Re: Help trying to understand a failure condition

[Mark Hatle]

Sorry for this, after a lot more googling, I found this is intentional and 
adding the -DPURIFY option resolves this type of uninitialized data access.


--Mark

On 5/19/14, 6:22 PM, Mark Hatle wrote:

I'm working on signing (and then of course verifying) some data using OpenSSL.
I'm getting an occasional failure on the verifying part and I'm trying to figure
out why.  (Either my software is faulty or there is something worse going on.)

I've used valgrind to attempt to point me at a problem and found the following
stack trace showing use of uninitialized data.  (Note, I'm using the openssl -
git branch OpenSSL_1_0_1-stable, as of commit
d6934a02b5e97c6548d18a74e7b6667dd2617c96.)

Can anyone point me at the problem being on my end, or if there might be an
issue inside of OpenSSL?  (I've gotten other valgrind warnings as well.. but I
don't know how accurate they are, as the code in question is in #defines...)

==7540== Use of uninitialised value of size 8
==7540==at 0x820BB04: BN_num_bits_word (bn_lib.c:170)
==7540==by 0x820BCD2: BN_num_bits (bn_lib.c:235)
==7540==by 0x8213E6E: BN_rshift (bn_shift.c:188)
==7540==by 0x821811D: BN_is_prime_fasttest_ex (bn_prime.c:310)
==7540==by 0x8217BC8: BN_generate_prime_ex (bn_prime.c:199)
==7540==by 0x82460F2: rsa_builtin_keygen (rsa_gen.c:135)
==7540==by 0x8245E0D: RSA_generate_key_ex (rsa_gen.c:97)
==7540==by 0x824CDFE: pkey_rsa_keygen (rsa_pmeth.c:680)
==7540==by 0x8280D37: EVP_PKEY_keygen (pmeth_gn.c:156)
==7540==by 0x5869821: sslGenerate (myssl.c:522)

The sslGenerate function is roughly:

static unsigned char * mysslBN2bin(const char * msg, const BIGNUM * s, size_t 
maxn)
{
  unsigned char * t = (unsigned char *) calloc(1, maxn);
  size_t nt = BN_bn2bin(s, t);

  if (nt < maxn) {
  size_t pad = (maxn - nt);
  memmove(t+pad, t, nt);
  memset(t, 0, pad);
  }
  return t;
}

... sslGenerate(RSA * rsa, BIGNUM * hm, BIGNUM * c)
{
  size_t maxn;
  unsigned char * hm;
  unsigned char *  c;
  size_t nb;

  maxn = BN_num_bytes(rsa->n);
  hm = mysslBN2bin("hm", hm, maxn);
  c = mysslBN2bin(" c", c, maxn);
  nb = RSA_public_decrypt((int)maxn, c, c, rsa, RSA_PKCS1_PADDING);
}

Thanks for any help.
--Mark
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Help in loading EC_KEY

[Jeffrey Walton]

On Thu, Dec 13, 2012 at 4:04 AM, jeetendra gangele  wrote:
> HI,
>
> I am trying to sign the data using EC-DSA algorithm.
> i have the private key to sign the data and I could load using
> EC_KEY_set_private_key.
> But when check the loaded key its failing with the error code below.
> error:100B1043:lib(16):func(177):reason(67)
> EC_KEY_check_key failed:
>
> That means key not proper.
> I am trying to use the curve NID_secp224r1.
...
>  37 if(NULL == pub_key)
>  38 printf("pub failed");
>  39
>  40 if (!EC_KEY_check_key(pkey)) {
>  41   printf("EC_KEY_check_key failed:\n");
>  42   printf("%s\n",ERR_error_string(ERR_get_error(),NULL));
>  43 }
Is it pub_key or pkey?

Jeff
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

RE: Help in loading EC_KEY

[Dave Thompson]

> From: owner-openssl-...@openssl.org On Behalf Of redpath
> Sent: Thursday, 13 December, 2012 10:00

> This list of commands will help you

> openssl ecparam -out ec_key.pem -name secp224r1 -genkey 
> 
> Generate the certificate x509
> Your certificate will be in ecdsapublic.x509 and 
> the corresponding private key will be in ecdsapriv.pem.
> 
>openssl req -newkey ec:ec_key.pem -x509 -nodes -days 365 -keyout
> ecdsapriv.pem -out ecdsapublic.x509
> 
This is redundant. ecparam -genkey already generated a key.
Either use that key, maybe renamed, as in the form just below, 
or omit -genkey from the ecparam.
> 
> addition commands
>openssl req -new -key ecdsapriv.pem -inform pem -x509 
> -days 3650 -out ecdsapriv.x509

There is no significant difference between a cert created for 
a new key with -newkey -x509 or one created for an existing key 
with -new -x509, so naming it "priv" instead of "public" is 
confusing and misleading. Since the cert is really the content 
not the format -- certs can be either pem or der -- I would 
instead name it ecdsa_cert.pem or ecdsa_x509.pem .

>  Platform: Mac OSX 10.7 
> 
> cc -o signECDSA -Wno-deprecated-declarations signECDSA.c -lcrypto



>  fp =fopen(args[2], "rb");
>  EVP_PKEY *pevpkey= PEM_read_PrivateKey(fp, &pevpkey, NULL, NULL);
>  if (pevpkey==NULL){

>  peckey= EVP_PKEY_get1_EC_KEY(pevpkey); 
>  if (peckey==NULL){

> ret= EC_KEY_set_group(peckey,EC_GROUP_new_by_curve_name(curvetype) );

The key already identifies (or contains, if explicit) the group.
Setting it again to the correct value is a waste of time, 
and setting it to a wrong value would screw it up totally.
If for some reason you want to ensure a key uses a particular 
(named) group, *get* the "name" (really NID) and compare it.



> cc -o verifyECDSA -Wno-deprecated-declarations 
> verifyECDSA.c -lcrypto
> 


Minor point:

> unsigned char *b= (unsigned char *) malloc(avail+1);
> if (fread (b,1,avail,fp)!=avail){

You don't need to cast the return of malloc in correct C 
but you should check for failure (null) before using it.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Help in loading EC_KEY

[redpath]

Well here is one I can answer. First I generate the ECDSA keys
This list of commands will help you

Show the type of curves:

openssl ecparam -list_curves

Use the secp224r1 curve

openssl ecparam -out ec_key.pem -name secp224r1 -genkey 

Generate the certificate x509
Your certificate will be in ecdsapublic.x509 and 
the corresponding private key will be in ecdsapriv.pem.

   openssl req -newkey ec:ec_key.pem -x509 -nodes -days 365 -keyout
ecdsapriv.pem -out ecdsapublic.x509


addition commands
   openssl req -new -key ecdsapriv.pem -inform pem -x509 -days 3650 -out
ecdsapriv.x509
   openssl x509 -in ecdsapriv.x509 -noout -text


Then I have code to sign something reading a file also the compile command
is below.

 Platform: Mac OSX 10.7 

cc -o signECDSA -Wno-deprecated-declarations signECDSA.c -lcrypto

#include 
#include 
#include 
#include 

#include 
#include 
#include 
#include 
#include 





/***
 * Get the data form a file and return a malloced buffer and size.
 **/
unsigned char *getdata(char *filename, int *length){
FILE *fp =fopen(filename, "rb");
long avail;

*length=0;
if (fp==(FILE *)0){
  printf("Get Data JPG %s File error %d\n",filename,errno);
  return NULL;
}

fseek(fp, 0L, SEEK_END);
avail = ftell(fp);
fseek(fp, 0L, SEEK_SET);
unsigned char *b= (unsigned char *) malloc(avail+1);
if (fread (b,1,avail,fp)!=avail){
printf("INPUT JPG fail %s read error %d\n",filename, errno);
return NULL;
}
b[avail]=0;// added one byte for debug if you use a text file
*length=(int)avail;  // but length returned is true length of data
fclose(fp);
return b;
}




/**
 * Simple help
 */
void help(){
printf("\n");
printf("Usage  \n");
printf("eg:\n");
printf("signECDSA  myfile.doc  ecdsapriv.pem\n\n");
}

unsigned char *sha256(char *data, int  length)
{
static unsigned char hash[SHA256_DIGEST_LENGTH];

printf("**SHA2 digest follows length=%d:\n",length);
SHA256_CTX sha256;
SHA256_Init(&sha256);
SHA256_Update(&sha256, data, length);
SHA256_Final(hash, &sha256);
int i = 0;
for(i = 0; i < SHA256_DIGEST_LENGTH; i++)
printf("%02x", hash[i]);
printf("\n");
return hash;
}


int main(int argc, char **args){
char buffer[256];
long  avail;
int   len;
unsigned char *b,*m;
FILE *fp;
int ret;
EC_KEY*peckey;  //I want to load private

int curvetype= NID_secp224r1;  //FYI redpath
char *curvename= "NID_secp224r1";

if (argc<3){
  help();
  return 0;
}


printf("\n");
if  ( (m= getdata(args[1],&len))==NULL)
  return 1;
printf("\nUSING CURVENAME: %s\n",curvename);
printf("INPUT file %s length %d \n",args[1],len);

  /***
   Make a digest from Data
  /

unsigned char *result=sha256((char *)m,len);
   if (result==NULL){
 printf("SHA1 failed to create message digest\n");
 return 1;
   }



//private area
 fp =fopen(args[2], "rb");
 EVP_PKEY *pevpkey= PEM_read_PrivateKey(fp, &pevpkey, NULL, NULL);
 if (pevpkey==NULL){
printf("PEM for read private failed\n");
return 1;
 }
 else
printf("PEM for read private SUCCESS\n");

 peckey= EVP_PKEY_get1_EC_KEY(pevpkey); 
 if (peckey==NULL){
printf("ECKEY private failed\n");
return 1;
 }
 else
printf("got EC_KEY private success\n");
ret= EC_KEY_set_group(peckey,EC_GROUP_new_by_curve_name(curvetype) );
if (!ret){
   printf("error set group\n");
   return 1;
} 
printf("set group ret = %d \n",ret);

   unsigned int siglen = ECDSA_size(peckey);
   printf("Max signature length is %d \n",siglen);
   siglen = ECDSA_size(peckey);
   unsigned char *ptr  = OPENSSL_malloc(siglen);
   unsigned char *save= ptr;
   ECDSA_SIG *sig;
   ret= ECDSA_sign(0 ,result, SHA256_DIGEST_LENGTH, ptr, &siglen, peckey);  
//Do sign it dude
   if (!ret){
 printf("ERROR signing null\n");
 return 1;
   }
   printf(" Signature success \n");
   printf("Signature length is %d \n",siglen);

 /**
 * Write out Digital Signature File
 *
 ***/
 strcpy(buffer,args[1]);
 strcat(buffer,".ecdsa");
 fp = fopen(buffer,"wb");
 fwrite(save, 1, siglen, fp);
 fclose(fp);

 printf("OUTPUT signature file is  %s\n\n",buffer);

  return 0;

}



Then I have code to verify the file against the original that was signed

 Platform: Mac OSX 10.7 

cc -o verifyECDSA -Wno-deprecated-declarations verifyECDSA.c -lcrypto


#include 
#include 
#include 
#include 

#include 
#include 
#include 
#include 
#include 





/***
 * Get the data form a file and return a malloced buffer and size.
 **/
unsigned char *getdata(char *filename, int *length){
FILE *fp =fopen(filename, "rb");
long avail;

*length=0;
if (fp==(FILE *)0){
  printf("Get Data JPG %s File error %d\n",filename,errno);
  return NULL;
}

fs

Re: Help debugging openssl in fips mode.

[Davy Durham]

Thanks,  I actually had just figured it out.  "config -d was what I was 
looking for.  I found it confusing that config --help didn't list it.  
Then even more strange that config -h shows a different set of options. 
  Then I looked in the script at what -d does (just setting a PREFIX 
variable as far I can see), and it didn't look like it even did 
anything.  But it worked anyhow.  Still no idea why "file" said it 
wasn't stripped. nm would even show the symbols there.  But gdb was 
saying there was "no line number information".  Maybe that's an 
additional part of the information.


And I did config -d both when building the canister and openssl itself.

Thanks

On 10/19/2012 08:47 AM, Thomas Francis, Jr. wrote:


Generally speaking, you shouldn't be trying to do that. :)  However, 
I've found it useful on occasion when trying to determine why FIPS 
mode didn't work (usually to find out why fipsld.pl failed for a given 
set of non-C code).  In order to do this, you have to build 
fipscanister.o with debug symbols, which means you cannot follow the 
FIPS build instructions, so you can't use this one for any production 
purposes if you need FIPS mode.  You can't change any of the code 
inside fipscanister.o anyway, so that shouldn't be a big deal; you're 
probably doing this either to fix a bug outside the FIPS boundary, or 
to just learn more about how it works, right?


In order to do this, you generally have to follow the rules for 
building the fips canister from scratch, except that you first modify 
the Configure script to add the appropriate compiler option for 
generating debug symbols for your build (since you mention linux, I'm 
guessing it'll be "-g".  Don't be surprised if this takes a couple of 
tries to get it right -- there are a couple of misleading sections in 
that script.  Just watch the output carefully, and abort as soon as 
you see a compile line go by that doesn't include that option.


*From:*owner-openssl-...@openssl.org 
[mailto:owner-openssl-...@openssl.org] *On Behalf Of *Davy Durham

*Sent:* Thursday, October 18, 2012 12:31 PM
*To:* openssl-dev@openssl.org
*Subject:* Help debugging openssl in fips mode.

Hi,
 On linux, with gdb, I'm trying to trace into openssl while it's going 
into FIPS mode.  I've built the canister and then the openssl tree 
(which includes the openssl cmd line utility).


Here's the output I'm getting:

*$ export OPENSSL_FIPS=1*
*$ gdb openssl*
GNU gdb 6.6-5.1bgr ()
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and 
you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for 
details.

This GDB was configured as ""...
Using host libthread_db library "/lib/tls/libthread_db.so.1".
*(gdb) break FIPS_mode_set*
Function "FIPS_mode_set" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (FIPS_mode_set) pending.
(gdb) r
Starting program: /usr/bin/openssl
Breakpoint 2 at 0x777efee0
Pending breakpoint "FIPS_mode_set" resolved

*Breakpoint 2, 0x777efee0 in FIPS_mode_set () from 
/usr/lib/libcrypto.so.0.9.8*

*(gdb) step**
Single stepping until exit from function FIPS_mode_set, *
which has no line number information.
0x77753567 in __i686.get_pc_thunk.bx () from /usr/lib/libcrypto.so.0.9.8
(gdb) step
Single stepping until exit from function __i686.get_pc_thunk.bx,
which has no line number information.
0x777efeec in FIPS_mode_set () from /usr/lib/libcrypto.so.0.9.8
(gdb) step
Single stepping until exit from function FIPS_mode_set,
which has no line number information.
main (Argc=1, Argv=0x7fe146c4) at openssl.c:245

As you can see, after I hit the break point, and try to step into it, 
It seems to skip over actually going into the routine.


