Re: What is OpenSSL Engine ?
The engine is a design architecture to allow the use of hardware crypto devices.

On Thu, Mar 15, 2001 at 10:10:20AM -0500, Aslam wrote:
> Hi,
> What exactly is the difference between OpenSSL and OpenSSL Engine?
> Thanks
> Aslam
> __
> OpenSSL Project                 http://www.openssl.org
> User Support Mailing List       [EMAIL PROTECTED]
> Automated List Manager          [EMAIL PROTECTED]

--
Steven A. Bade
AIX E-Commerce/Network Security
Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]   T/L 678-4799   (512)-838-4799
--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
"Two-way communication is necessary to proactively facilitate acceptance and involvement and to get insights about the journey it takes to get where we want"
Re: How to reduce size of OpenSSL LIB file
Kim,

You can modify the do_masm.bat file in the ms\ directory. You need to tell the perl script util\mk1mf.pl which cryptography to eliminate. Here is a fragment that could be in do_masm.bat showing one way to do it:

    SET SKIPS=no-rc5 no-bf no-cast no-idea no-ripemd no-dh no-dsa
    perl util\mk1mf.pl %SKIPS% VC-WIN32 >ms\nt.mak

Look through the perl script and maybe a few other places to see what no-*** options are supported. Please post the results to the list. I think it is of general interest.

Good luck,
_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: "Hellan,Kim KHE" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 6:33 AM
Subject: VS: How to reduce size of OpenSSL LIB file

> Yes, in some applications (like COM objects) I'm statically linking, because I need a "one-file" application. In other apps I use the DLLs.
> I'm sure it is possible to exclude the code for some algorithms, I just need to know how.
>
> Kim Hellan
>
> > You are statically linking libeay32.lib by the sounds of things. It would probably be better to make the dll and link in the stub library. My libeay32.lib and libeay32.dll are 367KB and 645KB (debug) respectively.
> >
> > "Hellan,Kim KHE" wrote:
> > > I'm building a static OpenSSL library using MS VC++ 6 on Windows NT4. Using the standard OpenSSL makefiles this all works fine, but the libeay32.lib file becomes very big (about 2.3 MB for a release build and 4 MB for a debug build). This of course drastically increases the size of my applications when this file is linked.
> > > Is there a way to exclude some code that I never use? Some algorithms like DSA or DH I never use (basically I only use 3DES and RSA), so how can I exclude all this "unused" code when building the lib? I can see that a lot of the code for example contains a NO_DSA define, but how can I use this when building the lib?
> > >
> > > TIA
> > > Kim Hellan
> > > KMD / KMD-CA
> > > http://www.kmd-ca.dk
> > > Mailto:[EMAIL PROTECTED]
OCSP stuff required ...
Hi,

I downloaded openssl-0.9.6 and compiled it, and after that I'm not having the OCSP app. Can anyone give a reason for this? Does OpenSSL support OCSP?

Thanks
Aslam
Crypto Hardwares and LDAP Support
Hi,

I am trying to find out if OpenSSL supports crypto hardware that performs cryptographic operations, stores private keys etc., like the IBM 4758. Can different CSPs (Cryptographic Service Providers) plug and play into OpenSSL?

Next question is: Is OpenSSL integrated with directory (LDAP) services, like getting the CRLs, Certificates, etc. from a directory?

Would appreciate any kind of input on the above two issues.

Thanks,
Ranga.
Re: How to reduce size of OpenSSL LIB file
I'd love to see a list of the minimum algorithms to (or a maximum list of algorithms to exclude :-):

* Run https with the majority of browsers (RSA, DES, 3DES, SHA-1 and RC-4 is my guess)
* Run openssh
* Get a libcrypto that supports both https and openssh

/Johan

----- Original Message -----
From: Greg Stark [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 16:37
Subject: Re: How to reduce size of OpenSSL LIB file

> Kim,
>
> You can modify the do_masm.bat file in the ms\ directory. You need to tell the perl script util\mk1mf.pl which cryptography to eliminate. Here is a fragment that could be in do_masm.bat showing one way to do it:
>
>     SET SKIPS=no-rc5 no-bf no-cast no-idea no-ripemd no-dh no-dsa
>     perl util\mk1mf.pl %SKIPS% VC-WIN32 >ms\nt.mak
>
> Look through the perl script and maybe a few other places to see what no-*** options are supported. Please post the results to the list. I think it is of general interest.
>
> Good luck,
> _
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> _
>
> ----- Original Message -----
> From: "Hellan,Kim KHE" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, March 15, 2001 6:33 AM
> Subject: VS: How to reduce size of OpenSSL LIB file
>
> > Yes, in some applications (like COM objects) I'm statically linking, because I need a "one-file" application. In other apps I use the DLLs.
> > I'm sure it is possible to exclude the code for some algorithms, I just need to know how.
> >
> > Kim Hellan
> >
> > > You are statically linking libeay32.lib by the sounds of things. It would probably be better to make the dll and link in the stub library. My libeay32.lib and libeay32.dll are 367KB and 645KB (debug) respectively.
> > >
> > > "Hellan,Kim KHE" wrote:
> > > > I'm building a static OpenSSL library using MS VC++ 6 on Windows NT4. Using the standard OpenSSL makefiles this all works fine, but the libeay32.lib file becomes very big (about 2.3 MB for a release build and 4 MB for a debug build). This of course drastically increases the size of my applications when this file is linked.
> > > > Is there a way to exclude some code that I never use? Some algorithms like DSA or DH I never use (basically I only use 3DES and RSA), so how can I exclude all this "unused" code when building the lib? I can see that a lot of the code for example contains a NO_DSA define, but how can I use this when building the lib?
> > > >
> > > > TIA
> > > > Kim Hellan
> > > > KMD / KMD-CA
> > > > http://www.kmd-ca.dk
> > > > Mailto:[EMAIL PROTECTED]
Re: warning: overflow in ....
What compiler are you using? Also, you probably want to use -fPIC for a config option. Finally, note that Solaris 8 does not have a random/urandom device. Search the archive for possible solutions (an old SUN package, or ANDIrand).

My .02...

Satoshi Seto wrote:
> Hello. My name is Satoshi. I live in Japan.
> I used Solaris 8 (SPARC). I downloaded openssl-0.9.6.tar.gz. Then I put in the following commands. Some warning messages were output.
>
>     # gzip -dc openssl-0.9.6.tar.gz | tar xvf -
>     # cd openssl-0.9.6
>     # ./config
>     # make
>     ar: creating ../libcrypto.a
>     bss_bio.c: In function `bio_nread':
>     bss_bio.c:258: warning: overflow in implicit constant conversion
>     bss_bio.c: In function `bio_nwrite':
>     bss_bio.c:419: warning: overflow in implicit constant conversion
>
> Did the compile succeed? Please help me!

--
Ricardo Stella, Manager, O.I.T., Rider University
http://poseidon.rider.edu
Re: Crypto Hardwares and LDAP Support
On Thu, Mar 15, 2001 at 10:43:54AM -0500, Ranga wrote:
> Hi,
> I am trying to find out if OpenSSL supports crypto hardware that performs cryptographic operations, stores private keys etc., like the IBM 4758. Can different CSPs (Cryptographic Service Providers) plug and play into OpenSSL?

At this time there is no support for the IBM 4758 card. It is possible, however there are some issues with dealing with the key storage and key representations.

I've been toying with actually working on enabling OpenSSL to use PKCS#11 hardware tokens to be able to access other crypto hardware besides the 4758 (which supports PKCS#11)... PKCS#11 is NOT necessarily the best API, but it is commonly offered by crypto hardware vendors.

My initial take would be to create an engine architecture module, which would have to do some things with managing the keys etc., taking them from the OpenSSL calls and caching them as PKCS#11 objects; the first time that a key was used would incur the overhead of creating the object, but subsequent uses of the same key would only have to do the PKCS#11 calls...

> Next question is: Is OpenSSL integrated with directory (LDAP) services, like getting the CRLs, Certificates, etc. from a directory?
> Would appreciate any kind of input on the above two issues.
> Thanks,
> Ranga.

--
Steven A. Bade
AIX E-Commerce/Network Security
Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]   T/L 678-4799   (512)-838-4799
--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
"Two-way communication is necessary to proactively facilitate acceptance and involvement and to get insights about the journey it takes to get where we want"
Netscape 6.01 and SSL: crash?
Hi there,

we tried the (newest) Netscape 6.01 on a Linux (SuSE 6.x and 7.0 distributions) platform connecting to an SSL-encrypted document on an Apache Webserver. The result was a crash. We guess that the SSL implementation is not stable yet.

Is there anybody who shares my experience? Is there a way to bypass the problem NOW, or should we wait for an improved version?

Thanks,
Hubert Fröhlich

--
Dr.-Ing. Hubert Fröhlich          Tel.: +49 (0)89 / 2190 - 2580
Bezirksfinanzdirektion München    Fax:  +49 (0)89 / 2190 - 2459
Alexandrastr. 3                   [EMAIL PROTECTED]
D-80538 München
GERMANY
wildcard certificates
Is it possible to create wildcard certificates using openssl?

Chaz Rigamonti
Technical Support Engineer
Intel Corporation
http://support.intel.com/
(503)264-7154   fax (503)264-1750
Re: Netscape 6.01 and SSL: crash?
Hubert,

I'm not sure exactly what your question is because you have given so little information. At a minimum, please include all the version information of the software in question and all error information from the "crash". My guess is that you believe that you are connecting to a version of Apache (which version?) which is SSL-enabled (using apache_ssl; mod_ssl; which version).

The OpenSSL implementation of SSL/TLS is very stable from what I can tell; this is especially true when you examine SSLv3 and TLS. It even includes workarounds to allow communication with broken or buggy commercial SSL implementations.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: "Hubert Froehlich" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 12:00 PM
Subject: Netscape 6.01 and SSL: crash?

> Hi there,
>
> we tried the (newest) Netscape 6.01 on a Linux (SuSE 6.x and 7.0 distributions) platform connecting to an SSL-encrypted document on an Apache Webserver. The result was a crash. We guess that the SSL implementation is not stable yet.
>
> Is there anybody who shares my experience? Is there a way to bypass the problem NOW, or should we wait for an improved version?
>
> Thanks,
> Hubert Fröhlich
>
> --
> Dr.-Ing. Hubert Fröhlich          Tel.: +49 (0)89 / 2190 - 2580
> Bezirksfinanzdirektion München    Fax:  +49 (0)89 / 2190 - 2459
> Alexandrastr. 3                   [EMAIL PROTECTED]
> D-80538 München
> GERMANY
Re: wildcard certificates
Chaz,

Creation should be no problem; see http://www.mail-archive.com/openssl-users@openssl.org/msg15592.html for a discussion of some other issues that may arise.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: "Rigamonti, Cesare" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 12:16 PM
Subject: wildcard certificates

> Is it possible to create wildcard certificates using openssl?
>
> Chaz Rigamonti
> Technical Support Engineer
> Intel Corporation
> http://support.intel.com/
> (503)264-7154   fax (503)264-1750
Re: Vc++ workspace for openssl
If you look carefully in the INSTALL.W32 file (look under Tweaks:), you will see how to do it.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: "Eli Zvik" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 10:12 AM
Subject: Vc++ workspace for openssl

> Dear openssl developers.
>
> I am a new user of OpenSSL. I am working with WinNT and VC++. I followed the instructions and successfully compiled the OpenSSL sources to a DLL. Unfortunately, I am unable to compile them with debug information.
>
> My questions are:
> 1) Is there any way to compile OpenSSL in debug mode, using the current make file?
> 2) Is there any workspace for VC++ (dsp, dsw) available? I'll be grateful if someone can give me a link to download this workspace.
>
> Looking forward to receiving your quick response.
> Thanks in advance.
>
> Eli Zvick
> Finjan Software Inc.
> __
> OpenSSL Project                 http://www.openssl.org
> Development Mailing List        [EMAIL PROTECTED]
> Automated List Manager          [EMAIL PROTECTED]
Problems with real Certificate File
Hi all,

I'm using Apache 1.3.12 / mod_ssl 2.6.5 / OpenSSL 0.9.5a under Solaris 8.

I sent my Certificate Signing Request (CSR) to a CA (certisign) and received my real Certificate (CRT) file to use. But before putting it under Apache, I tried to see its details with the openssl command (see below), but it didn't work with the file I received. I got the following errors:

    ./openssl x509 -noout -text -in server.crt
    unable to load certificate
    12779:error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an asn1 sequence:x_cinf.c:106:address=1270034 offset=0
    12779:error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1 error:x_x509.c:102:address=1270032 offset=2
    12779:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

Does anyone know what the problem is? Is my certificate file bad?

Any comments will be very appreciated!

thanks,
--
Claudio Higashi
Software Engineer
Phone: +55 19 3737-4540
Fax:   +55 19 3737-4501
CIT - software enabling the e-world
http://www.cit.com.br
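Reading the three error lines above from the bottom up: the PEM layer (PEM_ASN1_read_bio) decoded the base64 fine, d2i_X509 then consumed an outer SEQUENCE header (offset=2), and d2i_X509_CINF did not find the SEQUENCE that tbsCertificate has to start with. So the bytes are valid DER, just not laid out as an X.509 Certificate. In practice that usually means the CA returned something other than a bare certificate under a .crt name, a PKCS#7 bundle being the common case, or a DER file was handed to a PEM-only command. The following is an added example, not code from the post or from OpenSSL: a standard-library Python check of the PEM wrapper and the two outermost DER headers, which is exactly the framing the error complains about. The two sample byte strings at the bottom are constructed to have the right tag shape and are not real certificates.

```python
"""Framing check for a file that was supposed to be an X.509 certificate.

Added example, not code from the original post. Standard library only; it
inspects the PEM wrapper and the outermost DER layers, which is where
`openssl x509` gives up with "expecting an asn1 sequence". It does not parse
the certificate itself.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def der_header(data: bytes):
    """Decode one DER tag/length header. Returns (tag, header_len, content_len)
    or None when the bytes are not a well-formed definite-length header."""
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                         # short form: length in one byte
        return tag, 2, first
    n = first & 0x7F                         # long form: n following bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")


def classify_der(der: bytes) -> str:
    """Say what the DER looks like from its first two headers.

    An X.509 Certificate is SEQUENCE { tbsCertificate SEQUENCE, ... }, so the
    first element inside the outer SEQUENCE must itself be a SEQUENCE (0x30).
    A PKCS#7 ContentInfo is SEQUENCE { contentType OID, ... }, so there the
    first inner element is an OBJECT IDENTIFIER (0x06).
    """
    outer = der_header(der)
    if outer is None or outer[0] != 0x30:
        return "not-a-sequence"
    _, hlen, clen = outer
    if hlen + clen != len(der):
        return "truncated-or-trailing-bytes"
    inner = der_header(der[hlen:])
    if inner is None:
        return "empty-or-malformed-sequence"
    if inner[0] == 0x30:
        return "x509-like"
    if inner[0] == 0x06:
        return "pkcs7-like"
    return f"unexpected-inner-tag-0x{inner[0]:02x}"


def sniff(data: bytes) -> dict:
    """Classify a certificate file. Returns {'format', 'labels', 'verdicts'}."""
    if data.startswith(b"\xef\xbb\xbf"):     # a BOM hides the PEM banner
        data = data[3:]
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return {"format": "der" if data[:1] == b"\x30" else "unknown",
                "labels": [], "verdicts": [classify_der(data)]}
    labels, verdicts = [], []
    for label, body in blocks:
        labels.append(label.decode())
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            verdicts.append("bad-base64")
            continue
        verdicts.append(classify_der(der))
    return {"format": "pem", "labels": labels, "verdicts": verdicts}


def pem_wrap(label: str, der: bytes) -> bytes:
    """Wrap DER in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"-----BEGIN {label}-----\n".encode() + body
            + f"\n-----END {label}-----\n".encode())


# Constructed sample structures (NOT real certificates): only the outer and
# first inner tags matter to classify_der.
CERT_SHAPED_DER = bytes.fromhex("3005" "3003" "020105")   # SEQ { SEQ { INT 5 } }
P7_SHAPED_DER = bytes.fromhex("3005" "0603" "2a0304")     # SEQ { OID 1.2.3.4 }

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(sniff(fh.read()))
```

Run it against server.crt before reaching for `openssl x509`: a "pkcs7-like" verdict points at `openssl pkcs7 -print_certs`, a "der" format at `-inform DER`, and "truncated-or-trailing-bytes" at a file that was cut or had something appended.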
RE: wildcard certificates
Lots of thanks, great link!

-----Original Message-----
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 15, 2001 10:36 AM
To: [EMAIL PROTECTED]
Subject: Re: wildcard certificates

> Chaz,
>
> Creation should be no problem; see http://www.mail-archive.com/openssl-users@openssl.org/msg15592.html for a discussion of some other issues that may arise.
>
> _
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> _
>
> ----- Original Message -----
> From: "Rigamonti, Cesare" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, March 15, 2001 12:16 PM
> Subject: wildcard certificates
>
> > Is it possible to create wildcard certificates using openssl?
> >
> > Chaz Rigamonti
> > Technical Support Engineer
> > Intel Corporation
> > http://support.intel.com/
> > (503)264-7154   fax (503)264-1750
Re: How do I get the remote IP after BIO_do_accept?
Just note that the IP address is not authenticated and thus is untrusted. Whether this matters or not depends on what you are doing with it.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: "Christopher J. Madsen" [EMAIL PROTECTED]
To: "OpenSSL Users" [EMAIL PROTECTED]
Sent: Sunday, March 11, 2001 6:21 PM
Subject: How do I get the remote IP after BIO_do_accept?

> I'm writing a simple server with openssl-0.9.6. It's going rather well so far, but I can't figure out how to get the IP address of the remote connection after I call BIO_do_accept.
>
> Poking around in the source code, it appears this information is being stored in the accept BIO, but there doesn't seem to be any way to retrieve it (except poking around in undocumented internal structures, which doesn't seem like a good idea).
>
> Am I missing something?
>
> PS: I wouldn't even be attempting this project without OpenSSL. Thanks for all your hard work.
> --
> Chris Madsen   [EMAIL PROTECTED]
> --- http://www.geocities.com/SiliconValley/Heights/3222/ ---
>
> There isn't a way to do this at the OpenSSL level. Presumably you can retrieve the remote IP address if you have the underlying socket? If so you can call BIO_get_fd() (which should really be BIO_get_socket()) to get it from the socket BIO. See the BIO_s_socket manual page.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED]   PGP key: via homepage.
Need help with certificates
I am trying to set up IMAP with SSL support. I have installed the latest version of IMAP and OpenSSL on my Linux 7.0 box. I can connect via IMAP using Netscape without SSL and it works fine; when I try it with SSL it cannot find the server. I followed the procedures for the certificates, but I am not sure if it worked. Any suggestions?

Thanks in advance
Darrin
Re: Need help with certificates
On Thu, Mar 15, 2001 at 12:54:47PM -0500, Darrin Powell wrote:
> I am trying to set up IMAP with SSL support. I have installed the latest version of IMAP and OpenSSL on my Linux 7.0 box. I can connect via IMAP using Netscape without SSL and it works fine; when I try it with SSL it cannot find the server. I followed the procedures for the certificates, but I am not sure if it worked. Any suggestions?

Please check out all steps you made again. The error message you give does not indicate that your problem is related to certificates.

- You should have a normal IMAP server on port 143. Telnet to port 143 and you should see:

    host 24: telnet localhost 143
    Trying...
    Connected to ...
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4 IMAP4REV1 STARTTLS LOGIN-REFERRALS AUTH=LOGIN] localhost IMAP4rev1 2000.287 at Thu, 15 Mar 2001 21:26:57 +0100 (MET)

- Due to the SSL support, you should now have another IMAP server wrapped with SSL on port 993. Use "openssl s_client" to connect to port 993. Once the handshake is finished, you should see the same line.
- If you don't have success with the second step, check that you have installed a corresponding entry in /etc/inetd.conf and that you have called "inetd -c" or sent the appropriate signal to inetd to re-read its configuration file.
- Have a look into your logfiles.

Best regards,
Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: OCSP stuff required ...
Aslam wrote:
> Hi,
> I downloaded openssl-0.9.6 and compiled it, and after that I'm not having the OCSP app. Can anyone give a reason for this? Does OpenSSL support OCSP?

The OCSP code is not in OpenSSL 0.9.6; it is only in the current development version, so try that instead.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]   PGP key: via homepage.
Re: Crypto Hardwares and LDAP Support
Are there standard interfaces that allow plug and play of different crypto modules (hardware, crypto software, etc. - basically CSPs)?

Also, I am looking for an answer to this question: Is OpenSSL integrated with directory (LDAP) services, like getting the CRLs, Certificates, etc. from a directory?

I am a newbie to OpenSSL and would really appreciate your input on this.

Thanks,
Ranga.

----- Original Message -----
From: "Steven A. Bade" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 11:20 AM
Subject: Re: Crypto Hardwares and LDAP Support

> On Thu, Mar 15, 2001 at 10:43:54AM -0500, Ranga wrote:
> > Hi,
> > I am trying to find out if OpenSSL supports crypto hardware that performs cryptographic operations, stores private keys etc., like the IBM 4758. Can different CSPs (Cryptographic Service Providers) plug and play into OpenSSL?
>
> At this time there is no support for the IBM 4758 card. It is possible, however there are some issues with dealing with the key storage and key representations.
>
> I've been toying with actually working on enabling OpenSSL to use PKCS#11 hardware tokens to be able to access other crypto hardware besides the 4758 (which supports PKCS#11)... PKCS#11 is NOT necessarily the best API, but it is commonly offered by crypto hardware vendors.
>
> My initial take would be to create an engine architecture module, which would have to do some things with managing the keys etc., taking them from the OpenSSL calls and caching them as PKCS#11 objects; the first time that a key was used would incur the overhead of creating the object, but subsequent uses of the same key would only have to do the PKCS#11 calls...
>
> > Next question is: Is OpenSSL integrated with directory (LDAP) services, like getting the CRLs, Certificates, etc. from a directory?
> > Would appreciate any kind of input on the above two issues.
> > Thanks,
> > Ranga.
>
> --
> Steven A. Bade
> AIX E-Commerce/Network Security
> Cryptographic Strategy and Development Architecture
> [EMAIL PROTECTED]   T/L 678-4799   (512)-838-4799
> --
> To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
> "Two-way communication is necessary to proactively facilitate acceptance and involvement and to get insights about the journey it takes to get where we want"
Bugs in openssl.spec file.
Hi,

I am trying to build a useable version of openssl using the specfile included with the source distribution. Everything builds fine, and the rpms are created, but there are problems related to the /usr/lib/libcrypto* and /usr/lib/libssl* files.

    -rwxr-xr-x root root 894917 Mar 15 13:07 /usr/lib/libcrypto.so
    -rwxr-xr-x root root 894917 Mar 15 13:07 /usr/lib/libcrypto.so.0
    -rwxr-xr-x root root 894917 Mar 15 13:07 /usr/lib/libcrypto.so.0.9.6
    -rwxr-xr-x root root 202177 Mar 15 13:07 /usr/lib/libssl.so
    -rwxr-xr-x root root 202177 Mar 15 13:07 /usr/lib/libssl.so.0
    -rwxr-xr-x root root 202177 Mar 15 13:07 /usr/lib/libssl.so.0.9.6

For some reason the files are being installed that way during make install. The libcrypto.so, libcrypto.so.0, libssl.so, and libssl.so.0 should be symlinks to their respective {libcrypto,libssl}.so.0.9.6 file. These files already exist before the "# Install shared libs" section.

Attached is a script session of the build. I am too busy today to figure out the exact cause of this bug. But if I find it I will post the fix.

Also, just for technical sakes: this system is redhat 6.2, rpm 3.0.5. I have tried this on a different system with the same results.

-miah

[attachment: typescript.gz]
Re: Two-way authentication
Hi Carlos,

----- Original Message -----
From: "Carlos Serro" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, 14 March, 2001 20:57
Subject: Two-way authentication

> Hi all,
> can someone please provide a working example of a two-way authentication program using OpenSSL?

Sorry, I can't provide you with a 'working example' straight away. Nevertheless, here are a few leads on how to get it done.

Note: I assume that you mean you want both these actions when an SSL connection is being established:
- server verifies client, using a certificate passed by the client to the server
- client verifies server, using a certificate passed by the server to the client

You may wish to check out the 'verify_callback()' function in apps/s_cb.c and roll your own version of that one (as the current one is very forgiving ;-) ). The basic verify_callback() shown in the OpenSSL distrib. does a few things based on verify_depth. I tweaked that code for my own use so I can have the OpenSSL standard functionality, next to 'anal retentive mode' (using negative verify_depth values) forcing both apps/s_client and apps/s_server to reject ANY connection which does not provide a certificate chain of the exact 'depth' I desire. This way, I can easily differentiate between self-signed and CA-signed certs. I can also check if incoming certs are signed by the CA in my -CApath, and if they aren't, kick them off the line :-)

If you want to check specific contents of certificates passed for verification by either client or server, you can add additional code there to look for and check those elements. I didn't do that (yet), however.

To force both client and server to use a certificate, invoke

    s_client -cert myccert.pem -verify 1

and

    s_server -cert myscert.pem -Verify 1

(Note the capital 'V' in the s_server -Verify parameter: it means: server wants *mandatory* client cert upon connection. s_client -verify does the same for the client: mandatory server cert.)

I included my tweaked s_cb.c source code (based on OpenSSL-0.9.6). Do with it whatever you like (look for the '[i_a]' comments to find the spots I messed around with). You don't need to change s_server.c or s_client.c themselves as they already, ahem, support decoding negative verify_depth values.

Try

    s_client -cert myccert.pem -verify -1

and

    s_server -cert myscert.pem -Verify -1

with self-signed certs for both client and server: they should be accepted. Use other (CA-signed) certs for either client or server and the connection will fail.

    s_server -cert myscert.pem -CAfile mycacert.pem -Verify -2

will accept only client certs signed by the CA identified by your mycacert.pem certificate, assuming mycacert.pem is a self-signed (root) CA certificate.

Hope this helps...

Groetjes/Greetinx,
Ger
--
Ger Hobbelt a.k.a. Insh_Allah
mailto:[EMAIL PROTECTED]
--
Peter Pan can fly when he thinks his Happy Thought. I want to fly too. My Happy Thought is... one part Prozac and one part LSD... Wow! Awesome, dude!

[attachment: s_cb.zip]
Re: Need help with certificates
On Thu, 15 Mar 2001, you wrote:
> On Thu, Mar 15, 2001 at 12:54:47PM -0500, Darrin Powell wrote:
> > I am trying to set up IMAP with SSL support. I have installed the latest version of IMAP and OpenSSL on my Linux 7.0 box. I can connect via IMAP using Netscape without SSL and it works fine; when I try it with SSL it cannot find the server. I followed the procedures for the certificates, but I am not sure if it worked. Any suggestions?
>
> Please check out all steps you made again. The error message you give does not indicate that your problem is related to certificates.
>
> - You should have a normal IMAP server on port 143. Telnet to port 143 and you should see:
>
>     host 24: telnet localhost 143
>     Trying...
>     Connected to ...
>     Escape character is '^]'.
>     * OK [CAPABILITY IMAP4 IMAP4REV1 STARTTLS LOGIN-REFERRALS AUTH=LOGIN] localhost IMAP4rev1 2000.287 at Thu, 15 Mar 2001 21:26:57 +0100 (MET)
>
> - Due to the SSL support, you should now have another IMAP server wrapped with SSL on port 993. Use "openssl s_client" to connect to port 993. Once the handshake is finished, you should see the same line.
> - If you don't have success with the second step, check that you have installed a corresponding entry in /etc/inetd.conf and that you have called "inetd -c" or sent the appropriate signal to inetd to re-read its configuration file.
> - Have a look into your logfiles.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke                             [EMAIL PROTECTED]
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

Lutz

Hi, thanks for your help. This is my response to telnet to port 143. My 993 port is listening, but still will not allow a connection?

    [root@powell apps]# telnet mail.uiop.net 143
    Trying 192.168.2.49...
    Connected to powell (192.168.2.49).
    Escape character is '^]'.
    * OK powell IMAP4rev1 v12.264 server ready
    * BYE Autologout; idle for too long
    Connection closed by foreign host.

This is the output if I try to telnet to 993:

    [root@powell apps]# telnet mail.uiop.net 993
    Trying 192.168.2.49...
    Connected to powell (192.168.2.49).
    Escape character is '^]'.
    Connection closed by foreign host.

What do I need to change in my /etc/inetd.conf file?

Also, this is my output from trying to get a certificate:

    [root@powell /root]# /usr/bin/openssl x509 -req -days 999 -in /openssl-0.9.6/apps/cert.csr -signkey /openssl-0.9.6/apps/ -out /openssl-0.9.6/apps/test.crt
    Signature ok
    subject=/C=US/ST=North [EMAIL PROTECTED]
    Getting Private key
    unable to load Private Key

Thanks again in advance
Darrin
Re: Need help with certificates
On Thu, Mar 15, 2001 at 03:20:19PM -0500, Darrin Powell wrote:
>     [root@powell apps]# telnet mail.uiop.net 143
>     Trying 192.168.2.49...
>     Connected to powell (192.168.2.49).
>     Escape character is '^]'.
>     * OK powell IMAP4rev1 v12.264 server ready
>     * BYE Autologout; idle for too long
>     Connection closed by foreign host.

That looks ok.

> This is the output if I try to telnet to 993:
>
>     [root@powell apps]# telnet mail.uiop.net 993
>     Trying 192.168.2.49...
>     Connected to powell (192.168.2.49).
>     Escape character is '^]'.
>     Connection closed by foreign host.

Telnet does not help you for port 993 because of the SSL protocol: it requires the client to send first and immediately start the TLS negotiation.

> What do I need to change in my /etc/inetd.conf file?
>
> Also, this is my output from trying to get a certificate:

    imaps stream tcp nowait root /usr/local/lbin/imapd imapd

>     [root@powell /root]# /usr/bin/openssl x509 -req -days 999 -in /openssl-0.9.6/apps/cert.csr -signkey /openssl-0.9.6/apps/ -out /openssl-0.9.6/apps/test.crt
>     Signature ok
>     subject=/C=US/ST=North [EMAIL PROTECTED]
>     Getting Private key
>     unable to load Private Key

In order to track down things, you may consider using the "server.pem" key in the openssl apps/ directory. It does not match your host, but at least it is known to work. Once you have this thing working, you know that the rest of your setup (inetd.conf etc.) is ok and you can concentrate on the certificate issue.

Best regards,
Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
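The two checks Lutz describes (read the greeting on 143 in the clear, and on 993 run the TLS handshake before expecting any IMAP bytes) are easy to script, and scripting them also makes the "Connection closed by foreign host" on 993 obvious: with implicit TLS the client speaks first, so a telnet session that waits for a banner deadlocks until the server gives up. The following is an added example, not code from the thread or from OpenSSL or UW imapd. It uses only the Python standard library; the hostnames, ports and the sample greeting are constructed for the demo, and the in-process stand-in listener only models the plaintext port (the TLS path is the same code with the handshake in front).

```python
"""Check an IMAP server the way the thread describes: read the greeting on the
plaintext port, and on the implicit-TLS port run the TLS handshake first.

Added example, not code from the original posts. Standard library only.
Hostnames, ports and the sample greeting below are constructed for the demo.
"""
import socket
import ssl
import threading


def read_line(sock: socket.socket, limit: int = 4096) -> str:
    """Read one CRLF-terminated line (the untagged greeting)."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")


def parse_greeting(line: str):
    """Split '* OK [CAPABILITY ...] text' into (status, capabilities)."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2 or parts[0] != "*":
        raise ValueError(f"not an IMAP greeting: {line!r}")
    caps = []
    start = line.find("[CAPABILITY ")
    if start != -1:
        end = line.find("]", start)
        if end != -1:
            caps = line[start + len("[CAPABILITY "):end].split()
    return parts[1], caps


def probe_imap(host: str, port: int, implicit_tls: bool, cafile=None):
    """Connect and return the parsed greeting.

    On 993 the client must open TLS before any IMAP bytes flow: the server is
    waiting for a ClientHello, so a telnet session that waits for the server to
    talk first just sees the connection closed. wrap_socket sends that
    ClientHello; on 143 the greeting arrives in the clear.
    """
    sock = socket.create_connection((host, port), timeout=5.0)
    try:
        if implicit_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(sock, server_hostname=host)
        return parse_greeting(read_line(sock))
    finally:
        sock.close()


# Constructed greeting in the shape the thread shows for a STARTTLS-capable
# UW imapd; it is not captured from a real server.
FAKE_GREETING = ("* OK [CAPABILITY IMAP4 IMAP4REV1 STARTTLS LOGIN-REFERRALS "
                 "AUTH=LOGIN] localhost IMAP4rev1 ready")


def serve_greeting_once(greeting: str = FAKE_GREETING) -> int:
    """Stand-in for a plaintext IMAP listener on 127.0.0.1: accept one client,
    send the greeting, close. Returns the ephemeral port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall((greeting + "\r\n").encode())
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else serve_greeting_once()
    print(probe_imap(host, port, implicit_tls=(port == 993)))
```

Against a real host, `python probe.py mail.example 993` runs the handshake with the default trust store and will fail certificate verification for a self-signed test certificate; pass its PEM as `cafile` to `probe_imap` while debugging, and expect the same `* OK` line Lutz describes once the handshake completes.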
REMOVE
problem run test after installing ssleay 0.8.1b
Hi,

I am new to openssl and I installed ssleay 0.8.1b on NT4; the compiler is VC++ 6. Following is what I encounter:

perl Configure VC-WIN32
nmake -f ms\ntdll.mak
(everything is fine so far)
cd ms
test

and I get the following error:

testpem
test crl ..\test\testcrl.pem
..\test\testcrl.pem and pem.out are different
0D 0A
diff at char 25 of 954
problem.

Anyone know why? Will this cause a problem?

Thanks a lot.
problems doing connections with ssh
I just installed openssh on a red-hat machine. I was doing slogin to it fine, but I rebooted the machine and I can no longer do ssh to that machine; it gives the message:

"Secure connection to 'host' refused"

What could it be? Does it have to be related to the firewall, or do I have to open port 22? How do I do that? Or do I have to set something in the network settings to allow secure connections?

Thanks,
Carlos Santana [EMAIL PROTECTED] UPR-RUM EE/CPE
Re: problems doing connections with ssh
ps -aef | grep ssh

If sshd doesn't show up, it isn't configured to start automatically after reboot. Hence the problem. Either start sshd manually each time after reboot or put it in the startup scripts.

suri.
PEM pass phrase
Hi,

When creating a client certificate using the command "CA.pl -newreq", it prompts for a PEM pass phrase before generating the newreq.pem file. What is the usage/purpose of this password? It seems to me that it is the password for accessing data (like the private key?) in the newreq.pem file. Is that correct?

Thanks
Patrick
Re: Netscape 6.01 and SSL: crash?
Hi,

I use Netscape 6.01 on win2000. Connecting to IIS is ok, to openssl s_server is ok, but to another program based on the openssl lib it crashes. I guess it is not the SSL but the https implementation that is not stable, because it put the following message on the browser:

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Fri, 16 Mar 2001 00:50:20 GMT
Content-Length: 6136
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQGGQKDQ=LJHHHAHDDOMMELKOGLOMAKHG; path=/
Cache-control: private

> Hi there,
>
> we tried the (newest) Netscape 6.01 on a Linux (SuSE 6.x and 7.0 distributions) platform connecting to an SSL-encrypted document on an Apache Webserver. The result was a crash. We guess that the SSL implementation is not stable yet. Is there anybody who shares my experience? Is there a way to bypass the problem NOW or should we wait for an improved version?
>
> Thanks,
> Hubert Fröhlich
> --
> Dr.-Ing. Hubert Fröhlich Tel. +49 (0)89 / 2190 - 2580
> Bezirksfinanzdirektion München Fax +49 (0)89 / 2190 - 2459
> Alexandrastr. 3 [EMAIL PROTECTED]
> D-80538 München GERMANY
Re: PEM pass phrase
yes

"Patrick Li" [EMAIL PROTECTED] wrote on 2001.03.16 01:46 (to [EMAIL PROTECTED], subject: PEM pass phrase):

> Hi,
>
> When creating a client certificate using the command "CA.pl -newreq", it prompts for a PEM pass phrase before generating the newreq.pem file. What is the usage/purpose of this password? It seems to me that it is the password for accessing data (like the private key?) in the newreq.pem file. Is that correct?
>
> Thanks
> Patrick
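The one-word answer above is correct: the pass phrase that CA.pl -newreq asks for is used to encrypt the private key it writes into newreq.pem (the same file also carries the certificate request). The following is an added example, not code from this thread or from OpenSSL, that inspects a PEM file and reports whether each private-key block actually needs a pass phrase. A traditional OpenSSL key announces encryption with "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers (RFC 1421 style); a PKCS#8 key uses the block label "ENCRYPTED PRIVATE KEY". The sample file in the block is constructed for the example and its base64 bodies are placeholders, not real key material; the label list PRIVATE_KEY_LABELS is an assumption covering the labels OpenSSL commonly writes.

```python
"""Inspect the blocks of a PEM file such as newreq.pem and report which
private keys are pass-phrase protected.

Added example (not from the original thread or from OpenSSL). The sample
PEM text is constructed; its base64 bodies are placeholders only.
"""
import re
from typing import Dict, List, Optional, Tuple

# One -----BEGIN x----- ... -----END x----- block; re.S lets '.' span lines.
BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<content>.*?)-----END (?P=label)-----",
    re.S)

# Assumption: the private-key labels OpenSSL commonly emits.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
                      "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text: str) -> List[Dict]:
    """Return a list of {label, headers, body} dicts, one per PEM block.
    RFC 1421 style headers ("Key: value") precede the base64 body and are
    separated from it by a blank line; the base64 alphabet has no ':'."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        lines = m.group("content").splitlines()
        headers: Dict[str, str] = {}
        i = 0
        while i < len(lines) and ":" in lines[i]:
            key, value = lines[i].split(":", 1)
            headers[key.strip()] = value.strip()
            i += 1
        if headers:
            while i < len(lines) and lines[i].strip() == "":
                i += 1  # skip the blank separator after the headers
        body = "".join(line.strip() for line in lines[i:])
        blocks.append({"label": m.group("label").strip(),
                       "headers": headers, "body": body})
    return blocks


def key_is_encrypted(block: Dict) -> bool:
    """True if using this key block requires a pass phrase."""
    if block["label"] == "ENCRYPTED PRIVATE KEY":       # PKCS#8 form
        return True
    hdrs = block["headers"]                              # traditional form
    return hdrs.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in hdrs


def summarize(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """(label, 'encrypted'|'PLAINTEXT'|'n/a', cipher-or-None) per block."""
    out = []
    for b in parse_pem(text):
        if b["label"] in PRIVATE_KEY_LABELS:
            kind = "encrypted" if key_is_encrypted(b) else "PLAINTEXT"
            cipher = b["headers"].get("DEK-Info", "").split(",")[0] or None
            out.append((b["label"], kind, cipher))
        else:
            out.append((b["label"], "n/a", None))
    return out


# Constructed sample: what a newreq.pem written with a pass phrase looks like
# structurally. The base64 lines are placeholders, not a real key or CSR.
SAMPLE_NEWREQ = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0A1B2C3D4E5F6071

UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DU1I=
-----END CERTIFICATE REQUEST-----
"""

# Constructed sample of an unprotected key (what "-nodes" would produce).
SAMPLE_PLAIN = """-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in (("newreq.pem", SAMPLE_NEWREQ), ("plain", SAMPLE_PLAIN)):
        for label, kind, cipher in summarize(text):
            print(f"{name}: {label}: {kind}" + (f" ({cipher})" if cipher else ""))
```

Run against a real newreq.pem, the "PLAINTEXT" verdict is the one to act on: a key written without a pass phrase is usable by anyone who can read the file.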
Re: Netscape 6.01 and SSL: crash?
Don't use Netscape 6.01! Use Mozilla instead (latest milestone is 0.8). It is much more stable and has features that Netscape does not have.

--
(Qun-Ying) (65) 874-6643 [EMAIL PROTECTED] * [EMAIL PROTECTED]
Re: warning: overflow in ....
To: Ricardo Stella

Thank you for your advice. My compiler is gcc 2.95.2 (pre-compiled binaries of a public-domain Solaris application). I tried your advice, but the warning message did not clear. I am going to try to search for solutions in some archive.

Thank you!
Re: Netscape 6.01 and SSL: crash?
Yes, I also tried Netscape 6.x on Solaris 7 (Intel); https connections crash. Netscape 6 is totally screwed up. I personally think Netscape 6.x still needs a lot of work.

suri.
Repeated SSL Record header
As I've understood from the RFC, the record header shouldn't be repeated in one handshake record. For example, the Server Hello handshake record should only have one record header. This handshake record contains 4 handshake messages, which are:

1. server_hello
2. certificate
3. certificate request (opt.)
4. server_hello_done

So, the packet byte dump looks like:

16 03 00 XX XX 02 (server_hello) .. .. .. 0B (certificate) .. .. .. 0E (server_hello_done)

without the record header (16 03 00 XX XX) repeated.

I did a packet capture on the SSL demo programs that came with openssl (openssl-0.9.6\demos\ssl\cli.cpp and serv.cpp) and found that the record header is repeated for each of the handshake messages of the same handshake record. The Server Hello handshake record:

16 03 00 XX XX 02 (server_hello) .. .. ..
16 03 00 XX XX 0B (certificate) .. .. ..
16 03 00 XX XX 0E (server_hello_done)

Why is this so?

__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
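Both captures in the question above are legitimate. The record layer carries opaque fragments, and the handshake layer on top of it may pack several handshake messages into one record or spread a single message across several records (RFC 2246, sections 6.2 and 7.4; the 03 00 version bytes in the dump mark SSL 3.0, whose specification allows the same). A peer that assumes one layout or the other will break against a conforming implementation; the robust approach is to concatenate the handshake fragments and only then slice them into messages. The following is an added example, not code from the question or from OpenSSL: a small record-layer and handshake-layer parser that yields the same three messages from a coalesced capture, from a one-message-per-record capture like the one observed, and from a capture where the certificate message straddles a record boundary. The handshake bodies are constructed dummies, not real handshake payloads.

```python
"""Parse a TLS/SSLv3 record stream into handshake messages regardless of
how the record layer chopped the handshake stream.

Added example (not from the original post or from OpenSSL). The handshake
bodies below are constructed dummies, not real TLS payloads.
"""
import struct
from typing import List, Tuple

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_NAMES = {0x02: "server_hello", 0x0B: "certificate",
                   0x0D: "certificate_request", 0x0E: "server_hello_done"}


def parse_records(data: bytes) -> List[Tuple[int, Tuple[int, int], bytes]]:
    """Split data into (content_type, (major, minor), fragment) tuples.
    Record header: type (1) | version (2) | fragment length (2, big-endian)."""
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record fragment")
        records.append((ctype, (major, minor), frag))
        pos += 5 + length
    return records


def handshake_messages(data: bytes) -> List[Tuple[str, bytes]]:
    """Return [(message_name, body)] from a record stream. Handshake
    fragments are concatenated first, so message boundaries need not
    line up with record boundaries."""
    stream = b"".join(frag for ctype, _, frag in parse_records(data)
                      if ctype == CONTENT_HANDSHAKE)
    msgs = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = stream[pos]                               # 1 byte type
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")  # 3 byte length
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append((HANDSHAKE_NAMES.get(msg_type, hex(msg_type)), body))
        pos += 4 + length
    return msgs


def hs(msg_type: int, body: bytes) -> bytes:
    """Build one handshake message: type (1) | length (3) | body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(fragment: bytes, version: Tuple[int, int] = (3, 0)) -> bytes:
    """Wrap a fragment in a handshake record header (16 03 00 XX XX)."""
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, version[0], version[1],
                       len(fragment)) + fragment


# Constructed dummy bodies (shape only, not real handshake contents).
SERVER_HELLO = hs(0x02, b"\x03\x00" + b"\x11" * 32 + b"\x00" + b"\x00\x35\x00")
CERTIFICATE = hs(0x0B, b"\x00\x00\x03" + b"\x30\x82\x00")
SERVER_HELLO_DONE = hs(0x0E, b"")

# Layout A: one record header, three messages coalesced (what the post expected).
COALESCED = record(SERVER_HELLO + CERTIFICATE + SERVER_HELLO_DONE)
# Layout B: one record per message (what the post saw from the demo programs).
ONE_PER_RECORD = record(SERVER_HELLO) + record(CERTIFICATE) + record(SERVER_HELLO_DONE)
# Layout C: the certificate message split across two records.
SPLIT = (record(SERVER_HELLO + CERTIFICATE[:5])
         + record(CERTIFICATE[5:] + SERVER_HELLO_DONE))

if __name__ == "__main__":
    for name, blob in (("coalesced", COALESCED), ("one per record", ONE_PER_RECORD),
                       ("split", SPLIT)):
        print(f"{name}: {len(parse_records(blob))} record(s) ->",
              [msg for msg, _ in handshake_messages(blob)])
```

The same two-stage approach is what a protocol dissector or an IDS signature writer needs: matching on "16 03 00 .. .. 0B" to find a certificate message works only for layout B and silently misses the other two.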