RE: openssl connection problem...
Hi Carol,

I believe you can add -state as a parameter to the client and server side to see what phase things are happening in.

Kevin.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Carol Walter
Sent: Thursday, January 29, 2009 11:28 AM
To: openssl-users@openssl.org
Subject: openssl connection problem...

Hello,

I'm new to this list, so I hope this is the correct place to post this problem. I'm trying to use openssl to connect to postgres. The process is not working. When I try to connect using s_client without any of the postgres bits, I get an error message as follows:

walt...@cat:~$ openssl s_client -connect db:5433
CONNECTED(0005)
12210:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:../../../../common/openssl/ssl/s23_lib.c:226:

I issued the same command with the debug option and get an error as follows:

walt...@cat:~$ openssl s_client -debug -connect db:5433
CONNECTED(0005)
write to 0008C418 [0008F170] (142 bytes = 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ..c... .. 9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 .. 3..2../.f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 .c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 b..a...@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 ..e..d..`...
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 0b fd
0070 - 56 53 2f a4 76 0b 02 c4-d9 fd 4e fd 06 fa 3b 65 VS/.v.N...;e
0080 - b4 9c 5f fb 8d 6b 25 5b-68 aa b3 90 ec d7 .._..k%[h.
read from 0008C418 [000946D0] (7 bytes = 0 (0x0))
12245:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:../../../../common/openssl/ssl/s23_lib.c:226:

Is there a verbose command that will give me more information? While the hex dump is a lot of detailed information, I don't know what it's telling me.

Thank you for your help.

Carol Walter
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
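What the hex dump in the message above contains, as an added example that is not part of the original thread: the 142 bytes written are an SSLv2-format ClientHello, and the read line that follows reports how many bytes came back. The function names are this example's own; the byte string and the read line are copied from the post.

```python
import re
import struct

# The 142 bytes of the "write to" dump in the post (offsets and ASCII column dropped).
DUMP_HEX = """
80 8c 01 03 01 00 63 00 00 00 20 00 00 39 00 00
38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
00 00 33 00 00 32 00 00 2f 03 00 80 00 00 66 00
00 05 00 00 04 01 00 80 08 00 80 00 00 63 00 00
62 00 00 61 00 00 15 00 00 12 00 00 09 06 00 40
00 00 65 00 00 64 00 00 60 00 00 14 00 00 11 00
00 08 00 00 06 04 00 80 00 00 03 02 00 80 0b fd
56 53 2f a4 76 0b 02 c4 d9 fd 4e fd 06 fa 3b 65
b4 9c 5f fb 8d 6b 25 5b 68 aa b3 90 ec d7
"""
# The line that follows the dump, as it appears in the post.
READ_LINE = "read from 0008C418 [000946D0] (7 bytes = 0 (0x0))"


def parse_v2_client_hello(data):
    """Decode an SSLv2-format ClientHello, the first record s_client wrote here."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    msg_type, major, minor, spec_len, sid_len, chal_len = struct.unpack(
        ">BBBHHH", data[2:11])
    if msg_type != 1:
        raise ValueError("message type is not ClientHello")
    if rec_len != len(data) - 2 or rec_len != 9 + spec_len + sid_len + chal_len:
        raise ValueError("length fields do not match the record size")
    if spec_len % 3:
        raise ValueError("cipher specs must be 3 bytes each")
    body = data[11:]
    specs = [body[i:i + 3] for i in range(0, spec_len, 3)]
    return {
        "record_length": rec_len,
        "version": (major, minor),  # (3, 1) is TLS 1.0
        # First byte 0x00: an SSLv3/TLS suite code; otherwise an SSLv2 cipher kind.
        "tls_suites": [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0],
        "v2_kinds": [int.from_bytes(s, "big") for s in specs if s[0] != 0],
        "session_id": body[spec_len:spec_len + sid_len],
        "challenge": body[spec_len + sid_len:],
    }


def bio_io_result(line):
    """Return (direction, bytes_requested, bytes_done) from an s_client -debug I/O line."""
    m = re.match(r"(read|write) (?:from|to) \S+ \[\S+\] \((\d+) bytes =>? (-?\d+) ", line)
    if m is None:
        raise ValueError("not a BIO debug I/O line")
    return m.group(1), int(m.group(2)), int(m.group(3))


if __name__ == "__main__":
    hello = parse_v2_client_hello(bytes.fromhex("".join(DUMP_HEX.split())))
    print("version", hello["version"], "suites", len(hello["tls_suites"]),
          "v2 kinds", len(hello["v2_kinds"]), "challenge", len(hello["challenge"]))
    print(bio_io_result(READ_LINE))
```

The client offered TLS 1.0 in a v2-compatible hello and the read that followed returned 0 bytes, meaning the peer closed the connection without replying. PostgreSQL expects its own SSLRequest startup packet before any TLS handshake, which a bare s_client connection does not send.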
Question about V_CHECK in ENGINE.H
Hi,

I am hoping somebody can set me straight on this. I haven't been able to figure it out over the last few days. I have ported to 0.9.8E from 0.9.7E, and am having trouble getting the CRYPTO shareable image to link. Probably serves me right for waiting for so long to port. ;-)

I am trying to do this on OpenVMS V7.3-2, with DEC C V7.1. The error that I am seeing is shown below. To me, it looks like there is no global declaration of V_CHECK, only external declarations:

$ search crypto$res:[ossl.build_0300_alpha_64]makevms.log -W-
%LINK-W-NUDFSYMS, 9 undefined symbols:
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_UBSEC referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_CSWIFT referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_NURON referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_CHIL referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_ATALLA referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_AEP referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_SUREWARE referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_4758CCA referenced in symbol vector option
%LINK-W-USEUNDEFSYMV, undefined symbol ENGINE_LOAD_GMP referenced in symbol vector option
%LINK-W-SHRWRNERS, compilation warnings in shareable image file CRYPTO$RES:[OSSL.BUILD_0300_ALPHA_64.ALPHA.EXE.CRYPTO]SSL$LIBCRYPTO_SHR.EXE;11
$

I also found the following change in the CVS history for ENGINE.H. To me this looks like it is changing V_CHECK from a global declaration to an external reference:

--- engine.h2005/07/16 11:13:06 1.57.2.1 +++ engine.h2005/11/06 17:48:59 1.57.2.2 
@@ -637,7 +637,7 @@ * can be fully instantiated with IMPLEMENT_DYNAMIC_CHECK_FN(). */ typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version); #define IMPLEMENT_DYNAMIC_CHECK_FN() \ - unsigned long v_check(unsigned long v) { \ + OPENSSL_EXPORT unsigned long v_check(unsigned long v) { \ if(v = OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \ return 0; } @@ -659,6 +659,7 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, const dynamic_fns *fns); #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \ + OPENSSL_EXPORT \ int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \ if(ENGINE_get_static_state() == fns-static_state) goto skip_cbs; \ if(!CRYPTO_set_mem_functions(fns-mem_fns.malloc_cb, \ Any comments or clarifications will be appreciated. Thanks, Kevin Greaney
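Review bot: In the v_check body of the first hunk, the context line reads "if(v = OSSL_DYNAMIC_OLDEST)", which as shown assigns instead of comparing, so the function would return OSSL_DYNAMIC_VERSION for every caller whenever OSSL_DYNAMIC_OLDEST is non-zero. The operator has most likely been lost in this copy of the diff; check the line against the header itself and confirm it is a ">=" comparison before reasoning from this text. On the change itself: the only edit is the OPENSSL_EXPORT prefix, and the function still has its body, so IMPLEMENT_DYNAMIC_CHECK_FN() still produces a definition of v_check wherever it is instantiated. It would help to add a comment above the macro stating that the symbol is only defined in code that expands the macro.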
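Review bot: In IMPLEMENT_DYNAMIC_BIND_FN(fn) the added OPENSSL_EXPORT sits on its own continuation line, while the v_check hunk puts it on the same line as the return type; use one layout for both macros. The context lines here read "fns-static_state" and "fns-mem_fns.malloc_cb", which is not valid member access as shown and has presumably lost the ">" of "->" in this copy, so take the macro body from the header rather than from this text.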
0.9.7M or 0.9.8E
Hi,

I am about to upgrade to the latest OpenSSL baselevel, but I have one question: Which one should I choose, 0.9.7M or 0.9.8E?

I am currently running 0.9.7E with the security patches applied. 0.9.7M would be less work and give me FIPS, but I'm assuming 0.9.8E would also provide me with the FIPS code even though it has not been officially certified. Should I just put the work in now and go to 0.9.8E?

Any comments, considerations, or experiences would be most welcome.

Thank you,
Kevin Greaney
RE: cipher list
Hi,

I would start at the following page in the documentation:

http://www.openssl.org/docs/ssl/SSL_get_ciphers.html

It not only gives you the details for get_ciphers, but it also provides links to the related APIs.

Kevin.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of kankedu
Sent: Thursday, November 11, 2004 4:55 AM
To: openssl-users
Subject: cipher list

Hi,

I want to tell my client to only use certain ciphers, and I have found just the function for doing so:

SSL_CTX_set_cipher_list(*ctx, "RSA");

However, this doesn't give me good enough control on exactly which ciphers to use, only classes. E.g. I cannot write TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as a second argument to ONLY use that cipher.

Does anyone know another way to solve this problem? Otherwise I'll put it down as a feature request, I guess.

Thanks,
Johannes
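The cipher string discussed above can name a single suite by its OpenSSL name as well as a class such as RSA. An added example, not from the thread, using Python's ssl module, whose set_ciphers() hands the string to SSL_CTX_set_cipher_list(); the helper names are this example's own, and the suite is taken from whatever the local build enables, since the 3DES suite named in the post (OpenSSL name EDH-RSA-DES-CBC3-SHA) may not be available in current builds.

```python
import ssl


def enabled_suites(cipher_string):
    """Apply an OpenSSL cipher string; return (tls12_and_older, tls13) suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # calls SSL_CTX_set_cipher_list() underneath
    older, tls13 = [], []
    for c in ctx.get_ciphers():
        (tls13 if c["protocol"] == "TLSv1.3" else older).append(c["name"])
    return older, tls13


def pick_available_suite():
    """Choose one TLS 1.2-or-older suite that this OpenSSL build enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for c in ctx.get_ciphers():
        if c["protocol"] != "TLSv1.3":
            return c["name"]
    raise RuntimeError("no TLS 1.2-or-older suite enabled in this build")


def try_cipher_string(cipher_string):
    """Return the older-protocol suites selected, or None when nothing matches."""
    try:
        return enabled_suites(cipher_string)[0]
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    name = pick_available_suite()
    older, tls13 = enabled_suites(name)
    print("pinned to", name, "->", older)
    print("TLS 1.3 suites still enabled:", tls13)
    print("class string 'RSA' selects", len(try_cipher_string("RSA") or []), "suites")
    print("unknown name ->", try_cipher_string("NO-SUCH-SUITE"))
```

TLS 1.3 suites are not governed by this string and stay enabled, which is why the function reports them separately.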
RE: Malloc failure error with OpenSSL
Hi Kal,

What version of OpenSSL are you using? What platform are you seeing this error on - Unix, VMS, Windows? And, it might help to know how you built it?!?

Thanks,
Kevin.

Kevin Greaney
SSL for OpenVMS Team
Hewlett Packard Company
OpenVMS Engineering Group
110 Spitbrook Road
Nashua, NH 03062
(603) 884-5099

-----Original Message-----
From: Kattamuri, Kal
Sent: Tuesday, March 04, 2003 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: Malloc failure error with OpenSSL
Importance: High

Hi All,

I am seeing the following error in my error logs after I installed/enabled SSL in my server. Please note that I was not seeing this error prior to enabling SSL on this server. Any help would be highly appreciated:

[Mon Mar 3 20:43:17 2003] [error] mod_ssl: SSL handshake failed (server xxx.xxx.xxx.com:443, client 11.11.11.11) (System and OpenSSL library errors follow)
[Mon Mar 3 20:43:17 2003] [error] System: Not enough space (errno: 12)
[Mon Mar 3 20:43:17 2003] [error] OpenSSL: error:1409C021:SSL routines:SSL3_SETUP_BUFFERS:Malloc failure

Thanks in advance.

Best Regards,
Kalyan Kattamuri,
Web Hosting Services Delivery,
Hewlett P-Cupertino.408-t447-4021
CRL checking prior to 0.9.7.
Hi,

I noticed in the 0.9.7 announcement (www.openssl.org/news/announce.html) the following bullet:

- CRL checking in verify code and openssl utility.

I know I can check a certificate against a CA, but how would one check a certificate against a CRL, prior to 0.9.7?

Thanks,
Kevin.

Kevin Greaney
SSL for OpenVMS Team
Hewlett Packard Company
OpenVMS Engineering Group
110 Spitbrook Road
Nashua, NH 03062
(603) 884-5099
RE: Any news on 0.9.7?
Hi Lutz,

Thank you for the explanation as well as the insight. I realize it is not binding, but it is a great help.

Thanks again,
Kevin.

-----Original Message-----
From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 19, 2002 4:09 PM
To: [EMAIL PROTECTED]
Subject: Re: Any news on 0.9.7?

On Thu, Sep 19, 2002 at 01:29:59PM -0400, Greaney, Kevin wrote:
> Has anybody heard when the 0.9.7 baselevel might be released? I am
> currently at 0.9.6B (with the Security patches), and know that I have to
> upgrade. I would like to go directly to 0.9.7, but will stop at 0.9.6G
> if 0.9.7 looks to be months away.

I don't know, when 0.9.7 will be out. The OpenSSL team is currently running very slowly for several reasons. Some members are on vacation, I personally am going to move to another apartment in the next days and am currently spending all free time available with painting etc. I manage to maintain the request tracker but won't be able to do substantial work for the next 3-4 weeks.

As you may notice, the number of unsolved issues collected in the request tracker is increasing slowly and with each ticket 0.9.7 seems to become more difficult to reach. There will be a beta4 release for which I don't want to predict a schedule, then beta5 or release. But I wouldn't expect the final release to be available before November.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Any news on 0.9.7?
Hi,

Has anybody heard when the 0.9.7 baselevel might be released? I am currently at 0.9.6B (with the Security patches), and know that I have to upgrade. I would like to go directly to 0.9.7, but will stop at 0.9.6G if 0.9.7 looks to be months away.

Thanks,
Kevin Greaney.
Two certs created when signing .CSR with OPENSSL CA.
Hi,

I searched through the archives but could not find an answer to this one. I am trying to sign a certificate request using the OPENSSL CA command. Here is how I am specifying it:

$ openssl ca -config SSL$CA.CNF -out SIGNED.CRT -infiles REQUEST.CSR

This appears to work fine, creating a signed certificate called SIGNED.CRT. However, I also get a 01.PEM file that is an exact copy of SIGNED.CRT. Why am I getting this extra PEM file?

Thanks,
Kevin Greaney
C++ and E_OS2.H
Hi,

I was wondering if anybody has tried building the OpenSSL sources with Compaq's C++? I am running into a problem with the E_OS2.H file specifically. Below is the segment of code that is giving me a problem:

/* Definitions of OPENSSL_GLOBAL and OPENSSL_EXTERN,
   to define and declare certain global
   symbols that, with some compilers under VMS, have to be defined and
   declared explicitly with globaldef and globalref. On other OS:es,
   these macros are defined with something sensible. */

#if defined(VMS) && !defined(__DECC)
# define OPENSSL_EXTERN globalref
# define OPENSSL_GLOBAL globaldef
#else
# define OPENSSL_EXTERN extern
# define OPENSSL_GLOBAL
#endif

Looking at this code, I believe the !defined(__DECC) should actually be defined(__DECC) ( no ! ). C++ does not recognize globaldef and globalref, but it does recognize extern. Am I reading this correctly?

OpenSSL 0.9.5a 1 Apr 2000
built on: 12-FEB-2001 08:19:59.98
platform: VMS
options: bn(64,64) md2(int) des(ptr,risc1,16,long) blowfish(idx)
compiler:

The DECC compiler built the version above.

Thank you for your time.

Kevin.
RE: [ANNOUNCEMENT] OpenSSL 0.9.6a Beta 1 released
Hi,

I was able to download and build the OpenSSL 0.9.6A Engine kit on an OpenVMS V7.1-2 Alpha system with DEC C V6.0-001 and TCP/IP Services for OpenVMS Alpha V5.0A on an AlphaStation 200 4/166. But I ran into a problem when running the tests.

I used the following commands to build it:

$ define/system openssl_no_asm true
$ define/system openssl_no_idea true
$ @makevms/output=makevms.log all norsaref nodebug decc ucx nothread

I did receive the error about the undefined symbol OPENSSL_ISSETUGID. When I attempted to run the tests, @[.TEST]TESTS, I received the following error from TESTSS.COM. Is this the result of the undefined symbol??

I have included the log file of the build below.

Thanks,
Kevin

.
.
.
make a certificate request using 'req'
Using configuration from CAss.cnf
Generating a 512 bit RSA private key
.
writing new private key to 'keyCA.ss'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
Organization Name (eg, company) []:Dodgy Brothers
Common Name (eg, YOUR name) []:Dodgy CA
convert the certificate request into a self signed certificate using 'x509'
%SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=, PC=, PS=001B
Improperly handled condition, image exit forced.
Signal arguments: Number = 0005 Name = 000C 0001 001B
Register dump:
R0 = R1 = 0001 R2 = 00037DA0 R3 = 7AFF0E80 R4 = 00C8 R5 =
R6 = R7 = 0003 R8 = R9 = 0001 R10 = R11 = 00070100
R12 = 004B652E R13 = 004B654A R14 = R15 = R16 = 7AFF0E80 R17 = 00C8
R18 = R19 = R20 = 00F1 R21 = 79656B00 R22 = 0001 R23 =
R24 = 004B655D R25 = R26 = 0013FB38 R27 = R28 = 79656B00 R29 = 7AFF0E30
SP = 7AFF0E30 PC = PS = 301B

MAKEVMS.LOG
RE: make a ssl .pem cert
Jim,

Try out this link. I think you will find it useful. If not, please let me know.

http://www.openvms.compaq.com/openvms/products/ips/apache/csws_ssldoc.html

Kevin Greaney
OpenVMS Engineering
Compaq Computer Corp.

-----Original Message-----
From: Jim Hibbits [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 05, 2001 11:04 PM
To: [EMAIL PROTECTED]
Subject: Fw: make a ssl .pem cert

Hello group. Newbie here. I have the same question, but I'm on OpenVMS. I can't get a cert file to pass muster, the cert file reads fail, and the SSL_accept fails. Rather than put the details of the errors here, I'd think that I'd rather have a cookbook for a place to start, just so that the SSL code will be happy.

Thanks,
Jim Hibbits

----- Original Message -----
From: Scott Grayban
To: [EMAIL PROTECTED]
Sent: Monday, March 05, 2001 9:21 PM
Subject: make a ssl .pem cert

Ok, I have Openssl compiled on my windows machine. And I want to make a ssl cert for my webserver's. What is the process I need to go through to make a self-signed cert in the .pem format? I have tried the examples but I didn't understand them so maybe someone can explain the steps I need to go through.

Any help would be thankful.
Speed RSA4096 on VMS returns PRNG not seeded error.
Hi,

I have run into a problem with one of the OpenSSL Apps. When attempting to run the Speed App with the RSA4096 option, I ran into a PRNG not seeded error (see log below). I have setup a RANDFILE and it is pointed to be a system-wide logical. I also setup a .RND in my SYS$LOGIN directory and ran Speed from there. Neither random file made a difference.

The other thing that I can't explain is why when I just use $ OPENSSL SPEED or $ OPENSSL SPEED RSA, it does attempt the RSA4096 option. I'm sure it is because the code is smarter than I am. ;-)

I am running this on a VMS machine, AlphaStation400, running VMS V7.2. I am using OpenSSL 0.9.5A which was compiled with DEC C V6.2-008. BSAFE is patched in, and it happens if the /POINTER_SIZE is equal to 32 bits or 64 bits.

Any help will be greatly appreciated. Thank you.

Kevin.

$ openssl speed rsa4096
First we calculate the approximate speed ...
Doing 1 4096 bit private rsa's: RSA private encrypt failure
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:MD_RAND:546:
580911271:error:27067215::lib(39) :func(103) :reason(533):BSAFE:388:
1 4096 bit private RSA's in 0.50s
Doing 20 4096 bit public rsa's: RSA verify failure
580911271:error:04077077:rsa routines:RSA_verify:wrong signature length:RSA_SIGN:149:
580911271:error:04077077:rsa routines:RSA_verify:wrong signature length:RSA_SIGN:149:
1 4096 bit public RSA's in 0.00s
OpenSSL 0.9.5a 1 Apr 2000
built on: 14-FEB-2001 09:20:32.26
options:bn(64,64) md2(int) des(ptr,risc1,16,long) blowfish(idx)
compiler:
                  sign    verify    sign/s verify/s
rsa 4096 bits   0.0500s   0.0010s     20.0   1000.0
$
$
$ openssl speed rsa
First we calculate the approximate speed ...
Doing 327 512 bit private rsa's: 327 512 bit private RSA's in 15.20s
Doing 1638 512 bit public rsa's: 1638 512 bit public RSA's in 6.72s
Doing 40 1024 bit private rsa's: 40 1024 bit private RSA's in 9.34s
Doing 409 1024 bit public rsa's: 409 1024 bit public RSA's in 5.38s
Doing 5 2048 bit private rsa's: 5 2048 bit private RSA's in 8.18s
Doing 102 2048 bit public rsa's: 102 2048 bit public RSA's in 4.89s
OpenSSL 0.9.5a 1 Apr 2000
built on: 14-FEB-2001 09:20:32.26
options:bn(64,64) md2(int) des(ptr,risc1,16,long) blowfish(idx)
compiler:
                  sign    verify    sign/s verify/s
rsa  512 bits   0.0465s   0.0041s     21.5    243.8
rsa 1024 bits   0.2335s   0.0132s      4.3     76.0
rsa 2048 bits   1.6360s   0.0479s      0.6     20.9
$
$
$