Re: [openssl-users] Migrating to openssl 1.1.1 in real life linux server

On Tue, Sep 11, 2018, 13:10 Kurt Roeckx wrote: > On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote: > > Hello, > > > > What is the better way, for anyone running, by example, Apache or nginx > on > > a popular Linux districution (Ubuntu, Debian, Suse) and want support TLS > > 1.3 ? > >

Re: [openssl-users] Static FIPS Library with Address Randomization

On Fri, Mar 17, 2017 at 12:06 PM, Michael Wojcik wrote: > >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf >> Of Neptune >> Sent: Friday, March 17, 2017 09:26 >> To: openssl-users@openssl.org >> Subject: [openssl-users] Static FIPS Library

Re: [openssl-users] Removing some systems

Just FTR... http://www.osnews.com/story/28933/Blue_Lion_new_OS_2_distribution_due_2016 Not that I'd take that as a mandate to preserve support... We are having the same internal dialog at the ASF httpd project and coming to the same conclusions. On Mar 17, 2016 1:36 PM, "Salz, Rich"

Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6

On Tue, 21 May 2013 16:12:45 +0530 Abhijit Ray Chaudhury abhijit.ray.chaudh...@gmail.com wrote: Hi, I have compiled openssl-fips and openssl in Windows CE 6. But when I run fips_premain_dso.exe libeay32.dll in target environment I get following error: =

Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6

On Tue, 21 May 2013 16:12:45 +0530 Abhijit Ray Chaudhury abhijit.ray.chaudh...@gmail.com wrote: Which means GetProcAddress is failing for symbol name FINGERPRINT_premain. But if I do dumpbin /exports libeay32.dll, I can see the symbol FINGERPRINT_premain exported. Quote that output line from

Re: Can't start Apache when ssl is enabled on RHEL v5.7

/dev/random is your culprit... your config isn't 100% transportable between Solaris and linux. Sent from my Verizon Wireless 4G LTE Phone -Original message- From: Ruiyuan Jiang ruiyuan_ji...@liz.com To: openssl-users@openssl.org openssl-users@openssl.org Sent: Mon, Jan 23, 2012

Re: Failing to build OpenSSL 1.0.0f on obsolete Debian box (i386, kernel 2.0.36)

On 1/18/2012 9:57 AM, Brooke, Simon wrote: Sadly, removing -fomit-frame-pointer does not work. Isn't that the default behavior for -O3? __ OpenSSL Project http://www.openssl.org User Support

Re: FW: FIPS validation and TLS 1.2

On 11/1/2011 8:35 PM, Bin Lu wrote: Do you have an answer for my question below? Is the fips-2.0-test code branched off from a FIPS-capable version? Which version is it based on if yes? AIUI, fipscanister doesn't include TLS 1.2. Nor 1.0, nor SSLv3 or v2. That's the beauty of proper

Re: FIPS-capable OpenSSL that works on Windows NT

On 10/5/2011 10:08 AM, Dr. Stephen Henson wrote: On Tue, Oct 04, 2011, William A. Rowe Jr. wrote: On 10/4/2011 10:45 PM, Bill Durant wrote: But when I run it under Windows NT, I get the following run-time error: The procedure entry point Module32NextW could not be located

Re: FIPS-capable OpenSSL that works on Windows NT

On 10/4/2011 10:45 PM, Bill Durant wrote: Does anyone know how to produce a FIPS-capable OpenSSL that works on Windows NT? It's likely not possible... But when I run it under Windows NT, I get the following run-time error: The procedure entry point Module32NextW could not be

Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?

On 5/7/2011 7:16 AM, Justin Schoeman wrote: It does not matter which of these I try, openssl always binds to '::1:8008', which does not accept IPV4. I have tried various combinations of: BIO_new_accept(0.0.0.0:8008) This syntax should have bound to all IPv4 interfaces alone, so as

Re: FIPS compliance question regarding openssl distributions

On 3/6/2011 3:48 PM, Tim Hudson wrote: In the example of building the openssl FIPS *capable* distribution, it seems one should take the distribution from the official openssl.org/source website and validate it using PGP. However, FreeBSD ships openssl distribution within its source tree.

Re: OpenSSL with Managed C++

On 1/31/2011 1:07 PM, John R Pierce wrote: On 01/31/11 10:55 AM, Harshvir Sidhu wrote: Hi, Can we use OpenSSL lib with Managed C++? Thanks. can you call native C style DLL's from this 'Managed C++' (whatever that is) ? my initial google of 'Managed C++' indicates its a Microsoft .NET

Re: OpenSSL 0.9.7

On 1/6/2011 12:23 PM, Garry S Ditzler wrote: Can you tell me if OpenSSL 0.9.7 is still supported? Yes, the answer is no, it is not. __ OpenSSL Project http://www.openssl.org User Support Mailing

Re: OpenSSL 1.0.0b testssl fails

On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote: A 1.0.0c release is planned in the next few days. We're just seeing if any other issues arise before the release: a couple have been fixed already. Have any observed issues affected 0.9.8p? If so, is there a planned .8q?

