Re: How do I add my CA to the ca-bundle file?
I met this question too. - Original Message - From: "Louis LeBlanc" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 04, 2000 2:43 PM Subject: How do I add my CA to the ca-bundle file? Hello, All. I am trying to verify the SSL certificate verification procedure. A bit redundant, I know, but there we are. I need to add the signature to the ca cert I created to the ca-bundle file I am testing with. I keep thinking I have it right, but I can't make it work. Here is what I am using to extract the info from the cert: openssl x509 -in ca.crt -noout -text and the md5 fingerprint and PEM data: openssl x509 -in ca.crt -md5 -fingerprint This output is appended to the ca-bundle file used by my app. So, any certificate signed with this ca should be verifiable, right? What am I doing wrong? TIA Lou __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Browser's signature function
you can verify your signature using openssl/crypto/pkcs7/verify.c . according to my experience, Netscape make a standand pkcs7 digital signature and encode it in base64 format. but I don't know how to sign a form in the IE too. who can help us? tom tang - Original Message - From: "Erwann ABALEA" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, September 29, 2000 2:46 AM Subject: Re: Browser's signature function Yes, we use the Netscape signtext method here to provide signed data... The result can be verified using OpenSSL, and as you noted it, the data is not stored inside the PKCS#7 message, since it can be also transmitted with the signature itself. You then have to recompute (or get) the signed data, and set the p7 data to what you got. On Thu, 28 Sep 2000, Mario Fabiano wrote: ¾G¹ÅÂ× wrote: Hi, As we know, SSL protocol do not support signature function. But Netscape does it by signtext javascript function call. How about IE? Does IE support signature function? If IE does not, is it possible that writing a Microsoft Crypto API ActiveX which access the IE key/cert db and sign the text? Is this idea working? Any one has that kind of experience? Thanks! kevub One more question. Has anybody been able to decrypt Netscape signtext method signature using Openssl? The format should be PKCS#7 version 1.5 with signature and data put in different files. -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Crypt::SSLeay does work under Linux but not under Solaris
Hi, have perl 5.005_03, openssl-0.9.5a and LWP (whatever version). And Crypt::SSLeay Version 0.16 and/or 0.17 The following code works perfectly under Linux, but under Solaris 2.6 oder 2.7 I get the timeout ... #!/usr/bin/perl5 use LWP::UserAgent; my $ua = new LWP::UserAgent; my $req = new HTTP::Request('GET', 'https://www.powerweb.de'); my $res = $ua-request($req); if ($res-is_success()) { print $res-content(); } else { print "timeout"; } Please reply via email ... Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:[EMAIL PROTECTED] Otto-Nagel-Str. 1afon: +49 331 2370780 14467 Potsdam, Germanyfax: +49 331 2370781 == PowerWeb = Deutschlands Pauschal-Webhoster mit freiem Platz im Netz Speicherplatz UND freiem Uebertragungsvolumen. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How do I add my CA to the ca-bundle file?
On Wed, Oct 04, 2000 at 05:43:06PM -0400, Louis LeBlanc wrote: Hello, All. I am trying to verify the SSL certificate verification procedure. A bit redundant, I know, but there we are. I need to add the signature to the ca cert I created to the ca-bundle file I am testing with. I keep thinking I have it right, but I can't make it work. Here is what I am using to extract the info from the cert: openssl x509 -in ca.crt -noout -text and the md5 fingerprint and PEM data: openssl x509 -in ca.crt -md5 -fingerprint This output is appended to the ca-bundle file used by my app. So, any certificate signed with this ca should be verifiable, right? What am I doing wrong? I don't know... Actually, the ca-bundle file contains the certificates, which are PEM encoded (base64 with special markers for begin and end) everything in between these PEM coded certificates is just descriptive text that should make maintainance easier for you but it does not have any importance for the verification. Since yesterday there is a http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html available (which is hence not in 0.9.6 :-)... Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
IBM payment gateway connectivity problems
Hi, I'm currently testing connectivity between a IBM payment gateway and openssl. IBM tells me that connections are dropped because openssl doesn't send the rigth header size. Does anyone know of this problem ??? mvh, Carsten Rhod Gregersen, Email: [EMAIL PROTECTED], Web: http://www.rgm.dk Tlf. 86 159 111 Fax 87 44 10 14 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Fwd: How do I debug when using the library?
