symbol lookup error libssl.so.4 undefined symbol: krb5_cc_get_principal

2012-01-31 Thread Marlee Kovacs
Hello,

I am getting an error while trying to use a self-signed certificate.

Server: RedHat Ent 4, 2.6.9-5.ELsmp
PWD: /usr/share/ssl/certs

Server-side:
# openssl s_server -key test-cert.pem -cert test-cert.pem -accept 9000 -www
Using default temp DH parameters
ACCEPT
19087:error:140780E5:SSL routines:SSL23_READ:ssl handshake
failure:s23_lib.c:180:

Client-side:
# openssl s_client -showcerts -connect localhost:9000
CONNECTED(0003)
openssl: symbol lookup error: /lib/libssl.so.4: undefined symbol:
krb5_cc_get_principal


Installed rpms:
openssl-0.9.7a-43.1
openssl-devel-0.9.7a-43.1
krb5-workstation-1.3.4-9
krb5-libs-1.2.7-8
krb5-libs-1.3.4-9
krb5-devel-1.3.4-9

Cert-gen process used:
# openssl req -x509 -nodes -days 365 -newkey rsa -keyout test-cert.pem 
-out
test-cert.pem

I am at a loss. This same processed worked on two other RedHat Ent4 servers,
one with the exact same rpms & architecture but here I am getting the symbol
error.

Any help would be appreciated greatly.

Marlee Kovacs

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


fips-capable libcrypto.so build in netbsd

2012-01-31 Thread Kevin Fowler
Using FIPS module and FIPS capable OpenSSL (2.0/1.0.1) on a NetBSD platform.

I build FIPS module by hand to follow the build instructions, and copy it
into a tips sub-directory in openssl directory. I would like to build the
libcrypto.so library as part of the NetBSD cross-compile build (i.e.,
launched from src/lib/libcrypto/Makefile), so it can be built as needed for
different processors.

NetBSD uses its own makefile approach using perl scripts to launch builds,
and using generic src/share/mk/bsd.*.mk makefiles. I was thinking I could
modify only the lib/libcrypto/Makefile file and leave the generic makefiles
alone, but am struggling with the final linking step rules using fipsld.

Has anyone else done this in NetBSD builds?

Alternatively, I could also build the library by hand and coax the main
build into just installing libcrypto.so instead of building it.

Suggestions welcome! I've searched but cannot find any sign of anyone
coping with similar issues.
Kevin


Facing issue while compiling openssl-1.0.0c on MIPS 64 big endian architectur

2012-01-31 Thread Shivam Agarwal
Hi Team,
   I have picked openssl tar from 
"http://cblfs.cross-lfs.org/index.php/OpenSSL#Note_2"; url and compiled after 
applying patched mentioned on this url.

   But I am unable to compile as I  following error is encountered.

"
making all in crypto/ts...
make[2]: Entering directory `/root/depend_resolv/openssl-1.0.0c/crypto/ts'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/root/depend_resolv/openssl-1.0.0c/crypto/ts'
if [ -n "libcrypto libssl" ]; then \
(cd ..; make libcrypto); \
fi
make[2]: Entering directory `/root/depend_resolv/openssl-1.0.0c'
make[3]: Entering directory `/root/depend_resolv/openssl-1.0.0c'
make[4]: Entering directory `/root/depend_resolv/openssl-1.0.0c'
make[4]: *** No rule to make target `link_a..so.1.0.0'.  Stop.
make[4]: Leaving directory `/root/depend_resolv/openssl-1.0.0c'
make[3]: *** [do_.so.1.0.0] Error 2
make[3]: Leaving directory `/root/depend_resolv/openssl-1.0.0c'
make[2]: *** [libcrypto] Error 2
make[2]: Leaving directory `/root/depend_resolv/openssl-1.0.0c'
make[1]: *** [shared] Error 2
make[1]: Leaving directory `/root/depend_resolv/openssl-1.0.0c/crypto'
make: *** [build_crypto] Error 1
"

Your help will be highly appreciated. As this issue is show stopper for us.