Re: OpenSSL 1.0.0b testssl fails

On 11/18/2010 12:05 PM, Victor Duchovni wrote: None that are publically visible. You can check for yourself: No commits to the 0.9.8 branch after the release of 0.9.8p. http://cvs.openssl.org/chngview?cn=19996 I was aware of this. It's why I raised the question, if any of these were

Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X

On 10/13/2010 3:31 PM, Bill Durant wrote: I am interested in building the static version of the FIPS-capable OpenSSL as an universal binary. Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to the security policy. Then it's possible but non-trivial to integrate these

Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X

On 10/13/2010 7:22 PM, Bill Durant wrote: On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote: On 10/13/2010 3:31 PM, Bill Durant wrote: I am interested in building the static version of the FIPS-capable OpenSSL as an universal binary. Three builds, per spec, of the FIPS canister

Re: DLL issues with Windows

On 9/30/2010 11:42 AM, Jakob Bohm wrote: In Windows XP, Microsoft introduced their own badly designed idea of versioned so-names in the form of so-called Assemblies. Unless you are writing .NET code, you should really avoid that nonsense. I expect SxS packages for openssl (and several other

Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz

On 8/3/2010 1:17 PM, William A. Rowe Jr. wrote: On 8/3/2010 10:05 AM, Bryan wrote: I see a fips directory in 0.9.8o. If I'm building OpenSSL with FIPS on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile? This is well documented in the FIPS user guide and security policy

Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz

On 8/3/2010 10:05 AM, Bryan wrote: I see a fips directory in 0.9.8o. If I'm building OpenSSL with FIPS on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile? This is well documented in the FIPS user guide and security policy, and if you haven't read them in detail, what you are

Re: RPMBuild for FIPS OpenSSL

On 7/9/2010 9:05 AM, Steve Marquess wrote: Mark Parr wrote: Use of the FIPS OpenSSL is a mandated thing and not just something that we are looking to do for the fun of it. In fact, the base OpenSSL was working fine using the FIPS AES 256 encryption in a non FIPS Certified mode. ... Yes,

Re: error from generated code in ntdll.mak

On 6/24/2010 4:04 AM, Deckers, Rob wrote: Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp IF EXIST out32dll\libeay32.dll.manifest mt -nologo -manifest out32dll\libeay32.dll.manifest -outputresource:out32dll\libeay32.dll;2 mt: Unknown option -n Usage: mt

Re: How to attach source code in a debug build(Win32 Visual C++)?

On 6/17/2010 10:10 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of JC Yang Sent: Wednesday, 16 June, 2010 23:53 Hi, I'm new to openssl. I've just compiled openssl with Visual C++ 2008, I've read the installation guide and added the debug

Re: Up-to-date Tutorial

On 6/16/2010 12:10 PM, Dr. Stephen Henson wrote: Those for the bleeding egde development version are also available online too, see: http://www.openssl.org/docs/ the API doesn't change that much so those will be largely accurate for older versions of OpenSSL. The examples at the bottom of

Re: unable to build dynamic library on HP-UX RISC and Itanium

On 6/2/2010 11:08 AM, Alona Rossen wrote: Building dynamic library on HP-UX fails despite I explicitly specify ‘shared’ as Configure argument: ./Configure hpux64-ia64-cc -D_REENTRANT shared Why are you adding -D for _REENTRANT? I did a very similar build last week, no such problems, would

Re: unable to build dynamic library on HP-UX RISC and Itanium

On 6/2/2010 4:04 PM, Alona Rossen wrote: This is a suggested configuration. -D stands for preprocessor define. The reason I ask is that the entries in Configure should provide the necessary defines, and if not, that is a bug. As it was 'suggested', we'll just presume things are fine w/w-o it.

Re: server side renegotiation

On 4/15/2010 12:42 PM, Adam Grossman wrote: hello, i had my code running on 0.9.8e without any issues. i upgraded to 0.9.8n, and now when my server initiates a renegotiation with the client (which is either IE or Firefox), SSL_renegotiation returns a 0. i understand from the CHANGELOG the

Re: ERROR LINK2019

On 4/13/2010 4:49 PM, 芦翔 wrote: Dear all, I am trying to add the security flavor to an application. To achieve this objective, I wrote the codes to establish a security tunnel between the server and the client with VC2008. When I build the whole project, there are tens of similar errors.

