Re: openssl-0.9.2b on RPM (intel)
In article <[EMAIL PROTECTED]> you wrote: > also? i am wrong? or openssl-0.9.2b undoes previous security patch from > openssl-0.9.1c? on bnrec patch?, is BN working ok now with recursion? OpenSSL 0.9.2b includes a different variant of the patch. Recursion is disabled only for a subpart of the BN library which actually caused the problem. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
New Tools Proposal
Hi, I am implementing a new ca ( for the OpenCA Project ) and I have the need to access the signing routines and signing verification ones. Actually I didn't found any command line tool able to generate and/or verify PKCS#7 signatures (such as generated by signed forms by Netscape and other tools ...) What I am asking is if there is altready such a tool included in OpenSSL or if I have to write it by myself (and obviously adding it to the Project). Another Tool I need is one that gives me the ability to know the exact size (in bits) of the key in a SPKAC ( Netscaper Request ) file before signing it. I am Asking it to you because I didn't found anything in the documentation. Thank you in advance, Massimiliano Pala ([EMAIL PROTECTED]) __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL Error Handling
Can anybody tell me how to get and interpret errors in OpenSSL ? For Example I call SSL_Connect() and get a return code of -1. How do I get the error code and error string associated with the error, I can't find any documentation on this and all of the examples don't even care if it fails ? Thank YOU ! Jeff Roberts [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: New Tools Proposal
Mark J Cox wrote: > > > Actually I didn't found any command line tool able to generate and/or > > verify PKCS#7 signatures (such as generated by signed forms by Netscape > > and other tools ...) > > We've (C2Net) got a set of stand-alone command line programs for PKCS#7 > encrypt/decrypt that seem to work well. They need a little tidying but we > should be able to submit these to the project. > I think this would be best !!! Anyway can you send me the code so I can try it ? Just for testing ... Did you tested it with signatures generated by Signed Forms (use of Netscape Javascript crypto functions ) ?? Thank you in advance, Hope to hear you soon on the BitStream, Massimiliano Pala ( [EMAIL PROTECTED] ) __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
How to Revoke a Certificate ???
Hi, I have the need to revoke a certificate, anyway I cannot find the revoke facility to manage the job ( including altering the index.txt that I think is used to manage the CRL (??)). Where do I find it?? ( command line tool... ). Thanks for your attention, See you on the bit Stream, Massimiliano Pala ( [EMAIL PROTECTED] ) __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Server certificate chain in TLS.
Marc Jadoul wrote: > > Hi, > > >From RFC2246 (TLS V1.0) > > certificate_list >This is a sequence (chain) of X.509v3 certificates. The sender's >certificate must come first in the list. Each following >certificate must directly certify the one preceding it. Because >certificate validation requires that root keys be distributed >independently, the self-signed certificate which specifies the >root certificate authority may optionally be omitted from the >chain, under the assumption that the remote end must already >possess it in order to validate it in any case. > > In mod_ssl there is a chain for client auhentication > (SSLCACertificatePath, > SSLCACertificateFile ), but i do not see where to configure the chain > for the server certificate. > > Is there somewhere a possibility to configure this chain to send with > the server certificate ? > Isn't it the SSLCACertificatePath ?? See ya, Massimiliano Pala ([EMAIL PROTECTED]) __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
win32 port?
is there a windows port of openSSL? -- Son C. To | Systems Programmer The Wharton School, University of Penn. | Core Systems Group, phone : (215)898-5858 | Wharton Comp. and Info. Technology beeper: (215)330-9084 | email : [EMAIL PROTECTED] | fax : (215)573-6073 | __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: win32 port?
