Re: OpenSSL Security Advisory

[monloi perez]

True. Thanks for the quick reply.


On Wednesday, April 9, 2014 3:33 PM, Alan Buxey  wrote:
 
https://www.openssl.org/news/changelog.html

1.0.1 introduced the heartbeat support.

1.0.0 and earlier are fortunate in that they didnt have it.but then they 
didnt have things to stop you from being BEASTed so some you win, some you 
lose. ;)

alan

stunnel 5.01 released

[Michal Trojnara]

Dear Users,

I have released version 5.01 of stunnel.

The ChangeLog entry:

Version 5.01, 2014.04.08, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1g.
This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
  - X.509 extensions added to the created self-signed stunnel.pem.
  - "FIPS = no" also allowed in non-FIPS builds of stunnel.
  - Search all certificates with the same subject name for a matching
public key rather than only the first one (thx to Leon Winter).
  - Create logs in the local application data folder if stunnel folder
is not writable on Win32.
* Bugfixes
  - close_notify not sent when SSL still has some data buffered.
  - Protocol negotiation with server-side SNI fixed.
  - A Mac OS X missing symbols fixed.
  - Win32 configuration file reload crash fixed.
  - Added s_pool_free() on exec+connect service retires.
  - Line-buffering enforced on stderr output.

Home page: https://www.stunnel.org/
Download:  https://www.stunnel.org/downloads.html

SHA-256 hash for stunnel-5.01.tar.gz:
2565bf58ffe8a612304c64df621105b2e42d6e389e815ed4205dbeec4f3f886b

Best regards,
Mike



signature.asc
Description: OpenPGP digital signature

Re: How to swap engines / register functionality on the fly

[axisofevil]

I call a EVP-based verify function (that works), I then call a
HSM/dynamic/OpenSC/pkcs11-based sign function ( works too ) , but then a
second call to my verify functions complains with 

ecc_ssl_gen_EC_KEY EC_KEY_generate_key FAIL error:2D06D075:FIPS
routines:fips_pkey_signature_test:test failure

I'm concluding something in the sign() is causing this but have no clue. I
do set fips off too. 

openssl version -> OpenSSL 1.0.1e-fips 11 Feb 2013



--
View this message in context: 
http://openssl.6102.n7.nabble.com/How-to-swap-engines-register-functionality-on-the-fly-tp48982p49159.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Help me for ECDHE algorithm

[chetan]

 I am newer to this and i want to make ECDHE algorithm for cilient-server.
Can anyone tell me basic steps and functions to do this. all response are
acceptable.
  Thankss in advance



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Help-me-for-ECDHE-algorithm-tp49168.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL vs. SSH in the context of CVE 2014-0160

[Chris Hill]

Thanks Wim.


On Tue, Apr 8, 2014 at 10:36 PM, Wim Lewis  wrote:

>
> On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
> > Team, I am having a discussions with a few friends about why this
> OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for
> many of you (apologize in advance), but can't think of any other way to
> prove my point other than speaking to the folks who really know (that's u).
> Or maybe I am the one wrong, wouldn't be the first time ;).
> >
> > A quick response to my frieds could be simply diffing the files for the
> actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a
> more classy answer.
> >
> > Is the below ok or am I completely off?
> >
> > Thank you in advance
> >
> > SSH and SSL/TLS are simply different protocols (doh). They may share
> some similar underlying crypto implementations, but as of their respective
> RFCs, they are just different protocols. The TLS Heartbeat TLS extension
> would not apply to SSH. SSH "may" have its own way to keep alive, but that
> would be a different one.
> >
> > Chris.
>
> This is correct as I understand it. ssh uses openssl mostly for crypto
> operations, but the ssh protocol does not have anything in common with
> ssl/tls (other than some fairly general design aspects). The heartbeat bug
> is particular to the openssl implementation of the heartbeat feature in
> tls, and that code isn't used by openssh.
>
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>

about ecdsa patent in openssl code

[shixin]

Hi all,
I have a question on openssl ECDSA code. Can ECDSA be safely used without 
infringing on patents? The ECDSA  implementation which is patent-free in 
openssl ?
I would like to make use of ECDSA in embedded system, so I porting code from 
openssl. Will there be any problem?


Best Wishes!

about ecdsa patent in openssl code

[shixin]

Hi all,
I have a question on openssl ECDSA code. Can ECDSA be safely used without 
infringing on patents? The ECDSA  implementation which is patent-free in 
openssl ?
I would like to make use of ECDSA in embedded system, so I porting code from 
openssl. Will there be any problem?


Best Wishes!

Error in `openssl': munmap_chunk(): invalid pointer: 0x00007ffffc1065af

[Igor Sverkos]

Hi,

when you set the "-host" parameter as last, you will get the following error:

 ~/cert-test/ $ openssl ocsp -CApath /etc/ssl/certs -no_nonce -issuer
issuer.crt -cert cert.crt -url http://ocsp2.globalsign.com/gsalphag2
-host ocsp2.globalsign.com

