Re: www.openssl.org

1999-05-26 Thread Magnus Stenman

Ben Laurie wrote:
> 
> GOMEZ Henri wrote:
> >
> > Hi !!!
> >
> > Why not start feeding contrib dir located in http://www.openssl.org/contrib/
> > with at least openssl RPMs (0.9.3) (found on
> > http://www.modssl.org/contrib/)
> 
> Good idea for the OpenSSL RPMs - but I'd say www.openssl.org should be
> the primary source, no?

That's what he meant -- we are now uploading to www.modssl.org/contrib
because www.openssl.org/contrib is not operational yet...

> 
> Cheers,
> 
> Ben.
> 
> --
> http://www.apache-ssl.org/ben.html
> 
> "My grandfather once told me that there are two kinds of people: those
> who work and those who take the credit. He told me to try to be in the
> first group; there was less competition there."
>  - Indira Gandhi
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

-- 
 Magnus Stenman   mailto:[EMAIL PROTECTED]   http://www.hkust.se

 Get it up, keep it up.  Linux -- Viagra for your PC



Re: Howto make a small footprint lib?

1999-05-26 Thread Michael Portz

Peter 'Luna' Altberg wrote:
> 
> Hi all,
> 
> I'm making a single floppy Linux router/firewall. For now I'm running
> the 'telnetd' from the GNU 'inetutil' package on it, but I'd rather be
> using SSL-MZtelnet instead. Unfortunately, I don't have much space left
> on the floppy now. Does anyone have any tips on how to configure/build
> OpenSSL and/or SSL-MZtelnet to use as little disk space as possible? A
> single encryption method would be sufficient I think.
> 
> Cheers,
> Peter
> 
> ---
> Peter "Luna" Altberg, Sweden <[EMAIL PROTECTED]>
> PGP Key ID: 0x33BE83E0
> Fingerprint: 05DB BFF0 4F9D 1FFA 8441  E859 7F7B E52E 33BE 83E0
> 
> Gubben Movitz ler och nickar, / men från Charons mörka sund
> dödens blund / i dina blickar / bådar snart din sista stund.
> Carl Michael Bellman, Fredmans epistel nr 34
> 

Well...I guess you already dropped the IDEA, RC2 and RC4 stuff using
no-idea, no-rc2 and no-rc4 at config-time. Funny thing is, I'm working
on a single floppy solution as well (not route/fw though) and so I'm
concerned by the same problems. My statically linked SSLftp isn't a
real problem so far though, but the smaller the better...:)

Regards
Michael

ps:  Of course SSLftp IS huge compared to the rest...pppd, mgetty and
     the basic utils, even the kernel isn't that much bigger...*sigh*
pps: Something I really dislike is that you have to give the "-DNO_IDEA
     -DNO_RC2 -DNO_RC4" options to each and every application/utility
     at compile time. How about adding a header file to the OpenSSL
     includes which defines those options for later inclusion? I'll try
     to work something out...shouldn't be that difficult...

-- 
//---
// 3C Dr.Klingler, Dr.Portz GbR   Tel:   ++49 2407 96056
// Kaiserstr. 100                 Fax:   ++49 2407 96292
// 52134 Herzogenrath             Email: [EMAIL PROTECTED]
// Germany



RE: RSA License + U.S. comercial use

1999-05-26 Thread Chris Zimman

On 05/26/99, Salz, Rich said:
>I expect, however, that what you are really interested in
>is "where can I get patches that integrate OpenSSL with
>crypto hardware?"  I don't know of any such patches. It's
>a moderate level of effort for you to do it yourself. I also
>believe that integration with PKCS11, the standard crypto-token
>API is on the OpenSSL wish list.

Actually, I've written patches for SSLeay-0.9.0b to use nCipher's hardware
supporting acceleration, the hardware RNG, and limited access to the
hardware key storage mechanism (actually the guys at nCipher wrote that
part, I just included it with the stuff I did too).

If you're in the US and you're interested in this, let me know, I will
send it to you.  

The hardware is really great, and very fast.  It requires a large thread
pool (or OpenSSL to move to a totally async model, which is pretty tough)
to really be effective though.  The package should work fine under any OS
that nCipher supports.

--Chris



RE: RSA License + U.S. commercial use

1999-05-26 Thread Paul Rubin

If you control both the client and server, you can use Diffie-Hellman/DSA.
The US patent for DH expired in 1997.  DSA is patented by the government
but can be used at no charge as long as you follow the standard.  
Disclaimer: IANAL etc.  Technical note: DH is somewhat less cpu-efficient
than RSA with the same key size.  If you expect very high server loads,
you might look for a different solution.



Re: Latest openssl and bsdi 3.1 compile problems.

1999-05-26 Thread Ulf Möller

>If your assembler only knows 386 opcodes, you'll probably have to use
>the "386" option to "./config".  (bswapl does not exist on the 386.)

In the SHA assembler code, bswapl is given as its numeric value, so
this problem would not occur. The problem is that Configure only
defines the macro SHA1_ASM, but the SHA-0 implementation checks for
SHA_ASM.



Re: RSA License + U.S. commercial use

1999-05-26 Thread Dr Stephen Henson

Bodo Moeller wrote:
> 
> On Thu, May 27, 1999 at 10:25:34AM +1000, Ian Pollard wrote:
> 
> > I have a proprietary client application and server that I have implemented
> > OpenSSL for secure comms.  My own client app doesn't have to communicate
> > with anything other than my own application server.  My server will be
> > likely situated outside the US, my client app may be deployed to inside the
> > US.
> 
> So you likely don't want to use RSA.  If you configure the library
> with no-rsa no-idea, what is left should be safe to use without having
> to worry too much about patents; but IANAL, etc.

You might also want to exclude RC5 and RC4 which RSA is claiming various
things over. I believe RC2 is OK now but some people omit it anyway.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: RSA License + U.S. commercial use

1999-05-26 Thread Bodo Moeller

On Thu, May 27, 1999 at 10:25:34AM +1000, Ian Pollard wrote:

> I have a proprietary client application and server that I have implemented
> OpenSSL for secure comms.  My own client app doesn't have to communicate
> with anything other than my own application server.  My server will be
> likely situated outside the US, my client app may be deployed to inside the
> US.

So you likely don't want to use RSA.  If you configure the library
with no-rsa no-idea, what is left should be safe to use without having 
to worry too much about patents; but IANAL, etc.



trying to run httpsd...dies!

1999-05-26 Thread Shane Clements

I have apache 1.3.6 with openssl 0.9.2b installed.

When I run apache I get:
[Wed May 26 17:14:04 1999] [crit] Attempt to reinitialise SSL for server www.myserver.com

Did I do something wrong or what?

in /usr/local/apache/conf/httpsd.conf I have:
SSLCertificateKeyFile mykey.key
SSLCertificateFile mycert.cert

these files exist:
/usr/local/ssl/certs/mycert.cert
/usr/local/ssl/private/mykey.key

Shane






RE: RSA License + U.S. commercial use

1999-05-26 Thread Ian Pollard

A single response from Bodo Moeller on this one would be fine.

I have a proprietary client application and server that I have implemented
OpenSSL for secure comms.  My own client app doesn't have to communicate
with anything other than my own application server.  My server will be
likely situated outside the US, my client app may be deployed to inside the
US.

Given I am using OpenSSL and developing this outside the US, I am assuming I
don't need to worry about export restrictions.

QUESTIONS:
Which crypto algorithm would you recommend to use to reduce my exposure to
legal issues?
Are there any other legal implications with what I am doing (apart from the
OpenSSL licensing agreement)?

I would certainly seek legal counsel on this prior to deployment, however I
would like to progress with a reasonable level of confidence that I am going
down the right track.

Thanks,
Ian Pollard
The Partnership Group



RE: RSA License + U.S. comercial use

1999-05-26 Thread Paul Rubin

> There are a number of hardware crypto vendors, including
> Spyrus, Chrsalis, nCipher. Point your browser to www.{pick}.com
>
> I expect, however, that what you are really interested in
> is "where can I get patches that integrate OpenSSL with
> crypto hardware?"  I don't know of any such patches. It's
> a moderate level of effort for you to do it yourself. I also
> believe that integration with PKCS11, the standard crypto-token
> API is on the OpenSSL wish list.

Ncipher's installation CD includes a set of patches for SSLEAY.
I'd expect those would also work with openSSL.



Re: Passwords in OpenSSL-0.9.3

1999-05-26 Thread Franco Papacella



On Wed, 26 May 1999, Scheltema, R.A. wrote:

> Hi all,
> 
> I've installed openssl version 0.9.3 and I've noticed that the
> callback-function for passwords has gained a parameter, which totals it now
> to three.
> 
> int password_cb(char *buf, int len, int WhatIsThis);

It's 0 when the password is needed to decrypt a private key and 1 (or
non-zero?) when you have to reenter (verify) a new password, which will be
used for encryption of some (new) key.

Regards, Franco





Re: Passwords in OpenSSL-0.9.3

1999-05-26 Thread Franco Papacella



On Wed, 26 May 1999, Wu Zhigang wrote:

> Hi,
> 
> Besides his question, I want to know if anyone has
> experience building a Win32 dialog based password
> callback function?
> If yes, can you share your code?

Looking for something like this?

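#include <windows.h>
#include <string.h>
#include <openssl/ssl.h>

/* IDD_PASSPH and IDC_PASSPH come from the application's resource header;
   myInst and hwndMain are the application's instance and main window. */

/* Passphrase typed into the dialog; wiped again after each use. */
static char passph[128];

/* Dialog procedure: on OK, copy the edit control's text into passph. */
BOOL CALLBACK
pass_proc (HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
  switch (uMsg) {
  case WM_INITDIALOG:
    SetForegroundWindow (hwnd);
    return TRUE;
  case WM_COMMAND:
    switch (LOWORD (wParam)) {
    case IDOK:
      GetDlgItemText (hwnd, IDC_PASSPH, passph, sizeof (passph));
      /* fall through: OK and Cancel both close the dialog */
    case IDCANCEL:
      EndDialog (hwnd, LOWORD (wParam));
      break;
    default:
      break;
    }
    break;
  default:
    break;
  }
  return FALSE;
}

/* OpenSSL password callback: returns the passphrase length, 0 on cancel. */
int
get_passph (char *buf, int buf_len, int unused)
{
  int len = 0;

  if (buf_len > 0 &&
      DialogBox (myInst, MAKEINTRESOURCE (IDD_PASSPH),
                 hwndMain, pass_proc) == IDOK) {
    /* strncpy does not terminate on truncation, so terminate explicitly
       and report the length actually stored in buf */
    strncpy (buf, passph, buf_len - 1);
    buf[buf_len - 1] = '\0';
    len = (int) strlen (buf);
  }
  /* do not leave the passphrase in the global buffer */
  SecureZeroMemory (passph, sizeof (passph));
  return len;
}

int WINAPI
WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR cmdLine, int show)
{
   ...
   /* ssl is the application's SSL_CTX * */
   SSL_CTX_set_default_passwd_cb (ssl, get_passph);
   ...
}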


IDD_PASSPH DIALOG 50, 5, 130, 80
STYLE DS_MODALFRAME | DS_3DLOOK | DS_CONTEXTHELP | WS_POPUP | WS_VISIBLE |
      WS_CAPTION | WS_SYSMENU
CAPTION "YourApp - Passphrase"
FONT 8, "MS Sans Serif"
{
 CONTROL "Please enter the passphrase to unlock your private key", -1,
         "static", SS_LEFT | WS_CHILD | WS_VISIBLE, 10, 10, 110, 24
 CONTROL "", IDC_PASSPH, "edit", ES_LEFT | ES_AUTOHSCROLL | ES_PASSWORD |
         WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 10, 40, 110, 12
 CONTROL "OK", IDOK, "BUTTON", BS_PUSHBUTTON | BS_CENTER | WS_CHILD |
         WS_VISIBLE | WS_TABSTOP, 10, 60, 50, 14
 CONTROL "Cancel", IDCANCEL, "BUTTON", BS_PUSHBUTTON | BS_CENTER |
         WS_CHILD | WS_VISIBLE | WS_TABSTOP, 70, 60, 50, 14
}


Enjoy, Franco





Re: Object signing

1999-05-26 Thread Franco Papacella



On Tue, 25 May 1999, Mario Fabiano wrote:

> I want to issue a X509v3 certificate with openssl CA to sign Java
> applets.
> What extensions must I define in the ssleay.cnf file?


nsCertType = objsign

worked for me!

Ciao, Franco




libRSAglue.a

1999-05-26 Thread Eric Cronin

Hi.  I just switched a project I'm working on from using SSLeay to 
OpenSSL.  It initially had some problems with unresolved symbols... 
I tracked them down and fixed them by moving libRSAglue.a into the 
ssl/lib dir and linking with it.  I can't seem to find this lib 
documented in the readmes though, and since make install didn't 
install it, I'm wondering what it's used for and why my code seems to 
need it?  I'm pretty new to OpenSSL so sorry if this is really basic. 
I'd rather have our code work with a normal install of OpenSSL...

Eric



RE: Building OpenSSL Project with MS C++ 5.0

1999-05-26 Thread Greg Pasquariello

About to do it this evening.  I'll let you know how it goes; it appears to
be fairly straightforward.

-Greg

---
Greg Pasquariello
CTO, PrivaSeek, Inc.
[EMAIL PROTECTED] 
303-604-6334 x104


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Niels J. Thorwirth
> Sent: Wednesday, May 26, 1999 11:52 AM
> To: [EMAIL PROTECTED]
> Subject: Building OpenSSL Project with MS C++ 5.0
>
>
> Hi,
> has anybody made an MSVC++ project from OpenSSL 0.9.3 or earlier ?
>
> thanx
>   Niels
>
> --
> -N-i-e-l-s--T-h-o-r-w-i-r-t-h--
>  Tel:
> -Frauenhofer CRCGWork: xx1-401-453-6363 Ext. 133
> -321 South Main St.  Home: xx1-401-331-9284
> -Providence, RI 02903 USA
> -http://webrum.uni-mannheim.de/bwl/thorwir/www/NielsThorwirth/



Re: DES key mismatch

1999-05-26 Thread Chris Bongaarts

As Tri Phan once put it:

> I'm using openSSL-0.9.1c's EVP_BytesToKey to generate a DES
> encryption key for EVP_des_cbc() and EVP_des_ede3_ofb(). I can run
> my application successfully as an NT application, NSAPI DLL within
> NES 3.6.1 (on NT), Sun Solaris application, or Sun Solaris shared
> object without NSAPI. The same encryption is derived for my given
> password, salt, and iteration count.
> 
> However, when I run my application as an NSAPI shared object within
> Netscape Enterprise Server (NES) 3.61 on Solaris, a different DES
> encryption key is derived for the same password, salt, and iteration
> count.

Keep in mind when working with dynamically loaded object files that
the symbols already found in the program will override any symbols
present in your loaded code (or anything linked to it).  NS Enterprise 
Server has several symbols that conflict with the symbols in
ssleay/openssl.  When such a conflict exists, the Netscape version of
the routine (which likely has different calling conventions or
semantics) is used in preference to the OpenSSL version.

I ran into this problem when trying to use SSL calls from within an
NSAPI.  I solved it by hacking the OpenSSL source to tweak the names
of the colliding routines, changing *_Update to *_update:

find /src/openssl-0.9.1c -type f \( -name '*.[ch]' -o -name '*.org' \) \
  -exec egrep -s '(MD2|MD5|SHA1)_Update' {} \; -print |
  xargs perl5 -i -pe 's/(MD2|MD5|SHA1)_Update/$1_update/g;'

As the example3.c file appears to use MD5 for the BytesToKey routine, 
this is the likely culprit.

%%  Christopher A. Bongaarts%%  [EMAIL PROTECTED]
%%  ADCS - Internet Enterprise  %%  http://umn.edu/~cab
%%  University of Minnesota %%  +1 (612) 625-1809
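
A check for the kind of collision described in the message above, as an added example that is not part of the original post: it compares two symbol listings in `nm` output format and reports every global symbol that both the host program and the loadable object define, then shows that the listing no longer collides after the post's `*_Update` to `*_update` rename. The listings are constructed samples (only the three `_Update` names come from the post), and the function names are hypothetical.

```shell
#!/bin/sh
# Find global symbols defined by BOTH a host program and a loadable object.
# Input files are in `nm` output format: "address type name".
# Against real files (assumption: a POSIX-style nm is installed):
#   nm -g host_binary > host.syms; nm -g plugin.so > plugin.syms

# defined_globals FILE: names of globally visible, defined symbols.
# T/D/B/R are text, data, bss and read-only data. Undefined (U) entries have
# only two fields and lowercase types are local, so neither can collide.
defined_globals() {
    awk 'NF == 3 && $2 ~ /^[TDBR]$/ { print $3 }' "$1" | LC_ALL=C sort -u
}

# colliding_symbols HOST_SYMS PLUGIN_SYMS: names defined on both sides.
# Each name printed is a routine the host's copy would silently replace.
colliding_symbols() {
    tmp_host=$(mktemp) && tmp_plug=$(mktemp) || return 1
    defined_globals "$1" > "$tmp_host"
    defined_globals "$2" > "$tmp_plug"
    LC_ALL=C comm -12 "$tmp_host" "$tmp_plug"
    rm -f "$tmp_host" "$tmp_plug"
}

# renamed_listing FILE: the listing as it would look after the source-level
# rename of MD2/MD5/SHA1 *_Update to *_update described in the post.
renamed_listing() {
    sed -e 's/MD2_Update$/MD2_update/' -e 's/MD5_Update$/MD5_update/' \
        -e 's/SHA1_Update$/SHA1_update/' "$1"
}

# write_samples DIR: constructed listings for a host and a plugin.
write_samples() {
    cat > "$1/host.syms" <<'EOF'
0000000000012400 T MD2_Update
0000000000012480 T MD5_Update
0000000000012500 T SHA1_Update
0000000000013000 T server_main
0000000000020000 D config_table
                 U malloc
0000000000014000 t md5_block
EOF
    cat > "$1/plugin.syms" <<'EOF'
0000000000001100 T EVP_BytesToKey
0000000000001200 T MD5_Init
0000000000001300 T MD5_Update
0000000000001400 T MD5_Final
0000000000001500 T MD2_Update
0000000000001600 T SHA1_Update
                 U malloc
0000000000001700 t md5_block
EOF
}

# Demo on the constructed listings: before and after the rename.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "colliding before rename:"
colliding_symbols "$demo_dir/host.syms" "$demo_dir/plugin.syms"
renamed_listing "$demo_dir/plugin.syms" > "$demo_dir/plugin.renamed"
echo "colliding after rename:"
colliding_symbols "$demo_dir/host.syms" "$demo_dir/plugin.renamed"
rm -rf "$demo_dir"
```

Weak symbols (types W and V) are ignored here; add them to the pattern in `defined_globals` if the platform's libraries use them.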



About pyCa-0.4.5

1999-05-26 Thread Raul Gutierrez

Hi:

When I request a certificate from Netscape, the ns-enroll.py script saves
the file ns-cert-req.CA.83231027.spkac. I issue the certificate with this
command:
"/usr/local/ssl/bin/openssl ca -config /usr/local/SegCA/openssl.cnf -name CA_CA -spkac ns-cert-req.CA.83231027.spkac"
This command creates the new certificate in the /usr/local/SegCA/CA/newcerts
directory. How can I get this certificate from Netscape?


Thanks in advance

Raul Gutierrez










Linkedit error __umoddi3

1999-05-26 Thread Matthew Ling


I just built OpenSSL 0.9.3. (I was using SSLeay 0.9.2b in the past.) My
program didn't make it through link editing. The linker (AIX 4.2.1)
complains about the presence of an undefined symbol called
.__umoddi3. The symbol is located inside the object "bnword.o". Any
idea what is missing in my link edit command?





Re: apache+ssl HOWTO?

1999-05-26 Thread Marko Asplund

On Wed, 26 May 1999, geoffrey wrote:

> ...
>   this is the first apache+ssl server I have built; so, my knowledge
> of ssl servers, and ssl in general, is very limited. Is there an
> apache+ssl HOWTO, or a general primer on ssl servers? I would like to find
> a source of information on what the different aspects of openssl do, what
> certificates can be, and need to be, generated for running an ssl-enabled
> storefront on the web, etc. All pointers are heartily welcomed!

not directly related to apache-ssl but, you could try using mod_ssl's
(http://www.modssl.org) documentation as one of your starting points.

--
aspa




RE: RSA License + U.S. comercial use

1999-05-26 Thread Salz, Rich

oops, the FQDN of Chrysalis is chrysalis-its.com



RE: RSA License + U.S. comercial use

1999-05-26 Thread Salz, Rich

(I really hate the Reply-to header as used here..)

>Could you point us (me) somewhere where we can get more info on this 
>hardware-based encryption?  (website, etc)

There are a number of hardware crypto vendors, including
Spyrus, Chrsalis, nCipher. Point your browser to www.{pick}.com

I expect, however, that what you are really interested in
is "where can I get patches that integrate OpenSSL with
crypto hardware?"  I don't know of any such patches. It's
a moderate level of effort for you to do it yourself. I also
believe that integration with PKCS11, the standard crypto-token
API is on the OpenSSL wish list.
/r$



RE: newbie question

1999-05-26 Thread Dave Clark

No problem.

- dc

At 01:06 PM 05/26/1999 , you wrote:
>Got it.  It was the /MD problem, but I was building the OpenSSL libs with
>/MD and my application in debug mode (/MDd).  Matching them fixed it.
>
>Thanks for your help!
>
>-G
>
>---
>Greg Pasquariello
>CTO, PrivaSeek, Inc.
>[EMAIL PROTECTED] 
>303-604-6334 x104
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Dave Clark
>> Sent: Wednesday, May 26, 1999 6:32 AM
>> To: [EMAIL PROTECTED]
>> Subject: Re: newbie question
>>
>>
>> At 07:37 PM 05/25/1999 , you wrote:
>> >Greg Pasquariello wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm a newbie to OpenSSL and the SSLeay (though not SSL in general).
>> >> I've gotten basic SSL negotiation working, but for the life of me I
>> >> can't get this BIO stuff to work.
>> >>
>> >> I'm running the latest build on NT and the following fails with an
>> >> Access Violation.
>> >>
>> >> BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
>> >> BIO_printf(bio, "Hello World\n");
>> >>
>> >> Can anyone point me in a direction?
>> >>
>> >
>> >If you check INSTALL.W32 it says you have to link with the
>> >multi-threaded DLL version of the runtime library (/MD switch); that's
>> >almost always the cause of this.
>>
>> And if you are linking in any other libraries of your own, they also
>> must be compiled for multithreaded DLL (not just multithreaded).  This
>> one had me going for a bit.  :-)
>>
>> - Dave



Re: www.openssl.org

1999-05-26 Thread Ben Laurie

GOMEZ Henri wrote:
> 
> Hi !!!
> 
> Why not start feeding contrib dir located in http://www.openssl.org/contrib/
> with at least openssl RPMs (0.9.3) (found on
> http://www.modssl.org/contrib/)

Good idea for the OpenSSL RPMs - but I'd say www.openssl.org should be
the primary source, no?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



RE: RSA License + U.S. comercial use

1999-05-26 Thread E. Stuart Hicks

Could you point us (me) somewhere where we can get more info on this 
hardware-based encryption?  (website, etc)

-Original Message-
From:   Salz, Rich [SMTP:[EMAIL PROTECTED]]
Sent:   Wednesday, May 26, 1999 11:33 AM
To: '[EMAIL PROTECTED]'
Subject:RE: RSA License + U.S. comercial use

>Is it true there is no way to use OpenSSL in a commercial U.S. 
>product ?

This is not true.  For example, you can replace the patent-violating
code with hardware crypto.

>My first pass through the license information gave me the
>impression I could pay RSA a licensee fee but the saleswoman
>informed me that it is not legal to use OpenSSL in the United
>States for commercial use in any way.

The saleswoman (who has particular, obvious, motivations) is
incorrect.  See my first paragraph.

As for whether or not your interpretation of the license is
correct, you should probably have a lawyer advise you.
/r$


Building OpenSSL Project with MS C++ 5.0

1999-05-26 Thread Niels J. Thorwirth

Hi,
has anybody made an MSVC++ project from OpenSSL 0.9.3 or earlier ?

thanx
Niels

-- 
-N-i-e-l-s--T-h-o-r-w-i-r-t-h--
 Tel:
-Frauenhofer CRCGWork: xx1-401-453-6363 Ext. 133
-321 South Main St.  Home: xx1-401-331-9284
-Providence, RI 02903 USA
-http://webrum.uni-mannheim.de/bwl/thorwir/www/NielsThorwirth/



Re: Latest openssl and bsdi 3.1 compile problems.

1999-05-26 Thread Bodo Moeller

On Wed, May 26, 1999 at 10:41:02AM -0600, Jim Hribnak wrote:

> I am having problems compiling openssl .0.9.3 and bsdi 3.1  I run config
> and then make and I then eventually get the following:
> 
> 
> making all in crypto/sha...
> gcc -I.. -I../../include -O3 -ffast-math -DL_ENDIAN -DPERL5 -m486 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c sha_dgst.c
> sha_dgst.c:301:no such 386 instruction: `bswapl'
> sha_dgst.c:308:no such 386 instruction: `bswapl'
> sha_dgst.c:313:no such 386 instruction: `bswapl'
> sha_dgst.c:318:no such 386 instruction: `bswapl'
> sha_dgst.c:518:no such 386 instruction: `bswapl'
> sha_dgst.c:524:no such 386 instruction: `bswapl'
> sha_dgst.c:529:no such 386 instruction: `bswapl'
> sha_dgst.c:534:no such 386 instruction: `bswapl'
> *** Error code 1
> 
> 
> What is going wrong? Do I have to add something? Remove something?

If your assembler only knows 386 opcodes, you'll probably have to use
the "386" option to "./config".  (bswapl does not exist on the 386.)



apache+ssl HOWTO?

1999-05-26 Thread geoffrey

Hi,
this is the first apache+ssl server I have built; so, my knowledge
of ssl servers, and ssl in general, is very limited. Is there an
apache+ssl HOWTO, or a general primer on ssl servers? I would like to find
a source of information on what the different aspects of openssl do, what
certificates can be, and need to be, generated for running an ssl-enabled
storefront on the web, etc. All pointers are heartily welcomed!

Thanks for all the work, and I hope to one day give back.

geoffrey

---
When you take that bus ...
You get there.
___

public key available upon request.

Key fingerprint ===> 0BE3 2484 957D 13F9 8D76 84EA 3C04 68FF D379 F9B4





Re: How to have the client's certificate...

1999-05-26 Thread Alessandro Vesely

> From: "Davide Campanella" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: How to have the client's certificate...
> Date: Wed, 26 May 1999 14:54:29 +0200
> 
> I have a problem because my server can't receive the client's certificate...
> I'm not sure if I have a problem in the client or in the server.

I'm not sure either, since you don't say what's your client.

AFAIK, it may be a problem of mime types. Netscape needs to receive
certificates with a mime type of "application/x-x509-xxx-cert", where
xxx is any of "user", "ca" and "email". It doesn't mind the format
the certificate is actually written in (der or text) but it wants
to know its meaning. (For type "user" it looks for a match in its
cache of hidden requests.)

Personally, I added the following in Apache's httpd.conf:

AddType application/x-x509-ca-cert .ca-cert
AddType application/x-x509-user-cert .usr-cert
AddType application/x-x509-email-cert .mime-cert

(only the "ca" type was conditionally defined. You
don't need an ssl aware http server to define that
type, though.)

but then I must make sure to copy the certificate with
the right extension, depending on who is going to get it.
(Perhaps that's why most people use scripts for that task.)

Hope this helps
Ciao
Ale

> 
> I'm using openssl-0.9.3... I tried everything that I read in openssl-users... 
> 
> Bye,
>  Davide
> 




a perl interface to OpenSSL

1999-05-26 Thread Marko Asplund


in case someone is interested, i'm writing a perl interface (called
Net::SSL) to OpenSSL. at first, it was meant to be a Net::SSL (in Gisle
Aas's Crypt-SSLeay package) emulation library that would fix libwww-perl's
support for https scheme URLs. the library provides an interface similar
to that of IO::Socket::INET. i've managed to write an experimental client
and server with it in the spirit of IO::Socket::INET. it also appears to
be working with LWP and i'm able to use https URLs through LWP.

the library uses Net::SSLeay v1.03 so you have to have it installed.

the interface library and test scripts can be found at:
http://www.hip.fi/~aspa/SSL/net_ssl.tgz

any comments are welcome,

best regards,
--
aspa




Re: openssl-0.9.3 breaks apache_1.3.6+ssl_1.34 patch?

1999-05-26 Thread giwarden

Thanks for pointing out the info in the Configure and INSTALL files.
 That's what I get for not reading the documentation carefully...
:)

-giwarden