RE: HTTPS
Hi! It's the same as using plain connection... The difference is that the connection between client and server is encrypted...

Uro Gaber
PowerCom Gaber Globocnik d.n.o.
http://www.powercom-si.com
eMail: [EMAIL PROTECTED]
Tel: 01/724-84-26 -- +386-1-7248426
Fax: 01/724-84-27 -- +386-1-7248427

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 27, 2001 3:14 AM
To: [EMAIL PROTECTED]
Subject: HTTPS

hi, i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux.

______________________________________________________________________
OpenSSL Project                          http://www.openssl.org
User Support Mailing List                [EMAIL PROTECTED]
Automated List Manager                   [EMAIL PROTECTED]
RE: Illegal characters ASN.1 type
Underscore is not a valid character for PRINTABLESTRING's, however it is for IA5STRING. It seems that keytool has encoded the component of the name that contains the underscore as a PRINTABLESTRING, and therefore has produced an illegal ASN.1 encoding. Perhaps you should avoid using the underscore.

-----Original Message-----
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Friday, April 27, 2001 5:14 PM
To: [EMAIL PROTECTED]
Subject: Illegal characters ASN.1 type

I'm using Java keytool to generate my certificate request and then openssl to sign the certs. If I use the underscore character ( _ ) when the keytool asks for the DN, I get an error when I try to sign for this DN with openssl. The error is:

The string contains characters that are illegal for the ASN.1 type.

Is there a way to avoid this ?? Some of the machines I want to sign certs for have a _ in the name. I'm not able to sign certs for these ??

Thanx in advance
Shobhit
Tata Consultancy Services www.tcs.com
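Added example (not keytool's or OpenSSL's code): the character-set rule from the reply above as a C check that locates the character making a PrintableString illegal and picks a string type that can carry it. Function names and host names are constructed for illustration; the block goes slightly beyond the reply by covering DirectoryString attributes, which in RFC 2459 have no IA5String alternative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_UTF8STRING      0x0c
#define TAG_PRINTABLESTRING 0x13
#define TAG_IA5STRING       0x16

/* PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ? */
static int is_printable_char(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && strchr(" '()+,-./:=?", c) != NULL;
}

/* Index of the first character not allowed in a PrintableString, or -1 if none. */
int first_illegal_printable(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++)
        if (!is_printable_char((unsigned char)s[i]))
            return (int)i;
    return -1;
}

/* IA5String is 7-bit ASCII, so '_' and '@' are legal there. */
int is_ia5(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++)
        if ((unsigned char)s[i] >= 0x80)
            return 0;
    return 1;
}

/* Type for a DirectoryString attribute (CN, O, OU, ...): PrintableString when
 * the alphabet allows it, otherwise UTF8String. IA5String is not a
 * DirectoryString choice; it is used by attributes such as emailAddress. */
int directory_string_tag_for(const char *s)
{
    return first_illegal_printable(s) < 0 ? TAG_PRINTABLESTRING : TAG_UTF8STRING;
}

/* DER-encode s under tag (short-form length only, fewer than 128 bytes).
 * Returns bytes written, or 0 if the tag's alphabet cannot hold s.
 * Assumption: input passed with TAG_UTF8STRING is already valid UTF-8. */
size_t der_encode_string(int tag, const char *s, uint8_t *out, size_t cap)
{
    size_t len = strlen(s);
    if (len > 127 || cap < len + 2) return 0;
    if (tag == TAG_PRINTABLESTRING && first_illegal_printable(s) >= 0) return 0;
    if (tag == TAG_IA5STRING && !is_ia5(s)) return 0;
    if (tag != TAG_PRINTABLESTRING && tag != TAG_IA5STRING && tag != TAG_UTF8STRING)
        return 0;
    out[0] = (uint8_t)tag;
    out[1] = (uint8_t)len;
    memcpy(out + 2, s, len);
    return len + 2;
}

int main(void)
{
    /* Constructed sample names, not taken from the thread. */
    const char *names[] = { "build-host01", "build_host01", "ops@example" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int bad = first_illegal_printable(names[i]);
        printf("%-14s first illegal index=%d ia5=%d directory tag=0x%02x\n",
               names[i], bad, is_ia5(names[i]), directory_string_tag_for(names[i]));
    }
    return 0;
}
```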
Re: unsupported certificate alert
On Thu, Apr 26, 2001 at 03:02:35PM -0400, George Lind wrote:
> I am having a problem with the server I wrote, which is doing client authentication. The server is getting the following error on the SSL_accept() call:
> 140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned.
> According to my tracing both the client and the server are presenting their certificates. The server is sending back the following to the client: 15 03 00 00 02 02 2e which I believe is an unsupported certificate alert. Both my client and server are using certificates issued by thawte. They both have thawte as their trusted certificate authority.

The error message on the server is generated in s3_srvr.c:

    i=ssl_verify_cert_chain(s,sk);
    if (!i)
        {
        al=ssl_verify_alarm_type(s->verify_result);
        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
        goto f_err;
        }

Therefore this error is listed, when the verification of the certificate failed for whatever reason. You can use the verify_callback() to check out the reason in detail and override the decision (if verify_callback() returns 0 for any test, the situation you describe will occur). Check out the manual page for SSL_CTX_set_verify() and/or the examples in s_cb.c on how to use verify_callback().

According to s3_srvr.c, SSL_AD_UNSUPPORTED_CERTIFICATE is the default error message sent when no other reason applies, so you have to use verify_callback() to find out what is going on.

Hint: use s_server and/or s_client with the certificates you have. They have a quite narrative verify_callback() built in, so you can easily check your certificates. Of course, openssl verify may also be helpful.

Best regards,
    Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
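Added example, not part of the original messages or of OpenSSL: a small C decoder for the seven record bytes quoted in the message above (15 03 00 00 02 02 2e), using the alert numbers from the SSL 3.0/TLS specifications. The names parse_alert_record and alert_name are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded SSLv3/TLS alert record. */
struct tls_alert {
    uint16_t version;      /* 0x0300 = SSL 3.0, 0x0301 = TLS 1.0, ... */
    uint8_t  level;        /* 1 = warning, 2 = fatal */
    uint8_t  description;  /* alert number from the protocol specification */
};

/* A subset of the alert numbers, including all certificate-related ones. */
static const char *alert_name(uint8_t d)
{
    switch (d) {
    case 0:  return "close_notify";
    case 10: return "unexpected_message";
    case 20: return "bad_record_mac";
    case 40: return "handshake_failure";
    case 41: return "no_certificate";          /* SSL 3.0 only */
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 47: return "illegal_parameter";
    default: return "other";
    }
}

/* Parse one unencrypted alert record from buf[0..n).
 * Returns 0 on success, -1 if the bytes are not a well-formed plaintext alert.
 * Alerts sent after ChangeCipherSpec are encrypted and longer than 2 bytes,
 * so they are rejected here; an alert sent while the client certificate is
 * being processed is still in the clear. */
int parse_alert_record(const uint8_t *buf, size_t n, struct tls_alert *out)
{
    if (n < 7) return -1;                            /* 5-byte header + 2-byte body */
    if (buf[0] != 0x15) return -1;                   /* content type 21 = alert */
    if (buf[1] != 0x03) return -1;                   /* protocol major version 3 */
    if ((((unsigned)buf[3] << 8) | buf[4]) != 2) return -1;
    if (buf[5] != 1 && buf[5] != 2) return -1;       /* warning or fatal */
    out->version = (uint16_t)(((unsigned)buf[1] << 8) | buf[2]);
    out->level = buf[5];
    out->description = buf[6];
    return 0;
}

/* The record bytes exactly as quoted in the message. */
static const uint8_t QUOTED_RECORD[] = { 0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x2e };

int main(void)
{
    struct tls_alert a;
    if (parse_alert_record(QUOTED_RECORD, sizeof QUOTED_RECORD, &a) != 0) {
        puts("not a plaintext alert record");
        return 1;
    }
    printf("version %u.%u level=%s description=%u (%s)\n",
           (unsigned)(a.version >> 8), (unsigned)(a.version & 0xff),
           a.level == 2 ? "fatal" : "warning",
           (unsigned)a.description, alert_name(a.description));
    return 0;
}
```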
Re: HTTPS
From: Vadim Fedukovich [EMAIL PROTECTED]
> w3c-wwwlib from www.w3c.org

wwwlib examples don't work with https, all i found was this: http://www.w3.org/Library/src/SSL/WWWSSL.html ( Because US regulations on encryption .. )

i'd be really happy if someone just told me how to fix OpenSSL demos/bio example:

cc -I../../include sconnect.c -L../.. -lssl -lcrypto
../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.o(.text+0x99): undefined reference to `dlopen'
dso_dlfcn.o(.text+0xa8): undefined reference to `dlopen'
dso_dlfcn.o(.text+0xfd): undefined reference to `dlclose'
../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.o(.text+0x1a3): undefined reference to `dlsym'
../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.o(.text+0x253): undefined reference to `dlsym'
../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.o(.text+0x332): undefined reference to `dlclose'

> i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux.
Re: HTTPS
One example of how to get https or http is simply in the code of ocsp.c in the apps directory. The apps/ocsp.c code initialized optionally a normal or ssl connection. Then you just send your http data stream into it.

if you want to add proxy support for ssl: Use the proxy host instead, and add a SSL_do_connect before adding the sbio, and then send a CONNECT host:port HTTP/1.0 and read the answer until a double new line, then push the sbio and do the handshake as is.

> wwwlib examples don't work with https, all i found was this: http://www.w3.org/Library/src/SSL/WWWSSL.html ( Because US regulations on encryption .. )
>
> i'd be really happy if someone just told me how to fix OpenSSL demos/bio example:
>
> cc -I../../include sconnect.c -L../.. -lssl -lcrypto
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
> dso_dlfcn.o(.text+0x99): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0xa8): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0xfd): undefined reference to `dlclose'
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
> dso_dlfcn.o(.text+0x1a3): undefined reference to `dlsym'
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
> dso_dlfcn.o(.text+0x253): undefined reference to `dlsym'
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
> dso_dlfcn.o(.text+0x332): undefined reference to `dlclose'
>
> > i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux.
OpenLDAP
Dear all,

Instead of using RedHat 7.1 openldap rpm, I wanna build the program by source:

program used:
- openssl-0.9.6a
- openldap-2.0.7

I am using the following config:

# env CPPFLAGS=-I/usr/local/ssl/include LIBS=-L/usr/local/ssl/lib \
  ./configure --with-tls -with-cyrus-sasl --with-ldbm-api=gdbm \
  --enable-shell -enable-wrappers --enable-crypt --enable-cleartext
# make depend
# make

After the make, it shows the following error:

/usr/bin/ld: cannot find -lssl
collect2: ld returned 1 exit status
make[2]: *** [libldap.la] Error 1
make[2]: Leaving directory `/usr/src/openldap-2.0.7/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/usr/src/openldap-2.0.7/libraries'
make: *** [all-common] Error 1

What am I doing wrong? How can I fix it? Many thanks in advance.

---
Regards,
Chris Lee
no shared ciphers ?
Hi,

Can anyone help me solving the following problem.

Case I : I have a SSL server and SSL client program. I am able to communicate between SSL Server and SSL Client perfectly using the certificates created in Linux box.

Case II : When I use ' openSSL's s_server ' listening at a port, HTTPS request comes perfectly from IE and this server was able to write to requested page.

Case III : But the problem comes when I try to connect the SSL server ( The same SSL server program which I used for communication in Case I) from IE using the url https://server's-ip-address:port/ where "server's-ip-address " is where the server is listening in the specified "port". When I try the above step I got the following error

" 1341:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:769: "

I think this error is because the client and server are not sharing a compatible ciphers. I have added the default ciphers in the server program using the following SSL function

" SSL_set_cipher_list(ssl,SSL_DEFAULT_CIPHER_LIST) "

I have loaded the "root certificate " in the browser. Server is using the certificate authenticated by this "root certificate".

Please let me know how to proceed.

with regards,
Siva K.
Re: no shared ciphers ?
Please don't send me personal copies. The list is the best place to go.

On Fri, Apr 27, 2001 at 05:27:52PM +0530, Siva wrote:
> Case I : I have a SSL server and SSL client program. I am able to communicate between SSL Server and SSL Client perfectly using the certificates created in Linux box.

What cipher is being used?

> Case II : When I use ' openSSL's s_server ' listening at a port, HTTPS request comes perfectly from IE and this server was able to write to requested page.

What cipher is being used? OpenSSL s_server will give you a list of the ciphers proposed by IE.

> Case III : But the problem comes when I try to connect the SSL server ( The same SSL server program which I used for communication in Case I) from IE using the url https://server's-ip-address:port/ where server's-ip-address is where the server is listening in the specified port. When I try the above step I got the following error
> 1341:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:769:

Use openssl s_client to connect to the server and see whether this succeeds. What cipher is being used, in case it works? Then check out, what ingredients (support of cipher; type of certificate; DH-parameters?) might be missing.

Best regards,
    Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: Stronger SSL Encryption
Francis DeLaMaza wrote:
> Greg,
>
> Based on what I've discovered so far, and your feedback, it seems that the best approach is to tweak the default key length of the RC4/SHA ciphersuite. This cipher method comes standard under SSL v3/TLS1 at 56-bit and 128-bit functionality. It doesn't seem that it should take much more than a modification to the default key-length of these particular cryptosuites. After which the modified openSSL could then be used to drive the apache secureserver and konqueror browser to complete the two ends of the communication. I'm sure, that one of the developers of openSSL would know exactly where to make the surgical modifications that would allow for this functionality. Does this make sense, or am I overlooking something?

Well the key sizes are fixed in the TLS/SSL standards. If you change them the server and client is broken and no longer compliant.

You can't just use a new cipher with a different keysize because it won't have a standard number assigned to it.

You could use an experimental ciphersuite number for a new ciphersuite which would then only interop with something that uses the same experimental number.

AES (the Advanced Encryption Standard: a symmetric cipher) already supports keys sizes of 192 and 256 bits and is supported in the development version of OpenSSL.

However the question remains: why would you need anything larger than 128 bits?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: My Cert cannot work in openssl environment??
> 1. It uses the (deprecated) subjectUniqueID field, there's nothing strictly speaking wrong with that but it is a BIT STRING used to wrap another structure, specifically:
>
>     0:d=0 hl=2 l= 28 cons: SEQUENCE
>     2:d=1 hl=2 l= 5 prim: OBJECT:1.2.886.1.1
>     9:d=1 hl=2 l= 19 cons: cont [ 0 ]
>    11:d=2 hl=2 l= 17 prim: IA5STRING :34700N@TEST00
>
> again there's nothing strictly speaking wrong with that but it is encoded incorrectly. The structure starts at the first BIT STRING content octet which is actually the number of unused bits. It's for this reason that the OpenSSL signature is failing. If it had followed the normal rules and set the number of unused bits to 0 and followed that by this structure I suspect all would be well as far as the signature is concerned.
>
> 2. The root CA has the following extensions:
>
>     X509v3 extensions:
>         X509v3 Key Usage:
>             Certificate Sign, CRL Sign
>         X509v3 Basic Constraints:
>             CA:FALSE, pathlen:1
>         X509v3 Subject Alternative Name:
>             0...0...*.v..CA001
>
> Key Usage says it's a CA certificate, Basic Constraints says it isn't a CA certificate and the pathlen parameter is set which is illegal if CA is FALSE. Even if the signature verified OK software would be justified in rejecting the certificate on these grounds alone.
>
> 3. The SubjectAltName extension above looks a bit odd and for good reason. It is not encoded properly and the weird output is it just printing out the encoding because it couldn't parse it. The structure in there looks like this:
>
>     0:d=0 hl=2 l= 32 cons: SEQUENCE
>     2:d=1 hl=2 l= 30 cons: cont [ 0 ]
>     4:d=2 hl=2 l= 28 cons: SEQUENCE
>     6:d=3 hl=2 l= 5 prim: OBJECT:1.2.886.1.1
>    13:d=3 hl=2 l= 19 cons: cont [ 0 ]
>    15:d=4 hl=2 l= 17 prim: IA5STRING :34700N@TEST03
>
> From RFC2459:
>
>     SubjectAltName ::= GeneralNames
>
>     GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>
>     GeneralName ::= CHOICE {
>          otherName                 [0] OtherName,
>          rfc822Name                [1] IA5String,
>          dNSName                   [2] IA5String,
>          x400Address               [3] ORAddress,
>          directoryName             [4] Name,
>          ediPartyName              [5] EDIPartyName,
>          uniformResourceIdentifier [6] IA5String,
>          iPAddress                 [7] OCTET STRING,
>          registeredID              [8] OBJECT IDENTIFIER}
>
>     OtherName ::= SEQUENCE {
>          type-id    OBJECT IDENTIFIER,
>          value      [0] EXPLICIT ANY DEFINED BY type-id }
>
> The SEQUENCE OF bit accounts for the outer SEQUENCE. Then we have what should be otherName (as specified by the [0] tag) however because it's IMPLICIT tagging by default the following SEQUENCE shouldn't be there. I suspect that this is because it has been incorrectly encoded to use EXPLICIT tagging.
>
> Steve.
> --

Thanks for Steve's help. We will modify our bug following your opinion. :)

Best Regards.
Philip.
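Added example, not from the original messages or from OpenSSL: a minimal DER reader in C applied to points 1 and 3 of the analysis above, checking the unused-bits octet of a BIT STRING and telling an IMPLICIT [0] otherName from one wrongly wrapped in an extra SEQUENCE. The byte arrays are constructed samples that reuse the OID 1.2.886.1.1 from the dumps; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded DER element: identifier octet, content pointer, content length. */
struct tlv { uint8_t tag; const uint8_t *val; size_t len; };

/* Read one element from buf[0..n). Returns bytes consumed, 0 if malformed.
 * Supports single-octet tags and minimal definite lengths up to 0xFFFF. */
static size_t der_read(const uint8_t *buf, size_t n, struct tlv *out)
{
    size_t hl = 2, len;
    if (n < 2 || (buf[0] & 0x1f) == 0x1f) return 0;
    if (buf[1] < 0x80) {
        len = buf[1];
    } else if (buf[1] == 0x81 && n >= 3 && buf[2] >= 0x80) {
        len = buf[2]; hl = 3;
    } else if (buf[1] == 0x82 && n >= 4 && buf[2] != 0) {
        len = ((size_t)buf[2] << 8) | buf[3]; hl = 4;
    } else {
        return 0;                       /* indefinite, non-minimal or oversized */
    }
    if (len > n - hl) return 0;
    out->tag = buf[0]; out->val = buf + hl; out->len = len;
    return hl + len;
}

/* Point 1: the first content octet of a BIT STRING is the unused-bits count.
 * Accepts the universal tag 0x03 and the IMPLICIT [1]/[2] tags used for
 * issuerUniqueID/subjectUniqueID. Returns the count (0..7) or -1 if invalid. */
int bitstring_unused_bits(const uint8_t *der, size_t n)
{
    struct tlv bs;
    if (!der_read(der, n, &bs)) return -1;
    if (bs.tag != 0x03 && bs.tag != 0x81 && bs.tag != 0x82) return -1;
    if (bs.len == 0 || bs.val[0] > 7) return -1;
    if (bs.len == 1 && bs.val[0] != 0) return -1;   /* empty string: 0 unused bits */
    return bs.val[0];
}

enum { OTHERNAME_MALFORMED = -1, OTHERNAME_IMPLICIT = 0, OTHERNAME_EXPLICIT_WRAPPED = 1 };

/* Point 3: inspect the first GeneralName of a SubjectAltName value. With
 * IMPLICIT tagging, [0] replaces the SEQUENCE tag of OtherName, so the OID
 * must come directly inside [0]; an inner SEQUENCE means EXPLICIT was used. */
int classify_othername(const uint8_t *ext, size_t n)
{
    struct tlv names, gn, first, oid;
    if (!der_read(ext, n, &names) || names.tag != 0x30) return OTHERNAME_MALFORMED;
    if (!der_read(names.val, names.len, &gn) || gn.tag != 0xa0) return OTHERNAME_MALFORMED;
    if (!der_read(gn.val, gn.len, &first)) return OTHERNAME_MALFORMED;
    if (first.tag == 0x06) return OTHERNAME_IMPLICIT;
    if (first.tag == 0x30 && der_read(first.val, first.len, &oid) && oid.tag == 0x06)
        return OTHERNAME_EXPLICIT_WRAPPED;
    return OTHERNAME_MALFORMED;
}

/* Constructed sample: OID 1.2.886.1.1, then [0] EXPLICIT IA5String "test". */
#define OTHERNAME_BODY 0x06,0x05,0x2a,0x86,0x76,0x01,0x01, \
                       0xa0,0x06,0x16,0x04,'t','e','s','t'

static const uint8_t SAN_IMPLICIT[] = { 0x30,0x11, 0xa0,0x0f, OTHERNAME_BODY };
static const uint8_t SAN_EXPLICIT[] = { 0x30,0x13, 0xa0,0x11, 0x30,0x0f, OTHERNAME_BODY };
static const uint8_t UID_OK[]  = { 0x82,0x12, 0x00, 0x30,0x0f, OTHERNAME_BODY };
static const uint8_t UID_BAD[] = { 0x82,0x11, 0x30,0x0f, OTHERNAME_BODY };

int main(void)
{
    printf("SAN implicit  -> %d\n", classify_othername(SAN_IMPLICIT, sizeof SAN_IMPLICIT));
    printf("SAN explicit  -> %d\n", classify_othername(SAN_EXPLICIT, sizeof SAN_EXPLICIT));
    printf("uniqueID ok   -> %d\n", bitstring_unused_bits(UID_OK, sizeof UID_OK));
    printf("uniqueID bad  -> %d\n", bitstring_unused_bits(UID_BAD, sizeof UID_BAD));
    return 0;
}
```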
Re: unsupported certificate alert
Within the verify callback function X509_STORE_CTX_get_error(ctx) returns a 26 which is unsupported certificate purpose. The callback function then checks the verify depth. Since this is within the depth range the certificate is OK. What exactly does that error message mean and why is the certificate considered OK?

Thanks,
George
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Situation: Need to be able to generate Client Certificates for users in order to use SSLVerifyClient 2. I cannot successfully connect the first user to the server (after I figure out how to connect first client, the rest will be easy)

Here are the details:

Apache/1.3.19 Ben-SSL/1.42 (Unix)
OpenSSL 0.9.6a
SunOS 5.6

SSL directives from httpd.conf:

# SSL configs
SSLEnable
SSLCacheServerPort 12345
SSLCacheServerPath bin/gcache
SSLSessionCacheTimeout 3600
SSLCertificateFile /some/path/to/certs/new.cert.cert
SSLCertificateKeyFile /some/path/to/certs/new.cert.key
SSLCACertificatePath /some/path/to/certs
SSLVerifyClient 2
SSLVerifyDepth 1

Created test certificate for the server from the http://www.apache-ssl.org/#FAQ

openssl req -new > new.cert.csr
openssl rsa -in privkey.pem -out new.cert.key
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

Then did the following from http://www.drh-consultancy.demon.co.uk/pkcs12faq.html#nsissues

CA.pl -newca
CA.pl -newreq
CA.pl -signreq
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -name "MY CERTIFICATE" -out mycert.p12

imported mycert.p12 into Netscape 4.72.

Security - Certificates - Yours : Verified MY CERTIFICATE OK
Security - Certificates - Signers : Verified the test signer

I get the following from Netscape:

The site webserver has requested client authentication, but you do not have a Personal Certificate to authenticate yourself. The site may choose not to give you access without one

Click OK

Netscape: Error
An I/O error occurred during security authorization. Please try your connection again

httpsd_error_log:

[Fri Apr 27 09:06:09 2001] [error] SSL_accept failed
[Fri Apr 27 09:06:09 2001] [error] error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

I believe I am missing one very vital piece of information in order to make this work. Please help.

Roger Vandenberg
Nortel Networks
2745 Iris Street, Ottawa, Canada
mailto:[EMAIL PROTECTED]
(613) 763 8543
Re: Stronger SSL Encryption
Hi,

> Well the key sizes are fixed in the TLS/SSL standards. If you change them the server and client is broken and no longer compliant.

True. But just to test the proof of concept, it would be O.K.

> You could use an experimental ciphersuite number for a new ciphersuite which would then only interop with something that uses the same experimental number.

This was mentioned by Greg as the appropriate place for such experimental ciphersuites. The exact approach to its execution is not clear to me at this point though. :(

> AES (the Advanced Encryption Standard: a symmetric cipher) already supports keys sizes of 192 and 256 bits and is supported in the development version of OpenSSL.

OH! I will look into this right away. It sounds as if it could save me a heck of a lot of time. Any disadvantages to AES? Who is developing it? Opensource?

> However the question remains: why would you need anything larger than 128 bits?

I don't understand why this is a question. To me, it is obvious, that if a project is underway for such a standard (AES), there already exists a need.
Re: unsupported certificate alert
On Fri, Apr 27, 2001 at 09:51:07AM -0400, George Lind wrote:
> Within the verify callback function X509_STORE_CTX_get_error(ctx) returns a 26 which is unsupported certificate purpose. The callback function than checks the verify depth. Since this is within the depth range the certificate is OK. What exactly does that error message mean and why is the certificate considered OK.

The default verify_callback returns 1 and thus indicates "continue with the verification process". The error 26 is however still saved for the error code and can be queried after the handshake with SSL_get_verify_result(). Please check out the SSL_CTX_set_verify() manual page with its included verify_callback() example for alternative behaviour (hard failure).

"unsupported certificate purpose" means, that the certificate presented does not match the specified purpose. Consider Thawte giving you a certificate for an SSL server. If you are going to use this certificate for an SSL client, you will get this error.

Best regards,
    Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
PKCS#7 support in openssl-0.9.6a
Hi,

Is there any documentation about the pkcs#7 support in openssl? Any help is much more appreciated.

Thanks
Aslam
deadlock
Hi,

I've written a small test program to experiment with OpenSSL and have come across a deadlock. The deadlock occurs when I invoke the SSL_use_PrivateKey_file twice for two different SSL* objects. The deadlock occurs on the second call to SSL_use_PrivateKey_file.

I'm using OpenSSL v0.9.5a on MacOSX Final Candidate and I've implemented the locking callback using the pthread library.

Does anyone have experience with deadlocks or know where the locking callback is called for SSL_use_PrivateKey_file?

Thanks,
Rob
Re: PKCS#7 support in openssl-0.9.6a
Aslam,

Is this what you are looking for? http://www.openssl.org/docs/apps/pkcs7.html#

----- Original Message -----
From: Aslam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, April 28, 2001 1:08 AM
Subject: PKCS#7 support in openssl-0.9.6a

Hi,

Is there any documentation about the pkcs#7 support in openssl? Any help is much more appreciated.

Thanks
Aslam
Technical solution about smart card readers and Openssl?
Hello,

I would like to know if anybody can help me about using smart card readers with an openssl based web application. I want to generate the keys in the smart card (client computer), transmit a certificate signed request to my CA server that signs it automatically and import it back into the smart card, and I wonder how it works with Windows. I find a Smart card enrollment control (scrdenrl.dll) but only for 2K. Is there any other solution (without using PKCS12 file) to manage the smart card store?

Your help will be much appreciated.

Maxime DUBOIS
Re: HTTPS
On Tue, Feb 27, 2001 at 12:05:36PM +0100, [EMAIL PROTECTED] wrote:
> wwwlib examples don't work with https, all i found was this: http://www.w3.org/Library/src/SSL/WWWSSL.html ( Because US regulations on encryption .. )
>
> i'd be really happy if someone just told me how to fix OpenSSL demos/bio example:
>
> cc -I../../include sconnect.c -L../.. -lssl -lcrypto
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
> dso_dlfcn.o(.text+0x99): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0xa8): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0xfd): undefined reference to `dlclose'
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
> dso_dlfcn.o(.text+0x1a3): undefined reference to `dlsym'
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
> dso_dlfcn.o(.text+0x253): undefined reference to `dlsym'
> ../../libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
> dso_dlfcn.o(.text+0x332): undefined reference to `dlclose'

These symbols are in libdl, so you need to add -ldl to the end of the link line, like this:

cc -I../../include sconnect.c -L../.. -lssl -lcrypto -ldl

Cheers,
Nalin
Re: Technical solution about smart card readers and Openssl?
Hello Maxime,

With MS you can do it using xenroll.dll and with Netscape you use keygen to generate keys on the card.

In MS you have to get a list of available CSP's also using xenroll, and then user just has to choose the right csp and then they press enter and the card does the rest.

It's a very similar process to generating keys using soft certs.

Oliver

----- Original Message -----
From: Maxime Dubois [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 29, 2001 2:26 AM
Subject: Technical solution about smart card readers and Openssl?

Hello,

I would like to know if anybody can help me about using smart card readers with an openssl based web application. I want to generate the keys in the smart card (client computer), transmit a certificate signed request to my CA server that signs it automatically and import it back into the smart card, and I wonder how it works with Windows. I find a Smart card enrollment control (scrdenrl.dll) but only for 2K. Is there any other solution (without using PKCS12 file) to manage the smart card store?

Your help will be much appreciated.

Maxime DUBOIS
RE: PKCS#7 support in openssl-0.9.6a
Hi,

No I'm looking for some the docs of pkcs#7 functions exported by openssl. Thanks any way..

Aslam

-----Original Message-----
From: Oliver Bode [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 27, 2001 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: PKCS#7 support in openssl-0.9.6a

Aslam,

Is this what you are looking for? http://www.openssl.org/docs/apps/pkcs7.html#

----- Original Message -----
From: Aslam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, April 28, 2001 1:08 AM
Subject: PKCS#7 support in openssl-0.9.6a

Hi,

Is there any documentation about the pkcs#7 support in openssl? Any help is much more appreciated.

Thanks
Aslam
The AES question (was Re: Stronger SSL Encryption)
----- Original Message -----
From: Francis DeLaMaza [EMAIL PROTECTED]
> BTW, what is AES?

----- Original Message -----
From: Francis DeLaMaza [EMAIL PROTECTED]
> Any disadvantages to AES? Who is developing it? Opensource?

AES is the soon to be government standard titled Advanced Encryption Algorithm, it has become commonplace to use the term AES to refer to a cipher that is actually named Rijndael. The name change will only be complete after the FIPS is published. It is a 128-bit block cipher, supporting keys of 128/192/256 bits. Because the cipher is Rijndael it also supports block and key sizes that are any multiple of 32-bits, but only 128x128/192/256 will be the official standard. Originally created in Europe for the AES competition, by Joan Daemen and Vincent Rijmen. Rijndael benefits a large body of attack knowledge from Square. And the specification can be found from http://csrc.nist.gov/encryption/aes/rijndael/ along with a significant body of information.

As with any recent cipher its security is in question. However Rijndael has survived 2+ years of intense public scrutiny, of the final 5 it was chosen because it was fastest. The other 4 were MARS, Twofish, RC6, and Serpent. General consensus was that the only real competitors were Twofish, Serpent, and Rijndael. Of these Rijndael was universally fast, and the most well balanced cipher. However of the 3 that were identified as real competitors, Rijndael has the smallest security margin, and is believed to be the weakest. This makes no difference because with all 3 contending finalists, in fact with all the finalists there are no attacks better than brute-force known.

In spite of this it is worth noting that during the final AES conference the developers for each algorithm were asked barring their own cipher which cipher they would like to see as AES. With the obvious exception of the Rijndael team every team stated they would like to see Rijndael crowned.

Joe
Ocotillo PRNG
I'd like to use the Ocotillo (http://ocotillo.sourceforge.net) PRNG with OpenSSL, but it is failing when I do the make test in the randtest module. Ocotillo creates a named pipe at /dev/urandom but if OpenSSL is treating it like a character device it may not work correctly. I'm out of my depth here, but I'm hoping that somebody will be able to help me out. I'm not a C programmer, but I've been a programmer for the past 28 years and I am currently a Unix system administrator, so fire away!

Any help anybody (OpenSSL developers?) can give would be wonderful!

(Note: Please cc my email address: mailto:[EMAIL PROTECTED] )

Jerel Crosland
21st Century Insurance
Unix Level 2 Support
(818)704-3187
OpenSSL in embedded environment
Has anyone had any experience with OpenSSL in an embedded environment? I'm trying to trim libcrypto.a and libssl.a down to a reasonable size for an embedded project. I've turned off all but the few ciphers that I need, and that only trimmed off about 200kB. (The ciphers that I kept are des, rsa, md5, and sha.) I'd like to get both of those libraries to be much smaller. Any suggestions?
Re: HTTPS
> hi, i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux.
perl+ Net::SSLeay
[EMAIL PROTECTED]
Re: HTTPS
Michael wrote:
> > hi, i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux.
> perl+ Net::SSLeay
I'm not sure I understand your question. Examples of doing this in my application are in the files HTTPing.pm and ATLSS.pm, and they both use Net::SSLeay. Please feel free to peruse this and ask me questions about it. I'll attach a tarball of a recent installation of FuncRegr. If you extract it, then look in the plibs directory for the aforementioned source files, you'll see what I do to run the security procedures in the various password cases. There are also some examples in files called sh-bin/*hhack.pl, but these are very stale, so you can't depend on them working anymore, but they are close.
> [EMAIL PROTECTED]
--
Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno)
largest bottleneck
First post here, please cut me some slack. I'm doing some research on SSL and was looking for some help in regards to a question that might seem a bit obvious. I'm trying to locate the algorithms in openssl causing the largest bottlenecks (i.e. decryption of pre_master_secret). I'd greatly appreciate if someone could point me in the right direction as I start out digging through this source code. Thanks in advance.
Chris
Re: HTTPS
Michael wrote:
> > hi, i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux.
> perl+ Net::SSLeay
> [EMAIL PROTECTED]
My mistake. I guess I'm tired. I thought you were an internal Michael. Sorry. Here's some examples of code that I can pass on because it's basically stuff I got from someone else on this group: pstoev.pl is attached. Mr. Stoev is another contributor.
--
Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno)
Attachment: pstoev.pl
VMS problems
Hi,
I tried to build version 0.9.6 on an OpenVMS Alpha Operating System, Version V7.1. Having unpacked the openssl 0.9.6 tar ball, I tried to build the package in stages.
@MAKEVMS OPTION NORSAREF NODEBUG
config, buildinf, and softlink stages all went well. The crypto library successfully built with one warning from the compilation of BSS_LOG.C. Then the build script started to build the crypto applications. The script got stuck in an infinite loop printing:
Compiling The PKCS7 Applications. (APPS,APPS)
ENC.c DEC.c SIGN.c VERIFY.c EXAMPLE.c ENC.exe
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
I killed the script execution and tried building the other executables with similar errors resulting. I seem to remember some limit on the number of objects inside a library but I don't know how to get around this problem. (A complete summary of the errors is attached to this message.) I am interested in running David Jones' SSH server for OpenVMS if I can successfully compile the needed libraries. Can anyone help?
Thanks and Best Regards,
Will
Openssl Version 0.9.6
CRYPTO
#pragma member_alignment __restore
^
%CC-W-ALIGNPOP, This restore has underflowed the member alignment's stack. No corresponding save was found. At line number 265 in OPCDEF.
%VCG-I-SUMMARY, Completed with 0 error(s), 1 warning(s), and 0 informational messages. At line number 394 in $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.CRYPTO.BIO]BSS_LOG.C;1.
%LIBRAR-W-COMCOD, compilation warnings in module BSS_LOG file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.OBJ.CRYPTO]BSS_LOG.OBJ;1
All Done...
Then it started to compile the applications...
Compiling The PKCS7 Applications. (APPS,APPS)
ENC.c DEC.c SIGN.c VERIFY.c EXAMPLE.c ENC.exe
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
This failed but then tried again. It seems it was caught in an infinite loop. So I killed the process.
ssl
Compiled with no errors
ssl_task
Creating SSL_TASK OSU HTTP SSL Engine.
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
%LINK-E-NOIMGFIL, image file not created
TEST
Building The MD5TEST Test Program.
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
%LINK-E-NOIMGFIL, image file not created
Building The HMACTEST Test Program.
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
%LINK-E-NOIMGFIL, image file not created
Building The SSLTEST Test Program.
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
%LINK-E-NOIMGFIL, image file not created
APPS
Building The OPENSSL Application Program.
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
%LINK-E-NOIMGFIL, image file not created
RE: VMS problems
It's always nice to hear you're not the only one. I had this same problem building 0.9.6a on OpenVMS 7.2 on a VAX w/ Multinet 4.3. To get it to stop I had to edit [.CRYPTO.MD5]MD5_DGST.C to comment out this line:
const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
I don't think it is a good answer, but it did compile after that and I'm up and running OSU's webserver (ver 3.9) using it.
-Bryan
Programmer/Webmaster
New Mexico Military Institute
http://www.nmmi.cc.nm.us
101 W College Blvd, Roswell NM 88201-5173
(505) 624-8110
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of William Hamish Bell
Sent: Friday, April 27, 2001 2:01 PM
To: [EMAIL PROTECTED]
Subject: VMS problems
Hi,
I tried to build version 0.9.6 on an OpenVMS Alpha Operating System, Version V7.1. Having unpacked the openssl 0.9.6 tar ball, I tried to build the package in stages.
@MAKEVMS OPTION NORSAREF NODEBUG
config, buildinf, and softlink stages all went well. The crypto library successfully built with one warning from the compilation of BSS_LOG.C. Then the build script started to build the crypto applications. The script got stuck in an infinite loop printing:
Compiling The PKCS7 Applications. (APPS,APPS)
ENC.c DEC.c SIGN.c VERIFY.c EXAMPLE.c ENC.exe
%LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image binary (%X to %X) in psect MD5_VERSION module MD5_DGST file $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
I killed the script execution and tried building the other executables with similar errors resulting. I seem to remember some limit on the number of objects inside a library but I don't know how to get around this problem. (A complete summary of the errors is attached to this message.) I am interested in running David Jones' SSH server for OpenVMS if I can successfully compile the needed libraries. Can anyone help?
Thanks and Best Regards,
Will
Re: HTTPS
> Michael wrote:
> > > hi, i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux.
> > perl+ Net::SSLeay
> My mistake. I guess I'm tired. I thought you were an internal Michael. Sorry. Here's some examples of code that I can pass on because it's basically stuff I got from someone else on this group:
That's OK, I was answering the original poster's question :-) about easy use of HTTPS
Michael
[EMAIL PROTECTED]
Re: VMS problems
From: William Hamish Bell [EMAIL PROTECTED]
wbell> %LINK-E-OUTSIMG, attempted store location %X000504E0 is outside image
wbell> binary (%X
wbell> to %X)
wbell> in psect MD5_VERSION module MD5_DGST file
wbell> $1$DKB300:[CDF.BELL.OPENSSL-0_9_6.VAX.EXE.CRYPTO]LIBCRYPTO.OLB;1
That's happened to me once, but I can't remember the circumstances, because when I tried again, I had no problem... I think there was something about old stuff being in the .OLB file, but I'm not sure. And no, it's not a limit on the amount of object files. Anyhow, how about trying 0.9.6a instead?
wbell> I am interested in running David Jones' SSH server for OpenVMS if I can
wbell> successfully compile the needed libraries.
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: VMS problems
From: Bryan [EMAIL PROTECTED]
bryan> It's always nice to hear you're not the only one. I had this same problem
bryan> building 0.9.6a on OpenVMS 7.2 on a VAX w/ Multinet 4.3. To get it to stop
bryan> I had to edit [.CRYPTO.MD5]MD5_DGST.C to comment out this line:
bryan> const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
The other solution is to make it static. I remember that now. I'm quite surprised, however, that this doesn't happen for the other version strings...
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: Ocotillo PRNG
On Fri, Apr 27, 2001 at 11:33:25AM -0700, Crosland, Jerel (Contract) wrote:
> I'd like to use the Ocotillo (http://ocotillo.sourceforge.net) PRNG with OpenSSL, but it is failing when I do the make test in the randtest module. Ocotillo creates a named pipe at /dev/urandom but if OpenSSL is treating it like a character device it may not work correctly.
OpenSSL will only open() and read() from the file. Please run trace/strace/tusc/truss or whatever the system call tracer is called on your platform and see, whether the open() or the read() call fails and with which error. This already should give you a hint. As far as I have seen from the open() man-page, using a named pipe for this purpose is not very robust (it will fail for non-blocking behaviour: you cannot open a pipe for writing without a reading process, HP-UX 10.20) and I am not sure how this setup should work with several processes trying to read entropy at the same time.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
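As an added example (not part of the original message, and not OpenSSL or Ocotillo code), this C program checks the behaviour Lutz describes: it uses stat() to tell a FIFO from a character device, shows that a non-blocking open for writing fails with ENXIO while no reader exists, and that a non-blocking reader gets 0 bytes (end-of-file) while no writer exists. The function names and the scratch FIFO under /tmp are assumptions made for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* What kind of file sits at an entropy-source path (hypothetical names). */
enum src_kind { SRC_MISSING, SRC_CHARDEV, SRC_FIFO, SRC_OTHER };

enum src_kind classify_source(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return SRC_MISSING;
    if (S_ISCHR(st.st_mode))  return SRC_CHARDEV;  /* a kernel-provided device node */
    if (S_ISFIFO(st.st_mode)) return SRC_FIFO;     /* a named pipe, as in the thread */
    return SRC_OTHER;
}

/* Consumer side: open read-only without blocking and read up to n bytes.
 * Returns the byte count, or -errno on failure. */
long read_nonblocking(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -(long)errno;
    ssize_t got = read(fd, buf, n);
    long rc = (got < 0) ? -(long)errno : (long)got;
    close(fd);
    return rc;
}

/* Feeder side: 0 if a non-blocking open for writing succeeds, else errno. */
int writer_open_errno(const char *path)
{
    int fd = open(path, O_WRONLY | O_NONBLOCK);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Constructed fixture: a FIFO named "urandom" in a private scratch directory. */
int make_demo_fifo(char *out, size_t outlen)
{
    char dir[48];
    snprintf(dir, sizeof dir, "/tmp/fifo-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;          /* fails if the name already exists */
    snprintf(out, outlen, "%s/urandom", dir);
    return mkfifo(out, 0600);
}

int main(void)
{
    char path[64];
    unsigned char buf[16];
    if (make_demo_fifo(path, sizeof path) != 0) { perror("make_demo_fifo"); return 1; }
    printf("%s is a FIFO: %d\n", path, classify_source(path) == SRC_FIFO);
    printf("writer open with no reader: %s\n", strerror(writer_open_errno(path)));
    printf("reader with no writer got %ld bytes\n", read_nonblocking(path, buf, sizeof buf));
    printf("/dev/urandom is a character device: %d\n", classify_source("/dev/urandom") == SRC_CHARDEV);
    unlink(path);
    return 0;
}
```

A consumer that treats a 0-byte read as success ends up with no seed material, so checking for a character device before trusting an entropy path is a cheap guard.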
Computer Virus
Attention, your mail contains either a computer virus or one of the following attachment types: BAT, CHM, CMD, COM, CPL, EXE, HLP, INF, INS, ISP, JAR, JS, JSE, LNK, MDB, MDE, MSC, MSI, MSP, MST, OCX, PIF, PL, REG, SCR, SCT, SHB, SHS, VB, VBE, VBS, WSC, WSF, WSH. These types are not delivered to the final recipients. If you want to send one of these types, please encode them as ZIP or TAR files.
[EMAIL PROTECTED]
- Unsent message follows -
Date: Fri, 27 Apr 2001 13:05:31 -0700
From: Xeno Campanoli [EMAIL PROTECTED]
Organization: Aventail
To: [EMAIL PROTECTED]
Subject: Re: HTTPS
- Message body suppressed -
OpenSSL error in mod_ssl.
I do not know if this is the correct place to post this, but the only error message I see is OpenSSL errors in apache's output. here goes...
[Fri Apr 27 18:06:19 2001] [error] mod_ssl: SSL handshake failed (server www.hidden.com:443, client hidden) (OpenSSL library error follows)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607C084:digital envelope routines:func(124) :reason(132)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:0607B086:digital envelope routines:func(123) :reason(134)
[Fri Apr 27 18:06:19 2001] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details of a re-created server certificate?]
I just built the server with both 9.6 and 9.6a with the same results. Here is what ver of apache It is running w/ mods
Apache/1.3.19 (Unix) AuthPG/1.2 PHP/4.0.4pl1 mod_ssl/2.8.2 OpenSSL/0.9.6
thank you
Jason
Re: Ocotillo PRNG
A related question: if I have a hardware random number generator and I use it instead of /dev/urandom, is it likely to improve performance at all? how much will it help?
thanks,
vijo.
On Fri, 27 Apr 2001, you wrote:
> On Fri, Apr 27, 2001 at 11:33:25AM -0700, Crosland, Jerel (Contract) wrote:
> > I'd like to use the Ocotillo (http://ocotillo.sourceforge.net) PRNG with OpenSSL, but it is failing when I do the make test in the randtest module. Ocotillo creates a named pipe at /dev/urandom but if OpenSSL is treating it like a character device it may not work correctly.
> OpenSSL will only open() and read() from the file. Please run trace/strace/tusc/truss or whatever the system call tracer is called on your platform and see, whether the open() or the read() call fails and with which error. This already should give you a hint. As far as I have seen from the open() man-page, using a named pipe for this purpose is not very robust (it will fail for non-blocking behaviour: you cannot open a pipe for writing without a reading process, HP-UX 10.20) and I am not sure how this setup should work with several processes trying to read entropy at the same time.
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
--
vijo