Where can I get the SSL_set_cert_store patch to OpenSSL ?
Where can I get the SSL_set_cert_store patch to OpenSSL ? Larry Strickland Lead Systems Administrator lawrence-strickl...@uiowa.edu University of Iowa Hospitals and Clinics
Re: Problems using openssl through an ffi.
On 7/27/06, Lawrence Oluyede [EMAIL PROTECTED] wrote: I'm trying to use openssl library through a foreign function interface (ctypes in Python) but it seems that: BIO_set_nbio and SSL_CTX_set_options/SSL_set_options are not exported in the dynamic library. Is that a bug ? An implementation decision or what? I tried with 0.9.7 and 0.9.8b and neither of them export those API. Didn't notice it was a macro :-( -- Lawrence http://www.oluyede.org/blog __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Problems using openssl through an ffi.
I'm trying to use openssl library through a foreign function interface (ctypes in Python) but it seems that: BIO_set_nbio and SSL_CTX_set_options/SSL_set_options are not exported in the dynamic library. Is that a bug ? An implementation decision or what? I tried with 0.9.7 and 0.9.8b and neither of them export those API. -- Lawrence http://www.oluyede.org/blog __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
64 bit build problems
Dear OpenSSL: I previously made successful 32-bit build/installs of OpenSSL on four different OS's (linux/sunos/hpux/irix) without problem. Now I'm trying to do 64-bit builds - successful on hpux and linux but make test fails (for different reasons) on both sunos and irix after non-erroneous builds. Tests uneventful 'till the below occurrences. Any guidance most appreciated! $ uname -a SunOS lynx 5.8 Generic_108528-26 sun4u sparc SUNW,Sun-Fire-15000 $ ./Configure solaris64-sparcv9-gcc --openssldir=$OPENSSL_DIR $ make $ make test . error calculating RIPEMD160 on '12345678901234567890123456789012345678901234567890123456789012345678901234567890' got 18a8b851274903cab646e6a9897a829dfaa8180d instead of 9b752e45573d4b39f4dbd3323cab82bf63326bfb *** Error code 1 make: Fatal error: Command failed for target `test_rmd' $ uname -a IRIX64 fry 6.5 07121149 IP27 $ ./Configure irix64-mips4-gcc --openssldir=$OPENSSL_DIR $ make $ make test . 2220 tests passed test a^b%c implementations ../util/shlib_wrap.sh ./exptest *** Termination code 10 (bu21) *** Error code 1 (bu21) -- larry Lawrence L. Rose ATT Labs - Research Florham Park, NJ
irix64 bus error on exptest
Hi all: Hi all: I had no problems with a 32-bit build/test/install of OpenSSL on irix, but today when I tried a 64-bit build I produced a bus error in the midst of make test. Everything was squeaky-clean until this point. I saved all outputs if you require them ... any ideas? Am I linking with a 2-bit lib somewhere? $ ./Configure irix64-mips4-gcc --openssldir=$OPENSSL_DIR $ make clean $ make build $ make test verify BN_GF2m_mod_sqr verify BN_GF2m_mod_inv verify BN_GF2m_mod_div verify BN_GF2m_mod_exp verify BN_GF2m_mod_sqrt verify BN_GF2m_mod_solve_quad 2220 tests passed test a^b%c implementations ../util/shlib_wrap.sh ./exptest *** Termination code 10 (bu21) *** Error code 1 (bu21) -- larry Lawrence L. Rose ATT Labs - Research Florham Park, NJ
Re: Certificate error
