Getting 'no shared ciphers' while connecting to the server
Hi All,

I'm using Apache 1.3.31 with mod_ssl 2.8.17 and OpenSSL 0.9.7d binaries. I use RSA-based self-signed certificates for SSL communication. My httpd.conf has the following SSLCipherSuite configured:

SSLSessionCacheTimeout 600
SSLOptions +StdEnvVars +ExportCertData
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But, in a freshly installed server, the server doesn't accept any requests and I get the following errors repeatedly in the Apache error log:

mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
[Mon May 23 13:37:43 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]

I browsed the modssl FAQ and found that sometimes regenerating certificates helps. I regenerated the server certificates, but I'm still facing the same issue. Has anybody experienced such an error? Any help is appreciated.

Thanks in advance,
-Alaka

__ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SHA512
`/var/local/src/libs/openssl-0.9.8/crypto/sha'
cc -I.. -I../.. -I../../include -DOPENSSL_THREADS -Kthread -DFILIO_H -DNO_STRINGS_H -c sha_dgst.c
UX:acomp: ERROR: ../../include/openssl/sha.h, line 172: invalid type combination
UX:acomp: ERROR: ../../include/openssl/sha.h, line 173: invalid type combination
UX:acomp: ERROR: ../../include/openssl/sha.h, line 175: invalid type combination
gmake[2]: *** [sha_dgst.o] Error 1

This problem still exists with the OpenSSL_0_9_8-stable branch pulled Mon May 30 19:47:25 PDT 2005.

Can you confirm that the problem persists even if you './config no-sha512'(*)? If you can confirm this, then you would have to speculate why it happens, in your opinion. A.

(*) It will advise you to run 'make depend'; it might fail with your make [working on it], but it's safe to compile without running 'make depend'.
Re: gcc performance regression on md2 from gcc-2.95.3?
I'm looking into http://gcc.gnu.org/PR19923 which claims that gcc-4.0 is slower on 'openssl speed' than earlier versions. The only huge regression seems to be in md2.

Note that most of the code involved in the report in question is hand-coded assembler. Meaning that the report [or your conclusion that md2 is the only one suffering] isn't necessarily representative in respect to compiler optimizations per se. If you want to perform a fairer comparison between compiler versions, configure the toolkit with the no-asm option to compare compiler-generated code.

Has anyone else looked at this yet?

No. A.
Re: AIX 64-bit build.
I have built a 64-bit version of OpenSSL on AIX 5, and it is failing the test on bn_sqr. It looks like the bn_sqr or bn_div functions are not working for very large numbers. Has anyone else run into this problem?

Has anyone run into this problem?

BN_sqr test failure is mentioned in the FAQ, so you can bet that someone has run into a similar problem:-) Note that the FAQ discusses additional information you're supposed to provide, in addition to that mentioned in the SUPPORT section of the README file. Without this it's quite impossible to tell why it fails in your particular case. A.
Re: How to debug under Solaris-x86?
On 2005.05.25 at 23:53:13 +0200, Andy Polyakov wrote:

I guess it was erroneously omitted in some newer release. Try to patch your run-time environment by executing http://www.openssl.org/~appro/values.c and report back. The patch is designed to work with both old and new GCC releases. A.

With this patch it works on both my Solaris x86 machines

== first one ==
uname -a
SunOS elk 5.8 Generic_108529-23 i86pc i386 i86pc
as -V
as: Sun WorkShop 6 99/08/16
ld -V
ld: Software Generation Utilities - Solaris-ELF (4.0)
gcc -v
Reading specs from /usr/local/lib/gcc-lib/i386-pc-solaris2.8/3.3/specs
Configured with: ../configure --disable-nls --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld
Thread model: posix
gcc version 3.3

== second one ===
uname -a
SunOS sol9 5.9 Generic_112234-03 i86pc i386 i86pc
as -V
as: Forte Developer 7 Compiler Common 7.0 IA32-iteam 2001/12/12
ld -V
ld: Software Generation Utilities - Solaris Link Editors: 5.9-1.276
gcc -v
Reading specs from /usr/local/lib/gcc-lib/i386-pc-solaris2.9/3.3.2/specs
Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls
Thread model: posix
gcc version 3.3.2
==

Interesting thing is that I have compiled lots of various software on both these machines but never before encountered this problem with GCC runtime. What makes OpenSSL so special that it hits this bug in the GCC runtime?
Re: How to debug under Solaris-x86?
I guess it was erroneously omitted in some newer release. Try to patch your run-time environment by executing http://www.openssl.org/~appro/values.c and report back. The patch is designed to work with both old and new GCC releases. A.

With this patch it works on both my Solaris x86 machines

SunOS elk 5.8 Generic_108529-23 i86pc i386 i86pc

Linker bug is apparently older than this and I can confirm that it's still present in SunOS 5.10 x86[_64].

What makes OpenSSL so special that it hits this bug in the GCC runtime?

Custom .init segment which claims 16-byte alignment. Not aligning it makes it SEGV with older GCC compilations, and aligning - with newer ones:-( Suggested patch to run-time environment makes an arrangement so that it works with either:-) A.
[openssl.org #1081] 0.9.8 beta 2 on solaris 10
OpenSSL self-test report:

OpenSSL version: 0.9.8-beta2
Last change: Add attribute functions to EVP_PKEY structure. Modify...
Options: enable-threads enable-shared enable-zlib no-gmp no-krb5 no-mdc2 no-rc5 no-zlib-dynamic
OS (uname): SunOS shadow 5.10 Generic_118844-01 i86pc i386 i86pc
OS (config): i86pc-whatever-solaris2
Target (default): solaris-x86-gcc
Target: solaris-x86-gcc
Compiler: Configured with: /usr/gcc-3.4.4/configure --with-as=/usr/local/bin/as --with-gnu-as --with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-threads --enable-shared --enable-multilib --with-cpu=pentium4 --enable-languages=c,c++ --disable-nls
Thread model: posix
gcc version 3.4.4

Test skipped.
Test report in file testlog

During build:

make[2]: Entering directory `/junk/openssl-0.9.8-beta2/apps'
make[2]: Leaving directory `/junk/openssl-0.9.8-beta2/apps'
(cd ..; \
OPENSSL=`pwd`/util/opensslwrap.sh; export OPENSSL; \
/usr/bin/perl tools/c_rehash certs)
Doing certs
Segmentation Fault
eng1.pem = .0
Segmentation Fault
WARNING: Skipping duplicate certificate eng2.pem
Segmentation Fault
WARNING: Skipping duplicate certificate eng3.pem
Segmentation Fault
WARNING: Skipping duplicate certificate eng4.pem
Segmentation Fault
WARNING: Skipping duplicate certificate eng5.pem
Segmentation Fault
WARNING: Skipping duplicate certificate RegTP-5R.pem
Segmentation Fault
WARNING: Skipping duplicate certificate RegTP-6R.pem
Segmentation Fault
WARNING: Skipping duplicate certificate thawteCb.pem
Segmentation Fault
WARNING: Skipping duplicate certificate thawteCp.pem
Segmentation Fault
WARNING: Skipping duplicate certificate wellsfgo.pem
Segmentation Fault
WARNING: Skipping duplicate certificate vsign1.pem
Segmentation Fault
WARNING: Skipping duplicate certificate vsign3.pem
Segmentation Fault
WARNING: Skipping duplicate certificate vsignss.pem
make[1]: Leaving directory `/junk/openssl-0.9.8-beta2/apps'
making all in test...
make[1]: Entering directory `/junk/openssl-0.9.8-beta2/test'

Build finishes

Then:

# make test
Doing certs
Segmentation Fault
eng1.pem = .0
Segmentation Fault
WARNING: Skipping duplicate certificate eng2.pem
Segmentation Fault
WARNING: Skipping duplicate certificate eng3.pem
Segmentation Fault
WARNING: Skipping duplicate certificate eng4.pem
Segmentation Fault
WARNING: Skipping duplicate certificate eng5.pem
Segmentation Fault
WARNING: Skipping duplicate certificate RegTP-5R.pem
Segmentation Fault
WARNING: Skipping duplicate certificate RegTP-6R.pem
Segmentation Fault
WARNING: Skipping duplicate certificate thawteCb.pem
Segmentation Fault
WARNING: Skipping duplicate certificate thawteCp.pem
Segmentation Fault
WARNING: Skipping duplicate certificate wellsfgo.pem
Segmentation Fault
WARNING: Skipping duplicate certificate vsign1.pem
Segmentation Fault
WARNING: Skipping duplicate certificate vsign3.pem
Segmentation Fault
WARNING: Skipping duplicate certificate vsignss.pem
touch rehash.time
testing...
make[1]: Entering directory `/junk/openssl-0.9.8-beta2/test'
make[2]: Entering directory `/junk/openssl-0.9.8-beta2'
making all in apps...
make[3]: Entering directory `/junk/openssl-0.9.8-beta2/apps'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/junk/openssl-0.9.8-beta2/apps'
make[2]: Leaving directory `/junk/openssl-0.9.8-beta2'
../util/shlib_wrap.sh ./destest
make[1]: *** [test_des] Segmentation Fault
make[1]: Leaving directory `/junk/openssl-0.9.8-beta2/test'
make: *** [tests] Error 2

Should you have any other question or concern, please don't hesitate to contact me.

--
J.D. Bronson
Information Services - Telecom
Aurora West Allis Memorial Hospital
Re: [openssl.org #1081] 0.9.8 beta 2 on solaris 10
Target: solaris-x86-gcc
Compiler: Configured with: /usr/gcc-3.4.4/configure --with-as=/usr/local/bin/as --with-gnu-as --with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-threads --enable-shared --enable-multilib --with-cpu=pentium4 --enable-languages=c,c++ --disable-nls
Thread model: posix
gcc version 3.4.4

(cd ..; \
OPENSSL=`pwd`/util/opensslwrap.sh; export OPENSSL; \
/usr/bin/perl tools/c_rehash certs)
Doing certs
Segmentation Fault
eng1.pem = .0

Download http://www.openssl.org/~appro/values.c and patch your run-time by issuing 'ksh -f values.c'. This is not formally a problem with OpenSSL, but *between* OpenSSL, Solaris ld and GCC. A.
[openssl.org #1082] PATCH: Solaris-sparcv8 openssl-0.9.8-beta2 compilation error
Problem: build fails on any Solaris sparcv8 because sparcv8.o is not built.

FIX: add the compilation step to crypto/bn/Makefile

*** openssl-0.9.8-beta2/crypto/bn/Makefile.orig Mon May 16 12:55:19 2005 --- openssl-0.9.8-beta2/crypto/bn/Makefile Mon May 30 08:22:58 2005 *** *** 79,84 --- 79,85 (cd asm; $(PERL) co-586.pl a.out $(CFLAGS) ../$@) sparcv8.o:asm/sparcv8.S + $(CC) $(CFLAGS) -c asm/sparcv8.S sparcv8plus.o:asm/sparcv8plus.S $(CC) $(CFLAGS) -c asm/sparcv8plus.S

Andrew Sherman
Executive Director, IT Security
Morgan Stanley
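Review bot: The submission lacks the failing make output and the make program used, so the reason the 'sparcv8.o:asm/sparcv8.S' target produced nothing before this change cannot be confirmed from the patch alone. The added recipe line '$(CC) $(CFLAGS) -c asm/sparcv8.S' matches the explicit recipe already shown for 'sparcv8plus.o' directly below it, which keeps the two targets consistent; stating the exact command that failed and the platform's make would let the maintainer tell whether the empty target or the build environment was at fault.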
[openssl.org #1083] Compilation error in crypto/pqueue/pqueue.c on hpux-parisc-cc shared
cc: pqueue.h, line 73: error 1000: Unexpected symbol: BN_ULLONG.
cc: pqueue.h, line 73: error 1573: Type of priority is undefined due to an illegal declaration.
cc: pqueue.h, line 73: error 1578: Size of struct or union member is unknown.
cc: pqueue.h, line 80: error 1000: Unexpected symbol: priority.
cc: pqueue.h, line 80: error 1573: Type of priority is undefined due to an illegal declaration.
cc: pqueue.h, line 89: error 1000: Unexpected symbol: BN_ULLONG.
cc: pqueue.h, line 89: error 1573: Type of priority is undefined due to an illegal declaration.
cc: pqueue.c, line 71: error 1000: Unexpected symbol: priority.
cc: pqueue.c, line 71: error 1573: Type of priority is undefined due to an illegal declaration.
cc: pqueue.c, line 77: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 77: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 77: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 127: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 127: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 127: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 127: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 127: error 1563: Expression in if must be scalar.
cc: pqueue.c, line 139: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 139: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 139: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 139: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 139: error 1563: Expression in if must be scalar.
cc: pqueue.c, line 167: error 1000: Unexpected symbol: BN_ULLONG.
cc: pqueue.c, line 167: error 1573: Type of priority is undefined due to an illegal declaration.
cc: pqueue.c, line 178: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 178: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 178: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 178: error 1563: Expression in if must be scalar.
cc: pqueue.c, line 186: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 186: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 186: error 1554: Indirection must be through a pointer.
cc: pqueue.c, line 186: error 1563: Expression in if must be scalar.
cc: pqueue.c, line 210: error 1531: Invalid member of struct or union.
cc: pqueue.c, line 210: warning 563: Argument #2 is not the correct type.
*** Error exit code 1
Stop.
*** Error exit code 1
Stop.
*** Error exit code 1
Stop.
*** Error exit code 1
Stop.

Heymen Nicolaij
Technisch Specialist
Getronics PinkRoccade
[openssl.org #1084] Incorrect RIPEMD160 calculation on Solaris/Sparc-64 bit
Attempt to build Openssl-0.9.8-stable-SNAP-20050530 on Solaris 8 sparc using 64-bit mode (solaris64-sparcv9-gcc target) results in error in RIPEMD160 tests. If test_rmd target is excluded from the tests, all other tests pass correctly

-- output of make test

../util/shlib_wrap.sh ./rmdtest
error calculating RIPEMD160 on '' got f5d0d8106761315059ae6b26b7b8f8d709bbad31 instead of 9c1185a5c5e9fc54612808977ee8f548b2258d31
error calculating RIPEMD160 on 'a' got b043ec680ea550029fa8c516614e87e4b12b6e76 instead of 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe
error calculating RIPEMD160 on 'abc' got 0f60a77c70133e49f0e9673a01cc2a3594576b5e instead of 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
error calculating RIPEMD160 on 'message digest' got 7e0241d14c654e046a285674449a450c0a525228 instead of 5d0689ef49d2fae572b881b123a85ffa21595f36
error calculating RIPEMD160 on 'abcdefghijklmnopqrstuvwxyz' got b15da71470095d6395c53a3522a99154000ec885 instead of f71c27109c692c1b56bbdceb5b9d2865b3708dbc
error calculating RIPEMD160 on 'abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq' got a9cf9607242ef0bfddf85d5505a17ff806e01f6e instead of 12a053384a9c0c88e405a06c27dcf49ada62eb2b
error calculating RIPEMD160 on 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' got c7b9e967202835df2eb3309032e3937c95c46f07 instead of b0e20b6e3116640286ed3a87a5713079b21f5189
error calculating RIPEMD160 on '12345678901234567890123456789012345678901234567890123456789012345678901234567890' got 9dd5182e0f4062f7dbfcee9b300a26e94bd99301 instead of 9b752e45573d4b39f4dbd3323cab82bf63326bfb
make[1]: *** [test_rmd] Error 8

-- output of make report

OpenSSL self-test report:

OpenSSL version: 0.9.8-beta3
Last change: Correct naming of the 'chil' and '4758cca' ENGINEs. Thi...
Options: enable-shared -R/usr/local/lib/sparcv9 -L/usr/local/lib/sparcv9 no-gmp no-krb5 no-mdc2 no-rc5 no-zlib no-zlib-dynamic
OS (uname): SunOS sundae 5.8 Generic_108528-23 sun4u sparc SUNW,Ultra-1
OS (config): sun4u-whatever-solaris2
Target (default): solaris-sparcv9-gcc
Target: solaris64-sparcv9-gcc
Compiler: Configured with: ../configure --disable-nls --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld
Thread model: posix
gcc version 3.3

Test skipped.

-- output of as -V

as: Sun WorkShop 6 99/08/18

-- output of ld -V

ld: Software Generation Utilities - Solaris Link Editors: 5.8-1.283
Re: [openssl.org #1082] PATCH: Solaris-sparcv8 openssl-0.9.8-beta2 compilation error
Problem: build fails on any Solaris sparcv8 because sparcv8.o is not built.

FIX: add the compilation step to crypto/bn/Makefile

*** openssl-0.9.8-beta2/crypto/bn/Makefile.orig Mon May 16 12:55:19 2005 --- openssl-0.9.8-beta2/crypto/bn/Makefile Mon May 30 08:22:58 2005 *** *** 79,84 --- 79,85 (cd asm; $(PERL) co-586.pl a.out $(CFLAGS) ../$@) sparcv8.o:asm/sparcv8.S + $(CC) $(CFLAGS) -c asm/sparcv8.S sparcv8plus.o:asm/sparcv8plus.S $(CC) $(CFLAGS) -c asm/sparcv8plus.S

I don't quite understand this... Both Solaris make and gmake have built-in rules for transforming .S to .o, and it worked for ages for me... How come it became problem? A.
Re: [openssl.org #1084] Incorrect RIPEMD160 calculation on Solaris/Sparc-64 bit
Attempt to build Openssl-0.9.8-stable-SNAP-20050530 on Solaris 8 sparc using 64-bit mode (solaris64-sparcv9-gcc target) results in error in RIPEMD160 tests. If test_rmd target is excluded from the tests, all other tests pass correctly

-- output of make test

../util/shlib_wrap.sh ./rmdtest
error calculating RIPEMD160 on '' got f5d0d8106761315059ae6b26b7b8f8d709bbad31 instead of 9c1185a5c5e9fc54612808977ee8f548b2258d31

Not again! This was discussed a couple of times. It's a sparc64-specific gcc bug. Upgrade compiler or drop optimization level. A.
[openssl.org #1082] PATCH: Solaris-sparcv8 openssl-0.9.8-beta2 compilation error
rule added, case dismissed.
[openssl.org #1084] Incorrect RIPEMD160 calculation on Solaris/Sparc-64 bit
Not OpenSSL problem. Explicitly mentioned in ./PROBLEMS, case dismissed.
[openssl.org #1081] 0.9.8 beta 2 on solaris 10
One can argue if it's GCC, Solaris or OpenSSL problem. The bug and workaround is mentioned in ./PROBLEMS, case dismissed.
Re: DOS patch for 0.9.8 beta 2 (was Re: [ANNOUNCE] OpenSSL 0.9.8 beta 2 released)
The beta 2 of 0.9.8 requires a small patch to compile with DJGPP under DOS. mtu and sock_type are defined by headers from the WATT-32 library and need to be undefined. The backslash in the definition of DEVRANDOM (encoding the $) also causes an error when compiling. I don't think that these changes will have an adverse effect on other platforms.

The latter proposed change, quoting DEVRANDOM, shall have adverse effect on other platforms. Can you elaborate on the error during compilation instead? As for mtu and sock_type. Is it possible to resolve it by modifying e_os[2].h instead? It would be more elegant... A.
Re: [openssl.org #1084] Ticket Resolved
On 2005.05.31 at 14:40:46 +0200, Andy Polyakov via RT wrote:

Hello

According to our records, your request has been resolved. If you have any further questions or concerns, please respond to this message.

Bug 1084 was resolved with following diagnostics

Not OpenSSL problem. Explicitly mentioned in ./PROBLEMS, case dismissed

But I cannot find anything related to my situation: solaris64-sparcv9-gcc, gcc version 3.3, RIPEMD160 algorithm. As far as I can understand, each problem description in the PROBLEMS file starts with an asterisk at the first position of the line.

grep -n '^\*' PROBLEMS shows:

1:* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
42:* Parallell make leads to errors
51:* Bugs in gcc 3.0 triggered
66:* solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.
74:* Problems with hp-parisc2-cc target when used with no-asm flag
93:* Problems building shared libraries on SCO OpenServer Release 5.0.6

Obviously, the problem mentioned on line 66 is irrelevant. The problem mentioned on line 51 seems not to be relevant to gcc 3.3 either. Please point me to the line number which describes my problem.

I'm using openssl-0.9.8-stable-SNAP-20050530

With best regards, Victor.

P.S. Note a typo on line 42 of PROBLEMS file.
Re: [openssl.org #1084] Ticket Resolved
Bug 1084 was resolved with following diagnostics

Not OpenSSL problem. Explicitly mentioned in ./PROBLEMS, case dismissed

But I cannot find anything related to my situation:

You've got to read between the lines. "Explicitly mentioned in ./PROBLEMS" might as well mean "./PROBLEMS file was just modified to explicitly mention the problem in question". Also note that your situation is indirectly covered by the SUPPORT section in the ./README file:

If you have any problems with OpenSSL then please take the following steps *first*:
...
- Remove compiler optimisation flags

So that we shouldn't have this discussion at all:-)

grep -n '^\*' PROBLEMS shows:

1:* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
42:* Parallell make leads to errors
51:* Bugs in gcc 3.0 triggered

If you have to know, this paragraph now reads:

* Bugs in gcc triggered
...
- According to multiple problem reports, some of our message digest implementations trigger bug[s] in code optimizer in gcc 3.3 for sparc64 and gcc 2.96 for ppc. Former fails to complete RIPEMD160 test, while latter - SHA one. The recomendation is to upgrade your compiler. This naturally applies to other similar cases.

A.
DJGPP patch for 0.9.8-beta3
There is one problem with beta-3 which also occurred in earlier versions, but which I had overlooked, since no errors were generated. On DJGPP, install_docs stops after installing man1/CA.pl.1. No other man pages were installed. The rest of the installation went fine. I believe that this occurs because of non-portable assumptions about return values made by the makefile. The attached patch fixes it for DJGPP. I had previously reported this problem (see rt tickets #932 and 989).

Doug
--
Doug Kaufman Internet: [EMAIL PROTECTED]

--- Makefile.org.ori2005-05-21 08:37:38.0 -0800 +++ Makefile.org2005-05-31 06:46:58.0 -0800 @@ -511,7 +511,7 @@ if [ $(PLATFORM) = DJGPP -o $(PLATFORM) = Cygwin -o $(PLATFORM) = mingw ]; then \ filecase=-i; \ fi; \ - set -e; for i in doc/apps/*.pod; do \ + for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ sec=`$(PERL) util/extract-section.pl 1 $$i`; \ echo installing man$$sec/$$fn.$${sec}$(MANSUFFIX); \ @@ -528,7 +528,7 @@ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) $$n.$${sec}$(MANSUFFIX); \ done); \ done; \ - set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \ + for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ sec=`$(PERL) util/extract-section.pl 3 $$i`; \ echo installing man$$sec/$$fn.$${sec}$(MANSUFFIX); \
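Review bot: Removing 'set -e;' in front of both loops ('for i in doc/apps/*.pod' at -511 and 'for i in doc/crypto/*.pod doc/ssl/*.pod' at -528) turns off abort-on-error on every platform, not only DJGPP, so a failed step while installing a man page would no longer stop install_docs anywhere. The first hunk already carries a platform test ('if [ $(PLATFORM) = DJGPP -o $(PLATFORM) = Cygwin -o $(PLATFORM) = mingw ]' setting 'filecase=-i'); the same kind of test could keep 'set -e' in force on the other platforms. The message also does not name the command whose return value differs under DJGPP; identifying it and guarding only that command would be a narrower fix than dropping the check from both loops.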
Re: DOS patch for 0.9.8 beta 2 (was Re: [ANNOUNCE] OpenSSL 0.9.8 beta 2 released)
On Tue, 31 May 2005, Andy Polyakov wrote:

The beta 2 of 0.9.8 requires a small patch to compile with DJGPP under DOS. mtu and sock_type are defined by headers from the WATT-32 library and need to be undefined. The backslash in the definition of DEVRANDOM (encoding the $) also causes an error when compiling. I don't think that these changes will have an adverse effect on other platforms.

The latter proposed change, quoting DEVRANDOM, shall have adverse effect on other platforms. Can you elaborate on the error during compilation instead? As for mtu and sock_type. Is it possible to resolve it by

The quoting of DEVRANDOM was incorporated into beta3, so the problems on other platforms should be reported soon. I just reverted the quoting and did make. Here is the log from the compilation attempt. This uses the value of DEVRANDOM given for DJGPP in the Configure script. I am using gcc version 3.3.2. The DJGPP equivalent for /dev/urandom is /dev/urandom$. An equivalent that should also work (if that will help the syntax) would be URANDOM$ instead of /dev/urandom$.

gcc -I.. -I../.. -I../../include -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=/dev/urandom\x24 -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o rand_unix.o rand_unix.c
rand_unix.c: In function `RAND_poll':
rand_unix.c:156: error: parse error before '/' token
rand_unix.c:156: error: stray '\' in program
make.exe[2]: *** [rand_unix.o] Error 1
make.exe[2]: Leaving directory `d:/djgpp/ssl98-beta2/openssl-0.9.8-beta3/crypto/rand'
make.exe[1]: *** [subdirs] Error 1
make.exe[1]: Leaving directory `d:/djgpp/ssl98-beta2/openssl-0.9.8-beta3/crypto'
make.exe: *** [build_crypto] Error 1

modifying e_os[2].h instead? It would be more elegant... A.

I'll try to do this soon.

Doug
--
Doug Kaufman Internet: [EMAIL PROTECTED]
Re: gcc performance regression on md2 from gcc-2.95.3?
Andy Polyakov wrote:

I'm looking into http://gcc.gnu.org/PR19923 which claims that gcc-4.0 is slower on 'openssl speed' than earlier versions. The only huge regression seems to be in md2.

Note that most of the code involved in the report in question is hand-coded assembler. Meaning that the report [or your conclusion that md2 is the only one suffering] isn't necessarily representative in respect to compiler optimizations per se. If you want to perform a fairer comparison between compiler versions, configure the toolkit with the no-asm option to compare compiler-generated code.

I'm interested in the observed performance regression even with the hand-coded assembly; that simply should not be happening. But thanks for the tip; I will also look for performance regressions with the no-asm option.

Has anyone else looked at this yet?

No.

Thanks for the info.
- Dan
[openssl.org #1085] DJGPP patch for 0.9.8-beta3
There is one problem with beta-3 which also occurred in earlier versions, but which I had overlooked, since no errors were generated. On DJGPP, install_docs stops after installing man1/CA.pl.1. No other man pages were installed. The rest of the installation went fine. I believe that this occurs because of non-portable assumptions about return values made by the makefile. The attached patch fixes it for DJGPP. I had previously reported this problem (see rt tickets #932 and 989).

Doug
--
Doug Kaufman Internet: [EMAIL PROTECTED]
[openssl.org #1086] openssl-0.9.8-beta3 on ULTRIX 4.5 (cc)
Environment: openssl-0.9.8-beta3, ULTRIX 4.5, ultrix-cc

- crypto/sha/sha512.c fails to compile

cc -I.. -I../.. -I../../include -DZLIB ... -DL_ENDIAN -c sha512.c
cfe: Error: sha512.c, line 61: Syntax Error
c->h[0]=0xcbbb9d5dc1059ed8ULL ;
^

long long is only partially supported, i.e. add/sub work, but mul/div/... not; see http://archive.apache.org/gnats/4940

- disabling SHA512 with no-sha512 does not work as expected

./Configure no-sha512 ...
make depend
make
:
cc -I.. -I../.. -I../../include -DZLIB ... -DL_ENDIAN -c sha512.c
cfe: Error: sha512.c, line 59: Syntax Error
int SHA384_Init (SHA512_CTX *c)
^

OPENSSL_NO_SHA512 gets defined in crypto/opensslconf.h, so the !defined(OPENSSL_NO_SHA512) comes too early in crypto/sha/sha512.c - or sha512.c should be compiled with -DOPENSSL_NO_SHA512 in this case.

- crypto/pqueue/pqueue.c fails to compile

cc -I.. -I../.. -I../../include -DZLIB ... -DL_ENDIAN -c pqueue.c
cfe: Error: ./pqueue.h, line 73: Syntax Error
BN_ULLONG priority;
^

In the THIRTY_TWO_BIT case, BN_ULLONG gets defined in crypto/bn/bn.h only if BN_LLONG is defined, there is no else for environments without 64-bit integer support. The VMS_TEST hack (?) in crypto/pqueue/pq_compat.h works on ULTRIX ("Other environments ... can safely use the code developed for VMS."), crypto/pqueue/pqueue.c, ssl/d1_lib.c, and ssl/d1_pkt.c compile OK.

Summary: With ./Configure no-sha512 -DOPENSSL_NO_SHA512 -DVMS_TEST ultrix-cc openssl-0.9.8-beta3 builds on ULTRIX 4.5 with cc.

Bernhard Simon, TU Wien, ZID/StS
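The missing "else" branch described in the report above, as an added example (not code from OpenSSL or from the original message): a type guard that falls back to a two-word representation of a 64-bit priority when no native 64-bit integer is available, cross-checked against the native type. The macro NO_NATIVE_U64 and all prio_*/pair_* names are hypothetical, and <stdint.h> is assumed for brevity.

```c
/* Added example; every name below is hypothetical, not OpenSSL's. */
#include <stdio.h>
#include <stdint.h>

/* Fallback representation: one 64-bit value held as two 32-bit words. */
typedef struct { uint32_t hi, lo; } prio_pair;

static prio_pair pair_make(uint32_t hi, uint32_t lo)
{
    prio_pair p;
    p.hi = hi;
    p.lo = lo;
    return p;
}

/* Three-way compare (-1, 0, 1); the high word decides first. */
static int pair_cmp(prio_pair a, prio_pair b)
{
    if (a.hi != b.hi) return a.hi < b.hi ? -1 : 1;
    if (a.lo != b.lo) return a.lo < b.lo ? -1 : 1;
    return 0;
}

/* Increment, carrying from the low word into the high word. */
static prio_pair pair_inc(prio_pair a)
{
    a.lo = (a.lo + 1u) & 0xFFFFFFFFu;
    if (a.lo == 0) a.hi = (a.hi + 1u) & 0xFFFFFFFFu;
    return a;
}

/* The guard with both branches: a build for a compiler without a usable
 * 64-bit integer would pass -DNO_NATIVE_U64 and get the pair type. */
#if defined(NO_NATIVE_U64)
typedef prio_pair prio_t;
# define PRIO_IS_NATIVE 0
static prio_t prio_make(uint32_t hi, uint32_t lo) { return pair_make(hi, lo); }
static int prio_cmp(prio_t a, prio_t b) { return pair_cmp(a, b); }
static prio_t prio_inc(prio_t a) { return pair_inc(a); }
#else
typedef uint64_t prio_t;
# define PRIO_IS_NATIVE 1
static prio_t prio_make(uint32_t hi, uint32_t lo) { return ((uint64_t)hi << 32) | lo; }
static int prio_cmp(prio_t a, prio_t b) { return (a > b) - (a < b); }
static prio_t prio_inc(prio_t a) { return a + 1; }
#endif

/* Walk the selected type and the fallback through the same constructed
 * sample values (including carry and wrap-around) and count disagreements. */
static int prio_selfcheck(void)
{
    static const uint32_t s[][2] = {
        {0u, 0u}, {0u, 0xFFFFFFFEu}, {0u, 0xFFFFFFFFu}, {1u, 0u},
        {0x7FFFFFFFu, 0xFFFFFFFFu}, {0xFFFFFFFFu, 0xFFFFFFFFu}
    };
    size_t i, j, n = sizeof s / sizeof s[0];
    int bad = 0;

    for (i = 0; i < n; i++) {
        prio_pair pi = pair_make(s[i][0], s[i][1]);
        prio_pair pn = pair_inc(pi);
        prio_t ni = prio_make(s[i][0], s[i][1]);

        if (prio_cmp(prio_inc(ni), prio_make(pn.hi, pn.lo)) != 0) bad++;
        for (j = 0; j < n; j++) {
            prio_pair pj = pair_make(s[j][0], s[j][1]);
            prio_t nj = prio_make(s[j][0], s[j][1]);
            if (pair_cmp(pi, pj) != prio_cmp(ni, nj)) bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("native 64-bit type in use: %d, disagreements: %d\n",
           PRIO_IS_NATIVE, prio_selfcheck());
    return 0;
}
```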
[openssl.org #1087] Memory leak - OpenSSL 0.9.7g
Hello,

I would like to report a memory leak in SSL_connect(). The following code sample was checked for memory leaks using Purify and shows a 13K leak in SSL_connect().

1. Am I doing something wrong?
2. Will there be a fix soon?

Sincerely yours.
Karim sharif

    #include <windows.h>
    #include <winsock.h>
    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <string.h>   /* memset() */
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/ssl.h>
    #include <openssl/rand.h>

    char sname[1024];
    char iname[1024];
    char peerCN[1024];
    struct sockaddr_in RemoteAddress;

    int main(void)
    {
        BIO *conn;
        SSL *servercon;
        SSL_CTX *ssl_ctx;
        SOCKET ThisSocket;
        int fd_width;
        int i;
        X509 *peer;
        SSL_METHOD *method;
        WORD wVersionRequested;
        WSADATA wsaData;
        int err;

        wVersionRequested = MAKEWORD( 2, 2 );
        err = WSAStartup( wVersionRequested, &wsaData );
        if ( err != 0 ) {
            /* Tell the user that we could not find a usable */
            /* WinSock DLL. */
            return 0;
        }

        /* Library initialisation */
        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();

        conn = BIO_new(BIO_s_connect());
        if (conn == NULL) { printf("BIO_new() failed\n"); exit(0); }

        method = SSLv3_client_method();
        if (method == NULL) { printf("SSLv3_client_method() failed\n"); exit(0); }

        i = RAND_load_file(".rnd", 0x10);

        ssl_ctx = SSL_CTX_new(method);
        if (ssl_ctx == NULL) { printf("SSL_CTX_new() failed\n"); exit(0); }

        SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, "");
        if (SSL_CTX_set_cipher_list(ssl_ctx, "RC4-SHA") <= 0) {
            printf("SSL_CTX_set_cipher_list() failed\n"); exit(0);
        }

        servercon = SSL_new(ssl_ctx);
        if (servercon == NULL) { printf("SSL_new() failed\n"); exit(0); }

        SSL_set_connect_state(servercon);
        SSL_set_bio(servercon, conn, conn);

        /* Plain TCP connection to the server */
        ThisSocket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
        WSAAsyncSelect(ThisSocket, 0, (WM_USER + 101), 63);
        RemoteAddress.sin_addr.s_net = 192;
        RemoteAddress.sin_addr.s_host = 138;
        RemoteAddress.sin_addr.s_lh = 179;
        RemoteAddress.sin_addr.s_impno = 221;
        RemoteAddress.sin_family = AF_INET;
        //Make connected true
        /* REMOTE_PORT is a placeholder: the port number is missing from the
           archived message and must be defined before this will build. */
        RemoteAddress.sin_port = htons(REMOTE_PORT);
        i = connect(ThisSocket, (struct sockaddr *)&RemoteAddress, sizeof(RemoteAddress));

        /* SSL handshake over the connected socket */
        fd_width = SSL_set_fd(servercon, ThisSocket) + 1;
        i = SSL_connect(servercon);
        if ( i < 0) { printf("SSL_connect() failed\n"); exit(0); }

        /* Read subject, issuer and common name from the peer certificate */
        peer = SSL_get_peer_certificate(servercon);
        if (peer != NULL) {
            memset(sname, 0, sizeof(sname));
            X509_NAME_oneline(X509_get_subject_name(peer), sname, 400);
            memset(iname, 0, sizeof(iname));
            X509_NAME_oneline(X509_get_issuer_name(peer), iname, 400);
            memset(peerCN, 0, sizeof(peerCN));
            X509_NAME_get_text_by_NID(X509_get_subject_name(peer), 13, peerCN, 256);
        }

        SSL_free(servercon);
        SSL_CTX_free(ssl_ctx);
        return 1;
    }
Re: gcc performance regression on md2 from gcc-2.95.3?
>>> I'm looking into http://gcc.gnu.org/PR19923 which claims that gcc-4.0 is slower on 'openssl speed' than earlier versions. The only huge regression seems to be in md2.

>> Note that most of the code involved in the report in question is hand-coded assembler. Meaning that the report [or your conclusion that md2 is the only one suffering] isn't necessarily representative in respect to compiler optimizations per se. If you want to perform more fair comparison between compiler versions configure toolkit with no-asm option to compare compiler-generated codes.

> I'm interested in the observed performance regression even with the hand-coded assembly; that simply should not be happening.

Well, hand-coded assembler doesn't do *all* the job, compiler-generated code is always involved in some degree, so that one can argue that if compiler managed to sink assembler performance, then it got to be really bad... Even more reason to test with no-asm:-) But seriously speaking, smaller differences in assembler performance [few percents] can as well be caused by different layout of resulting code in memory [different TLB and cache hit/miss pattern], which naturally varies from one compiler version to another, which in turn is not really something to worry about. no-asm is really the only representative option to compare compilers or compiler versions.

A.
[openssl.org #1078] OpenSSL 0.9.8-stable-SNAP-20050523 doesn't build with no-aes
I've committed a fix for no-aes, please test a new snapshot.

Thanks,
Nils
[openssl.org #1088] bug: SSL_load_client_CA_file always leaves errors in the error queue
After battling for a while why one could not configure more than one SSL port in Squid when requesting client certificates it was found the culprit is SSL_load_client_CA_file() which always leaves an error in the error queue even if successful. This queued error then causes problems when trying to load the certificate for the next SSL port etc.

OpenSSL versions tested:

0.9.7f-6 (Fedora Core development)
0.9.7a-35 (Fedora Core 2)
0.9.6-19 (RedHat Linux 7.1)

Trivial test program showing the error:

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    int main(int argc, char **argv)
    {
        const char *ca;
        STACK_OF(X509_NAME) * cert_names;

        if (argc != 2) {
            fprintf(stderr, "usage: %s ca.pem\n", argv[0]);
            exit(1);
        }
        ca = argv[1];

        SSL_load_error_strings();
        SSL_library_init();

        cert_names = SSL_load_client_CA_file(ca);
        if (!cert_names) {
            ERR_print_errors_fp(stderr);
            exit(1);
        }

        printf("SSL_load_client_CA_file successful. Expeting empty error queue:\n");
        /* Anything printed here is a stale entry left behind by the successful call. */
        ERR_print_errors_fp(stderr);
        printf("-- END --\n");
        return 0;
    }

Workaround: call ERR_clear_error() after a successful call to SSL_load_client_CA_file().

Regards
Henrik
Re: Undefined symbol OPENSSL_ia32cap_P
On Tue, 31 May 2005, Andy Polyakov wrote:

>> OpenSSL_0_9_8-stable branch pulled Mon May 30 19:47:25 PDT 2005.
>> On my unixware-7 boxes configured with the shared no-sse2 options i'm getting this error.
>>
>> Undefined                       first referenced
>>  symbol                             in file
>> OPENSSL_ia32cap_P                   ../libcrypto.so
>
> You have to speculate why do you think this happens. OPENSSL_ia32cap_P is expected to be unconditionally declared on x86 and x86_64 platforms regardless no-sse2 or no-whatever. With sufficient no-everything it will remain uninitialized, but it's expected to be there. See crypto/cryptlib.c. Is it possible that target in question doesn't define __i386 or __i386__? When you pass -Kpentium_pro? A.

With or without -Kpentium_pro it doesn't define __i386 or __i386__
It does define i386

If I ./config shared -D__i386__ -Kpentium_pro no-sse2 it builds fine.

Perhaps add -D__i386__ to the unixware-7 target in Configure.

Now to track down the test failure (test SSL protocol).

    test sslv3 with client authentication
    Available compression methods:
      NONE
    client authentication
    depth=1 /C=AU/O=Dodgy Brothers/CN=Dodgy CA
    depth=0 /C=AU/O=Dodgy Brothers/CN=Brother 1/CN=Brother 2
    ERROR in SERVER
    16395:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:449:
    SSLv3, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
    1 handshakes of 256 bytes done
    *** Error code 1 (bu21)

--
Tim Rice    Multitalents    (707) 887-1469
[EMAIL PROTECTED]
Re: SHA512
On Tue, 31 May 2005, Andy Polyakov wrote:

>> `/var/local/src/libs/openssl-0.9.8/crypto/sha'
>> cc -I.. -I../.. -I../../include -DOPENSSL_THREADS -Kthread -DFILIO_H -DNO_STRINGS_H -c sha_dgst.c
>> UX:acomp: ERROR: ../../include/openssl/sha.h, line 172: invalid type combination
>> UX:acomp: ERROR: ../../include/openssl/sha.h, line 173: invalid type combination
>> UX:acomp: ERROR: ../../include/openssl/sha.h, line 175: invalid type combination
>> gmake[2]: *** [sha_dgst.o] Error 1
>>
>> This problem still exists with the OpenSSL_0_9_8-stable branch pulled Mon May 30 19:47:25 PDT 2005.
>
> Can you confirm that problem persists even if you './config no-sha512'(*)? If you can confirm this, then you would have to speculate why does it happen in your opinion. A.

Adding no-sha512 to the config line is not enough. I also have to add -DOPENSSL_NO_SHA512

Now the UnixWare 2.03 box bombs at

    ...
    making all in crypto/pqueue...
    cc -I.. -I../.. -I../../include -DOPENSSL_THREADS -Kthread -DOPENSSL_NO_SHA512 -DFILIO_H -DNO_STRINGS_H -c pqueue.c
    UX:acomp: ERROR: ./pqueue.h, line 73: Syntax error before or at: BN_ULLONG
    UX:acomp: ERROR: ./pqueue.h, line 73: cannot recover from previous errors
    *** Error code 1 (bu21)
    ...

Another no 64bit data type error. (PQ_64BIT) I don't see any way to disable that section.

Maybe at some point you just want to say "We no longer support older compilers that do not have some 64bit data type." I'd be OK with that (OpenSSH is already there). It would just need to be documented and then I'd just have to patch Configure to remove a couple of cc targets and add gcc targets.

--
Tim Rice    Multitalents    (707) 887-1469
[EMAIL PROTECTED]
[openssl.org #1072] Assertion failure in bn_div_words (bn_asm.c)
The correct assertion should be

    assert((i == BN_BITS2) || (h <= (BN_ULONG)1<<i));

as it should prevent an overflow (the result doesn't fit into a single BN_ULONG). Please test a recent snapshot.

Thanks,
Nils
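The check described in the message above, worked through as an added example that is not part of the original post and is not OpenSSL's bn_asm.c. It assumes 32-bit words in place of BN_ULONG so that a 64-bit type can act as the reference; `word_t`, `WORD_BITS` and the function names are hypothetical. It also shows that the assertion is a sanity bound, while the exact no-overflow condition for a double-word by single-word division is `h < d`.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: 32-bit words stand in for BN_ULONG so a 64-bit type can be
 * the reference; WORD_BITS plays the role of BN_BITS2. Names are hypothetical. */
typedef uint32_t word_t;
#define WORD_BITS 32

/* Significant bits in w (0 for w == 0), the job BN_num_bits_word() does. */
static int num_bits_word(word_t w)
{
    int n = 0;
    while (w != 0) { n++; w >>= 1; }
    return n;
}

/* The sanity check from the message. i == WORD_BITS is tested first because
 * shifting a word by its full width is undefined behaviour in C. */
static int precondition_holds(word_t h, word_t d)
{
    int i = num_bits_word(d);
    return (i == WORD_BITS) || (h <= ((word_t)1 << i));
}

/* Exact condition for floor((h * 2^32 + l) / d) to fit in one word. */
static int quotient_fits(word_t h, word_t d)
{
    return d != 0 && h < d;
}

/* Checked division: 0 and *q set on success, -1 if the quotient overflows. */
static int div_words_checked(word_t h, word_t l, word_t d, word_t *q)
{
    if (!precondition_holds(h, d) || !quotient_fits(h, d))
        return -1;
    *q = (word_t)((((uint64_t)h << WORD_BITS) | l) / d);
    return 0;
}

int main(void)
{
    word_t q = 0;
    int rc = div_words_checked(1, 0, 2, &q);
    printf("h=1 l=0 d=2: rc=%d q=0x%08lx\n", rc, (unsigned long)q);
    printf("h=16 d=15: check=%d fits=%d\n",
           precondition_holds(16, 15), quotient_fits(16, 15));
    return 0;
}
```

With h=16 and d=15 the assertion-style check passes although the quotient needs more than 32 bits, which is why the checked wrapper also tests `h < d`.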
Re: [openssl.org #1087] Memory leak - OpenSSL 0.9.7g
Karim Sharif via RT wrote:

> Hello, I would like to report a memory leak in SSL_connect(). The following code sample was checked for memory leaks using Purify and shows a 13K leak in SSL_connect().

did you read the "* I think I've detected a memory leak, is this a bug?" item in the FAQ ? Didn't purify give you a somewhat more precise description where the mem leak is ?

> ...
>     peer = SSL_get_peer_certificate(servercon);
>     if (peer != NULL) {
>         memset(sname, 0, sizeof(sname));
>         X509_NAME_oneline(X509_get_subject_name(peer), sname, 400);
>         memset(iname, 0, sizeof(iname));
>         X509_NAME_oneline(X509_get_issuer_name(peer), iname, 400);
>         memset(peerCN, 0, sizeof(peerCN));
>         X509_NAME_get_text_by_NID(X509_get_subject_name(peer), 13, peerCN, 256);
>     }
>
>     SSL_free(servercon);
>     SSL_CTX_free(ssl_ctx);

at least a X509_free(peer); is missing here, as SSL_get_peer_certificate increases the reference counter of the X509 object.

>     return 1;
> }

Cheers,
Nils
version in X509_REQ_print_ex
Hi,

openssl req -text shows version like:

    Certificate Request:
        Data:
            Version: 0 (0x0)
            ...

I guess it should be 1.

--
gotoyuzo

--- t_req.c~2005-05-16 19:10:58.0 +0900 +++ t_req.c 2005-06-01 06:27:14.0 +0900 @@ -117,7 +117,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ l=0; for (i=0; iri-version-length; i++) { l=8; l+=ri-version-data[i]; } - if(BIO_printf(bp,%8sVersion: %s%lu (%s0x%lx)\n,,neg,l,neg, + if(BIO_printf(bp,%8sVersion: %s%lu (%s0x%lx)\n,,neg,l+1,neg, l) = 0) goto err; }
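Review bot: in the changed BIO_printf call only the decimal argument becomes l+1 while the hex argument stays l, so the same field now prints two different numbers (1 next to 0x0); if the decimal is meant to be the human-readable version and the hex the encoded value, a one-line comment above the call should say so. The neg string is also printed in front of the decimal, so if neg carries a minus sign, as its name suggests, l+1 adds one to the magnitude of a negative value rather than to the value itself; suggest applying the +1 only when neg is empty and printing l unchanged otherwise.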
Re: AIX 64-bit build.
This is usually caused by configuring/building for the wrong architecture or wordlength first. make clean doesn't work properly in those circumstances. Either rm -rf include;make clean;Configure, or preferably start with a clean extract.

I've embarrassed myself with this one a few times.

Peter

Peter Waltenberg

Andy Polyakov [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
31/05/2005 09:17 PM
Please respond to openssl-dev
To: openssl-dev@openssl.org
cc:
Subject: Re: AIX 64-bit build.

> I have built a 64-bit version of OpenSSL on AIX 5, and it is failing the test on bn_sqr. It looks like the bn_sqr or bn_div functions are not working for very large numbers. Has anyone else ran into this problem?

> Has anyone ran into this problem?

BN_sqr test failure is mentioned in FAQ, so that you can bet that someone has ran into similar problem:-) Note that FAQ discusses additional information you're supposed to provide. Additional to one mentioned in SUPPORT section of README file. Without this it's quite impossible to tell why it fails in your particular case.

A.
Re: Undefined symbol OPENSSL_ia32cap_P
On Tue, 31 May 2005, Tim Rice wrote:

[snip]
> Now to track down the test failure (test SSL protocol).

That was me forgetting about UnixWare 7.1.1 having an optimizer bug when you use the -Kpentium_pro flag. Tests fine without it.

> .
> test sslv3 with client authentication
> Available compression methods:
>   NONE
> client authentication
> depth=1 /C=AU/O=Dodgy Brothers/CN=Dodgy CA
> depth=0 /C=AU/O=Dodgy Brothers/CN=Brother 1/CN=Brother 2
> ERROR in SERVER
> 16395:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:449:
> SSLv3, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
> 1 handshakes of 256 bytes done
> *** Error code 1 (bu21)
> .

--
Tim Rice    Multitalents    (707) 887-1469
[EMAIL PROTECTED]