Error querying OCSP responsder
139638328587920:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server
response error:ocsp_ht.c:250:Code=403,Reason=Forbidden
*** Error in `openssl': munmap_chunk(): invalid pointer: 0x7fff0b82859d ***
=== Backtrace: =
/lib64/libc.so.6(+0x741bf)[0x7f001440e1bf]
/lib64/libc.so.6(+0x79ace)[0x7f0014413ace]
/usr/lib64/libcrypto.so.1.0.0(CRYPTO_free+0x1d)[0x7f00148874cd]
openssl[0x45981b]
openssl[0x418e78]
openssl[0x418bc6]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f00143bbb15]
openssl[0x418c4b]
=== Memory map: 
0040-00478000 r-xp  fe:03 303689
  /usr/bin/openssl
00678000-00679000 r--p 00078000 fe:03 303689
  /usr/bin/openssl
00679000-0067e000 rw-p 00079000 fe:03 303689
  /usr/bin/openssl
0067e000-0067f000 rw-p  00:00 0
025fb000-0263d000 rw-p  00:00 0  [heap]
7f0013d6a000-7f0013d7f000 r-xp  fe:03 192002
  /usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1
7f0013d7f000-7f0013f7e000 ---p 00015000 fe:03 192002
  /usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1
7f0013f7e000-7f0013f7f000 r--p 00014000 fe:03 192002
  /usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1
7f0013f7f000-7f0013f8 rw-p 00015000 fe:03 192002
  /usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1
7f0013f8-7f0013f95000 r-xp  fe:03 160220
  /lib64/libz.so.1.2.8
7f0013f95000-7f0014194000 ---p 00015000 fe:03 160220
  /lib64/libz.so.1.2.8
7f0014194000-7f0014195000 r--p 00014000 fe:03 160220
  /lib64/libz.so.1.2.8
7f0014195000-7f0014196000 rw-p 00015000 fe:03 160220
  /lib64/libz.so.1.2.8
7f0014196000-7f0014198000 r-xp  fe:03 667133
  /lib64/libdl-2.19.so
7f0014198000-7f0014398000 ---p 2000 fe:03 667133
  /lib64/libdl-2.19.so
7f0014398000-7f0014399000 r--p 2000 fe:03 667133
  /lib64/libdl-2.19.so
7f0014399000-7f001439a000 rw-p 3000 fe:03 667133
  /lib64/libdl-2.19.so
7f001439a000-7f0014539000 r-xp  fe:03 667200
  /lib64/libc-2.19.so
7f0014539000-7f0014739000 ---p 0019f000 fe:03 667200
  /lib64/libc-2.19.so
7f0014739000-7f001473d000 r--p 0019f000 fe:03 667200
  /lib64/libc-2.19.so
7f001473d000-7f001473f000 rw-p 001a3000 fe:03 667200
  /lib64/libc-2.19.so
7f001473f000-7f0014743000 rw-p  00:00 0
7f0014743000-7f00148ea000 r-xp  fe:03 301863
  /usr/lib64/libcrypto.so.1.0.0
7f00148ea000-7f0014aea000 ---p 001a7000 fe:03 301863
  /usr/lib64/libcrypto.so.1.0.0
7f0014aea000-7f0014b04000 r--p 001a7000 fe:03 301863
  /usr/lib64/libcrypto.so.1.0.0
7f0014b04000-7f0014b0f000 rw-p 001c1000 fe:03 301863
  /usr/lib64/libcrypto.so.1.0.0
7f0014b0f000-7f0014b13000 rw-p  00:00 0
7f0014b13000-7f0014b72000 r-xp  fe:03 301866
  /usr/lib64/libssl.so.1.0.0
7f0014b72000-7f0014d72000 ---p 0005f000 fe:03 301866
  /usr/lib64/libssl.so.1.0.0
7f0014d72000-7f0014d76000 r--p 0005f000 fe:03 301866
  /usr/lib64/libssl.so.1.0.0
7f0014d76000-7f0014d7d000 rw-p 00063000 fe:03 301866
  /usr/lib64/libssl.so.1.0.0
7f0014d7d000-7f0014d9e000 r-xp  fe:03 666577
  /lib64/ld-2.19.so
7f0014f8e000-7f0014f92000 rw-p  00:00 0
7f0014f9b000-7f0014f9d000 rw-p  00:00 0
7f0014f9d000-7f0014f9e000 r--p 0002 fe:03 666577
  /lib64/ld-2.19.so
7f0014f9e000-7f0014f9f000 rw-p 00021000 fe:03 666577
  /lib64/ld-2.19.so
7f0014f9f000-7f0014fa rw-p  00:00 0
7fff0b808000-7fff0b829000 rw-p  00:00 0  [stack]
7fff0b991000-7fff0b992000 r-xp  00:00 0  [vdso]
ff60-ff601000 r-xp  00:00 0
  [vsyscall]
Aborted (core dumped)


 $ openssl version
OpenSSL 1.0.1g 7 Apr 2014

gcc-4.8.2, glibc-2.19


-- 
Regards,
Igor
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

STORE support

[Vladimir Zatsepin]

Hi all,

Since 1.0.0 version the STORE functionallity has been removed from openssl
distirbutive by default.

We may see in CHANGES

  *) Removed effectively defunct crypto/store from the build.
 [Ben Laurie]

Does anybody know why the STORE support has been disabled?

Re: OpenSSL Security Advisory

[Ted Byers]

How do I determine whether or not the web servers I run are affected?  They
are Apache 2.4, built for 64 bit Windows and downloaded from Apachelounge.
I have no idea what version of openssl it was built with.  Does anyone here
know if the feature that introduces the risk can be turned off, without
introducing other risks?  If so, how?

Also, could the security keys we bought have been compromised?

Any advice on how I can protect my servers better would be appreciated.

Thanks

Ted

-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.