Ted: Thanks for the s_server/s_client suggestion. Here is the complete output. The server appears to be ok but not the client??? $ openssl x509 -subject -issuer -dates -noout -in client.pem subject= /C=US/ST=NJ/L=Florham Park/O=ATT Labs - Research/CN=solarium.research.att.com issuer= /C=US/ST=New Jersey/L=Florham Park/O=ATT Research/OU=Project Daytona/CN=Root CA/[EMAIL PROTECTED] notBefore=May 29 13:32:47 2006 GMT notAfter=Aug 27 13:32:47 2006 GMT $ openssl s_client -cert solar_client.pem -CAfile private/root.pem Enter pass phrase for solar_client.pem: CONNECTED(0003) depth=0 /C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com i:/C=US/ST=New Jersey/L=Florham Park/O=ATT Research/OU=Project Daytona/CN=Server CA/[EMAIL PROTECTED] --- Server certificate -BEGIN CERTIFICATE- MIIDITCCAoqgAwIBAgIJAO6mHI2tDrICMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD VQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEVMBMGA1UEBxMMRmxvcmhhbSBQ YXJrMRYwFAYDVQQKFA1BVCZUIFJlc2VhcmNoMRgwFgYDVQQLEw9Qcm9qZWN0IERh eXRvbmExEjAQBgNVBAMTCVNlcnZlciBDQTEmMCQGCSqGSIb3DQEJARYXbGxyb3Nl QHJlc2VhcmNoLmF0dC5jb20wHhcNMDYwNTExMTkzOTE4WhcNMDYwNjEwMTkzOTE4 WjBtMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkoxFTATBgNVBAcTDEZsb3JoYW0g UGFyazEWMBQGA1UEChQNQVQmVCBSZXNlYXJjaDEiMCAGA1UEAxMZc29sYXJpdW0u cmVzZWFyY2guYXR0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnZ6G ABZn1fiZSKm9qKAqgBgUcAc+KGfl5tjYntI8/FDuChb1DfyV4pVe2pFAwW+ygoja 6PysSOgKyv4+gXV30oJlf15t5+lgUZcD5qcDxxB8veXLj0mGHC0Ix5MkIYGUug3o P+li2El3jL8A2X6EX48Tnl/4yfNS6Y4Aylz9CqUCAwEAAaOBjTCBijAJBgNVHRME AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0 ZTAdBgNVHQ4EFgQUWNSJ0NTZ0pQfv9Plw/FQYfCQO1EwHwYDVR0jBBgwFoAUu+EG Tw2pfgNkGn+0R4NXgMIBffgwDwYDVR0RBAgwBoIERlFETjANBgkqhkiG9w0BAQUF AAOBgQAxhA6JbbWbtEWhUOYBcKzY2J+ma9ehlKVyIdgG125mBYENpvgqUCJI5LRq rPaJIiTR4ZPnvGZPmPnyExMc60qDRIVVz0eHS4N8DTMWCWl8UEGdZGgp2nIKRBI+ QYy11KyUTha4DbqkClqoDek8uH6KCBERIJmXbGk3w1t/94QoQw== -END CERTIFICATE- subject=/C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com issuer=/C=US/ST=New Jersey/L=Florham Park/O=ATT Research/OU=Project Daytona/CN=Server CA/[EMAIL PROTECTED] --- No client certificate CA names sent --- SSL handshake has read 1241 bytes and written 282 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 65D362077A58400D5948A09B439192B7CDD4D93659DD16AC66243A77D8327F58 Session-ID-ctx: Master-Key: 015592B02BAFBC6AD70BBBA597B25D5BEA50A78F7A7DCA23A2555B4E46748382C1E11F1FCD28216510AA3923807AB5CD Key-Arg : None Start Time: 1148910284 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- -- larry Lawrence L. Rose 190 Park Avenue Daytona Development Florham Park, NJ 07932 ATT Labs - Research Tel: 793.360.8606 [EMAIL PROTECTED] Cell: 908.463.3155 Bernhard Froehlich wrote: Lawrence Rose wrote: Hi: I setup the four openSSL examples in Viega et al with certs and ran fine until the 30 day certs expired. Now after I cut a new root.pem and sereverCA.pem I cannot pass certificate verification. Where have I gone wrong? I've tried everything these past several days altering the cnf, recutting certs - any help most appreciated! err 19:self signed certificate in certificate chain ** client2.c:69 Error connecting SSL object 1:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894: The most simple explanation would be that you forgot to tell the client to use the new serverCA.pm... If this is not the case I'd need some more information, about how you tried to connect your server. What do you use as a server? Have you tried with "openssl s_server" and "openssl s_client""? If yes, what is the complete output of openssl s_client? Hope it helps, Ted ;)
Re: Certificate error FIXED
