RE: New in SSl ....

2000-02-23 Thread GOMEZ Henri

If you're running Redhat you got the easy way :

1) You need to install openssl and openssl-devel RPM:

http://www.modssl.org/contrib/openssl-0.9.4-1.i386.rpm
http://www.modssl.org/contrib/openssl-devel-0.9.4-1.i586.rpm

2) For apache you need an SSL version of Apache :


http://www.modssl.org/contrib/apache-mod_ssl-1.3.11.2.5.0-0.6.0.i386.rpm


http://www.modssl.org/contrib/apache-mod_ssl-devel-1.3.11.2.5.0-0.6.0.i386.rpm

That's all ;-)

-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED] (. .) 
PGP KEY : 4912D659...oOOo..(_)..oOOo...
PGP Fingerprint : 8CAD0D50356DA7E45C540B010FFE39E8
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



error creating serial number index

2000-02-23 Thread Angus Lee

>= Original Message From [EMAIL PROTECTED] =

>You should include SSLeay_add_all_algorithms().

I could verify the signature using X509_REQ_verify() now.

The problem now comes to saving the index.txt file. I sign the certificate 
request, and the index.txt file is saved with information like:
V   100223091809Z  01   unknown /CN=Guest 
[EMAIL PROTECTED]

However, my program won't have that information after unknown. Later when I 
try to sign another certificate request, "error creating serial number index" 
occurred.

What caused the problem?

Angus Lee




problems with signing message digest with rsa

2000-02-23 Thread Elen Mägioja

Hi,

I have a message digest I want to sign with my RSA private key and I just
want the signature printed out on screen. I found a lot of help in
demos/sign.c but I still have problems.

The code I managed to write is added below. It seems to work ok... no
errors... the signature gets printed out... but what makes me wonder is the
output format of the signature. That's not in the format I want to get...
Shouldn't it be just ASCII? Like sdf8gdfgfdl9fdgdl+dsf8fsjgsjgjsg009dfsf9 or
something... What did I miss? Or is something totally wrong with the whole
code? Sorry if I'm acting like a real newbie but... that's exactly who I am :)

I'd highly appreciate if someone experienced took a look at the code and
pointed out what I'm doing wrong.

Elen

the code that's supposed to do the signing
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/rsa.h>
#include <openssl/objects.h>
#include <openssl/err.h>
#include <openssl/pem.h>

int main ()
{
  unsigned int siglen;
  unsigned char *sigret, data[1024];
/* plain-key.pem contains my private key*/
  static char keyfile[]  = "plain-key.pem";
/* hashfile.txt contains a message digest generated using sha1*/
  static char datafile[] = "hashfile.txt";
  RSA *pkey;
  FILE *fp, *hfp;
  int retval;

  /* Just load the crypto library error strings,
   * SSL_load_error_strings() loads the crypto AND the SSL ones */
  /* SSL_load_error_strings();*/
  ERR_load_crypto_strings();

  /* Read private key */

  fp = fopen (keyfile, "r");
  if (fp == NULL) exit (1);
  pkey = PEM_read_RSAPrivateKey (fp, NULL, NULL, NULL);
  if (pkey == NULL) { ERR_print_errors_fp (stderr); exit (1);  }
  fclose (fp);

  /* Read hashed text (one whitespace-delimited token, bounded to the buffer) */
  hfp = fopen (datafile, "r");
  if (hfp == NULL) exit (1);
  if (fscanf (hfp, "%1023s", data) != 1) exit (1);
  fclose (hfp);

  /* Sign the digest: data is passed exactly as read from the file, and its
   * strlen() is used as the digest length */
  sigret = malloc(RSA_size(pkey));
  if (sigret == NULL) exit (1);
  retval = RSA_sign(NID_sha1, data, strlen((char *)data), sigret, &siglen, pkey);
  if (!retval) { ERR_print_errors_fp (stderr); exit (1);  }
  /* sigret holds siglen raw signature bytes; puts() writes them as they are */
  puts ((char *)sigret);
  return(0);
}





Re: openssl.cnf

2000-02-23 Thread Richard Dykiel

Ulf,
just to mention, the REQ part of the documentation is not accessible from
the index page of the OpenSSL web site http://www.openssl.org/docs/

Maybe other interesting existing documents are not accessible too. As a
newcomer in OpenSSL, I wish they would.

Thanks.

- Original Message -
From: Ulf Möller <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 22, 2000 6:27 PM
Subject: Re: openssl.cnf


> On Tue, Feb 22, 2000 at 03:01:02PM -0800, vijay karthik wrote:
>
> > How do I specify the conf file path during
> > runtime? How do I get around this problem?
>
> http://www.openssl.org/docs/apps/req.html#ENVIRONMENT_VARIABLES




RE: basic...

2000-02-23 Thread Ruben Laguna-Macias (ECE)

server.csr is the certificate signing request (you send this to a CA and
they return you the server.crt which is basically the server.csr signed by
the CA)

server.crt is the certificate itself

and server.key is the private key associated with the public key on the certificate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of Osvaldo Brito
Sent: Wednesday, 23 February 2000 14:15
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: basic...


Hi,

What's the difference between these files:

server.csr, server.crt, server.key



Thank you in advance.

Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   





Re: openssl.cnf

2000-02-23 Thread frances lung-lee

You can try -config option. It looks like:

openssl req -new -key vsign.key -out vsign.req -config \YourFilePath\openssl.cnf

Frances Lung



At 03:01 PM 2/22/00 -0800, you wrote:
>hi
>
>I tried to generate a certificate request file
>using openssl on NT.  The openssl binary complains
>that /usr/local/ssl/openssl.cnf is not found.
>Command:
>openssl req -new -key vsign.key -out vsign.req
>Error:
>Using configuration from /usr/local/ssl/openssl.cnf
>Unable to load config info
>
>How do I specify the conf file path during
>runtime? How do I get around this problem?
>
>Thanks
>Vijay




Re: problems with signing message digest with rsa

2000-02-23 Thread Ulf Möller

On Wed, Feb 23, 2000 at 03:13:28PM +0200, Elen Mägioja wrote:

> The code I managed to write is added below. It seems to work
> ok... no errors... the signature gets printed out... but what makes
> me wonder is the output format of the signature. That's not in the
> format I want to get... Shouldn't it be just ASCII? Like
> sdf8gdfgfdl9fdgdl+dsf8fsjgsjgjsg009dfsf9 or something... What did I
> miss? Or is something totally wrong with the whole code? Sorry

You'd have to encode the signature in some way if you want to print
it. Base 64 encoding is provided by the EVP_EncodeInit() etc
functions, but whether or not it is appropriate to simply apply base
64 encoding to the RSA signature value depends on your application.
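
Added example (not part of the original thread and not OpenSSL code): a raw signature is binary and may contain zero bytes, so puts() stops early, while Base64 over the full siglen bytes gives printable text that decodes back to the same bytes. The encoder below is a stand-alone stand-in for the EVP_Encode* functions named in the reply; SAMPLE_SIG and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Constructed sample standing in for RSA_sign() output: raw bytes, with a
 * zero byte at offset 2, as a real signature may contain. */
static const unsigned char SAMPLE_SIG[16] = {
    0x8f, 0x1c, 0x00, 0xa7, 0x3e, 0xff, 0x0a, 0x41,
    0x00, 0xd2, 0x7b, 0x99, 0x10, 0x20, 0x30, 0x40
};

/* Bytes that puts()/strlen() would treat as "the string": everything before
 * the first zero byte. Returns siglen if there is none (puts() would then
 * run past the end of the buffer). */
size_t bytes_before_nul(const unsigned char *sig, size_t siglen)
{
    const unsigned char *z = memchr(sig, 0, siglen);
    return z ? (size_t)(z - sig) : siglen;
}

/* Encode len raw bytes as NUL-terminated Base64; caller frees the result. */
char *b64_encode(const unsigned char *in, size_t len)
{
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    size_t i = 0, o = 0;
    unsigned long v;

    if (out == NULL) return NULL;
    for (; i + 2 < len; i += 3) {
        v = ((unsigned long)in[i] << 16) | ((unsigned long)in[i + 1] << 8)
            | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (len - i > 0) {               /* 1 or 2 trailing bytes: pad with '=' */
        v = (unsigned long)in[i] << 16;
        if (len - i == 2) v |= (unsigned long)in[i + 1] << 8;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (len - i == 2) ? B64[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

/* Decode Base64 text into out (capacity cap). Returns the decoded length,
 * or -1 on malformed input or a buffer that is too small. */
long b64_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = strlen(in), i, o = 0;

    if (n % 4 != 0) return -1;
    for (i = 0; i < n; i += 4) {
        int pad = (in[i + 3] == '=') + (in[i + 2] == '=');
        unsigned long v = 0;
        int k;

        /* padding only in the last group, and never "x=y" */
        if (pad && (i + 4 != n || in[i + 3] != '=')) return -1;
        for (k = 0; k < 4; k++) {
            const char *p = (k >= 4 - pad) ? B64 : strchr(B64, in[i + k]);
            if (p == NULL) return -1;
            v = (v << 6) | (unsigned long)(p - B64);
        }
        if (o + 3 - pad > cap) return -1;
        out[o++] = (unsigned char)((v >> 16) & 0xff);
        if (pad < 2) out[o++] = (unsigned char)((v >> 8) & 0xff);
        if (pad < 1) out[o++] = (unsigned char)(v & 0xff);
    }
    return (long)o;
}

int main(void)
{
    unsigned char back[sizeof SAMPLE_SIG];
    char *text = b64_encode(SAMPLE_SIG, sizeof SAMPLE_SIG);

    if (text == NULL) return 1;
    printf("puts() would emit %lu of %lu signature bytes\n",
           (unsigned long)bytes_before_nul(SAMPLE_SIG, sizeof SAMPLE_SIG),
           (unsigned long)sizeof SAMPLE_SIG);
    printf("base64 of all bytes: %s\n", text);
    printf("round trip intact: %d\n",
           b64_decode(text, back, sizeof back) == (long)sizeof back
           && memcmp(back, SAMPLE_SIG, sizeof back) == 0);
    free(text);
    return 0;
}
```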



Re: openssl.cnf

2000-02-23 Thread Ulf Möller

On Wed, Feb 23, 2000 at 09:13:28AM -0500, Richard Dykiel wrote:

> just to mention, the REQ part of the documentation is not accessible from
> the index page of the OpenSSL web site http://www.openssl.org/docs/

You can click through the openssl(1) page. "req" is an option to the
openssl command line utility.



Re: openssl.cnf

2000-02-23 Thread Richard Levitte - VMS Whacker

dykiel> just to mention, the REQ part of the documentation is not
dykiel> accessible from the index page of the OpenSSL web site
dykiel> http://www.openssl.org/docs/

It's not available *directly*.  However, if you go in on the
"openssl(1)" link, you'll find req(1) with a link at the end of that
page.

dykiel> Maybe other interesting existing documents are not accessible
dykiel> too. As a newcomer in OpenSSL, I wish they would.

Perhaps we should list all available pages as links from the first?
It's worth considering.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-161 43  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



RE: Certificate dilemma

2000-02-23 Thread Wade L. Scholine

Are you doing a SSL_CTX_set_client_CA_list() in the server?

> -Original Message-
> From: Mario Bai [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 22, 2000 4:52 PM
> To: [EMAIL PROTECTED]
> Subject: Certificate dilemma
> 
> 
> Wondering if anyone ran into this or has a quick response. We have been
> trying to implement a solution where we can mint two types of certs, one for
> a server to serve up SSL and one for clients to stuff information into. We
> have no problem actually creating the certs, the one for the server works
> fine. The problem is on the client side. No matter what we try, when we
> "enforce" client certificates from the server's perspective (Microsoft IIS
> 4.0 spack 6), and import the client cert into the browser (either IE 5.01 or
> Netscape 4.7) neither browser recognizes the fact that there is a client
> cert loaded. We get a 403.7 error, that we have no client certs to offer the
> server.
> 
> When we use certs obtained from Verisign, no problems...
> 
> 
> Mario Bai Straticom International, Inc.
> Account Executive 1841 Broadway
> (212) 315-0500New York, NY 10023
> x410  www.straticom.com
> 
> 



Examples of Client Side Cache

2000-02-23 Thread Steve Shah

Hello,

Can anyone point me to an example of setting up and using a client side
cache?

Thanks,
-Steve


-- 
__
Steve Shah ([EMAIL PROTECTED]) | SysAdmin/Coder/Gabbernaut/DJ/Writer/Minister
http://www.planetoid.org | We're not dropping out, we're infiltrating.
~~
   Nothing says christmas like xsnow...



Re: how to convert Netscape's cert7.db to PEM?

2000-02-23 Thread Jean-Marc Beroud


I found the answer on the modssl mailing list. See:

http://marc.theaimsgroup.com/?l=apache-modssl&m=94274021419529&w=2

I compiled it on Linux, works fine.

Greets,

Jean-Marc

>Try the file http://www.e-softinc.com/cacerts.txt
>
>It contains a list of certs that were found in the
>mod_ssl package, and were supplemented with certs found
>in the cert7.db file.
>
>Thomas
>
>Jean-Marc Beroud wrote:
>> 
>> Hello,
>> 
>> How can I convert Netscape's cert7.db file into PEM format? I need one
>> particular CA root certificate contained in this file for Apache.
>>



make rules to build shared libraries in Solaris and Digital UNIX

2000-02-23 Thread Steve VanDevender

The below diff to the OpenSSL 0.9.4 Makefile.org adds rules for building
shared library versions of OpenSSL on Solaris and Digital UNIX (formerly
OSF/1, now Compaq Tru64 UNIX).  When linked against these shared
libraries the test suite passes all tests and I am successfully using
the shared libraries in production.

solaris-gcc-shared: builds Solaris ELF shared library with gcc

solaris-cc-shared: builds Solaris ELF shared library with Sun Workshop cc

osf-cc-shared: builds COFF shared library with Digital UNIX C compiler
(includes appropriate options for COFF shared library version
information)

Linkers other than GNU ld don't appear to have equivalents to the
--with-whole-archive option, so these rules extract the .o files from
the .a files created by the usual build process into openssl-0.9.4/tmp,
and link those to create the shared libraries.

--- openssl-0.9.4/Makefile.org~ Sun Aug  8 03:29:52 1999
+++ openssl-0.9.4/Makefile.org  Wed Feb 23 13:52:35 2000
@@ -206,6 +206,55 @@
ln -s lib$$i.so.${MAJOR} lib$$i.so; \
done;
 
+solaris-gcc-shared:
+   for i in ${SHLIBDIRS}; do \
+   rm -f lib$$i.a lib$$i.so \
+   lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
+   ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' 
+SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' 
+EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' 
+CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' 
+SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' 
+RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
+   ( set -x; rm -f tmp/*.o; cd tmp; ar x ../lib$$i.a; cd ..; \
+   ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
+   -Wl,-h,lib$$i.so.${MAJOR} tmp/*.o ;\
+   rm -f tmp/*.o ) || exit 1; \
+   rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
+   done;
+   @set -x; \
+   for i in ${SHLIBDIRS}; do \
+   ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
+   ln -s lib$$i.so.${MAJOR} lib$$i.so; \
+   done;
+
+solaris-cc-shared:
+   for i in ${SHLIBDIRS}; do \
+   rm -f lib$$i.a lib$$i.so \
+   lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
+   ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-KPIC ${CFLAG}' 
+SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' 
+EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' 
+CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' 
+SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' 
+RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
+   ( set -x; rm -f tmp/*.o; cd tmp; ar x ../lib$$i.a; cd ..; \
+   ${CC} -G -KPIC ${CFLAG} -o lib$$i.so.${MAJOR}.${MINOR} \
+   -h lib$$i.so.${MAJOR} tmp/*.o \
+   -lc; rm -f tmp/*.o ) || exit 1; \
+   rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
+   done;
+   @set -x; \
+   for i in ${SHLIBDIRS}; do \
+   ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
+   ln -s lib$$i.so.${MAJOR} lib$$i.so; \
+   done;
+
+osf-cc-shared:
+   for i in ${SHLIBDIRS}; do \
+   rm -f lib$$i.so lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
+   ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='${SDIRS}' 
+INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' 
+BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' 
+RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' 
+MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i 
+all || exit 1; \
+   ( set -x; rm -f tmp/*.o; cd tmp; ar x ../lib$$i.a; cd ..;\
+   ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
+   -soname lib$$i.so -set_version ${MAJOR}.${MINOR} tmp/*.o ;\
+   rm -f tmp/*.o ) || exit 1;\
+   done;
+   @set -x; \
+   for i in ${SHLIBDIRS}; do \
+   ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
+   ln -s lib$$i.so.${MAJOR} lib$$i.so; \
+   done;
+
 Makefile.ssl: Makefile.org
@echo "Makefile.ssl is older than Makefile.org."
@echo "Reconfigure the source tree (via './config' or 'perl Configure'), 
please."
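
Review bot: In all three new rules the subshell that extracts and links ends with "rm -f tmp/*.o", so "( ...; ${CC} ... tmp/*.o ; rm -f tmp/*.o ) || exit 1" always sees exit status 0 and a failed "cd tmp", "ar x" or link step never stops the build. Chain the steps with && (cd tmp && ar x ../lib$$i.a && cd .. && ${CC} ...) and do the cleanup after the status has been checked; the rules also assume tmp/ already exists, so create it or test for it first. Separately, osf-cc-shared records "-soname lib$$i.so" while both Solaris rules record lib$$i.so.${MAJOR} with -h; if that difference is intended it deserves a comment in the Makefile.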



Re: server configuration problem

2000-02-23 Thread Bodo Moeller

Osvaldo Brito <[EMAIL PROTECTED]>:

> $ openssl s_client -host localhost -port 443

> CONNECTED(0003)
> 
>[EMAIL PROTECTED]
> verify error:num=18:self signed certificate
> verify return:1
> 
>[EMAIL PROTECTED]
> verify error:num=7:certificate signature failed
> verify return:1
> 14228:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> type is not 01:rsa_pk1.c:100:
> 
> 14228:error:04067071:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:rsa_eay.c:394:
> 
> 14228:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1
> object call:a_verify.c:106:
> 
> 14228:error:140900F7:SSL routines:SSL3_GET_SERVER_CERTIFICATE:unknown
> certificate type:s3_clnt.c:793:

What client version and platform?  What software is the server
listening at port 443?



About DER and PEM Format..

2000-02-23 Thread Raul Gutierrez Rodriguez

What is the meaning of DER, PEM and PKCS12 Format?


Slds
Raul Gutierrez




Is OpenSSL supported on WinCE3.0?

2000-02-23 Thread Hakan Lindh

Trying to port OpenSSL to WinCE3.0. Has anyone done this before, and if so,
would you share the experience?
Also, is there someone that has loaded the necessary files into Visual
Studio and turned it into a project instead of using nmake??

Thanks,
/Hakan Lindh
Senior Software Engineer
Mobile Devices Division
Arcot Systems, Inc.
www.arcot.com





Re: Is OpenSSL supported on WinCE3.0?

2000-02-23 Thread John Saylor

Hi
> "HL" == Hakan Lindh <[EMAIL PROTECTED]> writes:

 HL> Trying to port OpenSSL to WinCE3.0.

Yikes! Why do you think they call it "wince" anyway?

-- 
\js

I just heard the SEVENTIES were over!!  And I was just getting in touch
 with my LEISURE SUIT!!



Re: make rules to build shared libraries in Solaris and Digital UNIX

2000-02-23 Thread Jose Roberto Fernandes

Hi Steve,

I am working intensively with openssl for Tru64. On shared libraries, I had
success (the best time results) using the following shell script:

#!/bin/sh
# osf.sh -  Shared libraries assembly for DEC ALPHA OSF/1 formerly Tru64
# 02/22/2000 by Jose Roberto Fernandes ([EMAIL PROTECTED])
#
HOME=..
EX_LIBS="-lc"
LFLAGS="-shared -std1 -O4 -msym -s -no_archive"
LIBDIR=/usr/opt/openssl/lib

SO_LOCATIONS=$HOME/so_locations

MAJOR=0
MINOR=9.5
COMPT=9
SHVERSION=${MAJOR}.$MINOR:$MAJOR.$COMPT

SHLIBCRYPTO=libcrypto.so
SHLIBSSL=libssl.so

DLIBCRYPTO=$HOME/libcrypto.a
DLIBSSL=$HOME/libssl.a

echo linking $SHLIBCRYPTO.$MAJOR.$MINOR
rm -f $HOME/$SHLIBCRYPTO.$MAJOR.$MINOR
ld $LFLAGS -set_version $SHVERSION -update_registry $SO_LOCATIONS -soname $SHLIBCRYPTO \
-o $HOME/$SHLIBCRYPTO.$MAJOR.$MINOR -all $DLIBCRYPTO -none $EX_LIBS

echo linking $SHLIBSSL.$MAJOR.$MINOR
rm -f $SHLIBSSL
rm -f $SHLIBSSL.$MAJOR.$MINOR
ld $LFLAGS -set_version $SHVERSION -update_registry $SO_LOCATIONS -soname $SHLIBSSL \
-o $HOME/$SHLIBSSL.$MAJOR.$MINOR -expect_unresolved \* -all $DLIBSSL -none $EX_LIBS

# echo copying libraries to final destination
# cp $HOME/$SHLIBCRYPTO.$MAJOR.$MINOR $LIBDIR
# cp $HOME/$SHLIBSSL.$MAJOR.$MINOR $LIBDIR

Notice that:

It is not recommended (you need to verify in your case), but I used the
highest optimization independent level (O4).
I also set up the public symbol entries table in the library itself (-msym),
saving work for the loader and reducing the dynamic memory allocation
on the fly.

Even so, I didn't reach the results obtained with openssl speed when I use archives!
A small performance difference can be measured in some digests.

We needed to test the optimization cluster level -fast (using the V5 compiler)
and -unsigned. This last one will allow better optimization of instructions
with the type unsigned char that aren't possible with char. If no math
operations are present using this data type (char), we will still improve
performance more.

I don't know if it works; it needs more tests ...

Steve VanDevender wrote:

> The below diff to the OpenSSL 0.9.4 Makefile.org adds rules for building
> shared library versions of OpenSSL on Solaris and Digital UNIX (formerly
> OSF/1, now Compaq Tru64 UNIX).  When linked against these shared
> libraries the test suite passes all tests and I am successfully using
> the shared libraries in production.
>
> solaris-gcc-shared: builds Solaris ELF shared library with gcc
>
> solaris-cc-shared: builds Solaris ELF shared library with Sun Workshop cc
>
> osf-cc-shared: builds COFF shared library with Digital UNIX C compiler
> (includes appropriate options for COFF shared library version
> information)
>
> Linkers other than GNU ld don't appear to have equivalents to the
> --with-whole-archive option, so these rules extract the .o files from
> the .a files created by the usual build process into openssl-0.9.4/tmp,
> and link those to create the shared libraries.
>
> --- openssl-0.9.4/Makefile.org~ Sun Aug  8 03:29:52 1999
> +++ openssl-0.9.4/Makefile.org  Wed Feb 23 13:52:35 2000
> @@ -206,6 +206,55 @@
> ln -s lib$$i.so.${MAJOR} lib$$i.so; \
> done;
>
> +solaris-gcc-shared:
> +   for i in ${SHLIBDIRS}; do \
> +   rm -f lib$$i.a lib$$i.so \
> +   lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
> +   ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' 
>SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' 
>EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' 
>CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' 
>SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' 
>RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
> +   ( set -x; rm -f tmp/*.o; cd tmp; ar x ../lib$$i.a; cd ..; \
> +   ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
> +   -Wl,-h,lib$$i.so.${MAJOR} tmp/*.o ;\
> +   rm -f tmp/*.o ) || exit 1; \
> +   rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
> +   done;
> +   @set -x; \
> +   for i in ${SHLIBDIRS}; do \
> +   ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
> +   ln -s lib$$i.so.${MAJOR} lib$$i.so; \
> +   done;
> +
> +solaris-cc-shared:
> +   for i in ${SHLIBDIRS}; do \
> +   rm -f lib$$i.a lib$$i.so \
> +   lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
> +   ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-KPIC ${CFLAG}' 
>SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' 
>EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' 
>CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' 
>SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' 
>RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
> +   ( set -x; rm -f tmp/*.o; cd tmp; ar x ../lib$$i.a; cd ..; \
> +   ${CC} -G -KPIC ${CFLAG} -o lib$$i.so.${MAJOR}.${MINOR} 
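
Review bot: The cleanup step of solaris-gcc-shared, "rm -f lib$$i.a; make -C $$i clean || exit 1", hard-codes make although the build step a few lines above it goes through ${MAKE}. Use ${MAKE} here as well so both steps run the same make program, and consider "( cd $$i && ${MAKE} clean )" since -C is not accepted by every make.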

strange phenomenon

2000-02-23 Thread 李武


hi.
I am dealing with PKCS7 SignedAndEnveloped data. I construct a
PKCS7 structure from given DER-encoded data, then use the function
PKCS7_dataDecode() to decode it; the function returns a BIO pointer. Using
this BIO and BIO_read, I thought I could get the clear data. But when I
read it into one buffer byte by byte, the function returns 1. After I
have read some data and want more, it returns 0 (this only occurs once). I
thought it stood for the end of the data, but when I call BIO_read, it still
has data.
Why? How can I adjust the end of data? The SSLeay
documentation said: when BIO_read returns -1, the data is over. But
when I call it, if it has no data, it will always return 0. What's more,
when I call BIO_pending, the return value is always greater than the
original raw data length. Why?

sorry for my poor english, thank you.




Re: make rules to build shared libraries in Solaris and Digital UNIX

2000-02-23 Thread Mixmaster

Steve VanDevender wrote:
> The below diff to the OpenSSL 0.9.4 Makefile.org adds rules for building
> shared library versions of OpenSSL on Solaris and Digital UNIX (formerly
> OSF/1, now Compaq Tru64 UNIX).  When linked against these shared
> libraries the test suite passes all tests and I am successfully using
> the shared libraries in production.

Are there any PIC experts in the house? Maybe Andy?

Steve's recipe builds not only the libraries but also the apps with -KPIC.
Do ld or dld.sl do anything different with that (change the memory map, etc.)?
Is there any down side to it other than the performance hit due to PIC
opcodes?

And doesn't -Kpic theoretically result in faster execution than -KPIC?
-Kpic does work for openssl.

Also, the PIC .a's are useful for linking with other DSO's for use with
things like Apache.

FWIW, I use a procedure to compile everything with -Kpic, save the resulting
libraries as libcrypto_pic.a and libssl_pic.a, link the .o's into real
shared libs, then reconfigure for non-PIC and build the static libs, and
build the apps and tests and link them to the shared libs.  But it requires
several ugly makefile hacks and it's not fit for inclusion directly in
Makefile.ssl.




Re: s_client question

2000-02-23 Thread Osvaldo Brito

Hi,

I'm configuring the apache mod-ssl. When I try the connection via
netscape browser, I get this error message:

The server's certificate has an invalid signature. You will not be able to
connect to this site securely.

At the same time, in the error_log file:

[Wed Feb 23 05:36:52 2000] [error] mod_ssl: SSL handshake failed (server
www.laplace.inesc.pt:443, client) (OpenSSL library error follows)

[Wed Feb 23 05:36:52 2000] [error] OpenSSL: error:14094412:SSL routines:
SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
certificate not server name or identical to CA!?]

[Wed Feb 23 05:52:25 2000] [error] mod_ssl: SSL handshake interrupted by
system [Hint: Stop button pressed in browser?!] (System error follows)

[Wed Feb 23 05:52:25 2000] [error] System: Connection reset by peer
(errno: 104) 

What's the problem?


By the way, does anyone know where I can find documentation to understand
the error_log (or even all the apache/logs files)?

Thank you in advance!

Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   





Re: import certificate

2000-02-23 Thread Osvaldo Brito

Hi,

I've tried to run the above command line, and I've got this stdout error
message:

Error loading private key
13988:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:610:

Any help?

Thanks in advance! 

Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   

On Mon, 21 Feb 2000, Paul Khavkine wrote:

> You have to convert the certificate with pkcs12
> Ex:
> openssl pkcs12 -export -in server.crt -name "My Certificate" -out mycert.p12
> 
> On Mon, 21 Feb 2000, Osvaldo Brito wrote:
> 
> > 
> > I want to import a certificate into a netscape browser. Which file should
> > I get (I've tried the server.crt with no success)? 
> > 
> > Osvaldo Brito
> > 
> >   [EMAIL PROTECTED] 
> >   [EMAIL PROTECTED]   
> > 
> > 



server configuration problem

2000-02-23 Thread Osvaldo Brito


Hi, 

When I execute this command line:

$ openssl s_client -host localhost -port 443

I get this stdout error message:

CONNECTED(0003)
[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
[EMAIL PROTECTED]
verify error:num=7:certificate signature failed
verify return:1
14228:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
type is not 01:rsa_pk1.c:100:

14228:error:04067071:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
failed:rsa_eay.c:394:

14228:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1
object call:a_verify.c:106:

14228:error:140900F7:SSL routines:SSL3_GET_SERVER_CERTIFICATE:unknown
certificate type:s3_clnt.c:793:


What may be the problem?

Thank you in advance.


Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   





basic...

2000-02-23 Thread Osvaldo Brito

Hi,

What's the difference between these files:

server.csr, server.crt, server.key



Thank you in advance.

Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   

