Trusted cert store
Hi, I'm validating a cert chain by first loading the certificates I trust into memory and using it during validation by calling X509_STORE_CTX_trusted_stack(). This is working, but I would like to be able to treat the trusted certs as two different types - trusted root certs and trusted intermediate certs.

Is there a way to specify two different trusted_stack structures which the X509_verify_cert function will use in a way that it knows which are the root certs and which are the intermediate certs, or is this something that it somehow knows anyway simply by putting them all in the single trusted stack? Is it something that should instead be done by a verify callback function? If so, what should I be looking for to tell if the cert being used is root or inter, and if it is the end of the chain or not?

Thanks for any help with this.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: SSL - Weak Encryption Test
> From: owner-openssl-us...@openssl.org On Behalf Of Nouefel
> Sent: Friday, 25 February, 2011 15:08
>
> Need some help on testing if a server supports weak ciphers.
>
> Here is the command I ran:
>
> openssl s_client -connect HOSTNAME:443 -cipher LOW:EXP
>
> result:
> Connected : err num=110
>
> openssl s_client -connect HOSTNAME:8000 -cipher LOW:EXP
> result:
> Connected : err num=104
>

What (version of) openssl are you using? I've never seen one (in almost ten years) that produces output in that format. 'openssl version' or even 'openssl version -a' may be helpful, although if this copy has been hacked up it might not truthfully indicate its status in its version string(s). Did you get it from anyplace other than: the OS supplier, or the www.openssl.org website or an authorized mirror, or another trustworthy packager like ShiningLight?

> Should I understand that the host does not support weak
> ciphers with above result.
>

Does it really say 'Connected' and not just 'connect'? The latter would be almost correct for a connection attempt that fails at TCP level, before starting SSL/TLS handshake. On the one Linux system I have to hand, 110 is ETIMEDOUT and 104 is ECONNRESET, which are the two most common errors (by far) on failed TCP connection attempts. (On other operating systems, error codes are different; the existence of some errors is standard but not the codes.)

In the Good Old Days it was effectively impossible to get timeout and reset for different ports *on the same host*; you said 'a' server so I assume there's only one. But nowadays with lots of network infrastructure trying to be 'smart' and even 'helpful' the diagnostics you get are often misleading and sometimes even deceptive.

If on Unix or an older Windows (or a newer Windows you have fixed appropriately) try telnet (or equivalent) from your (desired) client to the server to make sure TCP connectivity works. If it doesn't, try traceroute (Windows tracert) or other network tools to look for the problem. And/or try a client as close to the server as possible (either use as client a system that is already there, or move your client system to be there). (If it does connect, for standard telnet client just do ctrl-] q u i t RET.)

If you do have connectivity, try s_client with -msg added (or -debug which is more verbose) and post what you get, at least the last good message and any subsequent error(s).
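The reply above turns on separating a TCP-level failure (errno 110 ETIMEDOUT, 104 ECONNRESET) from an SSL/TLS-level one before concluding anything about cipher support. The following is an added example, not code from the thread: a small Python probe that reports which stage a connection reached (cipher string rejected by the local OpenSSL, TCP connect failed with its errno name, handshake failed, or handshake succeeded with the negotiated cipher). The host, port and cipher-string arguments are assumptions, and the loopback listener is a constructed fixture standing in for a port that answers TCP but does not speak TLS.

```python
"""Probe a TLS endpoint and say how far the connection got.

Added example, not code from the mailing-list thread. Any host/port passed
in is an assumption; the loopback helpers below are constructed fixtures.
"""
import errno
import socket
import ssl
import threading


def errno_name(code):
    """Symbolic name for an OS error number, e.g. 110 -> ETIMEDOUT on Linux."""
    return errno.errorcode.get(code, f"errno {code}")


def probe(host, port, ciphers="DEFAULT", timeout=5.0):
    """Return a dict with a 'stage' key describing where the attempt stopped.

    stage == "ciphers": the local OpenSSL rejects the cipher string outright
                        (so nothing was learned about the server)
    stage == "tcp":     TCP connect failed; 'error' is the errno name
    stage == "tls":     TCP worked but the handshake failed; 'error' is the reason
    stage == "ok":      handshake succeeded; 'cipher' is what was negotiated
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # a cipher probe, not an identity check
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(ciphers)
    except ssl.SSLError as e:
        return {"stage": "ciphers", "error": str(e)}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        name = errno_name(e.errno) if e.errno is not None else str(e)
        return {"stage": "tcp", "error": name}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"stage": "ok", "cipher": tls.cipher()[0],
                    "version": tls.version()}
    except OSError as e:
        raw.close()
        return {"stage": "tls", "error": str(e) or type(e).__name__}


def free_port():
    """Constructed fixture: an ephemeral loopback port that nothing listens on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_plain_listener():
    """Constructed fixture: accept one connection, read the ClientHello, drop it.

    Mimics a port that is open at TCP level but does not speak TLS, so the
    probe must report a handshake failure rather than a TCP failure.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # HOSTNAME is the placeholder from the thread; replace with a real host.
    print(probe("HOSTNAME", 443, "LOW:EXP"))
```

A stage of "tcp" with ETIMEDOUT or ECONNRESET says nothing about ciphers, which is the point of the reply above; only a "tls" or "ok" result speaks to what the server accepts, and a "ciphers" result means the local build no longer has those suites at all.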
Re: Open SSL installation on Solaris - 10
On 02/27/11 9:13 AM, Sander Temme wrote:
> On Feb 27, 2011, at 2:02 AM, John R Pierce wrote:
>> but, my Sol10 systems appear to already have an openssl in /usr/sfw/bin (and libraries in /usr/sfw/lib, etc) which is maintained by Oracle
>
> Last time I was on a Solaris box, that one seemed to be stuck at 0.9.7.

yes, but it's back patched against significant exploits. The solaris 10 development box I happened to look at has not had Solaris patches in about a year (it was taken off support when Oracle screwed with the pricing and wanted to only offer 'premiere' grade support we didn't want to pay for), it says...

$ /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2009-0590)
Re: Open SSL installation on Solaris - 10
On Feb 27, 2011, at 2:02 AM, John R Pierce wrote:
> but, my Sol10 systems appear to already have an openssl in /usr/sfw/bin (and
> libraries in /usr/sfw/lib, etc) which is maintained by Oracle

Last time I was on a Solaris box, that one seemed to be stuck at 0.9.7.

S.

--
san...@temme.net http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007 EE23 9BB8 63B0 F51B B88A
View my availability: http://tungle.me/sctemme
RE: Open SSL installation on Solaris - 10
There should be openssl and gnu GCC packages available on sunfreeware.com. They may not be the most recent but they are likely to be more recent than the ones bundled with Solaris 10 or the Sun Freeware Tools companion cd.

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of David Kirkby
Sent: Sunday, February 27, 2011 9:46 AM
To: openssl-users@openssl.org
Cc: John R Pierce
Subject: Re: Open SSL installation on Solaris - 10

On 27 February 2011 10:02, John R Pierce wrote:
> On 02/27/11 12:03 AM, pattabi raman wrote:
>>
>> Hi,
>> I need to install open ssl in our solaris-10 machine. Currently Solaris
>> has GCC Compiler 2.95.
>> As I checked from the site, mentioned that Openssl needs GCC compiler 3.3.
>> So Open ssl will work only with gcc 3.3 ? Gcc upgrade is necessary ? Will
>> solaris 10 supports gcc 3.3
>>
>
> while I've not attempted to build openssl, most things on solaris seem to
> build better with the Sun CC compiler, which is now called Oracle Studio.
> This is especially true for Sparc systems.

If they are written in C, C++ or Fortran that is so. They will generally be faster. But if they are written in some GNU variant of one of these languages, rather than standard conforming code, then you may have a problem building it with anything other than GNU tools. The defaults for the GNU compilers allow GNU extensions, so people do not realise they are not writing C/C++/Fortran. They are in fact writing in GNU C, GNU C++ or GNU Fortran.

> but, my Sol10 systems appear to already have an openssl in /usr/sfw/bin (and
> libraries in /usr/sfw/lib, etc) which is maintained by Oracle

Yes. It might be quite old though - depends on whether the system has been patched or not.

Dave
Re: Open SSL installation on Solaris - 10
On 27 February 2011 10:02, John R Pierce wrote:
> On 02/27/11 12:03 AM, pattabi raman wrote:
>>
>> Hi,
>> I need to install open ssl in our solaris-10 machine. Currently Solaris
>> has GCC Compiler 2.95.
>> As I checked from the site, mentioned that Openssl needs GCC compiler 3.3.
>> So Open ssl will work only with gcc 3.3 ? Gcc upgrade is necessary ? Will
>> solaris 10 supports gcc 3.3
>>
>
> while I've not attempted to build openssl, most things on solaris seem to
> build better with the Sun CC compiler, which is now called Oracle Studio.
> This is especially true for Sparc systems.

If they are written in C, C++ or Fortran that is so. They will generally be faster. But if they are written in some GNU variant of one of these languages, rather than standard conforming code, then you may have a problem building it with anything other than GNU tools. The defaults for the GNU compilers allow GNU extensions, so people do not realise they are not writing C/C++/Fortran. They are in fact writing in GNU C, GNU C++ or GNU Fortran.

> but, my Sol10 systems appear to already have an openssl in /usr/sfw/bin (and
> libraries in /usr/sfw/lib, etc) which is maintained by Oracle

Yes. It might be quite old though - depends on whether the system has been patched or not.

Dave
Re: Open SSL installation on Solaris - 10
On 02/27/11 12:03 AM, pattabi raman wrote:
> Hi,
> I need to install open ssl in our solaris-10 machine. Currently Solaris has GCC Compiler 2.95.
> As I checked from the site, mentioned that Openssl needs GCC compiler 3.3.
> So Open ssl will work only with gcc 3.3 ? Gcc upgrade is necessary ? Will solaris 10 supports gcc 3.3

while I've not attempted to build openssl, most things on solaris seem to build better with the Sun CC compiler, which is now called Oracle Studio. This is especially true for Sparc systems.

but, my Sol10 systems appear to already have an openssl in /usr/sfw/bin (and libraries in /usr/sfw/lib, etc) which is maintained by Oracle
Re: Open SSL installation on Solaris - 10
On 02/27/11 08:03 AM, pattabi raman wrote:
> Hi,
> I need to install open ssl in our solaris-10 machine. Currently Solaris has GCC Compiler 2.95.
> As I checked from the site, mentioned that Openssl needs GCC compiler 3.3.
> So Open ssl will work only with gcc 3.3 ? Gcc upgrade is necessary ? Will solaris 10 supports gcc 3.3
> please help.
> Thanks,
> Pattabi

Solaris 10 comes with gcc 3.4.3 in /usr/sfw/bin, so I don't know why anyone would want to install an older version.

-bash-3.00$ uname -a
SunOS kestrel 5.10 Generic_141444-09 sun4u sparc SUNW,UltraAX-i2
-bash-3.00$ /usr/sfw/bin/gcc -v
Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with: /sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure --prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as --with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++ --enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Dave
Open SSL installation on Solaris - 10
Hi,
I need to install open ssl in our solaris-10 machine. Currently Solaris has GCC Compiler 2.95.
As I checked from the site, mentioned that Openssl needs GCC compiler 3.3.
So Open ssl will work only with gcc 3.3 ? Gcc upgrade is necessary ? Will solaris 10 supports gcc 3.3
please help.

Thanks,
Pattabi