The file command says that /usr/lib/libcrypto.so.0.9.8 is not stripped:

$ file /usr/lib/libcrypto.so.0.9.8
/usr/lib/libcrypto.so.0.9.8: ELF 32-bit LSB shared object, Intel 
80386, version 1 (SYSV), not stripped


And the FIPS canister that was build doesn't appear to be stripped:

$ file fipscanister.o
fipscanister.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 
(SYSV), not stripped


And, I don't see anything in the Makefile that pulls in the canister 
that is stripping it.


So, I'm a little confused as to why I'm unable to trace into the source..

It there some documentation that explains how to build things for 
debugging?  Are there some config flags I need to pass?


Thanks.  Any help would be appreciated.

Re: help with thread lib - x86/BSD

[Kevin Fowler]

Thanks for the suggestions. I put the modified specs file in the libgcc
location and it worked fine if I removed the rule line for pthread. If I
simply replaced -lpthread with -lc_r in the specs file, I got all kinds of
"reference to compatibility" warnings from libc.so. But if I removed the
line (it only expanded to the -lprhread replacement initially), then
everything built and the fips_test_suite ran successfully on the target.

Assuming that is ok, then apparently my problem is resolved.
Kevin


On Wed, Jun 27, 2012 at 12:54 PM,  wrote:

>
>
> - Mail original -
> > De: "Kevin Fowler" 
> > À: openssl-dev@openssl.org
> > Envoyé: Mercredi 27 Juin 2012 17:39:08
> > Objet: Re: help with thread lib - x86/BSD
> >
>
> >
> >
> > From what I can tell, the specs file is "built-in" to gcc. Yes I can
> > look at it with -dumpspecs, and I can override it with, e.g.,
> > -specs=myspecs, but then I am back to having to modify Configure
> > script (and config to point to a new unique platform. I don't think
> > gcc automatically loads a specs file from some known location - it
> > uses what is built into it or what is specified with the -specs
> > option. Maybe there is another way?
> >
>
> # savec original specs
> gcc -dumpspecs > myspecsbackup
>
> # switch to new specs , beware ccache do not have a way to see that change
> cat mynewspecs > `dirname $(gcc --print-libgcc-file-name)`/specs
>
> # restore original specs
> cat myspecsbackup > `dirname $(gcc --print-libgcc-file-name)`/specs
>
> Gilles
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: help with thread lib - x86/BSD

[g . esp]

- Mail original -
> De: "Kevin Fowler" 
> À: openssl-dev@openssl.org
> Envoyé: Mercredi 27 Juin 2012 17:39:08
> Objet: Re: help with thread lib - x86/BSD
> 

> 
> 
> From what I can tell, the specs file is "built-in" to gcc. Yes I can
> look at it with -dumpspecs, and I can override it with, e.g.,
> -specs=myspecs, but then I am back to having to modify Configure
> script (and config to point to a new unique platform. I don't think
> gcc automatically loads a specs file from some known location - it
> uses what is built into it or what is specified with the -specs
> option. Maybe there is another way?
>

# savec original specs
gcc -dumpspecs > myspecsbackup

# switch to new specs , beware ccache do not have a way to see that change
cat mynewspecs > `dirname $(gcc --print-libgcc-file-name)`/specs

# restore original specs
cat myspecsbackup > `dirname $(gcc --print-libgcc-file-name)`/specs

Gilles
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: help with thread lib - x86/BSD

[Kevin Fowler]

Thanks Andy,
Yes, there is a discrepancy between the standard cross-compiler we use and
the fact that we currently still use libc_r, in that "-pthreads" resolves
to -lpthread. For our builds the -pthread option is not used so it never
came up, but to use the cross-compiler to build FIPS module and libcrypto
for the platform it is of course an issue. In the future we will move to
libpthread, but I have to resolve this issue now to prep for change letter
validation.

>From what I can tell, the specs file is "built-in" to gcc. Yes I can look
at it with -dumpspecs, and I can override it with, e.g., -specs=myspecs,
but then I am back to having to modify Configure script (and config to
point to a new unique platform. I don't think gcc automatically loads a
specs file from some known location - it uses what is built into it or what
is specified with the -specs option. Maybe there is another way?

I'm getting resistance here about changing the cross-compiler itself
because of our eventual switch to libpthread.

Kevin


On Wed, Jun 27, 2012 at 10:31 AM, Andy Polyakov  wrote:

> > both the FIPS module and OpenSSL use the -pthreads option for gcc when
> > building a *BSD/x86 target. With our cross-compiler, -pthreads results
> > in "-lpthread", although on our target we actually use libc_r for thread
> > support. While sorting out how I can resolve this in the
> > config/Configure scripts, I have been wondering why the thread library
> > is even needed to build a libcrypto containing the FIPS Module. Yes,
> > openssl provides multi-threading support, through the use of callbacks
> > set by an application. But I haven't seen any code that uses the
> > libpthread or libc_r API. If an application requires multithreading, it
> > will itself link in libc_r and libcrypto. But I don't understand why I
> > need that dependency built into libcrypto...
>
> -pthreads not only links with additional/alternative library but even
> can define a macro that might redefine some interface. *For example* on
> Solaris it changes 'errno' to '*(___errno())'. Former is single global
> variable, which is not multi-thread safe, while latter refers to
> thread-specific variable. It's perfectly possible [and appropriate] to
> use MT variant even in single-threaded application, but not vice versa.
> And therefore if one wants to have libcrypto.a that can be used in
> either context, multi- or single-threaded application, then it should be
> compiled with -pthreads. This is the reasoning for why. Note that *your*
> application doesn't have to be compiled/linked with -pthreads. At least
> no problems were ever reported that would indicate otherwise.
>
> As for -lpthread vs. -lc_r and what's right for your target
> cross-compiled platform (right?). Sounds like your cross-compiler
> doesn't do right. In such case Configure is probably not right place to
> solve this specific problem, gcc specs file is. I mean when gcc runs, it
> looks for specs file, which describes how different compiler options are
> threated, -pthreads included. You can examine current specs by running
> gcc -dumpspecs.
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: help with thread lib - x86/BSD

[Andy Polyakov]

> both the FIPS module and OpenSSL use the -pthreads option for gcc when
> building a *BSD/x86 target. With our cross-compiler, -pthreads results
> in "-lpthread", although on our target we actually use libc_r for thread
> support. While sorting out how I can resolve this in the
> config/Configure scripts, I have been wondering why the thread library
> is even needed to build a libcrypto containing the FIPS Module. Yes,
> openssl provides multi-threading support, through the use of callbacks
> set by an application. But I haven't seen any code that uses the
> libpthread or libc_r API. If an application requires multithreading, it
> will itself link in libc_r and libcrypto. But I don't understand why I
> need that dependency built into libcrypto...

-pthreads not only links with additional/alternative library but even
can define a macro that might redefine some interface. *For example* on
Solaris it changes 'errno' to '*(___errno())'. Former is single global
variable, which is not multi-thread safe, while latter refers to
thread-specific variable. It's perfectly possible [and appropriate] to
use MT variant even in single-threaded application, but not vice versa.
And therefore if one wants to have libcrypto.a that can be used in
either context, multi- or single-threaded application, then it should be
compiled with -pthreads. This is the reasoning for why. Note that *your*
application doesn't have to be compiled/linked with -pthreads. At least
no problems were ever reported that would indicate otherwise.

As for -lpthread vs. -lc_r and what's right for your target
cross-compiled platform (right?). Sounds like your cross-compiler
doesn't do right. In such case Configure is probably not right place to
solve this specific problem, gcc specs file is. I mean when gcc runs, it
looks for specs file, which describes how different compiler options are
threated, -pthreads included. You can examine current specs by running
gcc -dumpspecs.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Help with reading DER encoded RSA cert file

[Patrick Patterson]

Here's a hint:

You are creating a DER encoded RSA public Key - you are trying to read a DER 
encoded X.509 certificate. These are not the same thing.

Have fun.

Patrick.

On 2010-11-10, at 9:06 PM, furrbie wrote:

> 
> Hi,
> 
> I am trying to read in a DER encoded RSA public key using d2i_X509_fp();
> 
> I have generated an RSA key using openssl with the following commands:
> 
> 1. openssl genrsa -out privkey.pem 2048
> 2. openssl rsa -pubout -in privkey.pem -out pubkey.der -outform der
> 
> In my C++ program, I coded the following:
> FILE *fp = fopen("pubkey.der", "rb");
> X509 *x = d2i_X509_fp(fp, NULL);
> 
> However, x returns NULL after this point. How do I get a valid X509
> structure from a DER encoded cert?






__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

RE: help regarding .p12

[Dave Thompson]

>   From: owner-openssl-...@openssl.org On Behalf Of praveen likhar
>   Sent: Wednesday, 27 October, 2010 04:34

>   i am having .p12 pkcs12 format certificate and i want it to load 
> at client CA list using openssl api functions and want to use it at 
> verifying time. So please tell me what are the openssl api functions 
> for using certificate chain and how to do it. 

Your question isn't clear.

1. You have a pkcs12 containing a KEY AND cert (the normal use for p12) 
which you wish an SSL client to use to authenticate itself (to a server).

Extract the key and cert and give them to SSL_[CTX_]use_PrivateKey* 
and SSL_[CTX_]use_certificate*. If the client cert is not directly 
under a CA cert known to (trusted by) the server, you need to send 
the chain up to the point that is trusted. I think it works if you 
have them in the place(s) set by SSL_CTX_load_verify_locations or 
SSL_CTX_set_default_verify_paths (also used by the client to 
verify the server). Or use SSL_CTX_add_extra_chain_cert, or 
put in a (single concatenated PEM) file with the entity cert 
and use SSL_CTX_use_certificate_chain_file file .

Note an openssl client doesn't need the server to say clientCA-list 
correctly; it will use configured key/cert even though that doesn't 
match the server's request; if the server doesn't like this, it can 
(and must) fail the handshake. If you do want an openssl server to 
say clientCA-list, use SSL_[CTX_]add_client_CA or set_client_CA_list .

2. You have a pkcs12 containing only one or more certs, which is not 
a usual use of pkcs12 but it is permitted as far as I can see, and 
want to use it/them to verify something or somebody. In many cases, 
particularly including SSL, the sender/signer/whatever provides 
their cert in the data, so you don't need to have it already. 
That's the main benefit (or at least supposed to be) of PKI.
What you do need are CA certs under which peer certs are issued, 
especially if not well-known CAs like Thawte/Verisign/etc.
(That is, you always need the CA cert, but usually you already have 
or can easily get the well-known ones, so you only need to worry 
about getting private or local or experimental ones.)


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Help decrypting TLS

[Harsha gowda]

Hi,
:)
Ya i have private key of server,

Regards
Harsha

On Mon, Jun 29, 2009 at 6:02 PM, krish  wrote:

> its Diffie and Helman Key exchange algorith.
> There is no way You decrypt this session.
>
> for info on DIffie and Hellman see this url
>
> http://en.wikipedia.org/wiki/Diffie-Hellman.
>
> for public key and private key exchange algos You need private key file to
> decrypt the sessions.
>
>
>
>
> Regards,
> krish.
>
>
>
> On Mon, Jun 29, 2009 at 5:54 PM, Harsha gowda wrote:
>
>> Hi,
>>
>> Its
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>>
>> Regards
>> Harsha
>>
>>
>> On Mon, Jun 29, 2009 at 5:31 PM, krish wrote:
>>
>>> Can You pass tell me the cipher suite it is using ?
>>> if the Key Exchange algo is Diffie and Helman .. then there is no way You
>>> can decrypt.
>>>
>>>
>>> Regards,
>>> krishna.
>>>
>>>
>>>
>>> On Mon, Jun 29, 2009 at 3:30 PM, Harsha gowda 
>>> wrote:
>>>
 Hi,
 I am sniffing packets over wireless of 802.11i packets,
 Which uses EAP-TLS,
 So i have two way data and private key of CA.

 Client-Hello-->

 

 So now i can derive key-block,

 But openssl utlity for SSL3/TLS methods are built for active sessions
 only,
 I mean

 1st create a socket

 fd=create_sock()
 then pass the socket descriptor to ssl_ctx

 is there any hack or work arround,

 Like i have sniffed packet so can store them in file and give file
 descriptor as socket descriptor ?.

 SSLDump changes the TLSV1 method and injects the certificate,Client and
 server random number of capture file and try to generate Key-block
 & decrypt the text,

 But SSLDump does not support all the TLSV1 ciphers.


 Can any one help me in this regard

 Thanks
 Harsha



 --
 ಇಂತಿ
 ಹರ್ಷ ಕೃ ಗೌಡ


>>>
>>
>>
>> --
>> ಇಂತಿ
>> ಹರ್ಷ ಕೃ ಗೌಡ
>>
>>
>


-- 
ಇಂತಿ
ಹರ್ಷ ಕೃ ಗೌಡ

Re: Help decrypting TLS

[krish]

its Diffie and Helman Key exchange algorith.
There is no way You decrypt this session.

for info on DIffie and Hellman see this url

http://en.wikipedia.org/wiki/Diffie-Hellman.

for public key and private key exchange algos You need private key file to
decrypt the sessions.




Regards,
krish.


On Mon, Jun 29, 2009 at 5:54 PM, Harsha gowda wrote:

> Hi,
>
> Its
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>
> Regards
> Harsha
>
>
> On Mon, Jun 29, 2009 at 5:31 PM, krish wrote:
>
>> Can You pass tell me the cipher suite it is using ?
>> if the Key Exchange algo is Diffie and Helman .. then there is no way You
>> can decrypt.
>>
>>
>> Regards,
>> krishna.
>>
>>
>>
>> On Mon, Jun 29, 2009 at 3:30 PM, Harsha gowda 
>> wrote:
>>
>>> Hi,
>>> I am sniffing packets over wireless of 802.11i packets,
>>> Which uses EAP-TLS,
>>> So i have two way data and private key of CA.
>>>
>>> Client-Hello-->
>>>
>>> >>
>>> ClientKeyexchange>
>>>
>>> So now i can derive key-block,
>>>
>>> But openssl utlity for SSL3/TLS methods are built for active sessions
>>> only,
>>> I mean
>>>
>>> 1st create a socket
>>>
>>> fd=create_sock()
>>> then pass the socket descriptor to ssl_ctx
>>>
>>> is there any hack or work arround,
>>>
>>> Like i have sniffed packet so can store them in file and give file
>>> descriptor as socket descriptor ?.
>>>
>>> SSLDump changes the TLSV1 method and injects the certificate,Client and
>>> server random number of capture file and try to generate Key-block
>>> & decrypt the text,
>>>
>>> But SSLDump does not support all the TLSV1 ciphers.
>>>
>>>
>>> Can any one help me in this regard
>>>
>>> Thanks
>>> Harsha
>>>
>>>
>>>
>>> --
>>> ಇಂತಿ
>>> ಹರ್ಷ ಕೃ ಗೌಡ
>>>
>>>
>>
>
>
> --
> ಇಂತಿ
> ಹರ್ಷ ಕೃ ಗೌಡ
>
>

Re: Help decrypting TLS

[Harsha gowda]

Hi,

Its
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

Regards
Harsha

On Mon, Jun 29, 2009 at 5:31 PM, krish  wrote:

> Can You pass tell me the cipher suite it is using ?
> if the Key Exchange algo is Diffie and Helman .. then there is no way You
> can decrypt.
>
>
> Regards,
> krishna.
>
>
>
> On Mon, Jun 29, 2009 at 3:30 PM, Harsha gowda wrote:
>
>> Hi,
>> I am sniffing packets over wireless of 802.11i packets,
>> Which uses EAP-TLS,
>> So i have two way data and private key of CA.
>>
>> Client-Hello-->
>>
>> >
>> ClientKeyexchange>
>>
>> So now i can derive key-block,
>>
>> But openssl utlity for SSL3/TLS methods are built for active sessions
>> only,
>> I mean
>>
>> 1st create a socket
>>
>> fd=create_sock()
>> then pass the socket descriptor to ssl_ctx
>>
>> is there any hack or work arround,
>>
>> Like i have sniffed packet so can store them in file and give file
>> descriptor as socket descriptor ?.
>>
>> SSLDump changes the TLSV1 method and injects the certificate,Client and
>> server random number of capture file and try to generate Key-block
>> & decrypt the text,
>>
>> But SSLDump does not support all the TLSV1 ciphers.
>>
>>
>> Can any one help me in this regard
>>
>> Thanks
>> Harsha
>>
>>
>>
>> --
>> ಇಂತಿ
>> ಹರ್ಷ ಕೃ ಗೌಡ
>>
>>
>


-- 
ಇಂತಿ
ಹರ್ಷ ಕೃ ಗೌಡ

Re: Help decrypting TLS

[krish]

Can You pass tell me the cipher suite it is using ?
if the Key Exchange algo is Diffie and Helman .. then there is no way You
can decrypt.


