stunnel 4.43 released
Dear Users,

I have released version 4.43 of stunnel.

The ChangeLog entry:

Version 4.43, 2011.09.07, urgency: MEDIUM:
* New features
  - Updated Win32 DLLs for OpenSSL 1.0.0e.
  - Major optimization of the logging subsystem. Benchmarks indicate up to 15% performance improvement.
* Bugfixes
  - Fixed WIN32 configuration file reload.
  - Fixed FORK and UCONTEXT threading models.
  - Corrected INSTALL.W32 file.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.43.tar.gz:
93a002d9e1652d7684756af75b44b00f99aa93574e8a5a2e69f88656221d5ce2

Best regards,
Mike

Re: Enable A Individual Cipher
Hi,

I am trying to use the EXP1024-RC4-SHA cipher, but I am getting errors. The following is what I have done:

1. Downloaded openssl-1.0.0d
2. Modified ssl/tls1.h and changed the value of TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES to 1
3. ./config enable-TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
4. make
   make test
5. make install
6. openssl ciphers -v

But this list does not show any EXPORT1024 ciphers. Also, when I try to use 'openssl s_client -cipher EXP1024-RC4-SHA', I get the following error:

error setting cipher list
19359:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1204:

Can anyone please help me?

Thanks in advance,
Rajib

Mari-10 wrote:
> Kyle and Dave, good afternoon!
>
> I need to say thanks a lot for your help.
> I changed the file tls1.h and the ciphers were enabled.
>
> #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1
>
> We are doing tests; when we finish I will tell everybody the results!
> Dave, I will answer your questions tomorrow...
>
> Again, thanks a lot!
>
> Best Regards,
> Mariana Hoffart Dias

RE: How to deal with new OIDs
> Hi all,

Hi Dominik,

> in a project I maintain I have to deal with OIDs not contained within OpenSSL. In particular, I use OpenSSL to parse ASN1 encoded data containing OIDs (using the Macros from asn1t.h) and do switch-case statements on the resulting NIDs. Until now I used to patch OpenSSL (adding the OIDs to objects.txt and running the objects.pl script to generate the NIDs) to contain my OIDs but this approach is far from ideal.

Do you need to work with OIDs and other DER for ASN.1 encoded data and are using a specific part of OpenSSL as DER encoder/decoder?

In this case you might take a look at http://lionet.info/asn1c/compiler.html
It is free (BSD), it has existed for many years and there is a lot of documentation and examples, one of which deals with X.509.

Just in case it helps.

oki,

Steffen

From the webpage:

  The asn1c is a free, open source compiler of ASN.1 specifications into C source code. It supports a range of ASN.1 syntaxes, including ISO/IEC/ITU ASN.1 1988, '94, '97, 2002 and later amendments. The supported sets of encoding rules are
  * BER: ITU-T Rec. X.690 | ISO/IEC 8825-1 (2002) (BER/DER/CER)
  * PER: X.691|8825-2 (2002) (PER).
  * XER: X.693|8825-3 (2001) (BASIC-XER/CXER).
  The compiler was written specifically to address security concerns while providing streaming decoding capabilities.

Re: How to deal with new OIDs
On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
> On Wed, Sep 07, 2011, Dominik Oepen wrote:

Are these OIDs by chance the ones described in ticket 1794?

Re: How to deal with new OIDs
On 08.09.2011 11:49, Peter Sylvester wrote:
> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
>> On Wed, Sep 07, 2011, Dominik Oepen wrote:
>
> Are these OIDs by chance the ones described in ticket 1794?

Thanks for the hint, but I'm not using the SRP OIDs. I need two families of OIDs for my project: the OIDs for the elliptic curves defined in RFC 5639 and the OIDs used for the new German identity card, defined in the technical guidelines of the Federal Office for Information Security (BSI).

I once submitted a patch for the RFC 5639 curves (http://rt.openssl.org/Ticket/Display.html?id=2239&user=guest&pass=guest) but there seemed to be no interest in it, even though a similar patch was subsequently submitted by somebody else (http://old.nabble.com/-openssl.org--2359---PATCH--td29927422.html).

If there is any interest I can supply a patch for the BSI OIDs. They might also be of interest to people outside of Germany, since they have been incorporated by the ICAO in a technical guideline (http://www2.icao.int/en/MRTD/Downloads/Technical%20Reports/Technical%20Report.pdf).

Best regards,
Dominik

Re: Unsupported prf error when reading an RSA private key
On Wed, Sep 7, 2011 at 4:09 PM, Dr. Stephen Henson st...@openssl.org wrote:
> Hmm... that's peculiar. Do you get the same error with the openssl utility on a private key you created? For example:
>
> openssl rsa -in key.pem

Nope, no error on that, with either of the openssl packages installed on my machine.

In case it's useful, I've attached the PEM file generated by the most recent run of the test. The passphrase is cartman.

Thanks,
--
Shawn.

Re: How to deal with new OIDs
Hi Steffen,

On 08.09.2011 11:16, Steffen DETTMER wrote:
>> Hi all,
>
> Hi Dominik,
>
>> in a project I maintain I have to deal with OIDs not contained within OpenSSL. In particular, I use OpenSSL to parse ASN1 encoded data containing OIDs (using the Macros from asn1t.h) and do switch-case statements on the resulting NIDs. Until now I used to patch OpenSSL (adding the OIDs to objects.txt and running the objects.pl script to generate the NIDs) to contain my OIDs but this approach is far from ideal.
>
> Do you need to work with OIDs and other DER for ASN.1 encoded data and are using a specific part of OpenSSL as DER encoder/decoder?

That's exactly what I'm doing.

> In this case you might take a look at http://lionet.info/asn1c/compiler.html
> It is free (BSD), it has existed for many years and there is a lot of documentation and examples, one of which deals with X.509.
>
> Just in case it helps.

Thanks for the tip. The code is already written (and working) using OpenSSL's ASN1 macros. I just want to stop patching OpenSSL in order to deal with OIDs not contained within OpenSSL. Using a new tool would probably mean that I will have to rewrite quite a lot of code. That's why I will try Steve's suggestions first. If I fail I'll have a look at the ASN1 compiler you suggested.

Again, thanks for the help,
Dominik

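An added example, not code from this thread or from OpenSSL: one way an application can recognise OIDs that a library's built-in table lacks is to decode the DER content octets itself, reject malformed encodings, and match the result against its own table. The function and enum names are hypothetical; the two table entries are the OIDs of the RFC 5639 curve brainpoolP256r1 and of the BSI id-PACE arc.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Decode the content octets of a DER OBJECT IDENTIFIER (tag and length already
 * removed) into dotted text. Returns 0 on success, -1 on malformed input. */
int oid_to_text(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    size_t i = 0, used = 0;
    if (len == 0) return -1;
    while (i < len) {
        unsigned long arc = 0, a;
        int n;
        if (p[i] == 0x80) return -1;               /* padded, non-minimal arc */
        for (;;) {
            if (i == len) return -1;               /* continuation bit on last octet */
            if (arc > (ULONG_MAX >> 7)) return -1; /* arc would overflow */
            arc = (arc << 7) | (p[i] & 0x7f);
            if (!(p[i++] & 0x80)) break;
        }
        a = arc < 40 ? 0 : arc < 80 ? 1 : 2;       /* first subidentifier packs two arcs */
        n = used ? snprintf(out + used, outlen - used, ".%lu", arc)
                 : snprintf(out, outlen, "%lu.%lu", a, arc - 40 * a);
        if (n < 0 || (size_t)n >= outlen - used) return -1; /* buffer too small */
        used += (size_t)n;
    }
    return 0;
}

enum app_oid { APP_OID_UNKNOWN, APP_OID_BRAINPOOLP256R1, APP_OID_BSI_PACE };
/* Application-owned table: enum names are hypothetical, OID values are real. */
static const struct { const char *text; enum app_oid id; } app_oids[] = {
    { "1.3.36.3.3.2.8.1.1.7", APP_OID_BRAINPOOLP256R1 }, /* RFC 5639 curve */
    { "0.4.0.127.0.7.2.2.4",  APP_OID_BSI_PACE },        /* BSI id-PACE */
};
enum app_oid classify_oid(const unsigned char *p, size_t len)
{
    char text[128];
    if (oid_to_text(p, len, text, sizeof text) != 0) return APP_OID_UNKNOWN;
    for (size_t i = 0; i < sizeof app_oids / sizeof app_oids[0]; i++)
        if (strcmp(text, app_oids[i].text) == 0) return app_oids[i].id;
    return APP_OID_UNKNOWN;
}

int main(void)
{
    const unsigned char bp[] = { 0x2B, 0x24, 3, 3, 2, 8, 1, 1, 7 }; /* constructed sample */
    printf("brainpoolP256r1 content octets -> %d\n", classify_oid(bp, sizeof bp));
    return 0;
}
```

Malformed or unknown OIDs both map to `APP_OID_UNKNOWN`, so a `switch` on the result has a single reject path.
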
Re: How to deal with new OIDs
On 09/08/2011 04:31 PM, Dominik Oepen wrote:
> On 08.09.2011 11:49, Peter Sylvester wrote:
>> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
>>> On Wed, Sep 07, 2011, Dominik Oepen wrote:
>>
>> Are these OIDs by chance the ones described in ticket 1794?

Actually I meant 2239.

Re: How to deal with new OIDs
On 08.09.2011 16:41, Peter Sylvester wrote:
> On 09/08/2011 04:31 PM, Dominik Oepen wrote:
>> On 08.09.2011 11:49, Peter Sylvester wrote:
>>> On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
>>>> On Wed, Sep 07, 2011, Dominik Oepen wrote:
>>>
>>> Are these OIDs by chance the ones described in ticket 1794?
>
> Actually I meant 2239.

Yup, this is the RFC 5639 patch I was mentioning.

How to Check Whether the resources of X509 has been freed when it is freed by X509_free()
Hi All,

I have several questions associated with freeing resources of the X509 struct.

Snippet of my code:

    X509 *x509Cert = X509_new();
    if (x509Cert == NULL)
        printf("Error instantiating X509 object\n");

    /* do some processing with my x509Cert object */

    /* Cleaning up resources of x509Cert */
    if (x509Cert != NULL)
        X509_free(x509Cert);

My questions are:

1. How to check that x509Cert resources have been freed? I notice that X509_free(x509Cert) does not set x509Cert to NULL, therefore I cannot rely on if (x509Cert != NULL) to verify that x509Cert resources have been freed. Is this a bug, or is there another method for verifying whether x509Cert resources have been freed?

2. Does X509_free() also free all the internal objects that are part of the X509 struct, e.g. X509_ALGOR, X509_NAME, ASN1_INTEGER, ASN1_TIME, etc.?

Thanks,
Erwin