I'm building a ca cert following .../demos/mkcert.c. The program is failing at:
X509_EXTENSION* ex4 =
X509V3_EXT_conf_nid(NULL, NULL, NID_subject_key_identifier, hash);
err = ERR_get_error();
...
$ openssl errstr 0x22073072
error:22073072:X509 V3 routines:S2I_SKEY_ID:no public key
The
)
{
sk_SSL_COMP_free(ssl_comp_methods);
ssl_comp_methods = NULL;
}
}
#endif
On Mon, Feb 24, 2014 at 9:40 PM, Jeffrey Walton noloa...@gmail.com wrote:
ssl/ssl_ciphr.c has the following:
static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
ssl_comp_methods is allocated with SSL_library_init
On Wed, Feb 26, 2014 at 5:23 PM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
On Wed, Feb 26, 2014 at 04:41:33PM -0500, Jeffrey Walton wrote:
This worked well under Linux with GCC. It cleared the Valgrind squawks.
Why is anyone obsessed about freeing memory that is assigned to
static
What are the limits on PEM_write_RSAPrivateKey and EVP_CIPHER? Is it
possible to use 256-bit security levels with authentication tags?
I could not get AES-256-HMAC-SHA-256 or AES-256-CBC-HMAC-SHA1 to
work, and I could not get AES-256-GCM to work.
AES-256-HMAC-SHA-256 and AES-256-HMAC-SHA-384:
ssl/ssl_ciphr.c has the following:
static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
ssl_comp_methods is allocated with SSL_library_init, but it does not
appear to be freed with any of the cleanup functions (ENGINE_cleanup,
CONF_modules_unload, EVP_cleanup, CRYPTO_cleanup_all_ex_data,
, Feb 10, 2014 at 7:50 PM, Jeffrey Walton noloa...@gmail.com wrote:
I'm trying to remediate a couple of memory leaks on shutdown. I'm
having trouble: (1) locating a definitive guide that lists what should
be called during cleanup; and (2) what order they should be called in.
The closest I've found
I'm trying to remediate a couple of memory leaks on shutdown. I'm
having trouble: (1) locating a definitive guide that lists what should
be called during cleanup; and (2) what order they should be called in.
The closest I've found to answering the questions are (1) OpenSSL
source code; and (2)
OpenSSL has the following defined in thl1.h. They are used in
s_server.c for the SNI callback.
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_WARNING 1
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK 3
SSL_TLSEXT_ERR_OK 0 is self explanatory. It appears
I've set a servername callback using SSL_CTX_set_tlsext_servername_callback.
SSL_CTX_set_tmp_dh_callback(ctx, edh_cb);
SSL_CTX_set_tlsext_servername_callback(ctx, servername_cb);
I verified the callback was set in the context object:
gdb p *server_ctx
...
client_cert_engine
I know OpenSSL has DH_check and RSA_check_key.
Does OpenSSL have a generic key verification routine that can be used
for, say, any key in an EVP_PKEY?
Thanks in advance.
__
OpenSSL Project
I can create a CSR with the following:
$ openssl req -out ./test.csr -new -newkey rsa:2048 -nodes -keyout
./test.key -subj /emailAddress=j...@example.com/CN=John Does/C=US
However, the custom subject causes the CSR to lack other fields, like
State, Locality and Organization.
Is there a way to
On Wed, Jan 29, 2014 at 12:51 AM, Devchandra L Meetei dlmee...@gmail.com wrote:
when I run ./config, The final lines says following things
Since you've disabled or enabled at least one algorithm, you need to do
the following before building:
make depend
is there any way to check
... for >= TLSv1.2, protocol should be selected as SSLv23_method()?
Yes, but as Viktor pointed out, you also need:
options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 |SSL_OP_NO_SSLv2
Jeff
On Sat, Jan 25, 2014 at 10:40 AM, Devchandra L Meetei dlmee...@gmail.com wrote:
Just one more thing, for >=
I'm having a heck of a time getting the SAN into a server's CSR.
I believe the relevant sections are:
[ req ]
req_extensions= server_req_extensions
[ server_req_extensions ]
subjectKeyIdentifier= hash
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,
On Fri, Jan 24, 2014 at 12:02 PM, Dr. Stephen Henson st...@openssl.org wrote:
On Fri, Jan 24, 2014, Jeffrey Walton wrote:
I'm having a heck of a time getting the SAN into a server's CSR.