I've written a little test program based on the code in the tutorial at www.darkspell.com and am seeing the following: SSL_connect returns 0 SSL_write returns -1 Can anyone point me in the direction of the correct API functions to use to diagnose the problem? Thanks Mike Cunningham *** Attachments in this message have been swept by NAI's TVD (version 4.0.4097) for the presence of known computer viruses. * _ This message has been checked for all known viruses by Star Internet delivered through the MessageLabs Virus Control Centre. For further information visit http://www.star.net.uk/stats.asp __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificates problem with Netscape
Hi Sergio, thanks for your response. I have some more questions and would greatly appreciate it if you, or somebody else could help me some more. Sergio Rabellino wrote: Jacobus van der Merwe wrote: ... [Netscape says certs are accepted for 'People' but there is nothing there] ... Can anyone give me some idea of what is wrong with my certs? probably you can find these certificates under the "signers" list... Nope, there is no sign of them. This is due to the absence of the "netscapeCertType" extension in the certificate emitted by your CA... Ok, I tried to figure this one out, but I am stuck. In my openssl.cnf file, there is a CA_EmailCerts. In the section for CA_EmailCerts the extension is specified as : x509_extensions = x509v3_ext_EmailCerts And x509v3_ext_EmailCerts looks like this : [ x509v3_ext_EmailCerts ] keyUsage = nonRepudiation, digitalSignature nsComment = "This certificate is used for e-mail." nsBaseUrl = "https://comint.dec.mil.za/" nsCaRevocationUrl = cgi-bin/pyca/get-cert.py/EmailCerts/crl nsRevocationUrl = cgi-bin/pyca/ns-check-rev.py/EmailCerts? nsRenewalUrl= cgi-bin/pyca/ns-renewal.py/EmailCerts? nsCaPolicyUrl = TestCA/policy/EmailCerts-policy.html nsCertType = email A certificate I have produced looks like this: "" Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Gauteng, L=Pretoria, O=DEC, CN=CA Admin (email)/Email=c [EMAIL PROTECTED] Validity Not Before: Oct 4 10:15:51 2000 GMT Not After : May 27 10:15:51 2002 GMT Subject: C=ZA, ST=Gauteng, L=Pretoria, O=DEC, CN=Jacobus vd Merwe/Email= [EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit) [ ... ] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Non Repudiation Netscape Comment: This certificate is used for e-mail. Netscape Base Url: https://comint.dec.mil.za/ Netscape CA Revocation Url: cgi-bin/pyca/get-cert.py/EmailCerts/crl Netscape Revocation Url: cgi-bin/pyca/ns-check-rev.py/EmailCerts? Netscape Renewal Url: cgi-bin/pyca/ns-renewal.py/EmailCerts? Netscape CA Policy Url: TestCA/policy/EmailCerts-policy.html Netscape Cert Type: S/MIME Signature Algorithm: md5WithRSAEncryption [ ...] -BEGIN CERTIFICATE- [ ... ] -END CERTIFICATE- In the certificate I see the Netscape cert type is "S/MIME". Is this the problem?? What should it be? Where can I find more info? Can you refer me to specific docs? Thanks a lot. Jacobus Good Luck. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] S/MIME Cryptographic Signature
PB of cert for european browser
Hy, I've generated two csr for two certificate with openssl and my apache server only accept to do SSL with american version of browsers. I think this is a problem of size of bits which is limited to 40 or 56 in europe rather than 128 in USA. Perhaps do you know the word of domestic or exchangeable, but for me it's not clear enough. Somebody told me also about the modulus size. My question is : could somebody explain me how can I create a crs (in order to submit it to verisign and get a valid certificate) that will work with european browser ? I think this must be a FAQ, but I didn't find it in the documentation. this is the two command line I use to create my csr : openssl genrsa -out www_bar_com.key 1024 openssl req -new -key www_bar_com.key -out www_bar_com.csr please, can somebody help me ? My problem is urgent. -- Julien CANON -- AlphaCSP Direction du Système d'Information / Consultant Technique Linux http://www.alphacsp.com Tel +(33) 1 39 22 63 11 mailto:[EMAIL PROTECTED] Fax +(33) 1 39 22 63 12 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Using with Redhat6.2
Hi. I just got Dell server with Redhat6.2 installed. I tried to install openssl and modssl with mm. However, I simply dose not seems to be work properly. Browser points right page at port 80 but 443, nothing happened. Is someone be able to provide me an advise?? Please, J.Motegi __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
