkcs7/bio_ber.c:bio_ber_get_header

This function clearly doesn't compile (missing semicolon after 'unsigned 
long length'). Looks like its been like that for a very long time.


Note sure the LPdir stuff is used any more either is it?


(I'm trying to build openssl with a custom build system, BTW. Yes I know 
its not supported)


James

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

How to compile for 64-bit operation on Mac OS Intel?

[James Brown]

When I try to compile Postfix 2.7.0, sudo make install ends with:

cc -arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl 
-DHAS_PCRE -I/usr/local/include -DHAS_SSL -I/usr/include/openssl -DHAS_MYSQL 
-I/usr/local/mysql/include/mysql -DBIND_8_COMPAT -DNO_NETINFO -DNO_KQUEUE -g -O 
-I. -I../../include -DMACOSX -o smtpd smtpd.o smtpd_token.o smtpd_check.o 
smtpd_chat.o smtpd_state.o smtpd_peer.o smtpd_sasl_proto.o smtpd_sasl_glue.o 
smtpd_proxy.o smtpd_xforward.o smtpd_dsn_fix.o smtpd_milter.o smtpd_resolve.o 
../../lib/libmaster.a ../../lib/libtls.a ../../lib/libdns.a 
../../lib/libxsasl.a ../../lib/libmilter.a ../../lib/libglobal.a 
../../lib/libutil.a -L/usr/lib -lldap -lsasl2 -L/usr/lib -llber 
-L/usr/local/lib -L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib/mysql 
-lmysqlclient -lz -lm -flat_namespace
ld warning: in /usr/lib/libssl.dylib, file is not of required architecture
Undefined symbols:
  _SSL_CTX_sess_set_get_cb, referenced from:
  _tls_server_init in libtls.a(tls_server.o)
  _BIO_set_callback, referenced from:
  _tls_server_start in libtls.a(tls_server.o)
  _tls_server_start in libtls.a(tls_server.o)
  _SSL_CTX_set_info_callback, referenced from:
  _tls_server_init in libtls.a(tls_server.o)
  _SSL_CTX_sess_set_new_cb, referenced from:
  _tls_server_init in libtls.a(tls_server.o)
  _EVP_MD_size, referenced from:
  _tls_server_init in libtls.a(tls_server.o)
ld: symbol(s) not found
collect2: ld returned 1 exit status
make: *** [smtpd] Error 1
make: *** [update] Error 1

I've installed OpenSSL 0.9.8n using:

./config --prefix=/usr threads shared

The machine is a Mac Mini running OS X 10.5.8 (Leopard).

Any suggestions?

Thanks,

James.__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Heap32Next performance awful on 64-bit Win7 (Was: CryptoAPI calls failing in rand_win on Windows 7)

[James Baker]

 Ger Hobbelt g...@hobbelt.com wrote:
 Odd question maybe, but does the API call slowdown too when traversing
 other heaps (which carry fewer items)?

Yes.  This surprised me, but Heap32Next takes the same amount of time
to execute when traversing the 2nd heaplist (which has 15 items) as it
does the 1st heaplist (which has a million items).

 Are those time-per-API-call numbers averaged or does /each/ Heap32Next
 call take this long?!

Each and every call takes the same long amount of time.  To me, this
indicates that the time spent is not actually spent *finding* the next
heap entry (as if we were traversing a linked list to get to our
destination), but in allocating (to the nearest 2^N) space for and/or
recording info about every heap entry in every heap list.

 an adjustment to keep the rand collecting scan within reasonable
 bounds is well feasible (no hard upper limit, though, because, ah,
 'granularity' there is the time one (slowest) API call takes, no
 matter how the solution is coded.

It would definitely be easy to constrain the number of heap entries
checked even further, based on time spent in the inner loop, but
doesn't that run into this:

 Oh yeah, to answer one Q in first post: it's not a very smart idea to
 strip out entropy collecting code sections ...

If we limited the inner loop to 1 second as we do the outer loop, we'd
effectively be cutting out (in this case) 79 of the usual 80 bytes of
entropy which, as you say, makes one trepidatious.