...
Any ideas what I'm doing wrong?
Hmm... it isn't adding any extensions at all. What version
I don't see a dumb mistake with this one
First, the CSR has multiple SANs:
$ openssl req -text -noout -verify -in servercert.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=XX, ST=XX, L=XX, CN=Test Server/emailAddress=t...@example.com
Subject
On Fri, Jan 24, 2014 at 1:18 PM, Jakob Bohm jb-open...@wisemo.com wrote:
On 1/24/2014 6:54 PM, Jeffrey Walton wrote:
I don't see a dumb mistake with this one
...
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage
What is the name of the function to set the callback described below?
*) Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
I'm having trouble retrieving the random method being used after a
call to FIPS_mode_set.
ENGINE_get_default_RAND is returning NULL, so I can't use ENGINE_get_name.
RAND_get_rand_method is returning a pointer, but it's not supposed to
be used and it has no way to fetch a name.
There is a
I'm trying to declare a BN_CTX on the stack (with a subsequent call to
BN_CTX_init) to stay out of the memory manager.
When I do, I get an error:
aggregate ‘BN_CTX’ has incomplete type and cannot be defined
I've included openssl/bn.h, so I'm kind of surprised I can't
compile. (openssl/bn.h
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on
behalf of Jeffrey Walton [noloa...@gmail.com]
Sent: 16 January 2014 20:28
To: OpenSSL Users List
Subject: Declare BN_CTX on stack (not BN_CTX*)
I'm trying to declare a BN_CTX
On Fri, Jan 17, 2014 at 11:16 AM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
On Fri, Jan 17, 2014 at 09:57:00AM -0500, Jeffrey Walton wrote:
BN_CTX_init() (deprecated) initializes an existing uninitialized
BN_CTX. This should not be used for new programs. Use BN_CTX_new()
instead
snip
*) Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in opensl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
functions. Add manual page.
Can anyone confirm that ENGINE_rdrand is no longer a default engine
(if available).
The change log does not mention it.
http://www.openssl.org/news/changelog.html (the ENGINE is not
mentioned anywhere, including the change from 1.0.1e).
Thanks in advance.
I can't seem to find information on using the hostname and email
verification functionality.
* SSL_CTX_set_verify does not discuss it
* www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
* No mention if it was rolled into SSL_VERIFY_PEER
* s_client does not have any new switches
*
On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
I can't seem to find information on using the hostname and email
verification functionality.
* SSL_CTX_set_verify does not discuss
On Tue, Jan 7, 2014 at 12:58 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
I can't seem to find information on using the hostname and email
On Sat, Jan 4, 2014 at 2:42 PM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
... A substantive comment that argues that DANE adds
nothing new to SMTP would begin by explaining in detail how SMTP
to MX TLS security is possible without DNS data integrity (thus
making it possible to not
How does one verify use of AES-NI at runtime?
I know I can get 'capability' with:
crypto/evp/e_aes.c:#define AESNI_CAPABLE \
(OPENSSL_ia32cap_P[1]&(1<<(57-32)))
But grepping the sources for a runtime test does not produce anything
that looks useful:
$ grep -R -i AESNI *
and
, Jeffrey Walton noloa...@gmail.com wrote:
I'm testing the FIPS Capable OpenSSL library with nginx. nginx starts a
master process which calls:
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
The master then starts a number of child processes. It does so
I'm testing the FIPS Capable OpenSSL library with nginx. nginx starts a
master process which calls:
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
The master then starts a number of child processes. It does so by
forking without an exec (if I am reading
? Or
is it more undocumented, broken cruft lying around?
Jeff
On Wed, Oct 2, 2013 at 4:56 PM, Jeffrey Walton noloa...@gmail.com wrote:
Hi All,
I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
then connected to api.pagepeeker.com, which uses StartCom.
When I use s_client
Hi All,
I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
then connected to api.pagepeeker.com, which uses StartCom.
