Re: rc2 encryption with 128 bit key

2000-02-16 Thread Amit

Hi,
I think the problem lies with the browser. The browser seems to be an
export version so strong encryption algorithms have been disabled. This
means that in the client_hello the browser's list of available ciphers
will be null and so the connection fails. What you could do is run openssl
tool s_server in the debug mode and actually find out the cipher list that
the browser sends to the server.


:) Amit.


vijay karthik wrote:

> Hi!
>
> I selected the "RC2/RC4 encryption with 128 bit key"
> cipher for SSL connection from my browser.
> I tried to connect to the apache listener (with
> openssl), and it fails to connect, whereas RC2/RC4
> with 40bit key succeeds. Does this mean the apache
> server is a 40 bit server?
>
> Is there anything I should do during the Build,
> to get a 128 bit apache-openssl server?
>
> Is there a way of finding out if the server
> I am using is a 40 bit or 128 bit one?
>
> thanks
> Vijay

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



"expecting an asn1 sequence" error - HELP!

2000-02-16 Thread Sergio Salvi

Hi guys!

I'm having the following problem when trying to start apache 1.3.11 with
mod_ssl 2.5.0 and openssl 0.9.4:

mod_ssl: Init: Unable to read server certificate from file
/usr/local/ssl/certs/compras.uol.com.br.gid (OpenSSL library error
follows)
OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an
asn1 sequence

In my apache conf file:

---
SSLEnable
SSLCertificateFile /usr/local/ssl/certs/server.gid
SSLCertificateKeyFile /usr/local/ssl/private/server.key
SSLCertificateChainFile /usr/local/ssl/certs/verisign.chain
SSLLogLevel trace
---

Where server.gid is a base64 pem encoded global id certificate and
"verisign.chain" is the chain file that I've got from Verisign. I can do
an "openssl verify verisign.chain", but when I try an "openssl verify
server.gid" I get the error:

server.gid: unable to load certificate file
927:error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an
asn1 sequence:x_cinf.c:106:address=1131914 offset=0
927:error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1
error:x_x509.c:99:address=1131912 offset=2
927:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
lib:pem_lib.c:239:

Has anyone who had this problem solved it? I hope so :) But how?

Thanks in advance!
Sergio Salvi.
Sao Paulo/SP/Brazil.
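A check worth running on a file that makes OpenSSL say "expecting an asn1 sequence", added here as an example and not part of the original thread or of OpenSSL: it first classifies the container (PEM armour, raw DER, or bare base64 with no BEGIN/END lines) and then inspects only the outer DER envelope that d2i_X509 and d2i_X509_CINF parse first, i.e. a SEQUENCE whose first element is again a SEQUENCE (the tbsCertificate). The sample inputs are constructed and are not real certificates; classify_cert_file and der_outline are this example's own names.

```python
import base64
import binascii
import re

# Constructed sample inputs for this example; none of them is a real
# certificate. Only the outer bytes matter here: an X.509 file must start with
# a DER SEQUENCE (0x30) whose first element is again a SEQUENCE (tbsCertificate).
MINIMAL_DER = bytes.fromhex("30 07 30 05 02 03 01 00 01")
PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(MINIMAL_DER)
            + b"-----END CERTIFICATE-----\n")
PEM_PKCS7 = PEM_CERT.replace(b"CERTIFICATE", b"PKCS7")      # a bundle, not a cert
BARE_B64 = base64.encodebytes(MINIMAL_DER)                   # body with no armour
PEM_GARBAGE = b"-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)
B64_ONLY = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def der_outline(der: bytes) -> dict:
    """Inspect only the outer DER envelope: tag, length and the first inner tag."""
    out = {"outer_sequence": False, "length_ok": False, "tbs_sequence": False}
    if len(der) < 2 or der[0] != 0x30:
        return out
    out["outer_sequence"] = True
    if der[1] < 0x80:                          # short-form length
        hdr, length = 2, der[1]
    else:                                      # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return out
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    out["length_ok"] = len(der) == hdr + length
    out["tbs_sequence"] = len(der) > hdr and der[hdr] == 0x30
    return out


def classify_cert_file(data: bytes) -> dict:
    """Report which container a certificate file uses and why d2i_X509 would
    or would not accept it. Returns {"container", "label", "usable", "reason"}."""
    def result(container, label, usable, reason):
        return {"container": container, "label": label, "usable": usable, "reason": reason}

    if data.lstrip().startswith(b"-----BEGIN "):
        m = PEM_RE.search(data)
        if not m:
            return result("pem", None, False, "BEGIN line without a matching END line")
        label = m.group(1).decode()
        if m.group(3).decode() != label:
            return result("pem", label, False, "BEGIN and END labels differ")
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
        except binascii.Error:
            return result("pem", label, False, "body between the markers is not valid base64")
        if label != "CERTIFICATE":
            return result("pem", label, False,
                          f"label is {label!r}, not CERTIFICATE; unpack it first "
                          "(for PKCS7: openssl pkcs7 -print_certs)")
        container = "pem"
    elif data[:1] == b"\x30":
        der, label, container = data, None, "der"
    elif B64_ONLY.match(data):
        return result("bare-base64", None, False,
                      "base64 without BEGIN/END CERTIFICATE armour; PEM readers need the markers")
    else:
        return result("unknown", None, False, "neither PEM armour, DER SEQUENCE nor bare base64")

    o = der_outline(der)
    if not o["outer_sequence"]:
        return result(container, label, False,
                      "payload does not start with a DER SEQUENCE (expecting an asn1 sequence)")
    if not o["length_ok"]:
        return result(container, label, False,
                      "DER length field disagrees with the payload size (truncated or trailing bytes)")
    if not o["tbs_sequence"]:
        return result(container, label, False,
                      "outer SEQUENCE does not begin with the tbsCertificate SEQUENCE")
    return result(container, label, True, "looks like a DER-encoded X.509 certificate envelope")


if __name__ == "__main__":
    for name, sample in [("pem", PEM_CERT), ("pkcs7", PEM_PKCS7), ("bare", BARE_B64),
                         ("garbage", PEM_GARBAGE), ("der", MINIMAL_DER)]:
        print(name, classify_cert_file(sample))
```

The split between container and envelope matters because the one OpenSSL error covers several different file problems: a PKCS#7 bundle labelled PKCS7 (the form some CAs deliver a chain in), a base64 body sent without its armour, or a DER file truncated in transfer. Each gets its own reason string here, whereas d2i_X509 only reports that the first tag it saw was not a SEQUENCE.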



Re: How to build OpenSSL license free?

2000-02-16 Thread Rich Salz

> Can you please tell me what i should be doing
> to avoid patent/license related issues !

Hire a lawyer and have them tell you.




Re: Netscape 4.51 crashes with Client Certs

2000-02-16 Thread Dr Stephen Henson

David Peele wrote:
> 
> We have a very perplexing problem...
> 
> Everything is fine so far ... BUT, when they visit the site which requires
> client certificates, Netscape crashes.  Looking at the apache/mod_ssl trace
> logs it appears that the initial SSL handshake completes.  The server then
> requests a client cert and no further communication is received.  It would
> appear that Netscape is crashing when parsing the certificates to display
> the certificate choices to the user.
> 
> If we export the certificate from Netscape and import it into Internet
> Explorer, it works as expected...
> 
> Anyone have any ideas??
> 

I have seen this kind of thing from time to time. Netscape doesn't like
certain certificates. There's no obvious pattern but things like '&' or
'-' characters in them can stuff things up.

I suggest you try with different CA and/or client certificates. Start
with something simple and see how much it will tolerate.

Keep a PKCS#12 file for a broken certificate though: it may be useful
when there's enough of the communicator security source around to
diagnose some of these things.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Netscape 4.51 crashes with Client Certs

2000-02-16 Thread David Peele

We have a very perplexing problem...

We are implementing a CA (using OpenSSL 0.9.4, apache 1.3.9, and
mod_ssl-2.4.10-1.3.9) and our users are using Netscape 4.51 (no upgrade
option currently exists for them).  They can successfully generate a
certificate request which is delivered to our CA which we can successfully
sign and then make the resulting certificate available for pick-up.  The
users are then able to retrieve the certificate, which is then visible as a
personal certificate and validates properly when the Verify button is
pressed.

Everything is fine so far ... BUT, when they visit the site which requires
client certificates, Netscape crashes.  Looking at the apache/mod_ssl trace
logs it appears that the initial SSL handshake completes.  The server then
requests a client cert and no further communication is received.  It would
appear that Netscape is crashing when parsing the certificates to display
the certificate choices to the user.

If we export the certificate from Netscape and import it into Internet
Explorer, it works as expected...

Anyone have any ideas??

Thanks!






__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: How to build OpenSSL license free?

2000-02-16 Thread vijay karthik

hi,

I didn't know that I should remove RC5, IDEA, RSA
from the crypto directory to avoid license/patent
problems before commercially shipping apache-openssl.

I thought the only problem is while linking
in the rsaref library.

I have a license for bsafe and I am linking in the bsafe
library instead of the rsaref library. I thought this
should not create any patent/license related issue!

Can you please tell me what I should be doing
to avoid patent/license related issues!

Let me know if I am doing anything legally wrong!
Thanks to Tim for raising this issue !

Thanks
Vijay

--- Tim Milligan <[EMAIL PROTECTED]> wrote:
> Does anyone know what is required to build OpenSSL
> without patent protected
> (in the US) encryption?  I think I need to remove
> RC5, IDEA, and RSA.  Is
> that right?  If so, how?  Sorry if this is a common
> question.  I looked
> through the archive and didn't see any answer.
> 
> Thanks,
> Tim Milligan
>



Re: How to build OpenSSL license free?

2000-02-16 Thread Skye Poier

Word on the street is that Tim Milligan said:
> Does anyone know what is required to build OpenSSL without patent protected
> (in the US) encryption?  I think I need to remove RC5, IDEA, and RSA.  Is
> that right?  If so, how?  Sorry if this is a common question.  I looked
> through the archive and didn't see any answer.

./config no-rsa no-rc2 no-rc4 no-rc5 no-idea
make

Skye




RE: Error building Win32 DLL

2000-02-16 Thread Margaret Avis

Hi All,

I've got all I need now from a response to another message.

thanks,
Margaret

-Original Message-
From: Margaret Avis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 16 February 2000 18:34
To: '[EMAIL PROTECTED]'
Subject: Error building Win32 DLL


Hi all,

The perl stuff in the installation notes in install.w32 worked without
problems, but I've managed to get stuck compiling with borland c++ builder.

I get to the instruction :

 * Run make:
   > make -f bcb.mak

and then I get the following error : 

"MAKE version 5.2 ... Fatal: 'banner' does not exist - don't know how to
make it"

I'm sorry if this is a really simple error; I haven't used C++ before.

thanks in advance,
Margaret




RE: OpenSSL & FTP client

2000-02-16 Thread Margaret Avis

Thank you thank you thank you! :o)

cheers,
Margaret


-Original Message-
From: Ng Pheng Siong [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 17 February 2000 2:07
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL & FTP client


On Wed, Feb 16, 2000 at 05:40:09PM +1100, Margaret Avis wrote:
> I need a SSLFTP client for a Windows NT platform...
> I'm a Delphi programmer...

Take a look at

http://mujweb.cz/web/tomasek/myssl/index_en.html

A Delphi interface to OpenSSL.

Cheers.
-- 
Ng Pheng Siong <[EMAIL PROTECTED]> * http://www.post1.com/home/ngps




How to build OpenSSL license free?

2000-02-16 Thread Tim Milligan

Does anyone know what is required to build OpenSSL without patent protected
(in the US) encryption?  I think I need to remove RC5, IDEA, and RSA.  Is
that right?  If so, how?  Sorry if this is a common question.  I looked
through the archive and didn't see any answer.

Thanks,
Tim Milligan



Re: Problem with SSL Netscape: ...no common encryption algorithm...??

2000-02-16 Thread jonp

Dear Steve,

You're right: I've downloaded a 128-bit IEX security upgrade and now it works.
But now we have to find out how to install 'weak' encryption.

Thanks again

Jon Petersen


Dr Stephen Henson wrote:

> [EMAIL PROTECTED] wrote:
> >
> > Hi all,
> >
> > Our first attempt to install a secure webserver was not succesfull. We
> > did install Openssl (0.9.4) and WN webserver (2.3.3) on a Linux box.
> >
> > After installing a Verisign test certificate; when testing with
> > ./openssl s_client -connect www.takeitnow.nl:443 and GET / HTTP/1.0
> > everything seems to work; the HTTP GET is recorded in the server
> > logging. But when accessing the server with Netscape (4.5) I get a popup
> > box 'Netscape and this server cannot communicate securely because they
> > have no common encryption algorithms'.
> >
> > What could cause this
> >
>
> Err they have no common encryption algorithms? :-)
>
> Possibly the server only supports strong encryption or has been
> configured to only support strong encryption and you are using an export
> grade browser?
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>



RE: Multiple threads handling one connection

2000-02-16 Thread Geoff Thorpe

On Wed, 16 Feb 2000, Oliver King wrote:

> Hi,
> 
> I sent the message below last week, asking about multiple threads accessing
> a single SSL connection, but didn't receive any replies. I can't find
> anything relating to this on the list archives.
> 
> Has anyone tried this, or is it not supported?

For an unrelated reason I'd heard that sharing of an SSL "object" across
threads was not recommended ... in my case it was the scenario of having
each thread running one or more SSL objects, but a separate thread keeping
an eye on all of them for various stats and monitoring.

However, the synchronisation in OpenSSL seems to happen at a type scope
rather than an object scope (somebody please correct me if I'm wrong). I.e.
there are locks like CRYPTO_LOCK_X509 that are used when synchronising on
X509 operations - however they're global and not bound to the object being
accessed. You can certainly ensure your app is thread safe when accessing
SSL objects by:

(a) upping the reference count on the SSL object each time you have a
distinct thread that will access it (this means it will not be deallocated
until each thread has freed its own reference) by doing:
   CRYPTO_w_lock(CRYPTO_LOCK_SSL);      /* write lock: the count is modified */
   your_ssl_pointer->references++;
   CRYPTO_w_unlock(CRYPTO_LOCK_SSL);

(b) wrapping up all calls to your SSL object with the same locking.

Of course, this would probably be next to useless if most of your threads'
job is to perform operations on the SSL object, as they'd all be
serialising up behind each other. If they only touch the SSL object
occasionally this may be the way to go?

Otherwise, looking at SSL_write (and the various "method" functions it
calls) reveals that there doesn't appear to be any locking implicit, so
you'd have to synchronise it all yourself no matter how you decide to go.
On the bright side, each SSL object has an "ex_data" member which is a
CRYPTO_EX_DATA structure used for storing "application data" ... if you
want to put some kind of synchronisation in on your SSL "objects" then you
could perhaps utilise that to store pointers to mutexes or whatever. NB:
Each SSL_CTX object has one of these ex_data things too if that helps :-)

Good luck,
Geoff


--
Geoff ThorpeEmail: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europehttp://www.int.c2.net
--

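The recipe in Geoff's message (one reference per thread, every call to the SSL object wrapped in the same lock, the lock kept alongside the object) as an added example that is not from the original thread or from OpenSSL. It uses a constructed stand-in for the SSL object, because the point is the ownership and serialisation pattern rather than OpenSSL's own API; FakeSSL, SharedSSL and the run_* helpers are this example's own names, and the SSL_set_ex_data mention in the comments marks where the lock would be stored in C.

```python
import threading
import time


class FakeSSL:
    """Stand-in for an OpenSSL SSL object (constructed for this example).
    write() updates its sequence number in two steps with a yield between
    them, so two unsynchronised callers can read the same value and one
    increment is lost; a real SSL object has far more state of this kind."""

    def __init__(self):
        self.write_seq = 0
        self.freed = False

    def write(self, data: bytes) -> int:
        if self.freed:
            raise RuntimeError("SSL object used after free")
        seq = self.write_seq
        time.sleep(0)                   # give another thread a chance to interleave
        self.write_seq = seq + 1
        return len(data)

    def free(self):
        self.freed = True


class SharedSSL:
    """Every thread takes its own reference, every call goes through one lock,
    and the lock lives next to the object (where SSL_set_ex_data would hold it)."""

    def __init__(self, ssl: FakeSSL):
        self._ssl = ssl
        self._lock = threading.Lock()   # the per-object mutex from the message
        self.references = 0

    def up_ref(self) -> int:
        with self._lock:
            self.references += 1
            return self.references

    def free(self) -> int:
        """Drop this thread's reference; the last one out frees the object."""
        with self._lock:
            self.references -= 1
            if self.references == 0:
                self._ssl.free()
            return self.references

    def write(self, data: bytes) -> int:
        with self._lock:                # serialise all access to the SSL object
            return self._ssl.write(data)


def run_shared_writers(n_threads: int = 4, writes_each: int = 250) -> dict:
    """Drive one connection from several threads through the wrapper."""
    ssl = FakeSSL()
    shared = SharedSSL(ssl)
    shared.up_ref()                     # the creating thread holds a reference too

    def worker():
        shared.up_ref()                 # this thread's own reference
        try:
            for _ in range(writes_each):
                shared.write(b"x")
        finally:
            shared.free()

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    remaining = shared.free()           # creator's reference goes last
    return {"write_seq": ssl.write_seq, "references": remaining, "freed": ssl.freed}


def run_unsynchronised_writers(n_threads: int = 4, writes_each: int = 250) -> int:
    """Same workload with the threads hitting the object directly; the result
    is typically below n_threads * writes_each because updates get lost."""
    ssl = FakeSSL()

    def worker():
        for _ in range(writes_each):
            ssl.write(b"x")

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ssl.write_seq


if __name__ == "__main__":
    print("serialised:", run_shared_writers())
    print("unsynchronised write_seq:", run_unsynchronised_writers())
```

The creating thread keeps a reference of its own until the workers have joined; otherwise the first worker to finish could free the object while the others are still queued behind the lock, which is the use-after-free the reference count exists to prevent.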



Re: OpenSSL & FTP client

2000-02-16 Thread Ng Pheng Siong

On Wed, Feb 16, 2000 at 05:40:09PM +1100, Margaret Avis wrote:
> I need a SSLFTP client for a Windows NT platform...
> I'm a Delphi programmer...

Take a look at

http://mujweb.cz/web/tomasek/myssl/index_en.html

A Delphi interface to OpenSSL.

Cheers.
-- 
Ng Pheng Siong <[EMAIL PROTECTED]> * http://www.post1.com/home/ngps




Re: installation problem

2000-02-16 Thread Carl Hostrander

Do you have the latest zlib library installed?

Carl
[EMAIL PROTECTED]




"MARTIN Guy CNET/DMI/LAN" <[EMAIL PROTECTED]> on 02/15/2000
10:42:36 AM

Please respond to [EMAIL PROTECTED]

To:   "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:(bcc: Carl Hostrander/CSCKGO)
Subject:  installation problem



Hi,

just beginning to use OpenSSL (or trying...), I have got some undefined
references at compile time.
Everything is all right during installation (make, make test, make
install...), but just trying to compile
one of the little examples:

gcc -g -I/usr/local/ssl/include -I/usr/local/ssl/include/openssl -Wall -c
cli.cpp
gcc -o cli cli.o -L/usr/local/ssl/lib -lcrypto -lssl
/usr/local/ssl/lib/libssl.a(s3_clnt.o): In function `ssl3_get_key_exchange':
s3_clnt.o(.text+0x17e6): undefined reference to `EVP_dss1'
/usr/local/ssl/lib/libssl.a(s3_clnt.o): In function
`ssl3_send_client_key_exchange':
s3_clnt.o(.text+0x1e22): undefined reference to `d2i_DHparams'
s3_clnt.o(.text+0x1e27): undefined reference to `i2d_DHparams'
s3_clnt.o(.text+0x1e42): undefined reference to `DH_generate_key'
s3_clnt.o(.text+0x1e5b): undefined reference to `DH_compute_key'

and so on.


/usr/local/ssl/bin/openssl version -a
OpenSSL 0.9.4 09 Aug 1999
built on: lun fév 14 15:45:05 CET 2000
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM


(As usual this kind of problem is due to user incompetence, please don't
hit me ;-)

--
  _/_/_/_/ Guy MARTIN - France Télécom
 _/_/_/_/  Branche Développement - Cnet - DMI/GRI
_/_/_/_/   (+33) 2 96 05 25 70 - Fax : (+33) 2 96 05 32 86








Re: Problem with SSL Netscape: ...no common encryption algorithm...??

2000-02-16 Thread Dr Stephen Henson

[EMAIL PROTECTED] wrote:
> 
> Hi all,
> 
> Our first attempt to install a secure webserver was not succesfull. We
> did install Openssl (0.9.4) and WN webserver (2.3.3) on a Linux box.
> 
> After installing a Verisign test certificate; when testing with
> ./openssl s_client -connect www.takeitnow.nl:443 and GET / HTTP/1.0
> everything seems to work; the HTTP GET is recorded in the server
> logging. But when accessing the server with Netscape (4.5) I get a popup
> box 'Netscape and this server cannot communicate securely because they
> have no common encryption algorithms'.
> 
> What could cause this
> 

Err they have no common encryption algorithms? :-)

Possibly the server only supports strong encryption or has been
configured to only support strong encryption and you are using an export
grade browser?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

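Amit's suggestion earlier in this digest (look at the cipher list the browser sends, e.g. with openssl s_server in debug mode) and Steve's diagnosis here come down to the same field: the cipher_suites vector in the ClientHello. The example below is added here and is not from the original thread or from OpenSSL. It builds a constructed SSLv3/TLS-format ClientHello, parses the offered suites back out, buckets them into 40-bit export and 128-bit-plus suites, and intersects them with a server's list; that intersection is empty in exactly the situation that produces Netscape's "no common encryption algorithms" popup. build_client_hello, parse_client_hello, classify_suites and common_suites are this example's own names, and SUITES is the RSA subset of the RFC 2246 registry. One caveat: browsers of the time usually sent the SSLv2-format ClientHello, which has a different layout and is not handled here.

```python
import struct

# Cipher suite codes from RFC 2246 appendix A.5 (SSL 3.0 uses the same values).
# The 40-bit *_EXPORT_* suites are what an export-restricted browser is limited to.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", 128),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 168),
}


def build_client_hello(suites, version=(3, 1)) -> bytes:
    """Constructed sample: a minimal SSLv3/TLS-format ClientHello record
    (zeroed random, empty session id, null compression, no extensions)."""
    body = bytes(version) + bytes(32) + b"\x00"
    cs = b"".join(struct.pack(">H", c) for c in suites)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs


def parse_client_hello(record: bytes) -> dict:
    """Return the client version and the offered cipher suite codes from a
    ClientHello carried in an SSLv3/TLS record (SSLv2-format hellos differ)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": (body[0], body[1]), "cipher_suites": suites}


def classify_suites(codes) -> dict:
    """Bucket offered suites by key strength so an export-only hello is obvious."""
    out = {"export": [], "strong": [], "other": []}
    for c in codes:
        name, bits = SUITES.get(c, (f"unknown 0x{c:04x}", 0))
        bucket = "export" if bits == 40 else "strong" if bits >= 128 else "other"
        out[bucket].append(name)
    return out


def common_suites(client_codes, server_codes) -> list:
    """Suites both sides accept, in the client's order (OpenSSL's default pick
    unless the server is told to prefer its own order). Empty means no handshake."""
    accepted = set(server_codes)
    return [c for c in client_codes if c in accepted]


if __name__ == "__main__":
    export_hello = build_client_hello([0x0003, 0x0006, 0x0008], version=(3, 0))
    offered = parse_client_hello(export_hello)["cipher_suites"]
    strong_server = [0x0004, 0x0005, 0x000A]       # a server built without export ciphers
    print(classify_suites(offered))
    print("common:", common_suites(offered, strong_server))
```

Run against a capture from s_server -debug, the same parser tells you which side to fix: an export-only client list means the browser needs the strong-crypto upgrade, while a strong-only client list against an empty intersection points at the server's cipher configuration.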



RE: Multiple threads handling one connection

2000-02-16 Thread Oliver King

Hi,

I sent the message below last week, asking about multiple threads accessing
a single SSL connection, but didn't receive any replies. I can't find
anything relating to this on the list archives.

Has anyone tried this, or is it not supported?

Thanks
Ollie King
Data Connection Ltd.

-Original Message-
From: Oliver King 
Sent: Thursday, February 10, 2000 10:33 AM
To: '[EMAIL PROTECTED]'
Subject: Multiple threads handling one connection


Hi all,

I've seen (and written) test programs that drive a number of SSL connections
from multiple threads, but none of them seem to drive a single connection
from more than one thread. Does OpenSSL support reading from a connection on
one thread and writing to the same connection on another thread?

I wrote a simple test app to try this using non-blocking sockets and it
seems to work, but rather than rely entirely on my test I'd like to have a
more definitive answer as to whether or not this is acceptable. If it turns
out that this is a Bad Thing to do, what's the recommended alternative?

Thanks in advance
Ollie King
