"make test" fails on Linux while using libsafe-1.3

2000-10-30 Thread Jim Breton

Hello, I'm using the "libsafe" library on the system on which I'm trying
to install openssl-0.9.6.  The config and make complete without
problems, but while running "make test" this happens:

./certs/ICE-root.pem: /O=European ICE-TEL project/OU=V3-Certification
Authorityerror 10 at 0 depth lookup:Certificate has expired
OK
Detected an attempt to write across stack boundary.
Terminating /home/jamesb/src/openssl-0.9.6/apps/openssl.

And from libsafe I get this in syslog:

Oct 31 00:52:41 libsafe.so[16322]: version 1.3
Oct 31 00:52:41 libsafe.so[16322]: detected an attempt to write
across stack boundary.
Oct 31 00:52:41 libsafe.so[16322]: terminating
/home/jamesb/src/openssl-0.9.6/apps/openssl
Oct 31 00:52:41 libsafe.so[16322]: overflow caused by memcpy()

I just ran "make test" in my 0.9.5a source tree (which is the version
I've been using for some time now) and it does not fail even with
libsafe enabled (via /etc/ld.so.preload).

Any hints?  Seems to me this shouldn't happen at all and may very well
be a bug, I can't think of any legitimate reason for an overflow to
occur.

P.S. Please copy me on any responses as I am not subscribed to the list.

Thank you.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Crypt::SSLeay installation problems

2000-10-30 Thread Jeff Haferman


I'm trying to install Crypt::SSLeay into my home directory on
a FreeBSD 4.0 machine.

My guess is that my installation problems stem from the fact
that I am installing into /home/me, so for example openssl
is installed in /home/me/openssl rather than /usr/local/openssl.

I did install openssl 0.9.6 fine, everything seemed to go okay
and "make test" ran fine.

But, with Crypt-SSLeay-0.17, I have problems.  I did modify
Makefile.PL by adding /usr/local/openssl to the POSSIBLE_SSL_DIRS
variable.  The make runs fine, but 'make test' gives

PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib 
-I/usr/libdata/perl/5.00503/mach -I/usr/libdata/perl/5.00503 -e 'use Test::Harness 
qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/ssl_context...Can't load 'blib/arch/auto/Crypt/SSLeay/SSLeay.so' for module 
Crypt::SSLeay: blib/arch/auto/Crypt/SSLeay/SSLeay.so: Undefined symbol "SSL_set_fd" at 
/usr/libdata/perl/5.00503/DynaLoader.pm line 169.

 at blib/lib/Crypt/SSLeay/CTX.pm line 2
 BEGIN failed--compilation aborted at t/ssl_context.t line 3.
 dubious
 Test returned status 255 (wstat 65280, 0xff00)
 FAILED--1 test script could be run, alas--no output ever seen
 *** Error code 2

Help, please?

Thanks,
Jeff





Error because of different version of libeay32.dll

2000-10-30 Thread myopenssl

Hi,
   
I encountered a strange question.

My platform is Windows2000+VC6.0.

I wrote a program based on openssl functions to generate a certificate and private key
for IIS4.0 web server. I generate files with postfix *.net and *.pem. Then I import these
two files into Key Manager (Menu: Key->Import Key->key pair file) in IIS4.0.

If my program uses openssl-0.9.5's libeay32.dll, everything is OK. *.net and *.pem can
be installed on IIS correctly. But when I use openssl-0.9.5a and openssl-0.9.6's
libeay32.dll, it shows "Can't install certificate, because you didn't input correct
password. Secure link error=80090304". (Because I use non-English Windows2000, maybe I
didn't translate this error message exactly.)

Why this happen?

Thanks in advance.




__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: problems with openssl-0.9.6 on MacOS X Server

2000-10-30 Thread Richard Levitte - VMS Whacker

From: Mark Morrill <[EMAIL PROTECTED]>

mark> > cc -o openssl -DMONOLITH -I../include -O3 -DB_ENDIAN openssl.o verify.o
mark> > asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o
mark> > pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o
mark> > gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o
mark> > app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o
mark> > smime.o rand.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto
mark> > /usr/bin/ld: Undefined symbols:
mark> > _ftime
mark> 
mark> This looks like it would be a fairly easy thing to fix - _ftime missing.
mark> However, I'm not terribly familiar with MacOS X Server...
mark> 
mark> Help? Ideas?

If you tell me a macro that identifies MacOSX, I might be able to
provide a fix.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



problems with openssl-0.9.6 on MacOS X Server

2000-10-30 Thread Mark Morrill

Hi,

I got openssl-0.9.5 on my server without really big problems.  And I just
tried it again ./config and make and it worked just fine.

However, with openssl-0.9.6, I get:

> cc -o openssl -DMONOLITH -I../include -O3 -DB_ENDIAN openssl.o verify.o
> asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o
> pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o
> gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o
> app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o
> smime.o rand.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto
> /usr/bin/ld: Undefined symbols:
> _ftime

This looks like it would be a fairly easy thing to fix - _ftime missing.
However, I'm not terribly familiar with MacOS X Server...

Help? Ideas?

tia

Mark




Compile problem (easy?) Sol 7, gcc 2.95.2

2000-10-30 Thread Banananose Maldonado

Hi All-
I've been told the best way to go when building
OpenSSL is to leave out the RSAref toolkit, since it
is no longer required in the US-- so I'm trying to
recompile OpenSSL 0.9.6 without it.  I'm getting
symbol referencing problems (below), I'm sure it must
be simple, like a bad LD_LIBRARY_PATH or something,
but I'm not seeing it.

Can someone point me in the right direction?

Thanks Mucho!

=Barry=

gcc -DMONOLITH -I../include -fPIC -DTHREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFC
N_H -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-DBN_DIV2W  -c  pkcs8.c
gcc -DMONOLITH -I../include -fPIC -DTHREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFC
N_H -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-DBN_DIV2W  -c  spkac.c
gcc -DMONOLITH -I../include -fPIC -DTHREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFC
N_H -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-DBN_DIV2W  -c  smime.c
gcc -DMONOLITH -I../include -fPIC -DTHREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFC
N_H -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-DBN_DIV2W  -c  rand.c
gcc -DMONOLITH -I../include -fPIC -DTHREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFC
N_H -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-DBN_DIV2W  -c  openssl.c
rm -f openssl
gcc -o openssl -DMONOLITH -I../include -fPIC -DTHREADS
-D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -mv8 -O3 -fomit-frame-pointer -Wall
-DB_ENDIAN -DBN_DIV2W openssl
.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o
enc.o passwd.o gendh.o errstr
.o  ca.o pkcs7.o crl2p7.o crl.o  rsa.o rsautl.o dsa.o
dsaparam.o  x509.o genrsa.
o gendsa.o s_server.o s_client.o speed.o  s_time.o
apps.o s_cb.o s_socket.o app_
rand.o version.o sess_id.o  ciphers.o nseq.o pkcs12.o
pkcs8.o spkac.o smime.o ra
nd.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L..
-lcrypto -lsocket -lnsl -ldl
Undefined                       first referenced
 symbol                             in file
sfprintf                            verify.o
sfsync                              openssl.o
sfwrite                             ../libcrypto.a(bss_file.o)
sfsscanf                            dhparam.o
sfclose                             enc.o
_sfflsbuf                           s_time.o
_Sfstdin                            openssl.o
_stdsprintf                         req.o
sfopen                              enc.o
_Sfstdout                           openssl.o
_stdprintf                          verify.o
sfpurge                             openssl.o
sfread                              ../libcrypto.a(bss_file.o)
_stdsetvbuf                         ../libcrypto.a(rand_win.o)
sfseek                              openssl.o
_Sfstderr                           openssl.o
_stdgets                            openssl.o
sfputr                              openssl.o
ld: fatal: Symbol referencing errors. No output
written to openssl
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `openssl'
Current working directory
/opt/local/src/openssl-0.9.6/apps
*** Error code 1
make: Fatal error: Command failed for target `all'
wuf:/usr/local/src/openssl-0.9.6#





RE: Books on OPENSSL and Certificates

2000-10-30 Thread Alan Roman

Eric Rescorla has also just published a book: "SSL and TLS : Designing and
Building Secure Systems" (ISBN: 0201615983).


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Luiz Carneiro
> Sent: Monday, October 30, 2000 8:01 AM
> To: [EMAIL PROTECTED]
> Subject: Books on OPENSSL and Certificates
>
>
> Hi,
>
>   I want to know if someone knows a good book, where
> I can find
> information about how to use openssl.
>
> Thanks,
>
>  Luiz Carneiro
>



Re: Books on OPENSSL and Certificates

2000-10-30 Thread Michael Kurtinitis

Hi Luiz,

You might try a search on , but the one book I have found
useful is:

"SSL and TLS Essentials" by Stephen Thomas
ISBN: 0471383546

Good luck,

Mike Kurtinitis
Mooshwerks
[EMAIL PROTECTED]

> From: Luiz Carneiro <[EMAIL PROTECTED]>
> Organization: Aquarius Tec. e Informática Ltda
> Reply-To: [EMAIL PROTECTED]
> Date: Mon, 30 Oct 2000 12:01:20 -0200
> To: [EMAIL PROTECTED]
> Subject: Books on OPENSSL and Certificates
> 
> Hi,
> 
> I want to know if someone knows a good book, where I can find
> information about how to use openssl.
> 
> Thanks,
> 
> Luiz Carneiro
> 



Problem with Win98 and Outlook client: rollback attack

2000-10-30 Thread Robert Chastain

Hello,

I've been using OpenSSL 0.95 and 0.96 with stunnel to successfully encrypt
pop3 and smtp connections from Windows NT and 98 machines running Outlook
and Outlook Express. My problem is that one of the Win98 machines running
Outlook is unable to connect using SSL. The error I get is this:


 Oct 30 08:47:42 mail stunnel[15938]: SSL_accept: error:04072073:rsa
routines:RSA_padding_check_SSLv23:sslv3 rollback attack
 Oct 30 08:48:43 mail stunnel[15939]: 192.168.0.5.pop3 connected from
192.168.0.32:1120
 Oct 30 08:48:43 mail stunnel[15939]: SSL_accept: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
 Oct 30 08:48:43 mail stunnel[15940]: 192.168.0.5.pop3 connected from
192.168.0.32:1121
 Oct 30 08:48:43 mail stunnel[15940]: SSL_accept: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol

It's not a problem with OpenSSL or stunnel as none of the other client
machines is having this problem. Has anyone seen this before?

Thanks,
Robert Chastain
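
Each error line in the post above carries OpenSSL's packed error code. The following is an added example, not part of the original message and not code from OpenSSL or stunnel: it splits each code into library, function and reason numbers using the 8/12/12-bit layout of the ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros in OpenSSL releases of this era. The sample lines are the post's log entries rejoined onto single lines; `parse_ossl_error` and `struct ossl_err` are names made up for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One decoded "error:XXXXXXXX:library:function:reason" record. */
struct ossl_err {
    unsigned long code;    /* packed 32-bit error code    */
    unsigned lib;          /* bits 31..24: library number */
    unsigned func;         /* bits 23..12: function number */
    unsigned reason;       /* bits 11..0: reason number   */
    char reason_text[64];  /* text after the last ':'     */
};

/* Returns 1 and fills *out if the line carries an error code, else 0. */
int parse_ossl_error(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    const char *last;
    size_t i, n;

    if (p == NULL)
        return 0;
    p += strlen("error:");
    for (i = 0; i < 8; i++)               /* exactly eight hex digits */
        if (!isxdigit((unsigned char)p[i]))
            return 0;
    if (p[8] != ':')
        return 0;
    out->code   = strtoul(p, NULL, 16);
    out->lib    = (unsigned)((out->code >> 24) & 0xffUL);
    out->func   = (unsigned)((out->code >> 12) & 0xfffUL);
    out->reason = (unsigned)(out->code & 0xfffUL);
    last = strrchr(p + 8, ':');           /* never NULL: p[8] is ':' */
    n = strcspn(last + 1, "\r\n");        /* drop a trailing newline */
    if (n >= sizeof(out->reason_text))
        n = sizeof(out->reason_text) - 1;
    memcpy(out->reason_text, last + 1, n);
    out->reason_text[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed input: log entries from the post, rejoined onto single lines. */
    static const char *lines[] = {
        "Oct 30 08:47:42 mail stunnel[15938]: SSL_accept: error:04072073:rsa routines:RSA_padding_check_SSLv23:sslv3 rollback attack",
        "Oct 30 08:48:43 mail stunnel[15939]: 192.168.0.5.pop3 connected from 192.168.0.32:1120",
        "Oct 30 08:48:43 mail stunnel[15939]: SSL_accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
        "Oct 30 08:48:43 mail stunnel[15940]: SSL_accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    };
    struct ossl_err e;
    size_t i;
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        if (parse_ossl_error(lines[i], &e))
            printf("%08lX lib=%u func=%u reason=%u (%s)\n",
                   e.code, e.lib, e.func, e.reason, e.reason_text);
    return 0;
}
```

Grouping log entries by the numeric library and reason fields keeps triage stable even when the message text differs between builds.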




Problem for setting CAfile in my program

2000-10-30 Thread BOILY, MARC



How can I set the locations for trusted certificates?

***
Marc Boily
CGI inc.
Consultant - Bell Canada
Solutions Informatiques en Téléphonie/Computer Telephony Solutions
930 d'Aiguillon, bureau 520
Québec, G1R 5M9
Tel.: (418) 691-1120
Fax.: (418) 691-3578


Re: Error Message : IP address does not match the server name

2000-10-30 Thread Leland V. Lammert

At 11:17 AM 10/29/00 +0800, you wrote:

>When I try to send mail or receive mail using the SSL
>connection using Outlook 98 , the following error
>message occurs . "IP address does not match the server
>name" .
>
>So , I am wondering if this is due to DNS error ?

That would mean that the Reverse DNS does not match your name - which is 
not an SSL problem. The most likely cause is the RDNS configuration on your 
DNS server - make sure that the server IP you are using correctly resolves 
to your CN.

 Lee




Re: IIS client authentication?

2000-10-30 Thread Steve Wang

Michael,

Thank you for the help!

How can I load a self-signed root certificate into the IIS trusted store?
Is IIS using the same trusted certificate store as IE? or it has its own
trusted store?

Steve

- Original Message -
From: "Michael Howard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, October 29, 2000 2:26 AM
Subject: RE: IIS client authentication?


> iis will walk up the chain 'til it reaches the root - so you need the root
> loaded in the machine store. also, by default iis5 will check the crl, if
> it's location is listed in the client cert.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Steve Wang
> Sent: Friday, October 27, 2000 11:45 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: IIS client authentication?
>
>
> Hi, all,
>
> One question for a case where strong CLIENT authentication is needed:  we
> use open ssl on client side and use Microsoft IIS on the server side. How
> will the Microsoft IIS check the validity of the client certificate?  Will
> it need to validate the whole certificate chain? Is it configurable?
>
> Thank you!
>
> Steve
>
>



Books on OPENSSL and Certificates

2000-10-30 Thread Luiz Carneiro

Hi,

  I want to know if someone knows a good book, where I can find
information about how to use openssl.

Thanks,

 Luiz Carneiro




error: unable to load 'random state'

2000-10-30 Thread Gianluca Russo




Hello,
I'm trying to install OpenSSL 0.9.6 onto a Unix machine.
During installation, after "make test", I have this error:

unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.

Can you help me ??

thanks in advance

Gianluca


RE: Error Message : IP address does not match the server name

2000-10-30 Thread John . Airey

If memory serves me correctly, a "lame" DNS record is one where a server
thinks that record is authoritative, but actually isn't. Try querying another
DNS server at random to see what it thinks is your primary DNS.

If this is what is causing you a problem it isn't related to Openssl at all.


- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Sze Yee [mailto:[EMAIL PROTECTED]]
Sent: 29 October 2000 03:17
To: [EMAIL PROTECTED]
Subject: Error Message : IP address does not match the server name


Hi, all

I have set up the openssl on a RedHat 6.1. Have
created a self-signed cert using the perl module
CA.pl.

When I try to send mail or receive mail using the SSL
connection using Outlook 98, the following error
message occurs. "IP address does not match the server
name".

I have entered my server name (host.domain) as my
common name (CN) in the certificate. I tried keying
in the IP address and the error message no longer
appears.

So, I am wondering if this is due to DNS error? (PS:
I have set up a DNS server as well. When viewing the
error log, error messages like "All A RR records are
lame")..

Thank u in advance

Regards, 
Sze Yee





Re: Help with Solaris 8 and openssl.

2000-10-30 Thread Jim Grimmett

From: "Noah Silverman" <[EMAIL PROTECTED]>
> Hi,
>
> I am new to this and need some help.
>
> I just installed openssl, and mod_ssl onto my machine.  Everything works
> fine with the "test certificate" that comes with the installation.
>
> I need to generate a request for verisign, but when I do, I get the error
> "PRNG not seeded".  I read the FAQ, but was still not sure about how to set
> this up in Solaris 8.
>
> Has anybody else discovered an easy fix for this problem?

Some of the modules need to use a Pseudo Random Number Generator
(PRNG) when building keys. Solaris 8 does not have (as default) a device
that generates random numbers so you have to seed it manually.

To do this you need to generate a seed and then initialise the PRNG with
it. Here's a rough program to generate a seed.

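#include <stdio.h>
#include <string.h>
#include <openssl/rand.h>   /* RAND_seed(), RAND_write_file() */

#define BUFFER_SIZE 512

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE + 1];
    char temp[256];
    int len = 0;

    if ( 2 != argc )
    {
        printf("usage: seedgen <filename>\n");
        return -1;
    }

    /* Collect lines from stdin until the buffer is full or input ends. */
    while ( len < BUFFER_SIZE - 1 )
    {
        size_t n;

        if ( NULL == fgets(temp, sizeof(temp), stdin) )
            break;                              /* EOF or read error */
        n = strlen(temp);
        if ( n > (size_t)(BUFFER_SIZE - len) )
            n = (size_t)(BUFFER_SIZE - len);    /* never copy past the end of buffer */
        memcpy(buffer + len, temp, n);
        len = len + (int)n;
    }
    RAND_seed(buffer, len);
    if ( RAND_write_file(argv[1]) < 0 )         /* save the seed file named on the command line */
        return -1;

    return 0;
}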

If you're going to use this I'd recommend rewriting it.
Then, to seed the PRNG you use the command:

RAND_load_file(const char *filename, long max_bytes);  /* max_bytes: number of bytes to read from the file */

where filename points to the file you saved the seed in.

Hope this helps.

Cheers, Jim.
IT Manager, Blitz The Net Ltd.

