Problem parsing CA's private key file generated by CA.pl

2002-03-18 Thread Martin Centner

Hi all!

I've got a problem parsing the CA's private key file generated by the 
utility CA.pl. When CA.pl wants to read the private key of the CA 
(/demoCA/private/cakey.pem) and I enter the _correct_ PEM pass phrase I 
always get the following error:

# /usr/ssl/misc/CA.pl -sign
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase:
unable to load CA private key
21286:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
21286:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
21286:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

The same when I call

# openssl rsa -in demoCA/private/cakey.pem -check
read RSA key
Enter PEM pass phrase:
unable to load key
21298:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
21298:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
21298:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

The private key file was created by CA.pl and I succeeded once in 
creating and signing a certificate with the newly created CA. But the second 
attempt to do so failed with the above error.

Any ideas?

cu
_lot_



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Duplicate Posts

2002-03-18 Thread Aarno Syvänen

Roger F. Borrello, Jr. wrote:
 
 Am I the only one getting 4 or 5 copies of posted messages?

No, I have the same problem.

Aarno



Re: Problem parsing CA's private key file generated by CA.pl

2002-03-18 Thread Gary Chen

Hello Martin Centner,

   Pls run the CA.pl in the path /usr/ssl/ because the path of the ca
   private key is the relative path of /usr/ssl.
   Or, u should modify the openssl.cnf file to change the private key
   path to the absolute path.

Monday, March 18, 2002, 4:29:51 PM, you wrote:

MC Hi all!

MC I've got a problem parsing the CA's private key file generated by the 
MC utility CA.pl. When CA.pl wants to read the private key of the CA 
MC (/demoCA/private/cakey.pem) and I enter the _correct_ PEM pass phrase I 
MC always get the following error:

# /usr/ssl/misc/CA.pl -sign
MC Using configuration from /usr/ssl/openssl.cnf
MC Enter PEM pass phrase:
MC unable to load CA private key
MC 21286:error:0D09D082:asn1 encoding 
MC routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
MC 21286:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 
MC lib:d2i_pr.c:89:
MC 21286:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

MC The same when i call

# openssl rsa -in demoCA/private/cakey.pem -check
MC read RSA key
MC Enter PEM pass phrase:
MC unable to load key
MC 21298:error:0D09D082:asn1 encoding 
MC routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
MC 21298:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 
MC lib:d2i_pr.c:89:
MC 21298:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:

MC The private key file was created by CA.pl and I succeeded once in 
MC creating and signing a certificate with the newly created CA. But the second 
MC attempt to do so failed with the above error.

MC Any ideas?

MC cu
MC _lot_





-- 
Best regards,
Yours, Gary Chen
OICQ: 239696
ICQ UIN: 8444147
E-Mail: [EMAIL PROTECTED]
Homepage: http://www.ipsprite.com




RE: Duplicate Posts

2002-03-18 Thread Emanuel Dejanu

I have the same problem.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Aarno Syvanen
Sent: 18 martie 2002 10:40
To: [EMAIL PROTECTED]
Subject: Re: Duplicate Posts


Roger F. Borrello, Jr. wrote:
 
 Am I the only one getting 4 or 5 copies of posted messages?

No, I have the same problem.

Aarno



Re: Problem parsing CA's private key file generated by CA.pl

2002-03-18 Thread Martin Centner

Gary Chen wrote:
Pls run the CA.pl in the path /usr/ssl/ because the path of the ca
private key is the relative path of /usr/ssl.
Or, u should modify the openssl.cnf file to change the private key
path to the absolute path.

This doesn't seem to be the problem. The path in openssl.cnf is set 
correctly and I just tried to start CA.pl in /usr/ssl/, but the problem 
persists.

thx + cu
_lot_





reg. CA expiry/renewal and effect on Client certs

2002-03-18 Thread Sarath Chandra M

Hi,
We have a CA certificate and Client certificates generated using
openssl. All configurations are default ones. My doubt is if/when the CA
expires and I renew/extend its life, will the Client certificates get
affected in any way? In our case, the Client certificates are stored in
hardware tokens and sent to users. What has to be done to ensure smooth
operations in this case? Any help will be highly appreciated.

regards
Sarath Chandra M




don't find the openssl req -subj option

2002-03-18 Thread Slim CHTOUROU

Hi,
Could anybody tell me how I can find the openssl req -subj option? Which version
should I use to make this option available? I must use it for OpenCA.
Regards



New User

2002-03-18 Thread Oscar Valenzuela


Hi
I have to install openssh and openssl is a prerequisite. I have never dealt with
this package. Is there an SSL for dummies book out there?
Does it run any type of daemons? How do you get started after initial install?