followup to problem I posted
I have found that using a .crt bundle instead of a hashed directory works. Perhaps is this code broken in 0.9.6? -- George Staikos __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: followup to problem I posted
On Thu, Oct 05, 2000 at 10:16:58AM -0400, George Staikos wrote: I have found that using a .crt bundle instead of a hashed directory works. Perhaps is this code broken in 0.9.6? What do you mean by "broken"? I performed some tests myself, cannot see a problem. Did you remember to perform a "c_rehash /name/of/directory/"? Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: followup to problem I posted
On Thu, 05 Oct 2000, Lutz Jaenicke wrote: On Thu, Oct 05, 2000 at 10:16:58AM -0400, George Staikos wrote: I have found that using a .crt bundle instead of a hashed directory works. Perhaps is this code broken in 0.9.6? What do you mean by "broken"? I performed some tests myself, cannot see a problem. Did you remember to perform a "c_rehash /name/of/directory/"? Yes I did... The problem only seems to be reproducible on Redhat 7.0 so far, but I haven't had enough people test it yet. Basically, RSA/Verisign signed certificates all are determined to be expired by the X509 verification code. Thawte certificates work fine. Also if I print the notBefore and notAfter dates, they are ok. This is visible on sites like www.verisign.com and www.microsoft.com. I still don't know if this is related to a bug in the compiler or not. -- George Staikos __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
how to use RSA_public_decrypt and RSA_private_encrypt pair?
Hi,everyone: I want to use RSA_public_decrypt and RSA_private_encrypt to sign and verify .But I cannot get it work . For RSA_public_encrypt and RSA_private_decrypt there is a good example in RSA/rsatest.c ,can anyone send me an example like rsatest.c but using RSA_public_decrypt and RSA_private_encrypt (predefined key rather than load them from a file)? I have blocked here several days ,so ,anybody can help please ? Many many thanks!!! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: followup to problem I posted
On Thu, Oct 05, 2000 at 10:37:05AM -0400, George Staikos wrote: On Thu, 05 Oct 2000, Lutz Jaenicke wrote: On Thu, Oct 05, 2000 at 10:16:58AM -0400, George Staikos wrote: I have found that using a .crt bundle instead of a hashed directory works. Perhaps is this code broken in 0.9.6? What do you mean by "broken"? I performed some tests myself, cannot see a problem. Did you remember to perform a "c_rehash /name/of/directory/"? Yes I did... The problem only seems to be reproducible on Redhat 7.0 so far, but I haven't had enough people test it yet. Basically, RSA/Verisign signed certificates all are determined to be expired by the X509 verification code. Thawte certificates work fine. Also if I print the notBefore and notAfter dates, they are ok. This is visible on sites like www.verisign.com and www.microsoft.com. I still don't know if this is related to a bug in the compiler or not. Hmm, I just took the Verisign certificates from the ca-bundle included in mod_ssl, unpacked them into a directory and performed on HP-UX: c_rehash . openssl s_client -verify 5 -CApath . -connect www.verisign.com:https I did not get any verification errors. Unfortunately I don't have any Linux box with 0.9.6 around. A check will have to wait until I come home... (SuSE 6.4, 0.9.6 installed) Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Certificate usage (how IE determines)
Hello, when I create server certificate, install it into apache, when viewing certificate from IE, it shows every possible usage, but in my openssl.cnf is only keyUsage=nonRepudiation [for test purposes]. What am I doing wrong and how to do it correctly ;) Regards, Paulius -- Paulius Bulotas CSDL IT Department http://www.csdl.lt __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Browser's signature function
tangquan wrote: you can verify your signature using openssl/crypto/pkcs7/verify.c . according to my experience, Netscape make a standand pkcs7 digital signature and encode it in base64 format. You can but that's not advisable. With OpenSSL 0.9.6 you should use the 'smime' application. but I don't know how to sign a form in the IE too. who can help us? You can't, IE doesn't support it. You could write an ActiveX control using CryptoAPI to do it but that's difficult. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificate usage (how IE determines)