Regards,
krishna.


On Mon, Jun 29, 2009 at 3:30 PM, Harsha gowda wrote:

> Hi,
> I am sniffing packets over wireless of 802.11i packets,
> Which uses EAP-TLS,
> So i have two way data and private key of CA.
>
> Client-Hello-->
>
> 
> ClientKeyexchange>
>
> So now i can derive key-block,
>
> But openssl utlity for SSL3/TLS methods are built for active sessions only,
> I mean
>
> 1st create a socket
>
> fd=create_sock()
> then pass the socket descriptor to ssl_ctx
>
> is there any hack or work arround,
>
> Like i have sniffed packet so can store them in file and give file
> descriptor as socket descriptor ?.
>
> SSLDump changes the TLSV1 method and injects the certificate,Client and
> server random number of capture file and try to generate Key-block
> & decrypt the text,
>
> But SSLDump does not support all the TLSV1 ciphers.
>
>
> Can any one help me in this regard
>
> Thanks
> Harsha
>
>
>
> --
> ಇಂತಿ
> ಹರ್ಷ ಕೃ ಗೌಡ
>
>

Re: Help crash on IO_proc_close/ CRYPTO_free !

[Ger Hobbelt]

On Wed, Mar 18, 2009 at 11:29 AM,   wrote:
>        Hi,
>
>> > Core 1
>> > --
>> > (gdb) bt
>> > #0  0x4021e76e in pclose () from /lib/libc.so.6
>> > #1  0x4021e548 in _IO_proc_close () from /lib/libc.so.6
>> > #2  0x400b4772 in CRYPTO_free (str=0x0) at mem.c:380
>> > (gdb)
>
>> And if I read that backtrace in the correct direction,
>
> Sorry to interrupt, but no, you didn't read it in the correct
> direction. It's pclose being called by _IO_proc_close which in
> turn was called by CRYPTO_free...

Yes, I see that now. Thanks for correcting my assumptions!

This implies (assuming a 'good' stacktrace) they've very probably
hooked some pipe-based debug hook functions into CRYPTO_free() (one
can do that sort of thing), but that's 'advanced usage' and should
immediately have led internally to a 'hm, let's check our debug
tracing/logging code hooks, eh?' sort of response. Ah well...


> Either that or a completely corrupted stack or heap, in which case
> something like valgrind or purify is probably going to be helpful in
> finding the _real_ problem.

Yup.
(Reading that stacktrace this way, I'd say it's a plausible trace,
which means the error is in an unmatched popen/pclose pair in some
user debug code - which is a good case for using purify to help dig
this one out - or does valgrind check handles as well these days? The
bit that's makes it extra 'hmmm' is no stacktrace beyond the
CRYPO_free() invocation.)



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web:http://www.hobbelt.com/
http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Help crash on IO_proc_close/ CRYPTO_free !

[Stefan . Neis]

Hi,

> > Core 1
> > --
> > (gdb) bt
> > #0  0x4021e76e in pclose () from /lib/libc.so.6
> > #1  0x4021e548 in _IO_proc_close () from /lib/libc.so.6
> > #2  0x400b4772 in CRYPTO_free (str=0x0) at mem.c:380
> > (gdb)

> And if I read that backtrace in the correct direction,

Sorry to interrupt, but no, you didn't read it in the correct
direction. It's pclose being called by _IO_proc_close which in
turn was called by CRYPTO_free...

> _I_ would suspect my own code and since this yaks about a pclose() my
> first question to the team would be: what have we got on pipes in our
> project? And see if you can put some diagnostics around it.

Either that or a completely corrupted stack or heap, in which case
something like valgrind or purify is probably going to be helpful in
finding the _real_ problem.

> And while you're at it, and assuming you're in a multithreaded app,
> check whether the OpenSSL thread lock hooks are done properly, just to
> cover all the bases.
(snipp)
> My bet is some part of your software has gone totally bonkers. With
> OpenSSL being part of the collateral.

Agreed.

Regards,
Stefan


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Help crash on IO_proc_close/ CRYPTO_free !

[Richard Salz]

My guess is that the stack is smashed, giving you garbage.  Run the 
program under GDB and try to reproduce it -- you might get a more 
reasonable backtrace.
/r$
--
Visiting Member, IBM Academy
STSM, DataPower Chief Programmer
WebSphere DataPower SOA Appliances
http://www.ibm.com/software/integration/datapower/

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Help crash on IO_proc_close/ CRYPTO_free !

[Ger Hobbelt]

pclose() is related to pipes (popen/pclose). OpenSSL itself doesn't
use pipes, so this must be an issue in some user code.

And if I read that backtrace in the correct direction, then some call
to pclose() call the libc internal _IO_proc_close(), which... in your
case calls CRYPTO_free() 
Either gdb has gone totally ape shit or you've been doing some _very_
interesting things to the libc source code. ;-)
A quick google (you made me wonder) delivers several implementations
of _IO_proc_close() code, all of whom have two theoretical ways to
push another call on the stack: _IO_close() and _IO_waitpid() (my
expectation is that _IO_fileno() is a macro). _IO_close() is a
candidate for calling heap free() somewhere in there, but that should
_never_ rise from these depths like the Great White in Jaws to end up
in CRYPTO_free(): the latter is an upper layer wrapper API, not a
libc-or-deeper core method!

Anyway, the short and long version of this is: none of those
would/should end up at CRYPTO_free(), as _that_ method would be
located in a layer ABOVE libc: it's a OPENSSL_wrapper around your
choice of malloc/free plus a few extras, so how that one comes to be
the next on the call stack is a true wonder.



_I_ would suspect my own code and since this yaks about a pclose() my
first question to the team would be: what have we got on pipes in our
project? And see if you can put some diagnostics around it.

A parallel process would be to check if your project assigns custom
malloc/free handlers, and/or special debug hooks for OpenSSL memory
allocation API ( CRYPTO_set_mem_debug_functions() /
CRYPTO_set_mem_functions() )
While you're at it, you might want to register a debug_free hook
function which pops up in your debugger (by forcibly invoking the
debugger, for example by causing a hardware exception (division by
zero, null memory reference, anything goes)

And while you're at it, and assuming you're in a multithreaded app,
check whether the OpenSSL thread lock hooks are done properly, just to
cover all the bases.



If it is indeed CRYPTO_free() in there as an active participant in
your call stack at that depth, it sure as Hell means some libc
function pointers or other libc internal references have been shot to
kingdom come.

My bet is some part of your software has gone totally bonkers. With
OpenSSL being part of the collateral.




On Tue, Mar 17, 2009 at 8:02 AM, Balaji Kannadassan  wrote:
> Hi All!
>
>    We are facing a crash as below. We are clueless on why is it happening.
> btw the tracebacks are partial in certain instances. Any help on how to
> trouble shoot the same would be ver much helpful.
>
> Thanks
> Balaji Kamal Kannadassan
>
>
> Core 1
> --
> (gdb) bt
> #0  0x4021e76e in pclose () from /lib/libc.so.6
> #1  0x4021e548 in _IO_proc_close () from /lib/libc.so.6
> #2  0x400b4772 in CRYPTO_free (str=0x0) at mem.c:380
> (gdb)
>
> Core 2:
> --
> Loaded symbols for /lib/libnss_files.so.2
> #0  0x4021e76e in pclose () from /lib/libc.so.6
> (gdb) bt
> #0  0x4021e76e in pclose () from /lib/libc.so.6
> #1  0x4021e548 in _IO_proc_close () from /lib/libc.so.6
> (gdb)



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web:http://www.hobbelt.com/
http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: help in edsa functions

[neorom]

I've solved my problem :
 EC_KEY *key;
 EC_GROUP *group;
//creation de la clef
if ((key = EC_KEY_new()) == NULL)
{
ret_ecdsa_check = -6;
return (ret_ecdsa_check);
}
group = EC_GROUP_new_by_curve_name(NID_secp192k1);
if (group == NULL)
{
ret_ecdsa_check = -5;
return (ret_ecdsa_check);
}
if (EC_KEY_set_group(key, group) == 0)
{
ret_ecdsa_check = -4;
return (ret_ecdsa_check);
}   
EC_GROUP_free(group);
if (EC_GROUP_get_degree(EC_KEY_get0_group(key)) < 16

Peviously, I didn't use the link function between the key and the
curve : EC_KEY_set_group(key, group)

So now it works with the source code upper.

Romain Hinfray

On Thu, Mar 5, 2009 at 2:43 PM, Billy Brumley  wrote:
> I think you want a key, not the group.
>
> EC_GROUP_new_by_curve_name => EC_KEY_new_by_curve_name
>
> Billy
>
> On Mon, Mar 2, 2009 at 6:15 PM, neorom  wrote:
>> I resolved my previous problem, the error came in the name of the
>> variable "key" which has to be named "eckey". So there is a mistake in
>> the code in the documentation.
>>
>> Now my problem is more difficult, because after :
>>
>> Initialization of the structure :
>> EC_KEY    *eckey =  EC_KEY_new()
>> link with an elliptic curve :
>> eckey = EC_GROUP_new_by_curve_name(NID_secp192k1);
>> finally, the creation of this key :
>> if (!EC_KEY_generate_key(eckey))
>>       {
>>        printf("error key generation\n");
>>       }
>>
>> when I execute my code, I get a Semgentation Fault and gdb tell me
>> that the problem comes with the  function :  BN_copy()
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x0805fee8 in BN_copy ()
>>
>> I am working with ubuntu and the libssl0.9.8g-10
>>
>> Thanks in advance for your help,
>>
>> Romain Hinfray
>>
>>
>> On Mon, Mar 2, 2009 at 2:57 PM, neorom  wrote:
>>> Hello every body,
>>>
>>> I'm new on this mailing list. I actually have to do a small program
>>> which have to generate signature with the ecdsa algorithm and I have
>>> never did it before.
>>> For this I saw the documentation and the example on the openssl web
>>> site (http://www.openssl.org/docs/crypto/ecdsa.html).
>>>
>>> But on line 8 of this program : key->group = 
>>> EC_GROUP_new_by_nid(NID_secp192k1);
>>> , I don't understood why the "key" structure isn't initialized before
>>> and with struture defines it. Gcc tells me that :  error: ‘key’
>>> undeclared.
>>>
>>> Can you help me please.
>>>
>>> Thanks in advance
>>>
>>> Romain Hinfray
>>>
>> __
>> OpenSSL Project                                 http://www.openssl.org
>> Development Mailing List                       openssl-dev@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
> __
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: help in edsa functions

[Billy Brumley]

I think you want a key, not the group.

EC_GROUP_new_by_curve_name => EC_KEY_new_by_curve_name

Billy

On Mon, Mar 2, 2009 at 6:15 PM, neorom  wrote:
> I resolved my previous problem, the error came in the name of the
> variable "key" which has to be named "eckey". So there is a mistake in
> the code in the documentation.
>
> Now my problem is more difficult, because after :
>
> Initialization of the structure :
> EC_KEY    *eckey =  EC_KEY_new()
> link with an elliptic curve :
> eckey = EC_GROUP_new_by_curve_name(NID_secp192k1);
> finally, the creation of this key :
> if (!EC_KEY_generate_key(eckey))
>       {
>        printf("error key generation\n");
>       }
>
> when I execute my code, I get a Semgentation Fault and gdb tell me
> that the problem comes with the  function :  BN_copy()
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0805fee8 in BN_copy ()
>
> I am working with ubuntu and the libssl0.9.8g-10
>
> Thanks in advance for your help,
>
> Romain Hinfray
>
>
> On Mon, Mar 2, 2009 at 2:57 PM, neorom  wrote:
>> Hello every body,
>>
>> I'm new on this mailing list. I actually have to do a small program
>> which have to generate signature with the ecdsa algorithm and I have
>> never did it before.
>> For this I saw the documentation and the example on the openssl web
>> site (http://www.openssl.org/docs/crypto/ecdsa.html).
>>
>> But on line 8 of this program : key->group = 
>> EC_GROUP_new_by_nid(NID_secp192k1);
>> , I don't understood why the "key" structure isn't initialized before
>> and with struture defines it. Gcc tells me that :  error: ‘key’
>> undeclared.
>>
>> Can you help me please.
>>
>> Thanks in advance
>>
>> Romain Hinfray
>>
> __
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: help in edsa functions

[neorom]

I resolved my previous problem, the error came in the name of the
variable "key" which has to be named "eckey". So there is a mistake in
the code in the documentation.

