Re: intermittent Apache/OpenSSL error hangs server
On Thursday, 9 January 2020 17:42:47 CET, Jerry Blasdel wrote:
> Here is more information.
>
> On the server that is having this issue, prior to the FIPS_drbg_generate
> errors (these show up every time that worker pid is selected to serve a
> request) we have a single OpenSSL error that shows up in the logs.
>
> SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise test failed
>
> Once we get that error, every time we try to serve a request in Apache using
> that pid, it errors out. So, it seems like something randomly corrupts that
> PID. Can someone provide some information about FIPS_CHECK_EC: pairwise test
> failed.

I would try to eliminate hardware issue as a possible cause: run memcheck, cpu stress tests, etc.

> Thanks
>
> On Tue, Jan 7, 2020 at 7:21 AM Jerry Blasdel wrote:
>> I have several servers configured the same, running Apache 2.4X/OpenSSL1.02 fips-enabled.
>>
>> On one server we periodically get the following errors in the Apache logs:
>>
>> SSL Library Error: error:xx:FIPS_drbg_generate:selftest failed.
>> In some cases, the server continues to service requests, but in other cases ...

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
Re: intermittent Apache/OpenSSL error hangs server
> Once we get that error, every time we try to serve a request in Apache using
> that pid, it errors out. So, it seems like something randomly corrupts that
> PID. Can someone provide some information about FIPS_CHECK_EC: pairwise test
> failed.

Once FIPS detects an error, it will stay stuck in error-state until you re-initialize. Sorry, can’t provide more details about the specific test that’s failing.
Re: intermittent Apache/OpenSSL error hangs server
Here is more information.

On the server that is having this issue, prior to the FIPS_drbg_generate errors (these show up every time that worker pid is selected to serve a request) we have a single OpenSSL error that shows up in the logs.

SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise test failed

Once we get that error, every time we try to serve a request in Apache using that pid, it errors out. So, it seems like something randomly corrupts that PID. Can someone provide some information about FIPS_CHECK_EC: pairwise test failed.

Thanks

On Tue, Jan 7, 2020 at 7:21 AM Jerry Blasdel wrote:
> I have several servers configured the same, running Apache
> 2.4X/OpenSSL1.02 fips-enabled.
>
> On one server we periodically get the following errors in the Apache logs:
>
> SSL Library Error: error:xx:FIPS_drbg_generate:selftest failed.
>
> In some cases, the server continues to service requests, but in other cases
> the server hangs and will not process requests until the worker pid
> receiving the error is killed, or a kill -HUP is issued on the Apache root
> pid.
>
> I see someone else had a similar issue but I can't find any resolution.
>
> https://mta.openssl.org/pipermail/openssl-users/2016-October/004657.html
>
> Other information...
>
> We have looked at the entropy on the server when it is working properly vs
> when it hangs and could not find any big differences.
>
> Also, SSLRandomSeed is configured for startup and connect in Apache.
>
> Any help would be appreciated.
>
> Thanks
intermittent Apache/OpenSSL error hangs server
I have several servers configured the same, running Apache 2.4X/OpenSSL1.02 fips-enabled.

On one server we periodically get the following errors in the Apache logs:

SSL Library Error: error:xx:FIPS_drbg_generate:selftest failed.

In some cases, the server continues to service requests, but in other cases the server hangs and will not process requests until the worker pid receiving the error is killed, or a kill -HUP is issued on the Apache root pid.

I see someone else had a similar issue but I can't find any resolution.

https://mta.openssl.org/pipermail/openssl-users/2016-October/004657.html

Other information...

We have looked at the entropy on the server when it is working properly vs when it hangs and could not find any big differences.

Also, SSLRandomSeed is configured for startup and connect in Apache.

Any help would be appreciated.

Thanks
Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key
Thank you to everyone that has weighed in on my question. Unfortunately, I have yet to find an answer that I'm fully satisfied with.

I'm trying a different approach: I would like to create a sample encrypted Ethereum private key that shares the same 132 character PEM format as the string I'm trying to decrypt. I can then attempt to decrypt that string with an incorrect password, and see if I get the EVP_DecryptFinal_ex:wrong final block length error. Does that make sense?

Here's my basic approach. I'm starting with Vincent Kobel's excellent "Create a Full Ethereum Wallet, Keypair and Address" article (https://kobl.one/blog/create-full-ethereum-keypair-and-address/)

He creates a 132-character PEM formatted unencrypted private key with this command:

    openssl ecparam -name secp256k1 -genkey -noout

Unless I have completely failed at reading the man page correctly, there's no way to assign a password from the ecparam command.

I write the 132 character unencrypted private key (not the -BEGIN/END EC PRIVATE KEY- characters) to a file named sample_pk.pem and I encrypt it with openssl:

    openssl enc -e -aes-256-cbc -a -in sample_pk.pem -out sample_epk.pem -pass pass:secret

I now have a 256 character encrypted private string. (Note, the string length is 256 characters whether I use AES-128 or AES-256. That's probably obvious to all of you, but it wasn't to me).

If I decrypt that string with the correct password

    openssl enc -d -aes256 -a -in sample_epk.pem -out recovered.key -pass pass:secret

I get my original unencrypted private key back. Excellent!

However, If I decrypt that string with an incorrect password:

    openssl enc -d -aes256 -a -in sample_epk.pem -out recovered.key -pass pass:secr3t

I get a new error message:

    EVP_DecryptFinal_ex:bad decrypt

And, that message does not match the EVP_DecryptFinal_ex:wrong final block length error message I was hoping to get.
I think that all that I have proven with this exercise is that the original unencrypted private key was:
- not a 132 character PEM formatted unencrypted private key
- and/or
- it was not encrypted using the -aes-256-cbc encryption algorithm

So, on to the question! Can anyone help me figure out how to create an Ethereum private key such that when it is encrypted it is a 132 character long PEM formatted string?

Alternately, is there a process for taking an encrypted string, and "backing in" to the details of how it was created? (ie what algorithm, etc?)

Thanks,
Chris

On Mon, Jan 15, 2018 at 2:01 PM, Chris B wrote:
> Hi Daniel,
>
> >Option #1 from the possibilities you mentioned below seems to be the most logical to me.
> Thank you, that's very helpful.
>
> Thanks,
> Chris
>
> On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel wrote:
>> On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
>>
>> Hi Matt,
>>
>> >If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.
>> Awesome thought, but I'm also using 1.0.2:
>>
>> $ openssl version
>> OpenSSL 1.0.2k-fips 26 Jan 2017
>>
>> (I also tried adding -md md5 to the previous command, but I got the same error message).
>>
>> Option #1 from the possibilities you mentioned below seems to be the most
>> logical to me. If you use the wrong key, the padding data in the last block
>> will also be decrypted to the wrong values, so the padding block check will
>> fail. The padding is a necessary part of decryption because it needs to
>> know how much plaintext is actually represented by that last block.
>>
>> > I'm not sure how to interpret that output. I could interpret it as:
>> > o Your system for decrypting the password is perfect, but: this is not
>> > the right password.
>> > o There's something wrong with the EPK -- its length must be a multiple
>> > of the AES block length.
>> > o There's something wrong with the unencrypted private key -- its length
>> > must be a multiple of the AES block length.
>> > o Something else entirely

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key
Hi Daniel,

>Option #1 from the possibilities you mentioned below seems to be the most logical to me.

Thank you, that's very helpful.

Thanks,
Chris

On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel wrote:
> On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
>
> Hi Matt,
>
> >If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.
> Awesome thought, but I'm also using 1.0.2:
>
> $ openssl version
> OpenSSL 1.0.2k-fips 26 Jan 2017
>
> (I also tried adding -md md5 to the previous command, but I got the same error message).
>
> Option #1 from the possibilities you mentioned below seems to be the most
> logical to me. If you use the wrong key, the padding data in the last block
> will also be decrypted to the wrong values, so the padding block check will
> fail. The padding is a necessary part of decryption because it needs to
> know how much plaintext is actually represented by that last block.
>
> > I'm not sure how to interpret that output. I could interpret it as:
> > o Your system for decrypting the password is perfect, but: this is not
> > the right password.
> > o There's something wrong with the EPK -- its length must be a multiple
> > of the AES block length.
> > o There's something wrong with the unencrypted private key -- its length
> > must be a multiple of the AES block length.
> > o Something else entirely
Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key
On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
> Hi Matt,
>
> >If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and
> >1.1.0.
> Awesome thought, but I'm also using 1.0.2:
>
> $ openssl version
> OpenSSL 1.0.2k-fips 26 Jan 2017
>
> (I also tried adding -md md5 to the previous command, but I got the same error message).

Option #1 from the possibilities you mentioned below seems to be the most logical to me. If you use the wrong key, the padding data in the last block will also be decrypted to the wrong values, so the padding block check will fail. The padding is a necessary part of decryption because it needs to know how much plaintext is actually represented by that last block.

> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely
Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key
Hi Matt,

>If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.

Awesome thought, but I'm also using 1.0.2:

    $ openssl version
    OpenSSL 1.0.2k-fips 26 Jan 2017

(I also tried adding -md md5 to the previous command, but I got the same error message).

Thanks,
Chris

On Sun, Jan 14, 2018 at 6:03 PM, Matt Caswell wrote:
> On 14/01/18 15:26, Chris B wrote:
> > I'm trying to help someone recover his password for an older format
> > ethereum encrypted private key (EPK). My plan has been to use his best
> > guess at the password to brute force the actual password.
> >
> > The EPK is a 132 character string, and it looks something like this:
> > U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
> >
> > (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
> >
> > This article
> > (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> > seems to describe a very similar EPK. The author of that post decrypted
> > their key with the following command:
> >
> > openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"
> >
> > I have tried this same approach, but I'm getting an error:
> >
> > EVP_DecryptFinal_ex:wrong final block length
>
> What version of OpenSSL are you using. The quoted article was written 2
> years ago so definitely wasn't using OpenSSL 1.1.0. If you *are* using
> 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Old
> OpenSSL "enc" output defaulted to md5. The current default is sha256:
>
> https://www.openssl.org/docs/faq.html#USER3
>
> Try adding "-md md5" onto your command line.
>
> Matt
>
> > Here's an example:
> >
> > /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
> > recovered.key -pass pass:TheBig7ebowski
> >
> > And here's the output:
> >
> > bad decrypt
> >
> > 140220549330848:error:0606506D:digital envelope
> > routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
> >
> > I'm not sure how to interpret that output. I could interpret it as:
> > o Your system for decrypting the password is perfect, but: this is not
> > the right password.
> > o There's something wrong with the EPK -- its length must be a multiple
> > of the AES block length.
> > o There's something wrong with the unencrypted private key -- its length
> > must be a multiple of the AES block length.
> > o Something else entirely
> >
> > Can anyone help me understand how to interpret this error message?
> >
> > Thanks,
> > Chris
Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key
On 14/01/18 15:26, Chris B wrote:
> I'm trying to help someone recover his password for an older format
> ethereum encrypted private key (EPK). My plan has been to use his best
> guess at the password to brute force the actual password.
>
> The EPK is a 132 character string, and it looks something like this:
> U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
>
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
>
> This article
> (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK. The author of that post decrypted
> their key with the following command:
>
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"
>
> I have tried this same approach, but I'm getting an error:
>
> EVP_DecryptFinal_ex:wrong final block length

What version of OpenSSL are you using. The quoted article was written 2 years ago so definitely wasn't using OpenSSL 1.1.0. If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Old OpenSSL "enc" output defaulted to md5. The current default is sha256:

https://www.openssl.org/docs/faq.html#USER3

Try adding "-md md5" onto your command line.

Matt

> Here's an example:
>
> /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
> recovered.key -pass pass:TheBig7ebowski
>
> And here's the output:
>
> bad decrypt
>
> 140220549330848:error:0606506D:digital envelope
> routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
>
> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely
>
> Can anyone help me understand how to interpret this error message?
>
> Thanks,
> Chris
Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key
>Any chance this is data corruption?

Brilliant! You caught me. Although this key is encrypted I wasn't comfortable making it public on the interwebs. So, I randomly changed several of the characters. If I run openssl base64 -d... on the *actual* key it does indeed begin with Salted__:

    $ openssl base64 -d -in enc_private_key.txt | od -c
    000 S a l t e d _ _

>You could try a dictionary attack on the actual 132-byte string, after base64-decoding,
>provided it is not corrupted.

This is basically what I was trying to do, although I was simply running a few hundred thousand strings that are related to the best guess password, rather using a dictionary attack.

Is there a better command to proceed with a brute force attack than this one?

    /usr/bin/openssl enc -d -aes-256-cpc -a -in enc_private_key.txt -out recovered.key

As I understand:
- openssl enc -d => decrypt using openssl
- -aes-256-cpc => use the AES 256 CPC algorithm
- -a => base64 decrypt
- -in=> read the encrypted string from enc_private_key.txt
- -out => write the unencrypted string to recovered.key

I tried running openssl in two steps: first doing the base64 decoding, then decrypting with -aes256, which I believe is functionally the same as the command mentioned above:

    $ openssl base64 -d -in enc_private_key.txt | openssl enc -d -aes256 -out recovered.key
    enter aes-256-cbc decryption password:
    bad decrypt
    139845090879392:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:

Which brings me back to the original question. Does anyone know how to interpret "EVP_DecryptFinal_ex:wrong final block length"

Thanks!
-Chris

On Sun, Jan 14, 2018 at 11:21 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> > On Jan 14, 2018, at 10:26 AM, Chris B wrote:
> >
> > I'm trying to help someone recover his password for an older format
> > ethereum encrypted private key (EPK). My plan has been to use his best
> > guess at the password to brute force the actual password.
> >
> > The EPK is a 132 character string, and it looks something like this:
> > U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
> >
> > (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
>
> This input is base64 encoded:
>
> $ openssl base64 -d < U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCK
> Dy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE
> 8e2a
> END
> 000S a l t e t _ _ 9 3 326 \0 k 375 273 246
> 020a / 027 0 271 246 242 310 343 025 253 003 252 . 031 P
> 040 261 320 G 211 366 317 003 315 341 256 006 326 \t < 0 212
> 060 017 - & 363 L 257 035 324 030 \f 303 332 370 | /ؓ
> 100 ** ۸ ** b M 241 C ! 025 j \ A m U 027 000
> 120 \0 313 K X o 265 255 277 o 210 E f s r 233 004
> 140 361 100 232
>
> This does indeed look a lot like "openssl enc" output:
>
> $ echo foobar | openssl enc -aes256 -pass pass:foobar | od -c
> 000S a l t e d _ _ 263 f 243 \0 242 ~ 031 3
> 020 266 035 Y 310 367 300 366 264 247 : $ s 236 266 4 340
> 040
>
> Except that for some reason the "d" in "Salted" is a "t". Funny that these
> are the voiced and unvoiced variants of the same consonant, but note also
> that the ASCII code for 'd' = 0x64 and 't' = 0x74, so this is a 1 bit
> change.
> Any chance this is data corruption?
>
> > This article (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> > seems to describe a very similar EPK.
>
> In that sample, the base64-decoded data starts with "Salted__" as expected.
>
> > The author of that post decrypted their key with the following command:
> >
> > openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"
>
> Hard to say whether that's correct, rather depends on the format of
> "FILE_OF_KEYS".
> You could try a dictionary attack on the actual 132-byte string, after
> base64-decoding,
> provided it is not corrupted.
>
> --
> Viktor.
Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key
> On Jan 14, 2018, at 10:26 AM, Chris B wrote:
>
> I'm trying to help someone recover his password for an older format ethereum
> encrypted private key (EPK). My plan has been to use his best guess at the
> password to brute force the actual password.
>
> The EPK is a 132 character string, and it looks something like this:
> U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
>
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)

This input is base64 encoded:

$ openssl base64 -d <

> This article
> (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK.

In that sample, the base64-decoded data starts with "Salted__" as expected.

> The author of that post decrypted their key with the following command:
>
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"

Hard to say whether that's correct, rather depends on the format of "FILE_OF_KEYS". You could try a dictionary attack on the actual 132-byte string, after base64-decoding, provided it is not corrupted.

--
Viktor.
Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key
Hi Rich,

Thank you very much for the reply. I get the same error message using -aes256 as -aes-256-cbc

    /usr/bin/openssl enc -d -aes256 -a -in enc_private_key.txt -out recovered.key -pass pass:TheBig7ebowski
    bad decrypt
    140383648536480:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:

Thanks,
Chris

On Sun, Jan 14, 2018 at 10:39 AM, Salz, Rich via openssl-users <openssl-users@openssl.org> wrote:
> For CBC the encrypted text will be a multiple of the cipher size. So your
> use of CBC is wrong. The quoted post uses aes256; you were using aes-cbc
Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key
For CBC the encrypted text will be a multiple of the cipher size. So your use of CBC is wrong. The quoted post uses aes256; you were using aes-cbc
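Two different errors appear in this thread: "wrong final block length" depends only on the size of the data handed to the cipher, while "bad decrypt" comes from the padding check after decryption. The following is an added example, not code from any message in the thread; it assumes the usual salted `openssl enc` layout (8-byte `Salted__` marker, 8-byte salt, then ciphertext) with PKCS#7 padding, and its function names are made up for illustration.

```python
import base64

MAGIC = b"Salted__"  # marker `openssl enc` writes in front of a salted ciphertext
SALT_LEN = 8
AES_BLOCK = 16       # bytes; identical for AES-128 and AES-256

# The string as posted in the thread (the poster later says he changed
# several characters before publishing it), split 64/64/4 as in the reply.
POSTED = (
    "U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCK"
    "Dy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE"
    "8e2a"
)
# Constructed sample: correct marker, dummy salt, two zero-filled blocks.
CONSTRUCTED = base64.b64encode(MAGIC + bytes(range(8)) + bytes(32)).decode()


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def inspect_enc_blob(b64_text: str) -> dict:
    """Check the structure of base64 `openssl enc -a` output; no password needed."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    header = raw[:len(MAGIC)]
    salt = raw[len(MAGIC):len(MAGIC) + SALT_LEN]
    body = raw[len(MAGIC) + SALT_LEN:]
    findings = []

    if header != MAGIC:
        near = len(header) == len(MAGIC) and bit_distance(header, MAGIC) <= 2
        if near:
            findings.append(
                f"header {header!r} differs from {MAGIC!r} by "
                f"{bit_distance(header, MAGIC)} bit(s): text altered or corrupted"
            )
        else:
            findings.append(f"header {header!r} is not {MAGIC!r}")

    # CBC only ever emits whole blocks, so any remainder is a length error
    # that the decryptor reports before the key or padding is even relevant.
    leftover = len(body) % AES_BLOCK
    if not body:
        findings.append("no ciphertext after the 16-byte header")
    elif leftover:
        findings.append(
            f"ciphertext is {len(body)} bytes, {leftover} past a block boundary: "
            "'wrong final block length' for every password"
        )

    return {
        "decoded_len": len(raw),
        "header": header,
        "salt_hex": salt.hex(),
        "ciphertext_len": len(body),
        "leftover": leftover,
        "well_formed": not findings,
        "findings": findings,
    }


def expected_b64_len(plaintext_len: int) -> int:
    """Base64 length, line breaks excluded, of salted AES-CBC output."""
    padded = (plaintext_len // AES_BLOCK + 1) * AES_BLOCK  # PKCS#7 adds 1..16 bytes
    raw_len = len(MAGIC) + SALT_LEN + padded
    return 4 * ((raw_len + 2) // 3)


if __name__ == "__main__":
    for name, blob in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        report = inspect_enc_blob(blob)
        print(name, report["decoded_len"], report["ciphertext_len"], report["findings"])
    # Lengths a well-formed blob can have near 132 characters:
    print(sorted({expected_b64_len(n) for n in range(48, 100)}))
```

A 132-character base64 string decodes to 99 bytes, which leaves 83 bytes after the header; the neighbouring well-formed sizes are 128 and 152 characters.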
[openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key
I'm trying to help someone recover his password for an older format ethereum encrypted private key (EPK). My plan has been to use his best guess at the password to brute force the actual password.

The EPK is a 132 character string, and it looks something like this:

U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a

(That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)

This article (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/) seems to describe a very similar EPK. The author of that post decrypted their key with the following command:

    openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"

I have tried this same approach, but I'm getting an error:

    EVP_DecryptFinal_ex:wrong final block length

Here's an example:

    /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out recovered.key -pass pass:TheBig7ebowski

And here's the output:

    bad decrypt
    140220549330848:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:

I'm not sure how to interpret that output. I could interpret it as:
o Your system for decrypting the password is perfect, but: this is not the right password.
o There's something wrong with the EPK -- its length must be a multiple of the AES block length.
o There's something wrong with the unencrypted private key -- its length must be a multiple of the AES block length.
o Something else entirely

Can anyone help me understand how to interpret this error message?

Thanks,
Chris
Re: [openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode
On Fri, Feb 19, 2016, Neptune wrote:

> failedcert.crt <http://openssl.6102.n7.nabble.com/file/n63828/failedcert.crt>
>
> Hello all,
> I've attached a .crt certificate file that we are experiencing a problem
> with. When trying to process this certificate using the PKCS7_decrypt( )
> function. The error string is:
>
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
>
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was hoping
> someone would be nice enough to inspect this file and verify if there is any
> non-FIPS-iness. I don't want to point fingers at the environment without
> proof.
>

Well that link is not a certificate but a PKCS#7 signed data structure whose content is itself a PKCS#7 enveloped data structure. You mentioned PKCS7_decrypt() so that may be a reference to the inner content.

Analysing that with asn1parse shows that it is using single DES as the content encryption algorithm (56 bits) which is not approved in FIPS mode. So I suspect that is the cause.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode
failedcert.crt <http://openssl.6102.n7.nabble.com/file/n63828/failedcert.crt>

Hello all,

I've attached a .crt certificate file that we are experiencing a problem with. When trying to process this certificate using the PKCS7_decrypt( ) function. The error string is:

OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error

This only happens in FIPS mode so we suspect a weak cipher, but I'm unable to glean any specified error that would verify this suspicion. I was hoping someone would be nice enough to inspect this file and verify if there is any non-FIPS-iness. I don't want to point fingers at the environment without proof.

Thanks for any help!

--
View this message in context: http://openssl.6102.n7.nabble.com/OPENSSL-error-21072077-PKCS7-routines-PKCS7-decrypt-in-FIPS-mode-tp63828.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
[openssl-users] Cannot clear error OpenSSL Error Stack
Hello,

After getting an error in the verify callback of my server saying that the presented client certificate is expired, I cannot clear the openssl error stack.

The reason I want to do that is because I want to be able to override (under specific circumstances) the default OpenSSL behavior that rejects a connection from a client who presents an expired certificate.

The way I have tried to do that is to return 1 from the verification callback when openssl passes 'ok' argument as 0 (i.e. failed verification). I would expect that returning 1 signifies success and hence the error stack is cleared, however I found out that calling SSL_get_verify_result() after the verification callback still returns an error. Why is that?

Please note that I'm using openssl 0.9.8

Thanks a lot in advance,
Antonis
Re: openssl error
I was getting the same error. Changed a setting in the openssl.cnf that fixed it:

Locate the line:

    default_md = default

Change it to:

    default_md = md5

--
View this message in context: http://openssl.6102.n7.nabble.com/openssl-error-tp1994p47008.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: openssl error
Thanks for the response, but it didn't work, same error.

2013/10/23 eurospoofer eurospoo...@gmail.com
> I was getting the same error. Changed a setting in the openssl.cnf that fixed it:
>
> Locate the line:
>
> default_md = default
>
> Change it to:
>
> default_md = md5
>
> --
> View this message in context: http://openssl.6102.n7.nabble.com/openssl-error-tp1994p47008.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active
On Wed, Oct 09, 2013 at 10:46:35PM -0700, Jeremy Friesner wrote:

> > With SSL sessions created via SSLv23_method(), use of this primitive
> > will lead to the failure in question when invoked before the SSL
> > session has switched to SSLv3, TLSv1, ?
>
> Aha! Yes, that appears to be my problem. As a simple workaround, I
> changed my code to call SSLv3_method() instead, and now everything is
> working perfectly. Thanks so much for your help! :^)

A better solution is to not call SSL_pending() until the SSL handshake completes. For now you should keep track of whether SSL_accept() has completed for a given session, and refrain from SSL_pending() until then.

By using SSLv3_method() you don't get to take advantage of improvements in TLSv1, TLSv1.1 or TLSv1.2. You only get SSLv3. SSLv3 is obsolete, you should be using TLS 1.0 or later.

It is perhaps by now a reasonable feature request to ask the OpenSSL developers for an alternative to SSLv23_method() that also negotiates multiple protocol versions, but starts with TLSv1 as the lowest supported version. Perhaps call it TLS_method(). One gets a close approximation to this with the options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, but as we see some subtle differences remain.

Also perhaps the SSL_pending() function should not fail in such a surprising way. When called before the handshake has completed, it should perhaps simply return 0.

--
Viktor.
Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active
On Oct 9, 2013, at 10:59 PM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:

> A better solution is to not call SSL_pending() until the SSL handshake
> completes. For now you should keep track of whether SSL_accept() has
> completed for a given session, and refrain from SSL_pending() until then.

Agreed, but my code never calls SSL_accept(); instead it just calls SSL_set_accept_state() during setup. Given that, I'm not sure how to detect that the handshake has completed. Is there a way to know?

> By using SSLv3_method() you don't get to take advantage of improvements
> in TLSv1, TLSv1.1 or TLSv1.2. You only get SSLv3. SSLv3 is obsolete, you
> should be using TLS 1.0 or later.

I see.

> Also perhaps the SSL_pending() function should not fail in such a
> surprising way. When called before the handshake has completed, it
> should perhaps simply return 0.

Agreed. I've sent a bug report to r...@openssl.org requesting that.

-Jeremy
RE: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active
Jeremy,

I am very interested in the 25% scenarios you are referring to here. What browser were you using? Where were you trying to connect to, what operating system were you trying to connect to? I was reading up on extended certs today and found out some interesting information from the Gibson Research Corp.

Best Regards,
~elaine.

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of jeremyf
Sent: Wednesday, October 09, 2013 3:24 PM
To: openssl-users@openssl.org
Subject: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active

Hi all,

I'm working on adding OpenSSL support to my server program, and generally it's working pretty well, but I have come across a problem.

First, some background: The server is single-threaded and uses non-blocking I/O and a select() loop to handle multiple clients simultaneously. The server is linked to libssl.0.9.8.dylib and libcrypto.0.9.8.dylib (i.e. the libraries provided in /usr/lib by MacOS/X 10.8.5). The client-server protocol is a proprietary full-duplex messaging protocol; that is, the clients and the server are all allowed to send and receive data at any time, and the client-server TCP connections remain connected indefinitely (i.e. until the client or server decides to disconnect).

The issue is this: my clients can connect to the server, and sending and receiving data works fine (now that I got the SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ logic sorted out)... but if the server accept()'s a new client connection *while* other clients are in the middle of sending or receiving data, the SSL layer seems to break.

In particular, immediately after the server runs the setup routine below to set up the newly-accepted socket, SSL_read() on one or more of the other (pre-existing) clients' sockets will return -1, and ERR_print_errors_fp(stderr) gives this output:

SSL_read() ERROR: 5673:error:140F3042:SSL routines:SSL_UNDEFINED_CONST_FUNCTION:called a function you should not call:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/ssl_lib.c:2248:

After this error first appears, the server largely stops working. Data movement stops, and if I try to connect another client I often get this error:

SSL_read() ERROR: 5673:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s23_srvr.c:578:

This happens about 25% of the time in my test scenario. If I make sure that my pre-existing client connections are idle (no data being sent or received) at the moment when the new client connects, it never happens.

Does anyone know what might be going wrong here? Have I found an OpenSSL bug, or is there some detail that I'm overlooking? Some relevant code from my program is pasted below, in case it's helpful.

Thanks,
Jeremy

---

// Socket setup routine, called when the server accepts a new TCP socket
int SSLSession :: SetupSSL(int sockfd)
{
   _ctx = SSL_CTX_new(SSLv23_method());
   if (_ctx)
   {
      SSL_CTX_set_mode(_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

      _ssl = SSL_new(_ctx);
      if (_ssl)
      {
         _sbio = BIO_new_socket(sockfd, BIO_NOCLOSE);
         if (_sbio)
         {
            SSL_set_bio(_ssl, _sbio, _sbio);
            SSL_set_accept_state(_ssl);
            BIO_set_nbio(_sbio, !blocking);
            ERR_print_errors_fp(stderr);
            return RESULT_SUCCESS;
         }
         else fprintf(stderr, "SSLSession: BIO_new_socket() failed!\n");
      }
      else fprintf(stderr, "SSLSession: SSL_new() failed!\n");
   }
   else fprintf(stderr, "SSLSession: SSL_CTX_new() failed!\n");

   return RESULT_FAILURE;
}

// Socket read routine -- returns number of bytes read from SSL-land
int32 SSLSession :: Read(void *buffer, uint32 size)
{
   if (_ssl == NULL) return -1;

   int32 bytes = SSL_read(_ssl, buffer, size);
   if (bytes > 0)
   {
      _sslState &= ~(SSL_STATE_READ_WANTS_READABLE_SOCKET | SSL_STATE_READ_WANTS_WRITEABLE_SOCKET);
   }
   else if (bytes == 0) return -1;  // connection was terminated
   else
   {
      int err = SSL_get_error(_ssl, bytes);
      if (err == SSL_ERROR_WANT_WRITE)
      {
         // We have to wait until our socket is writeable, and then repeat our SSL_read() call.
         _sslState &= ~SSL_STATE_READ_WANTS_READABLE_SOCKET;
         _sslState |= SSL_STATE_READ_WANTS_WRITEABLE_SOCKET;
         bytes = 0;
      }
      else if (err == SSL_ERROR_WANT_READ)
      {
         // We have to wait until our socket is readable, and then repeat our SSL_read() call.
         _sslState |= SSL_STATE_READ_WANTS_READABLE_SOCKET;
         _sslState &= ~SSL_STATE_READ_WANTS_WRITEABLE_SOCKET;
         bytes = 0;
      }
      else
      {
         fprintf(stderr, "SSL_read() ERROR: ");
         ERR_print_errors_fp(stderr);
      }
   }
   return bytes;
}

// Socket write routine -- returns number of bytes written to SSL-land
int32 SSLSession :: Write(const
Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active
Hi Elaine,

No browser, just a client and server program I wrote myself (in C++) that I'm trying to upgrade to support SSL. (They both previously worked over vanilla TCP connections only, but I'm adding SSL transport as an option.)

For this test, both the client and server are running on my Mac Mini (OS/X 10.8.5), but I've seen similar problems when testing the same software under Linux, so I don't think the problem is operating-system specific.

If you're interested in trying to reproduce the fault yourself, let me know and I can upload the code I'm testing with.

Cheers,
Jeremy

On Oct 9, 2013, at 7:19 PM, elaine ossipov ela...@aspwired.com wrote:

> Jeremy,
>
> I am very interested in the 25% scenarios you are referring to here. What browser were you using? Where were you trying to connect to, what operating system were you trying to connect to? I was reading up on extended certs today and found out some interesting information from the Gibson Research Corp.
>
> Best Regards,
> ~elaine.
Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active
On Wed, Oct 09, 2013 at 07:54:34PM -0700, Jeremy Friesner wrote:

> If you're interested in trying to reproduce the fault yourself, let me know and I can upload the code I'm testing with.

Are you using SSL_pending(), BIO_pending() or anything similar anywhere in your code?

With SSL sessions created via SSLv23_method(), use of this primitive will lead to the failure in question when invoked before the SSL session has switched to SSLv3, TLSv1, ...

Though I would expect the failure to occur on access to just the new session, not already established sessions, unless they're in the middle of a handshake...

ssl/ssl_locl.h:

    #define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
    const SSL_METHOD *func_name(void)  \
        { \
        static const SSL_METHOD func_name##_data= { \
            TLS1_2_VERSION, \
            tls1_new, \
            tls1_clear, \
            tls1_free, \
            s_accept, \
            s_connect, \
            ssl23_read, \
            ssl23_peek, \
            ssl23_write, \
            ssl_undefined_function, \
            ssl_undefined_function, \
            ssl_ok, \
            ssl3_get_message, \
            ssl3_read_bytes, \
            ssl3_write_bytes, \
            ssl3_dispatch_alert, \
            ssl3_ctrl, \
            ssl3_ctx_ctrl, \
            ssl23_get_cipher_by_char, \
            ssl23_put_cipher_by_char, \
            ssl_undefined_const_function, \
            ...

The ssl_undefined_const_function above is the ssl_pending function for the SSL method in question. Presumably it is updated to a more appropriate value (typically ssl3_pending) once a particular protocol is selected.

    int ssl_undefined_const_function(const SSL *s)
        {
        SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return(0);
        }

The method-specific ssl_pending function is used in:

    int SSL_pending(const SSL *s)
        {
        /* SSL_pending cannot work properly if read-ahead is enabled
         * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
         * and it is impossible to fix since SSL_pending cannot report
         * errors that may be observed while scanning the new data.
         * (Note that SSL_pending() is often used as a boolean value,
         * so we'd better not return -1.)
         */
        return(s->method->ssl_pending(s));
        }
    ...

--
Viktor.
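The dispatch-slot mechanism described in this message, and the "track handshake completion" guard recommended elsewhere in the thread, as an added self-contained model (not OpenSSL source and not code from the thread). All names are hypothetical; in real code the `handshake_done` flag would correspond to a check such as `SSL_is_init_finished()`. The shared error queue follows the SSL_get_error() documentation, which requires the thread's error queue to be empty before an I/O call for the result to be reliable.

```c
/* Model only: hypothetical names, no OpenSSL headers required. */
#include <stdio.h>
#include <stddef.h>

#define ERRQ_MAX 8
enum { ERR_NONE = 0, ERR_SHOULD_NOT_HAVE_BEEN_CALLED = 1 };

/* One error queue per thread, shared by every session that thread serves. */
static int errq[ERRQ_MAX];
static size_t errq_len;

static void err_put(int code) { if (errq_len < ERRQ_MAX) errq[errq_len++] = code; }
static int  err_peek(void)    { return errq_len ? errq[0] : ERR_NONE; }
static void err_clear(void)   { errq_len = 0; }

struct session;
struct method {
    const char *name;
    int (*pending)(const struct session *);   /* the "ssl_pending" slot */
};
struct session {
    const struct method *method;
    int handshake_done;
    int buffered;                              /* decrypted bytes waiting */
};

/* Slot used while the protocol version is still being negotiated. */
static int undefined_pending(const struct session *s)
{
    (void)s;
    err_put(ERR_SHOULD_NOT_HAVE_BEEN_CALLED);  /* queues an error, returns 0 */
    return 0;
}

/* Slot used once a concrete protocol version has been selected. */
static int real_pending(const struct session *s) { return s->buffered; }

static const struct method negotiating_method = { "negotiating", undefined_pending };
static const struct method fixed_method       = { "fixed-version", real_pending };

void session_init(struct session *s)
{
    s->method = &negotiating_method;
    s->handshake_done = 0;
    s->buffered = 0;
}

/* The handshake swaps the method table, which makes pending() safe. */
void session_finish_handshake(struct session *s)
{
    s->method = &fixed_method;
    s->handshake_done = 1;
}

/* Unguarded call, as in the failing server. */
int raw_pending(const struct session *s) { return s->method->pending(s); }

/* Guarded call: report "nothing pending" until the handshake has completed. */
int guarded_pending(const struct session *s)
{
    return s->handshake_done ? s->method->pending(s) : 0;
}

enum io_status { IO_WANT_READ, IO_FATAL };

/* Classify a read that would block: a stale queued error wins over retry. */
enum io_status classify_would_block(void)
{
    return err_peek() != ERR_NONE ? IO_FATAL : IO_WANT_READ;
}

/* One established client is mid-transfer while a new connection is polled. */
enum io_status poll_new_session_then_read(int use_guard)
{
    struct session established, fresh;

    err_clear();
    session_init(&established);
    session_finish_handshake(&established);
    session_init(&fresh);                      /* handshake not started yet */

    if (use_guard)
        (void)guarded_pending(&fresh);
    else
        (void)raw_pending(&fresh);

    /* The established session's next read has no data yet and would block. */
    return classify_would_block();
}

int main(void)
{
    printf("unguarded: %s\n",
           poll_new_session_then_read(0) == IO_FATAL ? "fatal" : "retry");
    printf("guarded:   %s\n",
           poll_new_session_then_read(1) == IO_FATAL ? "fatal" : "retry");
    return 0;
}
```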
Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active
Hi all,

I'm working on adding OpenSSL support to my server program, and generally it's working pretty well, but I have come across a problem.

First, some background: The server is single-threaded and uses non-blocking I/O and a select() loop to handle multiple clients simultaneously. The server is linked to libssl.0.9.8.dylib and libcrypto.0.9.8.dylib (i.e. the libraries provided in /usr/lib by MacOS/X 10.8.5). The client-server protocol is a proprietary full-duplex messaging protocol; that is, the clients and the server are all allowed to send and receive data at any time, and the client-server TCP connections remain connected indefinitely (i.e. until the client or server decides to disconnect).

The issue is this: my clients can connect to the server, and sending and receiving data works fine (now that I got the SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ logic sorted out)… but if the server accept()'s a new client connection *while* other clients are in the middle of sending or receiving data, the SSL layer seems to break.

In particular, immediately after the server runs the setup routine below to set up the newly-accepted socket, SSL_read() on one or more of the other (pre-existing) clients' sockets will return -1, and ERR_print_errors_fp(stderr) gives this output:

SSL_read() ERROR: 5673:error:140F3042:SSL routines:SSL_UNDEFINED_CONST_FUNCTION:called a function you should not call:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/ssl_lib.c:2248:

After this error first appears, the server largely stops working. Data movement stops, and if I try to connect another client I often get this error:

SSL_read() ERROR: 5673:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s23_srvr.c:578:

This happens about 25% of the time in my test scenario. If I make sure that my pre-existing client connections are idle (no data being sent or received) at the moment when the new client connects, it never happens.

Does anyone know what might be going wrong here? Have I found an OpenSSL bug, or is there some detail that I'm overlooking? Some relevant code from my program is pasted below, in case it's helpful.

Thanks,
Jeremy

---

// Socket setup routine, called when the server accepts a new TCP socket
int SSLSession :: SetupSSL(int sockfd)
{
   _ctx = SSL_CTX_new(SSLv23_method());
   if (_ctx)
   {
      SSL_CTX_set_mode(_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

      _ssl = SSL_new(_ctx);
      if (_ssl)
      {
         _sbio = BIO_new_socket(sockfd, BIO_NOCLOSE);
         if (_sbio)
         {
            SSL_set_bio(_ssl, _sbio, _sbio);
            SSL_set_accept_state(_ssl);
            BIO_set_nbio(_sbio, !blocking);
            ERR_print_errors_fp(stderr);
            return RESULT_SUCCESS;
         }
         else fprintf(stderr, "SSLSession: BIO_new_socket() failed!\n");
      }
      else fprintf(stderr, "SSLSession: SSL_new() failed!\n");
   }
   else fprintf(stderr, "SSLSession: SSL_CTX_new() failed!\n");

   return RESULT_FAILURE;
}

// Socket read routine -- returns number of bytes read from SSL-land
int32 SSLSession :: Read(void *buffer, uint32 size)
{
   if (_ssl == NULL) return -1;

   int32 bytes = SSL_read(_ssl, buffer, size);
   if (bytes > 0)
   {
      _sslState &= ~(SSL_STATE_READ_WANTS_READABLE_SOCKET | SSL_STATE_READ_WANTS_WRITEABLE_SOCKET);
   }
   else if (bytes == 0) return -1;  // connection was terminated
   else
   {
      int err = SSL_get_error(_ssl, bytes);
      if (err == SSL_ERROR_WANT_WRITE)
      {
         // We have to wait until our socket is writeable, and then repeat our SSL_read() call.
         _sslState &= ~SSL_STATE_READ_WANTS_READABLE_SOCKET;
         _sslState |= SSL_STATE_READ_WANTS_WRITEABLE_SOCKET;
         bytes = 0;
      }
      else if (err == SSL_ERROR_WANT_READ)
      {
         // We have to wait until our socket is readable, and then repeat our SSL_read() call.
         _sslState |= SSL_STATE_READ_WANTS_READABLE_SOCKET;
         _sslState &= ~SSL_STATE_READ_WANTS_WRITEABLE_SOCKET;
         bytes = 0;
      }
      else
      {
         fprintf(stderr, "SSL_read() ERROR: ");
         ERR_print_errors_fp(stderr);
      }
   }
   return bytes;
}

// Socket write routine -- returns number of bytes written to SSL-land
int32 SSLSession :: Write(const void *buffer, uint32 size)
{
   if (_ssl == NULL) return -1;

   int32 bytes = SSL_write(_ssl, buffer, size);
   if (bytes > 0)
   {
      _sslState &= ~(SSL_STATE_WRITE_WANTS_READABLE_SOCKET | SSL_STATE_WRITE_WANTS_WRITEABLE_SOCKET);
   }
   else if (bytes == 0) return -1;  // connection was terminated
   else
   {
      int err = SSL_get_error(_ssl, bytes);
      if (err == SSL_ERROR_WANT_READ)
      {
         // We have to wait until our socket is readable, and then repeat our SSL_write() call.
         _sslState |= SSL_STATE_WRITE_WANTS_READABLE_SOCKET;
         _sslState =
Re: Strange OpenSSL error when my server accepts a new OpenSSL connection while existing ones are active
Hi Viktor,

On Oct 9, 2013, at 9:16 PM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:

> On Wed, Oct 09, 2013 at 07:54:34PM -0700, Jeremy Friesner wrote:
>
> > If you're interested in trying to reproduce the fault yourself, let me know and I can upload the code I'm testing with.
>
> Are you using SSL_pending(), BIO_pending() or anything similar anywhere in your code?

Yes, I call SSL_pending() to see if there is data available for me to read (since select()-ing for ready-to-read on the socket isn't quite sufficient).

> With SSL sessions created via SSLv23_method(), use of this primitive will lead to the failure in question when invoked before the SSL session has switched to SSLv3, TLSv1, …

Aha! Yes, that appears to be my problem. As a simple workaround, I changed my code to call SSLv3_method() instead, and now everything is working perfectly. Thanks so much for your help! :^)

Jeremy
Re: [winlinke...@gmail.com: update openssl error]
On 07-08-2013 17:57, Lutz Jaenicke wrote:

> Forwarded to openssl-users for discussion.
>
> - Forwarded message from gate Bill winlinke...@gmail.com -
>
> Date: Tue, 6 Aug 2013 17:22:54 +0800
> From: gate Bill winlinke...@gmail.com
> To: openssl-b...@openssl.org
> Subject: update openssl error
>
> hello
> my linux env:
> centos 6.4 x64
> gcc 4.8.1
> 2.6.32-358.6.2.el6.x86_64
>
> compile step:
> wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
> tar zxf openssl-1.0.1e.tar.gz
> cd openssl-1.0.1e
> ./config zlib shared threads --prefix=/usr --openssldir=/etc/pki/tls
> make
> make test
> make install
> ldconfig
> cd ../
> echo 'OK!'
>
> the command openssl version -a display is right
> but when i exec this /etc/init.d/ssh restart, display this error:
> OpenSSL version mismatch. Built against

(And there you clipped out the final part of the message).

The problem is that you have overwritten the OpenSSL shared libraries in /usr/lib with the one you just compiled, thus breaking all programs linked against the OpenSSL libraries that came with your distribution.

So you need to reinstall the original CentOS 6.4 OpenSSL packages, then compile your own copy of OpenSSL in a location other than /usr, perhaps /usr/local/

> so i think maybe need to upgrade the openssh, so i do like this
>
> echo Updateting Openssh
> yum -y install libedit libedit-devel libbsd libbsd-devel pam pam-devel krb5-devel audit-libs audit-libs-devel
> cd openssh-6.2p2
> ./configure --sysconfdir=/etc/ssh --prefix=/usr --with-cflags --with-cppflags --with-ldflags --with-libs --with-Werror --with-solaris-contracts --with-solaris-projects --with-osfsia --with-zlib=/usr --with-tcp-wrappers=/usr --with-libedit=/usr --with-audit=linux --with-ssl-dir=/etc/pki/tls --with-ssl-engine --with-pam --with-selinux --with-kerberos5=/usr --with-md5-passwords --with-bsd-auth --with-ipaddr-display --with-4in6
>
> but the still the same problem, so, what should i do?
> i'm waiting your answer??? thank u
>
> - End forwarded message -

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
[winlinke...@gmail.com: update openssl error]
Forwarded to openssl-users for discussion.

- Forwarded message from gate Bill winlinke...@gmail.com -

Date: Tue, 6 Aug 2013 17:22:54 +0800
From: gate Bill winlinke...@gmail.com
To: openssl-b...@openssl.org
Subject: update openssl error

hello
my linux env:
centos 6.4 x64
gcc 4.8.1
2.6.32-358.6.2.el6.x86_64

compile step:
wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
tar zxf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
./config zlib shared threads --prefix=/usr --openssldir=/etc/pki/tls
make
make test
make install
ldconfig
cd ../
echo 'OK!'

the command openssl version -a display is right
but when i exec this /etc/init.d/ssh restart, display this error:
OpenSSL version mismatch. Built against

so i think maybe need to upgrade the openssh, so i do like this

echo Updateting Openssh
yum -y install libedit libedit-devel libbsd libbsd-devel pam pam-devel krb5-devel audit-libs audit-libs-devel
cd openssh-6.2p2
./configure --sysconfdir=/etc/ssh --prefix=/usr --with-cflags --with-cppflags --with-ldflags --with-libs --with-Werror --with-solaris-contracts --with-solaris-projects --with-osfsia --with-zlib=/usr --with-tcp-wrappers=/usr --with-libedit=/usr --with-audit=linux --with-ssl-dir=/etc/pki/tls --with-ssl-engine --with-pam --with-selinux --with-kerberos5=/usr --with-md5-passwords --with-bsd-auth --with-ipaddr-display --with-4in6

but the still the same problem, so, what should i do?
i'm waiting your answer??? thank u

- End forwarded message -
cross compiled openssl error on the target
Hi,

I have added AES_CCM cipher suite support to the openssl and tested with curl client with Nginx web server. It works well when I tested on the PC, then I cross compiled openssl and curl for ARM and tried to run curl client application from the target, but I get the below error.

**Peer certificate cannot be authenticated with given CA certificates**

I am using the same certificates which I used on the PC.

Now my set-up is: running web server (nginx included with openssl on ubuntu pc) and curl (https with openssl) on my arm target board.

I need some help to figure out the exact problem.

Rgds
Indra
openssl error
Hi,

I am using openssl on win xp 32. When I try to sign a request, openssl throws an error to the effect

c:\openssl ca -config openssl.cfg -policy policy_anything -out test.crt -key p -batch -infiles test.csr
Using configuration from openssl.cfg
0 entries loaded from the database
generating index
default is an unsupported message digest type
5748:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group= name=unique_subject

I copied the openssl.cfg from the openssl installation directory and modified just one line - path of the ca which originally was ./demoCA to .

Openssl version OpenSSL 0.9.8e 23 Feb 2007

thanks.
RE: openssl error: 0.9.8e ca config
> From: owner-openssl-us...@openssl.org On Behalf Of Pushkar Pathak
> Sent: Tuesday, 10 May, 2011 13:57

> I am using openssl on win xp 32. When I try to sign a request, openssl throws an error to the effect
> c:\openssl ca -config openssl.cfg -policy policy_anything -out test.crt -key p -batch -infiles test.csr
> Using configuration from openssl.cfg
> 0 entries loaded from the database
> generating index
> default is an unsupported message digest type
> 5748:error:0E06D06C:configuration file routines:NCONF_get_string: no value:conf_lib.c:329:group= name=unique_subject
>
> I copied the openssl.cfg from the openssl installation directory and modified just one line - path of the ca which originally was ./demoCA to .

Aside: Putting data files like these in c:\ is usually a poor idea. Howsomever, that's not an openssl problem as such.

How and from where was the installation on your machine done? It kinda looks like the ShiningLight packaging (see below); if not, did you build from source, or who did? Configure, and how? Customize the config?

0.9.8e distro apps/openssl.cnf has default_md=sha1 which is valid (so do all other 0.9.8* I have on hand to check, which is most). It also has unique_subject commented out, but that should be okay because the code has a default, and tries to clear the error info, which seems nevertheless to be left over when the later unsupported digest goes to err: and does ERR_print_errors(), thus giving you a confusing error display.

ShiningLight (at least?) renames this to openssl.cfg, presumably because .cnf is treated specially and unhelpfully by Explorer, but does not apparently make any other changes in the 1.0.0 distros add code to handle 'default' and change openssl.cnf to use it. Did you maybe install 1.0.0* and then regress to 0.9.8*? Install 1.0.0* on some machine(s) and not other(s)? Sometime in the past get a copy of openssl.cnf|cfg from some other source, like a website?

> Openssl version OpenSSL 0.9.8e 23 Feb 2007

StdCaveat: 0.9.8e is way old, and there have been several security fixes since then. SL is currently up to date with 0.9.8r (and 1.0.0d).
[FWD] OpenSSL error message
Forwarded to openssl-users for discussion.

Best regards,
Lutz

- Forwarded message from Diogo Monteiro diogo.monte...@arquiconsult.com -

From: Diogo Monteiro diogo.monte...@arquiconsult.com
To: r...@openssl.org
Date: Wed, 12 Jan 2011 10:21:39 -0800
Subject: OpenSSL error message

Hi all,

I received this error after the installation of OpenSSL:

OpenSSL information:
· Win32 OpenSSL v1.0.0c

OS information:
· Microsoft Windows Server 2003 R2 Standard Edition Service Pack 2, 32 bits.

Diogo Monteiro
diogo.monte...@arquiconsult.com
TLM +351 96 433 0767

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
RE: OpenSSL Error Handling
Pankaj Aggarwal wrote:

> I am able to think about the following approaches:
>
> 1. Keep a record of threads which are spawned.
> 2. Expose a function from our library for cleanup when the thread exits
>
> Is there any other way to avoid the memory leak caused by error queues?

There are several:

3. Only call OpenSSL functions from threads whose lifetimes are managed by your library. Dispatch requests that require calls into the library to your handler threads. So the functions called from the outside look like this: allocate and fill out a request object, put it on a processing queue, unblock/signal an event to wake a worker thread, wait for the object to complete, extract the results.

4. Call ERR_remove_state before any function that put things on the OpenSSL error stack is permitted to return.

5. Hook the system's thread shutdown logic (in a platform specific way) so that you can run ERR_remove_state when a thread terminates. On POSIX platforms, for example, you can create some thread-specific data whose destructor calls ERR_remove_state.

DS
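Option 5 from the reply above on a POSIX platform, as an added example (not code from the thread or from OpenSSL): a pthread key whose destructor runs once for every thread that ever entered the library, without the application having to report thread exits. `release_thread_error_state()` is a hypothetical stand-in for the `ERR_remove_state(0)` call so the block builds without OpenSSL headers; the other function names are illustrative as well.

```c
#include <pthread.h>
#include <stdio.h>

#define MAX_THREADS 16

static pthread_key_t   exit_hook_key;
static pthread_once_t  exit_hook_once = PTHREAD_ONCE_INIT;
static int             exit_hook_ready;
static pthread_mutex_t stats_lock = PTHREAD_MUTEX_INITIALIZER;
static int             cleanups_run;

/* Hypothetical stand-in: a real build would call ERR_remove_state(0) here. */
static void release_thread_error_state(void)
{
    pthread_mutex_lock(&stats_lock);
    cleanups_run++;
    pthread_mutex_unlock(&stats_lock);
}

/* Runs in the exiting thread, only if that thread stored a non-NULL value. */
static void on_thread_exit(void *marker)
{
    (void)marker;
    release_thread_error_state();
}

static void create_exit_hook_key(void)
{
    exit_hook_ready = (pthread_key_create(&exit_hook_key, on_thread_exit) == 0);
}

/* Arm the destructor for the calling thread; cheap after the first call. */
static void arm_exit_hook(void)
{
    pthread_once(&exit_hook_once, create_exit_hook_key);
    if (exit_hook_ready && pthread_getspecific(exit_hook_key) == NULL)
        pthread_setspecific(exit_hook_key, &exit_hook_key); /* any non-NULL */
}

/* Every exported library entry point starts by arming the hook. */
void library_operation(void)
{
    arm_exit_hook();
    /* ... calls that may push onto the per-thread error queue ... */
}

/* An application thread the library neither created nor tracks. */
static void *application_thread(void *arg)
{
    int i;
    (void)arg;
    for (i = 0; i < 3; i++)
        library_operation();
    return NULL;
}

static int read_cleanups(void)
{
    int n;
    pthread_mutex_lock(&stats_lock);
    n = cleanups_run;
    pthread_mutex_unlock(&stats_lock);
    return n;
}

/* Start n threads, wait for them, and report how many cleanups ran. */
int cleanups_after_threads(int n)
{
    pthread_t tid[MAX_THREADS];
    int started = 0, i, before = read_cleanups();

    if (n > MAX_THREADS)
        n = MAX_THREADS;
    for (i = 0; i < n; i++)
        if (pthread_create(&tid[started], NULL, application_thread, NULL) == 0)
            started++;
    for (i = 0; i < started; i++)
        pthread_join(tid[i], NULL);
    return read_cleanups() - before;
}

int main(void)
{
    printf("cleanups for 4 threads: %d\n", cleanups_after_threads(4));
    return 0;
}
```

Destructors fire when a thread returns from its start routine or calls pthread_exit(), so a main thread that leaves through exit() is not covered by this hook.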
Re: OpenSSL Error Handling
Thanks David,

#4 seems to be the simplest solution to me.

While trying #4, I get an exception on the Windows platform. Usually the exception occurs in ERR_clear_error while allocating memory. I call ERR_remove_state() at the end of library functions. With a single thread it works fine. But as soon as I increase the no. of threads, I start to get the exception. Is there any kind of locking requirement that is expected?

Pankaj

On Sun, May 30, 2010 at 5:28 AM, David Schwartz dav...@webmaster.com wrote:

> Pankaj Aggarwal wrote:
>
> > I am able to think about the following approaches:
> >
> > 1. Keep a record of threads which are spawned.
> > 2. Expose a function from our library for cleanup when the thread exits
> >
> > Is there any other way to avoid the memory leak caused by error queues?
>
> There are several:
>
> 3. Only call OpenSSL functions from threads whose lifetimes are managed by your library. Dispatch requests that require calls into the library to your handler threads. So the functions called from the outside look like this: allocate and fill out a request object, put it on a processing queue, unblock/signal an event to wake a worker thread, wait for the object to complete, extract the results.
>
> 4. Call ERR_remove_state before any function that put things on the OpenSSL error stack is permitted to return.
>
> 5. Hook the system's thread shutdown logic (in a platform specific way) so that you can run ERR_remove_state when a thread terminates. On POSIX platforms, for example, you can create some thread-specific data whose destructor calls ERR_remove_state.
>
> DS
OpenSSL Error Handling
Hi,

Our library uses OpenSSL (v 0.9.8k) in a multithreaded environment. Recently I observed a memory leak resulting from not calling ERR_remove_state(). After reading the documentation of this function, I see that ERR_remove_state should be called when a thread exits.

Since we are using OpenSSL within a library, we can't determine when a thread is going to exit.

I am able to think about the following approaches:

1. Keep a record of threads which are spawned. When the library is unloaded, call ERR_remove_state() for every thread. This approach has the drawback of taking too much memory for error queues of openssl, since the library may not ever get unloaded.

2. Expose a function from our library for cleanup when the thread exits. This approach has the drawback of changing the API. In certain scenarios it may be hard to find out when a thread exits.

Is there any other way to avoid the memory leak caused by error queues?

Pankaj
[FWD] OPENSSL error
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from rejoy vm rejo...@gmail.com -

Date: Mon, 18 Jan 2010 19:15:28 +0530
Subject: OPENSSL error
From: rejoy vm rejo...@gmail.com
To: openssl-b...@openssl.org

Sir

when i type make command in openssl I am getting the following messages in the last few lines before termination. Could you please tell me how to sort these things out.

bn-586.s:(.text+0x6b0): multiple definition of `bn_sub_words'
../libcrypto.a(bn_asm.o):bn_asm.c:(.text+0x5ca): first defined here
collect2: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory `/home/rejoy/Desktop/intel/lat/openssl-0.9.8g/test'
make[1]: *** [bntest] Error 2
make[1]: Leaving directory `/home/rejoy/Desktop/intel/lat/openssl-0.9.8g/test'
make: *** [tests] Error 2

by
REJOY

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
trying to compile libssh2 and get openssl error
I'm following instructions in this pdf: curl.haxx.se/libcurl/c/Using-libcurl-with-SSH-support-in-Visual-Studio-2008.pdf

In compiling libssh2 per the instructions, I get this error in VSC++2008:

Cannot open include file: 'openssl/opensslconf.h': No such file or directory

In fact I get that same error repeated 16 times. But, the file is sitting there in the very place it's searching for it. The include path is correct.

Has anyone been around this block?
Openssl Error Code Translation
Hi, Can anybody tell how can I translate Openssl Error code to error description. I am calling ERR_peak_last_error(). The error code that I am receiving is b901. Is this a valid error code. How can I verify it. Thanks Tanu
RE: Openssl Error Code Translation
> From: owner-openssl-us...@openssl.org On Behalf Of tanu dutt
> Sent: Thursday, 29 January, 2009 08:31

> Can anybody tell how can I translate Openssl Error code to error description. I am calling ERR_peak_last_error(). The error code that I am receiving is b901. Is this a valid error code. How can I verify it.

I assume that's a typo and you mean 'peek'.

That value is in the ERR_LIB_USER range, so it's up to your application. If it has (set-up and) done the appropriate ERR_load_strings, then ERR_error_string and friends should expand/explain it for you.
Re: openssl error while retreaving key from smartcard from wpa_supplicant?
Hi,

First, until the 0.6.4 devel version of wpa_supplicant, it requires a copy of the client cert sitting on hard disk. 0.6.4 has a cert_id field.

At this moment I have got exactly the same error. Using wpa_supplicant under a Linux client works. With the openssl engine, I only need to indicate key_id, cert_id and pin, and then authentication is performed.

Using wpa_supplicant under Windows, things are different. Really only two fields in wpa_supplicant.conf change, that is:

pkcs11_engine_path=C:\Archivos de programa\Smart card bundle\engine_pkcs11.dll
pkcs11_module_path=C:\Archivos de programa\Smart card bundle\UsrPkcs11.dll

The second is a module provided for a Spanish authority, who provides my smartcard. With this module I can do some operations like list objects and so on. Under Linux, it was enough to put opensc-pkcs11.so because opensc has specific drivers for my smartcard, but not under Windows; because of this, I put the dll directly.

I have got two errors:

1.- pin - hexdump_ascii(len=6): [REMOVED] during the parse of the configuration file

2.-
TLS: Failed to load private key
EAPOL: EAP parameter needed
CTRL-REQ-PIN-0:PIN needed for SSID kely
EAP-TLS: Failed to initialize SSL.
EAP-TLS: Requesting Smartcard PIN
EAPOL: EAP parameter needed
CTRL-REQ-PIN-0:PIN needed for SSID kely
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
EAP: Pending PIN/passphrase request - skip Nak

But really I think here is not the correct place to ask about this.
Need help on OpenSSL error
Dear Sir/Madam,

I'm currently using the Crypt::OpenSSL::RSA module with perl linking with OpenSSL 0.9.8h to encrypt/decrypt messages and transport them over HTTP POST requests to a Java application on the other side. When encrypting with the given public key, the Java application can receive the data perfectly. But when the Java side encrypts a message with the private key (which is the pair for our public key) and replies back, we found the following error while trying to decrypt the message:

RSA.xs:202: OpenSSL error: block type is not 01 at ...

Please kindly suggest how we could get around this issue. Currently, we use PKCS1 padding. Please kindly see below for our perl script used.

$RSA_Decrypt = Crypt::OpenSSL::RSA->new_public_key( $PublicKey );
$RSA_Decrypt->use_pkcs1_padding();
my $TmpText = decode_base64( $CipherText );
my $PlainText = $RSA_Decrypt->public_decrypt( $TmpText );
#-- Error on the line above

Thank you and Best Regards,
Phakin Ch.
Re: Need help on OpenSSL error
Hello,

[EMAIL PROTECTED] wrote on 06/03/2008 04:40:10 AM:

> Dear Sir/Madam,
>
> I'm currently using the Crypt::OpenSSL::RSA module with Perl, linked with OpenSSL 0.9.8h, to encrypt/decrypt messages and transport them over HTTP POST requests to a Java application on the other side. When encrypting with the given public key, the Java application can receive the data perfectly. But when the Java side encrypts a message with the private key (which is the pair for our public key) and replies back, we found the following error while trying to decrypt the message:
>
> RSA.xs:202: OpenSSL error: block type is not 01 at ...
>
> Please kindly suggest how we could get around this issue. Currently, we use PKCS1 padding. Please kindly see below for our Perl script used.
>
> $RSA_Decrypt = Crypt::OpenSSL::RSA->new_public_key( $PublicKey );
> $RSA_Decrypt->use_pkcs1_padding();
> my $TmpText = decode_base64( $CipherText );
> my $PlainText = $RSA_Decrypt->public_decrypt( $TmpText ); #-- Error on the line above

Double check that the public key used to decrypt the Java message is really the pair to the private key on the encryption side. You may use NO PADDING and look at the decrypted data to check whether this data looks reasonable or not. You should also consider that data encrypted with the private key may be decrypted by anyone with the public key (if the public key is really public).

Best regards,
-- Marek Marcola [EMAIL PROTECTED]
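The check suggested in the reply above (decrypt with no padding and look at the block), as an added example that is not code from the thread. OpenSSL's public_decrypt with PKCS#1 padding accepts only a block that decodes to 00 01 FF..FF 00 data, so a mismatched key pair or a block padded as type 02 both end in "block type is not 01". The toy keys (built from Mersenne primes), the payload and all function names are constructed for this illustration.

```python
"""Toy reproduction of 'block type is not 01'. Keys are far too small for real use."""

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Return (n, d) for primes p and q; pow(E, -1, m) needs Python 3.8+."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def key_len(n):
    """Modulus length in bytes."""
    return (n.bit_length() + 7) // 8


def pad(data, k, block_type):
    """Build EM = 00 || BT || PS || 00 || data (PKCS#1 v1.5).

    BT 01 (private-key operation) fills PS with FF bytes. BT 02 (public-key
    encryption) uses random nonzero bytes; a fixed 0xA5 filler stands in
    here so the output is repeatable.
    """
    ps_len = k - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too long for this modulus")
    filler = b"\xff" if block_type == 1 else b"\xa5"
    return bytes([0, block_type]) + filler * ps_len + b"\x00" + data


def private_op(block, n, d):
    """Raw RSA with the private exponent, applied to an already padded block."""
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(key_len(n), "big")


def public_op_raw(cipher, n):
    """Raw RSA with the public exponent: the 'no padding' view of the block."""
    c = int.from_bytes(cipher, "big")
    if c >= n:
        raise ValueError("data too large for modulus")
    return pow(c, E, n).to_bytes(key_len(n), "big")


def inspect_block(block):
    """Classify a raw decrypted block; return (kind, payload or None)."""
    if len(block) < 11 or block[0] != 0 or block[1] not in (1, 2):
        return "garbage", None
    sep = block.find(b"\x00", 2)          # first zero byte ends the padding string
    if sep == -1:
        return "garbage", None
    ps = block[2:sep]
    if len(ps) < 8 or (block[1] == 1 and ps.strip(b"\xff")):
        return "garbage", None            # too short, or type 01 with non-FF filler
    return ("type 01" if block[1] == 1 else "type 02"), block[sep + 1:]


KEY_A = make_key(2**61 - 1, 2**89 - 1)    # pair whose public half the receiver holds
KEY_B = make_key(2**31 - 1, 2**107 - 1)   # unrelated pair (the "wrong key" case)


def diagnose(sender_key, block_type, receiver_n=KEY_A[0], payload=b"reply"):
    """Sender pads and applies its private key; receiver inspects the raw block."""
    n, d = sender_key
    cipher = private_op(pad(payload, key_len(n), block_type), n, d)
    return inspect_block(public_op_raw(cipher, receiver_n))


if __name__ == "__main__":
    print("matching key, type 01 padding:", diagnose(KEY_A, 1))
    print("matching key, type 02 padding:", diagnose(KEY_A, 2))
    print("mismatched key pair:          ", diagnose(KEY_B, 1))
```

A result of "type 02" points at the padding mode chosen on the sending side, while "garbage" points at the key pair, which is the first thing the reply asks to double check.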
[SOLVED] Re: Strange OpenSSL error when trying to use OpenVPN
My certificate uses a SHA256 hash and the client has OpenSSL 0.9.7. 0.9.8 is needed to support SHA256 hashes.
Strange OpenSSL error when trying to use OpenVPN
Hi all,

I have my own CA tree, with the relevant part being:

root CA {1}
 \- VPN CA {2}
     \- server CA {3}
         |- server certificate {4}
         \- client certificate {5}

I put 1 & 2 into /etc/ssl/certs/ of the server and 3 into /etc/openvpn/default/default-ca.pem . The server does, of course, use its server certificate & privkey. The client has a single CA file with 1, 2 & 3's certificates concatenated. It also has its own client certificate & privkey.

Verifying the trust chain with openssl verify -verbose -CAfile foo works for all five certificates with foo holding 1, 2 & 3. Yet, when I want to connect to the server, OpenVPN dies with:

Tue Mar 25 15:04:53 2008 us=886000 Incoming Ciphertext - TLS
Tue Mar 25 15:04:53 2008 us=886000 VERIFY OK: depth=3, /CN=root_CA
Tue Mar 25 15:04:53 2008 us=886000 VERIFY ERROR: depth=2, error=certificate signature failure: /CN=VPN_CA
Tue Mar 25 15:04:53 2008 us=886000 SSL alert (write): fatal: decrypt error
Tue Mar 25 15:04:53 2008 us=886000 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS object - incoming plaintext read error
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS handshake failed

(The name strings for 1 & 2 being shortened to root_CA & VPN_CA respectively)

man verify tells me:

7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
the signature of the certificate is invalid.

which does not make sense, seeing as the path verifies OK when doing the same thing manually and even using the very same file for the verification that the OpenVPN client is using.

So, if anyone has any idea or an educated guess about the cause or hints to get better debug output, please tell me.

Thanks in advance :)
Richard
openssL error:
Hi, I am getting the following error when I run the command:

gcc -o client client.o -lcrypto -lssl
In function 'main':
undefined reference to 'init_OpenSSL'
undefined reference to 'handle_error'
---

What should I do? Please help!
Re: openssL error:
Arp22 wrote:
> Hi, I am getting the following error when I run the command:
>
> gcc -o client client.o -lcrypto -lssl
> In function 'main':
> undefined reference to 'init_OpenSSL'
> undefined reference to 'handle_error'
> ---
>
> What should I do? Please help!

I hope the fact that these are not OpenSSL functions should clear things up for you. So, basically find the code for those two missing functions and add it to your build. (Or you could remove references to the two functions; your action should depend on your code)

-jb
-- I used to think I was indecisive, but now I'm not so sure.
OpenSSL error:
Hi, I am getting the following error when I run the command:

gcc -o client client.o -lcrypto -lssl
In function 'main':
undefined reference to 'init_OpenSSL'
undefined reference to 'handle_error'
---

What should I do? Please help!
Re: OpenSSL Error
What are these errors and any solution for the below mentioned error. I am using Win32OpenSSL-0_9_8g.exe.

libeay32MDd.lib(b_print.obj) : error LNK2001: unresolved external symbol __ftol2
libeay32MDd.lib(b_print.obj) : error LNK2001: unresolved external symbol __aulldvrm

Subhankar Kumar Katyayan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

On 02/27/2008 07:27 PM, Subhankar Katyayan [EMAIL PROTECTED] wrote (Subject: OpenSSL Error):

> I have downloaded and installed Win32OpenSSL-0_9_8g.exe in C:\OpenSSL and I have linked it as follows, and my workspace is C:\dhsmv1\api2
>
> Project - Settings - C/C++ (tab) - Preprocessor (Category:) - Additional include directories - ../../OpenSSL/include/openssl
> Project - Settings - C/C++ (tab) - Preprocessor (Category:) - Preprocessor definitions - ENABLE_SSL
> Project - Settings - Link (tab) - Input (Category:) - Additional library path - ../../OpenSSL/lib/VC
> Project - Settings - Link (tab) - Input (Category:) - Object/library modules - libeay32.lib ssleay32.lib libeay32MD.lib libeay32MDd.lib libeay32MT.lib libeay32MTd.lib ssleay32MD.lib ssleay32MDd.lib ssleay32MT.lib ssleay32MTd.lib
>
> But still I am getting following error. Please let me know, if I am doing something wrong in settings or somewhere else.
>
> digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
>
> Subhankar Kumar Katyayan
>
> On 02/27/2008 01:38 AM, [EMAIL PROTECTED] wrote (Subject: Re: OpenSSL Error):
>
> > Hello,
> >
> > > I am facing some problem when I tried to compile the application. This application was building fine, but after adding a file called digestclient.c (to support HTTPs), it's throwing the following error. Can anyone give some input on this.
> > >
> > > digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
> > > digestclient.obj : error LNK2001
OpenSSL Error
I have downloaded and installed Win32OpenSSL-0_9_8g.exe in C:\OpenSSL and I have linked it as follows, and my workspace is C:\dhsmv1\api2

Project - Settings - C/C++ (tab) - Preprocessor (Category:) - Additional include directories - ../../OpenSSL/include/openssl
Project - Settings - C/C++ (tab) - Preprocessor (Category:) - Preprocessor definitions - ENABLE_SSL
Project - Settings - Link (tab) - Input (Category:) - Additional library path - ../../OpenSSL/lib/VC
Project - Settings - Link (tab) - Input (Category:) - Object/library modules - libeay32.lib ssleay32.lib libeay32MD.lib libeay32MDd.lib libeay32MT.lib libeay32MTd.lib ssleay32MD.lib ssleay32MDd.lib ssleay32MT.lib ssleay32MTd.lib

But still I am getting following error. Please let me know, if I am doing something wrong in settings or somewhere else.

digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]

Subhankar Kumar Katyayan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

On 02/27/2008 01:38 AM, [EMAIL PROTECTED] wrote (Subject: Re: OpenSSL Error):

> Hello,
>
> > I am facing some problem when I tried to compile the application. This application was building fine, but after adding a file called digestclient.c (to support HTTPs), it's throwing the following error. Can anyone give some input on this.
> >
> > digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
>
> Add -lcrypto -lssl libraries to linking process.
>
> Best regards,
> -- Marek Marcola [EMAIL PROTECTED
OpenSSL Error
Dear All,

I am facing some problem when I tried to compile the application. This application was building fine, but after adding a file called digestclient.c (to support HTTPs), it's throwing the following error. Can anyone give some input on this.

digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]

Subhankar Kumar Katyayan
Re: OpenSSL Error
Hello,

> I am facing some problem when I tried to compile the application. This application was building fine, but after adding a file called digestclient.c (to support HTTPs), it's throwing the following error. Can anyone give some input on this.
>
> digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]

Add -lcrypto -lssl libraries to linking process.

Best regards,
-- Marek Marcola [EMAIL PROTECTED]
Re: OpenSSL Error
Where will I get these libraries -lcrypto and -lssl? I am using Win32OpenSSL-0_9_8g.exe and I couldn't find those libraries you've mentioned.

Subhankar Kumar Katyayan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

On 02/27/2008 01:38 AM, [EMAIL PROTECTED] wrote (Subject: Re: OpenSSL Error):

> Hello,
>
> > I am facing some problem when I tried to compile the application. This application was building fine, but after adding a file called digestclient.c (to support HTTPs), it's throwing the following error. Can anyone give some input on this.
> >
> > digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
>
> Add -lcrypto -lssl libraries to linking process.
>
> Best regards,
> -- Marek Marcola [EMAIL PROTECTED]
Re: OpenSSL Error
To add on to my previous mail: the C file which I am trying to compile on Windows is having some linking issue, but at the same time when I tried to build it on Linux it was building fine. Where will I get these libraries -lcrypto and -lssl? I am using Win32OpenSSL-0_9_8g.exe and I couldn't find those libraries you've mentioned.

Subhankar Kumar Katyayan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

On 02/27/2008 12:15 PM, Subhankar Katyayan/CHN/TCS wrote (Subject: Re: OpenSSL Error):

> Where will I get these libraries -lcrypto and -lssl? I am using Win32OpenSSL-0_9_8g.exe and I couldn't find those libraries you've mentioned.
>
> Subhankar Kumar Katyayan
>
> On 02/27/2008 01:38 AM, [EMAIL PROTECTED] wrote (Subject: Re: OpenSSL Error):
>
> > Hello,
> >
> > > I am facing some problem when I tried to compile the application. This application was building fine, but after adding a file called digestclient.c (to support HTTPs), it's throwing the following error. Can anyone give some input on this.
> > >
> > > digestclient.obj : error LNK2001: unresolved external symbol [EMAIL PROTECTED]
> >
> > Add -lcrypto -lssl libraries to linking process.
> >
> > Best regards,
> > -- Marek Marcola [EMAIL PROTECTED]
openssl error
Hello, All,

has anybody experienced the following error:

error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Thank you for any help in advance.
Richard
Re: openssl error while retreaving key from smartcard from wpa_supplicant?
Nils Larsch wrote:
> Carles Fernandez i Julia wrote:
> ...
> > That's the point : I have the private key certificate stored in the smartcard, not located in a plain file. That's why I commented the line above.
>
> the engine doesn't support using certificates stored on smart cards (and I don't even think that this is extremely useful).

But this engine, pkcs11-opensc, is designed to do this (using certificates on smartcards).

> Nils

--
Carles Fernàndez
CESCA, Dept. de Comunicacions
Centre de Supercomputació de Catalunya
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 205 6464 · F. 93 205 6979 · [EMAIL PROTECTED]
Re: openssl error while retreaving key from smartcard from wpa_supplicant?
Carles Fernandez i Julia wrote:
> Nils Larsch wrote:
> > Carles Fernandez i Julia wrote:
> > ...
> > > That's the point : I have the private key certificate stored in the smartcard, not located in a plain file. That's why I commented the line above.
> >
> > the engine doesn't support using certificates stored on smart cards (and I don't even think that this is extremely useful).
>
> But this engine, pkcs11-opensc, is designed to do this (using certificates on smartcards).

the engine is designed to use the token for the cryptographic operation (i.e. signing, decrypting with the private key) and not as a storage device for public objects (smartcards are terribly slow so you normally want to reduce the communication with the card as much as possible).

Nils
Re: openssl error while retreaving key from smartcard from wpa_supplicant?
Carles Fernandez i Julia wrote:
...
> That's the point : I have the private key certificate stored in the smartcard, not located in a plain file. That's why I commented the line above.

the engine doesn't support using certificates stored on smart cards (and I don't even think that this is extremely useful).

Nils
Re: openssl error while retreaving key from smartcard from wpa_supplicant?
Marek Marcola wrote:
> Hello,
>
> > I'm currently trying to authenticate using EAP-TLS using smartcard with wpa_supplicant and I get this error:
> >
> > OpenSSL: tls_connection_engine_private_key - Private key failed verification error:140A30B1:SSL routines:SSL_check_private_key:no certificate assigned
> >
> > I got some messages Error: can't open /var/run/openct/status: No such file or directory but I get these messages always when I use my smartcard reader (and it works).
>
> Looks like you have not configured X509 private key certificate.
>
> > plain text document attachment (wpa_supplicant.conf)
> > ctrl_interface=/var/run/wpa_supplicant
> > ctrl_interface_group=0
> > eapol_version=1
> > fast_reauth=1
> > pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
> > pkcs11_module_path=/usr/lib/opensc-pkcs11.so
> > network={
> > ssid=*
> > key_mgmt=WPA-EAP
> > eap=TLS
> > proto=WPA
> > pairwise=TKIP
> > group=TKIP
> > identity=[EMAIL PROTECTED]
> > ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
> > #client_cert=/etc/cert/user.pem
>
> I'm not sure but this maybe the place to configure certificate. You should have your private key certificate. This certificate may be located in plain file. To check that your certificate certifies proper private key you may do something like that (test example):

That's the point : I have the private key certificate stored in the smartcard, not located in a plain file. That's why I commented the line above.

> $ openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
> engine chil set.
> Modulus=D14731D19EF32A3D458EE61B219A0E019...
> $ openssl x509 -in rsa-test2-crt.pem -modulus -noout
> Modulus=D14731D19EF32A3D458EE61B219A0E019
>
> and you should get the same numbers.

I've tried in all ways to try this with the pkcs11 module to use my smartcard to do the test but I didn't reach. Maybe the structure is different when not operating with files.

> Best regards,

Thank you for your effort!

--
Carles Fernàndez
CESCA, Dept. de Comunicacions
Centre de Supercomputació de Catalunya
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 205 6464 · F. 93 205 6979 · [EMAIL PROTECTED]
openssl error while retreaving key from smartcard from wpa_supplicant?
Hi,

I'm currently trying to authenticate using EAP-TLS using smartcard with wpa_supplicant and I get this error:

OpenSSL: tls_connection_engine_private_key - Private key failed verification error:140A30B1:SSL routines:SSL_check_private_key:no certificate assigned

I got some messages Error: can't open /var/run/openct/status: No such file or directory but I get these messages always when I use my smartcard reader (and it works).

I've googled and I got nothing useful. Any idea?

ps: I've ***ed personal data from attached files

thanks,
Carles

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
fast_reauth=1
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so
network={
ssid=*
key_mgmt=WPA-EAP
eap=TLS
proto=WPA
pairwise=TKIP
group=TKIP
identity=[EMAIL PROTECTED]
ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
#client_cert=/etc/cert/user.pem
# scan_ssid=1
engine=1
# The engine configured here must be available. Look at
# OpenSSL engine support in the global section.
# The key available through the engine must be the private key
# matching the client certificate configured above.
# use the opensc engine #engine_id=opensc #key_id=45 # use the pkcs11 engine engine_id=pkcs11 key_id=e451d1d1197caf4c74c33d9143986a28c9c34a55 # Optional PIN configuration; this can be left out and PIN will be # asked through the control interface pin= } [EMAIL PROTECTED]:~$ sudo wpa_supplicant -D wext -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -ddd Initializing interface 'eth1' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'wext' ctrl_interface 'N/A' bridge 'N/A' Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' - '/etc/wpa_supplicant/wpa_supplicant.conf' Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' ctrl_interface='/var/run/wpa_supplicant' ctrl_interface_group='0' (DEPRECATED) eapol_version=1 fast_reauth=1 pkcs11_engine_path='/usr/lib/engines/engine_pkcs11.so' pkcs11_module_path='/usr/lib/opensc-pkcs11.so' Line: 17 - start of a new network block ssid - hexdump_ascii(len=7): ** ** ** ** ** * key_mgmt: 0x1 eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 proto: 0x1 pairwise: 0x8 group: 0x8 identity - hexdump_ascii(len=40): ** ** ** ** ** *** ** ** *** ca_cert - hexdump_ascii(len=48): 2f 65 74 63 2f 77 70 61 5f 73 75 70 70 6c 69 63 /etc/wpa_supplic 61 6e 74 2f 43 41 5f 43 41 54 43 65 72 74 50 50 ant/CA_CATCertPP 5f 47 6c 6f 62 61 6c 54 72 75 73 74 2e 63 72 74 _GlobalTrust.crt engine=1 (0x1) engine_id - hexdump_ascii(len=6): 70 6b 63 73 31 31 pkcs11 key_id - hexdump_ascii(len=40): 65 34 35 31 64 31 64 31 31 39 37 63 61 66 34 63 e451d1d1197caf4c 37 34 63 33 33 64 39 31 34 33 39 38 36 61 32 38 74c33d9143986a28 63 39 63 33 34 61 35 35 c9c34a55 pin - hexdump_ascii(len=4): [REMOVED] Priority group 0 id=0 ssid='***' Initializing interface (2) 'eth1' ENGINE: Loading dynamic engine ENGINE: Loading pkcs11 Engine from /usr/lib/engines/engine_pkcs11.so ENGINE: 'SO_PATH' '/usr/lib/engines/engine_pkcs11.so' ENGINE: 'ID' 'pkcs11' ENGINE: 'LIST_ADD' '1' ENGINE: 'LOAD' '(null)' ENGINE: 'MODULE_PATH' 
'/usr/lib/opensc-pkcs11.so' EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portEnabled=0 EAPOL: External notification - portValid=0 SIOCGIWRANGE: WE(compiled)=21 WE(source)=16 enc_capa=0xf capabilities: key_mgmt 0xf enc 0xf WEXT: Operstate: linkmode=1, operstate=5 Own MAC address: 00:13:02:61:79:24 wpa_driver_wext_set_wpa wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0 wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0 wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0 wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0 wpa_driver_wext_set_countermeasures wpa_driver_wext_set_drop_unencrypted Setting scan request: 0 sec 10 usec ctrl_interface_group=0 Added interface eth1 RTM_NEWLINK: operstate=0 ifi_flags=0x1002 () Wireless event: cmd=0x8b06 len=8 RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP]) RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP]) RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added State: DISCONNECTED - SCANNING Starting AP scan (broadcast SSID) Trying to get current scan results first without requesting a new scan to speed up initial association Received 1539 bytes of scan results (7 BSSes) Scan results: 7 Selecting BSS from priority group 0 0:
Re: openssl error while retrieving key from smartcard from wpa_supplicant?
Hello,

> I'm currently trying to authenticate using EAP-TLS using smartcard with wpa_supplicant and I get this error:
>
> OpenSSL: tls_connection_engine_private_key - Private key failed verification error:140A30B1:SSL routines:SSL_check_private_key:no certificate assigned
>
> I got some messages
> Error: can't open /var/run/openct/status: No such file or directory
> but I get these messages always when I use my smartcard reader (and it works).

Looks like you have not configured X509 private key certificate.

> plain text document attachment (wpa_supplicant.conf)
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> eapol_version=1
> fast_reauth=1
> pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
> pkcs11_module_path=/usr/lib/opensc-pkcs11.so
> network={
> ssid=*
> key_mgmt=WPA-EAP
> eap=TLS
> proto=WPA
> pairwise=TKIP
> group=TKIP
> identity=[EMAIL PROTECTED]
> ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
> #client_cert=/etc/cert/user.pem

I'm not sure but this may be the place to configure certificate. You should have your private key certificate. This certificate may be located in plain file. To check that your certificate certifies proper private key you may do something like that (test example):

$ openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
engine chil set.
Modulus=D14731D19EF32A3D458EE61B219A0E019...
$ openssl x509 -in rsa-test2-crt.pem -modulus -noout
Modulus=D14731D19EF32A3D458EE61B219A0E019

and you should get the same numbers.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
compiling openssl: error with no-ssl2 flag
I posted earlier on a similar topic, and I have since found out that no-ssl2 will build openssl without support for SSLv2 ciphers. Unfortunately, I am using RedHat's Source RPM to do the build, and it seems to be having an error due to the no-ssl2 flag. You can see the error below, and trying the else gcc statement below manually from the command line produces the same error (however, the if gcc statement does not produce the error).

I'm not an expert in this area, so I am looking for a little direction. Did I find a bug, or do I just have some problems in my configuration? Are there any workarounds for this?

Thanks,
Steve

start of error

if [ linux-shared = hpux-shared -o linux-shared = darwin-shared ] ; then \
gcc -o openssl -DMONOLITH -I.. -I../include -I/usr/kerberos/include -fPIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DOPENSSL_NO_ASM -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_EC -I/usr/kerberos/include -DOPENSSL_NO_SSL2 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -m32 -march=i386 -mtune=pentium4 -Wa,--noexecstack openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o ../libssl.a -L/usr/kerberos/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv ../libcrypto.a -L/usr/kerberos/lib -ldl -lz ; \
else \
gcc -o openssl -DMONOLITH -I.. -I../include -I/usr/kerberos/include -fPIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DOPENSSL_NO_ASM -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_EC -I/usr/kerberos/include -DOPENSSL_NO_SSL2 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -m32 -march=i386 -mtune=pentium4 -Wa,--noexecstack openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o -L.. -lssl -L/usr/kerberos/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -L.. -lcrypto -L/usr/kerberos/lib -ldl -lz ; \
fi
../libssl.so: undefined reference to `SSLv2_method'
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory `/home/smithsg/src/rpm/BUILD/openssl-0.9.7a/apps'
make: *** [sub_all] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.70164 (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.70164 (%build)

end of error
RE: Openssl Error + Apache
It means that the file that it's attempting to read does not have the proper format of a .crt. Take a look at your cert in notepad; does the first line show something like ---BEGIN CERTIFICATE ? If no, then regenerate your cert.

SS

--- [EMAIL PROTECTED] wrote:

> I ran the command below and I did receive an error so it looks like something is indeed wrong with the SSL Certificate. If anyone has any ideas how what I can look at regarding this error I would appreciate it. Thanks
>
> 2705:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
>
> From: [EMAIL PROTECTED] on behalf of Dr. Stephen Henson
> Sent: Sun 10/8/2006 12:01 PM
> To: openssl-users@openssl.org
> Subject: Re: Openssl Error + Apache
>
> On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:
>
> > Hi there ~
> >
> > I have an Apache installation running mod_ssl and would like to setup another VirtualHost that runs under SSL on a different port (e.g. 8443). The default site on port 443 is running fine with SSL. The new certificate I have installed for the second site appears to be incorrect or the version of OpenSSL I have is not up to date. This causes Apache to crash. Can someone look at the error(s) below and please tell me where to start or how to fix it?
> >
> > Errors:
> >
> > [Fri Oct 6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server certificate from file /apache/conf /mycertificatename.crt (OpenSSL library error follows)
> > [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> >
> > Thanks in advance
>
> That indicates it doesn't like the certificate file in mycertificatename.crt. It may be corrupt or in the wrong format. Try the command:
>
> openssl x509 -in mycertificatename.crt
>
> to see if you get the same error.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
RE: Openssl Error + Apache
It appears the certificate file was pasted in the file wrong. It was missing the -BE of -BEGIN CERTIFICATE-. Thank you for the help everyone.

Gary Mack
Associate Systems Administrator
www.hubbardone.com
Phone: (312) 873 - 6886
Fax: (312) 873 - 6801
[EMAIL PROTECTED]
Hubbard One is a Thomson Elite Business.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Siew San Yu
Sent: Monday, October 09, 2006 3:28 AM
To: openssl-users@openssl.org
Subject: RE: Openssl Error + Apache

It means that the file that it's attempting to read does not have the proper format of a .crt. Take a look of your cert in notepad, does the first line shows something like ---BEGIN CERTIFICATE . If no, then regenerate your cert.

SS

--- [EMAIL PROTECTED] wrote:

> I ran the command below and I did receive an error so it looks like something is indeed wrong with the SSL Certificate. If anyone has any ideas how what I can look at regarding this error I would appreciate it. Thanks
>
> 2705:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
>
> From: [EMAIL PROTECTED] on behalf of Dr. Stephen Henson
> Sent: Sun 10/8/2006 12:01 PM
> To: openssl-users@openssl.org
> Subject: Re: Openssl Error + Apache
>
> On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:
>
> > Hi there ~
> >
> > I have an Apache installation running mod_ssl and would like to setup another VirtualHost that runs under SSL on a different port (e.g. 8443). The default site on port 443 is running fine with SSL. The new certificate I have installed for the second site appears to be incorrect or the version of OpenSSL I have is not up to date. This causes Apache to crash. Can someone look at the error(s) below and please tell me where to start or how to fix it?
> >
> > Errors:
> >
> > [Fri Oct 6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server certificate from file /apache/conf /mycertificatename.crt (OpenSSL library error follows)
> > [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> >
> > Thanks in advance
>
> That indicates it doesn't like the certificate file in mycertificatename.crt. It may be corrupt or in the wrong format. Try the command:
>
> openssl x509 -in mycertificatename.crt
>
> to see if you get the same error.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
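The failure this thread ends on, a certificate file whose first line lost the start of its BEGIN CERTIFICATE marker, can be caught before Apache is restarted. The following is an added example, not code from the posters or from OpenSSL; the function name, verdict strings and sample inputs are constructed for illustration, and it assumes the standard armor lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def diagnose_cert_file(data: bytes) -> str:
    """Classify the contents of a certificate file.

    Returns one of: "pem-ok", "der", "damaged-begin-line", "no-begin-line",
    "missing-end-line", "bad-base64", "not-a-sequence".
    """
    # Binary DER starts with the ASN.1 SEQUENCE tag (0x30) and contains
    # non-text bytes; a PEM reader fails on it with "no start line".
    if data[:1] == b"\x30" and any(b < 9 or b > 126 for b in data):
        return "der"

    text = data.decode("latin-1")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    if BEGIN not in lines:
        # A pasted file that lost its first characters still shows part of
        # the marker, e.g. "GIN CERTIFICATE-----".
        for ln in lines:
            if "CERTIFICATE" in ln and "END" not in ln:
                return "damaged-begin-line"
        return "no-begin-line"

    start = lines.index(BEGIN)
    if END not in lines[start + 1:]:
        return "missing-end-line"
    end = lines.index(END, start + 1)

    try:
        der = base64.b64decode("".join(lines[start + 1:end]), validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"

    # A certificate is an ASN.1 SEQUENCE; other content is the kind of input
    # an ASN.1 decoder rejects with "wrong tag" or "expecting an asn1 sequence".
    if not der or der[0] != 0x30:
        return "not-a-sequence"
    return "pem-ok"


def _pem(der: bytes) -> bytes:
    """Wrap DER bytes in certificate armor (helper for the constructed samples)."""
    body = base64.b64encode(der).decode("ascii")
    return f"{BEGIN}\n{body}\n{END}\n".encode("ascii")


# Constructed samples: a tiny ASN.1 SEQUENCE stands in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLES = {
    "good PEM": _pem(SAMPLE_DER),
    "start of first line lost in paste": _pem(SAMPLE_DER)[7:],
    "DER saved with a .crt name": SAMPLE_DER,
    "END line missing": _pem(SAMPLE_DER).replace(END.encode("ascii"), b""),
    "armor around non-certificate data": _pem(b"\x02\x01\x05"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:36s} -> {diagnose_cert_file(blob)}")
```

A "pem-ok" verdict only says the armor and outer ASN.1 tag are intact; openssl x509 -in on the file, as suggested in the thread, remains the full parse.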
Re: Openssl Error + Apache
On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:

> Hi there ~
>
> I have an Apache installation running mod_ssl and would like to setup another VirtualHost that runs under SSL on a different port (e.g. 8443). The default site on port 443 is running fine with SSL. The new certificate I have installed for the second site appears to be incorrect or the version of OpenSSL I have is not up to date. This causes Apache to crash. Can someone look at the error(s) below and please tell me where to start or how to fix it?
>
> Errors:
>
> [Fri Oct 6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server certificate from file /apache/conf /mycertificatename.crt (OpenSSL library error follows)
> [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> Thanks in advance

That indicates it doesn't like the certificate file in mycertificatename.crt. It may be corrupt or in the wrong format. Try the command:

openssl x509 -in mycertificatename.crt

to see if you get the same error.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: Openssl Error + Apache
I ran the command below and I did receive an error so it looks like something is indeed wrong with the SSL Certificate. If anyone has any ideas how what I can look at regarding this error I would appreciate it. Thanks

2705:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

From: [EMAIL PROTECTED] on behalf of Dr. Stephen Henson
Sent: Sun 10/8/2006 12:01 PM
To: openssl-users@openssl.org
Subject: Re: Openssl Error + Apache

On Sat, Oct 07, 2006, [EMAIL PROTECTED] wrote:

> Hi there ~
>
> I have an Apache installation running mod_ssl and would like to setup another VirtualHost that runs under SSL on a different port (e.g. 8443). The default site on port 443 is running fine with SSL. The new certificate I have installed for the second site appears to be incorrect or the version of OpenSSL I have is not up to date. This causes Apache to crash. Can someone look at the error(s) below and please tell me where to start or how to fix it?
>
> Errors:
>
> [Fri Oct 6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server certificate from file /apache/conf /mycertificatename.crt (OpenSSL library error follows)
> [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> Thanks in advance

That indicates it doesn't like the certificate file in mycertificatename.crt. It may be corrupt or in the wrong format. Try the command:

openssl x509 -in mycertificatename.crt

to see if you get the same error.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Openssl Error + Apache
Hi there ~

I have an Apache installation running mod_ssl and would like to setup another VirtualHost that runs under SSL on a different port (e.g. 8443). The default site on port 443 is running fine with SSL. The new certificate I have installed for the second site appears to be incorrect or the version of OpenSSL I have is not up to date. This causes Apache to crash. Can someone look at the error(s) below and please tell me where to start or how to fix it?

Errors:

[Fri Oct 6 13:37:21 2006] [error] mod_ssl: Init: Unable to read server certificate from file /apache/conf /mycertificatename.crt (OpenSSL library error follows)
[Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Oct 6 13:37:21 2006] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Thanks in advance

Gary
OpenSSL error : 0D09F007
Greetings,

We are using OpenSSL with OpenOSP to set up a CA and getting following error. Would greatly appreciate if you can throw some pointers :

22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0224 Checking for CA certificate first
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0235 Found CA cert; convert to internal format
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*Failed to convert ASN.1 CA cert
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 )) Unlocking ccm.ldap.access_mutex
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 Unlocked ccm.ldap.access_mutex

The commands used to create certificate are as per attached make_ca.sh file. The other attached files are decoded certificate, openssl.cnf and openosp.cnf file that we are using in our setup.

Kindly let me know what possibly could be wrong.

Best Regards,
Rajat

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = /usr/openosp/random
#RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present
OpenSSL error : 0D09F007
Greetings,

We are using OpenSSL with OpenOSP to set up a CA and getting following error while initializing the OSP server. We would greatly appreciate if you can throw some pointers :

22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0224 Checking for CA certificate first
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0235 Found CA cert; convert to internal format
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*Failed to convert ASN.1 CA cert
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 )) Unlocking ccm.ldap.access_mutex
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 Unlocked ccm.ldap.access_mutex

The commands used to create certificate are as per attached make_ca.sh file. The other attached files are decoded certificate, openssl.cnf and openosp.cnf file that we are using in our setup.

Kindly let me know what possibly could be wrong.

Best Regards,
Rajat

openssl.cnf Description: openssl.cnf
openosp.cnf Description: openosp.cnf

# ./openssl x509 -in /usr/openosp/cacert.der -inform der -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=IN, O=Wipro, CN=OSPServer
Validity
Not Before: Nov 15 11:27:44 2005 GMT
Not After : Nov 15 11:27:44 2015 GMT
Subject: C=IN, O=Wipro, CN=OSPServer
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption

#!/bin/ksh
# Shell script: make_ca.sh
#
# Purpose: Make a CA certificate using OpenSSL commands
#
# (C) COPYRIGHT DATA CONNECTION LIMITED 2000
#
# $Revision:: 1.2$ $Modtime:: Aug 02 2000 10:05:42 $

SSL_PATH=${SSL_PATH:-/usr/local/ssl}

#
# Create a request
#
$SSL_PATH/bin/openssl req -new -newkey rsa:1024 -config $SSL_PATH/openssl.cnf \
-out careq.pem -keyout cakey.pem -nodes

#
# Create a temporary self-signed cert that we can use as a CA cert
#
$SSL_PATH/bin/openssl x509 -req -in careq.pem -signkey cakey.pem \
-extfile $SSL_PATH/openssl.cnf -extensions v3_ca -out cacert0.pem

#
# Sign the request using the temporary CA cert that we just made.
# This effectively results in another CA cert, but this one has a
# serial number.
#
$SSL_PATH/bin/openssl x509 -req -in careq.pem -CAkey cakey.pem \
-CA cacert0.pem -CAserial serial.txt -CAcreateserial \
-extfile $SSL_PATH/openssl.cnf -extensions v3_ca -days 3652 -outform DER \
-out cacert.der

#
# Delete the files we no longer need.
#
rm careq.pem
rm cacert0.pem
OpenSSL error using xsupplicant
Hello!

I'm using OpenSSL along with xsupplicant in order to authenticate on a 802.1x protected wireless network. This network makes use of eap-ttls and everything runs fine until I get my first disconnection. After that, xsupplicant tries to reconnect again, but fails after getting the following error from OpenSSL (/var/log/xsupplicant.log):

OpenSSL Error -- error:14095044:lib(20):func(149):reason(68)

I don't know, at all, which one is faulty: if xsupplicant is causing the error or if it is just a problem with openssl. Strangely, a fellowship of mine is using Ubuntu with the same packages and he doesn't have this error (so, xsupplicant successfully reconnects).

I'm using SuSE 9.3 and I've updated openssl from 0.9.7e-3 to version 0.97g to see if this would work, but without results, the error keeps on showing up. I'm using xsupplicant 1.0.1 and the wireless card is a ipw2200 with the latest drivers available (1.0.3) and firmware too. My mate has exactly the same configuration: Ubuntu with xsupplicant 1.0.1, ipw2200 with the same drivers/firmware and openssl0.9.7e-3 and he doesn't get that error. Apart from that, the logs generated on /var/log/messages and /var/log/xsupplicant are exactly the same as mine.

I hope you can get me further details in what could be generating that error.

Best Regards,
Mário Lopes
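The undecoded form error:14095044:lib(20):func(149):reason(68) in the message above is what OpenSSL prints when its error strings have not been loaded; the eight hex digits still pack the library, function and reason numbers. The following is an added example, not code from the poster, xsupplicant or OpenSSL: it unpacks that layout as used by the pre-3.0 OpenSSL releases in these threads, and goes one step further to cover the alert-style reason in the "bad record mac" report on this page. Function and variable names are illustrative.

```python
import re

# Library numbers from OpenSSL's err.h (only those that appear on this page).
LIB_NAMES = {9: "PEM routines", 13: "asn1 encoding routines", 20: "SSL routines"}

# Reasons with the ERR_R_FATAL bit (64) set are generic, shared by all libraries.
GENERIC_REASONS = {
    65: "malloc failure",
    66: "called a function you should not call",
    67: "passed a null parameter",
    68: "internal error",
}

# libssl reports an alert received from the peer as reason 1000 + alert number.
SSL_LIB = 20
ALERT_OFFSET = 1000
TLS_ALERTS = {
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
}

# "error:" followed by exactly eight hex digits, as in the log lines below.
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")


def decode(code_hex):
    """Unpack a pre-3.0 OpenSSL error code: 8 bits lib, 12 bits func, 12 bits reason."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF

    if reason in GENERIC_REASONS:
        meaning = GENERIC_REASONS[reason]
    elif lib == SSL_LIB and reason >= ALERT_OFFSET:
        alert = reason - ALERT_OFFSET
        meaning = "peer sent TLS alert %d (%s)" % (alert, TLS_ALERTS.get(alert, "unlisted"))
    elif reason < 64 and reason in LIB_NAMES:
        # Small reasons equal to a library number mean the failure came from
        # that nested library, e.g. reason 13 is printed as "ASN1 lib".
        meaning = "nested error in library %d (%s)" % (reason, LIB_NAMES[reason])
    else:
        meaning = "library-specific reason; see that library's error header"

    return {
        "code": code_hex.upper(),
        "lib": lib,
        "lib_name": LIB_NAMES.get(lib, "unlisted"),
        "func": func,
        "reason": reason,
        "meaning": meaning,
    }


def scan_log(text):
    """Decode every error:XXXXXXXX token found in a block of log text."""
    return [decode(m.group(1)) for m in ERROR_RE.finditer(text)]


# Log lines copied from the messages on this page.
LOG_LINES = [
    "OpenSSL Error -- error:14095044:lib(20):func(149):reason(68)",
    "imapd-ssl: couriertls: read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac",
    "26416:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:",
    "[error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag",
]

if __name__ == "__main__":
    for entry in scan_log("\n".join(LOG_LINES)):
        print("{code}: lib={lib} ({lib_name}) func={func} reason={reason} -> {meaning}".format(**entry))
```

OpenSSL 3.0 and later pack these codes differently and no longer carry a function number, so this unpacking applies only to logs from older releases.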
OpenSSL error: sslv3 alert bad record mac (fwd)
Hrm...I am curious if anyone on the list has any idea about what might be going on with this error. I saw a prior thread that just ended over a year ago with no resolution or explanation.

Thanks!

--
Jason A. Pfeil jason=at=jasonpfeil.com.NOSPAM

-- Forwarded message --
Date: Thu, 22 Apr 2004 14:47:16 -0400 (EDT)
From: Jason A. Pfeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: OpenSSL error: sslv3 alert bad record mac

Greetings, List!

I am having difficulty with pine connecting from one of my machines to my SSL IMAP server. What happens is that when I start pine, it asks for my password and I give it. It connects to the server and then tells me that there was an error and the connection vanishes. Then I go back to the folder list, reselect the folder, and voila! It works just fine.

When the first connection vanishes, I get this error in my logfile:

imapd-ssl: couriertls: read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

I have tracked this down with the courier-imap people and they can't figure out the issue. I cannot replicate it with the exact same version of pine and openssl on another box. I have rebuilt openssl *and* pine on the affected box many times.

I am using pine 4.58 and openssl:

% openssl version
OpenSSL 0.9.7d 17 Mar 2004

Pine is linked against it:

% ldd /usr/bin/pine
libldap.so.2 = /usr/lib/libldap.so.2 (0x40036000)
liblber.so.2 = /usr/lib/liblber.so.2 (0x4006d000)
libresolv.so.2 = /lib/libresolv.so.2 (0x40079000)
libncurses.so.5 = /lib/libncurses.so.5 (0x4008b000)
libpam.so.0 = /lib/libpam.so.0 (0x400d)
libdl.so.2 = /lib/libdl.so.2 (0x400d8000)
libgssapi_krb5.so.2 = /usr/lib/libgssapi_krb5.so.2 (0x400dc000)
libkrb5.so.3 = /usr/lib/libkrb5.so.3 (0x400ef000)
libcrypto.so.0.9.7 = /usr/lib/libcrypto.so.0.9.7 (0x40155000)
libcom_err.so.3 = /usr/lib/libcom_err.so.3 (0x4024f000)
libssl.so.0.9.7 = /usr/lib/libssl.so.0.9.7 (0x40251000)
libc.so.6 = /lib/libc.so.6 (0x40282000)
libsasl2.so.2 = /usr/lib/libsasl2.so.2 (0x403b1000)
/lib/ld-linux.so.2 = /lib/ld-linux.so.2 (0x4000)
libk5crypto.so.3 = /usr/lib/libk5crypto.so.3 (0x403c4000)

I am running gentoo linux and it is up to date as of a few days ago.

Any suggestions that anyone here may have will be *extremely* welcome.

Thanks!
--Jason

--
Jason A. Pfeil jason=at=jasonpfeil.com.NOSPAM
OpenSSL error: sslv3 alert bad record mac
Greetings, List!

I am having difficulty with pine connecting from one of my machines to my SSL IMAP server. What happens is that when I start pine, it asks for my password and I give it. It connects to the server and then tells me that there was an error and the connection vanishes. Then I go back to the folder list, reselect the folder, and voila! It works just fine.

When the first connection vanishes, I get this error in my logfile:

imapd-ssl: couriertls: read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

I have tracked this down with the courier-imap people and they can't figure out the issue. I cannot replicate it with the exact same version of pine and openssl on another box. I have rebuilt openssl *and* pine on the affected box many times.

I am using pine 4.58 and openssl:

% openssl version
OpenSSL 0.9.7d 17 Mar 2004

Pine is linked against it:

% ldd /usr/bin/pine
libldap.so.2 = /usr/lib/libldap.so.2 (0x40036000)
liblber.so.2 = /usr/lib/liblber.so.2 (0x4006d000)
libresolv.so.2 = /lib/libresolv.so.2 (0x40079000)
libncurses.so.5 = /lib/libncurses.so.5 (0x4008b000)
libpam.so.0 = /lib/libpam.so.0 (0x400d)
libdl.so.2 = /lib/libdl.so.2 (0x400d8000)
libgssapi_krb5.so.2 = /usr/lib/libgssapi_krb5.so.2 (0x400dc000)
libkrb5.so.3 = /usr/lib/libkrb5.so.3 (0x400ef000)
libcrypto.so.0.9.7 = /usr/lib/libcrypto.so.0.9.7 (0x40155000)
libcom_err.so.3 = /usr/lib/libcom_err.so.3 (0x4024f000)
libssl.so.0.9.7 = /usr/lib/libssl.so.0.9.7 (0x40251000)
libc.so.6 = /lib/libc.so.6 (0x40282000)
libsasl2.so.2 = /usr/lib/libsasl2.so.2 (0x403b1000)
/lib/ld-linux.so.2 = /lib/ld-linux.so.2 (0x4000)
libk5crypto.so.3 = /usr/lib/libk5crypto.so.3 (0x403c4000)

I am running gentoo linux and it is up to date as of a few days ago.

Any suggestions that anyone here may have will be *extremely* welcome.

Thanks!
--Jason

--
Jason A. Pfeil jason=at=jasonpfeil.com.NOSPAM
Re: openssl error (unable to load certificate)
At 22:44 06.12.2002 +0100, Richard Levitte - VMS Whacker wrote:

In message [EMAIL PROTECTED] on Fri, 06 Dec 2002 19:51:04 +0100, Wolfgang Ziegler [EMAIL PROTECTED] said:

Wolfgang.Ziegler when trying to get the subject out of a certificate
Wolfgang.Ziegler from our local test CA I get the following error:
Wolfgang.Ziegler
Wolfgang.Ziegler openssl x509 -noout -in usercert.pem -subject
Wolfgang.Ziegler unable to load certificate
Wolfgang.Ziegler 26416:error:0D081072:asn1 encoding routines:d2i_ASN1_OBJECT:expecting an object:a_object.c:217:
Wolfgang.Ziegler 26416:error:0D084070:asn1 encoding routines:d2i_ASN1_SET:error parsing set element:a_set.c:198:address=134815299 offset=-134815267
Wolfgang.Ziegler 26416:error:0D11D004:asn1 encoding routines:d2i_X509_CERT_AUX:nested asn1 error:x_x509a.c:82:address=134815295 offset=4
Wolfgang.Ziegler 26416:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

Hmm, I've seen something similar. If you do the following, what do you get?

openssl asn1parse -i -in usercert.pem

nothing, there is no output at all

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.

--
Fraunhofer-Institute for Algorithms and Scientific Computing (SCAI)
Schloss Birlinghoven, D-53754 Sankt Augustin, Germany
Tel: +49 2241 14 2258 Fax: +49 2241 14 2889
http://www.scai.fraunhofer.de
Today is not as cold as yesterday, even though today is colder
openssl error (in grid ftp) with non-Globus certificate
Hi,

when trying to use a certificate from our local test CA I encountered the following error:

wolf@packcs-e0:~/.globus /opt/globus/bin/openssl x509 -noout -in usercert.pem -subject
unable to load certificate
26416:error:0D081072:asn1 encoding routines:d2i_ASN1_OBJECT:expecting an object:a_object.c:217:
26416:error:0D084070:asn1 encoding routines:d2i_ASN1_SET:error parsing set element:a_set.c:198:address=134815299 offset=-134815267
26416:error:0D11D004:asn1 encoding routines:d2i_X509_CERT_AUX:nested asn1 error:x_x509a.c:82:address=134815295 offset=4
26416:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

Doing a verification of the certificate results in:

wolf@packcs-e0:~/.globus /opt/globus/bin/openssl verify -CApath /etc/grid-security/certificates usercert.pem
usercert.pem: OK
wolf@packcs-e0:~/.globus

Doing the same with my (outdated) Globus certificate works well, the first command results in the Subject string, the second tells me that my certificate has expired.

The openssl version is: OpenSSL 0.9.6g 9 Aug 2002

Does anybody see what is going wrong?

Thanks,
Wolfgang

--
Fraunhofer-Institute for Algorithms and Scientific Computing (SCAI)
Schloss Birlinghoven, D-53754 Sankt Augustin, Germany
Tel: +49 2241 14 2258 Fax: +49 2241 14 2889
http://www.scai.fraunhofer.de
Today is not as cold as yesterday, even though today is colder
Re: OpenSSL Error (Apache + mod_ssl)
On Fri, 15 Nov 2002 22:51:05 +, Manoj Kithany wrote:

Hi: My Apache is NOT working. The log file shows:

[Fri Nov 15 15:35:57 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

I am using Apache 1.3.27, mod_ssl 2.8.11 on IBM AIX 5.1 box.

Check the FAQ. This is quite possibly the most frequently asked OpenSSL question.

DS
Re: Apache + mod_ssl (OpenSSL Error)
On Thu, Nov 14, 2002 at 10:52:00PM +, Manoj Kithany wrote:

Hi Experts! I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. I am using IBM AIX box. So, I got mod_ssl from the IBM site and installed it in following way (after READing INSTALL file for 2 hrs;-(

#pwd
/opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27

So, I finally READ the LOG file error_log and checked it shows:

[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

Do you know what this error would be? I have already installed EGD entropy and is it stored in /dev/egd-pool. Any links/pointers on this is appreciated.

/dev/egd-pool is only queried automatically starting with OpenSSL 0.9.7. For 0.9.6x you have to enter the appropriate path using the SSLRandomSeed directive in httpd.conf. Details are found in the manual.

Best regards,
Lutz

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
OpenSSL Error (Apache + mod_ssl)
Hi: My Apache is NOT working. The log file shows:

[Fri Nov 15 15:35:57 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

I am using Apache 1.3.27, mod_ssl 2.8.11 on IBM AIX 5.1 box.
libcurl / openssl error
I'm having a strange error with libCurl in HP-UX 11.00, using OpenSSL 0.9.6g. I have my wrapper class in two projects. One is a standalone project and it works fine. The other is inside a server that uses OpenSSL for the inbound client connections, so the SSL_library_init() and such are in the main() function. The SSL descriptors that set the input method to TLS server occur inside threads. Then, from inside that thread, my wrapper class tries to post to a web page and gets an error, shutting down the connection.

The VERBOSE output is:

CUROPT_VEBOSE is set to TRUE
* About to connect() to ah1hpux1.linkpoint.com:443
* Connected to ah1hpux1.linkpoint.com (192.168.40.32) port 443
* SSL: error::lib(0):func(0):reason(0)
* Closing connection #0

I put the errors into a text string and the text is:

curl_errors = SSL: error::lib(0):func(0):reason(0)

libcURL SHOULD be using a separate instance of OpenSSL, but is it possible that the client and server are colliding? This indicates SSL had no error ... any guess why it's shutting down the connection?
Apache + mod_ssl (OpenSSL Error)
Hi Experts! I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. I am using IBM AIX box. So, I got mod_ssl from the IBM site and installed it in following way (after READing INSTALL file for 2 hrs;-(

#pwd
/opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27
# ./configure --with-apache=../apache_1.3.27 --with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer --with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl
#cd ..
#cd apache_1.3.27
#make
#make certificate
#make install

This DOCUMENTATION was given in README file in the above directory. Later, I start my APACHE for SSL as shown below and get ERROR:

#./apachectl startssl
./apachectl startssl: httpd could not be started

So, I finally READ the LOG file error_log and checked it shows:

[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

Do you know what this error would be? I have already installed EGD entropy and is it stored in /dev/egd-pool. Any links/pointers on this is appreciated.

Thanks!
Apache+SSL Not working ---OpenSSL Error?
Hi Experts:

I have Apache (with SSL) on my IBM AIX Box. I installed it using RPM. When I run my APACHE as ssl using: ./apachectl startssl I get following error:

--
# ./apachectl startssl
./apachectl startssl: httpd could not be started
#
--

So, when I check following LOG files - I have following:

Filename: error_log
[Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[Tue Nov 12 10:04:37 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Filename: ssl_engine_log
[12/Nov/2002 10:04:37 28132] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
[12/Nov/2002 10:04:37 28132] [info] Init: 1st startup round (still not detached)
[12/Nov/2002 10:04:37 28132] [info] Init: Initializing OpenSSL library
[12/Nov/2002 10:04:37 28132] [info] Init: Loading certificate private key of SSL-aware server www.kithany.com:443
[12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Do anyone of you Experts know what is the above ERROR for and how to remove that?

THANKS!
Re: Apache+SSL Not working ---OpenSSL Error?
Manoj Kithany wrote:

[12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Do anyone of you Experts know what is the above ERROR for and how to remove that?

My guess is that public.csr is a Certificate Signing Request (csr) and not a Certificate? They are very different objects.

To remove the error you would send the csr to a Certificate Authority and get a Server Certificate, which Apache would be able to use. Don't expect this to be free.

--
Charles B. (Ben) Cranston
mailto:zben;umd.edu
http://www.wam.umd.edu/~zben
Re: Apache+SSL Not working ---OpenSSL Error?
To make sure that this is an openssl issue, and not your apache configuration, or the hardware that you are using (I noticed the ssl_engine_log), try running the test server program that is with the openssl distribution.

Regards,
Tim

--- Manoj Kithany [EMAIL PROTECTED] wrote:

Hi Experts:

I have Apache (with SSL) on my IBM AIX Box. I installed it using RPM. When I run my APACHE as ssl using: ./apachectl startssl I get following error:

--
# ./apachectl startssl
./apachectl startssl: httpd could not be started
#
--

So, when I check following LOG files - I have following:

Filename: error_log
[Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[Tue Nov 12 10:04:37 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Filename: ssl_engine_log
[12/Nov/2002 10:04:37 28132] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
[12/Nov/2002 10:04:37 28132] [info] Init: 1st startup round (still not detached)
[12/Nov/2002 10:04:37 28132] [info] Init: Initializing OpenSSL library
[12/Nov/2002 10:04:37 28132] [info] Init: Loading certificate private key of SSL-aware server www.kithany.com:443
[12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Do anyone of you Experts know what is the above ERROR for and how to remove that?

THANKS!
Apache+SSL Not working ---OpenSSL Error?
Hi Tim:

THANKS for your email. What is TEST SERVER Program?

To make sure that this is an openssl issue, and not your apache configuration, or the hardware that you are using (I noticed the ssl_engine_log), try running the test server program that is with the openssl distribution.

Regards,
Tim

--- Manoj Kithany [EMAIL PROTECTED] wrote:

Hi Experts:

I have Apache (with SSL) on my IBM AIX Box. I installed it using RPM. When I run my APACHE as ssl using: ./apachectl startssl I get following error:

--
# ./apachectl startssl
./apachectl startssl: httpd could not be started
#
--

So, when I check following LOG files - I have following:

Filename: error_log
[Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[Tue Nov 12 10:04:37 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Filename: ssl_engine_log
[12/Nov/2002 10:04:37 28132] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
[12/Nov/2002 10:04:37 28132] [info] Init: 1st startup round (still not detached)
[12/Nov/2002 10:04:37 28132] [info] Init: Initializing OpenSSL library
[12/Nov/2002 10:04:37 28132] [info] Init: Loading certificate private key of SSL-aware server www.kithany.com:443
[12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Do anyone of you Experts know what is the above ERROR for and how to remove that?

THANKS!
RE: Apache+SSL Not working ---OpenSSL Error?
You can also check to make sure that the certificate that apache+mod_ssl is trying to read is in Base64... Every time I get these errors, 9 times out of 10, it's because my certificate is in DER format where apache is expecting it in PEM (Base64).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-openssl-users;openssl.org] On Behalf Of Manoj Kithany
Sent: Tuesday, November 12, 2002 3:19 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Apache+SSL Not working ---OpenSSL Error?

Hi Tim:

THANKS for your email. What is TEST SERVER Program?

To make sure that this is an openssl issue, and not your apache configuration, or the hardware that you are using (I noticed the ssl_engine_log), try running the test server program that is with the openssl distribution.

Regards,
Tim

--- Manoj Kithany [EMAIL PROTECTED] wrote:

Hi Experts:

I have Apache (with SSL) on my IBM AIX Box. I installed it using RPM. When I run my APACHE as ssl using: ./apachectl startssl I get following error:

--
# ./apachectl startssl
./apachectl startssl: httpd could not be started
#
--

So, when I check following LOG files - I have following:

--
Filename: error_log
[Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[Tue Nov 12 10:04:37 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
--

--
Filename: ssl_engine_log
[12/Nov/2002 10:04:37 28132] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
[12/Nov/2002 10:04:37 28132] [info] Init: 1st startup round (still not detached)
[12/Nov/2002 10:04:37 28132] [info] Init: Initializing OpenSSL library
[12/Nov/2002 10:04:37 28132] [info] Init: Loading certificate private key of SSL-aware server www.kithany.com:443
[12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
--

Do anyone of you Experts know what is the above ERROR for and how to remove that?

THANKS!
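Added example, not written by any poster in this thread: a Python check for the two explanations offered above for `d2i_X509:expecting an asn1 sequence`, namely a certificate signing request supplied where a certificate is needed, and a DER file where PEM is expected. It reads only the PEM label and the first DER fields; the sample inputs are constructed skeletons rather than real certificates, and every function name is this example's own.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length


def der_content(der):
    """Tell an X.509 certificate from a PKCS#10 request by its leading fields."""
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "not a single DER SEQUENCE"
        tag, start, _ = read_tlv(der, start)      # tbsCertificate or request info
        if tag != 0x30:
            return "unknown"
        tag, _, nxt = read_tlv(der, start)
        if tag == 0xA0:                           # [0] EXPLICIT version: v2/v3 cert
            return "certificate"
        if tag != 0x02:
            return "unknown"
        # The INTEGER is a v1 serial number or a request's version; look one field on.
        tag, start, end = read_tlv(der, nxt)
    except ValueError as exc:
        return f"malformed DER ({exc})"
    if tag != 0x30:
        return "unknown"
    if start < end and der[start] == 0x06:        # AlgorithmIdentifier opens with an OID
        return "certificate"
    if start == end or der[start] == 0x31:        # subject Name: sequence of SETs
        return "certificate request"
    return "unknown"


def classify(data):
    """Return the encoding, PEM label and apparent content of a candidate file."""
    m = PEM_RE.search(data)
    if not m:
        encoding = "DER" if data[:1] == b"\x30" else "unknown"
        return {"encoding": encoding, "label": None, "content": der_content(data)}
    label = m.group(1).decode()
    try:
        body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:
        return {"encoding": "PEM", "label": label, "content": "invalid base64"}
    return {"encoding": "PEM", "label": label, "content": der_content(body)}


def server_cert_verdict(data):
    """Say whether the bytes look usable as a PEM server certificate."""
    info = classify(data)
    if (info["encoding"], info["label"], info["content"]) == ("PEM", "CERTIFICATE", "certificate"):
        return "ok: PEM certificate"
    if info["content"] == "certificate request":
        return "wrong object: certificate signing request, not a certificate"
    if info["encoding"] == "DER" and info["content"] == "certificate":
        return "wrong encoding: DER certificate, convert to PEM"
    return f"unusable: {info}"


def tlv(tag, value=b""):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def pem(label, der):
    """Wrap DER bytes in PEM armor with the given label."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


# Constructed skeletons: just enough structure for the leading fields to be realistic.
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                               + tlv(0x0C, b"www.example.test"))))
BITS = tlv(0x03, b"\x00" + bytes(140))
CERT_SKELETON = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                              + ALG + NAME) + ALG + BITS)
V1_CERT_SKELETON = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + ALG + NAME) + ALG + BITS)
CSR_SKELETON = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + NAME) + ALG + BITS)

if __name__ == "__main__":
    for name, blob in [("PEM cert", pem("CERTIFICATE", CERT_SKELETON)),
                       ("PEM CSR", pem("CERTIFICATE REQUEST", CSR_SKELETON)),
                       ("raw DER cert", CERT_SKELETON)]:
        print(f"{name}: {server_cert_verdict(blob)}")
```

A request renamed or relabelled as a certificate is still reported as the wrong object, because the verdict looks at the decoded content and not only at the label or file extension.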
OpenSSL Error: [links] Segmentation fault on Configure
I have a Linux Redhat 6.2 system running apache web server. I'm trying to update my existing ssl implementation with openssl-0.9.6g. Existing config was compiled from source tar.

When I type in configure I get:

Operating system: i586-whatever-linux2
This system (linux-elf) is not supported. See file INSTALL for details.

I thought this was weird since it is a linux-elf system and this was exactly what I typed in for previous implementation which is 0.9.3a. So, I moved on to: ./Configure linux-elf, which give me the following:

[root@dns openssl-0.9.6g]# ./Configure linux-elf
Configuring for linux-elf
IsWindows=0
CC=gcc
CFLAG =-fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
EX_LIBS =-ldl
BN_ASM=asm/bn86-elf.o asm/co86-elf.o
DES_ENC =asm/dx86-elf.o asm/yx86-elf.o
BF_ENC=asm/bx86-elf.o
CAST_ENC =asm/cx86-elf.o
RC4_ENC =asm/rx86-elf.o
RC5_ENC =asm/r586-elf.o
MD5_OBJ_ASM =asm/mx86-elf.o
SHA1_OBJ_ASM =asm/sx86-elf.o
RMD160_OBJ_ASM=asm/rm86-elf.o
PROCESSOR =
RANLIB=/usr/bin/ranlib
PERL =/usr/bin/perl5
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Makefile = Makefile.ssl
make: *** [links] Segmentation fault (core dumped)
[root@dns openssl-0.9.6g]#

This also happens when I go back and try to run ./config or ./Configure linux-elf from original source tar (the one which is now running). I have no idea what to do from here. Could someone please give me some suggestions on what may be causing this, and what to do about it?

Thanks.
-ron

--
Ron Parker
Software Creations http://www.scbbs.com
Self-Administration Web Site http://saw.scbbs.com
Civil War Online Library http://civilwar.scbbs.com
VSB Interest Group http://vsb.scbbs.com
Dreaded OpenSSL: error:140890C7
Hi,

I am trying to authenticate clients connecting to my server.

[06/Mar/2002 18:45:19 25124] [info] Connection to child 3 established (server hub-1.trema.com:443, client 66.54.34.7)
[06/Mar/2002 18:45:19 25124] [info] Seeding PRNG with 512 bytes of entropy
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Handshake: start
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: before/accept initialization
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 read client hello A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write server hello A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write certificate A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 flush data
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Write: SSLv3 read client certificate B
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[06/Mar/2002 18:45:20 25124] [error] SSL handshake failed (server hub-1.trema.com:443, client 66.54.34.7) (OpenSSL library error follows)
[06/Mar/2002 18:45:20 25124] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

From the error message I can imagine two problems:
- the client has not sent any certificate
- the client has sent an unknown certificate.

Can anybody help me sort this out? A Google lookup retrieves a lot of OpenSSL: error:140890C7. Most of the time, people have invoked the ClientAuthentication by mistake.

Regards

--
Jean-Claude Bourut
Trema
1300, routes des Crêtes
Sophia Antipolis
06560 Valbonne FRANCE
Tel +33 4 92 38 81 04
Fax +33 4 92 38 81 99
OpenSSL error
I compiled OpenSSL 0.9.6b on Solaris 2.7 successfully. When I now try to compile OpenSSH (specifically ./configure) I get the following error:

checking for OpenSSL directory... configure: error: Could not find working OpenSSL library, please install or check config.log

Are you able to tell me what I am doing wrong?
Re: OpenSSL error
On Mon, Dec 10, 2001 at 12:08:51PM -0500, Hardej, Andrew wrote:

I compiled OpenSSL 0.9.6b on Solaris 2.7 successfully. When I now try to compile OpenSSH (specifically ./configure) I get the following error:

checking for OpenSSL directory... configure: error: Could not find working OpenSSL library, please install or check config.log

Are you able to tell me what I am doing wrong?

Yes! You don't follow the directive given. It tells you to check out the error messages in config.log.

Regards,
Lutz

--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: openssl error
I hate to distract from the original issue, but what is ethereal? Some kind of dump or sniffer? Where can it be found?

Rod Gilchrist [EMAIL PROTECTED]
Sent by: owner-openssl-users@openssl.org
11/15/2001 02:36 PM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: openssl error

MacDonald, Allan R [AMSTA-AR-FSF-A] wrote:

I am using openssl with Oracle Webtogo and the Apache 1.3.12 server. When I implemented SSL on the server I thought all was well until we had to turn off port 80. Then my webtogo app stopped working and gave me the error listed below. Any help with this would be very helpful. Thanks.

[14/Nov/2001 11:57:12 00621] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[14/Nov/2001 11:57:12 00621] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

Forgive the obvious answer... Your apache is listening on port 443 and your app is configured to only send SSL (HTTPS) on that port?

Download ethereal and have a look at what's happening on the wire. It's a good investment of a half hour.
Re: openssl error
Glover Barker wrote:

I hate to distract from the original issue, but what is ethereal? Some kind of dump or sniffer? Where can it be found?

It comes up at the top of the google hit list on the name. www.ethereal.com.

Yes, it's great. 10 minute install, hit capture-start and select an interface. Runs on most platforms. Read the documentation about the reset button. It's confusing at first as to what it's doing, and you need to know.
OpenSSL error in mod_ssl.
I do not know if this is the correct place to post this, but the only error message I see is OpenSSL errors in apache's output. Here goes...

[Fri Apr 27 18:06:19 2001] [error] mod_ssl: SSL handshake failed (server www.hidden.com:443, client hidden) (OpenSSL library error follows)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607C084:digital envelope routines:func(124) :reason(132)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607B086:digital envelope routines:func(123) :reason(134)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details of a re-created server certificate?]

I just built the server with both 9.6 and 9.6a with the same results. Here is what version of apache it is running, with mods:

Apache/1.3.19 (Unix) AuthPG/1.2 PHP/4.0.4pl1 mod_ssl/2.8.2 OpenSSL/0.9.6

Thank you,
Jason
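Added example, not part of any post in this thread: a Python decoder for the `error:XXXXXXXX:...` lines quoted throughout this page, using the packed layout of OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason), which is why `0607C084` in the message above is printed as func(124) and reason(132). The sample log is assembled from lines quoted on this page, the library table contains only the number/name pairs visible in those lines, and the function names are this example's own.

```python
import re
from collections import namedtuple

# error:<8 hex digits>:<library>:<function>:<reason>[:<file.c>:<line>]
ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\[]*)(?::([\w.]+\.c):(\d+))?")

# Library number -> library text, exactly as the two are paired in lines on this page.
LIB_NAMES = {
    0x04: "rsa routines", 0x06: "digital envelope routines", 0x09: "PEM routines",
    0x0D: "asn1 encoding routines", 0x14: "SSL routines",
    0x24: "random number generator", 0x2D: "FIPS routines",
}

OpenSSLError = namedtuple(
    "OpenSSLError", "code lib func reason lib_text func_text reason_text source")


def unpack(code):
    """Split a pre-3.0 packed code into (library, function, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Return an OpenSSLError for a log line, or None if it carries no error code."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack(code)
    source = f"{m.group(5)}:{m.group(6)}" if m.group(5) else None
    return OpenSSLError(code, lib, func, reason, m.group(2).strip(),
                        m.group(3).strip(), m.group(4).strip(), source)


def text_consistent(err):
    """Check the text fields against the numbers packed in the hex code.

    When the error strings were not loaded the text is func(N)/reason(N);
    those numbers must equal the decoded fields, and a known library number
    must carry the library text seen elsewhere on this page.
    """
    for text, value in ((err.func_text, err.func), (err.reason_text, err.reason)):
        m = re.fullmatch(r"(?:func|reason)\((\d+)\)", text)
        if m and int(m.group(1)) != value:
            return False
    return LIB_NAMES.get(err.lib, err.lib_text) == err.lib_text


def error_queues(lines):
    """Group consecutive error lines into one queue per failure.

    OpenSSL reports the oldest queued error first, so element 0 of each
    queue is where the failure started and later entries are its callers.
    """
    queues, current = [], []
    for line in lines:
        err = parse_line(line)
        if err:
            current.append(err)
        elif current:
            queues.append(current)
            current = []
    if current:
        queues.append(current)
    return queues


# Sample input assembled from log lines quoted on this page.
SAMPLE_LOG = """\
[Fri Nov 15 15:35:57 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
[Fri Apr 27 18:06:19 2001] [error] mod_ssl: SSL handshake failed (server www.hidden.com:443, client hidden) (OpenSSL library error follows)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607C084:digital envelope routines:func(124) :reason(132)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607B086:digital envelope routines:func(123) :reason(134)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details of a re-created server certificate?]
unable to load certificate
26416:error:0D081072:asn1 encoding routines:d2i_ASN1_OBJECT:expecting an object:a_object.c:217:
26416:error:0D084070:asn1 encoding routines:d2i_ASN1_SET:error parsing set element:a_set.c:198:address=134815299 offset=-134815267
26416:error:0D11D004:asn1 encoding routines:d2i_X509_CERT_AUX:nested asn1 error:x_x509a.c:82:address=134815295 offset=4
26416:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:
"""

if __name__ == "__main__":
    for queue in error_queues(SAMPLE_LOG.splitlines()):
        first = queue[0]
        print(f"{len(queue)} queued; first {first.code:08X} lib={first.lib} "
              f"func={first.func} reason={first.reason} ({first.reason_text})")
```

Grouping matters for triage: in each queue the first entry (for example `PRNG not seeded`) is the origin, and the later entries are the callers that failed because of it.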
OpenSSL Error: expecting an asn1 sequence
Hi OpenSSL Users,

After replacing the self-signed certificate by a real Verisign certificate I get the following error message in ssl_engine_log:

[29/Jan/2001 10:30:46 05379] [error] Init: Unable to read server certificate frm file /usr/local/apache_t3.1/conf/ssl.crt/server.crt (OpenSSL library error follows)
[29/Jan/2001 10:30:46 05379] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Used packages are:
Apache 1.3.12
OpenSSL 0.9.5a
mod_ssl 2.6.6.-1.3.12
Operating System is Linux RH6.1

Thank you for your help in advance

best regards,
Markus
openssl error
Hello,

Am trying to test my openssl enabled apache server using the following command:

openssl s_client -connect MYHOSTNAME:443

I get some good info followed by some that looks "not so good". Can anyone explain this error or tell me where to go to look it up? Results are as follows:

CONNECTED(0004)
depth=0 /C=US/ST=X/L=X/O=XX [EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=XXX/L=/O=XXX [EMAIL PROTECTED]
verify return:1
673:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:774:SSL alert number 40
673:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:203

--
Joseph J. Schiavone Jr.