Thanks Ted, Suresh, and Marek for your help! I'm back on the merry-go-round again. -- larry Lawrence L. Rose 190 Park Avenue Daytona Development Florham Park, NJ 07932 ATT Labs - Research Tel: 793.360.8606 [EMAIL PROTECTED] Cell: 908.463.3155 Marek Marcola wrote: Hello, $ openssl s_client -cert solar_client.pem -CAfile private/root.pem Enter pass phrase for solar_client.pem: CONNECTED(0003) depth=0 /C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=NJ/L=Florham Park/O=ATT Research/CN=solarium.research.att.com verify error:num=21:unable to verify the first certificate verify return:1 This looks like "incompatible" cert and CA cert certificates. Check that on both sides you have the same root.pem file AND that on both sides application certificates verifies against root.pem. You may check this with command: $ openssl verify -CAfile root.pem cert_to_check.pem Best regards,
Certificate error
Hi: I setup the four openSSL examples in Viega et al with certs and ran fine until the 30 day certs expired. Now after I cut a new root.pem and sereverCA.pem I cannot pass certificate verification. Where have I gone wrong? I've tried everything these past several days altering the cnf, recutting certs - any help most appreciated! err 19:self signed certificate in certificate chain ** client2.c:69 Error connecting SSL object 1:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894: -- larry Lawrence L. Rose 190 Park Avenue Daytona Development Florham Park, NJ 07932 ATT Labs - Research Tel: 793.360.8606 [EMAIL PROTECTED] Cell: 908.463.3155
HP-UX build diagnostic
Hello: I'm trying a new OpenSSL build on an HP-UX Itanium (B.11.23 U ia64) and at the end, just before doing the Certs some unresolved refs are found: ./Configure hpux-ia64-gcc --openssldir=$OPENSSL_DIR threads shared make ... make -f ../Makefile.shared -e \ APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o" \ LIBDEPS=" $LIBRARIES -ldl" \ link_app.${shlib_target} ld: Unsatisfied symbol "AES_cbc_encrypt" in file speed.o ld: Unsatisfied symbol "AES_set_encrypt_key" in file speed.o ld: (Warning) Unsatisfied symbol "AES_set_decrypt_key" in file ../libcrypto.so.0.9.8 1 warnings. 2 errors Any help most appreciated! Thanks. Lawrence L. Rose Daytona Development ATT Labs - Research Florham Park, NJ 973.360.8606 work 908.463.3155 cell
OpenSSL method to determine connected client 'hostname'
This new OpenSSL user cannot determine what function to invoke for my server app to determine the hostname of who just connected to me. I'm not talking about the CommonName in the client license file ... I want the hostname assoc. with my BIO* or SSL* connection. (For the case of multiple clients from connecting from multiple ip's.) Any help most appreciated! -- larry Lawrence L. Rose Daytona Development ATT Labs - Research Florham Park, NJ 973.360.8606 work 908.463.3155 cell
Re: OpenSSL method to determine connected client 'hostname'
Many thanks, Marek! -- larry Lawrence L. Rose 190 Park Avenue Daytona Development Florham Park, NJ 07932 ATT Labs - Research Tel: 793.360.8606 [EMAIL PROTECTED] Cell: 908.463.3155 Marek Marcola wrote: Hello, This new OpenSSL user cannot determine what function to invoke for my server app to determine the hostname of who just connected to me. I'm not talking about the CommonName in the client license file ... I want the hostname assoc. with my BIO* or SSL* connection. (For the case of multiple clients from connecting from multiple ip's.) If you have "established" SSL object: SSL_get_fd(); getpeername(); gethostbyaddr(); Best regards,
Re: Using Unix Domain Sockets?
