EVP_CipherInit_ex because cipher->do_cipher is NULL
Hi all,

I am using the EVP API for encryption and decryption (code snippet below). The encryption works fine, but the decryption fails in EVP_CipherInit_ex. Both the codes are identical except that the said function uses 1 as the last argument for encryption and 0 for decryption.

I am on Redhat Linux, OpenSSL 0.9.8h 28 May 2008, and g++ 3.3.2 compiler. (C++ compiler)

The EVP_CipherInit_ex function returned 0 - indicating failure. Upon investigation, I found out that the context cipher function pointer do_cipher is NULL. I have no clue why this will be NULL. In encryption, do_cipher is not NULL; only in decryption, this pointer is NULL.

Is there any way to resolve/fix this issue? Do I need to do anything else? I could not find the definition of EVP_des_ede3_cbc() in the openssl codebase.

    #include <stdio.h>
    #include <string.h>
    #include <openssl/evp.h>

    int main(void)
    {
        // The init vector will be derived from this
        unsigned char initVector[8] = {0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
        unsigned char iv[EVP_MAX_IV_LENGTH], key[EVP_MAX_KEY_LENGTH];
        EVP_CIPHER_CTX ctx;
        unsigned char keyInput[24] = {0x3F,0x6F,0x6B,0x69,0x20,0x5E,0x5F,0x45,0x65,0x54,0x5D,0x56,0x63,0x68,0x6E,
                                      0x6F,0x14,0x32,0x2C,0x41,0x3F,0xD3,0x9B,0xA3};

        // Copy only the 8 bytes initVector holds; iv itself is EVP_MAX_IV_LENGTH bytes
        memset(iv, 0, sizeof(iv));
        memcpy(iv, initVector, sizeof(initVector));

        EVP_CIPHER_CTX_init(&ctx);
        // Last argument: 1 = encrypt, 0 = decrypt
        int r2 = EVP_CipherInit_ex(&ctx, EVP_des_ede3_cbc(), NULL, keyInput, iv, 0);
        fprintf(stderr, "cipher initEX ret =%d\n", r2);
        if (ctx.cipher->do_cipher == NULL)
            fprintf(stderr, "do_cipher is NULL!!\n"); // This prints, meaning do_cipher is NULL!!

        //
        // .. CipherUpdate/Final follow. Not shown here.
        //
        return 0;
    }

DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd.
does not accept any liability for virus infected mails. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: RFC 4130 checksum in SHA1
On Wednesday August 6th 2008 at 20:42 javierm wrote:

[ RFC 4130 calculating MIC, mostly offtopic for OpenSSL ]

Sorry about the lengthy post, but it's worth to seem or be redundant. I give proofs I have read it all, but will comment on just a few points.

... I found that commercial packages agree that THIS messageDigest is the VALID MIC to return on the MDN

There really is only one way to calculate the MIC (the message digest) so of course they should all agree! I know the RFC says to canonicalize the contents, but as far as I know this doesn't happen in practice. Canonicalizing the contents would be impossible to begin with, because you would have to know which is text (so has line endings) and which isn't. Strictly speaking you should have a Content-type: header in every RFC 4130 (AS2) message, but as far as I know no canonicalization of the contents takes place.

The MIME headers might be a different story. A certified AS2 product that I have made _never_ canonicalizes received MIME headers and works fine. On sending we always generate MIME headers with \r\n (DOS line endings) but that is because RFC 2616 (HTTP) requires (or advises) this. There might be products that canonicalize \n MIME headers to \r\n before calculating the MIC; I don't know that, it will be safest to just generate the MIME headers (and MIME boundaries of course) with \r\n.

If you make your message and you sign it, you will find this. I think there might be a problem with your signing which is the problem.

... Notice that ALL 3 signatures have the same MESSAGE DIGEST

So there is a problem with your signing, it's as simple as that. Different byte sequences should always result in different message digests. At least separate the canonicalization (which I maintain isn't necessary) from the calculation of the MIC itself. This makes analysing what's going on much clearer. Calculating an MIC is basically just feeding a bunch of bytes to some OpenSSL routine, and always results in the exact same answer, which is also exactly the same as the value encoded in the PKCS7 encapsulation.

Notice that EVERY one of the MICs CALCULATED FIRST are different AMONG THEMSELVES, this is what you said, and I agree, because data is different But also notice that ONLY ONE OF THE MICs MATCH THE messageDigest inside all signatures

Yes, because your signing uses canonicalization, so the input to the message digest calculation is not three different messages but rather only one. And of course the only one that matches will be the one that happens to be the same before and after your canonicalization.

Which ONES MATCH? Not the one from the text not canonicalized Not the one from the text WITH ONLY MIME HEADERS canonicalized BUT THE ONE from text WITH ***ALL CANONICALIZED***

So your signing process uses full canonicalization. That's wrong and explains the failure with other products.

I have gone through another test about weird UTF-8 encoding but without success. They send me UTF-8 data (containing a,e,i,o,u acute and n with tilde in their UTF-8 encoding) and all that is further encoded again in UTF-8. I've done the double decoding, again the things of the canonicalization but still the MIC and messageDigest don't match.

For calculating the MIC all this character set encoding and possibly transfer encoding like quoted-printable (yes even this happens!) is completely irrelevant. Just take the bytes as an opaque structure, calculate the MIC and compare with the original.

These are just facts (not opinions) placed in words meaning this happens if only MIME headers are canonicalized: THE BUSINESS PARTNER'S certified software WILL REJECT your calculated MIC unless you watch the messageDigest inside the signature and make it MATCH with the MIC calculated. (more practical if you forget about calculating MIC and simply fetch the messageDigest inside the signature and send it back in the MDN's MIC.

The wording of the RFC 4130 is sometimes a little vague and there are lots of details only determined in practice but calculating the MIC is possible. As with many RFC's, only see it as a common starting point and concentrate on the way it is used in practice, which often differs. And as they say don't attribute to malice which can be explained by sheer incompetence! ;-)

So my advice: on sending use MIME headers and MIME boundaries (and HTTP headers, although not relevant for the MIC) with \r\n headers, and do not do any further canonicalization, either on sending or receiving. So in OpenSSL (finally something on topic!) always use the PKCS7_BINARY flag in the relevant function calls.

-- 
Marco Roeland
Re: problems with certificate chain
Goetz Babin-Ebell wrote:

> Sergio wrote:
> | Hi people,
>
> Hello Sergio,
>
> | client.pem are signed by
> | server.pem, and server.pem are signed by ca.pem.
>
> It is a bad bad idea to sign a client certificate with a server certificate. Usually server certificates don't have the extensions to sign certificates but have extensions explicitly signaling that they are not to be used to sign certificates. Try to sign the client certs with the ca certificate. Then check the freeradius configuration that the CA used to verify client certificates is the CA certificate. If you insist on an intermediate certificate between the CA and the client certificates you must either configure the server to also use the intermediate CA as a CA or you must configure the clients to send the intermediate back to the server.
>
> Goetz
> -- 
> DMCA: The greed of the few outweighs the freedom of the many

Hi Goetz,

I think so and you're right. Signing a client cert with a server cert is inefficient and all my problems would solve themselves if radius has ocsp support. If I sign all the certs with the ca private key everything works ok but people at the freeradius mailing list are insisting on the fact that the default configuration works. Also, if I put a both.pem file with server cert and ca cert and put both.pem into CA_file, it works. But because of this, I think I'd have problems checking the crl because the hash value of CA_file isn't ca file. Is it true?

Last question :) how can I know what my openssl.cnf file is? I have /etc/ssl/openssl.cnf, /usr/local/ssl and one more which I've forgotten. During this month, I've been using the -config option with the openssl ca command because editing the above files doesn't take effect.

Thank you very much
Newbie : is it possible to use SSL on multiple targets with just IP addresses ?
We are designing a new embedded system which runs its own web server.

When installed in the field, the majority of the units will *not* have a domain-name, just a local IP address, since they will mostly be used on company intranets (and so could be *any* ip address I guess). Most units will not have static IP addresses, but will rely on zeroconf or dhcp for address allocation.

I guess some companies may wish to expose units to the internet and probably will have some form of domain name setup for each one (e.g. unit1.foobar.com, unit2.foobar.com, etc)

So my question is this ... Can SSL + Certs be used / generated to work on such a dynamic type of network setup ?

TBH, all we are requiring is to obtain a secure connection to the web server, rather than certifying that the embedded units are who they say they are. Is there some other way of doing this (either via SSL or some other web technology) ?

I apologise if this is too open a question, but I've not managed to find a suitable Google search phrase that comes anywhere near to answering my question(s).

Thanks in advance
Mark
Re: Newbie : is it possible to use SSL on multiple targets with just IP addresses ?
Hi,

If I understand what you want to do, the answer is yes, it can be done. You can create a generic certificate with a given CN to be used in the embedded web server.

The next question is... who will use this web server? If it's a program, so your system is used as an update server (for instance, although in this case identification would be critical), you can deactivate the CN checking, so that even if your CN does not correspond to the host name used in the URL the program will not complain.

If you want a user to connect via a browser, the problem is that he will get a warning every time he connects (I'm not sure if this can be avoided just by accepting the certificate in the browser, as this is a CN problem, and not that the certificate is self-signed), although maybe this is not a problem for you; it depends on your application and who will use it.

Well, anyway, the answer to your question is yes, a generic certificate can be used to create an SSL connection if you don't care about authentication.

Best regards,
Ion Larrañaga
Re: SSL3_accept makes Server stuck
Kyle is right, I didn't set SO_KEEPALIVE on the socket in my server. Do I have to set SO_KEEPALIVE to avoid this situation on the server side? Since I use select in the main loop to deal with the timeout situation, is there any other way to prevent the OpenSSL library from waiting to read a socket indefinitely?

Thanks
-J Du

On Tue, Aug 5, 2008 at 2:11 PM, Kyle Hamilton [EMAIL PROTECTED] wrote:
> Because no data has been transmitted on the socket, the client didn't send an RST, and SO_KEEPALIVE wasn't set on the socket.
>
> -Kyle H
Re: SSL3_accept makes Server stuck
Put your sockets into nonblocking mode (with fcntl()). If they would block and you try to read them, the system call will return with EWOULDBLOCK.

Other than that, you can set an alarm; a signal will interrupt a system call. You might wish to set your signal handler to be a function that resets itself as the signal handler for SIGALRM and returns, because:

a) the default action for SIGALRM is to terminate the process
b) some UNIX implementations clear or disable the signal handler when the signal is raised

You should, of course, clear and reset the alarm after you read the data, so that the timeout is per-read and not per-process.

-Kyle H

On Thu, Aug 7, 2008 at 2:36 PM, Du, Jinsong [EMAIL PROTECTED] wrote:
> Kyle is right, I didn't set SO_KEEPALIVE on the socket in my server. Do I have to set SO_KEEPALIVE to avoid this situation in server side? Since I use select in the main loop to deal with time out situation, is there any other way to prevent OpenSSL library to wait for reading a socket indefinitely?
>
> Thanks
> -J Du
>
> On Tue, Aug 5, 2008 at 2:11 PM, Kyle Hamilton [EMAIL PROTECTED] wrote:
> > Because no data has been transmitted on the socket, the client didn't send an RST, and SO_KEEPALIVE wasn't set on the socket.
> >
> > -Kyle H
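One way to get the per-read timeout described above, as an added example that is not part of the original posts: the socket is put into non-blocking mode with fcntl(), and the wait for a silent peer is bounded by select() against a deadline instead of an alarm. The helper names and the socketpair() stand-in for a client that connects and sends nothing are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum { RD_TIMEOUT = -2, RD_ERROR = -1 };

/* Switch fd to non-blocking mode; returns 0 on success, -1 on failure. */
static int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0 ? -1 : 0;
}

/* Monotonic clock in milliseconds, unaffected by wall-clock changes. */
static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/*
 * Read up to len bytes from a non-blocking fd, waiting at most timeout_ms.
 * Returns the byte count (0 means the peer closed), RD_TIMEOUT or RD_ERROR.
 *
 * With OpenSSL the same wait applies when SSL_accept() or SSL_read() on a
 * non-blocking socket fails and SSL_get_error() reports SSL_ERROR_WANT_READ:
 * wait for readability with a deadline, then call the function again.
 */
static long read_with_timeout(int fd, void *buf, size_t len, int timeout_ms)
{
    long deadline = now_ms() + timeout_ms;

    if (fd < 0 || fd >= FD_SETSIZE)     /* select() cannot watch this fd */
        return RD_ERROR;

    for (;;) {
        ssize_t n = read(fd, buf, len);
        if (n >= 0)
            return (long)n;
        if (errno == EINTR)
            continue;
        if (errno != EAGAIN && errno != EWOULDBLOCK)
            return RD_ERROR;

        /* Nothing to read yet: sleep until data arrives or time runs out. */
        long left = deadline - now_ms();
        if (left <= 0)
            return RD_TIMEOUT;

        fd_set rfds;
        struct timeval tv;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec = left / 1000;
        tv.tv_usec = (left % 1000) * 1000;
        if (select(fd + 1, &rfds, NULL, NULL, &tv) < 0 && errno != EINTR)
            return RD_ERROR;
    }
}

int main(void)
{
    int sv[2];
    char buf[32];

    /* sv[1] plays a client that has connected but sends nothing. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || set_nonblocking(sv[0]) != 0)
        return 1;

    printf("silent peer: %ld\n", read_with_timeout(sv[0], buf, sizeof buf, 200));
    if (write(sv[1], "hello", 5) != 5)
        return 1;
    printf("after write: %ld\n", read_with_timeout(sv[0], buf, sizeof buf, 200));
    close(sv[1]);
    printf("after close: %ld\n", read_with_timeout(sv[0], buf, sizeof buf, 200));
    close(sv[0]);
    return 0;
}
```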
Re: problems with certificate chain
Sergio wrote:
| I think so and you're right. Signing a client cert with a server cert is
| inefficient and all my problems would solve itself if radius has ocsp
| support.

The missing support for OCSP is not your problem. Your problem is the broken certificate hierarchy. You should not sign client certificates with a server certificate. You should sign client certificates with a CA certificate. That CA certificate may or may not be identical with that CA that signed your server certificate.

| If i sign all the certs with ca private key everything works ok
| but people at freeradius mailing list are insisting on the fact that
| default configuration works.

Do I get you right: The people on the freeradius mailing list insist on client certs should be signed by the server certificate ? That is hard for me to believe. It seems here is a major misunderstanding.

| Also, if i put a both.pem file with server
| cert and ca cert and put both.pem into CA_file, works.

In the CA_file you put all (CA) certificates that issue certificates you may trust. If the server certificate issues client certificates it belongs there. But as I mentioned: That is a sign of a terribly broken concept.

| But because of
| this, i think i'd have problems to check the crl because the hash value
| of CA_file isn't ca file. Is it true?

?? CA_file (or whatever this config option is named) contains a list of all trusted CA certificates. This file is especially needed on the server if you use client authentication: It contains the list of CA names the server sends to the client to show which CAs it accepts (at least in SSL/TLS)

There may be another option, called CA_dir (or something like that). It contains every CA certificate in a separate file and optionally all CRLs to use. You run c_rehash on this directory to create special links OpenSSL can use to find CA certificates and their CRLs... These links contain an 8 byte hash value and an extension to differentiate between CA files and CRL files. This 8 byte hash is not calculated on the file, but on the subject DN. So it should be quite clear that every CA file in this directory should contain only one certificate.

| Last question :)
| how i can to know what's my openssl.cnf file? I have
| /etc/ssl/openssl.cnf, /usr/local/ssl and one more which i've forgotten.

    strings `which openssl` | grep openssl.cnf

should show the default configuration file of your openssl version. You can always overwrite this with the -config option.

| During this month, i've been using -config option with openssl ca
| command because editing above files doesn't take effect.

If in doubt, set the -config option.

Goetz
-- 
DMCA: The greed of the few outweighs the freedom of the many
Certificate creation stuck at 256 certificates
Hey there,

I have a server running Redhat 9 with openssl-0.9.7a-20.2

It has been happily running along creating certificates via webpage scripts for external access for clients. However, as of today it will not create certificates properly, giving an error when trying to create the certificate. When trying to read the subsequent pem file, I get:

    unable to load certificate
    6364:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

I have had a look around and it appears that the serial number for the last certificate created was FF (hex), indicating 256 certificates have so far been created. The next number in the serial file is 0100, which would seem the logical next number, however the certificate signing bails out on me.

Any ideas - I have been trying to get an updated version of openssl for RedHat9 without any luck so far ...

David Skeen
RE: Certificate creation stuck at 256 certificates
> I have had a look around and it appears that the serial number for the last certificate created was FF (hex), indicating 256 certificates have so far been created. The next number in the serial file is 0100, which would seem the logical next number, however the certificate signing bails out on me.

FF is not a legal certificate number. Certificate numbers must not be negative. (0xFF has the sign bit set and hence is negative.)

DS
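How the sign bit enters the encoding of the serials quoted in this thread, as an added example (not from the original posts and not OpenSSL's code): a certificate serial is an ASN.1 INTEGER, which is two's complement, so the DER content bytes decide whether a value such as FF reads as negative. The function names are assumptions; the input is the hex text of a serial file such as FF or 0100, without the trailing newline.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERIAL_BYTES 20   /* RFC 5280 limits serial numbers to 20 octets */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int nibble(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (char)toupper((unsigned char)c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Parse an even-length hex string into big-endian bytes; returns count or -1. */
static int hex_to_bytes(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > cap)
        return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/*
 * Encode a non-negative serial (hex text) as a DER INTEGER.
 * Redundant leading zero bytes are dropped, and a single 00 byte is added
 * when the top bit of the first byte is set, so the value stays non-negative.
 * Returns the encoded length, or -1 on bad input or a too-small buffer.
 */
static int serial_to_der(const char *hex, unsigned char *der, size_t cap)
{
    unsigned char raw[MAX_SERIAL_BYTES];
    int n = hex_to_bytes(hex, raw, sizeof raw);
    int skip = 0, pad, len;

    if (n < 0)
        return -1;
    while (skip < n - 1 && raw[skip] == 0)
        skip++;
    pad = (raw[skip] & 0x80) ? 1 : 0;
    len = pad + (n - skip);
    if ((size_t)len + 2 > cap)
        return -1;
    der[0] = 0x02;                  /* INTEGER tag */
    der[1] = (unsigned char)len;    /* short-form length, at most 21 here */
    if (pad)
        der[2] = 0x00;
    memcpy(der + 2 + pad, raw + skip, (size_t)(n - skip));
    return len + 2;
}

/*
 * Classify a DER INTEGER with a short-form length:
 * 1 = negative, 0 = non-negative, -1 = malformed or not minimally encoded.
 */
static int der_integer_sign(const unsigned char *der, size_t n)
{
    if (n < 3 || der[0] != 0x02 || der[1] >= 0x80 || (size_t)der[1] + 2 != n)
        return -1;
    if (der[1] > 1) {
        if (der[2] == 0x00 && !(der[3] & 0x80))
            return -1;              /* unnecessary 00 padding */
        if (der[2] == 0xFF && (der[3] & 0x80))
            return -1;              /* unnecessary FF padding */
    }
    return (der[2] & 0x80) ? 1 : 0;
}

int main(void)
{
    const char *serials[] = {"7F", "FF", "0100"};   /* FF and 0100 are from the thread */
    for (size_t i = 0; i < 3; i++) {
        unsigned char der[MAX_SERIAL_BYTES + 3];
        int n = serial_to_der(serials[i], der, sizeof der);
        printf("%-4s ->", serials[i]);
        for (int j = 0; j < n; j++)
            printf(" %02X", der[j]);
        printf("  sign=%d\n", der_integer_sign(der, (size_t)n));
    }
    return 0;
}
```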
RE: Certificate creation stuck at 256 certificates
Thanks for response!

Not sure what you are referring to about illegal cert number. Here is some more info:

    [EMAIL PROTECTED] demoCA]# ls
    cacert.pem  crl        index.txt.old  pem      serial
    certs       index.txt  newcerts       private  serial.old
    [EMAIL PROTECTED] demoCA]# cat serial
    0100
    [EMAIL PROTECTED] demoCA]# cat serial.old
    FF
    [EMAIL PROTECTED] demoCA]# ls newcerts
    01.pem 1B.pem 35.pem 4F.pem 69.pem 83.pem 9D.pem B7.pem D1.pem EB.pem
    02.pem 1C.pem 36.pem 50.pem 6A.pem 84.pem 9E.pem B8.pem D2.pem EC.pem
    03.pem 1D.pem 37.pem 51.pem 6B.pem 85.pem 9F.pem B9.pem D3.pem ED.pem
    04.pem 1E.pem 38.pem 52.pem 6C.pem 86.pem A0.pem BA.pem D4.pem EE.pem
    05.pem 1F.pem 39.pem 53.pem 6D.pem 87.pem A1.pem BB.pem D5.pem EF.pem
    06.pem 20.pem 3A.pem 54.pem 6E.pem 88.pem A2.pem BC.pem D6.pem F0.pem
    07.pem 21.pem 3B.pem 55.pem 6F.pem 89.pem A3.pem BD.pem D7.pem F1.pem
    08.pem 22.pem 3C.pem 56.pem 70.pem 8A.pem A4.pem BE.pem D8.pem F2.pem
    09.pem 23.pem 3D.pem 57.pem 71.pem 8B.pem A5.pem BF.pem D9.pem F3.pem
    0A.pem 24.pem 3E.pem 58.pem 72.pem 8C.pem A6.pem C0.pem DA.pem F4.pem
    0B.pem 25.pem 3F.pem 59.pem 73.pem 8D.pem A7.pem C1.pem DB.pem F5.pem
    0C.pem 26.pem 40.pem 5A.pem 74.pem 8E.pem A8.pem C2.pem DC.pem F6.pem
    0D.pem 27.pem 41.pem 5B.pem 75.pem 8F.pem A9.pem C3.pem DD.pem F7.pem
    0E.pem 28.pem 42.pem 5C.pem 76.pem 90.pem AA.pem C4.pem DE.pem F8.pem
    0F.pem 29.pem 43.pem 5D.pem 77.pem 91.pem AB.pem C5.pem DF.pem F9.pem
    10.pem 2A.pem 44.pem 5E.pem 78.pem 92.pem AC.pem C6.pem E0.pem FA.pem
    11.pem 2B.pem 45.pem 5F.pem 79.pem 93.pem AD.pem C7.pem E1.pem FB.pem
    12.pem 2C.pem 46.pem 60.pem 7A.pem 94.pem AE.pem C8.pem E2.pem FC.pem
    13.pem 2D.pem 47.pem 61.pem 7B.pem 95.pem AF.pem C9.pem E3.pem FD.pem
    14.pem 2E.pem 48.pem 62.pem 7C.pem 96.pem B0.pem CA.pem E4.pem FE.pem
    15.pem 2F.pem 49.pem 63.pem 7D.pem 97.pem B1.pem CB.pem E5.pem FF.pem
    16.pem 30.pem 4A.pem 64.pem 7E.pem 98.pem B2.pem CC.pem E6.pem
    17.pem 31.pem 4B.pem 65.pem 7F.pem 99.pem B3.pem CD.pem E7.pem
    18.pem 32.pem 4C.pem 66.pem 80.pem 9A.pem B4.pem CE.pem E8.pem
    19.pem 33.pem 4D.pem 67.pem 81.pem 9B.pem B5.pem CF.pem E9.pem
    1A.pem 34.pem 4E.pem 68.pem 82.pem 9C.pem B6.pem D0.pem EA.pem

I am not fully comprehending the whole demoCA procedure, however it is rather odd that things have stopped working as the serial number ticks over to 0100 from FF. Was hoping someone might have come across this before ...

Also, as a potential solution, is there a method for simply copying over a demoCA from an old server to a new server?

David Skeen
JDS Solutions

On Thu, 2008-08-07 at 20:19 -0700, David Schwartz wrote:
> > I have had a look around and it appears that the serial number for the last certificate created was FF (hex), indicating 256 certificates have so far been created. The next number in the serial file is 0100, which would seem the logical next number, however the certificate signing bails out on me.
>
> FF is not a legal certificate number. Certificate numbers must not be negative. (0xFF has the sign bit set and hence is negative.)
>
> DS
Compilation errors in openssl 0.9.8h version
Hello All,

Am trying to compile openssl 0.9.8h version. I am getting following errors during compilation.

    C:\Apache_2.2.9\httpd-2.2.9\srclib\openssl>nmake -f ms\ntdll.mak

    Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
    Copyright (C) Microsoft Corp 1988-1998. All rights reserved.

    Building OpenSSL
    cl /Fotmp32dll\cversion.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_IDEA -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_TLSEXT -DOPENSSL_NO_CMS -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -DMK1MF_BUILD -DMK1MF_PLATFORM_VC_WIN32 -c .\crypto\cversion.c
    cversion.c
    .\crypto\cversion.c(105) : error C2220: warning treated as error - no object file generated
    .\crypto\cversion.c(105) : warning C4129: 'o' : unrecognized character escape sequence
    NMAKE : fatal error U1077: 'cl' : return code '0x2'
    Stop.

Any thoughts?

Thanks in advance,
Prathima.
RE: Compilation errors in openssl 0.9.8h version
> Hello All,
>
> Am trying to compile openssl 0.9.8h version. I am getting following errors during compilation.
>
> C:\Apache_2.2.9\httpd-2.2.9\srclib\openssl>nmake -f ms\ntdll.mak
>
> Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
> Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
>
> Building OpenSSL
> cl /Fotmp32dll\cversion.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX

AM: /WX tells the compiler to treat a warning as an error.

> /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_IDEA -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_TLSEXT -DOPENSSL_NO_CMS -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -DMK1MF_BUILD -DMK1MF_PLATFORM_VC_WIN32 -c .\crypto\cversion.c
> cversion.c
> .\crypto\cversion.c(105) : error C2220: warning treated as error - no object file generated
> .\crypto\cversion.c(105) : warning C4129: 'o' : unrecognized character escape sequence

--- AM: This tells it all. In the code, you have somewhere \o - which is not recognized as an escape sequence. Escape seq examples are \n, \t, \r ... Since you have used /WX, this warning is treated as an error, and the compiler aborts. Correct this portion of the code, or remove /WX from compiler option.

Thanks,
Ambarish.

> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.
>
> Any thoughts?
>
> Thanks in advance,
> Prathima.
Re: Compilation errors in openssl 0.9.8h version
Hello,

When you run Configure if you pass the prefix, you must use slashes (Unix) instead of backslashes (Windows), even if you are compiling in a Windows system. If you do something like this:

    perl Configure VC-WIN32 --prefix c:\openssl

The compiler will complain because somewhere in the code, a string c:\openssl appears, so the compiler thinks that with '\o' you mean some kind of escape sequence (kind of '\n' and '\b'), and '\o' is not defined. You must use slashes. This is:

    perl Configure VC-WIN32 --prefix c:/openssl

Even though you are compiling under Windows.

Best regards,
Ion
RE: Compilation errors in openssl 0.9.8h version
Thanks Ion for quick response.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Larrañaga
Sent: Friday, August 08, 2008 11:24 AM
To: openssl-users@openssl.org
Subject: Re: Compilation errors in openssl 0.9.8h version

Hello,

When you run Configure if you pass the prefix, you must use slashes (Unix) instead of backslashes (Windows), even if you are compiling in a Windows system. If you do something like this:

    perl Configure VC-WIN32 --prefix c:\openssl

The compiler will complain because somewhere in the code, a string c:\openssl appears, so the compiler thinks that with '\o' you mean some kind of escape sequence (kind of '\n' and '\b'), and '\o' is not defined. You must use slashes. This is:

    perl Configure VC-WIN32 --prefix c:/openssl

Even though you are compiling under Windows.

Best regards,
Ion