Re: We want to add a switch to openssl's zlib compression method
Thor Lancelot Simon wrote:
> On Thu, Jun 09, 2011 at 05:08:30PM +0200, Ludwig Nussel wrote:
> > Thor Lancelot Simon wrote:
> > > Again, I think this should be configured via an option on the SSL_CTX.
> >
> > There is no way to set the default context options via config file though, right? So every application would need to be patched.
>
> If that's wanted, just rebuild OpenSSL without zlib support, no?

Well, that's not really a viable solution for a distribution. We prefer to have one binary package rather than one for every setting :-)

A way to set default context options via config file would be nice for other settings too. If applications could rely on a sane default config provided by the distro/admin, the individual calls to SSL_CTX_set_options, SSL_CTX_set_cipher_list, SSL_CTX_set_default_verify_paths/SSL_CTX_load_verify_locations, etc. in each and every application would no longer be necessary.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: OpenSSL and VeraCode
On 09/06/2011 20:43, Andreas Probst wrote:
> Hi community,
>
> I found an email about VeraCode having found issues in OpenSSL (see http://www.mail-archive.com/openssl-dev@openssl.org/msg25491.html). Have there been follow-up activities? Did someone review or address the VeraCode results?

IIRC, the vulnerabilities they found were an untriaged list of static code analysis output. As usual, mostly false positives.

--
http://www.apache-ssl.org/ben.html       http://www.links.org/

"There is no limit to what a man can do or how far he can go if
he doesn't mind who gets the credit." - Robert Woodruff
Re: openssl with zlibwapi plus some patch hints
Is no one interested in this issue? I've sent this mail more than 2 months ago and I haven't received a single response. If this problem is abandoned (which is really sad because this renders the truly native Windows version of OpenSSL useless) then I need to unsubscribe from this list, because I get a huge amount of unwanted emails just because I wait for a single reply to my message...

-----Original Message-----
From: Berke Viktor berkevik...@aol.com
To: openssl-dev openssl-dev@openssl.org
Sent: Mon, Mar 28, 2011 4:04 am
Subject: openssl with zlibwapi plus some patch hints

Hi,

I'm trying to compile OpenSSL and zlib with Visual Studio 2010. The problem is, at the end of the build process, ssltest gives me errors, and so does XChat when I try to connect via SSL+zlib (using the binaries built previously). Here's some debug info: http://img155.imageshack.us/img155/490/zlibfail2.png

Yes, it works with zlib1.dll, which is built with MinGW (I guess) and doesn't use wapi.

Steps to reproduce:
--
1) Install Visual Studio 2010.
2) Grab the zlib 1.2.5 source: http://zlib.net/zlib-1.2.5.tar.gz and extract it somewhere. Open contrib/vstudio/vc10/zlibvc.sln.
3) In Visual Studio, set the build config to win32/ReleaseWithoutAsm, then press F7 (Build Solution). Now zlibwapi.dll and zlibwapi.lib are built in the x86 subfolder.
4) Grab the OpenSSL source code; I used 1.0.0d, for your convenience: http://openssl.org/source/openssl-1.0.0d.tar.gz. Extract it somewhere.
5) Create a folder called zlib-x86 inside the OpenSSL source tree. Also create the bin, lib and include subfolders in zlib-x86.
6) Copy your freshly built zlibwapi.dll to bin, zlibwapi.lib to lib, and zlib.h + zconf.h to include.
7) Download this script and save it to the OpenSSL source root as build-x86.bat: http://pastebin.com/RneQKMpC. Modify it according to your setup (PERL_PATH, NASM_PATH).
   In case you don't have them yet, Perl download: http://www.activestate.com/activeperl/downloads, NASM: http://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D. The install part contains some quirks, but never mind, it's just for my setup, and you won't need to install it anyway as it will already fail in the testing stage.
8) Open crypto\comp\c_zlib.c and replace the line

       zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);

   with

       zlib_dso = DSO_load(NULL, "ZLIBWAPI", NULL, 0);

   Here's a nicer *patch* for it (it should be committed IMHO): http://pastebin.com/KRg7HFSq
9) Open util\pl\VC-32.pl and replace this line:

       $zlib_lib="zlib1.lib";

   with

       $zlib_lib="zlibwapi.lib";

   This also shouldn't be hardcoded, but I can't provide a patch as I'm unfamiliar with Perl.
10) Open a Visual Studio 2010 x86 command prompt and navigate to the OpenSSL source root.
11) Run build-x86.bat and wait for the tests to load. You should see zlib when it displays the available compression. After a few tests involving zlib, Windows will display an "ssltest.exe has stopped working" message. If you then click the Debug button, you'll see the same as what I provided a shot of at the beginning of my message.
--

I'd like to point out that the build process now only runs in 1 thread. It could be sped up significantly by allowing multiple processes to run simultaneously. All you need to do is add -MP to the compiler flags in (ROOT)\Configure. I tested it with VC-WIN32 and VC-WIN64A; it seems to work. For any questions, please refer to: http://msdn.microsoft.com/en-us/library/bb385193.aspx
--

Greetings,
Viktor
Re: We want to add a switch to openssl's zlib compression method
On Wed, Jun 08, 2011, Thor Lancelot Simon wrote:
> On Tue, Jun 07, 2011 at 10:58:20PM -0600, Guan Jun He wrote:
> > Hi, OpenSSL developers:
> >
> > We have a platform with cryptographic hardware, and we try to take advantage of the platform's hardware cryptographic features. But OpenSSL compresses data before the encryption, having a massive performance impact (throughput decrease, CPU load increase) on platforms with cryptographic hardware.
> >
> > There are probably two methods to work around it:
> > * environment variable; the attached patch is written for this method. It's produced against OpenSSL version 0.9.8; if other versions also need the patch, we are glad to submit it.
> > * add an item to the configure file openssl.cnf.
> >
> > What do you think about this?
>
> Again, I think this should be configured via an option on the SSL_CTX.

There is SSL_OP_NO_COMPRESSION.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
OpenSSL FIPS Module 2.0 status update
When the current effort to obtain a FIPS 140-2 validation began in January we announced an expected completion in Q4 of this year, based on our planned strategy of developing the FIPS module first, submitting it for validation, and then developing the corresponding FIPS capable OpenSSL 1.0.x.

The FIPS module development is now essentially complete, and we were preparing to actively engage the test lab in the validation review process. However, our primary sponsors have requested a change in the original project strategy. We have been asked to implement some additional cryptographic algorithms and to focus on early release of a working FIPS module plus FIPS capable OpenSSL combination, at the expense of the formal validation award. That working code (less the new cryptographic algorithms which will not be of significant interest to most users) will be available sooner than originally planned.

We have now shifted our resources to completing the FIPS capable development. That effort is expected to be substantially complete in approximately three weeks, at which point the results will be available for testing by any interested parties. Next we will implement the new cryptographic algorithms, an effort expected to take another 4-6 weeks, at which point we will then commence the FIPS validation review process with the test lab.

As a consequence of this new project strategy we are now predicting availability of the formally validated module in early 2012.

To summarize:
1) Working but unvalidated code should be available within a month.
2) The formally validated module should be available by Q1 2012.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
Re: We want to add a switch to openssl's zlib compression method
On Fri, Jun 10, 2011 at 01:01:49PM +0200, Dr. Stephen Henson wrote:
> There is SSL_OP_NO_COMPRESSION.

In that case, the suggestion to provide a config file setting for default options seems particularly excellent.

Thor
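The two switches this thread ends up contrasting, the per-context SSL_OP_NO_COMPRESSION that Stephen Henson points to and the config-file default that Ludwig Nussel asks for, as an added example that is not part of any message above and not OpenSSL code. It uses Python's ssl module, which wraps the same SSL_CTX option bits. The "Options = -Compression, ServerPreference" line syntax is modelled on the Options command of OpenSSL's later SSL_CONF_cmd(3) interface (the route by which a site-wide default eventually became possible in later releases); the parser, the function names and the three-flag table are this example's own assumptions, and the config line is constructed input.

```python
"""
Added example (not code from the thread or from OpenSSL): the two ways of
switching TLS compression off that the thread discusses, expressed with
Python's ssl module, which wraps the same SSL_CTX option bits.

  * per application: SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION), here
    ssl.OP_NO_COMPRESSION on an SSLContext;
  * site-wide: an "Options = ..." line from a config file applied to every
    context before it is used.  The line syntax ("-Compression",
    "ServerPreference") is modelled on the Options command of OpenSSL's
    later SSL_CONF_cmd(3); the parser and function names are this example's.
"""
import ssl

# Flag name -> (SSL_OP_* bit, inverse).  For an inverse flag the bit is a
# "NO_" option, so "-Compression" SETS ssl.OP_NO_COMPRESSION.  The three
# names and their SSL_OP_* counterparts follow SSL_CONF_cmd(3); the table
# itself is an assumption of this example.
_OPTION_FLAGS = {
    "Compression": (int(ssl.OP_NO_COMPRESSION), True),
    "SessionTicket": (int(ssl.OP_NO_TICKET), True),
    "ServerPreference": (int(ssl.OP_CIPHER_SERVER_PREFERENCE), False),
}


def feature_enabled(ctx: ssl.SSLContext, name: str) -> bool:
    """Report whether a feature is on for ctx: feature_enabled(ctx, "Compression")
    is False once SSL_OP_NO_COMPRESSION is present in the context's options."""
    bit, inverse = _OPTION_FLAGS[name]
    present = bool(int(ctx.options) & bit)
    return present != inverse


def client_context(*, allow_compression: bool = False) -> ssl.SSLContext:
    """The per-application switch: one option bit, set right after creation.

    CPython already sets OP_NO_COMPRESSION on every new SSLContext, so the
    allow_compression=True branch has to clear it to reproduce the situation
    the thread describes, where compression was on unless the application
    opted out via SSL_CTX_set_options()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    opts = int(ctx.options)
    bit = int(ssl.OP_NO_COMPRESSION)
    ctx.options = (opts & ~bit) if allow_compression else (opts | bit)
    return ctx


def parse_options(line: str) -> tuple:
    """Turn 'Options = -Compression, ServerPreference' into (bits_to_set, bits_to_clear).

    A leading '-' turns a flag off; '+' or no prefix turns it on.  Unknown
    names are rejected rather than ignored, so a typo in the site-wide file
    cannot leave compression enabled unnoticed."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "Options":
        raise ValueError(f"not an Options line: {line!r}")
    set_bits = clear_bits = 0
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        enable = not item.startswith("-")
        name = item.lstrip("+-")
        if name not in _OPTION_FLAGS:
            raise ValueError(f"unknown option flag {name!r}")
        bit, inverse = _OPTION_FLAGS[name]
        if enable != inverse:   # turn a plain flag on, or a NO_ flag's feature off
            set_bits |= bit
        else:
            clear_bits |= bit
    return set_bits, clear_bits


def apply_site_defaults(ctx: ssl.SSLContext, options_line: str) -> ssl.SSLContext:
    """The library-wide switch Ludwig asks for: apply one config-file line to a
    context the application created with its own defaults.  Clearing a bit
    goes through SSL_CTX_clear_options() underneath."""
    set_bits, clear_bits = parse_options(options_line)
    ctx.options = (int(ctx.options) | set_bits) & ~clear_bits
    return ctx


if __name__ == "__main__":
    app_ctx = client_context(allow_compression=True)         # an unpatched application
    print("before:", feature_enabled(app_ctx, "Compression"))  # True
    apply_site_defaults(app_ctx, "Options = -Compression, ServerPreference")
    print("after: ", feature_enabled(app_ctx, "Compression"))  # False
```

The point of the split is the one Ludwig makes: client_context() is what every application would have to be patched to do (in C, one SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION) call after SSL_CTX_new()), while apply_site_defaults() is the hook a distribution would want the library to run on its own, so an unpatched application still ends up with compression off. A server context needs the same bit; the option is per context, not global, and the hardware-offload argument in the thread applies equally to both ends since compression runs in software before the record is encrypted.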
Re: Questions Regarding Openssl versions 0.9.8r and OpenSSL 0.9.8e-fips-rhel5
Hi All,

I am Govind and I am currently working on a project, a part of which involves validating certificates. I do have a cacert.pem file to check against and I tried to verify using the openssl s_client command as below:

    openssl s_client -verify 100 -CAfile cacert.pem -showcerts -CApath ./ -connect facebook.com:443

This succeeds with a return code of 0 (ok) in 0.9.8e-fips-rhel5. However, the production machine of my organization recently had to upgrade to OpenSSL version 0.9.8r, and when I try to execute it for the same cacert.pem file, the same command returns "Verify return code: 27 (certificate not trusted)". And if the verify option is not given it returns an error code "verify error:num=20:unable to get local issuer certificate". I do not know the reasons for this and I would love to know if there were any substantial changes that caused this. Also I would greatly appreciate it if you can provide me with an insight into how to go about with this problem since I am very new to OpenSSL and open source programming in general.

Regards,
Govind
Re: [CVS] OpenSSL: OpenSSL_1_0_1-stable: openssl/util/ libeay.num
On Fri, Jun 10, 2011, Ben Laurie wrote:
> Hmm. This looks like the start of a version fight between FIPS and non-FIPS builds!

The ordinals will be synced between builds so anything in 1.0.1 has the same ordinal in HEAD. That can be done by just copying libeay.num from 1.0.1 to HEAD before make update.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org