Now my problem is more difficult, because after :

Initialization of the structure :
EC_KEY*eckey =  EC_KEY_new()
link with an elliptic curve :
eckey = EC_GROUP_new_by_curve_name(NID_secp192k1);
finally, the creation of this key :
if (!EC_KEY_generate_key(eckey))
   {
printf("error key generation\n");
   }

when I execute my code, I get a Semgentation Fault and gdb tell me
that the problem comes with the  function :  BN_copy()

Program received signal SIGSEGV, Segmentation fault.
0x0805fee8 in BN_copy ()

I am working with ubuntu and the libssl0.9.8g-10

Thanks in advance for your help,

Romain Hinfray


On Mon, Mar 2, 2009 at 2:57 PM, neorom  wrote:
> Hello every body,
>
> I'm new on this mailing list. I actually have to do a small program
> which have to generate signature with the ecdsa algorithm and I have
> never did it before.
> For this I saw the documentation and the example on the openssl web
> site (http://www.openssl.org/docs/crypto/ecdsa.html).
>
> But on line 8 of this program : key->group = 
> EC_GROUP_new_by_nid(NID_secp192k1);
> , I don't understood why the "key" structure isn't initialized before
> and with struture defines it. Gcc tells me that :  error: ‘key’
> undeclared.
>
> Can you help me please.
>
> Thanks in advance
>
> Romain Hinfray
>
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: help about sect163k1 public key size

[Andrzej Chmielowiec]

Hi,

First format is in compressed form

30 2b 
  30 10
 06 07 2a 86 48 ce 3d 02 01 
 06 05 2b 81 04 00 01 
  03 17 00 -> (public key as bit string)

 02 -> (compressed format)
 00 c6 2b 5c 20 84 e0 33 50 cd 27 1c 54 a7 7b 97 5e 10 ce 9d f1 -> (x 
coordinate of EC point)

Second format is uncompressed form

30 40 
  30 10 
 06 07 2a 86 48 ce 3d 02 01 
 06 05 2b 81 04 00 01 
  03 2c 00 -> (public key as bit string)

 04 -> (uncompressed point)
 05 e4 a9 b0 56 01 51 3f 28 cc a0 97 1d 42 e8 62 9b a9 fa 0d ec -> (x 
coordinate of EC point)
 05 56 2f 86 8a fe 06 ff 09 50 c6 a0 2a 30 d8 df 0b b9 f4 73 b6 -> (y 
coordinate of EC point)


Both formats are supported by OpenSSL.

Regards,
Andrzej Chmielowiec


Hello

Ooops sorry for the noise


I made a mistake the first format is this one

000 30 2b 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b
020 81 04 00 01 03 17 00 02 00 c6 2b 5c 20 84 e0 33
040 50 cd 27 1c 54 a7 7b 97 5e 10 ce 9d f1

Second :
000 30 40 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b
020 81 04 00 01 03 2c 00 04 05 e4 a9 b0 56 01 51 3f
040 28 cc a0 97 1d 42 e8 62 9b a9 fa 0d ec 05 56 2f
060 86 8a fe 06 ff 09 50 c6 a0 2a 30 d8 df 0b b9 f4
100 73 b6

The first with a key lentgh of 43 bytes which seems to be the standard,
the second used by openssl with length 64 bytes. I can't decode using
asn1parse the first format

I'm not sure but I don't think that 43 bytes is the compressed format patented 
by certicom

Can anyone tell me where I can find informations on that and what is the
impact on sha1 + sect263k1 signature.

I use a development snapshot (openssl-SNAP-20080930) of openssl 




Thanks for your help

Bruno Vetel



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

  


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: help regarding random numbers in openssl

[Geoff Thorpe]

I see that you've cross-posted to both lists a few times, please don't. 
Most of your posts (if not all) belong on openssl-users. openssl-dev is 
for discussing the development of openssl itself, whereas openssl-users 
is for discussing development *using* openssl (or anything else related 
to openssl).

Thanks,
Geoff

On Tuesday 07 October 2008 11:47:42 prashanth s joshi wrote:
> Hi all,
>
> In openssl code which part actually handles catching of the random
> numbers exchanged during the handshake?
>
> Regards,
> Prashanth..

-- 
Un terrien, c'est un singe avec des clefs de char...
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Help required on building certificate chain

[luvlee_ghg]

You are right. A certificate chain is built starting from the subject cert
until we find a root certificate i.e; the chain building operation is
stopped when a certificate whose issuer and subject name is same.

I found that using authkeyidentifier and subjectkeyid we can build chain.
But the question is how to buiild it. I am having a hard time finding it. We
use CertGetCertificateChain() microsoft API to build cert chain based on
suject and issuer names. But I want to build it using akid and skid. Does
anyone knows how to do this or is there any API which I can use.

Thanks


macescandell wrote:
> 
> How are creating the certicate chain. A certificate chain has to start
> with
> the subject certificate followed  by an intermediate certificate ...
> ending
> in the root certificate. You can do this using *cat*
> 
> Thank You
> 
> 
> On Dec 19, 2007 12:18 PM, luvlee_ghg <[EMAIL PROTECTED]> wrote:
> 
>>
>> Hi experts,
>>
>> I would like to know if there is any API that takes care of building a
>> certificate chain in openSSL similar to MS API. Also please let me know
>> the
>> basic details on how a certificate chain is verified in openSSL.
>>
>> Following is my implementation:
>>
>>  R o o t C A
>>  ||
>> SUB CA1 SUB CA1(signing key is different than the
>> other one)
>> |
>>  Issued Certificate
>>
>> When the issued certificate is sent for verification, it always fails. I
>> think while building the certificate chain its building with the wrong
>> SUBCA
>> because it finds two of them with the same name. So I would like to know
>> how
>> can a certificate chain built in case if there are two CAs with similar
>> name
>> present in the certificate store. How to use the CA of the Issued
>> certificate to build the chain for verification?
>>
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Help-required-on-building-certificate-chain-tp14422191p14422191.html
>> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
>> __
>> OpenSSL Project http://www.openssl.org
>> Development Mailing List   openssl-dev@openssl.org
>> Automated List Manager   [EMAIL PROTECTED]
>>
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Help-required-on-building-certificate-chain-tp14422191p15530598.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Help required on building certificate chain

[luvlee_ghg]

Thanks all for your valuable info.

Yes, the certificates that I use have AKID and SKID extensions. Right now I
think my chain is built based on the issuer name.  I use MS API
CertGetCertificateChain to build the certificate chain. I need to modify it
to build the chain based on the AKID & SKID of the certificate. Could
someone tell me how I can go about it?

Thanks 
Harish


Bruno Bonfils-2 wrote:
> 
> On Wed 19 December, luvlee_ghg wrote:
>> When the issued certificate is sent for verification, it always fails. I
>> think while building the certificate chain its building with the wrong
>> SUBCA
>> because it finds two of them with the same name. So I would like to know
>> how
>> can a certificate chain built in case if there are two CAs with similar
>> name
>> present in the certificate store. How to use the CA of the Issued
>> certificate to build the chain for verification?
> 
> 
> Do you have AKI/SKI X509v3 extensions in your certificates? I'm not an
> expert of openssl internal, but regarding X509_check_issued (defined in
> v3_purp.c), openssl can used aki/ski to check the chain of verification.
> 
> However, maybe openssl tried the first CA certificate (the bad one),
> call check_issued, and doesn't try any others one since an error
> occured.
> 
> 
> my two cents
> 
> -- 
> http://asyd.net/home/   - Home Page
> http://guses.org/home/  - French Speaking (Open)Solaris User Group
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Help-required-on-building-certificate-chain-tp14422191p14440838.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Help required on building certificate chain

[Hong Cho]

During the building of the certificate chain, the distinguished names
(DNs) are used to match the issuers and the subjects.  So if two
different certificates (since they are using different keys) have the
same DNs, that would be a problem.

Have you tried including the "correct" intermediate certificate with
the leaf one?  If the verifier decides to pick its own, there probably
nothing you can do, but it might work.

Hong.

On Dec 19, 2007 10:18 AM, luvlee_ghg <[EMAIL PROTECTED]> wrote:
>
> Hi experts,
>
> I would like to know if there is any API that takes care of building a
> certificate chain in openSSL similar to MS API. Also please let me know the
> basic details on how a certificate chain is verified in openSSL.
>
> Following is my implementation:
>
>   R o o t C A
>   ||
>  SUB CA1 SUB CA1(signing key is different than the
> other one)
>  |
>   Issued Certificate
>
> When the issued certificate is sent for verification, it always fails. I
> think while building the certificate chain its building with the wrong SUBCA
> because it finds two of them with the same name. So I would like to know how
> can a certificate chain built in case if there are two CAs with similar name
> present in the certificate store. How to use the CA of the Issued
> certificate to build the chain for verification?
>
>
>
> --
> View this message in context: 
> http://www.nabble.com/Help-required-on-building-certificate-chain-tp14422191p14422191.html
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Help required on building certificate chain

[macescandell]

How are creating the certicate chain. A certificate chain has to start with
the subject certificate followed  by an intermediate certificate ... ending
in the root certificate. You can do this using *cat*

Thank You


On Dec 19, 2007 12:18 PM, luvlee_ghg <[EMAIL PROTECTED]> wrote:

>
> Hi experts,
>
> I would like to know if there is any API that takes care of building a
> certificate chain in openSSL similar to MS API. Also please let me know
> the
> basic details on how a certificate chain is verified in openSSL.
>
> Following is my implementation:
>
>  R o o t C A
>  ||
> SUB CA1 SUB CA1(signing key is different than the
> other one)
> |
>  Issued Certificate
>
> When the issued certificate is sent for verification, it always fails. I
> think while building the certificate chain its building with the wrong
> SUBCA
> because it finds two of them with the same name. So I would like to know
> how
> can a certificate chain built in case if there are two CAs with similar
> name
> present in the certificate store. How to use the CA of the Issued
> certificate to build the chain for verification?
>
>
>
> --
> View this message in context:
> http://www.nabble.com/Help-required-on-building-certificate-chain-tp14422191p14422191.html
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>

Re: Help required on building certificate chain

[Bruno Bonfils]

On Wed 19 December, luvlee_ghg wrote:
> When the issued certificate is sent for verification, it always fails. I
> think while building the certificate chain its building with the wrong SUBCA
> because it finds two of them with the same name. So I would like to know how
> can a certificate chain built in case if there are two CAs with similar name
> present in the certificate store. How to use the CA of the Issued
> certificate to build the chain for verification?


Do you have AKI/SKI X509v3 extensions in your certificates? I'm not an
expert of openssl internal, but regarding X509_check_issued (defined in
v3_purp.c), openssl can used aki/ski to check the chain of verification.

However, maybe openssl tried the first CA certificate (the bad one),
call check_issued, and doesn't try any others one since an error
occured.


my two cents

-- 
http://asyd.net/home/   - Home Page
http://guses.org/home/  - French Speaking (Open)Solaris User Group
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Help

[Dr. Stephen Henson]

On Thu, Oct 24, 2002, Nicolas Chelebifski wrote:

>  Now I also have to add a certificatePolicies extension and I can't make
> that work.
> How do add a certificatePolicies extension in my code (not using a config
> file),
> 
The easiest way is to add it via a config file in a C string,
which you can put in a memory BIO.

Alternatively you can populate the structure manually and
add it using X509_add1_ext_i2d().

Check the x509v3.h header file and v3_cpols.c too.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help

[Michel Labarre]

On Monday 30 September 2002 22:02, Reddy Prem-MGIA2040 wrote:

You can use gcc to do that! That's works fine. (with x80 series too in 32 bits 
mode).

> Hi
>
> Can any one help out with this error.
>
> # make
>
> + rm -f libcrypto.so.0
>
> + rm -f libcrypto.so
>
> + rm -f libcrypto.so.0.9.6
>
> + rm -f libssl.so.0
>
> + rm -f libssl.so
>
> + rm -f libssl.so.0.9.6
>
> making all in crypto...
>
> cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
> -xtc
>
>
> License Error : Cannot find the license server (gulf)
>
> in the network database for product(Sun WorkShop Compiler C SPARC)
>
> Cannot find SERVER hostname in network database
>
>  The lookup for the hostname on the SERVER line in the
>
>  license file failed.  This often happens when NIS or DNS
>
>  or the hosts file is incorrect.  Workaround: Use IP-Address
>
>  (e.g., 123.456.789.123) instead of hostname
>
> Feature:workshop.c.sparc
>
> Hostname:citgo
>
> FLEXlm error:-14,7.
>
> cc: acomp failed for cryptlib.c
>
> *** Error code 2
>
> make: Fatal error: Command failed for target `cryptlib.o'
>
> Current working directory /usr/local/src/openssl-0.9.6g/crypto
>
> *** Error code 1
>
> make: Fatal error: Command failed for target `sub_all'
>
>
> Thanks
> Prem Reddy
>
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

-- 
Michel Labarre
Helicom
232, rue de la croix blanchot 77750 BASSEVELLE
Tel. +33 1 60 22 52 15
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Help

[Lynn Gazis]

Your Sun Workshop C compiler is being managed by a FlexLM license server; in
order to execute it needs to first check out a license from this license
server.  Your system is configured such that the license server is expected
to be running on a computer named "gulf".  Either the license server is not
running on that computer, and needs to be restarted for some reason, or else
you are, for some reason, having trouble reaching "gulf" over the network.
Check your network connection; check whether the license server is running.
To check whether the license server is running on "gulf", you can use the
command

ps -e | grep lmgrd

The license server files are usually installed under /opt/SUNWste, along
with some relevant man pages.

If you need more assistance, you may want to contact Sun.  Or else ask on
openssl-users, rather than on openssl-dev, since openssl-dev is really
intended more for the discussion of the development of OpenSSL itself.

Lynn Gazis

-Original Message-
From: Reddy Prem-MGIA2040 [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 1:02 PM
To: '[EMAIL PROTECTED]'
Subject: Help


Hi 

Can any one help out with this error.

# make

+ rm -f libcrypto.so.0

+ rm -f libcrypto.so

+ rm -f libcrypto.so.0.9.6

+ rm -f libssl.so.0

+ rm -f libssl.so

+ rm -f libssl.so.0.9.6

making all in crypto...

cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-xtc
 

License Error : Cannot find the license server (gulf)

in the network database for product(Sun WorkShop Compiler C SPARC)

Cannot find SERVER hostname in network database

 The lookup for the hostname on the SERVER line in the

 license file failed.  This often happens when NIS or DNS

 or the hosts file is incorrect.  Workaround: Use IP-Address

 (e.g., 123.456.789.123) instead of hostname

Feature:workshop.c.sparc

Hostname:citgo

FLEXlm error:-14,7.

cc: acomp failed for cryptlib.c

*** Error code 2

make: Fatal error: Command failed for target `cryptlib.o'

Current working directory /usr/local/src/openssl-0.9.6g/crypto

*** Error code 1

make: Fatal error: Command failed for target `sub_all'


Thanks
Prem Reddy

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Pier Fumagalli]

Steve Quirk <[EMAIL PROTECTED]> wrote:

> Ok.  I figured out what I did wrong - I didn't follow my own advice: seems
> /usr/lib/libssl.dyld and /usr/lib/libcrypt.dyld got reinstalled by one of
> the upgrades and I linked against the wrong lib.  Re-removing them fixed
> it.
> 
> So here's what works:
>  rm /usr/lib/libssl.dyld /usr/lib/libcrypt.dyld
>  ./Configure shared -DUSE_TOD --openssldir=/usr/local \
> --prefix=/usr/local darwin-ppc-cc
>  make && make tests
> 
> There is a warning about _crypt being defined in libSystem, it (seems to)
> work anyway.
> 
> "Configure threads ..." seems to be a problem because Apple
> doesn't provide gmtime_r().  Some hacking is required if you need it.
> IMO, the #ifdef idiom for things like this would be better
>   #if defined(NO_GMTIME_R)
>   ts=gmtime(&t);
>   #else
>   gmtime_r(&t, &data);
>   ts = &data;
>   #endif
> and allow Configure to set the proper -Dfoo.  The code seems to be riddled
> with expedient platform hacks (e.g. #if THISOS || THATOS || ANOTHEROS).
> 
> "Configure shared ..." doesn't seem to be directly supported either.
> Everything compiles & links, but no .so or .dyld libraries are created.
> Did I miss something?  IIRC, you have to do some funky make invocations to
> get this (SHLIB_EXT=.dyld &etc).
> 
> I'm not exactly sure what you mean by "partial configure", though.