On Mon, Apr 7, 2014 at 4:31 PM, OpenSSL  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> OpenSSL Security Advisory [07 Apr 2014]
> 
>
> TLS heartbeat read overrun (CVE-2014-0160)
> ==
>
> A missing bounds check in the handling of the TLS heartbeat extension can
> be
> used to reveal up to 64k of memory to a connected client or server.
>
> Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
> 1.0.1f and 1.0.2-beta1.
>
> Thanks for Neel Mehta of Google Security for discovering this bug and to
> Adam Langley  and Bodo Moeller  for
> preparing the fix.
>
> Affected users should upgrade to OpenSSL 1.0.1g. Users unable to
> immediately
> upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
>
> 1.0.2 will be fixed in 1.0.2-beta2.
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQIcBAEBCAAGBQJTQt1bAAoJENNXdQf6QOniGhkP/AjjZgV+g7ZyxnxdnvA2+sdV
> sxNso208Cod8DKnDONtXHuPTkTFfyHl72FM1ea99woe3X6JWj3PyiZGvSfeo4Jj/
> QiDJvvcHc5Xq00gAr6MIarhMJbRtYkM+Th6PPXyqODYcb/pDoqy5VWo/R9QkZTPn
> zaiXPyapJB/qSYo4UqXWerT9YTLdYmiro//kQN0U/SedF/fNz4CEBcMyz6z7YJAC
> LFoE6Vf54PAkNvxjcX9ugIKluBMk5YONRG8PB0X/UDwf9Kj4L6OTT51x1yeFw3Sg
> GzTqvKD+2JWzFDCcfJULRCSCEwHhKbjR7n3sI1RPaaEWp5E63+9HSMRYjVOFIwt/
> OTrMPbW1BEiX0A7NB7HSrrvddnYd3sz8A44v00oesr+XaW5nyu79IndQwLhPkKYF
> Dkb67quw/tfV6Y1r4sETqSd2FrM7MpFzltywMKzVKWNpMSwOAWSBGUl7VH0m84Ty
> zAufUSEnYIA3dMC2DnHie+ot4WnjJlTErBmfUb/QNbNYDt0vjhS60oydP1NJ8AlG
> aoUK7mslOlVCauAIeGNbi4PzJ+LvWYmyFFGT+M1/UOBZFFvG7jsReBjTIu9dg3Za
> S7NE7CeMvRRpOEm1+T9L8a26/c6C9dwF7JPQvMpTR3BeT2jjkYe8rdTCkT91g1sd
> J37YgDNuefzrsA+B5/o7
> =szjb
> -END PGP SIGNATURE-
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: OpenSSL Security Advisory

[Ali Jawad]

http://filippo.io/Heartbleed/#www.unlocator.com


On Wed, Apr 9, 2014 at 2:05 PM, Ted Byers  wrote:

> How do I determine whether or not the web servers I run are affected?
> They are Apache 2.4, built for 64 bit Windows and downloaded from
> Apachelounge.  I have no idea what version of openssl it was built with.
> Does anyone here know if the feature that introduces the risk can be turned
> off, without introducing other risks?  If so, how?
>
> Also, could the security keys we bought have been compromised?
>
> Any advice on how I can protect my servers better would be appreciated.
>
> Thanks
>
> Ted
>
> --
> R.E.(Ted) Byers, Ph.D.,Ed.D.
>
>
> On Mon, Apr 7, 2014 at 4:31 PM, OpenSSL  wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> OpenSSL Security Advisory [07 Apr 2014]
>> 
>>
>> TLS heartbeat read overrun (CVE-2014-0160)
>> ==
>>
>> A missing bounds check in the handling of the TLS heartbeat extension can
>> be
>> used to reveal up to 64k of memory to a connected client or server.
>>
>> Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
>> 1.0.1f and 1.0.2-beta1.
>>
>> Thanks for Neel Mehta of Google Security for discovering this bug and to
>> Adam Langley  and Bodo Moeller  for
>> preparing the fix.
>>
>> Affected users should upgrade to OpenSSL 1.0.1g. Users unable to
>> immediately
>> upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
>>
>> 1.0.2 will be fixed in 1.0.2-beta2.
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> iQIcBAEBCAAGBQJTQt1bAAoJENNXdQf6QOniGhkP/AjjZgV+g7ZyxnxdnvA2+sdV
>> sxNso208Cod8DKnDONtXHuPTkTFfyHl72FM1ea99woe3X6JWj3PyiZGvSfeo4Jj/
>> QiDJvvcHc5Xq00gAr6MIarhMJbRtYkM+Th6PPXyqODYcb/pDoqy5VWo/R9QkZTPn
>> zaiXPyapJB/qSYo4UqXWerT9YTLdYmiro//kQN0U/SedF/fNz4CEBcMyz6z7YJAC
>> LFoE6Vf54PAkNvxjcX9ugIKluBMk5YONRG8PB0X/UDwf9Kj4L6OTT51x1yeFw3Sg
>> GzTqvKD+2JWzFDCcfJULRCSCEwHhKbjR7n3sI1RPaaEWp5E63+9HSMRYjVOFIwt/
>> OTrMPbW1BEiX0A7NB7HSrrvddnYd3sz8A44v00oesr+XaW5nyu79IndQwLhPkKYF
>> Dkb67quw/tfV6Y1r4sETqSd2FrM7MpFzltywMKzVKWNpMSwOAWSBGUl7VH0m84Ty
>> zAufUSEnYIA3dMC2DnHie+ot4WnjJlTErBmfUb/QNbNYDt0vjhS60oydP1NJ8AlG
>> aoUK7mslOlVCauAIeGNbi4PzJ+LvWYmyFFGT+M1/UOBZFFvG7jsReBjTIu9dg3Za
>> S7NE7CeMvRRpOEm1+T9L8a26/c6C9dwF7JPQvMpTR3BeT2jjkYe8rdTCkT91g1sd
>> J37YgDNuefzrsA+B5/o7
>> =szjb
>> -END PGP SIGNATURE-
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing Listopenssl-users@openssl.org
>> Automated List Manager   majord...@openssl.org
>>
>
>
>
>

RE: OpenSSL Security Advisory

[Eisenacher, Patrick]

Hi Ted,

> -Original Message-
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> 
> How do I determine whether or not the web servers I run are affected?
> They are Apache 2.4, built for 64 bit Windows and downloaded from
> Apachelounge.  I have no idea what version of openssl it was built with.  Does
> anyone here know if the feature that introduces the risk can be turned off,
> without introducing other risks?  If so, how?

you can check for yourself:
- http://filippo.io/Heartbleed/
- http://possible.lv/tools/hb/
- https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl

> Also, could the security keys we bought have been compromised?

Certainly yes. You should replace them. I read today that some CAs offer free 
replacements.