Paulius Bulotas wrote: Hello, when I create server certificate, install it into apache, when viewing certificate from IE, it shows every possible usage, but in my openssl.cnf is only keyUsage=nonRepudiation [for test purposes]. What am I doing wrong and how to do it correctly ;) The usages IE displays are reflected in the extended key usage extension, see doc/openssl.txt Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: followup to problem I posted
George Staikos wrote: The problem only seems to be reproducible on Redhat 7.0 so far, but I haven't had enough people test it yet. Basically, RSA/Verisign signed certificates all are determined to be expired by the X509 verification code. Thawte certificates work fine. Also if I print the notBefore and notAfter dates, they are ok. This is visible on sites like www.verisign.com and www.microsoft.com. I still don't know if this is related to a bug in the compiler or not. There may be an expired certificate in the directory which wouldn't have been noticed before OpenSSL 0.9.6 has the ability to search for multiple certificates matching given criteria and one of these may be an expired certificate as a result. A possible indication of this is the presence of some links in the directory of the form some hex stuff.n where n 1. Previous versions would just generate links of the form *.0 and the latest link would overwrite the previous one. So I suggest you look for links of the form *.1 *.2 etc in your certs directory. Then if you find X.1 look at what X.0 points to and it may well be expired. If this is the cause then its just pure luck that the unexpired certificate was the last one in the directory previously, otherwise this would have been apparent before. If you aren't using a directory then its possible that the file containing several certificates also has some that have expired. I suppose in future we should weed out expired certificates from the search earlier on. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: followup to problem I posted
On Thu, 05 Oct 2000, Dr S N Henson wrote: There may be an expired certificate in the directory which wouldn't have been noticed before OpenSSL 0.9.6 has the ability to search for multiple certificates matching given criteria and one of these may be an expired certificate as a result. A possible indication of this is the presence of some links in the directory of the form some hex stuff.n where n 1. Previous versions would just generate links of the form *.0 and the latest link would overwrite the previous one. So I suggest you look for links of the form *.1 *.2 etc in your certs directory. Then if you find X.1 look at what X.0 points to and it may well be expired. If this is the cause then its just pure luck that the unexpired certificate was the last one in the directory previously, otherwise this would have been apparent before. If you aren't using a directory then its possible that the file containing several certificates also has some that have expired. I suppose in future we should weed out expired certificates from the search earlier on. Bingo... There is an expired file in there. I guess it really should get moved to the expired/ directory :) Thanks! -- George Staikos __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Key Usage Extension
Frank Balluffi wrote: I am confused about how to check a key usage extension. I see that ca_check "calls" ku_reject, which uses the X509 ex_flags element. Is it necessary to use the ku_reject method or is it possible to call d2i_ASN1_BIT_STRING (to decode the KeyUsage BIT STRING) and then ASN1_BIT_STRING_get_bit to check specific bits? I am guessing there is a "history lesson" here. Does anyone know? This should be in openssl-users since it isn't a dev question... You can automatically get the ASN1_BIT_STRING decoded and handled properly using the X509_get_ext_d2i() function, see doc/openssl.txt from then on you can use ASN1_BIT_STRING_get_bit() and friends. This is portable and should work in future versions of OpenSSL. Alternatively you can check ex_flags but that involves messing around in internal structures which may not be regarded as "clean" and not guaranteed to work in future. This is done internally so that the required extensions can be cached in a form where the verify code can rapidly use them. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
is pgp the devil?
