Re: Cert / Key storage

2002-01-23 Thread Lutz Jaenicke

On Wed, Jan 23, 2002 at 10:43:22AM -0800, Michael Shanzer wrote:
> --- Lutz Jaenicke <[EMAIL PROTECTED]>
> > SSL_load_client_CA_file() reads in a file
> > and obtains the X509 certificates. From each X509
> > certificate the
> > subject name is extracted and put onto a
> > STACK_OF(X509_NAMES).
> > I am confident that you will find it simple to use
> > the function
> > as a template and replace the reading of the file
> > with appropriate
> > database operations. (ssl/ssl_cert.c)
> I started looking there and got bogged down with all
> the BIO stuff, which I was not really in the mood to
> deal with. But if there is no other option ... 
> Thanks for the info.

Actually: forget the BIO stuff. It is just a generalized I/O layer
that is used everywhere inside OpenSSL.
What you do have to take a look at are the X509_* operations...
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Building crypto library

2002-01-23 Thread Andrew T. Finnell

Hello all,

I want to compile an executable that will only support
EDH-DSS-DES-CBC3-SHA. I tried configuring with these options: no-idea
no-rsa no-cast no-bf no-rc4 no-rc5 no-rc2 no-des, but when I go to compile I
get errors in evp.h because a union is defined and it is empty because of
all the #defines.
Basically I want one application that will support EDH-DSS-DES-CBC3-SHA
and another that will support EXP1024-DHE-DSS-DES-CBC-SHA. So I figured I
would create two libcrypto builds, but I cannot find the configuration
options to make it work the way I want. Any ideas?

-
Andrew T. Finnell
ActiveSol.net
[EMAIL PROTECTED]




SSL.PM question

2002-01-23 Thread Ron . Flolid

I'm using SSLeay along with OpenSSL to retrieve https pages via SSL.pm.
I'm not using a proxy, but at runtime I get the familiar "uninitialized
variable" message being displayed for a line in SSL.pm. I normally like to
keep my executions clean and don't want "uninit" messages coming up,
so I would like to resolve this problem. I'm using 2.75 SSL.pm and the
error is coming from line 363: "$proxy_server =~ s|^https?://||i;". First, I
haven't a clue as to what this statement is doing from the syntax. I'm
guessing that it is doing a pattern search but the "|" are throwing me off.
I also see from the code that it is trying to parse the HTTPS_PROXY key value
from the ENV hash. I put a value into the key (i.e. HTTPS_PROXY) but
I still get the "uninit" message. Could someone be so kind as to tell me what
the statement is doing and how I might eliminate the message? Yes, I do
know that I could remove "-w" on the execution to suppress the message.

Thanks in advance for any help.




libssl.so.2

2002-01-23 Thread Michel Hendriks




Hi there,

I've removed OpenSSL 0.9.6.b (which was installed during the RH72 installation) and
I installed OpenSSL 0.9.6.c.

Now I have the problem that certain applications (sendmail as an example) are complaining
that they cannot find the library libssl.so.2.

Now this library will not be installed with OpenSSL 0.9.6.c.

Can anybody tell me what to do to solve this problem (without a downgrade to 0.9.6.b)?

Thanks,

Mich


Re: SSL.PM question

2002-01-23 Thread Philip Shanks

On Wed, 23 Jan 2002 [EMAIL PROTECTED] wrote:

> I'm using SSLeay along with OpenSSL to retrieve https pages via SSL.pm.
> I'm not using a proxy, but at runtime I get the familiar "uninitialized
> variable" message being displayed for a line in SSL.pm. I normally like to
> keep my executions clean and don't want "uninit" messages coming up,
> so I would like to resolve this problem. I'm using 2.75 SSL.pm and the
> error is coming from line 363: "$proxy_server =~ s|^https?://||i;". First, I
> haven't a clue as to what this statement is doing from the syntax.
> I'm guessing that it is doing a pattern search but the "|" are
> throwing me off. I also see from the code that it is trying to parse
> the HTTPS_PROXY key value from the ENV hash. I put a value into the key
> (i.e. HTTPS_PROXY) but I still get the "uninit" message. Could
> someone be so kind as to tell me what the statement is doing and how I
> might eliminate the message? Yes, I do know that I could remove "-w"
> on the execution to suppress the message.
>
> Thanks in advance for any help.
>

This line is attempting a substitution -- the "|" characters are the
regular expression delimiters (Perl is quite liberal in what characters
are used in this context).  The 'http' (with optional 's') and '://' are
being replaced by a null string.  The trailing 'i' indicates "ignore
case."  So it is actually stripping the protocol information from the URL.
The complaint is probably coming from the variable $proxy_server not being
properly defined somewhere before this line, hence it cannot be bound to
the substitution operator.

Philip Shanks
[EMAIL PROTECTED]
-
If you find a solution and become attached to it,
the solution may become your next problem.
(more wisdom from /usr/games/fortune)

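The same substitution in Python, as an added example that is not part of SSL.pm or of this thread: re.sub with re.IGNORECASE plays the role of Perl's s|^https?://||i, and the "defined" guard is what keeps an unset HTTPS_PROXY from producing the uninitialized-value warning Ron sees. The env dict, proxy hostnames and ports below are constructed inputs, and the host:port split is an assumption about how a proxy string is written, not SSL.pm's own parsing.

```python
import re

# Python counterpart of the Perl line discussed above:
#   $proxy_server =~ s|^https?://||i;
# The '|' characters are only delimiters; the pattern is ^https?:// and
# the trailing 'i' is the ignore-case flag.
SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)


def strip_scheme(proxy_server):
    """Remove one leading http:// or https:// (any case) from a proxy string."""
    return SCHEME_RE.sub("", proxy_server, count=1)


def proxy_from_env(env):
    """Return (host, port) for env['HTTPS_PROXY'], or None when it is unset.

    env is a plain dict standing in for Perl's %ENV (a constructed input).
    Returning early when the value is missing is the equivalent of wrapping
    the Perl substitution in "if (defined $proxy_server)", which is what
    silences the "uninitialized" warning under -w.
    """
    proxy_server = env.get("HTTPS_PROXY")
    if proxy_server is None or proxy_server.strip() == "":
        return None                      # nothing configured: leave undef alone
    proxy_server = strip_scheme(proxy_server.strip())
    # Assumed convention: an optional ":port" suffix on the host.
    host, sep, port = proxy_server.rpartition(":")
    if not sep:
        return proxy_server, None        # no port given
    if not port.isdigit():
        raise ValueError("bad proxy port in HTTPS_PROXY: %r" % port)
    return host, int(port)


if __name__ == "__main__":
    # Constructed environments for demonstration.
    for env in ({}, {"HTTPS_PROXY": "HTTPS://proxy.example.test:3128"},
                {"HTTPS_PROXY": "proxy.example.test"}):
        print(env, "->", proxy_from_env(env))
```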



Re: Correct way to expire certificate

2002-01-23 Thread Gertraud Unterreitmeier

Hello,

Both "E" and "R" could be used:
"E" means expired,
"R" means revoked.

Both values in the index.txt file have the effect
that you can recreate or prolong this
certificate.

Regards,

Gertraud

"Roach, Mark R." wrote:
> 
> On Tue, 2002-01-22 at 18:28, Michael Richardson wrote:
> >
> >   I had to change the "V" to an "R" and enter a date when the certificate
> > was to have expired. This goes in a field that is normally blank, e.g:
> 
> Hmm, so I could just parse all the certificates via cron, and make it
> insert the appropriate timestamp...
> 
> Are you sure that an 'R' is the right character? I saw in my searches
> some pages that indicated an 'E' was appropriate.
> 
> Thanks,
> 
> Mark Roach
> 

-- 
Gertraud Unterreitmeier
Development

Activis
Gutenbergstr. 1
D-85737 Ismaning
Tel: +49-89-94573-453
Fax: +49-89-94573-479




Can't start Apache server / expecting an asn1 sequence

2002-01-23 Thread Jeff Slonaker

I'm running:
apache_1.3.22
mod_perl-1.26
mod_ssl-2.8.5-1.3.22
openssl-0.9.6c.

When I try to start apache, this shows in the error log:
mod_ssl: Init: Unable to read server certificate from file
/usr/local/www/conf/ssl.crt/server.crt (Open SSL library error follows)
OpenSSL: error: 0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1
sequence.

FWIW, everything works, if I don't use mod_perl.

Thanks.

Jeff Slonaker
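The error names d2i_X509, OpenSSL's DER decoder, and "expecting an asn1 sequence" means the bytes it was handed did not start with the ASN.1 SEQUENCE tag (0x30) that every certificate begins with. A first check on a certificate file is therefore whether it is a PEM CERTIFICATE block wrapping a well-formed outer SEQUENCE, or raw DER beginning with one. The checker below is an added Python example, not part of this thread or of mod_ssl; its sample inputs are constructed, and the tiny SEQUENCE { INTEGER 5 } stands in for a certificate body only to exercise the length arithmetic.

```python
import base64
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_outer_length(data):
    """Total length claimed by a DER SEQUENCE at the start of data, or None.

    Tag 0x30 is SEQUENCE. The length octet is short form (< 0x80, the length
    itself) or long form (0x80 | n, followed by n big-endian length bytes).
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:          # indefinite/truncated: not DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_cert_file(data):
    """Return 'pem', 'der' or 'unknown' for the bytes of a certificate file.

    'pem' requires a CERTIFICATE block whose base64 payload is a SEQUENCE
    spanning the whole payload; 'der' requires the same of the raw bytes.
    A private-key block or a SEQUENCE whose length does not match the file
    is reported as 'unknown', which is the case d2i_X509 would reject.
    """
    m = PEM_CERT_RE.search(data)
    if m:
        try:
            payload = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except ValueError:
            return "unknown"
        return "pem" if der_outer_length(payload) == len(payload) else "unknown"
    return "der" if der_outer_length(data) == len(data) else "unknown"


# Constructed inputs (not real certificates).
TINY_DER = b"\x30\x03\x02\x01\x05"                  # SEQUENCE { INTEGER 5 }
TINY_PEM = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(TINY_DER)
            + b"-----END CERTIFICATE-----\n")
NOT_A_CERT = (b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n"
              b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in (("TINY_PEM", TINY_PEM), ("TINY_DER", TINY_DER),
                       ("NOT_A_CERT", NOT_A_CERT)):
        print(name, "->", classify_cert_file(blob))
```

Run it over the real server.crt (open(path, "rb").read()) and compare with what mod_ssl is actually reading; a key file, an empty file, or a PEM block that does not decode to a whole SEQUENCE all land in 'unknown'.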



Re: Correct way to expire certificate

2002-01-23 Thread Michael Richardson


> "Roach," == Roach, Mark R <[EMAIL PROTECTED]> writes:
Roach,> On Tue, 2002-01-22 at 18:28, Michael Richardson wrote:
>> 
>> I had to change the "V" to an "R" and enter a date when the certificate
>> was to have expired. This goes in a field that is normally blank, e.g:

Roach,> Hmm, so I could just parse all the certificates via cron, and make it
Roach,> insert the appropriate timestamp...

Roach,> Are you sure that an 'R' is the right character? I saw in my searches
Roach,> some pages that indicated an 'E' was appropriate.

  You could be right.

  I did this on advice from Rodney Thayer when my email relaying-permitted
certificate expired while at IETF.

]   ON HUMILITY: to err is human. To moo, bovine.   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


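One way to do what Mark proposes, as an added Python example that is neither from this thread nor from OpenSSL itself: it walks a constructed index.txt (the tab-separated database that openssl ca keeps, with columns status, expiry, revocation date, serial, filename and subject) and turns every 'V' row whose expiry has passed into 'E', or, in the variant Michael used, into 'R' with the expiry date written into the normally blank third column. The serials, dates, subjects and the NOW timestamp are constructed; the GeneralizedTime branch of the date parser is an assumption for newer index files and is not needed for the UTCTime values shown here.

```python
from datetime import datetime, timezone

# Constructed sample index.txt as written by "openssl ca":
#   status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial  filename  subject
SAMPLE_INDEX = (
    "V\t020301120000Z\t\t01\tunknown\t/CN=mail-relay.example.test\n"
    "V\t030101000000Z\t\t02\tunknown\t/CN=www.example.test\n"
    "R\t030101000000Z\t020110093000Z\t03\tunknown\t/CN=old.example.test\n"
)

# Constructed "current time" for the demonstration.
NOW = datetime(2002, 6, 1, tzinfo=timezone.utc)


def parse_asn1_time(value):
    """Parse the UTCTime (YYMMDDHHMMSSZ) or, assumed for newer databases,
    GeneralizedTime (YYYYMMDDHHMMSSZ) form used in the expiry column."""
    if len(value) == 13:
        fmt = "%y%m%d%H%M%SZ"
    elif len(value) == 15:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unrecognised index.txt time %r" % value)
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def mark_expired(index_text, now, mode="E"):
    """Return (new_index_text, serials_changed).

    mode "E": expired 'V' rows get status 'E' (Gertraud's reading).
    mode "R": expired 'V' rows get status 'R' and the expiry timestamp in the
              revocation-date column, the by-hand edit Michael describes.
    Rows already marked 'R' or 'E' are left untouched.
    """
    if mode not in ("E", "R"):
        raise ValueError("mode must be 'E' or 'R'")
    out_lines, changed = [], []
    for line in index_text.splitlines():
        if not line.strip():
            out_lines.append(line)
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry = fields[0], fields[1]
        if status == "V" and parse_asn1_time(expiry) < now:
            fields[0] = mode
            if mode == "R":
                fields[2] = expiry       # the column that is blank for 'V' rows
            changed.append(fields[3])
        out_lines.append("\t".join(fields))
    return "\n".join(out_lines) + "\n", changed


if __name__ == "__main__":
    new_text, serials = mark_expired(SAMPLE_INDEX, NOW)
    print("changed serials:", serials)
    print(new_text, end="")
```

The choice between the two letters matters beyond the database file: 'R' rows are what openssl ca -gencrl emits into the CRL, so marking expired certificates as revoked also lists them there, whereas 'E' only stops the CA treating them as live. Later OpenSSL releases perform the 'E' transition themselves with openssl ca -updatedb.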



RE: creating shared libs on hp-ux 11

2002-01-23 Thread Robert Pungello

Madhu,

I originally ran the config script as "./config shared threads
-D_REENTRANT". However, I was unable to run anything in the apps
directory, so I'm assuming that this was not quite right. I just tried the
config options you gave, but -fPIC is an unknown option and is being
ignored by the machine I'm building on.

Rob



   
  
On 01/23/2002 01:36 PM, "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" wrote:

Rob,
 What are the last couple of lines of your build output ??..
BTW, what options did you give to the config script ?.. I used "./config -fPIC
--openssldir=$DESTDIR shared", and the last couple of lines of my build are
something like :

+ rm -f libssl.sl.0
+ rm -f libssl.sl
+ rm -f libssl.sl.0.9.6
libs='-L/proj/middleware/madhum/src/openssl-0.9.6c -lcrypto'; for i in ssl;
do \
( set -x; /usr/ccs/bin/ld +vnocompatwarnings \
-b -z -o lib$i.sl.0.9.6 \
+h lib$i.sl.0.9.6 \
-Fl lib$i.a $libs -L/proj/middleware/madhum/src/openssl-0.9.6c
-L/usr/local/lib/gcc-lib/hppa1.1-hp-hpux11.00/2.9-hppa-991112 -lgcc
-L/proj/middleware/madhum/src/openssl-0.9.6c -lcrypto -lm -ldld -lc ) ||
exit 1; \
libs="$libs -L. -l$i"; \
done
+ /usr/ccs/bin/ld +vnocompatwarnings -b -z -o libssl.sl.0.9.6 +h
libssl.sl.0.9.6 -Fl libssl.a -L/proj/middleware/madhum/src/openssl-0.9.6c
-lcrypto -L/proj/middleware/madhum/src/openssl-0.9.6c
-L/usr/local/lib/gcc-lib/hppa1.1-hp-hpux11.00/2.9-hppa-991112 -lgcc
-L/proj/middleware/madhum/src/openssl-0.9.6c -lcrypto -lm -ldld -lc
+ ln -f -s libssl.sl.0.9.6 libssl.sl.0
+ ln -f -s libssl.sl.0 libssl.sl
make[2]: Leaving directory
`/tmp_mnt/proj/middleware/madhum/src/openssl-0.9.6c'
make[1]: Leaving directory
`/tmp_mnt/proj/middleware/madhum/src/openssl-0.9.6c'

 In the worst case, you can at least use the above ld options :-)..
Thanks
-Madhu


-Original Message-
From: Robert Pungello [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 5:51 AM
To: [EMAIL PROTECTED]
Subject: Re: creating shared libs on hp-ux 11


Madhu,

I am indeed building openssl 0.9.6c on hp-ux 11

Rob





On 01/22/2002 06:33 PM, L Nehring wrote (Subject: Re: creating shared libs on hp-ux 11):


Hi Madhu,
I was speaking in general terms for building shared libs on HP-UX. I have
some in-depth experience with ANSI C on HP-UX 10.x and 11.0 in a previous life.
Personally, I currently use openssl 0.9.6b on Linux Intel and will soon
upgrade. I still have a couple of clients running HP-UX that I do consulting
for, but not using openssl.

I'm not sure what version of openssl Rob is using (or which version of his
compiler). He did say he was running on HP-UX 11 though.
-Lance

"MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" wrote:

> Hi Lance,
> Can you pl. confirm that you're using OpenSSL 0.9.6c ??..I just
> built it and was successful in creating a shared library for both crypto
> and ssl..
>
> -Madhu
>
> -