Re: does bio_get_mem_data handle unicode?

On 4/7/2010 12:33 PM, Ryan Pfeifle wrote: While we are on the subject of Unicode, there are other areas of OpenSSL that need Unicode support added, in particular handling of paths and filenames on UTF16-based filesystems that require wchar_t* parameters. For instance, on Windows, OpenSSL

Re: OpenSSL 1.0.0 and FIPS

On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote: I assume the 2010 limit on new validations is the impending finalization of 140-3. What you are thinking of won't be designated 140-3, it's not sequential, there is such a FIPS level already. Probably FIPS-{new}-2 or FIPS-140-2 2010 or

Re: OpenSSL 1.0.0 and FIPS

On 3/31/2010 4:21 PM, Gatewood (Woody) Green wrote: Actually, no 140-3 will be successor to 140-2 which is successor to 140-1. The hyphenated number is a release version. Woody, thanks for this clarification... You are trying to talk about FIPS 140-2, Level 3 certification in your

Re: FIPS linked as a shared library

On 1/18/2010 2:42 PM, Kyle Hamilton wrote: The way that the FIPS module verifies its signature is that it forces itself to load (via a pre-main() section) and then calculate the checksum of the image in-core. Probably the reason why you're running into issues is because of the fixup step of

Re: CryptoAPI calls failing in rand_win on Windows 7

James Baker wrote: The problem does occur with full admin privileges. To be 100% clear, this is full admin with no UAC? UAC will drop privilege of an app seemingly running as 'administrator'. __ OpenSSL Project

Re: FIPS OpenSSL compilation error

Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Pankaj Aggarwal Sent: Tuesday, 25 August, 2009 05:06 I am using cygwin on windows xp to compile FIPS Openssl 1.2 using Visual studio 2005. Apparently you mean cygwin _perl_. The MS compiler and

Re: FIPS OpenSSL compilation error

William A. Rowe, Jr. wrote: Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Pankaj Aggarwal Sent: Tuesday, 25 August, 2009 05:06 I am using cygwin on windows xp to compile FIPS Openssl 1.2 using Visual studio 2005. Apparently you mean cygwin _perl_

Re: openssl 0.9.8D, Solaris 10 difficulties

[EMAIL PROTECTED] wrote: In the previous post, another subscriber suggested patching SunStudio 11. I applied all the patches I could find on SunSolve (namely, 120761-03, 121023-04, and 122142-03.) I'm getting the same result, so I'm really baffled at this point. Any suggestions would be

Re: 0.9.8d compile and/or test problems with Solaris 10 compiler on sparc v9

Michael Durket wrote: There seem to be a few problems successfully building OpenSSL on a Sun T2000 running Solaris 10 using the Sun Studio 11 compiler suite. I ignored those warnings and ran make which appeared to work. However, after doing a 'make test' I received this error:

Re: SSLv3 handshaking fails on solaris

Because Solaris has a loop unroll optimization bug. Apply all the latest patches to SunStudio 11 and it should work. Please check back in to let us know. It's a really high level bug - because it hit both sparc and x86 :) Donny Dinh wrote: I managed to get the solaris build to work properly

Re: WIN32 winsock vs winsock2 coexistence?

Michael - just to rest your mind - you might want to examine both wsock32.dll and winsock2.dll using DEPENDS.EXE. You'll find the results are interesting :) __ OpenSSL Project

Re: WIN32 winsock vs winsock2 coexistence?

Brown, Michael A wrote: I’m looking at an app where the app and all libs/DLLs it uses EXCEPT openssl use ws2_32, and openssl uses wsock32. Is this a problem or can the two coexist peacefully? It makes me somewhat uneasy. Well, using winsock period makes me uneasy ;-) Seriously - no - there's

Re: Question reagrding OpenSSL recent security advisory

Marek Marcola wrote: Hello, I have read the advisory an I am a bit puzzled regarding the there are CAs using exponent 3 in wide use comment, I have tried to check and could not found any CA using this exponent, all the CA’s I have seen are using 0x10001 (CA’s I have generate by OpenSSL using

Re: license question

Ryan Shon wrote: I work for nFocal, a company in Rochester, New York. We want to develop a variant of OpenSSL in which we optimize the cryptography library to run on a particular DSP. The other components of OpenSSL would remain unchanged except where needed to utilize our custom library.