HTH,
Patrick Eisenacher
:��I"Ϯ��r�m
(Z+�K�+1���x��h[�z�(Z+���f�y���f���h��)z{,���

RE: OpenSSL Security Advisory

[Salz, Rich]

Ø  How do I determine whether or not the web servers I run are affected?

Here's a simple way:
echo B | openssl s_client -connect $HOST:$PORT
if you see "heartbeating" at the end, then $HOST is vulnerable.

How can you tell if private keys have been taken?  You can't, really. You can 
estimate the likelihood by looking closely at how OpenSSL_Malloc() return 
values are used and layed out.  The risk is that an allocated ssl-record buffer 
is right up against a private key being stored.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA

CVE 2014-0160 and FIPS 140-2 module

[Chris Bare]

Can anyone confirm my understanding that the FIPS 140-2 certified module is
NOT affected by the CVE 2014-0160 vulnerability?

-- 
Chris Bare

Re: OpenSSL Security Advisory

[Ted Byers]

Thanks Rich,

I have obtained the new, patched, release of Apache from Apache lounge, and
applied the patch to one server, which the online services say fix the
problem on it, but your simple way of checking still says heartbeating at
the end.  Does that mean that the patch didn't truly work?

I get the heartbeating message on both unpatched and patched servers.
Should that make me worry about the patched machines?

Thanks

Ted


-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.


On Wed, Apr 9, 2014 at 9:54 AM, Salz, Rich  wrote:

> Ø  How do I determine whether or not the web servers I run are affected?
>
>
>
> Here's a simple way:
>
> echo B | openssl s_client -connect $HOST:$PORT
>
> if you see "heartbeating" at the end, then $HOST is vulnerable.
>
>
>
> How can you tell if private keys have been taken?  You can't, really. You
> can estimate the likelihood by looking closely at how OpenSSL_Malloc()
> return values are used and layed out.  The risk is that an allocated
> ssl-record buffer is right up against a private key being stored.
>
>
>
> /r$
>
>
>
> --
>
> Principal Security Engineer
>
> Akamai Technology
>
> Cambridge, MA
>
>
>

Re: OpenSSL Security Advisory

[Ted Byers]

Thanks Patrick.

Apache lounge already has a patched release released.  So, once I deploy
that, and get my certificates reissued, I ought to be OK.

Thanks

Ted



-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.

On Wed, Apr 9, 2014 at 8:37 AM, Eisenacher, Patrick <
patrick.eisenac...@bdr.de> wrote:

> Hi Ted,
>
> > -Original Message-
> > From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> >
> > How do I determine whether or not the web servers I run are affected?
> > They are Apache 2.4, built for 64 bit Windows and downloaded from
> > Apachelounge.  I have no idea what version of openssl it was built with.
>  Does
> > anyone here know if the feature that introduces the risk can be turned
> off,
> > without introducing other risks?  If so, how?
>
> you can check for yourself:
> - http://filippo.io/Heartbleed/
> - http://possible.lv/tools/hb/
> - https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl
>
> > Also, could the security keys we bought have been compromised?
>
> Certainly yes. You should replace them. I read today that some CAs offer
> free replacements.
>
>
> HTH,
> Patrick Eisenacher
>

Re: CVE 2014-0160 and FIPS 140-2 module

[ag@gmail]

It is not.

-ag

--
sent via 100% recycled electrons from my mobile command center.

> On Apr 9, 2014, at 7:22 AM, Chris Bare  wrote:
> 
> Can anyone confirm my understanding that the FIPS 140-2 certified module is 
> NOT affected by the CVE 2014-0160 vulnerability?
> 
> -- 
> Chris Bare
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Reading an "otherName" value from a "subjectAltName" certificate extension

[Dustin Oprea]

It looks like OpenSSL always shows "unsupported" for a subjectAltName of
"otherName".

The string that was written (both via M2Crypto, and directly at the
commandline via openssl.cnf):

1.2.3.4;UTF8:some other identifier

Dumped (openssl x509 -in test.crt -noout -text):

c3:88:36:93:82:58:0c:08:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:
Signature Algorithm: sha1WithRSAEncryption
05:76:d5:fc:d0:44:50:af:39:76:05:b4:cb:b6:99:9f:7c:c0:

Grepping through the OpenSSL source for "otherName", this stood out to me
(in v3_alt.c):

1:

STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
{
unsigned char *p;
char oline[256], htmp[5];
int i;
switch (gen->type)
{
case GEN_OTHERNAME:
X509V3_add_value("othername","", &ret);
break;

case GEN_X400:
X509V3_add_value("X400Name","", &ret);
break;

case GEN_EDIPARTY:
X509V3_add_value("EdiPartyName","", &ret);
break;

2:

int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
{
unsigned char *p;
int i;
switch (gen->type)
{
case GEN_OTHERNAME:
BIO_printf(out, "othername:");
break;

case GEN_X400:
BIO_printf(out, "X400Name:");
break;

case GEN_EDIPARTY:
/* Maybe fix this: it is supported now */
BIO_printf(out, "EdiPartyName:");
break;

So, I'm willing to bet that both this and the empirical knowledge coming
from my attempts above mean that I shouldn't ever expect that the
"otherName" values will *ever* be properly rendered via the command-line or
library calls. This might be because they're actual, encoded ASN.1 strings.
So, how can I do it? How do people extract these values? If they are actual
ASN.1 strings, is it up to the developer to decode them?



Dustin

Re: OpenSSL Security Advisory

[Viktor Dukhovni]

On Wed, Apr 09, 2014 at 10:55:23AM -0400, Ted Byers wrote:

> I get the heartbeating message on both unpatched and patched servers.
> Should that make me worry about the patched machines?

No, unfortunately both patched and unpatched systems respond the
same way to valid heartbeat requests as send by s_client(1).