i do not see why not since you have to listen for a socket connection at some point with common code like the following .. sock = socket(PF_LOCAL,SOCK_STREAM,0); // or you can . sock = socket(PF_UNIX, SOCK_STREAM,0); memset(sin,0,sizeof(sin)); sin.sin_addr.s_addr=INADDR_ANY; sin.sin_family=AF_INET; sin.sin_port=htons(PORT); setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,val,sizeof(val)); if(bind(sock,(struct sockaddr *)sin,sizeof(sin))0) berr_exit(Couldn't bind); listen(sock,5); David Brock wrote: I'm fairly new to openSSL so forgive me if this is a silly question. Is it possible to create a Unix Domain Socket and then attach it to a BIO (using BIO_set_fd)? I have tried to do it (for a server), but I keep getting a failure when I call BIO_do_accept(). Is there something I am missing, or can I only use AF_INET sockets with BIOs? Thanks in advance! -David- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL_read()
Straight from the man pages .. SSL_read() works based on the SSL/TLS records. The data are received in records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a record has been completely received, it can be processed (decryption and check of integrity). Therefore data that was not retrieved at the last call of SSL_read() can still be buffered inside the SSL layer and will be retrieved on the next call to SSL_read(). If num is higher than the number of bytes buffered, SSL_read() will return with the bytes buffered. If no more bytes are in the buffer, SSL_read() will trigger the processing of the next record. Only when the record has been received and processed completely, SSL_read() will return reporting success. At most the contents of the record will be returned. As the size of an SSL/TLS record may exceed the maximum packet size of the underlying transport (e.g. TCP), it may be necessary to read several packets from the transport layer before the record is complete and SSL_read() can succeed. it speaks to what you are inquiring about Edward Chan wrote: I have a question about SSL_read(). Am I correct in my understanding that SSL_read() will not read from the socket as long as there is data in the ssl buffers available for processing? And if there is data in the ssl buffer but it cannot be processed because we don't have a complete record, then I will get an SSL_ERROR_WANT_READ/WRITE, in which case, I need to issue SSL_read() again to read more data from the socket? Thanks, Ed __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL_read()
Normally, you have something like ... while(1) { select() call if (SOCKET is in read mode) { do { SSL_read() call } } if (SOCKET is in write mode) { do { SSL_write() call } } } once you end first loop make sure you close the socket and issue SSL_free(). You will have to find nifty way of ending the read/write operation, though. Yes, you will leave the eventually and also depends on the implementation you choose, threaded, using fork, single threaded, ... LDB Edward Chan wrote: Thanks for your reply. I read that, and I think I understand what it is saying. I'm just trying to get confirmation on my understanding of it. Put in a different way, if I have the following code where I do SSL_read() in a do-while loop, int iBytesRead = 0; do { int ret = SSL_read(ssl, buf, sizeof(buf)); int err = SSL_get_error(ssl, ret); if (err == SSL_ERROR_NONE) { iBytesRead += ret; } else if (err == SSL_ERROR_ZERO_RETURN) { return 0; // ssl connection was closed } else if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) { break; // need more data; break loop and add fd back to poll // and do another SSL_read() when there is more data // available on the socket. } else { return 0; // read failed } } while (SSL_pending(ssl)); // ssl buffer has been completely drained Assuming client is continuously sending me data, will I ever exit this loop? I assume that once the ssl buffer has been emptied, SSL_pending() will return 0 and I break the loop, or the ssl buffer can no longer be processed without more data, in which case I get an SSL_ERROR_WANT_READ/WRITE and break the loop, at which time I will add fd back to poll and wait for more data on the socket (which could be immediate). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, March 28, 2005 4:04 PM To: openssl-users@openssl.org Subject: Re: SSL_read() Straight from the man pages .. SSL_read() works based on the SSL/TLS records. The data are received in records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a record has been completely received, it can be processed (decryption and check of integrity). Therefore data that was not retrieved at the last call of SSL_read() can still be buffered inside the SSL layer and will be retrieved on the next call to SSL_read(). If num is higher than the number of bytes buffered, SSL_read() will return with the bytes buffered. If no more bytes are in the buffer, SSL_read() will trigger the processing of the next record. Only when the record has been received and processed completely, SSL_read() will return reporting success. At most the contents of the record will be returned. As the size of an SSL/TLS record may exceed the maximum packet size of the underlying transport (e.g. TCP), it may be necessary to read several packets from the transport layer before the record is complete and SSL_read() can succeed. it speaks to what you are inquiring about Edward Chan wrote: I have a question about SSL_read(). Am I correct in my understanding that SSL_read() will not read from the socket as long as there is data in the ssl buffers available for processing? And if there is data in the ssl buffer but it cannot be processed because we don't have a complete record, then I will get an SSL_ERROR_WANT_READ/WRITE, in which case, I need to issue SSL_read() again to read more data from the socket? Thanks, Ed __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Rijndael
Where do you hold your IVs for the C program? Are the Java and C programs seperate or are you using JNI? Also, I am not sure if IAIK is an actually optional Provider if you are using JCE, possibly an option using Bouncy Castle You also might try a different padding as well .. The big thing is that where are your IVs being written to and read from ? LDB Manuel Sánchez Cuenca wrote: Hello all, I have to write a C program which decrypts some data encrypted by a java program. The java program is the following: = KeyGenerator key_gen = KeyGenerator.getInstance(Rijndael); SecretKey aes_key = (SecretKey)key_gen.generateKey(); Cipher aes = Cipher.getInstance(Rijndael/CBC/PKCS5Padding, IAIK); aes.init(Cipher.ENCRYPT_MODE, aes_key); byte[] crypted = aes.doFinal(bb.array()); byte[] iv = aes.getIV(); = and the C program: = char byte_aes_key[16]; // the byte array obtained with aes_key.getEncoded() in java char byte_iv[16]; // The iv from the java program EVP_CIPHER_CTX ctx; EVP_DecryptInit(ctx, EVP_aes_128_cbc(), byte_aes_key, byte_iv); int outlen; res = EVP_DecryptUpdate(ctx, decrypted, outlen, encrypted, encryptedlen); = but the decrypted message isn't correct. Can anybody give me any suggestion? Thanks in advance. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Openssl in java
Try the native implementation bundled with Sun else you will have to use some JNI methods ... http://java.sun.com/products/jsse/ LDB [EMAIL PROTECTED] wrote: Hi, I am developing server application in java and client in vc++. How to use openssl from java. Thanks in abvance S.Suresh __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl 0.9.7f test is looking for the wrong libssl.so
I have the same problem ... ./Configure --prefix=/opt shared threads zlib-dynamic --openssldir=/opt/ssl linux-pentium [EMAIL PROTECTED]:/work/Projects/CVS/work-openssl make tests /usr/bin/perl: error while loading shared libraries: /libssl.so: cannot open shared object file: No such file or directory make: *** [rehash.time] Error 127 Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Sun, 7 Nov 2004 05:36:48 -0700, The Doctor [EMAIL PROTECTED] said: doctor The test is looking for /libssl.so . doctor doctor should it not be looking for ../libssl.so ? Please send us a log and tell us what platform and how you configured. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: A little help please!!!