Sure! It compiles without problems on NT... Check the docs. --Patrik [EMAIL PROTECTED] wrote: > is there a windows port of openSSL? > > -- > Son C. To | Systems Programmer > The Wharton School, University of Penn. | Core Systems Group, > phone : (215)898-5858 | Wharton Comp. and Info. Technology > beeper: (215)330-9084 | > email : [EMAIL PROTECTED] | > fax : (215)573-6073 | > > __ > OpenSSL Project http://www.openssl.org > Development Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
0.9.2b Sparc problem
OpenSSL 0.9.2b, Solaris 2.5.1, SunPRO C 5.0, ./Configure solaris-sparc-sc4 All of the SunPRO C Configure entries suffer from the delusion that asm/sparc.o serves some useful purpose. This, of course, leads to: cc -o openssl -DMONOLITH -I../include -xO5 -Xa -DB_ENDIAN openssl.o verify.o asn1pars.o req.o dgst.o dh.o enc.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o version.o sess_id.o ciphers.o nseq.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto -lsocket -lnsl Undefined first referenced symbol in file bn_mul_comba4 ../libcrypto.a(bn_mul.o) bn_mul_comba8 ../libcrypto.a(bn_mul.o) bn_sqr_comba4 ../libcrypto.a(bn_sqr.o) bn_sqr_comba8 ../libcrypto.a(bn_sqr.o) bn_sub_words../libcrypto.a(bn_mul.o) bn_div_words../libcrypto.a(bn_word.o) ld: fatal: Symbol referencing errors. No output written to openssl Either asm/sparc.s needs to be fixed, or Configure needs to have all references to it removed. -- Carson Gaspar -- [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.cs.columbia.edu/~carson/home.html Queen Trapped in a Butch Body __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: 0.9.2b Sparc problem
On Fri, 26 Mar 1999 [EMAIL PROTECTED] wrote: I've been having the same problems under sparc as you have. I've moved down to SSLeay-0.8.1b (since I can get it to compile), but would like to use openssl. I haven't gotten any responses as to why this is happening, or how fo fix this. If anyone has information on how I would do this, I would be happy to hear about it. > Undefined first referenced > symbol in file > bn_mul_comba4 ../libcrypto.a(bn_mul.o) > bn_mul_comba8 ../libcrypto.a(bn_mul.o) > bn_sqr_comba4 ../libcrypto.a(bn_sqr.o) > bn_sqr_comba8 ../libcrypto.a(bn_sqr.o) > bn_sub_words../libcrypto.a(bn_mul.o) > bn_div_words../libcrypto.a(bn_word.o) > ld: fatal: Symbol referencing errors. No output written to openssl > > Either asm/sparc.s needs to be fixed, or Configure needs to have all > references to it removed. -- Albert Lai <[EMAIL PROTECTED]> 1018D East Campus Residential Computer Consultant 411 W. 116th St. Columbia University New York, NY 10027 http://www.columbia.edu/~aml61(212)853-4854 __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: 0.9.2b Sparc problem
perl ./Configure no-asm ... worked for me with 0.9.2b on Solaris 2.6. -- Ed Kubaitis - [EMAIL PROTECTED] CCSO - University of Illinois at Urbana-Champaign Albert Max Lai wrote: > > On Fri, 26 Mar 1999 [EMAIL PROTECTED] wrote: > > I've been having the same problems under sparc as you have. I've moved > down to SSLeay-0.8.1b (since I can get it to compile), but would like to > use openssl. I haven't gotten any responses as to why this is happening, > or how fo fix this. If anyone has information on how I would do this, I > would be happy to hear about it. > > > Undefined first referenced > > symbol in file > > bn_mul_comba4 ../libcrypto.a(bn_mul.o) > > bn_mul_comba8 ../libcrypto.a(bn_mul.o) > > bn_sqr_comba4 ../libcrypto.a(bn_sqr.o) > > bn_sqr_comba8 ../libcrypto.a(bn_sqr.o) > > bn_sub_words../libcrypto.a(bn_mul.o) > > bn_div_words../libcrypto.a(bn_word.o) > > ld: fatal: Symbol referencing errors. No output written to openssl > > > > Either asm/sparc.s needs to be fixed, or Configure needs to have all > > references to it removed. > > -- > Albert Lai <[EMAIL PROTECTED]> 1018D East Campus > Residential Computer Consultant 411 W. 116th St. > Columbia University New York, NY 10027 > http://www.columbia.edu/~aml61(212)853-4854 > > __ > OpenSSL Project http://www.openssl.org > Development Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Strong Primes
