Re: engine-variant
From: John Wang [EMAIL PROTECTED]

jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw> 2576:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw> 2576:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw> 2576:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw> 2576:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw> 2576:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw> 2576:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw> 2576:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
jjw> 2576:error:0A06E004:dsa routines:d2i_DSA_SIG:nested asn1 error:dsa_asn1.c:92:
jjw>
jjw> Could you please tell what went wrong? How can I fix it?

I've found the error. It's actually there in the main branch as well, it's just never been uncovered since those operations never failed there...

The fix will be available in the snapshot that is created at 18:00 UTC today.
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
java keytool and openssl certs
I'm trying to produce certs for use with Apache Project Tomcat:

    openssl req -new -out REQ.pem -keyout KEY.pem
    openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
    openssl req -verify -in REQ.pem
    openssl req -verify -in REQ.pem -key KEY.pem
    openssl req -text -in REQ.pem

But when I try to import the CERT.pem with:

    keytool -import -v -trustcacerts -alias tomcat -file CERT.pem -

    keytool error: java.security.NoSuchAlgorithmException: MD5WITHRSA Signature not available

I succeed to install a cert signed by Thawte or signed by a dummy CA I've setup.

Thanks to point me where I'm bad since I'd like to add the reference and info about OpenSSL in the Jakarta Tomcat project.

Regards
OpenSSL availability for NT and MacOS
Hi out there,

could somebody please tell me whether Openssl is available for NT and/or MacOS in a way to have a PERL script use it as an HTTPS client like it is possible under Linux/Unix?! Maybe this is a mod_ssleay question, but I hope you know it either.

TIA, Arne
I need parameter on PEM function
The program was made with SSLeay in the past. I want to use OpenSSL but it is poorly documented. I don't know what is the last argument for PEM_write_RSAPrivateKey function? (the last arg is u)

    #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
            PEM_ASN1_write((int (*)())i2d_RSAPrivateKey,PEM_STRING_RSA,fp,\
                    (char *)x,enc,kstr,klen,cb,u)

Thanks anticipated
Narcis Suteu
DSO_WIN32 off by default on NT.
Testing the engine code in openssl-engine-0.9.6 beta1 on NT:

I found that DSO_load failed because DSO_METHOD_null was being used. A flick through the code revealed that I needed the compiler symbol DSO_WIN32 set - Surely this should be set by default on NT?

Incidentally couldn't find the definition of DEF_DSO_METHOD anywhere - but luckily I didn't have DEF_DSO_METHOD set either.

Tripped up on PCURSORINFO - but that's been mentioned by others.

Having fixed the above I found openssl s_server -engine chil worked a treat using the nCipher nfhwcrhk.dll. I tested s_server with a standard RSA key.pem file and also with a Key Management chil.pem file. Both worked.

Bertie
No Subject
Hello:

I have a problem trying to decrypt a message using RSA_private_decrypt() that was encrypted using cryptix. I use the keys generated by cryptix. Any suggestions?

Thanks
Andres
Re: ANNOUNCE: OpenSSL 0.9.6 Beta 1
OpenSSL 0.9.6-beta1 11 Sep 2000 builds and tests fine on Solaris 5.7/UltraSparc with gcc 2.95.2. That is:

    SunOS Release 5.7 Version Generic_106541-12 64-bit [UNIX(R) System V Release 4.0]
    UltraSPARC-IIi 360MHz
    gcc version 2.95.2 19991024 (release)

As usual, congratulations to the OpenSSL team.

-T.H.
stunnel configuration !
Hello all,

I have installed openssl both on my server and client and stunnel to do the tunneling between them!

In the server I run:
'stunnel -d simap -r imapd -p /usr/local/ssl/pem/stunnel.pem -v 3 '

This means that my server listens to the simap port and unencrypt the information and route it to imap port while using the server self signed certificate verification level 3!

On the client I run:
'stunnel -c -d imap -r simap -p /usr/local/ssl/pem/stunnel.pem'

When I use on the server the -v option I get an error message:

    LOG4[7685:1026]: VERIFY ERROR: depth=0 error=self signed certificate: /C=PL/ST=Some-State/O=Stunnel Developers Ltd/CN=localhost
    LOG7[7685:1026]: SSLv3 read client certificate B
    LOG7[7685:1026]: SSLv3 read client certificate B
    LOG7[7685:1026]: SSLv3 read client certificate B
    LOG3[7685:1026]: SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    LOG7[7685:1026]: pop.3 finished (0 left)

How can I solve this problem???

P.S: - I don't have any certificates under /usr/local/ssl/certs to verify!!! Should I copy the client certification stunnel.pem to /usr/local/ssl/certs??? Could this be the problem??? Is the certificate that I created by 'make cert' in the client is my client private key and should I copy it to the server as trusted key???

Please help -- if you can -- those who already implemented stunnel.

--
Regards,
Nissim Penias.
No Subject
Hello,

for a bespoke client/server application, I wish to include an extension to x509 certificates that contains an integer value only. What is the best way to set about this? I imagine I can add a completely new extension (this seems nontrivial) or perhaps overload an existing extension. Overloading looks preferable, what would be a good candidate?

regards, M.
RSA key creation from an external source (i.e file)
Hello,

I need to create an RSA (or DSA) key structure in C++ program given the fact that the key is stored in external file. This key will be the public key used for the verification of the digital signature. I have browsed the crypto(3) online documentation but I have found no easy way of doing this. Could anyone recommend a solution?

Thanks very much,
Dimitry London
RE: RSA key creation from an external source (i.e file)
> I need to create an RSA (or DSA) key structure in C++ program given the fact that the key is stored in external file. This key will be the public key used for the verification of the digital signature. I have browsed the crypto(3) online documentation but I have found no easy way of doing this. Could anyone recommend a solution?

    openssl x509 -in cert.pem -C -noout
DSA/RSA key usage in C++ program
Hello,

I need to verify a digital signature in a C++ program using a public RSA/DSA key. I have browsed crypto(3) manual pages, and can't find an easy way for reading a public key from an external file and converting it into RSA (or DSA) structure. Can anyone make a recommendation?

Thanks very much,
Dimitry London.
Adding Entropy on the fly.
I am considering calling RAND_seed at different times during my program, I was wondering what people who really understand PRNG and the openssl PRNG library would think of the following scenario:

1. Assume the application runs forever.
2. Once per day lots of random information is collected from several sources (ie, mouse moves, time between key presses etc.)
3. I take all this data and call RAND_seed with it.

I am going to improve the "randomness" of numbers from the PRNG by doing this? Or am I just wasting clock cycles?

Thanks,
Bill Browning
Client certificate help
Hi everyone.

I'm newbie with openssl. I'm running it on openbsd. I have followed the instructions and now I am able to see the webpage via https protocol. As I was reading the manual, I come across SSLVerifyClient. It caught my attention. Now I've edited httpd.conf and enabled SSLVerifyClient require.

Now my problem is, how do I create a client/personal certificate for my own testing here at home? Can you give me steps on how to do this stuff. Btw, can you also please specify the files that I need to import from my webbrowser.

Thanks in advance and any help would greatly be appreciated. :-)

Ronneil
Parsing X.509v3 extensions
HI!

I'm currently trying to parse the X.509v3 certificate extensions with the help of an ASN.1 parser module for Python. I'm somewhat stuck into detail problems since I'm a total ASN.1 newbie. Maybe I have misunderstood some concepts.

If I'm parsing the extensions do I have to use a-priori knowledge (e.g. definitions in RFC2459) to transform hard-coded to an appropriate data structure on my local platform? Or should I avoid applying such a-priori knowledge?

Any hint is appreciated.

Ciao, Michael.
RE: Using openssl to generate keys for IIS
> Some people have reported success by converting the key to NET format:
>
>     openssl rsa -in prkey.pem -outform NET -out key.net
>
> The latest snapshot of OpenSSL also has an -sgckey flag which is needed on some version of IIS which use a modified algorithm.

OK, I seem to have it working. For anyone who cares:

1) The key file must be in NET format, with a password, but can be encrypted in DES or DES3 or IDEA.
2) The password Key Manager asks for is the password to the key file (not the IUSR_hostname password as someone claimed).
3) I only managed to get it to work with key RSA moduli lengths that were a power of 2: 512, 1024, and 2048 all worked, but 2100 and 2096 didn't: IIS accepted the key, but communication failed when trying to use it.
4) The certificate file must not have any text in it before the certificate, so don't use the -text option on the x509 or ca command you sign it with.
5) SHA-1 certificate signing works, and is arguably more secure than the IIS default of MD5

So I've managed to move from 1024-bit RSA modulus with MD5 signing generated by proprietary Microsoft-written code with an unknown random number generator to a 2048-bit RSA modulus with SHA-1 signing generated by openssl where I can seed rand myself.

--Roger Dearnaley [EMAIL PROTECTED]
Re: Adding Entropy on the fly.
On Tue, Sep 12, 2000 at 09:34:41AM -0700, Bill Browning wrote:
> I am considering calling RAND_seed at different times during my program, I was wondering what people who really understand PRNG and the openssl PRNG library would think of the following scenario:
>
> 1. Assume the application runs forever.
> 2. Once per day lots of random information is collected from several sources (ie, mouse moves, time between key presses etc.)
> 3. I take all this data and call RAND_seed with it.
>
> I am going to improve the "randomness" of numbers from the PRNG by doing this? Or am I just wasting clock cycles?

Whenever you add entropy to the PRNG, its state changes. That makes it more difficult for an attacker. Adding seed on the fly is a standard technique, it is done by OpenSSH, mod_ssl, Postfix/TLS...

The most straightforward idea is to add entropy whenever random data is retrieved, but doing it on a periodic basis is also not bad. I would however think that doing it more often with a smaller amount of data is better, as an attacker that sucks large amount of data from the PRNG has more problems when the state changes often...

Go ahead,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Can anyone send me a sample about SSL client?
Hi,

I am a newcomer. I am interested in writing a client program in C to send HTTPS request and communicate with HTTPS server. But I don't know how to use OpenSSL/SSLeay suite to do so? Can you give a sample or details manual about OpenSSL/SSLeay?

thanx a lot.
David.
openssl-0.9.6-beta1 won't build on BSDI 4.1
Just tried to build 0.9.6-beta-1 on BSDI (BSD/OS) 4.1, and got a problem when building openssl. The first two lines of the "sh config" output are these:

    Operating system: i486-whatever-bsdi4
    Configuring for bsdi-elf-gcc

(That's gcc version egcs-2.91.66 19990314 (egcs-1.1.2 release))

When make'ing, way down when it's compiling "openssl" I get the following (lines wrapped for readability):

--
    gcc -o openssl -DMONOLITH -I../include -DPERL5 -DL_ENDIAN \
      -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM \
      -DRMD160_ASM openssl.o verify.o asn1pars.o req.o dgst.o dh.o \
      dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o \
      crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o \
      s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o \
      app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o \
      pkcs8.o spkac.o smime.o rand.o -L. -L.. -L../.. -L../../.. \
      -L.. -lssl -L.. -lcrypto
    speed.o: In function `speed_main':
    speed.o(.text+0xe8d): undefined reference to `ftime'
    speed.o(.text+0xf26): undefined reference to `ftime'
    speed.o(.text+0x106d): undefined reference to `ftime'
    speed.o(.text+0x1106): undefined reference to `ftime'
    speed.o(.text+0x124d): undefined reference to `ftime'
    speed.o(.text+0x12e6): more undefined references to `ftime' follow
    *** Error code 1

    Stop.
--

I already have openssl 0.9.5 installed on the system, and I'm wondering if the final link is picking up the existing library (in /usr/local/ssl/lib) and something's going on, though it doesn't look like that's the case.

Any thoughts?

Regards,
-T.H.
Re: stunnel configuration !
> I have installed openssl both on my server and client and stunnel to do the tunneling between them!
> In the server I run: 'stunnel -d simap -r imapd -p /usr/local/ssl/pem/stunnel.pem -v 3 '
> This means that my server listens to the simap port and unencrypt the information and route it to imap port while using the server self signed certificate verification level 3!
> On the client I run: 'stunnel -c -d imap -r simap -p /usr/local/ssl/pem/stunnel.pem'

Are you running these on the same machine? I'm thinking you need something more like

    client# stunnel -c -d imap -r SERVERNAME:simap
    server# stunnel -d simap -r simap -p /usr/local/ssl/pem/stunnel.pem

(client doesn't need a certificate unless you want it for addl authentication.)

For better debugging, include '-D 7' on the command line, and send its output as well as 'stunnel -V' output to the stunnel list. I'd take this off openssl. Subscribe info for the stunnel mailing list is available at http://www.stunnel.org/

> When I use on the server the -v option I get an error message:

Don't use the '-v' unless you want to verify certs. My guess is that you don't. '-v' doesn't mean verbose for stunnel.

> I don't have any certificates under /usr/local/ssl/certs to verify!!!

then don't specify '-v'. ;-)

--
Brian Hatch                  I feel like I'm
   Systems and               diagonally parked in a
   Security Engineer         parallel universe.
http://www.ifokr.org/bri/

Every message PGP signed
verify_callback and multithread
In multithread program, every thread has a client certificate verify_callback. In the verify_callback function, I need to tell the thread the err info. How can I know this verify_callback function belong to which thread?

thanks.
Crypt::SSLeay get_https() on NT
Hello everyone:

I installed Crypt-SSLeay package under perl PPM then tried to call get_https() function but got an undefined subroutine get_https() error msg. My perl version on NT box is: 5.005_03. Do you know do I need to install other package(s) on the NT box? Looks like there is no SSLeay.pm or get_https() under drive:\perl\lib\

thanks for the help
Ricky
Strange Encryption.
Hello:

I'm working on a project that I need to decrypt a message using openssl. The message was originally encrypted with cryptix. The keys were also generated with cryptix. Now I have successfully read a key in the cryptix format from a file. But I can't get to decrypt well every time. The strange thing is that sometimes the decryption works and sometimes it doesn't.

Here is something even more strange. When I encrypt a message using cryptix I get some a little bit different than when I encrypt using openssl. Looks like it is a little bit shifted. This is what I got (the entries in the buffer are separated by dots):

Message for encryption (64 bytes long):
0.2.36.-96.109.-113.-126.-14.76.85.58.91.117.31.117.-89.66.-4.-40.120.-108.123.-55.-63.-42.89.-100.-62.21.-71.35.-17.31.-14.-25.25.-13.111.48.16.-42.-19.-118.52.-52.-19.-71.-119.29.-43.18.96.-104.-23.-105.-43.50.17.-99.0.49.50.51.52.

Encrypted message using cryptix (64 bytes long):
9.-57.32.-63.-58.87.-65.21.-125.95.116.77.-22.21.-1.30.36.124.-40.-20.-86.107.-54.39.-66.-110.-55.-54.83.-10.120.95.-122.73.-15.54.66.41.-15.102.-104.-126.-37.4.-25.-65.-22.16.5.26.60.-93.85.73.90.97.32.19.61.-59.81.0.-110.-78.

Encrypted message using openssl (64 bytes long):
48.48.48.48.58.9.-57.32.-63.-58.87.-65.21.-125.95.116.77.-22.21.-1.30.36.124.-40.-20.-86.107.-54.39.-66.-110.-55.-54.83.-10.120.95.-122.73.-15.54.66.41.-15.102.-104.-126.-37.4.-25.-65.-22.16.5.26.60.-93.85.73.90.97.32.19.61.

In both cases I use no padding. Strange huh? What are those 48.48.48..???

Help please..
Thanks
Andres
Re: Serious Bug in ssl3_get_record
On Sat, Sep 09, 2000 at 09:19:34AM +0800, Fung wrote:
> If you look at the source code, you will see the following
>
> static int ssl3_get_record(SSL *s)
> [...skipped]
>         n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
>                 SSL3_RT_MAX_PACKET_SIZE,0);
>         if (n <= 0) return(n); /* error or non-blocking */
>         s->rstate=SSL_ST_READ_BODY;
>
>         p=s->packet;
>
>         /* Pull apart the header into the SSL3_RECORD */
>         rr->type= *(p++);
>         ssl_major= *(p++);    <-- WRONG!!
>         ssl_minor= *(p++);    <-- WRONG!!
>         version=(ssl_major<<8)|ssl_minor;
>         n2s(p,rr->length);
>
> If you smart enough, you will see that ssl_major and ssl_minor is wrongly assigned and will NEVER get the correct version. Because the version number is stored at the 3rd and the 4th byte of p.

According to what specification?!

According to RFC 2246 (and, similarly, the SSL 3.0 drafts), the version number immediately follows the ContentType byte. And that's also where it is located in real life:

    $ openssl s_client -debug -connect www.microsoft.com:443
    [...]
    read from 00156C48 [0015E320] (7 bytes = 7 (0x7))
    - 16 03 01 02 a9 02 ..
    0007 - SPACES/NULS
    [...]
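Added example, not part of the original message and not OpenSSL's own code: a stand-alone C parser for the 5-byte record header in the order RFC 2246 gives it (ContentType, major/minor version, length), run over the header bytes shown in the s_client dump above, alongside the value obtained if the version were instead read from the 3rd and 4th bytes. The names parse_record_header, be16_at and SAMPLE_HDR are made up for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record layer constants from RFC 2246, section 6.2. */
#define REC_HEADER_LEN 5                /* type(1) + version(2) + length(2) */
#define REC_MAX_LENGTH (16384 + 2048)   /* TLSCiphertext.length upper limit */

enum rec_status {
    REC_OK          =  0,
    REC_SHORT       = -1,   /* fewer than 5 header bytes available */
    REC_BAD_TYPE    = -2,   /* ContentType outside 20..23 */
    REC_BAD_VERSION = -3,   /* major version is not 3 */
    REC_TOO_LONG    = -4    /* length field above the protocol limit */
};

struct rec_header {
    uint8_t  type;      /* 20 ccs, 21 alert, 22 handshake, 23 app data */
    uint16_t version;   /* (major << 8) | minor */
    uint16_t length;    /* length of the fragment that follows */
};

/* First five bytes of the s_client -debug dump quoted in the message. */
static const uint8_t SAMPLE_HDR[] = { 0x16, 0x03, 0x01, 0x02, 0xa9 };

/* Big-endian 16-bit read at a byte offset (hypothetical helper). */
static uint16_t be16_at(const uint8_t *buf, size_t off)
{
    return (uint16_t)((buf[off] << 8) | buf[off + 1]);
}

/* Parse and sanity-check a record header; never reads past len bytes. */
int parse_record_header(const uint8_t *buf, size_t len, struct rec_header *out)
{
    if (buf == NULL || out == NULL || len < REC_HEADER_LEN)
        return REC_SHORT;

    out->type    = buf[0];          /* byte 1: ContentType */
    out->version = be16_at(buf, 1); /* bytes 2-3: major, minor */
    out->length  = be16_at(buf, 3); /* bytes 4-5: fragment length */

    if (out->type < 20 || out->type > 23)
        return REC_BAD_TYPE;
    if ((out->version >> 8) != 3)
        return REC_BAD_VERSION;
    if (out->length > REC_MAX_LENGTH)
        return REC_TOO_LONG;
    return REC_OK;
}

int main(void)
{
    struct rec_header h;
    int rc = parse_record_header(SAMPLE_HDR, sizeof SAMPLE_HDR, &h);

    printf("status=%d type=%u version=0x%04x length=%u\n",
           rc, (unsigned)h.type, (unsigned)h.version, (unsigned)h.length);

    /* Same bytes with the version taken from the 3rd and 4th bytes:
     * the result mixes the minor version with the high length byte. */
    printf("version if read from bytes 3-4: 0x%04x\n",
           (unsigned)be16_at(SAMPLE_HDR, 2));
    return rc == REC_OK ? 0 : 1;
}
```
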
Crypt::SSLeay
Sorry but I am a rank newbie at this. Basic question:

I want to be able to connect to a website via HTTPS and use POST to upload the contents of a file. Is this a typical use of Crypt::SSLeay. I have installed OpenSSL installed and the perl mods Crypt-SSLeay-0.17 / OpenCA-OpenSSL-0.4.51 / LWP-attic-1.00.

Thanks for taking the time to respond.
Re: DSA/RSA key usage in C++ program
Dimitry London wrote:
> Hello,
>
> I need to verify a digital signature in a C++ program using a public RSA/DSA key. I have browsed crypto(3) manual pages, and can't find an easy way for reading a public key from an external file and converting it into RSA (or DSA) structure. Can anyone make a recommendation?
>
> Thanks very much,
> Dimitry London.

I'm fighting on the same problem. Check demos/eay/loadrsa.c, this is where I started. If you reach to something please tell me.

Darío
Re: openssl-0.9.6-beta1 won't build on BSDI 4.1
From: Theodore Hope [EMAIL PROTECTED]

ssl> The first two lines of the "sh config" output are these:
ssl>
ssl> Operating system: i486-whatever-bsdi4
ssl> Configuring for bsdi-elf-gcc
ssl> speed.o: In function `speed_main':
ssl> speed.o(.text+0xe8d): undefined reference to `ftime'
ssl> speed.o(.text+0xf26): undefined reference to `ftime'
ssl> speed.o(.text+0x106d): undefined reference to `ftime'
ssl> speed.o(.text+0x1106): undefined reference to `ftime'
ssl> speed.o(.text+0x124d): undefined reference to `ftime'
ssl> speed.o(.text+0x12e6): more undefined references to `ftime' follow
ssl> *** Error code 1

Hmm, exactly this was reported for OpenBSD a few days ago. Could all BSD systems today do without ftime? In that case, is there a macro that is defined on BSD systems only and that is common to them all? Otherwise, what would the macro to identify BSDI be?

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Off topic Newbie question: IE v5 prompts for a client cert each GET.
Dear Ladies and Gentlemen,

I am writing to ask your help about perplexing browser behaviour and the usefulness, for anything but performance, of the SSL Session ID.

We would like to use the environment variable (created by apache_ + mod_ssl) SSL_SESSION_ID to identify (to an application) a transaction (such as lodging a document so that its no reputable, confidential etc).

Unfortunately, IE re prompts the user to supply a client certificate - in this case the server insists that clients validate their identity - before it gets each part of the HTTPS page. From the (mod_ssl + Apache) server point of view, the SSL session is logged as being new every time.

Please would you let me know what's going on, or where to look? Is the SSL_SESSION_ID useful for other things than eliminating the SSL Handshake (and therefore saving the cost of SSL session setup)?

Thank you.

Yours sincerely,
S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX
Re: Off topic Newbie question: IE v5 prompts for a client cert each GET.
Hi there,

On Wed, 13 Sep 2000, Stanley Hopcroft wrote:
> We would like to use the environment variable (created by apache_ + mod_ssl) SSL_SESSION_ID to identify (to an application) a transaction (such as lodging a document so that its no reputable, confidential etc).

not a recommended practise (see below).

> Is the SSL_SESSION_ID useful for other things than eliminating the SSL Handshake (and therefore saving the cost of SSL session setup)?

Not really ... SSL itself is very much not a transactional protocol so much as a stream protocol. Apart from sessions being resumable via session caching (thus avoiding SSL session setup overheads), they are also renegotiable at any time by either party regardless of what's going on at the time (yeah, this is the hollywood rendition of the spec ... light on details :-).

In other words, from SSL's point of view, it would be perfectly acceptable for either the server or browser to renegotiate the SSL session being used in the encrypted stream half-way through downloading a .gif image in a web page. From that angle, you might see that relying on sessions being held open by client and server, and renegotiated (or not) on the basis of some rational web-browsing logic is very shaky ground indeed.

In practise however, HTTPS browsers and servers typically do not behave in this way (renegotiating mid-download), at least not unless you try to prod them to do so ... but it's certainly not recommended to try and rely too much on the lifetime of SSL sessions from inside the application layer that's on top of the SSL layer, at least not in transaction type ("question"/"answer") protocols, eg. https.

Cheers,
Geoff
RE: openssl-0.9.6-beta1 won't build on BSDI 4.1
Hi all.

I am compiled on NetBSD-1.5_APLPHA2(i386) platform. I tried to build config option under below

    /bin/sh config -lcompat

I am build successful. I think to needed "-lcompat option" on some *BSD* system.

-----Original Message-----
From: Theodore Hope [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 13, 2000 3:59 AM
To: [EMAIL PROTECTED]
Subject: openssl-0.9.6-beta1 won't build on BSDI 4.1

    speed.o: In function `speed_main':
    speed.o(.text+0xe8d): undefined reference to `ftime'
    speed.o(.text+0xf26): undefined reference to `ftime'
    speed.o(.text+0x106d): undefined reference to `ftime'
    speed.o(.text+0x1106): undefined reference to `ftime'
    speed.o(.text+0x124d): undefined reference to `ftime'
    speed.o(.text+0x12e6): more undefined references to `ftime' follow
    *** Error code 1

    Stop.
--
Re: Crypt::SSLeay
Steve Gorman wrote:
> Sorry but I am a rank newbie at this. Basic question:
>
> I want to be able to connect to a website via HTTPS and use POST to upload the contents of a file. Is this a typical use of Crypt::SSLeay. I have installed OpenSSL installed and the perl mods Crypt-SSLeay-0.17 / OpenCA-OpenSSL-0.4.51 / LWP-attic-1.00.

Sure, though I have never done a file upload POST, POST is fully supported via LWP and Crypt::SSLeay. I don't know about LWP-attic though. Just use CPAN to install LWP should work fine.

--Joshua
Re: Crypt::SSLeay get_https() on NT
Ricky Sun wrote:
> Hello everyone:
>
> I installed Crypt-SSLeay package under perl PPM then tried to call get_https() function but got an undefined subroutine get_https() error msg. My perl version on NT box is: 5.005_03. Do you know do I need to install other package(s) on the NT box? Looks like there is no SSLeay.pm or get_https() under drive:\perl\lib\

Crypt::SSLeay only works under LWP, install that and you will get the functionality you want. get_https() sounds like something from the Net::SSLeay package? I don't know what would define that for you.

perldoc Crypt::SSLeay for an example usage under LWP.

-- Joshua