try -L/path/to/crypto/lib in front of -lcrypto LDB Marcos Paraiso wrote: I used the command -- gcc -o test test.c -lcrypto -- and the following message was prompted: C:\MinGW\bin\..\lib\gcc-lib\mingw32\3.2.3\..\..\..\..\mingw32\bin\ld.exe: cannot find -lcrypto This is the structure of MinGW on my HD: C:\MinGW\Bin C:\MinGW\include C:\MinGW\lib C:\MinGW\minGW C:\MinGW\minGW32 I really don´t have a clue about what should I do... Dunceor hmm [EMAIL PROTECTED] wrote: compile with: gcc -o test test.c -lcrypto - Original Message - From: Marcos Paraiso Date: Thu, 9 Sep 2004 15:25:09 -0300 (ART) Subject: A little help please!!! To: [EMAIL PROTECTED] Hi everybody, I just started studying the OpenSSL library and I already have a problem... I´m using minGW and the OpenSSL package from http://www.slproweb.com/products/Win32OpenSSL.html on Windows 2000. I´m having problems when I try to compile a simple application, like the one below: #include openssl/bio.h #include openssl/ssl.h #include openssl/err.h int main(){ SSL_load_error_strings(); ERR_load_BIO_strings(); OpenSSL_add_all_algorithms(); return 1; } I get these error messages: undefined reference to ´SSL_load_error_strings´ undefined reference to ´ERR_load_BIO_strings´ undefined reference to ´OpenSSL_add_all_algorithms´ I´ve been told to use the -llibssl32.a, -llibeay32.a commands, but nothing changed... I use the following command to compile a file: gcc -o test test.c If anyone knows anything about this, P.L.E.A.S.E. help!!! Thanks!!! Yahoo! Acesso Grátis - navegue de graça com conexão de qualidade! __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Yahoo! Acesso Grátis http://br.rd.yahoo.com/mail/taglines/*http://br.acesso.yahoo.com/ - navegue de graça com conexão de qualidade! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: DES-EDE3-CBC
Just type: man enc des-ede3-cbc Three key triple DES EDE in CBC mode des-ede3 Alias for des-ede3-cbc des3 Alias for des-ede3-cbc des-ede3-cfb Three key triple DES EDE CFB mode des-ede3-ofb Three key triple DES EDE in OFB mode [EMAIL PROTECTED] wrote: Does someone know which 3DES algorithms openssl supports? As far as I know there are various possiblites to apply Tripple DES: with 2 keys with 3 keys Encryption Decryption Encryption (EDE) Encryption Encryption Encryption (EEE) thx. Karsten __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: EOFException when connecting to ldap server with jndi
You need to post to http://forum.java.sun.com/index.jsp at the Java Secure Socket Extensions section. Also, the EOFException means your connection closed unexpectedly .. I would lose tls.close(); ctx.close(); LDB mark brophy wrote: Hi all: This is my first post, so please redirect me if I'm in the wrong place. I've been having the same problem for weeks, and I can't seem to get around it. I'm connecting to an openldap server using tls/ssl (openssl), and I'm constantly getting an eofexception around the time of tls READ on the client side, and I can't figure out whether it's ssl or tls that's dying. If anyone has any idea what's going on, I'd really appreciate the input. He's some relevant java output with debugging on: .. setting up default SSLSocketFactory use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImp l class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded keyStore is : /path/to/mycert keyStore type is : jks keyStore provider is : init keystore init keymanager of type SunX509 trustStore is: /path/to/mycert trustStore type is : jks trustStore provider is : init truststore adding as trusted cert: **removed sensitive info here** Algorithm: RSA; Serial number: 0x0 Valid from Mon Mar 17 20:28:46 NST 2003 until Tue Mar 16 20:28:46 NST 2004 init context trigger seeding of SecureRandom done seeding SecureRandom instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryI mpl export control - checking the cipher suites export control - no cached value available... export control - storing legal entry into cache... %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1069503884 bytes = { 7, 48, 141, 114, 165, 47, 223, 142, 90, 51, 199, 37, 149, 8, 3, 229, 3, 181, 2, 201, 24, 205, 74, 133, 18, 50, 70, 121 } Session ID: {} Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH _AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC _SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_ DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SH A, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_ WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WI TH_DES40_CBC_SHA] Compression Methods: { 0 } *** [write] MD5 and SHA1 hashes: len = 73 : 01 00 00 45 03 01 40 BF 56 8C 07 30 8D 72 A5 2F [EMAIL PROTECTED]/ 0010: DF 8E 5A 33 C7 25 95 08 03 E5 03 B5 02 C9 18 CD ..Z3.