Reading random bytes in blocking mode
Hello All,

I am working with OpenSSL 0.9.7i on HPUX. I have a configure script which performs the following operations:

1. Starts the prngd rc script
   # /sbin/init.d/prngd.rc start
2. Creates a self signed certificate
   # /opt/openssl/bin/openssl req -new -x509 -out /opt/openssl/certs/host.pem -keyout /opt/openssl/private/hostkey.pem -nodes -subj /C=US/ST=CA/L=City/O=Company/CN=localhost/[EMAIL PROTECTED] > /tmp/hostcert.out 2>&1

This script executes during system reboot. Sometimes the creation of the self signed certificate fails due to lack of random bytes. This problem does not occur during manual script execution. What can be the reason? Can reading random bytes from prngd in blocking mode solve this problem?

regards,
Prakash
Is shared and static crypto libraries FIPS compliant
Hello All,

Are both the static and shared crypto libraries FIPS compliant?

0.9.7e => The static crypto library is FIPS compliant. The integrity of libcrypto.a is checked using its HMAC-SHA1 fingerprint libcrypto.a.sha1. There is no checking for the shared library libcrypto.so.

0.9.7j-dev => The shared crypto library is FIPS compliant. The integrity of libcrypto.so is checked using the HMAC-SHA1 fingerprint embedded into the library using fips_premain.c. There is no checking for the static library libcrypto.a since libcrypto.sha1 is not generated.

Why is this difference?

Thanks,
Prakash
Reading RSA key fips and non fips mode
Hello All,

I am using the OpenSSL 0.9.7j-fips-dev on HPUX. I built the above version by enabling the fips option. I have a 512 bit rsa key in a file rsakey.pem

# cat rsakey.pem
-----BEGIN RSA PRIVATE KEY-----
[base64 key data omitted]
-----END RSA PRIVATE KEY-----

Case 1
i. I set the OPENSSL_FIPS flag
   # export OPENSSL_FIPS=1
ii. I read the rsakey as
   # openssl rsa -in rsakey.pem
   writing RSA key
   -----BEGIN PRIVATE KEY-----
   [base64 key data omitted]
   -----END PRIVATE KEY-----

This output does not match the one in rsakey.pem

Case 2
i. I unset the OPENSSL_FIPS flag
   # unset OPENSSL_FIPS
ii. I read the rsakey as
   # /opt/openssl/bin/openssl rsa -in rsakey.pem
   writing RSA key
   -----BEGIN RSA PRIVATE KEY-----
   [base64 key data omitted]
   -----END RSA PRIVATE KEY-----

This output matches the one in rsakey.pem

Is reading a rsakey in fips mode different from reading the rsa key in non fips mode?

Thanks,
Prakash
OpenSSL FIPS validation of source files
Hello All,

I am using OpenSSL 0.9.7e with the fips configure option. I edited one of the fips source files and tried to build OpenSSL and I got the error "Your source code does not match the FIPS validated source."

This error can be overcome as follows:

i. Edit the fips source files.
ii. Generate the HMAC fingerprint for the new source file using the following command
    # openssl sha1 -hmac etaonrishdlcupfm file_name.c
    HMAC-SHA1(file_name.c)= b70bbbd675efe0613da0d57055310926a0104d55
iii. Replace this value with the original value in the fingerprint.sha1 file.
iv. Now the product builds successfully with the modified fips source.
v. libcrypto.a and libcrypto.a.sha1 are generated successfully.

Suppose I call this library a fips compliant library (though it is not). How can a user who uses this library ensure that it was built from the FIPS validated sources?

Thanks,
Prakash
OpenSSL FIPS Certification
Hello All,

I came to know that OpenSSL is in its final stage of getting FIPS certification.
http://trends.newsforge.com/trends/06/01/23/0429219.shtml

Congrats to all the developers and contributors from the OpenSource community for making this happen. I have a couple of questions in this regard.

1. Once OpenSSL is FIPS certified, will a new version be released, or can an existing version (e.g. 0.9.7i) be called FIPS certified?
2. Are there any security policy documents that have been published, which contain steps to be followed while creating an application from FIPS certified OpenSSL?

Thanks,
Prakash
Performance increase for rc4
Hello All,

I am working on HP-UX and using OpenSSL 0.9.7i. I used the speed command to measure the performance of the cryptographic algorithms. I compared the results with those of 0.9.7e. For rc4 the performance has increased around 3 times.

0.9.7e : rc4 (16 byte block) : 62718.04k (kb processed per second)
0.9.7i : rc4 (16 byte block) : 185010.57k (kb processed per second)

Can anybody tell me the reason why the performance increases?

Thanks,
Prakash
Re: Building OpenSSL 0.9.89a
Hello Josh,

The problem I suspect is that the AES_cbc_encrypt function is defined in aes_cbc.c, and that is not compiled and added to the libcrypto library. You can either edit the openssl-0.9.8a/Makefile

Line 92:
Before : AES_ASM_OBJ= aes-ia64.o
After  : AES_ASM_OBJ= aes_core.o aes_cbc.o aes-ia64.o

or use the hpux64-ia64-cc (CC compiler) option.

Regards,
Prakash

"Fenlason, Josh" [EMAIL PROTECTED] wrote:
> I'm running into problems building a shared distribution of OpenSSL 0.9.8a on HPUX Itanium. On Solaris I've successfully used the following config:
>
> ./config --openssldir=/opensslSharedDist threads shared
>
> When I try the same config on HPUX Itanium, I get the following error:
>
> Operating system: ia64-hp-hpux1x
> WARNING! 64-bit ABI is the default configured ABI on HP-UXi.
> If you wish to build 32-bit library, the you have to invoke './Configure hpux-ia64-cc' *manually*.
> You have about 5 seconds to press Ctrl-C to abort.
>
> Next I tried the following config, which seemed to work fine:
>
> ./Configure hpux-ia64-gcc --openssldir=/openSSLSharedDist threads shared
>
> Unfortunately, make failed with the following error:
>
> if [ "${shlib_target}" = "darwin-shared" ] ; then \
>   LIBRARIES="../libssl.a ../libcrypto.a" ; \
> else \
>   LIBRARIES="../libssl.a ../libcrypto.a" ; \
> fi; \
> make -f ../Makefile.shared -e \
>   APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o" \
>   LIBDEPS=" $LIBRARIES -ldl" \
>   link_app.${shlib_target}
> make[2]: Entering directory `/home/snow/jfenlason/hp/openssl-0.9.8a/apps'
> ld: Unsatisfied symbol "AES_cbc_encrypt" in file speed.o
> ld: Unsatisfied symbol "AES_set_encrypt_key" in file speed.o
> ld: Unsatisfied symbol "AES_set_decrypt_key" in file ../libcrypto.a[e_aes.o]
> 3 errors.
> collect2: ld returned 1 exit status
> make[2]: *** [link_app.hpux] Error 1
> make[2]: Leaving directory `/home/snow/jfenlason/hp/openssl-0.9.8a/apps'
> make[1]: *** [openssl] Error 2
> make[1]: Leaving directory `/home/snow/jfenlason/hp/openssl-0.9.8a/apps'
> make: *** [build_apps] Error 1
>
> I'm building with gcc 3.3.1 and gnu make 3.79.1. Any thoughts on what is wrong? Thanks in advance.
> Josh.
Re: problem creatin pkcs12 file
Hello Bob,

The problem is that your private key does not match the certificate. Though you specified the password correctly, the key specified using the -inkey option does not match the certificate specified using the -in option. I think you have specified the opposite values for -in and -certfile.

Assuming cacert.pem and cakey.pem are the corresponding certificate and key files, use the following command.

# openssl pkcs12 -export -in cacert.pem -inkey private/cakey.pem -certfile newcert.pem -name "Laser" -out testcert.pem

Thanks,
Prakash

Robert Kwiencien [EMAIL PROTECTED] wrote:
> I try to create the pkcs12 file with:
>
> [EMAIL PROTECTED] CA]$ openssl pkcs12 -export -in newcert.pem -inkey private/cakey.pem -certfile cacert.pem -name "Laser" -out testcert.pem
> Enter pass phrase for private/cakey.pem:
>
> My pass phrase is correct, but then I get:
>
> No certificate matches private key
>
> Can anyone give some advice?
> Bob Kwiencien
CA.pl works in 0.9.7x but fails on 0.9.8
Hello All,

I am using OpenSSL 0.9.8. I created a self signed certificate using

# openssl req -x509 -out cacert.pem -new -keyout cacert.pem -days 365 -nodes -subj /C=US/ST=California/L=Cupertino/O=test/CN=ca

I tried to set up the CA using

# echo "cacert.pem" | perl /opt/openssl/misc/CA.pl -newca

The serial file is not created in the demoCA directory.

0.9.7x:
# cat demoCA/serial
BA1098D6DC316744

0.9.8:
# cat demoCA/serial
cat: Cannot open demoCA/serial: No such file or directory

In order to create the serial file, the lines between the ### marks can be added to the CA.pl file.

Line 105 :
    if ($FILE) {
        cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
        cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
        $RET=$?;
        ###
        if (! -f "${CATOP}/serial" ) {
            system ("$X509 -in ${CATOP}/$CACERT -noout " .
                    "-next_serial -out ${CATOP}/serial");
        }
        ###
    } else {
        print "Making CA certificate \n";
        system ("$REQ -new -keyout " .
                "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
        system ("$CA -create_serial " .
                "-out ${CATOP}/$CACERT $CADAYS -batch " .
                "-keyfile ${CATOP}/private/$CAKEY -selfsign " .
                "-infiles ${CATOP}/$CAREQ ");
        $RET=$?;
    }

One more thing, the CA.sh is very outdated and has a number of bugs. I have filed a bug report and given a patch at
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1209

Please share your suggestions on this.

Thanks,
Prakash
OpenSSL 0.9.8 compatibility
Hello all,

I have a few clarifications regarding OpenSSL 0.9.8's compatibility:

1. Is OpenSSL 0.9.8 compatible with 0.9.7, i.e. will all the existing applications written for 0.9.7 continue to work with 0.9.8 without any source code changes?
2. Does 0.9.8 have all the functionality of 0.9.7?

Your response to these questions will help me choose the appropriate version of OpenSSL.

Thanks,
Prakash
Re: Verify a signed private key pair
Hello Rajeshwar,

Let cacert.pem be your CA certificate, and let ksbcert.pem and ksbkey.pem be your certificate and private/public key pair.

To verify your certificate
# openssl verify -CAfile cacert.pem ksbcert.pem

To verify the consistency of your private key
# openssl rsa -in ksbkey.pem -check

-- Prakash

Rajeshwar Singh Jenwar [EMAIL PROTECTED] wrote:
> Hi,
> How to verify a signed certificate by a CA (.pem) corresponding private key (.pem)? It is just to verify that someone has played with private key or not.
> Thx.
> Rajeshwar Singh
Re: Format of file index.txt database of a CA
Hi,

The index.txt is an ASCII file consisting of four fields, e.g.

V 051213070133Z B3500880020644B6 unknown /C=IN/ST=TamilNadu/O=cbe/CN=test

where:
V - Certificate is Valid (R for revoked certificates)
051213070133Z - Date up to which the certificate is valid
B3500880020644B6 - Serial number of the certificate
/C=IN/ST=TamilNadu/O=cbe/CN=test - Subject of the certificate

Thanks,
Prakash

Marco Klasmeyer [EMAIL PROTECTED] wrote:
> Hello,
> is the format for "index.txt" database file of a CA defined somewhere? I want to run "openssl ocsp" as a small test OCSP responder, which needs this index file as input. For testing purposes I would like to manipulate some lines of this file, but I can't find any documentation about the format?
> By the way, is there a possibility to use a real database instead of this plain ASCII file?
> Thanks in advance,
> Marco
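An added example (not from the thread or the OpenSSL project): a small awk-based reader for the index.txt file discussed above, useful for checking hand-edited lines before feeding them to a test responder. It goes beyond the four fields listed in the reply and assumes the six tab-separated columns that `openssl ca` writes; the function names and sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example: read an OpenSSL CA index.txt and report each entry.
# Assumed layout, six tab-separated columns per line:
#   1 status (V valid, R revoked, E expired)
#   2 expiry date, YYMMDDHHMMSSZ (or YYYYMMDDHHMMSSZ)
#   3 revocation date[,reason], empty unless revoked
#   4 serial number (hex)
#   5 certificate file name, often "unknown"
#   6 subject DN

# Constructed sample data; the first entry uses the values quoted in the thread.
sample_index() {
    printf 'V\t051213070133Z\t\tB3500880020644B6\tunknown\t/C=IN/ST=TamilNadu/O=cbe/CN=test\n'
    printf 'R\t051213070133Z\t050901120000Z,keyCompromise\tB3500880020644B7\tunknown\t/C=IN/ST=TamilNadu/O=cbe/CN=revoked\n'
    printf 'V\t051213070133Z\tB3500880020644B8\tunknown\n'   # malformed: columns missing
}

# parse_index: index.txt on stdin -> "serial|status|expiry|revoked|reason|subject".
# Malformed lines are reported on stderr and make the exit status non-zero.
parse_index() {
    awk -F '\t' '
    # Convert an ASN.1 UTCTime or GeneralizedTime string to ISO 8601, "" if invalid.
    function iso(d,    y, r) {
        if (d !~ /^[0-9]+Z$/) return ""
        if (length(d) == 13) {            # two-digit year: 50-99 is 19xx, 00-49 is 20xx
            y = substr(d, 1, 2) + 0
            y += (y >= 50) ? 1900 : 2000
            r = substr(d, 3, 10)
        } else if (length(d) == 15) {     # four-digit year
            y = substr(d, 1, 4) + 0
            r = substr(d, 5, 10)
        } else {
            return ""
        }
        return sprintf("%04d-%s-%sT%s:%s:%sZ", y, substr(r, 1, 2), substr(r, 3, 2),
                       substr(r, 5, 2), substr(r, 7, 2), substr(r, 9, 2))
    }
    function bad_line(why) {
        printf "line %d: %s\n", NR, why | "cat 1>&2"
        bad = 1
    }
    /^$/ { next }
    {
        if (NF != 6)                { bad_line("expected 6 tab-separated columns"); next }
        if ($1 !~ /^[VRE]$/)        { bad_line("unknown status flag"); next }
        if ($4 !~ /^[0-9A-Fa-f]+$/) { bad_line("serial is not hex"); next }
        if (iso($2) == "")          { bad_line("bad expiry date"); next }
        n = split($3, rev, ",")
        revoked = (n > 0) ? iso(rev[1]) : ""
        reason  = (n > 1) ? rev[2] : ""
        if ($1 == "R" && revoked == "") { bad_line("revoked entry without revocation date"); next }
        printf "%s|%s|%s|%s|%s|%s\n", toupper($4), $1, iso($2), revoked, reason, $6
    }
    END { exit (bad ? 1 : 0) }
    '
}

# cert_status SERIAL FILE: "good", "revoked" or "unknown" for one serial number.
# Mapping V to good and R to revoked is this example's reading of the status column.
cert_status() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    parse_index < "$2" 2>/dev/null | awk -F '|' -v want="$want" '
        ($1 "") == (want "") {      # force string comparison: serials like 1E2 look numeric
            s = ($2 == "R") ? "revoked" : (($2 == "V") ? "good" : "unknown")
            print s; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Demo on the constructed sample.
sample_index | parse_index || echo "some entries were malformed" >&2
```
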
Re: please help me on OCSP
Hi,

The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working

openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:
> Hi,
> Today i was very much excited to see this mailing list on openSSL. I searched several messages and its great to see that people here are helping others. I need your help.
>
> I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl. I have a couple of questions.
>
> 1) I used the following command to send OCSP request and get response from OCSP responder.
>
> openSSL ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>
> When i am executing this command, i am getting response from OCSP responder stating that certificate status is good. (i have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm))
>
> But, in this command what is the purpose of OCSPServer.pem? i still dont understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from OCSP responder irrespective of OCSPServer.pem file. If i give my URL as http://ocsp.verisign.com, how can i get verisign's OCSPServer.pem? Also how can i get latest OCSPServer.pem file for the given URL?
>
> 2) I tested by giving latest user certificates other than openvalidation.org certificates, but i am getting this error
>
> user.pem: WARNING: Status times invalid.
> 3220:error:2707307D:OCSP routines:OCSP_check_validity:statusexpired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
> This Update: Oct 24 06:00:11 2004 GMT
> Next Update: Oct 25 06:00:11 2004 GMT
>
> For this do i need to update my OCSPServer.pem file?
>
> Thank you for your time and consideration. I would be grateful to you if you would help me out as i am spending a lot of time on understanding this. Please help me out.
>
> Thanks,
> vv
Re: Runpath definition missing for libssl.so
Hi,

I would suggest two solutions.

Solution 1: Create a symbolic link in the system directory for libcrypto.so and libssl.so

ln -s /usr/local/openssl-0.9.7g/lib/libcrypto.so /usr/lib/libcrypto.so
ln -s /usr/local/openssl-0.9.7g/lib/libssl.so /usr/lib/libssl.so

Solution 2: Specify an embedded path for the library using the flag -Wl,+b /usr/local/openssl-0.9.7g/lib (not sure for SunCC)

--Prakash

Laurent Blume [EMAIL PROTECTED] wrote:
> Hello all,
>
> I've got a relatively minor problem with OpenSSL linking, it may be a flaw in the configure script, or just me not finding the right option.
>
> Here it is: I want to build OpenSSL with an integrated linker runpath, so I don't need LD_LIBRARY_PATH or crle hacks. Since some OpenSSL binaries depend on the library itself, I built it this way:
>
> ./config --prefix=/usr/local/openssl-0.9.7g shared \
>     -R/usr/local/openssl-0.9.7g/lib
>
> However, it seems it's not using my -R parameter when linking libssl.so:
>
> $ ldd lib/libssl.so
> libcrypto.so.0.9.7 => (file not found)
> libsocket.so.1 => /usr/lib/libsocket.so.1
>
> It does work for the openssl binary, though:
>
> $ ldd bin/openssl
> libssl.so.0.9.7 => /usr/local/openssl-0.9.7g/lib/libssl.so.0.9.7
> libcrypto.so.0.9.7 => /usr/local/openssl-0.9.7g/lib/libcrypto.so.0.9.7
>
> I did a very small hack to my Makefile:
>
> $ diff Makefile.bak Makefile
> 268c268
>  $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
> ---
>  $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto -R/usr/local/openssl-0.9.7g/lib' build-shared; \
>
> And now that works:
>
> $ ldd lib/libssl.so
> libcrypto.so.0.9.7 => /usr/local/openssl-0.9.7g/lib/libcrypto.so.0.9.7
>
> Any idea on what would be the Right Way to do it? Is there another parameter I could give to ./config?
>
> This is on a Solaris 9 box, using SunCC.
>
> Laurent
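Review bot: the replacement line at 268 hardcodes -R/usr/local/openssl-0.9.7g/lib inside SHLIBDEPS, repeating the literal value already given to ./config as --prefix, so the runpath and the install prefix can drift apart on the next version bump. Deriving the runpath from the Makefile's own install prefix variable would keep them in step. Only the SHLIBDIRS=ssl link line is touched, so any other shared object linked through the same rule still gets no runpath and should be checked with ldd as well.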
RE: Automation question
Hi,

While creating self signed certificates and certificate requests, use -subj to specify the subject name and -nodes for not prompting for a password (the private key will not be encrypted).

If you want the password to be encrypted, generate the rsakey using the genrsa command with the -passout option and use this key to generate the certificate.

While signing certificate requests using the ca command, use the -batch option (in this mode no questions will be asked and all certificates will be certified automatically).

Try using the following script.

####
ssl_dir="/usr/local/openssl"
if [ ! -d $ssl_dir ]
then
    echo "OpenSSL not installed in $ssl_dir"
    exit 1
fi
cd $ssl_dir

####
# Set up the CA
####
echo "Create a self signed certificate for the CA"
openssl req -x509 -out $ssl_dir/bin/cacert.pem -new -keyout $ssl_dir/bin/cakey.pem -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=prakash -nodes

echo "Set us the CA using the CA.pl script"
echo "$ssl_dir/bin/cacert.pem" | $ssl_dir/misc/CA.pl -newca

echo "Copy the CA private key to the private directory"
cp $ssl_dir/bin/cakey.pem $ssl_dir/demoCA/private/

####
# Generate Number of Requests
####
echo "Create certificate request for user 1..\n"
openssl req -out cert_req_user1.pem -new -keyout priv_key_user1.pem -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user1 -nodes

echo "Create certificate request for user 2..\n"
openssl req -out cert_req_user2.pem -new -keyout priv_key_user2.pem -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user2 -nodes

####
# Issue Certificate
####
echo "Issue Certificate for the first user"
openssl ca -in cert_req_user1.pem -batch

echo "Issue Certificate for the secon user"
openssl ca -in cert_req_user2.pem -batch
####

regards,
Prakash

Brian DeGeeter [EMAIL PROTECTED] wrote:
> You need to set the cnf so it won't prompt. Here's a little excerpt from a shell script:
>
> cat <<@eof > $CONFFILE
> # openssl x509 extfile params
> extensions = extend
> [req] # openssl req params
> prompt = no
> distinguished_name = dn-param
> [dn-param] # DN fields
> C = US
> ST = WA
> L = Yadda
> O = Yadda
> OU = Chain One
> CN = chain-one.dig.net
> emailAddress = [EMAIL PROTECTED]
> [extend] # openssl extensions
> #subjectKeyIdentifier = hash
> #authorityKeyIdentifier = keyid:always
> #basicConstraints = critical,CA:true
> #keyUsage = keyCertSign,cRLSign
> #nsCertType = sslCA,emailCA,objCA
> #certificatePolicies = ia5org,@policy
> [policy]
> @eof
> echo 01 > $SNUMFILE
> $OPENSSL req -config $CONFFILE \
>     -newkey rsa:2048 -passout pass:yadda -keyout inter.key.pem |
> $OPENSSL x509 -req -sha1 -extfile $CONFFILE \
>     -CAserial $SNUMFILE -days 364 -passin pass:yadda \
>     -CA /root/ssl/file.crt -CAkey /root/ssl/file.key -out inter.cert.pem
>
> -----Original Message-----
> From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of McCann, Brian
> Sent: Tuesday, 23 August, 2005 1:00 PM
> To: openssl-users@openssl.org
> Subject: RE: Automation question
>
> In reply to you both, the PHP part I got down..that's not the problem. It's what to tell openssl to do. I'm trying now to make a cnf file to make a CA without prompting, then to make a certificate req and sign it without prompting...at least now I know I'm in the right direction. Thanks!
> --Brian
>
> -----Original Message-----
> From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of Thomas J. Hruska
> Sent: Tuesday, August 23, 2005 15:59
> To: openssl-users@openssl.org
> Subject: Re: Automation question
>
> Oliver Leitner wrote:
> > McCann, Brian wrote:
> > | Hi all...I'm new to the list and for the most part OpenSSL as well...so sorry if I use the wrong terminology. I've searched the list archives, as well as Google, and cannot figure this out. I'm trying to create a CA certificate, as well as certificates for users using a script (called from a web browser). For the life of me, I cannot figure out how to send the "openssl req" and "openssl ca" command the answers to the questions it needs (O,OU,State,etc) through a text file or stdin...I'm sure this is possible...I just can't find how! Any help would be greatly appreciated!
> > |
> > | Thanks,
> > | --Brian McCann
> >
> > you could use the system(); command from php for one, on the other hand, you may want to try to run some background cgi
> > there's plenty of ways to call commands from a webpage...
> >
> > Greetings
> > Oliver
>
> That didn't answer the OP's question. You should specify what platform you are working under. Under Windows, using stdin to fill in the fields is difficult (if not impossible) because the password field does not use stdin but rather the Console APIs.
>
> Personally, I think there should be a command-line option to define those fields in a
Re: COMP_zlibd don't return a valid method
Hello Ignacio,

You can also use the installed libraries, but make sure that your program uses them.

# gmake install
# gcc test.c -L<OpenSSL Install Directory>/lib -I<OpenSSL Install Directory>/include -lssl -lcrypto -lz -ldl

thanks,
Prakash

Ignacio Butler [EMAIL PROTECTED] wrote:
> thank you, it worked!
> but, why don't use the installed openssl library and i have to put the source directory?
> thanks
> ignacio
>
> On 8/17/05, prakash babu <[EMAIL PROTECTED]> wrote:
> > Hi Ignacio,
> >
> > I think that the problem is that you are not linking the appropriate libraries. Try the following steps
> >
> > # ./config zlib
> > # gmake
> > # gcc test.c -L<OpenSSL Source Directory> -I<OpenSSL Source Directory>/include -lssl -lcrypto -lz -ldl
> > # ./a.out
> > compression name: zlib compression
> >
> > Your Method
> > # gcc test.c -lssl -lcrypto
> > // this will use the crypto and ssl libraries that come with the OS, which are present in the /usr/lib directory, and these may not be built with zlib support
> > # ./a.out
> > compression name: (null)
> >
> > Thanks,
> > Prakash
> >
> > Ignacio Butler <[EMAIL PROTECTED]> wrote:
> > > hi,
> > > well, i'm using Linux, with a 2.4.xx kernel and the 0.9.8 version of the ssl library,
> > > to compile it i do: gcc -o master master.c -lssl -lcrypto -lpthread (same as you do it)
> > > i've compiled the library configurating using "./config zlib"
> > > the library is compiled with this parameter...
> > > thanks prakash,
> > > ignacio
> > >
> > > On 8/16/05, prakash babu wrote:
> > > > Hello Ignacio,
> > > >
> > > > I tried the program you attached and it seems to work fine.
> > > >
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > > #include <openssl/ssl.h>
> > > > #include <openssl/comp.h>
> > > >
> > > > int main()
> > > > {
> > > >     COMP_METHOD *comp_method;
> > > >
> > > >     comp_method = COMP_zlib();
> > > >     if (comp_method != NULL) {
> > > >         printf("compression name: %s\n",
> > > >                (comp_method->name != NULL ? comp_method->name : ""));
> > > >         if (comp_method->type != NID_undef)
> > > >             SSL_COMP_add_compression_method(1, comp_method);
> > > >         else
> > > >             printf("Compression not suported");
> > > >         exit(1);
> > > >     }
> > > > }
> > > >
> > > > # cc test2.c -lcrypto -lssl
> > > > # ./a.out
> > > > compression name: zlib compression
> > > >
> > > > Can you give me more details such as the platform, compilation steps etc?
> > > >
> > > > Thanks,
> > > > Prakash
> > > >
> > > > Ignacio Butler wrote:
> > > > > Hello,
> > > > > first of all, sorry by my english...
> > > > > The problem is, i have started to develop a simple application that uses SSL with compression, but when i try to add the zlib compression method to my server it is impossible
> > > > > the code that i use is:
> > > > >
> > > > > comp_method = COMP_zlib();
> > > > > if (comp_method != NULL) {
> > > > >     printf("compression name: %s\n", (comp_method->name != NULL ? comp_method->name : ""));
> > > > >     if (comp_method->type != NID_undef)
> > > > >         SSL_COMP_add_compression_method(COMP_ZLIB, comp_method);
> > > > >     else
> > > > >         warning2("Compression not suported");
> > > > >     exit(1);
> > > > > }
> > > > >
> > > > > obviously, the output is "Compression not suported"...
> > > > > i recompiled my openSSL library with zlib support and nothing... my openssl version is 0.9.8
> > > > > thank all!
> > > > > ignacio
Re: COMP_zlibd don't return a valid method
Hi Ignacio,

I think that the problem is that you are not linking the appropriate libraries. Try the following steps

# ./config zlib
# gmake
# gcc test.c -L<OpenSSL Source Directory> -I<OpenSSL Source Directory>/include -lssl -lcrypto -lz -ldl
# ./a.out
compression name: zlib compression

Your Method
# gcc test.c -lssl -lcrypto
// this will use the crypto and ssl libraries that come with the OS, which are present in the /usr/lib directory, and these may not be built with zlib support
# ./a.out
compression name: (null)

Thanks,
Prakash

Ignacio Butler [EMAIL PROTECTED] wrote:
> hi,
> well, i'm using Linux, with a 2.4.xx kernel and the 0.9.8 version of the ssl library,
> to compile it i do: gcc -o master master.c -lssl -lcrypto -lpthread (same as you do it)
> i've compiled the library configurating using "./config zlib"
> the library is compiled with this parameter...
> thanks prakash,
> ignacio
>
> On 8/16/05, prakash babu <[EMAIL PROTECTED]> wrote:
> > Hello Ignacio,
> >
> > I tried the program you attached and it seems to work fine.
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <openssl/ssl.h>
> > #include <openssl/comp.h>
> >
> > int main()
> > {
> >     COMP_METHOD *comp_method;
> >
> >     comp_method = COMP_zlib();
> >     if (comp_method != NULL) {
> >         printf("compression name: %s\n",
> >                (comp_method->name != NULL ? comp_method->name : ""));
> >         if (comp_method->type != NID_undef)
> >             SSL_COMP_add_compression_method(1, comp_method);
> >         else
> >             printf("Compression not suported");
> >         exit(1);
> >     }
> > }
> >
> > # cc test2.c -lcrypto -lssl
> > # ./a.out
> > compression name: zlib compression
> >
> > Can you give me more details such as the platform, compilation steps etc?
> >
> > Thanks,
> > Prakash
> >
> > Ignacio Butler <[EMAIL PROTECTED]> wrote:
> > > Hello,
> > > first of all, sorry by my english...
> > > The problem is, i have started to develop a simple application that uses SSL with compression, but when i try to add the zlib compression method to my server it is impossible
> > > the code that i use is:
> > >
> > > comp_method = COMP_zlib();
> > > if (comp_method != NULL) {
> > >     printf("compression name: %s\n", (comp_method->name != NULL ? comp_method->name : ""));
> > >     if (comp_method->type != NID_undef)
> > >         SSL_COMP_add_compression_method(COMP_ZLIB, comp_method);
> > >     else
> > >         warning2("Compression not suported");
> > >     exit(1);
> > > }
> > >
> > > obviously, the output is "Compression not suported"...
> > > i recompiled my openSSL library with zlib support and nothing... my openssl version is 0.9.8
> > > thank all!
> > > ignacio
Re: question about error message: unable to write 'random state'
Hello Dave,

Try setting your environment variable HOME, since the seed file will be written to the file $HOME/.rnd, or set the variable RANDFILE in the openssl.cnf file to an existing location.

Thanks,
Prakash

Dave Peterson [EMAIL PROTECTED] wrote:
> I hope this isn't a repeat of a previous posting, and apologize if it is (I tried posting this question a couple of days ago and think the email may not have actually been sent). Anyway, I'm having trouble using openssl to encrypt email messages, and would greatly appreciate any advice anyone may have. I'm trying to write a PERL CGI script that uses openssl to send an encrypted email. The script is executing the following command, piping the body of the message to the command's standard input:
>
> openssl smime -subject 'subject' -encrypt /path/to/cert.pem > outfile 2>&1
>
> Standard error is redirected to standard output for debugging. The command's output (written to outfile) looks like this:
>
> Subject: subject
> MIME-Version: 1.0
> Content-Disposition: attachment; filename="smime.p7m"
> Content-Type: application/x-pkcs7-mime; name="smime.p7m"
> Content-Transfer-Encoding: [...] to write 'random state'
>
> I was reading some info about the "unable to write 'random state'" message. Apparently this indicates a problem accessing a seeding file for random number generation. The info I am reading says that openssl tries to use /dev/urandom by default, and starting with version 0.9.7, tries /dev/random if /dev/urandom is unavailable.
>
> The web server executing the CGI script is running FreeBSD 4.11-STABLE and the version of openssl installed on the server is 0.9.7d (17 Mar 2004). I wrote a little CGI script that does an "ls -l /dev | grep random" and the result looks like this:
>
> crw-r--r-- 1 root wheel 2, 3 Apr 15 11:11 random
> crw-r--r-- 1 root wheel 2, 4 Apr 15 11:11 urandom
>
> As shown above, both /dev/urandom and /dev/random exist and are world-readable. Therefore I do not know why openssl is printing the error message. Does anyone know why this is happening? Any suggestions on how to solve this problem are greatly appreciated.
>
> When replying, please cc [EMAIL PROTECTED]
>
> Thanks,
> Dave
Re: Odd PRNG behavior between 0.9.7g and 0.9.8
Hello Robert,

I think the problem is with your Pseudo Random Number Generator and not OpenSSL 0.9.8.

i. Check if your system has /dev/random or /dev/urandom.
ii. If /dev/random and /dev/urandom are not present, then make sure prngd is running.
iii. If your answer is yes to question i or ii, then check if the random seed file is created in $HOME/.rnd. If it is not created, set your environment variable $HOME or set the RANDFILE variable in the openssl.cnf to an existing location.

Thanks,
Prakash

Robert Zilbauer [EMAIL PROTECTED] wrote:

Hello. I ran into some odd PRNG related errors after switching from OpenSSL 0.9.7g to 0.9.8 on Solaris 2.7 today. I checked through the archives of this mailing list that I could find and I didn't see an answer in the FAQ, but if there's a place I missed please let me know. I'd happily RTFM.

Compiling 0.9.8 worked perfectly and all of the post-compilation tests went off without a hitch.

When compiling Apache with the latest mod_ssl in place, however, doing a "make certificate" (just to generate a dummy cert) fails with a "PRNG not seeded" error. That was the first clue that something had possibly changed.

Using the old 0.9.7g binary, I can create a key and self-signed cert the way I've been doing it for a while:

    charlie> openssl version
    OpenSSL 0.9.7g 11 Apr 2005
    charlie> openssl genrsa -out filename.key 1024
    Generating RSA private key, 1024 bit long modulus
    .++..++
    e is 65537 (0x10001)
    charlie> openssl req -new -key filename.key -x509 -out filename.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:test
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, YOUR name) []:testtest
    Email Address []:[EMAIL PROTECTED]
    charlie> ls -l filename*
    -rw-r--r-- 1 zilbauer user 1338 Aug 11 16:44 filename.crt
    -rw-r--r-- 1 zilbauer user 887 Aug 11 16:43 filename.key

However, with the new OpenSSL, that process fails.

    charlie> openssl version
    OpenSSL 0.9.8 05 Jul 2005
    charlie> openssl genrsa -out filename.key 1024
    Generating RSA private key, 1024 bit long modulus
    .++...++
    e is 65537 (0x10001)
    charlie> openssl req -new -key filename.key -x509 -out filename.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:test
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, YOUR name) []:testtest
    Email Address []:[EMAIL PROTECTED]
    15574:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
    15574:error:04088003:rsa routines:RSA_setup_blinding:BN lib:rsa_lib.c:407:
    15574:error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal error:rsa_eay.c:364:
    15574:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:

Using a different command line method will result in the generation of the key and the self-signed certificate. Using:

    openssl req -nodes -new -keyout filename.key -x509 -out filename.crt

in OpenSSL 0.9.8 combines my usual two steps into one step and works like a charm. No PRNG errors.

So, nothing's "broken". I'm just curious if this is indeed a change in the OpenSSL command or if I've got something wonky on my system.

Thanks!

--
"Kids today need discipline. It's not a popular word these days: discipline. I know Principal Flutie would have said, 'Kids need understanding. Kids are human beings.' That's the kind of wooly-headed liberal thinking that leads to being eaten." - Principal Snyder, Buffy the Vampire Slayer #9

Re: COMP_zlibd don't return a valid method
Hello Ignacio,

I tried the program you attached and it seems to work fine.

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/ssl.h>
    #include <openssl/comp.h>
    #include <openssl/obj_mac.h>

    int main()
    {
        COMP_METHOD *comp_method;

        comp_method = COMP_zlib();
        if (comp_method != NULL) {
            printf("compression name: %s\n",
                   (comp_method->name != NULL ? comp_method->name : ""));
            /* register zlib under compression id 1 when the method is defined */
            if (comp_method->type != NID_undef)
                SSL_COMP_add_compression_method(1, comp_method);
            else
                printf("Compression not suported");
            exit(1);
        }
    }

    # cc test2.c -lcrypto -lssl
    # ./a.out
    compression name: zlib compression

Can you give me more details such as the platform, compilation steps etc.?

Thanks,
Prakash

Ignacio Butler [EMAIL PROTECTED] wrote:

Hello,

first of all, sorry for my English...

The problem is, I have started to develop a simple application that uses SSL with compression, but when I try to add the zlib compression method to my server it is impossible.

The code that I use is:

    comp_method = COMP_zlib();
    if (comp_method != NULL)
    {
        printf("compression name: %s\n", (comp_method->name != NULL ? comp_method->name : ""));
        if (comp_method->type != NID_undef)
            SSL_COMP_add_compression_method(COMP_ZLIB, comp_method);
        else
            warning2("Compression not suported");
        exit(1);
    }

Obviously, the output is "Compression not suported"...

I recompiled my OpenSSL library with zlib support and nothing...

My openssl version is 0.9.8.

Thanks all!
ignacio

--
when you have no walls, you need no windows

Is this a bug with the -subj option of the req command
Hello All,

I am using OpenSSL 0.9.8.

The -subj option of the req command does not refer to the openssl.cnf file to check the maximum and minimum values of each field.

When creating a self signed certificate using the req command we can specify the X509 name either by using the -subj option or by prompting the user to enter the values.

i. Prompting the user to enter the values

    eg # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -nodes
    Country Name (2 letter code) [AU]:INN
    string is too long, it needs to be less than 2 bytes long

Here the values entered by the user are checked with the minimum and maximum limits of each field specified in the openssl.conf file.

Reason: req_check_len function is called to verify the field length
Flow : make_REQ( ) ---> prompt_info( ) ---> add_DN_object( ) ---> req_check_len()

ii. -subj option

    eg # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj /C=IN/ST=TamilNadu/L=CBE/O=test/CN=test -nodes

Here the values entered by the user are not checked with the minimum and maximum limits of each field specified in the openssl.conf file.

Reason: req_check_len function is not called
Flow : make_REQ( ) ---> build_subject( ) ---> parse_name( ) //req_check_len is not called

Is this a bug?

Suggestion for OpenSSL 0.9.8 : The following code can be added in file apps/apps.c between lines 2135 and 2137 to check the minimum and maximum limits of each field specified in the openssl.conf file.

    2133 BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
    2134 continue;
    2135 }
    //---
    const char *longname;
    char buffer[100];
    char longname_min[256],longname_max[256],*p;
    long n_min,n_max,j;
    long errline;
    int len_buf;
    static CONF *req_conf=NULL;
    char *dn_sect,*value;

    //Get the longname from the NID
    longname=OBJ_nid2ln(nid);

    //Load the default configuration file
    p=make_config_name();
    req_conf=NCONF_new(NULL);
    j=NCONF_load(req_conf, p, &errline);
    if (j == 0)
        {
        BIO_printf(bio_err,"error on line %ld of %s\n",errline,p);
        goto error;
        }

    dn_sect=NCONF_get_string(req_conf,"req","distinguished_name");
    if (dn_sect == NULL)
        {
        BIO_printf(bio_err,"unable to find distinguished_name in config %s\n",p);
        goto error;
        }

    if ((value=NCONF_get_string(req_conf,dn_sect,longname)) == NULL)
        {
        ERR_clear_error();
        value=NULL;
        }

    //Get the min length of the field from config file
    BIO_snprintf(buffer,sizeof buffer,"%s_min",longname);
    if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_min))
        {
        ERR_clear_error();
        n_min = -1;
        }

    //Get the max length of the field from config file
    BIO_snprintf(buffer,sizeof buffer,"%s_max",longname);
    if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_max))
        {
        ERR_clear_error();
        n_max = -1;
        }

    //Compare the length of field against the allowable minimum and maximum
    len_buf=strlen(ne_values[i]);
    if ((n_min > 0) && (len_buf < n_min))
        {
        BIO_printf(bio_err,"%s is too short, it needs to be at least %ld bytes long\n",longname,n_min);
        goto error;
        }
    if ((n_max >= 0) && (len_buf > n_max))
        {
        BIO_printf(bio_err,"%s is too long, it needs to be less than %ld bytes long\n",longname,n_max);
        goto error;
        }
    //---
    2137 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,mval[i]))
    2138 goto error;
    2139 }

Thanks,
Prakash Babu

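The per-field length check discussed in the post above, applied to a -subj style string, as a stand-alone added example (it is not the poster's patch and not OpenSSL code). The section text is a constructed sample, the short-name table is a hypothetical stand-in for the NID lookup, and check_subject and conf_number are names invented here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a distinguished_name section (not read from a real openssl.cnf). */
static const char *SAMPLE_DN_SECTION =
    "countryName = Country Name (2 letter code)\n"
    "countryName_min = 2\n"
    "countryName_max = 2\n"
    "commonName = Common Name (eg, YOUR name)\n"
    "commonName_max = 64\n";

/* Hypothetical stand-in for the short name -> NID -> long name lookup. */
static const struct { const char *sn, *ln; } NAMES[] = {
    {"C", "countryName"}, {"ST", "stateOrProvinceName"}, {"L", "localityName"},
    {"O", "organizationName"}, {"OU", "organizationalUnitName"}, {"CN", "commonName"},
};

enum { SUBJ_OK = 0, SUBJ_TOO_SHORT, SUBJ_TOO_LONG, SUBJ_MALFORMED };

static const char *long_name(const char *sn)
{
    for (size_t i = 0; i < sizeof NAMES / sizeof NAMES[0]; i++)
        if (strcmp(NAMES[i].sn, sn) == 0)
            return NAMES[i].ln;
    return NULL;
}

/* Return the number stored under "key = N" in the section text, or -1 if the key is absent. */
static long conf_number(const char *section, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = section; line && *line; ) {
        if (strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (*p == ' ' || *p == '\t')
                p++;
            if (*p == '=')
                return strtol(p + 1, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/*
 * Check every field of a "/type=value/type=value" subject against the
 * <longname>_min and <longname>_max limits. Escapes and multi-valued RDNs
 * are not handled, and unknown attribute names are rejected. On a length
 * failure the offending long name is copied into bad.
 */
int check_subject(const char *subj, const char *section, char *bad, size_t badlen)
{
    char copy[256], key[64];

    if (subj[0] != '/' || strlen(subj) >= sizeof copy)
        return SUBJ_MALFORMED;
    strcpy(copy, subj + 1);
    for (char *tok = strtok(copy, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        char *eq = strchr(tok, '=');
        const char *ln;
        long n_min, n_max, len;

        if (eq == NULL)
            return SUBJ_MALFORMED;
        *eq = '\0';
        if ((ln = long_name(tok)) == NULL)
            return SUBJ_MALFORMED;
        snprintf(key, sizeof key, "%s_min", ln);
        n_min = conf_number(section, key);
        snprintf(key, sizeof key, "%s_max", ln);
        n_max = conf_number(section, key);
        len = (long)strlen(eq + 1);

        /* Same comparisons as in the post; -1 means no limit is configured. */
        if (n_min > 0 && len < n_min) {
            snprintf(bad, badlen, "%s", ln);
            return SUBJ_TOO_SHORT;
        }
        if (n_max >= 0 && len > n_max) {
            snprintf(bad, badlen, "%s", ln);
            return SUBJ_TOO_LONG;
        }
    }
    return SUBJ_OK;
}

int main(void)
{
    char bad[64] = "";
    const char *too_long = "/C=INN/CN=test"; /* the "INN" country value from the post */

    printf("%s -> %d (%s)\n", too_long,
           check_subject(too_long, SAMPLE_DN_SECTION, bad, sizeof bad), bad);
    return 0;
}
```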
Re: Problem loading engine module libgmp.so
Hello Nils,

The configure option you suggested works fine for Linux. For HPUX it did not work. It worked only after adding -DENGINE_DYNAMIC_SUPPORT to the configure option.

Thanks,
Prakash

Nils Larsch [EMAIL PROTECTED] wrote:

prakash babu wrote:

Hello All,

I am using OpenSSL version 0.9.8 beta. I built this version successfully in HPUX. While using the engine command I am able to load all the engines except libgmp.so

1.
    openssl engine - dynamic -pre SO_PATH:/usr/lib/engines/lib4758_cca.so -pre LOAD
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib//engines/lib4758_cca.so
    [Success]: LOAD
    Loaded: (4758cca) IBM 4758 CCA hardware engine support
    SO_PATH: Specifies the path to the '4758cca' shared library
    (input flags): STRING

2. While loading the libgmp.so I get the following error

    # openssl engine - dynamic -pre SO_PATH:/usr/lib/engines/gmp.so -pre LOAD
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/libgmp.so
    [Failure]: LOAD
    3562:error:2506806A:DSO support routines:DL_BIND_FUNC:could not bind to the requested symbol name:dso_dl.c:235:symname(bind_engine): Error 0
    3562:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:dso_lib.c:294:
    3562:error:260B6068:engine routines:DYNAMIC_LOAD:DSO failure:eng_dyn.c:462:

The libgmp.so does not have the symbol bind_engine, whereas all the other libraries have that symbol.

Note : I have included the options -DOPENSSL_USE_GMP -lgmp while configuring OpenSSL.

hmm, works for me. I used

    ./config --prefix=/home/nils/ enable-gmp -DOPENSSL_USE_GMP -lgmp shared

as the configure command.

Nils

Problem loading engine module libgmp.so
Hello All,

I am using OpenSSL version 0.9.8 beta. I built this version successfully in HPUX. While using the engine command I am able to load all the engines except libgmp.so

1.
    openssl engine - dynamic -pre SO_PATH:/usr/lib/engines/lib4758_cca.so -pre LOAD
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib//engines/lib4758_cca.so
    [Success]: LOAD
    Loaded: (4758cca) IBM 4758 CCA hardware engine support
    SO_PATH: Specifies the path to the '4758cca' shared library
    (input flags): STRING

2. While loading the libgmp.so I get the following error

    # openssl engine - dynamic -pre SO_PATH:/usr/lib/engines/gmp.so -pre LOAD
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/libgmp.so
    [Failure]: LOAD
    3562:error:2506806A:DSO support routines:DL_BIND_FUNC:could not bind to the requested symbol name:dso_dl.c:235:symname(bind_engine): Error 0
    3562:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:dso_lib.c:294:
    3562:error:260B6068:engine routines:DYNAMIC_LOAD:DSO failure:eng_dyn.c:462:

The libgmp.so does not have the symbol bind_engine, whereas all the other libraries have that symbol.

Note : I have included the options -DOPENSSL_USE_GMP -lgmp while configuring OpenSSL.

Any suggestion would be helpful.

Thanks,
Prakash

Unreachable codes in OpenSSL 0.9.7f
Hello All,

I find some unreachable codes in OpenSSL 0.9.7f. Their details are as follows.

File Name    Line No   Code Snippet
pk7_lib.c    187       break; p7->d.signed_and_enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break;
evp_pkey.c   209       EVP_PKEY_free(pkey); return NULL; break;
evp_pkey.c   291       p8->broken = PKCS8_OK; return p8; break;
evp_pkey.c   297       p8->pkey->type = V_ASN1_SEQUENCE; return p8; break;
evp_pkey.c   302       EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE); return NULL; break;
tasn_enc.c   125       return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); break;
tasn_enc.c   458       return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL); break;
tasn_enc.c   468       return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL); break;
tasn_dec.c   167       return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx); break;
evp_enc.c    250       default: return 0; break;
p12_kiss.c   289       return parse_bags(bag->value.safes, pass, passlen, pkey, cert, ca, keyid, keymatch); break;
p12_kiss.c   293       default: return 1; break;
s3_lib.c     1228      { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break;
s3_lib.c     1264      { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break;
s3_lib.c     1367      { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break;
s3_lib.c     1400      { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break;
pkcs12.c     838       BIO_printf (bio_err, "\n"); return 1; break;

Thanks,
Prakash

Prompt for pass phrases when appropriate for PKCS12 input format
Hello All,

In the change log of OpenSSL 0.9.7f I see the following line:

    Prompt for pass phrases when appropriate for PKCS12 input format

Can someone explain what it exactly means? Is there any test that I can run in order to see the difference between OpenSSL 0.9.7e and OpenSSL 0.9.7f?

Thanks,
Prakash

Zeroes padded with the decimal encoding of a big number
Hello All,

i. The following program prints the hexadecimal and decimal encoding of a big number

    #include <stdio.h>
    #include <openssl/bn.h>
    #include <openssl/crypto.h>
    #include <openssl/rsa.h>

    int main()
    {
        RSA *public;
        unsigned int bits, len;
        char *buf, *uu;
        unsigned char *blob;

        /* generate a 1024-bit key with public exponent 35 */
        public = RSA_generate_key(1024, 35, NULL, NULL);
        /* decimal encoding of the prime p */
        buf = BN_bn2dec(public->p);
        printf(" %s\n\n\n", buf);
        OPENSSL_free(buf);
        return 0;
    }

ii. I am working on an IPF (Itanium Processor Family) HPUX machine.

iii. Using the configure option hpux-ia64-cc would be the appropriate configure option while building OpenSSL on this platform.

iv. But when I run the above program using libcrypto built using the hpux-ia64-cc configure option I get the following output

    11802285201956016660343580261586973900011464653032568359250
    09756643390285562550301395876489

Note : consecutive zeroes are padded in between the values

v. But when I run the above program using libcrypto built using the hpux-cc configure option I get the correct output as shown below.

    118382378347801240286276628367033231341809881244945669022666053107124660030841713319834690848920139
    9696675874196822730489605584601813591627576050450163

vi. The main difference between these two configure options is the definition of SIXTY_FOUR_BIT in hpux-ia64-cc and THIRTY_TWO_BIT in hpux-cc.

Note : In /usr/include/openssl/bn.h these two macros are defined as below.

SIXTY_FOUR_BIT

    #undef BN_LLONG
    #undef BN_ULLONG
    #define BN_ULONG unsigned long long
    #define BN_LONG long long
    #define BN_BITS 128
    #define BN_BYTES 8
    #define BN_BITS2 64
    #define BN_BITS4 32
    #define BN_MASK2 (0xLL)
    #define BN_MASK2l (0xL)
    #define BN_MASK2h (0xLL)
    #define BN_MASK2h1 (0x8000LL)
    #define BN_TBIT (0x8000LL)
    #define BN_DEC_CONV (1000ULL)
    #define BN_DEC_FMT1 "%llu"
    #define BN_DEC_FMT2 "%019llu"
    #define BN_DEC_NUM 19

THIRTY_TWO_BIT

    #define BN_ULLONG unsigned long long
    #define BN_ULONG unsigned long
    #define BN_LONG long
    #define BN_BITS 64
    #define BN_BYTES 4
    #define BN_BITS2 32
    #define BN_BITS4 16
    #define BN_MASK (0xLL)
    #define BN_MASK2 (0xL)
    #define BN_MASK2l (0x)
    #define BN_MASK2h1 (0x8000L)
    #define BN_MASK2h (0xL)
    #define BN_TBIT (0x8000L)
    #define BN_DEC_CONV (10L)
    #define BN_DEC_FMT1 "%lu"
    #define BN_DEC_FMT2 "%09lu"
    #define BN_DEC_NUM 9

What may be the reason for the padding of zeroes when I use the hpux-ia64-cc option?

Thanks,
Prakash

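How a chunked decimal conversion driven by macros like the BN_DEC_* set quoted in the post works, as a stand-alone added example (not part of the original post and not OpenSSL's code): the number is split into chunks of BN_DEC_NUM digits, the leading chunk is printed unpadded and every later chunk zero-padded, so a small inner chunk legitimately shows up as a run of zeros. The toy 32-bit-word big number, the name words_to_dec and the input value are constructed here, and DEC_CONV = 10^9 is assumed from BN_DEC_NUM 9 and "%09lu".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEC_CONV  1000000000UL /* assumed 10^9: one chunk holds DEC_NUM decimal digits */
#define DEC_NUM   9            /* BN_DEC_NUM for THIRTY_TWO_BIT, from the post */
#define MAX_WORDS 8            /* size limit of this toy big number */

/* Divide the little-endian array of 32-bit words in place by w; return the remainder. */
static uint32_t div_word(uint32_t *a, int n, uint32_t w)
{
    uint64_t rem = 0;
    for (int i = n - 1; i >= 0; i--) {
        uint64_t cur = (rem << 32) | a[i];
        a[i] = (uint32_t)(cur / w);
        rem = cur % w;
    }
    return (uint32_t)rem;
}

static int is_zero(const uint32_t *a, int n)
{
    for (int i = 0; i < n; i++)
        if (a[i] != 0)
            return 0;
    return 1;
}

/*
 * Write the decimal form of words[0..n-1] (least significant word first) to out.
 * pad_inner = 1: chunks after the first are zero-padded to DEC_NUM digits ("%09lu").
 * pad_inner = 0: every chunk is printed with "%lu", which silently drops digits.
 * Returns the string length, or -1 if the input or the buffer does not fit.
 */
int words_to_dec(const uint32_t *words, int n, int pad_inner, char *out, size_t outlen)
{
    uint32_t tmp[MAX_WORDS], chunks[2 * MAX_WORDS];
    int nchunks = 0;
    size_t pos = 0;

    if (n < 1 || n > MAX_WORDS)
        return -1;
    memcpy(tmp, words, (size_t)n * sizeof tmp[0]);

    /* Peel off base-10^9 digits, least significant first. */
    do {
        chunks[nchunks++] = div_word(tmp, n, DEC_CONV);
    } while (!is_zero(tmp, n));

    /* Print the most significant chunk first; only that one may be unpadded. */
    for (int i = nchunks - 1; i >= 0; i--) {
        int w;
        if (i == nchunks - 1 || !pad_inner)
            w = snprintf(out + pos, outlen - pos, "%lu", (unsigned long)chunks[i]);
        else
            w = snprintf(out + pos, outlen - pos, "%0*lu", DEC_NUM, (unsigned long)chunks[i]);
        if (w < 0 || (size_t)w >= outlen - pos)
            return -1;
        pos += (size_t)w;
    }
    return (int)pos;
}

int main(void)
{
    /* Constructed input: 10^18 + 5 = 0x0DE0B6B3A7640005, chunks 1 | 0 | 5. */
    const uint32_t v[2] = { 0xA7640005u, 0x0DE0B6B3u };
    char buf[128];

    words_to_dec(v, 2, 1, buf, sizeof buf);
    printf("padded:   %s\n", buf);
    words_to_dec(v, 2, 0, buf, sizeof buf);
    printf("unpadded: %s\n", buf);
    return 0;
}
```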
RSA Key verification failure
Hello All,

I am working on an IPF (Itanium Processor Family) HPUX machine. Using the configure option hpux-ia64-cc would be the appropriate configure option while building OpenSSL on this platform. But I have problems with OpenSSH authentication when I use this option. OpenSSH uses libcrypto of OpenSSL to generate the RSA key pair.

Scenario 1 - SSH built using OpenSSL configured with hpux-ia64-cc

i. Generate RSA key pair

    #/usr/bin/ssh-keygen -t rsa1

ii. View the public key

    #cat //.ssh/identity.pub
    1024 35 132930209076564001780747579042635122330299057445902509467023000
    00349019205201074514728005030360980059713439703168643901029
    101753840270447636402448290262026362746390202877148500919047739 [EMAIL PROTECTED]

iii. Run the sshd daemon

    #/opt/ssh_hpux-cc/sbin/sshd -o'protocol 1' -ddd -e

iv. Run the client

    #/opt/ssh_hpux-cc/bin/ssh -1 -l root -o 'PreferredAuthentications="pubkey"' localhost -vvv

The sshd daemon rejects this key; as a result the client authentication fails.

The compiler options for hpux-ia64-cc:

    "hpux-ia64-cc","cc:-Ae +DD32 +O1 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

Scenario 2 - SSH built using OpenSSL configured with hpux-cc

i. Generate RSA key pair

    #/usr/bin/ssh-keygen -t rsa1

ii. View the public key

    #cat //.ssh/identity.pub
    1024 35 1437122910944460067534870792490584153638875494206294171941680796472959390850506068660764130660092003114
    6511827709926115182557164733137352007577919492698063416540177245308126918665480672846829658795559358482
    1448512729384759808648867203588282392206887007723304276717097798871889974434155451797730883704857498211 [EMAIL PROTECTED]

iii. Run the sshd daemon

    #/opt/ssh_hpux-cc/sbin/sshd -o'protocol 1' -ddd -e

iv. Run the client

    #/opt/ssh_hpux-cc/bin/ssh -1 -l root -o 'PreferredAuthentications="pubkey"' localhost -vvv

The sshd daemon accepts this key; as a result the client authentication passes.

The compiler options for hpux-cc are as follows:

    "hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O1 -z::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

My analysis of the problem so far:

1. The problem occurs during the creation of n in the public key part of the RSA key, n = p*q (where p and q are prime big numbers).

2. The value of dmax in the bignumber structure indicates the size of the big number.

3. The following function returns the value of dmax

    #define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)? (a):bn_expand2((a),(bits)/BN_BITS2+1))

In this macro dmax is calculated as (bits)/BN_BITS2+1

    OpenSSL configure option is hpux-cc:      dmax = (512)/32 + 1 = 17
    OpenSSL configure option is hpux-ia64-cc: dmax = (512)/64 + 1 = 9

Does this change in the value of dmax cause the variation in the public key?

4. The compiler options SIXTY_FOUR_BIT and asm/ia64-cpp.o in hpux-ia64-cc cause this problem. When SIXTY_FOUR_BIT is replaced by BN_LLONG and the asm/ia64-cpp.o option is removed, then the hpux-ia64-cc configure option works fine.

Please correct me if I am wrong.

Thanks,
Prakash

Doubt on OpenSSL FIPS Compliance
Hello All,
i. OpenSSL 0.9.7e supports FIPS-140.
ii. OpenSSL contains the FIPS 140 specific cryptographic API and algorithm implementations only for low level algorithms (RSA, AES, 3DES, DSA, SHA-1) in the fips subdirectory.
iii. When we build OpenSSL with FIPS support, the FIPS implementations of the above algorithms and the normal implementations for the other algorithms are added to the crypto library.
My question is: can we call this crypto library FIPS compliant, (or) should we disable the unsupported algorithms using no-CIPHER to call it FIPS compliant?
Thanks,
Prakash
FIPS enabled OpenSSL
Hello all,
1. When we enable fips in our configure option, will only the FIPS supported algorithms (like aes, des, dh, dsa, rsa, sha1) get added to the crypto library, or will all ciphers get added to the crypto library?
2. If the answer to question 1 is YES, is there any option by which I can build the crypto library with only the FIPS supported algorithms, or do I have to use the no-CIPHER option to manually disable the unsupported algorithms?
Thanks,
Prakash
CRL Signature verification
Hello All,
The following is a snippet from the code that creates a CRL.

    for (i=0; i<sk_num(db->db->data); i++)
        {
        pp=(char **)sk_value(db->db->data,i);
        /* Check if the first field is 'R', i.e. revoked. If so, add the
           entry to the CRL using the X509_REVOKED structure */
        if (pp[DB_type][0] == DB_TYPE_REV)
            {
            char *tmp,*p,*str;
            r=X509_REVOKED_new();
            rtime_str = pp[DB_rev_date];
            revDate = ASN1_UTCTIME_new();
            ASN1_UTCTIME_set_string(revDate,rtime_str);
            /* Set the revocation date in the X509_REVOKED structure */
            X509_REVOKED_set_revocationDate(r,revDate);
            BN_hex2bn(&serial, pp[DB_serial]);
            tmpser = BN_to_ASN1_INTEGER(serial, NULL);
            /* Set the serial number in the X509_REVOKED structure */
            X509_REVOKED_set_serialNumber(r, tmpser);
            X509_CRL_add0_revoked(crl,r);
            }
        }
    /* Sort the CRL */
    X509_CRL_sort(crl);
    /* Sign the CRL */
    X509_CRL_sign(crl,pkey,EVP_md5());

The CRL is sorted before creating the CRL signature. So the signature is that of the sorted CRL.
Why do we need the original order for CRL signature verification?
Thanks,
Prakash
SSL server for CRL verification
Hello all,
I run an SSL server that does CRL verification for the client certificates.

    Load CRL and CA file                     //X509_LOOKUP_load_file();
    for(; ;)
    {
        Accept client connections            //SSL_accept ();
        Request client certificate           //SSL_CTX_set_verify()
        Do client certificate CRL verification
    }

Once my server starts running, if my CRL gets updated in the meantime, is there a way I can load the updated CRL without restarting the server?
Thanks,
Prakash
CRL Race condition few more doubts
Hello Steve,
Thanks for your reply but a few doubts still exist,
1. Suppose we request for the revocation status of many certificates in a single request eg (openssl verify -crl_check -CAfile demoCA/crl/chain cert1 cert2 cert3 .) threads are created for each request. So during the first certificate verification the revoked list is sorted. During this time all the remaining threads must not interfere with the sorting process, so we are locking the CRL structure inside the sorting function. Am I right ?
Only if the application is multithreaded. The openssl verify utility isn't
1. Can we improve the CRL lookup performance by implementing threading in the OpenSSL verify utility?
2. Are there any applications available with thread support for verifying CRL ?
3. In a multithreaded application we perform the lock so that when one thread sorts the CRL, the other threads do not interfere with this sorting process. Am I right ?
2. Suppose we request for the revocation status of many certificates in a single request eg. (openssl verify -crl_check -CAfile demoCA/crl/chain cert1 cert2 cert3 .) Do we have to verify the CRL signature for each certificate (or) is it enough to verify the CRL signature only once?
The current verify function will verify the signature each time, the cached encoding will make this quicker than before though.
Is the CRL signature verification necessary for every certificate or can we limit it to just a single CRL signature verification?
4. Is the ASN1_ENCODING enc element added to the X509_crl_info_st structure used for caching the original CRL encoded list for verification ?
Well it stores the original encoding of the signed portion of the CRL which is effectively the same thing.
So the encoding we cache is a replica of the original encoded CRL list or just the signed portion ?
Thanks,
Prakash
CRL Race condition clarification
Hello Steve,
Thanks for your explanation. It was very informative.
In OpenSSL 0.9.7e while doing the CRL checking, the following steps are performed:
a. Caching the original CRL list into cache
b. Sorting the CRL list.
c. Searching the given certificate in the sorted CRL list.
d. Verify the signature using the original CRL list from cache.
Please clarify the following doubts.
1. Suppose we request for the revocation status of many certificates in a single request eg (openssl verify -crl_check -CAfile demoCA/crl/chain cert1 cert2 cert3 ) threads are created for each request. So during the first certificate verification the revoked list is sorted. During this time all the remaining threads must not interfere with the sorting process, so we are locking the CRL structure inside the sorting function. Am I right ?
2. Suppose we request for the revocation status of many certificates in a single request eg. (openssl verify -crl_check -CAfile demoCA/crl/chain cert1 cert2 cert3 ) Do we have to verify the CRL signature for each certificate (or) is it enough to verify the CRL signature only once?
3. We use quick sort and binary search for sorting and searching respectively. Can we go for a hashing algorithm (or) indexed search algorithms which do not need any sorting ?
4. Is the ASN1_ENCODING enc element added to the X509_crl_info_st structure used for caching the original CRL encoded list for verification ?
Thanks,
Prakash
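Steps a to d above, and the earlier question about why verification needs the original order, shown as an added sketch that is not OpenSSL code and not part of the original posts. A toy byte encoding stands in for DER, HMAC-SHA256 stands in for the CA signature, the CRL is assumed to arrive with unsorted entries, and all names are hypothetical.

```python
import bisect
import hashlib
import hmac

CA_KEY = b"constructed demo key"  # assumption: stands in for the CA signing key


def encode(serials):
    """Toy stand-in for DER: 2-byte count, then 8 bytes per serial, in list order."""
    return len(serials).to_bytes(2, "big") + b"".join(
        s.to_bytes(8, "big") for s in serials)


def sign(tbs):
    """HMAC-SHA256 stands in for the CA's signature over the encoded bytes."""
    return hmac.new(CA_KEY, tbs, hashlib.sha256).digest()


class Crl:
    def __init__(self, tbs, signature):
        self.cached_tbs = tbs  # step a: keep the encoding exactly as received
        count = int.from_bytes(tbs[:2], "big")
        self.revoked = [int.from_bytes(tbs[2 + 8 * i:10 + 8 * i], "big")
                        for i in range(count)]
        self.signature = signature

    def sort(self):  # step b: in-memory order changes, cached bytes do not
        self.revoked.sort()

    def is_revoked(self, serial):  # step c: binary search on the sorted list
        i = bisect.bisect_left(self.revoked, serial)
        return i < len(self.revoked) and self.revoked[i] == serial

    def verify_cached(self):  # step d: check the signature over the cached bytes
        return hmac.compare_digest(sign(self.cached_tbs), self.signature)

    def verify_reencoded(self):  # the failure mode: re-encode the sorted list
        return hmac.compare_digest(sign(encode(self.revoked)), self.signature)


def demo():
    issued = [0x30, 0x0A, 0x2F, 0x11]  # constructed serials, unsorted as issued
    tbs = encode(issued)
    crl = Crl(tbs, sign(tbs))
    crl.sort()
    return (crl.is_revoked(0x2F), crl.is_revoked(0x12),
            crl.verify_cached(), crl.verify_reencoded())
```

The signature covers the bytes the issuer produced, so once the in-memory list has been reordered only the cached encoding still verifies.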
CRL Race condition
Hello all,
There has been a tremendous performance during CRL check between 0.9.7d and 0.9.7e.
I measured the time for checking the CRL with 1,00,000 entries using the following command:
time openssl verify -crl_check -CAfile $ssl_crl_dir/chain $ssl_dir/bin/${demoCA}/newcerts/$serial
The elapsed time is
0.9.7d 0m1.14s
0.9.7e 0m0.69s
1. What is the reason for the improvement in performance ?
2. There has been a new encoding element added to the X509_crl_info_st structure. What is it used for ?
3. Are we caching the encoded CRL structure ?
4. Why do we write lock while sorting the CRL ?
Thanks,
Prakash
openssl 0.9.7e prime coredumps
Hello Developers,
The prime option that has been added to openssl 0.9.7e core dumps when no argument is given.
eg) openssl prime
Memory fault(coredump)
The reason for this is that BN_dec2bn in apps/prime.c returns a null structure when no argument is passed. We must terminate when a NULL structure is returned. If the following changes are made to apps/prime.c then it does not core dump.
[EMAIL PROTECTED] prime_patch]# diff -Naur prime.c prime_new.c --- prime.c 2004-11-28 03:29:20.0 +0530 +++ prime_new.c 2004-11-28 03:17:13.0 +0530 @@ -110,6 +110,12 @@ else BN_dec2bn(bn,argv[0]); + if ( bn == NULL ) + { + BIO_printf(bio_err,"The number to be checked cannot be NULL\n"); + goto bad; + } + BN_print(bio_out,bn); BIO_printf(bio_out," is %sprime\n", BN_is_prime(bn,checks,NULL,NULL,NULL) ? "" : "not ");
Please verify whether the above change is correct and correct me if I am wrong.
Thanks,
Prakash
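Review bot: the new bn == NULL test sits after BN_dec2bn(bn,argv[0]) has already run, so when no argument is given the NULL argv[0] is still handed to the conversion before anything is checked. I would test for the missing argument ahead of the conversion branches and print the usage text there. The result of BN_dec2bn is also discarded as shown; it returns 0 on failure, so checking it would send non-numeric input down the same error path instead of on to BN_print and BN_is_prime. The message "The number to be checked cannot be NULL" describes the internal state; something like "No number specified" tells the user what to fix.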
serial number file not created in 0.9.7e
Hello all,
In 0.9.7d the serial number file is created as follows:
1. Create a certificate request
openssl req -out ksb_cert_req.pem -new -keyout ksb_priv_key.pem -rand rand_file -subj /C=US/ST=xxx/L=xxx/O=xxx/CN=ca -nodes
2. Create a self signed certificate
openssl req -x509 -out ca_cert.pem -new -keyout ca_priv_key.pem -subj /C=US/ST=xxx/L=xxx/O=xxx/CN=req -nodes -passout pass:pass
3. Sign the certificate request using the self signed certificate
openssl x509 -req -passin pass:pass -in ksb_cert_req.pem -CA ca_cert.pem -CAkey ca_priv_key.pem -CAcreateserial -out ksb_cert.pem -days 365
It creates the serial file ca_cert.srl
But in 0.9.7e this serial file is not created. What may be the reason?
Thanks,
Prakash
OpenSSL Core Dump Errors
Hello All,
I get 3 core dump errors while using the openssl command line tool.
Error 1:
1) I generated a self signed certificate using the following command
openssl req -x509 -out ca_cert.pem -new -keyout cacert_priv_key.pem -subj /C=US/ST=California/L=Cupertino/O=test/CN=myname -nodes
2) I parsed it using the asn1parse command and specified the offset value of type NULL
openssl asn1parse -in ca_cert.pem -strparse 29
Memory fault(coredump)
Error 2:
1) Specifying 1 as the multi count value for the speed command
openssl speed -multi 1
+DT:md2:3:16
Memory fault(coredump)
Note: After the core dump the openssl process keeps on running
Error 3:
1) I generated an RSA key using the following command
openssl genrsa -out rsakey
2) I tried to convert it to the pkcs8 standard using rc4 as the v2 algorithm
openssl pkcs8 -in rsakey -topk8 -v2 rc4
Enter Encryption Password:
Verifying - Enter Encryption Password:
Memory fault(coredump)
Note: it accepts and verifies the password but fails during encryption
My question: why am I not getting a failure message but a coredump error?
Thanks,
Prakash
Re: OpenSSL: exchanging DH parameters
Hi,
I would suggest to have a copy of the same DH params beforehand rather than to exchange them during the key exchange process, because exchanging the key values always exposes you to the man-in-the-middle problem.
man-in-the-middle problem.
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. In this attack, an opponent Carol intercepts Alice's public value and sends her own public value to Bob. When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice. Carol and Alice thus agree on one shared key and Carol and Bob agree on another shared key. After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party. This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants.
Reference: http://www.hack.gr/users/dij/crypto/overview/diffie.html
regards,
Prakash Babu
www.visolve.com

Olia Kerzhner [EMAIL PROTECTED] wrote:
Hi all,
I have a question about DH parameters. From what I understand, they can either be exchanged during key exchange, or both Server and Client can have a copy of the same DH params beforehand.
Which way is better -- more efficient and more secure? Since I'm coding both the Server and the Client, I could easily have a copy available on each.
Also, do the DH params ever need to change? In other words, is it OK to use the same DH params for years, or is that a security hole?
thanks for your help,
Olia
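The exchange described in the reply above, as an added example that is not part of the original thread: both sides hold the same toy parameters in advance, and the run is repeated with public values bound to their sender so a substituted value is rejected before any key is derived. The prime, the HMAC stand-in for signatures and all names are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime, fixed on both sides in advance; far too small for real use
G = 3
AUTH_KEY = b"constructed long-term key"  # assumption: stand-in for signing keys


def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def tag(sender, pub):
    """Binds a public value to its sender (stand-in for a signature)."""
    return hmac.new(AUTH_KEY, sender + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def exchange(intercepted, authenticated):
    a_priv, a_pub = keypair()  # Alice
    b_priv, b_pub = keypair()  # Bob
    c_priv, c_pub = keypair()  # Carol, in the middle
    a_tag, b_tag = tag(b"alice", a_pub), tag(b"bob", b_pub)
    # Public values as they arrive; Carol cannot produce tags, so the
    # originals travel alongside whatever value she substitutes.
    at_bob = c_pub if intercepted else a_pub
    at_alice = c_pub if intercepted else b_pub
    if authenticated:
        genuine = (hmac.compare_digest(tag(b"alice", at_bob), a_tag)
                   and hmac.compare_digest(tag(b"bob", at_alice), b_tag))
        if not genuine:
            return "rejected"
    k_alice = session_key(a_priv, at_alice)
    k_bob = session_key(b_priv, at_bob)
    if k_alice == k_bob:
        return "agreed"
    # Two different keys: Carol shares one with each side.
    carol_has_both = (session_key(c_priv, a_pub) == k_alice
                      and session_key(c_priv, b_pub) == k_bob)
    return "split" if carol_has_both else "mismatch"
```

`exchange(True, False)` returns "split" even though P and G never travelled on the wire, while `exchange(True, True)` returns "rejected".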