When I use s_client and -CAfile, the verification completes
successfully. When I use c_client and SSL_CERT_FILE, verification
fails with Verify return code: 19
Hi All,
I'm trying to run OpenSSL through Clang's scan-build
(http://clang-analyzer.llvm.org/scan-build.html). According to the
page, I should be configuring and building a debug configuration (both
through scan-build).
Does OpenSSL supply a 'generic' debug configuration? Or should I use
Ben
the
makefile does not specify full pathnames:
sudo -E make install \
CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc \
RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib \
On Tue, Jun 25, 2013 at 8:46 PM, Jeffrey Walton noloa...@gmail.com wrote:
Hi All,
When linking to the FIPS
Hi All,
When linking to the FIPS Capable shared object, the program fails its
fingerprint check:
$ arm-linux-androideabi-gcc --sysroot=$ANDROID_SYSROOT
-I/usr/local/ssl/android-14/include fips_hmac.c -o fips_hmac.exe
/usr/local/ssl/android-14/lib/libcrypto.so.1.0.0
$ adb push
Hi All,
I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
Android environment with cross compilation. Both the FIPS Object
Module and FIPS Capable library built and installed without much
effort.
I'm trying to build a simple command line application which statically
links to the
On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Sat, Jun 22, 2013, Jeffrey Walton wrote:
Hi All,
I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
Android environment with cross compilation. Both the FIPS Object
Module and FIPS Capable
On Sat, Jun 22, 2013 at 4:24 PM, Dr. Stephen Henson st...@openssl.org wrote:
On Sat, Jun 22, 2013, Jeffrey Walton wrote:
On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson st...@openssl.org
wrote:
On Sat, Jun 22, 2013, Jeffrey Walton wrote:
Hi All,
I'm using openssl-fips-2.0.4
On Mon, Mar 4, 2013 at 11:19 PM, Jeffrey Walton noloa...@gmail.com wrote:
Hi All,
OpenSSL 1.0.1e is not loading Intel's hardware random number
generator. ENGINE_load_rdrand() silently fails:
/*** eng_rand.c ***/
void ENGINE_load_rdrand (void)
{
extern unsigned int OPENSSL_ia32cap_P
Hi All,
OpenSSL 1.0.1e is not loading Intel's hardware random number
generator. ENGINE_load_rdrand() silently fails:
/*** eng_rand.c ***/
void ENGINE_load_rdrand (void)
{
extern unsigned int OPENSSL_ia32cap_P[];
if (OPENSSL_ia32cap_P[1] & (1<<(62-32)))
{
ENGINE *toadd =
On Fri, Feb 15, 2013 at 9:25 AM, Ashok C ash@gmail.com wrote:
On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Feb 14, 2013 at 5:58 AM, Ashok C ash@gmail.com wrote:
As part of implementing certificate expiry related alarms for my SSL
application, I
On Thu, Feb 21, 2013 at 1:37 AM, Nick nos...@codesniffer.com wrote:
On Mon, 2013-02-18 at 08:56 -0500, Jeffrey Walton wrote:
g++-4.7.2 -g -Wall -Wextra -Weffc++ -Wno-missing-field-initializers
-Wctor-dtor-privacy -Wnon-virtual-dtor -Wreorder -Wold-style-cast
-Woverloaded-virtual -Werror
On Wed, Feb 20, 2013 at 4:10 PM, Andreas Mattheiss
coochbeh...@googlemail.com wrote:
s_client doesn't like pipes
This works well for me:
$ echo GET / HTTP1.0 | openssl s_client -connect example.com:443
It looks like you need something more like a response file.
Jeff
On Mon, Feb 18, 2013 at 2:38 PM, Jeffrey Walton noloa...@gmail.com wrote:
Hi All,
$ uname -a
Linux ubuntu-12-x64 3.2.0-37-generic #58-Ubuntu SMP Thu Jan 24
15:28:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Any ideas?
jeffrey@ubuntu-12-x64:~/openssl-1.0.1e$ ./Configure linux-generic64
On Mon, Feb 18, 2013 at 3:04 AM, Nick nos...@codesniffer.com wrote:
On Mon, 2013-02-18 at 00:37 +0100, Dr. Stephen Henson wrote:
That's because it is attempting to free up parts of a pointer that
haven't
been allocated with OPENSSL_malloc. See:
On Mon, Feb 18, 2013 at 7:58 AM, Nick nos...@codesniffer.com wrote:
On Mon, 2013-02-18 at 13:22 +0100, Dr. Stephen Henson wrote:
Here's what's happening in detail. If you pass a non-NULL pointer for
the
second parameter it will attempt to reuse the structure.
