Verify a certificate
Hi,

I need to verify the attached certificate (cert.bin) and read the ASN.1 info stored in it. I'm using the following commands:

    openssl smime -verify -in cert.pem -inform pem -CAfile signer.pem > cert.data

and then:

    openssl asn1parse -inform DER -in cert.data

Now, if the signer gives me signer.pem, all is fine. Some signers put their public certificate inside the binary certificate (see cert.bin attached); in these cases I'm unable to verify the certificate. I get this error:

    Verification failure
    10280:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:378:

Attached are:

1) cert.bin, the original binary certificate
2) cert.pem, obtained with the command:
       openssl pkcs7 -in cert.bin -out cert.pem -inform DER
3) as signer certificate (signer.pem) I'm using the certificate found at the end of cert.cer. cert.cer is obtained with the command:
       openssl pkcs7 -in cert.bin -inform DER -print_certs -text > cert.cer

Any hints would be appreciated, thanks

Nicola

certs.tar.gz
Description: GNU Zip compressed data
Re: revoking crt
On 07/18/2011 08:09 PM, y...@inbox.lv wrote:

> Is that really a self-signed certificate? For self-signed certificates names of issuer are the same as names of subject. In your example OU and CN are not the same.
>
> Also, according to Wikipedia, self-signed certificates (root certificates) cannot be revoked, although I do not understand why. (CRL could be signed by certificate's own key).

Yes, I think it's a self-signed certificate. I did this years ago with a HowTo for OpenVPN.

I revoked a certificate 2 years ago on another machine. There the entry in index.txt looks like this:

    R 191122112605Z 100607152858Z 0B unknown /C=DE/ST=BY/O=xxx/OU=Ben Zuhause/CN=Ben Zuhause/Email=xxx

Regards
Daniel

> Quoting Daniel Spannbauer d...@marco.de:
>
>> Hello,
>>
>> I use self-signed certificates for my VPN. Now, I try to revoke a crt. I called:
>>
>>     openssl ca -revoke edge.crt -config vpn.conf
>>
>> But I get the error:
>>
>>     ERROR:name does not match /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/emailAddress=xxx
>>
>> The header of the crt:
>>
>>     Certificate:
>>         Data:
>>             Version: 3 (0x2)
>>             Serial Number: 8 (0x8)
>>             Signature Algorithm: md5WithRSAEncryption
>>             Issuer: C=DE, ST=BY, L=yyy, O=xxx, OU=gate tun1, CN=gate tun1/Email=xxx
>>             Validity
>>                 Not Before: May 14 11:12:27 2010 GMT
>>                 Not After : May 11 11:12:27 2020 GMT
>>             Subject: C=DE, ST=BY, O=xxx, OU=edge am, CN=edge am/Email=xxx
>>             Subject Public Key Info:
>>                 Public Key Algorithm: rsaEncryption
>>                 RSA Public Key: (1024 bit)
>>
>> The entry in index.txt:
>>
>>     V 20051227Z 08 unknown /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/Email=xxx
>>
>> In my opinion, there is no error in crt or index.txt. Can anybody help me to find the error?
>>
>> Regards
>> Daniel

--
Daniel Spannbauer, Software Development
marco Systemanalyse und Entwicklung GmbH
Tel +49 8333 9233-27, Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen
Mobile +49 171 4033220
http://www.marco.de/
Email d...@marco.de
Managing Director: Martin Reuter
HRB 171775, Amtsgericht München
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: revoking crt
Revoking a CA-issued certificate requires the CA private key. It is necessary to sign the CRL. Maybe your CA was located on that other machine?
Re: [openssl-users] RE: revoking crt
On 19 July 2011, y...@inbox.lv wrote:

> If that CRL is trying to revoke that root certificate, what in that CRL could be forged?

If that CRL tells the private key is compromised, how could you trust this CRL (since it was signed by a compromised private key)?

> CRL can only revoke a CRT, not unrevoke, right?

Yes, it can. A CRL is a present state of revoked certificates. Remove a certificate's serial number from a CRL, it is no longer revoked.

A root CA can not be revoked, that's all. Think of revocation as an automatic way to suspend trust in a certificate. PKI only transfers trust, it doesn't create it. The trust that is transferred (by signing and/or revoking certificates) is explicitly (and manually) placed into the root, by an off-band method. Revocation of the root would consist of removal of this trust, and as it was manually added, it also must be manually removed.

> I know, that when revoking a certificate, CRL is signed by certificate issuer (CA), is there a reason, why a (small) CRL could not be signed by certificate itself?

CRL scope. Read X.509.

> (after all, anyone using leaked private key would be interested to delay revocation, but they have no means of preventing it)

--
Erwann ABALEA erwann.aba...@keynectis.com
R&D Department, KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tel.: +33 1 55 64 22 07
http://www.keynectis.com
-
All wiyht. Rho sritched mg kegtops awound?
Re: Trying to Link Statically to Libcrypto
On 19.07.2011 07:20, brandon...@aol.com wrote:

> Actually, I was advised to put libssl after libcrypto.

I'm afraid that is the wrong order. See below.

> I don't recall being told to put libssl after libldap.

Yep, may be. The rule is that libs with objects that are used by another lib must be placed after that lib. Since libldap uses libssl, libldap must be placed before libssl.

> Also, knowing that order matters is of little use if you don't grasp what the order should be.

That's true, but sometimes you can guess or you see that one library needs another one by looking at the error messages:

> *From:* brandon...@aol.com
> *Sent:* Monday, July 18, 2011 4:46 PM
>
> I put the -static where it belongs. Here is a partial list of the output:
>
> /usr/lib/gcc/i586-redhat-linux/4.4.1/../../../libldap.a(tls_o.o): In function `tlso_sb_close':
> (.text+0xa6): undefined reference to `SSL_shutdown'

Here you see that the function tlso_sb_close needs SSL_shutdown and that tlso_sb_close is in tls_o.o, which is in libldap.a. Guess where you can find SSL_shutdown? ;-)

Here is a simplified example that links statically with libssl (and libcrypto), but not with libldap:

    g++ -o my_prog.exe my_prog.o ../../my_lib/mylib.a \
        -static /usr/local/xx/lib/libtiff.a \
        /usr/local/xx/lib/libssl.a /usr/local/xx/lib/libcrypto.a \
        -lws2_32

Since libldap needs libssl, you can put it where the example has libtiff.a (you won't need that anyway, it's only an example), and you should be done ... unless libldap has other dependencies on libs that are not mentioned here. You'd need to look up this in the libldap docs.

HTH

--
Regards
Albrecht
Trust Chain Loading and signature verification of a certificate
Hi,

I have 10 different CA root certificates, each with a depth of 3 intermediate certificates, in a folder. I want to verify the signature of the incoming certificate, which is a P7b file that can contain the certificates that need to be validated (3 different certificates to validate) or one certificate that needs to be validated with its intermediate CA. Intermediate certificates can also be in the P7b file, but not the root certificate or self-signed certificates.

Please can anyone tell me how to load the trust chain and verify? I am not able to understand the X509_STORE and X509_STORE_CTX concepts. (I am using C++.)

Thanks
Regards
Balamurugan
Re: Trying to Link Statically to Libcrypto
On Tue July 19 2011, Albrecht Schlosser wrote:

> Since libldap needs libssl, you can put it where the example has libtiff.a (you won't need that anyway, it's only an example), and you should be done ... unless libldap has other dependencies on libs that are not mentioned here. You'd need to look up this in the libldap docs.

Good advice: Read the docs.

But a quicker answer to just a symbol or a few: use the toolchain.

I am beginning to think that somewhere along the line you stopped using Eclipse with the CDT plug-in (for C/C++ coding) since it has a window for this object/library relationship exploring. (or you have that window closed.)

This really isn't a mailing list for HowTo use gnu toolchain, or HowTo use Eclipse, but we have come this far. . . . .

Open your terminal window; enter:

    whereis libldap
    libldap: /usr/lib/libldap.a /usr/lib/libldap.so

Now enter:

    nm /usr/lib/libldap.a

be rewarded with a listing 1,830 lines long of the symbols defined and the external symbols referenced.

Of course, entering:

    nm --help

will give you the command options, and

    man nm

will give you all of the sicken details (the manual "man" command is your friend on any *nix type system).

But for those readers interested in the instant answer -

The symbols this library provides (meaning this library is __before__ the users of these symbols in the link command),
Enter:

    nm --defined /usr/lib/libldap.a

The symbols this library requires (meaning this library is __after__ the providers of these symbols in the link command),
Enter:

    nm --undefined-only /usr/lib/libldap.a

Note: The nm (names) utility will do the same for dynamic libraries (*.so), object files (*.o) along with the static libraries (*.a).

Mike

PS: The Eclipse CDT plug-in uses the toolchain to draw that explorer tree window - I am not sure why your installation isn't doing the above for you.

HTH
Re: ECDSA public key token to/from binary
owner-openssl-us...@openssl.org wrote on 07/18/2011 09:49:33 AM:

> From: Billy Brumley bbrum...@gmail.com
> To: openssl-users@openssl.org
> Date: 07/18/2011 10:00 AM
> Subject: Re: ECDSA public key token to/from binary
> Sent by: owner-openssl-us...@openssl.org
>
> Dear Ken,
>
> One way to accomplish this is something along the lines of
>
>     EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
>
> where EC_KEY is the key structure, returning the point as an EC_POINT structure, followed by
>
>     int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *, BIGNUM *x, BIGNUM *y, BN_CTX *);
>
> where EC_GROUP is set up for P-521 (have a look at EC_GROUP_new_by_curve_name), EC_POINT is the public key from the previous call; it dumps the coordinates to x and y, where you can use BN_bn2bin or whatever you like. You'd reverse it with

Thanks for the response. Are X and Y the public key?

I tried this and it seems to work. Error checking omitted for easier reading. Comments?

Getting the public key:

    group = EC_KEY_get0_group(eckey);
    ec_point = EC_KEY_get0_public_key(eckey);
    *publicKeyLength = EC_POINT_point2oct(group, ec_point,
                                          POINT_CONVERSION_UNCOMPRESSED,
                                          *publicKey, *publicKeyLength, NULL);

Setting the public key:

    *ecPubKey = EC_KEY_new();
    group = EC_GROUP_new_by_curve_name(nid);
    ec_point = EC_POINT_new(group);
    EC_KEY_set_group(*ecPubKey, group);
    EC_POINT_oct2point(group, ec_point, publicKey, publicKeyLength, NULL);
    EC_KEY_set_public_key(*ecPubKey, ec_point);

>     int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *, const BIGNUM *x, const BIGNUM *y, BN_CTX *);
>
> followed by
>
>     int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
>
> While this is the manual way to do it that you've asked for, there are a few caveats that can affect security so if possible I'd consider standard (ANSI? P1363?) methods like EC_POINT_point2bn and so on. Those also easily allow point compression if that's needed.
>
> In general, poke around in include/openssl/ec.h and there is lots of useful functionality, although not as much documentation.

I've been doing that poking.
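An added example, not part of the thread: EC_POINT_point2oct with POINT_CONVERSION_UNCOMPRESSED writes the SEC 1 octet string 0x04 || X || Y, so a receiver can check the form byte and the length before handing untrusted bytes to EC_POINT_oct2point. The function names and the constructed sample buffer are this example's own; it checks shape only and leaves the on-curve test to the library.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define P521_FIELD_LEN 66   /* ceil(521 / 8) bytes per coordinate */

enum sec1_form { SEC1_INVALID = 0, SEC1_INFINITY, SEC1_COMPRESSED,
                 SEC1_UNCOMPRESSED, SEC1_HYBRID };

/* Classify a SEC 1 / X9.62 point encoding for a prime-field curve whose
 * coordinates are field_len bytes long. Anything with an unknown form
 * byte or a length that does not match its form is SEC1_INVALID. */
enum sec1_form sec1_classify(const unsigned char *buf, size_t len,
                             size_t field_len)
{
    if (buf == NULL || len == 0 || field_len == 0)
        return SEC1_INVALID;
    switch (buf[0]) {
    case 0x00:                      /* point at infinity: a single byte */
        return len == 1 ? SEC1_INFINITY : SEC1_INVALID;
    case 0x02: case 0x03:           /* compressed: form byte || X */
        return len == 1 + field_len ? SEC1_COMPRESSED : SEC1_INVALID;
    case 0x04:                      /* uncompressed: form byte || X || Y */
        return len == 1 + 2 * field_len ? SEC1_UNCOMPRESSED : SEC1_INVALID;
    case 0x06: case 0x07:           /* hybrid: X || Y plus the parity of Y */
        if (len != 1 + 2 * field_len)
            return SEC1_INVALID;
        /* Y is big-endian, so its parity is the low bit of the last byte. */
        return (buf[0] & 1) == (buf[len - 1] & 1) ? SEC1_HYBRID : SEC1_INVALID;
    default:
        return SEC1_INVALID;
    }
}

/* Split an uncompressed encoding (the form the code in the post writes)
 * into X and Y. Every other form, including infinity, is refused. */
int sec1_split_uncompressed(const unsigned char *buf, size_t len,
                            size_t field_len,
                            const unsigned char **x, const unsigned char **y)
{
    if (sec1_classify(buf, len, field_len) != SEC1_UNCOMPRESSED)
        return 0;
    *x = buf + 1;
    *y = buf + 1 + field_len;
    return 1;
}

/* Constructed sample, not a real key: len bytes, first byte `lead`,
 * every other byte 0x11. Classified against the P-521 field length. */
enum sec1_form sample_p521_form(unsigned char lead, size_t len)
{
    unsigned char buf[1 + 2 * P521_FIELD_LEN];
    if (len == 0 || len > sizeof buf)
        return SEC1_INVALID;
    memset(buf, 0x11, sizeof buf);
    buf[0] = lead;
    return sec1_classify(buf, len, P521_FIELD_LEN);
}

/* Returns 1 when X and Y of the constructed sample sit at offsets 1 and 67. */
int sample_split_offsets_ok(void)
{
    unsigned char buf[1 + 2 * P521_FIELD_LEN];
    const unsigned char *x = NULL, *y = NULL;
    memset(buf, 0x11, sizeof buf);
    buf[0] = 0x04;
    if (!sec1_split_uncompressed(buf, sizeof buf, P521_FIELD_LEN, &x, &y))
        return 0;
    return (x - buf) == 1 && (y - buf) == 1 + P521_FIELD_LEN;
}

int main(void)
{
    printf("0x04, 133 bytes -> form %d\n", sample_p521_form(0x04, 133));
    printf("0x04, 132 bytes -> form %d\n", sample_p521_form(0x04, 132));
    printf("0x02,  67 bytes -> form %d\n", sample_p521_form(0x02, 67));
    return 0;
}
```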
Re: Trying to Link Statically to Libcrypto
On 19.07.2011 13:30, Michael S. Zick wrote:

> But a quicker answer to just a symbol or a few: use the toolchain.

...

> Now enter:
>
>     nm /usr/lib/libldap.a
>
> be rewarded with a listing 1,830 lines long of the symbols defined and the external symbols referenced.
>
> Of course, entering:
>
>     nm --help
>
> will give you the command options, and
>
>     man nm
>
> will give you all of the sicken details (the manual "man" command is your friend on any *nix type system).
>
> But for those readers interested in the instant answer -

I'm afraid you got it the wrong way around:

> The symbols this library provides (meaning this library is __before__

This should read __after__ ...

> the users of these symbols in the link command),
> Enter:
>
>     nm --defined /usr/lib/libldap.a
>
> The symbols this library requires (meaning this library is __after__

... and this should read __before__ .

> the providers of these symbols in the link command),
> Enter:
>
>     nm --undefined-only /usr/lib/libldap.a

--
Regards
Albrecht
Re: Trying to Link Statically to Libcrypto
Thanks for the lesson. Highly informative.
Re: Trying to Link Statically to Libcrypto
On Tue July 19 2011, Albrecht Schlosser wrote:

> I'm afraid you got it the wrong way around:

You are correct, my bad.

The linker makes an internal list of the __required__ symbols and then (actually, at the same time) tries to satisfy that list by the symbols provided in the __following listed__ libraries.

I wrote those directions backwards - a major brain fart on my part. Very glad you spotted my error.

Mike
Re: Trying to Link Statically to Libcrypto
Okay, it is acting like my /usr/lib/libssl.a is of no value. First, just for comparison, attempting to link with no reference to libssl at all:

    [root@linux Release]# g++ -o<My exe name> <my object file list> /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a -lz -ldl -lm -lsasl2 2>&1
    /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll':
    (.text+0x9c4): warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead
    /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll':
    (.text+0x9ba): warning: `sys_nerr' is deprecated; use `strerror' or `strerror_r' instead
    ./LinuxAgent.o: In function `Agent::startCommandProcessor()':
    LinuxAgent.cpp:(.text+0x438): undefined reference to `pthread_create'
    ./LinuxAgent.o: In function `Agent::Run()':
    LinuxAgent.cpp:(.text+0x47b7): undefined reference to `pthread_create'
    ./Redirect.o: In function `Redirect::RunRedirect(char*, int, int, char*, int, int)':
    Redirect.cpp:(.text+0x19b): undefined reference to `pthread_create'
    ./VncRedirector.o: In function `Redir::RunVNC(char*, int, int)':
    VncRedirector.cpp:(.text+0x19b): undefined reference to `pthread_create'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_close':
    (.text+0xa6): undefined reference to `SSL_shutdown'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_upflags':
    (.text+0x13b): undefined reference to `SSL_get_error'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_write':
    (.text+0x1cc): undefined reference to `SSL_write'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_write':
    (.text+0x1df): undefined reference to `SSL_get_error'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_read':
    (.text+0x2cc): undefined reference to `SSL_read'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_read':
    (.text+0x2df): undefined reference to `SSL_get_error'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_ctrl':
    (.text+0x409): undefined reference to `SSL_pending'
    ...more errors...
    /usr/lib/libldap.a(gssapi.o): In function `ldap_gssapi_bind_s':
    (.text+0x16e7): undefined reference to `gss_release_buffer'
    /usr/lib/libldap.a(gssapi.o): In function `ldap_gssapi_bind_s':
    (.text+0x177f): undefined reference to `gss_init_sec_context'
    /usr/lib/libldap.a(gssapi.o): In function `ldap_gssapi_bind_s':
    (.text+0x190d): undefined reference to `gss_release_buffer'
    collect2: ld returned 1 exit status

Now, including /usr/lib/libssl.a at the end of the list of object file:

    [root@linux Release]# g++ -o<My exe name> <my object file list> /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a /usr/lib/libssl.a -lz -ldl -lm -lsasl2 2>&1
    /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll':
    (.text+0x9c4): warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead
    /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll':
    (.text+0x9ba): warning: `sys_nerr' is deprecated; use `strerror' or `strerror_r' instead
    ./LinuxAgent.o: In function `Agent::startCommandProcessor()':
    LinuxAgent.cpp:(.text+0x438): undefined reference to `pthread_create'
    ./LinuxAgent.o: In function `Agent::Run()':
    LinuxAgent.cpp:(.text+0x47b7): undefined reference to `pthread_create'
    ./Redirect.o: In function `Redirect::RunRedirect(char*, int, int, char*, int, int)':
    Redirect.cpp:(.text+0x19b): undefined reference to `pthread_create'
    ./VncRedirector.o: In function `Redir::RunVNC(char*, int, int)':
    VncRedirector.cpp:(.text+0x19b): undefined reference to `pthread_create'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost':
    (.text+0x8a6): undefined reference to `X509_get_ext_by_NID'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost':
    (.text+0x8bd): undefined reference to `X509_get_ext'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost':
    (.text+0x8c5): undefined reference to `X509V3_EXT_d2i'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost':
    (.text+0x9be): undefined reference to `GENERAL_NAMES_free'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost':
    (.text+0x9d7): undefined reference to `GENERAL_NAMES_free'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost':
    (.text+0x9f5): undefined reference to `X509_get_subject_name'
    /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost':
    (.text+0xa00): undefined reference to `X509_NAME_entry_count'
    ...more errors...
    /usr/lib/libssl.a(s3_both.o): In function `ssl_cert_type':
    (.text+0x1e5): undefined reference to `EVP_PKEY_free'
    /usr/lib/libssl.a(s3_both.o): In function `ssl3_add_cert_to_buf':
    (.text+0x61e): undefined reference to `i2d_X509'
    /usr/lib/libssl.a(s3_both.o): In function `ssl3_add_cert_to_buf':
    (.text+0x677): undefined reference to `i2d_X509'
    /usr/lib/libssl.a(s3_both.o): In function `ssl3_output_cert_chain':
    (.text+0x854): undefined reference to `X509_STORE_CTX_init'
    /usr/lib/libssl.a(s3_both.o): In function `ssl3_output_cert_chain':
    (.text+0x86c): undefined reference to `X509_verify_cert'
    /usr/lib/libssl.a(s3_both.o): In function `ssl3_output_cert_chain':
Re: Trying to Link Statically to Libcrypto
On Tue July 19 2011, brandon...@aol.com wrote:

> Okay, it is acting like my /usr/lib/libssl.a is of no value.
Re: Trying to Link Statically to Libcrypto
On 19.07.2011 16:49, brandon...@aol.com wrote: *Okay, it is acting like my /usr/lib/libssl.a is of no value. First, just for comparison, attempting to link with no reference to libssl at all:* Today at 14:23 you wrote Thanks for the lesson. Highly informative., but now you're still doing it wrong :-( Note that this will be my last message to this thread, since learning linking order is OT here. [root@linux Release]# g++ -oMy exe name my object file list /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a -lz -ldl -lm -lsasl2 21 Okay, libcrypto is *before* libldap, and libssl is missing (you wrote that). snipping unused error messages... /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_close': (.text+0xa6): undefined reference to `SSL_shutdown' SSL_shutdown is still missing, because libssl is missing. *Now, including /usr/lib/libssl.a at the end of the list of object file:* [root@linux Release]# g++ -oMy exe name my object file list /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a /usr/lib/libssl.a -lz -ldl -lm -lsasl2 21 /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost': (.text+0x8a6): undefined reference to `X509_get_ext_by_NID' X509* functions are in libcrypto - you should have found that out meanwhile. They can't be found by the linker because libcrypto is *before* libldap! Furthermore, now that you added libssl, SSL_shutdown *is* found by the linker (not in the error list anymore). *Now, including /usr/lib/libssl.a at the beginning of the list of object file:* Another useless try... *Now, giving up and allowing it to choose the so version, suddenly everything works. 
There are two warnings, but no errors.* [root@linux Release]# g++ -oMy exe name my object file list /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a -lz -ldl -lm -lssl -lsasl2 21 /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll': (.text+0x9c4): warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll': (.text+0x9ba): warning: `sys_nerr' is deprecated; use `strerror' or `strerror_r' instead [root@linux Release]# Anyone have an idea why the static version of the library doesn't seem to work? Because if you link with the shared libraries, the linker adds the entire libraries (symbols) to its internal list of known symbols, and thus it can resolve all references. Check the order again, and then you'll be able to link statically as well. Hint: ldap - ssl - crypto - others... -- Regards Albrecht __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
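The link-order rule from the message above, as an added Python model that is not part of the original thread. It goes slightly beyond the thread by modelling the general single-pass archive scan. The symbol names come from the quoted error output; the member layout, the member names `x509.o` and `evp.o`, and the symbol `ldap_api` are assumptions made for illustration.

```python
# Simplified model of how a linker such as GNU ld resolves static archives:
# one left-to-right pass, extracting only members that define a symbol that
# is undefined at that moment. Archive contents below are constructed.

# archive -> member -> (symbols defined, symbols referenced)
ARCHIVES = {
    "libldap.a": {
        # "ldap_api" is a hypothetical symbol standing in for the LDAP calls
        # made by the application's own object files.
        "tls_o.o": ({"ldap_api"}, {"SSL_shutdown", "X509_get_ext_by_NID"}),
    },
    "libssl.a": {
        "s3_both.o": ({"SSL_shutdown"}, {"i2d_X509", "EVP_PKEY_free"}),
    },
    "libcrypto.a": {
        # Member names here are hypothetical.
        "x509.o": ({"X509_get_ext_by_NID", "i2d_X509"}, set()),
        "evp.o": ({"EVP_PKEY_free"}, set()),
    },
}


def link(order, app_refs=("ldap_api",)):
    """Return the symbols still undefined after scanning `order` once."""
    defined, undefined = set(), set(app_refs)
    for archive in order:
        remaining = dict(ARCHIVES[archive])
        extracted = True
        while extracted:  # rescan this archive until nothing new is pulled in
            extracted = False
            for member, (defs, refs) in list(remaining.items()):
                if defs & undefined:
                    del remaining[member]
                    defined |= defs
                    undefined = (undefined | refs) - defined
                    extracted = True
        # Symbols left undefined here are never looked up in earlier archives.
    return undefined


if __name__ == "__main__":
    for order in (
        ["libcrypto.a", "libldap.a"],              # libssl missing
        ["libcrypto.a", "libldap.a", "libssl.a"],  # libssl appended last
        ["libldap.a", "libssl.a", "libcrypto.a"],  # ldap - ssl - crypto
    ):
        print(" ".join(order), "->", sorted(link(order)) or "links cleanly")
```

With libcrypto listed first, nothing is extracted from it because no crypto symbol is undefined yet, which matches the `X509_*` errors quoted in the thread.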
Re: Trying to Link Statically to Libcrypto
On Sun July 17 2011, brandon...@aol.com wrote: Although I've been programming on various platforms for quite awhile, I don't know much about the principles involved here - i.e. Linux or static vs dynamic linking. You are right, it is linking to libldap. When in doubt, ask Google: http://stackoverflow.com/questions/45135/linker-order-gcc The first of 6 million answers to those questions. Mike What I am trying to do is remove all dependencies on libraries on the diverse target machines, so that it works right out of the box without the necessity of the user installing libraries. On several machines where people have installed my program, it complained that it couldn't find libcrypto.so.8. I fixed that on those occasions by creating a symbolic link to their actual version of libcrypto, but I just want it to stop looking for any library at all on the box where I'm putting it, and this is one step towards that. I had hoped that by forcing it to take libcrypto.a, rather than libcrypto.so, it would stop looking for libcrypto.so.8. -Original Message- From: Andreas Mueller andreas.muel...@othello.ch To: openssl-users openssl-users@openssl.org Sent: Sun, Jul 17, 2011 2:45 pm Subject: Re: Trying to Link Statically to Libcrypto Brandon, On 16.07.2011 at 10:59, brandon...@aol.com wrote: Actually, I believe it said that openldap.so was complaining that they were It would certainly help if you actually knew what it was saying, not just believed it! And wasn't it rather libldap.so, not openldap.so. Of course, libldap.so is usually provided by some openldap package. I am already linking in -lldap. Will -lopenldap work better? He certainly meant -lldap (the library is called libldap.so, so the linker flag is called -lldap). If your library really is called openldap.so (which I very much doubt), then you can not link it with the -l option, you have to add the fully qualified path name of that library to the linker command line. 
Any idea what library I can link in to define the above two references? Link to OpenSSL first, and then OpenLdap (order matters): gcc ... -lcrypto -lopenldap What was meant is -lldap -lcrypto. Libraries later in later flags have to satisfy references left open by earlier libraries. I am writing some C++ on Linux with g++. When I try to link statically to libcrypto, by using the libcrypto.a library, it complains that You are linking statically to a library that some other library, namely libldap, wants to link dynamically. How's that supposed to work? Static linking means you have a copy of libcrypto in your binary, with the symbols of that library removed, because they have already been resolved. Then libldap gets linked, and wants to know about the same symbols once again, so a shared copy of the library libcrypto has to be added to the address space. What a mess. So the real question is: WTH are you trying to link statically! With kind regards Andreas Müller -- Prof. Dr. Andreas Müller, Beratung und Entwicklung ubental 53, CH - 8852 Altendorf mail: andreas.muel...@othello.ch Voice: +41 55 4621483 Fax: +41 55 4621482
Re: Trying to Link Statically to Libcrypto
Thanks. I had eventually succeeded by fixing my list of object files. -Original Message- From: Albrecht Schlosser ml-...@go4more.de To: openssl-users openssl-users@openssl.org Sent: Tue, Jul 19, 2011 12:24 pm Subject: Re: Trying to Link Statically to Libcrypto On 19.07.2011 16:49, brandon...@aol.com wrote: *Okay, it is acting like my /usr/lib/libssl.a is of no value. First, just for comparison, attempting to link with no reference to libssl at all:* Today at 14:23 you wrote Thanks for the lesson. Highly informative., but now you're still doing it wrong :-( Note that this will be my last message to this thread, since learning linking order is OT here. [root@linux Release]# g++ -oMy exe name my object file list /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a -lz -ldl -lm -lsasl2 21 Okay, libcrypto is *before* libldap, and libssl is missing (you wrote that). snipping unused error messages... /usr/lib/libldap.a(tls_o.o): In function `tlso_sb_close': (.text+0xa6): undefined reference to `SSL_shutdown' SSL_shutdown is still missing, because libssl is missing. *Now, including /usr/lib/libssl.a at the end of the list of object file:* [root@linux Release]# g++ -oMy exe name my object file list /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a /usr/lib/libssl.a -lz -ldl -lm -lsasl2 21 /usr/lib/libldap.a(tls_o.o): In function `tlso_session_chkhost': (.text+0x8a6): undefined reference to `X509_get_ext_by_NID' X509* functions are in libcrypto - you should have found that out meanwhile. They can't be found by the linker because libcrypto is *before* libldap! Furthermore, now that you added libssl, SSL_shutdown *is* found by the linker (not in the error list anymore). *Now, including /usr/lib/libssl.a at the beginning of the list of object file:* Another useless try... *Now, giving up and allowing it to choose the so version, suddenly everything works. 
There are two warnings, but no errors.* [root@linux Release]# g++ -oMy exe name my object file list /usr/lib/libcrypto.a /usr/lib/libldap.a /usr/lib/libxml2.a /usr/lib/liblber.a -lz -ldl -lm -lssl -lsasl2 21 /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll': (.text+0x9c4): warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead /usr/lib/libldap.a(os-ip.o): In function `ldap_int_poll': (.text+0x9ba): warning: `sys_nerr' is deprecated; use `strerror' or `strerror_r' instead [root@linux Release]# Anyone have an idea why the static version of the library doesn't seem to work? Because if you link with the shared libraries, the linker adds the entire libraries (symbols) to its internal list of known symbols, and thus it can resolve all references. Check the order again, and then you'll be able to link statically as well. Hint: ldap - ssl - crypto - others... -- Regards Albrecht
Re: Trying to Link Statically to Libcrypto
Thanks again. -Original Message- From: Michael S. Zick open...@morethan.org To: openssl-users openssl-users@openssl.org Sent: Tue, Jul 19, 2011 2:03 pm Subject: Re: Trying to Link Statically to Libcrypto On Sun July 17 2011, brandon...@aol.com wrote: Although I've been programming on various platforms for quite awhile, I don't know much about the principles involved here - i.e. Linux or static vs dynamic linking. You are right, it is linking to libldap. When in doubt, ask Google: http://stackoverflow.com/questions/45135/linker-order-gcc The first of 6 million answers to those questions. Mike What I am trying to do is remove all dependencies on libraries on the diverse target machines, so that it works right out of the box without the necessity of the user installing libraries. On several machines where people have installed my program, it complained that it couldn't find libcrypto.so.8. I fixed that on those occasions by creating a symbolic link to their actual version of libcrypto, but I just want it to stop looking for any library at all on the box where I'm putting it, and this is one step towards that. I had hoped that by forcing it to take libcrypto.a, rather than libcrypto.so, it would stop looking for libcrypto.so.8. -Original Message- From: Andreas Mueller andreas.muel...@othello.ch To: openssl-users openssl-users@openssl.org Sent: Sun, Jul 17, 2011 2:45 pm Subject: Re: Trying to Link Statically to Libcrypto Brandon, On 16.07.2011 at 10:59, brandon...@aol.com wrote: Actually, I believe it said that openldap.so was complaining that they were It would certainly help if you actually knew what it was saying, not just believed it! And wasn't it rather libldap.so, not openldap.so. Of course, libldap.so is usually provided by some openldap package. I am already linking in -lldap. Will -lopenldap work better? He certainly meant -lldap (the library is called libldap.so, so the linker flag is called -lldap). 
If your library really is called openldap.so (which I very much doubt), then you can not link it with the -l option, you have to add the fully qualified path name of that library to the linker command line. Any idea what library I can link in to define the above two references? Link to OpenSSL first, and then OpenLdap (order matters): gcc ... -lcrypto -lopenldap What was meant is -lldap -lcrypto. Libraries later in later flags have to satisfy references left open by earlier libraries. I am writing some C++ on Linux with g++. When I try to link statically to libcrypto, by using the libcrypto.a library, it complains that You are linking statically to a library that some other library, namely libldap, wants to link dynamically. How's that supposed to work? Static linking means you have a copy of libcrypto in your binary, with the symbols of that library removed, because they have already been resolved. Then libldap gets linked, and wants to know about the same symbols once again, so a shared copy of the library libcrypto has to be added to the address space. What a mess. So the real question is: WTH are you trying to link statically! With kind regards Andreas Müller -- Prof. Dr. Andreas Müller, Beratung und Entwicklung ubental 53, CH - 8852 Altendorf mail: andreas.muel...@othello.ch Voice: +41 55 4621483 Fax: +41 55 4621482
RE: Trying to Link Statically to Libcrypto
From: brandon...@aol.com Actually, I was advised to put libssl after libcrypto. I don't recall being told to put libssl after libldap. Also, knowing that order matters is of little use if you don't grasp what the order should be. You were told the right order a few times along the way; on reviewing the messages though, I see you were also told the wrong order a few times along the way. Not at all surprising that you were confused. I did show the link command in a previous post, but admittedly not up to date with this particular set of errors. I'll remember to include my link command with every example of error messages. Yes, that's always a good idea. Glad to see it's sorted now.