Re: SSLv23 client to SSLv3 server negotiation fails
Bodo Moeller wrote:

> While this is true, the SSLeay/OpenSSL behaviour makes sense in that the SSL 3 or TLS 1.0 methods accept just their specific protocols. When compatibility with SSL 2 client hello messages is desired (which, as you note, can be the case even if SSL 2 is not accepted), one has to use the ssl23 stuff -- one still can disable SSL 2 (or both SSL 2 and SSL 3). For example, "openssl s_server -no_ssl2 -no_ssl3" forces the use of TLS, but accepts the SSL 2 client hello format (which "openssl s_server -tls1" does not).

I'll buy that. Thanks.

-Roland

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
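The distinction Bodo describes (an ssl23-style server parses the SSL 2 hello format but may still refuse SSL 2 and SSL 3, while a tls1-only server refuses the v2 format outright) as an added example in C; this is not code from the thread or from OpenSSL, the byte layouts follow the SSL 2 and SSL 3/TLS wire formats, and the helper names and sample hellos are constructed for illustration:

```c
/* Added example, not code from the thread or from OpenSSL: a sniffer for the
 * first bytes a client sends, mirroring the decision an SSLv23-method server
 * makes before it commits to a protocol: is this the SSL 2 CLIENT-HELLO format
 * or the SSL 3/TLS record format, and which version does the client ask for? */
#include <stdint.h>
#include <stddef.h>

typedef enum { HELLO_UNKNOWN = 0, HELLO_V2_FORMAT, HELLO_V3_FORMAT } hello_format;
typedef struct { hello_format format; int major, minor; } hello_info;

/* Classify the first bytes from a client: which hello format, and which
 * protocol version the client requests (0.2 = SSL 2, 3.0 = SSL 3, 3.1 = TLS 1.0). */
hello_info classify_client_hello(const uint8_t *buf, size_t len)
{
    hello_info info = { HELLO_UNKNOWN, 0, 0 };
    /* SSL 3/TLS record: type 22 (handshake), major version 3, 2-byte length,
     * handshake type 1 (ClientHello), 3-byte length, then client_version. */
    if (len >= 11 && buf[0] == 0x16 && buf[1] == 0x03 && buf[5] == 0x01) {
        info.format = HELLO_V3_FORMAT;
        info.major = buf[9];
        info.minor = buf[10];
        return info;
    }
    /* SSL 2 record: high bit of byte 0 set, 15-bit length, then message type 1
     * (CLIENT-HELLO) and the 2-byte version wanted. A v2-format hello may ask
     * for 0x0002 (SSL 2), 0x0300 (SSL 3) or 0x0301 (TLS 1.0). */
    if (len >= 5 && (buf[0] & 0x80) && buf[2] == 0x01) {
        size_t rec_len = (size_t)(((buf[0] & 0x7f) << 8) | buf[1]);
        if (rec_len >= 3) {          /* type + version must fit in the record */
            info.format = HELLO_V2_FORMAT;
            info.major = buf[3];
            info.minor = buf[4];
        }
    }
    return info;
}

/* Policy of "s_server -no_ssl2 -no_ssl3" (hypothetical helper name): both hello
 * formats are parsed, but only a request for TLS 1.0 or later is accepted. */
int accept_no_ssl2_no_ssl3(const uint8_t *buf, size_t len)
{
    hello_info h = classify_client_hello(buf, len);
    if (h.format == HELLO_UNKNOWN) return 0;
    return h.major > 3 || (h.major == 3 && h.minor >= 1);
}

/* Policy of "s_server -tls1": only a TLS 1.0 ClientHello in SSL 3/TLS record
 * format is accepted; a v2-format hello is refused even if it asks for TLS 1.0. */
int accept_tls1_only(const uint8_t *buf, size_t len)
{
    hello_info h = classify_client_hello(buf, len);
    return h.format == HELLO_V3_FORMAT && h.major == 3 && h.minor == 1;
}

/* Constructed sample hellos; only the leading bytes matter to the sniffer. */
const uint8_t V2FMT_TLS1[] = { 0x80, 0x2b, 0x01, 0x03, 0x01, 0x00, 0x03 };
const uint8_t V2FMT_SSL2[] = { 0x80, 0x2b, 0x01, 0x00, 0x02, 0x00, 0x03 };
const uint8_t V3FMT_TLS1[] = { 0x16, 0x03, 0x01, 0x00, 0x31, 0x01, 0x00, 0x00, 0x2d, 0x03, 0x01 };
const uint8_t V3FMT_SSL3[] = { 0x16, 0x03, 0x00, 0x00, 0x31, 0x01, 0x00, 0x00, 0x2d, 0x03, 0x00 };
```

The v2-format hello that asks for TLS 1.0 (V2FMT_TLS1) is the case the thread is about: the no_ssl2/no_ssl3 policy accepts it, the tls1-only policy does not.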
Compiles but fails big number test?
I am building OpenSSL 0.9.2b on Caldera OpenLinux 1.3 with libc-5.4.46 and gcc-2.7.2.3-5. The libraries seem to build fine but fail the big number test:

...
...
test a^b%c implementations
./exptest ..[cut]
done
starting big number library test, could take a while...
test BN_add
error
make[1]: *** [test_bn] Error 1
make[1]: Leaving directory `/usr/src/OpenLinux/BUILD/openssl/test'
make: *** [tests] Error 2

Any ideas?

--
Marc C.
http://www.mecworks.com
Problem contacting transaction server / Net_SSLeay 1.03
Hello,

I use the Perl code below to contact a transaction server. It'll work fine if used with any server __except__ the one I want to use. When I try to contact tips.citicorp.de, the program displays "Segmentation fault" and coredumps after the Net_SSLeay debug output of "SSL NEGOTIATION". Any ideas?

#!/usr/local/bin/perl -I/usr/home/medi01/Net_SSLeay.pm-1.03/blib/lib

use Net::SSLeay;

$Net::SSLeay::trace = 3;  # 0=no debugging, 1=ciphers, 2=trace, 3=dump data

print "Content-type: text/html\n\n";

# Placeholder body as in the original post; the real POST data goes here.
$body = "message body goes here.";
$clength = length($body);

# HTTP/1.0 request; the header lines are separated by the embedded newlines
# and the empty line ends the header block.
$request = "POST /cgi-bin/ckshdl HTTP/1.0
Referer: http://medi01.bpaserver.net/cgi-bin/getc2.pl
Connection: Keep-Alive
User-Agent: Mozilla/4.04 [en] (Win 95; I)
Host: medi01.bpaserver.net
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-type: application/x-www-form-urlencoded
Content-length: $clength

$body";

# sslcat() connects, sends the request over SSL and returns the reply.
$reply = Net::SSLeay::sslcat("tips.citicorp.de", "443", $request);
print $reply;

--
Johannes Schritz          Tel 06721-975234
Saarlandstraße 176        Fax 06721-47222
55411 Bingen              Mobil 0177-8799781
[EMAIL PROTECTED]          ICQ 2531515
Re: Compiling for Perl on NT.
Sampo,

Sampo Kellomaki wrote:

> Andy Shaw [EMAIL PROTECTED] writes:
>
> > Hi all,
> > Having found a version of ActiveState Perl which supports makemaker, I am trying to install Net::SSLeay with it but I keep getting:
> >
> > Checking for SSLeay-0.9.0 or OpenSSL-0.9.1c...
> > I could not find your SSLeay in `/usr/local/ssl'
> > Please provide SSLeay-0.9.0 or OpenSSL-0.9.1c (get from http://www.openssl.org/ if you don't have it) installation directory (C-c to abort):
> >
> > When I give the directory containing the compiled and tested dll's it gives the same message, what is it looking for?
>
> I'd bet this is due to me assuming that ssleay executable is called "ssleay" without the .exe. I'll look into it along with other win build issues in forthcoming 1.04 release.

I managed to get it to start working by doing the following:

1. Built openssl-0.9.1c without asm to build the win32 dll's.
2. Copied this entire directory structure to its installation directory.
3. Renamed out32dll to bin so that Makefile.pl in Net::SSLeay can find ssleay.
4. Altered Makefile.pl to check for ssleay.exe not ssleay.
5. Finally got a make file to build the Perl.

Now running nmake install gives:

c:\openssl/include\bn.h(266) : error C2143: syntax error : missing ';' before '-'
c:\openssl/include\bn.h(266) : error C2238: unexpected token(s) preceding ';'
c:\openssl/include\bn.h(417) : error C2143: syntax error : missing ')' before '-'
c:\openssl/include\bn.h(417) : error C2059: syntax error : '-'
c:\openssl/include\bn.h(417) : error C2059: syntax error : ')'
c:\openssl/include\bn.h(426) : error C2143: syntax error : missing ')' before '-'
c:\openssl/include\bn.h(426) : error C2059: syntax error : '-'
c:\openssl/include\bn.h(426) : error C2501: 'PL_na' : missing decl-specifiers
c:\openssl/include\bn.h(426) : error C2062: type 'unsigned long' unexpected
c:\openssl/include\bn.h(426) : error C2501: 'b' : missing decl-specifiers
c:\openssl/include\bn.h(426) : warning C4228: nonstandard extension used : qualifiers after comma in declarator list are ignored
c:\openssl/include\bn.h(426) : error C2062: type 'int' unexpected
c:\openssl/include\bn.h(426) : error C2059: syntax error : ')'
c:\openssl/include\bn.h(426) : error C2501: 'nb' : missing decl-specifiers
c:\openssl/include\bn.h(426) : warning C4228: nonstandard extension used : qualifiers after comma in declarator list are ignored
c:\openssl/include\asn1.h(138) : fatal error C1903: unable to recover from previous error(s); stopping compilation
NMAKE : fatal error U1077: 'cl.exe' : return code '0x2'
Stop.

What am I doing wrong?

Andy
--
Andy Shaw [EMAIL PROTECTED]
Phone: +44 (0)1223 715002
RE: Problem contacting transaction server / Net_SSLeay 1.03
> I use the Perl code below to contact a transaction server. It'll work fine if used with any server __except__ the one I want to use. When I try to contact tips.citicorp.de, the program displays "Segmentation fault" and coredumps after the Net_SSLeay debug output of "SSL NEGOTIATION". Any ideas?

I bet you would get the same behavior with s_client. At least that's what I've experienced - the fix is to use only SSLv2 or SSLv3. To fix it look for the following line in Net::SSLeay:

#$ssl_version = 3;  # 2 = insist on v2 SSL protocol, 3 = insist on v3 SSL
                    # undef = guess (v23)

Uncomment it and choose either v2 or v3 - that should do the trick. You could also try it out manually with the s_client to see if it dumps core without the -ssl3 (-ssl2) option.

vh

Mads Toftum, QDPH
---
The Cult of Seriousness decreed that everyone had to keep their source code hidden, because other people might laugh at how bad our code is, and make us fix it. Or worse, someone might steal our bad code and make it better. Then we would be out of business, and Life is Serious Business. -Larry Wall
Re: using the Net_SSLeay.pm1.03
Francois,

Thanks for your testing information. If you could send me the test.pl I would appreciate it. I will also look at the crypt module. I think I have that on my NT already. I hope it won't be as difficult to compile :)

Doug
--
Doug Courtney [EMAIL PROTECTED] (732)576-5572
Re: Compiling for Perl on NT.
Andy,

In the list of modifications I sent you previously is a list of changes that need to be made because certain variables being used are apparently reserved words. I ran into the same problems. If you make the changes to those reserved words to name them something else, it should clear things up. Let me know if you need the list of changes.

Doug
--
Doug Courtney [EMAIL PROTECTED] (732)576-5572
Search Engines News
Dear Internet User,

We invite you to download the last release of Engenius, a new breed of intelligent software letting you get search engines to put your site first. Top-rated by ZDNET, Internet Magazine and CoolToolOfTheDay, Engenius may put your site on the top20 of search engines' listings, automatically and at first shot. Download a free fully functional trial version at http://www.pegasoweb.com/engenius/ .

Also, visit our free weekly online e-zine covering the latest news on how the major search engines work going to http://www.pegasoweb.com/engenius/members.html .

Sincerely,
Engenius Team

THIS IS A ONE TIME MAILING SENT TO EMAIL ADDRESSES WHO CONTACTED US IN THE PAST. OUR POLICY IS STRICTLY AGAINST UNSOLICITED MAILING. IF YOU FEEL FOR YOUR EMAIL ADDRESS TO BE ABUSED OR IF YOU RECEIVED THIS MESSAGE BY ERROR, PLEASE, EXCUSE US AND JUST SEND AN EMAIL TO: mailto:[EMAIL PROTECTED]?Subject=Delete_Me AND WE WILL DELETE ALL INFORMATION ABOUT YOU IN OUR DATABASE.
Re: help with renegotiation
On Mon, Apr 05, 1999 at 11:07:57AM -0400, Nishith Dipak Shah wrote:

> I need to implement an SSL server that will force a renegotiation after a certain period of time.

Why "after a certain period of time"? Renegotiation is useful e.g. if you want to verify a client certificate when you did not already do so in the initial handshake, but renegotiation after a time-out is usually not very meaningful, I'd think.

> I have the server up and running, but I can't seem to get the renegotiation to work. I am using the function SSL_renegotiate() in the server code. Is that all I need to do? Do I need to add code before this call and/or in the client program (I implemented the client using openssl too).

SSL_renegotiate just sets the server state so that it will send a HelloRequest soon. After that, you have to tell OpenSSL that it must actually send a message (SSL_do_handshake), but obviously that's not your problem, since you report that your client sends its ClientHello.

> I added a few printf statements in s3_srvr.c and s3_clnt.c to see what was going on with the handshake. What was happening was that the server would send the Hello Request (A/B and then C?) and that's it. It would never see the client Hello so it would never send back the server Hello. The client, on the other hand, would see the Hello Request, send back a client Hello, and then keep waiting for the server Hello.

Does your server use SSL_read after sending the HelloRequest? If so, it should probably work. Note that after sending a HelloRequest the server cannot usually immediately go into accept state because the client may still be sending data. It's actually the client that triggers the new handshake by sending a ClientHello. If you don't want the server to accept any more data from the client after the HelloRequest has been sent (which makes sense only if the application protocol is synchronized at that moment), then call SSL_set_accept_state followed by a second SSL_do_handshake.

Note that if you don't do that, the client could simply ignore the HelloRequest.

If you use non-blocking IO and select() (or poll() or pselect() and the like) in your server program, then there is the further complication that SSL_read and SSL_write do not necessarily correspond to OS-level reads and writes, respectively: When SSL_read or SSL_write is called within a handshake (which also may have been requested by the other party without knowledge of your application program), data flows in both directions. SSL_want_read and SSL_want_write must be used to find out what you should select() for.
Problem compiling with sunos-cc
Hi,

I ran Configure with sunos-cc and when compiling I get the following:

making crypto...
cc -I. -I../include -O4 -DNOPROTO -DNOCONST -DCFLAGS=" \"cc -O4 -DNOPROTO -DNOCONST\" " -DPLATFORM=" \"sunos-cc\" " -c cryptlib.c
cc: Warning: option -4 passed to ld
"/usr/include/unistd.h", line 333: identifier redeclared: rename
        current : function(pointer to char, pointer to char) returning int
        previous: function(pointer to const char, pointer to const char) returning int : "/usr/include/stdio.h", line 227
cc: acomp failed for cryptlib.c

Does anyone know how to fix the problem?

Thanks a lot,
Olga Antropova.
Problem compiling on HPUX
Hi,

on HPUX it looks like compilation is fine but then make hangs in the following:

cc -o ssleay -DMONOLITH -I../include -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit +O4 -Wl,-a,archive ssleay.o verify.o asn1pars.o req.o dgst.o dh.o enc.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o dsa.o dsaparam.o x509.o genrsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o version.o sess_id.o ciphers.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto
/usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file (ssleay.o) was detected. The linked output may not run on a PA 1.x system.

Does anyone know what is the problem?

Thanks for your help,
Olga Antropova.
Now available: openssl-0.9.2b-rsaoaep.patch
Now available in our WWW/FTP source areas:

openssl-0.9.2b-rsaoeap.patch - a patch against OpenSSL 0.9.2b which fixes the RSAref-related problems with RSA/OAEP for the US citizens.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: Problem contacting transaction server / Net_SSLeay 1.03
Hello George,

the domain works now! Many thanks!

Regards,
--
Johannes Schritz          Tel 06721-975234
Saarlandstraße 176        Fax 06721-47222
55411 Bingen              Mobil 0177-8799781
[EMAIL PROTECTED]          ICQ 2531515

-----Original Message-----
From: Johannes Schritz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, 6 April 1999 14:45
Subject: Re: Problem contacting transaction server / Net_SSLeay 1.03

> I bet you would get the same behavior with s_client. At least that's what I've experienced - the fix is to use only SSLv2 or SSLv3. To fix it look for the following line in Net::SSLeay:
>
> #$ssl_version = 3;  # 2 = insist on v2 SSL protocol, 3 = insist on v3 SSL
>                     # undef = guess (v23)
>
> Uncomment it and choose either v2 or v3 - that should do the trick. You could also try it out manually with the s_client to see if it dumps core without the -ssl3 (-ssl2) option.

No, unfortunately that didn't fix it. Here's what happens when I try to connect via s_client:

SSLeays_client -connect tips.citicorp.de:443 -ssl2
CONNECTED(0003)
1747:error:1407F0E1:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:371:

SSLeays_client -connect tips.citicorp.de:443 -ssl3
CONNECTED(0003)
1747:error:1409E0E1:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:461:

SSLeays_client -connect tips.citicorp.de:443
CONNECTED(0003)
1919:error:140790E1:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:223:

That's what happens when I try to connect to another secure web site:

SSLeays_client -connect www.puretec.de:443
CONNECTED(0003)
depth=0 /C=DE/ST=BW/L=Karlsruhe/O=Schlund + Partner AG/OU=PureTec/CN=www.puretec.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/ST=BW/L=Karlsruhe/O=Schlund + Partner AG/OU=PureTec/CN=www.puretec.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certficate chain
 0 s:/C=DE/ST=BW/L=Karlsruhe/O=Schlund + Partner AG/OU=PureTec/CN=www.puretec.de
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
---
Server certificate
-BEGIN CERTIFICATE-
MIICrTCCAhYCAjBoMA0GCSqGSIb3DQEBBAUAM .

That's what it looks like when I try to connect via get_page.pl from the examples subdirectory (SSL2 enforced):

medizinrecht: {30} % ./get_page.pl tips.citicorp.de 443 /cgi-bin/ckshdl
Opening connection to tips.citicorp.de:443 (0)
Creating SSL 2 context...
Creating SSL connection (context was '733696')...
Setting fd (ctx 733696, con 734720)...
Entering SSL negotiation phase...
SSLeay connect returned 0
Cipher `(NONE)'
Segmentation fault (core dumped)
medizinrecht: {31} %

Any help would be greatly appreciated.

--
Johannes Schritz          Tel 06721-975234
Saarlandstraße 176        Fax 06721-47222
55411 Bingen              Mobil 0177-8799781
[EMAIL PROTECTED]          ICQ 2531515
0.9.2b problems on irix.
I've successfully built openssl-0.9.2b on irix (6.5.3m) with mipspro compilers 7.2.1.3m.

Firstly, ssl_ciph.c contains 8 lines that end in ^M which the compiler can't grok. The compiler then bails out with an error.

./Configure irix-cc points BN_ASM=asm/mips1.o. When the compilation gets round to linking the apps/openssl monolith it moans about all sorts of functions that aren't available. Using asm/mips3.o also causes these problems. Using bn_asm.o cures this.

OK, so far all this has been minor issues. Fixing the problems above enables "make" to complete successfully. "make rehash" also has no problems, however "make test" fails at rsa_oaep_test. I have no idea what could be wrong. I suspected a compiler bug and removed -O from the CFLAGS - no success. I tried gcc but it fell over terribly and I'm now at a loss.

FYI, this is an IP19 and /etc/compiler.defaults contains -DEFAULT:abi=n32:isa=mips3

None of the tests following rsa_oaep_test fail.

I'd appreciate any tips.

regards,
-al.
Problem contacting Stronghold server
Hi --

I have successfully installed SSLeay 1.03 and run the test.pl script that is included. This script contacts several external secure server sites. The problem is, I can't get to the one site that I need to get to. It's running the Stronghold server (based on Apache 2.2 server), and supports the following ciphers:

RC4 with MD5
RC4 with MD5 40-bit
RC2 with MD5
DES with MD5
Triple DES with MD5
RC4-64-MD5

I get a segmentation violation and the following output:

=
Opening connection to www.creditnet.com:443 (0)
Creating SSL context...
Creating SSL connection (context was '1932808')...
Setting fd (ctx 1932808, con 1932552)...
Entering SSL negotiation phase...
SSLeay connect returned 0
Cipher `(NONE)'
=

So it looks like it's the cipher negotiation that's failing. Any help would be greatly appreciated! I don't know where to go from here but it's extremely frustrating, especially since I was able to connect to my own secure server.

--Linda Mundy
[EMAIL PROTECTED]