In the case of the RSA structure
On Mon, Feb 18, 2013 at 8:31 AM, Nick nos...@codesniffer.com wrote:
On Mon, 2013-02-18 at 08:12 -0500, Jeffrey Walton wrote:
It looks like the GCC tool chain has let you down: C/C++ Option to
Initialize Variables?,
http://gcc.gnu.org/ml/gcc/2013-02/msg00207.html.
Visual Studio has a similar
Hi wenxue,
Get hash failure
http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/1025761add9b41dc?
NMAKE : fatal error U1077: 'c:\Perl\bin\perl.EXE' : return code '0x2'
Stop.
On Windows, ERROR_FILE_NOT_FOUND is 0x0002.
Jeff
On Fri, Feb 15, 2013 at 7:21 PM, nys2013
On Thu, Feb 14, 2013 at 5:58 AM, Ashok C ash@gmail.com wrote:
Hi,
As part of implementing certificate expiry related alarms for my SSL
application, I would kindly require few suggestions and clarifications from
the community.
Does that include OCSP checking? On a continuous basis? The CA
On Thu, Feb 14, 2013 at 5:12 AM, Gayathri Manoj
gayathri.an...@gmail.com wrote:
Hi All,
Please let me know if openssl version 1.0.0 is fips compliant?
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
Hi All,
I'm probably doing something wrong here, but I don't see what it is.
I'm calling SSL_CTX_load_verify_locations() with a CAT of PEM files.
I'm not calling SSL_CTX_set_default_verify_paths():
/* http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html */
/* I've also tried with
On Tue, Feb 12, 2013 at 3:16 AM, Jeffrey Walton noloa...@gmail.com wrote:
...
I've used `openssl x509 -text -in AddTrust External CA Root.pem`
(copied out directly from s_client), and everything looks OK. CA is
TRUE, AKI is present, KU includes Certificate Sign, CRL Sign, etc.
$ openssl x509
I was missing Add Trust External CA Root,
https://support.comodo.com/index.php?_m=downloads_a=viewdownloaddownloaditemid=9nav=0,1.
On Tue, Feb 12, 2013 at 3:16 AM, Jeffrey Walton noloa...@gmail.com wrote:
Hi All,
I'm probably doing something wrong here, but I don't see what it is.
I'm
On Mon, Feb 11, 2013 at 12:41 AM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
I'm trying to extract a public key (subjectPublicKeyInfo) from an X509
certificate.
from apps/x509.c in the openssl source
On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
Sent: Monday, 11 February, 2013 01:12
I'm trying to memory map a file. Does OpenSSL BIO's allow this?
I seem to be failing on BIO_read_filename
On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
Sent: Monday, 11 February, 2013 00:41
On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
I'm trying to extract a public key
Hi All,
I'm trying to memory map a file. Does OpenSSL BIO's allow this?
I seem to be failing on BIO_read_filename with a `ret` of 0. The docs
state I should expect `ret` of 1. When I look for the problem, I'm
getting an error code of 0 (`err`, success).
I ask because the doc's appear to be
On Wed, Feb 6, 2013 at 2:40 PM, Memmott, Lester
lester.memm...@landesk.com wrote:
Jon,
I’m having trouble with fipslink as well and thought it might help to compare
notes. These are the linker errors I’m getting using Visual Studio 2008:
fips_premain.obj : error LNK2001: unresolved external
Hi All,
This relates to 'OpenSSL Security Advisory [05 Feb 2013]' and the
accompanying CVEs. The bulletin did not address combinations of FIPS
Object Module and FIPS Capable Library Combinations.
Please forgive my ignorance. I don't like to take a lot of latitude or
license on these things. I'm
On Mon, Jan 28, 2013 at 8:24 AM, René Klomp rene.kl...@os3.nl wrote:
Could someone tell me how I could disable *only* the AES-NI instructions
when compiling openssl?