Did you see the patch I submitted Friday on that? 0.9.6c compiles just fine
on Darwin, given that patch... At least on my system with threading and
shared library support... BTW, I'm using 10.1.2 (Darwin Kernel Version 5.2)
with the latest developers tools...

Pier

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Steve Quirk]

Probably because you're not using an ebcdic computer and ebcdic.o has no
symbols.  You might be comforted by the line that precedes it:

"You may get an error following this line. Please ignore."

- sq

On Thu, 3 Jan 2002, Jay States wrote:

> why does /usr/bin/ranlib: file: ../../libcrypto.a(ebcdic.o) has no
> symbols message keep coming up in all make processes
>
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Steve Quirk]

Ok.  I figured out what I did wrong - I didn't follow my own advice: seems
/usr/lib/libssl.dyld and /usr/lib/libcrypt.dyld got reinstalled by one of
the upgrades and I linked against the wrong lib.  Re-removing them fixed
it.

So here's what works:
   rm /usr/lib/libssl.dyld /usr/lib/libcrypt.dyld
   ./Configure shared -DUSE_TOD --openssldir=/usr/local \
--prefix=/usr/local darwin-ppc-cc
   make && make tests

There is a warning about _crypt being defined in libSystem, it (seems to)
work anyway.

"Configure threads ..." seems to be a problem because Apple
doesn't provide gmtime_r().  Some hacking is required if you need it.
IMO, the #ifdef idiom for things like this would be better
#if defined(NO_GMTIME_R)
ts=gmtime(&t);
#else
gmtime_r(&t, &data);
ts = &data;
#endif
and allow Configure to set the proper -Dfoo.  The code seems to be riddled
with expedient platform hacks (e.g. #if THISOS || THATOS || ANOTHEROS).

"Configure shared ..." doesn't seem to be directly supported either.
Everything compiles & links, but no .so or .dyld libraries are created.
Did I miss something?  IIRC, you have to do some funky make invocations to
get this (SHLIB_EXT=.dyld &etc).

I'm not exactly sure what you mean by "partial configure", though.

Steve

-- Forwarded message --
Date: Thu, 3 Jan 2002 12:20:07 -0500 (EST)
From: Steve Quirk <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Help with openssl-0.9.6c for Mac OS X

ld is trying to link against the lib that Apple ships.  Before building
openssl (which will replace Apple's libs), you need to move/rename/unlink
/usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib.  Then you *might* be
able to build them.

Now, there's another issue from another email on the list - 'make test'
seems to fail.

 localhost> ./Configure threads shared --openssldir=/usr/local \
   --prefix=/usr/local darwin-ppc-cc
 ...
 localhost> make test
 ...
 output: f1 64 41 a7 00 00 a4 df 00 00 00 e9 53 e1 69 18 36 ff 78 00 00
 expect: d6 a1 41 a7 ec 3c 38 df bd 61 5a 11 62 e1 c7 ba 36 b6 78 58 00error in RC4 
multi-call processing
 output: f1 64 41 a7 00 00 a4 df 00 00 00 e9 53 e1 69 18 36 ff 78 00 00
 expect: d6 a1 41 a7 ec 3c 38 df bd 61 5a 11 62 e1 c7 ba 36 b6 78 58 00done
 make[1]: *** [test_rc4] Error 45
 make: *** [tests] Error 2
 ...

Host is
 localhost> uname -a
 Darwin localhost 1.4 Darwin Kernel Version 1.4: Sun Sep  9 15:39:59 PDT
 2001; root:xnu/xnu-201.obj~1/RELEASE_PPC  Power Macintosh powerpc

But something doesn't look right:
 localhost> ./apps/openssl version -a
 OpenSSL 0.9.6b 9 Jul 2001
 built on: Sun Sep  2 16:13:21 PDT 2001
 platform: Darwin
 options:  bn(32,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
 compiler: cc -arch i386 -arch ppc -g -O3 -pipe -Wno-precomp -arch i386 -arch ppc -pipe

Why does it report "0.9.6b"?  I might be inadvertantly getting headers
from /usr/local/include/openssl rather than ./include ...  Gimme a minute.

Steve

On Wed, 2 Jan 2002, Jay States wrote:

> i have a question about openssl and Mac OSX... why does ssl-0.9.6c only
> partial configure for osx and is there any place that can help me out?
>
> these are the error message that come up when i make install
> /usr/bin/ld: warning unused multiple definitions of symbol _crypt
> /usr/lib/libcrypto.dylib(fcrypt.o) definition of _crypt
> /usr/lib/libSystem.dylib(crypt.o) unused definition of _crypt
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Steve Quirk]

ld is trying to link against the lib that Apple ships.  Before building
openssl (which will replace Apple's libs), you need to move/rename/unlink
/usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib.  Then you *might* be
able to build them.

Now, there's another issue from another email on the list - 'make test'
seems to fail.

 localhost> ./Configure threads shared --openssldir=/usr/local \
   --prefix=/usr/local darwin-ppc-cc
 ...
 localhost> make test
 ...
 output: f1 64 41 a7 00 00 a4 df 00 00 00 e9 53 e1 69 18 36 ff 78 00 00
 expect: d6 a1 41 a7 ec 3c 38 df bd 61 5a 11 62 e1 c7 ba 36 b6 78 58 00error in RC4 
multi-call processing
 output: f1 64 41 a7 00 00 a4 df 00 00 00 e9 53 e1 69 18 36 ff 78 00 00
 expect: d6 a1 41 a7 ec 3c 38 df bd 61 5a 11 62 e1 c7 ba 36 b6 78 58 00done
 make[1]: *** [test_rc4] Error 45
 make: *** [tests] Error 2
 ...

Host is
 localhost> uname -a
 Darwin localhost 1.4 Darwin Kernel Version 1.4: Sun Sep  9 15:39:59 PDT
 2001; root:xnu/xnu-201.obj~1/RELEASE_PPC  Power Macintosh powerpc

But something doesn't look right:
 localhost> ./apps/openssl version -a
 OpenSSL 0.9.6b 9 Jul 2001
 built on: Sun Sep  2 16:13:21 PDT 2001
 platform: Darwin
 options:  bn(32,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
 compiler: cc -arch i386 -arch ppc -g -O3 -pipe -Wno-precomp -arch i386 -arch ppc -pipe

Why does it report "0.9.6b"?  I might be inadvertantly getting headers
from /usr/local/include/openssl rather than ./include ...  Gimme a minute.

Steve

On Wed, 2 Jan 2002, Jay States wrote:

> i have a question about openssl and Mac OSX... why does ssl-0.9.6c only
> partial configure for osx and is there any place that can help me out?
>
> these are the error message that come up when i make install
> /usr/bin/ld: warning unused multiple definitions of symbol _crypt
> /usr/lib/libcrypto.dylib(fcrypt.o) definition of _crypt
> /usr/lib/libSystem.dylib(crypt.o) unused definition of _crypt
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Richard Levitte - VMS Whacker]

From: Jay States <[EMAIL PROTECTED]>

jstates> why does /usr/bin/ranlib: file: ../../libcrypto.a(ebcdic.o) has no 
jstates> symbols message keep coming up in all make processes

Because that is correct.  It is, however, the first time I've heard
about ranlib complaining about it.  I think it can be safely ignored.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Jay States]

why does /usr/bin/ranlib: file: ../../libcrypto.a(ebcdic.o) has no 
symbols message keep coming up in all make processes

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Richard Levitte - VMS Whacker]

From: Jay States <[EMAIL PROTECTED]>

jstates> The stable version 0.9.6c configures  on OSX, but
jstates> libcrypto.dylib and libssl.dylib mess up the make test and
jstates> build process.  I've tried moving libcrypto.dylib and
jstates> libssl.dylib but I get different error messages and the mail
jstates> program with os x does not work.  what can I do to clean the
jstates> libs for openssl to install new ones?

Since I do not know what error messages, I can't even start guessing.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Jay States]

The stable version 0.9.6c configures  on OSX, but libcrypto.dylib and 
libssl.dylib mess up the make test and build process.  I've tried moving 
libcrypto.dylib and libssl.dylib but I get different error messages and 
the mail program with os x does not work.  what can I do to clean the 
libs for openssl to install new ones?

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help with openssl-0.9.6c for Mac OS X

[Richard Levitte - VMS Whacker]

From: Jay States <[EMAIL PROTECTED]>

jstates> i have a question about openssl and Mac OSX... why does
jstates> ssl-0.9.6c only partial configure for osx and is there any
jstates> place that can help me out?

What exactly do you mean with "partial configure"?

I think it's time I go through all the platform accounts I have and
try things out.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP - Crypt-SSleay-0.22 Install on HPUX 11.00 64 bit arch

[Joshua Chamas]

[EMAIL PROTECTED] wrote:
> 
> I had the same problem on HP-UX 10.20, but when I recompiled openssl
> with CFLAGS='-fPIC' (or CFLAGS='+Z' if you are not using gcc) I did
> over come this problem. I have all kind of other problem (appearently
> to do with using gcc) which I am still asking people about (as I am
> not a C programmer), but this is one I did manage to solve. I can
> remember if I did "CFLAGS='+Z' ./configure" or if I had to change the
> makefile.

If this doesn't end up being a fix for openssl ./configure on HP-UX,
would some HP-UX user one day please confirm what steps are necessary 
to make things work from start to finish, so I can add a build note 
in Crypt::SSLeay README

Thanks,

Josh
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: help

[Geoff Thorpe]

Hi there,

On Thu, 14 Dec 2000, [iso-8859-1] dilip kumar wrote:

[snip]

> i am running a daeomon using stunnel version 3.8p4
> ,but give the following output with some in generating
> random numbers 

[snip]

> i also tried to generate random number file with open
> ssl with rand command . this command gives error like
> this

perhaps you should look carefully at the error output;

> OpenSSL> rand -out RANDFILE 23
> unable to load 'random state'
> This means that the random number generator has not
> been seeded
> with much random data.
> Consider setting the RANDFILE environment variable to
> point at a file that
> 'random' data can be kept in (the file will be
> overwritten).
> 13836:error:24064064:random number
> generator:SSLEAY_RAND_BYTES:PRNG not seeded:m
> d_rand.c:474:You need to read the OpenSSL FAQ,
> http://www.openssl.org/support/fa
> q.html
> error in rand

You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html

> and here follows the output of stunnel command .please
> help me .its very urgent.

again, you should read your own error output;

[snip]

> LOG5[13670:1]: Using '203.111.24.54.4053' as
> tcpwrapper service name
> LOG4[13670:1]: Wrong permissions on
> /usr/local/ssl/certs/gjones@mintech[1].com.s
> g.pem

Off the main subject - stunnel doesn't like the permissions on that file,
but then;

> LOG6[13670:1]: Unable to retrieve any random data from
> /tmp/entropy
> LOG4[13670:1]: Failed to write strong random data to
> /tmp/entropy.  May be a per
> missions or seeding problem
> LOG6[13670:1]: PRNG seeded with 0 bytes total
> LOG4[13670:1]: PRNG may not have been seeded with
> enough random bytes

[snip]

If you read that FAQ, you may get a clue as to what all that means. Beyond
that FAQ entry, anything like this becomes an application problem (ie.
stunnel, not openssl). Also, this belongs on openssl-users, not
openssl-dev.

Cheers,
Geoff


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP for $$$$, all problems gone away

[James Bailey]

Thanks bill, your comments were informative, your assumptions correct,
and your advice on how to address the problem was exact enough for me to
be able to get things working inside 2 minutes. I have to be impressed
with that ;-)

I hope the person who posted the original 'HELP for ' message has
similar success and is equally appreciative.

Thank you once again,

dgym bailey
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: HELP for $$$$

[Bill Rebey]

This sounds EXACTLY like what I ran across - right down to the mask values
and missing bit (low bit of 2nd nibble is missing).

All I had to do was call SSL_CTX_set_tmp_dh () after creating the context
(SSL_CTX_new()).  See "s_server.c" in the "apps" directory, and use the code
in the function "get_dh512()".  Search for the single call to that function
in "s_server.c" for an example of its use and how to subsequently call
SSL_CTX_set_tmp_dh().

Do this and your code will probably spring to life;  mine did.  

For the background on this, the missing mask bit is  'kEDH'.  This is set
only if 'dh_tmp' in the CERT structure is non-NULL when it is processed in
"ssl_set_cert_masks (in ssl_lib.c)".  The only way this dh_tmp is set (that
I could find) is when a successful call is made to SSL_CTX_set_tmp_dh (),
which ultimately happens in s3_lib.c (search for the case
SSL_CTRL_SET_TMP_DH in that module to see the code).

Hope this helps, and once again:

MANY THANKS to Dr. Stephen Henson for sending me down the right path.

Bill Rebey


 
-Original Message-
From:   James Bailey [mailto:[EMAIL PROTECTED]]
Sent:   Monday, June 19, 2000 8:30 AM
To: [EMAIL PROTECTED]
Subject:Re: HELP for 

I too am in a similar situation. When trying to use ssl to connect from
a test client to a test server using RSA certificates everything runs
smoothly. However, when switching to DSA certificates the cipher
selection fails.

I too wish to disable all RSA support so that my end product isn't
hindered by licensing nonsense from companies, and as such I am using
the no-rc5, no-idea and no-rsa flags for the config script.

I have looked into the problem as much as I can, but have a severly
limited knowledge of how and why a cipher is choosen.

in s3_lib.c, function ssl3_choose_cipher, the alg is anded with an emask
( I presume this is some sort of functionality check ) before a cipher
is selected, when running with debug on the following output was
generated :

Have:
0x80b291c:EDH-DSS-DES-CBC3-SHA
0x80b2b24:DHE-DSS-RC4-SHA
0x80b2afc:EXP1024-DHE-DSS-RC4-SHA
0x80b2aac:EXP1024-DHE-DSS-DES-CBC-SHA
0x80b28f4:EDH-DSS-DES-CBC-SHA
0:[0050:0140]0x80b291c:EDH-DSS-DES-CBC3-SHA
0:[0050:0140]0x80b2b24:DHE-DSS-RC4-SHA
0:[0050:0140]0x80b2afc:EXP1024-DHE-DSS-RC4-SHA (export)
0:[0050:0140]0x80b2aac:EXP1024-DHE-DSS-DES-CBC-SHA (export)
0:[0050:0140]0x80b28f4:EDH-DSS-DES-CBC-SHA
0:[0050:0140]0x80b28cc:EXP-EDH-DSS-DES-CBC-SHA (export)

50 is the alg, and when anded with an emask of 140, does not equal 50.
As all these ciphers have the same alg, none of them pass, and so no
cipher is choosen.