%.. 0020: 4A 85 12 32 46 79 00 00 1E 00 04 00 05 00 2F 00 J..2Fy/. 0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2. 0040: 03 00 08 00 14 00 11 01 00 . Thread-0, WRITE: TLSv1 Handshake, length = 73 [write] MD5 and SHA1 hashes: len = 98 : 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 9... ... 0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 /..3..2. 0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 [EMAIL PROTECTED] 0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 0040: 00 11 40 BF 56 8C 07 30 8D 72 A5 2F DF 8E 5A 33 [EMAIL PROTECTED]/..Z3 0050: C7 25 95 08 03 E5 03 B5 02 C9 18 CD 4A 85 12 32 .%..J..2 0060: 46 79 Fy Thread-0, WRITE: SSLv2 client hello message, length = 98 Thread-0, received EOFException: error Thread-0, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake Thread-0, SEND TLSv1 ALERT: fatal, description = handshake_failure Thread-0, WRITE: TLSv1 Alert, length = 2 Thread-0, called closeSocket() main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake Problem getting attribute:javax.naming.CommunicationException: simple bind failed: **.ca:389 [Root exception is javax.net.ssl.SSLHandshakeException: Re mote host closed connection during handshake] Also, here's the code: import javax.naming.NamingEnumeration; import javax.naming.Context; import javax.naming.directory.InitialDirContext; import javax.naming.directory.Attributes; import javax.naming.NamingException; import javax.naming.ldap.*; import java.util.Hashtable; import javax.net.ssl.*; import java.security.*; import java.io.IOException; import java.io.EOFException; public class LdapFetchName{ public static void main(String[] args){ try{ Hashtable env = new Hashtable(); System.setProperty(javax.net.debug,all); //System.setProperty(java.protocol.handler.pkgs,javax.net.ssl); String c_truststore = /source/sandbox/mbrophy/munCA/mycert; System.setProperty(javax.net.ssl.trustStore,c_truststore);
Re: OpenSSL with Java?
Yes, the JDK from http://java.sun.com supports SSL. The package is called JSSE. It integrates really well. LDB Elie Lalo wrote: Hi, I know that OpenSSL supports both windows and Unix, and it is used from C and C++ programs. My question is the following: Can we use OpenSSL from Java programs as well ( I am a new OpenSSL user)? I am planning on using OpenSSL on Linux and Windows OS, C++ and Java programs. Thanks Elie Elie Lalo Senior Software Engineer Desktop Technologies Group 1414 Mass Avenue Boxborough, MA 01719 Cisco Systems, Inc. Tel : (978)936-1160 Fax: (978)936-2212 Url : www.cisco.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Using VB to call SSL DLL
Anyone try to use Visual Basic with compiled SSL DLL? Any sample source code available? Need to refer urgently. Thanks and Regards, LAWRENCE LOW -Original Message- From: Jared Clinton [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 17, 2001 3:15 PM To: '[EMAIL PROTECTED]' Subject: RE: How to use OpenSSL in MS-Windows Environment Lawrence, Download the Tar : http://www.openssl.org/source/openssl-0.9.6b.tar.gz Untar this to your local hard disk and follow the instructions in the INSTALL.W32 file. You will need to compile the source so that you can get the program, but the make process is quite straight forward. Jared Clinton. -Original Message- From: lawrence [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 17 October 2001 4:58 PM To: '[EMAIL PROTECTED]' Subject: How to use OpenSSL in MS-Windows Environment I would like to use SSL in my project. However, I don't have any idea how to do it. I have some questions listed below: 1. What is the files that I need to download in order to use OpenSSL in my program? 2. Is there any compiled DLL for MS-Windows? If yes, where can I download the DLL, DLL source code and the documentation? Thanks and Regards, LAWRENCE LOW __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Windows Demo for SSL