I don't believe AES-NI can be disabled at compile time. `./config -t`
might offer some useful options (I can't check at the moment
On Tue, Jan 29, 2013 at 6:37 AM, Joseandro Luiz
joseandro.l...@gmail.com wrote:
Hello everyone,
I am using the OpenSSL user guide from
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf in order to create a FIPS
140-2 compliant iOS app.
So far I've successfully built the Incore utility and
On Mon, Jan 28, 2013 at 7:18 AM, Rahul Godbole rahulmg1...@gmail.com wrote:
When I call the function FIPS_mode_set() from my code, the function returns
0. It returns 0 because the flag OPENSSL_FIPS is not set during compilation.
What option should I pass to the Configure or config script so
Hi All,
I just made a recommendation for Thomas Wu's Secure Remote Password (SRP).
I know Thomas Wu submitted patches some time ago
(http://rt.openssl.org/Ticket/Display.html?id=1794user=guestpass=guest).
What is the status of SRP in OpenSSL? Is it in mainline? Or does it
need to be pulled from
On Wed, Jan 23, 2013 at 1:20 PM, Smith, Russell (Shane), Contractor
russell.s.smith@sofsa.mil wrote:
I am looking for a way to disable weak ciphers in openssl.
I have a legacy program that uses the default SSL ciphers and is not
configurable like apache and httpd.conf etc.
Is there
On Wed, Jan 23, 2013 at 9:42 AM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
On Wed, Jan 23, 2013 at 09:12:41AM -0500, Ken Goldman wrote:
My experience is that you should not expect binary compatibility.
Since errors will often be in little used corner cases, it's safer
to always
On Wed, Jan 23, 2013 at 3:02 PM, John A. Wallace jw72...@verizon.net wrote:
I also have questions about this issue. Am I correct in saying that IDEA,
which is a patented algorithm, has legal restrictions from our implementing
I believe IDEA is no longer encumbered in the US. I seem to recall it
On Sun, Jan 20, 2013 at 6:51 PM, jb-open...@wisemo.com wrote:
On 18-01-2013 20:26, Jeffrey Walton wrote:
On Fri, Jan 18, 2013 at 11:01 AM, Memmott, Lester
lester.memm...@landesk.com wrote:
All modern Versions of Microsoft's C Runtime are thread safe. That
occurred around Visual Studio 6.0
On Sat, Jan 19, 2013 at 11:42 AM, Ben Laurie b...@links.org wrote:
On 19 January 2013 16:31, Jeffrey Walton noloa...@gmail.com wrote:
On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie b...@links.org wrote:
On 26 December 2012 20:07, Jeffrey Walton noloa...@gmail.com wrote:
On Wed, Dec 26, 2012 at 9
On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie b...@links.org wrote:
On 26 December 2012 20:07, Jeffrey Walton noloa...@gmail.com wrote:
On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie b...@links.org wrote:
On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton noloa...@gmail.com wrote:
I fetched
On Fri, Jan 18, 2013 at 10:21 AM, Memmott, Lester
lester.memm...@landesk.com wrote:
I'm in the process of incorporating FIPS enabled OpenSSL into an application
when I realized that by default the FIPS module is built by dynamically
linking the C runtime, not statically linking. In my case,
On Fri, Jan 18, 2013 at 11:01 AM, Memmott, Lester
lester.memm...@landesk.com wrote:
All modern Versions of Microsoft's C Runtime are thread safe. That occurred
around Visual Studio 6.0 (circa 2000 or so).
From http://msdn.microsoft.com/en-us/library/abx4dbyh.aspx: The
single-threaded CRT
On Fri, Jan 18, 2013 at 5:53 PM, Hazrat Shah hs...@crestron.com wrote:
I am having problem with server certificate verification the
SSL_get_verify_result() returns
Error code 20.
From http://www.openssl.org/docs/apps/verify.html, that is
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
I add a
On 1/17/13, Memmott, Lester lester.memm...@landesk.com wrote:
I've gone through the FIPS User Guide and have built OpenSSL 1.0.1c with the
FIPS module 2.0.2. From a practical perspective I'm trying to sort out in
my mind the following:
Be careful - it's a bit dated and some information is not
On Thu, Jan 17, 2013 at 4:21 PM, MauMau maumau...@gmail.com wrote:
Hello,
I'm using OpenSSL 1.0.1c on Linux and Windows to implement encryption
feature of my software. I need to compare performance of cases where AES-NI
is enabled and where it is disabled on the same computer. If possible,
On Thu, Jan 17, 2013 at 9:17 PM, ask as...@yahoo.com wrote:
How can I print out result string from return code of
SSL_get_verify_result?