"Chad C. Mulligan" <[EMAIL PROTECTED]>: > Hmmm... I don't know how _efficient_ it is, but in the tests I did > on it, the average time to create a 1024 bit strong prime (and one > _guaranteed_ strong, by construction) was 1014 seconds, as opposed > to 2301 seconds for BN_generate_prime() with "strong" set to 1. What exactly do you mean by "strong" primes? BN_generate_prime() uses the word "strong" for what is more commonly called a "safe" prime, namely one where (p - 1)/2 is also prime. The word "strong" is traditionally (and I would like to be able to say "historically") used for RSA factors satisfying certain properties; namely: A prime p is called "strong" if p - 1 has a large prime factor p', p' - 1 again has a large prime factor, and p + 1 has a large prime factor. These requirements, together with p - 1 and q - 1 having a small GCD, make an RSA modulus resistant against certain attacks, which however are now superseded by more efficient methods (such as elliptic curve factoring), rendering this property worthless. (See Bob Silverman's papers on this topic, e.g. an article in some issue of CryptoBytes -- http://www.rsa.com> -- and some paper referenced from there, which should also be available at the RSA Labs web-site.) This kind of "strong" primes is mainly nostalgia. "Safe" primes, where q := (p - 1)/2 is prime, imply that there is one very large (order q) subgroup of (Z/pZ)*. More generally, we want a large prime q to be some divisor of p - 1. The order of the generator selected must be q or a multiple of q (it is absolutely not necessary that it generate all of (Z/pZ)*, which is how the cryptographic schemes are described in the original Diffie-Hellman and ElGamal papers.) q selected like that and an appropriate generator offer optimal resistance against "generic" algorithms for discrete logarithms, whose runtime is the root of the size of this subgroup. (Subgroups whose order has only small prime factors don't add any security against this kind of attacks.) It's really (generally believed to be) enough to have q so large that other known attacks become more efficient than the generic ones. For example, for a 1024 bit prime p, a 165 bit q should be enough. (And even if q is larger, you can select secret DH/ElGamal exponents with smaller sizes.) PGP uses for ElGamal encryption primes p where q is only about 10 bits smaller than p. While such large q's are not really needed for security reasons, they make it easy to make sure that 2 or some other small number is a generator of a subgroup the order of which is divided by q. That's very convenient, because the exponentiation x^k is much easier to compute for x = 2 than for large x. (Note that while PGP chooses a quite large q, the secret exponents are chosen rather small.) Alternatively, one could construct p - 1 to be the product of primes none of which, except for the inevitable 2, is smaller than what we want for q -- then we can also guarantee that 2 is okay as a generator. In any case, either we need to know all factors of p - 1, or we can't use a small generator. > [...] because of the way the algorithm works, the size is somewhat > variable, though this can be made better with empirical adjustments to the > seed-data. For example, after asking for 1024 bit primes, I tended > to end up with 1032 bit ones. I don't know if this is a problem or > not. Is it? It is: Export cipher suites need Diffie-Hellman parameters of no more than 512 bits. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PKCS@12 Support
I've read one of the primary objective is to include support for the PKCS#12. I've had some contact with Dr. Stephen Henson about his software: - Massimiliano Pala wrote: > > Hi! > > I have a question reguarding your software. I am working at the OpenCA > Project (www.openca.org) and I found your software useful to our needs. > I think it could be useful if it can be included in the OpenSSL package. > Anyway, I'd like to know if we can include your package in our > distribution. > I don't see any problem unless you think this is prohibited by the license: in which case let me know where you think there is a problem. You might want to wait a few days because a new version of the program will be coming out soon which fixes a few bugs. Steve. -- I think it could be usefull asking him to give us the possibility to include the code thus fully supporting OpenSSL. Who will contact him ? See you on the bit stream, Massimiliano Pala ([EMAIL PROTECTED]) __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: New Tools Proposal
> Actually I didn't found any command line tool able to generate and/or > verify PKCS#7 signatures (such as generated by signed forms by Netscape > and other tools ...) We've (C2Net) got a set of stand-alone command line programs for PKCS#7 encrypt/decrypt that seem to work well. They need a little tidying but we should be able to submit these to the project. Mark __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]