To detect a difference, you need to send invalid heartbeat requests
whose payload is shorter than promised.  If you patch a copy of the
source code for OpenSSL 1.0.1 as below, and build statically linked
and run "./apps/openssl s_client ..." from the build tree:

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2702,7 +2702,7 @@ tls1_heartbeat(SSL *s)
/* Message Type */
*p++ = TLS1_HB_REQUEST;
/* Payload length (18 bytes here) */
-   s2n(payload, p);
+   s2n(0x4000, p);
/* Sequence number */
s2n(s->tlsext_hb_seq, p);
/* 16 random bytes */

then you can detect the difference.  Patched systems won't respond
to the malformed heartbeat request.  Replace "echo B | " with something
like:

(sleep 10; echo B; sleep 10) | ...

to make sure that the handshake is complete by the time the request is sent,
and the client does not disconnect too quickly.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL Security Advisory

[Salz, Rich]

Ø  I get the heartbeating message on both unpatched and patched servers.  
Should that make me worry about the patched machines?
Not necessarily.  If they updated to the 'g' release, then they are doing 
buffer-overrun checking and you're safe.  You can probably find out by 
connecting to your server (via s_client again) and seeing what it says in the 
server line, as in
echo HEAD / HTTP/1.0 | openssl s_client -connect $HOST:$PORT
The server usually says things like "apache/2.0 openssl/1.0.1g ..." and other 
modules that are bundled in.

To be safest, heartbeats should just be disabled.  Nobody really uses them.
/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA

Re: Help me for ECDHE algorithm

[Matt Caswell]

On 9 April 2014 08:39, chetan  wrote:
>  I am newer to this and i want to make ECDHE algorithm for cilient-server.
> Can anyone tell me basic steps and functions to do this. all response are
> acceptable.
>   Thankss in advance
>

Its unclear from your question whether you are looking to
programatically use openssl's ECDHE capabilities directly, or whether
you are looking to set up an SSL/TLS communication using ECDHE based
ciphersuites. Assuming the former, then this page is a good start:

http://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman


Matt
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL Security Advisory

[Matthias Apitz]

> - Forwarded message from "Salz, Rich"  -
> 
> Date: Wed, 9 Apr 2014 09:54:25 -0400
> From: "Salz, Rich" 
> To: "openssl-users@openssl.org" 
> Subject: RE: OpenSSL Security Advisory
> 
> Ø  How do I determine whether or not the web servers I run are affected?
> 
> Here's a simple way:
> echo B | openssl s_client -connect $HOST:$PORT
> if you see "heartbeating" at the end, then $HOST is vulnerable.
> 
> How can you tell if private keys have been taken?  You can't, really. You can 
> estimate the likelihood by looking closely at how OpenSSL_Malloc() return 
> values are used and layed out.  The risk is that an allocated ssl-record 
> buffer is right up against a private key being stored.
> 
> /r$

Hello Rich,

Can you please post a "good" and a "bad" server example. I have tested a
lot of servers, including 'akamai.com', and they all show HEARTBEATING
at the end:

$ echo B | openssl s_client -connect akamai.com:https
...
Verify return code: 20 (unable to get local issuer certificate)
---
HEARTBEATING
675358796:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does
not accept

heartbearts:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c:2562:

Thanks for clarification.

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, , http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL Security Advisory

[Salz, Rich]

> Can you please post a "good" and a "bad" server example. I have tested a lot 
> of servers, including 'akamai.com', and they all show HEARTBEATING at the end:

Look at Victor's recent post about how to patch openssl/s_client to make your 
own test.  That's the simplest.  My example tests only for those who have 
disabled TLs heartbeats, which is the safest thing, but not necessarily the 
only thing, to do.


--  
Principal Security Engineer
Akamai Technology
Cambridge, MA

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL version 1.0.1g release signed with unauthorized key???

[Jakob Bohm]

Attention: The .asc file I downloaded directly from openssl.org for the 
1.0.1g tarball was signed with a key NOT authorized by the 
fingerprints.txt file distributed in previous tarballs, nor by the 
(unverifiable) fingerprints.txt available from


   http://www.openssl.org/docs/misc/

Specifically, it was signed by a PGP key purporting to belong to Dr. 
Henson, but with a different identifier and a different e-mail address

than the authorized key listed for him in fingerprints.txt.

I suspect this is just a mixup at your end, but one cannot feel too
sure without a valid file signature consistent with the securely 
distributed signature list.


For now, I will have to avoid installing this critical security update
and try the workaround instead.

On 4/7/2014 7:38 PM, OpenSSL wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL version 1.0.1g released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.1g of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

 http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1g is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-1.0.1g.tar.gz
   Size: 4509047
   MD5 checksum: de62b43dfcd858e66a74bee1c834e959
   SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c

The checksums were calculated using the following commands:

 openssl md5 openssl-1.0.1g.tar.gz
 openssl sha1 openssl-1.0.1g.tar.gz

Yours,

The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJTQtiiAAoJENNXdQf6QOniC/EQALRkau9Gx+qzyp1nx1FDTJI1
ox93n7SKC3QIjX4veVuFjpaPymNQXVRM8IbgET5tE4GPT5w+PrscpyGSJJr8yvWN
TKy48JSKl13GVMODnEC6nEffsS/sci5o2PHXhDYa7aC+xRF6UUSMa8tqXnhGJP7e
uv7a1tYjtgE8Ix9tdoK32UkPOM0Z1qr11lPFDdG0GrIs+mbjPirdKSgvQm22w4IU
jyn5AmmReA6ZnIpffOHGQY5OgpGTg4yg+aaFKenisOfIL80raNZlVuWrzDkTUS9k
+gikqtBRg1pFMd1UGpl0S7sIXZNm01yv4K4aO3a9aykXqPQLOc8WmvfDgf99+8HR
zUrowh7Xf1CvHsgIs4s0XaggZdXhkXpMpSWdWpVh7ZVm/TPInoPWwyj8Zp/TL8XF
N/GrNHRLuWvSgCuyA7qhkee33FmtCblnYTHSLyGQrVpfq/cVEzvpznsZnObjFG+/
4Gss0qUVQZ0LJUUKZHx5cGvHliXYEeZQaBz/VLJ7J8fvy6Fsp0vKFjbrobG6srB6
pa6NYQKjHhobx+eEW380j3r60iBiz1GjdMSOdLvnSOA9dOcWmXFxl5GLcASnM+F0
kGtZBjLXsaImnp749V50sme+bNgQ/ErUvikTLXefk0rtUnfjCmJec44Kn5Gh7J1k
iI/CjhJrI2B83C48m2kE
=lxo1
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-annou...@openssl.org
Automated List Manager   majord...@openssl.org




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL version 1.0.1g release signed with unauthorized key???