hi, sorry for my english, maybe i am doing stupid questions and i am not noticed about it, may be it is not the right mailing list (if this is the case please tell me) i don't know. but IS POSSIBLE SOME KIND OF INTERACTION BETWEEN OPENSSL AN PGP? SOME OF THE KEY OR CERTIFICATE FORMATS MANAGED FOR OPENSSL ARE PGP COMPATIBLE? thanks, Javier Baliosian __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Browser's signature function
Why is it not advisable to use openssl/crypto/pkcs7/verify.c ? Dr S N Henson wrote: tangquan wrote: you can verify your signature using openssl/crypto/pkcs7/verify.c . according to my experience, Netscape make a standand pkcs7 digital signature and encode it in base64 format. You can but that's not advisable. With OpenSSL 0.9.6 you should use the 'smime' application. but I don't know how to sign a form in the IE too. who can help us? You can't, IE doesn't support it. You could write an ActiveX control using CryptoAPI to do it but that's difficult. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: is pgp the devil?
Javier Baliosian wrote: IS POSSIBLE SOME KIND OF INTERACTION BETWEEN OPENSSL AN PGP? SOME OF THE KEY OR CERTIFICATE FORMATS MANAGED FOR OPENSSL ARE PGP COMPATIBLE? (I hear you ;-) ) I have done just a little bit testing with PGP 7.0 for Windows. I was able to import OpenSSL certificates in .pem format, but if I wanted both cert and private key, I had to have it in .p12 format. -- Peter 'Luna' Runestig (fd. Altberg), Sweden [EMAIL PROTECTED] PGP Key ID: 0xD07BBE13 Fingerprint: 7B5C 1F48 2997 C061 DE4B 42EA CB99 A35C D07B BE13 AOL Instant Messenger Screenname: PRunestig __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question about make install of OpenSSL
From: "Antai Ning" [EMAIL PROTECTED] antai *** Error code 139 antai make: Fatal error: Command failed for target `install_docs' antai antai Any idea about that? I actually searched the FAQ archive, I antai didn't find a answer there. *sigh* Nope. No idea at all, except that you might not have write access to the directory you want to install in. The reason I sigh is that you had to cut away everything above the two last lines, although I'm quite sure there's more error text above it, error text that probably is crucial to know exactly what went wrong! -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Software Engineer, Celo Communications: http://www.celocom.com/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question about make install of OpenSSL
If you want to use 'mod_ssl' I strongly suggest you follow the instructions there for compiling both openssl and apache. They are very straight forward... My .02... Antai Ning wrote: Hi there, I'm quite new to OpenSSL. I'm trying to build and set up a SSL enabled Apache on Sun solaries 2.6. I encountered problems in building OpenSSL. I downloaded OpenSSL 0.9.6. I'm successful in the first three steps, "configure", "make", and "make test". But I got this error when I run "make install". The output is like this: *** Error code 139 make: Fatal error: Command failed for target `install_docs' Any idea about that? I actually searched the FAQ archive, I didn't find a answer there. Thank you in advance! -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Ricardo Stella O.I.T. (609)896-5000 x7436 _suAve_ Rider University *** Remove 'no-spam' from e-mail address before replying. *** begin:vcard adr;dom:;;;Lawrenceville;NJ;08648; adr:;;2083 Lawreceville Road;Lawrenceville;NJ;08648; n:Stella;Ricardo tel;fax:1-609-219-4994 tel;work:1-609-896-5000 x7436 x-mozilla-html:FALSE url:http://poseidon.rider.edu org:Rider University;O.I.T. version:2.1 title:Manager x-mozilla-cpt:;-9584 fn:Ricardo Stella end:vcard
Re: Question about make install of OpenSSL
Thanks first Richard, Ok, I paste all the lines before that this time: -- wcars12f-32 make install making all in crypto... making all in crypto/md2... making all in crypto/md4... making all in crypto/md5... making all in crypto/sha... making all in crypto/mdc2... making all in crypto/hmac... making all in crypto/ripemd... making all in crypto/des... making all in crypto/rc2... making all in crypto/rc4... making all in crypto/rc5... making all in crypto/idea... making all in crypto/bf... making all in crypto/cast... making all in crypto/bn... making all in crypto/rsa... making all in crypto/dsa... making all in crypto/dh... making all in crypto/dso... making all in crypto/buffer... making all in crypto/bio... making all in crypto/stack... making all in crypto/lhash... making all in crypto/rand... making