RE: Which version of 0.9.9 is stable enough to use?
Kyle H wrote:
> Make sure that the OpenSSL includes that your program is compiled with are the ones from the 0.9.9 snapshot you built, not the ones from /usr/include or /usr/include/openssl.
>
> -Kyle H
>
> On Sun, Nov 16, 2008 at 12:11 PM, Vishnu Param [EMAIL PROTECTED] wrote:
> > I have followed your advice, and tried compiling the latest snapshot of 0.9.9. It finishes compiling, and even installs on my system. My system is Ubuntu 8.04. These are the steps I took to compile OpenSSL:
> >
> >     ./config --prefix=/home/zero/test --openssldir=/home/zero/test/openssl no-shared
> >     make
> >     make test
> >     make install
> >
> > However, when I link my program to the static library, I get these errors:
> >
> >     /home/zero/test/lib/libssl.a(s3_enc.o): In function `ssl3_change_cipher_state':
> >     s3_enc.c:(.text+0xa38): undefined reference to `COMP_CTX_free'
> >     s3_enc.c:(.text+0xa4e): undefined reference to `COMP_CTX_new'
> >     s3_enc.c:(.text+0xa9e): undefined reference to `EVP_CIPHER_CTX_cleanup'
> >     s3_enc.c:(.text+0xad5): undefined reference to `COMP_CTX_free'
> >     s3_enc.c:(.text+0xaeb): undefined reference to `COMP_CTX_new'
> >
> > I get these in addition to a whole load of other undefined references. So, to make sure I was doing the compilation steps properly, I tried again with 0.9.8i. No luck either, it seems I still get the same problem. Seems like I am doing something wrong in my compilation steps. Can anyone point me in the right direction?
> >
> > Thanks,
> > Vishnu

I am sure I am pointing to the 0.9.9 libraries/headers, because I wouldn't get these errors if I wasn't. What could possibly cause all these undefined references? It also happens when I compile 0.9.8i myself. I think there is something wrong with my compilation steps, even though openssl compiles just fine.

Here is my error (when linking to openssl libraries):

    Invoking: GCC C Linker
    gcc -static -L/home/zero/test/lib -oSSLclient ./client.o -lcrypto -lpthread -lssl
    /home/zero/test/lib/libcrypto.a(b_sock.o): In function `BIO_get_host_ip':
    b_sock.c:(.text+0x532): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    /home/zero/test/lib/libcrypto.a(b_sock.o): In function `BIO_get_port':
    b_sock.c:(.text+0x733): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    /home/zero/test/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
    dso_dlfcn.c:(.text+0x2d): undefined reference to `dlopen'
    dso_dlfcn.c:(.text+0x43): undefined reference to `dlsym'
    dso_dlfcn.c:(.text+0x4d): undefined reference to `dlclose'
    /home/zero/test/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
    dso_dlfcn.c:(.text+0x8f): undefined reference to `dladdr'
    dso_dlfcn.c:(.text+0xe8): undefined reference to `dlerror'
    /home/zero/test/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
    dso_dlfcn.c:(.text+0x445): undefined reference to `dlsym'
    dso_dlfcn.c:(.text+0x526): undefined reference to `dlerror'
    /home/zero/test/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
    dso_dlfcn.c:(.text+0x5b1): undefined reference to `dlsym'
    dso_dlfcn.c:(.text+0x68d): undefined reference to `dlerror'
    /home/zero/test/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
    dso_dlfcn.c:(.text+0x6f3): undefined reference to `dlclose'
    /home/zero/test/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
    dso_dlfcn.c:(.text+0x7c7): undefined reference to `dlopen'
    dso_dlfcn.c:(.text+0x838): undefined reference to `dlclose'
    dso_dlfcn.c:(.text+0x87d): undefined reference to `dlerror'
    /home/zero/test/lib/libssl.a(t1_lib.o): In function `tls1_process_ticket':
    t1_lib.c:(.text+0x64e): undefined reference to `EVP_aes_128_cbc'
    /home/zero/test/lib/libssl.a(t1_enc.o): In function `tls1_change_cipher_state':
    t1_enc.c:(.text+0x1271): undefined reference to `COMP_CTX_free'
    t1_enc.c:(.text+0x128a): undefined reference to `COMP_CTX_new'
    t1_enc.c:(.text+0x1348): undefined reference to `COMP_CTX_free'
    t1_enc.c:(.text+0x1361): undefined reference to `COMP_CTX_new'

And a whole lot more undefined references. Please help.

Thanks,
Vishnu.
Re: help
As u said that if u use already provided certificates then it work fine right... it means that your certificates are not proper at both end.. means may be there is any mismatching of the certificates.. may be u r missing something.. it just my assumptions..

Also u sent me the errors that shows there is some reading problem could u please send me the flow of API's u r using for the ur client and server...

On Mon, Nov 17, 2008 at 4:34 PM, naveen.bn [EMAIL PROTECTED] wrote:
> vinni rathore wrote:
> > What is ur failure error messages can u please send them...
> >
> > On Fri, Nov 14, 2008 at 10:21 PM, Michael Simms [EMAIL PROTECTED] wrote:
> > > > I am new to SSL. I have installed openssl and using the SSL APIs, I have written a small client - server program in C, but SSL_connect fails from client end and SSL_accept fails from server. I have generated the root CA certificate, which I have used to sign both the client and server certificate.
> > >
> > > Are you aware you need to call SSL_connect and SSL_accept a number of times, checking the error return to see if it WANTS_READ or WANTS_WRITE, and reading/writing as appropriate? It can take a number of calls to the connect/accept before it finishes the job.
> > >
> > > Thanks
> > > --
> > > Michael Simms
> > >
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List openssl-users@openssl.org
> > > Automated List Manager [EMAIL PROTECTED]
> >
> > --
> > regards,
> > Vineeta Kumari
> > Software engg
> > Mobera Systems
> > Chandigarh
>
> Hi,
>
> Thanks for the reply. After the SSL_connect(ssl), I called SSL_get_error(ssl,ret) and the ret value is 0 always. At the server end SSL_accept returns 0 with SSL_ERROR_NONE. Is there any other way of debugging the client code to find out where it is failing. If I use the same certificates with the command line server and client provided with the openssl tool it works.
>
> Thanks and regards
> naveen

--
regards,
Vineeta Kumari
Software engg
Mobera Systems
Chandigarh
Re: help
Hi Vineeta,

Thank you for your reply. Now the client code works, I had made a mistake in assigning the created socket to BIO.

Thank You
naveen.
RE: help
Please take reference file s_client.c and s_server.c from openssl project in folder apps.

Thank you.

Regards,
--Ajeet Kumar Singh
Re: Which version of 0.9.9 is stable enough to use?
* Vishnu Param wrote on Mon, Nov 17, 2008 at 16:12 +0800:
> s3_enc.c:(.text+0xaeb): undefined reference to `COMP_CTX_new'
>
> I am sure I am pointing to the 0.9.9 libraries/headers, because I wouldn't get these errors if I wasn't.

I think what you were supposed to ensure is that you have the right headers; maybe you have system-wide installed older in -isystem.

> Invoking: GCC C Linker
> gcc -static -L/home/zero/test/lib -oSSLclient ./client.o -lcrypto -lpthread -lssl

-static with glibc? I think at least resolver remains using dynamic linking...

> dso_dlfcn.c:(.text+0x2d): undefined reference to `dlopen'

... and this module also seem to use dynamic linking. -ldl (for the others I don't know)

oki,

Steffen
RE: Which version of 0.9.9 is stable enough to use?
I removed static, and put in -ldl, I still get the errors:

    Invoking: GCC C Linker
    gcc -L/home/zero/test/lib -oSSLclient ./client.o -lcrypto -ldl -lpthread -lssl
    /home/zero/test/lib/libssl.a(t1_lib.o): In function `tls1_process_ticket':
    t1_lib.c:(.text+0x64e): undefined reference to `EVP_aes_128_cbc'
    /home/zero/test/lib/libssl.a(t1_enc.o): In function `tls1_change_cipher_state':
    t1_enc.c:(.text+0x1271): undefined reference to `COMP_CTX_free'
    t1_enc.c:(.text+0x128a): undefined reference to `COMP_CTX_new'
    t1_enc.c:(.text+0x1348): undefined reference to `COMP_CTX_free'
    t1_enc.c:(.text+0x1361): undefined reference to `COMP_CTX_new'
    /home/zero/test/lib/libssl.a(ssl_lib.o): In function `ssl_clear_cipher_ctx':
    ssl_lib.c:(.text+0xfaa): undefined reference to `COMP_CTX_free'
    ssl_lib.c:(.text+0xfc6): undefined reference to `COMP_CTX_free'
    /home/zero/test/lib/libssl.a(ssl_lib.o): In function `SSL_CTX_load_verify_locations':

And of course, a whole load more undefined references. Any ideas? Please, any help is appreciated.

Thanks,
Vishnu.
Re: Create a new extension
Hello Omar:

On November 16, 2008 07:21:01 pm Massive Cava wrote:
> Hi Patrick, my goal would be to create an X509 certificate who carry those extension that I have described. In fact I need the certificate to test an application that I made in Java which produce SAML Assertion. In this certificate it's my job to take care of these custom assertion, managing the new OID value ... the real problem I have is how to configure openssl because I have looked for some example about creating custom extension but I have not found yet. I can also put a default value in those extension, the best would be copy the value from an external source (for example the new field I told that are in the certificate request ... is possible using the in this sense ?)

The right way to do this is to have the user log into the Identity Provider using their certificate with only the fields CertificatePolicy, KeyUsage of Digital Signature, and EKU of Client Authentication, and then, based on that authentication, lookup the attribute in a directory somewhere and populate the SAML assertion with the value from the directory.

As I said, having this information in the certificate is definitely not the best way to do what you are looking to accomplish. The best way to think of it is: X.509 Certificates are for proving Identity. Federation Directories and assertions are for providing attributes about that particular identity. When you try and mix the two concepts, you *WILL* run into problems.

Have fun.

Patrick.

> Thank you
> Omar
> PS sorry for my bad english
>
> Date: Sun, 16 Nov 2008 16:29:19 -0500
> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: Re: Create a new extension
>
> > Massive Cava wrote:
> > > Hi to all, I need to configure correctly the file openssl.cnf to create new extension, I can modify the config. file and add some new field at the certificate request, for example date of birth, unique ID of student and his level, but how can I switch these field to X509 extension when I sign the certificate with the command ca ... ???
> >
> > Please tell me that you are not encoding these values into an extension in the certificate??? Unless you are doing Attribute Certificates, encoding these values in as arbitrary extensions is probably NOT what would be considered best practice, and will definitely cause implementation details.
> >
> > First of all, encoding some of those values (Student Birthdays, etc.) in a format whose design is to assist in making a value public (the Public Key) is possibly against the educational or general privacy laws in a number of countries (US, Canada, Most of Europe).
> >
> > What you most likely want to do is either use Attribute Certificates (not supported by very many implementations of anything outside of the US DoD), or Federated Attributes using a technology like WS-Fed, or the Liberty Alliance SAML specifications. This would allow you to only provide those attributes to only those sources that you know have a pre-existing relationship with the student, and thus a need to know about those attributes.
> >
> > On a more practical note, if you encode those kinds of values as arbitrary extensions in a certificate, then you would have to write code into your Relying party code, to correctly interpret those custom extensions. Most organisations that I know don't want to maintain their own mod_ssl patches or ISAPI filters (assuming that you are going to be doing some sort of web application with these certificates).
> >
> > All of that said, if you DO want help to implement something like this, then please provide the ASN.1 encoding that you would like to use for the extensions, and we can probably help you encode those custom extensions.
> >
> > Just some advice from someone who has been there, seen that, seen what happens 6 months later.
> >
> > Patrick.

--
Patrick Patterson
President and Chief PKI Architect, Carillon Information Security Inc.
http://www.carillon.ca
Setting up Open-SSL to use a proxy server
Hi, I am using openssl to make HTTPS connection to other-websites. Now I want to make these connections via a proxy server. Any ideas? regards, Sugandh
Re: Setting up Open-SSL to use a proxy server
On Mon, Nov 17, 2008 at 08:37:05PM +0530, Sugandh Rakha wrote:
> I am using openssl to make HTTPS connection to other-websites. Now I want to make these connections via a proxy server. Any ideas?

Make the proxied connection, then start TLS on the already connected socket. The OpenSSL library does not AFAIK include code to make the proxied connection, so you do that by other means.

--
Viktor.
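
Added example (not part of the original thread and not OpenSSL code): assuming the proxy is an HTTP proxy that supports the CONNECT method, which the thread does not specify, these C helpers build the request and decide from the proxy's reply whether the socket is ready for TLS. The function names and the sample replies are constructed for illustration.

```c
/* Added example: helpers for an HTTP CONNECT tunnel. Names are hypothetical;
 * nothing here is OpenSSL API. Sample proxy replies are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Write the CONNECT request for host:port into buf. Returns its length, or
 * -1 if the host holds anything but [A-Za-z0-9.-] (blocks CR/LF header
 * injection), the port is out of range, or buf is too small. */
int build_connect_request(char *buf, size_t cap, const char *host, unsigned port)
{
    const char *p;
    int n;

    if (host[0] == '\0' || port == 0 || port > 65535)
        return -1;
    for (p = host; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return -1;
    n = snprintf(buf, cap, "CONNECT %s:%u HTTP/1.1\r\nHost: %s:%u\r\n\r\n",
                 host, port, host, port);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Inspect the bytes read from the proxy so far. Returns the 3-digit status
 * once the header block (ending in CRLF CRLF) is complete, 0 if more bytes
 * are needed, -1 if the reply is not HTTP. *hdr_len is set to the header
 * length; any bytes after it already belong to the tunnel. */
int parse_connect_response(const char *buf, size_t len, size_t *hdr_len)
{
    size_t i;

    for (i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            break;
    if (i + 4 > len)   /* terminator not seen yet */
        return (len >= 5 && memcmp(buf, "HTTP/", 5) != 0) ? -1 : 0;
    if (i < 12 || memcmp(buf, "HTTP/1.", 7) != 0
        || !isdigit((unsigned char)buf[7]) || buf[8] != ' '
        || !isdigit((unsigned char)buf[9]) || !isdigit((unsigned char)buf[10])
        || !isdigit((unsigned char)buf[11]))
        return -1;
    *hdr_len = i + 4;
    return (buf[9] - '0') * 100 + (buf[10] - '0') * 10 + (buf[11] - '0');
}

int main(void)
{
    /* Constructed replies a proxy might send. */
    const char *replies[] = {
        "HTTP/1.1 200 Connection established\r\n\r\n",
        "HTTP/1.1 407 Proxy Authentication Required\r\n"
        "Proxy-Authenticate: Basic\r\n\r\n",
        "HTTP/1.1 200 Conn",
    };
    char req[256];
    size_t i, hdr = 0;

    if (build_connect_request(req, sizeof req, "www.example.com", 443) > 0)
        printf("%s", req);
    for (i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        int st = parse_connect_response(replies[i], strlen(replies[i]), &hdr);
        /* Only on 2xx is the socket a tunnel: then pass the fd to
         * SSL_set_fd()/SSL_connect() and verify the certificate against
         * the origin host name, not the proxy's. */
        printf("reply %u -> %s\n", (unsigned)i,
               st >= 200 && st < 300 ? "tunnel up, start TLS" :
               st == 0 ? "need more bytes" : "do not start TLS");
    }
    return 0;
}
```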
how to verify if the public_key is valid to decrypt data using RSA_public_decrypt()
I'm using RSA to encrypt/decrypt some text. I encrypt the data using the private key and then decrypt it using RSA_public_decrypt(). One thing I noticed was that if the data was not encrypted using the correct private key that RSA_public_decrypt() will just set the output to gibberish. Is there any way to check if the public_key is the correct key to decrypt that data before actually decrypting it? That way I can bail out early and say invalid data file rather than parsing through a bunch of gibberish?

~Shaun
AES CTR mode via EVP
Hi,

I'm using EVP_CipherInit and EVP_Cipher for AES-CBC encrypt/decrypt. I want to use AES-CTR too with EVP functions. But the EVP ctr functions are undefined by #if 0 in evp.h since May 2002 (from the start). Is there a plan to implement it in future release?

Thanks,
--
NAGATA Shinya [EMAIL PROTECTED]
RE: how to verify if the public_key is valid to decrypt data using RSA_public_decrypt()
> I'm using RSA to encrypt/decrypt some text. I encrypt the data using the private key and then decrypt it using RSA_public_decrypt(). One thing I noticed was that if the data was not encrypted using the correct private key that RSA_public_decrypt() will just set the output to gibberish. Is there any way to check if the public_key is the correct key to decrypt that data before actually decrypting it? That way I can bail out early and say invalid data file rather than parsing through a bunch of gibberish?
>
> ~Shaun

Feel free to implement this functionality any way that you want. You've specifically opted for the low-level APIs that don't provide this kind of functionality. So if you want it, either use it where it's provided or code it.

Note that RSA_public_decrypt is only useful for signatures. Otherwise, you've turned RSA into a symmetric encryption algorithm and have to keep the public key secret.

DS
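
Added example (not part of the original thread and not OpenSSL code): a textbook RSA signature in C with toy 30-bit keys, showing how signature verification rejects a wrong public key or altered data by comparing the recovered block with the expected encoding instead of parsing it. All names, keys and messages are constructed for illustration, and FNV-1a stands in for a real hash.

```c
/* Added example: textbook RSA signature, toy 30-bit keys, constructed data. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t n, e, d; } toy_key;

static uint64_t modpow(uint64_t b, uint64_t x, uint64_t n)
{
    uint64_t r = 1;
    for (b %= n; x; x >>= 1, b = b * b % n)   /* n < 2^31: no overflow */
        if (x & 1)
            r = r * b % n;
    return r;
}

/* Inverse of a modulo m by extended Euclid; a and m must be coprime. */
static uint64_t modinv(int64_t a, int64_t m)
{
    int64_t t = 0, nt = 1, r = m, nr = a, q, tmp;
    while (nr != 0) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + m : t);
}

toy_key toy_make_key(uint64_t p, uint64_t q)
{
    toy_key k = { p * q, 65537, 0 };
    k.d = modinv((int64_t)k.e, (int64_t)((p - 1) * (q - 1)));
    return k;
}

/* FNV-1a, standing in for a real hash such as SHA-256. */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}

/* Block that is signed: a fixed 9-bit tag above 20 digest bits (toy padding). */
static uint64_t encode(const char *msg)
{
    return (0x1A5ull << 20) | (fnv1a(msg) & 0xFFFFFu);
}

/* Private-key operation: only the key owner can produce this value. */
uint64_t toy_sign(const char *msg, const toy_key *k)
{
    return modpow(encode(msg), k->d, k->n);
}

/* Public-key operation. Returns 1 only when the recovered block equals the
 * expected encoding of msg; a wrong key or altered data returns 0, so the
 * caller rejects the input without parsing the recovered bytes. */
int toy_verify(const char *msg, uint64_t sig, const toy_key *pub)
{
    return sig < pub->n && modpow(sig, pub->e, pub->n) == encode(msg);
}

int main(void)
{
    toy_key right = toy_make_key(8191, 131071);   /* signer's key pair */
    toy_key wrong = toy_make_key(65521, 10007);   /* some other key pair */
    uint64_t sig = toy_sign("invoice 1001", &right);

    printf("right key %d, wrong key %d, altered data %d\n",
           toy_verify("invoice 1001", sig, &right),
           toy_verify("invoice 1001", sig, &wrong),
           toy_verify("invoice 1002", sig, &right));
    return 0;
}
```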
Re: openssl-0.9.8-stable-SNAP-20081115 and FIPS
On Mon, Nov 17, 2008 at 02:33:18PM -0500, Green, Paul wrote:
> Dear 'The Doctor',
>
> I am not on the OpenSSL team so I'm just speaking for myself here. But I have done work on many other open-source products, so I'm responding based on my overall experience with open-source development.
>
> When you find a problem in an open-source product, the accepted protocol is to boil the problem down to the smallest reproducible test case that reliably demonstrates the failure and then post just that information. Posting the entire output of the build procedure is incredibly lame and completely unhelpful. Posting to two different OpenSSL mailing lists is also clueless; they have different purposes. If I were a member of the OpenSSL team, I'd ignore your postings until you took the time to learn how to add value to the process instead of being a drag on other people's productivity.

Well I moved everything to 0.9.9/dev so that is up to the programmers to find the rest.
RE: Which version of 0.9.9 is stable enough to use?
Steffen wrote:
> Hello again,
>
> just wondering, shouldn't -lssl the first of -l options? sry forgot in my first mail. Don't know if this makes any change (especially for the last error) but maybe worth a try?
>
> oki,
>
> Steffen

Wow, that was great. Solved everything. Thanks Steffen. But how come this is not necessary with the version that is provided in my distro?

Thanks,
Vishnu.
OpenSSL v0.9.9 connection refused error
I use Linux, and I custom compiled my OpenSSL 0.9.9. This is my BIO_connect code:

    conn = BIO_new_connect(SERVER ":" PORT);

However, I get this error:

    ** ../client.c:66 Error connecting to remote machine
    3084527244:error:0200206F:system library:connect:Connection refused:bss_conn.c:269:host=10.61.45.15:6001
    3084527244:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273:

The server.c application seems to be listening, but it does not pick up any requests. This is my listening code:

    acc = BIO_new_accept(PORT);
    if (!acc)
        int_error("Error creating server socket");
    /* the first BIO_do_accept() call sets up and binds the listening socket */
    if (BIO_do_accept(acc) <= 0)
        int_error("Error binding server socket");

Both programs (server.c and client.c) compile and run perfectly using OpenSSL 0.9.8. Are there any changes that need to be made that I don't seem to realize?

Thanks,
Vishnu.