[openssl.org #434] duplicate execution of callback with non-blocking SSL_accept

2003-01-22 Thread Lutz Jaenicke via RT

[jaenicke - Wed Jan 15 12:28:24 2003]:

> [[EMAIL PROTECTED] - Fri Jan  3 08:21:38 2003]:
> 
> > When a non-blocking SSL_accept() returns -1 with SSL_ERROR_WANT_READ
> > or
> > SSL_ERROR_WANT_WRITE set, the appropriate thing to do is to call
> > SSL_accept() again.

> I have analyzed your request. For me it seems, that s3_srvr.c already
> contains all the code necessary: the certificate is verified only once
> by ssl3_get_client_certificate() which is handled by its own state.
> It calls ssl_verify_cert_chain(), which performs the verification of
> the complete chain in one operation without being influenced by a
> blocking or non-blocking setup.
> I am using a non-blocking setup myself in Postfix/TLS and did not
> observe the verify_callback() being called twice for the same purpose.

According to my research, the behaviour matches the documentation and
the verify_callback() is not called more often than necessary.
As no new information came in with respect to this issue, I suppose that
 the problem was a misunderstanding of the expected behaviour.

-> Ticket resolved.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[openssl.org #436] openssl-0.9.7 inconsistency error

2003-01-22 Thread Lutz Jaenicke via RT

[jaenicke - Wed Jan 15 12:30:08 2003]:

> Any new information?

No response for another week.

I therefore close the ticket.



[openssl.org #472] Exception when running "openssl req" command after Jan 18th

2003-01-22 Thread Stephen Henson via RT

[[EMAIL PROTECTED] - Wed Jan 22 09:20:19 2003]:

> I have tried this with both 0.9.7-beta 3 and the official 0.9.7
> release.
> 
> Under windows, running the "openssl req" command causes an exception
> in
> libeay32.dll.  I found this on a machine that had been working
> perfectly and
> then suddenly started exceptioning.  On the advice of a co-developer,
> I
> tried setting the date back on my PC.
> 
> Lo and behold, I find that it works when I have my PC set to Jan 18th,
> 2003
> or earlier, but the second I am on Jan 19th or later I get the
> exception.
> 
> 
> Please let me know if there is any other useful information I can
> obtain.  I
> have not had a chance to try this on a Linux system yet, only Windows.

Are the OpenSSL DLL versions the same as the openssl utility? That is, is
the openssl utility picking up a different version of the DLLs?

You say 'openssl req': what was the precise command you ran? That is,
options etc.

What did you use to compile OpenSSL? If VC++ did you add any service
packs or the processor add on?

What version of Windows is this?

Steve.




Re: Problem with signing X509 certificate.

2003-01-22 Thread Dr. Stephen Henson
On Wed, Jan 22, 2003, Jaco Kroon wrote:

> Hallo all
> 
> I have a little problem atm where I have to sign certificates.  I have both
> the private key, and the ca certificate loaded as cacert and cakey
> respectively.  Here is the part of the code where I suspect
> things break.
> 
> /*
>  * Variables to be used:
>  * X509 *cacert; // contains CA certificate.
>  * EVP_PKEY *cakey; // contains CA private key.
>  */
> X509 *usrcert = X509_new();
> if(!usrcert)
> {
> log_ssl_errors("X509_new");
> return ERROR_NULL;
> }
> 
> if(!X509_set_version(usrcert,USRCERTVERSION))
> {
> log_ssl_errors("X509_set_version");
> return ERROR_SSL;
> }
> 
> if(!X509_set_issuer_name(usrcert,X509_get_subject_name(cacert)))
> {
> log_ssl_errors("X509_set_issuer_name/X509_get_subject_name");
> return ERROR_SSL;
> }
> 
> X509_gmtime_adj(X509_get_notBefore(usrcert),0);
> X509_gmtime_adj(X509_get_notAfter(usrcert),(long)60*60*24*TRIALPERIOD);
> 
> X509_NAME *subject = X509_NAME_new();
> if(!subject)
> {
> log_ssl_errors("X509_NAME_new");
> return ERROR_NULL;
> }
> 
> if(
>     !X509_NAME_add_entry_by_NID(subject,NID_pkcs9_emailAddress,MBSTRING_ASC,(unsigned char*)email,-1,-1,0) ||
>     !X509_NAME_add_entry_by_NID(subject,NID_commonName,MBSTRING_ASC,(unsigned char*)uname,-1,-1,0)
>   )
> {
> log_ssl_errors("X509_NAME_add_entry_by_NID");
> return ERROR_SSL;
> }
> 
> if(!X509_set_subject_name(usrcert,subject))
> {
> log_ssl_errors("X509_set_subject_name");
> return ERROR_SSL;
> }
> X509_NAME_free(subject);
> 
> if(!X509_set_pubkey(usrcert,pkey))
> {
> log_ssl_errors("X509_set_pubkey");
> return ERROR_SSL;
> }
> 
> EVP_MD *dgst = USR_DGST();
> res = X509_sign(usrcert,cakey,dgst);
> 
>  /*
>  * res now equals 128 - the size of the private rsa key.
>  */
> 
> I then go ahead and dump the certificate using X509_print and get
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number: 0 (0x0)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=ZA, ST=Gauteng, L=Pretoria, O=InterExcel, OU=BackupServer,
> [EMAIL PROTECTED]
> Validity
> Not Before: Jan 22 19:20:46 2003 GMT
> Not After : Feb 21 19:20:46 2003 GMT
> Subject: [EMAIL PROTECTED], CN=6feffc9edd8be3e8
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> Exponent: 65537 (0x10001)
> Signature Algorithm: sha1WithRSAEncryption
> 
> Which is what I want.  Except that when I perform the command "openssl
> verify -CAfile cacert.pem gencert.pem" I get the output:
> 
> error 7 at 0 depth lookup:certificate signature failure
> 
> And my own program gives more detail:
> 
> rsa routines::RSA_verify failed with error code 0x4077068 (bad signature).
> asn1 encoding routines::ASN1_verify failed with error code 0xd079006 (bad
> get asn1 object call).
> Certificate failed.
> 
> I output the X509 certificate using PEM_write_X509(stdout,usrcert) which I
> then pipe into a file.
> 

One problem is probably that you aren't setting the certificate serial number.
You will get the default of zero which will clash with the CA certificate
serial number. The issuer_name and serial number combination should be unique.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/



RE : RE : faster connexion

2003-01-22 Thread p b
It's exactly the same software on both sides, but the speed is now at 3.3
Moctets, not 3.3 Mbytes !!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Pablo Royo Moreno
Sent: Wednesday, 22 January 2003 20:22
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: RE : faster connexion



Or perhaps socket buffer size on the other side was low?(Just curiosity...)
May be increasing it you could reach even more speed because a
3.3Mb/(2*100Mb) = 0.016secs ping time seems high in a 100Mb ethernet.

Pablo J. Royo

-- Original Message --
From: "p b" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 22 Jan 2003 16:00:34 +0100

>In fact, it was the size of the buffer used to send the data which was too
>large!!
>Now I reach 3,3 Mo/s
>
>Thanks for your help, 
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Pablo J Royo
>Sent: Tuesday, 21 January 2003 17:11
>To: [EMAIL PROTECTED]
>Subject: Re: faster connexion
>
>I don't know, but I think your socket buffer may be very low, (default about
>8192 bytes or so) so your socket will never send to net as much bytes as he
>can.
>You can try to increase to 128Kb or 1Mb with setsockopt( ) function. (In
>fact it should be 2*(Bandwidth)*(ping time) to keep a full link)
>
>Try something like this:
>
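>int sock = socket(AF_INET, SOCK_STREAM, 0);
>
>/* SO_RCVBUF is a socket-level option, so the level must be SOL_SOCKET */
>int level = SOL_SOCKET;
>int bufsize = 128 * 1024;   /* requested buffer size in bytes */
>int *optval = &bufsize;
>int optlen = sizeof(bufsize);
>
>#ifdef WIN32
> int retval = setsockopt((SOCKET)sock,SOL_SOCKET,SO_RCVBUF,(char *)optval,optlen);
>#else
> int retval = setsockopt(sock,level,SO_RCVBUF,(char *)optval,optlen);
>#endif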
>
>Hope this helps
>
>Pablo J. Royo
>
>- Original Message -
>From: "p b" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, January 21, 2003 9:57 AM
>Subject: faster connexion
>
>
>> Hi,
>>
>> I have made a connexion between 2 computers linked by a 100Mb net.
>> I use BIO_s_connect and BIO_s_accept, but I can't transmit data faster
>> than 100ko/s (Even without SSL)! How can I "boost" my connexion :-)
>>
>> Thanks!
>>
>



Problem with signing X509 certificate.

2003-01-22 Thread Jaco Kroon
Hallo all

I have a little problem atm where I have to sign certificates.  I have both
the private key, and the ca certificate loaded as cacert and cakey
respectively.  Here is the part of the code where I suspect
things break.

/*
 * Variables to be used:
 * X509 *cacert; // contains CA certificate.
 * EVP_PKEY *cakey; // contains CA private key.
 */
X509 *usrcert = X509_new();
if(!usrcert)
{
log_ssl_errors("X509_new");
return ERROR_NULL;
}

if(!X509_set_version(usrcert,USRCERTVERSION))
{
log_ssl_errors("X509_set_version");
return ERROR_SSL;
}

if(!X509_set_issuer_name(usrcert,X509_get_subject_name(cacert)))
{
log_ssl_errors("X509_set_issuer_name/X509_get_subject_name");
return ERROR_SSL;
}

X509_gmtime_adj(X509_get_notBefore(usrcert),0);
X509_gmtime_adj(X509_get_notAfter(usrcert),(long)60*60*24*TRIALPERIOD);

X509_NAME *subject = X509_NAME_new();
if(!subject)
{
log_ssl_errors("X509_NAME_new");
return ERROR_NULL;
}

if(
    !X509_NAME_add_entry_by_NID(subject,NID_pkcs9_emailAddress,MBSTRING_ASC,(unsigned char*)email,-1,-1,0) ||
    !X509_NAME_add_entry_by_NID(subject,NID_commonName,MBSTRING_ASC,(unsigned char*)uname,-1,-1,0)
  )
{
log_ssl_errors("X509_NAME_add_entry_by_NID");
return ERROR_SSL;
}

if(!X509_set_subject_name(usrcert,subject))
{
log_ssl_errors("X509_set_subject_name");
return ERROR_SSL;
}
X509_NAME_free(subject);

if(!X509_set_pubkey(usrcert,pkey))
{
log_ssl_errors("X509_set_pubkey");
return ERROR_SSL;
}

EVP_MD *dgst = USR_DGST();
res = X509_sign(usrcert,cakey,dgst);

 /*
 * res now equals 128 - the size of the private rsa key.
 */

I then go ahead and dump the certificate using X509_print and get
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Gauteng, L=Pretoria, O=InterExcel, OU=BackupServer,
[EMAIL PROTECTED]
Validity
Not Before: Jan 22 19:20:46 2003 GMT
Not After : Feb 21 19:20:46 2003 GMT
Subject: [EMAIL PROTECTED], CN=6feffc9edd8be3e8
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption

Which is what I want.  Except that when I perform the command "openssl
verify -CAfile cacert.pem gencert.pem" I get the output:

error 7 at 0 depth lookup:certificate signature failure

And my own program gives more detail:

rsa routines::RSA_verify failed with error code 0x4077068 (bad signature).
asn1 encoding routines::ASN1_verify failed with error code 0xd079006 (bad
get asn1 object call).
Certificate failed.

I output the X509 certificate using PEM_write_X509(stdout,usrcert) which I
then pipe into a file.

Jaco




Re: ASN1_TIME inconsistent function behaviour

2003-01-22 Thread Lutz Jaenicke
On Tue, Jan 14, 2003 at 12:14:52PM +0100, [EMAIL PROTECTED] wrote:
> The following code results in an ASN1_TIME structure with internal length field 
> of 14.
>date = ASN1_TIME_new();
>ASN1_GENERALIZEDTIME_set_string(date, "20020819093712");
> 
> When extracting time out an existing certificate however with this date/time 
> would result in a length of 15.
>ASN1_GENERALIZEDTIME *gentime = ASN1_TIME_to_generalizedtime
> (X509_get_notBefore(cert), NULL);
> 
> Consequently ASN1_STRING_cmp(date1, date2) fails, although the strings are 
> exactly the same, 14 characters that make up the date followed by \0.
> 
> Have I missed something or is there a bug somewhere?

Please check out
 http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=429
If this covers your problem, it should be fixed in recent snapshots.
If it is not, please file a bug report to [EMAIL PROTECTED]

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: RE : faster connexion

2003-01-22 Thread Pablo Royo Moreno


Or perhaps socket buffer size on the other side was low?(Just curiosity...)
May be increasing it you could reach even more speed because a 3.3Mb/(2*100Mb) = 
0.016secs ping time seems high in a 100Mb ethernet.

Pablo J. Royo

-- Original Message --
From: "p b" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 22 Jan 2003 16:00:34 +0100

>In fact, it was the size of the buffer used to send the data which was too
>large!!
>Now I reach 3,3 Mo/s
>
>Thanks for your help,
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Pablo J Royo
>Sent: Tuesday, 21 January 2003 17:11
>To: [EMAIL PROTECTED]
>Subject: Re: faster connexion
>
>I don't know, but I think your socket buffer may be very low, (default about
>8192 bytes or so) so your socket will never send to net as much bytes as he
>can.
>You can try to increase to 128Kb or 1Mb with setsockopt( ) function. (In
>fact it should be 2*(Bandwidth)*(ping time) to keep a full link)
>
>Try something like this:
>
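>int sock = socket(AF_INET, SOCK_STREAM, 0);
>
>/* SO_RCVBUF is a socket-level option, so the level must be SOL_SOCKET */
>int level = SOL_SOCKET;
>int bufsize = 128 * 1024;   /* requested buffer size in bytes */
>int *optval = &bufsize;
>int optlen = sizeof(bufsize);
>
>#ifdef WIN32
> int retval = setsockopt((SOCKET)sock,SOL_SOCKET,SO_RCVBUF,(char *)optval,optlen);
>#else
> int retval = setsockopt(sock,level,SO_RCVBUF,(char *)optval,optlen);
>#endif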
>
>Hope this helps
>
>Pablo J. Royo
>
>- Original Message -
>From: "p b" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, January 21, 2003 9:57 AM
>Subject: faster connexion
>
>
>> Hi,
>>
>> I have made a connexion between 2 computers linked by a 100Mb net.
>> I use BIO_s_connect and BIO_s_accept, but I can't transmit data faster
>> than 100ko/s (Even without SSL)! How can I "boost" my connexion :-)
>>
>> Thanks!
>>
>



RE: [openssl.org #463] PATCH

2003-01-22 Thread Shklover, Vladimir via RT

Maybe it will change when all legal issues are resolved, I hope.
For now, I want to be sure that all possible combinations for aix 
shared build are tested (so far successfully) and when corresponding
changes could be included into the next release? I hope everything is OK.

Vladimir

-Original Message-
From: Rich Salz via RT [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 11:15 AM
To: Shklover, Vladimir
Cc: [EMAIL PROTECTED]
Subject: Re: [openssl.org #463] PATCH



> 2)Perhaps I did not make it clear but our policy is not to include 
> any cryptographic software directly into our applications.

You might want to reconsider this policy.  Do you expect much revenue 
from the banned country list?  Is it worth the development and support 
cost of keeping track with openssl versions?  Are you sure that you are 
not in violation if you say "install openssl on your own"?  (The answer 
to that last question *used* to be:  yes, you are in violation.  Now, I 
don't know.)

/r$




Re: [openssl.org #463] PATCH

2003-01-22 Thread Rich Salz via RT

> 2)Perhaps I did not make it clear but our policy is not to include 
> any cryptographic software directly into our applications.

You might want to reconsider this policy.  Do you expect much revenue 
from the banned country list?  Is it worth the development and support 
cost of keeping track with openssl versions?  Are you sure that you are 
not in violation if you say "install openssl on your own"?  (The answer 
to that last question *used* to be:  yes, you are in violation.  Now, I 
don't know.)

/r$




Re: [openssl.org #463] PATCH

2003-01-22 Thread Rich Salz
> 2)Perhaps I did not make it clear but our policy is not to include
> any cryptographic software directly into our applications.

You might want to reconsider this policy.  Do you expect much revenue 
from the banned country list?  Is it worth the development and support 
cost of keeping track with openssl versions?  Are you sure that you are 
not in violation if you say "install openssl on your own"?  (The answer 
to that last question *used* to be:  yes, you are in violation.  Now, I 
don't know.)

	/r$



RE: [openssl.org #463] PATCH

2003-01-22 Thread Shklover, Vladimir via RT

1)I checked "env OBJECT_MODE=64 make" in openssl-0.9.7-snapshot... for 2 cases:
  -automatically configured by  "./Configure aix64-cc ... shared",
   using *.exp files
  -when Makefile.org is modified to use -bautoexp instead of using
   *.exp files (the changes are the same which you asked for 32 bit)
   and then "./Configure aix64-cc ... shared" is run 
In both cases static and shared libraries were successfully built.
As I said earlier, usual "make" can also work for aix64-cc, with *.exp
(ld -b64 -r -o ..., nm -X 64 ...) as well as with -bautoexp (I have already 
sent you corresponding changes). Now, whether you want to build by usual 
"make", "env OBJECT_MODE=64 make", with *.exp or -bautoexp, is up to you. 
Does it finally cover all possible combinations you wanted to test?

***Mainly for US based developers**

2)Perhaps I did not make it clear but our policy is not to include 
any cryptographic software directly into our applications. The reason 
is that one of the latest US laws prohibits exporting cryptography
to certain countries (especially those supporting terrorism). OpenSSL 
itself, as I understand, is legally OK for public availability because 
it is non-commercial and already posted on the Web. However, we are not
in the position to export it (although using it is always OK). This, 
in fact, is said in references from openssl README files

http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html 
http://w3.access.gpo.gov/bis/ear/pdf/740.pdf Section 740.13(e), p.25

Therefore, the acceptable legal solution for us is to build application 
which can use openssl but in such a way that the user himself would be 
responsible for installation of openssl, creating libssl.so & libcrypto.so 
which would then be dynamically loaded by our application. Those who started 
before the mentioned law was adopted, didn't have to worry at that time. 
Of course, you can say that openssl is accessible to everyone from the Web 
but that is another question because you are allowed to export your own, 
non-commercial product (although I am not a lawyer to give any legal
conclusion). Maybe, we will add some additional measures which would not
allow unauthorized users to use SSL in our software. Anyway, this is our
policy based on the law and for now it remains in effect. Do I understand
that binary compatibility for shared libraries is expected since 1.0 release?

Vladimir

-Original Message-
From: Andy Polyakov via RT [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 21, 2003 3:14 PM
To: Shklover, Vladimir
Cc: [EMAIL PROTECTED]
Subject: Re: [openssl.org #463] PATCH



> 1)I just got aix64-cc shared build succeed with -bautoexp. It was possible to
> modify Makefile pretty similar to aix43-cc.
  ^^ But the challenge is to construct the rule which can be
parametrized through configure line. But as already mentioned, I'd
appreciate if you could verify if 'env OBJECT_MODE=64 make' works with
snapshot configured with './Configure aix64-cc shared'.

> 2)You are right, the version openssl-0.9.7 did not contain 0.9.7
> extension for aix but in my changes (which appear to be in snapshot
> version) I included these extensions to be consistent with other
> platforms where shared build contain these extension.

Right! Without access I'm bound to miss such things:-)

> I made experimental builds without extensions just for myself;
> I didn't send you such changes to Makefile. The reason I did that for
> myself is that if you link a module, say module.so with soname
  ^^ Does
AIX support soname or similar option? There was nothing of that sort in
ld manual page I've found on the web...

> libcrypto.so.0.9.6, you can not then dynamically load it with
> libcrypto.so.0.9.7.

And that is *intentional*! We don't want users to load 0.9.7 library
into an application originally linked with 0.9.6.

> (we are not physically including libssl.so... & libcrypto.so... into
> our software and SSL connection will work if the user installs openssl
> himself).

You should *not* rely on this and should consider providing copy of
shared libs with your application. Yes, it might appear a bit
meaningless, you could as well link it statically, but that's the way
it. Binary compatibility is *not* provided across OpenSSL releases and
interchanging .so modules *might* result in unpredictable result and it
will be hell to troubleshoot. A.




[openssl.org #474] [PATCH]

2003-01-22 Thread [EMAIL PROTECTED] via RT




using SSL_CTX_set_cert_verify_callback

2003-01-22 Thread Tzvika Visman
Hi all,

We want to verify the certificate chain without using the built-in
function to verify the peer's certificate chain automatically.
So we try to changed from the default via a call to
SSL_CTX_set_cert_verify_callback and implement our own verify
function.
Our own verify function need to work asynchronous.
Can we return to the SSl_verify_cert_chain function something like a
"PENDING" answer and to return later with the verification result ?


Tzvika Visman
Spearhead Ltd.
Haavoda 11 Rosh-Hayin
Tel: 972-3-9030590
Fax: 972-3-9030593
www.sphd.com




Re: [openssl.org #444] Win32 crash in PEM_read_X509

2003-01-22 Thread Michael Hunley
Yes, that is a common one, though it was more prevalent in early MSVC7 
(.NET) than in MSVC6.  Another common problem is nested for loops.
If you just can't figure out why a particular function is generating bad 
asm code, it is also possible to use #pragma optimize("off",0)  (syntax 
might be slightly off) around just the function(s) that is failing, rather 
than turn off optimizations globally. But then you have to remember to go 
fix it some day and remove the #pragma.

michael

At 02:58 PM 1/15/2003 +0100, Andy Polyakov via RT wrote:

> One is that AES using 192 or 256 bit ciphers produces the wrong result.
>
> > Have you traced into it at all?

Try this:-)

--- ./crypto/aes/aes_core.c.origWed Nov 13 15:01:18 2002
+++ ./crypto/aes/aes_core.c Wed Jan 15 01:54:08 2003
@@ -750,7 +750,7 @@
rk[2] = GETU32(userKey +  8);
rk[3] = GETU32(userKey + 12);
if (bits == 128) {
-   for (;;) {
+   while (1) {
temp  = rk[3];
rk[4] = rk[0] ^
(Te4[(temp >> 16) & 0xff] & 0xff00) ^
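Review bot: The `bits == 128` loop is changed here although the report quoted above concerns only 192- and 256-bit keys, and nothing visible shows the 128-bit path producing wrong results. Either drop this hunk or say in the commit message that it is changed only to keep the three loops consistent.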
@@ -770,7 +770,7 @@
rk[4] = GETU32(userKey + 16);
rk[5] = GETU32(userKey + 20);
if (bits == 192) {
-   for (;;) {
+   while (1) {
temp = rk[ 5];
rk[ 6] = rk[ 0] ^
(Te4[(temp >> 16) & 0xff] & 0xff00) ^
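Review bot: The switch to `while (1)` in the `bits == 192` branch carries no comment marking it as a compiler workaround, so a later style cleanup could restore `for (;;)` and bring the bad code generation back. Add a short comment above each changed loop naming the compiler and version that needs it.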
@@ -792,7 +792,7 @@
rk[6] = GETU32(userKey + 24);
rk[7] = GETU32(userKey + 28);
if (bits == 256) {
-   for (;;) {
+   while (1) {
temp = rk[ 7];
rk[ 8] = rk[ 0] ^
(Te4[(temp >> 16) & 0xff] & 0xff00) ^
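Review bot: This `bits == 256` loop is the only change the accompanying message reports as needed to pass ms\test, which leaves open whether that test exercises the 192-bit key schedule at all. Before merging, confirm that both the 192- and 256-bit paths are covered by known-answer vectors, so the workaround can be verified now and removed safely once the compiler is fixed.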

Well, just to get through the ms\test, only last change is sufficient.
No, it doesn't make sense, compiler bugs don't usually do. This is
already second occasion when I run into such problem. I.e. when
compiler generates bad code for "for(;;)," but not for "while(1)."
Last time it was egcs... A.




[PATCH]

2003-01-22 Thread SWoloszyn
Textual explanation:


  this patch to OpenSSL 0.9.7 (official release) adds crypto engine support for Chrysalis-ITS, Inc. Luna CA3 token (and compatible tokens).


Files modified:


  crypto/engine/eng_all.c
  crypto/engine/engine.h
  crypto/engine/Makefile.ssl
  crypto/engine/Makefile (actually, a symbolic link to crypto/engine/Makefile.ssl)



Files added:


  crypto/engine/vendor_defns/chrysalis-its.h
  crypto/engine/hw_lunaca3.c
  crypto/engine/hw_lunaca3_err.h
  crypto/engine/hw_lunaca3_err.c



Steve Woloszyn 
Software Developer 
mailto:[EMAIL PROTECTED] 


Chrysalis-ITS, Inc. 
One Chrysalis Way 
Ottawa, ON K2G 6P9 
Phone: 613-723-5076 ext 3220 
Fax: 613-274-6365 
http://www.chrysalis-its.com






openssl-lunaca3-patch-0.9.7.tar.gz
Description: Binary data


Re: [openssl.org #451] SX6 port

2003-01-22 Thread Wendy Palm
Andy Polyakov via RT wrote:


+ "sx6", "cc:-g -DTERMIOS::(unknown):::SIXTY_FOUR_BIT DES_INT:::",



No optimization? Not even lousy -O?



-g overrides any optimization you give, and i think there's a problem with
the optimizer anyway because with default optimization, aes-128-cbc test fails.
it's fine with -g.



SIXTY_FOUR_BIT? SIXTY_FOUR_BIT aims ILP32 ABIs implemented on 64-bit
CPUs, N32 ABI on IRIX 6 is one example. If your sizeof(long)==8, then
you should use SIXTY_FOUR_BIT_LONG. Please confirm.



thank you for the note.  yes, it should be SIXTY_FOUR_BIT_LONG.

wendy




--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
[EMAIL PROTECTED], 651-605-9154



ASN1_TIME inconsistent function behaviour

2003-01-22 Thread paul
The following code results in an ASN1_TIME structure with internal length field 
of 14.
   date = ASN1_TIME_new();
   ASN1_GENERALIZEDTIME_set_string(date, "20020819093712");

When extracting time out an existing certificate however with this date/time 
would result in a length of 15.
   ASN1_GENERALIZEDTIME *gentime = ASN1_TIME_to_generalizedtime
(X509_get_notBefore(cert), NULL);

Consequently ASN1_STRING_cmp(date1, date2) fails, although the strings are 
exactly the same, 14 characters that make up the date followed by \0.

Have I missed something or is there a bug somewhere?

Paul



Re: [openssl.org #447] [Fwd: Bug#176058: openssl: Should askpassword only after basic input validation]

2003-01-22 Thread Florian Weimer
"Richard Levitte via RT" <[EMAIL PROTECTED]> writes:

> It would be good to know exactly which openssl commands are involved
> in this issue.  I'm pretty sure this issue only applies for some of
> them.

"openssl ca" is one of them, and probably the most cumbersome.
"openssl req -new -out $FILE" does not verify that $FILE is a writable
file.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898



Re: [openssl.org #456] openssl 0.9.7, bug in ui_lib.c:general_allocate_string

2003-01-22 Thread Jacques A. Vidrine
On Mon, Jan 13, 2003 at 03:16:46PM +0100, Richard Levitte via RT wrote:
>
> Hello,
>
> Thanks for the report.  Unfortunately, your conclusions are
> incorrect.  The functions that you spotted in ui_lib.c return the
> expected values, it's UI_UTIL_read_pw() that interprets those values
> incorrectly.

Ah, I see.  There seems to be a bit of confusion about that.  A quick
survey of consumers of general_allocate_string:

general_allocate_string
    In reality, returns negative for error

  UI_add_input_string
      Comment says `Returns the index to the place in the stack or 0 for
      error.' --> zero for error
    password_callback
        `ok >= 0' --> negative for error
    hwcrhk_get_pass
        ignores return value
    EVP_read_pw_string
        ignores return value
    UI_UTIL_read_pw
        `ok == 0' --> non-zero for error

  UI_dup_input_string
      Comment says `Same as UI_add_input_string()' --> zero for error

  UI_add_verify_string
    password_callback
        `ok >= 0' --> negative for error
    EVP_read_pw_string
        ignores return value
    UI_UTIL_read_pw
        `ok == 0' --> non-zero for error

  UI_dup_verify_string
      No callers

  UI_add_info_string
      No callers

  UI_dup_info_string
    hwcrhk_insert_card
        `ok >= 0' --> negative for error

  UI_add_error_string
      No callers

  UI_dup_error_string
      No callers


So yeah, I guess UI_UTIL_read_pw and the comment for
UI_add_input_string et al. are incorrect.  Previously I stopped
looking after seeing that comment :-)  oops

> I'm committing a change that should fix this.  Please try tomorrows
> snapshot.
>
> This ticket is now resolved.

Thanks much!  Your fix looks correct to me.
Cheers,
-- 
Jacques A. Vidrine <[EMAIL PROTECTED]>  http://www.celabo.org/
NTT/Verio SME  . FreeBSD UNIX .   Heimdal Kerberos
[EMAIL PROTECTED] .  [EMAIL PROTECTED]  .  [EMAIL PROTECTED]
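
The mismatch surveyed in the message above, as an added C model (not OpenSSL code and not part of the original message). model_add_string is a hypothetical stand-in that is assumed to return a positive index on success and a negative value on error; the three checks are the caller conventions from the list.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_CAP 2  /* constructed capacity so the error path is reachable */
struct model_stack { const char *items[MODEL_CAP]; int count; };

/* Hypothetical producer: positive index on success (assumed), negative
 * on error, never zero. */
static int model_add_string(struct model_stack *s, const char *prompt)
{
    if (s == NULL || prompt == NULL || s->count >= MODEL_CAP)
        return -1;
    s->items[s->count++] = prompt;
    return s->count;
}

/* The three caller conventions from the survey: 1 means "treated as success". */
static int ok_negative_is_error(int ok) { return ok >= 0; }  /* `ok >= 0' */
static int ok_nonzero_is_error(int ok)  { return ok == 0; }  /* `ok == 0' */
static int ok_zero_is_error(int ok)     { return ok != 0; }  /* per the comment */

/* Number of return values that a convention classifies wrongly. */
static int misclassified(int (*accepts)(int), const int *rets,
                         const int *truth, int n)
{
    int wrong = 0;
    for (int i = 0; i < n; i++)
        if (accepts(rets[i]) != truth[i])
            wrong++;
    return wrong;
}

int main(void)
{
    struct model_stack s = { {0}, 0 };
    int truth[3] = { 1, 1, 0 };   /* two prompts fit, the third must fail */
    int rets[3];
    rets[0] = model_add_string(&s, "Enter pass phrase:");
    rets[1] = model_add_string(&s, "Verifying:");
    rets[2] = model_add_string(&s, "One too many");
    printf("returns: %d %d %d\n", rets[0], rets[1], rets[2]);
    printf("`ok >= 0' misreads %d of 3\n", misclassified(ok_negative_is_error, rets, truth, 3));
    printf("`ok == 0' misreads %d of 3\n", misclassified(ok_nonzero_is_error, rets, truth, 3));
    printf("`ok != 0' misreads %d of 3\n", misclassified(ok_zero_is_error, rets, truth, 3));
    return 0;
}
```

In this model only the `ok >= 0' convention agrees with the producer: `ok == 0' rejects every successful call, and the "zero for error" reading of the comment accepts the failed one.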



[no subject]

2003-01-22 Thread ahmad fadlallah
Hi,
I am trying to sign a document in the S/MIME format. I did this either by
using the command smime or using PKCS7_sign and SMIME_write_PKCS7,
but when I tried to verify the signed file with "smime -verify" I obtained the
message:
Segmentation fault (core dumped)

And when I tried with the function PKCS7_verify, it always returns zero
(fail). I followed the source code while debugging and found that the problem
was in the function PKCS7_signatureVerify, and precisely in the function
(memcmp(message_digest->data,md_dat,md_len)) when it tries to compare the
digests; this function returns a non-zero value (the two digests are not the
same).

Please could someone tell me what the problem is, and whether there is a bug or
an error, and could someone give me an example of how to make a
tested S/MIME signing/verifying procedure?
Thanks








SSL connection openssl.0.9.7 with openssl.0.9.7-beta5

2003-01-22 Thread Blue-Boonchai Aussawasongsilp



To all,
I implemented SSL with openssl.0.9.7 and it works,
and I upgraded to openssl.0.9.7-beta5 and it works too,
but when I use openssl.0.9.7 mixed with openssl.0.9.7-beta5 it does not work
(client 0.9.7, server beta5 / or / client beta5, server 0.9.7).

I am confused why the same SSL does not work.
Thanks for your answer.




RE : faster connexion

2003-01-22 Thread p b
In fact, it was the size of the buffer used to send the data which was too
large!!
Now I reach 3,3 Mo/s

Thanks for your help, 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
behalf of Pablo J Royo
Sent: Tuesday, 21 January 2003 17:11
To: [EMAIL PROTECTED]
Subject: Re: faster connexion

I don't know, but I think your socket buffer may be very low (default about
8192 bytes or so), so your socket will never send to the net as many bytes as
it can.
You can try to increase it to 128Kb or 1Mb with the setsockopt( ) function. (In
fact it should be 2*(Bandwidth)*(ping time) to keep a full link.)

Try something like this:

/* inside a function; needs <sys/socket.h>, or <winsock2.h> on Windows */
int sock = socket(AF_INET, SOCK_STREAM, 0);

/* SO_RCVBUF is a socket-level option, so the level is SOL_SOCKET */
int level = SOL_SOCKET;
int optval = 128 * 1024;  /* requested buffer size in bytes */
int optlen = sizeof(optval);

#ifdef WIN32
 int retval = setsockopt((SOCKET)sock,level,SO_RCVBUF,(char *)&optval,optlen);
#else
 int retval = setsockopt(sock,level,SO_RCVBUF,(char *)&optval,optlen);
#endif

Hope this helps

Pablo J. Royo

- Original Message -
From: "p b" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 21, 2003 9:57 AM
Subject: faster connexion


> Hi,
>
> I have made a connexion between 2 computers linked by a 100Mb net.
> I use BIO_s_connect and BIO_s_accept, but I can't transmit data faster
> than 100ko/s (Even without SSL)! How can I "boost" my connexion :-)
>
> Thanks!
>
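
The sizing rule from the reply above (2 * bandwidth * ping time), as an added C example that is not part of the original messages: it computes the size, requests it for both directions, and reads back what the kernel granted. buffer_bytes and tune_socket are hypothetical helper names, the 2 ms ping is a constructed figure, and POSIX sockets are assumed.

```c
#include <limits.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Buffer size from the rule quoted above: 2 * bandwidth * ping time.
 * Both arguments are caller-supplied measurements. */
static int buffer_bytes(unsigned long long bits_per_sec,
                        unsigned long long rtt_usec)
{
    unsigned long long bytes_per_sec = bits_per_sec / 8;
    if (rtt_usec != 0 && bytes_per_sec > ULLONG_MAX / 2 / rtt_usec)
        return INT_MAX;                 /* product would overflow: clamp */
    unsigned long long n = 2 * bytes_per_sec * rtt_usec / 1000000ULL;
    return n > INT_MAX ? INT_MAX : (int)n;
}

/* Request `want` bytes for both directions and report what the kernel
 * actually granted. Returns 0 on success, -1 on any socket error. */
static int tune_socket(int sock, int want, int *got_snd, int *got_rcv)
{
    socklen_t len = sizeof(int);
    if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, &want, sizeof(want)) != 0 ||
        setsockopt(sock, SOL_SOCKET, SO_RCVBUF, &want, sizeof(want)) != 0)
        return -1;
    if (getsockopt(sock, SOL_SOCKET, SO_SNDBUF, got_snd, &len) != 0)
        return -1;
    len = sizeof(int);
    if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, got_rcv, &len) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed figures: the 100 Mbit/s link from the thread, 2 ms ping. */
    int want = buffer_bytes(100000000ULL, 2000ULL);
    int snd = 0, rcv = 0;
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) { perror("socket"); return 1; }
    if (tune_socket(sock, want, &snd, &rcv) != 0) {
        perror("sockopt");
        close(sock);
        return 1;
    }
    printf("asked for %d, got SO_SNDBUF=%d SO_RCVBUF=%d\n", want, snd, rcv);
    close(sock);
    return 0;
}
```

On Linux the value read back is normally double the request and is capped by net.core.wmem_max and net.core.rmem_max, so the readback is the figure to trust.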




[openssl.org #473] generalized X500 name compare

2003-01-22 Thread Nils Larsch via RT

Hi,

would it be possible to implement a slightly more general
X500 name compare in OpenSSL ? Currently OpenSSL accepts only
strings with the same encoding type (i.e. OpenSSL compares
only PRINTABLE with PRINTABLE and not PRINTABLE with T61STRING,
although every PRINTABLE string is also a T61STRING). Could
OpenSSL be modified (see attached patch) to allow a comparison
between PRINTABLE and T61STRING, IA5STRING or UTF8STRING
(<=> with supersets of PRINTABLE) ? Comments are welcome.

Regards,
Nils
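
A sketch of the comparison rule requested above, as an added C example; it is not the attached patch (which is not reproduced here) and not OpenSSL code. The struct and function names are hypothetical, same-type values are compared byte for byte as a simplification, and a cross-type match is allowed only when both values stay inside the PrintableString alphabet.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASN.1 universal tag numbers for the string types named in the request. */
enum { TAG_UTF8 = 12, TAG_PRINTABLE = 19, TAG_T61 = 20, TAG_IA5 = 22 };
struct name_value { int tag; const unsigned char *data; size_t len; };

/* True if every byte belongs to the PrintableString alphabet. */
static int printable_only(const unsigned char *p, size_t n)
{
    static const char extra[] = " '()+,-./:=?";
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        int alnum = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && (c == 0 || strchr(extra, c) == NULL))
            return 0;
    }
    return 1;
}

static int superset_of_printable(int tag)
{
    return tag == TAG_T61 || tag == TAG_IA5 || tag == TAG_UTF8;
}

/* Returns 1 if the two values match under the requested rule, else 0. */
static int values_match(const struct name_value *a, const struct name_value *b)
{
    if (a->tag != b->tag) {
        const struct name_value *pr = a->tag == TAG_PRINTABLE ? a : b;
        const struct name_value *other = pr == a ? b : a;
        if (pr->tag != TAG_PRINTABLE || !superset_of_printable(other->tag))
            return 0;             /* e.g. T61 against UTF8: still no match */
        /* Bytes are comparable across types only inside the shared alphabet. */
        if (!printable_only(pr->data, pr->len) ||
            !printable_only(other->data, other->len))
            return 0;
    }
    return a->len == b->len &&
           (a->len == 0 || memcmp(a->data, b->data, a->len) == 0);
}

int main(void)
{
    /* Constructed sample values. */
    struct name_value p = { TAG_PRINTABLE, (const unsigned char *)"Example CA", 10 };
    struct name_value t = { TAG_T61, (const unsigned char *)"Example CA", 10 };
    printf("PRINTABLE vs T61STRING: %d\n", values_match(&p, &t));
    return 0;
}
```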



[openssl.org #472] Exception when running "openssl req" command after Jan 18th

2003-01-22 Thread [EMAIL PROTECTED] via RT

I have tried this with both 0.9.7-beta 3 and the official 0.9.7 release.

Under windows, running the "openssl req" command causes an exception in
libeay32.dll.  I found this on a machine that had been working perfectly and
then suddenly started exceptioning.  On the advice of a co-developer, I
tried setting the date back on my PC.

Lo and behold, I find that it works when I have my PC set to Jan 18th, 2003
or earlier, but the second I am on Jan 19th or later I get the exception.


Please let me know if there is any other useful information I can obtain.  I
have not had a chance to try this on a Linux system yet, only Windows.