RAND_poll appears to gather randomly varying amounts of entropy,
basically what it can grab in a few seconds.  Is there a minimum
effective amount of entropy that is known? The ideal thing is to add
another source of entropy to compensate, but that's not something
that's within my capabilities or time limits right now.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Heap32Next performance awful on 64-bit Win7 (Was: CryptoAPI calls failing in rand_win on Windows 7)

[James Baker]

Punchline: The time taken by a call to Heap32Next on 64-bit Windows-7
SCALES (roughly linearly?) with the number of heap entries in the heap
list.  This seems to be a serious problem that would affect (at least)
most 32-bit-compiled OpenSSL users on 64-bit Win7.

I've cleared my accusation against the CryptoAPI functions - those are
working fine.  The time is taken up by Heap32Next, even though good ==
1 and stoptime is set.  The 1-second constraint on the number of
heaplists walked is ineffective because the time is all spent in the
inner loop, walking the first 80 heap entries in the first heaplist.

By the time I got up to 4 million (2-byte) heap objects in my test
harness, each Heap32Next call was taking multiple seconds.  It is not
the overall size of the heap that counts, but the number of heap
objects.  The performance of each Heap32Next (the 1st versus the 80th)
is roughly the same.  I do not know whether the problem is specific to
only 64-bit Win7 (due to WoW), or whether it applies to all Windows 7
versions.

What then is the fix?  Sure, this may be a Windows problem, but
letting RAND_poll take dozens to hundreds of seconds is obviously not
acceptable.  This problem is sort of related to previous heap walking
is slooow threads on this list dealing with lines ~500-515 in
rand_win.c, but we can no longer get 80 entries from the first list in
anything near 1 second.  What would the cryptographic effect (on the
entropy of the randomness pool) be from cutting the heap traversal
entirely (i.e. cutting 80 bytes of entropy) - is that
cryptographically acceptable?  Is there some alternate way of
traversing large heaps, or some alternate source of entropy we could
turn to?

I have a single cpp repro file with a slightly chopped-down RAND_poll
ripped out of rand_win.c that I could pass on to any OpenSSL
developer/contributor.

Thanks,
James

my debugging output:

stoptime: 851485984
Got heaplist_first.
heap1st 

tickcount: 851624250
Exiting RAND_poll

On Wed, Nov 11, 2009 at 4:50 PM, James Baker j...@j-baker.org wrote:
 It's not the CryptoAPI calls that are taking time - nearly all of the
 time is spent within Heap32Next.  Thus my hypothesis is that
 CryptAcquireContextW or CryptGenRandom is failing, causing 'good' to
 be 0 and the heap traversal to be unbounded.

 I see the entrycnt = 80 constraint on walking the length of each
 heaplist, but there is no bound on the outer while loop calling
 Heap32ListNext?  You say that very first block of heap is retrieved
 when good is 0 - is that because GetTickCount()  stoptime is
 supposed to be a short-circuit when stoptime == 0?  (It's not -
 perhaps I should examine next whether GetTickCount is malfunctioning,
 or returning a signed negative int for comparison)

 The problem does occur with full admin privileges.  I might speculate
 about the effect the WoW layer has on using the Heap32* functions, but
 my investigation so far is focused on why the traversal isn't bounded
 (i.e. the CryptoAPI -- good relationship), as 4 seconds (1 each for
 heap/process/thread/module) would be tolerable.

 I have not yet written a standalone C program that simulates the same
 CryptoAPI call sequence.  If no one on this list can say Yes, the
 RAND_Poll CryptoAPI calls work on Windows-7, this will be my next
 step.