Re: Hiding headers for OpenSSL

Thomas J. Hruska wrote: Now compare that number to how many hackers know and care about the same information. None. If an exploit exists, it will be exploited. You are a fool if you expect that a hacker would rely on the reported version number to elect one of the dozens of past exploits.

Re: CHecking the version of OpenSSL

Randy Turner wrote: I would probably consider the publishing of the openssl version on the web server announcment message as a security issue. And some of us would laugh in your general direction ;-) Exploiters don't need to know, they can just persist till they find a known exploit.

Re: Last call to BIO_read in loop freezes

David Schwartz wrote: Notice the two persistent connection headers returned? And, in practice, the connection is in fact persistent. If you were correct, the server would ignore the Connection header since it has no meaning. Try it without a connection header and you will see the

Re: How to verify OpenSSL lib version from autoconf?

httpd's scripts are known to the autoconf community as gross bastardizations of intent of autoconf, so forwared ;-) But they do illustrate verifying the version of openssl, take a look at APACHE_CHECK_SSL_TOOLKIT in; http://svn.apache.org/repos/asf/httpd/httpd/trunk/acinclude.m4 Matt England

Re: Reading/Writing to disk files on Windows...

Kendall, Jerry wrote: Now, I have a Unix Project that runs wonderfully on Linux/Aix/Solaris….. There are two lines of code that cause a windows exception. PEM_write_PrivateKey(fp, NewKeyReq, Cipher, GetCode(0),strlen(GetCode(0)), NULL, NULL); PEM_write_X509(fp, x509_Cert); Did you

Re: FIPS 1.1 module availability

I heard 'very soon now' :) Tinnerello, Richard wrote: Can anyone say when the openssl-fips-1.1.tar.gz distribution announced on Saturday will be available for download? Thanks! Richard __ OpenSSL Project

Re: Is FIPS 140-2 Validation violated

Kyle Hamilton wrote: It will violate the FIPS security policy. That much has been stated, but there's been no workaround that I'm aware of to select alternate options like that. Right, not with openssl ./config. However, some folks might want to consider if their compiler environment can be

Re: 0.9.8b windows binaries

hunter wrote: On 5/7/06, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Typically one links to the static library then, which of course will only link in .obj files that are consumed. One bit of OpenSSL magic are the seperate objects which create a (relatively) quite small binary

Re: 0.9.8b windows binaries

Mike Ehlert wrote: but what I'm after now is some information on any tricks to compiling the DLL's with only the features needed for my application to reduce their size. Typically one links to the static library then, which of course will only link in .obj files that are consumed. One bit of

Re: setup question

Bill Angus wrote: I'm having a little trouble with setting up a secure server on windows with openssl and Apache2 + Mod_SSL. Well, you are in the wrong place, this should be on [EMAIL PROTECTED] Neverminding that blunder, and possibly aggrivating your good openssl user supporters by

Re: setup question

William A. Rowe, Jr. wrote: Bill Angus wrote: I'm having a little trouble with setting up a secure server on windows with openssl and Apache2 + Mod_SSL. The config I am attempting to use for the secure directory is as below. listen 443 ... VirtualHost *:443 Why *:443? stop and consider

Re: OpenSSL fips 1.0 Borland Builder 5

Rovan, Jim (IMS) wrote: When I attempt to follow the instructions from the Compilation of OpenSSL-fips-1.0 under Windows thread (2006-03-31) to build fips OpenSSL for Borland Builder 5, I can make it through the point where I run ms\do_nasm fips to create bcb.mak for the 0.9.7 snapshot. But

Re: Addendum, make report included

[EMAIL PROTECTED] wrote: I am unable to install openssl 0.9.8a as I sent earlier. Here is make report: Compiler: gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) EEEK! 2.91? Really? Try a more modern compiler that understands modern assembly syntax.

Re: How to debug into the OpenSSL(openssl-0.9.8a) source code

Jie Zhang wrote: Hello everybody, I am not able to debug into the OpenSSL library(openssl-0.9.8a) with my Microsoft Visual C++ .net IDE. But during my application execution, I got: 'alfssl2_server.exe': Loaded 'C:\Jie\vscode\alfssl2_work_client\Debug\ssleay32.dll', Symbols loaded.

