Oops, not the topic

2000-12-13 Thread Cliff Sarginson

Sorry, replying to my own post .. tut tut .. I inherited the topic by
accident.
Cliff Sarginson wrote:

> Hello,
> I recently posted a problem concerning the 64 bit HP port of OpenSSL,
> but received no replies. I take it therefore this is not the right list.
> I cannot compile HP 11.0 OpenSSL in 64 bit mode, does anyone have
> a clue which list or person I can ask about this ?
>
> Thank you for your help
>
> Cliff
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]




Installation problem with mingw32 on NT4 SP4

2000-12-13 Thread QUERAN LOIC

--- Received from   CMB.QUERALO 0298002339 13-12-00 10.29

I try to install OpenSSL 0.9.6 with gcc 2.95.2, make 3.76.1 and Active Perl
5.6.0 620 as indicated in install.w32.

I obtain the following error message:
"gcc: .cryptocryptlib.c: No such file or directory"
although make issues "gcc -o tmp\cryptlib.o  -Ioutinc -Itmp -O3 -fomit-frame-pointer
-DDSO_WIN32  -c .\crypto\cryptlib.c" and crypto\cryptlib.c
exists. Why can't it properly read the "\"s?

Thanks in advance for any help.

L. QUERAN




F:\Program Files\openssl-0.9.6>perl Configure Mingw32
Configuring for Mingw32
IsWindows=1
CC=gcc
CFLAG =-DTHREADS  -DDSO_WIN32 -DL_ENDIAN -fomit-frame-pointer -O3 -
m486
-Wall
EX_LIBS   =
BN_ASM=bn_asm.o
DES_ENC   =des_enc.o fcrypt_b.o
BF_ENC=bf_enc.o
CAST_ENC  =c_enc.o
RC4_ENC   =rc4_enc.o
RC5_ENC   =rc5_enc.o
MD5_OBJ_ASM   =
SHA1_OBJ_ASM  =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB=true
PERL  =perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined

Configured for Mingw32.
Generating x86 for GNU assember
Bignum
DES
crypt
Blowfish
CAST5
RC4
MD5
SHA1
RIPEMD160
RC5\32
Generating makefile
Generating DLL definition files
Building OpenSSL
mkdir tmp
mkdir out
mkdir outinc
mkdir outinc\openssl
copy .\crypto\cryptlib.h tmp\cryptlib.h
1 fichier(s) copié(s).
copy .\crypto\buildinf.h tmp\buildinf.h
1 fichier(s) copié(s).
copy .\crypto\md32_common.h tmp\md32_common.h
1 fichier(s) copié(s).
copy .\crypto\md4\md4_locl.h tmp\md4_locl.h
1 fichier(s) copié(s).
copy .\crypto\md5\md5_locl.h tmp\md5_locl.h
1 fichier(s) copié(s).
copy .\crypto\sha\sha_locl.h tmp\sha_locl.h
1 fichier(s) copié(s).
copy .\crypto\ripemd\rmd_locl.h tmp\rmd_locl.h
1 fichier(s) copié(s).
copy .\crypto\ripemd\rmdconst.h tmp\rmdconst.h
1 fichier(s) copié(s).
copy .\crypto\des\des_locl.h tmp\des_locl.h
1 fichier(s) copié(s).
copy .\crypto\des\rpc_des.h tmp\rpc_des.h
1 fichier(s) copié(s).
copy .\crypto\des\spr.h tmp\spr.h
1 fichier(s) copié(s).
copy .\crypto\des\des_ver.h tmp\des_ver.h
1 fichier(s) copié(s).
copy .\crypto\rc2\rc2_locl.h tmp\rc2_locl.h
1 fichier(s) copié(s).
copy .\crypto\rc4\rc4_locl.h tmp\rc4_locl.h
1 fichier(s) copié(s).
copy .\crypto\rc5\rc5_locl.h tmp\rc5_locl.h
1 fichier(s) copié(s).
copy .\crypto\idea\idea_lcl.h tmp\idea_lcl.h
1 fichier(s) copié(s).
copy .\crypto\bf\bf_pi.h tmp\bf_pi.h
1 fichier(s) copié(s).
copy .\crypto\bf\bf_locl.h tmp\bf_locl.h
1 fichier(s) copié(s).
copy .\crypto\cast\cast_s.h tmp\cast_s.h
1 fichier(s) copié(s).
copy .\crypto\cast\cast_lcl.h tmp\cast_lcl.h
1 fichier(s) copié(s).
copy .\crypto\bn\bn_lcl.h tmp\bn_lcl.h
1 fichier(s) copié(s).
copy .\crypto\bn\bn_prime.h tmp\bn_prime.h
1 fichier(s) copié(s).
copy .\crypto\bio\bss_file.c tmp\bss_file.c
1 fichier(s) copié(s).
copy .\crypto\objects\obj_dat.h tmp\obj_dat.h
1 fichier(s) copié(s).
copy .\crypto\conf\conf_def.h tmp\conf_def.h
1 fichier(s) copié(s).
copy .\ssl\ssl_locl.h tmp\ssl_locl.h
1 fichier(s) copié(s).
copy .\apps\apps.h tmp\apps.h
1 fichier(s) copié(s).
copy .\apps\progs.h tmp\progs.h
1 fichier(s) copié(s).
copy .\apps\s_apps.h tmp\s_apps.h
1 fichier(s) copié(s).
copy .\apps\testdsa.h tmp\testdsa.h
1 fichier(s) copié(s).
copy .\apps\testrsa.h tmp\testrsa.h
1 fichier(s) copié(s).
copy .\.\e_os.h outinc\openssl\e_os.h
1 fichier(s) copié(s).
copy .\.\e_os2.h outinc\openssl\e_os2.h
1 fichier(s) copié(s).
copy .\crypto\crypto.h outinc\openssl\crypto.h
1 fichier(s) copié(s).
copy .\crypto\tmdiff.h outinc\openssl\tmdiff.h
1 fichier(s) copié(s).
copy .\crypto\opensslv.h outinc\openssl\opensslv.h
1 fichier(s) copié(s).
copy .\crypto\opensslconf.h outinc\openssl\opensslconf.h
1 fichier(s) copié(s).
copy .\crypto\ebcdic.h outinc\openssl\ebcdic.h
1 fichier(s) copié(s).
copy .\crypto\symhacks.h outinc\openssl\symhacks.h
1 fichier(s) copié(s).
copy .\crypto\md2\md2.h outinc\openssl\md2.h
1 fichier(s) copié(s).
copy .\crypto\md4\md4.h outinc\openssl\md4.h
1 fichier(s) copié(s).
copy .\crypto\md5\md5.h outinc\openssl\md5.h
1 fichier(s) copié(s).
copy .\crypto\sha\sha.h outinc\openssl\sha.h
1 fichier(s) copié(s).
copy .\crypto\mdc2\mdc2.h outinc\openssl\mdc2.h
1 fichier(s) copié(s).
copy .\crypto\hmac\hmac.h outinc\openssl\hmac.h
1 fichier(s) copié(s).
copy .\crypto\ripemd\ripemd.h outinc\openssl\ripemd.h
1 fichier(s) copié(s).
copy .\crypto\des\des.h outinc\openssl\des.h
1 fichier(s) copié(s).
copy .\crypto\rc2\rc2.h outinc\openssl\rc2.h
1 fichier(s) copié(s).
copy .\crypto\rc4\rc4.h outinc\openssl\rc4.h
 

Re: Installation problem with mingw32 on NT4 SP4

2000-12-13 Thread qun-ying

I used to get this kind of error. Active perl seems not to work quite
well together with cygwin/mingw32. Try to get a perl version for cygwin.

QUERAN LOIC wrote:
> 
> --- Received from   CMB.QUERALO 0298002339 13-12-00 10.29
> 
> I try to install OpenSSL 0.9.6 with gcc 2.95.2, make 3.76.1 and Active Perl
> 5.6.0 620 as indicated in install.w32.
> 
> I obtain the following error message:
> "gcc: .cryptocryptlib.c: No such file or directory"
> although make issues "gcc -o tmp\cryptlib.o  -Ioutinc -Itmp -O3 -fomit-frame-pointer
> -DDSO_WIN32  -c .\crypto\cryptlib.c" and crypto\cryptlib.c
> exists. Why can't it properly read the "\"s?
> 
> Thanks in advance for any help.



Re: How to export a private key in a PKCS#11 module ?

2000-12-13 Thread Etienne Loupias


 Thanks a lot for this answer. Now I understand what was wrong.

 However, I think there is something wrong in the way Netscape passes the handle to
the DES3 key in the C_WrapKey function. Indeed, the handle is not a valid handle in
my token (i.e. no object exists with this handle for my module).

 In the other case, for the unwrapping function, Netscape calls the C_CreateObject
function of my PKCS#11 module before calling my C_UnwrapKey. Then Netscape passes to
my C_UnwrapKey() the handle to the secret key object it has just created with my
module. So for unwrapping, I can get the unwrapping key.

 But for the wrapping, Netscape doesn't call my C_CreateObject before calling my
C_WrapKey. As I understand it, maybe the handle to the wrapping key refers to the
Netscape softtoken, because it hasn't called my C_CreateObject.

 Have you experienced this problem? Could it be a bug in my Netscape version (I use
Communicator 4.75 on Win98)? Is there a way to access the secret key in the Netscape key
database?

 I hope this is not too much OT and that you can tell me what you think of this.
 Thanks again,

Etienne


Dr S N Henson wrote:

> Here's the problem. What Netscape is doing is passing you a handle to a
> 3DES key which you should use to encrypt the data. PKCS8_encrypt()
> specifically handles password based encryption and packages the result
> in a PKCS8 (X509_SIG) structure. So while this is what OpenSSL wants for
> packaging the PKCS8_PRIV_KEY_INFO structure into a PKCS8 structure it
> isn't what Netscape wants.
>
> What you need to do, if I understand things correctly, is to generate
> the DER encoding of the PKCS8_PRIV_KEY_INFO structure using the
> i2d_PKCS8_PRIV_KEY_INFO routine (see FAQ for some info on using i2d
> routines).
>
> Then with this data you encrypt it using the passed 3DES key using
> EVP_Encrypt() and friends (see manual pages). Zero the unencrypted
> encoding and pass the encrypted stuff back to the application.
>
> If you just want the length of the encrypted structure without actually
> going through all this you can make a few shortcuts to this by just
> working out the encoding length and then the padded encrypted length
> (round up to a multiple of 8 [the 3DES block size] or add 8 if it is
> already a multiple of the block size).
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
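
The length rule and buffer handling from the quoted advice, as an added example that is not part of the original thread and is not OpenSSL or Netscape code. All `ex_`/`EX_` names are hypothetical, the 5-byte DER blob is constructed, and the 3DES encryption itself is left out: the padding that a padding block-cipher mode appends is written by hand so the resulting length is visible.

```c
/* Added example (not from the thread): output-length handling for a
 * C_WrapKey-style routine. All ex_ / EX_ names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Numeric values match the PKCS#11 return codes of the same names. */
#define EX_CKR_OK               0x000UL
#define EX_CKR_ARGUMENTS_BAD    0x007UL
#define EX_CKR_BUFFER_TOO_SMALL 0x150UL

#define EX_BLOCK 8u /* 3DES block size in bytes */

/* Ciphertext length for n plaintext bytes under block padding: round up
 * to a multiple of 8, or add a whole block if n already is a multiple. */
size_t ex_wrapped_len(size_t n)
{
    return (n / EX_BLOCK + 1) * EX_BLOCK;
}

/* Clear a buffer through a volatile pointer so the compiler cannot
 * discard the writes as dead stores. */
void ex_zeroize(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Lay out the padded plaintext that the cipher would turn into the
 * wrapped key, following the PKCS#11 variable-length output convention:
 *   out == NULL        -> only report the required length
 *   *out_len too small -> report the required length, touch nothing else
 * On success the caller's DER encoding is zeroed. With EVP's default
 * padding the library appends these pad bytes itself. */
unsigned long ex_stage_for_wrap(unsigned char *der, size_t der_len,
                                unsigned char *out, size_t *out_len)
{
    size_t need, pad, i;

    if (der == NULL || out_len == NULL)
        return EX_CKR_ARGUMENTS_BAD;
    need = ex_wrapped_len(der_len);
    if (out == NULL) {
        *out_len = need;
        return EX_CKR_OK;
    }
    if (*out_len < need) {
        *out_len = need;
        return EX_CKR_BUFFER_TOO_SMALL;
    }
    pad = need - der_len;            /* always 1..8 */
    memcpy(out, der, der_len);
    for (i = der_len; i < need; i++)
        out[i] = (unsigned char)pad; /* each pad byte holds the pad count */
    ex_zeroize(der, der_len);        /* the unencrypted encoding is gone */
    *out_len = need;
    return EX_CKR_OK;
}

/* Unwrap side: validate the padding of a decrypted buffer and report the
 * length of the encoding inside it. Returns 0 on success, -1 otherwise. */
int ex_unpadded_len(const unsigned char *buf, size_t len, size_t *plain_len)
{
    size_t pad, i;

    if (buf == NULL || plain_len == NULL || len == 0 || len % EX_BLOCK != 0)
        return -1;
    pad = buf[len - 1];
    if (pad < 1 || pad > EX_BLOCK)
        return -1;
    for (i = len - pad; i < len; i++)
        if (buf[i] != pad)
            return -1;
    *plain_len = len - pad;
    return 0;
}

int main(void)
{
    /* Constructed sample: a 5-byte DER blob standing in for the encoding. */
    unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
    unsigned char out[16];
    size_t len = 0;
    unsigned long rc;

    ex_stage_for_wrap(der, sizeof der, NULL, &len);
    printf("length query: %lu bytes\n", (unsigned long)len);
    len = sizeof out;
    rc = ex_stage_for_wrap(der, sizeof der, out, &len);
    printf("stage rc=0x%lx, %lu bytes, der[0] now 0x%02x\n",
           rc, (unsigned long)len, (unsigned)der[0]);
    return 0;
}
```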



Client Certificate Verification

2000-12-13 Thread Barrie Jarman

Hope someone can help me.
I have been trying to add the feature to our clients' sites so that a
personal certificate MUST be provided from the client to access the site.
The SSL is working fine, however, when I try to add the part for the client
certificate, it appears to accept the certificate, but then produces a
standard "page cannot be displayed" error (not 404).

I am implementing it like this...
Alias /drkit/ "/drkit/"

Options all
SSLVerifyClient require
SSLVerifyDepth 5
Allow from all
SSLRequireSSL
SSLOptions  +StrictRequire +StdEnvVars +ExportCertData


When I build my box from clean (RH Linux 6.2/ php-4.0.3pl1/Apache 1.3.12/
mod_ssl-2.6.6-1.3.12/openssl-0.9.6) it works no problem, however when I try
to add this to a prebuilt server, like on a client's machine, it never works.
It also never works if I try to specify the directory container inside the
virtual host information.

I have tried moving the location of the web pages around, changing ownership
on the directory, and I'm really pulling my hair out!!! I need a solution by
the end of today, I really hope someone knows why this is happening. I have
also noticed something to do with SSLCACertificateFile
/usr/local/apache/conf/ssl.crt/ca-bundle.crt which also affects if it works
or not...

cheers people
Baj


Barrie Jarman
Professional Services
DigitalRUM
254-256 Belsize Road
London
NW6 4BT

t:0207 691 5502
e:[EMAIL PROTECTED]





No Subject

2000-12-13 Thread Amara Jouini


Hello,
I try to create a Certificate Request, however i receive the following error. Can you 
please help me to solve this problem.


% $OPENSSL_CONF/openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
Using configuration from /opt/oracle/product/ias/Apache/open_ssl/bin
Generating a 1024 bit RSA private key
+
...+
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-
unable to find 'distinguished_name' in config
problems making Certificate Request
oracle@sbiss2t:/opt/oracle/product/ias/Apache/open_ssl/demoCA >
With kind regards / Mes meilleures salutations.
___
Amara JOUINI
DBPB Services S.A., Deutsche Bank  Group

Phone:   +41 [0] 22 -- 715 84 16
Mobile:  +41 [0] 79 -- 477 20 82
E-mail: [EMAIL PROTECTED]








Re: rsaref/crypto in openssl

2000-12-13 Thread Richard Levitte - VMS Whacker

From: Cliff Sarginson <[EMAIL PROTECTED]>

csarginson> I recently posted a problem concerning the 64 bit HP port
csarginson> of OpenSSL, but received no replies. I take it therefore
csarginson> this is not the right list.  I cannot compile HP 11.0
csarginson> OpenSSL in 64 bit mode, does anyone have a clue which list
csarginson> or person I can ask about this ?

The only conclusion you can make from the delay is that the HP
knowledge isn't very high (I know only a few people who know HP well),
that anyone that answers on the lists is a volunteer and may have more
pressing matters on his hands for the moment being, or something else.

For user questions (like users of OpenSSL or application developers
that use OpenSSL as a library), openssl-users is exactly right.  For
talking about development of OpenSSL itself, openssl-dev is often a
better channel to use.

Patience is a virue.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



RE: Linker error

2000-12-13 Thread Kirill Vasiliev

See comments below


> -Original Message-
> From: Andrew W. Gray [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 09, 2000 11:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Linker error
> 
> 
> How exactly did you configure your source tree?
> 
> I assume :
> perl Configure VC-WIN32


Yes.


> ms\do_ms or do_masm or do_nasm?


    do_nasm. Everything is all right.


> 
> then nmake -f ms\ntdll.mak?


    Yes
> 
> I see where the \GD comes from, but haven't tracked down how its
> enablement can arise.  It has actually been there since the source tree
> import of SSLeay.


The string in the ntdll.mak:
LIB_CFLAG= /GD -D_WINDLL -D_DLL


From MSDN Library Oct 2000:

/GD   (Optimize for Windows DLL)
This optimization option is for future use.

This may cause a warning.


Maybe you mean \Gd (__cdecl - C calling convention)?






> 
> Kirill Vasiliev wrote:
> > 
> > Yes, it is.
> > 
> > Regards,
> > Vasiljev Kirill
> > 
> > > -Original Message-
> > > From: Andrew W. Gray [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, December 09, 2000 10:40 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Linker error
> > >
> > >
> > > I assume this is 0.9.6?
> > >
> > > Andrew
> > >
> > > Kirill Vasiliev wrote:
> > > >
> > > > I like this game :-)) :
> > > >
> > > > VC++ 6.0 on Win2000SP1:
> > > >
> > > > +++
> > > > link /nologo /subsystem:console /machine:I386 /opt:ref /dll
> > > > /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def
> > > > @C:\DOCUME~1\kirill\LOCALS~1\Temp\nma00896.
> > > >
> > > > ms/LIBEAY32.def : warning LNK4017: DESCRIPTION statement
> > > not supported
> > > > for the target platform; ignored
> > > >    Creating library out32dll\libeay32.lib and object
> > > > out32dll\libeay32.exp
> > > > md5_dgst.obj : error LNK2019: unresolved external symbol
> > > > _md5_block_asm_host_order referenced in function _MD5_Update
> > > > sha1dgst.obj : error LNK2019: unresolved external symbol
> > > > _sha1_block_asm_data_order referenced in function _SHA1_Update
> > > > sha1dgst.obj : error LNK2019: unresolved external symbol
> > > > _sha1_block_asm_host_order referenced in function _SHA1_Update
> > > > rmd_dgst.obj : error LNK2019: unresolved external symbol
> > > > _ripemd160_block_asm_host_order referenced in function
> > > > _RIPEMD160_Update
> > > >
> > > > out32dll\libeay32.dll : fatal error LNK1120: 4 unresolved
> > externals
> > > > NMAKE : fatal error U1077: 'link' : return code '0x460'
> > > > Stop.
> > > > +++
> > > >
> > > > Did anybody test it?
> > > >
> > > > Regards,
> > > > Vasiljev Kirill





Re: certificate issued by an official CA for openssl wanted

2000-12-13 Thread Alexander 'Alfe' Fetke

Hi, Oscar ...

On Tue, 12 Dec 2000, Oscar Jacobsson wrote:

> Alexander 'Alfe' Fetke wrote:
> > does anybody have experience with this problem?  Any hint (e.g. to a
> > different commercial CA) would be appreciated :-)
> 
[...]
> I don't actually have any experience with this but I think that the
> Verisign OnSite (http://www.verisign.com/onsite/index.html) might be the
> kind of thing you're looking for.
[...]

Thank you for your hint!  I've looked it up and it seems to me as if this
was one of the long-time services verisign provides.

I am not looking for a long-time service but just for a single act of
service:  The CA shall have a close look at us to be sure that we are who
we claim to be and then issue a certificate which states that -- nothing
more :-}

Is no commercial CA capable and willing to offer such a service?

Alfe (wondering)

--  / _|__  __  __   __|   __   __   SECURE INTERNET TECHNOLOGIES
  `/   |   (__) /  | |  | |  ) /__\  http://www.xtradyne.com
  / \  |   |   (__| \._| (__| |  | \._,  Alexander Fetke, Developer
 'Technologies AG --'[EMAIL PROTECTED]




Re: certificate issued by an official CA for openssl wanted

2000-12-13 Thread Goetz Babin-Ebell

Alexander 'Alfe' Fetke wrote:
Hello Alexander,

> I am not looking for a long-time service but just for a single act of
> service:  The CA shall have a close look at us to be sure that we are who
> we claim to be and then issue a certificate which states that -- nothing
> more :-}

Yes, commercial CAs do that.
But you have to say what you want to do with your certificate.

I still don't know if you need client certificates
for your customer or a server certificate for you.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126



Re: certificate issued by an official CA for openssl wanted

2000-12-13 Thread Oscar Jacobsson

Alexander 'Alfe' Fetke wrote:
> I am not looking for a long-time service but just for a single act of
> service:  The CA shall have a close look at us to be sure that we are who
> we claim to be and then issue a certificate which states that -- nothing
> more :-}
> 
> Is no commercial CA capable and willing to offer such a service?

I would rather doubt it, I'm afraid, since what you would effectively be
receiving, if you by 'commercial CA' mean 'a CA trusted by current web
browser implementations', would be your very own CA certificate capable
of issuing certificates which would then in turn also be trusted by the
current crop of web browsers/relying parties.

So looking at this from a purely business-centric view, you are looking
for a commercial CA to sell you the tools required for you to go into
head-to-head competition with them, and at a conveniently fixed one-time
price at that. :-)

Plus, none of the current browsers, IIRC, have working revocation
mechanisms in place anyway, so I know I would personally be *very* wary
of trusting any authority using such certification practices.

//oscar



Re: client certificate!!!

2000-12-13 Thread Lutz Jaenicke

Moved to [EMAIL PROTECTED]!

On Wed, Dec 13, 2000 at 03:15:04PM +, Filipe Contente wrote:
> I'm a new member, and i don't understand how ssl certificates work very well.
> 
> i'm using this function to get the client certificate:
> 
> And it returns NULL!!
> 
> The s variable (SSL type), isn't NULL so i think it returns NULL when i
> copy the peer session..

man SSL_get_peer_certificate
(Manual page included since OpenSSL-0.9.6.)

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



make test fails on IRIX

2000-12-13 Thread Kevin Walker

I downloaded OpenSSL-0.9.6 and tried to make it but the make test fails. I
am only interested in using OpenSSH at present. Can anyone point me in the
right direction for solving this problem?  I got some precompiled binaries
from SGI which worked but I can't get the compiled source to pass the test.
I see a lot of warnings about unused variables during the make.  Is this
normal under IRIX?  I tried compiling the same code on a linux box and that
works fine.  I would greatly appreciate some help.  Below is an edited
version of the testlog produced by "make report"


OpenSSL self-test report:

OpenSSL version:  0.9.6
Last change:  In ssl23_get_client_hello, generate an error message wh...
Options:  -mips3
OS (uname):   IRIX phil 6.5 07201607 IP22
OS (config):  mips3-sgi-irix
Target (default): ??
Target:   irix-mips3-cc
Compiler: cc ERROR:  no source or object file given

Failure!



test BN_lshift
test BN_rshift1
test BN_rshift
Right shift test failed!
*** Error code 1 (bu21)
*** Error code 1 (bu21)


Thanks in advance,

~
  Kevin B. Walker
Systems Engineering Simulator
  pager = (281) 527 - 2150
 office = (281) 244 - 5012
 [EMAIL PROTECTED]
~.





Re: rsaref/crypto in openssl

2000-12-13 Thread Geoff Thorpe

Hi there,

On Wed, 13 Dec 2000, Richard Levitte - VMS Whacker wrote:

> For user questions (like users of OpenSSL or application developers
> that use OpenSSL as a library), openssl-users is exactly right.  For
> talking about development of OpenSSL itself, openssl-dev is often a
> better channel to use.
> 
> Patience is a virue.

"virue"?? Perhaps you meant "virus"? But it's certainly not a terribly
contagious one. :-)

Cheers,
Geoff

PS: Yes, guilty as charged of wasting bandwidth ... 





Re: rsaref/crypto in openssl

2000-12-13 Thread Richard Levitte - VMS Whacker

From: Geoff Thorpe <[EMAIL PROTECTED]>

geoff> "virue"?? Perhaps you meant "virus"? But it's certainly not a
geoff> terribly contagious one. :-)

One can always wish...

"virtue", as I'm sure you guessed :-).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: certificate issued by an official CA for openssl wanted

2000-12-13 Thread Alexander 'Alfe' Fetke

Hi, Goetz Babin-Ebell,

On Wed, 13 Dec 2000, Goetz Babin-Ebell wrote:

> Alexander 'Alfe' Fetke wrote:
> 
> > I am not looking for a long-time service but just for a single act of
> > service:  The CA shall have a close look at us to be sure that we are who
> > we claim to be and then issue a certificate which states that -- nothing
> > more :-}
> 
> Yes, commercial CAs do that.
> But you have to say what you want to do with your certificate.

i understand that.

> I still don't know if you need client certificates
> for your customer or a server certificate for you.

i think we have a special situation here.  i could answer these
questions with `yes' and `kind of', though i figure you think you
asked just one question.

we will sell our product and do not need anything for ourselves.
our customers are going to need certificates, and we are trying
to find out what we can do beforehand for them.  our customers
will run our application which will be both client and server.
the used protocols will be IIOP over SSL or plain IIOP (but then
of course without encryption, so this case is not of interest).

we are not planning to issue certificates by ourselves or make
our customers issue anything.
Alfe

--  / _|__  __  __   __|   __   __   SECURE INTERNET TECHNOLOGIES
  `/   |   (__) /  | |  | |  ) /__\  http://www.xtradyne.com
  / \  |   |   (__| \._| (__| |  | \._,  Alexander Fetke, Developer
 'Technologies AG --'[EMAIL PROTECTED]




Re: Client Certificate Verification

2000-12-13 Thread buitrago

[EMAIL PROTECTED] said:
> I have tried moving the location of the web pages around, changing ownership
> on the directory, and I'm really pulling my hair out!!! I need a solution by
> the end of today, I really hope someone knows why this is happening. I have
> also noticed something to do with SSLCACertificateFile
> /usr/local/apache/conf/ssl.crt/ca-bundle.crt which also affects if it works
> or not...
> 

Did you copy the certificate for the CA to
/usr/local/apache/conf/ssl.crt/ca-bundle.crt? Also, you have to run
"make" from /usr/local/apache/conf/ssl.crt to regenerate some links.

Hope this helps,


--
Marina Buitrago Bravo    Area de Seguridad Informática
mailto:[EMAIL PROTECTED]  mailto:[EMAIL PROTECTED]
 http://www.cica.es/seguridad/
 Centro de Informática Científica de Andalucía (CICA)
--
   And so this tale has come to an end.



Re: Using OpenSSL on Win32?

2000-12-13 Thread Ng Pheng Siong

On Sun, Dec 10, 2000 at 11:09:04PM -0500, Tim Gustafson wrote:
> I was wondering if anyone could point me in the direction of some OpenSSL 
> compiled DLLs for Win32?  I am a Delphi programmer, and don't really know 
> enough C to compile them myself.

Hi,

I have a Win32 binary package comprising openssl.exe, libeay32.dll
and ssleay32.dll, built with VC++ 6.

You can find it here: 

http://www.post1.com/home/ngps/m2


Cheers.
-- 
Ng Pheng Siong <[EMAIL PROTECTED]> * http://www.post1.com/home/ngps




Re: certificate issued by an official CA for openssl wanted

2000-12-13 Thread Jean-Marc Desperrier

Alexander 'Alfe' Fetke wrote:

> our customers
> will run our application which will be both client and server.
> the used protocols will be IIOP over SSL or plain IIOP (but then
> of course without encryption, so this case is not of interest).

> we are not planning to issue certificates by ourselves or make
> our customers issue anything.

Standard ssl server certificates have exactly the extension needed to open an ssl
connection.

It doesn't matter if the protocol on it is HTTP or not.

They could be restricted to have only the server usage, but until now all those I
have seen have both ssl server (receives connection) and ssl client (opens
connection) usage.

If you ask for an intranet certificate, this frees you of the constraint that the
common name should be a FQDN in a domain you own.

It's quite reasonable for you to use a certificate under a public CA, but if the
expense of a certificate under a public CA is too much for your clients, you
might consider searching for a non-commercial option for the clients and having an
OOB (out of band) way of checking if the certificate owner is really your client.




Client Auth from IE

2000-12-13 Thread Dale Peakall

I've got a problem performing client auth from IE.

I've created a CA cert and used this to create two key-pairs: one for a
web-server (nsCertType=server),
the other for a client (nsCertType=client,email).

I've installed the CA cert as a trusted root CA, setup IIS with the
web-server certificate, and imported
a PKCS#12 version of the client key-pair into IE.

I can communicate with the web-server using https and according to the
certificate manager in IE, I have
a Personal certificate (suitable for client auth).

The problem occurs when the web-server requests a client certificate: IE
pops up a dialog and asks which
certificate I'd like to use - the problem is no certificates are listed.

What's going on?

Cheers,

- Dale.

--
Dale Peakall
mailto:[EMAIL PROTECTED]




Re: Client Auth from IE

2000-12-13 Thread george

It's a BUG in IE, try last version, it works 


- Original Message - 
From: Dale Peakall <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 13, 2000 5:36 PM
Subject: Client Auth from IE


> I've got a problem performing client auth from IE.
> 
> I've created a CA cert and used this to create two key-pairs: one for a
> web-server (nsCertType=server),
> the other for a client (nsCertType=client,email).
> 
> I've installed the CA cert as a trusted root CA, setup IIS with the
> web-server certificate, and imported
> a PKCS#12 version of the client key-pair into IE.
> 
> I can communicate with the web-server using https and according to the
> certificate manager in IE, I have
> a Personal certificate (suitable for client auth).
> 
> The problem occurs when the web-server requests a client certificate: IE
> pops up a dialog and asks which
> certificate I'd like to use - the problem is no certificates are listed.
> 
> What's going on?
> 
> Cheers,
> 
> - Dale.
> 
> --
> Dale Peakall
> mailto:[EMAIL PROTECTED]
> 




Re: certificate issued by an official CA for openssl wanted

2000-12-13 Thread Alexander 'Alfe' Fetke

Hi, Oscar ...

On Wed, 13 Dec 2000, Oscar Jacobsson wrote:

> Alexander 'Alfe' Fetke wrote:
> > I am not looking for a long-time service but just for a single act of
> > service:  The CA shall have a close look at us to be sure that we are who
> > we claim to be and then issue a certificate which states that -- nothing
> > more :-}
> > 
> > Is no commercial CA capable and willing to offer such a service?
> 
> I would rather doubt it, I'm afraid, since what you would effectively be
> receiving, if you by 'commercial CA' mean 'a CA trusted by current web
> browser implementations', would be your very own CA certificate capable
> of issuing certificates which would then in turn also be trusted by the
> current crop of web browsers/relying parties.
> 
> So looking at this from a purely business-centric view, you are looking
> for a commercial CA to sell you the tools required for you to go into
> head-to-head competition with them, and at a conveniently fixed one-time
> price at that. :-)

this seems to me that we have a logical problem here right now.  if a
commercial CA gives me a certificate with which i can prove that i am who
i claim to be, it doesn't automatically mean that i always tell the truth.
it just proves my identity.  (or my authenticity, but let's ignore the
difference between those for a moment.)

now, if i issued a certificate for John Doe, using my purchased
certificate for this, then i would certify for John Doe that he is who he
claims to be.  but i could still be lying.  and i could also simply be
wrong because i made a mistake when i checked John Doe's identity.

so, why should someone trust the certificates i issued?  a receiver of
such a certificate i issued for John Doe could just say:  Trusting the
commercial CA Alfe used, I can be sure that _Alfe_ claims that the person
I talk to right now is John Doe.

technically speaking, you are right.  A typical browser today trusts a
certificate already if it trusts one link in its chain down to its root.
but just because a commercial CA sells me something, my social reputation
doesn't rise, so why do browsers do this?  (if they do at all, i do not know
all browsers.)

another point of view:  if i bought a certificate for sending emails, i
could hand out a signed document in which i stated that John Doe be really
that John Doe and that he owns that particular public key.  This document
would logically be a complete certificate.  one couldn't even call it an
abuse of my certificate, since it was bought for making statements
(sending emails).  the only difference to `proper' certificates would be
the ability of applications to read and interpret it automatically.  but
that is just a question of the intelligence of those applications.

> Plus, none of the current browsers, IIRC, have working revocation
> mechanisms in place anyway, so I know I would personally be *very*
> wary of trusting any authority using such certification practices.

this and the above makes me think that up to now the infrastructure is not
cleared up at all ...
Alfe

--  / _|__  __  __   __|   __   __   SECURE INTERNET TECHNOLOGIES
  `/   |   (__) /  | |  | |  ) /__\  http://www.xtradyne.com
  / \  |   |   (__| \._| (__| |  | \._,  Alexander Fetke, Developer
 'Technologies AG --'[EMAIL PROTECTED]




Re: certificate issued by an official CA for openssl wanted

2000-12-13 Thread Goetz Babin-Ebell

Alexander 'Alfe' Fetke wrote:
> Hi, Goetz Babin-Ebell,
Hello Alexander,

> On Wed, 13 Dec 2000, Goetz Babin-Ebell wrote:
> 
> > Alexander 'Alfe' Fetke wrote:
> >
> > > I am not looking for a long-time service but just for a single act of
> > > service:  The CA shall have a close look at us to be sure that we are who
> > > we claim to be and then issue a certificate which states that -- nothing
> > > more :-}
> >
> > Yes, commercial CAs do that.
> > But you have to say what you want to do with your certificate.
> 
> i understand that.
> 
> > I still don't know if you need client certificates
> > for your customer or a server certificate for you.
> 
> we will sell our product and do not need anything for ourselves.
> our customers are going to need certificates, and we are trying
> to find out what we can do beforehand for them.  our customers
> will run our application which will be both client and server.
> the used protocols will be IIOP over SSL or plain IIOP (but then
> of course without encryption, so this case is not of interest).
> 
> we are not planning to issue certificates by ourselves or make
> our customers issue anything.

I think you want:

You have customers.
These customers will need certificates for secure communication.
Every customer has servers and clients.
Servers of one customer communicate only with clients of this customer?
(The servers are not public...)

You yourself don't want to issue any certificates.
But you want a way to tell the CA:
"I have verified this certificate request, please issue a certificate."
You want to become an RA.


You are asking for a PKI.

And this is more than just one time verify and go...


By

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126



Re: make test fails on IRIX

2000-12-13 Thread Jean-Francois Malouin

* Kevin Walker ([EMAIL PROTECTED]) [20001213 10:34] thus spake:

[...]

> OpenSSL self-test report:
> 
> OpenSSL version:  0.9.6
> Last change:  In ssl23_get_client_hello, generate an error message wh...
> Options:  -mips3
> OS (uname):   IRIX phil 6.5 07201607 IP22
> OS (config):  mips3-sgi-irix
> Target (default): ??
> Target:   irix-mips3-cc
> Compiler: cc ERROR:  no source or object file given
> 
> Failure!

h, I built openssl-0.9.6 on irix-5.3 with both the SGI native C
compiler and egcs-2.91.66 and also on a O200 running irix-6.5.6m (no
gcc there as it's broken for 6.5.x) with no problems whatsoever...

what does your 'cc -version' say?

jf

> 
> 
> 
> test BN_lshift
> test BN_rshift1
> test BN_rshift
> Right shift test failed!
> *** Error code 1 (bu21)
> *** Error code 1 (bu21)
> 
> 
> Thanks in advance,
> 
> ~
>   Kevin B. Walker
> Systems Engineering Simulator
>   pager = (281) 527 - 2150
>  office = (281) 244 - 5012
>  [EMAIL PROTECTED]
> ~.

-- 
"I haven't lost my mind...it's backed up on tape"



Re: How to export a private key in a PKCS#11 module ?

2000-12-13 Thread Dr S N Henson



Etienne Loupias wrote:
> 
>  Thanks a lot for this answer. Now I understand what was wrong.
> 
>  However, I think there is something wrong in the way Netscape passes the handle to
> the DES3 key in the C_WrapKey function. Indeed, the handle is not a valid handle in
> my token (i.e. no object exists with this handle for my module).
> 
>  In the other case, for the Unwrapping function, Netscape calls the C_CreateObject
> function of my PKCS#11 module before calling my C_UnWrapKey. Then Netscape passes to
> my C_UnWrapKey() the handle to the secret key object it has just created with my
> module. So for unwrapping, I can get the unwrapping key.
> 
>  But for the wrapping, Netscape doesn't call my C_CreateObject before calling my
> C_WrapKey. As I understand it, maybe the handle to the wrapping key refers to the
> Netscape softtoken, because it hasn't called my C_CreateObject.
> 
>  Have you experienced this problem? Could it be a bug of my Netscape version (I use
> Communicator 4.75 on Win98). Is there a way to access the secret key in Netscape key
> database?
> 
>  I hope this is not too much OT and that you can tell me what you think of this.

I suspect this is a bug in Netscape's PKCS#11 implementation.

Are you returning the DES3 mechanism in the list of supported
mechanisms? I believe Netscape will try to use 3DES for private key
export even if the library doesn't handle it.

You might also see if adding the PKCS#12 derivation mechanisms causes it
to try to derive a key.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: make test fails on IRIX

2000-12-13 Thread Kevin Walker

The sgi is an old Indigo 2, the OS is 6.5.9, and running
cc -version
says:  MIPSpro Compilers: Version 7.30


>* Kevin Walker ([EMAIL PROTECTED]) [20001213 10:34] thus spake:
>
>[...]
>
>> OpenSSL self-test report:
>>
>> OpenSSL version:  0.9.6
>> Last change:  In ssl23_get_client_hello, generate an error message wh...
>> Options:  -mips3
>> OS (uname):   IRIX phil 6.5 07201607 IP22
>> OS (config):  mips3-sgi-irix
>> Target (default): ??
>> Target:   irix-mips3-cc
>> Compiler: cc ERROR:  no source or object file given
>>
>> Failure!
>
>h, I built openssl-0.9.6 on irix-5.3 with both the SGI native C
>compiler and egcs-2.91.66 and also on a O200 running irix-6.5.6m (no
>gcc there as it's broken for 6.5.x) with no problems whatsoever...
>
>what does your 'cc -version' say?
>
>jf
>
>>
>> 
>>
>> test BN_lshift
>> test BN_rshift1
>> test BN_rshift
>> Right shift test failed!
>> *** Error code 1 (bu21)
>> *** Error code 1 (bu21)

~
  Kevin B. Walker
Systems Engineering Simulator
  pager = (281) 527 - 2150
 office = (281) 244 - 5012
 [EMAIL PROTECTED]
~.





Re: Client Auth from IE

2000-12-13 Thread jkunz

On 13 Dec, Dale Peakall wrote:

> The problem occurs when the web-server requests a client certificate: IE
> pops up a dialog and asks which
> certificate I'd like to use - the problem is no certificates are listed.
Did you load the CA-Cert into IE? See
http://www.ultranet.com/~fhirsch/Papers/cook/ssl_cook.html
http://www.ultranet.com/~fhirsch/Papers/cook/ssl_ca.html#browser_install
-- 



tschüß,
 Jochen

Homepage: http://www.unixag-kl.fh-kl.de/~jkunz/




Stunnel 3.9 released

2000-12-13 Thread Michal Trojnara

For your information:

stunnel version 3.9 has been released.

New features:
* Updated temporary key generation:
   - stunnel is now honoring requested key-lengths correctly,
   - temporary key is changed every hour.
* transfer() no longer hangs on some platforms.
  Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Regards,
Mike



Re: bad mac decode?

2000-12-13 Thread Louis LeBlanc

Dr S N Henson wrote:
> 
> What command did you use to produce that message? Were you attempting to
> connect to a remote server, if it is on the internet its address would
> help.
> 
> There are several possible causes of that message such as connecting
> to a server with a broken SSL/TLS implementation.
> 
> Steve.


I have seen this error on occasion when trying to connect to an Apache
server with ModSSL.  Since it uses OpenSSL, I would tend to give it the
benefit of the doubt in terms of whether it is broken or not.

I do not see this error all the time, one out of every couple thousand
connections, maybe a little more when there is a lot of other traffic on
the test network.  Though I can't be sure at this point, I suspect it
happens in the connect attempt.

When it does show up, I always see a similar message in the Apache log.

Any ideas there?

Thanks in advance.
Lou



config error with pem.h

2000-12-13 Thread C. Jason Bruner

Please forgive me in advance if this is a boneheaded question, but I openly
admit I'm a Unix newbie...

When doing a ./config of the 0.9.6 build I get the following error making
pem.h on my SCO OpenServer 5.0.5 system, regardless of which of the sco
options I specify in ./Configure

Here's the results of a ./config > file.txt with some other errors not
exported appended by me...


Any ideas what I might be doing wrong?

TIA,

Jason



Operating system: whatever-whatever-sco5
Makefile => Makefile.ssl
e_os.h => include/openssl/e_os.h [File exists]
e_os2.h => include/openssl/e_os2.h [File exists]
crypto
making links in crypto...
Makefile => Makefile.ssl
crypto.h => ../include/openssl/crypto.h [File exists]
tmdiff.h => ../include/openssl/tmdiff.h [File exists]
opensslv.h => ../include/openssl/opensslv.h [File exists]
opensslconf.h => ../include/openssl/opensslconf.h [File exists]
ebcdic.h => ../include/openssl/ebcdic.h [File exists]
symhacks.h => ../include/openssl/symhacks.h [File exists]
Makefile => Makefile.ssl
making links in crypto/md2...
Makefile => Makefile.ssl
md2.h => ../../include/openssl/md2.h [File exists]
md2test.c => ../../test/md2test.c [File exists]
making links in crypto/md4...
Makefile => Makefile.ssl
md4.h => ../../include/openssl/md4.h [File exists]
md4test.c => ../../test/md4test.c [File exists]
md4.c => ../../apps/md4.c [File exists]
making links in crypto/md5...
Makefile => Makefile.ssl
md5.h => ../../include/openssl/md5.h [File exists]
md5test.c => ../../test/md5test.c [File exists]
making links in crypto/sha...
Makefile => Makefile.ssl
sha.h => ../../include/openssl/sha.h [File exists]
shatest.c => ../../test/shatest.c [File exists]
sha1test.c => ../../test/sha1test.c [File exists]
making links in crypto/mdc2...
Makefile => Makefile.ssl
mdc2.h => ../../include/openssl/mdc2.h [File exists]
mdc2test.c => ../../test/mdc2test.c [File exists]
making links in crypto/hmac...
Makefile => Makefile.ssl
hmac.h => ../../include/openssl/hmac.h [File exists]
hmactest.c => ../../test/hmactest.c [File exists]
making links in crypto/ripemd...
Makefile => Makefile.ssl
ripemd.h => ../../include/openssl/ripemd.h [File exists]
rmdtest.c => ../../test/rmdtest.c [File exists]
making links in crypto/des...
Makefile => Makefile.ssl
asm/perlasm => ../../perlasm
des.h => ../../include/openssl/des.h [File exists]
destest.c => ../../test/destest.c [File exists]
making links in crypto/rc2...
Makefile => Makefile.ssl
rc2.h => ../../include/openssl/rc2.h [File exists]
rc2test.c => ../../test/rc2test.c [File exists]
making links in crypto/rc4...
Makefile => Makefile.ssl
rc4.h => ../../include/openssl/rc4.h [File exists]
rc4test.c => ../../test/rc4test.c [File exists]
making links in crypto/rc5...
Makefile => Makefile.ssl
rc5.h => ../../include/openssl/rc5.h [File exists]
rc5test.c => ../../test/rc5test.c [File exists]
making links in crypto/idea...
Makefile => Makefile.ssl
idea.h => ../../include/openssl/idea.h [File exists]
ideatest.c => ../../test/ideatest.c [File exists]
making links in crypto/bf...
Makefile => Makefile.ssl
blowfish.h => ../../include/openssl/blowfish.h [File exists]
bftest.c => ../../test/bftest.c [File exists]
making links in crypto/cast...
Makefile => Makefile.ssl
cast.h => ../../include/openssl/cast.h [File exists]
casttest.c => ../../test/casttest.c [File exists]
making links in crypto/bn...
Makefile => Makefile.ssl
bn.h => ../../include/openssl/bn.h [File exists]
bntest.c => ../../test/bntest.c [File exists]
exptest.c => ../../test/exptest.c [File exists]
making links in crypto/rsa...
Makefile => Makefile.ssl
rsa.h => ../../include/openssl/rsa.h [File exists]
rsa_test.c => ../../test/rsa_test.c [File exists]
making links in crypto/dsa...
Makefile => Makefile.ssl
dsa.h => ../../include/openssl/dsa.h [File exists]
dsatest.c => ../../test/dsatest.c [File exists]
making links in crypto/dh...
Makefile => Makefile.ssl
dh.h => ../../include/openssl/dh.h [File exists]
dhtest.c => ../../test/dhtest.c [File exists]
making links in crypto/dso...
Makefile => Makefile.ssl
dso.h => ../../include/openssl/dso.h [File exists]
making links in crypto/buffer...
Makefile => Makefile.ssl
buffer.h => ../../include/openssl/buffer.h [File exists]
making links in crypto/bio...
Makefile => Makefile.ssl
bio.h => ../../include/openssl/bio.h [File exists]
making links in crypto/stack...
Makefile => Makefile.ssl
stack.h => ../../include/openssl/stack.h [File exists]
safestack.h => ../../include/openssl/safestack.h [File exists]
making links in crypto/lhash...
Makefile => Makefile.ssl
lhash.h => ../../include/openssl/lhash.h [File exists]
making links in crypto/rand...
Makefile => Makefile.ssl
rand.h => ../../include/openssl/rand.h [File exists]
randtest.c => ../../test/randtest.c [File exists]
making links in crypto/err...
Makefile => Makefile.ssl
err.h => ../../include/openssl/err.h [File exists]
making links in crypto/objects...
Makefile => Makefile.ssl
objects.h => ../../include/

Question about certificate extension.

2000-12-13 Thread James Xie

Hello,

I'm very new to OpenSSL,  just have my first Apache/mod_ssl server running
with self signed server and client certificates. Still trying to read all
the documents for OpenSSL.  

Here is my question:
I want to include some binary data (1024 byte) in the client certificate for
authentication purpose.  I figured this has to be done through the
certificate extension.  I read the openssl.txt file but it is still unclear how
this could be done.  Is it possible?
Thanks in advance

James Xie




Re: bad mac decode?

2000-12-13 Thread Dr S N Henson

Louis LeBlanc wrote:
> 
> Dr S N Henson wrote:
> >
> > What command did you use to produce that message? Were you attempting to
> > connect to a remote server, if it is on the internet its address would
> > help.
> >
> > There are several possible causes of that message such as connecting
> > to a server with a broken SSL/TLS implementation.
> >
> > Steve.
> 
> I have seen this error on occasion when trying to connect to an Apache
> server with ModSSL.  Since it uses OpenSSL, I would tend to give it the
> benefit of the doubt in terms of whether it is broken or not.
> 
> I do not see this error all the time, one out of every couple thousand
> connections, maybe a little more when there is a lot of other traffic on
> the test network.  Though I can't be sure at this point, I suspect it
> happens in the connect attempt.
> 
> When it does show up, I always see a similar message in the Apache log.
> 
> Any ideas there?
> 

Tricky. It could be the client sending garbage or not politely closing
the connection, a server problem or some obscure race condition in
either client or server.

If I *really* wanted to trace the cause then I'd start by printing out
the expected and received MACs on each side (if possible on client) and
then independently verifying them with some sniffer [can ssldump check
MACs?].

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
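
The independent MAC check suggested in the reply above, as an added example that is not part of the original thread: it recomputes the TLS 1.0 record MAC (RFC 2246, HMAC-SHA1 suites; SSLv3 uses a different construction) over a decrypted record and reports the expected and received values. It assumes the MAC write secret has been dumped from one endpoint; the secret, sequence numbers and record are constructed sample data, and `record_mac`, `check_record` and `diagnose` are hypothetical helper names.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for the HMAC-SHA1 suites


def record_mac(mac_secret, seq_num, content_type, version, fragment):
    """TLS 1.0 record MAC: HMAC over seq_num || type || version || length || data."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


def check_record(mac_secret, seq_num, content_type, version, plaintext):
    """Check a decrypted, unpadded record laid out as fragment || MAC.

    Returns (ok, expected_hex, received_hex) so both values can be logged.
    """
    if len(plaintext) < MAC_LEN:
        return False, "", plaintext.hex()
    fragment, received = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
    expected = record_mac(mac_secret, seq_num, content_type, version, fragment)
    ok = hmac.compare_digest(expected, received)
    return ok, expected.hex(), received.hex()


def diagnose(mac_secret, seq_num, content_type, version, plaintext, window=2):
    """Classify a record as 'ok', 'seq-mismatch:<n>' or 'bad-mac'.

    A MAC that verifies under a neighbouring sequence number means the two
    sides disagree on the record count (lost, duplicated or reordered record),
    not that the bytes were corrupted.
    """
    if check_record(mac_secret, seq_num, content_type, version, plaintext)[0]:
        return "ok"
    for n in range(max(0, seq_num - window), seq_num + window + 1):
        if n != seq_num and check_record(
                mac_secret, n, content_type, version, plaintext)[0]:
            return "seq-mismatch:%d" % n
    return "bad-mac"


# Constructed sample data (not taken from any real session).
SAMPLE_SECRET = bytes(range(20))          # MAC write secret from one endpoint
SAMPLE_VERSION = (3, 1)                   # TLS 1.0
APPLICATION_DATA = 23                     # record content type
SAMPLE_FRAGMENT = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_RECORD = SAMPLE_FRAGMENT + record_mac(
    SAMPLE_SECRET, 5, APPLICATION_DATA, SAMPLE_VERSION, SAMPLE_FRAGMENT)

if __name__ == "__main__":
    damaged = bytes([SAMPLE_RECORD[0] ^ 0x01]) + SAMPLE_RECORD[1:]
    for label, seq, rec in (("intact", 5, SAMPLE_RECORD),
                            ("receiver one ahead", 6, SAMPLE_RECORD),
                            ("flipped bit", 5, damaged)):
        ok, expected, received = check_record(
            SAMPLE_SECRET, seq, APPLICATION_DATA, SAMPLE_VERSION, rec)
        print(label, diagnose(SAMPLE_SECRET, seq, APPLICATION_DATA,
                              SAMPLE_VERSION, rec))
        print("  expected", expected)
        print("  received", received)
```

Logging both hex values on client and server for the failing record shows which side computed a different MAC, and a `seq-mismatch` result narrows the cause to record counting rather than damaged bytes.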