Re: Compile error
On 5 Dec, Tsang, Kevin wrote:
> Hi, I'm having make problems on openssl-0.9.6 on NetBSD-1.4.3 (sparc):
>
> gcc -o openssl -DMONOLITH -I../include -DTHREADS -D_REENTRANT -DTERMIOS -O3 [...] rand.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto
> speed.o: Undefined symbol `_ftime' referenced from text segment
> speed.o: Undefined symbol `_ftime' referenced from text segment
> collect2: ld returned 1 exit status

See ftime(3).

--
bye, Jochen
Homepage: http://www.unixag-kl.fh-kl.de/~jkunz/

__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        [EMAIL PROTECTED]
Automated List Manager           [EMAIL PROTECTED]
Re: OpenSSL on AIX 4.3.3
Hi,

you'll find it pre-packaged (www.bull.com)

cu
tobias

> I followed the instructions and ran ./config and then /bin/make and during
> the make I got this:
>
> ... (lots of successful compiles) ...
> making all in crypto/buffer...
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c buffer.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c buf_err.c
> ar r ../../libcrypto.a buffer.o buf_err.o
> /bin/ranlib ../../libcrypto.a
> Target "all" is up to date.
> making all in crypto/bio...
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bio_lib.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bio_cb.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bio_err.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_mem.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_null.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_fd.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_file.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_sock.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_conn.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bf_null.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bf_buff.c
> cc -I.. -I../../include -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c b_print.c
> cc: 1501-230 Internal compiler error; please contact your Service Representative
> make: 1254-004 The error code from the last command is 40.
> (more errors before stopping)
> ---
> What the hey?
> Anyone got any ideas?
Verifying DSA signature made by java
Hello all,

I'm having troubles verifying a DSA signature created by a java application with an openSSL application. When I use an openSSL application that creates this signature, instead of the java one, everything's working just fine.

The scenario: The java based application (the client) creates private/public (DSA) keys and sends the public key to the openSSL application (the server). The server creates a random bytes array and sends it to the client. Now the client signs this array and sends the signature to the server for verification using the public key. The verification always fails!

The communication between the java client and the openSSL server is not concerning me right now (jsse is not involved. yet). My question is purely cryptographic - why can't openSSL verify a DSA signature made by java?

I've been searching the archives and had the feeling that I'm not the only one who encountered such a problem, but never got an eye-opening answer. I'd be more than happy to hear any idea.

Thanks,
Ronen.

BTW. I seem to be able to create in openSSL the (java's) public key with d2i_DSA_PUBKEY but not with d2i_DSAPublicKey. I guess it's because java is using "certificate format".
Re: Re: cipher suite issue?
Lutz,

Thanks for the quick response... I tried the same test you ran and it worked. However, I'm inclined to think that it might be something in OpenSSL on the client side. In its current configuration, the server handles DES-CBC3-SHA requests from my java client perfectly, so I don't think it's a server issue. My server is using openssl-0.9.4. I cannot upgrade the server to any higher version because of incompatibilities with our crypto card. I upgraded to openssl-0.9.6 on the client side (because that's what you were using) and it didn't help. Can you think of anything else I could try?

Also, could you (or anyone else) comment on the use of EDH-RSA-DES-CBC3-SHA vs. DES-CBC3-SHA? I'm looking for the cipher suite that will yield the best performance/security.

Thanks again,
Jeff
Re: Still got problems initialising cert in DLL
Colin Chalmers wrote:
>
> Hi,
>
> Since there was no response on the earlier posting here's a second chance
> perhaps explaining the problem better.
>
> The code at the bottom works for me when used within the same program
> however when I pass the (vtrCertStatus) structure to a DLL, although I can
> access the memory using other *means*, I cannot init a cert.
> I've looked in the list server and see possible problems with multithreaded
> apps. however if that was the case here surely I wouldn't be able to access
> the memory at all. Or am I missing something?
>
> Any help much appreciated.
>
> /colin
>
> X509 *cert = NULL;
>
> SSLeay_add_all_algorithms();
> ERR_load_crypto_strings();
>
> cert = d2i_X509(NULL, (unsigned char **)&vtrCertStatus[0].cs_entityCert.b_data,
>                 (long)vtrCertStatus[0].cs_entityCert.b_size);
>
> if (cert != NULL) {
>     X509_NAME *name = NULL;
>     name = X509_get_subject_name(cert);
> }
>
> X509_free(cert);
>

Well since I've no idea what that vtrCertStatus structure does any analysis is somewhat limited. However because you presumably have to use the (unsigned char **) cast and because I'd guess it's an internal pointer that looks questionable. Do you really want the call to modify .b_data after it has been made?

Reading the FAQ might help. Particularly the bits about how to get further info if a function fails and how to use the ASN1 functions.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
To Mr. Brahm Windeler for Key Gen.. in IE
Hi Mr Windeler

Thank you for your suggestions. Could you please help me with your ActiveX control SDK for key generation in IE and/or signing in IE?

Please reply to this mail id: [EMAIL PROTECTED]

Thanks again,
Tridib
Different meanings/effects of verify depth?
Hi,

I've been investigating the way that verify depth works in OpenSSL, and I've managed to confuse myself over what it actually means. It seems to be used in two places, with different meanings and/or effects.

1. In the verify_callback example in s_cb.c. Here the verify depth is set as a global variable. If a verify error occurs, the callback is called, and the depth of the error is checked against the global variable. If the error is below the global variable, it is ignored. The effect of this is that we only check to the depth of the verify depth variable. So if I have a chain RootCA/SigningCA/PeerCert, and a verify depth of 1, Root CA is checked first, at depth 2. An error here will be ignored. The Signing CA is checked next, at depth 1, and the Peer Cert last at depth 0. Any errors here are returned to the caller. The effect then is to limit the checking to the depth set.

2. In the SSL_CTX_set_verify_depth() function. If we use this function, it seems that we actually change the start point of verify checking. Setting the verify depth to 1, with the same chain, starts the verify checking at the Signing CA, and this will fail with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. If this is ignored, a second error, X509_V_ERR_CERT_UNTRUSTED, is detected.

From this, I wonder what the point of the SSL_CTX_set_verify_depth() function is, apart from limiting the depth of the search, i.e. barring chains that are too long. In any case it does seem to be the same purpose as the verify depth functionality in (1).

Can anybody clarify this confusion? My problem arises because I assumed that the real purpose of verify depth was that in (1), but as I have to handle multiple SSL configurations in parallel, that was not really compatible with the use of global variables. I was expecting the SSL_CTX_set_verify_depth() function to give me that context (in both senses of the word) sensitive functionality. And it does not.

Thanks,
G.
Re: WinSock& SSL
On Tue, Dec 05, 2000 at 11:33:14AM -0500, Sudeep Sudhakaran wrote:
>
> This is one solution which I have thought of.
> But what is bothering me is, why doesn't the OpenSSL library return an error if
> the client doesn't initiate a handshake. There can be lot of scenarios in
> which this happens. What if somebody who just knows the server's ip address
> and port number, tries to connect to the server.
> I am not talking about an external person but an Internal person.
>
> In this scenario, Server hangs...

Yes, the server hangs. It cannot be avoided. The SSL library has no idea on whether the client will send a data packet or not. Maybe the client is waiting for some user interaction.

The only way to overcome this problem is by introducing a timeout to the _application_. If the server waited too long without something happening, the connection is shut down. This is however the responsibility of the application. How should the OpenSSL library decide which timeout would be reasonable? Only the application knows the facts!!

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: Still got problems initialising cert in DLL
On Tue, Dec 05, 2000 at 05:18:47PM +0100, Colin Chalmers wrote:
> Hi,
>
> Since there was no response on the earlier posting here's a second chance
> perhaps explaining the problem better.
>
> The code at the bottom works for me when used within the same program
> however when I pass the (vtrCertStatus) structure to a DLL, although I can
> access the memory using other *means*, I cannot init a cert.
> I've looked in the list server and see possible problems with multithreaded
> apps. however if that was the case here surely I wouldn't be able to access
> the memory at all. Or am I missing something?
>
> Any help much appreciated.
>
> /colin
>
>
> X509 *cert = NULL;
>
> SSLeay_add_all_algorithms();
> ERR_load_crypto_strings();
>
> cert = d2i_X509(NULL, (unsigned char **)&vtrCertStatus[0].cs_entityCert.b_data,
>                 (long)vtrCertStatus[0].cs_entityCert.b_size);

Disclaimer: I don't have the slightest idea about DLLs (Windows).

You are passing data to the d2i_X509() function. d2i_X509() returns NULL. This at least means that d2i_X509() received some useful pointer, so that it could return "failure". (Otherwise you might have faced a segmentation fault.)

Did you check out the error stack?

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: WinSock& SSL
This is one solution which I have thought of.
But what is bothering me is, why doesn't the OpenSSL library return an error if the client doesn't initiate a handshake. There can be lot of scenarios in which this happens. What if somebody who just knows the server's ip address and port number, tries to connect to the server.
I am not talking about an external person but an Internal person.

In this scenario, Server hangs...

Thanks a lot.
Sudeep

>From: Lutz Jaenicke <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: WinSock& SSL
>Date: Tue, 5 Dec 2000 16:48:16 +0100
>
>On Tue, Dec 05, 2000 at 09:51:02AM -0500, Sudeep Sudhakaran wrote:
> > Thanx for the generic information... My client server program works in a
> > non-secured environment. If a ssl-client tries to connect, connection is
> > accepted for a secured server. But if a non-ssl client connects, the access
> > permissions client has will be limited. But both has to connect to the same
> > port number because of design criteria.
> > Only way I can figure out that this is a non-ssl client is by initiating a
> > server handshake. But SSL_Accept function waits till the client initiates a
> > handshake and the program hangs right there..
>
>It seems that you have a protocol problem. Your normal (non-ssl) protocol
>expects the server to speak first while ssl expects the client to speak
>first. There is probably no clean solution to it.
>In stunnel they try to provide a similar functionality by guessing, whether
>to use (SMTP with SSL tunneling) vs. (STARTTLS extension to SMTP). They
>do so by waiting whether there is client input. In this case, SSL is
>assumed.
>This can only be done by waiting for the client to time-out.
>You could e.g. perform a select() on the input channel to see, whether the
>client sends data. In this case, initiate SSL_accept(). If it did not until a
>certain period of time is exceeded, you assume non-SSL and have the server
>initiate the non-SSL protocol.
>
>Don't ask me what the Windows replacement for select() is...
>
>Having this said, you should rather fix your protocol or setup to avoid
>this problem at all.
>
>Best regards,
>	Lutz
>--
>Lutz Jaenicke                             [EMAIL PROTECTED]
>BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
>Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
>Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Still got problems initialising cert in DLL
Hi,

Since there was no response on the earlier posting here's a second chance perhaps explaining the problem better.

The code at the bottom works for me when used within the same program however when I pass the (vtrCertStatus) structure to a DLL, although I can access the memory using other *means*, I cannot init a cert.
I've looked in the list server and see possible problems with multithreaded apps. however if that was the case here surely I wouldn't be able to access the memory at all. Or am I missing something?

Any help much appreciated.

/colin

    X509 *cert = NULL;

    SSLeay_add_all_algorithms();
    ERR_load_crypto_strings();

    cert = d2i_X509(NULL, (unsigned char **)&vtrCertStatus[0].cs_entityCert.b_data,
                    (long)vtrCertStatus[0].cs_entityCert.b_size);

    if (cert != NULL) {
        X509_NAME *name = NULL;
        name = X509_get_subject_name(cert);
    }

    X509_free(cert);
Re: WinSock& SSL
On Tue, Dec 05, 2000 at 09:51:02AM -0500, Sudeep Sudhakaran wrote:
> Thanx for the generic information... My client server program works in a
> non-secured environment. If a ssl-client tries to connect, connection is
> accepted for a secured server. But if a non-ssl client connects, the access
> permissions client has will be limited. But both has to connect to the same
> port number because of design criteria.
> Only way I can figure out that this is a non-ssl client is by initiating a
> server handshake. But SSL_Accept function waits till the client initiates a
> handshake and the program hangs right there..

It seems that you have a protocol problem. Your normal (non-ssl) protocol expects the server to speak first while ssl expects the client to speak first. There is probably no clean solution to it.

In stunnel they try to provide a similar functionality by guessing, whether to use (SMTP with SSL tunneling) vs. (STARTTLS extension to SMTP). They do so by waiting whether there is client input. In this case, SSL is assumed. This can only be done by waiting for the client to time-out.

You could e.g. perform a select() on the input channel to see, whether the client sends data. In this case, initiate SSL_accept(). If it did not until a certain period of time is exceeded, you assume non-SSL and have the server initiate the non-SSL protocol.

Don't ask me what the Windows replacement for select() is...

Having this said, you should rather fix your protocol or setup to avoid this problem at all.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
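The select()-then-decide approach Lutz sketches above, written out as an added example (this is not code from the thread, from stunnel or from OpenSSL): the server waits a bounded time for the client to speak first and peeks at the bytes without consuming them, so a later SSL_accept() still reads the ClientHello itself. The framing rules used to recognise an SSL/TLS hello, the sample byte strings and the timeout value are assumptions of this example; only the POSIX socket API is used, no OpenSSL linkage.

```c
/* Added example: decide whether a freshly accepted client speaks first
 * (SSL/TLS) or expects the server to speak first (plain protocol), using
 * select() with a timeout and recv(MSG_PEEK). The peek leaves the bytes in
 * the socket, so SSL_accept() would still see the whole ClientHello. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

enum peer_kind {
    PEER_TIMEOUT = 0, /* client sent nothing in time: treat as non-SSL or drop */
    PEER_TLS,         /* looks like an SSL/TLS handshake: hand to SSL_accept() */
    PEER_PLAIN,       /* client spoke first, but not SSL: reject or serve plain */
    PEER_CLOSED,      /* client went away before sending anything */
    PEER_ERROR
};

/* Heuristic on the first bytes only (assumption: SSLv3/TLS record framing,
 * plus the SSLv2-compatible ClientHello that clients of that era still sent). */
enum peer_kind classify_first_bytes(const unsigned char *b, size_t n)
{
    if (n == 0)
        return PEER_CLOSED;
    /* SSLv3/TLS record: content type 22 (handshake), protocol major version 3 */
    if (n >= 3 && b[0] == 0x16 && b[1] == 0x03)
        return PEER_TLS;
    /* SSLv2-compatible hello: 2-byte length with high bit set, then msg type 1 */
    if (n >= 3 && (b[0] & 0x80) && b[2] == 0x01)
        return PEER_TLS;
    return PEER_PLAIN;
}

/* Wait at most timeout_ms for the client to send something, then peek at it.
 * The timeout is the application's decision, as Lutz points out. */
enum peer_kind sniff_client(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    unsigned char buf[16];
    ssize_t n;
    int rc;

    for (;;) {
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (rc >= 0 || errno != EINTR)
            break;               /* retry only when a signal interrupted us */
    }
    if (rc < 0)
        return PEER_ERROR;
    if (rc == 0)
        return PEER_TIMEOUT;
    n = recv(fd, buf, sizeof buf, MSG_PEEK);   /* does not consume the data */
    if (n < 0)
        return PEER_ERROR;
    return classify_first_bytes(buf, (size_t)n);
}

/* Constructed sample inputs (not captured traffic). */
static const unsigned char SAMPLE_TLS_HELLO[] = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b };
static const unsigned char SAMPLE_V2_HELLO[]  = { 0x80, 0x2e, 0x01, 0x03, 0x01 };
static const unsigned char SAMPLE_PLAIN[]     = "HELO client.example\r\n";

/* One scenario over an AF_UNIX socketpair: the "client" end writes n bytes
 * (possibly none) and optionally hangs up; the "server" end sniffs. */
int run_scenario(const unsigned char *first, size_t n, int close_client, int timeout_ms)
{
    int sv[2], verdict;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return PEER_ERROR;
    if (n > 0 && write(sv[1], first, n) != (ssize_t)n) {
        close(sv[0]); close(sv[1]);
        return PEER_ERROR;
    }
    if (close_client)
        close(sv[1]);
    verdict = (int)sniff_client(sv[0], timeout_ms);
    close(sv[0]);
    if (!close_client)
        close(sv[1]);
    return verdict;
}

int main(void)
{
    static const char *names[] = { "timeout", "tls", "plain", "closed", "error" };
    printf("silent client : %s\n", names[run_scenario(NULL, 0, 0, 200)]);
    printf("tls hello     : %s\n", names[run_scenario(SAMPLE_TLS_HELLO, sizeof SAMPLE_TLS_HELLO, 0, 200)]);
    printf("sslv2 hello   : %s\n", names[run_scenario(SAMPLE_V2_HELLO, sizeof SAMPLE_V2_HELLO, 0, 200)]);
    printf("plain protocol: %s\n", names[run_scenario(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN - 1, 0, 200)]);
    printf("hung up       : %s\n", names[run_scenario(NULL, 0, 1, 200)]);
    return 0;
}
```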
[SPAM]BRe: are YOU a boxing fan?
How did that SPAM get through?

-blue0ne
http://www.digitz.org

On Tue, 5 Dec 2000, Jan C Booker wrote:
> then you NEED to check out www.CurrentFights.com a web site FULL of
> Streaming Videos and audio's of the TOP Fights and Fighters of today SEE IT NOW
> !!!
Re: i2d_RSAPublicKey,d2i_RSAPublicKey
On Fri, 01 Dec 2000, at 18:27, Rafa Marín López wrote:
> Hello.
>
> I have a problem with this situation:
>
> I have this code in function A:
>
> char keystr[1024];
> ...
> RSA *rsa=RSA_generate_key((int)1024,0x10001,NULL,NULL);
>
> unsigned char *ptr;
> int derlen;
> ptr=keystr;
> derlen=i2d_RSAPublicKey(rsa,&ptr);
> ptr=keystr;
>
> In a function B:
>
> unsigned char *ptr;
> int len;
>
> ptr=keystr; //keystr is a param but its value is equal keystr in function A.
> printCadena(KCtx->keystr,KCtx->derlen);
> rsa=d2i_RSAPublicKey(NULL,&ptr,KCtx->derlen);
>
> But I obtain a NULL (rsa == NULL)
>
> Why?
>
> Thank you
0o End of original message oO

I think it may be because d2i_RSAPublicKey needs a char ** pointer as its second parameter, and you only have a char *ptr. Try defining another variable and assigning it:

unsigned char datos [] = {0x30,0x82,0x02,0x5c,0x02,0x01,0x00,0x02,0x81,0x81};
unsigned char *arraydatos[1] = {datos};
ptr = arraydatos[0];

Cheers
--
Ignacio Diaz Asenjo
Universidad Carlos III (Leganes)
Proyecto de Investigación E-TICKET
Edificio Betancourt (1.1H29)
[EMAIL PROTECTED]
Tfno: (91)624-59-49
ICQ: 32646959
are YOU a boxing fan?
then you NEED to check out www.CurrentFights.com a web site FULL of Streaming Videos and audio's of the TOP Fights and Fighters of today SEE IT NOW !!!
Re: WinSock& SSL
Thanx for the generic information... My client server program works in a non-secured environment. If a ssl-client tries to connect, connection is accepted for a secured server. But if a non-ssl client connects, the access permissions client has will be limited. But both has to connect to the same port number because of design criteria.
Only way I can figure out that this is a non-ssl client is by initiating a server handshake. But SSL_Accept function waits till the client initiates a handshake and the program hangs right there..

Have you ever come across this scenario?

Sudeep

>From: "Prashant Nair" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: WinSock& SSL
>Date: Fri, 01 Dec 2000 05:16:15 -
>
>
>Hi,
>
> Winsock is on layer 4 (TCP) and SSL is above that
> so make the Winsock connection i.e connect( ).
> Thereafter call the SSL API functions.
>
>Prashant
>
>>From: "Sudeep Sudhakaran" <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: WinSock& SSL
>>Date: Thu, 30 Nov 2000 17:04:26 -0500
>>
>>Hi,
>>
>>Does anybody have a working example for Winsock & ssl using openssl.
>>I want to provide ssl authentication and encryption support to my winsock
>>client server application.
>>
>>I tried using the modified WSOCK sample. But when I connect from an
>>unauthorised client, SSL_Accept() hangs waiting for the client handshake. I
>>want to reject all unauthorized connections.
>>
>>Thanks in advance for the help.
>>
>>I had tried sending this message before. If you are receiving it for the
>>second time, I am sorry for that.
>>
>>Sudeep
Using OpenSSL with Mac OSX server
Hi

I want to install openssl on Mac OS X server. I have downloaded openssl-0.9.6.tar.gz from www.openssl.org/source. If I see the INSTALL file I see that there are separate files for Windows, OpenVMS and MacOS (before Mac OS X) but nothing on Mac OS X Server. I followed the instructions for UNIX.

When I execute step 1, i.e. run ./Configure with rhapsody-ppc-cc as the compiler and prefix=/usr/bin/openssl, no directory is created in /usr/bin but the directories are created under the current directory only.

When I give make it creates all the libraries under the current directory only and finally fails with the message

Undefined Symbols
_ftime
_gmtime_r
in /usr/bin/ld

Please help me to solve this problem.

thanks
Arnab
Re: cipher suite issue?
On Mon, Dec 04, 2000 at 04:34:52PM -0800, Jeffrey Ricks wrote:
> GET /servlets/TestServlet HTTP/1.0 (I type this)
>
> SSL_connect:SSL renegotiate ciphers
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL3 alert write:fatal:illegal parameter
> SSL_connect:error in SSLv3 read server key exchange A
> 27309:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:302:

Here there is a hard error and an alert (closing message) is sent to the client.

> and the following shows up in my ssl_request_log:
>
> [04/Dec/2000:18:55:07 -0500] ipaddress TLSv1 (NONE) "GET /servlets/TestServlet HTTP/1.0" 289
>
> Notice the missing (NONE) cipher suite.

The handshake failed, so there is no connection established at all. Hence there is no cipher :-)

Trying to reproduce your problem I just performed the following steps:
* openssl s_server -key ws01_key.pem -cert ws01_cert.pem -Verify 2 -CAfile CAcert.pem
* openssl s_client -key ws01_key.pem -cert ws01_cert.pem -connect localhost:4433 -cipher DES-CBC3-SHA -CAfile CAcert.pem
* Success with
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
...

I am running OpenSSL 0.9.6, if that matters... The keys and certificates are generated by OpenSSL (demoCA), standard setup with one CA signing all keys, certificate purpose not restricted.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: cipher suite issue?
On Mon, Dec 04, 2000 at 04:34:52PM -0800, Jeffrey Ricks wrote:
[...]
> If I use my java client with the DES-CBC3-SHA cipher, everything works
> fine. It's when I use that cipher with any openssl-based apps
> (including s_client) that things don't work. If I run this:
>
> openssl s_client -connect myserver:443 -cert /tmp/s_client.crt -key
> /tmp/s_client.key -CAfile /tmp/s_clientCA.crt -tls1 -cipher
> DES-CBC3-SHA -state
>
> I get the following output:
> .
> .
> .
> GET /servlets/TestServlet HTTP/1.0 (I type this)
>
> SSL_connect:SSL renegotiate ciphers
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL3 alert write:fatal:illegal parameter
> SSL_connect:error in SSLv3 read server key exchange A
> 27309:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message
> size:s3_both.c:302:
>
> and the following shows up in my ssl_request_log:
>
> [04/Dec/2000:18:55:07 -0500] ipaddress TLSv1 (NONE) "GET
> /servlets/TestServlet HTTP/1.0" 289
>
> Notice the missing (NONE) cipher suite.
[...]
> [..] The DES-CBC3-SHA cipher only works if client authentication is off.

What happens if you connect to s_server instead, using options similar to that server's configuration?

--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
Re: Error at the installation
On Mon, Dec 04, 2000 at 05:14:02PM -0500, Côme Chaput wrote:
> I tried to install openssl-0.9.6. on solaris 2.6
> I modified the file config to put a line
> PERL="/usr/local/bin/perl" (perl is my executable file)
>
> And I modified the file Configure at the line
> $perl="/usr/local/bin/perl";
>
> With that modification I can run ./config without error and run make with
> out error.
>
> But when I run make test I received
>
> test BN_exp
> running bc
> sh: perl: not found

Hmm, check out Makefile.ssl whether PERL has been set correctly.

I recommend you to leave config and Configure unchanged and perform a (sh-syntax):
  PERL=/usr/local/bin/perl ; export PERL
  ./config            (with your additional options, if any)

You could also consider simply adding /usr/local/bin to your PATH:
  PATH=${PATH}:/usr/local/bin ./config

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: certificates setup: OpenSSL with imap-2000
On Tue, Dec 05, 2000 at 02:22:50AM -0500, Jean-Francois Malouin wrote:
> I can now use mutt/uw-imap-2000/openssl with cram-md5 authentication!
> So far I have mutt-1.3.9i on Linux and irix working. Mutt-1.2.5i does
> not seem to like cram-md5 authentication and pine-4.30 (compiled with
> openssl-0.9.6) complains about "[unable to get local issuer certificate...]

I only use mutt-1.2.5i with local mailbox, so I cannot comment about mutt's possibilities here.

The [unable to get local issuer certificate...] comes from pine not being able to load the CA certificate from its own storage _and_ the CA certificate not being sent from uw-imap-2000. To get rid of this message:

1) Change line 706 of auth_ssl.c from
     if (!SSL_CTX_use_certificate_file (stream->context,tmp,SSL_FILETYPE_PEM))
   to
     if (!SSL_CTX_use_certificate_chain_file (stream->context,tmp))
   and put your certificate and the complete CA chain (sorted from server cert down to root CA) into the certificate file. Now you should get a "self signed cert in chain" message :-)

2) Now add your root CA cert into pine (don't ask me how).

Documentation about SSL_CTX_use_certificate_chain_file() et al still pending on my TODO list...

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153