RE: Openssl RPMs

2000-11-20 Thread John . Airey

Thank you for your reply. However, I find it confusing that RPMs are
available from the modssl site yet I am unable to contact the person who
provided them. I have managed to contact one person who tells me that he
didn't provide them, and I've had no response so far from the only other
email address mentioned in the package ([EMAIL PROTECTED]).

If the status of these RPMs is now "unsupported" then I myself am perfectly
willing to provide and support these, but I would not wish to do that unless
I know that I'm not stepping on anyone else's toes. I have plenty of machines
at my disposal to create and test these on.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -----Original Message-----
> From: Ulf Moeller [mailto:[EMAIL PROTECTED]]
> Sent: 17 November 2000 17:07
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Openssl RPMs
> 
> 
> On Fri, Nov 17, 2000, [EMAIL PROTECTED] wrote:
> 
> > I've used the source rpm for openssl 0.9.6 to create the i386 version (using
> > "rpm --rebuild openssl-0.9.6-1.src.rpm from
> 
> > Why are there no longer i386 and i586 versions being made available?
> 
> The OpenSSL project doesn't provide RPMs. You'll have to ask whoever made
> them.
> 
> The official OpenSSL source creates i486 code with a few time-critical
> parts hand-optimized for Pentium. You can replace the -m486 flag with
> -march=pentiumpro if you have a relatively new compiler.
> 
> If you need to build code that also runs on i386 machines, you must use
> the config option "386". That will cause some algorithms to be slower.
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Openssl RPMs

2000-11-20 Thread Akos Szabo

On Mon, 20 Nov 2000 [EMAIL PROTECTED] wrote:

> Thank you for your reply. However, I find it confusing that RPMs are
> available from the modssl site yet I am unable to contact the person who
> provided them. I have managed to contact one person who tells me that he
> didn't provide them, and I've had no response so far from the only other
> email address mentioned in the package ([EMAIL PROTECTED]).
I had the flu. Sorry.

> > On Fri, Nov 17, 2000, [EMAIL PROTECTED] wrote:
> >
> > > I've used the source rpm for openssl 0.9.6 to create the i386 version (using
> > > "rpm --rebuild openssl-0.9.6-1.src.rpm from
> >
> > > Why are there no longer i386 and i586 versions being made available?
The i586 or i686 optimization means that the C compiler generates code for the
right processor, not that the source code is optimized!
So i586 or i686 means that the compiler command-line options differ from
those for i486. The improvement is minimal; if it is about 4-5% I'm very
happy.

So if you would like to generate an i586 package, type this:
rpm --rebuild --target i[356]86 openssl-0.9.6-1.src.rpm

or, what I prefer:
rpm -Uvh openssl-0.9.6-1.src.rpm
cd /usr/src/redhat/SPECS
rpm -ba --target i[356]86 openssl.spec

If you would like optimized code, you need to edit
/usr/lib/rpm/macros and /usr/lib/rpm/rpmrc.
My own rpmrc file, for example:
optflags: i386 -O2 -m486 -fno-strength-reduce
optflags: i586 -O2 -fomit-frame-pointer -fno-exceptions -fno-rtti -pipe \
-s -mcpu=pentium -march=pentium -ffast-math -mieee-fp \
-fexpensive-optimizations -malign-loops=2 -malign-jumps=2 \
-malign-functions=2
optflags: i686 -O3 -march=pentiumpro -mpentiumpro -fno-strength-reduce \
-DCPU=686 -ffast-math -mieee-fp -fexpensive-optimizations \
-fomit-frame-pointer -fno-exceptions -fno-rtti -pipe -s

I stole the i586 flags from Mandrake :)

> > The official OpenSSL source creates i486 code with a few time-critical
> > parts hand-optimized for Pentium. You can replace the -m486 flag with
> > -march=pentiumpro if you have a relatively new compiler.
I replace this.
I use gcc >= 2.96 or egcs >= 1.1.2

I hope this was helpful. If you've got any questions please ask me, but I'm
a bit ill, so maybe the reply will be slow...

-- 
Ciao:
  Fonya

Computers are like airconditioners:
They stop working properly if you open windows.




Open SSL on Solaris 2.6

2000-11-20 Thread Marco Donati

Is there any place (www, ftp...) where I can download a COMPILED version of
Open-SSL (0.9.0.5a or 0.9.6) for Solaris 2.6 ?

Thanks

--
Marco Donati
Context Security -  Software
P.zza Liberazione, 25 - 20013 Magenta (MI)
Phone: ++39-02-97291291, Fax: ++39-02-97298225
E-Mail: [EMAIL PROTECTED],   Web site:http://www.csg.it
--





Re: Sending data on a socket before SSL_Accept

2000-11-20 Thread Lutz Jaenicke

On Sun, Nov 19, 2000 at 11:33:18PM -0500, Jeffrey Altman wrote:
> > 
> > Can I send data to a client via normal send() call before I call
> > SSL_Accept? I would like to send a message to my client that identifies
> > the server and its options, like if SSL is being used or not? Will this
> > mess up the SSL handshake ?
> > 
> 
> You will need to ensure that you synchronize the peers and clear the
> data channel prior to beginning the SSL/TLS handshake.
> 
> There is a security concern that you must be aware of.  Since
> everything that is being sent over the wire prior to the use of
> SSL/TLS is in plaintext, it can be tampered with.  Therefore, you
> can't trust its contents.  You absolutely should not use the contents
> of the plaintext data to determine if you should negotiate SSL/TLS.

For an example on how to use this method (cleartext first, then switch
to TLS mode), check out e.g. RFC2487 describing SMTP over TLS.
You especially don't want to identify the server (as described in the
original mail) but follow Jeffrey's advice and don't trust anything
sent in the clear. The identification is handled inside the TLS handshake
using cryptographically secured certificates (the certificate stuff inside
TLS is as important as the encryption stuff).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
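
The advice in this message, as an added example in C (not code from the posters, from OpenSSL or from RFC 2487): a client that treats the cleartext EHLO reply as untrusted, so a reply with STARTTLS missing can make a TLS-required client fail but never downgrade it, and that refuses any plaintext bytes buffered behind the STARTTLS reply. The names tls_policy, decide and plaintext_after_reply and the sample replies are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum tls_policy { TLS_OPPORTUNISTIC, TLS_REQUIRED };
enum next_step  { DO_STARTTLS, CONTINUE_PLAINTEXT, ABORT };

/* Constructed sample EHLO replies: the second is the first with the
 * STARTTLS line missing, as it would look after tampering in transit. */
static const char HONEST_REPLY[] =
    "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n";
static const char STRIPPED_REPLY[] =
    "250-mail.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n";
static const char STARTTLS_OK[]       = "220 Ready to start TLS\r\n";
static const char STARTTLS_OK_EXTRA[] = "220 Ready to start TLS\r\nRSET\r\n";

/* Return 1 if a multi-line "250-KEYWORD" / "250 KEYWORD" reply lists STARTTLS. */
static int advertises_starttls(const char *reply)
{
    const char *line = reply;
    while (*line) {
        size_t len = strcspn(line, "\r\n");
        if (len >= 4 && strncmp(line, "250", 3) == 0 &&
            (line[3] == '-' || line[3] == ' ')) {
            if (len - 4 == 8 && strncasecmp(line + 4, "STARTTLS", 8) == 0)
                return 1;
        }
        line += len;
        line += strspn(line, "\r\n");
    }
    return 0;
}

/* The policy is fixed by local configuration before connecting. Under
 * TLS_REQUIRED the cleartext reply cannot select plaintext operation:
 * the only outcomes are "start TLS" or "give up". */
static enum next_step decide(enum tls_policy policy, const char *ehlo_reply)
{
    if (advertises_starttls(ehlo_reply))
        return DO_STARTTLS;
    return policy == TLS_REQUIRED ? ABORT : CONTINUE_PLAINTEXT;
}

/* "Clear the data channel": count bytes already received after the first
 * CRLF of the reply to STARTTLS. They arrived in the clear, so a non-zero
 * count means the connection must be dropped (or the bytes discarded)
 * rather than processed once TLS is up. Returns 0 if the reply line is
 * not complete yet. */
static size_t plaintext_after_reply(const char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            return len - (i + 2);
    return 0;
}

int main(void)
{
    static const char *names[] = { "STARTTLS", "continue in plaintext", "abort" };
    printf("opportunistic, stripped reply: %s\n",
           names[decide(TLS_OPPORTUNISTIC, STRIPPED_REPLY)]);
    printf("required, stripped reply:      %s\n",
           names[decide(TLS_REQUIRED, STRIPPED_REPLY)]);
    printf("bytes buffered behind 220:     %zu\n",
           plaintext_after_reply(STARTTLS_OK_EXTRA, strlen(STARTTLS_OK_EXTRA)));
    return 0;
}
```

After the handshake the peer is identified from its certificate, and any capability list is requested again inside the TLS session rather than reused from the cleartext phase.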



RE: Openssl RPMs

2000-11-20 Thread Villy Kruse

On Mon, 20 Nov 2000 [EMAIL PROTECTED] wrote:

> 
> Thank you for your reply. However, I find it confusing that RPMs are
> available from the modssl site yet I am unable to contact the person who
> provided them. I have managed to contact one person who tells me that he
> didn't provide them, and I've had no response so far from the only other
> email address mentioned in the package ([EMAIL PROTECTED]).
> 


That is not the openssl site, though.  The modssl is something different.

BTW, is it still necessary to link from www.modssl.org to www.ssleay.org,
considering that www.ssleay.org has very little ssl related stuff?



Villy




RE: Openssl RPMs

2000-11-20 Thread John . Airey

Thank you all for your replies, especially Fonya's. 

I agree that modssl isn't openssl, but I find it odd that the RPMS for
openssl are being put on the modssl site rather than the openssl site (which
incidentally has only one contribution at www.openssl.org./contrib). Openssl
RPMS have a much wider use than just for modssl. Could they be moved? (I
think I should ask here first before asking the modssl list).

My reasons for being keen on RPMs are that I have to explain to less
technical people what we have installed and how to uninstall it if it goes
wrong. From my point of view it's easier to show someone how to install and
uninstall RPMs rather than explaining how to compile code from scratch. I'm
not averse to compiling programs with configure/make/etc., but my
colleagues wouldn't even know where to start. They don't even understand
what inetd does!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -----Original Message-----
> From: Villy Kruse [mailto:[EMAIL PROTECTED]]
> Sent: 20 November 2000 14:37
> To: [EMAIL PROTECTED]
> Subject: RE: Openssl RPMs
> 
> 
> 
> That is not the openssl site, though.  The modssl is something different.
> 
> BTW, is it still necessary to link from www.modssl.org to www.ssleay.org,
> considering that www.ssleay.org has very little ssl related stuff?
> 
> Villy




OpenSSL on MacOS X Public Beta

2000-11-20 Thread saywake

Has anybody tried to build 0.9.6 on MacOS X?
Anybody willing to try?

-KenS




x509_def.c error

2000-11-20 Thread mslygh

I have tried building both 9.5a and 9.6. I get the same error with both.

error c2220: warning treated as error - no object file generated
warning c4129: 'o' unrecognized character escape sequence.

The code is:

const char *X509_get_default_private_dir(void)
{ return(X509_PRIVATE_DIR); }

Anyone else run into this?
I am running the ntdll.mak

Mike Slygh
[EMAIL PROTECTED]



Re: SSL Certificate Installation Problem

2000-11-20 Thread Visionary Website Creations, Inc.

At 09:50 PM 11/17/00 +, you wrote:
>"Visionary Website Creations, Inc." wrote:
>> 
>> Hi,
>> 
>> I chatted via IRC with a Thawte tech for about 3 hours.  Unfortunately,
>> we're stumped.
>> 
>> Here's the problem:
>> 
>> I generated a csr for probrasive.com using SSLeay.  While trying to install
>> the resulting cert, I got the following error:
>> 
>> ns1:/vhost # /web/httpsd -d /web/ssl_conf -f /web/ssl_conf/httpd.conf
>> Reading certificate and key for server ns1.vwc.net
>> Enter PEM pass phrase:
>> Reading certificate and key for server probrasive.com
>> Error reading server certificate file
>> /usr/local/ssl/certs/probrasive.com.cert: error:02001002:system
>> library:fopen:system lib
>> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
>> error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
>> error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
>> error:0D089070:asn1 encoding routines:D2I_X509:error stack
>> error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib
>> ns1:/vhost #
>> 
>
>Strange, those error messages don't seem consistent. The first one
>suggests it can't open the file: is the file name correct and does it
>have the correct permissions?
>
>Steve.
>-- 
>Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED] 
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the   OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.


Yes.  The filename and permissions are correct.


Greg Dawson, President
Visionary Website Creations, Inc.
Post Office Box 905
Brandon, Florida 33509-0905
http://www.visionary-web.com/
[EMAIL PROTECTED]
813-661-7164 phone
801-459-4789 fax




Re: xenroll.cab for IE to auto install certificate?

2000-11-20 Thread Rick Fister

I thought this Active X control was bundled with all but the older versions of
IE...  Anyhow, I've used it with IE 5+  without problems.  Here's a link that
gives some usage examples, etc:
http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/certsrv/xen_abus_0gtv.htm

Rick

"P.K.B. Hari Gopal" wrote:

> XEnroll we used and we got it from MSDN subscription. Maybe you can check
> on MSDN site for this control. Regards
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Vincent W. S. Tam
> Sent: Friday, November 17, 2000 8:17 PM
> To: '[EMAIL PROTECTED]'
> Subject: xenroll.cab for IE to auto install certificate?
>
> Hello,
>
> Sorry, maybe this message is offtopic.
>
> I see many people mentioned the xenroll.cab ActiveX control can allow
> CA to auto insert a signed certificate into IE's database, but from where
> can I download this file?
>
> Thanks for your help! Please reply a copy to my e-mail if possible!
> Vincent



Re: Random number generation

2000-11-20 Thread Tim Newsham

> Hi,
> 
> I am a complete novice when it comes to SSL and I have had to
> incorporate OpenSSL into my project through use of a CORBA ORB I am
> using.
> 
> I have been advised that I need a random number generator to use
> OpenSSL. Is this true, and if so why? I am just trying to understand
> OpenSSL and how it works. Also, how do I go about implementing one if I
> need one?

If your OS has a dedicated randomness source such as /dev/random,
this would be a great place to grab seed information.

> Thanks in advance.
> Timothy Sim.



Re: Re: Random number generation

2000-11-20 Thread Wolfgang Häfelinger

Hi,
since I have the same problem and since there is almost no useful
documentation available, what I'm supposed to do if there is
/dev/random but it blocks? Note: Don't have /dev/urandom.

Btw, is there any useful documentation around or in progress? 

Bye, Wolfgang.

[EMAIL PROTECTED] wrote:
> > Hi,
> > 
> > I am a complete novice when it comes to SSL and I have had to
> > incorporate OpenSSL into my project through use of a CORBA ORB I am
> > using.
> > 
> > I have been advised that I need a random number generator to use
> > OpenSSL. Is this true, and if so why? I am just trying to understand
> > OpenSSL and how it works. Also, how do I go about implementing one if I
> > need one?
> 
> If your OS has a dedicated randomness source such as /dev/random,
> this would be a great place to grab seed information.
> 
> > Thanks in advance.
> > Timothy Sim.



Re: SSL Certificate Installation Problem

2000-11-20 Thread Dr S N Henson

"Visionary Website Creations, Inc." wrote:
> 
> At 09:50 PM 11/17/00 +, you wrote:
> >"Visionary Website Creations, Inc." wrote:
> >>
> >> Hi,
> >>
> >> I chatted via IRC with a Thawte tech for about 3 hours.  Unfortunately,
> >> we're stumped.
> >>
> >> Here's the problem:
> >>
> >> I generated a csr for probrasive.com using SSLeay.  While trying to install
> >> the resulting cert, I got the following error:
> >>
> >> ns1:/vhost # /web/httpsd -d /web/ssl_conf -f /web/ssl_conf/httpd.conf
> >> Reading certificate and key for server ns1.vwc.net
> >> Enter PEM pass phrase:
> >> Reading certificate and key for server probrasive.com
> >> Error reading server certificate file
> >> /usr/local/ssl/certs/probrasive.com.cert: error:02001002:system
> >> library:fopen:system lib
> >> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
> >> error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
> >> error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
> >> error:0D089070:asn1 encoding routines:D2I_X509:error stack
> >> error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib
> >> ns1:/vhost #
> >>
> >
> >Strange, those error messages don't seem consistent. The first one
> >suggests it can't open the file: is the file name correct and does it
> >have the correct permissions?
> >
> >Steve.
> >--
> >Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> >Personal Email: [EMAIL PROTECTED]
> >Senior crypto engineer, Celo Communications: http://www.celocom.com/
> >Core developer of the   OpenSSL project: http://www.openssl.org/
> >Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> 
> Yes.  The filename and permissions are correct.
> 

What does this alleged certificate look like? Can you read it with

openssl x509 -in cert.pem

or does it give a similar error? Can you include the certificate file?
It doesn't contain anything confidential and it may be packaged in an
unusual way which needs converting.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: SSL Certificate Installation Problem

2000-11-20 Thread Visionary Website Creations, Inc.

At 04:57 PM 11/20/00 +, you wrote:
>"Visionary Website Creations, Inc." wrote:
>> 
>> At 09:50 PM 11/17/00 +, you wrote:
>> >"Visionary Website Creations, Inc." wrote:
>> >>
>> >> Hi,
>> >>
>> >> I chatted via IRC with a Thawte tech for about 3 hours.  Unfortunately,
>> >> we're stumped.
>> >>
>> >> Here's the problem:
>> >>
>> >> I generated a csr for probrasive.com using SSLeay.  While trying to install
>> >> the resulting cert, I got the following error:
>> >>
>> >> ns1:/vhost # /web/httpsd -d /web/ssl_conf -f /web/ssl_conf/httpd.conf
>> >> Reading certificate and key for server ns1.vwc.net
>> >> Enter PEM pass phrase:
>> >> Reading certificate and key for server probrasive.com
>> >> Error reading server certificate file
>> >> /usr/local/ssl/certs/probrasive.com.cert: error:02001002:system
>> >> library:fopen:system lib
>> >> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
>> >> error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
>> >> error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
>> >> error:0D089070:asn1 encoding routines:D2I_X509:error stack
>> >> error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib
>> >> ns1:/vhost #
>> >>
>> >
>> >Strange, those error messages don't seem consistent. The first one
>> >suggests it can't open the file: is the file name correct and does it
>> >have the correct permissions?
>> >
>> >Steve.
>> >--
>> >Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
>> >Personal Email: [EMAIL PROTECTED]
>> >Senior crypto engineer, Celo Communications: http://www.celocom.com/
>> >Core developer of the   OpenSSL project: http://www.openssl.org/
>> >Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>> 
>> Yes.  The filename and permissions are correct.
>> 
>
>What does this alleged certificate look like? Can you read it with
>
>openssl x509 -in cert.pem
>
>or does it give a similar error? Can you include the certificate file?
>It doesn't contain anything confidential and it may be packaged in an
>unusual way which needs converting.
>
>Steve.
>-- 
>Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED] 
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the   OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.

It looks ok to me:

ns1:/usr/local/ssl/bin # ./openssl x509 -in ../certs/probrasive.com.cert
ns1:/usr/local/ssl/bin #


Greg Dawson, President
Visionary Website Creations, Inc.
Post Office Box 905
Brandon, Florida 33509-0905
http://www.visionary-web.com/
[EMAIL PROTECTED]
813-661-7164 phone
801-459-4789 fax




RE: Looking for an HTTPS client for NT C/C++

2000-11-20 Thread Harry Whitehouse

John -- Take a look at the WININET.DLL resources on the MS site.  This DLL
is the core of Internet Explorer and the API set is exposed to developers.
The user must have IE installed on their machine (although it needn't be
their default browser) for this to work.

HTH

Harry

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of John Townsend
Sent: Sunday, November 19, 2000 5:25 PM
To: [EMAIL PROTECTED]
Subject: Looking for an HTTPS client for NT C/C++


I'm looking for a basic HTTPS client program that will compile and run under NT
(preferably with VC++).  If it can just GET a page from a named HTTPS server
with authentication and echo it to standard output, that would be perfect. I've
looked at several examples already (including the ssl/cli.cpp and bio/sconnect.c
examples in the OpenSSL distribution and the SSL gadget at Darkspell), but
haven't quite found what I'm looking for.  The biggest problem is probably that
I'm a UNIX programmer, not an NT programmer, and am having various problems
getting some of these to port.  If someone could send or direct me to a better
example, I'd be most grateful.  Thanks!

--
John E. Townsend
Sr. Software Engineer
LEXIS-NEXIS
Dayton OH, USA
"Machines should work; people should think." -- IBM Pollyanna Principle
[EMAIL PROTECTED]



Re: Timeout problems?

2000-11-20 Thread Soul Fire


Hmm .. would you mind explaining where this needs to be set?

Thanks


-----Original Message-----
From:Arne Ansper [EMAIL PROTECTED]
Sent:Sat, 18 Nov 2000 15:56:06 +0200 (E. Europe Standard Time)
To:  [EMAIL PROTECTED]
Subject: Re: Timeout problems?




> > I have been running a powerbuilder app through stunnel and am
> > running across an issue where the server is waiting for the app to
> > send a command and the client is frozen.
> > The application works without sending it through a tunneling server
> > i.e. pointed directly at the Sybase server.
> >
> > Has anyone experienced a similar issue ?

out of band data perhaps. ms sql server (which is based on sybase and
uses probably same protocol) uses out of band data for cancelling pending
request. some drivers (borland's database engine for example) use this
feature, others don't. i guess that stunnel does not set OOB_INLINE on
plain sockets and this will hang the connection. enabling OOB_INLINE and
ignoring the fact that some bytes are out of band works. at least for ms
sql server. if you don't want to change stunnel, you can try ssa
(www.privador.com/ssa) which sets OOB_INLINE on all sockets and has
special mode for ms sql server too where server sets database user name
according to distinguished name from client certificate.

arne





Re: SSL Certificate Installation Problem

2000-11-20 Thread Dr S N Henson

"Visionary Website Creations, Inc." wrote:
> 
> >
> >What does this alleged certificate look like? Can you read it with
> >
> >openssl x509 -in cert.pem
> >
> >or does it give a similar error? Can you include the certificate file?
> >It doesn't contain anything confidential and it may be packaged in an
> >unusual way which needs converting.
> >
> 
> It looks ok to me:
> 
> ns1:/usr/local/ssl/bin # ./openssl x509 -in ../certs/probrasive.com.cert

Hmmm seems OK to me too. Is that the only certificate in the file?

I suppose it is possible that some other certificate it attempts to read
in somewhere is corrupt: check the trusted file or directory to see if
anything is wrong there.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: Re: Random number generation

2000-11-20 Thread Tim Newsham

> Hi,
> since I have the same problem and since there is almost no useful
> documentation  available,  what I'm supposed  to  do  if there is
> /dev/random but it blocks? Note: Don't have /dev/urandom.

you can read as much as is available, with a non-blocking
file descriptor or with FIONREAD.  If you need more randomness,
you can try to collect it by reading in as much system state as
possible and adding that to the randomness pool (examples
are output from ps, time, user list, auditing logs, whatever
else you can get your hands on).

> Btw, is there any useful documentation around or in progress? 

I don't know of any, but I'd bet you could find some somewhere,
possibly in an unrelated thread (like ssh lists, info about
using xauth, general crypto faqs, maybe a linux howto).

> Bye, Wolfgang.
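
The non-blocking read suggested in this reply, as an added example in C (not code from the poster or from OpenSSL): it takes whatever a descriptor such as /dev/random can deliver right now, reports how much is pending via FIONREAD where the descriptor supports that ioctl, and returns the shortfall that other sources would have to cover. The function names are constructed for illustration; the bytes gathered would then be passed to OpenSSL with RAND_seed() or RAND_add(), which is not done here so the block builds without the library.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Number of bytes readable right now, or -1 if the descriptor does not
 * support FIONREAD (not every device driver implements it). */
int bytes_pending(int fd)
{
    int n = 0;
    return ioctl(fd, FIONREAD, &n) == -1 ? -1 : n;
}

/* Read up to `want` bytes without ever blocking. Returns the number of
 * bytes stored in buf (possibly 0), or -1 on a real error. */
ssize_t read_available(int fd, unsigned char *buf, size_t want)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;

    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0) {
            got += (size_t)n;
            continue;
        }
        if (n == 0)
            break;                          /* end of file */
        if (errno == EINTR)
            continue;                       /* interrupted, retry */
        if (errno == EAGAIN || errno == EWOULDBLOCK)
            break;                          /* pool is empty for now */
        return -1;
    }
    return (ssize_t)got;
}

/* Bytes still missing after a partial read; these must come from
 * somewhere else before the generator counts as seeded. */
size_t entropy_shortfall(size_t want, size_t got)
{
    return got >= want ? 0 : want - got;
}

int main(void)
{
    unsigned char seed[32];
    int fd = open("/dev/random", O_RDONLY);
    if (fd == -1) {
        perror("open /dev/random");
        return 1;
    }
    ssize_t got = read_available(fd, seed, sizeof seed);
    close(fd);
    if (got == -1) {
        perror("read");
        return 1;
    }
    printf("got %zd of %zu bytes, %zu still needed\n",
           got, sizeof seed, entropy_shortfall(sizeof seed, (size_t)got));
    return 0;
}
```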



Re: SSL Certificate Installation Problem

2000-11-20 Thread Visionary Website Creations, Inc.

At 07:54 PM 11/20/00 +, you wrote:
>Hmmm seems OK to me too. Is that the only certificate in the file?
>
>I suppose it is possible that some other certificate it attempts to read
>in somewhere is corrupt: check the trusted file or directory to see if
>anything is wrong there.
>
>Steve.

There is one other certificate referenced in the httpsd.conf file.  I'm
sure that the error is not with the other cert, because I can remove the
probrasive.com virtual host information and https boots just fine.

I'm unclear as to what you mean by "check the trusted file or directory"
... what specifically should I do?

Thanks,


Greg Dawson, President
Visionary Website Creations, Inc.
Post Office Box 905
Brandon, Florida 33509-0905
http://www.visionary-web.com/
[EMAIL PROTECTED]
813-661-7164 phone
801-459-4789 fax




Re: SSL Certificate Installation Problem

2000-11-20 Thread Dr S N Henson

"Visionary Website Creations, Inc." wrote:
> 
> At 07:54 PM 11/20/00 +, you wrote:
> >Hmmm seems OK to me too. Is that the only certificate in the file?
> >
> >I suppose it is possible that some other certificate it attempts to read
> >in somewhere is corrupt: check the trusted file or directory to see if
> >anything is wrong there.
> >
> >Steve.
> 
> There is one other certificate referenced in the httpsd.conf file.  I'm
> sure that the error is not with the other cert, because I can remove the
> probrasive.com virtual host information and https boots just fine.
> 
> I'm unclear as to what you mean by "check the trusted file or directory"
> ... what specifically should I do?
> 

There should be either a load of trusted certificates in a single file
or a directory containing them. If you are using client authentication
then it may try to read the whole lot in. If one is corrupt then this
could be a problem.

Actually now I look at the error message:

error:0B067002:x509 certificate routines:X509_add_cert_file:system lib

I can't find the relevant function in OpenSSL: does it give *exactly*
the same error? If so then I suggest you get the function to print out
the file it is trying to load when it gets the error and then examine
it.

Alternatively try using the s_server utility as a test server to check
it works OK.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: Timeout problems?

2000-11-20 Thread Soul Fire

Thanks for pointing me in the direction of the thread. I compiled the patched 
version ... however, I noticed two things :

1- When compiling with HPUX 10.20 + gcc (or cc) + openssl-0.9.5a I get the following 
error :
cc: "/openssl-0.9.5a/include/openssl/stack.h", line 82: error 1000: Unexpected symbol: 
"*".

2- the package compiles on linux (RH 7.0) but does not produce consistent results i.e. 
the client will connect once - I exit and reconnect and it will fail ! I also 
experience the same issue from different machines and different versions of Windows.

Any word folks ?

Thanks for your help.


Regards


-----Original Message-----
From:Lutz Jaenicke [EMAIL PROTECTED]
Sent:Fri, 17 Nov 2000 23:11:06 +0100
To:  [EMAIL PROTECTED]
Subject: Re: Timeout problems?


On Fri, Nov 17, 2000 at 01:44:48PM -0800, Soul Fire wrote:
> I have been running a powerbuilder app through stunnel and am running across an 
>issue where the server is waiting for the app to send a command and the client is 
>frozen.
> The application works without sending it through a tunneling server i.e. pointed 
>directly at the Sybase server.
> 
> Has anyone experienced a similar issue ?

I vaguely remember that somebody stated something similar with stunnel.
There is a set of patches available at www.stunnel.org, in the stunnel
mailing list there is a discussion concluding that this solves the problem.
Watch out for the thread
   Stunnel stall and SSL_want_*, SSL_pending (fix 2?)
on
   http://marc.theaimsgroup.com/?l=stunnel-users

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: Timeout problems?

2000-11-20 Thread Lutz Jaenicke

On Mon, Nov 20, 2000 at 03:46:22PM -0800, Soul Fire wrote:
> Thanks for pointing me in the direction of the thread. I compiled the patched
> version ... however, I noticed two things :
>
> 1- When compiling with HPUX 10.20 + gcc (or cc) + openssl-0.9.5a I get the
> following error :
> cc: "/openssl-0.9.5a/include/openssl/stack.h", line 82: error 1000: Unexpected
> symbol: "*".

This seems to be somewhat odd. At line 82 in stack.h, there is a STACK *
used and the error message means that STACK is not understood. I have seen
behaviour like this when forgetting to include other header files, as
STACK is however a typedef only several lines above in the same file, this
does not apply here. Seems, either your stack.h or your compiler is messed up.
Are there no error messages preceding this error?? 

Too late to download stunnel and try myself tonight :-)

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Using OPENSSL toolkit

2000-11-20 Thread Hegde, Ramdas

Hello All

I am new to the SSL world and have this task to write an application which
talks to another application using SSL_RSA_WITH_RC4_128_MD5.
I have downloaded and installed the OPENSSL toolkit.
I am looking for something like a programming reference to guide me thru the
steps necessary to achieve this task.
Any pointers to books / web pages will be appreciated.

Thanks




RE: Timeout problems?

2000-11-20 Thread Michael Wojcik

> From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 20, 2000 6:02 PM

> On Mon, Nov 20, 2000 at 03:46:22PM -0800, Soul Fire wrote:
> > 1- When compiling with HPUX 10.20 + gcc (or cc) + openssl-0.9.5a I
> > get the following error :
> > cc: "/openssl-0.9.5a/include/openssl/stack.h", line 82: error 1000:
> > Unexpected symbol: "*".

> This seems to be somewhat odd. At line 82 in stack.h, there is a STACK *
> used and the error message means that STACK is not understood. I have seen
> behaviour like this when forgetting to include other header files, as
> STACK is however a typedef only several lines above in the same file, this
> does not apply here. Seems, either your stack.h or your compiler is messed
> up.  Are there no error messages preceding this error??

It's possible that there's a typedef or #define for "STACK" in something
included before stack.h's STACK typedef, possibly in one of the system
headers.

A quick find-xargs-grep through /usr/include on my 10.10 system didn't find
anything, but since the OP is on 10.20 and there may be model series
differences as well, that doesn't prove anything.  I don't have the OpenSSL
source handy to try building on that box.

(Generally speaking, using an identifier like "STACK" in open source C
software is not a great idea.  That's precisely the kind of name an
implementation or user is likely to tromp on.  Portable C code should strive
to use restricted, well-defined portions of namespace.  It's probably too
late to fix OpenSSL now, though.)

Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
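
The header search described in the message above (a find-xargs-grep through /usr/include for something that claims the name "STACK") can be written out as follows. This is an added example, not part of the original message; the function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# find_ident_defs DIR IDENT
# Print "file:line:text" (sorted) for every header under DIR in which
# IDENT is claimed by a #define or by a typedef.
find_ident_defs() {
    dir=$1
    ident=$2
    # Accept only a plain C identifier so it is safe to splice into a regex.
    case $ident in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "bad identifier: $ident" >&2
            return 2 ;;
    esac
    # "#define IDENT": object-like or function-like macro, not IDENT_FOO.
    def="^[[:space:]]*#[[:space:]]*define[[:space:]]+${ident}([^A-Za-z0-9_]|\$)"
    # typedef naming IDENT: either on one line, or the closing "} IDENT;"
    # of a multi-line struct typedef.
    tdef="(typedef[^;]*[^A-Za-z0-9_]|[}][[:space:]]*)${ident}[[:space:]]*;"
    # /dev/null makes grep print file names even when given one file;
    # "-exec ... {} +" batches file names the way "find | xargs" does.
    find "$dir" -type f -name '*.h' \
        -exec grep -nE -e "$def" -e "$tdef" /dev/null {} + | sort
}

# make_demo_tree DIR: constructed sample headers, not real system files.
make_demo_tree() {
    mkdir -p "$1/sys" "$1/openssl"
    # A stand-in "system" header that takes the name first, plus a
    # near-miss (STACK_SIZE) that must not be reported.
    printf '#define STACK 64\n#define STACK_SIZE 8\n' > "$1/sys/demo_param.h"
    # A library header that typedefs the same name and then uses it.
    printf 'typedef struct stack_st\n\t{\n\tint num;\n\t} STACK;\nSTACK *sk_new(void);\n' \
        > "$1/openssl/stack.h"
    # More near-misses: a longer identifier and a different typedef name.
    printf 'extern int STACKS;\ntypedef int STACK_T;\n' > "$1/sys/noise.h"
}

# Demo on the constructed tree: two hits expected, one per claimant.
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
find_ident_defs "$demo_dir" STACK
rm -rf "$demo_dir"
```

On a real system the call would be `find_ident_defs /usr/include STACK`; any hit outside OpenSSL's own stack.h is a candidate for the collision suggested above.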



Installed.. Making a Cert

2000-11-20 Thread Brock Noland



Ok I have OpenSSL installed.. Now, being used to good docs, I don't know how
to configure it for my use. Is there any documentation out there?? I am
running linux on a i586..

Thanks

Brock




Build Problem Latest Release

2000-11-20 Thread James Goruk



I was trying to build

2086131 Sep 24 17:46:22 2000 openssl-0.9.6.tar.gz  [LATEST]

And I got two errors

1.
cl /Fotmp32dll\rand_win.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll /GD -D_WINDLL -D_DLL -c .\crypto\rand\rand_win.c
rand_win.c
.\crypto\rand\rand_win.c(581) : error C2400: inline assembler syntax error in 'opcode'; found 'newline'
NMAKE : fatal error U1077: 'cl' : return code '0x2'

2.
Building OpenSSL
link /nologo /subsystem:console /machine:I386 /opt:ref /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\TEMP\nma00322.
tmp32dll\rc5ofb64.obj : fatal error LNK1136: invalid or corrupt file
NMAKE : fatal error U1077: 'link' : return code '0x470'
Stop.

Just thought I'd send it in.


somebody has told me to compile without RSAREF

2000-11-20 Thread Randy Danielson

Hello,

I am trying to configure a Red Hat 7 server per a developer's specs.  The SSL
specs are:

openssl-0.9.6
Net_SSLeay.pm-1.05

He told me that I need to compile openssl without RSAREF.  What are the
steps/commands to use to compile OpenSSL without RSAREF?

Thanks,
Randy Danielson

Active Computing
Fax/Voice Mail: (503) 296-2229





compiling openssl-0.9.6 without RSAREF

2000-11-20 Thread Randy Danielson

Hello,

I am trying to configure a Red Hat 7 server per a developer's specs.  The SSL
specs are:

openssl-0.9.6
Net_SSLeay.pm-1.05

He told me that I need to compile openssl without RSAREF.  I guessed this is
the way to do that.  Since I had already installed it, I did a make clean
first:

cd /usr/local/src
make clean
./config -no-rsaref
make
make test
make install

Does anybody know if that is correct?

Thanks,
Randy

