Re: HOWTO...

2001-11-02 Thread Dr S N Henson

> Franck Martin wrote:
> 
> I have just written a little HOWTO, to be able to handle certificates.
> I'm happy to receive comments and suggestions to improve it.
> 

An alternative location for the OpenSSL configuration file can be
specified using the environment variable OPENSSL_CONF.

The command to set up a new CA is CA.pl -newca.

You should not use the root CA certificate in the server and you should
not remove the protection on its private key.

Instead you should create a separate request and certificate for the
server, signed by the root CA.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: porting openssl to linux kernel

2001-11-02 Thread John . Airey

Even if it were viable to put openssl in the kernel, I personally think that
this would create more problems than it solves. For instance, any bug in the
openssl code could potentially crash the kernel, rather than simply
segfaulting. (I'm typing this in vmware, which has its own kernel modules
and it has taken out my Linux machine several times).

Also, do you really want to reboot or recompile your kernel for every
upgrade to openssl? I've got some machines that have been running for over a
year, so I don't see any benefit there.

As machines are getting faster and faster all the time, the length of time
required for a context switch is also becoming shorter and shorter. If
that's the only reason to do it, it's really not worth it, IMNSHO.

Now if the linux kernel had accessibility built in, eg keyboard control of
voice synthesisers like a dectalk, that would be useful.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

>-Original Message-
>From: Rich Salz [mailto:[EMAIL PROTECTED]]
>Sent: 01 November 2001 01:01
>To: Imran Badr
>Cc: [EMAIL PROTECTED]
>Subject: Re: porting openssl to linux kernel
>
>
>So far the complication has not proven to be worth it to anyone to
>implement.
>
>Go for it.
>   /r$
>-- 
>Zolera Systems, Securing web services (XML, SOAP, Signatures,
>Encryption)
>http://www.zolera.com




Re: HOWTO...

2001-11-02 Thread Franck Martin



I agree with you. I will make the modification. Yes, the CA root certificate should be protected.

However, if I use a certificate signed by the root CA, and I connect to the webserver, how do I install the root CA inside the browser without creating too much of a problem for the user, so that the certificate trust tree can be established? Can I use a script to inform the user to download the root CA? Any ideas on these questions?

Cheers
Franck

On 02 Nov 2001 12:27:25 +, Dr S N Henson wrote:
> > Franck Martin wrote:
> > 
> > I have just written a little HOWTO, to be able to handle certificates.
> > I'm happy to receive comments and suggestions to improve it.
> > 
> 
> An alternative location for the OpenSSL configuration file can be
> specified using the environment variable OPENSSL_CONF.
> 
> The command to set up a new CA is CA.pl -newca.
> 
> You should not use the root CA certificate in the server and you should
> not remove the protection on its private key.
> 
> Instead you should create a separate request and certificate for the
> server, signed by the root CA.
> 
> Steve.





Re: SSL_read() and select() problem.

2001-11-02 Thread Venugopal Panchamukhi


Hi,
   I've modified the client code in such a way that reading
and writing is done in a single thread. But my basic problem was not cleared.
When I'm calling select() it is returning the read condition after which
the read_SSL() method is returning value 0. When I tried to find out the
error using SSL_get_error() it is giving me SSL_ERROR_SYSCALL. The man
pages have given that "EOF has occurred and it is a violation of the protocol."
   Any help on this is greatly appreciated.
   The snippet of the code where I'm using select() and SSL_read()
is as follows:
void receive_thread(void *arg)
{
    fds *conns;
    int server_fd;
    int HTTPSClient_fd;
    SMSCenter *smsc = NULL;
    conns = ((fds *)arg);
    server_fd = http_socket_fd(conns->server);
    HTTPSClient_fd = conns->HTTPSClient_fd;
    smsc = (SMSCenter *)conns->smsc;
    while(1)
    {
        int rc = 0;
        fd_set rf, wf;
        HTTPSocket *client;
        struct timeval tv;
        FD_ZERO(&wf);
        FD_ZERO(&rf);
        FD_SET(server_fd, &rf);
        FD_SET(HTTPSClient_fd, &rf);
        FD_SET(HTTPSClient_fd, &wf);
        tv.tv_sec = 0;
        tv.tv_usec = 1000;
        rc = select(FD_SETSIZE, &rf, &wf, NULL, &tv);
        if(rc < 0)
        {
            if(errno == EINTR || errno == EAGAIN)
                continue;
            error(errno, "select(2) failed");
        }
        else if(rc > 0 && FD_ISSET(server_fd, &rf))
        {
            client = http_server_accept_client(conns->server);
            if(client != NULL)
            {
                jobqueue_add_job(serve_client, client);
            }
        }
        mutex_lock(request_Mutex);
        if(rc > 0
           && FD_ISSET(HTTPSClient_fd, &wf)
           && (emptyList(request_list) != TRUE) )
        {
            mutex_unlock(request_Mutex);
            http_post_ssl((void *)smsc);
        }
        mutex_unlock(request_Mutex);
        if(rc > 0 && FD_ISSET(HTTPSClient_fd, &rf))
        {
            read_responces((void *)smsc);
        }
    }
}

void read_responces(void *arg)
{
    int l=0;
    SSL *ssl;
    char buf[4096];
    int SSL_error;
    char *request;
    SMSCenter *smsc = (SMSCenter *)arg;
    int read_blocked = 0;
    memset(buf, 0, 4096);
    ssl = get_session(conn);

readrepeat:
    debug("test",0,"Thread read_responces started...");
    read_blocked = 0;
    do
    {
        l = 0;
        l = SSL_read(ssl, buf, 4096);
        if(  l < 0)
        {
            switch(SSL_get_error(ssl, l))
            {
                case SSL_ERROR_WANT_READ:
                    error(0, "SSL_ERROR_WANT_READ in SSL_read() < 0");
                    read_blocked = 1;
                    break;
                case SSL_ERROR_WANT_WRITE:
                    error(0, "SSL_ERROR_WANT_WRITE in SSL_read() < 0");
                    read_blocked = 1;
                    break;
                default:
                    error(0, "default: ERROR in reading in ssl");
            };
        }
        else if(l == 0)
        {
            int ret = 0;
            int wait = 0;
            read_blocked = 1;
            debug("smsc_http", 0, "No data to read");
            switch(SSL_get_error(ssl, l))
            {
                case SSL_ERROR_WANT_READ:
                    read_blocked = 1;
                    error(0, "SSL_ERROR_WANT_READ in SSL_read()");
                    break;
                case SSL_ERROR_WANT_WRITE:
                    read_blocked = 1;
                    error(0, "SSL_ERROR_WANT_WRITE in SSL_read()");
                    break;
                case SSL_ERROR_ZERO_RETURN:
                    error(0, "SSL_ERROR_ZERO_RETURN in SSL_read()");
                    break;
                case SSL_ERROR_NONE:
                    error(0, "SSL_ERROR_NONE in SSL_read()");
                    break;
                case SSL_ERROR_WANT_CONNECT:
                    error(0, "SSL_ERROR_WANT_CONNECT in SSL_read()");
                    break;
                case SSL_ERROR_WANT_X509_LOOKUP:
                    error(0, "SSL_ERROR_WANT_X509_LOOKUP in SSL_read()");
                    break;
                case SSL_ERROR_SYSCALL:
                    error(0, "

build on HP9000/800

2001-11-02 Thread Michael Stach

Hi,

I have trouble building openssl-0.9.6b on a HP A400 9000/800 with
HP-UX 11i. The library builds without any warnings or errors but
the "make test" does not run.

"config -t" prints

--
Operating system: 9000/800-hp-hpux11
Configuring for hpux-parisc-gcc
/usr/local/bin/perl ./Configure hpux-parisc-gcc -D_REENTRANT
--

but "make test" fails. "make report" prints 

OpenSSL self-test report:
 
--
OpenSSL version:  0.9.6b
Last change:  Change ssleay_rand_bytes (crypto/rand/md_rand.c)...
Options:  -D_REENTRANT
OS (uname):   HP-UX A400 B.11.11 U 9000/800 unknown
OS (config):  9000/800-hp-hpux11
Target (default): hpux-parisc-gcc
Target:   hpux-parisc-gcc
Compiler: Configured with: ../gcc/configure
--prefix=/usr/local/pa20_64 --enable-languages=c,c++
--host=hppa64-hp-hpux11.00 --target=hppa64-hp-hpux11.00
--with-ld=/usr/ccs/bin/ld --with-gnu-as --enable-libstdcxx-v3
Thread model: single
gcc version 3.0
 
Failure!
[...]
--

and in testlog

--
testing...
./destest
*** Termination signal 138
 
Stop.
*** Error exit code 1
 
Stop.
--

If I run "Configure gcc" the test prints

--
OpenSSL self-test report:
 
OpenSSL version:  0.9.6b
Last change:  Change ssleay_rand_bytes (crypto/rand/md_rand.c)...
OS (uname):   HP-UX A400 B.11.11 U 9000/800 unknown
OS (config):  9000/800-hp-hpux11
Target (default): hpux-parisc-gcc
Target:   gcc
Compiler: Configured with: ../gcc/configure
--prefix=/usr/local/pa20_64 --enable-languages=c,c++
--host=hppa64-hp-hpux11.00 --target=hppa64-hp-hpux11.00
--with-ld=/usr/ccs/bin/ld --with-gnu-as --enable-libstdcxx-v3
Thread model: single
gcc version 3.0
 
Failure!
[...]

--


and the failing test was bntest

--
starting big number library test, could take a while...
test BN_add
test BN_sub
test BN_lshift1
test BN_lshift (fixed)
test BN_lshift
test BN_rshift1
test BN_rshift
test BN_sqr
Square test failed!
*** Error exit code 1
--

If anybody knows what I have to configure to make it work, please write.


Michael




Re: SSL_read() and select() problem.

2001-11-02 Thread Eric Rescorla

Venugopal Panchamukhi <[EMAIL PROTECTED]> writes:
> I've modified the client code in such a way that reading and writing
> is done in a single thread. But my basic problem was not cleared. When
> I'm calling select() it is returning the read condition after which the
> read_SSL() method is returning value 0. When I tried to find out the
> error using SSL_get_error() it is giving me SSL_ERROR_SYSCALL. The man
> pages have given that "EOF has occurred and it is a violation of the
> protocol."
> Any help on this is greatly appreciated.

Is this happening at the end of the connection or in the middle?
If at the end, that's pretty normal and you've probably just got
a noncompliant server which doesn't send a close_notify.

If in the middle something else is wrong. Do you have an ssldump
of the connection?

-Ekr



Follow-up

2001-11-02 Thread George Staikos


Thanks to everyone for pointing me to PEM_X509_INFO_read

However I've noticed a very strange problem.  If I call:

ASN1_d2i_fp(X509_new, d2i_X509, fp, NULL);

before I call PEM_X509_INFO_read(fp, NULL, myPemCallback, NULL), and the 
ASN1_d2i_fp call fails, the PEM_X509_INFO_read call _always_ fails too.  I 
can't explain this at all.  These are on different fp so that's not the 
problem.  It's as though there's some static data or perhaps a spinlock 
blocking the second call.  I haven't tried debugging OpenSSL yet.  It could 
very well be that I'm calling something incorrectly... I don't see it though.

I am calling this from C++ so I have to do lots of casting to get the 
function pointers to be accepted in the first call, but I'm not sure that has 
anything to do with it.

-- 

George Staikos




RE: Problem with installing Crypt::SSLeay

2001-11-02 Thread Feng, James

Josh,

Thanks. After I installed gcc3, I have successfully installed SSLeay.
Thanks again. 

> -Original Message-
> From: Joshua Chamas [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 01, 2001 1:57 PM
> To: Feng, James
> Cc: [EMAIL PROTECTED]; Keary Suska
> Subject: Re: Problem with installing Crypt::SSLeay
> 
> 
> "Feng, James" wrote:
> > 
> > I cannot find such a file, libgcc_s.so.1, in my Solaris 8 box. I only
> > found libgcc.a. Does it mean I need to reinstall or compile gcc on my
> > box? Your help is deeply appreciated.
> > 
> 
> I don't know, but I would certainly try to fix your compiler 
> installation if that file isn't there.  This file seems
> to be referenced on this page:
> 
>   http://www.sunfreeware.com/programlistintel8.html
> 
> included in this libgcc-3.0-sol8-intel-local.gz package.
> 
> --Josh
> 



License Question

2001-11-02 Thread Steven A. Bade


The last paragraph of the license says:

 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]


Could someone on this list explain what this is intending. For example
if one were to put out a product which uses openSSL, and that product's
license was a private license.  Would one be precluded from providing
service and support for openSSL under such a license...



-- 
Steven A. Bade
UNIX Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799

--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want"

this mess is so big and so bad and so tall, 
we cannot clean it up, there is no way at all  
(Cat in the Hat)





Re: SSL_read() and select() problem.

2001-11-02 Thread Venugopal Panchamukhi


It's coming from the beginning. Right now I don't have the ssl_dump but
shall send it to you once I get that.

Thanks,
Venu

Eric Rescorla wrote:
> Venugopal Panchamukhi <[EMAIL PROTECTED]> writes:
> > I've modified the client code in such a way that reading and writing
> > is done in a single thread. But my basic problem was not cleared. When
> > I'm calling select() it is returning the read condition after which the
> > read_SSL() method is returning value 0. When I tried to find out the
> > error using SSL_get_error() it is giving me SSL_ERROR_SYSCALL. The man
> > pages have given that "EOF has occurred and it is a violation of the
> > protocol."
> > Any help on this is greatly appreciated.
> Is this happening at the end of the connection or in the middle.
> If at the end, that's pretty normal and you've probably just got
> a noncompliant server which doesn't send a close_notify.
>
> If in the middle something else is wrong. Do you have an ssldump
> of the connection?
>
> -Ekr

-- 
Venugopal Panchamukhi
Mobile# +358-(0)9-4110 1675
E-Mail: [EMAIL PROTECTED]
    [EMAIL PROTECTED]
 


Re: License Question

2001-11-02 Thread Rich Salz

That part of the license doesn't actually add anything that wasn't
already there under standard copyright terms.  That part of the license
is from the days when the codebase was SSLeay, the product of Eric and
Tim.  Years ago.  At the time, it was not uncommon for someone to "rip
off" open source code and replace it with a "similar" copyright.

We've all become smarter and more law-abiding, so this is less of a
concern.  But it's the original license for some openssl code, so the
openssl folks can't change it.

Fundamentally, as long as you provide appropriate credit, you can do
what you want.
/r$

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Mac OSX Server 10.1 (Darwin)

2001-11-02 Thread Dale Schell

Hi all,
I am compiling libcurl for php on Mac OSX Server 10.1. I need 
libcurl to support ssl. When I try to ./config for openssl 9.6b I get 
this message.

Operating system: Power Macintosh-whatever-Darwin
This system (Darwin) is not supported. See file INSTALL for details.

Is there something I can change that will allow it to work with 10.1?

Thanks for any help,
Dale Schell
FrontBase, Inc.




Re: HOWTO...

2001-11-02 Thread Michael Sierchio

> Franck Martin wrote:
> 
> I agree with you. I will make the modification. Yes the CA root certificate should
> be protected.

No, you still don't have a clue -- you don't protect a certificate, it's
essentially a public document.  You protect the private key.



Re: porting openssl to linux kernel

2001-11-02 Thread Andreas Sterbenz

Imran Badr wrote:

> I think Eric Rescorla responded to a similar question some time ago that RSA
> operation would be a limiting factor. But if you take that bottleneck away
> then I think putting SSL handshake and record processing layers in kernel
> space would be a next better thing to do because we can see many new
> hardware accelerators out there in the near future market which are 10-20
> times better than what we have today.
> We can have certificate management in the user space for the sake of
> simplicity.
> 
> Any comments ???

"We should forget about small efficiencies, say about 97% of the time: 
premature optimization is the root of all evil."
- Donald Knuth

Andreas.




Shared libs under Linux

2001-11-02 Thread Matthew Fleming

Netmeisters,

I've just had some trouble building shared versions of the ssl libraries
under Linux. I just did

./config shared
make 
make test
make install

Make test reports no errors, but make install finishes with:

installing libcrypto.so
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so: File format not recognized
installing libcrypto.so.0
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so.0: File format not recognized
installing libcrypto.so.0.9.6
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so.0.9.6: File format not recognized
installing libssl.so
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so: File format not recognized
installing libssl.so.0
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so.0: File format not recognized
installing libssl.so.0.9.6
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so.0.9.6: File format not recognized

Any suggestions as to how to fix this would be much appreciated.

--
Matthew Fleming
--
Matthew G. Fleming, MD  e-mail: [EMAIL PROTECTED]
Associate Professor phone : 414.456.4072
Department of Dermatology   s-mail: Dept. of Dermatology
Medical College of WisconsinMedical College of
Wisconsin
MFRC Room 4061
Milwaukee, WI 53226-4810
--



Re: RSA Encrypt / Decrypt Problem

2001-11-02 Thread Steven A. Bade

On Wed, May 30, 2001 at 01:24:06PM -0700, dnewbold wrote:
> I'm pretty new to security, RSA, and OpenSSL.  But I have encountered a
> weird problem that I hope someone on this list
> can explain.  I have a demonstrable, repeatable, situation in which I can
> encrypt a user data buffer with an RSA public key,
> and decrypt it with its "partner" RSA private key, and yet not get the
> result back again.  I thought that the RSA algorithm was
> supposed to work correctly on ANY user data, which it evidently does not.
> And I know that the RSA key pair is correct
> because:
> 
>  1. They are generated by the libeay Eric A. Young crypto library
> RSA_generate_key routine
>  2. When applied to a different user data buffer, they work fine.
> 
> Although it's fairly small, I didn't want to attach the code, data, etc. to
> an email message that would go out to who knows
> how many recipients.  However, if you would like to look at the problem, you
> can find code and data at:
> 
>  http://rtsse.hispeed.com

Sounds like you have the problem of the Message text being greater than the
modulus.  The PKCS#1 specified padding prevents this from happening, but if
you are doing a RAW RSA encrypt/decrypt then you have to check the values.
> 
> Click on the "RSA Enc/Dec Problem" link
> 
> I suggest you unzip it into a separate folder.  There is a small readme file
> included.  It should work out of the box if you have
> installed and built openssl-engine-0.9.6a on an NT system.  On other
> versions of openssl, or on other systems, you may need to
> hack it a bit, but even that should (probably) take you no more than 5
> minutes.
> 
> On the other hand, if you already know all about this problem, and can give
> me some advice as to what constitutes acceptable /
> unacceptable input data for RSA public encryption and RSA private decryption,
> I would very much appreciate that also.  I am not
> a member of the openssl-users mailing list, so if you could direct your
> responses to:[EMAIL PROTECTED], I'd appreciate it.  Thanks.
> 
> [EMAIL PROTECTED]
> 

-- 
Steven A. Bade
AIX E-Commerce/Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799

--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want"
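
The failure described in the reply above, as an added example (not code from the original posts or from OpenSSL): raw RSA on a constructed toy key round-trips a buffer whose integer value is below the modulus and silently returns a different buffer when it is not, while a PKCS#1 v1.5 block always starts with a zero byte and so stays below the modulus. The key, the sample buffers and all function names are assumptions made for illustration.

```python
"""Added illustration: raw RSA vs. the modulus bound, on a constructed toy key."""
import secrets

# Constructed toy key built from two Mersenne primes (far too small for real use).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                              # modulus, 150 bits
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19)

# Constructed sample buffers, both exactly K bytes long.
SMALL = b"\x00" + b"\xff" * (K - 1)    # integer value below N
LARGE = b"\xff" * K                    # integer value at or above N


def fits_modulus(block: bytes) -> bool:
    """The check a raw-RSA caller has to make: the integer must be < N."""
    return int.from_bytes(block, "big") < N


def raw_encrypt(block: bytes) -> int:
    """Raw RSA: treat the buffer as a big-endian integer, no padding."""
    return pow(int.from_bytes(block, "big"), E, N)


def raw_decrypt(cipher: int, length: int) -> bytes:
    """Raw RSA private operation, result re-encoded to `length` bytes."""
    return pow(cipher, D, N).to_bytes(length, "big")


def raw_roundtrip(block: bytes) -> bytes:
    """Encrypt then decrypt without padding; equals `block` only if it fits."""
    return raw_decrypt(raw_encrypt(block), len(block))


def pkcs1_v15_pad(data: bytes) -> bytes:
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero random bytes> 00 <data>."""
    if len(data) > K - 11:
        raise ValueError("data too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(data)))
    return b"\x00\x02" + ps + b"\x00" + data


def pkcs1_v15_unpad(block: bytes) -> bytes:
    """Strip the padding; the separator is the first zero byte after 00 02."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = block.index(b"\x00", 2)
    if sep < 10:                       # fewer than 8 padding bytes
        raise ValueError("bad padding")
    return block[sep + 1:]


def padded_roundtrip(data: bytes) -> bytes:
    """Pad, encrypt, decrypt, unpad; the leading 00 keeps the block below N."""
    block = pkcs1_v15_pad(data)
    if not fits_modulus(block):
        raise ValueError("padded block does not fit the modulus")
    return pkcs1_v15_unpad(raw_decrypt(raw_encrypt(block), K))


if __name__ == "__main__":
    for name, buf in (("SMALL", SMALL), ("LARGE", LARGE)):
        ok = raw_roundtrip(buf) == buf
        print(f"{name}: fits modulus={fits_modulus(buf)} round-trips={ok}")
    print("padded:", padded_roundtrip(b"secret"))
```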





RE: Anyone using A Chrysalis Luna CA3 box?

2001-11-02 Thread Ryan Hurst

I briefly tried using the Eracom patch that was submitted with a LunaCA but
was un-successful. I did not spend any time diagnosing but the framework was
good enough to make it work it would just take some time which I did not
have.

Ryan

-Original Message-
From: Steven A. Bade [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 08, 2001 11:10 AM
To: [EMAIL PROTECTED]
Subject: Re: Anyone using A Chrysalis Luna CA3 box?

A while back someone from eracom posted that they had been working on such
an animal.   I believe that they are in a holding pattern on making it
available to the community because of business processes (as is my team for
some things we have done that we would like to submit)...
On Fri, Jun 08, 2001 at 10:14:31AM -0500, Gene titus wrote:
> 
> Has anyone tried to make openssl work with a Chrysalis Luna CA3?
> 
> The Chrysalis Luna CA3 is a PKCS11 device that would handle the actual
> signing functions (I think). Has anybody modified openssl to use a PKCS11
> device? We would appreciate any information at all. We're starting from
> scratch here.
> 
> When we get this to work, we'll make our modifications available to anyone
> who wants them.
> 
> Thanks,
> Gene titus
> The University of Texas at Austin 
> 

-- 
Steven A. Bade
AIX E-Commerce/Network Security Cryptographic Strategy and Development
Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799

--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want"





Re: HOWTO...

2001-11-02 Thread Franck Martin



If the private key is given away, then the certificate is useless, and does not protect anything it signs.

As you seem very smart, how do you renew a certificate with openssl when you are a CA?

Cheers.

On 02 Nov 2001 09:33:19 -0800, Michael Sierchio wrote:
> > Franck Martin wrote:
> > 
> > I agree with you. I will make the modification. Yes the CA root certificate should be protected.
> 
> No, you still don't have a clue -- you don't protect a certificate, it's
> essentially a public document.  You protect the private key.




Re: openssl performance

2001-11-02 Thread Geoff Thorpe

On Monday 09 July 2001 13:52, Steven A. Bade wrote:
> OK Stupid question Where can one find SWAMP???

There's a downloadable tarball at;
   http://www.geoffthorpe.net/crypto/

However, expect a heavily revamped version soon ...

Cheers,
Geoff




problem with SSL reconnection

2001-11-02 Thread ganesh kumar godavari


hi everyone,

I am working on an SSL server. Upon getting a request from the client, the server is
successfully serving the request. If I am going to use the same process for serving
another request from the same/different client I get the following error during
SSL_accept():

 10190:error:140D9115:SSL routines:SSL_GET_PREV_SESSION: session id context uninitialized

Since the problem may be caused by SSL_get_session()/SSL_SESSION_free(), I looked in the
SSL_set_session_id_context man page and added the following code:

  int s_server_session_id_context = 1;

  SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                                 sizeof s_server_session_id_context);

On doing the above I am getting the following errors:

 error:0D067007:asn1 encoding routines:ASN1_COLLATE_PRIMITIVE:expecting an asn1 sequence
 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

On Internet Explorer it is popping up a window and asking me for the certificate.
On Netscape I do not get any such problems but I am getting the above error messages.

Can anyone tell me how I can overcome the following problem?

Thanks in advance
ganesh godavari 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



OpenSSL's make scripts + Cygwin's perl = Bad Mojo

2001-11-02 Thread Tofu Dog



This is a cautionary tale.  I'll sum up the moral at the beginning: "Don't try
to compile OpenSSL on Windows from inside the Cygwin shell."

The problem, in a nutshell, is that Cygwin installs a Cygwin-friendly perl
interpreter into cygwin/bin.  The reason this is an issue is that mkdef.pl and
mk1mf.pl try to parse paths with subdirectories.  As anyone who has tried to use
Cygwin knows too well, Cygwin has a constant battle with Windows about whether
directory delimiters are "/" or "\". In this case the loser is the OpenSSL make
system.

ms/do_ms.bat burps out warnings ("cannot parse") about line continuation symbols
and then generates a ntdll.mak file with mangled lines like:

SSL
OBJS= ...

instead of

SSLOBJS=...

and:

$(INCL_D)\cryptlib.h: $(SRC_D)\\cryptlib.h
    $(CP) $(SRC_D)\\cryptlib.h $(INCL_D)\cryptlib.h

instead of

$(INCL_D)\cryptlib.h: $(SRC_D)\crypto\cryptlib.h
    $(CP) $(SRC_D)\crypto\cryptlib.h $(INCL_D)\cryptlib.h

When you try to build with this makefile you get an error that it cannot build
cryptlib.h.

Once I realized the presence of the bogus perl.exe in my path and got the good
one involved all went fine.