Please can someone offer some more indepth knowledge as to what is going
on here. Should there be more ciphers to choose from?

I hope that this insight proves usefull, and wish to offer thanks in
advance for any help given,

Regards,

dgym bailey
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP for $$$$

[James Bailey]

I too am in a similar situation. When trying to use ssl to connect from
a test client to a test server using RSA certificates everything runs
smoothly. However, when switching to DSA certificates the cipher
selection fails.

I too wish to disable all RSA support so that my end product isn't
hindered by licensing nonsense from companies, and as such I am using
the no-rc5, no-idea and no-rsa flags for the config script.

I have looked into the problem as much as I can, but have a severly
limited knowledge of how and why a cipher is choosen.

in s3_lib.c, function ssl3_choose_cipher, the alg is anded with an emask
( I presume this is some sort of functionality check ) before a cipher
is selected, when running with debug on the following output was
generated :

Have:
0x80b291c:EDH-DSS-DES-CBC3-SHA
0x80b2b24:DHE-DSS-RC4-SHA
0x80b2afc:EXP1024-DHE-DSS-RC4-SHA
0x80b2aac:EXP1024-DHE-DSS-DES-CBC-SHA
0x80b28f4:EDH-DSS-DES-CBC-SHA
0:[0050:0140]0x80b291c:EDH-DSS-DES-CBC3-SHA
0:[0050:0140]0x80b2b24:DHE-DSS-RC4-SHA
0:[0050:0140]0x80b2afc:EXP1024-DHE-DSS-RC4-SHA (export)
0:[0050:0140]0x80b2aac:EXP1024-DHE-DSS-DES-CBC-SHA (export)
0:[0050:0140]0x80b28f4:EDH-DSS-DES-CBC-SHA
0:[0050:0140]0x80b28cc:EXP-EDH-DSS-DES-CBC-SHA (export)

50 is the alg, and when anded with an emask of 140, does not equal 50.
As all these ciphers have the same alg, none of them pass, and so no
cipher is choosen.

Please can someone offer some more indepth knowledge as to what is going
on here. Should there be more ciphers to choose from?

I hope that this insight proves usefull, and wish to offer thanks in
advance for any help given,

Regards,

dgym bailey
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP - I have a Netscape hang!

[Ben Laurie]

Oi! This has nothing to do with OpenSSL development - take it elsewhere.

Cheers,

Ben.

[EMAIL PROTECTED] wrote:
> 
> Angelo -
> 
> Thank you for your reply!  Yes, I did try it with nslookup, and the addresses
> resolve normally.  I thoroughly checked the DNS aspect using 'snoop.'  What I
> found is that the name information is not getting back to Netscape, so it keeps
> re-requesting the info.
> 
> I also loaded a text-based browser called 'lynx' to see if it had any name
> resolution problems, but it didn't have any problems at all - lynx worked just
> fine.  When I used 'snoop' on lynx, you could see the names going back and forth
> exactly as expected.  I even did a test where I went to the exact same location
> using lynx and using Netscape.  lynx worked, Netscape didn't.   And yes, I did
> try reloading Netscape from scratch (using the same gzip'd tarball as I did 6
> months ago), just in case the binary was corrupted in any way.  I've blown away
> and reinstalled Netscape twice.  Still didn't help, still have the same problem.
> This is definitely Netscape<->DNS weirdness.
> 
> Does that give you a clearer picture of what's happening?  Let me know if you
> need any additional info, like the sessions I captured using snoop.
> 
> Dana
> 
> "Angelo Nardone" <[EMAIL PROTECTED]> on 06/08/2000 08:57:46
> 
> 
> 
> 
> 
> 
> 
>  To:  [EMAIL PROTECTED]
> 
>  cc:  Dana Kaempen/Corp/Walgreens@Walgreens
> 
> 
> 
>  Subject: RE: HELP - I have a Netscape hang!
> 
> 
> I think that Netscape do NOT resolve the address, its call 'gethostbyname'
> function.
> Did you tried with 'nslookup', Is not a DNS problem? Are you sure?
> 
> Angelo
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, June 07, 2000 2:37 PM
> To: [EMAIL PROTECTED]
> Subject: HELP - I have a Netscape hang!
> 
> I hope someone out there can help me - quickly!
> 
> I compiled and installed OpenSSL v0.9.5a a few weeks ago and then I rebooted
> my
> Sun SPARC (running Solaris 7) on Monday, 06/05.  Since then, when I bring up
> Netscape (v4.61), it hangs on every site that has to be resolved thru DNS.
> If I
> put in a numeric URL, Netscape can function; if Netscape must resolve the
> address, it hangs until it finally says it can't resolve the name.  The
> system
> was fine until I did the reboot.
> 
> Does anyone have any suggestions as to how I can fix this, or at very least
> uninstall OpenSSL to see if that is causing the problem?  Please help me,
> because I am not that great at solving problems that are "under the radar"
> (unviewable & system-related, that is).  I've tried everything else that I
> or my
> colleagues can think of.  Unfortunately, none of us do system-level
> debugging...
> 
> Thank you *very* much!
> 
> Dana Kaempen
> 
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP - I have a Netscape hang!

[Dana . Kaempen]

Originally, no, nobody touched either nsswitch.conf or resolv.conf.  This
problem started without any modification to those files.  In the course of
trying to debug the problem, I did modify resolve.conf, but it neither helps nor
harms, and was only done after the difficulties first manifested.  nsswitch.conf
has not been changed in 10 months.

The only other recent system change was the installation of OpenSSH, for which
OpenSSL is a prereq.  Could that in any way affect Netscape?  I didn't consider
it at first since it's only supposed to be relevant for rsh, rlogin, and similar
functions, none of which Netscape is doing.  Is this a logical conclusion?  I
couldn't find a way of uninstalling OpenSSH any more than I could of
uninstalling OpenSSL.

Thoughts?

Dana








Chris Zimman <[EMAIL PROTECTED]> on 06/08/2000 11:17:39





  
  
  
 To:  Dana Kaempen/Corp/Walgreens@Walgreens   
  
 cc:  [EMAIL PROTECTED]
  
  
      
 Subject: Re: HELP - I have a Netscape hang!  
  








> I compiled and installed OpenSSL v0.9.5a a few weeks ago and then I rebooted
my
> Sun SPARC (running Solaris 7) on Monday, 06/05.  Since then, when I bring up
> Netscape (v4.61), it hangs on every site that has to be resolved thru DNS.  If
I
> put in a numeric URL, Netscape can function; if Netscape must resolve the
> address, it hangs until it finally says it can't resolve the name.  The system
> was fine until I did the reboot.

Did anyone touch your /etc/resolv.conf or /etc/nsswitch.conf files?
Netscape has completely wierd ways of doing DNS resolution.  I can't
imagine that this is related to OpenSSL in any way though.

--Chris





__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP - I have a Netscape hang!

[Chris Zimman]

> I compiled and installed OpenSSL v0.9.5a a few weeks ago and then I rebooted my
> Sun SPARC (running Solaris 7) on Monday, 06/05.  Since then, when I bring up
> Netscape (v4.61), it hangs on every site that has to be resolved thru DNS.  If I
> put in a numeric URL, Netscape can function; if Netscape must resolve the
> address, it hangs until it finally says it can't resolve the name.  The system
> was fine until I did the reboot.

Did anyone touch your /etc/resolv.conf or /etc/nsswitch.conf files?
Netscape has completely wierd ways of doing DNS resolution.  I can't
imagine that this is related to OpenSSL in any way though.

--Chris


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: HELP - I have a Netscape hang!

[Angelo Nardone]

Why you suspect about openssl?
Did you not install other software since your last reboot?
If help, in the same directory that you use to install the openssl, there
are other command for uninstall.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 08, 2000 11:32 AM
To: Angelo Nardone
Cc: [EMAIL PROTECTED]
Subject: RE: HELP - I have a Netscape hang!


Angelo -

Thank you for your reply!  Yes, I did try it with nslookup, and the
addresses
resolve normally.  I thoroughly checked the DNS aspect using 'snoop.'  What
I
found is that the name information is not getting back to Netscape, so it
keeps
re-requesting the info.

I also loaded a text-based browser called 'lynx' to see if it had any name
resolution problems, but it didn't have any problems at all - lynx worked
just
fine.  When I used 'snoop' on lynx, you could see the names going back and
forth
exactly as expected.  I even did a test where I went to the exact same
location
using lynx and using Netscape.  lynx worked, Netscape didn't.   And yes, I
did
try reloading Netscape from scratch (using the same gzip'd tarball as I did
6
months ago), just in case the binary was corrupted in any way.  I've blown
away
and reinstalled Netscape twice.  Still didn't help, still have the same
problem.
This is definitely Netscape<->DNS weirdness.

Does that give you a clearer picture of what's happening?  Let me know if
you
need any additional info, like the sessions I captured using snoop.

Dana








"Angelo Nardone" <[EMAIL PROTECTED]> on 06/08/2000 08:57:46








 To:  [EMAIL PROTECTED]

 cc:  Dana Kaempen/Corp/Walgreens@Walgreens



 Subject: RE: HELP - I have a Netscape hang!







I think that Netscape do NOT resolve the address, its call 'gethostbyname'
function.
Did you tried with 'nslookup', Is not a DNS problem? Are you sure?

Angelo

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 07, 2000 2:37 PM
To: [EMAIL PROTECTED]
Subject: HELP - I have a Netscape hang!


I hope someone out there can help me - quickly!

I compiled and installed OpenSSL v0.9.5a a few weeks ago and then I rebooted
my
Sun SPARC (running Solaris 7) on Monday, 06/05.  Since then, when I bring up
Netscape (v4.61), it hangs on every site that has to be resolved thru DNS.
If I
put in a numeric URL, Netscape can function; if Netscape must resolve the
address, it hangs until it finally says it can't resolve the name.  The
system
was fine until I did the reboot.

Does anyone have any suggestions as to how I can fix this, or at very least
uninstall OpenSSL to see if that is causing the problem?  Please help me,
because I am not that great at solving problems that are "under the radar"
(unviewable & system-related, that is).  I've tried everything else that I
or my
colleagues can think of.  Unfortunately, none of us do system-level
debugging...

Thank you *very* much!

Dana Kaempen

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]




__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: HELP - I have a Netscape hang!

[Dana . Kaempen]

Angelo -

Thank you for your reply!  Yes, I did try it with nslookup, and the addresses
resolve normally.  I thoroughly checked the DNS aspect using 'snoop.'  What I
found is that the name information is not getting back to Netscape, so it keeps
re-requesting the info.

I also loaded a text-based browser called 'lynx' to see if it had any name
resolution problems, but it didn't have any problems at all - lynx worked just
fine.  When I used 'snoop' on lynx, you could see the names going back and forth
exactly as expected.  I even did a test where I went to the exact same location
using lynx and using Netscape.  lynx worked, Netscape didn't.   And yes, I did
try reloading Netscape from scratch (using the same gzip'd tarball as I did 6
months ago), just in case the binary was corrupted in any way.  I've blown away
and reinstalled Netscape twice.  Still didn't help, still have the same problem.
This is definitely Netscape<->DNS weirdness.

Does that give you a clearer picture of what's happening?  Let me know if you
need any additional info, like the sessions I captured using snoop.

Dana








"Angelo Nardone" <[EMAIL PROTECTED]> on 06/08/2000 08:57:46





  
  
  
 To:  [EMAIL PROTECTED] 
  
 cc:  Dana Kaempen/Corp/Walgreens@Walgreens   
  
      
  
 Subject: RE: HELP - I have a Netscape hang!  
  






I think that Netscape do NOT resolve the address, its call 'gethostbyname'
function.
Did you tried with 'nslookup', Is not a DNS problem? Are you sure?

Angelo

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 07, 2000 2:37 PM
To: [EMAIL PROTECTED]
Subject: HELP - I have a Netscape hang!


I hope someone out there can help me - quickly!

I compiled and installed OpenSSL v0.9.5a a few weeks ago and then I rebooted
my
Sun SPARC (running Solaris 7) on Monday, 06/05.  Since then, when I bring up
Netscape (v4.61), it hangs on every site that has to be resolved thru DNS.
If I
put in a numeric URL, Netscape can function; if Netscape must resolve the
address, it hangs until it finally says it can't resolve the name.  The
system
was fine until I did the reboot.

Does anyone have any suggestions as to how I can fix this, or at very least
uninstall OpenSSL to see if that is causing the problem?  Please help me,
because I am not that great at solving problems that are "under the radar"
(unviewable & system-related, that is).  I've tried everything else that I
or my
colleagues can think of.  Unfortunately, none of us do system-level
debugging...

Thank you *very* much!

Dana Kaempen

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]




__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: HELP - I have a Netscape hang!

[Angelo Nardone]

I think that Netscape do NOT resolve the address, its call 'gethostbyname'
function.
Did you tried with 'nslookup', Is not a DNS problem? Are you sure?

Angelo

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 07, 2000 2:37 PM
To: [EMAIL PROTECTED]
Subject: HELP - I have a Netscape hang!


I hope someone out there can help me - quickly!

I compiled and installed OpenSSL v0.9.5a a few weeks ago and then I rebooted
my
Sun SPARC (running Solaris 7) on Monday, 06/05.  Since then, when I bring up
Netscape (v4.61), it hangs on every site that has to be resolved thru DNS.
If I
put in a numeric URL, Netscape can function; if Netscape must resolve the
address, it hangs until it finally says it can't resolve the name.  The
system
was fine until I did the reboot.

Does anyone have any suggestions as to how I can fix this, or at very least
uninstall OpenSSL to see if that is causing the problem?  Please help me,
because I am not that great at solving problems that are "under the radar"
(unviewable & system-related, that is).  I've tried everything else that I
or my
colleagues can think of.  Unfortunately, none of us do system-level
debugging...

Thank you *very* much!

Dana Kaempen

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP - I have a Netscape hang!

[Marc Jadoul]

Hello,

I would be very surprise it has anything to do with openssl. You should
verify you can do nslookup or other dns querry with an other program
than netscape.


Marc
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: help on PKCS10

[Robert Eiglmaier]

Got it. The data IS a valid PKCS#10 Request, and OpenSSL can handle it.

Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Florida, O=Eyes on The Web, CN=www.etw.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:9e:a2:3b:63:9c:7a:a0:d0:64:f1:a7:e5:d9:e7:
a4:5a:49:ed:62:65:6a:6e:99:78:d4:e9:2c:7b:bf:
51:5d:5f:3b:18:d6:82:ce:41:ad:3d:d0:9b:67:bb:
55:ac:41:11:e1:d3:20:d2:fb:8e:68:9d:c8:ca:9b:
5c:c2:1b:f2:19
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
50:63:f6:0f:8d:89:48:7c:61:63:eb:14:69:ed:81:fe:26:89:
47:7f:c2:a5:2c:86:9b:63:27:2e:0f:8d:db:03:de:e8:32:e6:
cb:ef:ba:1d:c6:ff:f3:e9:1a:1d:9a:61:72:23:1e:92:57:4d:
40:50:cb:3c:52:10:82:0d:62:d7

All I had to do is change the BEGIN and END line

-BEGIN CERTIFICATE REQUEST-
MIIBCTCBtAIBADBPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEYMBYG
A1UEChMPRXllcyBvbiBUaGUgV2ViMRQwEgYDVQQDFAt3d3cuZXR3Lm5ldDBcMA0G
CSqGSIb3DQEBAQUAA0sAMEgCQQCeojtjnHqg0GTxp+XZ56RaSe1iZWpumXjU6Sx7
v1FdXzsY1oLOQa090Jtnu1WsQRHh0yDS+45oncjKm1zCG/IZAgMBAAGgADANBgkq
hkiG9w0BAQQFAANBAFBj9g+NiUh8YWPrFGntgf4miUd/wqUshptjJy4PjdsD3ugy
5svvuh3G//PpGh2aYXIjHpJXTUBQyzxSEIINYtc=
-END CERTIFICATE REQUEST-


-Original Message-
From: Yunhong Li [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 09, 2000 6:49 PM
To: [EMAIL PROTECTED]
Subject: help on PKCS10

-BEGIN NEW CERTIFICATE REQUEST
   ^^^

* I removed the NEW and added a fifth hyphen. *

MIIBCTCBtAIBADBPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEYMBYG
A1UEChMPRXllcyBvbiBUaGUgV2ViMRQwEgYDVQQDFAt3d3cuZXR3Lm5ldDBcMA0G
CSqGSIb3DQEBAQUAA0sAMEgCQQCeojtjnHqg0GTxp+XZ56RaSe1iZWpumXjU6Sx7
v1FdXzsY1oLOQa090Jtnu1WsQRHh0yDS+45oncjKm1zCG/IZAgMBAAGgADANBgkq
hkiG9w0BAQQFAANBAFBj9g+NiUh8YWPrFGntgf4miUd/wqUshptjJy4PjdsD3ugy
5svvuh3G//PpGh2aYXIjHpJXTUBQyzxSEIINYtc=
-END NEW CERTIFICATE REQUEST-
 ^^^

* removed the NEW *

Robert

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: help needed: apache+OpenSSL+modssl+bsafe on NT

[vijay karthik]

This is what i found out...
Once i start the apache.exe from commandline,
it asks for the passphrase for the private key.
I enter it and it says the server has started.
But it seems like it is not started. I had put
logtype=debug in httpd.conf and followed the trace
in the ssl_error_log. The trace shows that it asks
for the passphrase again even after entering it
once before.So i went ahead and entered my passphrase
again in commandline(even though it didnt ask for it)
and everything seems to work fine...I was able to
see the response.

I checked out with the openssl tool.
once you enter the passphrase first time, the s_client
module still seem to wait for server hello. When
i enter the passphrase again, i see all the messages
(server hello/certificate etc) in the opentool
output.
(...and now i know why my dummy cert worked fine,
because i didnt give a passphrase to protect
my private key for the dummy cert)

Thanks
Vijay

--- vijay karthik <[EMAIL PROTECTED]> wrote:
> Eventhough the openssl complains for the
> certificate, it doesnt seem to to mean
> much. Because i tried the same certificate on
> my Unix installation(same setup:apache/modssl/bsafe)
> it worked very fine. And still the openssl
> tool on unix complained. probably the error
> shown by the tool is not related to the
> problem i am seeing.
> 
> The fact that the dummy certs work fine
> but not verisign certs should give some lead to
> which component the problem could lie in. 
> (could it be in mod_ssl/openssl/bsafe patch?)
> 
> Any guesses?
> thanks
> vijay
> 
> --- vijay karthik <[EMAIL PROTECTED]> wrote:
> > 
> > Hi !
> > 
> > The apache server is working with the
> > dummy certs but not the verisign cert.
> > 
> > I ran the command,
> > openssl verify 
> > 
> > i got the following error
> > verisign.crt:
> >
>
/C=US/ST=california/L=location/O=xyzInc/OU=test/CN=Mypc
> > .xyz.com
> > error 20 at 0 depth lookup:unable to get local
> > issuer
> > certificate
> > 
> > I dont have any trust points installed on my
> apache
> > server(which i hope is not needed)
> > 
> > Any idea on what the problem could be ?
> > 
> > thanks
> > Vijay
> > --- vijay karthik <[EMAIL PROTECTED]> wrote:
> > > 
> > > The httpd.conf was taken from unix and
> > >  was failing hence the
> > > modules were not getting loaded.
> > > I removed the IfDefine from httpd.conf.
> > > (thats the reason we give -DSSL in commandline
> > > to start httpd on Unix ?)
> > 
> > __
> > Do You Yahoo!?
> > Talk to your friends online with Yahoo! Messenger.
> > http://im.yahoo.com
> >
>
__
> > OpenSSL Project
> > http://www.openssl.org
> > Development Mailing List  
> > [EMAIL PROTECTED]
> > Automated List Manager  
> > [EMAIL PROTECTED]
> > 
> __
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com
>
__
> OpenSSL Project
> http://www.openssl.org
> Development Mailing List  
> [EMAIL PROTECTED]
> Automated List Manager  
> [EMAIL PROTECTED]
> 
__
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: help needed: apache+OpenSSL+modssl+bsafe on NT

[Vadim Fedukovich]

On Fri, Feb 11, 2000 at 01:04:09PM -0800, vijay karthik wrote:
> ...
> I ran the command,
> openssl verify 
> ...
> error 20 at 0 depth lookup:unable to get local issuer
> certificate

Seems this one goes to "top 10 of FAQ"

> Any idea on what the problem could be ?

Trusted self-sined root cert should be available as "hashname".0

yours,
Vadim
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: help needed: apache+OpenSSL+modssl+bsafe on NT

[vijay karthik]

Eventhough the openssl complains for the
certificate, it doesnt seem to to mean
much. Because i tried the same certificate on
my Unix installation(same setup:apache/modssl/bsafe)
it worked very fine. And still the openssl
tool on unix complained. probably the error
shown by the tool is not related to the
problem i am seeing.

The fact that the dummy certs work fine
but not verisign certs should give some lead to
which component the problem could lie in. 
(could it be in mod_ssl/openssl/bsafe patch?)

Any guesses?
thanks
vijay

--- vijay karthik <[EMAIL PROTECTED]> wrote:
> 
> Hi !
> 
> The apache server is working with the
> dummy certs but not the verisign cert.
> 
> I ran the command,
> openssl verify 
> 
> i got the following error
> verisign.crt:
>
/C=US/ST=california/L=location/O=xyzInc/OU=test/CN=Mypc
> .xyz.com
> error 20 at 0 depth lookup:unable to get local
> issuer
> certificate
> 
> I dont have any trust points installed on my apache
> server(which i hope is not needed)
> 
> Any idea on what the problem could be ?
> 
> thanks
> Vijay
> --- vijay karthik <[EMAIL PROTECTED]> wrote:
> > 
> > The httpd.conf was taken from unix and
> >  was failing hence the
> > modules were not getting loaded.
> > I removed the IfDefine from httpd.conf.
> > (thats the reason we give -DSSL in commandline
> > to start httpd on Unix ?)
> 
> __
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com
>
__
> OpenSSL Project
> http://www.openssl.org
> Development Mailing List  
> [EMAIL PROTECTED]
> Automated List Manager  
> [EMAIL PROTECTED]
> 
__
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: help needed: apache+OpenSSL+modssl+bsafe on NT

[Daniel S. Reichenbach]

-BEGIN PGP SIGNED MESSAGE-

> ApacheModuleSSL.dll is installed under the module 
> directory. When i run apache.exe -l to list the
> compiled in modules I get this output,
Thats okay to this point.

> Should i be specifiying the ApacheModuleSSL.dll
> in LoadModule in httpd.conf ? is it supported on NT ?
There should be a LoadModule directive like this one:


LoadModule ssl_module modules/ApacheModuleSSL.dll


As i see from your config you use the SSL define. This
means, you have to start Apache with

apache -D SSL

to enable mod_ssl and OpenSSL

Good luck.

Daniel

__
The OpenSA Project  http://www.opensa.org/
Daniel S. Reichenbach   [EMAIL PROTECTED]

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.3 for non-commercial use 

iQEVAwUBOKR/N71mYxV2qld3AQEptggAuj4Sd0uE31kp5hyKycAvyvLnkq18s/Jj
jYty6LCXuXLtIREsMWYhFDLgDlXDfu6L21tcq19k78jbOe1YJjb/Ah6Q1jR0RWnE
/AgnjrGumPlIkEcGNiqzlXYiobK6myCRJ0wqIZvdwl2NCM0Viz5PwQFZV7CKF91a
yNxgT07TmoU2+HnZzFgnDseKbElCj5QKc7n2/Umo8wM15iToOMnGGxpGl2sxgnf1
zhz9DIRNXbRijwnaaYqQ5tnasDutfplOJwDzmO8GdpVxloxjDA592HANLSsP+2cG
dGEsuSTfgPeF3AzseYf+beerpPmGf6a8E2hP9+I1s3w2Qh1NaMKYIw==
=lweu
-END PGP SIGNATURE-

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: help needed: apache+OpenSSL+modssl+bsafe on NT

[vijay karthik]

Hi !

The apache server is working with the
dummy certs but not the verisign cert.

I ran the command,
openssl verify 

i got the following error
verisign.crt:
/C=US/ST=california/L=location/O=xyzInc/OU=test/CN=Mypc
.xyz.com
error 20 at 0 depth lookup:unable to get local issuer
certificate

I dont have any trust points installed on my apache
server(which i hope is not needed)

Any idea on what the problem could be ?

thanks
Vijay
--- vijay karthik <[EMAIL PROTECTED]> wrote:
> 
> The httpd.conf was taken from unix and
>  was failing hence the
> modules were not getting loaded.
> I removed the IfDefine from httpd.conf.
> (thats the reason we give -DSSL in commandline
> to start httpd on Unix ?)

__
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: help needed: apache+OpenSSL+modssl+bsafe on NT

[vijay karthik]

The httpd.conf was taken from unix and
 was failing hence the
modules were not getting loaded.
I removed the IfDefine from httpd.conf.
(thats the reason we give -DSSL in commandline
to start httpd on Unix ?)

Now the apache with modssl/openssl is running
when i start apache.exe. Eventhough the
apache server is now listening on SSL port
i dont get any response back!(no failures in
ssl_error_log file) The browser hangs with 
"contacted: waiting for reply" message!

any pointers on what to check to find out the
problem?

thanks
vijay

--- vijay karthik <[EMAIL PROTECTED]> wrote:
> Hi !
> 
> I am trying to run apache+modssl+openssl+bsafe on
> NT.
> I was able to build the openssl libraries
> and Apache.exe(with ssl module:mod_ssl)
> 
> I ran the binary "Apache.exe" and i see the apache
> server listening on normal port(8080).(I see no 
> error message while startup) But i dont see
> the SSL-aware Apache server(port#8443) up! 
> There are  no ssl related error logs in the 
> logs directory !
> 
> ApacheModuleSSL.dll is installed under the module 
> directory. When i run apache.exe -l to list the
> compiled in modules I get this output,
>  http_core.c
>  mod_so.c
>  mod_mime.c
>  mod_access.c
>  mod_auth.c
>  mod_negotiation.c
>  mod_include.c
>  mod_autoindex.c
>  mod_dir.c
>  mod_cgi.c
>  mod_userdir.c
>  mod_alias.c
>  mod_env.c
>  mod_log_config.c
>  mod_asis.c
>  mod_imap.c
>  mod_actions.c
>  mod_setenvif.c
>  mod_isapi.c
> 
> Should i be specifiying the ApacheModuleSSL.dll
> in LoadModule in httpd.conf ? is it supported on NT
> ?
> 
> When i access the normal port thru browser it shows
> the normal installation success page:
> "The SSL/TLS-aware Apache webserver was
> successfully installed on this website
> ...
> ..
> "
> 
> I have got a certificate and the location of the
> cert file is correctly specified in httpd.conf. 
> The error_log is clean. 
> 
> Can someone tell me where the problem could be ?
> How should i proceed debugging this problem ?
> 
> Thanks
> Vijay
> 
>
--
> httpd.conf
> ===
> ##
> ## httpd.conf -- Apache HTTP server configuration
> file
> ##
> 
> #
> # Based upon the NCSA server configuration files
> originally by Rob McCool.
> #
> ServerType standalone
> ServerRoot "c:\apache"
> PidFile c:\apache\logs\httpd.pid
> 
> ClearModuleList
> AddModule mod_env.c
> AddModule mod_log_config.c
> AddModule mod_mime.c
> AddModule mod_negotiation.c
> #AddModule mod_status.c
> AddModule mod_include.c
> AddModule mod_autoindex.c
> AddModule mod_dir.c
> AddModule mod_cgi.c
> AddModule mod_asis.c
> AddModule mod_imap.c
> AddModule mod_actions.c
> AddModule mod_userdir.c
> AddModule mod_alias.c
> AddModule mod_access.c
> AddModule mod_auth.c
> AddModule mod_so.c
> AddModule mod_setenvif.c
> 
> AddModule mod_ssl.c
> 
> 
> Port 8080
> 
> Listen 8080
> Listen 8443
> 
> 
> DocumentRoot "c:\apache\htdocs"
> 
> ErrorLog c:\apache\logs\error_log
> LogLevel warn
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
> CustomLog c:\apache\logs\access_log common
> ServerSignature On
> 
> 
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl.crl
> 
> 
> 
> SSLPassPhraseDialog  builtin
> SSLSessionCacheTimeout  300
> SSLMutex  file:c:\apache\logs\ssl_mutex
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLLog  c:\apache\logs\ssl_engine_log
> SSLLogLevel info
> 
> 
> 
> 
> DocumentRoot "c:\apache\htdocs"
> ServerName pc.xyz.com
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog c:\apache\logs\error_log
> TransferLog c:\apache\logs\access_log
> 
> #   SSL Engine Switch:
> #   Enable/Disable SSL for this virtual host.
> SSLEngine on
> 
> SSLCertificateFile
> c:\apache\conf\ssl.crt\verisign.crt
> SSLCertificateKeyFile
> c:\apache\conf\ssl.key\verisign.key
> 
> CustomLog c:\apache\logs\ssl_request_log \
>  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\"
> %b"
> 
> 
> 
> 
> __
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com
> 
__
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: HELP

[Peter Gutmann]

"Sean O'Dell" <[EMAIL PROTECTED]> writes:

>HELP

"What was the name of the Beatles film released in July 1965?".

That's correct, and it looks like he's won a chance to read the FAQ...

Peter.

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [Help] Compiling openssl 0.9.4 on Solaris 2.5.1, problems ....