 Thanks,
 James
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Heap32Next performance awful on 64-bit Win7 (Was: CryptoAPI calls failing in rand_win on Windows 7)

[James Baker]

I've confirmed my linear performance conjecture w/r/t heap objects.
Click here to see pretty pictures graphing my results:

http://thenewjamesbaker.blogspot.com/2009/11/performance-of-heap32next-on-64-bit.html

On Thu, Nov 12, 2009 at 11:50 AM, James Baker j...@j-baker.org wrote:
 Punchline: The time taken by a call to Heap32Next on 64-bit Windows-7
 SCALES (roughly linearly?) with the number of heap entries in the heap
 list.  This seems to be a serious problem that would affect (at least)
 most 32-bit-compiled OpenSSL users on 64-bit Win7.

 I've cleared my accusation against the CryptoAPI functions - those are
 working fine.  The time is taken up by Heap32Next, even though good ==
 1 and stoptime is set.  The 1-second constraint on the number of
 heaplists walked is ineffective because the time is all spent in the
 inner loop, walking the first 80 heap entries in the first heaplist.

 By the time I got up to 4 million (2-byte) heap objects in my test
 harness, each Heap32Next call was taking multiple seconds.  It is not
 the overall size of the heap that counts, but the number of heap
 objects.  The performance of each Heap32Next (the 1st versus the 80th)
 is roughly the same.  I do not know whether the problem is specific to
 only 64-bit Win7 (due to WoW), or whether it applies to all Windows 7
 versions.

 What then is the fix?  Sure, this may be a Windows problem, but
 letting RAND_poll take dozens to hundreds of seconds is obviously not
 acceptable.  This problem is sort of related to previous heap walking
 is slooow threads on this list dealing with lines ~500-515 in
 rand_win.c, but we can no longer get 80 entries from the first list in
 anything near 1 second.  What would the cryptographic effect (on the
 entropy of the randomness pool) be from cutting the heap traversal
 entirely (i.e. cutting 80 bytes of entropy) - is that
 cryptographically acceptable?  Is there some alternate way of
 traversing large heaps, or some alternate source of entropy we could
 turn to?

 I have a single cpp repro file with a slightly chopped-down RAND_poll
 ripped out of rand_win.c that I could pass on to any OpenSSL
 developer/contributor.

 Thanks,
 James
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: CryptoAPI calls failing in rand_win on Windows 7

[James Baker]

It's not the CryptoAPI calls that are taking time - nearly all of the
time is spent within Heap32Next.  Thus my hypothesis is that
CryptAcquireContextW or CryptGenRandom is failing, causing 'good' to
be 0 and the heap traversal to be unbounded.

I see the entrycnt = 80 constraint on walking the length of each
heaplist, but there is no bound on the outer while loop calling
Heap32ListNext?  You say that very first block of heap is retrieved
when good is 0 - is that because GetTickCount()  stoptime is
supposed to be a short-circuit when stoptime == 0?  (It's not -
perhaps I should examine next whether GetTickCount is malfunctioning,
or returning a signed negative int for comparison)

The problem does occur with full admin privileges.  I might speculate
about the effect the WoW layer has on using the Heap32* functions, but
my investigation so far is focused on why the traversal isn't bounded
(i.e. the CryptoAPI -- good relationship), as 4 seconds (1 each for
heap/process/thread/module) would be tolerable.

I have not yet written a standalone C program that simulates the same
CryptoAPI call sequence.  If no one on this list can say Yes, the
RAND_Poll CryptoAPI calls work on Windows-7, this will be my next
step.

Thanks,
James

On Sun, Nov 8, 2009 at 6:36 AM, sandeep kiran p sandeepkir...@gmail.com wrote:
RAND_poll runs very quickly with a near-empty heap.
 Do you mean that the calls
 to Heap32First, Heap32Next, Heap32ListFirst, Heap32ListNext are failing? Can
 you check the return values from these calls? (using GetLastError?). In any
 case, the heap traversals are bounded by the 1 sec limit. Even if the
 variable good is 0, the very first block of heap allocated by the current
 process is retrieved. Can you exactly specify which CryptoAPI is taking so
 much time?
 -Sandeep

 On Fri, Nov 6, 2009 at 11:45 AM, James Baker j...@j-baker.org wrote:

 Background:  Testing a Ruby app on 64-bit Windows 7 Ultimate, I found
 that OpenSSL::PKey::RSA.generate() was taking 98 seconds.  Jumping to
 C, sampling showed that the great majority of this time was spent in
 Heap32Next, which led me to the heap list and heap walking section
 of RAND_poll in crypto/rand/rand_win.c

 The heap walking (and thread and module walking) are limited to 1s
 unless the variable good is set, and advapi32.dll is loaded, which
 means that poll the CryptoAPI PRNG using the conjunction of
 CryptAcquireContextW and CryptGenRandom must be failing.