Re: How to debug into the OpenSSL(openssl-0.9.8a) source code

Venkata Sairam wrote: I am also encountering the same problem. I tried adding in options as suggested. I had modified the CFLAG and LFLAG as below. CFLAG= /MD /Ox /O2 /Zi /Oy /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32

Re: Updating OPENSSL

Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Sat, 18 Mar 2006 02:27:18 -0500, Hector Santos [EMAIL PROTECTED] said: ssluser I have multiple applications using OPENSSL 0.9.7c and I'm finally getting ssluser around to updating it. ssluser ssluser Can I just use the new

Re: GNU C (MinGW) - Error 2

Doug Frippon wrote: I mean instead of just writting tmp\e_os.h in your config file ( there one probably) write down c:\openssl-0.9.8a\tmp\e_os.h maybe mingw32 couldn't find tmp\e_os.h and need the full path to that file Certain that \o isn't a quoted o in this context? Forward or doubled-back

Re: Compiled on windows but lacking symbols

Chandi Bernier wrote: My point was... why on Linux did I need only libssl and to compile the same client on Windows/MinGW requires libssl and libeay32. Something's wrong. You either want libssl + libcrypto, or libssl32 + libeay32. On Linux the reason it -probably- worked is that 1.

Re: Compiled on windows but lacking symbols

William A. Rowe, Jr. wrote: Chandi Bernier wrote: My point was... why on Linux did I need only libssl and to compile the same client on Windows/MinGW requires libssl and libeay32. Something's wrong. You either want libssl + libcrypto, or libssl32 + libeay32. Whoops - you either want

Re: compile error in randfile.c on Solaris 10 Opteron

Tinnerello, Richard wrote: Hello, I'm having trouble building 0.9.7i on a Solaris 10 on x86 (Opteron) machine. I configured manually with: ./Configure solaris-x86-gcc --prefix=/sci/openssl-0.9.7i no-idea no-rc5 no-mdc2 fiips make depend is OK, but make gets this compile error:

Re: Trying to build OpenSSL 0.9.8a from source

Fabro, Loic wrote: Hum... I remove support for IDEA (and no fPIC) and now the test is segfaulting.. make clean make depends ? __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: function PEM_read_RSAPrivateKey not returning

Matthias wrote: Kyle Hamilton wrote: Did you make sure to remove %SYSTEMROOT%\system32\ssleay32.dll and libeay32.dll? Just running the uninstaller doesn't get rid of them. No, I forgot that. Sorry, my fault. I now replaced those two DLLs with the ones I compiled myself. Good news: in

Re: function PEM_read_RSAPrivateKey not returning

Matthias wrote: I deleted all ssl-related DLLs on my system now. When I compile OpenSSL as described in INSTALL.W32, point the include library directory of my example program on openssl\out32dll, recompile my example program, copy the 2 DLLs from openssl\out32dll to my example project

Re: Problems with deprecated kbhit() under MS VC/C++ V8.0 (Visual Studio 2005)

Daniel Maag wrote: Hi, I am trying to compile OpenSSL V0.9.8a. Visual Studio 2005 has several functions deprecated (read,write,fileno). Honestly, I don't believe that OpenSSL should waste cycles to support any compiler that deliberate moves away from posix. Fairly certain it's MS's goal

Re: SSL v2/3 and TLS.. How to be flexible?

TLSv1_server_methods() do not speak the crufty old SSLv2 garbage, you can't connect to it using a multi-protocol handshake. For maxiumum portability use SSLv23_server_methods() On the client side it doesn't matter, if you want a TLSv1 connection only, then by all means use

Re: servername extension and apache 2.2.0

If you want to submit and have considered by the httpd project, perhaps you ment to submit it there? Nice work b.t.w. Bill Peter Sylvester wrote: Hello, I just have put together the small patch for apache 2.2.0 which allows to use the sernername extension logic in the development snapshot

Re: how to install MOD_SSL on Windows2003 server .. plz help!

kadir iscmng wrote: I downloaded and installed SFU35SEL_EN.exe (Windows Services for UNIX) software I'll just warn you you've wandered deep, deep into uncharted waters :) The native win32 build is the only one most folks support. Some have invested effort and energy into getting 1.3 cygwin

Re: How to build openssl for Mac-Intel computers

Jörg Eyring wrote: Hi everybody, we have a new platform - Macs with Intel processors. Is there a chance to build a static library (i386 code) for linking in Xcode 2.2? A static library with ppc code has been done already. I'd like to end up with a Universal Binary of my code. For fun;

Re: OpenSA patching

Bernhard Froehlich wrote: Dan Peacock wrote: I've got a production site running OpenSA 1.0.4 (which uses OpenSSL 0.9.6c, Apache 1.3.27, and mod_ssl 2.8.11) and we need to upgrade it to plug the security holes that this version has. Is there anything that I can do to upgrade this install? Can

Re: (export control) AES 128 bit

Dudue Doo wrote: I would like to implement a C++ program that will use openssl to encrypt packets using AES 128 bit key. However, the problem is that I live in the US. Does this mean that I will be breaking the export control law if I put the program on a server for others to download? I