[Dustin Oprea]

On Apr 9, 2014 7:30 PM, "Jakob Bohm"  wrote:
>
> Attention: The .asc file I downloaded directly from openssl.org for the
1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt
file distributed in previous tarballs, nor by the (unverifiable)
fingerprints.txt available from
>
>http://www.openssl.org/docs/misc/
>
> Specifically, it was signed by a PGP key purporting to belong to Dr.
Henson, but with a different identifier and a different e-mail address
> than the authorized key listed for him in fingerprints.txt.
>
> I suspect this is just a mixup at your end, but one cannot feel too
> sure without a valid file signature consistent with the securely
distributed signature list.
>
> For now, I will have to avoid installing this critical security update
> and try the workaround instead.

Not great timing.

Dustin

>
> On 4/7/2014 7:38 PM, OpenSSL wrote:
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>>
>> OpenSSL version 1.0.1g released
>> ===
>>
>> OpenSSL - The Open Source toolkit for SSL/TLS
>> http://www.openssl.org/
>>
>> The OpenSSL project team is pleased to announce the release of
>> version 1.0.1g of our open source toolkit for SSL/TLS. For details
>> of changes and known issues see the release notes at:
>>
>>  http://www.openssl.org/news/openssl-1.0.1-notes.html
>>
>> OpenSSL 1.0.1g is available for download via HTTP and FTP from the
>> following master locations (you can find the various FTP mirrors
under
>> http://www.openssl.org/source/mirror.html):
>>
>>   * http://www.openssl.org/source/
>>   * ftp://ftp.openssl.org/source/
>>
>> The distribution file name is:
>>
>>  o openssl-1.0.1g.tar.gz
>>Size: 4509047
>>MD5 checksum: de62b43dfcd858e66a74bee1c834e959
>>SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c
>>
>> The checksums were calculated using the following commands:
>>
>>  openssl md5 openssl-1.0.1g.tar.gz
>>  openssl sha1 openssl-1.0.1g.tar.gz
>>
>> Yours,
>>
>> The OpenSSL Project Team.
>>
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> iQIcBAEBCAAGBQJTQtiiAAoJENNXdQf6QOniC/EQALRkau9Gx+qzyp1nx1FDTJI1
>> ox93n7SKC3QIjX4veVuFjpaPymNQXVRM8IbgET5tE4GPT5w+PrscpyGSJJr8yvWN
>> TKy48JSKl13GVMODnEC6nEffsS/sci5o2PHXhDYa7aC+xRF6UUSMa8tqXnhGJP7e
>> uv7a1tYjtgE8Ix9tdoK32UkPOM0Z1qr11lPFDdG0GrIs+mbjPirdKSgvQm22w4IU
>> jyn5AmmReA6ZnIpffOHGQY5OgpGTg4yg+aaFKenisOfIL80raNZlVuWrzDkTUS9k
>> +gikqtBRg1pFMd1UGpl0S7sIXZNm01yv4K4aO3a9aykXqPQLOc8WmvfDgf99+8HR
>> zUrowh7Xf1CvHsgIs4s0XaggZdXhkXpMpSWdWpVh7ZVm/TPInoPWwyj8Zp/TL8XF
>> N/GrNHRLuWvSgCuyA7qhkee33FmtCblnYTHSLyGQrVpfq/cVEzvpznsZnObjFG+/
>> 4Gss0qUVQZ0LJUUKZHx5cGvHliXYEeZQaBz/VLJ7J8fvy6Fsp0vKFjbrobG6srB6
>> pa6NYQKjHhobx+eEW380j3r60iBiz1GjdMSOdLvnSOA9dOcWmXFxl5GLcASnM+F0
>> kGtZBjLXsaImnp749V50sme+bNgQ/ErUvikTLXefk0rtUnfjCmJec44Kn5Gh7J1k
>> iI/CjhJrI2B83C48m2kE
>> =lxo1
>> -END PGP SIGNATURE-
>> __
>> OpenSSL Project http://www.openssl.org
>> Announcement Mailing List openssl-annou...@openssl.org
>> Automated List Manager   majord...@openssl.org
>>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org

OpenSSL version 1.0.1g fails to link on Win32

[Geoffrey Coram]

Hi -
I just compiled OpenSSL 1.0.1g for Win32 using Visual Studio 2005; my 
application failed to link because of an unresolved external 
_check_winnt

In crypto/rand/rand_win.c, function readscreen, this line:
  if (GetVersion() < 0x8000 && OPENSSL_isservice()>0)

was changed to
  if (check_winnt() && OPENSSL_isservice()>0)


And also in crypto/cryptlib.c, function OPENSSL_showfatal, this line:
if (GetVersion() < 0x8000 && OPENSSL_isservice() > 0)

was changed to
if (check_winnt() && OPENSSL_isservice() > 0)


I can't seem to find where check_winnt() is declared/defined.  So, I 
just changed it back.  This seems to work for me, but I thought I 
should mention it for other users.