 The 98 seconds comes from walking the contents of the heap after
 loading a Rails environment - RAND_poll runs very quickly with a
 near-empty heap.  Are the crypo-API calls ever expected to fail under
 any Windows platform, or is this the abnormality? I'm not aware of any
 changes in Win7 that would break those calls (though I'm investigating
 whether something permission/security-related is in play here), but
 I'm not aware of much about Win7 in general.  I also don't see any
 Win7-related changes in the OpenSSL changelog - has this platform been
 validated already?

 Thanks,
 James
 __
 OpenSSL Project                                 http://www.openssl.org
 User Support Mailing List                    openssl-us...@openssl.org
 Automated List Manager                           majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RSA Decryption Error

[James Richardson]

Hi,
I'm trying to use the openssl toolkit to decrypt a message that was encryted
using an RSA public key. I have the RSA private key and thus has generated
to the public key. so I have both. The string with the encrytped message is
held in a file called q2.enc:
a7jjYdmTJVFm9Lok2AHKEdBllkG+Lf0IbifXtB87gRExy7PmdyrFs/Cw3jVi5V/RPgNUYehUpxfKcgwWfE2/dg==

I have my private RSA key in file prvt.cey and my public RSA key in
pub.cey.
The command i am trying to use is this: 
openssl rsautl -in q2.enc -inkey prvt.cey -decrypt

However this gives me an error message:
RSA operation error
4384:error:0406506C:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data greater than
mod len:./crypto/rsa/rsa_eay.c:512:

I don't understand how this can be the case. The input is only an 88byte
file. 

Any help would be much appreciated. Thanks in advance ~ Ax
-- 
View this message in context: 
http://www.nabble.com/RSA-Decryption-Error-tp21934088p21934088.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

What is the proper syntax to generate a certificate request.

[Chavez, James R.]

Hello list,
I am trying to imort a .der server cert into my Fedora directory
services certificate store.
I used the openssl utility to create the csr below.

openssl genrsa -des3 -out server.key 4096
openssl req -new  -key c00lsldap.key -out server.csr

I am using certutil to import the cert. 
Certutil -A -d . -n server-cert -t u,u,u -i /tmp/server.der

The cert does import, but the cert shows as having a broken chain. It
also shows as being a CA cert when it is supposed to be a regular server
certificate for ssl communications.
And, it shows as having no Certificate Trust Flags. It should have 
 Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User 

Is there something I am doing wrong?  Did I generate the csr wrong. I
thought surely it was the CA that decides the trust flags.
Any help is appreciated.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by 
the addressee(s) named herein and may contain legally privileged and/or 
confidential information. If you are not the intended recipient of this e-mail 
message, you are hereby notified that any dissemination, distribution or 
copying of this e-mail message, and any attachments thereto, is strictly 
prohibited.  If you have received this e-mail message in error, please 
immediately notify the sender and permanently delete the original and any 
copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT 
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic 
Transactions Act or the applicability of any other law of similar substance and 
effect, absent an express statement to the contrary hereinabove, this e-mail 
message its contents, and any attachments hereto are not intended to represent 
an offer or acceptance to enter into a contract and are not otherwise intended 
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or 
any other person or entity.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Problems with csr and importing certs.

[Chavez, James R.]

