Re: Crypt::SSLeay Raven conflict using apache and web services.
on 11/29/02 8:13, [EMAIL PROTECTED] purportedly said:

Myself and one of my companies' associates are in the process of implementing a connection between our systems using web services. Our associates are using Apache with the Raven SSL module and mod_perl. They are trying to connect to our system via a call through SOAP::Lite via HTTPS; this required the introduction of Crypt::SSLeay and OpenSSL. The problem is that when apache is running Raven and the web service client, implemented in perl, running under mod perl, tries to make a call via HTTPS it fails and gives an error stating this: "child pid 14308 exit signal Segmentation Fault (11)." If we disable raven the web service client connects without error; also if we make the call over standard HTTP it connects without error. It is just when Apache and the web service client are running SSL simultaneously. I am under the opinion that the two are fighting for a resource lower down the chain, but I do not have the expertise in these particular implementations of SSL software to know what both are precisely doing. I would like to know if anyone has heard of such a conflict and if there is possibly a known remedy for this problem. Any help would be greatly appreciated.

IIRC, mod_perl must be loaded in httpd.conf before Raven SSL. Also, Raven should probably be loaded as a DSO, as historically they have had many conflicts when installed statically.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: [Crypt::SSLeay] make test fails on Linux
on 10/29/02 11:44 AM, [EMAIL PROTECTED] purportedly said:

I've just found another post on the ml archives concerning my problem, but didn't find any reply, so:

root@hwsx:~/.cpan/build/Crypt-SSLeay-0.45# make test
PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib -I/usr/lib/perl5/i386-linux -I/usr/lib/perl5 -e 'use Test::Harness qw(runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/net_ssl...dubious
Test returned status 0 (wstat 11, 0xb)
t/ssl_context...dubious
Test returned status 0 (wstat 11, 0xb)
FAILED--2 test scripts could be run, alas--no output ever seen
make: *** [test_dynamic] Error 2

It can be many things. What URL did you provide for testing? Can you access that URL through your browser?

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: HTML works fine, PHP...not so good
This is not an SSL/openssl issue, but an Apache configuration issue. Make sure that your port 80 configuration (default host configuration or virtualhost configuration, as the case may be) is correct. Chances are, your document root directive is bad (doesn't hurt also to check permissions to make sure the Apache daemon can read its own document root). If you can't seem to figure it out, please submit your question to the appropriate list. This list is not for dealing with Apache configuration issues.

on 7/3/02 7:29 AM, [EMAIL PROTECTED] purportedly said:

At 03:18 PM 7/3/2002 +0200, you wrote:

Ryan Hagan [EMAIL PROTECTED] writes:

Greetings, I've installed OpenSSL (0.9.6c-2) along with sslwrap (2.0.6-5) and apache (1.3.24-3) and PHP (4.1.2-4) on a debian system. I created my own certificate with no problems, installed the necessary lines into my /etc/services file and ran the daemon in inetd.conf.

did you use debian packages? or you compiled packages your self?

I used debian packages.

Everything works great when I try to pull up HTML files using the HTTPS on my server, but as soon as I try to open up a PHP file, my browser says it can't find the file. So far, this happens with EVERY SINGLE php file. The exact error I get is:

The requested URL /test/test.php was not found on this server.

With /test/test.php being whatever php file I've tried to open. But as soon as I change the URL from HTTPS to HTTP it works fine. Any suggestions? Thanks a million!

do you have two servers? apache and apache-ssl? or just one?

Just one server.

Ryan Hagan
Pacificom Multimedia
[EMAIL PROTECTED]
540-553-2135

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: Crypt::SSLeay - net_ssl_test - Perl
on 6/6/02 9:45 AM, [EMAIL PROTECTED] purportedly said:

Hi. When using the net_ssl_test script I get this error:

WEB SITE: www.nwoasis.org:443
CIPHER: RC4-MD5
THIS IS: /C=US/O=BONNEVILLE POWER ADMINISTRATION/OU=BONNEVILLE POWER ADMINISTRATION/CN=www.nwoasis.org
CERTIFIED BY: /C=US/O=Digital Signature Trust Co./OU=TrustID Server/CN=TrustID Server CA A5

#!/usr/bin/ksh
export HTTPS_CA_FILE='./dt_ca.crt';
export HTTPS_CA_DIR='.';
export HOST='https://www.nwoasis.org';
./net_ssl_test -cert=./dt_cl.crt -key=./dt.key -d GET $HOST

SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello B
== FAILED TO CONNECT ==
Error: SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed at /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 215. ; at /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 146.

If I understand the process correctly, you must have the proper CA file for the particular CA, in this case Digital Signature Trust Co. If you are not acting as your own CA, you need to download the proper root CA from the certificate vendor.

Keary Suska
(719) 473-6431
Re: accept of SSLeay hangs up.
on 4/30/02 10:33 PM, [EMAIL PROTECTED] purportedly said:

Hi, if anybody know this problem, please give me some advice. I made a simple web server with SSLeay in perl, but sometime it hangs up. It hangs up in accept(). accept() calls read() system call and the read() system call is always waiting for coming data when it hangs up. I read a manual of SSLeay and I found Net::SSLeay::slowly. I set 1 on it. It looks slowdown, but hanging up doesn't happen so far. Did I choose a right solution?

Thank you,
Atsushi

I haven't done this, but it doesn't sound like this is the best solution. You may want to review the section on timing out slow operations as well as blocking/non-blocking I/O in the Programming Perl book. IIRC, this behavior with read() is not uncommon.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: libcrypto.so.2
on 2/11/02 9:13 PM, [EMAIL PROTECTED] purportedly said:

I am trying to install a VPN software package that requires libcrypto.so.2 and I having problems locating it... I have upgraded my openssl package to openssl.0.9.6.c and apparently libcrypto.so.2 did not come with that package. Does anyone know where I can get the libcrypto.so.2. ???

Did you build one yourself?

I could never find an up to date RPM. I had to roll my own, and force RPM to recognize legacy .so files. But of course, you can get the kaboom mentioned, but it's really just a matter of getting the source rpm's of the problem apps and rebuilding. That generally forces the app to re-link to the new libs, and I haven't had any problems doing this.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: Getting OpenSSL with Apache
on 2/1/02 2:22 PM, [EMAIL PROTECTED] purportedly said:

Cannot load /usr/local/apache_test/libexec/libssl.so into server

Have you verified that the usual symbolic links exist?

/usr/local/apache_test/libexec/libssl.so -> libssl.so.0
/usr/local/apache_test/libexec/libssl.so.0 -> libssl.so.0.9.6

and that the actual file is readable, non-empty, etc.?

Where does the system search for libssl.so.0.9.6?

Wherever it's told to. :-) Linux uses ld.so.conf; I don't recall what Solaris uses for the same purpose. But the error message suggests that it's looking in the right place, but some symbolic links are missing.

Actually, this is a confusing issue with mod_ssl. Mod_ssl creates its own dso for Apache, which it happens to call libssl.so. This is not the same as or has any relation to (besides possibly loading) the openssl shared library by the same name. If the mod_ssl dso exists in the required location, there was a problem with the compile, and there should be more log entries describing why it can't be loaded.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: mod_ssl + OpenSSL + Apache
on 2/1/02 11:23 PM, [EMAIL PROTECTED] purportedly said:

I recently have compiled Apache 1.3.22 with PHP 4.1.1, mod_ssl-2.8.5-1.3.22, mm-1.1.3, and OpenSSL 0.9.6c. The server starts fine with startssl, and I believe the httpd.conf has been setup correctly, but if I try to pull up a https://domain that is hosted on the box, I receive the following error:

[Sat Feb 2 01:05:37 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System and OpenSSL library errors follow)
[Sat Feb 2 01:05:37 2002] [error] System: Connection reset by peer (errno: 54)
[Sat Feb 2 01:05:37 2002] [error] OpenSSL: error:0200100D:system library:fopen:Permission denied
[Sat Feb 2 01:05:37 2002] [error] OpenSSL: error:20074002:BIO routines:FILE_CTRL:system lib
[Sat Feb 2 01:05:37 2002] [error] OpenSSL: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib

Has anyone else ever seen this before? Or have ideas of what to try to resolve this?

In my experience this problem is most likely because SSL session caching is not enabled or configured properly. Some browsers, most notably IE, require caching enabled on the server. Another issue could be the unclean shutdown habit of certain IE (again) versions. Normally, there are Apache directives to get around this.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: OffTopic: Base64 over HTTPS
on 1/30/02 7:03 AM, [EMAIL PROTECTED] purportedly said:

I am having trouble sending Base64 data over HTTPS POST. Does anybody have any sample code that can encode the Base64 to remove the reserved characters so that HTTP POST is possible

What's the problem you are having? As far as I know, there are no restrictions on the data portion of a post request. Since SSL is basically a tunneling protocol, it does not impact the content of HTTP messages.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: SQL DB instead of index.txt
on 1/28/02 9:10 AM, [EMAIL PROTECTED] purportedly said:

why not use an existing database abstraction layer such as libdbi or ODBC?

Too abstract - queries are done with SQL statements. That's not a problem with a RDBMS backend, but requires a lot of extra code with everything else. Even if you identify a set of standard query strings and use hardcoded strcmp(), maintenance is a nightmare.

Actually, not necessarily. As with other software that can use DB backends, simply expanding the configuration file options to include table and column names (notwithstanding connectivity parameters) will give a great amount of flexibility and at the same time liberate the details from the core code.

All you really need is a simple api: store(), remove(), lookup(), revoke() (or update()?), maybe a few more, and a dynamic library loader. And some configuration code that allows the user to specify which dynamic library to load. (Then again, in this case it may be okay to just create a symlink from some standard name to the desired dynamic library.)

I would imagine this is how it would be done internally in any case, whether as loadable or by a compile-time option. The issue would then be whether the openssl team would create the plugins, or leave it to third party developers. I suppose it is a quality control issue. But functionality such as I mention above will have to be incorporated into the core code or users will have to use whatever schema conventions the authors choose, or be forced to develop their own plugins.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: SSL.PM question
on 1/23/02 7:07 PM, [EMAIL PROTECTED] purportedly said:

On Wed, 23 Jan 2002 [EMAIL PROTECTED] wrote:

I'm using SSLeay along with Open SSl to retrieve https pages via SSL.pm. I'm not using a proxy, but in the runtime I get the familiar uninitialized variable message being displayed for a line in SSL.pm. I normally like to keep my executions clean and don't want uninit messages from coming up, so I would like to resolve this problem. I'm using 2.75 SSL.pm and the error is coming from line 363

$proxy_server =~ s|^https?://||i;

First, I haven't a clue as to what this statement is doing from the syntax. I'm guessing that it is doing a pattern search but the | are throwing me off. I too see from the code that it is trying to parse HTTPS_PROXY key value from the ENV hash. I put a value into the key value, (i.e. HTTPS_PROXY) but I still get the unit message. Could someone be so kind as to tell me what the statement is doing and how I might eliminate the message. Yes, I do know that I could remove -w on the execution to suppress the message.

This line is attempting a substitution -- the | characters are the regular expression delimiters (Perl is quite liberal in what characters are used in this context). The 'http' (with optional 's') and '://' are being replaced by a null string. The trailing 'i' indicates ignore case. So it is actually stripping the protocol information from the URL. The complaint is probably coming from the variable $proxy_server not being properly defined somewhere before this line, hence it cannot be bound to the substitution operator.

Actually, that is not exactly the issue. Perl has no problem using the variable, that's why it is issuing a warning instead of an error. The warning message is a very common one. It means that an operation is being performed on a variable that has a currently undefined value. Since Perl doesn't initialize variables on declaration, this has to be done manually.

You can search the code for where $proxy_server is declared (by a my(), local(), or our() statement), and right after it initialize it to an empty value:

$proxy_server = '';

That will remove the warning message. However, you should be aware that the code may expect the value to be undefined under certain circumstances. You may want to search for a call to defined on that variable. If you find one, you should change the troublesome line of code to:

$proxy_server =~ s|^https?://||i if defined $proxy_server;

and *not* initialize the variable as specified above. On second thought, you should do this anyway, as it is much safer overall.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: sslwrap prograqmm developed from Rick Kaseguma (www.rickk.com)
on 1/24/02 8:21 AM, [EMAIL PROTECTED] purportedly said:

Does anyone know about ssl proxy? and how can I find it? The program does know nothing about ssl and the sslproxy does the job. I want to connect to another ssl proxy which is based on the above program. Sorry if my question has no mean.

I haven't used ssl_proxy, but you can find it here: http://www.obdev.at/products/ssl-proxy/

Another product is stunnel, which you can find at: http://www.stunnel.org/

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Certificate validation
I am wondering if openssl can be used in an application such that a certificate is checked locally on application startup as a license verification measure. My idea is to install a certificate, then have the application validate it during launch to verify that execution is permitted. Is this possible to do without allowing a user on the machine to modify the certificate to circumvent this measure?

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: Apache mod-ssl: VirtualHost and certificates
More specifically, each SSL-enabled virtual host must have a unique public IP with certificates that include the domain name that corresponds to the address. You cannot have an SSL-enabled name-based virtual host.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Vadim Fedukovich [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 30 Nov 2001 11:00:07 +0200 (EET)
To: OpenSSL User List [EMAIL PROTECTED]
Subject: RE: Apache mod-ssl: VirtualHost and certificates

hi, this will work for unique port numbers only. Here's no chance to run a bunch of standard-SSL virtual hosts on one single 443 port and I guess it was the question. One could do that on different IP numbers

regards,
Vadim

On Fri, 30 Nov 2001, Amol Natu wrote:

Hi Shlomi

You would need to include certificate related directives under the section defined for each virtual host within the httpd.conf. e.g:

<VirtualHost server_name:port_number>
Port 'port_number'
ServerName server_name
SSLCertificateFile /location/certificate_file_name
SSLCertificateKeyFile /location/key_file_name
SSLCertificateChainFile /location/certchain_file_name
SSLCipherSuite ... ..
</VirtualHost>

Regards
Amol

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Shlomi
Sent: Friday, November 30, 2001 2:00 AM
To: [EMAIL PROTECTED]
Subject: Apache mod-ssl: VirtualHost and certificates

Hi all,

Does someone know if there is a way to use a certificate for each domain on a server which is configured to use VirtualHost (a single IP for all of the domains)? I am trying to configure Apache (mod-ssl) to use a certificate for each VirtualHost but without success. Each VirtualHost needs a private key and a certificate, but the browser receives the main certificate for all of the domains. How can I set it to send the relevant certificate for each domain?

Thank you in advance,
Shlomi.
Re: Problems with loading mod_ssl.so in Apache
It's been a while since I compiled mod_ssl but on my machine the .so is named libssl.so. The error message would seem to be indicative of a problem in the conf file, especially the invocation of mod_ssl, and not mod_ssl itself. But of course Microsoft hasn't cornered the market on uninformative error messages ;-) Have you verified that you have both a loadmodule and addmodule directive for mod_ssl? Have you verified that indeed the mod_ssl loadable is called mod_ssl.so and is located where the directive says it is relative to the server root (unless it is an absolute path)?

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: J. Schroeder [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Nov 2001 18:54:33 +0100
To: [EMAIL PROTECTED]
Subject: Problems with loading mod_ssl.so in Apache

Hi there,

i have a problem with Apache 1.3.20 and Mod_SSL. Apache is set up correctly, but when I try to load the mod_ssl.dso in Apache I get the error message:

Syntax error on line xyz in ... httpd.conf: Cannot load ... /modules/mod_ssl.so into server.. The module mod_ssl.so could not be found.

But why? This module is in the modules folder. When I try to load other modules into the server I do not get any errors. So please help me, what can I do to get this thing running...

Thank you!
Johnny
Re: https
Your CPAN is out of date. The current Crypt::SSLeay version is 0.35. Additionally, LWP recommends Crypt::SSLeay (see README.SSL in the source tree). I had problems in the past with both Net::SSLeay and Crypt::SSLeay installed when using LWP, which is why I recommended removing it. It's your choice which to use, though the read me states that Net::SSLeay doesn't directly support LWP, so I imagine you will get better results with LWP if you use the library recommended by the author.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Sean O'Riordain [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 21 Nov 2001 08:44:40 +
To: [EMAIL PROTECTED]
Subject: Re: https

Keary Suska wrote:

I would recommend that you remove Net::SSLeay and install Crypt::SSLeay. The former is no longer being maintained (and is considered deprecated), and may not function properly with newer openssl versions, but the latter is being actively maintained and I have been having good results from it.

'cording to my local CPAN, Net_SSLeay.pm-1.09.tar.gz is dated 25 Sep 2001 and Crypt-SSLeay-0.31.tar.gz is dated 21 Sep 2001 so not much difference there :-)

Sean
Re: Installation problem with OpenSSL..
If I would offer my best guess, I would say that your openssl libs were compiled for a CISC architecture (such as Intel), the key words 586 and little endian giving clue. I can't imagine how if you compiled the openssl libs yourself, but it could happen if you installed an RPM built for CISC. Another possibility is that the configure script couldn't correctly guess your architecture (isn't hardhat for embedded systems?), and made a bad guess, though I am surprised the compile would have succeeded. I would recommend to recompile openssl with linux-ppc as the target, and see if you get better results.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Sujatha Mukunthan [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 21 Nov 2001 10:08:23 +0100
To: [EMAIL PROTECTED]
Subject: Installation problem with OpenSSL..

Dear OpenSSL team,

I am a user of OpenSSH and when I try to self-compile openssh for my PowerPC, it needs also the OpenSSL libraries. So, due to the above reasons, I had to also get OpenSSL installed on my powerPC in order to get a running version of openSSL. But during the installation (at make) of openSSL, I have a problem. I have just pasted down the output which appeared after the make process on my PowerPC. Please do suggest me with some solutions.

PS: I had mounted the sources required for the OpenSSL for my PowerPC from a PC, where already a pre-compiled version of openSSH and OpenSSL were existing.

Yours sincerely,
Suja.

Output:

File in wrong format: failed to merge target specific data of file ../libcrypto.a(rc5_skey.o)
sh: syntax error near unexpected token `../libcrypto.a(r'
root:/openssh-2.9p1 /usr/powerpc-hardhat-linux/bin/ld: r586-elf.o: compiled for a little endian system and target is big endian
sh: /usr/powerpc-hardhat-linux/bin/ld:: No such file or directory
root:/openssh-2.9p1 File in wrong format: failed to merge target specific data of file ../libcrypto.a(r586-elf.o)

--
Sujatha Mukunthan
SW-Technology(PTT)
++41 (0)1 / 922 - 69 42 (Tel)
Siemens Building Technology AG
++41 (0)1 / 922 - 69 69 (Fax)
CH-8708, Switzerland.
mailto: [EMAIL PROTECTED]
Re: https
Yes, I am probably mistaken in that regard about the status of Net::SSLeay. I believe it was actually shelved for a while, and then picked up again, but this was some time ago and memory may not serve me. In any case, the issue is not operability with openssl, but with LWP. And as you can see from my previous email, it is best to use Crypt::SSLeay with LWP, at least according to the author of LWP.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Marko Asplund [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 21 Nov 2001 23:12:14 +0200 (EET)
To: OpenSSL [EMAIL PROTECTED]
Subject: Re: https

On Tue, 20 Nov 2001, Keary Suska wrote:

... I would recommend that you remove Net::SSLeay and install Crypt::SSLeay. The former is no longer being maintained (and is considered deprecated), and may not function properly with newer openssl versions, but the latter is being actively maintained and I have been having good results from it.

i'm using the latest Net::SSLeay version (1.08) with no problems and it does support OpenSSL v0.9.6b quite well. Net::SSLeay is maintained and not deprecated at all, IMHO.

--
aspa
Re: Questions - new compilation of mod_ssl-2.8.5
It is probably an Apache configuration issue. If there was a problem with your mod_ssl binary, Apache probably wouldn't load. Apache doesn't do SSL automatically. You have to specify it in the configuration. Have you looked at httpd.apache.org for documentation?

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Cdowns [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 19 Nov 2001 21:58:03 -0500
To: [EMAIL PROTECTED]
Subject: Questions - new compilation of mod_ssl-2.8.5

Evening,

I'm new to the list. I have an openssl question pointed to mod_ssl. I have compiled as stated by the INSTALL Doc in the mod_perl-2.8.5 /src tree. Everything seems to compile fine with no errors at all. When I issue /usr/local/apache/bin/apachectl startssl apache starts up and here is the connection status:

[root@mail1 bin]# ./apachectl startssl
./apachectl startssl: httpd started
[root@mail1 bin]# ps ax | grep httpd
5057 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
5058 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
5059 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
5060 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
5061 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
5062 ? S 0:00 /usr/local/apache/bin/httpd -DSSL

when I check for port 443 it's not starting up for some reason:

[root@mail1 bin]# netstat -na | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
[root@mail1 bin]# netstat -na | grep 443
[root@mail1 bin]#

Anyone have an idea? I'm sure this is a simple solution, I'm just doing something wrong I guess?

Sincerely,
~D
Re: openssl compile won't make .so
1. There is a specific reason that I am using rev a instead of rev b, and I didn't think it relevant to the problem. For the heck of it, I d/l and compiled rev b, with the exact same result.

2. I always do. That way I can archive it with the tarball for later inspection in case I need information on configuration and installation. For your information, the line is thus:

./Configure shared linux-ppc

3. You are not addressing my question. I have good reason to believe that openssl *won't* create shared objects on my system, for whatever reason. There is no indication in the configure or make output that indicates that it tries and fails, or addresses it at all, so I am relying on the Configure code itself. This is my assumption, rather erroneous or not, and hence my question is not "why is make failing" but "how can I get openssl to create shared objects even though it won't according to its configure script". I was hoping someone out there with superior programming experience could tell me how to hack the makefile to get shared objects created. I imagine it takes a bit more than just specifying -ldl and -fPIC to gcc, so I hoped someone could shed light on this.

There doesn't appear to be anything untoward happening, it is simply openssl does not even attempt to create a shared object. I would expect that if it tried to make an .so and failed, the make would fail, but the make always succeeds except that I only get static (.a) objects.

Relevant lines from Configure output:

Configuring for linux-ppc
IsWindows=0
CC=gcc
CFLAG =-DTHREADS -D_REENTRANT -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
EX_LIBS =
BN_ASM=bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
BF_ENC=bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB=/usr/bin/ranlib
PERL =/usr/local/bin/perl
THIRTY_TWO_BIT mode
BN_LLONG mode
RC4_CHUNK is undefined

As you can see, the required parameters -ldl and -fPIC for gcc to create .so are missing. They are also not present in the make output. And since these options above are exactly what the Configure script appears to set for my system in its code, I concluded that openssl won't create .so for my system.

If you would like to look at my config and make output in detail, I will gladly send it, though I don't think you will find anything untoward in it either. I may not be an expert *nix programmer, but I am no dummy, and I have been doing this for a while.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: J. Johnson [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 15 Nov 2001 22:57:23 -0800 (PST)
To: OpenSSL [EMAIL PROTECTED]
Subject: Re: openssl compile won't make .so

On Thu, 15 Nov 2001, Keary Suska wrote:

I need to have openssl 0.9.6a create dynamically shared libcrypto libssl, but it won't for my system (linux-ppc). Just about every other software I have compiled can create .so on my system without complaining, but why can't openssl? I tried to modify the Configure script, which hasn't worked, but I'm shooting in the dark since I don't know how the pieces are finally put together in the makefile. There have been RPMs for my system which install .so, so it has to be possible. Does anyone know how to force openssl to build shared objects (gcc 2.9.5, elf support available)?

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

1- Start over again with a clean install, this time of openssl-0.9.6b.

2- Put your configure command in a file, so that it's documented (and thoroughly examined before running).

3- Capture all of your output to a file, so you can meticulously examine it for errors and oddities afterwards, and so you'll have something to show us, so that _we_ don't have to shoot in the dark.

=== JJ =
openssl compile won't make .so
I need to have openssl 0.9.6a create dynamically shared libcrypto libssl, but it won't for my system (linux-ppc). Just about every other software I have compiled can create .so on my system without complaining, but why can't openssl? I tried to modify the Configure script, which hasn't worked, but I'm shooting in the dark since I don't know how the pieces are finally put together in the makefile. There have been RPMs for my system which install .so, so it has to be possible. Does anyone know how to force openssl to build shared objects (gcc 2.9.5, elf support available)?

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: Man in the middle attacks ?
Probably not, as long as the client can properly respond to a changed server key. For instance, in SSH2, the ssh client remembers the server's key on the first connection. The client can be configured to abort server connections when the key changes from a known value, or at the minimum the client is alerted that the server key has changed and has the option to abort, which they should unless they have received instructions otherwise from the sys admin. This flouts the traditional MITM attack. In SSL, this is prevented by peer certificate verification by the PKI system.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Pascal Janse van Vuuren [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Nov 2001 08:36:47 +1300
To: [EMAIL PROTECTED]
Subject: Man in the middle attacks ?

Hi all,

I'm not a real crypto expert. But, I'm facing a potential (?) problem. I've used OpenSSL to negotiate a secure control channel between two nodes of a private network. The generated private keys are encrypted with a specific password. Naturally, any secure system is only as strong as its weakest link, but yesterday one of our developers raised the following concern. (I've included his email below)

MITM is particularly an issue for a proxy product, particularly with a nat. One could write a proxy that provided this functionality! Consider this situation, a standard man in the middle:

1 Bob connects to the master.
2 Mary intercepts the connection, and makes her own connection to the master.
  Bob - Mary - Master
  Mary is acting like a transparent proxy, and Bob does not know.
3 Master sends Bob the public key.
4 Mary grabs it
5 Mary creates her own key pair and sends the public one to Bob.
6 Bob encrypts a new session key with Mary's public key, that he thinks is Master's key.
7 Mary decrypts the data, re-encrypts it with the Real Qbik master key and sends it.
8 Master is happy, and the session starts with the session key.

Mary has all the pieces of the puzzle. We can easily overcome this by using an extra level of security: Encrypting with a shared secret the initial public key that is transmitted.

Our key pairs are pre-generated, along with the associated, self-signed certificates. They won't be used in any other instance, but for negotiating this connection. After the control-channel has been negotiated, we do normal user/node authentication, etc.

Is this a vulnerability, or something we should be concerned about ?

Pascal
Qbik New Zealand
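The key-change check described in the reply above, applied to the pre-generated self-signed certificates from the question, as an added example that is not part of either message: `PinStore`, the peer name `master` and the byte strings are hypothetical stand-ins. It also shows that a pin learned on first contact only helps if that first contact was not intercepted.

```python
import hashlib
import hmac

class PinMismatch(Exception):
    """The presented certificate does not match the recorded pin."""

def fingerprint(cert_der: bytes) -> str:
    # A live client gets these bytes from ssl.SSLSocket.getpeercert(binary_form=True).
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Hypothetical known_hosts-style store: peer name -> certificate pin."""
    def __init__(self, trust_on_first_use: bool = False):
        self.trust_on_first_use = trust_on_first_use
        self._pins = {}
    def provision(self, peer: str, cert_der: bytes) -> None:
        self._pins[peer] = fingerprint(cert_der)  # installed out of band

    def verify(self, peer: str, cert_der: bytes) -> str:
        seen = fingerprint(cert_der)
        known = self._pins.get(peer)
        if known is None:
            if not self.trust_on_first_use:
                raise PinMismatch(f"no pin recorded for {peer}")
            self._pins[peer] = seen  # SSH-style: remember the first key seen
            return "first-use"
        if not hmac.compare_digest(known, seen):
            raise PinMismatch(f"certificate for {peer} changed")
        return "match"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
MASTER_CERT = b"constructed-der:master-self-signed"
MARY_CERT = b"constructed-der:substituted-by-intermediary"

def accepts(store: PinStore, peer: str, cert_der: bytes) -> bool:
    """True if the client would continue the handshake, False if it aborts."""
    try:
        store.verify(peer, cert_der)
    except PinMismatch:
        return False
    return True

def demo() -> tuple:
    pinned = PinStore()                       # pin installed before first use
    pinned.provision("master", MASTER_CERT)
    tofu = PinStore(trust_on_first_use=True)  # learns the pin on first contact
    return (accepts(pinned, "master", MASTER_CERT),  # real cert, pinned client
            accepts(pinned, "master", MARY_CERT),    # substituted cert, pinned client
            accepts(tofu, "master", MARY_CERT),      # substituted cert on first contact
            accepts(tofu, "master", MASTER_CERT))    # real cert afterwards
```

With the pin provisioned in advance the substituted certificate is refused; the first-use client accepts it and then rejects the genuine Master, which is the argument for distributing the pins of pre-generated certificates with the software.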
Re: Problem with installing Crypt::SSLeay
It appears that the SSLeay loadable is not being created:

'blib/arch/auto/Crypt/SSLeay/SSLeay.so'

If this file isn't there, try just running 'make' and look again. You could also do a 'find' in the source tree to see if it is being created elsewhere, but it shouldn't. Perhaps the makefile isn't making before make test.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Feng, James [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 31 Oct 2001 11:02:33 -0500
To: [EMAIL PROTECTED]
Subject: Problem with installing Crypt::SSLeay

Hi All,

When I tried to install Crypt::SSLeay on a Solaris 8 box, I got the following error at doing make test.

PERL_DL_NONLAZY=1 /usr/local/bin/perl -Iblib/arch -Iblib/lib -I/usr/local/lib/perl5/5.6.1/sun4-solaris -I/usr/local/lib/perl5/5.6.1 -e 'use Test::Harness qw(runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/ssl_context...Can't load 'blib/arch/auto/Crypt/SSLeay/SSLeay.so' for module Crypt::SSLeay: ld.so.1: /usr/local/bin/perl: fatal: libgcc_s.so.1: open failed: No such file or directory at /usr/local/lib/perl5/5.6.1/sun4-solaris/DynaLoader.pm line 206.
at blib/lib/Crypt/SSLeay/CTX.pm line 2
Compilation failed in require at blib/lib/Crypt/SSLeay/CTX.pm line 2.
Compilation failed in require at blib/lib/Crypt/SSLeay/MainContext.pm line 9.
BEGIN failed--compilation aborted at blib/lib/Crypt/SSLeay/MainContext.pm line 9.
Compilation failed in require at t/ssl_context.t line 3.
BEGIN failed--compilation aborted at t/ssl_context.t line 3.
t/ssl_context...dubious
Test returned status 255 (wstat 65280, 0xff00)
FAILED--1 test script could be run, alas--no output ever seen
make: *** [test_dynamic] Error 2

I have installed openssl 0.9.6 and tried to install Crypt::SSLeay 0.31. Please help and thanks in advance.

James Feng
Systems Architect
Covisint
Tel: (248)827-6031
Cell: (248)219-2565
Fax: (248)827-1731
e-mail: [EMAIL PROTECTED]
Re: Problem with installing Crypt::SSLeay
My bad, I was misreading the output. I think the other posters have it covered...

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Mark Strong [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 1 Nov 2001 08:44:19 +1100
To: [EMAIL PROTECTED]
Subject: RE: Problem with installing Crypt::SSLeay

Looks like your loader can't find libgcc_s.so.1 which is used by SSLeay.so, make a sym link to a lib path that it will look in (like /usr/local/lib). And then recompile Crypt::SSLeay. Then make test should work.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Feng, James
Sent: Thursday, 1 November 2001 7:49
To: Keary Suska
Cc: [EMAIL PROTECTED]
Subject: RE: Problem with installing Crypt::SSLeay

Hi Keary,

After I recompiled perl 5.6.1, I installed modules, URI, MIME-Base64, HTML-Parser, libnet and Digest-MD5, then I installed libwww-perl. When I tried to install SSLeay, at the point of 'make test' I still got the error I previously got but this time I did 'make install' anyway. It looked like it installed the module without complaint. Unfortunately when I tried to use LWP call to a https site I got the following error. Any ideas? Thanks.

Error:501 Can't locate object method new via package LWP::Protocol::https (perhaps you forgot to load LWP::Protocol::https?)

-Original Message-
From: Keary Suska [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 1:26 PM
To: [EMAIL PROTECTED]; Feng, James
Subject: Re: Problem with installing Crypt::SSLeay

It appears that the SSLeay loadable is not being created:

'blib/arch/auto/Crypt/SSLeay/SSLeay.so'

If this file isn't there, try just running 'make' and look again. You could also do a 'find' in the source tree to see if it is being created elsewhere, but it shouldn't. Perhaps the makefile isn't making before make test.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Feng, James [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 31 Oct 2001 11:02:33 -0500
To: [EMAIL PROTECTED]
Subject: Problem with installing Crypt::SSLeay

Hi All,

When I tried to install Crypt::SSLeay on a Solaris 8 box, I got the following error at doing make test.

PERL_DL_NONLAZY=1 /usr/local/bin/perl -Iblib/arch -Iblib/lib -I/usr/local/lib/perl5/5.6.1/sun4-solaris -I/usr/local/lib/perl5/5.6.1 -e 'use Test::Harness qw(runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/ssl_context...Can't load 'blib/arch/auto/Crypt/SSLeay/SSLeay.so' for module Crypt::SSLeay: ld.so.1: /usr/local/bin/perl: fatal: libgcc_s.so.1: open failed: No such file or directory at /usr/local/lib/perl5/5.6.1/sun4-solaris/DynaLoader.pm line 206.
at blib/lib/Crypt/SSLeay/CTX.pm line 2
Compilation failed in require at blib/lib/Crypt/SSLeay/CTX.pm line 2.
Compilation failed in require at blib/lib/Crypt/SSLeay/MainContext.pm line 9.
BEGIN failed--compilation aborted at blib/lib/Crypt/SSLeay/MainContext.pm line 9.
Compilation failed in require at t/ssl_context.t line 3.
BEGIN failed--compilation aborted at t/ssl_context.t line 3.
t/ssl_context...dubious
Test returned status 255 (wstat 65280, 0xff00)
FAILED--1 test script could be run, alas--no output ever seen
make: *** [test_dynamic] Error 2

I have installed openssl 0.9.6 and tried to install Crypt::SSLeay 0.31. Please help and thanks in advance.

James Feng
Systems Architect
Covisint
Tel: (248)827-6031
Cell: (248)219-2565
Fax: (248)827-1731
e-mail: [EMAIL PROTECTED]
Re: Can not make it with OpenSSL 0.9.6b
I don't know about #1, but #2 is because the ar command either isn't installed or isn't in your path. It is usually under /usr/ccs/bin/ on Solaris, which isn't normally in your path. You can use whereis or find to see if it's installed, and modify PATH accordingly.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Jie Dai [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 29 Oct 2001 18:13:35 -0800
To: [EMAIL PROTECTED]
Subject: Can not make it with OpenSSL 0.9.6b

Hi,

I am really new. Tried to install OpenSSL 0.9.6b on Solaris, the following has happened:

1. when config the system, sun4u-whatever-solaris2, solaris-sparcv9-gcc was detected. However, at the end, I have got a warning:

Makefile = Makefile.ssl
make[1]: Leaving directory `/home/.../jiedai/openssl-engine-0.9.6b/tools'
make: warning: Clock skew detected. Your build may be incomplete.
Configured for solaris-sparcv9-gcc.

Does it affect anything?

2. Even worse, when I run make, the following has happened:

...
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c -o ex_data.o ex_data.c
gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c -o tmdiff.o tmdiff.c
ar r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
make[1]: ar: Command not found
make[1]: *** [lib] Error 127
make[1]: Leaving directory `/home/.../jiedai/openssl-engine-0.9.6b/crypto'
make: *** [sub_all] Error 1

Based on the information in the Archive (27. 2000-10-26 Link problems on Solaris, solution), I have tried to change the Configure file accordingly. But still get the same error. Can anybody help me out. Thanks very much.

Jie Dai