Hi, Anyone have windows based SSL Demo program and source code written in C, VB or VC++? I really urgently need it to start my project. I'm really too new to this. Thanks for your help! Lawrence __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Compiled Win32 version
I like to have a copy also. LAWRENCE LOW -Original Message- From: LaDon L Harrison [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 18, 2001 7:06 AM To: [EMAIL PROTECTED] Subject: Compiled Win32 version Hi, I'm trying to use openssl-0.9.6b in conjunction with Win2K/Apache/THe Exchange Project to enable an e-commerce site. Does anyone there have a compiled version of this code I can download? I do not possess the necessaru skills to compile it on my own. Thanks much. LaDon __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Bug in (possibly) BN or (probably) DH routines
Hi: I have been having spurious problems with one of my client server programs. It uses a DH Key exchange to generate a blowfish key and encrypts the data using that key. I believe I have isolated the problem to the minimum of code. I'm attaching the test program, Makefile, and a bash script that runs the program 1000 times. It uses BN_new() and BN_hex2bn() to convert two strings to BIGNUMs, stuffs them into a DH, and then calls DH_generate_key() to generate the private/public key pair. When you run the program 1000 times, somewhere between 3 and 8 times the length of the public key will be 55 bytes instead of 56, as it should be. This breaks my client:-( Once, the key was actually 54 bytes. Am I doing something dopey or is this a bug? -- Lawrence ~ Lawrence MacIntyre Center for Information Infrastructure Technology [EMAIL PROTECTED] http://www.ciit.y12.doe.gov/~lpz 865.574.8696 # $Id: Makefile,v 1.2 2000/10/04 19:25:19 lpz Exp $ # # Changes: #CC = kgcc #for RH 7.0 CC = gcc CFLAGS = -g -Wall COMMONOBJS = INCLUDES = INCLUDEDIRS = -I/usr/local/ssl/include OBJS = dhtst.o LIBDIRS = -L/usr/local/ssl/lib LIBS = -lcrypto RM = rm -f EXES = dhtst TAR = tar ZIP = zip SRCS = Makefile.dhtst dhtst.c dhtstloop.sh all:dhtst dhtst: dhtst.o $(CC) $(CFLAGS) -o dhtst dhtst.o $(COMMONOBJS) $(LIBDIRS) $(LIBS) .PHONY: clean tar zip clean: $(RM) $(OBJS) $(COMMONOBJS) $(EXES) *.tar *.zip tar: $(TAR) czvf openssltst.tgz $(SRCS) zip: $(ZIP) openssltst.zip $(SRCS) dhtst.o:dhtst.c Makefile.dhtst $(CC) $(CFLAGS) -c $(INCLUDEDIRS) dhtst.c dhtstloop.sh #include stdio.h #include string.h #include openssl/bn.h #include openssl/dh.h #include openssl/err.h int main(int argc, char **argv) { int status; DH *a = NULL; char p1[113]; char g[3]; memcpy(p1, "CA9C3CB3E239845076ACC3963634A02F1A5003209B29B1BF317E18A0D2440A630825C0C3E3F7225859629117C7DF2899493C7C49B10F8937", 112); p1[112] = '\0'; memcpy(g, "05", 2); g[2] = '\0'; a = DH_new(); if(a == NULL) { perror("DH_new(a): "); status = ERR_get_error(); goto err; } a-p = BN_new(); if(a-p == NULL) { status = ERR_get_error(); goto err; } status = BN_hex2bn((a-p), p1); if(status != 112) { printf("P is bogus\n"); if(status == 0) { status = ERR_get_error(); goto err; } } a-g = BN_new(); if(a-g == NULL) { status = ERR_get_error(); goto err; } status = BN_hex2bn((a-g), g); if(status != 2) { printf("G is bogus\n"); if(status == 0) { status = ERR_get_error(); goto err; } } if(!DH_generate_key(a)) { perror("DH_generate key: "); status = ERR_get_error(); goto err; } status = BN_num_bytes(a-pub_key); if(status != 56) { printf("local pub key bytes: %d\n", status); } status = 0; err: if(status != 0) { printf("Status: %d\n", status); } return(status); }
Import CRL to Netscape Communicator
I have generated a crl and converted it to DER format by the following commands: openssl ca -gencrl -crldays 30 -out crl.pem openssl crl -in crl.pem -outform DER -out crl.der Then, I tried to import the crl to the Netscape Communicator through my web page. Following is part of my html source code: tr NOSAVE td NOSAVE centera href="crl.der"TESTCA's CRL/a brnbsp; However, this didn't work. I don't know whether this is the right way to generate and import crl or not. Can anyone help me? Regards, Lawrence Wong __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]