Regards
Shivam Agrawal






===
Please refer to http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.
===


Safari and application/x-x509-user-cert

2012-01-31 Thread Graham Leggett
Hi all,

I have some openssl code that creates a certificate based on a SPKAC, and then 
attempts to send the certificate back to the browser. This works fine in 
Firefox, but doesn't working in Safari, or at least it does work, except that 
Safari doesn't recognise the MIME type of the certificate, and tries to 
"download" the certificate and save it to the downloads folder instead.

I am struggling with the lack of documentation on this stuff, what is the 
expected certificate format when delivering a certificate as 
application/x-x509-user-cert?

Most specifically, is this code correct:

BIO *b = BIO_new(BIO_s_mem());
char buf[LEN];
int len;

set_content_type(r, "application/x-x509-user-cert");
i2d_X509_bio(b, cert);

while ((len = BIO_gets(b, buf, sizeof(buf))) > 0) {
// write buf
}

BIO_free(b);

Or should I be using something other than i2d_X509_bio()?

Regards,
Graham
--



smime.p7s
Description: S/MIME cryptographic signature


Re: [openssl-users] Support for certificates other than the X509 standard Reg.

2012-01-31 Thread Erwann Abalea

Bonjour,

Out of my head, there's ISO7816-6 certificates, used at least in eID 
projects (EAC passports).
One can also mention PGP/GPG (which can now include X.509), with a 
marginal use (in corporate/business world).


OpenSSL has a great support for X.509, of course, but since it also 
includes complete ASN.1 and crypto API, you can easily work with 
ISO7816-6 certificates. I haven't used PGP/GPG since a few years so I 
don't really know if there's an ASN.1 description, but the crypto is the 
same, for sure.


Le 31/01/2012 17:07, Ashok C a écrit :

I understand that X509 is the preferred ITU-T standard for PKI.
But what would be the other certificate standards which are available 
and those which a PKI solution needs to support?
First question would be whether there are any certificates which do 
not belong to the X509 standard?
Also, what all standards of certificates does the openSSL 
implementation support?


--
Erwann ABALEA
-
Depuis ce matin, j'ai une IP en 213.@@@.@@@ et des plumes.
C'est devenu apparement une IP statique.
Mon contrat me donne droit à une IP dynamique..
-+- TW in  : Neuneu se fixe -+-

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Support for certificates other than the X509 standard Reg.

2012-01-31 Thread Ashok C
Hi,

I understand that X509 is the preferred ITU-T standard for PKI.
But what would be the other certificate standards which are available and
those which a PKI solution needs to support?
First question would be whether there are any certificates which do not
belong to the X509 standard?
Also, what all standards of certificates does the openSSL implementation
support?


Regds,
Ashok


Renegotiation question (one more try)

2012-01-31 Thread Jason Schultz

My apologies again, my posts were somehow got attached to an earlier 
conversation.  Posting one more time to place the message at the top of the 
list:
 
I have implemented a server using OpenSSL 0.9.8r.  If I use s_client to open a 
connection to a listenening SSL port on the server, and use the R commend to 
initiate a rehandshake, the rehandshake completes successfully(as expected).  I 
have verified this using both SSL 3.0 and TLS 1.0. 

 
Another client(non-OpenSSL) opens a connection to my server with a successful 
initial handshake as well.  The client is basically an FTP client, and it then 
initiates a data transfer with a get, so my server is sending data to the 
client.  During this transfer, the client sends a Client Hello to renegotiate.  
My server, using poll() to look for activated sockets, ends up calling 
SSL_read() and reads in the Client Hello.  However, OpenSSL gets an error, 
“SSL3_WRITE_PENDING:bad write retry”.  I’ve dug around a little in the OpenSSL 
code and added some debug code to try to follow what is happening.  
 
