Re: [RE]Re: About RSA_public_encrypt()

1999-06-08 Thread Holger Reif

최용삼 wrote:
> 
> >>To answer your question it would be interesting which
> >>padding method (last parameter of the encrypt function)
> >>do you use and how long your RSA modulus is.
> >>
> >>최용삼 wrote:
> >>>
> >>> Can RSA_public_encrypt() encrypt only 20-bytes long "from"?
> >>>
> >>> When I pass less than 20bytes string to it, it works well,
> >>> But, if I pass more than 20bytes string, it returns -1.
> >>>
> >>> And one more thing,
> >>> for less than 20byte-long input, it returns 32 always.
> >>> Is it right?
> >>>
> >>> I am working on Linux box.
> 
> Thanks for your information,
> padding is RSA_PKCS1_PADDING like below;

Then it is clear. Your modulus is obviously 32 Bytes (256 Bit) long.
The output will always have the same length as the modulus.

Second, the PKCS#1 formatting always adds at least 11 bytes of
formatting. That's why you get the error about data too long. Have you
tried popping up the errors?

Perhaps the solution for you would be to use the RSA_NONE padding
method and make sure yourself that the buffer you want to encrypt
is equal to the size of the modulus.
 
> unsigned char from[BUFSIZ*10] = "Some text of which the length is big enough";
> int siz;
> unsigned char to[BUFSIZ*10];
> 
> siz = strlen(from);
> 
> RSA_public_encrypt(siz, from, to, pub_rsa, RSA_PKCS1_PADDING);
> 
> The same error occurs whether on Linux or on HP-UX.

No surprise ;-)

-- 
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
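
[Added example, not part of the original thread and not OpenSSL code.] The length arithmetic Holger describes, as a stand-alone C sketch of the PKCS#1 v1.5 encryption block that is built before the RSA operation: it shows why a 32-byte modulus accepts at most 21 bytes and why the padded block is always modulus-sized. The function names and the use of /dev/urandom as the random source are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EM = 0x00 || 0x02 || PS || 0x00 || M : 3 marker bytes + at least 8 bytes of PS */
#define PKCS1_V15_OVERHEAD 11

/* Largest message that fits a k-byte modulus, or -1 if the modulus is too small. */
long pkcs1_v15_max_msg(size_t k)
{
    return k < PKCS1_V15_OVERHEAD ? -1L : (long)(k - PKCS1_V15_OVERHEAD);
}

/* Fill buf with n random non-zero bytes (assumption: /dev/urandom exists). */
static int nonzero_random(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t i = 0;
    int c;

    if (f == NULL)
        return -1;
    while (i < n) {
        if ((c = fgetc(f)) == EOF) {
            fclose(f);
            return -1;
        }
        if (c != 0)                 /* PS must not contain 0x00 */
            buf[i++] = (unsigned char)c;
    }
    fclose(f);
    return 0;
}

/*
 * Build the k-byte encryption block for msg. Returns k on success, or -1
 * when the message is longer than k - 11 (the "data too long" case from
 * the thread) or no randomness is available.
 */
long pkcs1_v15_encode(unsigned char *em, size_t k,
                      const unsigned char *msg, size_t mlen)
{
    long max = pkcs1_v15_max_msg(k);
    size_t pslen;

    if (max < 0 || mlen > (size_t)max)
        return -1;
    pslen = k - mlen - 3;           /* always >= 8 because of the check above */
    em[0] = 0x00;
    em[1] = 0x02;
    if (nonzero_random(em + 2, pslen) != 0)
        return -1;
    em[2 + pslen] = 0x00;           /* separator between padding and message */
    memcpy(em + 3 + pslen, msg, mlen);
    return (long)k;
}

/*
 * Layout check only: find the separator and return the message length.
 * A real decoder must run in constant time and must not reveal which
 * check failed; this one does neither.
 */
long pkcs1_v15_decode(const unsigned char *em, size_t k, const unsigned char **msg)
{
    size_t i;

    if (k < PKCS1_V15_OVERHEAD || em[0] != 0x00 || em[1] != 0x02)
        return -1;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;
    if (i == k || i < 10)           /* no separator, or fewer than 8 pad bytes */
        return -1;
    *msg = em + i + 1;
    return (long)(k - i - 1);
}

int main(void)
{
    /* Constructed input: the string from the post and a 32-byte (256-bit) modulus size. */
    const char *text = "Some text of which the length is big enough";
    unsigned char em[32];
    const unsigned char *out;

    printf("max message for a 32-byte modulus: %ld\n", pkcs1_v15_max_msg(sizeof em));
    printf("%lu-byte input -> %ld\n", (unsigned long)strlen(text),
           pkcs1_v15_encode(em, sizeof em, (const unsigned char *)text, strlen(text)));
    printf("21-byte input -> %ld\n",
           pkcs1_v15_encode(em, sizeof em, (const unsigned char *)text, 21));
    printf("decoded length: %ld\n", pkcs1_v15_decode(em, sizeof em, &out));
    return 0;
}
```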



Re: [RE]Re: About RSA_public_encrypt()

1999-06-08 Thread Ulf Möller

> Perhaps the solution for you would be to use the RSA_NONE padding
> method and make sure yourself that the buffer you want to encrypt
> is equal to the size of the modulus.

RSA_NONE should be used only if you have implemented a cryptographically
sound padding method in your application. OpenSSL supports PKCS#1 v1.5
and PKCS#1 v2.0 padding, which should be sufficient for almost all purposes.

If the modulus size causes problems, why not just use a larger key?




Re: [RE]Re: About RSA_public_encrypt()

1999-06-08 Thread Holger Reif

Ulf Möller wrote:
> 
> > Perhaps the solution for you would be to use the RSA_NONE padding
> > method and make sure yourself that the buffer you want to encrypt
> > is equal to the size of the modulus.
> 
> RSA_NONE should be used only if you have implemented a cryptographically
> sound padding method in your application. 

Right, I forgot to stress this point. I should have 
done it, especially since he might be a newbie to 
crypto too.

-- 
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de



Re: RE: RE: bug in EVP_MD_CTX_copy()

2001-04-23 Thread T Bharath

I would appreciate if you use my personal id and not the list

- Original Message -
From: "Rakesh.R" <[EMAIL PROTECTED]>
Date: Monday, April 23, 2001 4:51 am
Subject: RE: RE: bug in EVP_MD_CTX_copy() 

> Were you a student of SRM engineering college (MCA 2001 batch)?
> Raks
> 
> -Original Message-
> From: T Bharath [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 23, 2001 2:07 PM





Re: Re: document

2004-03-24 Thread Bruce Christensen
It is inherently NOT SAFE to open attachments from people you
do not know.  Please do not send attachments to the list unless
the moderator approves it (and he probably will not).

Bruce

You wrote on 24/03/2004 3:47:59 PM:

>Please read the document.
>




RE: Re: document

2004-03-24 Thread Steven Reddie
That was one of the worms doing the rounds at the moment.  It sends a
20-30KB zipfile and fakes the sender's email address.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Bruce Christensen
Sent: Thursday, 25 March 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Re: document


It is inherently NOT SAFE to open attachments from people you do not know.
Please do not send attachments to the list unless the moderator approves it
(and he probably will not).

Bruce

You wrote on 24/03/2004 3:47:59 PM:

>Please read the document.
>




Re: Re: openssl

1999-02-23 Thread Buchs Christian


> You'd probably better look at Cryptix if you need Java.

Cryptix implements JCE only. There's no free SSL in Java...
Maybe I'll be forced to use OpenSSL, though I don't think it's
a good (=pure, portable) solution to build a .DLL and use it from
Java.

To come back to my previous email, I just wanted to say that I was
surprised that there is no link or information about using OpenSSL
with Java. I think it would be a good idea to keep track of the matter
on the OpenSSL web site while there is still no free SSL in Java. 
Maybe you could have a look at the following links about using SSLeay
from java:
http://www.bpsinfo.com/javassl/
http://noc.kpnw.org/~scott/
But these pages are not maintained...

Cheers,
Ch. Buchs
[EMAIL PROTECTED]



Re: Re: WSAEventSelect

2006-11-09 Thread kalikali
This mail is addressed to Dr Stephen N. Henson in connection with his previous 
post.


> I have never come across a report of a deadlock in that situation and several
> applications have reported using WSAEventSelect() in the past. There are
> several possible reasons...
>


There is very, very little chance of the application deadlocking. The 'send'
command fails very rarely. I have made a test - I've sent about 100 Mb at one
time using a nonblocking socket, and Windows consumed the whole buffer at one
time and immediately returned without any error and with 100 Mb sent (the data
wasn't sent, of course) - it means that it has a large enough buffer to consume
a big amount of data. I'm using Windows XP; I don't know how it works on older
systems (NT, 98, Me); maybe there is a bigger probability of 'send' failure.
That's not all: I'm coding a simple Jabber client (I hope you know what Jabber
is). I've downloaded the source code for one of the freeware clients recommended
by the main jabber.org site (by the way, this client is recommended in first
place as a Windows client). I've looked at the source and it seems that it uses
OpenSSL improperly - in Winsock fashion (which is good for an unencrypted
connection - it depends on the Jabber server), using 2 threads, one for reading
and one for writing, without any OpenSSL command serialization. (This is my
opinion; maybe I've missed something, but I don't think so. It's written in
Delphi and it uses Indy components.) But even using this style, rather improper
for OpenSSL, it seems that it doesn't cause much trouble. The probability of
reading and writing at exactly the same time for a communicator application is
rather small; additionally, the scheduler must switch the threads at a special
moment of their work to cause a race condition. So, deadlocks for most
applications are very rare, and it is rather a matter of correctness than a real
problem in real applications that causes me to find the proper way of
implementing an OpenSSL app.

> 1. The application works because of the feature mentioned in KB186245.
> 

I'm using XP

> 2. The send() function never returns any of the other BIO_sock_non_fatal_error
> codes so this is not an issue in practice. The documentation seems to suggest
> this but that's no guarantee.
> 

Well, that's the problem. I have no certainty that this is true and that it will
be true for further OpenSSL implementations, so I have to develop code to deal
with it.


> Call select() with a zero second timeout. If it indicates socket is
> writable retry the operation, if not call WSAEventSelect().


Theoretically this should be true, since if OpenSSL returns the error WANT_WRITE
and it is not caused by WSAEWOULDBLOCK (the FD_WRITE event won't be sent), it
means that the operation should just be immediately repeated, and 'select' can
be used to check this situation. But, very theoretically, in some cases
WANT_WRITE will not be sent, since Windows can't check when writing will be
possible. Windows signals this by returning an error other than WSAEWOULDBLOCK,
and some other checking method should be used, for example repeated socket
polling ('select' with timeout > 0). (I hope you know what I mean.) I know this
is a very abstract case, but it should be remembered that an OS API is something
that is developed over many years for different OS versions; sometimes an API is
imported for compatibility from different OSes, etc. So using only good sense is
not a reliable way to success. (For example, why doesn't 'select' support
sockets and pipes at the same time? Wouldn't it be better than implementing the
WSAXXX framework?) The only reliable way is to implement exactly to the OS API
specification.

> 
> Call WSAGetLastError() to confirm the error code.
> 

Yes, I have seen this method in some thread of this mailing list, but I think
that it's not a reliable method. I have no certainty that OpenSSL doesn't reset
the error code or that some other Windows command is not invoked after the
'send' failure.

> 
> One is to write a custom socket BIO. In this case it would be very simple
> because it would copy all the existing methods *except* the write behaviour
> which would set the retry flag only if the error is WSAEWOULDBLOCK.
>

Unfortunately I'm using Delphi and OpenSSL is written in C, so it's not so
easy for me.

 
> The second alternative is BIO pairs this give an application total flexibility
> on all socket I/O but is more complex to handle.
> 

Yes, much more.


I've developed a method, but it has limited usage; it can be used for some
special kinds of applications using one socket for reading and writing (but
this is exactly my case). The application must wait for 3 events: a read event,
a user event (used to tell that the user wants to write) and a write event (used
only if WANT_WRITE occurred). This trick is tightly connected with the
application logic. When the app starts it waits for 2 events: the FD_READ event
and the user event; it does this using the 'WaitForMultipleObjects' command. It
uses this construction all the time until a WANT_WRITE error occurs, then it can
switch to a loop which uses
'se

Re: RE: WSAEventSelect

2006-11-09 Thread kalikali
This mail is addressed to David Schwartz.

Well, I have asked my question on this developer mailing list and I have got
an answer from one of the main OpenSSL developers. In this answer he suggested
possible solutions to me and confirmed (by giving an answer) that my problem is
real. He did it in his FIRST POST!

So, what do you think? Where is the problem? On my side or yours?

Second, if your answers had satisfied my needs, would I have cut the previous
thread (and started another)?
It's not a question from the OpenSSL area; it's rather from human communication.

Could you not answer my questions in this thread?

Thanks.

Lucas 


Re: Fwd: Re: Fwd: Re: OS/390

2000-09-15 Thread Richard Levitte - VMS Whacker

From: [EMAIL PROTECTED]

n2xjk> As far as I can tell, the ebcdic translation itself is working OK.
n2xjk> Apparently, there are functions which use ebcdic translation
n2xjk> which don't include ebcdic.h.  Whatever the case, the deletion
n2xjk> of the defines in ebcdic.h gets around it.

But that approach is counter-productive for OpenSSL.  What one has to
do is find the modules that do EBCDIC translation but do not include
ebcdic.h.  If you put back those defines, won't you get a list of
modules that complain about unresolved references?  In that case,
could you send us a copy of that list?  That's far easier than doing
an (exhaustive) check by hand, trust me.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: Re: Compiling Failed

2002-12-30 Thread EDWARD.JIANG
FYI, I compiled this version successfully by setting -no-asm flag.
> > Got error when compiling 0.9.7 beta 6:
> >
> > --
> >
> > gcc -E -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
> > des-586.s: Assembler messages:
> > des-586.s:2458: Error: Unimplemented segment type 135296 in
> > parse_operand(.L009cbc_enc_jmp_table-.L008PIC_point(%edx))
> >
> > --
> >
> > Any comments?
> >
> > 4. Document this case and advise to either use no-asm or upgrade
> assembler.

A new entry is being added to FAQ list which reads as following:

* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented
segment type"?

As of 0.9.7 assembler routines were overhauled for position independency
of the machine code, which is essential for shared library support. Now
for some reason OpenBSD is equipped with out-of-date GNU assembler which
finds the new code offending. To work the problem around configure with
no-asm (and sacrifice a great deal of performance) or upgrade /usr/bin/as.
For your convenience a pre-compiled replacement binary is provided as
http://www.openssl.org/~appro/i386-openbsd3-as, which is compiled from
binutils-2.8 released in 1997.

Cheers. A.

Re: RE : faster connexion

2003-01-22 Thread Pablo Royo Moreno


Or perhaps socket buffer size on the other side was low? (Just curiosity...)
Maybe by increasing it you could reach even more speed because a
3.3Mb/(2*100Mb) = 0.016secs ping time seems high in a 100Mb ethernet.

Pablo J. Royo

-- Original Message --
From: "p b" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 22 Jan 2003 16:00:34 +0100

>In fact, it was the size of the buffer used to send the data which was too
>large!!
>Now I reach 3,3 Mo/s
>
>Thanks for your help,
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of
>Pablo J Royo
>Sent: Tuesday, 21 January 2003 17:11
>To: [EMAIL PROTECTED]
>Subject: Re: faster connexion
>
>I don't know, but I think your socket buffer may be very low (default about
>8192 bytes or so), so your socket will never send to the net as many bytes as
>it can.
>You can try to increase it to 128Kb or 1Mb with the setsockopt( ) function. (In
>fact it should be 2*(Bandwidth)*(ping time) to keep a full link)
>
>Try something like this:
>
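>/* Sketch; needs <sys/socket.h> (or <winsock2.h> on Windows). */
>int sock = socket(AF_INET, SOCK_STREAM, 0);
>
>int level = SOL_SOCKET;     /* SO_RCVBUF is a socket-level option, not IPPROTO_TCP */
>int optval = 128 * 1024;    /* requested buffer size in bytes */
>int optlen = sizeof(optval);
>
>#ifdef WIN32
> int retval = setsockopt((SOCKET)sock,level,SO_RCVBUF,(char *)&optval,optlen);
>#else
> int retval = setsockopt(sock,level,SO_RCVBUF,(char *)&optval,optlen);
>#endif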
>
>Hope this helps
>
>Pablo J. Royo
>
>- Original Message -
>From: "p b" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, January 21, 2003 9:57 AM
>Subject: faster connexion
>
>
>> Hi,
>>
>> I have made a connexion between 2 computers linked by a 100Mb net.
>> I use BIO_s_connect and BIO_s_accept, but I can't transmit data faster
>> than 100ko/s (Even without SSL)! How can I "boost" my connexion :-)
>>
>> Thanks!
>>
>



RE : RE : faster connexion

2003-01-22 Thread p b
It's exactly the same soft on both sides, but the speed is now at 3.3
Moctets, not 3.3 Mbytes !!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of
Pablo Royo Moreno
Sent: Wednesday, 22 January 2003 20:22
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: RE : faster connexion



Or perhaps socket buffer size on the other side was low? (Just curiosity...)
Maybe by increasing it you could reach even more speed because a
3.3Mb/(2*100Mb) = 0.016secs ping time seems high in a 100Mb ethernet.

Pablo J. Royo

-- Original Message --
From: "p b" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 22 Jan 2003 16:00:34 +0100

>In fact, it was the size of the buffer used to send the data which was too
>large!!
>Now I reach 3,3 Mo/s
>
>Thanks for your help, 
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of
>Pablo J Royo
>Sent: Tuesday, 21 January 2003 17:11
>To: [EMAIL PROTECTED]
>Subject: Re: faster connexion
>
>I don't know, but I think your socket buffer may be very low (default about
>8192 bytes or so), so your socket will never send to the net as many bytes as
>it can.
>You can try to increase it to 128Kb or 1Mb with the setsockopt( ) function. (In
>fact it should be 2*(Bandwidth)*(ping time) to keep a full link)
>
>Try something like this:
>
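>/* Sketch; needs <sys/socket.h> (or <winsock2.h> on Windows). */
>int sock = socket(AF_INET, SOCK_STREAM, 0);
>
>int level = SOL_SOCKET;     /* SO_RCVBUF is a socket-level option, not IPPROTO_TCP */
>int optval = 128 * 1024;    /* requested buffer size in bytes */
>int optlen = sizeof(optval);
>
>#ifdef WIN32
> int retval = setsockopt((SOCKET)sock,level,SO_RCVBUF,(char *)&optval,optlen);
>#else
> int retval = setsockopt(sock,level,SO_RCVBUF,(char *)&optval,optlen);
>#endif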
>
>Hope this helps
>
>Pablo J. Royo
>
>- Original Message -
>From: "p b" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, January 21, 2003 9:57 AM
>Subject: faster connexion
>
>
>> Hi,
>>
>> I have made a connexion between 2 computers linked by a 100Mb net.
>> I use BIO_s_connect and BIO_s_accept, but I can't transmit data faster
>> than 100ko/s (Even without SSL)! How can I "boost" my connexion :-)
>>
>> Thanks!
>>
>



Re: Re: MinGW compilation

2004-06-05 Thread Jato





On Jun 4 2004, Mateus wrote:
>> Have anyone ever tried to compile openssl-0.9.7c (or any other) with
>> MinGW?

Yes, I have compiled openssl-0.9.7 from CVS for MingW and used it to 
compile a MingW port of the lynx browser. Did you have trouble? I am away 
from home, so I don't have access to the machine with the configuration 
options until next week. I did the compilation under Cygwin with the 
-mno-cygwin directive.
 Doug

How to make a shared library with MinGW or Cygwin?


Re: [Re: SSL_CTX_use_PrivateKey_file(...) fails]

2001-04-24 Thread Guy Sagy

Hey, thanks!
I didn't supply the right password for the private key file through the
SSL_CTX_set_default_passwd_cb() 2nd parameter. Now that I do - it works. 

Thanks!
Guy

Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
> On Mon, Apr 23, 2001 at 07:41:11PM -0400, Guy Sagy wrote:
> ...
> > pass = password;
> > SSL_CTX_set_default_passwd_cb( pSSLContext, password_cb );
> > if ( !( SSL_CTX_use_PrivateKey_file( pSSLContext, "servkey.pem",
> > SSL_FILETYPE_PEM )))
> ...
> > But the function call SSL_CTX_use_PrivateKey_file(...) above fails
> > internally inside pem_lib.c , on line 451 , line
> > PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_DECRYPT) .
> 
> Hmm. I just had a look into the source and would guess, that something
> is odd with the passphrase. Unfortunately you do not supply your
> password_cb.
> 
> Best regards,
>   Lutz
> -- 
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153






Re: RE : RE : Old mail currently unaccessible to me...

2003-05-29 Thread Dr. Stephen Henson
On Wed, May 28, 2003, p b wrote:

> 
> 
> I had made some test: in fact when I changed the iv, I only changed few
> bits, so the uncrypted file "seems" to be the same. (whatever the value of
> iv, only the first block change). It's ok.
> 
> 

That's expected behaviour for CBC mode.

> > phbgt> In the man, when you write EVP_CipherInit " always use the
> > phbgt> default cipher implementation", is that mean that even using
> > phbgt> EVP_get_cipherbyname("aes-256-cbc"), the cipher is not set to
> > phbgt> "aes-256-cbc"?
> > 
> 
> With this type of initialisation, EVP_CipherInit use aes-256-cbc. In fact,
> it seems that there's no default cipher in openssl.
> 

What it means is that it uses the default implementation *of that cipher*.
This will normally be the built-in software version.

There can however be multiple implementations of a given cipher for example
hardware implementations in ENGINEs.

An ENGINE can replace the default implementation so that for example an
accelerated hardware version is used by default instead of the software one.

It is also possible for an application to specify non default implementations
of ciphers if they wish to.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
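
[Added example, not part of the original thread and not OpenSSL code.] The CBC behaviour confirmed above, as a stand-alone C demonstration: decrypting with a changed IV damages only the first plaintext block, and the damage is exactly the XOR of the two IVs. It uses XTEA (8-byte blocks) in place of AES to stay self-contained, since the chaining is independent of the block cipher; the key, message and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 8       /* XTEA block size in bytes (AES uses 16; the chaining is identical) */
#define NBLOCKS 4

static uint32_t load32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* XTEA, 32 rounds, on one block in place; decrypt != 0 runs the rounds backwards. */
static void xtea_block(uint8_t b[BLK], const uint32_t k[4], int decrypt)
{
    const uint32_t delta = 0x9E3779B9u;
    uint32_t v0 = load32(b), v1 = load32(b + 4), sum = decrypt ? delta * 32u : 0u;
    int i;

    for (i = 0; i < 32; i++) {
        if (!decrypt) {
            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
            sum += delta;
            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        } else {
            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
            sum -= delta;
            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        }
    }
    store32(b, v0);
    store32(b + 4, v1);
}

/* CBC encrypt in place: C[i] = E(P[i] xor C[i-1]), with C[-1] = IV. */
void cbc_encrypt(uint8_t *buf, size_t nblocks, const uint8_t iv[BLK], const uint32_t k[4])
{
    const uint8_t *prev = iv;
    size_t n, j;

    for (n = 0; n < nblocks; n++, buf += BLK) {
        for (j = 0; j < BLK; j++)
            buf[j] ^= prev[j];
        xtea_block(buf, k, 0);
        prev = buf;
    }
}

/* CBC decrypt in place: P[i] = D(C[i]) xor C[i-1]; the IV enters only at i = 0. */
void cbc_decrypt(uint8_t *buf, size_t nblocks, const uint8_t iv[BLK], const uint32_t k[4])
{
    uint8_t prev[BLK], cur[BLK];
    size_t n, j;

    memcpy(prev, iv, BLK);
    for (n = 0; n < nblocks; n++, buf += BLK) {
        memcpy(cur, buf, BLK);
        xtea_block(buf, k, 1);
        for (j = 0; j < BLK; j++)
            buf[j] ^= prev[j];
        memcpy(prev, cur, BLK);
    }
}

/*
 * Encrypt a constructed 4-block message under iv_good, decrypt it under iv_bad.
 * Returns a bitmask of the plaintext blocks that came out wrong and writes the
 * XOR between the expected and recovered first block to first_block_xor.
 */
unsigned wrong_iv_damage(const uint8_t iv_good[BLK], const uint8_t iv_bad[BLK],
                         uint8_t first_block_xor[BLK])
{
    static const uint32_t key[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
    const char *msg = "block-0.block-1.block-2.block-3.";   /* 4 x 8 bytes, constructed */
    uint8_t buf[NBLOCKS * BLK];
    unsigned mask = 0;
    size_t n, j;

    memcpy(buf, msg, sizeof buf);
    cbc_encrypt(buf, NBLOCKS, iv_good, key);
    cbc_decrypt(buf, NBLOCKS, iv_bad, key);
    for (n = 0; n < NBLOCKS; n++)
        if (memcmp(buf + n * BLK, msg + n * BLK, BLK) != 0)
            mask |= 1u << n;
    for (j = 0; j < BLK; j++)
        first_block_xor[j] = buf[j] ^ (uint8_t)msg[j];
    return mask;
}

int main(void)
{
    uint8_t good[BLK] = {1, 2, 3, 4, 5, 6, 7, 8}, bad[BLK], diff[BLK];

    memcpy(bad, good, BLK);
    bad[0] ^= 0x01;                 /* change "a few bits" of the IV, as in the post */
    bad[7] ^= 0x80;
    printf("damaged block mask: 0x%x\n", wrong_iv_damage(good, bad, diff));
    printf("first-block xor: %02x ... %02x\n", diff[0], diff[7]);
    return 0;
}
```

Because the decryption succeeds without any error, a receiver that needs to detect a modified IV has to authenticate it together with the ciphertext.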


Re: Re: AES counter mode

2003-06-23 Thread Stephen Sprunk
Thus spake "Thierry Boivin" <[EMAIL PROTECTED]>
> http://archives.seul.org/mixminion/cvs/May-2002/msg00072.html shows
> that the problem seems to have been submitted to the openssl team one
> year ago. I agree with Nick and go to the same conclusion : as the
> openssl aes counter mode routines wants to count by 2**64 instead of
> by 1, the current implementation is not correct.
>
> The source of disagreement seems to be the interpretation of a NIST
> document (Michael pointed such a document when replying at first).

In the specification of CTR mode, as proposed for AES, you will find the
statement "The number /nonce/ is incremented following each encryption."  I
interpreted this to mean that the top 2^64 bits are to be incremented for
each successive block, and this is how I implemented the code.

Further review has indicated everyone else seems to think this means the
nonce is incremented only between streams and it's the counter that is
incremented between blocks; is there anyone out there who _disagrees_ with
this?  If not, it is a trivial matter to shift which bits in the counter are
touched.

On the matter of overflowing the lower 64 bits, this is not specifically
addressed in the submission (I think they assumed nobody would exceed 2^64
blocks per stream, which is reasonable) and thus I think wrapping is the
correct failure.  To increment the nonce introduces a more insidious failure
mode where the user unintentionally reuses nonces.

Other specifications have suggested that nonce be of unspecified length, not
exactly 64 bits; this implies that the lower bits wrap in an overflow
condition, otherwise there would be no need to specify a boundary between
the different parts of counter at all.  Unfortunately, implementing this (as
has been requested) would require more significant changes to the API than I
know how to make, as passing parameters to a mode doesn't appear to be
supported today.

S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
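
[Added example, not part of the original thread and not OpenSSL code.] The three ways of stepping a CTR counter block discussed in this message, as stand-alone C: counting in the top 64 bits, counting in the low 64 bits with wrap-around, and counting across all 128 bits so that an overflow carries into the nonce. The layout (bytes 0..7 nonce, bytes 8..15 big-endian block counter starting at 0) and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTR_BLOCK 16

static void put_be64(uint8_t *p, uint64_t v)
{
    int i;
    for (i = 7; i >= 0; i--) {
        p[i] = (uint8_t)v;
        v >>= 8;
    }
}

/* Assumed layout: bytes 0..7 = per-stream nonce, bytes 8..15 = block counter. */
void ctr_init(uint8_t blk[CTR_BLOCK], uint64_t nonce, uint64_t counter)
{
    put_be64(blk, nonce);
    put_be64(blk + 8, counter);
}

/* Add 1 to the big-endian integer in blk[first..last]; returns 1 if it wrapped to 0. */
static int inc_be(uint8_t *blk, int first, int last)
{
    int i;
    for (i = last; i >= first; i--)
        if (++blk[i] != 0)
            return 0;
    return 1;
}

/* Per-block step in the top half ("counting by 2**64"). */
int ctr_step_high64(uint8_t *blk)   { return inc_be(blk, 0, 7); }

/* Per-block step in the low half; wraps without touching the nonce and reports it. */
int ctr_step_low64(uint8_t *blk)    { return inc_be(blk, 8, 15); }

/* Per-block step over all 128 bits; an overflow of the low half carries into the nonce. */
int ctr_step_carry128(uint8_t *blk) { return inc_be(blk, 0, 15); }

/* After one step, does stream n produce the same counter block as block 0 of stream n+1? */
int second_block_hits_next_stream(int (*step)(uint8_t *), uint64_t n)
{
    uint8_t a[CTR_BLOCK], b[CTR_BLOCK];

    ctr_init(a, n, 0);
    ctr_init(b, n + 1, 0);
    step(a);
    return memcmp(a, b, CTR_BLOCK) == 0;
}

/* Same question at the boundary: the counter is 2^64 - 1 and one more block is requested. */
int overflow_hits_next_stream(int (*step)(uint8_t *), uint64_t n, int *wrapped)
{
    uint8_t a[CTR_BLOCK], b[CTR_BLOCK];

    ctr_init(a, n, UINT64_MAX);
    ctr_init(b, n + 1, 0);
    *wrapped = step(a);
    return memcmp(a, b, CTR_BLOCK) == 0;
}

int main(void)
{
    int wrapped;

    /* Equal counter blocks under one key mean equal keystream blocks. */
    printf("high64 step, 2nd block == next stream's 1st block: %d\n",
           second_block_hits_next_stream(ctr_step_high64, 7));
    printf("low64 step,  2nd block == next stream's 1st block: %d\n",
           second_block_hits_next_stream(ctr_step_low64, 7));
    printf("carry128 at overflow collides with next stream:    %d",
           overflow_hits_next_stream(ctr_step_carry128, 7, &wrapped));
    printf(" (wrap reported: %d)\n", wrapped);
    printf("low64 at overflow collides with next stream:       %d",
           overflow_hits_next_stream(ctr_step_low64, 7, &wrapped));
    printf(" (wrap reported: %d)\n", wrapped);
    return 0;
}
```

With the low-half step the wrap is visible to the caller, who can stop or rekey before the stream's own first counter block is reused; with the carry the nonce changes silently.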



Re: verify_locations and Re: ssl_sess.c

1999-01-16 Thread Bodo Moeller

On Wed, Nov 17, 1999 at 12:40:55PM +, Geoff Thorpe wrote:

>>>  It seems that
>>> everything works if you make the calls the way the authors had intended
>>> rather than making the calls the way the authors made available.

>> How can you tell what is the "intended" way?  For SSL_get_session, the
>> code consistently assumes that no free-ing is necessary (cf. apps/s_*.c),
>> although surely it would have made sense to demand it.

> Intended way = (i) an SSL_SESSION pointer is not supposed to outlive the
> SSL pointer from which it came.

Ok, yes; I thought you meant it the other way around.

> (ii) an SSL pointer is only supposed to
> have one reference to it and programs that wish to have multiple
> references (whether in the same thread or otherwise) had best work out
> their own way of doing it using one reference.
> 
> Available way = reference counts, gets, sets, adds, and frees.
>
> Available way = reference counts, gets, sets, adds, and frees. If it looks
> like reference counting and it talks like reference counting then callers
> will reasonably hope it *is* reference counting.

I agree, however it's not as if the library had consistent behaviour
with just this one exception ... (and with the examples in
e.g. s_client.c it's very easy to find out how one is supposed to use
this -- at least compared with, say, finding out how the "copy"
parameter for session cache callbacks works :-)
Using new function names that state explicitly whether the caller
gets their own reference or not is what we should do, not break
existing code.

[...]
>> The trouble is that 0.9.4 has various bugs which should be fixed for
>> all applications before upgrading to the new library version becomes
>> too difficult.

> fair enough. The only thing I'd like to add though is that the behaviour
> *IS* changing inside 0.9.5-dev and I noted an example on openssl-dev a
> while back about it and ended up giving up on that piece of the API and
> cutting down below it myself. Namely the SSL_CTX_load_verify_locations
> behaviour changed in a way that broke my code *and* (as it turns out)
> broke ssltest (if you specify a -CAfile). The only reason it didn't break
> s_client and s_server was that its calls were being back-doored by;
> 
> [s_server.c:643]
> if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
> (!SSL_CTX_set_default_verify_paths(ctx)))
> 
> and because set_default_verify_paths succeeds, the fact that passing a
> CAfile into load_verify_locations fails is ignored.

This behaviour change probably should not have happened -- your
message about it is still in my queue; I haven't yet found time to
track down exactly what is happening and why, and to determine how
things would make more sense.



Re: [Re: Windows NT Version]

1999-12-19 Thread Deva Seetharam

Thanks in advance,
Deva

Actually the distribution will compile on NT but I am assuming that you would
like project files and workspaces for VC++. Someone built some very nice ones
and I'll check on Monday if I can find the link at work. Those would help you
out as they helped me out quite a bit.

>Hi,
>Is there a windows NT version of OpenSSL available?
>If so, where can I get it?
>Thanks
>Deva
>
>



Re: RE: Private Key problem

2007-05-02 Thread alois74
Thanks for your answer.
Oops, sorry, wrong list... I just subscribed to users and will resubmit there.
Anyway, just in case, since I'm posting here again anyway, here's what I did
with xxd, and some more info about the key. If anyone has any ideas how I
could get this to work I would greatly appreciate any hints. Offlist, if you
prefer, as this is dev, I know... so, ignore if you like. This was my last
post here ;)

my private key looks *something* like this (no need to delete, this is not a 
real key here):

064DA77A8E7CFA65EDCE641

(but much longer)
just one long string of hex values.

In xxd, I can't seem to find the option I need. I pasted the output of -help for
xxd below. I tried:
xxd -r infile outfile
but had to learn that a hexdump is not quite what my key is in..
I can do a binary digit dump, and then -r that, but that doesn't make sense,
does it? :S
Too many trees to see the forest for me here atm.
Thanks,
Alois
   
xxd [options] [infile [outfile]]
or
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
-a  toggle autoskip: A single '*' replaces nul-lines. Default off.
-b  binary digit dump (incompatible with -p,-i,-r). Default hex.
-c cols format  octets per line. Default 16 (-i: 12, -ps: 30).
-E  show characters in EBCDIC. Default ASCII.
-g  number of octets per group in normal output. Default 2.
-h  print this summary.
-i  output in C include file style.
-l len  stop after  octets.
-ps output in postscript plain hexdump style.
-r  reverse operation: convert (or patch) hexdump into binary.
-r -s off   revert with  added to file positions found in hexdump.
-s [+][-]seek  start at  bytes abs. (or +: rel.) infile offset.
-u  use upper case hex letters.



-------- Original Message --------
Date: Wed, 2 May 2007 13:31:30 -0700
From: "David Schwartz" <[EMAIL PROTECTED]>
To: openssl-dev@openssl.org, [EMAIL PROTECTED]
Subject: RE: Private Key problem

> 
> > Im tearing my hair out here with what is probably a stupid problem.
> > I'm new to openssl , rsa, etc... , so bear with me please:)
> [snip]
> > Ok then, i know the key needs to be in PEM format, for PHP  /
> > openssl... but, i can't get it recognized at all by openssl.
> [snip]
> > Ok, so i guess i do somehow have to convert that hex data into
> > binary, right?
> > i tried to do that with xxd , but failed.
> > how can i do that?
> > Sorry if this is a stupid question, but i seem unable to find
> > infos on this with google, for whatever reason...
> 
> Describing a result as "failed" is not helpful. You really give us nothing
> to go on. How about some example files? How about what the input and
> output was to 'xxd' and what parameters you passed to it? Something.
> 
> Also, what does this have to do with OpenSSL development? Perhaps you
> wanted the users mailing list?
> DS
> 
> 


Re: Fwd: Re: OS/390

2000-09-15 Thread Richard Levitte - VMS Whacker

From: [EMAIL PROTECTED]

n2xjk> I just modified ebcdic.h so that I didn't get unresolved references on the 
n2xjk> names _openssl_os_toascii  
n2xjk> _openssl_os_toebcdic 
n2xjk> _openssl_ebcdic2ascii
n2xjk> _openssl_ascii2ebcdic.
n2xjk> The names os_toascii  
n2xjk> os_toebcdic 
n2xjk> ebcdic2ascii
n2xjk> ascii2ebcdic resolve fine.

Hmm, that's odd.  ebcdic.c includes ebcdic.h, so the function names
should be mapped to the _openssl_* variants...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: re[2]: Openssl Documentation

2000-09-29 Thread Jeffrey Altman

The OpenSSL API is documented in the .pod files located in the doc
subdirectory.  The apps directory provides source code that provides
examples of how the API is used in real life situations.  There is no
tutorial provided on how to write a Telnet client or server that
implements START_TLS.

> I know where telnet is documented.  Where is Openssl documented ?
> I.E.  Where is SSL_connect() documented ??  I see a prototype of it,
> but I don't see any type of description on what it performs, what
> other openssl calls are prerequisites , etc


  Jeffrey Altman * Sr.Software Designer
 The Kermit Project * Columbia University
   612 West 115th St * New York, NY * 10025 * USA
 http://www.kermit-project.org/ * [EMAIL PROTECTED]





Re: RE: bug in EVP_MD_CTX_copy()

2001-04-23 Thread T Bharath

yes

- Original Message -
From: "Rakesh.R" <[EMAIL PROTECTED]>
Date: Monday, April 23, 2001 4:27 am
Subject: RE: bug in EVP_MD_CTX_copy() 

> Bharath are u from Chennai?
> 
> -Original Message-
> From: T Bharath [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 23, 2001 1:34 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: bug in EVP_MD_CTX_copy() 
> 
> I am trying to use openssl in my app and boundschecker was giving the
> following error
>stack memory overrun
>Copying 96 bytes to ctx.digest
>Starting offset 0,destination size:4 bytes
> The callstack details are
> 
> EVP_MD_CTX_copy()         \crypto\evp\digest.c   line no 90
> ssl3_handshake_mac()      \ssl\s3_enc.c          434
> ssl3_final_finish_mac()   \ssl\s3_enc.c          419
> ssl3_send_finished()      \ssl\s3_both.c         155
> ssl3_connect()            \ssl\s3_clnt.c         329
> SSL_connect()             \ssl\ssl_lib.c         727
> ssl23_get_server_hello()  \ssl\s23_clnt.c        469
> ssl23_connect()           \ssl\ssl_clnt.c        179
> SSL_connect()             \ssl\ssl_lib.c         727
> 
> Taking a closer look I found that in
> ssl3_handshake_mac() we have instantiated  EVP_MD_CTX ctx;
> and then call EVP_MD_CTX_copy(&ctx,in_ctx) inside which we do a memcpy.
> Now ctx has a pointer member    const EVP_MD *digest;
> When we instantiate ctx, digest, being a member pointer, does not get
> allocated any memory, and when we do the memcpy inside EVP_MD_CTX_copy
> we are copying data into a dangling pointer. Shouldn't we allocate
> memory to ctx.digest before calling EVP_MD_CTX_copy?
> I am using openssl-0.9.5a but I checked the latest openssl-0.9.6
> engine. This bug is still there.
> 
> 
> 
> 
> 



RE: RE: bug in EVP_MD_CTX_copy()

2001-04-23 Thread Rakesh.R

Were you a student of SRM engineering college (MCA 2001 batch)?
Raks


-Original Message-
From: T Bharath [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 23, 2001 2:07 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: bug in EVP_MD_CTX_copy() 


yes


- Original Message -
From: "Rakesh.R" <[EMAIL PROTECTED]>
Date: Monday, April 23, 2001 4:27 am
Subject: RE: bug in EVP_MD_CTX_copy()    


> Bharath are u from Chennai?
>
> -Original Message-
> From: T Bharath [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 23, 2001 1:34 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: bug in EVP_MD_CTX_copy()
>
> I am trying to use openssl in my app and boundschecker was giving the
> following error
>    stack memory overrun
>    Copying 96 bytes to ctx.digest
>    Starting offset 0,destination size:4 bytes
> The callstack details are
>
> EVP_MD_CTX_copy()         \crypto\evp\digest.c   line no 90
> ssl3_handshake_mac()      \ssl\s3_enc.c          434
> ssl3_final_finish_mac()   \ssl\s3_enc.c          419
> ssl3_send_finished()      \ssl\s3_both.c         155
> ssl3_connect()            \ssl\s3_clnt.c         329
> SSL_connect()             \ssl\ssl_lib.c         727
> ssl23_get_server_hello()  \ssl\s23_clnt.c        469
> ssl23_connect()           \ssl\ssl_clnt.c        179
> SSL_connect()             \ssl\ssl_lib.c         727
>
> Taking a closer look I found that in
> ssl3_handshake_mac() we have instantiated  EVP_MD_CTX ctx;
> and then call EVP_MD_CTX_copy(&ctx,in_ctx) inside which we do a memcpy.
> Now ctx has a pointer member    const EVP_MD *digest;
> When we instantiate ctx, digest, being a member pointer, does not get
> allocated any memory, and when we do the memcpy inside EVP_MD_CTX_copy
> we are copying data into a dangling pointer. Shouldn't we allocate
> memory to ctx.digest before calling EVP_MD_CTX_copy?
> I am using openssl-0.9.5a but I checked the latest openssl-0.9.6
> engine. This bug is still there.
>
>
>
>
>





Re: Re: doubt regarding X509_verify_cert

2001-09-06 Thread Chandu



 Hi all and Hello Dr. Henson,

please find attached files:
cacert.pem - trusted certificate
cakey.pem - trusted certificate's private key.
selfcert.pem - certificate signed by the given trusted certificate.

The following is the output when we try to use openssl verify utility:

$ openssl verify -CApath /usr/local/lib/openscep/ -CAfile
cacert.pem -verbose -issuer_checks tmp.pem
tmp.pem: /unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 2 at 1 depth lookup:unable to get issuer certificate


We could not make any progress with the OpenSSL verify utility as well.  I
request u to help us in this regard...

Awaiting your valuable Response

Regards
Suram

> I have a doubt regarding the x509_verify_cert().  When we have a TRUSTED
> certificate with the authority-key-identifier extension, and when we are
> trying to verify a SELF certificate using the function X509_verify_cert(),
> the verification is failing.

Upon a deeper look into the function, the function is failing as follows...

When we call the X509_verify_cert() with the CTX,
Before calling this function we are initializing the CTX->cert with the
self-certificate, and we are adding the trusted-certificates in X509_STORE
using the function X509_STORE_add_cert().

In the X509_verify_cert()
1. checks whether CTX->cert (self-certificate) is self-signed certificate or
not by PUSHing the certificates into a chain.
2. It is looking for Trusted certificates whose subject name is same as the
Issuer Name of CTX->cert(ie., self-certificate) and pushing the certificates
into the chain in the CTX. Now we are checking the Trusted certificates are
Self-signed or not by calling the function X509_check_issued( ).
3. We are passing the subject and issuer certificates the same Trusted
Certificate.  In this function we are checking the Serial Number of the
Issuer certificate with the Serial number in the extension Authority Key
Identifier of the Subject Certificate.
Here we are facing problem.  The problem is ASN1_INTEGER_cmp( ) is failing.

The QUESTION is whether the Serial Number in the Trusted Certificate should
be SAME as the Serial Number in the Authority Key Identifier extension?

If the two need not be the same then we feel that there is a bug in the
X509_check_issued ( ) function as we are using it to verify whether the
certificate is self-signed or not.

I would be thankful for any help regarding this question..

Regards
Suram

I've already responded to this in openssl-dev:

Does this fail with the OpenSSL verify utility? If so what is the
failure reason? Also try it with the -issuer_checks command line option.
If that doesn't help much then if you could send me the certificate(s)
causing the trouble I'll investigate further.

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

---

--
Rama Krishna Prasad  Chunduru
Software engineer
Intoto Software(I) Pvt Ltd
Kharkhana
Secundrabad

 selfcert.pem
 cacert.pem
 cakey.pem


RE:

1999-04-09 Thread salzr






> to realize an ocsp responder to verify client certificate, during client
> authentication. It works with LDAP directory v2 and look for the client
> cert in the directory: if it's present set ocsp status GOOD  else set
> ocsp status SUSPENDED.

This seems interesting, but please DO NOT call this an OCSP responder.
Looking to see if a certificate has been published is useful, but it does
nothing to indicate the certificate's true status.

There is currently only one way to make an OCSP request, and it is defined
in the (soon-to-be) RFC.

What you have is interesting and useful, but it's not yet OCSP.  Please
change the name.

/r$


RE:

1999-04-20 Thread Titchener, Tom

Andrea -
 
> where is the best place to take value to compose a correct OCSP request
> and response, during client authentication and how ?
> (values like X_509_NAME*, STACK*, EVP_MD*, EVP_PKEY* )
>  I think to take them in function get_client_certificates in module
>  s3_srvr.c and I'm trying to do it. Is that right ?

Hmm.  This question has a complicated answer that involves some
OpenSSL code that's currently being enhanced.  Nevertheless, let me
give you my answer about how I'd integrate OCSP into the OpenSSL
server code.  I'm sure others and particularly Stephen Henson will have
their own ideas about this.

The first part is easy.  No, I wouldn't say
s3_srvr.c:get_client_certificate() is the right place to put the OCSP
client call.  If you believe this belongs in the SSL code at all, then
I'd argue a better place to put it would be with the functions that
begin with the nest of verify routines that starts with
ssl_cert.c:verify_cert_chain().  One approach would be to write your
own callback (app_verify_callback, which is reached from the s->ctx).
A more integrated approach would be to enhance the routine
x509_vfy.c:X509_verify_cert().  After some fancy foot-work to build
a cert chain, this routine boils down to yet another routine,
x509_vfy.c:internal_verify().  Although X509_verify_cert() allows for
the option of a per-context verify routine (and there's even a macro
to initialize it), it never gets called (particularly not by the SSL code).
The internal_verify routine does the x509-thing, e.g. check the signatures
on the certs, and check the dates.

And then, on x509_vfy.c, line 392, there's a comment /* CRL CHECK */.
*That's* the place I'd put the OCSP call.

On the other hand, others might argue this kind of thing should be done
at the application level, e.g. from within your Apache server.  If that'd be
a help, we have a guy, John Rousseau, who's working on doing that
right now.  Send mail to him at [EMAIL PROTECTED].

> How can i send the response to the browser Netscape or to another
>  server Apache (OCSP client) ?
  
I'm not quite sure what this question means.  If it means "When I do an
OCSP query and I find the certificate has been revoked, how do I signal
the client?" then the answer depends on the protocol you're running.  If
the protocol has an "Unauthorized" error, then that's what you should send.
With HTTP you could pretty things up a little by translating the OCSP
error information (if there is any) into some HTML, so the client would know
just who disapproves of his or her certificate... 
 
Hope this helps.
 
TT




Re:

1999-04-22 Thread Ben Laurie

Anonymous wrote:
> Has anybody intentionally removed 16-bit support from OpenSSL? When?

It hasn't been intentionally removed, but none of the developers support
it. I see no reason that patches to fix it shouldn't be accepted.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



RE:

1999-05-11 Thread Jon Parry-McCulloch

Construct a memory BIO and write your cert to it. You can then read straight
out of this memory BIO into a buffer.

Summat like this:

/***

Function: get_certificate_as_buffer()

Input   : const char* file - pointer to the name of the file
          char* data       - caller-supplied buffer that receives the
                             PEM text; it must be large enough

Output  : nothing

Returns : const char* - pointer to the certificate buffer

***/

#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

const char *
get_certificate_as_buffer(const char *file, char *data)
{
  BIO *fbio = NULL;
  BIO *mbio = NULL;
  X509 *cert = NULL;
  const char *ret = NULL;

  if (file == NULL || data == NULL) {
    return NULL;
  }

  if ((fbio = BIO_new(BIO_s_file())) == NULL) {
    goto done;
  }
  if ((mbio = BIO_new(BIO_s_mem())) == NULL) {
    goto done;
  }
  if (BIO_read_filename(fbio, (char *) file) <= 0) {
    goto done;
  }
  /* current OpenSSL takes a fourth argument (callback user data) here */
  if (PEM_read_bio_X509(fbio, &cert, NULL, NULL) == NULL) {
    goto done;
  }
  if (PEM_write_bio_X509(mbio, cert) == 0) {
    goto done;
  }

  if (BIO_read(mbio, data, (int) BIO_number_written(mbio)) <= 0) {
    goto done;
  }

  /*
    can't remember if you use BIO_number_written() or assign a value from
    the call to PEM_write_bio_X509(mbio, cert). I seem to recall one of them
    doesn't do what you'd expect
  */

  ret = data;

done:
  /* single exit path: the free functions accept NULL, so the error
     paths no longer leak the certificate or the BIOs */
  BIO_free(fbio);
  BIO_free(mbio);
  X509_free(cert);

  return ret;
}


-Original Message-
From:   Andrea e Luca Giacobazzi [SMTP:[EMAIL PROTECTED]]
Sent:   Monday, May 10, 1999 5:24 PM
To: [EMAIL PROTECTED]
Subject:

Hi,
how can I convert a certificate from X509*xs structure format to DER
format,
and put it in a char * string in C, without using a temporary file ?
 
Thanks everybody in advance.
 



Re:

1999-05-11 Thread Dr Stephen Henson

> Andrea e Luca Giacobazzi wrote:
> 
> Hi,
> how can I convert a certificate from X509*xs structure format to DER
> format,
> and put it in a char * string in C, without using a temporary file ?
> 
> Thanks everybody in advance.
> 

You can use a memory BIO but the easiest way is to directly use the ASN1
functions.

Something like this will do it:

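#include <openssl/x509.h>

unsigned char *buf, *p;
int len;

/* first call, with NULL: only returns the length of the DER encoding */
len = i2d_X509(xs, NULL);
buf = Malloc(len);   /* OPENSSL_malloc() in later releases */
p = buf;
/* second call writes the encoding and advances 'p' past it */
i2d_X509(xs, &p);

/* ... DER encoded cert in 'buf' ... */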

You need the temporary pointer 'p' because the ASN1 functions
automatically increment the passed pointer.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





RE:

1999-05-11 Thread Salz, Rich

> I patched ssl_engine_kernel.c to realize an OCSP responder function
> that check cert status on ldap v2 directory.

I am sorry to be a pain in the neck (or lower down :), but you did not.
Your code does not do OCSP. OCSP is a status query protocol defined by
the IETF. You added "cert lookup" to mod_ssl. Many people will find this
useful, but it is not adding OCSP to Apache.
 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re:

1999-05-24 Thread Dr Stephen Henson

> Erik Aronesty wrote:
> 
> // v3_lib.c
> 
> void X509V3_EXT_cleanup()
> {
>  sk_pop_free(ext_list, ext_list_free);
>  ext_list = NULL;  // added to fix problem in openssl.exe command line (and others who free/reuse the ctx list)
> }
> 
> 

Thanks for the report. This fix has now been added.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re:

1999-08-23 Thread Andy Polyakov

> small bug in  openssl-0.9.4:
> 
> Using the 'enc' program present on the crypto/pkcs7 directory, I do:
> - take a string of 6 or less chars and save it on a file
> - apply the 'enc' prg to this file
> - apply the 'dec' prg to this file
> 
> the result is an empty message.
> 
> If the length of the string is >= 7, it works ok
this isn't correct statement. message shorter than 8 characters comes
out empty. you've forgotten to count the end-of-line. and it looks like
only block ciphers exhibit this behaviour. if you encrypt with rc4 it
comes out right. andy.



Re:

1999-08-23 Thread Dr Stephen Henson

Andy Polyakov wrote:
> 
> > small bug in  openssl-0.9.4:
> >
> > Using the 'enc' program present on the crypto/pkcs7 directory, I do:
> > - take a string of 6 or less chars and save it on a file
> > - apply the 'enc' prg to this file
> > - apply the 'dec' prg to this file
> >
> > the result is an empty message.
> >
> > If the length of the string is >= 7, it works ok
> this isn't correct statement. message shorter than 8 characters comes
> out empty. you've forgotten to count the end-of-line. and it looks like
> only block ciphers exhibit this behaviour. if you encrypt with rc4 it
> comes out right. andy.

Ouch! 

Like most "small" bugs it is a bit nasty. It is a bug in the encrypt
BIOs (enc_read) which can occur when EOF occurs at the start of a read.
You can see another more serious consequence by modifying 'dec.c' to
read in 16 byte chunks and then encrypting/decrypting something of
length 17 bytes: the last byte will get truncated.

I'll work on a fix.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
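
A self-contained model of the failure mode discussed in this thread, added here as an example and not taken from OpenSSL's bio_enc.c: a decrypting read filter has to keep the newest block back until it sees EOF, and must still flush that block when EOF is the first thing a read call encounters. The 8-byte XOR "cipher", the struct and every function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BLK 8   /* block size of the toy cipher */

/* Constructed key for a toy XOR "cipher" standing in for a real block cipher. */
static const unsigned char KEY[BLK] = {0x13,0x57,0x9b,0xdf,0x24,0x68,0xac,0xe0};

static void xor_block(unsigned char *b) { for (int i = 0; i < BLK; i++) b[i] ^= KEY[i]; }

/* Pad (1..BLK bytes, each holding the pad length) and encrypt.
 * 'out' needs room for len + BLK bytes; returns the ciphertext length. */
size_t toy_encrypt(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t pad = BLK - len % BLK, total = len + pad;
    memcpy(out, in, len);
    memset(out + len, (int)pad, pad);
    for (size_t off = 0; off < total; off += BLK) xor_block(out + off);
    return total;
}

struct dec_reader {
    const unsigned char *src;      /* ciphertext source */
    size_t src_len, src_pos;
    unsigned char held[BLK];       /* newest decrypted block, kept back until EOF */
    int have_held;
    unsigned char ready[BLK];      /* plaintext waiting to be handed out */
    size_t ready_len, ready_pos;
    int finished;                  /* source EOF seen and final block flushed */
};

void dec_init(struct dec_reader *r, const unsigned char *ct, size_t n)
{
    memset(r, 0, sizeof *r);
    r->src = ct; r->src_len = n;
}

/* Produce the next piece of plaintext in r->ready; returns 0 at the true end. */
static int refill(struct dec_reader *r)
{
    r->ready_pos = r->ready_len = 0;
    while (!r->finished && r->ready_len == 0) {
        if (r->src_len - r->src_pos >= BLK) {
            /* Another block follows, so the held one was not the last: release it. */
            if (r->have_held) {
                memcpy(r->ready, r->held, BLK);
                r->ready_len = BLK;
            }
            memcpy(r->held, r->src + r->src_pos, BLK);
            xor_block(r->held);
            r->src_pos += BLK; r->have_held = 1;
        } else {
            /* Source EOF, possibly as the first thing this read sees: the held
             * block is the final one and must be unpadded and flushed now. */
            r->finished = 1;
            unsigned pad = r->have_held ? r->held[BLK - 1] : 0;
            if (pad >= 1 && pad <= BLK) {
                r->ready_len = BLK - pad;
                memcpy(r->ready, r->held, r->ready_len);
            }
        }
    }
    return r->ready_len > 0;
}

/* read()-style call: returns bytes delivered, 0 only when nothing is left. */
size_t dec_read(struct dec_reader *r, unsigned char *out, size_t outl)
{
    size_t done = 0;
    while (done < outl) {
        if (r->ready_pos == r->ready_len && !refill(r)) break;
        size_t n = r->ready_len - r->ready_pos;
        if (n > outl - done) n = outl - done;
        memcpy(out + done, r->ready + r->ready_pos, n);
        r->ready_pos += n; done += n;
    }
    return done;
}

/* Encrypt 'len' constructed bytes, read them back in 'chunk'-sized reads, compare. */
int roundtrip_ok(size_t len, size_t chunk)
{
    unsigned char pt[64], ct[64 + BLK], got[64];
    size_t total = 0, n;
    struct dec_reader r;
    if (len > sizeof pt || chunk == 0) return 0;
    for (size_t i = 0; i < len; i++) pt[i] = (unsigned char)('a' + i % 26);
    dec_init(&r, ct, toy_encrypt(pt, len, ct));
    while ((n = dec_read(&r, got + total, chunk)) > 0) total += n;
    return total == len && memcmp(pt, got, len) == 0;
}

int main(void)
{
    /* The thread's two cases: under one block, and 17 bytes in 16-byte reads. */
    printf("%d %d\n", roundtrip_ok(6, 16), roundtrip_ok(17, 16));
    return 0;
}
```

Sweeping `roundtrip_ok` over every length around the block boundaries and several read sizes is the kind of regression check that catches a filter returning 0 at source EOF while a block is still held.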




Re:

1999-08-24 Thread Dr Stephen Henson

Manuel Mollar Villanueva wrote:
> 
> small bug in  openssl-0.9.4:
> 
> Using the 'enc' program present on the crypto/pkcs7 directory, I do:
> - take a string of 6 or less chars and save it on a file
> - apply the 'enc' prg to this file
> - apply the 'dec' prg to this file
> 
> the result is an empty message.
> 
> If the length of the string is >= 7, it works ok
> 

Should be fixed in the latest snapshot. It comes under the category "how
the hell wasn't this noticed before?". The fix is in
crypto/evp/bio_enc.c so you can just copy the one file if you don't
trust snapshots.

Many thanks for the report.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re:

1999-08-24 Thread Manuel Mollar


[EMAIL PROTECTED] wrote:
> Should be fixed in the latest snapshot. It comes under the category "how
> the hell wasn't this noticed before?". The fix is in
> crypto/evp/bio_enc.c so you can just copy the one file if you don't
> trust snapshots.
 
Thanks,
It is obvious that is not really an important bug.
Also, considering that for some smime agents, like netscape, a non-signed-but-ciphered
message must always have a "Content-type" declaration, so any message has
more than 8 bytes.
-- 
    Manuel Mollar Villanueva
    Prof TEU depto informatica, UJI
    http://moon.act.uji.es
    mailto:[EMAIL PROTECTED]
    telf 964 72 8355
 


Re:

1999-10-31 Thread Andy Polyakov

> SunOS amber 5.7 Generic_106542-07 i86pc i386 i86pc
> gcc version 2.95.2 19991024 (release)
> openssl-0.9.4
> 
> ...
> making all in crypto/sha...
> gcc -I.. -I../../include -DTHREADS -D_REENTRANT -O3 -fomit-frame-pointer -m486 -Wall 
>-DL_ENDIAN -DSHA1_ASM -DMD5_ASM -DRMD160_ASM  -c  sha_dgst.c
> Assembler: sha_dgst.c
> aline 274   : Illegal mnemonic
rerun ./config with -DPEDANTIC option.

andy.



Re:

1999-11-02 Thread Krzysztof Czuma


Hello,

It helps! Thanks very much.

Regards,
Krzysztof Czuma

On Sun, 31 Oct 1999, Andy Polyakov wrote:

> > SunOS amber 5.7 Generic_106542-07 i86pc i386 i86pc
> > gcc version 2.95.2 19991024 (release)
> > openssl-0.9.4
> > 
> > ...
> > making all in crypto/sha...
> > gcc -I.. -I../../include -DTHREADS -D_REENTRANT -O3 -fomit-frame-pointer -m486 
>-Wall -DL_ENDIAN -DSHA1_ASM -DMD5_ASM -DRMD160_ASM  -c  sha_dgst.c
> > Assembler: sha_dgst.c
> > aline 274   : Illegal mnemonic
> rerun ./config with -DPEDANTIC option.
> 
> andy.
> 



Re:

1999-11-02 Thread Ulf Möller

> > SunOS amber 5.7 Generic_106542-07 i86pc i386 i86pc

> rerun ./config with -DPEDANTIC option.

There should be #ifdefs (or at least something in the Configure script)
to catch this. Which macros does Solaris i86 define?



Re:

1999-11-03 Thread Ben Laurie

Ulf Möller wrote:
> 
> > > SunOS amber 5.7 Generic_106542-07 i86pc i386 i86pc
> 
> > rerun ./config with -DPEDANTIC option.
> 
> There should be #ifdefs (or at least something in the Configure script)
> to catch this. Which macros does Solaris i86 define?

Yeah, -DPEDANTIC has a different purpose.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



Re:

1999-11-07 Thread Dr Stephen Henson

Ana Isabel Lara wrote:
> 
> Country Name (2 letter code) [AU]:AU
> Organization Name (eg, company) []:Dodgy Brothers
> Common Name (eg, YOUR name) []:Brother 1
> Common Name (eg, YOUR name) []:Brother 2
> Request (and private key) is in newreq.pem
> Using configuration from ../apps/openssl.cnf
> error on line 6 of config file '../apps/openssl.cnf'
> 14041:error:0E065068:configuation file routines:STR_COPY:variable has no value:c
> onf.c:578:line 6
> cat: Cannot open newcert.pem: No such file or directory
> Signed certificate is in newcert.pem
> *** Error exit code 1
> 

Perhaps it's saying there is an error on line 6 of openssl.cnf?

By default it has something like this there:

RANDFILE= $ENV::HOME/.rnd
oid_file= $ENV::HOME/.oid

which expects the HOME environment variable to be set. Either change
these values (you can comment out oid_file) or set HOME to something
sensible.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re:

2000-03-07 Thread Krishnam Raju

Hi,
I also hv posted a similar question. After getting the issuers name frm the
cert. u hv recvd u hv to read that issuers cert( CAs cert) and after this u
hv to verify various fields.
I believe there will be some api for doing this. i am looking for that.
regds
Krishnam Raju

Brajesh Tiwari wrote:

>  Hi:
>
>  I am writing a SSL client using openSSL. The
>  client talks to a Netscape secured web server. I am
>  able to get the certificate from the web server. From
>  the certificate, using
>
>  X509_get_subject_name()
>  and
>  X509_get_issuer_name()
>
>  I am able to get subject (certificate sender's) and
>  issuer's (certificate issuer's) details.
>
>  My question is what exactly should I do, and how, to verify/authenticate
>  the certificate sent to me so that I know that they are from the
>  correct web server.
>
> Thanks.
> Brajesh



Re:

2000-03-02 Thread Andy Polyakov

> OpenSSL version:  0.9.5
> Target:   hpux-parisc-gcc
> Compiler: gcc version cygnus-2.7-96q4
^^^ have never seen anything
like it...
> 
> Failure!
> -
> c_rehash: rehashing skipped ('openssl' program not available)
> touch rehash.time
> testing...
> gcc -I../include -DTHREADS  -O3 -DB_ENDIAN -DBN_DIV2W -c bntest.c
> gcc -o bntest -I../include -DTHREADS  -O3 -DB_ENDIAN -DBN_DIV2W bntest.o -L. 
>-L.. -L../.. -L../../.. -L.. -lcrypto
> /bin/ld: Unsatisfied symbols:
>BIO_new (code)
Well, you should look for the error earlier in the output. It looks like
something is really broken and whatever it is it's very likely have
nothing to do with OpenSSL. I mean you maybe can't link with *any*
libwhatever.a you create yourself...

Andy.



Re:

2000-03-02 Thread Ravi Kalyanaraman

Hi:

i got around this problem by turning off the compiler optimization
flag "-O3" when trying to compile the file bn_asm.c in the crypto
directory.  Now, the build seems to be working okay. 

thanks for the help.

ravi

Andy Polyakov <[EMAIL PROTECTED]> wrote:
>> OpenSSL version:  0.9.5
>> Target:   hpux-parisc-gcc
>> Compiler: gcc version cygnus-2.7-96q4
>^^^ have never seen anything
>like it...
>> 
>> Failure!
>> 
>-
>> c_rehash: rehashing skipped ('openssl' program not available)
>> touch rehash.time
>> testing...
>> gcc -I../include -DTHREADS  -O3 -DB_ENDIAN -DBN_DIV2W -c bntest.c
>> gcc -o bntest -I../include -DTHREADS  -O3 -DB_ENDIAN -DBN_DIV2W bnte
>st.o -L. -L.. -L../.. -L../../.. -L.. -lcrypto
>> /bin/ld: Unsatisfied symbols:
>>BIO_new (code)
>Well, you should look for the error earlier in the output. It looks like
>something is really broken and whatever it is it's very likely have
>nothing to do with OpenSSL. I mean you maybe can't link with *any*
>libwhatever.a you create yourself...
>
>Andy.



RE:

2000-03-06 Thread Barnes, Michael L.

Looks like you compiled openssl as shared libraries.
make sure that you put the libs in either a standard
library path or export the LD_LIBRARY_PATH environment
variable to the directory that contains the libraries
prior to running the app.  (Or of course, recompile
openssl using static libs).

Mike

> -Original Message-
> From: Brajesh Tiwari [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 06, 2000 3:36 PM
> To: '[EMAIL PROTECTED]'
> Subject: 
> 
> 
> HI All,
> 
> I am trying to implement openSSL in my client Application. It compiles
> successfully, but when i tried to run the application, it gives me following
> error:
> 
> expCli: /sbin/loader: Fatal Error: Unresolved symbol in expCli:
> ERR_load_crypto_strings.
> 
> Please reply.
> 
> Thanks.
> Brajesh



RE:

2000-03-09 Thread carson

> "Mike" == Barnes, Michael L <[EMAIL PROTECTED]> writes:

Mike> Looks like you compiled openssl as shared libraries.
Mike> make sure that you put the libs in either a standard
Mike> library path or export the LD_LIBRARY_PATH environment
Mike> variable to the directory that contains the libraries
Mike> prior to running the app.  (Or of course, recompile
Mike> openssl using static libs).

Or, if using an OS that supports it (such as SunOS 5.x), set the binaries'
RPATH correctly (either via LD_RUN_PATH or a link-line -R under SunOS 5.x)

-- 
Carson Gaspar -- [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body



Re:

2000-03-12 Thread hazel Gao

See openssl/crypto/x509/x509_vfy.c for reference. 
There are functions such as X509_verify_cert and
internal_verify just doing the same job as u wanted to
do.

Hazel 

--- Krishnam Raju <[EMAIL PROTECTED]> wrote:
> Hi,
> I also hv posted a similar question. After getting the issuers name frm the
> cert. u hv recvd u hv to read that issuers cert( CAs cert) and after this u
> hv to verify various fields.
> I believe there will be some api for doing this. i am looking for that.
> regds
> Krishnam Raju
> 
> Brajesh Tiwari wrote:
> 
> >  Hi:
> >
> >  I am writing a SSL client using openSSL. The
> >  client talks to a Netscape secured web server. I am
> >  able to get the certificate from the web server. From
> >  the certificate, using
> >
> >  X509_get_subject_name()
> >  and
> >  X509_get_issuer_name()
> >
> >  I am able to get subject (certificate sender's) and
> >  issuer's (certificate issuer's) details.
> >
> >  My question is what exactly should I do, and how, to verify/authenticate
> >  the certificate sent to me so that I know that they are from the
> >  correct web server.
> >
> > Thanks.
> > Brajesh



Re:

2000-09-29 Thread arehn



Hi,

You can use:

 SSL_CTX_set_verify(context,SSL_VERIFY_NONE,cert_verify_callback);

to "turn off" the authentication.

Brg

/Andreas





Arezki Hamouni <[EMAIL PROTECTED]> on 2000-09-28 18:19:15

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Andreas Rehn/Nordic/Viewlocity)

Subject:



Hi,

I am using ITISSL 0.3 and Openssl 0.9.4.

My problem is, during the handshaking process , in my client
application, ITISSL (or openssl ???)  always verify  the  Server
certificate. Is it possible to not authenticate the server.

Thank you.

Arezki Hamouni
SurefireCommerce



  Andreas Rehn
  Software Engineer - Product Development
  _
  Viewlocity AB
  Tritonvägen 17, P.O. Box 13, S-171 18 Solna, Sweden
  Phone: +46 8 799 32 00, Direct: +46 8 799 32 38, Fax: +46 8 799 32 99
  Email: [EMAIL PROTECTED]




RE:

2000-09-29 Thread Arezki Hamouni





Hi Andreas,


Thank you for your help. 




-Original Message-
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent:   Friday, September 29, 2000 3:20 AM
To: [EMAIL PROTECTED]
Subject:    Re:

Hi,

You can use:

 SSL_CTX_set_verify(context,SSL_VERIFY_NONE,cert_verify_callback);

to "turn off" the authentication.

Brg

/Andreas

Arezki Hamouni <[EMAIL PROTECTED]> on 2000-09-28 18:19:15

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:    (bcc: Andreas Rehn/Nordic/Viewlocity)

Subject:

Hi,

I am using ITISSL 0.3 and Openssl 0.9.4.

My problem is, during the handshaking process , in my client
application, ITISSL (or openssl ???)  always verify  the  Server
certificate. Is it possible to not authenticate the server.

Thank you.

Arezki Hamouni
SurefireCommerce





Re:

2000-12-04 Thread Frédéric Donnat


 
Alex Cosic wrote:

> Hi,
> My question is on how to connect JSSE (java based client) with openssl based web
> engine server.
> I have tried so far and what I have got is that I could not create SSL socket with my
> openssl server, which works fine with my openssl client (even when I used JNI
> approach to use C library from Java.
> Any suggestion?
> Alex Cosic

Hi !
I've also an apache web server on linux and I have no problem to connect
to from a win PC using the socket class ( I've also secured my Client
using SSL protocol ) but I've not tried the SSLSocket class from JSSE !
Try to look at your configuration ! and see if the CipherSuite are available
or something like this !
I'm gonna try JSSE !
Best Regards Fred


Re:

2000-12-06 Thread Frédéric Donnat


 
 
> My question is on how to connect JSSE (java based client) with openssl based web
> engine server.
> I have tried so far and what I have got is that I could not create SSL socket with my
> openssl server, which works fine with my openssl client (even when I used JNI
> approach to use C library from Java.

In fact I'm afraid you're right !
I tried too to connect a browser with the JSSE 1.0.2 without success !
I haven't tried yet to connect a JSSE Client with an Apache Server but
I think it would give the same result !
It seems to be a question of implementation !
During handshake JSSE packed each message in a CipherText or a PlainText
instead of packing each group of message that's why handshake fails !
Maybe it's a difference between "OpenSSL" and "SSL & TLS" but I'm
not sure and I can't find information about this !
Regards Fred


Re:

2000-12-06 Thread steve.latif


   I've been able to use JSSE servers with browser clients,
I would think that it would work the other way too: JSSE client to server. 
The problems with JSSE usually come with certificate management;
keytool and keystores seem to be the cause of most problems:
You have to explicitly specify RSA for key generation,
and algorithms at almost all stages of key generation and 
certificate request, as it uses DSA by default.
There are also some problems with some of the JVM's that 
don't seem to have a full complement of encryption algorithms
though the latest jdk1.3 seems to work.

I have some notes at http://www.latif.org/ssl
and there are some other notes in the SSL doc
for the Enhydra app server at http://www.enhydra.org

steve


> "Donnat" == Donnat   writes:

>> My question is on how to connect JSSE (java based client) with
>> openssl based web engine server.
>> 
>> I have tried so far and what I have got is that I could not
>> create SSL socket with my openssl server, which works fine with
>> my openssl client (even when I used JNI approach to use C
>> library from Java.

Donnat> In fact I'm afraid you're right !  I tried too to connect
Donnat> a browser with the JSSE 1.0.2 without success !  I haven't
Donnat> tried yet to connect a JSSE Client with an Apache Server but
Donnat> I think it would give the same result !  It seems to be a
Donnat> question of implementation !  During handshake JSSE packed
Donnat> each message in a CipherText or a PlainText instead of
Donnat> packing each group of message that's why handshake fails !
Donnat> Maybe it's a difference between "OpenSSL" and "SSL & TLS"
Donnat> but I'm not sure and I can't find information about this !
Donnat> Regards Fred



Re:

2001-02-19 Thread StormWalker

Is there any way the list admin can block all this SPAM on the list?  It's
bad enough I get it from other places, but from the list...?
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 19, 2001 6:52 AM


> < get your own 100 meg web site for only $11.95 per month today!
>
> STOP PAYING $19.95 or more PER MONTH for your web site, WHEN YOU
> CAN GET ONE FOR ONLY $11.95 PER MONTH!
>
> DO YOU ALREADY HAVE A WEBSITE? ALL YOU HAVE TO DO IS TRANSFER THE
> DOMAIN TO OUR SERVERS AND UPLOAD YOUR DATA AND YOU ARE READY TO
> GO! YOUR NEW WEB SPACE CAN BE CREATED INSTANTLY WITH JUST A
> SIMPLE PHONE CALL OUR OFFICE.
>
> YOU CAN CHANGE YOUR SITE AS MUCH AS YOU WANT with no extra
> charge!  UNLIMITED TRAFFIC -- no extra charge!
>
>
> A SET UP FEE OF $40.00 APPLIES for FIRST TIME CUSTOMERS.
>
> ALL FEES PREPAID IN ADVANCE FOR THE YEAR PLUS A $40.00 SET UP
> CHARGE.
>
> FOR DETAILS CALL 1 888 248 0765  or fax 240 337 8325
>
> WEB HOSTING INTERNATIONAL



Re:

2001-07-09 Thread Ben Laurie

I think you meant 0.9.6b!

Richard Levitte wrote:
> 
>   OpenSSL version 0.9.6a released
>   ===
> 
>   OpenSSL - The Open Source toolkit for SSL/TLS
>   http://www.openssl.org/
> 
>   The OpenSSL project team is pleased to announce the release of version
>   0.9.6a of our open source toolkit for SSL/TLS.  This new OpenSSL version
>   is mostly a bugfix release and incorporates at least 55 changes to the
>   toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).
> 
>   The most significant changes are:
> 
>   o Security fix: PRNG improvements.
>   o Security fix: RSA OAEP check.
>   o Security fix: Reinsert and fix countermeasure to Bleichenbacher's
> attack.
>   o MIPS bug fix in BIGNUM.
>   o Bug fix in "openssl enc".
>   o Bug fix in X.509 printing routine.
>   o Bug fix in DSA verification routine and DSA S/MIME verification.
>   o Bug fix to make PRNG thread-safe.
>   o Bug fix in RAND_file_name().
>   o Bug fix in compatibility mode trust settings.
>   o Bug fix in blowfish EVP.
>   o Increase default size for BIO buffering filter.
>   o Compatibility fixes in some scripts.
> 
>   We consider OpenSSL 0.9.6a to be the best version of OpenSSL available and we
>   strongly recommend that users of older versions, especially of old SSLeay
>   versions, upgrade as soon as possible.  OpenSSL 0.9.6a is available for
>   download via HTTP and FTP from the following master locations (you can find
>   the various FTP mirrors under http://www.openssl.org/source/mirror.html):
> 
> o http://www.openssl.org/source/
> o ftp://ftp.openssl.org/source/
> 
>   [1] OpenSSL comes in the form of two distributions this time.
>   The reasons for this is that we want to deploy the external crypto device
>   support but don't want to have it part of the "normal" distribution just
>   yet.  The distribution containing the external crypto device support is
>   popularly called "engine", and is considered experimental.  It's been
>   fairly well tested on Unix and flavors thereof.  If run on a system with
>   no external crypto device, it will work just like the "normal" distribution.
> 
>   The distribution file names are:
> 
>   o openssl-0.9.6a.tar.gz [normal]
>   o openssl-engine-0.9.6a.tar.gz [engine]
> 
>   Yours,
>   The OpenSSL Project Team...
> 
> Mark J. Cox             Richard Levitte       Andy Polyakov
> Ralf S. Engelschall     Bodo Möller           Holger Reif
> Dr. Stephen Henson      Ulf Möller            Geoff Thorpe
> Ben Laurie              Lutz Jänicke
> 

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



Re:

2001-09-14 Thread vimarsh zutshi

Hello maya..
One of the x509 extensions is the extendedKeyUsage which can be
specified in the openssl configuration file in the section [ usr_cert ]
(x509 extensions to be added to a certificate signed by the CA) for
example the oid specified below is for ipsec but how do u go about
processing this field once the certificate is generated...i've no idea
abt that if someone can help on this even i will be benefited...

#Extended key usage for ipsec
extendedKeyUsage = 1.3.6.1.5.5.8.2.2

zutshi.

Original Message dated 9/14/01, 2:56:05 AM
Author: "Maya" <[EMAIL PROTECTED]>
Re: :

Hello!

Is it possible to add some new purpose to the already created certificate
request???
For example Certificate purpose CodeSigning with OID= 1.3.6.1.5.5.7.3.3

I hope somebody can help me?

Maya




Re:

2001-09-17 Thread vimarsh zutshi

Hello maya..
One of the x509 extensions is the extendedKeyUsage which can be
specified in the openssl configuration file in the section [ usr_cert ]
(x509 extensions to be added to a certificate signed by the CA) for
example the oid specified below is for ipsec but how do u go about
processing this field once the certificate is generated...i've no idea
abt that if someone can help on this even i will be benefited...

#Extended key usage for ipsec
extendedKeyUsage = 1.3.6.1.5.5.8.2.2

zutshi.

Original Message dated 9/14/01, 2:56:05 AM
Author: "Maya" <[EMAIL PROTECTED]>
Re: :

Hello!

Is it possible to add some new purpose to the already created certificate
request???
For example Certificate purpose CodeSigning with OID= 1.3.6.1.5.5.7.3.3

I hope somebody can help me?

Maya
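
The open question in the two posts above, how to process the extendedKeyUsage field once the certificate exists, comes down to walking a DER SEQUENCE OF OBJECT IDENTIFIER and comparing OIDs. The following is an added example, not code from the thread or from OpenSSL: a hand-written parser whose function names (`der_header`, `oid_to_text`, `eku_contains`) and sample bytes are constructed for illustration. It takes the extension's value bytes as input and does not locate the extension inside a certificate.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header at der[*pos] and move *pos to the value.
 * Single-byte tags and lengths below 65536 only; -1 if truncated or not DER. */
static int der_header(const unsigned char *der, size_t n, size_t *pos,
                      unsigned char *tag, size_t *len)
{
    size_t p = *pos, l;
    if (p >= n || n - p < 2) return -1;
    *tag = der[p++];
    l = der[p++];
    if (l & 0x80) {                                   /* long form */
        size_t k = l & 0x7f, min = (k == 1) ? 0x80 : 0x100;
        if (k == 0 || k > 2 || n - p < k) return -1;  /* k == 0: indefinite */
        for (l = 0; k > 0; k--) l = (l << 8) | der[p++];
        if (l < min) return -1;                       /* DER: shortest form only */
    }
    if (n - p < l) return -1;
    *pos = p;
    *len = l;
    return 0;
}

/* Convert the content octets of an OBJECT IDENTIFIER to dotted text. */
static int oid_to_text(const unsigned char *v, size_t len, char *out, size_t outsz)
{
    unsigned long arc = 0;
    size_t i, used = 0;
    int first = 1, w;
    if (len == 0 || (v[len - 1] & 0x80)) return -1;   /* last arc unfinished */
    for (i = 0; i < len; i++) {
        if (arc == 0 && v[i] == 0x80) return -1;      /* padded arc */
        if (arc > (ULONG_MAX >> 7)) return -1;        /* arc would overflow */
        arc = (arc << 7) | (v[i] & 0x7f);
        if (v[i] & 0x80) continue;                    /* arc continues */
        if (first) {              /* first group packs two arcs as 40*a + b */
            unsigned long a = arc < 80 ? arc / 40 : 2;
            w = snprintf(out + used, outsz - used, "%lu.%lu", a, arc - 40 * a);
            first = 0;
        } else {
            w = snprintf(out + used, outsz - used, ".%lu", arc);
        }
        if (w < 0 || (size_t)w >= outsz - used) return -1;
        used += (size_t)w;
        arc = 0;
    }
    return 0;
}

/* ExtKeyUsageSyntax is a non-empty SEQUENCE OF OBJECT IDENTIFIER.
 * Returns 1 if `wanted` is listed, 0 if not, -1 if the encoding is malformed. */
int eku_contains(const unsigned char *der, size_t n, const char *wanted)
{
    unsigned char tag;
    size_t pos = 0, len, end;
    int found = 0;
    char text[128];
    if (der_header(der, n, &pos, &tag, &len) != 0 || tag != 0x30) return -1;
    if (len == 0 || pos + len != n) return -1;        /* empty, or trailing bytes */
    end = pos + len;
    while (pos < end) {
        if (der_header(der, end, &pos, &tag, &len) != 0 || tag != 0x06) return -1;
        if (oid_to_text(der + pos, len, text, sizeof text) != 0) return -1;
        if (strcmp(text, wanted) == 0) found = 1;     /* keep parsing to the end */
        pos += len;
    }
    return found;
}

/* Constructed sample: an EKU value listing the two OIDs quoted in the thread. */
static const unsigned char SAMPLE_EKU[] = {
    0x30, 0x14,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, /* 1.3.6.1.5.5.7.3.3 */
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x08, 0x02, 0x02  /* 1.3.6.1.5.5.8.2.2 */
};

int main(void)
{
    printf("1.3.6.1.5.5.7.3.3 listed: %d\n",
           eku_contains(SAMPLE_EKU, sizeof SAMPLE_EKU, "1.3.6.1.5.5.7.3.3"));
    printf("1.3.6.1.5.5.7.3.1 listed: %d\n",
           eku_contains(SAMPLE_EKU, sizeof SAMPLE_EKU, "1.3.6.1.5.5.7.3.1"));
    return 0;
}
```

A verifier that requires a purpose should treat both 0 and -1 as a rejection, so that a malformed extension is never read as "purpose present".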




Re:

2001-10-23 Thread Sean O'Riordain

have a look in the demo directory of the source distribution!


hussein elharake wrote:
> 
> My problem that i dont have any source code example except those of the line
> command tool(ca, req, x509) wich they are too big
> 
> can you send me please a list of source codes examples ?



Re: ?????????

2001-11-28 Thread Mark W. Webb

On Wednesday 28 November 2001 01:50 pm, you wrote:

will this ever stop ?!?

Re:

2002-05-13 Thread Paul L. Allen

You appear to be using some sort of BSD compatibility mode on Solaris.
If you have a cc binary in /usr/ucb, *delete* it.  If you have /usr/ucblib
in your LD_LIBRARY_PATH, take it out.

Paul Allen

"Yarbrough, Jeff" wrote:
> 
> Keep getting a fatal error when trying to run the make command for openssl
> 
> Here is the error:
> 
> testing...
> cc -DMONOLITH -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -xtarget=u
> ltra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W
> -DULTRASPARC -DMD5_ASM
>  -c  speed.c
> ucbcc: Warning: Option
> -YP,:/usr/ucblib:/opt/SUNWspro/WS6U2/bin/../lib:/opt/SUNWspro/WS6U2/bi
> n:/usr/ccs/lib:/usr/lib passed to ld, if ld is invoked, ignored otherwise
> ucbcc: Warning: "-Xa" redefines compatibility mode from "SunC transition" to
> "ANSI"
> "/usr/ucbinclude/signal.h", line 49: syntax error before or at: int
> "/usr/ucbinclude/signal.h", line 49: warning: undefined or missing type for:
> int
> *** Error code 2
> make: Fatal error: Command failed for target `speed.o'
> Current working directory /usr/openssl-0.9.6c/apps
> *** Error code 1
> make: Fatal error: Command failed for target `apps'
> Current working directory /usr/openssl-0.9.6c/test
> *** Error code 1
> make: Fatal error: Command failed for target `tests'
> 
> Please share any insight into this.
> 
> Jeffery M. Yarbrough
> [EMAIL PROTECTED]

-- 
Boeing Phantom Works   \ Paul L. Allen, (425) 865-3297
Math & Computing Technology  \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group



RE: [SPAM] Re: [SPAM] Re: [openssl.org #961] typo in openssl.cnf

2004-10-28 Thread [EMAIL PROTECTED] via RT

I'm not sure what you mean. The Redhat part? The distros I have
been using to run openssl are mostly Redhat based. I mean no offense.
Just trying to help. :)

 Original Message 
Subject: [SPAM] Re: [SPAM] Re: [openssl.org #961] typo in openssl.cnf
From: "Eugen Leitl via RT" <[EMAIL PROTECTED]>
Date: Thu, October 28, 2004 8:51 am
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

I don't think you really wanted to write that:

On Thu, Oct 28, 2004 at 04:39:49PM +0200, [EMAIL PROTECTED] via RT wrote:
> I have had trouble with several versions of Redhat - RHEL3, Fedora core 1
> and 2, and RH9. I had no issues compiling the package, however when trying
> to sign the certs openssl would error out with this message:
>
> 12438:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632: Expecting ANY PRIVATE KEY
>
> Adding a space before the comment in line 46 in openssl.cnf resolved this
> issue and allowed me to sign the certs without any trouble.
>
> scott
>
> >  Original Message 
> > Subject: [SPAM] Re: [openssl.org #961] typo in openssl.cnf
> > From: "Richard Levitte - VMS Whacker via RT" <[EMAIL PROTECTED]>
> > Date: Wed, October 27, 2004 3:09 pm
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> >
> > In message <[EMAIL PROTECTED]> on Wed, 27 Oct 2004 22:44:56 +0200 (METDST),
> > "[EMAIL PROTECTED] via RT" <[EMAIL PROTECTED]> said:
> >
> > rt> This may be old news, but there is a typo in openssl.cnf included with
> > rt> the latest version of openssl that will error out the cert creation.
> > rt>
> > rt> line 46 is:
> > rt> private_key     = $dir/private/cakey.pem# The private key
> > rt>
> > rt> should be:
> > rt> private_key     = $dir/private/cakey.pem # The private key
> > rt>
> > rt> I have seen quite a few posts regarding the error that openssl throws if
> > rt> this isn't corrected.
> >
> > Eh, are you sure about this?  On what platform?
> >
> > The reason I ask is that 1) the tests (make test) run well, at least
> > on the machines where I have tested, and they do use apps/openssl.cnf,
> > and 2) in the source, there's nothing that I can see that requires the
> > comment starter to be preceded with a whitespace.
> >
> > Cheers,
> > Richard
> >
> > -
> > Please consider sponsoring my work on free software.
> > See http://www.free.lp.se/sponsoring.html for details.
> >
> > --
> > Richard Levitte                         [EMAIL PROTECTED]
> >                                         http://richard.levitte.org/
> >
> > "When I became a man I put away childish things, including
> > the fear of childishness and the desire to be very grown up."
> > -- C.S. Lewis

-- 
Eugen* Leitl leitl
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net



Re: [openssl.org #396] Re: AES cipher?

2002-12-12 Thread Lutz Jaenicke
On Thu, Dec 12, 2002 at 05:41:50PM +0100, Richard Levitte via RT wrote:
> I believe we can trace that back to ssl2.h, and remember that in SSL v2, there was
> only RSA for authentication...
> 
> Is this enough to resolve the ticket, or at least give it the milestone 0.9.8?

I'll leave it open for the moment and will see to add a corresponding
remark to verify.1 for resolving it over the weekend (in time for 0.9.7).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: [openssl.org #396] Re: AES cipher?

2002-12-12 Thread Lutz Jaenicke via RT

On Thu, Dec 12, 2002 at 05:41:50PM +0100, Richard Levitte via RT wrote:
> I believe we can trace that back to ssl2.h, and remember that in SSL v2, there was
> only RSA for authentication...
> 
> Is this enough to resolve the ticket, or at least give it the milestone 0.9.8?

I'll leave it open for the moment and will see to add a corresponding
remark to verify.1 for resolving it over the weekend (in time for 0.9.7).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: FW: Re: as/400 port?

2003-08-25 Thread Brian C Morris

George -

I built using the same tools - gmake,
icc, etc. I used the "standard" perl, the one that came with
the iSeries Tools for Developers, and did not recompile it. All the source
and perl files were marked CCSID 437, and everything was built for CCSID
37. 

My source modifications included ASCII/EBCDIC
translation tables from the QTCPASC and QTCPEBC tables in QUSRSYS. All
the tests run (via "make test") and pass (I did need to make
a few changes). I also convert all the test .cnf and .pem files to CCSID
37 to get the tests to pass.

The actual calling application I'm using
is built for CCSID 850; it just converts parameter data where necessary
when making openssl calls. Could you do the same from your CCSID 500 application?
I think it's only necessary when specifying filenames and such.

BTW, I'm unable to run the "openssl
speed" program - the process quits when it gets a SIGALRM. Did you
get this working? 

Thanks
Brian




-Original Message-
From: George Shaw [mailto:[EMAIL PROTECTED]
Sent: 22 August 2003 17:25
To: '[EMAIL PROTECTED]'
Subject: Re: as/400 port?


Hi Brian,

I started work on an AS/400 port last year, but was unable to complete the
task.  I had OpenSSL compiled (that was the easy part) and running some
manual tests, but had been unable to get the test environment working.  The
reason for this is that my project needed to build OpenSSL to run under
CCSID 500, and I was not able at the time to get Perl built for CCSID 500.
Then I was diverted onto other priorities (yes, for over a year).

As it happens, by coincidence, I now have some customers who need OpenSSL on
the AS/400, and I was just browsing the mailing lists to look at the current
status when I saw your latest contribution.

So a few quick questions.

1.  How does your port of OpenSSL to the AS/400 handle CCSIDs?

2.  What build environment are you using?  I used the IBM-supplied GNU
utilities, which includes gmake, gawk and icc (cc/gcc emulator), re-built
for use with CCSID 500, which means that I can use the standard OpenSSL
build method.

3.  Did you get the OpenSSL test environment working, i.e. using Perl?  If
so, was this a standard Perl, or a re-built Perl for a different CCSID?

If your work has not covered other CCSIDs, then I'd be happy to contribute
some work to make a CCSID 500 port, and possibly work towards getting
OpenSSL working on other CCSIDs.

G.


---
George Shaw
Senior Software Engineer
Axway
a Sopra Group company
Tel: +44 (0) 7802 452186
Fax: +44 (0) 1454 299684
email: [EMAIL PROTECTED]
www.axway.com
---




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Brian C Morris
Sent: 21 August 2003 12:57
To: [EMAIL PROTECTED]
Subject: Re: as/400 port?

I'm wrapping up my iSeries port and am wondering how best to submit it?
I've modified the 0.9.7b source - would diffs against this be easiest to
integrate?

Thanks
Brian





Re: [prcs] Re: prcs 2.0 security

1999-03-03 Thread Achim Bohnet

>>>Ben Laurie wrote:
 > Josh MacDonald wrote:
 > > The system will use authentication only, built upon the openssl library,
 > > which is available from outside the U.S.  Though SSL contains support for
 > > encryption, it will be disabled by selecting a NULL encryption cipher
 > > (which uses only a MAC, no confidentiality).  It is our belief that since
 > > PRCS will not itself contain any crypto code, and since it is only
 > > uses authentication, it will not be classified as an Encryption Item, and
 > > it can be freely exported.  I will obtain a formal opinion statement from
 > > another lawyer (my next legal fee) before going too far, for protection in
 > > case the BXA makes any action.
 > 
 > I'm sure everyone except me knows, but, errr, what is PRCS?

PRCS is like CVS.  But PRCS is much easier to use/understand IMHO.

From PRCS home page: http://www.XCF.Berkeley.EDU/~jmacd/prcs.html

...
PRCS, the Project Revision Control System, is the front end to a set of tools
that (like CVS) provide a way
to deal with sets of files and directories as an entity,
preserving coherent versions of the entire set. 
...
Future Enhancements

There are two "big" enhancements that are currently planned for PRCS.
The first, and most important, is to
add client/server functionality. The second is to add a programmable
interface -- once which allows the base
feature set to be extended in ways that are transparent to the user. 

We are currently working on the PRCS client/server design. Here is a brief discussion 
of what we have in
mind. 
...


Achim
 > 
 > Cheers,
 > 
 > Ben.



Re: re[2]: OpenSSL Error Handling

1999-03-30 Thread Bodo Moeller

> [...] I do not have a file called error.doc on my hard drive.

Actually, it's now part of doc/ssleay.txt.



Re: intro and Re: (const) des_ctype

1999-05-16 Thread Bodo Moeller

On Sat, May 15, 1999 at 06:12:25PM -0400, D. Hugh Redelmeier wrote:

> | From: Bodo Moeller <[EMAIL PROTECTED]>
> | Reply-To: [EMAIL PROTECTED]
> | Subject: (const) des_ctype
> | 
> | I have prepared a set of patches to the DES library that should solve
> | the const problem.
> 
> Pluto currently uses EAY's libdes.  I'd like to use OpenSSL for other
> things, perhaps conditionally.  I'd very much like it if the
> interfaces were identical.

I think with my patches it would be somewhere in between the libdes
interface and the current OpenSSL interface.  Originally,
SSLeay/OpenSSL used pointers to arrays, but the functions then used
lots of evil casts to convert those pointers into pointers to char.
Currently, there are pointers to the first elements of those arrays
(that's an incompatible pointer type, but the values look the same to
the processor).
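
Added example (not code from libdes, SSLeay or OpenSSL) for the parameter styles described in the message above: pointer to a whole array, the same pointer cast to a byte pointer, and pointer to the first element. The `des_cblock` typedef is assumed to match libdes; the function names are hypothetical and a byte-wise XOR stands in for the cipher.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the libdes typedef: a DES block or key is 8 bytes. */
typedef unsigned char des_cblock[8];

/* Pointer to the first element: const is easy to express, but the 8-byte
 * length is no longer part of the type, so a buffer of any size is accepted. */
void xor_elemptr(const unsigned char *in, unsigned char *out,
                 const unsigned char *key)
{
    size_t i;
    for (i = 0; i < sizeof(des_cblock); i++)
        out[i] = (unsigned char)(in[i] ^ key[i]);
}

/* Pointer to the whole array: the length is part of the parameter type, so
 * passing &buf for an unsigned char buf[4] is an incompatible pointer type. */
void xor_arrayptr(des_cblock *in, des_cblock *out, des_cblock *key)
{
    size_t i;
    for (i = 0; i < sizeof(*in); i++)          /* sizeof(*in) is 8 */
        (*out)[i] = (unsigned char)((*in)[i] ^ (*key)[i]);
}

/* Array-pointer interface with the casts the message objects to: the
 * pointers are converted to byte pointers at once, discarding the length. */
void xor_arrayptr_cast(des_cblock *in, des_cblock *out, des_cblock *key)
{
    xor_elemptr((unsigned char *)in, (unsigned char *)out,
                (unsigned char *)key);
}

/* "The values look the same to the processor": &blk and &blk[0] are the
 * same address once both are converted to void *. */
int same_address(void)
{
    des_cblock blk = {0};
    return (void *)&blk == (void *)&blk[0];
}

/* The pointee types differ, though, so p + 1 moves by different amounts. */
size_t stride_arrayptr(void)
{
    des_cblock two[2] = {{0}};
    des_cblock *p = &two[0];
    return (size_t)((unsigned char *)(p + 1) - (unsigned char *)p);
}

size_t stride_elemptr(void)
{
    des_cblock blk = {0};
    unsigned char *p = blk;                    /* array decays to &blk[0] */
    return (size_t)((p + 1) - p);
}

/* Run all three variants on constructed data; returns 1 if outputs match. */
int styles_agree(void)
{
    des_cblock in  = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
    des_cblock key = {0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00};
    des_cblock a, b, c;

    xor_arrayptr(&in, &a, &key);
    xor_arrayptr_cast(&in, &b, &key);
    xor_elemptr(in, c, key);
    return a[0] == 0xfe && memcmp(a, b, sizeof a) == 0
                        && memcmp(a, c, sizeof a) == 0;
}

int main(void)
{
    printf("same address: %d\n", same_address());
    printf("stride via array pointer: %lu, via element pointer: %lu\n",
           (unsigned long)stride_arrayptr(), (unsigned long)stride_elemptr());
    printf("all styles agree: %d\n", styles_agree());
    return 0;
}
```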



Re: intro and Re: (const) des_ctype

1999-05-16 Thread Bodo Moeller

"D. Hugh Redelmeier" <[EMAIL PROTECTED]>:

[...]
> I had a hard time finding documentation (I'm not alone in this).
> Ariel's documentation is very useful.  Is there something more
> tutorial?

I don't think so.

> I've downloaded openssl-0.9.2b.tar.gz to use.  I don't wish to be
> playing with unstable versions while I'm a newbie.  Is this a mistake?
> Is the latest snapshot likely to be a better bet?

OpenSSL 0.9.3 is scheduled to be released in eight days, and we have a
code-freeze now, so you might want to look at the current snap-shot
even if you are new to OpenSSL -- several problems of earlier versions
have been solved, and if there are problems left or if there are new
problems, we certainly want to hear about those so that we can fix
them in the released version.

> To use OpenSSL routines, I need to use OpenSSL headers.  The
> installation seems to put them in /usr/local/ssl/include/.  I think it
> would be good to put them in a directory "openssl" so that I can use
>   #include 
> if I add /usr/local/ssl/include/ to my search path.

I introduced exactly this kind of #include filenames three weeks ago;
see current snapshot.  We don't use #include  any more.

Also the configuration process is now configurable so that you can
choose other locations.  "./config --prefix=/usr/local" results in
the header files being installed in /usr/local/include/openssl, the
library files in /usr/local/lib, the "openssl" binary and the
"c_rehash" script in /usr/local/bin, and everything else under
/usr/local/ssl.

> Now that I've added header files from OpenSSL, I get a bunch
> of warnings.  Most of them seem to be of the form:
>   openssl_include/stack.h:73: warning: function declaration isn't a prototype
> The header line that provoked this is in the middle of a struct
> declaration:
> int (*comp)();
> This would be much improved by specifying the types of the arguments.
> This would allow the compiler to do better type checking and even
> appropriate argument conversions.  It would aid the user in figuring
> out what arguments are required.

We're currently discussing things like these -- there's a lot of such
cases left.  (Certainly this won't yet be completely done in the 0.9.3
release.)

> Another example I find particularly surprising is:
>   openssl_include/stack.h:82: warning: function declaration isn't a prototype
> STACK *sk_new(int (*cmp)());

> This declaration is inside #ifndef NOPROTO!

The NOPROTO macro is gone now, the library is being ANSIfied more and
more; but there are still function calls left where no argument list
has been declared.  In its last days, the NOPROTO was not meant to be
actually defined -- it was just there because the header files have to
be parseable by a certain Perl script that produces .def files for
Windows DLLs, and this Perl script couldn't handle function
prototypes.  But now we have a new version that can.



Re: intro and Re: (const) des_ctype

1999-05-16 Thread Dave Clark

At 06:12 PM 05/15/1999 , you wrote:
>I'm new to OpenSSL.  I'm interested in using it to add more
>authentication capabilities to FreeS/WAN's Pluto.  FreeS/WAN is a free
>implementation of IPSEC; Pluto is the IKE daemon.  Scary fact: I'm
>trying to get this done this week for testing at the VPN Interop.
>Luckily, Kasper Langkilde has made a start at this.
>
>As a newbie, I'm going to say naive things.  I hope you find this
>useful.
>
>I had a hard time finding documentation (I'm not alone in this).
>Ariel's documentation is very useful.  Is there something more
>tutorial?  Something that gives more of an overview?  Is there a
>reason not to include Ariel's documentation in the distribution?

I'm also a newbie who's interested in finding the most recent
OpenSSL documentation, particularly the X509[v3] component.

Where is "Ariel's documentation?"

- thanks
  Dave



Re: intro and Re: (const) des_ctype

1999-05-16 Thread Bodo Moeller

On Sun, May 16, 1999 at 09:04:28AM -0400, Dave Clark wrote:

> I'm also a newbie who's interested in finding the most recent
> OpenSSL documentation, particularly the X509[v3] component.
> 
> Where is "Ariel's documentation?"

At http://www.columbia.edu/~ariel/ssleay/ (see "Related" area at
www.openssl.org).  But it's not quite up-to-date, I'm afraid.



Re: intro and Re: (const) des_ctype

1999-05-17 Thread Ulf Moeller

> Ariel's documentation is very useful.  Is there something more
> tutorial?  Something that gives more of an overview?  Is there a
> reason not to include Ariel's documentation in the distribution?

One reason is that we still don't know whether or not we can include
it without violating American law.




Re: intro and Re: (const) des_ctype

1999-05-17 Thread Hugh Daniel

  While the USSA government has succeeded in FUD'ing you and preventing
the online publication of your documentation there is still the
possibility of publishing your doc in a useful paper form.

||ugh Daniel
[EMAIL PROTECTED]

Systems Testing & Project mis-Management
The Linux FreeS/WAN Project
http://www.xs4all.nl/~freeswan



Re: [OpenSSL@dcWWW.mch.sni.de: Re: SSLeay EBCDIC]

1999-05-18 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:

> I tried to Cc this to <[EMAIL PROTECTED]>, but it bounced.
> I'll re-try with <[EMAIL PROTECTED]>.
> You don't happen to use sendmail, do you?

We use Sendmail 8.9, but the Email addresses are case-sensitive.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: [Fwd: Re: Certificate date validation]

2005-04-12 Thread morchid fatima


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lev Walkin
Sent: Saturday, April 9, 2005 06:31
To: openssl-dev@openssl.org
Subject: [Fwd: Re: Certificate date validation]



Bommareddy, Satish (Satish) wrote:

> How do I check to see how many days are left for the validity of a
> certificate. Is there a openssl command which tells me the days or time
> left? 
> 
>  
> 
> X509_cmd_current_time returns a positive integer if a certificate is
> till valid?

No.

> What does this signify?

It's "cmp" (compare), not "cmd". It just returns -1, 0 or 1 when the
given time is less than, equal to, or greater than the current
wall clock time value. Consequently, you can't just use its return
value directly, as you'll have to compare TWO time values from the
certificate with the current wall clock.

1. Get the current wall clock time (time(3))
2. Fetch the notBefore and notAfter time values from the certificate.
These time values indicate the time range when the certificate is
valid. (Use X509_get_notBefore and X509_get_notAfter for fetching).
3. Compare the notBefore time with the wall clock time using
X509_cmp_time (which takes the time_t argument instead of re-evaluating
the wall clock time each time, as X509_cmp_current_time does).
If result is positive, then the notBefore time is greater than the
current time, hence the certificate is not _yet_ valid. Abort.
4. Compare the notAfter time with the wall clock time using
X509_cmp_time. If result is negative, then the notAfter time is
earlier than the current clock time, hence the certificate is
not valid anymore; abort.

> Is there a way to convert this to the time left?

No.

> What I am trying to do is write a app to check the certificate and give
> me the days left.

For this task, you'll have to

1. Extract the notAfter time value from the certificate
(X509_get_notAfter).
2. Convert that time into the number of seconds from epoch
(the same thing time(3) or gettimeofday(2) returns).
That is quite easy in case of valid DER encoded certificates,
which may not always be this way.
3. Subtract the time(3) value from the value from step 2.
4. Divide by 86400.
5. Voila, that would be the (possibly negative) number of days
left.


-- 
Lev Walkin
[EMAIL PROTECTED]
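
Both procedures from the reply above, as an added example that is not part of the original message and not OpenSSL code: it does the string-to-epoch conversion of step 2 by hand for the two DER time forms, then the validity check and the days-left arithmetic. The function names and the sample time strings are hypothetical; in a real program the strings would be the contents of the values returned by X509_get_notBefore and X509_get_notAfter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SECS_PER_DAY 86400LL

/* Days from 1970-01-01 to the given Gregorian date (can be negative). */
static long long days_from_civil(int y, int m, int d)
{
    long long era;
    int yoe, doy, doe;

    y -= (m <= 2);                       /* count the year from 1 March */
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = (int)(y - era * 400);
    doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/*
 * Convert the text of a DER UTCTime ("YYMMDDHHMMSSZ") or GeneralizedTime
 * ("YYYYMMDDHHMMSSZ") to seconds since the epoch.  Returns 0 on success,
 * -1 for anything else (missing seconds, offsets, fractions, bad dates).
 */
int asn1_time_to_epoch(const char *s, long long *out)
{
    static const int mdays[12] = {31,28,31,30,31,30,31,31,30,31,30,31};
    size_t len = strlen(s), i;
    int year, mon, day, hour, min, sec, dim;

    if ((len != 13 && len != 15) || s[len - 1] != 'Z')
        return -1;
    for (i = 0; i + 1 < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return -1;

    if (len == 13) {                     /* UTCTime: RFC 5280 pivot at 50 */
        year = two(s);
        year += (year >= 50) ? 1900 : 2000;
        s += 2;
    } else {                             /* GeneralizedTime: 4-digit year */
        year = two(s) * 100 + two(s + 2);
        s += 4;
    }
    mon = two(s);      day = two(s + 2);
    hour = two(s + 4); min = two(s + 6); sec = two(s + 8);

    if (mon < 1 || mon > 12 || hour > 23 || min > 59 || sec > 59)
        return -1;
    dim = mdays[mon - 1];
    if (mon == 2 && year % 4 == 0 && (year % 100 != 0 || year % 400 == 0))
        dim = 29;
    if (day < 1 || day > dim)
        return -1;

    *out = days_from_civil(year, mon, day) * SECS_PER_DAY
         + hour * 3600 + min * 60 + sec;
    return 0;
}

enum { CERT_BAD_TIME = -2, CERT_NOT_YET_VALID = -1, CERT_VALID = 0, CERT_EXPIRED = 1 };

/* Validity check: compare both bounds against one clock reading. */
int cert_validity(const char *not_before, const char *not_after, long long now)
{
    long long nb, na;

    if (asn1_time_to_epoch(not_before, &nb) != 0 ||
        asn1_time_to_epoch(not_after, &na) != 0)
        return CERT_BAD_TIME;
    if (nb > now)
        return CERT_NOT_YET_VALID;       /* notBefore is still in the future */
    if (na < now)
        return CERT_EXPIRED;             /* notAfter has already passed */
    return CERT_VALID;
}

/* Days left: (notAfter - now) / 86400; C division truncates toward zero. */
int cert_days_left(const char *not_after, long long now, long long *days)
{
    long long na;

    if (asn1_time_to_epoch(not_after, &na) != 0)
        return -1;
    *days = (na - now) / SECS_PER_DAY;
    return 0;
}

int main(void)
{
    /* Constructed sample values, in the form a certificate carries them. */
    const char *not_before = "040412000000Z", *not_after = "050412000000Z";
    long long now = (long long)time(NULL), days;

    printf("state: %d\n", cert_validity(not_before, not_after, now));
    if (cert_days_left(not_after, now, &days) == 0)
        printf("days left: %lld\n", days);
    return 0;
}
```

Time strings that are not in the strict DER form (no seconds, a numeric offset, fractional seconds) are rejected rather than guessed at, which is the case the reply warns about.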


Re: Re[2]: GMP vs BigNum

2005-08-30 Thread prakash babu
Hi Tony,
 
1. Build OpenSSL with an additional configure option "DOPENSSL_USE_GMP  -lgmp"
2. This will build an engine for gmp
3. Use the switch -engine gmp to make use of this engine at command line
 
--Prakash
[EMAIL PROTECTED] wrote:
> Hello Jack,
>
> Wednesday, August 10, 2005, 8:29:26 PM, you wrote:
>
> JL> OpenSSL does actually support GNU MP, as an engine, which means it
> JL> can be used if available, and if not, OpenSSL still works fine.
>
> I do have GMP v4.1.4 ported, how to tell OpenSSL 0.9.8 to use it?
>
> Tony.

Re: Re: [openssl.org #1521] bug report

2007-11-28 Thread [EMAIL PROTECTED] via RT
Hi Dmitri,

I guess you have raised this issue. I am also facing the same issue with the 
x86_64 Linux.

Did your problem get resolved? If yes please let me know the solution for it.

Thanks!!
With Best Regards
Rahul





Re: Re: [openssl.org #1521] bug report

2007-11-29 Thread Dmitri Dmitrienko
> Did your problem get resolved? If yes please let me know the solution for
> it.


Not yet.
For x86_64 I still link my library with 0.9.7 but didn't try the latest 
snapshot.
I'll give it a try soon and we'll see if anything has changed since my last 
attempt.
BTW, you can try to configure without asm and probably it will work. But 
performance won't be as good as it could.



Re: Re: [openssl.org #1521] bug report

2007-11-29 Thread chandok . r
Hello Andy,  
 
Thanks for the feedback on the issue. I am also facing the same issue with 
openssl 0.9.8 with x86_64 Linux. And the issue is only specific to x86_64 as I 
am using the lib for different platform and they are compiling fine.
 
It all worked fine with openssl 0.9.7 under the  
same platform. Do you have an idea why it did not conflict and why it  
started conflicting with 0.9.8?  
 
Please let me know in case there is any solution for this.

Thanks!!
Rahul  




Re: Re-installing on win prob

2000-09-22 Thread Shashank

but conio.h is there and in path confirmed..

Shashank wrote:

> I am following each line from install.win32 file..
>
> am using cygwin32
>
> > perl Configure VC-WIN32
>  > ms\do_ms
> >vcvars32
> >nmake -f ms\ntdll.mak
>  all are successful.
>
> > cd out32dll
>  > ..\ms\test
> fine..
>
> now for compiling OpenSSL for creating lib and bin when I do
>
> > ms\mingw32   or
> > ms\mingw32 no-asm
>  gives me following error
>
> /crypto/des/read_pwd.c:165: conio.h: No such file or directory
> make: *** [tmp/read_pwd.o] Error 1
>
> help me..
>
> shashank
>



Re: Re-installing on win prob

2000-09-22 Thread Richard Levitte - VMS Whacker

From: Shashank <[EMAIL PROTECTED]>

shashank> but conio.h is there and in path confirmed..

Where exactly is conio.h?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: Re-installing on win prob

2000-09-22 Thread Shashank

> conio.h is here:

C:\Program Files\Microsoft Visual Studio\VC98\Include\CONIO.H

>
>
>




>
> >
> > shashank> but conio.h is there and in path confirmed..
> >
> > Where exactly is conio.h?
> >
> > --
> > Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> > Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
> > Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
> > Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
> > Member of the OpenSSL development team: http://www.openssl.org/
> > Software Engineer, Celo Communications: http://www.celocom.com/
> >
> > Unsolicited commercial email is subject to an archival fee of $400.
> > See  for more info.




Re: Re: Incomplete implementation of ASN1_GENERALIZEDTIME

2001-09-28 Thread zero . knowledge

> I've just checked in a fix to the development version. Let me know of
> any problems.

> Steve.

I've just tried your fix and it works correctly. 
Thank you very much.

Regards,
MD







Re: RE: RE: RE: [openssl.org #1520] request for checking if -in and -out files are same

2007-04-25 Thread Victor B. Wagner
On 2007.04.25 at 01:55:23 -0700, David Schwartz wrote:

> 
> > For example, if we are running under Unix-style kernel, we can make
> > stat calls on both files. And if both st_dev and st_ino fields of
> > the resulting stat structures are same, we should consider files same.
> 
> Why? Suppose the filesystem internally uses inodes larger than the st_ino
> field. Is it guaranteed that a matching st_dev and st_ino field means the
> files are the same? Where is this guarantee?

Because these fields are intended for that very purpose we are using it.
So, if some operating system doesn't do it this way, it may be
considered bug in OS.

> Suppose the filesystem uses internal file versioning and the output file is
> a new version of the input. Will they have the same inodes or different
> ones? Do you know? I sure don't. (And I could think of reasons to do it
> either way.)

This should be conceptually considered overwriting file and require same
syntax. Any way, report an error is much better than silently corrupt
the file trying to read unencrypted data and write encrypted data into
it same time.

> Trying to keep the user from shooting himself in the foot risks shooting the
> user in the foot even when he did not ask.

User can easily work around this check using IO redirection,
so there is nothing wrong with too much strictness.

> > If we are running under DOS/Windows kernel, it is impossible to delete
> > open file. So, if we open input file, we can then try to unlink output
> > file, and if this fails, we should consider this fatal error (not
> > necessary files are same, but it is not safe to write to this file
> > anyway)
> 
> Why unlink the output file if the user didn't ask us to do that? That could
> destroy version history the user wanted to keep.
 
Yes, this is valid reason. It is not good to perform destructive
operation just for checking purpose. But DOS/Windows systems since DOS
2.0 have mandatory file locking (and OpenSSL wouldn't work on DOS 2.0
and early anyway). So, if we open input file in deny write mode (User
has asked us to read contents of this file hasn't he?) and then try open
output file in write mode, we should get sharing violation. 

> You can perhaps solve this problem by adding complexity, but the problem is
> that you are forcing the user to anticipate your "smart algorithm", how

Why anticipate? It should be documented. I think that saving user from
common mistake which can destroy data, deserves adding a bit of
complexity which may require some workaround in rare cases.
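
The Unix-side check discussed in this message (stat both paths and compare st_dev and st_ino), as an added example that is not part of the original message and not OpenSSL code. The function names and the temporary files under /tmp are constructed for the demonstration; whether a matching pair is a guarantee on every filesystem is exactly the question raised in the quoted text and is not settled by this code.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkstemp() and symlink() declarations */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns 1 if both paths name the same file (same device and inode),
 * 0 if they differ or the output does not exist yet, -1 on any other error.
 */
int same_file(const char *in_path, const char *out_path)
{
    struct stat in_st, out_st;

    if (stat(in_path, &in_st) != 0)
        return -1;                        /* input must be readable */
    if (stat(out_path, &out_st) != 0)
        return errno == ENOENT ? 0 : -1;  /* a new output file is fine */
    return in_st.st_dev == out_st.st_dev && in_st.st_ino == out_st.st_ino;
}

/*
 * Builds a constructed set of files and checks each case.
 * Returns 0 if every case behaves as commented, 1 if not, -1 on setup failure.
 */
int same_file_demo(void)
{
    char in[] = "/tmp/samefile_XXXXXX";
    char hard[64], soft[64], other[64], missing[64];
    FILE *f;
    int fd, ok;

    if ((fd = mkstemp(in)) < 0)
        return -1;
    close(fd);
    snprintf(hard, sizeof hard, "%s.hard", in);
    snprintf(soft, sizeof soft, "%s.soft", in);
    snprintf(other, sizeof other, "%s.other", in);
    snprintf(missing, sizeof missing, "%s.missing", in);

    if ((f = fopen(other, "w")) == NULL)
        return -1;
    fclose(f);
    if (link(in, hard) != 0 || symlink(in, soft) != 0)
        return -1;

    ok = same_file(in, in) == 1          /* identical path */
      && same_file(in, hard) == 1        /* hard link: other name, same inode */
      && same_file(in, soft) == 1        /* stat() follows the symlink */
      && same_file(in, other) == 0       /* unrelated existing file */
      && same_file(in, missing) == 0     /* output not created yet */
      && same_file(missing, in) == -1;   /* missing input is an error */

    unlink(hard);
    unlink(soft);
    unlink(other);
    unlink(in);
    return ok ? 0 : 1;
}

int main(void)
{
    int r = same_file_demo();

    printf("%s\n", r == 0 ? "all cases behaved as expected" : "unexpected result");
    return r != 0;
}
```

The hard-link and symlink cases are the ones a comparison of the path strings would miss.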



Re: [openssl.org #75] Re: [openssl.org #101] Re: [ANNOUNCE] OpenSSL0.9.7 beta 2 released

2002-06-23 Thread Doug Kaufman

On Sun, 23 Jun 2002, Richard Levitte - VMS Whacker via RT wrote:

> In message <[EMAIL PROTECTED]> on Mon, 17 Jun 2002 10:01:27 
>+0200 (METDST), "Lutz Jaenicke via RT" <[EMAIL PROTECTED]> said:
> 
> rt> Obviously Richard missed your submission before leaving for a short
> rt> vacation (he took responsibility for Ticket #75, so I didn't want to
> rt> interfere with him).
> rt> I have bounced your submissions into the request tracker (they were
> rt> sent to openssl-dev instead of rt) so that they won't get lost.
> rt> Probably Richard will take care of it once he is back, so that
> rt> the fixes will be part of beta3.
> 
> I'll take care of it in the next few days...

I just discovered that the latest patch I submitted for DOS was
dependent on the SHELL environment variable being set to the bash
binary, which will frequently not be the case. This revised patch
(attached) should work regardless of the SHELL setting in DOS. This
does not include the CYGWIN changes I submitted for ticket #76.

Doug
__ 
Doug Kaufman
Internet: [EMAIL PROTECTED]


--- openssl-0.9.7/Configure.orig2002-06-14 12:11:26.0 -0800
+++ openssl-0.9.7/Configure 2002-06-23 22:10:14.0 -0800
@@ -7,6 +7,7 @@
 
 require 5.000;
 use strict;
+use Cwd;
 
 # see INSTALL for instructions.
 
@@ -520,7 +521,7 @@
 "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 
-Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
 
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer 
-O2 -Wall:::MSDOS:-L$ENV{DJDIR}/watt32/lib -lwatt:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}::",
+"DJGPP", "gcc:-I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer 
+-O2 -Wall:::MSDOS:-L/dev/env/DJDIR/watt32/lib -lwatt:BN_LLONG ${x86_gcc_des} 
+${x86_gcc_opts}::",
 
 # Ultrix from Bernhard Simon <[EMAIL PROTECTED]>
 "ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::",
@@ -1441,10 +1442,17 @@
 } else {
my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
my $make_targets = "";
+   my $skip_dir;
+   my $crypto = "crypto/";
+   my $curr_dir = cwd;
$make_targets .= " links" if $symlink;
$make_targets .= " depend" if $depflags ne "" && $make_depend;
(system $make_command.$make_targets) == 0 or exit $?
if $make_targets ne "";
+   foreach $skip_dir (@skip) {
+   chdir $crypto.$skip_dir && system ("make links PERL=\'$perl\' -f 
+Makefile.ssl");
+   chdir $curr_dir;
+}
if ( $perl =~ m@^/@) {
&dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' 
. $openssldir . '";');
&dofile("apps/der_chop",$perl,'^#!/', '#!%s');
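Review bot: in the added `foreach $skip_dir (@skip)` loop the result of `system ("make links ...")` is thrown away, while the call just above it uses `(system ...) == 0 or exit $?`. A failed `make links` in a skipped directory, or a failed `chdir $curr_dir`, would go unnoticed; check both the same way. The loop also runs whether or not `$symlink` is set, unlike the ` links` target a few lines earlier, so guard it with the same condition or say why it is unconditional.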
--- openssl-0.9.7/Makefile.org.orig 2002-06-20 12:09:38.0 -0800
+++ openssl-0.9.7/Makefile.org  2002-06-23 17:27:38.0 -0800
@@ -600,7 +600,7 @@
do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making dependencies $$i..." && \
-   $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' 
MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) 
|| exit 1; \
+   $(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' 
+MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) 
+|| exit 1; \
fi; \
done;
 
--- openssl-0.9.7/crypto/engine/hw_aep.c.orig   2002-03-07 20:07:44.0 +
+++ openssl-0.9.7/crypto/engine/hw_aep.c2002-06-14 20:22:30.0 +
@@ -60,7 +60,7 @@
 #include 
 
 #include 
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)
 #include 
 #include 
 #else
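Review bot: `#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)` puts a compiler test inside an OS test without saying why. Add a comment that DJGPP provides the headers in this branch even though OPENSSL_SYS_MSDOS is defined, or define one feature macro for it so other files do not have to repeat the compiler check.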
--- openssl-0.9.7/util/domd.orig2002-06-05 00:09:16.0 -0800
+++ openssl-0.9.7/util/domd 2002-06-14 07:54:22.0 -0800
@@ -17,7 +17,7 @@
 if [ "$MAKEDEPEND" = "gcc" ]; then
 sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
-gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp
+gcc -D OPENSSL_DOING_MAKEDEPEND -M ${CFLAG} $@ >> Makefile.tmp
 ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
 rm -f Makefile.tmp
 else
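Review bot: `${CFLAG}` is added only on the `gcc ... -M` line, so the `else` branch that follows still generates dependencies without the compiler flags and the two paths can now disagree. If that is intended, say so in a comment; otherwise pass the flags there as well. The variable is also expanded unquoted and is empty unless the Makefile.org change is applied too, so the two hunks need to land together.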



Re: Openssl-SNAP-20050129 Re: Openssl-SNAP-20050125 Re: Openssl-SNAP-20050124

2005-01-29 Thread Andy Polyakov
> ... ./sha512t
> Illegal instruction
> *** Error code 132

This means that your kernel does not support SSE2 and you have no other 
choice but to configure with no-sse2 and give up SSE2 enhancements. I'm 
sorry if I've led you to wrong expectations, but my BSD experience was 
not broad enough to foresee this. A.


Re: Openssl-SNAP-20050129 Re: Openssl-SNAP-20050125 Re: Openssl-SNAP-20050124

2005-01-29 Thread The Doctor
On Sat, Jan 29, 2005 at 06:23:29PM +0100, Andy Polyakov wrote:
> >... ./sha512t
> >
> >Illegal instruction
> >
> >*** Error code 132
> 
> This means that your kernel does not support SSE2 and you have no other 
> choice but to configure with no-sse2 and give up SSE2 enhancements. I'm 
> sorry if I've led you to wrong expectations, but my BSD experience was 
> not broad enough to foresee this. A.

Will future openssl releases have the no-sse2 option?


-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Birthdate: 29 Jan 1969 Redhill, Surrey, England, UK


RE: Openssl-SNAP-20050129 Re: Openssl-SNAP-20050125 Re: Openssl-SNAP-20050124

2005-01-29 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Andy Polyakov
> Sent: Saturday, January 29, 2005 9:23 AM
> To: openssl-dev@openssl.org
> Subject: Re: Openssl-SNAP-20050129 Re: Openssl-SNAP-20050125 Re:
> Openssl-SNAP-20050124
> 
> 
> > ... ./sha512t
> > 
> > Illegal instruction
> > 
> > *** Error code 132
> 
> This means that your kernel does not support SSE2 and you have no other
> choice but to configure with no-sse2 and give up SSE2 enhancements. I'm
> sorry if I've led you to wrong expectations, but my BSD experience was
> not broad enough to foresee this. A.

Andy, please put the following in the README for OpenSSL:

FreeBSD SSE Support:

FreeBSD's kernel can be recompiled with one or more of the following
options to enable SSE2 instructions, depending on the level of
brokenness of your motherboard:

#
# CPU_ATHLON_SSE_HACK tries to enable SSE instructions when the BIOS has
# forgotten to enable them.
# 
# CPU_ENABLE_SSE enables SSE/MMX2 instructions support.
#

See the LINT file for your version of FreeBSD, kernel recompilation
instructions are in the FreeBSD Handbook.



Ted





Re: [openssl.org #148] Re: 0.9.7 PATCH (strcasecmp)

2002-07-16 Thread Tim Rice

On Tue, 16 Jul 2002, Richard Levitte via RT wrote:

>
> Quick question: does string.h in Unixware define strcasecmp()?

It's not defined in string.h but that wouldn't really matter.
strcasecmp() returns an int

I just tested changing to string.h and it works fine.

Hmm looking at the apps/apps.c and apps/ca.c again I see string.h was
already included.

So this should be fine.

--- apps.c.orig Tue Jun 18 10:44:01 2002
+++ apps.c  Tue Jul 16 13:10:21 2002
@@ -128,8 +128,6 @@

 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
-#else
-#include 
 #endif

 #ifdef OPENSSL_SYS_WINDOWS
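Review bot: removing the `#else` branch leaves non-Windows builds with no header known to declare strcasecmp(); the message itself says UnixWare's string.h does not define it, so the calls compile only through an implicit int declaration. Keep an explicit declaration for that case, along the lines of the `#ifdef NO_STRINGS_H` / `int strcasecmp();` fallback quoted from the February patch, so that platforms which do have the header still get a prototype.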
--- ca.c.orig   Sun May 19 09:32:20 2002
+++ ca.cTue Jul 16 13:10:40 2002
@@ -79,8 +79,6 @@

 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
-#else
-#include 
 #endif

 #ifndef W_OK
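Review bot: this is the same two-line removal as in apps.c, which leaves the `#define strcasecmp _stricmp` block duplicated in two files with nothing tying them together. Moving the block into a header both files already include would keep apps.c and ca.c from drifting apart the next time it changes.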

>
> strings.h is non-standard while string.h is standard, as far as I
> know.  We should change that in any case, unless someone has a
> different opinion.
>
> [[EMAIL PROTECTED] - Mon Jul 15 09:33:16 2002]:
>
> >
> > This patch seems to have been lost. I'm resending the patch
> > against the OpenSSL_0_9_7-stable branch (Jul 13)
> >
> > I'd like to have my UnixWare platforms working before I look at
> > my SCO platforms.
> >
> > On Sun, 17 Feb 2002, Tim Rice wrote:
> >
> > >
> > > Attached is a patch against the OpenSSL_0_9_7-stable branch (Feb
> 17)
> > > that fixes the build on UnixWare 2.x
> > >
> > > Files changed: Configure, apps/apps.c, and apps/ca.c
> > >
> > > I've added -lresolv so it can find strcasecmp().
> > >
> > > UnixWare 2.0x does not have strings.h so I changed apps.c and
> ca.c
> > It has string.h
> > > ...
> > > #  ifdef NO_STRINGS_H
> > > int   strcasecmp();
> > > #  else
> > > #include 
> > > #  endif /* NO_STRINGS_H */
> > > ...
> > >

-- 
Tim RiceMultitalents(707) 887-1469
[EMAIL PROTECTED]









Re: RE : DH and RSA for TLS

2003-01-15 Thread Lutz Jaenicke
On Wed, Jan 15, 2003 at 01:27:58PM +0100, p b wrote:
> I use now the DH-RSA-AES128-SHA cipher.
> 
> I have made a .pem file with my DH parameters. I load them using the
> PEM_read_DHparams function.
> 
> HOW DO YOU PUT THOSES PARAMETERS IN THE SSL_CTX (if needed)?

man SSL_CTX_set_tmp_dh_callback

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: RE : Build openssl-SNAP-20030529 (Windows)

2003-06-01 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Sat, 31 May 2003 14:54:09 +0200, "p b" <[EMAIL 
PROTECTED]> said:

phbgt> "When I configure openssl-SNAP-20030529 with ms/do_ms, and then I compile
phbgt> with nmake -f ms\nt.mak, store.h is not copied in /inc32/openssl
phbgt> 
phbgt> 
phbgt> If I copy that file, there's an incompatibility signed/unsigned in
phbgt> crypto/ecdh/ech_ossl.c line 193.
phbgt> 
phbgt> I had made a cast (size_t), 
phbgt> 
phbgt> Then in crypto\engine\eng-ctrl.c line 281, I get the message :
phbgt> 
phbgt> Warning C4113 : 'void <_cdecl *><>' is different than 'void <_cdecl
phbgt> *>' 
phbgt> For the 5th parameters 
phbgt> "

I've fixes for that in my work directory, just haven't committed yet.
I'm currently running a test compile to make sure I got everything
right.

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.


Re: RE : Patch: cswift engine openssl-0.9.7c

2004-02-12 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Thu, 12 Feb 2004 17:52:18 +0100, "Frederic Donnat" 
<[EMAIL PROTECTED]> said:

frederic.donnat> I see that you were able to solve the problem! ;)
frederic.donnat> I hope our "engine" was able to help you.
frederic.donnat> Nice analysis on your part in any case! ;)
frederic.donnat> However, this restriction comes from a 32-bit alignment problem in the
frederic.donnat> chip and therefore the driver, etc ... and I am not sure that your patch remains
frederic.donnat> valid on 64-bit platforms (in particular with the little- and big-endian formats)

If anyone needs a translation, let me know :-).

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.


RE : RE : using DES hardware with openssl

2004-06-29 Thread Frédéric Donnat
Hi,

In fact, we load our driver in the "zencod_init()" function using the 
ptr_zencod_board_status() fct call.
This function performs a test (board status), and load the driver (if not loaded) 
through a small crypto API named zenbridge.

Fred

-Original Message-
From: Ioannis Liverezas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 29, 2004 15:45
To: Frédéric Donnat; [EMAIL PROTECTED]
Subject: RE : using DES hardware with openssl


Thanx to all for your help.
I 've studied the engine API and the zencod code and I began coding 
using zencod as an example.
I 'm not sure if this is the way that things work, but if I 'm right, 
each time the engine needs for example
to encrypt or decrypt a data buffer, it has to open and close the device 
(eg /dev/encdev). This is done
by the zencod library, each time, eg for the case of cbc, the function  
ptr_zencod_xdes_cipher  is called. Is this right or wrong?
If it is correct, this will cause a performance loss. If so, how should 
the device be opened and closed
for the best performance?
If  I am wrong, I was unable to find out where the engine opens or 
closes the device.  Could  you please
tell me how and where this is done (in the case of zencod)?




Re: RE : using DES hardware with openssl

2004-07-02 Thread Michal Ludvig

Ioannis Liverezas told me that:

> I 've studied the engine API and the zencod code and I began coding
> using zencod as an example.
> I 'm not sure if this is the way that things work, but if I 'm right,
> each time the engine needs for example
> to encrypt or decrypt a data buffer, it has to open and close the device
> (eg /dev/encdev).

What kind of hardware device do you have? Maybe you could do all the
stuff in the engine module itself, similar to what I do in the VIA
PadLock engine module: http://www.logix.cz/michal/devel/padlock/
(I'm not using any external libraries nor calls to the kernel)

Or leave it in the separate shared library, but entirely in the
userspace, i.e. no context switches to kernel through /dev/something.

It only depends on what the hardware needs and offers...

Michal Ludvig
- --
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal


Re: [ID 19990731.002] Re: mod_perl + openssl (fwd)

1999-08-02 Thread CyberPsychotic

[openssl people: sorry for crosspost, I just hope you could have something
to add to our discussion. We basically talk about the problem with compiling
openssl+apache+mod_perl. Since crypto/des/des.h file defines _ as ks._ (if
my memory doesn't fail) and perl's config.h file uses `_' symbol for ansi
prototypes definition, which I felt was rather non-standard (I suggested
__P instead)]

~~ 
~~ It's funny that I just hit this too... but I don't fault it to perl... I
~~ fault it to openssl. What kind of product has an include file that it intends
~~ to be used by others define '_' to 'x._' or whatever it was?

:-) actually I haven't figured out if openssl needed that at all. At least I
grepped source with find and didn't find any reference on `_' definition.
Maybe DES requires this name to be defined (or maybe I missed something)?
 
~~ Why can't openssl just be fixed?

no ideas. I mailed to openssl list a while ago, but the only responses I've
been getting were private mails asking how did I fix this problem myself.

~~ In my experience, both _, and __P are used for ansi prototypes. Heck, I've
~~ used both before.

Well, recently I've been into BSD a lot, and __P is the only symbol used for
ansi prototypes there. Not quite sure of other Unix clones.

~~ 
~~ mark (who when after compiling openssl, just removed the "define _" section
~~   as it doesn't seem to be necessary for compilation of apache...)

Well, as you probably have noticed from my patch, I did approximately the
same (just added #ifdef MOD_PERL there ;-))


 regards
~Fyodor
-- 
http://www.kalug.lug.net/  PGP key: hkp://keys.pgp.com/cyberpsychotic
http://www.kalug.lug.net/fygrave  email:[EMAIL PROTECTED]

``the government isn't solution to our problems. The government is the problem.''



Re: [ID 19990731.002] Re: mod_perl + openssl (fwd)

1999-08-02 Thread Bodo Moeller

On Tue, Aug 03, 1999 at 03:50:01PM +0400, CyberPsychotic wrote:

> [openssl people: sorry for crosspost, I just hope you could have something
> to add to our discussion. We basically talk about the problem with compiling
> openssl+apache+mod_perl. Since crypto/des/des.h file defines _ as ks._ (if
> my memory doesn't fail) and perl's config.h file uses `_' symbol for ansi
> prototypes definition, which I felt was rather non-standard (I suggested
> __P instead)]

This definition no longer exists in OpenSSL.  Please get a recent
snapshot from  (OpenSSL 0.9.4
is going to be released soon, so the codebase is quite stable now --
and if there are any problems with the current code, they'll hopefully 
be found before the new version is released).

> What kind of product has an include file that it intends
> ~~ to be used by others define '_' to 'x._' or whatever it was?

> :-) actually I haven't figured out if openssl needed that at all. At least I
> grepped source with find and didn't find any reference on `_' definition.
> Maybe DES requires this name to be defined (or maybe I missed something)?

That definition existed for compatibility with the DES implementation
in Kerberos (the SSLeay/OpenSSL libraries use a union that contains a
struct where Kerberos has directly the struct with that _ member).

There are other programs too that use some _ macro -- as I wrote
in an earlier message,

< For some reason, everyone thinks that no one else would be so stupid as
< to call a macro _, and this results in lots of conflicts when you're
< trying to mix software of different origin.
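
The collision discussed in this thread, as an added example that is not part of the original posts and not code from OpenSSL, Kerberos or perl: the struct layouts are constructed stand-ins, and the `_(args)` prototype macro is an assumed form of what perl's config.h defines. It shows the compatibility macro scoped with `#undef` so that a later header can reuse `_`.

```c
#include <string.h>

/* Constructed stand-ins for the two layouts described in the thread. */
typedef unsigned char cblock[8];

/* Kerberos-style: the key-schedule struct holds the `_` member directly. */
typedef struct { cblock _; } krb_ks;

/* SSLeay/OpenSSL-style: a union named `ks` wraps the same `_` member. */
typedef struct {
    union { cblock _; unsigned long pad[2]; } ks;
} ssl_ks;

/* Source written for the Kerberos layout reads the member as sched->_ */
unsigned char krb_first_byte(const krb_ks *sched)
{
    return sched->_[0];
}

/* Compatibility macro as quoted in the thread: the same expression
 * sched->_ is rewritten to sched->ks._ for the union layout. */
#define _ ks._
unsigned char ssl_first_byte(const ssl_ks *sched)
{
    return sched->_[0];          /* expands to sched->ks._[0] */
}
#undef _   /* scope the macro: nothing after this line sees it */

/* Assumed shape of an ANSI-prototype macro. If `_` were still `ks._`
 * here, the declaration below would expand to
 * `int add ks._((int a, int b));` and fail to compile. */
#define _(args) args
int add _((int a, int b));
#undef _

int add(int a, int b) { return a + b; }

/* Returns 1 when both layouts yield the same byte through `->_`. */
int compat_access_matches(void)
{
    krb_ks k;
    ssl_ks s;
    memset(&k, 0, sizeof k);
    memset(&s, 0, sizeof s);
    k._[0] = 0x5a;
    s.ks._[0] = 0x5a;
    return krb_first_byte(&k) == 0x5a && ssl_first_byte(&s) == 0x5a;
}
```
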



Re: Fw: Re: memory leaks in SSLeay_add_all_algorithms?

2000-03-15 Thread Bodo Moeller

Richard Levitte - VMS Whacker <[EMAIL PROTECTED]>:

> Might be a good idea...

> From: "Richard Dykiel" <[EMAIL PROTECTED]>
> To: "Richard Levitte - VMS Whacker" <[EMAIL PROTECTED]>
>
> A suggestion however?
> 
> Not a top priority, but it would be nice to clean up these leaks, [...]

There are no known leaks.  Run openssl s_client or anything in a debugging
configuration with -DCRYPTO_MDEBUG_ALL and you'll see it yourself.



Re: [Pkg-openssl-devel] Re: symbol versioning

2005-10-12 Thread Christoph Martin
Hi Johnny,

Johnny C. Lam schrieb:
> I think we could solve this by just properly versioning the shared
> libraries?  Currently, the shared library versions match the OpenSSL
> version number, which is completely wrong for platforms that use ELF or
> a.out linkage.  The fact that 0.9.8 and 0.9.7 have conflicting ABIs
> should imply that the shared libraries for 0.9.8 need to have a higher
> major version number than the shared libraries for 0.9.7.

We had this discussion before. The openssl team still declares openssl
as not ready. They said that they will not use another versioning scheme
until 1.0 is out. At the moment 0.9.7 or 0.9.8 are the "major versions".
The characters behind the numbers are the minor version numbers.
Normally the ABI does not change between the "major versions". (Well
they actually did in the late 0.9.7 versions for ia64). All the
distributions (I know) use these version numbers as sonames. So this is
correct.

But it is not enough, because as I said, different libraries could link
against different (major) versions of openssl and so cause conflicts.

Christoph

-- 

Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  [EMAIL PROTECTED]
  Telefon: +49-6131-3926337
  Fax: +49-6131-3922856




Re: [openssl.org #1494] Re: Openssl Installation Error

2007-03-01 Thread Andy Polyakov via RT
> I tried to install the Openssl and failed on the "make test" step. Would you
> help me with the error message?

./README contains instructions on how to collect information required 
when you file a problem report.

 > ../util/shlib_wrap.sh ./destest
 > make[2]: *** [test_des] Segmentation Fault

But if you run Solaris x86 and compile with gcc, then you most likely 
want to have a closer look at ./PROBLEMS, "Bugs in gcc triggered" section, 
last entry. A.




Re: re[2]: .NET version of OpenSSL

2002-03-13 Thread Geoff Thorpe

Hi there,

On Thursday 14 March 2002 10:13, Jeff Roberts wrote:
> A .NET port of OpenSSL would require replacing the C style DLL interface
> with a .NET Object DLL.  The OpenSSL source code would have to be able to
> be compiled under the C# (pronounced c sharp) compiler.  Microsoft has
> just released Visual Studio 7.0.  Version 7.0 produces .NET dll's, exe's,
> etc.  The new framework that is required to execute a .NET component (dll
> or exe) is called the common language runtime (CLR).  A .NET component
> gets just in time compiled (JIT) when it is needed and optimized for the
> operating system and hardware it is running under.  When future 64 bit
> versions of Windows arrive, .NET components will already be 64 bit when
> run under the new operating system.

This sounds absolutely horrible. Why don't we just port OpenSSL to java 
which has already been doing this same thing for a while now?

> The C# language is NOT a superset of the C or C++ languages.  Porting
> OpenSSL would be a real job!

A real *painful* job. But by all means, go ahead.

> I believe that most future software development is and will be done as a
> .NET component and that if OpenSSL is not ported to it, then OpenSSL will
> die the same fate as Windows 3.1

Ah yes, I forgot; Win64/.NET - the enterprise platform of the future.

We have nothing against you porting OpenSSL (or any part of it) to toy 
operating systems and/or half-baked enterprise-windows-beans (or "windows 
enterprise baked beans", if you prefer) but don't expect OpenSSL itself to 
*move* to this new language ... the real business of computing, and 
*especially* security-related computing tasks, lives in a predominantly 
more unix/C/C++ world than you probably believe. There's no way we'll move 
wholesale over to Microsoft's toy language + platform, forsaking all of 
that on the off-chance that, contrary to all Microsoft innovation in the 
past, .NET and C# will actually revolutionise the industry and take us to 
unparalleled network bliss.

If you can isolate the required changes to support C#/.NET, and provide a 
non-intrusive way to support that in OpenSSL's source tree, we would be 
happy to incorporate your contributions.

Cheers,
Geoff




RE: re[2]: .NET version of OpenSSL

2002-03-13 Thread Neff Robert A

>I believe that most future software development is and will
>be done as a .NET component and that if OpenSSL is not ported
>to it, then OpenSSL will die the same fate as Windows 3.1 

You're joking, right?  You don't honestly believe that .NET
is going to eliminate the need for real UNIX servers, which
by the way, power the majority of commercial Internet sites,
and are written in C/C++.

.NET performance?  Stability?  Maturity?  Security?
M'think you've succumbed to reading way too many Microsoft
Marketecture material lately.


