Re: SSL Proxy problems
Bunny,

> stunnel (Failed to talk sslv3 properly, generating errors on certain packets.

So why didn't you report your problem to stunnel-users, first? I'm sure I could help you.

Regards,
Mike

---
Michal Trojnara * +48 501 00 12 43
IT Security Officer * PTK Centertel

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Scripting of s_client
Thomas Reinke schrieb:

Point 3 is your problem, s_client handles stdin in a special way :(

s_client assumes that if either stdin or the ssl socket hits end of file, that it should shut down operation. Unfortunately, when redirecting stdin from a file, what happens is that you read the command to send to the remote web server, send it, and then quit before the response can be read in.

What about (cat file; sleep 15) | openssl s_client -options? This way stdin is not closed until 15 seconds have elapsed.

--
Holger Reif                 Tel.: +49 361 74707-0
SmartRing GmbH              Fax.: +49 361 7470720
Europaplatz 5               [EMAIL PROTECTED]
D-99091 Erfurt              WWW.SmartRing.de
Re: SSL Proxy problems
> How about using either mod_ssl or Apache-SSL together with ProxyPass directive? It seems like a bit overkill but should work. Furthermore I suggest buying some hardware crypto accelerator that gives you *much* performance gain.

A hardware implementation of 48bit SSL seems like a bit of a waste of effort :) A decent CPU and a threaded/single process can do it no problems. The apache thing could work, but again, it's a fork module, although a very efficient one (leaves processes around). I guess it's my last resort if nothing else is ready by opening.

Richard
Re: Scripting of s_client
Holger Reif [EMAIL PROTECTED], in message 37981BDE.6A611A5@smartring.de, wrote:

> What about (cat file; sleep 15) | openssl s_client -options? This way stdin is not closed until 15 seconds have elapsed.

Or, if s_client and s_server were able to do the subprocess plumbing the same way ssl-auth can, then they could be used to solve a much wider variety of problems.

http://web.purplefrog.com/~thoth/netpipes/ssl-auth.html

I'm still waiting for someone to follow my example and rewrite ssl-auth from a country with sane export laws.

--
Bob Forsman [EMAIL PROTECTED] http://www.gainesville.fl.us/~thoth/
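The timed sleep in the thread works, but it is a guess at how long the server needs, and it can be both too short (response cut off) and too long (script stalls). Added here as an example, not code from the thread or from the OpenSSL project: a POSIX sh script that drives s_client without the sleep. It relies on two things: the `-ign_eof` option of openssl s_client, which keeps reading from the socket after stdin hits EOF, and an `HTTP/1.0` request with `Connection: close`, so the server closes the connection when it has finished sending. The host, port and path are placeholders supplied by the caller; `-verify_return_error` is included so a certificate that fails verification aborts the fetch instead of being silently accepted, which is the s_client default.

```shell
# Added example: scripting openssl s_client without a fixed sleep.
# Assumes a modern openssl(1) that supports -ign_eof, -servername and
# -verify_return_error. HOST/PORT/PATH are placeholders from the caller.

# Build a minimal HTTP/1.0 request with CRLF line endings. Feeding a file
# with bare "\n" endings (as `cat file` would) is a common reason for
# hangs or 400 responses, so the request is generated rather than stored.
build_http_request() {
    host=$1
    path=${2:-/}
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# Send the request over TLS and emit only the HTTP response on stdout.
# -quiet suppresses the certificate dump (and implies -ign_eof, which is
# still given explicitly because it is the point of the example);
# -verify_return_error makes an untrusted server certificate fatal.
ssl_fetch() {
    host=$1
    port=${2:-443}
    path=${3:-/}
    build_http_request "$host" "$path" \
        | openssl s_client -quiet -ign_eof -verify_return_error \
              -connect "$host:$port" -servername "$host" 2>/dev/null
}

# Pull the three-digit status code out of a response read from stdin,
# e.g. "HTTP/1.0 200 OK" -> "200". Tolerates the trailing CR.
http_status() {
    head -n 1 | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Usage (needs network access):
#   ssl_fetch www.example.com 443 / | http_status
```

Because the connection is closed by the server, the script finishes as soon as the response is complete, and a server that never answers is handled by putting a `timeout` in front of `openssl` rather than by guessing a sleep.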
Bad Protocol Version Number
Hi,

I'm using OpenSSL 0.9.2b / mod_ssl 2.2.7 / Apache 1.3.6 and trying to get it up and running. When I try to use a cert that was created using 0.9.0b libs I get this message from the server error log:

    [error] mod_ssl: Unable to configure server private key for connection (OpenSSL library error follows)
    [error] OpenSSL: error:14080074:SSL routines:SSL3_ACCEPT:bad protocol version number

Here is a "openssl x509 -text -in www.myvideostore.com.crt -noout". Any help would GREATLY be appreciated as this server is supposed to be up today ;-)

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 28954 (0x711a)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server [EMAIL PROTECTED]
            Validity
                Not Before: Jul 22 13:03:29 1999 GMT
                Not After : Aug  4 13:03:29 2000 GMT
            Subject: C=US, ST=Indiana, L=Indianapolis, O=Major Video Concepts, Inc., OU=MyVideoStore, CN=www.myvideostore.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:a7:36:54:b3:7f:6b:07:14:9a:3c:2a:46:f4:0a:
                        85:62:0b:99:90:99:bd:39:3f:0d:6f:09:6d:35:b3:
                        99:c8:50:0d:78:c1:ed:6e:e8:9c:53:3f:cb:14:c3:
                        37:3d:34:09:a1:bf:1e:3d:6f:ae:36:71:89:97:09:
                        54:46:a0:76:04:b1:42:27:87:42:89:08:ba:cd:2b:
                        03:db:9e:51:9f:6f:a7:ea:f9:86:23:b8:94:60:6d:
                        18:49:b8:47:f3:70:c6:1a:ff:f1:f1:dd:9d:4a:57:
                        1c:49:05:f2:4d:bc:62:8f:14:d1:dc:85:f6:d1:9f:
                        1b:cb:3e:de:3a:6d:8a:33:71
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
        Signature Algorithm: md5WithRSAEncryption
            44:39:c0:f5:0a:44:41:a8:01:f5:6a:97:69:65:85:e4:5e:ee:
            b6:b3:97:10:78:d2:72:6b:aa:d1:8e:23:46:d4:14:96:0f:de:
            20:a0:cc:62:66:32:cc:2e:ed:8b:e8:98:ec:c5:a8:c9:7b:7b:
            5b:74:d4:4f:a8:fb:09:f2:89:56:3b:a5:cb:2e:5e:fc:2f:ef:
            29:1e:1b:d7:43:14:5a:3e:da:da:34:ef:9b:fb:58:43:a3:29:
            64:13:27:6c:dd:bd:f7:23:d4:c7:53:d9:77:01:54:2a:d1:86:
            a8:2b:26:72:2a:88:af:a9:79:be:19:75:cf:c7:0d:31:3c:e5:
            dd:0d
Re: SSL Proxy problems
[EMAIL PROTECTED] schrieb:

> > How about using either mod_ssl or Apache-SSL together with ProxyPass directive? It seems like a bit overkill but should work. Furthermore I suggest buying some hardware crypto accelerator that gives you *much* performance gain.
>
> A hardware implementation of 48bit SSL seems like a bit of a waste of

It's either 40 or 56 bit symmetric key length...

> effort :) A decent CPU and a threaded/single process can do it no

...but what you hit is the 512 Bit RSA private key operations that will put the load on your server.

> problems. The apache thing could work, but again, it's a fork module, although a very efficient one (leaves processes around). I guess it's my last resort if nothing else is ready by opening.
>
> Richard

--
Holger Reif                 Tel.: +49 361 74707-0
SmartRing GmbH              Fax.: +49 361 7470720
Europaplatz 5               [EMAIL PROTECTED]
D-99091 Erfurt              WWW.SmartRing.de
Re: Secure transmissions OK, but how store data?
On Sat, 24 Jul 1999 [EMAIL PROTECTED] wrote:

> Thirdly, you could download any one of a number of open-source encryption products which will encrypt the data with the public key of the recipient, thus making it available only to whoever has the private key. Start at the PGP site for that sort of thing.

www.gnupg.org, though be advised that it's still a beta program. If you're running linux, though, I believe it should work fine for you. But don't take my word for it :) read the info at the site.

--B                          | We never leave the cross behind,
                             | we use it as a banner,
www.piratech.net/bfordham    | scripture the vernacular,
pgp key id:0x4E75B945 (RSA)  | Jesus in the grammar.
0xB3585D28 (DSS)             | - Supertones, _Chase the Sun_
Re: Secure transmissions OK, but how store data?
Hi,

Thanks for the tips! The PGP aspect seems most interesting as I need to be able to access the data securely again via the net, although the others are good interim solutions!

Regards,
Barry

On Sat, 24 Jul 1999 00:22:15 +1200 (NZST), [EMAIL PROTECTED] wrote:

> emailing the data to root@localhost. Since it never passes over the
> the data to an all-writeable, root-readable file, thus turning it into a
> PGP site for that sort of thing.
compile problem - bswap
Encountered the error below when running make... I scanned through INSTALL, checked the archive and found somebody with a similar error, but there were no answers to the problem (not encouraging). Config runs fine, I've tried both ./config and ./config no-asm. The system is a fairly fresh redhat 6.0 install (I've installed openssl on a rh5.2 box w/o problem, not so fortunate this time). Can somebody please help me?

    . . .
    make[2]: Leaving directory `/usr/local/src/openssl-0.9.3a/crypto/md5'
    making all in crypto/sha...
    make[2]: Entering directory `/usr/local/src/openssl-0.9.3a/crypto/sha'
    gcc -I.. -I../../include -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -c sha_dgst.c -o sha_dgst.o
    /tmp/ccSe851y.s: Assembler messages:
    /tmp/ccSe851y.s:293: Error: suffix or operands invalid for `bswap'
    /tmp/ccSe851y.s:298: Error: suffix or operands invalid for `bswap'
    /tmp/ccSe851y.s:303: Error: suffix or operands invalid for `bswap'
    /tmp/ccSe851y.s:313: Error: suffix or operands invalid for `bswap'
    /tmp/ccSe851y.s:536: Error: suffix or operands invalid for `bswap'
    /tmp/ccSe851y.s:541: Error: suffix or operands invalid for `bswap'
    /tmp/ccSe851y.s:546: Error: suffix or operands invalid for `bswap'
    /tmp/ccSe851y.s:551: Error: suffix or operands invalid for `bswap'
    make[2]: *** [sha_dgst.o] Error 1
    make[2]: Leaving directory `/usr/local/src/openssl-0.9.3a/crypto/sha'
    make[1]: *** [subdirs] Error 1
    make[1]: Leaving directory `/usr/local/src/openssl-0.9.3a/crypto'
    make: *** [all] Error 1

TIA,
Mark.
What is this ?
Hello All,

I recently made a dump from a communication session between a verisign CA and an IPsec client. I tried to find out what system they are using to do the online CERT request etc.. I know they are using some kind of pkcs7/pkcs10 system, like the SMIME CRS.. But I can't figure out how I can process the request so that openssl can sign it for me and return the certificate.

Maybe somebody can have a look at these files and give me some hints/pointers? The file request.der is the request I captured from the IPSec client; it should be a cert request. response.der is the response from the server; it should be something like "received the cert, please wait for approval". The original response was base64 encoded.. But this format is easier to parse with asn1parse...

Thanx,
Hugo

Attachments: request.der, response.der
SSL-C vs OpenSSL
Hello,

What are the differences between OpenSSL and RSA's SSL-C? I would like to get Apache-SSL working commercially within the US, without breaking any patent laws. And, I do know of the available SSL packages, like Stronghold and Raven. I want to know what other options are available.

Ray Hodel
Director of MIS, ServInt Internet Services
http://www.servint.com
Re: Memory leaks in strong ciphers
gic [EMAIL PROTECTED]:

> I was developing an SSL client (with openssl-0.9.3a) and found memory leaks when using RC4-MD5 (1024/128 bits). HOWEVER, when I switched to "EXP-RC4-MD5" (512/40 bits), there are NO leaks. The best way to reproduce the leaks is to run 's_time' for a long time. (Use 'top' to monitor its memory SIZE)

It's actually not the best way, because the library has built-in memory leak checking (compile with -DCRYPTO_MDEBUG; I'm afraid it does not quite work with 0.9.3a, though).

The bugs that you found have been fixed about two weeks ago -- please have a look at a recent snapshot (ftp://ftp.openssl.org/snapshot).
Memory leaks in strong ciphers
I was developing an SSL client (with openssl-0.9.3a) and found memory leaks when using RC4-MD5 (1024/128 bits). HOWEVER, when I switched to "EXP-RC4-MD5" (512/40 bits), there are NO leaks.

The best way to reproduce the leaks is to run 's_time' for a long time. (Use 'top' to monitor its memory SIZE)

    ./openssl s_time -connect "host:port" -ssl3 -cipher "RC4-MD5" -new -time 1800

The following un-exportable ciphers produce leaks in 's_time':

    DES-CBC3-SHA    SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
    IDEA-CBC-SHA    SSLv3 Kx=RSA      Au=RSA Enc=IDEA(128) Mac=SHA1
    RC4-SHA         SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=SHA1
    RC4-MD5         SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
    DES-CBC-SHA     SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1

The following exportable ciphers do NOT produce leaks:

    EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)   Mac=SHA1 export
    EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
    EXP-RC4-MD5     SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export

Can someone help me to get a patch or show me a workaround?

Many thanks.

--
Greg
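Watching `top` by hand, as the post suggests, does not give a number you can compare between cipher suites or keep in a bug report. Added here as an example, not code from the thread or from the OpenSSL project: a POSIX sh script that runs `openssl s_time` the way the post does, samples the process's resident set size at intervals, and applies a simple growth test to the series. It assumes a `ps` that understands `-o rss= -p PID` (Linux and the BSDs do); the `-ssl3` flag from the post is left out because SSLv3 is disabled in current OpenSSL builds, and `HOST:PORT` and the cipher name are placeholders supplied by the caller. The growth test is a heuristic of this example, not an OpenSSL facility.

```shell
# Added example: turn "watch top while s_time runs" into a scripted check.
# Assumes ps(1) supports `-o rss= -p PID`; HOST:PORT and CIPHER come from
# the caller. Not code from the thread or from OpenSSL.

# Sample the resident set size (KB) of a process every INTERVAL seconds
# until it exits or DURATION seconds have passed; one sample per line.
sample_rss() {
    pid=$1; duration=$2; interval=${3:-10}
    elapsed=0
    while [ "$elapsed" -lt "$duration" ] && kill -0 "$pid" 2>/dev/null; do
        ps -o rss= -p "$pid" | tr -d ' '
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}

# Classify a series of RSS samples (arguments or a whitespace-separated
# string). A leaking process ends well above where it started AND rises
# in most steps; a healthy one jitters around a level. Prints
# "growing <delta KB>" or "stable <delta KB>". Thresholds (10% of the
# first sample, 80% of steps upward) are this example's own choice.
rss_trend() {
    echo "$@" | tr ' ' '\n' | awk '
        NR == 1 { first = $1; prev = $1; next }
        { if ($1 > prev) ups++; else nonups++; prev = $1 }
        END {
            delta = prev - first
            steps = ups + nonups
            if (steps > 0 && delta > first / 10 && ups >= steps * 0.8)
                print "growing " delta
            else
                print "stable " delta
        }'
}

# Run s_time with one cipher suite for SECONDS and report the memory trend.
# Usage: leak_check HOST:PORT RC4-MD5 1800
leak_check() {
    target=$1; cipher=$2; seconds=${3:-1800}
    openssl s_time -connect "$target" -cipher "$cipher" -new -time "$seconds" >/dev/null 2>&1 &
    pid=$!
    samples=$(sample_rss "$pid" "$seconds" 10)
    wait "$pid" 2>/dev/null
    echo "$cipher: $(rss_trend $samples)"
}
```

Running `leak_check` once with a suspect suite and once with one that behaves gives two comparable lines, and the raw samples can be kept alongside them; the trend test deliberately ignores small jitter so a process that allocates a working set early and then holds steady is not reported as leaking.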