>From what I can tell, the following is taking place: 

-  Client and server establish a connection and my server is sending 
data with repeated calls to SSL_write() 
-  While server is writing data, client initiates a renegotiation, and 
sends a Client Hello 
-  SSL_write() on the server returns -1 with SSL_ERROR_WANT_READ, 
presumably after the Client Hello comes in 
-  Server calls SSL_read() and reads in the Client Hello 
(I have info_cb functionality implemented that dump out handshake messages, the 
message looks OK) 
-  OpenSSL calls ssl3_get_client_hello(); I added a syslog() when the 
state changes to SSL3_ST_SR_CLNT_HELLO_B 
-  ssl3_get_client_hello() returns successfully; I added a syslog when 
the state gets changed to SSL3_ST_SW_SRVR_HELLO_A to verify this. 
-  ssl3_send_server_hello() is called 
-  The ssl3_send_server_hello() will lead to calls to the following 
functions, in order: ssl3_write_bytes(), do_ssl3_write(), and 
ssl3_write_pending(). 
-  Meanwhile, the previous calls to SSL_write have data left to send 
and a call to ssl3_write_pending() is being made from do_ssl3_write().  I’m not 
sure of the code path from the server calling SSL_write() to 
do_ssl3_write()/ssl3_write_pending(), but I see do_ssl3_write() calling 
ssl3_write_pending() several times during the file transfer. 

 
Does this scenario sound like it should be working?  I’m not sure what my 
server could be doing wrong?  A couple notes, 
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is not set on my server.  I’m not sure that 
it should or needs to be, I did notice in the code that that mode is one of the 
conditions that is checked for when throwing the SSL_R_BAD_WRITE_RETRY error.  
From what I’ve read, the SSL3_WRITE_PENDING error is caused by calling 
SSL_write() after getting SSL_ERROR_WANT_READ/WRITE with a different buffer 
than before.  However, my server is not calling SSL_write() after it gets the 
SSL_ERROR_WANT_READ error when the Client Hello comes in.  So it seems to me 
the error is being thrown because OpenSSL is internally calling 
ssl3_write_pending() incorrectly. 

 
I have some traces of the scenario but I did not include them, they may make 
things more confusing.  They exists in two different places, logging in my 
server before/after SSL_read and SSL_write 
calls(SSL_get_error()/ERR_error_string() calls) as well as info_cb and msg_cb 
message that display the SSL records coming in and going out.  A separate trace 
exists of some syslog() calls I added to the OpenSSL code.  I know there is a 
way to build OpenSSL in debug mode, but I haven’t taken the time to do this 
yet.  Please advise if I should look at doing that, or include the logging I do 
have. 

Thanks in advance. 

  

RE: Renegotiation question

2012-01-31 Thread Jason Schultz

My apologies for accidently spamming the list with this message, my web based 
email was having issues.
 
I am still unable to successfully rehandshake in the scenario below, and was 
wondering if anyone might have some ideas.  Is this the proper list for this 
email?
 
Thanks.
 



From: jetso...@hotmail.com
To: openssl-users@openssl.org
Subject: Renegotiation question
Date: Fri, 27 Jan 2012 15:33:36 +






I have implemented a server using OpenSSL 0.9.8r.  If I use s_client to open a 
connection to a listenening SSL port on the server, and use the R commend to 
initiate a rehandshake, the rehandshake completes successfully(as expected).  I 
have verified this using both SSL 3.0 and TLS 1.0.
 
Another client(non-OpenSSL) opens a connection to my server with a successful 
initial handshake as well.  The client is basically an FTP client, and it then 
initiates a data transfer with a get, so my server is sending data to the 
client.  During this transfer, the client sends a Client Hello to renegotiate.  
My server, using poll() to look for activated sockets, ends up calling 
SSL_read() and reads in the Client Hello.  However, OpenSSL gets an error, 
“SSL3_WRITE_PENDING:bad write retry”.  I’ve dug around a little in the OpenSSL 
code and added some debug code to try to follow what is happening.  From what I 
can tell, the following is taking place:
 