all in crypto/err... making all in crypto/objects... making all in crypto/evp... making all in crypto/asn1... making all in crypto/pem... making all in crypto/x509... making all in crypto/x509v3... making all in crypto/conf... making all in crypto/txt_db... making all in crypto/pkcs7... making all in crypto/pkcs12... making all in crypto/comp... making all in ssl... making all in rsaref... making all in apps... making all in test... making all in tools... installing man 1 and man 5 *** Error code 139 make: Fatal error: Command failed for target `install_docs' wcars12f-33 --- I'm not root user. I used "./config --prefix=/u/antai/ssl --openssldir=/u/antai/ssl/openssl" for configuration. I have full read and write and x permission to /u/antai dir. Actually, I found that /u/antai/ssl and /u/antai/ssl/open have been created. But only /u/antai/ssl/openssl/man/man1 has a file: -rw-r- 1 antaimagellan 0 Oct 5 14:49 CA.pl.1 All the other dirs are empty. BTW, /u/antai dir is a network dir mounted on my machine. Thanks again! Richard Levitte - VMS Whacker wrote: From: "Antai Ning" [EMAIL PROTECTED] antai *** Error code 139 antai make: Fatal error: Command failed for target `install_docs' antai antai Any idea about that? I actually searched the FAQ archive, I antai didn't find a answer there. *sigh* Nope. No idea at all, except that you might not have write access to the directory you want to install in. The reason I sigh is that you had to cut away everything above the two last lines, although I'm quite sure there's more error text above it, error text that probably is crucial to know exactly what went wrong! -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Software Engineer, Celo Communications: http://www.celocom.com/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Phone:(613)765-9824ESN:395-9824 Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question about make install of OpenSSL
Sorry Richardo, I'm little confused. I read that OpenSSL is not mod_ssl. So, hmmm, how can I follow the instrutions for mod_ssl to compile OpenSSL? BTW, where can I find those information about how to intergret OpenSSL into an application like Apache? I know that the general idea is tp apply some patches to Apache code, add OpenSSL code to it, and them compile them. (I could be wrong anyway) Excuse me if I look stupid. Thanks. Ricardo Stella wrote: If you want to use 'mod_ssl' I strongly suggest you follow the instructions there for compiling both openssl and apache. They are very straight forward... My .02... Antai Ning wrote: Hi there, I'm quite new to OpenSSL. I'm trying to build and set up a SSL enabled Apache on Sun solaries 2.6. I encountered problems in building OpenSSL. I downloaded OpenSSL 0.9.6. I'm successful in the first three steps, "configure", "make", and "make test". But I got this error when I run "make install". The output is like this: *** Error code 139 make: Fatal error: Command failed for target `install_docs' Any idea about that? I actually searched the FAQ archive, I didn't find a answer there. Thank you in advance! -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Ricardo Stella O.I.T. (609)896-5000 x7436 _suAve_ Rider University *** Remove 'no-spam' from e-mail address before replying. *** -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Phone:(613)765-9824ESN:395-9824 Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Question about make install of OpenSSL
This site offers a quick walk trough in setting up a apache/php4/mod_ssl site. It`s linux oriented but with a little bit of thought, it should be fairly easy to follow this installation and adapt it to Solaris. Offcourse you can skip the php4/mysql parts ... http://www.devshed.com/Server_Side/PHP/SoothinglySeamless/ Regards, David -Original Message- From: Antai Ning [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 05, 2000 9:34 PM To: [EMAIL PROTECTED] Subject: Re: Question about "make install" of OpenSSL Sorry Richardo, I'm little confused. I read that OpenSSL is not mod_ssl. So, hmmm, how can I follow the instrutions for mod_ssl to compile OpenSSL? BTW, where can I find those information about how to intergret OpenSSL into an application like Apache? I know that the general idea is tp apply some patches to Apache code, add OpenSSL code to it, and them compile them. (I could be wrong anyway) Excuse me if I look stupid. Thanks. Ricardo Stella wrote: If you want to use 'mod_ssl' I strongly suggest you follow the instructions there for compiling both openssl and apache. They are very straight