-Geoffrey
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL version 1.0.1g fails to link on Win32

[Steven Kneizys]

I just compiled 32 bit with "ntdll.mak" with "nasm 2.11.02" and Visual
Studio Express 2013 with no issues, with and without the
"DOPENSSL_NO_HEARTBEATS" option.  I was making it to drop the keys files
into Apache 2.2.26:
openssl.exe
ssleay32.dll
libeay32.dll

I am doing this to compile:
  perl Configure VC-WIN32 --prefix=C:\ApacheSoftware\Apache22\bin
--openssldir=C:\ApacheSoftware\Apache22\conf
  ms\do_nasm
  nmake -f ms\ntdll.mak

I know this is in the docs and such but so many people are working in this
right now I just thought I'd post that it can work OK with a newer VS
version.

Steve...


On Wed, Apr 9, 2014 at 9:36 PM, Geoffrey Coram  wrote:

> Hi -
> I just compiled OpenSSL 1.0.1g for Win32 using Visual Studio 2005; my
> application failed to link because of an unresolved external
> _check_winnt
>
> In crypto/rand/rand_win.c, function readscreen, this line:
>   if (GetVersion() < 0x8000 && OPENSSL_isservice()>0)
>
> was changed to
>   if (check_winnt() && OPENSSL_isservice()>0)
>
>
> And also in crypto/cryptlib.c, function OPENSSL_showfatal, this line:
> if (GetVersion() < 0x8000 && OPENSSL_isservice() > 0)
>
> was changed to
> if (check_winnt() && OPENSSL_isservice() > 0)
>
>
> I can't seem to find where check_winnt() is declared/defined.  So, I
> just changed it back.  This seems to work for me, but I thought I
> should mention it for other users.
>
> -Geoffrey
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>



-- 
Steve Kneizys
Senior Business Process Engineer
Voice: (610) 256-1396  [For Emergency Service (888)864-3282]
Ferrilli Information Group -- Quality Service and Solutions for Higher
Education
web: http://www.ferrilli.com/ 

Making you a success while exceeding your expectations.

Re: OpenSSL version 1.0.1g fails to link on Win32

[Geoffrey Coram]

Thanks for the report.  Is "check_winnt()" in the Windows libraries or
in OpenSSL?  I tried Googling it, but didn't come up with anything, 
and I didn't find a declaration in the OpenSSL source code.

I do nmake -f ntlib.mak, which makes some static libraries for me, 
using only code in crypto/ and ssl/  I suppose if check_winnt() is in 
a different directory, that would be my problem (and my fault for not 
re-running perl Configure).

-Geoffrey




On 04/09/2014 21:58, Steven Kneizys  wrote:
>
> I just compiled 32 bit with "ntdll.mak" with "nasm 2.11.02" and 
> Visual Studio Express 2013 with no issues, with and without the
> "DOPENSSL_NO_HEARTBEATS" option.  I was making it to drop the keys 
> files
> into Apache 2.2.26:
> openssl.exe
> ssleay32.dll
> libeay32.dll
> 
> I am doing this to compile:
>   perl Configure VC-WIN32 --prefix=C:\ApacheSoftware\Apache22\bin
> --openssldir=C:\ApacheSoftware\Apache22\conf
>   ms\do_nasm
>   nmake -f ms\ntdll.mak
> 
> I know this is in the docs and such but so many people are working 
> in this right now I just thought I'd post that it can work OK with a
> newer VS version.
> 
> Steve...
> 
> 
> On Wed, Apr 9, 2014 at 9:36 PM, Geoffrey Coram  
> wrote:
> 
> > Hi -
> > I just compiled OpenSSL 1.0.1g for Win32 using Visual Studio 2005;
> my
> > application failed to link because of an unresolved external
> > _check_winnt
> >
> > In crypto/rand/rand_win.c, function readscreen, this line:
> >   if (GetVersion() < 0x8000 && OPENSSL_isservice()>0)
> >
> > was changed to
> >   if (check_winnt() && OPENSSL_isservice()>0)
> >
> >
> > And also in crypto/cryptlib.c, function OPENSSL_showfatal, this 
> line:
> > if (GetVersion() < 0x8000 && OPENSSL_isservice() > 0)
> >
> > was changed to
> > if (check_winnt() && OPENSSL_isservice() > 0)
> >
> >
> > I can't seem to find where check_winnt() is declared/defined.  So,
> > I just changed it back.  This seems to work for me, but I thought 
> > I should mention it for other users.
> >
> > -Geoffrey
> > 
> 
> __
> > OpenSSL Project 
> http://www.openssl.org
> > User Support Mailing List
> openssl-users@openssl.org
> > Automated List Manager   
> majord...@openssl.org
> >
> 
> 
> 
> -- 
> Steve Kneizys
> Senior Business Process Engineer
> Voice: (610) 256-1396  [For Emergency Service (888)864-3282]
> Ferrilli Information Group -- Quality Service and Solutions for 
> Higher
> Education
> web: http://www.ferrilli.com/ 
> 
> Making you a success while exceeding your expectations.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL version 1.0.1g release signed with unauthorized key???

[Wim Lewis]

On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote:
> Attention: The .asc file I downloaded directly from openssl.org for the 
> 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt 
> file distributed in previous tarballs, nor by the (unverifiable) 
> fingerprints.txt available from
> 
>   http://www.openssl.org/docs/misc/
> 
> Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, 
> but with a different identifier and a different e-mail address
> than the authorized key listed for him in fingerprints.txt.
> 
> I suspect this is just a mixup at your end, but one cannot feel too
> sure without a valid file signature consistent with the securely distributed 
> signature list.

I also noticed this--- previous tarballs were all signed by the F295C759 key 
(fingerprint ending in D57EE597), but this announcement and the 1.0.1g tarball 
were both signed by the FA40E9E2 key. However, the new key (all three of its 
userids) *is* signed by the old key, so there is I think some assurance that 
the new key also belongs to Dr Stephen Henson and that the release is 
legitimate.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL version 1.0.1g fails to link on Win32

[Jeremy Farrell]

Googling "check_winnt" suggests openssl/e_os.h.