Hello list,
I am trying to imort a .der server cert into my Fedora directory
services certificate store.
I used the openssl utility to create the csr below.

openssl genrsa -des3 -out server.key 4096 
openssl req -new  -key server.key -out server.csr

I am using certutil to import the cert. 
Certutil -A -d . -n server-cert -t u,u,u -i /tmp/server.der

The cert does import, but the cert shows as having a broken chain. It
also shows as being a CA cert when it is supposed to be a regular server
certificate for ssl communications.
And, it shows as having no Certificate Trust Flags. It should have
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User 

Is there something I am doing wrong?  Did I generate the csr wrong. I
thought surely it was the CA that decides the trust flags.
Any help is appreciated.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by 
the addressee(s) named herein and may contain legally privileged and/or 
confidential information. If you are not the intended recipient of this e-mail 
message, you are hereby notified that any dissemination, distribution or 
copying of this e-mail message, and any attachments thereto, is strictly 
prohibited.  If you have received this e-mail message in error, please 
immediately notify the sender and permanently delete the original and any 
copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT 
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic 
Transactions Act or the applicability of any other law of similar substance and 
effect, absent an express statement to the contrary hereinabove, this e-mail 
message its contents, and any attachments hereto are not intended to represent 
an offer or acceptance to enter into a contract and are not otherwise intended 
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or 
any other person or entity.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

[no subject]

[James J. O'Shea]

Can anyone tell me what version of OpenSSL works with my environment?

OS: OpenVMS v7.2-1
IP Stack: Multinet v5.0

Thanks,
Jim 
Chicago, IL



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

OWASP Hartford: February 2009 (Open Web Application Security Project)

[James McGovern]

BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:Microsoft CDO for Microsoft Exchange
VERSION:2.0
BEGIN:VTIMEZONE
TZID:(GMT-05.00) Eastern Time (US  Canada)
X-MICROSOFT-CDO-TZID:10
BEGIN:STANDARD
DTSTART:16010101T02
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=11;BYDAY=1SU
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:16010101T02
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=3;BYDAY=2SU
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20081125T200509Z
DTSTART;TZID=(GMT-05.00) Eastern Time (US  Canada):20090210T17
SUMMARY:OWASP Hartford: February 2009 (Open Web Application Security Projec
 t)
UID:04008200E00074C5B7101A82E0086015A2316121C901000
 010008755599A2D01DB488364749052F323A6
ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=TRUE;CN=openssl-u
 s...@openssl.org:MAILTO:openssl-users@openssl.org
ORGANIZER;CN=James McGovern:MAILTO:ja...@architectbook.com
LOCATION:The Hartford\, Tower Building: Atrium Conference Room
DTEND;TZID=(GMT-05.00) Eastern Time (US  Canada):20090210T19
DESCRIPTION:\NThe Open Web Application Security Project (OWASP) is a worldw
 ide free and open community focused on improving the security of applicati
 on software. Our mission is to make application security visible\, so th
 at people and organizations can make informed decisions about application 
 security risks. Everyone is free to participate in OWASP and all of our ma
 terials are available under a free and open software license. \N\NThe agen
 da for this meeting is posted at: http://www.owasp.org/index.php/Hartford\
 N\NTo receive future invites\, please subscribe to our mailing list at: ht
 tps://lists.owasp.org/mailman/listinfo/owasp-hartford\N
SEQUENCE:1
PRIORITY:5
CLASS:Company-Confidential
CREATED:20081212T200509Z
LAST-MODIFIED:20081212T200509Z
STATUS:CONFIRMED
TRANSP:OPAQUE
X-MICROSOFT-CDO-BUSYSTATUS:OOF
X-MICROSOFT-CDO-INSTTYPE:0
X-MICROSOFT-CDO-REPLYTIME:20081201T163100Z
X-MICROSOFT-CDO-INTENDEDSTATUS:OOF
X-MICROSOFT-CDO-ALLDAYEVENT:FALSE
X-MICROSOFT-CDO-IMPORTANCE:1
X-MICROSOFT-CDO-OWNERAPPTID:-1986226216
X-MICROSOFT-CDO-APPT-SEQUENCE:1
X-MICROSOFT-CDO-ATTENDEE-CRITICAL-CHANGE:20081212T174513Z
X-MICROSOFT-CDO-OWNER-CRITICAL-CHANGE:20081125T200509Z
BEGIN:VALARM
ACTION:DISPLAY
DESCRIPTION:REMINDER
TRIGGER;RELATED=START:-P3DT00H00M00S
END:VALARM
END:VEVENT
END:VCALENDAR