forward... My .02... Antai Ning wrote: Hi there, I'm quite new to OpenSSL. I'm trying to build and set up a SSL enabled Apache on Sun solaries 2.6. I encountered problems in building OpenSSL. I downloaded OpenSSL 0.9.6. I'm successful in the first three steps, "configure", "make", and "make test". But I got this error when I run "make install". The output is like this: *** Error code 139 make: Fatal error: Command failed for target `install_docs' Any idea about that? I actually searched the FAQ archive, I didn't find a answer there. Thank you in advance! -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Ricardo Stella O.I.T. (609)896-5000 x7436 _suAve_ Rider University *** Remove 'no-spam' from e-mail address before replying. *** -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Phone:(613)765-9824ESN:395-9824 Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question about make install of OpenSSL
I'm little confused. I read that OpenSSL is not mod_ssl. So, hmmm, how can I follow the instrutions for mod_ssl to compile OpenSSL? Three parts - OpenSSL -- mod_ssl -- Apache mod_ssl is the bridge between Apache and SSL. Since it cannot be built without OpenSSL, they have very nicely included instructions on building OpenSSL as part of the instructions for building mod_ssl. Tom Biggs '89 FJ1200 DoD #1146 "The whole aim of practical politics is to keep the populace alarmed - and hence clamorous to be led to safety - by menacing it with an endless series of hobgoblins, all of them imaginary." -- H.L. Mencken __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Removing RC5 from Openssl under Windows NT
Can anyone tell me how to remove RC5 from the OpenSSL build under Windows Microsoft VC+ ? Thank you __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Removing RC5 from Openssl under Windows NT
From: Jeff Roberts [EMAIL PROTECTED] jeffr Can anyone tell me how to remove RC5 from the OpenSSL build jeffr under Windows Microsoft VC+ ? Configure with no-rc5? -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Software Engineer, Celo Communications: http://www.celocom.com/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: HELP: Programming in Open SSL - where to start? Sample code?
Hey Ken, Here are a few links I've found helpful. http://www.netscape.com/info/SSL.html http://www.columbia.edu/~ariel/ssleay/ http://www2.psy.uq.edu.au/~ftp/Crypto/ssleay/ http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html http://developer.netscape.com/docs/manuals/security/sslin/index.htm Good luck, Mike Kurtinitis Mooshwerks [EMAIL PROTECTED] From: "k c" [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 04 Oct 2000 05:33:01 GMT To: [EMAIL PROTECTED] Subject: HELP: Programming in Open SSL - where to start? Sample code? Hi, I'm tasked to build an automated transaction client that communicates with a WEB server via SSL. We need to send some transactions information to the https server. In other words: open pipe to https send ID, password, send transaction, wait for response, error handling terminate. I am new to this SSL business and can't find documentation that explains to me where to start (probably my own problem) and if possible, some sample code block? your help is much appreciated because we are under the GUN right now ... Thanks in advance, Ken _ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. Share information about yourself, create your own public profile at http://profiles.msn.com. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question about make install of OpenSSL
Yes, OpenSSL is not mod_ssl... mod_ssl is a module for apache that in conjunction with openssl, makes an SSL aware apache. There is another implementation I believe called ApacheSSL. Go to www.modssl.org, and look for the install instructions. They are extremely straight forward, and walk you thru compile and installation of Apache, mod_ssl and OpenSSL. Hope this helps... Antai Ning wrote: Sorry Richardo, I'm little confused. I read that OpenSSL is not mod_ssl. So, hmmm, how can I follow the instrutions for mod_ssl to compile OpenSSL? BTW, where can I find those information about how to intergret OpenSSL into an application like Apache? I know that the general idea is tp apply some patches to Apache code, add OpenSSL code to it, and them compile them. (I could be wrong anyway) Excuse me if I look stupid. Thanks. Ricardo Stella wrote: If you want to use 'mod_ssl' I strongly suggest you follow the instructions there for compiling both openssl and apache. They are very straight forward... My .02... Antai Ning wrote: Hi there, I'm quite new to OpenSSL. I'm trying to build and set up a SSL enabled Apache on Sun solaries 2.6. I encountered problems in building OpenSSL. I downloaded OpenSSL 0.9.6. I'm successful in the first three steps, "configure", "make", and "make test". But I got this error when I run "make install". The output is like this: *** Error code 139 make: Fatal error: Command failed for target `install_docs' Any idea about that? I actually searched the FAQ archive, I didn't find a answer there. Thank you in advance! -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Ricardo Stella O.I.T. (609)896-5000 x7436 _suAve_ Rider University *** Remove 'no-spam' from e-mail address before replying. *** -- Antai(Andy) Ning Enterprise Solutions, Nortel Networks Phone:(613)765-9824ESN:395-9824 Email:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Ricardo Stella O.I.T. (609)896-5000 x7436 _suAve_ Rider University *** Remove 'no-spam' from e-mail address before replying. *** begin:vcard adr;dom:;;;Lawrenceville;NJ;08648; adr:;;2083 Lawreceville Road;Lawrenceville;NJ;08648; n:Stella;Ricardo tel;fax:1-609-219-4994 tel;work:1-609-896-5000 x7436 x-mozilla-html:FALSE url:http://poseidon.rider.edu org:Rider University;O.I.T. version:2.1 title:Manager x-mozilla-cpt:;-9584 fn:Ricardo Stella end:vcard
(Sol2.7,openssl 0.9.6,imaps-2000)pine4.21 hangs
Okay, I'm not sure how much of a newbie question this is, but I'll try to be complete-- I have a Sparc LX running Solaris 2.7 on which I'm trying to build a secure imaps-enabled mail server (Sendmail 8.9.3+). Ordinary incoming and outgoing mail is functioning properly-- I built everything with GCC 2.95.2, and the rsarefs library-- Pine 4.21 was built on my desktop Sparc 20 (2.7 also) the same way, and with the SSL patch from UW's ftp site. This build is able to connect on the unsecured imap port (143) but will not connect on the secure port (993). At first pine gave me the error message "Invalid remote specification", but that error went away when I rebuilt the CA certificate with "CA.pl -newcert" on the server. Now pine just gives me the spinning bar forever, no error message. I don't see anything coming up in the messages file or in syslog to indicate any errors. I'm somewhat at a loss as to what I should try next-- Any help would be greatly appreciated! =Barry= -=Generic Sun guy and crypto-wet-behind-the-ears=- __ Do You Yahoo!? Yahoo! Photos - 35mm Quality Prints, Now Get 15 Free! http://photos.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
pkcs12 into IE5.5, stubborn priv keys
Hi, I import my pkcs12 personal certificate (openssl generated) into IE5.5. It takes it without a problem and puts everything in its place: CA cert, personal cert, private key. The problem is that once I set up the initial security level on the private key (low, medium, high, and the password for 'high'), I can no longer change it. Removing the associated personal certificate and CA certificate does not remove the private key. I had to nuke the registry and re-install to get the priv key security dialogs back. Is there a cleaner way? -Erik __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: pkcs12 into IE5.5, stubborn priv keys
admin wrote: Hi, I import my pkcs12 personal certificate (openssl generated) into IE5.5. It takes it without a problem and puts everything in its place: CA cert, personal cert, private key. The problem is that once I set up the initial security level on the private key (low, medium, high, and the password for 'high'), I can no longer change it. Removing the associated personal certificate and CA certificate does not remove the private key. I had to nuke the registry and re-install to get the priv key security dialogs back. Is there a cleaner way? The only documented way to change the level is to delete the container and recreate it. You can do things by deleting the key container at a CryptoAPI level, but you need a fair knowledge of CryptoAPI to do that. I recall Outlook (maybe Outlook express too) had an option to delete the key when it was exported, you could try that. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Question about make install of OpenSSL
Sorry Richardo, I'm little confused. I read that OpenSSL is not mod_ssl. So, hmmm, how can I follow the instrutions for mod_ssl to compile OpenSSL? Your Compaq computer may come with instructions on how to install NT. The fact that the computer is not NT is not an impediment to following the instructions. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]