> From: Geoffrey Coram [mailto:gjco...@gmail.com]
> Sent: Thursday, April 10, 2014 3:27 AM
> 
> Thanks for the report.  Is "check_winnt()" in the Windows libraries or
> in OpenSSL?  I tried Googling it, but didn't come up with anything,
> and I didn't find a declaration in the OpenSSL source code.
> 
> I do nmake -f ntlib.mak, which makes some static libraries for me,
> using only code in crypto/ and ssl/  I suppose if check_winnt() is in
> a different directory, that would be my problem (and my fault for not
> re-running perl Configure).
> 
> -Geoffrey
> 
> On 04/09/2014 21:58, Steven Kneizys  wrote:
> >
> > I just compiled 32 bit with "ntdll.mak" with "nasm 2.11.02" and
> > Visual Studio Express 2013 with no issues, with and without the
> > "DOPENSSL_NO_HEARTBEATS" option.  I was making it to drop the keys
> > files
> > into Apache 2.2.26:
> > openssl.exe
> > ssleay32.dll
> > libeay32.dll
> >
> > I am doing this to compile:
> >   perl Configure VC-WIN32 --prefix=C:\ApacheSoftware\Apache22\bin
> > --openssldir=C:\ApacheSoftware\Apache22\conf
> >   ms\do_nasm
> >   nmake -f ms\ntdll.mak
> >
> > I know this is in the docs and such but so many people are working
> > in this right now I just thought I'd post that it can work OK with a
> > newer VS version.
> >
> > Steve...
> >
> >
> > On Wed, Apr 9, 2014 at 9:36 PM, Geoffrey Coram 
> > wrote:
> >
> > > Hi -
> > > I just compiled OpenSSL 1.0.1g for Win32 using Visual Studio 2005;
> > my
> > > application failed to link because of an unresolved external
> > > _check_winnt
> > >
> > > In crypto/rand/rand_win.c, function readscreen, this line:
> > >   if (GetVersion() < 0x8000 && OPENSSL_isservice()>0)
> > >
> > > was changed to
> > >   if (check_winnt() && OPENSSL_isservice()>0)
> > >
> > >
> > > And also in crypto/cryptlib.c, function OPENSSL_showfatal, this
> > line:
> > > if (GetVersion() < 0x8000 && OPENSSL_isservice() > 0)
> > >
> > > was changed to
> > > if (check_winnt() && OPENSSL_isservice() > 0)
> > >
> > >
> > > I can't seem to find where check_winnt() is declared/defined.  So,
> > > I just changed it back.  This seems to work for me, but I thought
> > > I should mention it for other users.
> > >
> > > -Geoffrey
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: CVE 2014-0160 and FIPS 140-2 module

[Scott Ruffner]

From heartbleed.com:


Does OpenSSL's FIPS mode mitigate this?

No, OpenSSL Federal Information Processing Standard (FIPS) mode has no 
effect on the vulnerable heartbeat functionality.



==
Scott Ruffner
Computer Systems Senior Engineer   Computer Science Department
ruff...@cs.virginia.spam.eduUniversity of Virginia
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

OpenSSL 1.0.1g Upgarade Issue

[Dedhia, Pratik]

Hi Team,

I'm trying to upgrade OpenSSL to 1.0.1g version from 1.0.1f version to resolve 
security issue but getting error while restarting Apache server.

Below are the steps of OpenSSL upgradation:

1.   Extracted the tarball downloaded from OpenSSL site using command "tar 
xzvf openssl-1.0.1g.tar.gz"

2.   Changed directory to openssl-1.0.1g

3.   Executed "./config --prefix=/usr/local/application/openssl/ 
enable-shared -fPIC" command to compile openssl

4.   Executed make clean command after successful execution of step 3

5.   Executed make command

6.   Executed make install command

7.   Changed directory to extracted httpd-2.4.7

8.   Executed "./configure --prefix=/usr/local/application/apache 
--enable-rewrite --enable-proxy --enable-so 
--with-ssl=/usr/local/application/openssl --enable-ssl 
--with-pcre=/usr/local/application/pcre" to compile apache with upgraded 
OpenSSL.

9.   Executed make clean command after successful execution of step 8

10.   Executed make command

11.   Executed make install command

12.   After successful execution of above step tried to stop the apache with 
"sudo /usr/local/application/apache/bin/apachectl stop" command

On execution of step 12 getting below error:
httpd: Syntax error on line 125 of 
/usr/local/application/apache/conf/httpd.conf: Cannot load modules/mod_ssl.so 
into server: libssl.so.1.0.0: cannot open shared object file: No such file or 
directory

Please help for above issue.

Thanks,
Pratik Dedhia
O (91) 22-41634197
M (91)9870919056

FIRST DATA - CONFIDENTIAL COMMUNICATION 
===

“All rights reserved.  No part of this email or any documents attached may be 
reproduced or transmitted, by any form or by any means, without the prior 
written consent of First Data.”

This e-mail and any files transmitted with it are confidential and are intended 
solely for the use of the individual or entity to whom it is addressed.  If you 
are not the intended recipient be advised that you have received this e-mail in 
error and that any use, dissemination, forwarding, printing, or copying of this 
e-mail and any file attachments is strictly prohibited.  If you have received 
this e-mail in error, please destroy the original transmission (including any 
attachments) and immediately notify the sender by telephone at +612 9959 7333 
or by reply e-mail.

First Data takes all care to ensure that data transmitted is free from viruses 
or other faults/defects but does not represent or warrant that this 
communication or any attached file(s) is free from such computer viruses or 
other faults or defects.  First Data will not be liable to the recipient or any 
other person for any loss or damage (including direct, consequential or 
economic loss or damage) however caused which may result directly or indirectly 
from the receipt or use of this communication or any files attached to it.  It 
is the responsibility of any person using this communication or opening any 
files attached to this communication to implement appropriate measure to ensure 
the integrity of their environment is maintained.