For example, for my test, I got 18,
ERR_error_string( return_code) does not yield any thing?
http://www.openssl.org/docs/ssl/SSL_get_verify_result.html
On Wed, Jan 16, 2013 at 9:02 AM, Bruce Cran br...@cran.org.uk wrote:
On http://www.openssl.org/support/community.html the mailing list
subscription feature is broken - clicking Send to Majordomo just displays
the majordomo.cgi script.
It also looks like it's injectable:
$query_string =
On Mon, Jan 14, 2013 at 5:52 AM, Rahul Godbole rahulmg1...@gmail.com wrote:
1) I am trying to build OpenSSL for FIPS. When I link to the below
functions from an external program linking to libcrypto.a, I get a linking
error for them. When I grepped for the below functions in libcrypto.a and
On Mon, Jan 14, 2013 at 7:24 AM, Rahul Godbole rahulmg1...@gmail.com wrote:
Thanks Jeff. Please see inline.
Did you build the FIPS Object Module first?
$ rm -rf openssl-fips-2.0.1/
$ tar xzf openssl-fips-2.0.1.tar.gz
$ cd openssl-fips-2.0.1/
$ ./config
$ make
$ sudo make install
Hi Dr. Henson,
On Mon, Jan 14, 2013 at 10:04 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Mon, Jan 14, 2013, Rahul Godbole wrote:
Hi
Can someone please help me on the following 2 issues? I am using FIPS 2.0
1) I am trying to build OpenSSL for FIPS. When I link to the below
On Thu, Jan 10, 2013 at 3:07 AM, Nayna Jain naynj...@in.ibm.com wrote:
Hi,
I want to use FIPS compliant algorithms and keys. For that I understand, I
need to have Openssl FIPS object library along with default openssl.
However, I am not understanding how to install them. My questions are :
On Thu, Jan 10, 2013 at 6:13 AM, Tayade, Nilesh
nilesh.tay...@netscout.com wrote:
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Friday, December 21, 2012 8:23 PM
To: openssl-users@openssl.org
Subject:
On Thu, Jan 10, 2013 at 9:01 AM, Tayade, Nilesh
nilesh.tay...@netscout.com wrote:
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Thursday, January 10, 2013 6:56 PM
To: openssl-users@openssl.org
Subject:
)
AES-128
SHA-256
So, you have to plug in the required parameters.
Jeff
From: Jeffrey Walton noloa...@gmail.com
To: openssl-users@openssl.org
Date: 01/10/2013 04:01 PM
Subject:Re: How to link openssl FIPS 140-2 object module with openssl
binary
Sent
On Thu, Jan 10, 2013 at 5:50 PM, Ribhi Kamal rbhka...@gmail.com wrote:
Never mind, the application (virtualbox) was incorrectly trying to use the
32bit version of openssl. But I still don't understand why a 32bit version
has different symbols than the 64bit one.
The message is probably similar
_FIPS_set_locking_callbacks
U _FIPS_set_malloc_callbacks
U _RAND_init_fips
...
Jeff
On Thu, Jan 10, 2013 at 6:09 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Jan 10, 2013 at 5:50 PM, Ribhi Kamal rbhka...@gmail.com wrote:
Never mind, the application (virtualbox) was incorrectly trying
On Wed, Jan 9, 2013 at 7:02 AM, Serhiy Ivanov
serhiy.i.iva...@globallogic.com wrote:
Tried to turn off one cipher via:
#!/bin/bash
make clean ./config -no-CAMELLIA-128-CBC make depend make
Try make dclean
Jeff
On Wed, Jan 9, 2013 at 10:42 AM, Jakob Bohm jb-open...@wisemo.com wrote:
On 1/8/2013 7:59 PM, Jeffrey Walton wrote:
On Tue, Jan 8, 2013 at 1:14 PM, Carson Gaspar car...@taltos.org wrote:
On 1/8/13 9:52 AM, Jeffrey Walton wrote:
...