Mutual Authentication

[McGovern, James F (HTSC, IT)]

We are running into an issue with an application that is written in PERL
using SOAP:Lite and OpenSSL on Suse where a SOAP request is sent to a
server that requires mutual authentication. On the server side, the
server is throwing a message indicating that it is having a problem with
base64 decoding the certificate. 

We have validated the integrity of the certificates by writing an
application in Java that doesn't use OpenSSL and it works fine. Any
thoughts on how to troubleshoot?

This communication, including attachments, is for the exclusive use of 
addressee and may contain proprietary, confidential and/or privileged 
information.  If you are not the intended recipient, any use, copying, 
disclosure, dissemination or distribution is strictly prohibited.  If you are 
not the intended recipient, please notify the sender immediately by return 
e-mail, delete this communication and destroy all copies.

Re: build error vsc++express 2008 win32 openssl

[James Owen]

Duh. I see now you were showing your path...  Thanks again. 

James
--Original Message--
From: James Owen
To: openssl-users@openssl.org
ReplyTo: [EMAIL PROTECTED]
Subject: Re: build error vsc++express 2008 win32 openssl
Sent: Sep 11, 2008 09:56

That did it... Though the file was in source dir/crypto/perlasm

Thanks a lot!

James
James Owen

-Original Message-
From: Thomas Jansen [EMAIL PROTECTED]

Date: Thu, 11 Sep 2008 13:21:02 
To: openssl-users@openssl.org
Subject: Re: build error vsc++express 2008 win32 openssl


James Owen wrote:




 now I get a new failure only with openssl-0.9.8h:


  Assembling: .\crypto\sha\asm\s1_win32.asm
 .\crypto\sha\asm\s1_win32.asm(13) : error A2008:syntax error : integer
 NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 
 9.0\VC\BIN
 \ml.EXE' : return code '0x1'
 Stop.
http://www.apachelounge.com/forum/viewtopic.php?t=2560

Quote:
For OpenSSL version 0.9.8h ONLY
Edit the file httpd-2.2.9\srclib\openssl\crypto\perlasm\x86ms.pl and 
remove line 273. Line 273 contains the single word $extra. This is a 
known problem with OpenSSL 0.9.8h, and should be fixed in future 
versions. ref: OpenSSL bug 1681, described here and here

Try this advice.
~tj


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


James Owen

Re: build error vsc++express 2008 win32 openssl

[James Owen]

That did it... Though the file was in source dir/crypto/perlasm

Thanks a lot!

James
James Owen

-Original Message-
From: Thomas Jansen [EMAIL PROTECTED]

Date: Thu, 11 Sep 2008 13:21:02 
To: openssl-users@openssl.org
Subject: Re: build error vsc++express 2008 win32 openssl


James Owen wrote:




 now I get a new failure only with openssl-0.9.8h:


  Assembling: .\crypto\sha\asm\s1_win32.asm
 .\crypto\sha\asm\s1_win32.asm(13) : error A2008:syntax error : integer
 NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 
 9.0\VC\BIN
 \ml.EXE' : return code '0x1'
 Stop.
http://www.apachelounge.com/forum/viewtopic.php?t=2560

Quote:
For OpenSSL version 0.9.8h ONLY
Edit the file httpd-2.2.9\srclib\openssl\crypto\perlasm\x86ms.pl and 
remove line 273. Line 273 contains the single word $extra. This is a 
known problem with OpenSSL 0.9.8h, and should be fixed in future 
versions. ref: OpenSSL bug 1681, described here and here

Try this advice.
~tj


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

build error vsc++express 2008 win32 openssl

[James Owen]

