Re: intermittent Apache/OpenSSL error hangs server

2020-01-09 Thread Hubert Kario

On Thursday, 9 January 2020 17:42:47 CET, Jerry Blasdel wrote:

> Here is more information.  On the server that is having this issue, prior
> to the FIPS_drbg_generate errors (these show up every time that worker pid
> is selected to serve a request) we have a single OpenSSL error that shows
> up in the logs.
>
> SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise
> test failed
>
> Once we get that error, every time we try to serve a request in Apache
> using that pid, it errors out.  So, it seems like something randomly
> corrupts that PID.  Can someone provide some information about
> FIPS_CHECK_EC: pairwise test failed?

I would try to eliminate a hardware issue as a possible cause: run memcheck,
cpu stress tests, etc.

> Thanks
>
> On Tue, Jan 7, 2020 at 7:21 AM Jerry Blasdel  wrote:
>
>> I have several servers configured the same, running Apache
>> 2.4X/OpenSSL1.02 fips-enabled.
>>
>> On one server we periodically get the following errors in the Apache logs:
>>
>> SSL Library Error: error:xx:FIPS_drbg_generate:selftest failed.  In
>> some cases, the server continues to service requests, but in
>> other cases ...





--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic



Re: intermittent Apache/OpenSSL error hangs server

2020-01-09 Thread Salz, Rich via openssl-users
>Once we get that error, every time we try to serve a request in Apache using 
>that pid, it errors out.  So, it seems like something randomly corrupts that 
>PID.  Can someone provide some information about FIPS_CHECK_EC: pairwise test 
>failed?

Once FIPS detects an error, it will stay stuck in error-state until you 
re-initialize.  Sorry, can’t provide more details about the specific test 
that’s failing.


Re: intermittent Apache/OpenSSL error hangs server

2020-01-09 Thread Jerry Blasdel
Here is more information.  On the server that is having this issue, prior
to the FIPS_drbg_generate errors (these show up every time that worker pid
is selected to serve a request) we have a single OpenSSL error that shows
up in the logs.

SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise
test failed

Once we get that error, every time we try to serve a request in Apache
using that pid, it errors out.  So, it seems like something randomly
corrupts that PID.  Can someone provide some information about
FIPS_CHECK_EC: pairwise test failed?

Thanks

On Tue, Jan 7, 2020 at 7:21 AM Jerry Blasdel  wrote:

> I have several servers configured the same, running Apache
> 2.4X/OpenSSL1.02 fips-enabled.
>
> On one server we periodically get the following errors in the Apache logs:
>
> SSL Library Error: error:xx:FIPS_drbg_generate:selftest failed.  In
> some cases, the server continues to service requests, but in other cases
> the server hangs and will not process requests until the worker pid
> receiving the error is killed, or a kill -HUP is issued on the Apache root
> pid.
>
> I see someone else had a similar issue but I can't find any resolution.
>
> https://mta.openssl.org/pipermail/openssl-users/2016-October/004657.html
>
> Other information...
>
> We have looked at the entropy on the server when it is working properly vs
> when it hangs and could not find any big differences.
>
> Also, SSLRandomSeed is configured for startup and connect in Apache.
>
> Any help would be appreciated.
>
> Thanks
>


intermittent Apache/OpenSSL error hangs server

2020-01-07 Thread Jerry Blasdel
I have several servers configured the same, running Apache 2.4X/OpenSSL1.02
fips-enabled.

On one server we periodically get the following errors in the Apache logs:

SSL Library Error: error:xx:FIPS_drbg_generate:selftest failed.  In
some cases, the server continues to service requests, but in other cases
the server hangs and will not process requests until the worker pid
receiving the error is killed, or a kill -HUP is issued on the Apache root
pid.

I see someone else had a similar issue but I can't find any resolution.

https://mta.openssl.org/pipermail/openssl-users/2016-October/004657.html

Other information...

We have looked at the entropy on the server when it is working properly vs
when it hangs and could not find any big differences.

Also, SSLRandomSeed is configured for startup and connect in Apache.

Any help would be appreciated.

Thanks


Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-18 Thread Chris B
Thank you to everyone that has weighed in on my question.  Unfortunately, I
have yet to find an answer that I'm fully satisfied with.

I'm trying a different approach: I would like to create a sample encrypted
Ethereum private key that shares the same 132 character PEM format as the
string I'm trying to decrypt.  I can then attempt to decrypt that string
with an incorrect password, and see if I get the EVP_DecryptFinal_ex:wrong
final block length error.  Does that make sense?

Here's my basic approach.  I'm starting with Vincent Kobel's excellent
"Create a Full Ethereum Wallet, Keypair and Address" article (
https://kobl.one/blog/create-full-ethereum-keypair-and-address/)

He creates a 132-character PEM formatted unencrypted private key with this
command:

openssl ecparam -name secp256k1 -genkey -noout

Unless I have completely failed at reading the man page correctly, there's
no way to assign a password from the ecparam command.

I write the 132 character unencrypted private key (not the -BEGIN/END
EC PRIVATE KEY-  characters) to a file named sample_pk.pem and I
encrypt it with openssl:

openssl enc -e -aes-256-cbc -a -in sample_pk.pem -out sample_epk.pem -pass
pass:secret


I now have a 256 character encrypted private string.  (Note, the string
length is 256 characters whether I use AES-128 or AES-256.  That's probably
obvious to all of you, but it wasn't to me).

If I decrypt that string with the correct password


openssl enc -d -aes256 -a -in sample_epk.pem -out recovered.key -pass
pass:secret


I get my original unencrypted private key back.  Excellent!


However, if I decrypt that string with an incorrect password:

openssl enc -d -aes256 -a -in sample_epk.pem -out recovered.key -pass
pass:secr3t

I get a new error message:

EVP_DecryptFinal_ex:bad decrypt


And, that message does not match the EVP_DecryptFinal_ex:wrong final block
length error message I was hoping to get.


I think that all that I have proven with this exercise is that the original
unencrypted private key was:


   - not a 132 character PEM formatted unencrypted private key
   - and/or
   - it was not encrypted using the -aes-256-cbc encryption algorithm

So, on to the question!  Can anyone help me figure out how to create an
Ethereum private key such that when it is encrypted it is a 132 character
long PEM formatted string?

Alternately, is there a process for taking an encrypted string, and
"backing in" to the details of how it was created?  (ie what algorithm,
etc?)

Thanks,
Chris


On Mon, Jan 15, 2018 at 2:01 PM, Chris B 
wrote:

> Hi Daniel,
>
> >Option #1 from the possibilities you mentioned below seems to be the
> most logical to me.
> Thank you, that's very helpful.
>
> Thanks,
> Chris
>
> On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel  wrote:
>
>> On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
>>
>> Hi Matt,
>>
>> >If you *are* using 1.1.0 then the default digest was changed between
>> 1.0.2 and 1.1.0.
>> Awesome thought, but I'm also using 1.0.2:
>>
>> $ openssl version
>>
>> OpenSSL 1.0.2k-fips  26 Jan 2017
>>
>> (I also tried adding -md md5 to the previous command, but I got the same
>> error message).
>>
>>
>> Option #1 from the possibilities you mentioned below seems to be the most
>> logical to me. If you use the wrong key, the padding data in the last block
>> will also be decrypted to the wrong values, so the padding block check will
>> fail. The padding is a necessary part of decryption because it needs to
>> know how much plaintext is actually represented by that last block.
>>
>>
>> > I'm not sure how to interpret that output. I could interpret it as:
>> > o Your system for decrypting the password is perfect, but: this is not
>> > the right password.
>> > o There's something wrong with the EPK -- its length must be a multiple
>> > of the AES block length.
>> > o There's something wrong with the unencrypted private key -- its length
>> > must be a multiple of the AES block length.
>> > o Something else entirely
>>
>>
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-15 Thread Chris B
Hi Daniel,

>Option #1 from the possibilities you mentioned below seems to be the most
logical to me.
Thank you, that's very helpful.

Thanks,
Chris

On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel  wrote:

> On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
>
> Hi Matt,
>
> >If you *are* using 1.1.0 then the default digest was changed between
> 1.0.2 and 1.1.0.
> Awesome thought, but I'm also using 1.0.2:
>
> $ openssl version
>
> OpenSSL 1.0.2k-fips  26 Jan 2017
>
> (I also tried adding -md md5 to the previous command, but I got the same
> error message).
>
>
> Option #1 from the possibilities you mentioned below seems to be the most
> logical to me. If you use the wrong key, the padding data in the last block
> will also be decrypted to the wrong values, so the padding block check will
> fail. The padding is a necessary part of decryption because it needs to
> know how much plaintext is actually represented by that last block.
>
>
> > I'm not sure how to interpret that output. I could interpret it as:
> > o Your system for decrypting the password is perfect, but: this is not
> > the right password.
> > o There's something wrong with the EPK -- its length must be a multiple
> > of the AES block length.
> > o There's something wrong with the unencrypted private key -- its length
> > must be a multiple of the AES block length.
> > o Something else entirely
>
>
>


Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-15 Thread Sands, Daniel
On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
Hi Matt,

>If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 
>1.1.0.
Awesome thought, but I'm also using 1.0.2:

$ openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017

(I also tried adding -md md5 to the previous command, but I got the same error 
message).

Option #1 from the possibilities you mentioned below seems to be the most 
logical to me. If you use the wrong key, the padding data in the last block 
will also be decrypted to the wrong values, so the padding block check will 
fail. The padding is a necessary part of decryption because it needs to know 
how much plaintext is actually represented by that last block.


> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely



Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-14 Thread Chris B
Hi Matt,

>If you *are* using 1.1.0 then the default digest was changed between 1.0.2
and 1.1.0.
Awesome thought, but I'm also using 1.0.2:

$ openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017

(I also tried adding -md md5 to the previous command, but I got the same
error message).

Thanks,
Chris

On Sun, Jan 14, 2018 at 6:03 PM, Matt Caswell  wrote:

>
>
> On 14/01/18 15:26, Chris B wrote:
> > I'm trying to help someone recover his password for an older format
> > ethereum encrypted private key (EPK). My plan has been to use his best
> > guess at the password to brute force the actual password.
> >
> > The EPK is a 132 character string, and it looks something like this:
> > U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ
> 9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+
> EAy0tYb7Wtv2+IRWZzcpsE8e2a
> >
> > (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
> >
> > This article
> > (https://www.reddit.com/r/Bitcoin/comments/3gwdge/
> importing_old_encrypted_private_keys/)
> > seems to describe a very similar EPK. The author of that post decrypted
> > their key with the following command:
> >
> > openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass
> pass:"PASSWORD_HERE"
> >
> > I have tried this same approach, but I'm getting an error:
> >
> > EVP_DecryptFinal_ex:wrong final block length
>
> What version of OpenSSL are you using? The quoted article was written 2
> years ago so definitely wasn't using OpenSSL 1.1.0. If you *are* using
> 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Old
> OpenSSL "enc" output defaulted to md5. The current default is sha256:
>
> https://www.openssl.org/docs/faq.html#USER3
>
> Try adding "-md md5" onto your command line.
>
> Matt
>
>
> >
> > Here's an example:
> >
> > /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
> > recovered.key -pass pass:TheBig7ebowski
> >
> > And here's the output:
> >
> > bad decrypt
> >
> > 140220549330848:error:0606506D:digital envelope
> > routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
> >
> > I'm not sure how to interpret that output. I could interpret it as:
> > o Your system for decrypting the password is perfect, but: this is not
> > the right password.
> > o There's something wrong with the EPK -- its length must be a multiple
> > of the AES block length.
> > o There's something wrong with the unencrypted private key -- its length
> > must be a multiple of the AES block length.
> > o Something else entirely
> >
> > Can anyone help me understand how to interpret this error message?
> >
> > Thanks,
> > Chris
> >
> >


Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-14 Thread Matt Caswell


On 14/01/18 15:26, Chris B wrote:
> I'm trying to help someone recover his password for an older format
> ethereum encrypted private key (EPK). My plan has been to use his best
> guess at the password to brute force the actual password.
> 
> The EPK is a 132 character string, and it looks something like this:
> U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
> 
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
> 
> This article
> (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK. The author of that post decrypted
> their key with the following command:
> 
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"
> 
> I have tried this same approach, but I'm getting an error:
> 
> EVP_DecryptFinal_ex:wrong final block length

What version of OpenSSL are you using? The quoted article was written 2
years ago so definitely wasn't using OpenSSL 1.1.0. If you *are* using
1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Old
OpenSSL "enc" output defaulted to md5. The current default is sha256:

https://www.openssl.org/docs/faq.html#USER3

Try adding "-md md5" onto your command line.

Matt


> 
> Here's an example:
> 
> /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
> recovered.key -pass pass:TheBig7ebowski
> 
> And here's the output:
> 
> bad decrypt
> 
> 140220549330848:error:0606506D:digital envelope
> routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
> 
> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely
> 
> Can anyone help me understand how to interpret this error message?
> 
> Thanks,
> Chris
> 
> 


Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-14 Thread Chris B
>Any chance this is data corruption?

Brilliant!  You caught me.  Although this key is encrypted I wasn't
comfortable making it public on the interwebs.  So, I randomly changed
several of the characters.  If I run openssl base64 -d... on the *actual*
key it does indeed begin with Salted__:

$ openssl base64 -d -in enc_private_key.txt | od -c


000   S   a   l   t   e   d   _   _


>You could try a dictionary attack on the actual 132-byte string, after
base64-decoding,
>provided it is not corrupted.

This is basically what I was trying to do, although I was simply running a
few hundred thousand strings that are related to the best guess password,
rather using a dictionary attack.

Is there a better command to proceed with a brute force attack than this
one?

/usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
recovered.key


As I understand:

   - openssl enc -d => decrypt using openssl
   - -aes-256-cbc   => use the AES 256 CBC algorithm
   - -a             => base64 decrypt
   - -in            => read the encrypted string from enc_private_key.txt
   - -out           => write the unencrypted string to recovered.key

I tried running openssl in two steps: first doing the base64 decoding, then
decrypting with -aes256, which I believe is functionally the same as the
command mentioned above:

$ openssl base64 -d -in enc_private_key.txt | openssl enc -d -aes256 -out
recovered.key

enter aes-256-cbc decryption password:

bad decrypt

139845090879392:error:0606506D:digital envelope
routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:

Which brings me back to the original question.  Does anyone know how to
interpret "EVP_DecryptFinal_ex:wrong final block length"

Thanks!
-Chris

On Sun, Jan 14, 2018 at 11:21 AM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:

>
>
> > On Jan 14, 2018, at 10:26 AM, Chris B 
> wrote:
> >
> > I'm trying to help someone recover his password for an older format
> ethereum encrypted private key (EPK). My plan has been to use his best
> guess at the password to brute force the actual password.
> >
> > The EPK is a 132 character string, and it looks something like this:
> U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ
> 9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+
> EAy0tYb7Wtv2+IRWZzcpsE8e2a
> >
> > (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
>
> This input is base64 encoded:
>
> $ openssl base64 -d < U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCK
> Dy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE
> 8e2a
> END
> 000S   a   l   t   e   t   _   _   9   3 326  \0   k 375 273 246
> 020a   / 027   0 271 246 242 310 343 025 253 003 252   . 031   P
> 040  261 320   G 211 366 317 003 315 341 256 006 326  \t   <   0 212
> 060  017   -   & 363   L 257 035 324 030  \f 303 332 370   |   /ؓ
> 100   **   ۸  **   b   M 241   C   ! 025   j   \   A   m   U 027 000
> 120   \0 313   K   X   o 265 255 277   o 210   E   f   s   r 233 004
> 140  361 100 232
>
> This does indeed look a lot like "openssl enc" output:
>
> $ echo foobar | openssl enc -aes256 -pass pass:foobar | od -c
> 000S   a   l   t   e   d   _   _ 263   f 243  \0 242   ~ 031   3
> 020  266 035   Y 310 367 300 366 264 247   :   $   s 236 266   4 340
> 040
>
> Except that for some reason the "d" in "Salted" is a "t".  Funny that these
> are the voiced and unvoiced variants of the same consonant, but note also
> that the ASCII code for 'd' = 0x64 and 't' = 0x74, so this is a 1 bit
> change.
> Any chance this is data corruption?
>
> >
> > This article (https://www.reddit.com/r/Bitcoin/comments/3gwdge/
> importing_old_encrypted_private_keys/)
> > seems to describe a very similar EPK.
>
> In that sample, the base64-decoded data starts with "Salted__" as expected.
>
> > The author of that post decrypted their key with the following command:
> >
> > openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass
> pass:"PASSWORD_HERE"
>
> Hard to say whether that's correct, rather depends on the format of
> "FILE_OF_KEYS".
> You could try a dictionary attack on the actual 132-byte string, after
> base64-decoding,
> provided it is not corrupted.
>
> --
> Viktor.
>


Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-14 Thread Viktor Dukhovni


> On Jan 14, 2018, at 10:26 AM, Chris B  wrote:
> 
> I'm trying to help someone recover his password for an older format ethereum 
> encrypted private key (EPK). My plan has been to use his best guess at the 
> password to brute force the actual password.
> 
> The EPK is a 132 character string, and it looks something like this: 
> U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
> 
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)

This input is base64 encoded:

$ openssl base64 -d < 
> This article 
> (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK.

In that sample, the base64-decoded data starts with "Salted__" as expected.

> The author of that post decrypted their key with the following command:
> 
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"

Hard to say whether that's correct, rather depends on the format of 
"FILE_OF_KEYS".
You could try a dictionary attack on the actual 132-byte string, after 
base64-decoding,
provided it is not corrupted.

-- 
Viktor.
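
The two structural checks raised in this thread (does the base64-decoded data start with "Salted__", and is the ciphertext a whole number of cipher blocks) can be made on the blob itself, with no password involved. The following is an added example, not code from any poster or from OpenSSL; `inspect_enc_blob` and `make_constructed_blob` are hypothetical names, and the only real input is the sample string exactly as it was posted.

```python
import base64

MAGIC = b"Salted__"   # marker `openssl enc` writes in front of the salt
SALT_LEN = 8          # bytes of salt that follow the marker
AES_BLOCK = 16        # AES block size in bytes (same for AES-128 and AES-256)

# Sample string as posted in the thread (132 characters).
POSTED_EPK = (
    "U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ"
    "9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+"
    "EAy0tYb7Wtv2+IRWZzcpsE8e2a"
)


def bit_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def inspect_enc_blob(b64_text):
    """Check the layout of base64 `openssl enc` output without any key.

    Layout assumed: 8-byte marker, 8-byte salt, then CBC ciphertext.
    """
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(raw) < len(MAGIC) + SALT_LEN:
        raise ValueError("too short to hold the Salted__ marker and salt")

    header = raw[:len(MAGIC)]
    salt = raw[len(MAGIC):len(MAGIC) + SALT_LEN]
    ciphertext = raw[len(MAGIC) + SALT_LEN:]
    remainder = len(ciphertext) % AES_BLOCK
    bit_errors = bit_distance(header, MAGIC)

    findings = []
    if bit_errors:
        findings.append(
            "marker is %r, %d bit(s) away from %r: data altered or corrupted"
            % (header, bit_errors, MAGIC)
        )
    if remainder or not ciphertext:
        # A partial trailing block is rejected before padding is examined,
        # so the result is the same for every password.
        failure = "wrong final block length"
        findings.append(
            "ciphertext is %d bytes, %d past a block boundary: CBC decryption "
            "fails for any password" % (len(ciphertext), remainder)
        )
    else:
        # Whole blocks: a wrong password is (almost always) caught by the
        # padding check on the last block instead.
        failure = "bad decrypt"
        findings.append(
            "ciphertext is %d whole blocks: a wrong password shows up as a "
            "padding failure" % (len(ciphertext) // AES_BLOCK)
        )

    return {
        "total_bytes": len(raw),
        "magic_bit_errors": bit_errors,
        "salt_hex": salt.hex(),
        "ciphertext_len": len(ciphertext),
        "block_remainder": remainder,
        "expected_failure": failure,
        "findings": findings,
    }


def make_constructed_blob(blocks=3):
    """Constructed, well-formed container: marker + salt + filler blocks."""
    body = MAGIC + bytes(range(SALT_LEN)) + bytes(AES_BLOCK * blocks)
    return base64.b64encode(body).decode("ascii")


if __name__ == "__main__":
    samples = (("posted", POSTED_EPK), ("constructed", make_constructed_blob()))
    for name, blob in samples:
        report = inspect_enc_blob(blob)
        print(name, report["total_bytes"], "bytes ->", report["expected_failure"])
        for line in report["findings"]:
            print("   ", line)
```

On the posted string this reports 99 decoded bytes, of which 83 are ciphertext, so the length alone accounts for "wrong final block length" independently of the password.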



Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-14 Thread Chris B
Hi Rich,

Thank you very much for the reply.

I get the same error message using -aes256 as -aes-256-cbc

/usr/bin/openssl enc -d -aes256 -a -in enc_private_key.txt -out
recovered.key -pass pass:TheBig7ebowski


bad decrypt

140383648536480:error:0606506D:digital envelope
routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:

Thanks,
Chris

On Sun, Jan 14, 2018 at 10:39 AM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:

> For CBC the encrypted text will be a multiple of the cipher size.  So your
> use of CBC is wrong.  The quoted post uses aes256; you were using aes-cbc
>
>
>


Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-14 Thread Salz, Rich via openssl-users
For CBC the encrypted text will be a multiple of the cipher size.  So your use 
of CBC is wrong.  The quoted post uses aes256; you were using aes-cbc



[openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-14 Thread Chris B
I'm trying to help someone recover his password for an older format
ethereum encrypted private key (EPK). My plan has been to use his best
guess at the password to brute force the actual password.

The EPK is a 132 character string, and it looks something like this:
U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a

(That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)

This article (
https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
seems to describe a very similar EPK. The author of that post decrypted
their key with the following command:

openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"

I have tried this same approach, but I'm getting an error:

EVP_DecryptFinal_ex:wrong final block length

Here's an example:

/usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
recovered.key -pass pass:TheBig7ebowski

And here's the output:

bad decrypt

140220549330848:error:0606506D:digital envelope
routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:

I'm not sure how to interpret that output. I could interpret it as:
o Your system for decrypting the password is perfect, but: this is not the
right password.
o There's something wrong with the EPK -- its length must be a multiple of
the AES block length.
o There's something wrong with the unencrypted private key -- its length
must be a multiple of the AES block length.
o Something else entirely

Can anyone help me understand how to interpret this error message?

Thanks,
Chris


Re: [openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

2016-02-19 Thread Dr. Stephen Henson
On Fri, Feb 19, 2016, Neptune wrote:

> failedcert.crt <http://openssl.6102.n7.nabble.com/file/n63828/failedcert.crt> 
>  
> 
> Hello all,
> I've attached a .crt certificate file that we are experiencing a problem
> with. When trying to process this certificate using the PKCS7_decrypt( )
> function. The error string is:
> 
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
> 
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was hoping
> someone would be nice enough to inspect this file and verify if there is any
> non-FIPS-iness. I don't want to point fingers at the environment without
> proof.
> 

Well that link is not a certificate but a PKCS#7 signed data structure whose
content is itself a PKCS#7 enveloped data structure.

You mentioned PKCS7_decrypt() so that may be a reference to the inner content.
Analysing that with asn1parse shows that it is using single DES as the content
encryption algorithm (56 bits) which is not approved in FIPS mode. So I
suspect that is the cause.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

2016-02-19 Thread Neptune
failedcert.crt <http://openssl.6102.n7.nabble.com/file/n63828/failedcert.crt>  

Hello all,
I've attached a .crt certificate file that we are experiencing a problem
with. When trying to process this certificate using the PKCS7_decrypt( )
function. The error string is:

OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error

This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
to glean any specified error that would verify this suspicion. I was hoping
someone would be nice enough to inspect this file and verify if there is any
non-FIPS-iness. I don't want to point fingers at the environment without
proof.

Thanks for any help!



--
View this message in context: 
http://openssl.6102.n7.nabble.com/OPENSSL-error-21072077-PKCS7-routines-PKCS7-decrypt-in-FIPS-mode-tp63828.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


[openssl-users] Cannot clear error OpenSSL Error Stack

2015-01-29 Thread Tsakiridis, Antonios
Hello,

After getting an error in the verify callback of my server saying that the 
presented client certificate is expired, I cannot clear the openssl error stack.

The reason I want to do that is because I want to be able to override (under 
specific circumstances) the default OpenSSL behavior that rejects a connection 
from a client who presents an expired certificate. The way I have tried to do 
that is to return 1 from the verification callback when openssl passes 'ok' 
argument as 0 (i.e. failed verification). I would expect that returning 1 
signifies success and hence the error stack is cleared, however I found out 
that calling SSL_get_verify_result() after the verification callback still 
returns an error. Why is that?

Please note that I'm using openssl 0.9.8

Thanks a lot in advance,
Antonis


Re: openssl error

2013-10-23 Thread eurospoofer
I was getting the same error.  Changed a setting in the openssl.cnf that
fixed it:

Locate the line:
default_md  = default

Change it to:

default_md  = md5





--
View this message in context: 
http://openssl.6102.n7.nabble.com/openssl-error-tp1994p47008.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl error

2013-10-23 Thread Aleks
Thanks for the response, but it didn't work; same error.


2013/10/23 eurospoofer eurospoo...@gmail.com

> I was getting the same error.  Changed a setting in the openssl.cnf that
> fixed it:
>
> Locate the line:
> default_md  = default
>
> Change it to:
>
> default_md  = md5
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/openssl-error-tp1994p47008.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.



Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

2013-10-10 Thread Viktor Dukhovni
On Wed, Oct 09, 2013 at 10:46:35PM -0700, Jeremy Friesner wrote:

> > With SSL sessions created via SSLv23_method(), use of this primitive
> > will lead to the failure in question when invoked before the SSL
> > session has switched to SSLv3, TLSv1, ?
>
> Aha!  Yes, that appears to be my problem.  As a simple workaround,
> I changed my code to call SSLv3_method() instead, and now everything
> is working perfectly.  Thanks so much for your help!  :^)

A better solution is to not call SSL_pending() until the SSL
handshake completes.  For now you should keep track of whether
SSL_accept() has completed for a given session, and refrain from
SSL_pending() until then.

By using SSLv3_method() you don't get to take advantage of improvements
in TLSv1, TLSv1.1 or TLSv1.2.  You only get SSLv3.  SSLv3 is
obsolete, you should be using TLS 1.0 or later.

It is perhaps by now a reasonable feature request to ask the OpenSSL
developers for an alternative to SSLv23_method() that also negotiates
multiple protocol versions, but starts with TLSv1 as the lowest
supported version.  Perhaps call it TLS_method().  One gets a close
approximation to this with the options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
but as we see some subtle differences remain.

Also perhaps the SSL_pending() function should not fail in such a
surprising way.  When called before the handshake has completed,
it should perhaps simply return 0.

-- 
Viktor.
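
Why a stray SSL_pending() call on a new connection can surface as an SSL_read() failure on an established one, as an added example that is not code from this thread or from OpenSSL: a simplified, self-contained model in which all struct and function names are assumptions. It relies on two facts about the real library: the error queue is per thread, and SSL_get_error() reports SSL_ERROR_SSL whenever that queue is non-empty; with real OpenSSL the handshake_done test corresponds to SSL_is_init_finished().

```c
#include <stddef.h>

/* Simplified model, NOT OpenSSL code: struct and function names are
 * assumptions that loosely mirror the ssl_locl.h excerpt quoted in this thread. */
struct conn;
typedef int (*pending_fn)(const struct conn *);

struct method { const char *name; pending_fn ssl_pending; };

struct conn {
    const struct method *method; /* swapped once a protocol version is chosen */
    int handshake_done;
    int buffered;                /* decrypted bytes waiting to be read */
};

enum { MODEL_ERROR_NONE, MODEL_ERROR_SSL, MODEL_ERROR_WANT_READ, MODEL_ERROR_SYSCALL };

/* One error queue per thread, shared by every connection that thread serves. */
static int g_err_queue_len;

static int undefined_pending(const struct conn *c)
{
    (void)c;
    g_err_queue_len++;           /* "called a function you should not call" */
    return 0;
}

static int real_pending(const struct conn *c) { return c->buffered; }

static const struct method negotiating_method = { "v23",  undefined_pending };
static const struct method tls1_method        = { "tls1", real_pending };

void conn_init(struct conn *c)
{
    c->method = &negotiating_method;
    c->handshake_done = 0;
    c->buffered = 0;
}

void conn_finish_handshake(struct conn *c)
{
    c->method = &tls1_method;
    c->handshake_done = 1;
}

/* What the server in the thread did: ask unconditionally. */
int pending_unguarded(const struct conn *c) { return c->method->ssl_pending(c); }

/* The recommended fix: nothing can be pending before the handshake is done. */
int pending_guarded(const struct conn *c)
{
    return c->handshake_done ? c->method->ssl_pending(c) : 0;
}

/* Models how a failed read is classified: a non-empty error queue wins over
 * "would block", whichever connection put the entry there. */
int classify_read(int ret, int would_block)
{
    if (ret > 0) return MODEL_ERROR_NONE;
    if (g_err_queue_len != 0) return MODEL_ERROR_SSL;
    return would_block ? MODEL_ERROR_WANT_READ : MODEL_ERROR_SYSCALL;
}

/* Established client A is mid-transfer when client B is accepted; the select()
 * loop polls "pending" on every connection, then A's read would block. */
int accept_during_traffic(int use_guard)
{
    struct conn a, b;

    g_err_queue_len = 0;
    conn_init(&a);
    conn_finish_handshake(&a);
    conn_init(&b);                       /* B has not negotiated a version yet */

    if (use_guard) { pending_guarded(&a);   pending_guarded(&b); }
    else           { pending_unguarded(&a); pending_unguarded(&b); }

    return classify_read(-1, 1);         /* A's next read: no data yet */
}
```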


Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

2013-10-10 Thread Jeremy Friesner

On Oct 9, 2013, at 10:59 PM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:
> A better solution is to not call SSL_pending() until the SSL
> handshake completes.  For now you should keep track of whether
> SSL_accept() has completed for a given session, and refrain from
> SSL_pending() until then.

Agreed, but my code never calls SSL_accept(); instead it just calls
SSL_set_accept_state() during setup.  Given that, I'm not sure how to
detect that the handshake has completed.  Is there a way to know?

> By using SSLv3_method() you don't get to take advantage of improvements
> in TLSv1, TLSv1.1 or TLSv1.2.  You only get SSLv3.  SSLv3 is
> obsolete, you should be using TLS 1.0 or later.

I see.

> Also perhaps the SSL_pending() function should not fail in such a
> surprising way.  When called before the handshake has completed,
> it should perhaps simply return 0.

Agreed.  I've sent a bug report to r...@openssl.org requesting that.

-Jeremy


RE: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

2013-10-09 Thread elaine ossipov
Jeremy,
I am very interested in the 25% scenarios you are referring to here.
What browser were you using?  Where were you trying to connect to, what
operating system were you trying to connect to?
I was reading up on extended certs today and found out some interesting
information from the Gibson Research Corp.

Best Regards,
~elaine.


Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

2013-10-09 Thread Jeremy Friesner
Hi Elaine,

No browser, just a client and server program I wrote myself (in C++) that I'm 
trying to upgrade to support SSL.   (They both previously worked over vanilla 
TCP connections only, but I'm adding SSL transport as an option)

For this test, both the client and server are running on my Mac Mini (OS/X 
10.8.5), but I've seen similar problems when testing the same software under 
Linux, so I don't think the problem is operating-system specific.

If you're interested in trying to reproduce the fault yourself, let me know and 
I can upload the code I'm testing with.

Cheers,
Jeremy

On Oct 9, 2013, at 7:19 PM, elaine ossipov ela...@aspwired.com wrote:

> Jeremy,
> I am very interested in the 25% scenarios you are referring to here.
> What browser were you using?  Where were you trying to connect to, what
> operating system were you trying to connect to?
> I was reading up on extended certs today and found out some interesting
> information from the Gibson Research Corp.
>
> Best Regards,
> ~elaine.



Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

2013-10-09 Thread Viktor Dukhovni
On Wed, Oct 09, 2013 at 07:54:34PM -0700, Jeremy Friesner wrote:

> If you're interested in trying to reproduce the fault yourself,
> let me know and I can upload the code I'm testing with.

Are you using SSL_pending(), BIO_pending() or anything similar
anywhere in your code?

With SSL sessions created via SSLv23_method(), use of this primitive
will lead to the failure in question when invoked before the SSL
session has switched to SSLv3, TLSv1, ...

Though I would expect the failure to occur on access to just the
new session, not already established sessions, unless they're in
the middle of a handshake...

ssl/ssl_locl.h:

    #define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
    const SSL_METHOD *func_name(void)  \
            { \
            static const SSL_METHOD func_name##_data= { \
                    TLS1_2_VERSION, \
                    tls1_new, \
                    tls1_clear, \
                    tls1_free, \
                    s_accept, \
                    s_connect, \
                    ssl23_read, \
                    ssl23_peek, \
                    ssl23_write, \
                    ssl_undefined_function, \
                    ssl_undefined_function, \
                    ssl_ok, \
                    ssl3_get_message, \
                    ssl3_read_bytes, \
                    ssl3_write_bytes, \
                    ssl3_dispatch_alert, \
                    ssl3_ctrl, \
                    ssl3_ctx_ctrl, \
                    ssl23_get_cipher_by_char, \
                    ssl23_put_cipher_by_char, \
                    ssl_undefined_const_function, \
                    ...

The ssl_undefined_const_function above is the ssl_pending
function for the SSL method in question.  Presumably it is updated
to a more appropriate value (typically ssl3_pending) once a particular
protocol is selected.

    int ssl_undefined_const_function(const SSL *s)
            {
            SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
            return(0);
            }

The method-specific ssl_pending function is used in:

    int SSL_pending(const SSL *s)
            {
            /* SSL_pending cannot work properly if read-ahead is enabled
             * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
             * and it is impossible to fix since SSL_pending cannot report
             * errors that may be observed while scanning the new data.
             * (Note that SSL_pending() is often used as a boolean value,
             * so we'd better not return -1.)
             */
            return(s->method->ssl_pending(s));
            }

...

-- 
Viktor.


Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

2013-10-09 Thread jeremyf
Hi all,

I'm working on adding OpenSSL support to my server program, and generally it's 
working pretty well, but I have come across a problem.

First, some background:  The server is single-threaded and uses non-blocking 
I/O and a select() loop to handle multiple clients simultaneously.  The server 
is linked to libssl.0.9.8.dylib and libcrypto.0.9.8.dylib (i.e. the libraries 
provided in /usr/lib by MacOS/X 10.8.5).  The client-server protocol is a 
proprietary full-duplex messaging protocol; that is, the clients and the server 
are all allowed to send and receive data at any time, and the client-server 
TCP connections remain connected indefinitely (i.e. until the client or server 
decides to disconnect).

The issue is this:  my clients can connect to the server, and sending and 
receiving data works fine (now that I got the SSL_ERROR_WANT_WRITE and 
SSL_ERROR_WANT_READ logic sorted out)… but if the server accept()'s a new 
client connection *while* other clients are in the middle of sending or 
receiving data, the SSL layer seems to break.  In particular, immediately after 
the server runs the setup routine below to set up the newly-accepted socket, 
SSL_read() on one or more of the other (pre-existing) clients' sockets will 
return -1, and ERR_print_errors_fp(stderr) gives this output:

SSL_read() ERROR:  5673:error:140F3042:SSL 
routines:SSL_UNDEFINED_CONST_FUNCTION:called a function you should not 
call:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/ssl_lib.c:2248:

After this error first appears, the server largely stops working.  Data 
movement stops, and if I try to connect another client I often get this error:

SSL_read() ERROR: 5673:error:140760FC:SSL 
routines:SSL23_GET_CLIENT_HELLO:unknown 
protocol:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s23_srvr.c:578: 

This happens about 25% of the time in my test scenario.  If I make sure that my 
pre-existing client connections are idle (no data being sent or received) at 
the moment when the new client connects, it never happens.  Does anyone know 
what might be going wrong here?  Have I found an OpenSSL bug, or is there some 
detail that I'm overlooking?  Some relevant code from my program is pasted 
below, in case it's helpful.

Thanks,
Jeremy

---

// Socket setup routine, called when the server accepts a new TCP socket
int SSLSession :: SetupSSL(int sockfd)
{
   _ctx = SSL_CTX_new(SSLv23_method());
   if (_ctx)
   {
      SSL_CTX_set_mode(_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

      _ssl = SSL_new(_ctx);
      if (_ssl)
      {
         _sbio = BIO_new_socket(sockfd, BIO_NOCLOSE);
         if (_sbio)
         {
            SSL_set_bio(_ssl, _sbio, _sbio);
            SSL_set_accept_state(_ssl);

            BIO_set_nbio(_sbio, !blocking);
            ERR_print_errors_fp(stderr);

            return RESULT_SUCCESS;
         }
         else fprintf(stderr, "SSLSession:  BIO_new_socket() failed!\n");
      }
      else fprintf(stderr, "SSLSession:  SSL_new() failed!\n");
   }
   else fprintf(stderr, "SSLSession:  SSL_CTX_new() failed!\n");

   return RESULT_FAILURE;
}

// Socket read routine -- returns number of bytes read from SSL-land
int32 SSLSession :: Read(void *buffer, uint32 size)
{
   if (_ssl == NULL) return -1;

   int32 bytes = SSL_read(_ssl, buffer, size);
   if (bytes > 0)
   {
      _sslState &= ~(SSL_STATE_READ_WANTS_READABLE_SOCKET | SSL_STATE_READ_WANTS_WRITEABLE_SOCKET);
   }
   else if (bytes == 0) return -1;  // connection was terminated
   else
   {
      int err = SSL_get_error(_ssl, bytes);
      if (err == SSL_ERROR_WANT_WRITE)
      {
         // We have to wait until our socket is writeable, and then repeat our SSL_read() call.
         _sslState &= ~SSL_STATE_READ_WANTS_READABLE_SOCKET;
         _sslState |=  SSL_STATE_READ_WANTS_WRITEABLE_SOCKET;
         bytes = 0;
      }
      else if (err == SSL_ERROR_WANT_READ)
      {
         // We have to wait until our socket is readable, and then repeat our SSL_read() call.
         _sslState |=  SSL_STATE_READ_WANTS_READABLE_SOCKET;
         _sslState &= ~SSL_STATE_READ_WANTS_WRITEABLE_SOCKET;
         bytes = 0;
      }
      else
      {
         fprintf(stderr, "SSL_read() ERROR:  ");
         ERR_print_errors_fp(stderr);
      }
   }
   return bytes;
}

// Socket write routine -- returns number of bytes written to SSL-land
int32 SSLSession :: Write(const void *buffer, uint32 size)
{
   if (_ssl == NULL) return -1;

   int32 bytes = SSL_write(_ssl, buffer, size);
   if (bytes > 0)
   {
      _sslState &= ~(SSL_STATE_WRITE_WANTS_READABLE_SOCKET | SSL_STATE_WRITE_WANTS_WRITEABLE_SOCKET);
   }
   else if (bytes == 0) return -1;  // connection was terminated
   else
   {
      int err = SSL_get_error(_ssl, bytes);
      if (err == SSL_ERROR_WANT_READ)
      {
         // We have to wait until our socket is readable, and then repeat our SSL_write() call.
         _sslState |=  SSL_STATE_WRITE_WANTS_READABLE_SOCKET;
 _sslState = 

Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

2013-10-09 Thread Jeremy Friesner
Hi Viktor,

On Oct 9, 2013, at 9:16 PM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:

> On Wed, Oct 09, 2013 at 07:54:34PM -0700, Jeremy Friesner wrote:
>
>> If you're interested in trying to reproduce the fault yourself,
>> let me know and I can upload the code I'm testing with.
>
> Are you using SSL_pending(), BIO_pending() or anything similar
> anywhere in your code?

Yes, I call SSL_pending() to see if there is data available for me to read 
(since select()-ing for ready-to-read on the socket isn't quite sufficient).

> With SSL sessions created via SSLv23_method(), use of this primitive
> will lead to the failure in question when invoked before the SSL
> session has switched to SSLv3, TLSv1, …

Aha!  Yes, that appears to be my problem.  As a simple workaround, I changed my 
code to call SSLv3_method() instead, and now everything is working perfectly.  
Thanks so much for your help!  :^)

Jeremy



Re: [winlinke...@gmail.com: update openssl error]

2013-08-12 Thread Jakob Bohm

On 07-08-2013 17:57, Lutz Jaenicke wrote:

> Forwarded to openssl-users for discussion.
>
> - Forwarded message from gate Bill winlinke...@gmail.com -
>
> Date: Tue, 6 Aug 2013 17:22:54 +0800
> From: gate Bill winlinke...@gmail.com
> To: openssl-b...@openssl.org
> Subject: update openssl error
>
> hello
> my linux env:
>  centos 6.4 x64
>  gcc 4.8.1
>  2.6.32-358.6.2.el6.x86_64
>  compile step:
>   wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
>   tar zxf openssl-1.0.1e.tar.gz
>   cd openssl-1.0.1e && ./config zlib shared threads --prefix=/usr
> --openssldir=/etc/pki/tls && make && make test && make install && ldconfig
>  cd ../ && echo 'OK!'
>    the command openssl version -a display is right
> but when i exec this /etc/init.d/ssh restart,display this error:
>  OpenSSL version mismatch. Built against

(And there you clipped out the final part of the message).

The problem is that you have overwritten the OpenSSL shared libraries in
/usr/lib with the one you just compiled, thus breaking all programs linked
against the OpenSSL libraries that came with your distribution.

So you need to reinstall the original CentOS 6.4 OpenSSL packages, then
compile your own copy of OpenSSL in a location other than /usr, perhaps
/usr/local/

> so i think maybe need to upgrade the openssh,so i do like this
> echo Updateting Openssh
> yum -y install libedit libedit-devel libbsd libbsd-devel  pam  pam-devel
> krb5-devel audit-libs audit-libs-devel
> cd openssh-6.2p2 && ./configure --sysconfdir=/etc/ssh --prefix=/usr
> --with-cflags --with-cppflags --with-ldflags --with-libs --with-Werror
> --with-solaris-contracts --with-solaris-projects --with-osfsia
> --with-zlib=/usr --with-tcp-wrappers=/usr --with-libedit=/usr
> --with-audit=linux --with-ssl-dir=/etc/pki/tls --with-ssl-engine --with-pam
> --with-selinux --with-kerberos5=/usr --with-md5-passwords --with-bsd-auth
> --with-ipaddr-display --with-4in6
>
> but the still the same problem,so,what should i do?
> i'm waiting your answer???thank u
>
> - End forwarded message -



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[winlinke...@gmail.com: update openssl error]

2013-08-08 Thread Lutz Jaenicke
Forwarded to openssl-users for discussion.

- Forwarded message from gate Bill winlinke...@gmail.com -

Date: Tue, 6 Aug 2013 17:22:54 +0800
From: gate Bill winlinke...@gmail.com
To: openssl-b...@openssl.org
Subject: update openssl error

hello
   my linux env:
centos 6.4 x64
gcc 4.8.1
2.6.32-358.6.2.el6.x86_64
compile step:
 wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
 tar zxf openssl-1.0.1e.tar.gz
 cd openssl-1.0.1e && ./config zlib shared threads --prefix=/usr
--openssldir=/etc/pki/tls && make && make test && make install && ldconfig
 cd ../ && echo 'OK!'
  the command openssl version -a display is right
   but when i exec this /etc/init.d/ssh restart,display this error:
OpenSSL version mismatch. Built against
so i think maybe need to upgrade the openssh,so i do like this
echo Updateting Openssh
yum -y install libedit libedit-devel libbsd libbsd-devel  pam  pam-devel
krb5-devel audit-libs audit-libs-devel
cd openssh-6.2p2 && ./configure --sysconfdir=/etc/ssh --prefix=/usr
--with-cflags --with-cppflags --with-ldflags --with-libs --with-Werror
--with-solaris-contracts --with-solaris-projects --with-osfsia
--with-zlib=/usr --with-tcp-wrappers=/usr --with-libedit=/usr
--with-audit=linux --with-ssl-dir=/etc/pki/tls --with-ssl-engine --with-pam
--with-selinux --with-kerberos5=/usr --with-md5-passwords --with-bsd-auth
--with-ipaddr-display --with-4in6

but the still the same problem,so,what should i do?
i'm waiting your answer???thank u

- End forwarded message -


cross compiled openssl error on the target

2013-07-24 Thread Indtiny s
Hi,

I have added AES_CCM cipher suite support to the openssl and tested with
curl client with Nginx web server.
It works well when I tested on the PC, then I cross compiled openssl and
curl for ARM and tried to run curl client application from the target, but
I get the below error.

**Peer certificate cannot be authenticated with given CA certificates**
..
I am using the same certificates which I used on the PC.

Now my set-up is:
Running web server (nginx included with openssl on ubuntu pc) and curl (https
with openssl) on my arm target board.

I need some help to figure out the exact problem.

Rgds
Indra


openssl error

2011-05-10 Thread Pushkar Pathak
Hi,

I am using openssl on win xp 32. When I try to sign a request, openssl
throws an error to the effect


c:\openssl ca -config openssl.cfg -policy policy_anything -out test.crt
-key p  -batch -infiles test.csr
Using configuration from openssl.cfg
0 entries loaded from the database
generating index
default is an unsupported message digest type
5748:error:0E06D06C:configuration file routines:NCONF_get_string:no
value:conf_lib.c:329:group= name=unique_subject

I copied the openssl.cfg from the openssl installation directory and
modified just one line - path of the ca which originally was ./demoCA to
.


Openssl version
OpenSSL 0.9.8e 23 Feb 2007


thanks.


RE: openssl error: 0.9.8e ca config

2011-05-10 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Pushkar Pathak
> Sent: Tuesday, 10 May, 2011 13:57
>
> I am using openssl on win xp 32. When I try to sign a request,
> openssl throws an error to the effect
>
> c:\openssl ca -config openssl.cfg -policy policy_anything
> -out test.crt -key p  -batch -infiles test.csr
> Using configuration from openssl.cfg
> 0 entries loaded from the database
> generating index
> default is an unsupported message digest type
> 5748:error:0E06D06C:configuration file routines:NCONF_get_string:
> no value:conf_lib.c:329:group= name=unique_subject
>
> I copied the openssl.cfg from the openssl installation directory
> and modified just one line - path of the ca which originally was
> ./demoCA to .

Aside: Putting data files like these in c:\ is usually a poor idea.
Howsomever, that's not an openssl problem as such.

How and from where was the installation on your machine done? 
It kinda looks like the ShiningLight packaging (see below);
if not, did you build from source, or who did?
Configure, and how? Customize the config? 

0.9.8e distro apps/openssl.cnf has default_md=sha1 which is valid 
(so do all other 0.9.8* I have on hand to check, which is most).
It also has unique_subject commented out, but that should be okay 
because the code has a default, and tries to clear the error info, 
which seems nevertheless to be left over when the later 
unsupported digest goes to err: and does ERR_print_errors(), 
thus giving you a confusing error display.

ShiningLight (at least?) renames this to openssl.cfg, presumably 
because .cnf is treated specially and unhelpfully by Explorer, 
but does not apparently make any other changes in the 

1.0.0 distros add code to handle 'default' and change openssl.cnf 
to use it. Did you maybe install 1.0.0* and then regress to 0.9.8*? 
Install 1.0.0* on some machine(s) and not other(s)? Sometime in the past 
get a copy of openssl.cnf|cfg from some other source, like a website?

> Openssl version
> OpenSSL 0.9.8e 23 Feb 2007

StdCaveat: 0.9.8e is way old, and there have been several security fixes 
since then. SL is currently up to date with 0.9.8r (and 1.0.0d).





[FWD] OpenSSL error message

2011-01-13 Thread Lutz Jaenicke
Forwarded to openssl-users for discussion.

Best regards,
Lutz

- Forwarded message from Diogo Monteiro diogo.monte...@arquiconsult.com 
-

From: Diogo Monteiro diogo.monte...@arquiconsult.com
To: r...@openssl.org r...@openssl.org
Date: Wed, 12 Jan 2011 10:21:39 -0800
Subject: OpenSSL error message

Hi all,

[cid:image001.png@01CBB285.8E61A6F0]

I received this error after the installation of OpenSSL:

OpenSSL information:

· Win32 OpenSSL v1.0.0c

OS information:

· Microsoft Windows Server 2003 R2 Standard Edition Service Pack 2, 32 bits.

Diogo Monteiro
diogo.monte...@arquiconsult.com
TLM +351 96 433 0767

- End forwarded message -
--
Lutz Jaenicke   jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/


RE: OpenSSL Error Handling

2010-05-29 Thread David Schwartz

Pankaj Aggarwal wrote:

> I am able to think about the following approaches :
>
> 1. Keep a record a threads which are spawned.
>
> 2. Expose a function from our library for cleanup when the thread exits
>
> Is there any other way to avoid the memory leak caused by error queues ?

There are several:

3. Only call OpenSSL functions from threads whose lifetimes are managed by
your library. Dispatch requests that require calls into the library to your
handler threads. So the functions called from the outside look like this:
Allocate and fill out a request object, put it on a processing queue,
unblock/signal an event to wake a worker thread, wait for the object to
complete, extract the results.

4. Call ERR_remove_state before any function that put things on the OpenSSL
error stack is permitted to return.

5. Hook the system's thread shutdown logic (in a platform specific way) so
that you can run ERR_remove_state when a thread terminates. On POSIX
platforms, for example, you can create some thread-specific data whose
destructor calls ERR_remove_state.

DS
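
Option 5 above as an added example (not David Schwartz's or OpenSSL's code): a library registers a pthread key whose destructor frees the calling thread's error state when that thread exits, so the library never needs to know thread lifetimes. The err_state struct and all function names are assumptions standing in for OpenSSL's per-thread error queue; with OpenSSL 0.9.8 the destructor body would be a call to ERR_remove_state(0).

```c
#include <pthread.h>
#include <stdlib.h>

/* Stand-in for the per-thread error queue (assumption, not an OpenSSL type). */
struct err_state { int queued; };

static pthread_key_t   g_key;
static pthread_once_t  g_once = PTHREAD_ONCE_INIT;
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;
static int g_live;      /* error states currently allocated */
static int g_created;   /* error states ever allocated */

static void count(int live_delta, int created_delta)
{
    pthread_mutex_lock(&g_lock);
    g_live += live_delta;
    g_created += created_delta;
    pthread_mutex_unlock(&g_lock);
}

/* Runs in the exiting thread, but only if its key value is non-NULL.
 * A real library would call ERR_remove_state(0) here. */
static void err_state_destructor(void *p)
{
    free(p);
    count(-1, 0);
}

static void make_key(void)
{
    if (pthread_key_create(&g_key, err_state_destructor) != 0)
        abort();
}

/* Lazily create this thread's state and attach it to the key, which is
 * what arms the destructor for this particular thread. */
static struct err_state *get_err_state(void)
{
    struct err_state *st;

    pthread_once(&g_once, make_key);
    st = pthread_getspecific(g_key);
    if (st == NULL) {
        st = calloc(1, sizeof *st);
        if (st == NULL)
            return NULL;
        if (pthread_setspecific(g_key, st) != 0) {
            free(st);
            return NULL;
        }
        count(+1, +1);
    }
    return st;
}

/* Library entry point, callable from threads the library does not own. */
int lib_do_work(int fail)
{
    struct err_state *st = get_err_state();

    if (st == NULL)
        return -1;
    if (fail) {
        st->queued++;            /* an error was pushed on this thread's queue */
        return -1;
    }
    return 0;
}

static void *caller_thread(void *arg)
{
    (void)arg;
    lib_do_work(1);
    lib_do_work(0);
    return NULL;                 /* thread exit triggers the destructor */
}

/* Spawns n short-lived caller threads; returns states still allocated after join. */
int run_caller_threads(int n)
{
    pthread_t tid[16];
    int started = 0, i, live;

    if (n > 16) n = 16;
    for (i = 0; i < n; i++)
        if (pthread_create(&tid[started], NULL, caller_thread, NULL) == 0)
            started++;
    for (i = 0; i < started; i++)
        pthread_join(tid[i], NULL);

    pthread_mutex_lock(&g_lock);
    live = g_live;
    pthread_mutex_unlock(&g_lock);
    return live;
}

int states_created(void)
{
    int n;
    pthread_mutex_lock(&g_lock);
    n = g_created;
    pthread_mutex_unlock(&g_lock);
    return n;
}
```

The destructor does not run for the main thread when the process simply returns from main(), only for threads that exit or call pthread_exit().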



Re: OpenSSL Error Handling

2010-05-29 Thread Pankaj Aggarwal
Thanks David,

#4 seems to be the simplest solution to me.
While trying #4, I get an exception on the Windows platform. Usually the exception
occurs in ERR_clear_error while allocating memory.
I call ERR_remove_state() at the end of library functions. With a single thread it
works fine. But as soon as I increase the no. of threads, I start to get
exceptions.  Is there any kind of locking requirement that is expected?

Pankaj

On Sun, May 30, 2010 at 5:28 AM, David Schwartz dav...@webmaster.com wrote:

> Pankaj Aggarwal wrote:
>
>> I am able to think about the following approaches :
>>
>> 1. Keep a record a threads which are spawned.
>>
>> 2. Expose a function from our library for cleanup when the thread exits
>>
>> Is there any other way to avoid the memory leak caused by error queues ?
>
> There are several:
>
> 3. Only call OpenSSL functions from threads whose lifetimes are managed by
> your library. Dispatch requests that require calls into the library to your
> handler threads. So the functions called from the outside look like this:
> Allocate and fill out a request object, put it on a processing queue,
> unblock/signal an event to wake a worker thread wait for the object to
> complete, extract the results.
>
> 4. Call ERR_remove_state before any function that put things on the OpenSSL
> error stack is permitted to return.
>
> 5. Hook the system's thread shutdown logic (in a platform specific way) so
> that you can run ERR_remove_state when a thread terminates. On POSIX
> platforms, for example, you can create some thread-specific data whose
> destructor calls ERR_remove_state.
>
> DS



OpenSSL Error Handling

2010-05-26 Thread Pankaj Aggarwal
Hi,

Our library uses OpenSSL(v  0.9.8k) in multithreaded environment. Recently I
observed memory leak resulting from not calling ERR_remove_state().
After reading the documentation of this function, I see that
ERR_remove_state should be called when a thread exits. Since we are using
OpenSSL within a library, we can't determine when a thread is going to exit.


I am able to think about the following approaches :

1. Keep a record of threads which are spawned. When the library is unloaded,
call ERR_remove_state() for every thread. This approach has the drawback of
taking too much memory for error queues of openssl, since the library may
not ever get unloaded.

2. Expose a function from our library for cleanup when the thread exits.
This approach has the drawback of changing the API. In certain scenarios it
may be hard to find out when a thread exits.

Is there any other way to avoid the memory leak caused by error queues ?

Pankaj


[FWD] OPENSSL error

2010-01-18 Thread Lutz Jaenicke
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from rejoy vm rejo...@gmail.com -

Date: Mon, 18 Jan 2010 19:15:28 +0530
Subject: OPENSSL error
From: rejoy vm rejo...@gmail.com
To: openssl-b...@openssl.org

Sir when i type make command in openssl  I am getting the following messages
in the last few lines before termination.

Could you please tell me how to sort these things out.

bn-586.s:(.text+0x6b0): multiple definition of `bn_sub_words'
../libcrypto.a(bn_asm.o):bn_asm.c:(.text+0x5ca): first defined here
collect2: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory
`/home/rejoy/Desktop/intel/lat/openssl-0.9.8g/test'
make[1]: *** [bntest] Error 2
make[1]: Leaving directory
`/home/rejoy/Desktop/intel/lat/openssl-0.9.8g/test'
make: *** [tests] Error 2



by

REJOY

- End forwarded message -
--
Lutz Jaenicke   jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/


trying to compile libssh2 and get openssl error

2009-02-25 Thread clump

I'm following instructions in this pdf:

curl.haxx.se/libcurl/c/Using-libcurl-with-SSH-support-in-Visual-Studio-2008.pdf

In compiling libssh2 per the instructions, I get this error in VSC++2008:

Cannot open include file: 'openssl/opensslconf.h': No such file or directory

In fact I get that same error repeated 16 times.  But, the file is sitting
there in the very place it's searching for it. The include path is correct. 
Has anyone been around this block?
-- 
View this message in context: 
http://www.nabble.com/trying-to-compile-libssh2-and-get-openssl-error-tp22197487p22197487.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



Openssl Error Code Translation

2009-01-29 Thread tanu dutt
Hi,

Can anybody tell how can I translate Openssl Error code to error description.
I am calling ERR_peak_last_error(). The error code that I am receiving is 
b901.
Is this a valid error code. How can I verify it.

Thanks
Tanu



  

RE: Openssl Error Code Translation

2009-01-29 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of tanu dutt
> Sent: Thursday, 29 January, 2009 08:31
>
> Can anybody tell how can I translate Openssl Error code to error description.
> I am calling ERR_peak_last_error(). The error code that I am receiving is b901.
> Is this a valid error code. How can I verify it.

I assume that's a typo and you mean 'peek'.

That value is in the ERR_LIB_USER range, so it's up to your application.
If it has (set-up and) done the appropriate ERR_load_strings,
then ERR_error_string and friends should expand/explain it for you.
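
The library/function/reason split that the reply above relies on, as an added example (not code from the thread or from OpenSSL): it pulls the packed code out of an `error:XXXXXXXX:...` log line and decodes it with the bit layout used by OpenSSL 0.9.8 through 1.1.1. The helper names and the last sample line are constructed for illustration; a real program would call `ERR_GET_LIB`, `ERR_GET_REASON` and `ERR_error_string` instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: pre-3.0 packing, bits 31..24 library, 23..12 function,
 * 11..0 reason (what ERR_PACK / ERR_GET_LIB / ERR_GET_REASON compute). */
#define LIB_USER 128   /* value of ERR_LIB_USER: first application-owned number */

struct err_fields { int lib, func, reason; };

/* Hypothetical helper mirroring ERR_PACK. */
unsigned long err_pack(int lib, int func, int reason)
{
    return (((unsigned long)lib & 0xffUL) << 24) |
           (((unsigned long)func & 0xfffUL) << 12) |
           ((unsigned long)reason & 0xfffUL);
}

/* Hypothetical helper mirroring ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON. */
struct err_fields err_unpack(unsigned long code)
{
    struct err_fields f;
    f.lib    = (int)((code >> 24) & 0xffUL);
    f.func   = (int)((code >> 12) & 0xfffUL);
    f.reason = (int)(code & 0xfffUL);
    return f;
}

/* Short labels for a few library numbers; anything >= LIB_USER belongs to
 * the application, which must register its own strings. */
const char *err_lib_name(int lib)
{
    static const struct { int num; const char *name; } libs[] = {
        { 2, "system" }, { 4, "RSA" }, { 6, "EVP" }, { 9, "PEM" },
        { 11, "X509" }, { 20, "SSL" }, { 45, "FIPS" },
    };
    size_t i;
    if (lib >= LIB_USER)
        return "application-defined";
    for (i = 0; i < sizeof(libs) / sizeof(libs[0]); i++)
        if (libs[i].num == lib)
            return libs[i].name;
    return "other OpenSSL library";
}

/* Find "error:" in a log line and read the hex code after it.
 * Returns 1 and stores the code on success, 0 if the field is missing,
 * not hex, longer than 32 bits, or not terminated by ':'. */
int parse_error_line(const char *line, unsigned long *code)
{
    const char *p = strstr(line, "error:");
    size_t n;
    if (p == NULL)
        return 0;
    p += strlen("error:");
    n = strspn(p, "0123456789abcdefABCDEF");
    if (n == 0 || n > 8 || p[n] != ':')
        return 0;
    *code = strtoul(p, NULL, 16);
    return 1;
}

int main(void)
{
    /* First two lines are error strings quoted in this archive; the last
     * two are constructed samples. */
    const char *lines[] = {
        "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
        "error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac",
        "error:80001064:lib(128):func(1):reason(100)",
        "error:zz:not a hex field",
    };
    size_t i;
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        unsigned long code;
        if (!parse_error_line(lines[i], &code)) {
            printf("no error code in: %s\n", lines[i]);
            continue;
        }
        struct err_fields f = err_unpack(code);
        printf("%08lX lib=%d (%s) func=%d reason=%d\n",
               code, f.lib, err_lib_name(f.lib), f.func, f.reason);
    }
    return 0;
}
```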





Re: openssl error while retreaving key from smartcard from wpa_supplicant?

2008-08-28 Thread Sergio

Hi,

first, until 0.6.4 devel version of wpa_supplicant, it requires a copy 
of client cert sitting on hard disk. 0.6.4 has cert_id field.
at this moment i have got exactly the same error. Using wpa_supplicant 
under linux client works. With openssl engine, i only need to indicate 
key_id, cert_id and pin, and then authentication is performed.
Using wpa_supplicant under windows, the things are different. Really 
only two fields into wpa_supplicant.conf change, that is:


pkcs11_engine_path=C:\Archivos de programa\Smart card 
bundle\engine_pkcs11.dll
pkcs11_module_path=C:\Archivos de programa\Smart card 
bundle\UsrPkcs11.dll, a module provided for a spanish authority, who 
provides my smartcard. With this module i can do some operations like 
list objects and so on. Under linux, was enough to put opensc-pkcs11.so 
because opensc has specific drivers to my smartcard, but not under 
windows, because of this, i put the dll directly.


I have got two errors:

1.- pin - hexdump_ascii(len=6): [REMOVED] during the parse of 
configuration file


2.- TLS: Failed to load private key
EAPOL: EAP parameter needed
CTRL-REQ-PIN-0:PIN needed for SSID kely
EAP-TLS: Failed to initialize SSL.
EAP-TLS: Requesting Smartcard PIN
EAPOL: EAP parameter needed
CTRL-REQ-PIN-0:PIN needed for SSID kely
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
EAP: Pending PIN/passphrase request - skip Nak

but really i think here is not the correct place to ask for this


Need help on OpenSSL error

2008-06-03 Thread Phakin Chirachinda
Dear Sir/Madam,

I'm currently using Crypt::OpenSSL::RSA module with perl linking with OpenSSL 
0.9.8h to encrypt/decrypt message and transport over HTTP POST request to Java 
application on the other side.  When Encrypting with the given public key, Java 
application can receive the data perfectly.  But when Java side encrypt message 
with private key (which is the pair for our public key), and reply back, we 
found the following error while trying to decrypt message:

RSA.xs:202: OpenSSL error: block type is not 01 at ...

Please kindly suggest how we could get around this issue.

Currently, we use PKCS1 padding.  Please kindly see below for our perl script 
used.

  $RSA_Decrypt = Crypt::OpenSSL::RSA->new_public_key( $PublicKey );
  $RSA_Decrypt->use_pkcs1_padding();
  my $TmpText = decode_base64( $CipherText );

  my $PlainText = $RSA_Decrypt->public_decrypt( $TmpText );
  #-- Error on the line above

Thank you and Best Regards,
Phakin Ch.


  


Re: Need help on OpenSSL error

2008-06-03 Thread Marek . Marcola
Hello,

[EMAIL PROTECTED] wrote on 06/03/2008 04:40:10 AM:

> Dear Sir/Madam,
>
> I'm currently using Crypt::OpenSSL::RSA module with perl linking with OpenSSL 0.9.8h to
> encrypt/decrypt message and transport over HTTP POST request to Java application on the
> other side.  When Encrypting with the given public key, Java application can receive the
> data perfectly.  But when Java side encrypt message with private key (which is the pair
> for our public key), and reply back, we found the following error while trying to decrypt message:
>
> RSA.xs:202: OpenSSL error: block type is not 01 at ...
>
> Please kindly suggest how we could get around this issue.
>
> Currently, we use PKCS1 padding.  Please kindly see below for our perl script used.
>
>   $RSA_Decrypt = Crypt::OpenSSL::RSA->new_public_key( $PublicKey );
>   $RSA_Decrypt->use_pkcs1_padding();
>   my $TmpText = decode_base64( $CipherText );
>
>   my $PlainText = $RSA_Decrypt->public_decrypt( $TmpText );
>   #-- Error on the line above

Double check that public key used to decrypt java message is really pair
to private key on encryption side.

You may use NO PADDING and look at decrypted data to check that this data
looks reasonable or not.

You should consider also that data encrypted with private key may be decrypted
by anyone with public key (if public key is really public).

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
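
The check suggested in the reply above (decrypt with no padding and look at the result), as an added example that is not part of the original thread: a classifier for the raw block against the PKCS#1 v1.5 layout `00 || BT || PS || 00 || data`, where block type 01 is what a public-key decrypt with PKCS1 padding expects. Function names and sample blocks are constructed, and the block is assumed to be the full modulus-length output including the leading zero byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum em_kind {
    EM_MALFORMED = 0,        /* not a PKCS#1 v1.5 block: wrong key, wrong operation, or corrupt data */
    EM_TYPE1_PRIVATE_OP = 1, /* 00 01 FF..FF 00 data: padded for a private-key operation */
    EM_TYPE2_ENCRYPTION = 2  /* 00 02 nonzero.. 00 data: padded for public-key encryption */
};

/* Classify a raw k-byte block. On success *payload_off (if non-NULL) is the
 * index of the first data byte. Diagnostic use on public-key output only;
 * this is not a constant-time unpadding routine. */
enum em_kind classify_pkcs1_block(const unsigned char *em, size_t k,
                                  size_t *payload_off)
{
    size_t i;

    /* 3 framing bytes plus at least 8 bytes of padding string. */
    if (em == NULL || k < 11 || em[0] != 0x00)
        return EM_MALFORMED;
    if (em[1] != 0x01 && em[1] != 0x02)
        return EM_MALFORMED;

    for (i = 2; i < k; i++) {
        if (em[i] == 0x00)
            break;                      /* separator found */
        if (em[1] == 0x01 && em[i] != 0xFF)
            return EM_MALFORMED;        /* type 1 padding must be all FF */
    }
    if (i == k || i - 2 < 8)
        return EM_MALFORMED;            /* no separator, or padding too short */

    if (payload_off != NULL)
        *payload_off = i + 1;
    return em[1] == 0x01 ? EM_TYPE1_PRIVATE_OP : EM_TYPE2_ENCRYPTION;
}

/* Build a constructed sample block of length k; returns the payload offset,
 * or 0 if the data does not fit. Type 2 filler is a fixed nonzero byte here
 * (real encryption padding is random nonzero bytes). */
size_t build_block(unsigned char *em, size_t k, unsigned char bt,
                   const unsigned char *d, size_t dlen)
{
    size_t ps_len;
    if (k < dlen + 11)
        return 0;
    ps_len = k - 3 - dlen;
    em[0] = 0x00;
    em[1] = bt;
    memset(em + 2, bt == 0x01 ? 0xFF : 0xA5, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, d, dlen);
    return 3 + ps_len;
}

int main(void)
{
    static const char *names[] = { "malformed", "block type 01", "block type 02" };
    unsigned char em[32];
    size_t off = 0;

    build_block(em, sizeof em, 0x01, (const unsigned char *)"hello", 5);
    printf("%s\n", names[classify_pkcs1_block(em, sizeof em, &off)]);

    build_block(em, sizeof em, 0x02, (const unsigned char *)"hello", 5);
    printf("%s\n", names[classify_pkcs1_block(em, sizeof em, &off)]);

    em[0] = 0x3C;  /* what output under a mismatched key typically looks like */
    printf("%s\n", names[classify_pkcs1_block(em, sizeof em, &off)]);
    return 0;
}
```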



[SOLVED] Re: Strange OpenSSL error when trying to use OpenVPN

2008-03-26 Thread Richard Hartmann
My certificate uses a SHA256 hash and the client has OpenSSL 0.9.7.
0.9.8 is needed to support SHA256 hashes.


Strange OpenSSL error when trying to use OpenVPN

2008-03-25 Thread Richard Hartmann
Hi all,

I have my own CA tree, with the relevant part being:

 root CA {1}
 \- VPN CA {2}
    \- server CA {3}
       |- server certificate {4}
       \- client certificate {5}

I put 1 & 2 into /etc/ssl/certs/ of the server and 3 into
/etc/openvpn/default/default-ca.pem . The server does, of course, use
its server certificate & privkey.

The client has a single CA file with 1, 2 & 3's certificates
concatenated. It also has its own client certificate & privkey.

Verifying the trust chain with openssl verify -verbose -CAfile foo works
for all five certificates with foo holding 1, 2 & 3.


Yet, when I want to connect to the server, OpenVPN dies with:

Tue Mar 25 15:04:53 2008 us=886000 Incoming Ciphertext - TLS
Tue Mar 25 15:04:53 2008 us=886000 VERIFY OK: depth=3, /CN=root_CA
Tue Mar 25 15:04:53 2008 us=886000 VERIFY ERROR: depth=2,
error=certificate signature failure: /CN=VPN_CA
Tue Mar 25 15:04:53 2008 us=886000 SSL alert (write): fatal: decrypt error
Tue Mar 25 15:04:53 2008 us=886000 TLS_ERROR: BIO read
tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS object - incoming
plaintext read error
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS handshake failed

(The name strings for 1 & 2 being shortened to root_CA & VPN_CA respectively)


man verify tells me:

7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
the signature of the certificate is invalid.

which does not make sense, seeing as the path verifies OK when doing the
same thing manually and even using the very same file for the
verification that the OpenVPN client is using.


So, if anyone has any idea or an educated guess about the cause or hints
to get better debug output, please tell me.


Thanks in advance :)
Richard


openssL error:

2008-03-10 Thread Arp22

hi i am getting the following error when i run the command: 

gcc -o client client.o -lcrypto -lssl 

In function 'main': undefined reference to 'init_OpenSSL' undefined
reference to 'handle_error' --- what shud i do? please help!


Re: openssL error:

2008-03-10 Thread jimmy bahuleyan

Arp22 wrote:
> hi i am getting the following error when i run the command:
>
> gcc -o client client.o -lcrypto -lssl
>
> In function 'main': undefined reference to 'init_OpenSSL' undefined
> reference to 'handle_error' --- what shud i do? please help!


I hope the fact that these are not Openssl functions should clear things 
up for you.


So, basically find the code for those two missing functions and add it 
to your build. (Or you could remove references to the two functions; 
your action should depend on your code)


-jb
--
I used to think I was indecisive, but now I'm not so sure.


OpenSSL error:

2008-03-03 Thread Arp222

hi 
i am getting the following error when i run the command:

gcc -o client client.o -lcrypto -lssl

In function 'main':
undefined reference to 'init_OpenSSL'
undefined reference to 'handle_error'

--- what shud i do?
please help!


Re: OpenSSL Error

2008-02-28 Thread Subhankar Katyayan
What are these errors and any solution for the below mentioned error. I am 
using Win32OpenSSL-0_9_8g.exe.

libeay32MDd.lib(b_print.obj) : error LNK2001: unresolved external symbol 
__ftol2
libeay32MDd.lib(b_print.obj) : error LNK2001: unresolved external symbol 
__aulldvrm


Subhankar Kumar Katyayan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

Experience certainty.   IT Services
Business Solutions
Outsourcing





OpenSSL Error

2008-02-27 Thread Subhankar Katyayan
I have downloaded and installed Win32OpenSSL-0_9_8g.exe in C:\OpenSSL 
and I have linked it as follows, and my workspace is C:\dhsmv1\api2

Project -> Settings -> C/C++ (tab) -> Preprocessor (Category:) -> 
Additional include directories -> ../../OpenSSL/include/openssl

Project -> Settings -> C/C++ (tab) -> Preprocessor (Category:) -> 
Preprocessor definitions -> ENABLE_SSL

Project -> Settings -> Link (tab) -> Input (Category:) -> Additional 
library path -> ../../OpenSSL/lib/VC

Project -> Settings -> Link (tab) -> Input (Category:) -> Object/library 
modules ->  libeay32.lib ssleay32.lib libeay32MD.lib libeay32MDd.lib 
libeay32MT.lib libeay32MTd.lib ssleay32MD.lib ssleay32MDd.lib 
ssleay32MT.lib ssleay32MTd.lib

But still I am getting the following error. Please let me know if I am doing 
something wrong in settings or somewhere else.

digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]

Subhankar Kumar Katyayan

OpenSSL Error

2008-02-26 Thread Subhankar Katyayan
Dear All,

I am facing some problem when I tried to compile the application. This 
application was building fine, but after adding a file called 
digestclient.c (to support HTTPs), it's throwing the following error. 
Can anyone give some input on this.

digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol 
[EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]

Subhankar Kumar Katyayan
=-=-=
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you




Re: OpenSSL Error

2008-02-26 Thread Marek . Marcola
Hello,
> I am facing some problem when I tried to compile the application. This application was
> building fine, but after adding a file called digestclient.c (to support HTTPs), it's
> throwing the following error. Can anyone give some input on this.


Add -lcrypto -lssl libraries to linking process.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]



Re: OpenSSL Error

2008-02-26 Thread Subhankar Katyayan
Where will I get these libraries, -lcrypto and -lssl?

I am using Win32OpenSSL-0_9_8g.exe and I wasn't able to find those 
libraries you've mentioned.

Subhankar Kumar Katyayan




Re: OpenSSL Error

2008-02-26 Thread Subhankar Katyayan
To add to my previous mail: the C file which I am trying to compile on 
Windows has a linking issue, but at the same time when I tried to 
build it on Linux it was building fine.

Where will I get these libraries, -lcrypto and -lssl?

I am using Win32OpenSSL-0_9_8g.exe and I wasn't able to find those 
libraries you've mentioned.


Subhankar Kumar Katyayan




openssl error

2007-09-19 Thread richard zhao
Hello, All,
  has anybody experienced the following error:

  error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

  thank you for any help in advance.

  Richard

   

Re: openssl error while retreaving key from smartcard from wpa_supplicant?

2007-07-03 Thread Carles Fernandez i Julia
Nils Larsch wrote:
> Carles Fernandez i Julia wrote:
> ...
>> That's the point : I have the private key certificate stored in the
>> smartcard, not located in a plain file. That's why I commented the line
>> above.
>
> the engine doesn't support using certificates stored on smart cards
> (and I don't even think that this extremely useful).

But this engine, pkcs11-opensc, is designed to do this (using
certificates on smartcards).

> Nils




-- 

..
 __
/ /  Carles Fernàndez
  C E / S / C A  Dept. de Comunicacions
  /_/Centre de Supercomputació de Catalunya

  Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
  T. 93 205 6464 · F.  93 205 6979 · [EMAIL PROTECTED]
.. 



Re: openssl error while retrieving key from smartcard from wpa_supplicant?

2007-07-03 Thread Nils Larsch

Carles Fernandez i Julia wrote:
> Nils Larsch wrote:
>> Carles Fernandez i Julia wrote:
>> ...
>>> That's the point : I have the private key certificate stored in the
>>> smartcard, not located in a plain file. That's why I commented the line
>>> above.
>>
>> the engine doesn't support using certificates stored on smart cards
>> (and I don't even think that this is extremely useful).
>
> But this engine, pkcs11-opensc, is designed to do this (using
> certificates on smartcards).

the engine is designed to use the token for the cryptographic
operation (i.e. signing, decrypting with the private key) and
not as a storage device for public objects (smartcards are terribly
slow so you normally want to reduce the communication with the
card as much as possible).

Nils


Re: openssl error while retrieving key from smartcard from wpa_supplicant?

2007-07-02 Thread Nils Larsch

Carles Fernandez i Julia wrote:
...
> That's the point : I have the private key certificate stored in the
> smartcard, not located in a plain file. That's why I commented the line
> above.

the engine doesn't support using certificates stored on smart cards
(and I don't even think that this is extremely useful).

Nils


Re: openssl error while retrieving key from smartcard from wpa_supplicant?

2007-06-26 Thread Carles Fernandez i Julia
Marek Marcola wrote:
> Hello,
>> I'm currently trying to authenticate using EAP-TLS using smartcard with
>> wpa_supplicant and I get this error:
>>
>> OpenSSL: tls_connection_engine_private_key - Private key failed
>> verification error:140A30B1:SSL routines:SSL_check_private_key:no
>> certificate assigned
>>
>> I got some messages Error: can't open /var/run/openct/status: No such
>> file or directory but I get these messages always when I use my
>> smartcard reader (and it works).
>
> Looks like you have not configured X509 private key certificate.
>
>> plain text document attachment (wpa_supplicant.conf)
>> ctrl_interface=/var/run/wpa_supplicant
>> ctrl_interface_group=0
>> eapol_version=1
>> fast_reauth=1
>> pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
>> pkcs11_module_path=/usr/lib/opensc-pkcs11.so
>>
>> network={
>> ssid=*
>> key_mgmt=WPA-EAP
>> eap=TLS
>> proto=WPA
>> pairwise=TKIP
>> group=TKIP
>> identity=[EMAIL PROTECTED]
>> ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
>> #client_cert=/etc/cert/user.pem
>
> I'm not sure but this may be the place to configure certificate.
> You should have your private key certificate. This certificate may be
> located in plain file. To check that your certificate certifies proper
> private key you may do something like that (test example):

That's the point : I have the private key certificate stored in the
smartcard, not located in a plain file. That's why I commented the line
above.

> $ openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
> engine chil set.
> Modulus=D14731D19EF32A3D458EE61B219A0E019...
> $ openssl x509 -in rsa-test2-crt.pem -modulus -noout
> Modulus=D14731D19EF32A3D458EE61B219A0E019
>
> and you should get the same numbers.

I've tried in all ways to try this with the pkcs11 module to use my
smartcard to do the test but I didn't reach. Maybe the structure is
different when not operating with files.

> Best regards,

Thank you for your effort!

-- 

..
 __
/ /  Carles Fernàndez
  C E / S / C A  Dept. de Comunicacions
  /_/Centre de Supercomputació de Catalunya

  Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
  T. 93 205 6464 · F.  93 205 6979 · [EMAIL PROTECTED]
.. 



openssl error while retrieving key from smartcard from wpa_supplicant?

2007-06-25 Thread Carles Fernandez i Julia
Hi
I'm currently trying to authenticate using EAP-TLS using smartcard with
wpa_supplicant and I get this error:

OpenSSL: tls_connection_engine_private_key - Private key failed
verification error:140A30B1:SSL routines:SSL_check_private_key:no
certificate assigned

I got some messages Error: can't open /var/run/openct/status: No such
file or directory but I get these messages always when I use my
smartcard reader (and it works).

I've googled and i got nothing useful. Any idea?

ps: I've ***ed personal data from attached files

thanks,
Carles



ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
fast_reauth=1
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so

network={
ssid=*
key_mgmt=WPA-EAP
eap=TLS
proto=WPA
pairwise=TKIP
group=TKIP
identity=[EMAIL PROTECTED]
ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
#client_cert=/etc/cert/user.pem

#   scan_ssid=1
engine=1

# The engine configured here must be available. Look at
# OpenSSL engine support in the global section.
# The key available through the engine must be the private key
# matching the client certificate configured above.

# use the opensc engine
#engine_id=opensc
#key_id=45

# use the pkcs11 engine
engine_id=pkcs11
key_id=e451d1d1197caf4c74c33d9143986a28c9c34a55

# Optional PIN configuration; this can be left out and PIN will be
# asked through the control interface
pin=
}

[EMAIL PROTECTED]:~$ sudo wpa_supplicant -D wext -i eth1 -c 
/etc/wpa_supplicant/wpa_supplicant.conf -ddd
Initializing interface 'eth1' conf '/etc/wpa_supplicant/wpa_supplicant.conf' 
driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' - 
'/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='0' (DEPRECATED)
eapol_version=1
fast_reauth=1
pkcs11_engine_path='/usr/lib/engines/engine_pkcs11.so'
pkcs11_module_path='/usr/lib/opensc-pkcs11.so'
Line: 17 - start of a new network block
ssid - hexdump_ascii(len=7):
 ** ** ** ** **  *
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
proto: 0x1
pairwise: 0x8
group: 0x8
identity - hexdump_ascii(len=40):
 ** ** ** ** ** *** ** ** ***
ca_cert - hexdump_ascii(len=48):
 2f 65 74 63 2f 77 70 61 5f 73 75 70 70 6c 69 63   /etc/wpa_supplic
 61 6e 74 2f 43 41 5f 43 41 54 43 65 72 74 50 50   ant/CA_CATCertPP
 5f 47 6c 6f 62 61 6c 54 72 75 73 74 2e 63 72 74   _GlobalTrust.crt
engine=1 (0x1)
engine_id - hexdump_ascii(len=6):
 70 6b 63 73 31 31 pkcs11
key_id - hexdump_ascii(len=40):
 65 34 35 31 64 31 64 31 31 39 37 63 61 66 34 63   e451d1d1197caf4c
 37 34 63 33 33 64 39 31 34 33 39 38 36 61 32 38   74c33d9143986a28
 63 39 63 33 34 61 35 35   c9c34a55
pin - hexdump_ascii(len=4): [REMOVED]
Priority group 0
   id=0 ssid='***'
Initializing interface (2) 'eth1'
ENGINE: Loading dynamic engine
ENGINE: Loading pkcs11 Engine from /usr/lib/engines/engine_pkcs11.so
ENGINE: 'SO_PATH' '/usr/lib/engines/engine_pkcs11.so'
ENGINE: 'ID' 'pkcs11'
ENGINE: 'LIST_ADD' '1'
ENGINE: 'LOAD' '(null)'
ENGINE: 'MODULE_PATH' '/usr/lib/opensc-pkcs11.so'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=21 WE(source)=16 enc_capa=0xf
  capabilities: key_mgmt 0xf enc 0xf
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:13:02:61:79:24
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 10 usec
ctrl_interface_group=0
Added interface eth1
RTM_NEWLINK: operstate=0 ifi_flags=0x1002 ()
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
State: DISCONNECTED - SCANNING
Starting AP scan (broadcast SSID)
Trying to get current scan results first without requesting a new scan to speed 
up initial association
Received 1539 bytes of scan results (7 BSSes)
Scan results: 7
Selecting BSS from priority group 0
0: 

Re: openssl error while retrieving key from smartcard from wpa_supplicant?

2007-06-25 Thread Marek Marcola
Hello,
> I'm currently trying to authenticate using EAP-TLS using smartcard with
> wpa_supplicant and I get this error:
>
> OpenSSL: tls_connection_engine_private_key - Private key failed
> verification error:140A30B1:SSL routines:SSL_check_private_key:no
> certificate assigned
>
> I got some messages Error: can't open /var/run/openct/status: No such
> file or directory but I get these messages always when I use my
> smartcard reader (and it works).

Looks like you have not configured X509 private key certificate.

> plain text document attachment (wpa_supplicant.conf)
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> eapol_version=1
> fast_reauth=1
> pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
> pkcs11_module_path=/usr/lib/opensc-pkcs11.so
>
> network={
> ssid=*
> key_mgmt=WPA-EAP
> eap=TLS
> proto=WPA
> pairwise=TKIP
> group=TKIP
> identity=[EMAIL PROTECTED]
> ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
> #client_cert=/etc/cert/user.pem

I'm not sure but this may be the place to configure certificate.
You should have your private key certificate. This certificate may be
located in plain file. To check that your certificate certifies proper
private key you may do something like that (test example):

$ openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
engine chil set.
Modulus=D14731D19EF32A3D458EE61B219A0E019...
$ openssl x509 -in rsa-test2-crt.pem -modulus -noout
Modulus=D14731D19EF32A3D458EE61B219A0E019

and you should get the same numbers.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
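
The modulus comparison described in the message above, as an added example that is not part of the original post: it wraps the two commands in a function and runs it against throwaway file-based RSA keys and self-signed certificates generated on the spot. The function names, file names and subjects are assumptions; for an engine-held key the `openssl rsa` call would take the `-engine` and `-inform engine` options shown in the post.

```shell
#!/bin/sh
# Added example: check that a certificate certifies a given RSA private key
# by comparing the two moduli. All file names below are constructed.

# Print "Modulus=<hex>" for a private key or a certificate (PEM files).
rsa_modulus() {   # $1 = key|cert, $2 = file
    case "$1" in
        key)  openssl rsa  -in "$2" -modulus -noout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -modulus -noout 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Exit status: 0 = same modulus, 1 = different modulus, 2 = could not read one side.
key_matches_cert() {   # $1 = private key file, $2 = certificate file
    km=$(rsa_modulus key "$1") || return 2
    cm=$(rsa_modulus cert "$2") || return 2
    # Refuse to compare empty or unexpected output: two failed reads must
    # never be reported as a match.
    case "$km" in Modulus=?*) ;; *) return 2 ;; esac
    case "$cm" in Modulus=?*) ;; *) return 2 ;; esac
    [ "$km" = "$cm" ]
}

# Generate a throwaway key and a self-signed certificate for it.
make_demo_pair() {   # $1 = directory, $2 = base name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example" \
        -keyout "$1/$2-key.pem" -out "$1/$2-crt.pem" >/dev/null 2>&1
}

# Compare key "a" with its own certificate, then with the certificate of "b".
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pair "$d" a && make_demo_pair "$d" b || { rm -rf "$d"; return 1; }
    if key_matches_cert "$d/a-key.pem" "$d/a-crt.pem"; then r1=match; else r1=mismatch; fi
    if key_matches_cert "$d/a-key.pem" "$d/b-crt.pem"; then r2=match; else r2=mismatch; fi
    rm -rf "$d"
    echo "$r1 $r2"
}

demo
```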



compiling openssl: error with no-ssl2 flag

2007-06-11 Thread Smith, Steven G (Steven)
I posted earlier on a similar topic, and I have since found out that
no-ssl2 will build openssl without support for SSLv2 ciphers.
Unfortunately, I am using RedHat's Source RPM to do the build, and it
seems to be having an error due to the no-ssl2 flag.  You can see the
error below, and trying the else gcc statement below manually from the
command line produces the same error (however, the if gcc statement
does not produce the error).  

I'm not an expert in this area, so I am looking for a little direction.
Did I find a bug, or do I just have some problems in my configuration?
Are there any workarounds for this?

Thanks,
Steve



start of error
if [ linux-shared = hpux-shared -o linux-shared = darwin-shared
] ; then \
  gcc -o openssl -DMONOLITH -I.. -I../include -I/usr/kerberos/include
-fPIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-DKRB5_MIT -DOPENSSL_NO_ASM -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2
-DOPENSSL_NO_RC5 -DOPENSSL_NO_EC -I/usr/kerberos/include
-DOPENSSL_NO_SSL2 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -m32
-march=i386 -mtune=pentium4 -Wa,--noexecstack openssl.o verify.o
asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o
ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o
genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o
s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o
pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o  ../libssl.a
-L/usr/kerberos/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv
../libcrypto.a -L/usr/kerberos/lib -ldl -lz ; \
else \
  gcc -o openssl -DMONOLITH -I.. -I../include -I/usr/kerberos/include
-fPIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-DKRB5_MIT -DOPENSSL_NO_ASM -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2
-DOPENSSL_NO_RC5 -DOPENSSL_NO_EC -I/usr/kerberos/include
-DOPENSSL_NO_SSL2 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -m32
-march=i386 -mtune=pentium4 -Wa,--noexecstack openssl.o verify.o
asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o
ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o
genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o
s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o
pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o  -L.. -lssl
-L/usr/kerberos/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv
-L.. -lcrypto -L/usr/kerberos/lib -ldl -lz ; \
fi
../libssl.so: undefined reference to `SSLv2_method'
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory
`/home/smithsg/src/rpm/BUILD/openssl-0.9.7a/apps'
make: *** [sub_all] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.70164 (%build)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.70164 (%build)
end of error



RE: Openssl Error + Apache

2006-10-09 Thread Siew San Yu
It means that the file that it's attempting to read
does not have the proper format of a .crt. Take a look
at your cert in notepad, does the first line show
something like -----BEGIN CERTIFICATE-----.
If no, then regenerate your cert.

SS
--- [EMAIL PROTECTED] wrote:

> I ran the command below and I did receive an error
> so it looks like something is indeed wrong with the
> SSL Certificate. If anyone has any ideas how what I
> can look at regarding this error I would appreciate
> it. Thanks
>
> 2705:error:0906D06C:PEM routines:PEM_read_bio:no
> start line:pem_lib.c:662:Expecting: TRUSTED
> CERTIFICATE
>
> From: [EMAIL PROTECTED] on behalf of
> Dr. Stephen Henson
> Sent: Sun 10/8/2006 12:01 PM
> To: openssl-users@openssl.org
> Subject: Re: Openssl Error + Apache
>
> On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:
>
>> Hi there ~
>>
>> I have an Apache installation running mod_ssl and
>> would like to setup another VirtualHost that runs
>> under SSL on a different port (e.g. 8443). The
>> default site on port 443 is running fine with SSL.
>> The new certificate I have installed for the second
>> site appears to be incorrect or the version of
>> OpenSSL I have is not up to date. This causes Apache
>> to crash. Can someone look at the error(s) below and
>> please tell me where to start or how to fix it?
>>
>> Errors:
>> [Fri Oct  6 13:37:21 2006] [error] mod_ssl: Init:
>> Unable to read server certificate from file
>> /apache/conf
>>
>> /mycertificatename.crt (OpenSSL library error
>> follows)
>>
>> [Fri Oct  6 13:37:21 2006] [error] OpenSSL:
>> error:0D0680A8:asn1 encoding
>> routines:ASN1_CHECK_TLEN:wrong tag
>>
>> [Fri Oct  6 13:37:21 2006] [error] OpenSSL:
>> error:0D07803A:asn1 encoding
>> routines:ASN1_ITEM_EX_D2I:nested
>>
>> asn1 error
>>
>> Thanks in advance
>
> That indicates it doesn't like the certificate file
> in mycertificatename.crt.
> It may be corrupt or in the wrong format. Try the
> command:
>
> openssl x509 -in mycertificatename.crt
>
> to see if you get the same error.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk



RE: Openssl Error + Apache

2006-10-09 Thread gary.mack
It appears the certificate file was pasted in the file wrong. It was
missing the -----BE of -----BEGIN CERTIFICATE-----.

Thank you for the help everyone.



Gary Mack
Associate Systems Administrator
www.hubbardone.com
Phone:  (312) 873 - 6886
Fax:  (312) 873 - 6801
[EMAIL PROTECTED]

 

Hubbard One is a Thomson Elite Business.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Siew San Yu
Sent: Monday, October 09, 2006 3:28 AM
To: openssl-users@openssl.org
Subject: RE: Openssl Error + Apache

It means that the file that it's attempting to read
does not have the proper format of a .crt. Take a look
at your cert in notepad, does the first line show
something like -----BEGIN CERTIFICATE-----.
If no, then regenerate your cert.

SS
--- [EMAIL PROTECTED] wrote:

> I ran the command below and I did receive an error
> so it looks like something is indeed wrong with the
> SSL Certificate. If anyone has any ideas how what I
> can look at regarding this error I would appreciate
> it. Thanks
>
> 2705:error:0906D06C:PEM routines:PEM_read_bio:no
> start line:pem_lib.c:662:Expecting: TRUSTED
> CERTIFICATE
>
> From: [EMAIL PROTECTED] on behalf of
> Dr. Stephen Henson
> Sent: Sun 10/8/2006 12:01 PM
> To: openssl-users@openssl.org
> Subject: Re: Openssl Error + Apache
>
> On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:
>
>> Hi there ~
>>
>> I have an Apache installation running mod_ssl and
>> would like to setup another VirtualHost that runs
>> under SSL on a different port (e.g. 8443). The
>> default site on port 443 is running fine with SSL.
>> The new certificate I have installed for the second
>> site appears to be incorrect or the version of
>> OpenSSL I have is not up to date. This causes Apache
>> to crash. Can someone look at the error(s) below and
>> please tell me where to start or how to fix it?
>>
>> Errors:
>> [Fri Oct  6 13:37:21 2006] [error] mod_ssl: Init:
>> Unable to read server certificate from file
>> /apache/conf
>>
>> /mycertificatename.crt (OpenSSL library error
>> follows)
>>
>> [Fri Oct  6 13:37:21 2006] [error] OpenSSL:
>> error:0D0680A8:asn1 encoding
>> routines:ASN1_CHECK_TLEN:wrong tag
>>
>> [Fri Oct  6 13:37:21 2006] [error] OpenSSL:
>> error:0D07803A:asn1 encoding
>> routines:ASN1_ITEM_EX_D2I:nested
>>
>> asn1 error
>>
>> Thanks in advance
>
> That indicates it doesn't like the certificate file
> in mycertificatename.crt.
> It may be corrupt or in the wrong format. Try the
> command:
>
> openssl x509 -in mycertificatename.crt
>
> to see if you get the same error.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk



Re: Openssl Error + Apache

2006-10-08 Thread Dr. Stephen Henson
On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:

> Hi there ~
>
> I have an Apache installation running mod_ssl and would like to setup another
> VirtualHost that runs under SSL on a different port (e.g. 8443). The default
> site on port 443 is running fine with SSL. The new certificate I have
> installed for the second site appears to be incorrect or the version of
> OpenSSL I have is not up to date. This causes Apache to crash. Can someone
> look at the error(s) below and please tell me where to start or how to fix
> it?
>
> Errors:
> [Fri Oct  6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server
> certificate from file /apache/conf
>
> /mycertificatename.crt (OpenSSL library error follows)
>
> [Fri Oct  6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
>
> [Fri Oct  6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested
>
> asn1 error
>
> Thanks in advance
  

That indicates it doesn't like the certificate file in mycertificatename.crt.
It may be corrupt or in the wrong format. Try the command:

openssl x509 -in mycertificatename.crt

to see if you get the same error.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
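
The check suggested in the message above, extended into a small triage function, as an added example that is not part of the original message: it reports whether a file is an intact PEM certificate, a binary DER certificate, or a PEM file whose `-----BEGIN CERTIFICATE-----` line has been clipped, which is the damage reported in this thread. The function names, result strings and throwaway files are assumptions.

```shell
#!/bin/sh
# Added example: triage a certificate file that fails to load.
# Prints one of: pem-ok | pem-bad-body | der-ok | pem-damaged-header | unrecognized

classify_cert_file() {   # $1 = certificate file (hypothetical path)
    f=$1
    [ -r "$f" ] || { echo unrecognized; return 0; }

    # An intact PEM start line begins at column 0 with five dashes.
    if grep -Eq -e '^-----BEGIN (TRUSTED |X509 )?CERTIFICATE-----' "$f"; then
        if openssl x509 -in "$f" -inform PEM -noout >/dev/null 2>&1; then
            echo pem-ok
        else
            echo pem-bad-body    # markers present, contents do not decode
        fi
        return 0
    fi

    # No start line: the file may still be a valid certificate in binary DER.
    if openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
        echo der-ok
        return 0
    fi

    # An END line without a BEGIN line: the start line was clipped or mangled,
    # the case that produced "no start line" in this thread.
    if grep -q -e '-----END .*CERTIFICATE-----' "$f"; then
        echo pem-damaged-header
        return 0
    fi
    echo unrecognized
}

# Build four constructed sample files and classify each of them.
demo_classify() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$d/key.pem" -out "$d/good.crt" >/dev/null 2>&1 \
        || { rm -rf "$d"; return 1; }
    openssl x509 -in "$d/good.crt" -outform DER -out "$d/binary.crt"
    sed '1s/^-----BE//' "$d/good.crt" > "$d/pasted.crt"   # first 7 characters lost
    echo "not a certificate" > "$d/other.crt"
    out=""
    for n in good binary pasted other; do
        out="$out$(classify_cert_file "$d/$n.crt") "
    done
    rm -rf "$d"
    echo "${out% }"
}

demo_classify
```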


RE: Openssl Error + Apache

2006-10-08 Thread gary.mack
I ran the command below and I did receive an error so it looks like something 
is indeed wrong with the SSL Certificate. If anyone has any ideas how what I 
can look at regarding this error I would appreciate it. Thanks
 
2705:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE



From: [EMAIL PROTECTED] on behalf of Dr. Stephen Henson
Sent: Sun 10/8/2006 12:01 PM
To: openssl-users@openssl.org
Subject: Re: Openssl Error + Apache



On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:

> Hi there ~
>
> I have an Apache installation running mod_ssl and would like to setup another
> VirtualHost that runs under SSL on a different port (e.g. 8443). The default
> site on port 443 is running fine with SSL. The new certificate I have
> installed for the second site appears to be incorrect or the version of
> OpenSSL I have is not up to date. This causes Apache to crash. Can someone
> look at the error(s) below and please tell me where to start or how to fix it?
>
> Errors:
> [Fri Oct  6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server
> certificate from file /apache/conf
>
> /mycertificatename.crt (OpenSSL library error follows)
>
> [Fri Oct  6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
>
> [Fri Oct  6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested
>
> asn1 error
>
> Thanks in advance
 

That indicates it doesn't like the certificate file in mycertificatename.crt.
It may be corrupt or in the wrong format. Try the command:

openssl x509 -in mycertificatename.crt

to see if you get the same error.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Openssl Error + Apache

2006-10-07 Thread gary.mack
Hi there ~
 
I have an Apache installation running mod_ssl and would like to setup another 
VirtualHost that runs under SSL on a different port (e.g. 8443). The default 
site on port 443 is running fine with SSL. The new certificate I have installed 
for the second site appears to be incorrect or the version of OpenSSL I have is 
not up to date. This causes Apache to crash. Can someone look at the error(s) 
below and please tell me where to start or how to fix it? 
 
Errors:
[Fri Oct  6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server 
certificate from file /apache/conf

/mycertificatename.crt (OpenSSL library error follows)

[Fri Oct  6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding 
routines:ASN1_CHECK_TLEN:wrong tag

[Fri Oct  6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding 
routines:ASN1_ITEM_EX_D2I:nested 

asn1 error

Thanks in advance
 
 
Gary


OpenSSL error : 0D09F007

2005-11-18 Thread rajat.garg



Greetings,

We are using OpenSSL with OpenOSP to set up a CA and getting following error.
Would greatly appreciate if you can throw some pointers :

22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0224 Checking for CA certificate first
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0235 Found CA cert; convert to internal format
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*Failed to convert ASN.1 CA cert
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 )) Unlocking ccm.ldap.access_mutex
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 Unlocked ccm.ldap.access_mutex

The commands used to create certificate are as per attached make_ca.sh file.
The other attached files are decoded certificate, openssl.cnf and openosp.cnf
file that we are using in our setup. Kindly let me know what possibly could
be wrong.

Best Regards,
Rajat



#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME= .
RANDFILE= /usr/openosp/random
#RANDFILE   = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file   = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6


[ ca ]
default_ca      = CA_default            # The default ca section


[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy  = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional


[ req ]
default_bits= 1024
default_keyfile = privkey.pem
distinguished_name  = req_distinguished_name
attributes  = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present

OpenSSL error : 0D09F007

2005-11-18 Thread rajat.garg



Greetings,

We are using OpenSSL with OpenOSP to set up a CA and getting following error
while initializing the OSP server. We would greatly appreciate if you can
throw some pointers :

22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0224 Checking for CA certificate first
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0235 Found CA cert; convert to internal format
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*Failed to convert ASN.1 CA cert
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 )) Unlocking ccm.ldap.access_mutex
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 Unlocked ccm.ldap.access_mutex

The commands used to create certificate are as per attached make_ca.sh file.
The other attached files are decoded certificate, openssl.cnf and openosp.cnf
file that we are using in our setup. Kindly let me know what possibly could
be wrong.

Best Regards,
Rajat





openssl.cnf
Description: openssl.cnf


openosp.cnf
Description: openosp.cnf
# ./openssl x509 -in /usr/openosp/cacert.der -inform der -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=IN, O=Wipro, CN=OSPServer
Validity
Not Before: Nov 15 11:27:44 2005 GMT
Not After : Nov 15 11:27:44 2015 GMT
Subject: C=IN, O=Wipro, CN=OSPServer
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
#!/bin/ksh

# Shell script: make_ca.sh
#
# Purpose:  Make a CA certificate using OpenSSL commands
#
# (C) COPYRIGHT DATA CONNECTION LIMITED 2000
#
# $Revision::   1.2$ $Modtime::   Aug 02 2000 10:05:42   $

SSL_PATH=${SSL_PATH:-/usr/local/ssl}

#
# Create a request
#
$SSL_PATH/bin/openssl req -new -newkey rsa:1024 -config $SSL_PATH/openssl.cnf \
-out careq.pem -keyout cakey.pem -nodes

#
# Create a temporary self-signed cert that we can use as a CA cert
#
$SSL_PATH/bin/openssl x509 -req -in careq.pem -signkey cakey.pem \
-extfile $SSL_PATH/openssl.cnf -extensions v3_ca -out cacert0.pem

#
# Sign the request using the temporary CA cert that we just made.
# This effectively results in another CA cert, but this one has a
# serial number.
#
$SSL_PATH/bin/openssl x509 -req -in careq.pem -CAkey cakey.pem \
-CA cacert0.pem -CAserial serial.txt -CAcreateserial \
-extfile $SSL_PATH/openssl.cnf -extensions v3_ca -days 3652 -outform DER \
-out cacert.der

#
# Delete the files we no longer need.
#
rm careq.pem
rm cacert0.pem


OpenSSL error using xsupplicant

2005-05-13 Thread Mário Lopes
Hello!

I'm using OpenSSL along with xsupplicant in order to authenticate on a
802.1x protected wireless network. This network makes use of eap-ttls
and everything runs fine until I get my first disconnection. After
that, xsupplicant tries to reconnect again, but fails after getting
the following error from OpenSSL (/var/log/xsupplicant.log):

OpenSSL Error -- error:14095044:lib(20):func(149):reason(68)

I don't know, at all, which one is faulty: if xsupplicant is causing
the error or if it is just a problem with openssl. Strangely, a
fellowship of mine is using Ubuntu with the same packages and he
doesn't have this error (so, xsupplicant successfully reconnects).

I'm using SuSE 9.3 and I've updated openssl from 0.9.7e-3 to version
0.97g to see if this would work, but without results, the error keeps
on showing up. I'm using xsupplicant 1.0.1 and the wireless card is an
ipw2200 with the latest drivers available (1.0.3) and firmware too.

My mate has exactly the same configuration: Ubuntu with xsupplicant
1.0.1, ipw2200 with the same drivers/firmware and openssl0.9.7e-3 and
he doesn't get that error. Apart from that, the logs generated on
/var/log/messages and /var/log/xsupplicant are exactly the same as
mine.

I hope you can get me further details in what could be generating that error.

Best Regards,

Mário Lopes
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
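
Added example, not part of the original post: the numeric form error:14095044:lib(20):func(149):reason(68) quoted above is a packed code, and this sketch splits such codes into library, function and reason using the 8/12/12-bit layout of OpenSSL 0.9.x through 1.1.x (OpenSSL 3.0 uses a different layout). It also marks SSL-library reasons of 1000 or more as alerts received from the peer; the function names are this example's own, and the sample lines are copied from messages on this page.

```python
import re
from typing import List, NamedTuple, Optional

# "error:" followed by exactly eight hex digits, as ERR_error_string() prints it.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")

# Library numbers, limited to those whose names appear in messages on this page.
LIB_NAMES = {4: "RSA", 9: "PEM", 13: "ASN1", 20: "SSL", 36: "RAND", 45: "FIPS"}
ERR_LIB_SSL = 20

# In the SSL library, reason = 1000 + alert number means the alert was
# received from the peer, not raised by the local stack.
SSL_AD_REASON_OFFSET = 1000
ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
}


class OpenSSLError(NamedTuple):
    code: str
    lib: int
    func: int
    reason: int
    lib_name: str
    peer_alert: Optional[str]


def decode(code_hex: str) -> OpenSSLError:
    """Split one packed error code: 8-bit lib, 12-bit func, 12-bit reason."""
    value = int(code_hex, 16)
    lib = (value >> 24) & 0xFF
    func = (value >> 12) & 0xFFF
    reason = value & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        alert = ALERTS.get(number, "alert %d" % number)
    return OpenSSLError(code_hex.upper(), lib, func, reason,
                        LIB_NAMES.get(lib, "lib(%d)" % lib), alert)


def scan(text: str) -> List[OpenSSLError]:
    """Decode every well-formed error code in a log excerpt, in order.

    Lines with no usable code, such as "error::lib(0):func(0):reason(0)",
    are skipped rather than guessed at.
    """
    return [decode(m.group(1)) for m in ERR_RE.finditer(text)]


# Sample lines copied from messages on this page (wrapped lines rejoined).
SAMPLE_LOG = """\
OpenSSL Error -- error:14095044:lib(20):func(149):reason(68)
imapd-ssl: couriertls: read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
[error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
* SSL: error::lib(0):func(0):reason(0)
"""

if __name__ == "__main__":
    for err in scan(SAMPLE_LOG):
        origin = "peer alert " + err.peer_alert if err.peer_alert else "local"
        print("%s lib=%s func=%d reason=%d (%s)"
              % (err.code, err.lib_name, err.func, err.reason, origin))
```

The peer-alert flag matters for triage: a reason of 1000 or more says the other end of the connection rejected something, so the place to look is the peer's log rather than the local library.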


OpenSSL error: sslv3 alert bad record mac (fwd)

2004-05-04 Thread Jason A. Pfeil
Hrm...I am curious if anyone on the list has any idea about what might
be going on with this error.  I saw a prior thread that just ended over
a year ago with no resolution or explanation.

Thanks!

-- 
Jason A. Pfeil   jason=at=jasonpfeil.com.NOSPAM

-- Forwarded message --
Date: Thu, 22 Apr 2004 14:47:16 -0400 (EDT)
From: Jason A. Pfeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: OpenSSL error: sslv3 alert bad record mac

Greetings, List!

I am having difficulty with pine connecting from one of my machines to
my SSL IMAP server.  What happens is that when I start pine, it asks for
my password and I give it.  It connects to the server and then tells me
that there was an error and the connection vanishes.  Then I go back to
the folder list, reselect the folder, and voila!  It works just fine.

When the first connection vanishes, I get this error in my logfile:

imapd-ssl: couriertls: read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

I have tracked this down with the courier-imap people and they can't
figure out the issue.  I cannot replicate it with the exact same version
of pine and openssl on another box.  I have rebuilt openssl *and* pine
on the affected box many times.

I am using pine 4.58 and openssl:

% openssl version
OpenSSL 0.9.7d 17 Mar 2004

Pine is linked against it:

% ldd /usr/bin/pine
libldap.so.2 => /usr/lib/libldap.so.2 (0x40036000)
liblber.so.2 => /usr/lib/liblber.so.2 (0x4006d000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40079000)
libncurses.so.5 => /lib/libncurses.so.5 (0x4008b000)
libpam.so.0 => /lib/libpam.so.0 (0x400d)
libdl.so.2 => /lib/libdl.so.2 (0x400d8000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x400dc000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x400ef000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40155000)
libcom_err.so.3 => /usr/lib/libcom_err.so.3 (0x4024f000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40251000)
libc.so.6 => /lib/libc.so.6 (0x40282000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x403b1000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x403c4000)


I am running gentoo linux and it is up to date as of a few days ago.

Any suggestions that anyone here may have will be *extremely* welcome.

Thanks!

--Jason

-- 
Jason A. Pfeil   jason=at=jasonpfeil.com.NOSPAM


OpenSSL error: sslv3 alert bad record mac

2004-04-22 Thread Jason A. Pfeil
Greetings, List!

I am having difficulty with pine connecting from one of my machines to
my SSL IMAP server.  What happens is that when I start pine, it asks for
my password and I give it.  It connects to the server and then tells me
that there was an error and the connection vanishes.  Then I go back to
the folder list, reselect the folder, and voila!  It works just fine.

When the first connection vanishes, I get this error in my logfile:

imapd-ssl: couriertls: read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

I have tracked this down with the courier-imap people and they can't
figure out the issue.  I cannot replicate it with the exact same version
of pine and openssl on another box.  I have rebuilt openssl *and* pine
on the affected box many times.

I am using pine 4.58 and openssl:

% openssl version
OpenSSL 0.9.7d 17 Mar 2004

Pine is linked against it:

% ldd /usr/bin/pine
libldap.so.2 => /usr/lib/libldap.so.2 (0x40036000)
liblber.so.2 => /usr/lib/liblber.so.2 (0x4006d000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40079000)
libncurses.so.5 => /lib/libncurses.so.5 (0x4008b000)
libpam.so.0 => /lib/libpam.so.0 (0x400d)
libdl.so.2 => /lib/libdl.so.2 (0x400d8000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x400dc000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x400ef000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40155000)
libcom_err.so.3 => /usr/lib/libcom_err.so.3 (0x4024f000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40251000)
libc.so.6 => /lib/libc.so.6 (0x40282000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x403b1000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x403c4000)


I am running gentoo linux and it is up to date as of a few days ago.

Any suggestions that anyone here may have will be *extremely* welcome.

Thanks!

--Jason

-- 
Jason A. Pfeil   jason=at=jasonpfeil.com.NOSPAM


Re: openssl error (unable to load certificate)

2002-12-06 Thread Wolfgang Ziegler
At 22:44 06.12.2002 +0100, Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Fri, 06 Dec 2002 
19:51:04 +0100, Wolfgang Ziegler [EMAIL PROTECTED] said:

Wolfgang.Ziegler when trying to get the subject out of a certificate
Wolfgang.Ziegler from our local test CA I get the following error:
Wolfgang.Ziegler 
Wolfgang.Ziegler openssl x509 -noout -in usercert.pem -subject
Wolfgang.Ziegler unable to load certificate
Wolfgang.Ziegler 26416:error:0D081072:asn1 encoding 
routines:d2i_ASN1_OBJECT:expecting an object:a_object.c:217:
Wolfgang.Ziegler 26416:error:0D084070:asn1 encoding routines:d2i_ASN1_SET:error 
parsing set element:a_set.c:198:address=134815299 offset=-134815267
Wolfgang.Ziegler 26416:error:0D11D004:asn1 encoding 
routines:d2i_X509_CERT_AUX:nested asn1 error:x_x509a.c:82:address=134815295 offset=4
Wolfgang.Ziegler 26416:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 
lib:pem_lib.c:290:

Hmm, I've seen something similar.  If you do the following, what do
you get?

openssl asn1parse -i -in usercert.pem

nothing, there is no output at all

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.

--
 Fraunhofer-Institute for Algorithms and Scientific Computing (SCAI)
   Schloss Birlinghoven, D-53754 Sankt Augustin, Germany
Tel: +49 2241 14 2258Fax: +49 2241 14 2889   http://www.scai.fraunhofer.de
 Today is not as cold as yesterday, even though today is colder



openssl error (in grid ftp) with non-Globus certificate

2002-11-27 Thread Wolfgang Ziegler
Hi,

when trying to use a certificate from our local test CA I encountered
the following error:

wolf@packcs-e0:~/.globus  /opt/globus/bin/openssl x509 -noout -in 
usercert.pem -subject
unable to load certificate
26416:error:0D081072:asn1 encoding routines:d2i_ASN1_OBJECT:expecting an 
object:a_object.c:217:
26416:error:0D084070:asn1 encoding routines:d2i_ASN1_SET:error parsing set 
element:a_set.c:198:address=134815299 offset=-134815267
26416:error:0D11D004:asn1 encoding routines:d2i_X509_CERT_AUX:nested asn1 
error:x_x509a.c:82:address=134815295 offset=4
26416:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

Doing a verification of the certificate results in:

wolf@packcs-e0:~/.globus  /opt/globus/bin/openssl verify -CApath 
/etc/grid-security/certificates usercert.pem
usercert.pem: OK
wolf@packcs-e0:~/.globus 

Doing the same with my (outdated) Globus certificate works well: the first
command returns the Subject string, the second tells me that my certificate
has expired.

The openssl version is: OpenSSL 0.9.6g 9 Aug 2002

Does anybody see what is going wrong?

Thanks,

Wolfgang


--
  Fraunhofer-Institute for Algorithms and Scientific Computing (SCAI)
   Schloss Birlinghoven, D-53754 Sankt Augustin, Germany
Tel: +49 2241 14 2258Fax: +49 2241 14 2889http://www.scai.fraunhofer.de
  Today is not as cold as yesterday, even though today is colder


Re: OpenSSL Error (Apache + mod_ssl)

2002-11-16 Thread David Schwartz

On Fri, 15 Nov 2002 22:51:05 +, Manoj Kithany wrote:
Hi:

My Apache is NOT working. The log file shows:

[Fri Nov 15 15:35:57 2002] [error] mod_ssl: Init: Failed to generate
temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:04069003:rsa
routines:RSA_generate_key:BN lib


I am using Apache 1.3.27, mod_ssl 2.8.11 on IBM AIX 5.1 box.

Check the FAQ. This is quite possibly the most frequently asked OpenSSL 
question.

DS





Re: Apache + mod_ssl (OpenSSL Error)

2002-11-15 Thread Lutz Jaenicke
On Thu, Nov 14, 2002 at 10:52:00PM +, Manoj Kithany wrote:
 
 Hi Experts!
 
 I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. I am using IBM 
 AIX box.
 So, I got mod_ssl from the IBM site and installed it in following way(after 
 READing INSTALL file for 2 hrs;-(
 
 
 #pwd
 /opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27

 So, I finally READ the LOG file error_log and checked it shows:
 
 [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key 
 (OpenSSL library error follows)
 [error] OpenSSL: error:24064064:random number 
 generator:SSLEAY_RAND_BYTES:PRNG not seeded
 [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
 
 
 Do you know what this error would be? I have already installed EGD entropy 
 and it is stored in /dev/egd-pool
 Any links/pointers on this is appreciated.

/dev/egd-pool is only queried automatically starting with OpenSSL 0.9.7.
For 0.9.6x you have to enter the appropriate path using the SSLRandomSeed
directive in httpd.conf. Details are found in the manual.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



OpenSSL Error (Apache + mod_ssl)

2002-11-15 Thread Manoj Kithany
Hi:

My Apache is NOT working. The log file shows:

[Fri Nov 15 15:35:57 2002] [error] mod_ssl: Init: Failed to generate 
temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:24064064:random number 
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:04069003:rsa 
routines:RSA_generate_key:BN lib


I am using Apache 1.3.27, mod_ssl 2.8.11 on IBM AIX 5.1 box.









libcurl / openssl error

2002-11-15 Thread Moffet, Scott
I'm having a strange error with libCurl in HP-UX 11.00, using OpenSSL 0.9.6g.

I have my wrapper class in two projects.  One is a standalone project and it works 
fine.  The other is inside a server that uses OpenSSL for the inbound client 
connections, so the SSL_library_init() and such are in the main() function.  The SSL 
descriptors that set the input method to TLS server occur inside threads.

Then, from inside that thread, my wrapper class tries to post to a web page and gets 
an error, shutting down the connection.  The VERBOSE output is:

CUROPT_VEBOSE is set to TRUE
* About to connect() to ah1hpux1.linkpoint.com:443
* Connected to ah1hpux1.linkpoint.com (192.168.40.32) port 443
* SSL: error::lib(0):func(0):reason(0)* Closing connection #0

I put the errors into a text string and the text is:
curl_errors = SSL: error::lib(0):func(0):reason(0)

libcURL SHOULD be using a separate instance of OpenSSL, but is it possible that the 
client and server are colliding?  This indicates SSL had no error ... any guess why 
it's shutting down the connection?



Apache + mod_ssl (OpenSSL Error)

2002-11-14 Thread Manoj Kithany

Hi Experts!

I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. I am using IBM AIX 
box.
So, I got mod_ssl from the IBM site and installed it in following way(after 
READing INSTALL file for 2 hrs;-(


#pwd
/opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27

# ./configure --with-apache=../apache_1.3.27 
--with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer 
--with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl

#cd ..
#cd apache_1.3.27
#make
#make certificate
#make install

This DOCUMENTATION was given in README file in the above directory.

Later, I start my APACHE for SSL as shown below and get ERROR:

#./apachectl startssl
./apachectl startssl: httpd could not be started


So, I finally READ the LOG file error_log and checked it shows:

[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key 
(OpenSSL library error follows)
[error] OpenSSL: error:24064064:random number 
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib


Do you know what this error would be? I have already installed EGD entropy 
and it is stored in /dev/egd-pool
Any links/pointers on this is appreciated.

Thanks!



Apache+SSL Not working ---OpenSSL Error?

2002-11-12 Thread Manoj Kithany
Hi Experts:

I have Apache(with SSL) on my IBM AIX Box. I installed it using RPM.
When I run my APACHE as ssl using: ./apachectl startssl I get following 
error:
--
# ./apachectl startssl
./apachectl startssl: httpd could not be started
#
--

So, when I check following LOG files - I have following:


Filename: error_log

[Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init: Unable to read server 
certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error 
follows)
[Tue Nov 12 10:04:37 2002] [error] OpenSSL: error:0D09F007:asn1 encoding 
routines:d2i_X509:expecting an asn1 sequence




Filename: ssl_engine_log

[12/Nov/2002 10:04:37 28132] [info]  Server: Apache/1.3.27, Interface: 
mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
[12/Nov/2002 10:04:37 28132] [info]  Init: 1st startup round (still not 
detached)
[12/Nov/2002 10:04:37 28132] [info]  Init: Initializing OpenSSL library
[12/Nov/2002 10:04:37 28132] [info]  Init: Loading certificate & private key 
of SSL-aware server www.kithany.com:443
[12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate 
from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding 
routines:d2i_X509:expecting an asn1 sequence


Does any one of you Experts know what the above ERROR is for and how to remove 
that?

THANKS!








Re: Apache+SSL Not working ---OpenSSL Error?

2002-11-12 Thread Charles B Cranston
Manoj Kithany wrote:

 [12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate
 from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
 [12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding
 routines:d2i_X509:expecting an asn1 sequence

 Do anyone of you Experts know what is the above ERROR for and how to remove
 that?

My guess is that public.csr is a Certificate Signing Request
(csr) and not a Certificate?  They are very different objects.

To remove the error you would send the csr to a Certificate Authority
and get a Server Certificate, which Apache would be able to use.

Don't expect this to be free.

-- 

Charles B. (Ben) Cranston
mailto:zben;umd.edu
http://www.wam.umd.edu/~zben



Re: Apache+SSL Not working ---OpenSSL Error?

2002-11-12 Thread Tim Regovich
To make sure that this is an openssl issue, and not
your apache configuration, or the hardware that you
are using (I noticed the ssl_engine_log), try running
the test server program that is with the openssl
distribution.

Regards,

Tim
--- Manoj Kithany [EMAIL PROTECTED] wrote:
 Hi Experts:
 
 I have Apache(with SSL) on my IBM AIX Box. I
 installed it using RPM.
 When I run my APACHE as ssl using: ./apachectl
 startssl I get following 
 error:

--
 # ./apachectl startssl
 ./apachectl startssl: httpd could not be started
 #

--
 
 So, when I check following LOG files - I have
 following:
 


 Filename: error_log
 
 [Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init:
 Unable to read server 
 certificate from file /usr/local/ssl/bin/public.csr
 (OpenSSL library error 
 follows)
 [Tue Nov 12 10:04:37 2002] [error] OpenSSL:
 error:0D09F007:asn1 encoding 
 routines:d2i_X509:expecting an asn1 sequence


 
 


 Filename: ssl_engine_log
 
 [12/Nov/2002 10:04:37 28132] [info]  Server:
 Apache/1.3.27, Interface: 
 mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
 [12/Nov/2002 10:04:37 28132] [info]  Init: 1st
 startup round (still not 
 detached)
 [12/Nov/2002 10:04:37 28132] [info]  Init:
 Initializing OpenSSL library
 [12/Nov/2002 10:04:37 28132] [info]  Init: Loading
 certificate  private key 
 of SSL-aware server www.kithany.com:443
 [12/Nov/2002 10:04:37 28132] [error] Init: Unable to
 read server certificate 
 from file /usr/local/ssl/bin/public.csr (OpenSSL
 library error follows)
 [12/Nov/2002 10:04:37 28132] [error] OpenSSL:
 error:0D09F007:asn1 encoding 
 routines:d2i_X509:expecting an asn1 sequence


 
 Do anyone of you Experts know what is the above
 ERROR for and how to remove 
 that?
 
 THANKS!
 
 
 
 
 
 




Apache+SSL Not working ---OpenSSL Error?

2002-11-12 Thread Manoj Kithany
Hi Tim:

THANKS for your email.

What is TEST SERVER Program?






To make sure that this is an openssl issue, and not
your apache configuration, or the hardware that you
are using (I noticed the ssl_engine_log), try running
the test server program that is with the openssl
distribution.

Regards,

Tim
--- Manoj Kithany [EMAIL PROTECTED] wrote:
 Hi Experts:

 I have Apache(with SSL) on my IBM AIX Box. I
 installed it using RPM.
 When I run my APACHE as ssl using: ./apachectl
 startssl I get following
 error:

--
 # ./apachectl startssl
 ./apachectl startssl: httpd could not be started
 #

--

 So, when I check following LOG files - I have
 following:



 Filename: error_log

 [Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init:
 Unable to read server
 certificate from file /usr/local/ssl/bin/public.csr
 (OpenSSL library error
 follows)
 [Tue Nov 12 10:04:37 2002] [error] OpenSSL:
 error:0D09F007:asn1 encoding
 routines:d2i_X509:expecting an asn1 sequence






 Filename: ssl_engine_log

 [12/Nov/2002 10:04:37 28132] [info]  Server:
 Apache/1.3.27, Interface:
 mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
 [12/Nov/2002 10:04:37 28132] [info]  Init: 1st
 startup round (still not
 detached)
 [12/Nov/2002 10:04:37 28132] [info]  Init:
 Initializing OpenSSL library
 [12/Nov/2002 10:04:37 28132] [info]  Init: Loading
 certificate  private key
 of SSL-aware server www.kithany.com:443
 [12/Nov/2002 10:04:37 28132] [error] Init: Unable to
 read server certificate
 from file /usr/local/ssl/bin/public.csr (OpenSSL
 library error follows)
 [12/Nov/2002 10:04:37 28132] [error] OpenSSL:
 error:0D09F007:asn1 encoding
 routines:d2i_X509:expecting an asn1 sequence



 Do anyone of you Experts know what is the above
 ERROR for and how to remove
 that?

 THANKS!





RE: Apache+SSL Not working ---OpenSSL Error?

2002-11-12 Thread Himanshu Soni
You can also check to make sure that the certificate that apache+mod_ssl
is trying to read is in Base64...Everytime, I get these errors, 9 times
of 10, its because my certificate is in DER format where apache is
expecting it in PEM (Base64).


-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-openssl-users;openssl.org] On Behalf Of Manoj Kithany
Sent: Tuesday, November 12, 2002 3:19 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Apache+SSL Not working ---OpenSSL Error?

Hi Tim:

THANKS for your email.

What is TEST SERVER Program?





To make sure that this is an openssl issue, and not
your apache configuration, or the hardware that you
are using (I noticed the ssl_engine_log), try running
the test server program that is with the openssl
distribution.

Regards,

Tim
--- Manoj Kithany [EMAIL PROTECTED] wrote:
  Hi Experts:
 
  I have Apache(with SSL) on my IBM AIX Box. I
  installed it using RPM.
  When I run my APACHE as ssl using: ./apachectl
  startssl I get following
  error:
 
--
  # ./apachectl startssl
  ./apachectl startssl: httpd could not be started
  #
 
--
 
  So, when I check following LOG files - I have
  following:
 
 
---
-
  Filename: error_log
 
  [Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init:
  Unable to read server
  certificate from file /usr/local/ssl/bin/public.csr
  (OpenSSL library error
  follows)
  [Tue Nov 12 10:04:37 2002] [error] OpenSSL:
  error:0D09F007:asn1 encoding
  routines:d2i_X509:expecting an asn1 sequence
 
---
-
 
 
 
---
-
  Filename: ssl_engine_log
 
  [12/Nov/2002 10:04:37 28132] [info]  Server:
  Apache/1.3.27, Interface:
  mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
  [12/Nov/2002 10:04:37 28132] [info]  Init: 1st
  startup round (still not
  detached)
  [12/Nov/2002 10:04:37 28132] [info]  Init:
  Initializing OpenSSL library
  [12/Nov/2002 10:04:37 28132] [info]  Init: Loading
  certificate  private key
  of SSL-aware server www.kithany.com:443
  [12/Nov/2002 10:04:37 28132] [error] Init: Unable to
  read server certificate
  from file /usr/local/ssl/bin/public.csr (OpenSSL
  library error follows)
  [12/Nov/2002 10:04:37 28132] [error] OpenSSL:
  error:0D09F007:asn1 encoding
  routines:d2i_X509:expecting an asn1 sequence
 
---
-
 
  Do anyone of you Experts know what is the above
  ERROR for and how to remove
  that?
 
  THANKS!


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
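
Added example, not part of the original posts: the two diagnoses offered in this thread (Charles Cranston's, that public.csr is a signing request and not a certificate, and Himanshu Soni's, that the file is DER where PEM is expected) can both be checked from the file's bytes. The sketch below does that with a minimal DER reader, assuming as the reply above does that the server wants a PEM certificate; all function names are this example's own, and the sample objects are constructed skeletons with the right structure but no valid signature.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KNOWN = ("certificate", "certificate request")


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, start, end) of the value."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                        # short form: the byte is the length
        length = first
    else:                                   # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length


def der_kind(der):
    """Tell an X.509 certificate from a PKCS#10 request by DER structure."""
    try:
        tag, start, _ = read_tlv(der, 0)
        if tag != 0x30:                     # PEM text starts with '-' (0x2D), not 0x30
            return "not an ASN.1 SEQUENCE"
        tag, start, end = read_tlv(der, start)   # tbsCertificate or request info
        if tag != 0x30:
            return "unrecognised"
        tag, _, first_end = read_tlv(der, start)
        if tag == 0xA0:                     # [0] explicit version: v2/v3 certificate
            return "certificate"
        if tag != 0x02 or first_end >= end:  # otherwise an INTEGER must come first
            return "unrecognised"
        tag, s2, e2 = read_tlv(der, first_end)
        if tag != 0x30:
            return "unrecognised"
        if s2 == e2 or der[s2] == 0x31:     # subject Name: empty or SET of RDNs
            return "certificate request"
        if der[s2] == 0x06:                 # OID: AlgorithmIdentifier, v1 certificate
            return "certificate"
        return "unrecognised"
    except ValueError:
        return "not DER"


def classify(data):
    """Return (encoding, kind) for the raw bytes of a candidate file."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(m.group(2))
        except binascii.Error:
            return ("PEM", "bad base64")
        return ("PEM", der_kind(der))
    kind = der_kind(data)
    return ("DER" if kind in KNOWN else "unknown", kind)


def usable_as_pem_certificate(data):
    """True only for the one combination the replies above say is accepted."""
    return classify(data) == ("PEM", "certificate")


def tlv(tag, content=b""):
    """Build a short-form DER element (sample data only, content < 128 bytes)."""
    return bytes([tag, len(content)]) + content


def to_pem(label, der):
    body = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)).encode("ascii")


# Constructed samples: md5WithRSAEncryption OID, a one-attribute Name, empty signature.
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010104")) + tlv(0x05))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"example"))))
SIG = tlv(0x03, b"\x00")
SAMPLE_CERT_DER = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))
                                + tlv(0x02, b"\x05") + ALG + NAME) + ALG + SIG)
SAMPLE_CSR_DER = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + NAME) + ALG + SIG)
SAMPLE_CERT_PEM = to_pem("CERTIFICATE", SAMPLE_CERT_DER)
SAMPLE_CSR_PEM = to_pem("CERTIFICATE REQUEST", SAMPLE_CSR_DER)
```

Calling der_kind directly on PEM text returns "not an ASN.1 SEQUENCE", the same complaint as the d2i_X509 error quoted in this thread, because a DER object must begin with the SEQUENCE tag 0x30.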



OpenSSL Error: [links] Segmentation fault on Configure

2002-09-19 Thread Ron Parker

I have a Linux Redhat 6.2 system running apache web server.  I'm trying 
to update my existing ssl implementation with openssl-0.9.6g.  Existing 
config was compiled from source tar.

When I type in configure I get:

Operating system: i586-whatever-linux2
This system (linux-elf) is not supported. See file INSTALL for details.

I thought this was weird since it is a linux-elf system and this was 
exactly what I typed in for previous implementation which is 0.9.3a.

So, I moved on to: ./Configure linux-elf, which give me the following:

[root@dns openssl-0.9.6g]# ./Configure linux-elf
Configuring for linux-elf
IsWindows=0
CC=gcc
CFLAG =-fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
-DL_ENDIA
N -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM 
-DRMD160_AS
M
EX_LIBS   =-ldl
BN_ASM=asm/bn86-elf.o asm/co86-elf.o
DES_ENC   =asm/dx86-elf.o asm/yx86-elf.o
BF_ENC=asm/bx86-elf.o
CAST_ENC  =asm/cx86-elf.o
RC4_ENC   =asm/rx86-elf.o
RC5_ENC   =asm/r586-elf.o
MD5_OBJ_ASM   =asm/mx86-elf.o
SHA1_OBJ_ASM  =asm/sx86-elf.o
RMD160_OBJ_ASM=asm/rm86-elf.o
PROCESSOR =
RANLIB=/usr/bin/ranlib
PERL  =/usr/bin/perl5
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Makefile = Makefile.ssl
make: *** [links] Segmentation fault (core dumped)
[root@dns openssl-0.9.6g]#

This also happens when I go back and try to run ./config or ./Configure 
linux-elf from original source tar (the one which is now running).  I 
have no idea what to do from here.  Could someone please give me some 
suggestions on what may be causing this, and what to do about it?  Thanks.

-ron

-- 
Ron Parker
Software Creations http://www.scbbs.com
Self-Administration Web Site   http://saw.scbbs.com
Civil War Online Library   http://civilwar.scbbs.com
VSB Interest Group http://vsb.scbbs.com






Dreaded OpenSSL: error:140890C7

2002-03-07 Thread Jean-Claude Bourut

Hi,

I'm trying to authenticate clients connecting to my server.

[06/Mar/2002 18:45:19 25124] [info]  Connection to child 3 established
(server hub-1.trema.com:443, client 66.54.34.7)
[06/Mar/2002 18:45:19 25124] [info]  Seeding PRNG with 512 bytes of
entropy
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Handshake: start
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: before/accept
initialization
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 read client
hello A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write
certificate A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write
certificate request A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 flush data
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Write: SSLv3 read client
certificate B
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Exit: error in SSLv3 read
client certificate B
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Exit: error in SSLv3 read
client certificate B
[06/Mar/2002 18:45:20 25124] [error] SSL handshake failed (server
hub-1.trema.com:443, client 66.54.34.7) (OpenSSL library error follows)
[06/Mar/2002 18:45:20 25124] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

From the error message I can imagine two problems:
- the client has not sent any certificate
- the client has sent an unknown certificate.

Can anybody help me sort this out?

A Google lookup retrieves a lot of  OpenSSL: error:140890C7.
Most of the time, people have invoked the ClientAuthentication by
mistake.

Regards

--
Jean-Claude Bourut
Trema
1300, routes des Crêtes
Sophia Antipolis
06560 Valbonne FRANCE
Tel +33 4 92 38 81 04
Fax +33 4 92 38 81 99






OpenSSL error

2001-12-10 Thread Hardej, Andrew


I compiled OpenSSL 0.9.6b on Solaris 2.7 successfully.

When I now try to compile OpenSSH (specifically ./configure) I get the
following error:

checking for OpenSSL directory... configure: error: Could not find working
OpenSSL library, please install or check config.log

Are you able to tell me what I am doing wrong?






Re: OpenSSL error

2001-12-10 Thread Lutz Jaenicke

On Mon, Dec 10, 2001 at 12:08:51PM -0500, Hardej, Andrew wrote:
>
> I compiled OpenSSL 0.9.6b on Solaris 2.7 successfully.
>
> When I now try to compile OpenSSH (specifically ./configure) I get the
> following error:
>
> checking for OpenSSL directory... configure: error: Could not find working
> OpenSSL library, please install or check config.log
>
> Are you able to tell me what I am doing wrong?

Yes! You don't follow the directive given. It tells you to check out the
error messages in config.log.

Regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: openssl error

2001-11-16 Thread Glover Barker


I hate to distract from the original issue, but what is ethereal?  Some
kind of dump or sniffer?  Where can it be found?


   
   
Rod Gilchrist [EMAIL PROTECTED]
Sent by: owner-openssl-users@openssl.org
11/15/2001 02:36 PM
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: openssl error






MacDonald, Allan R [AMSTA-AR-FSF-A] wrote:

> I am using openssl with Oracle Webtogo and the Apache 1.3.12 server. When I
> implemented SSL on the server I thought all was well until we had to turn
> off port 80. Then my webtogo app stopped working and gave me the error
> listed below. Any help with this would be very helpful. Thanks.
>
> [14/Nov/2001 11:57:12 00621] [error] SSL handshake failed: HTTP spoken on
> HTTPS port; trying to send HTML error page (OpenSSL library error follows)
> [14/Nov/2001 11:57:12 00621] [error] OpenSSL: error:1407609C:SSL
> routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS
> port!?]

Forgive the obvious answer...

Your apache is listening on port 443 and your app is configured to
only send SSL (HTTPS) on that port?

Download ethereal and have a look at what's happening on the wire.
It's a good investment of a half hour.




Re: openssl error

2001-11-16 Thread Rod Gilchrist



Glover Barker wrote:

> I hate to distract from the original issue, but what is ethereal?  Some
> kind of dump or sniffer?  Where can it be found?


It comes up at the top of the Google hit list on the name.

www.ethereal.com.

Yes, it's great. 10 minute install, hit capture-start and
select an interface. Runs on most platforms.

Read the documentation about the reset button. It's
confusing at first as to what it's doing, and you need
to know.





OpenSSL error in mod_ssl.

2001-04-27 Thread Jason Aras


I do not know if this is the correct place to post this, but the only
error message I see is OpenSSL errors in apache's output.

here goes...

[Fri Apr 27 18:06:19 2001] [error] mod_ssl: SSL handshake failed (server
www.hidden.com:443, client hidden) (OpenSSL library error
follows)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607C084:digital
envelope routines:func(124) :reason(132)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607B086:digital
envelope routines:func(123) :reason(134)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered
details of a re-created server certificate?]

I just built the server with both 9.6 and 9.6a with the same results.

Here is what version of Apache it is running, with mods:

 Apache/1.3.19 (Unix) AuthPG/1.2 PHP/4.0.4pl1 mod_ssl/2.8.2 OpenSSL/0.9.6


thank you

Jason




OpenSSL Error: expecting an asn1 sequence

2001-01-29 Thread Wenzel, Markus

Hi OpenSSL Users,

After replacing the self-signed certificate by a real Verisign certificate I
get the following error message in ssl_engine_log:

[29/Jan/2001 10:30:46 05379] [error] Init: Unable to read server certificate
frm file /usr/local/apache_t3.1/conf/ssl.crt/server.crt (OpenSSL library
error follows)

[29/Jan/2001 10:30:46 05379] [error] OpenSSL: error:0D09F007:asn1 encoding
routines:d2i_X509:expecting an asn1 sequence

Used packages are:
Apache 1.3.12
OpenSSL 0.9.5a
mod_ssl 2.6.6.-1.3.12

Operating System is Linux RH6.1

Thank you for your help in advance

best regards,

Markus



openssl error

1999-10-28 Thread Joe Schiavone


Hello,

I am trying to test my openssl enabled apache server using the
following command:
openssl s_client -connect MYHOSTNAME:443
I get some good info followed by some that looks "not so good".
Can anyone explain this error or tell me where to go to
look it up?  Results are as follows:

CONNECTED(0004)
depth=0 /C=US/ST=X/L=X/O=XX 
[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=XXX/L=/O=XXX 
[EMAIL PROTECTED]
verify return:1
673:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake 
failure:s3_pkt.c:774:SSL alert number 40
673:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:203


--
Joseph J. Schiavone Jr.
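
An added example, not code from any poster or from the OpenSSL project: the eight hex digits in these log lines pack a library, function and reason number, which is why Jason Aras's mod_ssl log shows func(124) :reason(132) and why the s_client output above ends in "SSL alert number 40". It assumes the 8/12/12-bit layout used by the pre-3.0 releases in these messages; the names decode_line and triage are hypothetical.

```python
import re

# Library numbers and names as they appear beside the codes on this page.
LIB_NAMES = {0x06: "digital envelope routines",
             0x0D: "asn1 encoding routines",
             0x14: "SSL routines"}
SSL_LIB = 0x14
SSL_ALERT_OFFSET = 1000   # SSL reasons above this are 1000 + the peer's alert number

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# Lines copied from the messages above, with mail line wraps rejoined.
SAMPLE = [
    "[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607C084:digital envelope routines:func(124) :reason(132)",
    "[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607B086:digital envelope routines:func(123) :reason(134)",
    "[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode",
    "673:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:774:SSL alert number 40",
    "[Fri Apr 27 18:06:19 2001] [error] mod_ssl: SSL handshake failed",
]

def unpack(code):
    """Split a packed error code: 8-bit library, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_line(line):
    """Return the decoded fields of the first error code on a line, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    lib, func, reason = unpack(int(m.group(1), 16))
    alert = None
    if lib == SSL_LIB and reason > SSL_ALERT_OFFSET:
        alert = reason - SSL_ALERT_OFFSET   # the failure was reported by the peer
    return {"code": m.group(1).upper(), "lib": lib,
            "lib_name": LIB_NAMES.get(lib, "lib(%d)" % lib),
            "func": func, "reason": reason, "peer_alert": alert}

def triage(lines):
    """Decode every error line and split local failures from peer-sent alerts."""
    decoded = [d for d in map(decode_line, lines) if d is not None]
    local = [d for d in decoded if d["peer_alert"] is None]
    remote = [d for d in decoded if d["peer_alert"] is not None]
    return local, remote

if __name__ == "__main__":
    local, remote = triage(SAMPLE)
    for d in local:
        print("local  %(code)s %(lib_name)s func=%(func)d reason=%(reason)d" % d)
    for d in remote:
        print("remote %(code)s peer alert %(peer_alert)d" % d)
```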