[Andy Polyakov]

>  FYI:
> 
> ar -V
> GNU ar version 2.5.2
Too old, but I don't beleive it causes the problem... But who knows...
To be honest I never ran GNU binutils under Solaris as there is really
*no* reason for doing so. I just compare your versioin numbers with to
what they have in RedHat 6.0 for UltraSPARC where corresponding
linux-sparcv9 option is known to work properly.
> 
> nm -V
> GNU nm version 2.5.2
Redhat says 2.9.1
> 
> as -V
> GNU assembler version 2.2 (sparc-sun-solaris2.3), using BFD version 2.2
Redhat says 2.9.1, using BFD 2.9.1.0.23
> 
> ld -V
> ld: Software Generation Utilities - Solaris/ELF (3.0)
> 
> /usr/local/GNU/bin/ld -V
> ld version 2.5.2 (with BFD 2.5)
Readhat says 2.9.1 with BFD 2.9.1.0.23.
> 
> Andy> Ulf wrote:
> 
> >> So, "sun4u" (and even "Ultra-2" in the uname output) does not imply
> >> that we can use -multrasparc?
> 
> I successfully build the system with :
> 
>   solaris-sparcv8-gcc
> 
> as opposed to the default setting for "sun4u*-sun-solaris2"
> 
>   solaris-sparcv9-gcc
If you would keep your binutils up-to-date this one would work just fine
as well and you would be able to accept more connections per unit of
time (thanks to specially optimized for UltraSPARC bignum routines).
> 
> Andy> I bet it does and the problem is very likely caused by out-of-date
> Andy> GNU binutils present on the $PATH and/or in /.../gcc-lib/../*.
> 
>  Surely version test of the utilities at Configure would resolve some of this.
In ./LICENSE it says:

 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.

It's not feasible to check for presence and maintain every possible
combination of (out-dated) tools. The library was developed in
"bare-boned" configuration (no alien binutils present).
> 
> >> What do we have to test for to get it right?
> Andy> We could demand having /usr/ccs/bin *first* in the
> Andy> $PATH. Unfortunately it won't help in situations when people have
> Andy> out-of-date GNU binutils ('as' and 'ld' in particular) fused into
> Andy> the path they have feeded the the gcc configure script with through
> Andy> the --prefix option. As it was already discussed here gcc looks for
> Andy> components like 'as' and 'ld' in its --prefix tree first and only
> Andy> then falls down to vendor provided utilities:-( Just run 'truss -f
> Andy> -t exec,access gcc a.c' to see where does it look for the stuff...
> 
>  It could well be because I have my system configured to make use of the
> System "ld" as opposed to the GNU "ld". This being historical due to various
> warnings of using the GNU "ld" on Sparc Solaris system.
As I already said in order to be sure wich ld does gcc invoke run 'gcc
-v a.c' and/or 'truss -f -t exec,access gcc a.c', not just 'ld -V' and
pick up whatever found on the $PATH first.

Cheers. Andy.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [Help] Compiling openssl 0.9.4 on Solaris 2.5.1, problems ....

[Tarang Patel]

> On Sat, 25 Sep 1999 14:44:08 +0200, Andy Polyakov <[EMAIL PROTECTED]> said:

 FYI:

ar -V
GNU ar version 2.5.2

nm -V
GNU nm version 2.5.2

as -V
GNU assembler version 2.2 (sparc-sun-solaris2.3), using BFD version 2.2

ld -V
ld: Software Generation Utilities - Solaris/ELF (3.0)


/usr/local/GNU/bin/ld -V
ld version 2.5.2 (with BFD 2.5)

Andy> Ulf wrote:

>> So, "sun4u" (and even "Ultra-2" in the uname output) does not imply
>> that we can use -multrasparc?

I successfully build the system with :

  solaris-sparcv8-gcc

as opposed to the default setting for "sun4u*-sun-solaris2"

  solaris-sparcv9-gcc


Andy> I bet it does and the problem is very likely caused by out-of-date
Andy> GNU binutils present on the $PATH and/or in /.../gcc-lib/../*.

 Surely version test of the utilities at Configure would resolve some of this.

>> What do we have to test for to get it right?
Andy> We could demand having /usr/ccs/bin *first* in the
Andy> $PATH. Unfortunately it won't help in situations when people have
Andy> out-of-date GNU binutils ('as' and 'ld' in particular) fused into
Andy> the path they have feeded the the gcc configure script with through
Andy> the --prefix option. As it was already discussed here gcc looks for
Andy> components like 'as' and 'ld' in its --prefix tree first and only
Andy> then falls down to vendor provided utilities:-( Just run 'truss -f
Andy> -t exec,access gcc a.c' to see where does it look for the stuff...

 It could well be because I have my system configured to make use of the
System "ld" as opposed to the GNU "ld". This being historical due to various
warnings of using the GNU "ld" on Sparc Solaris system.

  Tarang
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [Help] Compiling openssl 0.9.4 on Solaris 2.5.1, problems ....

[Andy Polyakov]

> file crypto/cryptlib.o
> crypto/cryptlib.o:  ELF 32-bit MSB relocatable SPARC32PLUS Version 1, V8+ 
>Required, UltraSPARC1 Extensions Required
Looks great!
> 
> thus when I do use "nm" to list the archive library created:
> 
> nm -u libcrypto.a
> nm: cryptlib.o: File format not recognized
> ..
Can you post output from 'which nm'? Can you confirm that
/usr/ccs/bin/nm exhibits same behaviour? Do check other involved
"parties" as well! Namely what does 'which ar' say? Which ld gets hired
to link programs? In order to figure the latter out run 'touch a.o;
truss -f -t exec gcc a.o'... What is the first argument to the last
execve system call? 
> 
> I certainly am not happy with the following option on the compile list :
> 
> -mcpu=ultrasparc
> 
> Even though "uname " reports
> SunOS 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-2
> 
> It appears to me that some sort of cross compiling is happening here.
Define "cross compiling." I don't consider this case as cross compiling
because it's the very same system interfaces (libc and accompanying
/usr/include) get involved with and without -mcpu=ultrasparc option.
> 
>   Tarang

Ulf wrote:
> So, "sun4u" (and even "Ultra-2" in the uname output) does not imply
> that we can use -multrasparc?
I bet it does and the problem is very likely caused by out-of-date GNU
binutils present on the $PATH and/or in /.../gcc-lib/../*.
> What do we have to test for to get it
> right?
We could demand having /usr/ccs/bin *first* in the $PATH. Unfortunately
it won't help in situations when people have out-of-date GNU binutils
('as' and 'ld' in particular) fused into the path they have feeded the
the gcc configure script with through the --prefix option. As it was
already discussed here gcc looks for components like 'as' and 'ld' in
its --prefix tree first and only then falls down to vendor provided
utilities:-( Just run 'truss -f -t exec,access gcc a.c' to see where
does it look for the stuff...

Andy.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [Help] Compiling openssl 0.9.4 on Solaris 2.5.1, problems ....

[Ulf Möller]

So, "sun4u" (and even "Ultra-2" in the uname output) does not imply
that we can use -multrasparc? What do we have to test for to get it
right?
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [Help] Compiling openssl 0.9.4 on Solaris 2.5.1, problems ....

[Tarang Patel]

Douglas,

  Thanks for your suggestion, as I had performed identically after having
massaged the Makefile generated by the ./config script. I prefer an end to end
clean make so I did follow up your suggestion too and sure enough that worked.

> On Thu, 23 Sep 1999 12:31:23 +1000, Douglas Clowes <[EMAIL PROTECTED]> said:

Douglas> I have successfully built Openssl 0.9.4 on Solaris 2.5.1 on X86
Douglas> using GCC 2.8.1

Douglas> As I recall, I had to use ./Configure and select the
Douglas> solaris-x86-gcc option.

Douglas> After that, all went well.

Douglas> Options include: solaris-sparc-sc3 solaris-sparcv7-cc
Douglas> solaris-sparcv7-gcc solaris-sparcv8-cc solaris-sparcv8-gcc
Douglas> solaris-sparcv9-cc solaris-sparcv9-gcc solaris-sparcv9-gcc27
Douglas> solaris-x86-gcc solaris64-sparcv9-cc sunos-gcc

Douglas> Perhaps one of these is more appropriate for you.

 Sure enough that was all that was needed. So to summarize, instead of using
 ./config ...

 I had to use the same arguments as passed to ./config with the addition of
 solaris-sparcv8-gcc

 Thus the final build was with :

./Configure -L/usr/local/ssl/lib -fPIC rsaref  no-asm --prefix=/usr/local \
--openssldir=/usr/local/openssl solaris-sparcv8-gcc

   Tarang
Douglas> Douglas At 16:25 1999-09-22 -0700, Tarang Patel wrote:
>>> On Wed, 22 Sep 1999 01:48:15 +0200, Ulf Möller <[EMAIL PROTECTED]>
>>> said:
>>  Ulf,
>> 
>> Thanks for your response, the only one to date. Surely other have built
>> openssl on Sparc/Solaris.
>> 
>> >> Sure the archive files have been build and appear to be correct
>> form.
>> 
Ulf> Has ranlib been run on them? Do you get proper output for nm?
>>  FYI:
>> 
>> On Solaris 2.5.1, one doesn't need to run "ranlib". The problem clearly
>> is that ./config is establishing the wrong set of configuration system
>> as the following is noted :
>> 
>> 
>> file crypto/cryptlib.o crypto/cryptlib.o: ELF 32-bit MSB relocatable
>> SPARC32PLUS Version 1,
Douglas> V8+ Required, UltraSPARC1 Extensions Required
>>  thus when I do use "nm" to list the archive library created:
>> 
>> nm -u libcrypto.a nm: cryptlib.o: File format not recognized ..
>> 
>> 
>> I certainly am not happy with the following option on the compile list
>> :
>> 
>> -mcpu=ultrasparc
>> 
>> Even though "uname " reports SunOS 5.5.1 Generic_103640-24 sun4u sparc
>> SUNW,Ultra-2
>> 
>> It appears to me that some sort of cross compiling is happening here.
>> 
>> 
>> Any clues ?
>> 
>> Tarang
>> __
>> OpenSSL Project http://www.openssl.org Development Mailing List
>> [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
>> 
>> 

Douglas> __
Douglas> OpenSSL Project http://www.openssl.org Development Mailing List
Douglas> [EMAIL PROTECTED] Automated List Manager
Douglas> [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [Help] Compiling openssl 0.9.4 on Solaris 2.5.1, problems ....

[Douglas Clowes]

I have successfully built Openssl 0.9.4 on Solaris 2.5.1 on X86 using GCC
2.8.1

As I recall, I had to use ./Configure and select the solaris-x86-gcc option.

After that, all went well.

Options include:
solaris-sparc-sc3  solaris-sparcv7-cc solaris-sparcv7-gcc solaris-sparcv8-cc 
solaris-sparcv8-gcc solaris-sparcv9-cc solaris-sparcv9-gcc
solaris-sparcv9-gcc27 
solaris-x86-gccsolaris64-sparcv9-cc sunos-gcc

Perhaps one of these is more appropriate for you.

Douglas
At 16:25 1999-09-22 -0700, Tarang Patel wrote:
>> On Wed, 22 Sep 1999 01:48:15 +0200, Ulf Möller <[EMAIL PROTECTED]> said:
>
>Ulf,
>
>  Thanks for your response, the only one to date. Surely other have built
>openssl on Sparc/Solaris.
>
>>> Sure the archive files have been build and appear to be correct form.
>
>Ulf> Has ranlib been run on them? Do you get proper output for nm?
>
> FYI:
>   
>   On Solaris 2.5.1, one doesn't need to run "ranlib". The problem clearly is
>   that ./config is establishing the wrong set of configuration system as the
>   following is noted :
>
>
>file crypto/cryptlib.o
>crypto/cryptlib.o:  ELF 32-bit MSB relocatable SPARC32PLUS Version 1,
V8+ Required, UltraSPARC1 Extensions Required
>
>thus when I do use "nm" to list the archive library created:
>
>nm -u libcrypto.a
>nm: cryptlib.o: File format not recognized
>..
>
>
>I certainly am not happy with the following option on the compile list :
>
>-mcpu=ultrasparc 
>
>Even though "uname " reports
>SunOS 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-2
>
>It appears to me that some sort of cross compiling is happening here.
>
>
>Any clues ?
>
>  Tarang
>__
>OpenSSL Project http://www.openssl.org
>Development Mailing List   [EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]
>
>

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [Help] Compiling openssl 0.9.4 on Solaris 2.5.1, problems ....

[Tarang Patel]

> On Wed, 22 Sep 1999 01:48:15 +0200, Ulf Möller <[EMAIL PROTECTED]> said:

Ulf,

  Thanks for your response, the only one to date. Surely other have built
openssl on Sparc/Solaris.

>> Sure the archive files have been build and appear to be correct form.

Ulf> Has ranlib been run on them? Do you get proper output for nm?

 FYI:
   
   On Solaris 2.5.1, one doesn't need to run "ranlib". The problem clearly is
   that ./config is establishing the wrong set of configuration system as the
   following is noted :


file crypto/cryptlib.o
crypto/cryptlib.o:  ELF 32-bit MSB relocatable SPARC32PLUS Version 1, V8+ 
Required, UltraSPARC1 Extensions Required

thus when I do use "nm" to list the archive library created:

nm -u libcrypto.a
nm: cryptlib.o: File format not recognized
..


I certainly am not happy with the following option on the compile list :

-mcpu=ultrasparc 

Even though "uname " reports
SunOS 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-2

It appears to me that some sort of cross compiling is happening here.


Any clues ?

  Tarang
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Help: format convert between .p12 and .pem

[Dr Stephen Henson]

Emmy Chen wrote:
> 
> Hi all:
> 
> I have a problem here regarding exchange the format between .p12 and .pem.
> 
> I generated a private key and public key from netscape v4.5 and
> issue a certificate using the CA built from openssl-0.9.3.a.
> I can export it from Netscape and import it to IE4.0 successfully too.
> I export the private key and x.509 certificate from netscape with p12
> format.
> Then I use the program which I derived from openssl-0.9.3a to parse out the
> private key and certificate.
> After that, I use the program derived from openssl-0.9.3.a to compose a p12
> file with same
> private key and certificate that I got from the above steps.
> And then Netscape and IE not read my p12 file.
> 
> Please help me out about this problem. Attached are my .c file and the p12
> file.
> 

I've tried your program and it works fine under Linux and OpenSSL 0.9.4.
However the PKCS#12 file you include is corrupted. One problem at least
is this bit:

>   fseek(fp,0,SEEK_END);
> 
>   len = ftell(fp);
> 
>   fseek(fp,0,SEEK_SET);
> 
>   mykey = (char *)malloc(len);
> 
>   fread(mykey,len,1,fp);
> 
>   fclose(fp);
>   d2i_PKCS12(&p12, &mykey, len);
> 

The last line will end up incrementing the pointer "mykey" which will
cause problems if you free() it up. This can all be replaced with:

p12 = d2i_PKCS12_fp(fp, NULL);
fclose(fp);

Also later on you do:

> if((fp = fopen("hailong_chen1.p12","w")) == NULL)

it should really be "wb" because the PKCS#12 file is binary.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]