OT: Do you think the tools will ever catch up?
Autoconf
On Tue, Jan 8, 2013 at 11:13 AM, Florian Weimer fwei...@redhat.com wrote:
On 01/08/2013 04:34 PM, Serhiy Ivanov wrote:
Is there way to get some 3rd party documentation about advanced
configuration of ssl.
I need to
1) Get rid from linkage
b75d6000-b75e6000 r-xp 08:03 54611
On Tue, Jan 8, 2013 at 1:14 PM, Carson Gaspar car...@taltos.org wrote:
On 1/8/13 9:52 AM, Jeffrey Walton wrote:
That seems like a really odd requirement. Is there any reading on the
topic?
man nsswitch.conf
Generally, I prefer static linking in high integrity software. And I
oppose plug
On Fri, Jan 4, 2013 at 10:56 AM, Steve Marquess
marqu...@opensslfoundation.com wrote:
On 01/04/2013 03:45 AM, Jeffrey Walton wrote:
Hi All,
I'm wondering how the single pass linker affects symbol resolution. If
I specify:
fipscanister.o libcrpyto.a
the linker will resolve symbols
On Fri, Jan 4, 2013 at 11:21 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Jan 4, 2013 at 10:56 AM, Steve Marquess
marqu...@opensslfoundation.com wrote:
On 01/04/2013 03:45 AM, Jeffrey Walton wrote:
Either the libcrypto.a is from a FIPS
capable OpenSSL build, in which case
Hi All,
Is it possible to configure a build that does not include documentations?
I'm working on Mac OSX, and I have three targets under /usr/local/ssl/
(iphoneos, iphonesimulator, and macosx). There's no reason to install
the documentation over top itself multiple times.
Jeff
On Mon, Dec 31, 2012 at 7:00 AM, Ben Laurie b...@links.org wrote:
On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Sun, Dec 30, 2012 at 3:20 PM, jb-open...@wisemo.com wrote:
On 30-12-2012 21:01, Jeffrey Walton wrote:
Configure should test `makeddepend
On Wed, Jan 2, 2013 at 5:07 AM, Jakob Bohm jb-open...@wisemo.com wrote:
On 1/2/2013 9:34 AM, Jeffrey Walton wrote:
On Mon, Dec 31, 2012 at 7:00 AM, Ben Laurie b...@links.org wrote:
On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton noloa...@gmail.com
wrote:
On Sun, Dec 30, 2012 at 3:20 PM
On Sun, Dec 30, 2012 at 3:20 PM, jb-open...@wisemo.com wrote:
On 30-12-2012 21:01, Jeffrey Walton wrote:
Hi All,
While working on Apple with Mac OS X and iOS, I found I needed to
patch OpenSSL 1.0.1c's Makefile.
Makefile.org has the following line, and it was copied directly
On Mon, Dec 31, 2012 at 8:39 AM, Jakob Bohm jb-open...@wisemo.com wrote:
On 12/31/2012 12:39 PM, Jeffrey Walton wrote:
On Sun, Dec 30, 2012 at 3:20 PM, jb-open...@wisemo.com wrote:
On 30-12-2012 21:01, Jeffrey Walton wrote:
...
Configure should test `makeddepend`. If 'makedepend' succeeds
On Mon, Dec 31, 2012 at 1:58 PM, Walter H. walte...@mathemainzel.info wrote:
Hello,
why does the following makefile not succeed?
...
I have isolated the problem:
openssl crl -noout -text -in $< > $@
exits with exit code 1 instead of 0, why?
openssl crl -noout -text -in $< -out $@
does the
Hi All,
I'm trying to work through a couple of issues on Mac OS X. The steps
are below, all performed in openssl-1.0.1c/ directory.
The problem with ERR_load_COMP_strings has showed up on at *least* two
Apple platforms now. I've also had to fix MAKEDEPEND on two Apple
platforms.
Looking through
On Sun, Dec 30, 2012 at 8:23 AM, Jeffrey Walton noloa...@gmail.com wrote:
Hi All,
I'm trying to work through a couple of issues on Mac OS X. The steps
are below, all performed in openssl-1.0.1c/ directory.
The problem with ERR_load_COMP_strings has showed up on at *least* two
Apple