RE: [BUGFIX], was "Re: Problems with SHMCB session caching"
And there is one more type of SIGBUS problems around line 1103/line 1001 of ssl_scache_shmcb.c - some weird optimization being done by gcc and the resulting pointer is not aligned correctly (Geoff - I'd contacted you in late August regarding this).. I'd resolved it by opting 'cc' - and now, I'm not able to reproduce the problem again with gcc :-(.. Has anybody faced a similar problem because of gcc optimizations..

-Madhu

-Original Message-
From: Geoff Thorpe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 13, 2001 8:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [BUGFIX], was "Re: Problems with SHMCB session caching"

Ah, thanks Joe. I was trying to track down where I'd seen "another" such SIGBUS problem and couldn't for the life of me find it. I will roll this other case in together with the other stuff that's come up of late and resubmit it all back to Ralf ASAP.

Cheers,
Geoff

On Friday 14 December 2001 01:51, Joe Orton wrote:
> Anyone seeing SIGBUS's with shmcb might want to try this patch: we found
> some versions of gcc on some platforms could do dangerous optimisations.

[snip]

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
CRLs
Hi lists,

This is a repost,

Are ReasonCode & CRLReason CRL Extensions implemented in openssl-0.9.6b? idem with: cRLNumber, deltaCRLIndicator

How to configure CRL extensions section in openssl.cnf?

And last, there is an "unknown" field in openssl index.txt database field, could it be possible to write here "cRLNumber"?

Regards

--
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# e-fingerprint = 63:B0:7D:A1:23:BC:25:96:AE:B7:76:36:F3:07:1F:88
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .-
Re: [BUGFIX], was "Re: Problems with SHMCB session caching"
Ah, thanks Joe. I was trying to track down where I'd seen "another" such SIGBUS problem and couldn't for the life of me find it. I will roll this other case in together with the other stuff that's come up of late and resubmit it all back to Ralf ASAP.

Cheers,
Geoff

On Friday 14 December 2001 01:51, Joe Orton wrote:
> Anyone seeing SIGBUS's with shmcb might want to try this patch: we found
> some versions of gcc on some platforms could do dangerous optimisations.

[snip]
Re: Multiple CRLs with same CA
Hello there,

Thanks a lot for your help and input. Actually I found a solution to the problem. Entrust allows partitioned CRLs by default (CRLs are split for scalability purposes) but you can enable the combined CRL which will not be split (for compatibility, as the partitioned CRL is only an option in the standard). So this one works well with openssl/mod_ssl. Those 2 CRLs (combined and partitioned) will work both at the same time without problems.

If you want more info on that, don't hesitate to ask me.

Cheers,

Alec

From "Schaefer,Lorrayne J." <[EMAIL PROTECTED]> on 12 December 2001 9:07:02
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA

Hi everyone. I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust.

I agree with Rich Salz's response. OCSP is a great way to go (and, Valicert offers an Apache plug-in). :-)

Lorrayne

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
Re: Multiple CRLs with same CA
I'd ask a Valicert person, actually.

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Re: Multiple CRLs with same CA
Rich,

I'll check w/ an Entrust engineer today to see if I can get an honest (ha!) answer from him regarding your concerns.

Lorrayne
Re: Multiple CRLs with same CA
> Valicert has listed Entrust as one of its partners. I would assume that
> would mean that Valicert can interoperate with Entrust issued
> certificates.

I think it is stretching things to say that partnership implies full parsing of the various Entrust CRL's. How many partnerships do you know where full implementation or interop is implied? :)

/r$

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Re: Multiple CRLs with same CA
Valicert has listed Entrust as one of its partners. I would assume that would mean that Valicert can interoperate with Entrust issued certificates.

Lorrayne

Rich Salz wrote:
>
> Does Valicert support the various Entrust CRL extensions and
> partitioning?
>
> If not, then they're useless for this problem.
> /r$
>
> --
> Zolera Systems, Your Key to Online Integrity
> Securing Web services: XML, SOAP, Dig-sig, Encryption
> http://www.zolera.com
Re: Multiple CRLs with same CA
Yes, you can use OCSP with Entrust issued certificates.

Lorrayne

[EMAIL PROTECTED] wrote:
>
> Hello Lorrayne,
>
> Thanks for your input.
> By any chance, do you know if I can use OCSP with an Entrust CA (instead of
> CRLs)?
>
> Regards,
>
> Alec
>
> From "Schaefer,Lorrayne J." <[EMAIL PROTECTED]> on 12 December 2001
> 9:07:02
> To : [EMAIL PROTECTED]
> Copy To : [EMAIL PROTECTED]
> Subject : Re: Multiple CRLs with same CA
>
> Hi everyone. I was chatting with an Entrust engineer yesterday about
> partitioned CRLs (this is where you can break it down by something such as
> size). The only CA that currently does this to my knowledge is Entrust.
>
> I agree with Rich Salz's response. OCSP is a great way to go (and,
> Valicert offers an Apache plug-in). :-)
>
> Lorrayne
>
> Alec Barea
> PKI engineering team
> Equant
> Tel: +1 514 847-3436
> CVS: 225 3436
Re: [BUGFIX], was "Re: Problems with SHMCB session caching"
On Thu, Dec 13, 2001 at 04:56:34PM +1300, Geoff Thorpe wrote:
> Thanks again, and please let me know if you observe any other problems.
> FWIW: I'm currently looking to those SIGBUS problems.

Anyone seeing SIGBUS's with shmcb might want to try this patch: we found some versions of gcc on some platforms could do dangerous optimisations. Geoff helped out with this patch too - thanks Geoff.

--- pkg.sslmod/ssl_scache_shmcb.c.orig Fri Mar 30 11:00:34 2001 +++ pkg.sslmod/ssl_scache_shmcb.c Tue Jul 10 13:37:10 2001 @@ -354,6 +354,14 @@ return ret; } +/* This is necessary simply so that the size passed to memset() is not + * a compile-time constant, preventing the compiler from optimising + * it. */ +static void shmcb_safe_clear(void *ptr, size_t size) +{ +memset(ptr, 0, size); +} + static void shmcb_set_safe_time(time_t * ptr, time_t val) { unsigned char *to, *from; @@ -1174,7 +1182,7 @@ "internal error"); return FALSE; } -memset(idx, 0, sizeof(SHMCBIndex)); +shmcb_safe_clear(idx, sizeof(SHMCBIndex)); shmcb_set_safe_time(&(idx->expires), expiry_time); shmcb_set_safe_uint(&(idx->offset), new_offset);
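Review bot: in the first hunk shmcb_safe_clear() is declared static, and the only call shown (second hunk) passes sizeof(SHMCBIndex), so a compiler that inlines the wrapper sees a constant size again and is free to expand memset() exactly as it did before; the comment's claim that the size "is not a compile-time constant" holds only while the function stays out of line. Consider clearing byte by byte through an unsigned char pointer, in the style shmcb_set_safe_time() sets up with `unsigned char *to, *from;`, or otherwise guaranteeing the wrapper is not inlined. The comment should also state what the optimisation breaks (per the SIGBUS reports in this thread, a pointer that is not suitably aligned), so the wrapper is not later removed as redundant.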
RE: 'multiply defined' errors in compile...
> but when it gets to src/modules, it bombs... Has anyone
> encountered these 'multiply defined' errors, and figured
> out a way around them?

I had something similar the other day. Fundamentally it's a simple problem, but I know from my teaching days that people find this aspect of compilation a bit mysterious, so I'll go into grim detail.

The error is happening at the link stage of compilation. The makefile has called gcc over and over to compile all the bits of C and produced object code and libraries. Now it calls gcc again to put the bits together to produce the executable program httpd. The arguments to the linker are shown on the gcc call below.

It's found a symbol (a global variable or function name) in the library /usr/local/lib/libssl.a which it has already seen. The symbol is called SSL_SESSION_get_time. A library is an archived collection of object code files and it was scanning the object code file ssl_sess.o when it came across this symbol for the second time. It doesn't know which one to use.

A couple of possibilities: the symbol might be defined in another bit of object code or library that the linker has already scanned OR the object code file ssl_sess.o has been put into the library twice.

The problem is almost certainly to do with the way you have configured the build (using the configure script). In my case, the config builder script had screwed up and put an object code file into the list twice - my gcc link command was effectively:

    gcc foo.o foo.o -o thing

so it saw every symbol in foo.o twice. My version of gcc produced a more helpful message, saying that a symbol in foo.o was multiply defined, previously defined in foo.o. If the thing would tell you where it saw the symbol before, that would help you a lot. Are you using the latest version of gcc?

I notice that the list below contains "modules/ssl/libssl.a" and then "-lssl". The second expands into "scan the library libssl.a". Is this the problem?

A quick and dirty way to find out is to cut and paste the gcc command, fix it by removing one of the references to the library, issue it manually and see if the error goes away. If it does, start looking at your configuration to see why the problem occurs.

Simon

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Peter Losher
> Sent: 12 December 2001 01:54
> To: [EMAIL PROTECTED]
> Subject: 'multiply defined' errors in compile...
>
>
>
> I am trying to compile Apache v1.3.22 (w/ mod_ssl, PHP4 and
> mod_auth_krb5) on a DEC True64 v5.0 system, and most of the compile goes
> along smoothly, but when it gets to src/modules, it bombs...
>
> -=-
> <=== src/modules
> [...]
> gcc -DOSF1 -DMOD_SSL=208105 -I/home/plosher/httpd/php-4.1.0
> -I/home/pl/httpd/php-4.1.0/main -I/home/pl/httpd/php-4.1.0/main
> -I/home/pl/httpd/php-4.1.0/Zend -I/home/pl/httpd/php-4.1.0/Zend
> -I/home/pl/httpd/php-4.1.0/TSRM -I/home/pl/httpd/php-4.1.0/TSRM
> -I/home/pl/httpd/php-4.1.0 -DEAPI -DUSE_EXPAT -I./lib/expat-lite
> -DKRB5 -DKRB_DEF_REALM=\"DEFAULT\" `./apaci` -L/usr/local/lib-o httpd
> buildmark.o modules.o modules/ssl/libssl.a modules/extra/libextra.a
> modules/php4/libphp4.a modules/standard/libstandard.a main/libmain.a
> ./os/unix/libos.a ap/libap.a lib/expat-lite/libexpat.a
> -L/usr/local/krb5/lib -lkrb5 /usr/local/krb5/lib/libk5crypto.a -lcom_err
> -Wl,-rpath,/usr/local/pgsql/lib -L/usr/local/pgsql/lib -Lmodules/php4
> -L../modules/php4 -L../../modules/php4 -lmodphp4 -lpq -lresolv -lm
> -lresolv -lm -ldbm -lssl -lcrypto -lm
> /usr/bin/ld:
> /usr/local/lib/libssl.a(ssl_sess.o): SSL_SESSION_get_time:
> multiply defined
> /usr/local/lib/libssl.a(ssl_sess.o): SSL_SESSION_set_timeout:
> multiply defined
> /usr/local/lib/libssl.a(ssl_sess.o): SSL_SESSION_free: multiply defined
> /usr/local/lib/libssl.a(ssl_sess.o): SSL_get_session: multiply defined
> /usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_set_cipher_list:
> multiply defined
> /usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_new: multiply defined
> /usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_free: multiply defined
> /usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_get_cert_store:
> multiply defined
> /usr/local/lib/libssl.a(ssl_lib.o): SSL_clear: multiply defined
> /usr/local/lib/libssl.a(ssl_lib.o): SSL_get_current_cipher:
> multiply defined
> [...]
> collect2: ld returned 1 exit status
> *** Exit 1
> Stop.
> *** Exit 1
> Stop.
> *** Exit 1
> Stop.
> -=-
>
> Has anyone encountered these 'multiply defined' errors, and figured out a
> way around them?
>
> Thanks - Peter Losher
> --
> [EMAIL PROTECTED] - Internet Software Consortium - http://www.isc.org/
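The check described in the reply above (looking for an object file or library that the link line names twice), as an added example that is not part of the original thread. The function names are hypothetical and `LINK_CMD` is a constructed, abbreviated form of the quoted gcc command.

```python
import os
import shlex
from collections import defaultdict

# Constructed sample: abbreviated from the link command quoted in the thread.
LINK_CMD = (
    "gcc -DOSF1 -L/usr/local/lib -o httpd buildmark.o modules.o "
    "modules/ssl/libssl.a modules/standard/libstandard.a main/libmain.a "
    "-L/usr/local/krb5/lib -lkrb5 -lresolv -lm -lresolv -lm -ldbm "
    "-lssl -lcrypto -lm"
)

def link_inputs(cmd):
    """Yield (kind, key, token) for each object, archive or -l operand."""
    skip = False
    for tok in shlex.split(cmd)[1:]:
        if skip:                      # operand of -o is the output file
            skip = False
        elif tok == "-o":
            skip = True
        elif tok.startswith("-l"):    # -lssl means "scan libssl"
            yield "lib", "lib" + tok[2:], tok
        elif tok.endswith(".a"):      # explicit archive path
            yield "lib", os.path.basename(tok)[:-2], tok
        elif tok.endswith(".o"):
            yield "obj", tok, tok

def find_duplicates(cmd):
    """Return {name: [tokens]} for inputs the linker is told to scan twice."""
    seen = defaultdict(list)
    for kind, key, tok in link_inputs(cmd):
        seen[(kind, key)].append(tok)
    dups = {}
    for (kind, key), toks in seen.items():
        # Objects: the same path repeated (the "gcc foo.o foo.o" case).
        if kind == "obj" and len(toks) > 1:
            dups[key] = toks
        # Libraries: one name reached by two different spellings, e.g. an
        # explicit archive plus -l. A repeated -lm is the same spelling and
        # is not reported.
        elif kind == "lib" and len(set(toks)) > 1:
            dups[key] = toks
    return dups

if __name__ == "__main__":
    for name, toks in find_duplicates(LINK_CMD).items():
        print(f"{name}: {' '.join(toks)}")
```

A hit is only a lead: the two spellings may resolve to different files that happen to share a name, so confirm which archive actually defines the reported symbol before changing the configuration.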