-  Client and server establish a connection and my server is sending 
data with repeated calls to SSL_write()
-  While server is writing data, client initiates a renegotiation, and 
sends a Client Hello
-  SSL_write() on the server returns -1 with SSL_ERROR_WANT_READ, 
presumably after the Client Hello comes in
-  Server calls SSL_read() and reads in the Client Hello
(I have info_cb functionality implemented that dump out handshake messages, the 
message looks OK)
-  OpenSSL calls ssl3_get_client_hello(); I added a syslog() when the 
state changes to SSL3_ST_SR_CLNT_HELLO_B
-  ssl3_get_client_hello() returns successfully; I added a syslog when 
the state gets changed to SSL3_ST_SW_SRVR_HELLO_A to verify this.
-  ssl3_send_server_hello() is called
-  The ssl3_send_server_hello() will lead to calls to the following 
functions, in order: ssl3_write_bytes(), do_ssl3_write(), and 
ssl3_write_pending().
-  Meanwhile, the previous calls to SSL_write have data left to send 
and a call to ssl3_write_pending() is being made from do_ssl3_write().  I’m not 
sure of the code path from the server calling SSL_write() to 
do_ssl3_write()/ssl3_write_pending(), but I see do_ssl3_write() calling 
ssl3_write_pending() several times during the file transfer.
 
Does this scenario sound like it should be working?  I’m not sure what my 
server could be doing wrong?  A couple notes, 
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is not set on my server.  I’m not sure that 
it should or needs to be, I did notice in the code that that mode is one of the 
conditions that is checked for when throwing the SSL_R_BAD_WRITE_RETRY error.  
From what I’ve read, the SSL3_WRITE_PENDING error is caused by calling 
SSL_write() after getting SSL_ERROR_WANT_READ/WRITE with a different buffer 
than before.  However, my server is not calling SSL_write() after it gets the 
SSL_ERROR_WANT_READ error when the Client Hello comes in.  So it seems to me 
the error is being thrown because OpenSSL is internally calling 
ssl3_write_pending() incorrectly.
 
I have some traces of the scenario but I did not include them, they may make 
things more confusing.  They exists in two different places, logging in my 
server before/after SSL_read and SSL_write 
calls(SSL_get_error()/ERR_error_string() calls) as well as info_cb and msg_cb 
message that display the SSL records coming in and going out.  A separate trace 
exists of some syslog() calls I added to the OpenSSL code.  I know there is a 
way to build OpenSSL in debug mode, but I haven’t taken the time to do this 
yet.  Please advise if I should look at doing that, or include the logging I do 
have.
 
Thanks in advance. 
  

Re:How to disable weak/export ciphers

2012-01-31 Thread Ziyu Liu
HI, Sheng Liang
You may reference the following APIs:
  intSSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
  intSSL_set_cipher_list(SSL *s, const char *str);

These two functions use a cipher list string to customize ciphers during the 
handshake.The default is as follows:
#define SSL_DEFAULT_CIPHER_LIST"AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* 
low priority for RC4 */
There are some rules about it.You may see the documentation for more details.
doc ref:
http://www.openssl.org/docs/apps/ciphers.html#



At 2012-01-31 17:27:35,"Sheng Liang"  wrote:

Hi:
  I am doing some development work with openssl. My application is a server and 
will support SSL v3 protocol.
 
  I want to disable those weak/export ciphers during the SSL handshake session 
key generation. Unfortunately I don't find how to do it with openssl. The 
information found in internet are all about how to disable them with other SW, 
like apache.
 
  Could anyone please help me on this point?
 
 

Best Regards
_
Sheng Liang


How to disable weak/export ciphers

2012-01-31 Thread Sheng Liang
Hi:
  I am doing some development work with openssl. My application is a server and 
will support SSL v3 protocol.

  I want to disable those weak/export ciphers during the SSL handshake session 
key generation. Unfortunately I don't find how to do it with openssl. The 
information found in internet are all about how to disable them with other SW, 
like apache.

  Could anyone please help me on this point?



Best Regards
_
Sheng Liang