I tried building the sources (openssl-0.9.7m, openssl-0.9.8g,  
openssl-0.9.8h) with 2008 express and failed every time with the same  
error.


cl /Fotmp32dll\cversion.obj  -Iinc32 -Itmp32dll /MD /W3 /WX / 
Ox /O2 /Ob2
 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN - 
DL_ENDIAN -
DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE - 
DBN_ASM -DMD5
_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL  - 
DOPENSSL_
BUILD_SHLIBCRYPTO -DMK1MF_BUILD -DMK1MF_PLATFORM_VC_WIN32 -c .\crypto 
\cversion.c


cversion.c
.\crypto\cversion.c(108) : error C2220: warning treated as error - no  
'object' f

ile generated
.\crypto\cversion.c(108) : warning C4129: 'o' : unrecognized character  
escape se

quence
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio  
9.0\VC\BIN

\cl.EXE' : return code '0x2'
Stop.

I was ready to pull out my eyes  and then i spotted the problem.

in the configure line:

C:\Src\openssl-0.9.8gperl Configure VC-WIN32 --prefix=c:\openssl   
failed


C:\Src\openssl-0.9.8gperl Configure VC-WIN32 --prefix=c:/openssl   
works...


even though you might expect to use a backslash on win32 I needed to  
use a forward slash




now I get a new failure only with openssl-0.9.8h:

cl /Fotmp32dll\sha1dgst.obj  -Iinc32 -Itmp32dll /MD /Ox /O2 / 
Ob2 /W3 /WX
 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN - 
DL_ENDIAN -
DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE - 
DOPENSSL_CPUI
D_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM - 
DOPENSSL_BN_ASM_PART_WORDS -DMD5_A
SM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll - 
DOPENSSL_NO_CA
MELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 - 
DOPENSSL_NO_TLSEXT
-DOPENSSL_NO_CMS -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE - 
D_WINDLL  -DOPEN

SSL_BUILD_SHLIBCRYPTO -c .\crypto\sha\sha1dgst.c
sha1dgst.c
ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj .\crypto 
\sha\asm\s1_w

in32.asm
Microsoft (R) Macro Assembler Version 9.00.30729.01
Copyright (C) Microsoft Corporation.  All rights reserved.

 Assembling: .\crypto\sha\asm\s1_win32.asm
.\crypto\sha\asm\s1_win32.asm(13) : error A2008:syntax error : integer
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio  
9.0\VC\BIN

\ml.EXE' : return code '0x1'
Stop.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

MAC

[Main, James J Civ USAF AMC DET 3 AMCAOS/DOHJ]

Is there a driver available for MAC  using ActivClient CAC 6.1?  If so
where is it available.

 

Thanks

 

Jim Main

C-130JMATS Simcert/QA

Detachment 3, AMCAOS

626 Sixth St.

Little Rock AFB AR, 72099

DSN 731-6606Comm. 501-987-6606

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 

 

 

configuring a slave and client failover

[James Hartley]

I have a master and setup replication via syncrepl... It works but now
I would like to set up start_tls on the slave to not only encrypt
traffic during replication but to also to support users that will be
bound to the slave.

Currently my master supports start_tls and ldaps,  client contact the
master to authenticate either by openldap or solaris native client
using tls.

my slave is not setup for start_tls yet.  What I wish to do is use
start_tls and ldaps on both the master and the slave load balance
users against the master and slave and provide for failover if one
of the servers dies.

how do I setup the certificates and configure the clients appropriately.

thanks for any help or examples.

james
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

OpenSSL Porting to VxWorks 6.4 (SH4)

[James Wert]

Hello,

I need to port OpenSSL (0.9.8 or 0.9.7) to VxWorks 6.4 for SH4.  In my 
digging around, I see that people have done a linux-sh4 target, and 
there are some vxworks-ppc ports.  I don't know if I can combine them or 
what...


Can anyone give me some pointers on the best way to get the port 
started?  I have used OpenSSL for awhile, but never tried porting it.


Also, if anyone offers consulting services for porting, please send me 
an email.


Thanks,
Jim
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]