unknown error message

2001-10-26 Thread Bruenner, Joerg

Hi,

the openssl ca command led to the following result:

wrong number of fields on line 1 (looking for field 6, got 1, '' left)

What does it like to tell me??? Which fields of what are meant?

Thanks a lot for help
Joerg

PS: 
the config file is the standard one only root keys and certificates 
were replaced

the complete commands:

$ openssl req -new -out RegistryReq.pem -config ./openssl.cnf -key 
  RegistryKey.pem
Using configuration from ./openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:aa
State or Province Name (full name) [Some-State]:a
Locality Name (eg, city) []:a
Organization Name (eg, company) [Internet Widgits Pty Ltd]:a
Organizational Unit Name (eg, section) []:a
Common Name (eg, YOUR name) []:a
Email Address []:a

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:a
string is too short, it needs to be at least 4 bytes long
A challenge password []:
An optional company name []:aa
$ openssl ca -in RegistryReq.pem -config openssl.cnf -out RegistryCert.pem
Using configuration from openssl.cnf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
$
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
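
The error text above has the shape of the message OpenSSL's text-database reader prints when a line of the CA database file (the file named by `database` in the CA section of openssl.cnf, usually index.txt) does not split into six tab-separated fields; an empty line counts as one field. The checker below is an added example, not part of the original post and not OpenSSL code; the sample database lines are constructed, and backslash-escaped tabs inside fields are not handled.

```python
import re

# Field order in one line of the `openssl ca` database (index.txt).
FIELD_NAMES = ("status", "expiry", "revocation", "serial", "filename", "subject")
DATE_RE = re.compile(r"^\d{12}(\d{2})?Z$")   # YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")


def check_index(text):
    """Return [(line_number, problem), ...] for the contents of index.txt."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != len(FIELD_NAMES):
            # An empty line splits into one empty field: "got 1, want 6".
            problems.append((lineno, "wrong field count: got %d, want %d"
                             % (len(fields), len(FIELD_NAMES))))
            continue
        status, expiry, revocation, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):          # valid, revoked, expired
            problems.append((lineno, "unknown status %r" % status))
        if not DATE_RE.match(expiry):
            problems.append((lineno, "bad expiry date %r" % expiry))
        if status == "R":
            if not revocation:
                problems.append((lineno, "revoked entry without revocation date"))
            elif not DATE_RE.match(revocation.split(",", 1)[0]):
                # The revocation field may carry ",reason" after the date.
                problems.append((lineno, "bad revocation date %r" % revocation))
        elif revocation:
            problems.append((lineno, "revocation date on non-revoked entry"))
        if not SERIAL_RE.match(serial):
            problems.append((lineno, "serial is not hex: %r" % serial))
        if not subject:
            problems.append((lineno, "empty subject"))
    return problems


# Constructed sample databases (not taken from the poster's system).
GOOD = ("V\t021026120000Z\t\t01\tunknown\t/C=aa/ST=a/L=a/O=a/OU=a/CN=a/Email=a\n"
        "R\t021026120000Z\t011026130000Z\t02\tunknown\t/C=aa/CN=b\n")
BLANK_FIRST_LINE = "\n" + GOOD              # a stray newline before the entries
SPACES_NOT_TABS = GOOD.replace("\t", " ")   # fields separated by spaces
REVOKED_NO_DATE = "R\t021026120000Z\t\t02\tunknown\t/CN=b\n"

if __name__ == "__main__":
    for name in ("GOOD", "BLANK_FIRST_LINE", "SPACES_NOT_TABS", "REVOKED_NO_DATE"):
        print(name, check_index(globals()[name]))
```

A database with no certificates issued yet is a zero-byte file, which passes this check.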



hello

2001-10-26 Thread koji



Hello.
I want to know how to install OpenSSL with Borland C++ Builder 5.0!!
Where can I get the information about them??
Thanks...


SSLeay and OpenSSL relationship

2001-10-26 Thread Zoltan Glozik

Hi,

I would like to know what the current relationship between OpenSSL and
SSLeay is.
As I understand OpenSSL was based on SSLeay. What happened to SSLeay when
the OpenSSL project has started? Has it been being developed separately
since then? Or is the development of SSLeay frozen and OpenSSL exists
instead?

What version of SSLeay is OpenSSL based on?

Thanks for all information,
Zoltan






Re: creating request and certificate in utf8 format

2001-10-26 Thread Dr S N Henson

Kikuyo Nagamatsu wrote:
> 
> Hi, all
> 
> I need some advices.
> I tried to creating request (and certificate) in UTF8 format.
> Openssl can make UTF8 certificate from UTF8 request.
> 
> I input DN UTF8 characters like this.
> iconv -f eucJP -t UTF-8 kanji_dat.euc > kanji_dat.utf8
> cat kanji_dat.utf8 | ../openssl req -new -key kanji.pem.key -out kanji.req -config openssl.conf
> 
> What I did were..
> 
> ---
> (1) specify "string_mask = utf8only" in [req] section and
> create certificate in UTF8 string.Then the certificate that I got was
> ASN.1 type was UTF8 ,
> but code was not UTF8String.
> 
> 
>subject=/C=JP/O=X/L=\xC3\xA3\xC2\x83\xC2\xA1\xC3\xA3\xC2\x83\xC2\xA9\xC3\xA3\xC2\x83\xC2\xB3\xC3\xA3\xC2\x82\xC2\xB8/CN=\xC3\xA6\xC2\xBC\xC2\xA2\xC3\xA5\xC2\xAD\xC2\[EMAIL PROTECTED]
>   171:d=5  hl=2 l=   3 prim: OBJECT:organizationName
>   176:d=5  hl=2 l=  16 prim: UTF8STRING
>   194:d=3  hl=2 l=  33 cons: SET
>   196:d=4  hl=2 l=  31 cons: SEQUENCE
>   198:d=5  hl=2 l=   3 prim: OBJECT:localityName
>   203:d=5  hl=2 l=  24 prim: UTF8STRING
>   229:d=3  hl=2 l=  23 cons: SET
> 
> (2) So I modified "req.c" file as following.
> 
> 1124c1124,1125
> <   if (!X509_NAME_add_entry_by_txt(subj,type, MBSTRING_ASC,
> ---
> >   //if (!X509_NAME_add_entry_by_txt(subj,type, MBSTRING_ASC,
> >   if (!X509_NAME_add_entry_by_txt(subj,type, MBSTRING_UTF8,
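Review bot: The new call at line 1125 passes MBSTRING_UTF8 unconditionally, so every subject value read through this path is now interpreted as UTF-8 whatever the user supplied; make the string type a variable set from a command line or config option and keep MBSTRING_ASC as the default. The old call left behind as a `//` comment at line 1124 should be deleted rather than commented out, since `//` is not a C89 comment and the diff already records the previous line.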
> 1189c1190,1191
> <   if (!X509_NAME_add_entry_by_NID(n,nid, MBSTRING_ASC,
> ---
> >   //if (!X509_NAME_add_entry_by_NID(n,nid, MBSTRING_ASC,
> > if (!X509_NAME_add_entry_by_NID(n,nid, MBSTRING_UTF8,
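Review bot: The replacement line at 1191 is indented differently from the commented-out line above it and from the call it replaces, which will not match the surrounding block in req.c; align it with the original. This X509_NAME_add_entry_by_NID call and the X509_NAME_add_entry_by_txt call in the previous hunk should also take the string type from one shared variable, so the two input paths cannot end up using different encodings.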
> 
> And then what I can get is both of ASN.1 type and code is UTF.
> 
>subject=/C=JP/O=X/L=\xE3\x83\xA1\xE3\x83\xA9\xE3\x83\xB3\xE3\x82\xB8/CN=\xE6\xBC\xA2\xE5\xAD\x97CN/Email=yyy@x.co.jp
>   168:d=4  hl=2 l=  23 cons: SEQUENCE
>   170:d=5  hl=2 l=   3 prim: OBJECT:organizationName
>   175:d=5  hl=2 l=  16 prim: UTF8STRING
>   193:d=3  hl=2 l=  21 cons: SET
>   195:d=4  hl=2 l=  19 cons: SEQUENCE
>   197:d=5  hl=2 l=   3 prim: OBJECT:localityName
>   202:d=5  hl=2 l=  12 prim: UTF8STRING
> 
> Although the modification is so forced, but if I specify "string_mask = utf8only"
> in [req] section, I can get UTF8 certificate, and if I specify "string_mask = nmbstr"
> I can get ascii certificate.
> Because X509_NAME_ENTRY_ser_data() (crypt/x509/x509name.c) check the conf and
> then write ASN.1 format.
> 
> ---
> I don't believe this is a correct way to do this.
> Please advise me, and tell me the better way.
> 

Currently you'd need to modify the source, as you've done above, because
it always uses MBSTRING_ASC in req. There should really be a command
line and config file option to do this, I'll look into adding that for
OpenSSL 0.9.7.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: creating request and certificate in utf8 format

2001-10-26 Thread Dr S N Henson

Kikuyo Nagamatsu wrote:
> 
> Hi, all
> 
> I need some advices.
> I tried to creating request (and certificate) in UTF8 format.
> Openssl can make UTF8 certificate from UTF8 request.
> 

I've added a -utf8 command line option and a utf8 config file option to
the req command in OpenSSL 0.9.7-dev . It will appear in OpenSSL 0.9.7,
please check out the next snapshot and let me know of any problems.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
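
The two `subject=` lines quoted in the first message of this thread differ in a recognisable way: the 24-byte localityName is the 12-byte one encoded to UTF-8 a second time, which is what results when input that is already UTF-8 is read as one character per byte. The following is an added example, not code from the thread or from OpenSSL; the function names are made up for this illustration, and `read_one_byte_per_char` is only a model of the behaviour seen in the post.

```python
import re

# localityName values copied from the two subject= lines in the post,
# still in openssl's \xHH one-line escape form.
BEFORE_PATCH = (r"\xC3\xA3\xC2\x83\xC2\xA1\xC3\xA3\xC2\x83\xC2\xA9"
                r"\xC3\xA3\xC2\x83\xC2\xB3\xC3\xA3\xC2\x82\xC2\xB8")
AFTER_PATCH = r"\xE3\x83\xA1\xE3\x83\xA9\xE3\x83\xB3\xE3\x82\xB8"


def unescape_oneline(value):
    """Turn \\xHH escapes from a one-line subject into the raw bytes."""
    return re.sub(rb"\\x([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  value.encode("ascii"))


def read_one_byte_per_char(raw):
    """Model: treat each input byte as one character, then emit UTF-8."""
    return raw.decode("latin-1").encode("utf-8")


def is_double_encoded(content):
    """True if content is valid UTF-8 whose characters are themselves the
    bytes of a valid, non-ASCII UTF-8 string."""
    if not any(b >= 0x80 for b in content):
        return False                      # pure ASCII is unaffected
    try:
        inner = content.decode("utf-8").encode("latin-1")
        inner.decode("utf-8")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return False
    return True


def repair(content):
    """Undo one extra round of UTF-8 encoding."""
    if not is_double_encoded(content):
        return content
    return content.decode("utf-8").encode("latin-1")


if __name__ == "__main__":
    before = unescape_oneline(BEFORE_PATCH)
    after = unescape_oneline(AFTER_PATCH)
    print(len(before), len(after))            # lengths match l=24 and l=12
    print(read_one_byte_per_char(after) == before)
    print(is_double_encoded(before), is_double_encoded(after))
    print(repair(before).decode("utf-8"))
```

The same check can be run over subject fields of already issued certificates to find names that were stored with the extra encoding round.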




RE: SSLeay and OpenSSL relationship

2001-10-26 Thread Chad Johnson

If I have all my information correct (I found it on sourceforge.net)
about SSLeay, support / development stopped quite a while ago.  But I
think that SSLeay v 1.3 was the last to work with openSSL.  You should
double check though.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Zoltan Glozik
Sent: Friday, October 26, 2001 7:08 AM
To: [EMAIL PROTECTED]
Subject: SSLeay and OpenSSL relationship


Hi,

I would like to know what the current relationship between OpenSSL and
SSLeay is. As I understand OpenSSL was based on SSLeay. What happened to
SSLeay when the OpenSSL project has started? Has it been being developed
separately since then? Or is the development of SSLeay frozen and
OpenSSL exists instead?

What version of SSLeay is OpenSSL based on?

Thanks for all information,
Zoltan






NO_MD5 Compilation oddity

2001-10-26 Thread Jenkins, Nick (CAP, CARD)

Good Day,

My name is Nick Jenkins.  I am setting up an Apache + mod_ssl + OpenSSL
(AMO, heretofore) configuration for internal testing purposes here at GE.
In general, I think this solution is great, and that although it is a shame
that SSL was necessarily 'chucked' from Apache due to the NSA, that this
more modular solution is better, anyway.  Thanks to those of you who
maintain this.

Now then, I am trying to get AMO configured to provide only legal,
non-patented, and Secure SSL.  Thus, I have configured the ./config command
as follows:
sh config --openssldir=/usr/local/openssl \
no-threads shared no-idea no-rc2 no-rc4 no-rc5 \
no-md4 no-md5 -DSSL_FORBID_ENULL -DSSL_ALLOW_ADH

The reason that I am excluding MD5 is that according to RSA, it is based
upon MD4, that has been completely cracked, and that some follow-on work was
performed on MD5 that might make it (somewhat) insecure, as well.  (This is,
of course, my paraphrase of what they said.)  Whether MD5 is, in fact,
insecure is not important.  What IS important, for the sake of this
discussion is that I don't trust it, and want it disabled.

So, I specified the "no-md5" option, and after lots of compiling, the
openSSL make failed at s3_srvr.c.  When I investigated, I found that in
ssl/ssl.h, it says:
#if (defined(NO_RSA) || defined(NO_MD5)) && !defined(NO_SSL2)
#define NO_SSL2
#endif

So, I naturally am not surprised that I get no SSL2 by disabling MD5.  What
did surprise me, though, is that s3_srvr.c requires "#include
", which has in it:
#ifdef NO_MD5
#error MD5 is disabled.
#endif

Since I haven't bothered to read the SSL spec (big surprise, eh?), I would
have thought it possible to build an SSL server that only used SHA1 and/or
MDC2, but not necessarily MD5.  However, it would appear that at least in
the current revision of the software, MD5 is a pre-requisite for building
SSL2 or SSL3 or TLS1 support.

Since MD5 seems to be required, I have enabled it in my current compile.  I
just wanted to point this out, in case this had slipped through the cracks.
Also, this begs the question, "why have a 'NO_MD5' compilation option if it
is required for compilation?"

I have not joined this mailing list, as I really don't anticipate posting
another note here, and I already get enough mail, so if you have any
responses, please copy me at:
[EMAIL PROTECTED]

Thanks,
-NICK



OID's and X509V3 extensions in config file

2001-10-26 Thread klaus . biedka

Hello fellows,

At first, my true compliments for our work with OpenSSL. I was trying to
fit openssl-0.9.6 on my S.U.S.E. Linux 7.0 and it works! With the openssl
req and ca applications I can get certification requests and sign it with
rather extensions as described in openssl.cnf examples.

However I didn't succeed in including and signing attributes and my own
OID's. The req man pages explain that openssl passes the attributes in
requests without signing. Unfortunately I am not so deep confirm with
X509V3 standards and don't know is that a bug or an intention. Maybe in
X509V3 is no more place for X509 attributes instead of several X509V3
extensions?

In case of OID openssl ca traces the OID-section and their settings in the
config file very well but assigning any value to the oid variable in the
extension section raises an error. What happens? Browsing the source codes
I found that the error occurs in v3_lib.c in the function
X509V3_EXT_get_nid: OBJ_bsearch seems to return NULL and ext_list is NULL.
On the other side I can't find out, where add_oid_section meets ext_list
for setting. Questions over questions...

Here my config file fragments:

oid_section = new_oids

[ new_oids ]
TestOID  = 2.5.4.12

[ CA ]
...
x509_extensions = Usr   # The extensions to add to the cert


[ Usr ]
basicConstraints= CA:FALSE
keyUsage= nonRepudiation, digitalSignature, keyEncipherment
nsComment   = "User Certificate"
subjectKeyIdentifier= hash
authorityKeyIdentifier  = keyid,issuer:always
TestOID = Test


In hope for a friendly answer and with best regards

Klaus
  




Re: SSLeay and OpenSSL relationship

2001-10-26 Thread Rich Salz

The folks who developed SSLeay went on to other things.

A new group of core developers have taken it over.  For a variety of
reasons, including avoiding confusion with the original folks' work, the
project is now called OpenSSL.

SSLeay has been abandoned.  The code, however, lives on as the base for
openssl.

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Problems with pop3s on Outlook Express

2001-10-26 Thread Corin Hartland-Swann


Hi there,

I have been trying to set up pop3s access using UW-IMAP. I am using
Mandrake Linux 8.1, with UW-IMAP and OpenSSL installed as RPMs, so I don't
think that there are any compilation problems.

I hope that it is acceptable to post this to both the OpenSSL and the
UW-IMAP mailing lists, as I'm not sure where the problem lies. I have
already searched the archives for both lists to no avail.

I have followed instructions from various sources and done the following:

1) Created a new CA, and exported the certificate as DER:

# openssl req -new -x509 -config openssl.conf -keyout private/ca-key.pem \
  -out certs/ca-cert.pem -days 365

# openssl x509 -in certs/ca-cert.pem -out certs/ca-cert.der -outform der

2) Imported the CA certificate into Explorer on Windows 2000, checked that
it is listed and that the SHA1 thumbprint matches, and that it is enabled
for Secure E-Mail.

3) Imported the CA certificate into Explorer on MacOS 9.1, and checked
that it is listed. In this case, even after several attempts, the
"fingerprint" listed by Explorer does not match any of the MD2, MD5, SHA1
or MDC2 fingerprints. I don't understand this, but am fairly sure that
no-one is intercepting and replacing the key in transit. explorer
produces the same fingerprint each time, so it doesn't look like it has
been corrupted either. Eventually I decided to just add the certificate
and see what happened.

3) Set up Outlook Express on both Windows 2000 and MacOS 9.1 to use
pop.commerce.uk.net, and configured it to use SSL on port 995.

4) Created a new key, and sign it with the CA with the common name
'pop.commerce.uk.net':

# openssl req -new -nodes -config openssl.conf -days 365 -keyout \
  pop-key.pem -out pop-req.pem
# openssl ca  -config openssl.conf -policy policy_anything -in pop-req.pem \
  -out pop-cert.pem

5) Concatenated pop-key.pem and pop-cert.pem into ipop3sd.pem (removing
the text version), placing them on the POP server in /usr/lib/ssl/certs/,
and created a link to it with the name of the hash:

# cd /usr/lib/ssl/certs/
# ln -s ipop3sd.pem `openssl x509 -noout -hash < ipop3sd.pem `.0
# ls -l
lrwxrwxrwx1 root root   11 Oct 26 13:27 a37eafc7.0 -> ipop3sd.pem
-rw---1 root root 2376 Oct 26 02:01 ipop3sd.pem

6) Tested the setup with (long response indented):

# openssl s_client -connect pop.commerce.uk.net:pop3s
> CONNECTED(0003)
> depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test
> SSL Certificate/CN=localhost
>i:/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> Division/CN=Advanced Extranet [EMAIL PROTECTED]

The Apache binary I'm using is from an RPM based on the Apache Advanced
Extranet Server project - I'm not sure what this is doing here. I can't
find a certificate for AAES anywhere, and certainly not in
/usr/lib/ssl/certs/

> Server certificate
> -BEGIN CERTIFICATE-
> MIICujCCAiMCAQEwDQYJKoZIhvcNAQEEBQAwgbsxCzAJBgNVBAYTAkNBMQswCQYD



> 4DHr8RxsPMpJktVBLB4HadC13ykLMVDMgJ88W39E
> -END CERTIFICATE-
> subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> Division/CN=Advanced Extranet [EMAIL PROTECTED]
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 856 bytes and written 320 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol  : TLSv1
> Cipher: DES-CBC3-SHA
> Session-ID:
> 6A6D0C3C40E1D4921514C5DB2EF475DD6454B84F7300980D53373906B3236C7C
> Session-ID-ctx:
> Master-Key:
> 
>D467F520688186F34EF6984439B9FE3D01F2F23FEB6A4E721C2F33692CC39F864C2BA86C0AC5E0A343879B63ADB274E2
> Key-Arg   : None
> Start Time: 1004105856
> Timeout   : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> +OK POP3 v2000.70mdk server ready <[EMAIL PROTECTED]>

So it appears to be finding the certificate, but doesn't seem to know
which CA authorised it.

When I try the Outlook setup, I get a message saying "The server you are
connected to is using a security certificate that does not match its
Internet address". When I googled for this message I found numerous people
saying that this is because the common name on the certificate does not
match the host name specifie

hello

2001-10-26 Thread carmark




Re: Problems with pop3s on Outlook Express

2001-10-26 Thread Gregory Stark

As can be seen from your post, the certificate being sent does NOT have
pop.commerce.uk.net as the common name (CN) of the Subject: the CN is
'localhost'.

It appears to be some kind of canned test certificate and private key, but
I'm not familiar enough with UW-IMAP to know if it comes with such a beast.
Maybe you concatenated the wrong files?

==
Greg Stark
[EMAIL PROTECTED]
==


- Original Message -
From: "Corin Hartland-Swann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, October 26, 2001 11:00 AM
Subject: Problems with pop3s on Outlook Express


>
> Hi there,
>
> I have been trying to set up pop3s access using UW-IMAP. I am using
> Mandrake Linux 8.1, with UW-IMAP and OpenSSL installed as RPMs, so I don't
> think that there are any compilation problems.
>
> I hope that it is acceptable to post this to both the OpenSSL and the
> UW-IMAP mailing lists, as I'm not sure where the problem lies. I have
> already searched the archives for both lists to no avail.
>
> I have followed instructions from various sources and done the following:
>
> 1) Created a new CA, and exported the certificate as DER:
>
> # openssl req -new -x509 -config openssl.conf -keyout private/ca-key.pem \
>   -out certs/ca-cert.pem -days 365
>
> # openssl x509 -in certs/ca-cert.pem -out certs/ca-cert.der -outform der
>
> 2) Imported the CA certificate into Explorer on Windows 2000, checked that
> it is listed and that the SHA1 thumbprint matches, and that it is enabled
> for Secure E-Mail.
>
> 3) Imported the CA certificate into Explorer on MacOS 9.1, and checked
> that it is listed. In this case, even after several attempts, the
> "fingerprint" listed by Explorer does not match any of the MD2, MD5, SHA1
> or MDC2 fingerprints. I don't understand this, but am fairly sure that
> no-one is intercepting and replacing the key in transit. explorer
> produces the same fingerprint each time, so it doesn't look like it has
> been corrupted either. Eventually I decided to just add the certificate
> and see what happened.
>
> 3) Set up Outlook Express on both Windows 2000 and MacOS 9.1 to use
> pop.commerce.uk.net, and configured it to use SSL on port 995.
>
> 4) Created a new key, and sign it with the CA with the common name
> 'pop.commerce.uk.net':
>
> # openssl req -new -nodes -config openssl.conf -days 365 -keyout \
>   pop-key.pem -out pop-req.pem
> # openssl ca  -config openssl.conf -policy policy_anything -in pop-req.pem \
>   -out pop-cert.pem
>
> 5) Concatenated pop-key.pem and pop-cert.pem into ipop3sd.pem (removing
> the text version), placing them on the POP server in /usr/lib/ssl/certs/,
> and created a link to it with the name of the hash:
>
> # cd /usr/lib/ssl/certs/
> # ln -s ipop3sd.pem `openssl x509 -noout -hash < ipop3sd.pem `.0
> # ls -l
> lrwxrwxrwx1 root root   11 Oct 26 13:27 a37eafc7.0 -> ipop3sd.pem
> -rw---1 root root 2376 Oct 26 02:01 ipop3sd.pem
>
> 6) Tested the setup with (long response indented):
>
> # openssl s_client -connect pop.commerce.uk.net:pop3s
> > CONNECTED(0003)
> > depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test
> > SSL Certificate/CN=localhost
> >i:/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> > Division/CN=Advanced Extranet [EMAIL PROTECTED]
>
> The Apache binary I'm using is from an RPM based on the Apache Advanced
> Extranet Server project - I'm not sure what this is doing here. I can't
> find a certificate for AAES anywhere, and certainly not in
> /usr/lib/ssl/certs/
>
> > Server certificate
> > -BEGIN CERTIFICATE-
> > MIICujCCAiMCAQEwDQYJKoZIhvcNAQEEBQAwgbsxCzAJBgNVBAYTAkNBMQswCQYD
>
> 
>
> > 4DHr8RxsPMpJktVBLB4HadC13ykLMVDMgJ88W39E
> > -END CERTIFICATE-
> > subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> > Division/CN=Advanced Extranet [EMAIL PROTECTED]
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 856 bytes and written 320 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> > Server public key is 1024 bit
> > SSL-Session:
> > Protocol  : TLSv1
> > Cipher: DES-CBC3-SHA
> > Session-ID:
> 

interface for passing OAEP padding parameter

2001-10-26 Thread Vadim Fedukovich

Dear openssl team,

what is the best way to specify OAEP parameter for RSA operations?
Currently, RSA_eay_public_encrypt() and RSA_eay_private_decrypt()
will always pass NULL to RSA_padding_add_PKCS1_OAEP() and
RSA_padding_check_PKCS1_OAEP() respectively.

thank you,
Vadim



Re: Problems with pop3s on Outlook Express

2001-10-26 Thread Corin Hartland-Swann


Hi Gregory,

On Fri, 26 Oct 2001, Gregory Stark wrote:
> As can be seen from your post, the certificate being sent does NOT have
> pop.commerce.uk.net as the common name (CN) of the Subject: the CN is
> 'localhost'.
>
> It appears to be some kind of canned test certificate and private key, but
> I'm not familiar enough with UW-IMAP to know if it comes with such a beast.
> Maybe you concatenated the wrong files?

Thanks - I'm a newcomer to setting up SSL, and I didn't know what to look
for in the s_client output.

It turns out that there were existing pop3s and imaps certificates
installed along with UW-IMAP in the RPM, made out to localhost. This is
somewhat braindead.

What was even more braindead was that the location of the certificates had
been changed from /usr/lib/ssl/certs to /usr/share/ssl/certs without
updating the documentation.

I've replaced the 'localhost' certificates with mine, and it now works
fine on Windows 2000, and almost works with MacOS.

When you hit "Send & Receive Mail" on MacOS it prompts you for a password.
I found a reference to this at http://ist.uwaterloo.ca/security/IST-CA/

 "IE5/Mac problems: Internet Explorer v5 for the Mac/Apple has several
  notable bugs -- it does not import our certificate properly (for reasons
  which escape us it wants to save it with a password which means every
  time you use it you need to recall that password). You should use
  Netscape on the Mac/Apple platform if you access secure pages protected
  by our certificate. 16-Feb-2001."

I have successfully set it up with an empty password, and you just have to
hit "OK" and it picks up the e-mail, but it's really annoying for our
users. Does anyone know of any way to disable this?

Could it be related in any way to this problem:

> > 3) Imported the CA certificate into Explorer on MacOS 9.1, and checked
> > that it is listed. In this case, even after several attempts, the
> > "fingerprint" listed by Explorer does not match any of the MD2, MD5, SHA1
> > or MDC2 fingerprints. I don't understand this, but am fairly sure that
> > no-one is intercepting and replacing the key in transit. explorer
> > produces the same fingerprint each time, so it doesn't look like it has
> > been corrupted either. Eventually I decided to just add the certificate
> > and see what happened.

And have you got any idea what this might be? Are there any other
fingerprint types?

Many Thanks,

Corin

/+-\
| Corin Hartland-Swann   |Tel: +44 (0) 20 7491 2000|
| Commerce Internet Ltd  |Fax: +44 (0) 20 7491 2010|
| 22 Cavendish Buildings | Mobile: +44 (0) 79 5854 0027|
| Gilbert Street | |
| Mayfair|Web: http://www.commerce.uk.net/ |
| London W1K 5HJ | E-Mail: [EMAIL PROTECTED]|
\+-/
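
The diagnosis in this thread came from reading the `subject=` line and the verify results in the `s_client` transcript. The script below is an added example, not part of the thread: it pulls those values out of a transcript and compares the subject CN with the host the client was told to use. The transcript is an excerpt of the output posted above with mail line-wrapping undone, the function names are made up for this illustration, and only the old `/K=V/K=V` subject format and an exact CN match are handled.

```python
import re

# Excerpt of the s_client output from the post (line wraps rejoined).
TRANSCRIPT = """\
CONNECTED(0003)
depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web Division/CN=Advanced Extranet [EMAIL PROTECTED]
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""


def parse_dn(oneline):
    """Split an old-style '/K=V/K=V' one-line DN into (key, value) pairs."""
    pairs = []
    # Split only on a '/' that starts a new 'KEY=' so values may contain '/'.
    for part in re.split(r"/(?=[A-Za-z0-9.]+=)", oneline):
        if "=" in part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def inspect_s_client(output, expected_host):
    """Summarise the served certificate's CN and the verify results."""
    subject = ""
    for line in output.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):]
    cns = [value for key, value in parse_dn(subject) if key == "CN"]
    cn = cns[-1] if cns else None
    code = re.search(r"^\s*Verify return code: (\d+)", output, re.M)
    return {
        "subject_cn": cn,
        "name_matches": cn is not None and cn.lower() == expected_host.lower(),
        "verify_errors": [int(n) for n in
                          re.findall(r"^verify error:num=(\d+):", output, re.M)],
        "verify_return_code": int(code.group(1)) if code else None,
    }


if __name__ == "__main__":
    report = inspect_s_client(TRANSCRIPT, "pop.commerce.uk.net")
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```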





make test failed (long)

2001-10-26 Thread Michael T. Babcock

I've never had a problem compiling the last 4 versions of openssl, but I 
just tried to compile openssl-0.9.6b with gcc 3.0.1 on glibc 2.1.3 and 
I've had a test failure (resulting in a segfault).  The same tree builds 
fine with egcs 2.91.66 with "-mpentium" and gcc 3.0.1 without "-m" 
anything.  If this is a compiler bug, I'll report it to GNU, but I 
thought I should post it here first.

Many details:

../apps/openssl verify -CApath ../certs ../certs/*.pem
make[1]: *** [test_verify] Segmentation fault (core dumped)
make[1]: Leaving directory `/usr/src/Security/openssl-0.9.6b/test'
make: *** [tests] Error 2

I compiled with "-march=athlon -mcpu=athlon" instead of "-m486" 
(replaced in the main Makefile).

The backtrace is (terribly useful):
#0  0x7f840fc0 in ?? ()
#1  0x80ac062 in sk_find ()
#2  0x8510c483 in ?? ()

An strace shows that this happened right after:

personality(PER_LINUX)  = 0
getpid()= 20813
SYS_174(0xd, 0xbfffeba4, 0xbfffeb18, 0x8, 0xd) = 0
getpid()= 20813
brk(0)  = 0x813cb24
brk(0x813cb9c)  = 0x813cb9c
[...]
brk(0x8145000)  = 0x8145000
open("/usr/local/ssl/openssl.cnf", O_RDONLY) = 3
recvmsg(3, Segmentation fault (core dumped)

ltrace is a bit more useful:

fprintf(0x40114960, "%s: ", "../certs/ICE-CA.pem") = 21
malloc(96)= 0x08145ef0
memset(0x08145ef0, '\000', 96)= 0x08145ef0
malloc(20)= 0x08145f58
malloc(16)= 0x08145f70
bsearch(0x080cfb55, 0x8510c483, 0x28244489, 4, 0x7f840fc0 

-- 
Michael T. Babcock
CTO, FibreSpeed Ltd.





OpenSSL On Tandem Guardian

2001-10-26 Thread Saju Paul

Need to build the OpenSSL libraries libssl.a & libcrypto.a on a Tandem
Guardian platform.  Trouble is it's an environment without the MAKE
utility.  Using simple Compile & Bind Macros (shell-scripts in unix-speak) I
have managed to compile (source list from Makefile.ssl) and build libssl.a.
My next task is to compile and build libcrypto.a; would like to know if there
are any compile time DEFINES I have not included.  How does one go about
building the ssl & crypto libraries on non-unix, non-pc, non-vms type
platforms? Thanks...




Link problems on Solaris, solution

2001-10-26 Thread Daniel Morrison


Hello,

My experience, just FYI:

The openssl-0.9.6b configure script fails to detect the combination of gcc
and Solaris ld on Solaris 8, for compiling shared libraries, at least for me.

I have Solaris 7 and 8 systems, with both Sun Workshop and gcc (2.95.2)
compilers installed.  The Configure script automatically detected gcc,
which is fine with me:

./config --prefix=/usr shared
Operating system: sun4u-whatever-solaris2
Configuring for solaris-sparcv9-gcc

However, we don't have the GNU binutils installed; instead, gcc uses the
Solaris assembler and linker.

The first round of compiling ended in tragedy as the Solaris linker
rejected most of the options passed to it from gcc.  I edited the file
'Configure', and changed line 143 to have 'solaris-shared' instead of
'gnu-shared'.  Here's the new line:

"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

Actually, I started again from scratch with just this one change, just to
keep things clean.  After reconfiguring and recompiling, everything seems
good.  I ran 'make test' at the end, and I don't think anything failed -
the final output was:

OpenSSL 0.9.6b 9 Jul 2001
built on: Fri Oct 26 13:15:46 EDT 2001
platform: solaris-sparcv9-gcc
options:  bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM

I'm sure there is a better way to do this, but this worked for me.  I did
basically the same thing for the solaris-sparcv8-gcc target (on line 142)
which I used for our non-ultra systems.

Thanks, (no reply necessary)

-D.

Daniel Morrison \   Senior Unix Systems Administrator
[EMAIL PROTECTED]  \Dept. of Electrical and Computer Engineering
 /   Concordia University, Montreal




command line certificates with Crypto++ private keys?

2001-10-26 Thread rwh722

Hi,

I'm somewhat new to openssl so please bear with my 
newbie questions.  I'm interested in using the openssl 
command-line utility to generate certificates, and 
certificate requests.  I'd like to use private keys 
exported from the Crypto++ v4.1 library, and I'm
wondering if anyone has successfully done this before.  
I've tried with both the RSAES_PKCS1v15_Decryptor and 
RSAES_OAEP_SHA_Decryptor objects from
Crypto++ with no luck - these parse errors result:

Using configuration from /usr/local/ssl/openssl.cnf
unable to load Private key
32312:error:0D080071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer:a_int.c:258:
32312:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
32312:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
error in req


Does anyone know a way around this?

Thanks,
Rob Haynes

P.S. - please cc: all replies as I don't belong to
this list




Memory leak issues in OPEN SSL 0.9.6a

2001-10-26 Thread Areg_Alimian

I was wondering if this is a known issue with this particular release of
OPEN SSL Crypto library.  The dll I ran BoundsChecker against is Lib32eay.dll,
and the reported memory leak indicates 16 bytes of allocated memory through
Crypto_malloc function in \crypto\mem.c.  This function gets called ~2500 in a
single client/server mutual authentication session using X.509 certs, with
a total memory leak of ~50k.

Thank you!

Areg A.




Newsletter Vol. 10, No. 3

2001-10-26 Thread WorldBeat News

World Beat News 10/26/01: 

- EMI Music Distribution is gearing up for a full slate of DVD-Audio
titles! The first three titles in the series are slated for release in
December: "Al Green -- Greatest Hits"; "Leon Russell -- Retrospective"
and "Eric Johnson -- Ah Via Musicom." In the months that follow,
other key catalog titles will also be released in the DVD format.

"The superior sound quality of DVD-Audio gives music fans an outstanding
music experience," said Jay Samit, senior vice president of New Media for
EMI Recorded Music.
http://www.emigroup.com


 - The Jazzconnect.com 2nd Annual Jazz Competition is in full swing!
The first Internet jazz competition, where the voting is done online by
jazz fans, began in October and runs till the end of December.
To date, the competition has 40 contestants from 11 different countries
competing on-line to win a grand prize worth over $5000. Each week, new
contestants are added to the "stage".   Contestants are invited to enter
but must have their applications in by December 1st.
http://www.jazzconnect.com/competition


 - Quincy Jones bristles at accusations he sold out when he moved from
jazz to pop music. "People young and old try to minimize you by saying,
'Well, Quincy's strongest suit is that he's got a strong telephone
book,'" said Jones, who in a half-century career has played, arranged
and produced music with some of pop's biggest names.

But he has paid his dues as a jazz trumpeter and a music arranger. "Seven
hundred miles a night for years. Traveling on that band bus. Seventy gigs in
just the Carolinas ... and get stranded with a big band in Europe, and some
sucker is gonna come talk to me about sellin' out. Please!" Jones relates some 
of that history in the new book "Q: The Autobiography of Quincy Jones," 
now available at www.amazon.com


 - Benefit concerts raise millions for victims of terrorist attacks
Organizers of the last weekend's three all-star benefit concerts said
they hope to raise 17 million for the victims of the Sept. 11 terrorist
attacks.

Already, the Concert for New York at Madison Square Garden, which featured
Paul McCartney, the Who, Billy Joel and Elton John among others, raised at
least $14 million in ticket sales. Tickets for the event ranged from $200 to
$5,000. The United We Stand concert in Washington, where the Pentagon was
attacked, raised about $3 million from ticket sales. Tickets for that event, which
featured Michael Jackson, Mariah Carey, Sean "P. Diddy" Combs, the
Backstreet Boys and 'N Sync, were priced from $25 to $75.

Ticket sales figures were unavailable Monday for the Nashville charity
concert, which featured Martina McBride, Tim McGraw, Trisha Yearwood and
others. Prices for that concert ranged from $25 to $1,000. The Washington
benefit concert will be aired Nov. 1 on ABC, and a phone number will
also be displayed to raise additional funds.




Test cipher?

2001-10-26 Thread Len

Does any openssl or any other ssl lib support a "test" cipher that does
not encrypt the data and just passes it clear text?  I'm trying to debug
an application and still want to see the handshake but not really
encrypt just to verify the software layers above are really passing
the correct data.

Thanks!

len




Re: Test cipher?

2001-10-26 Thread Dr S N Henson

Len wrote:
> 
> Does any openssl or any other ssl lib support a "test" cipher that does
> not encrypt the data and just passes it clear text?  I'm trying to debug
> an application and still want to see the handshake but not really
> encrypt just to verify the software layers above are really passing
> the correct data.
> 

There are two cipher suites that don't encrypt data, they just
authenticate it. They are not enabled by default but can be enabled
using the "eNULL" cipher string. For more info see the 'ciphers' manual
page.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
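
The check a defender would run against this, as an added example that is not part of the original thread: the first function parses `openssl ciphers -v` style output and returns the suites with Enc=None, the second reports whether a configured cipher string can select them. The listing is constructed sample data and the function names are hypothetical; the keyword handling follows the 'ciphers' manual page and ignores '-' removals, so it errs towards flagging.

```python
import re

# Constructed sample in the layout printed by `openssl ciphers -v`.
SAMPLE_LISTING = """\
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
"""

# Keywords that select the NULL-encryption suites in a cipher string.
NULL_KEYWORDS = {"eNULL", "NULL", "COMPLEMENTOFALL"}


def parse_listing(text):
    """Turn each listing line into a dict: name, protocol, Kx, Au, Enc, Mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        attrs = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append({"name": parts[0], "protocol": parts[1], **attrs})
    return suites


def null_encryption_suites(text):
    """Names of suites that still carry a MAC but send the payload in clear."""
    return [s["name"] for s in parse_listing(text)
            if s.get("Enc", "").lower() == "none"]


def string_enables_null(cipher_string):
    """True if an OpenSSL cipher string can select NULL-encryption suites."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    # "!" deletes permanently, so a later eNULL cannot bring the suites back.
    if any(t.startswith("!") and t[1:] in NULL_KEYWORDS for t in tokens):
        return False
    for t in tokens:
        if t[0] in "!-+":      # delete, remove or reorder: adds nothing
            continue
        if t.startswith("NULL-") or NULL_KEYWORDS & set(t.split("+")):
            return True
    return False
```
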




RE: Test cipher?

2001-10-26 Thread Himanshu Soni

Hi

I haven't tried this myself and it's just a wild guess, but if you look at
the engine api, you might be able to plug in your own dummy Encrypt/Decrypt
functions into OpenSSL engine in crypto/engine/engine_openssl.c and see if
it gets you what you want.

Thanx

Himanshu Soni


-Original Message-
From: Len [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 26, 2001 4:45 PM
To: [EMAIL PROTECTED]
Subject: Test cipher?


Does any openssl or any other ssl lib support a "test" cipher that does
not encrypt the data and just passes it clear text?  I'm trying to debug
an application and still want to see the handshake but not really
encrypt just to verify the software layers above are really passing
the correct data.

Thanks!

len




Re: command line certificates with Crypto++ private keys?

2001-10-26 Thread Dr S N Henson

Assuming it's a binary file try:

openssl pkcs8 -in key.bin -inform DER -nocrypt
openssl pkcs8 -in key.bin -inform DER

if neither works see what:

openssl asn1parse -inform DER -in key.bin

produces on a test key (i.e. not anything important).

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
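
The asn1parse step suggested above comes down to looking at the outer DER structure. This added example (not from the thread) classifies a key blob as PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo and unwraps the latter. It assumes the Crypto++ export is a PKCS#8 wrapper, which is what the pkcs8 commands above test for; the sample keys are constructed toy values and the function names are hypothetical.

```python
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04

def read_tlv(buf, pos, limit):
    """Parse one DER element; return (tag, value_start, value_end)."""
    if pos + 2 > limit:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                    # short-form length
        length = first
    else:                               # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("DER value overruns its container")
    return tag, pos, pos + length

def children(der):
    """Return [(tag, value_bytes)] for the members of the outer SEQUENCE."""
    tag, pos, end = read_tlv(der, 0, len(der))
    if tag != SEQUENCE:
        raise ValueError("outer element is not a SEQUENCE")
    out = []
    while pos < end:
        t, start, stop = read_tlv(der, pos, end)
        out.append((t, der[start:stop]))
        pos = stop
    return out

def classify_private_key(der):
    tags = [t for t, _ in children(der)]
    if tags[:2] == [INTEGER, INTEGER]:            # version, modulus, ...
        return "PKCS#1 RSAPrivateKey"
    # A PKCS#1 parser fed this shape finds a SEQUENCE where it wants an INTEGER.
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING]:
        return "PKCS#8 PrivateKeyInfo"
    if tags == [SEQUENCE, OCTET_STRING]:
        return "PKCS#8 EncryptedPrivateKeyInfo"
    return "unrecognised"

def unwrap_pkcs8(der):
    if classify_private_key(der) != "PKCS#8 PrivateKeyInfo":
        raise ValueError("not an unencrypted PKCS#8 key")
    return children(der)[2][1]          # contents of the OCTET STRING

# Constructed samples: toy numbers, not a usable key (assumed shapes).
def tlv(tag, body):                     # bodies here stay under 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def der_int(v):
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))

SAMPLE_PKCS1 = tlv(SEQUENCE, b"".join(map(der_int, (0, 3233, 17, 2753, 61, 53, 53, 49, 38))))
RSA_ALGID = tlv(SEQUENCE, bytes.fromhex("06092a864886f70d0101010500"))
SAMPLE_PKCS8 = tlv(SEQUENCE, der_int(0) + RSA_ALGID + tlv(OCTET_STRING, SAMPLE_PKCS1))
```

On the sample data the PKCS#8 blob is reported as such and unwrapping it yields the PKCS#1 structure that the failing d2i_RSAPrivateKey call expects.
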





Re: Memory leak issues in OPEN SSL 0.9.6a

2001-10-26 Thread Dr S N Henson

[EMAIL PROTECTED] wrote:
> 
> I was wondering if this is a known issue with this particular release of
> OPEN SSL Crypto library.  The dll I ran BoundsChecker against is Lib32eay.dll,
> and the reported memory leak indicates 16 bytes of allocated memory through
> Crypto_malloc function in \crypto\mem.c.  This function gets called ~2500 in a
> single client/server mutual authentication session using X.509 certs, with
> a total memory leak of ~50k.
> 

There are no known cumulative memory leaks in OpenSSL: that is leaks
that can increase in size. A few fixed length leaks can occur when some
static tables are allocated but most of those have been eliminated in
newer versions of OpenSSL.

The function Crypto_malloc() is what OpenSSL uses for memory
allocation. So saying there's a leak in something which calls
Crypto_malloc() is equivalent to saying that there's a leak in something
which calls malloc(): i.e. not very helpful :-)

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




SSL_connect() blocks

2001-10-26 Thread Ludovic Courtès

Hi,

I am new to OpenSSL and I am currently trying to use it to make a simple sort of
`rexec' program. I first started with the examples taken from
http://www.rtfm.com/openssl-examples .

Actually, the problem I am facing is that my program (which is almost the same
as the one above) just hangs when calling SSL_connect() (SSL_connect() doesn't
perform the connection and just doesn't return). When I interrupt the program,
sshd says:
sshd[199302]: Did not receive identification string from xxx.xxx.xxx.xxx.
(I am using OpenSSH).

Also, I do not manage to load my OpenSSH private key using
SSL_CTX_use_[RSA]PrivateKey_file(), which are not documented, at least not in
the man pages available on openssl.org.

I guess one might need some further details to really help me, but that's pretty
much all I can tell. :)

Ludovic.



Re: SSL_connect() blocks

2001-10-26 Thread Eric Rescorla

Ludovic Courtès <[EMAIL PROTECTED]> writes:
> I am new to OpenSSL and I am currently trying to use it to make a simple sort of
> `rexec' program. I first started with the examples taken from
> http://www.rtfm.com/openssl-examples .
> 
> Actually, the problem I am facing is that my program (which is almost the same
> as the one above) just hangs when calling SSL_connect() (SSL_connect() doesn't
> perform the connection and just doesn't return). When I interrupt the program,
> sshd says:
> sshd[199302]: Did not receive identification string from xxx.xxx.xxx.xxx.
> (i am using OpenSSH).
This is pretty confusing. Are you trying to connect to an OpenSSH
server with SSL? That won't work.

> Also, I do not manage to load my OpenSSH private key using
> SSL_CTX_use_[RSA]PrivateKey_file(), which are not documented, at least not in
> the man pages available on openssl.org.
There's no real reason to expect this to work. OpenSSH uses a different
keyfile format from OpenSSL.

-Ekr







Re: SSL_connect() blocks

2001-10-26 Thread Ludovic Courtès

> This is pretty confusing. Are you trying to connect to an OpenSSH
> server with SSL? That won't work.

Ok. I am getting a bit confused with secure protocols, and I guess I didn't get
it at all... ;)

> There's no real reason to expect this to work. OpenSSH uses a different
> keyfile format from OpenSSL.
 
I thought both of them could use DSA and RSA keys, am I wrong? So, what would be
the best solution to connect to an ssh server?

Sorry for my misunderstanding of the problem. ;)

Ludovic.



Re: creating request and certificate in utf8 format

2001-10-26 Thread Kikuyo Nagamatsu

Dr S N Henson wrote:
>Kikuyo Nagamatsu wrote:
>> 
>> Hi, all
>> 
>> I need some advices.
>> I tried to creating request (and certificate) in UTF8 format.
>> Openssl can make UTF8 certificate from UTF8 request.
>> 
>
>I've added a -utf8 command line option and a utf8 config file option to
>the req command in OpenSSL 0.9.7-dev . It will appear in OpenSSL 0.9.7,
>please check out the next snapshot and let me know of any problems.
>
>Steve.

Thanks a lot!
I'm sure to get and check.

But actually I have one more favor..if it's possible.
Openssl CA application cannot handle UTF8 request.

1) It was working like this :

The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'JP'
stateOrProvinceName   :ASN.1 12:'
The string contains characters that are illegal for the ASN.1 type

2) So I modified 'apps/ca.c' as follows:

1575a1576,1577
>   else if (str->type == V_ASN1_UTF8STRING)
>   BIO_printf(bio_err,"UTF8STRING:'");
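Review bot: the sample output under 3) shows "ASN.1 :'" after the type label on every line, the PRINTABLE one included, which suggests the branch added at 1576 may not be sitting inside the existing if/else chain ahead of the fallback label. If that output is real rather than mail damage, check that the new "else if (str->type == V_ASN1_UTF8STRING)" lands before the final fallback print so that exactly one label is emitted per field.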
1588c1590,1591
<(str->type != V_ASN1_T61STRING)) ||
---
>//  (str->type != V_ASN1_T61STRING)) ||
>(str->type != V_ASN1_T61STRING) &&  (str->type != 
>V_ASN1_UTF8STRING)) ||
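Review bot: adding "(str->type != V_ASN1_UTF8STRING)" to the condition at 1590 appears to exempt UTF8STRING values from the check that produced "The string contains characters that are illegal for the ASN.1 type" under 1), so the ca application would then pass any byte sequence in those fields through to signing. Rather than skipping the check for this type, validate that the value is well-formed UTF-8 before accepting it. The old line is also left behind as a "//" comment, which is not valid C89; delete it instead.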
1602c1605,1606
<   BIO_printf(bio_err,"\\0x%02X",*p);
---
> //BIO_printf(bio_err,"\\0x%02X",*p);
>   BIO_printf(bio_err,"\\0x%02X",(*p & 0x00ff));
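Review bot: the mask "(*p & 0x00ff)" at 1606 corrects the printed value for bytes above 0x7F but only at this one call; casting to unsigned char, or making p an unsigned char pointer, states the intent and covers any other use of *p in the loop. The old BIO_printf is left as a "//" comment and should be deleted rather than commented out.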

3) And then it's working:

The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'ASN.1 :'JP'
stateOrProvinceName   :UTF8STRING:'ASN.1 :'\0xE7\0xA5\0x9E\0xE5\0xA5\0x88\0xE5\0xB7\0x9D'
localityName  :UTF8STRING:'ASN.1 :'\0xE5\0xB9\0xB3\0xE5\0xA1\0x9A'
organizationName  :UTF8STRING:'ASN.1 :'\0xE3\0x83\0xA1\0xE3\0x83\0xA9\0xE3\0x83\0xB3\0xE3\0x82\0xB8'
organizationalUnitName:UTF8STRING:'ASN.1 :'xxx'
commonName:UTF8STRING:'ASN.1 :'z'


As you know, I should have modified ASN1_PRINTABLE_type() in crypto/asn1/a_print.c.
But I haven't. It returns T61STRING type and I use this.

Thanks for your help, 
Kikuyo



Re: SSL_connect() blocks

2001-10-26 Thread Eric Rescorla

Ludovic Courtès <[EMAIL PROTECTED]> writes:

> > This is pretty confusing. Are you trying to connect to an OpenSSH
> > server with SSL? That won't work.
> 
> Ok. I am getting a bit confused with secure protocols, and i guess i didn't get
> it at all... ;)
It's a little confusing because OpenSSH uses OpenSSL as its crypto
engine. :)

> > There's no real reason to expect this to work. OpenSSH uses a different
> > keyfile format from OpenSSL.
>  
> I thought both of them could use DSA and RSA keys, am I wrong?
Yes, they both do, but the formats aren't exactly interchangeable.
The keys are basically big numbers and the OpenSSH and OpenSSL
encoding formats aren't the same.

> So, what would be
> the best solution to connect to an ssh server?
Use OpenSSH.

-Ekr