Make failure on Dynix 4.4.4

2002-03-18 Thread jim . a . davidson

Trying to build Openssl-0.9.6b on Dynix 4.4.4 and selected Configure -cc
the make fails as follows:
cc -o openssl -DMONOLITH -I../include -O openssl.o verify.o
asn1pars.o
Undefined               first referenced
 symbol                     in file
__bsd_accept            s_server.o
__bsd_bind              s_server.o
__bsd_connect           s_server.o
__bsd_getpeername       s_server.o
__bsd_getsockname       s_server.o
__bsd_getsockopt        s_server.o
__bsd_listen            s_server.o
__bsd_recvfrom          s_server.o
__bsd_recvmsg           s_server.o
__bsd_sendto            s_server.o
__bsd_sendmsg           s_server.o
__bsd_setsockopt        s_server.o
__bsd_socket            s_server.o
__bsd_socketpair        s_server.o
__bsd_bindresvport      s_server.o
__bsd_rcmd              s_server.o
__bsd_rresvport         s_server.o
__bsd_shutdown          s_server.o
gethostbyaddr           s_socket.o
gethostbyname           s_socket.o
getservbyname           s_socket.o
ld: openssl: fatal error: Symbol referencing errors. No output written to
opensl
*** Error code 1
Make: .  Stop.
*** Error code 1
Make: .  Stop.
   
I would appreciate any advice you can offer.
Thanks.  




RE: Duplicate Posts

2002-03-18 Thread Andrew T. Finnell

See that is quite strange. My assumption is I don't think it has to do
with the Mailing list server itself but rather your Mail Client
applications.  Why not post the clients everyone is using that is
receiving duplicate posts? If they are all the same then it's a safe bet
it's the client. I am subscribed multiple times under different accounts
and have never received duplicate posts and I use Outlook XP.

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Emanuel Dejanu
 Sent: Monday, March 18, 2002 3:54 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Duplicate Posts
 
 
 I have the same problem.
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]]On Behalf Of Aarno Syvanen
 Sent: 18 martie 2002 10:40
 To: [EMAIL PROTECTED]
 Subject: Re: Duplicate Posts
 
 
 Roger F. Borrello, Jr. wrote:
  
  Am I the only one getting 4 or 5 copies of posted messages?
 
 No, I have the same problem.
 
 Aarno 



RE: Duplicate Posts

2002-03-18 Thread jirak




Lotus Notes 4.6.1




Andrew T. Finnell [EMAIL PROTECTED] on 03/18/2002
08:51:20 AM

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Joel Jirak/Lex/Lexmark)
Subject:  RE: Duplicate Posts



See that is quite strange. My assumption is I don't think it has to do
with the Mailing list server itself but rather your Mail Client
applications.  Why not post the client's everyone is using that is
receiving duplicate posts? If they are all the same then it's a safe bet
it's the client. I am subscribed multiple times under different accounts
and have never received duplicate posts and I use Outlook XP.

-
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of Emanuel Dejanu
 Sent: Monday, March 18, 2002 3:54 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Duplicate Posts


 I have the same problem.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Aarno Syvanen
 Sent: 18 martie 2002 10:40
 To: [EMAIL PROTECTED]
 Subject: Re: Duplicate Posts


 Roger F. Borrello, Jr. wrote:
 
  Am I the only one getting 4 or 5 copies of posted messages?

 No, I have the same problem.

 Aarno



RE: Duplicate Posts

2002-03-18 Thread Emanuel Dejanu

Microsoft Outlook 2000 / Windows 2000

Emanuel

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Andrew T. Finnell
Sent: 18 martie 2002 15:51
To: [EMAIL PROTECTED]
Subject: RE: Duplicate Posts


See that is quite strange. My assumption is I don't think it has to do
with the Mailing list server itself but rather your Mail Client
applications.  Why not post the client's everyone is using that is
receiving duplicate posts? If they are all the same then it's a safe bet
it's the client. I am subscribed multiple times under different accounts
and have never received duplicate posts and I use Outlook XP.

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Emanuel Dejanu
 Sent: Monday, March 18, 2002 3:54 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Duplicate Posts
 
 
 I have the same problem.
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]]On Behalf Of Aarno Syvanen
 Sent: 18 martie 2002 10:40
 To: [EMAIL PROTECTED]
 Subject: Re: Duplicate Posts
 
 
 Roger F. Borrello, Jr. wrote:
  
  Am I the only one getting 4 or 5 copies of posted messages?
 
 No, I have the same problem.
 
 Aarno 



Re: Duplicate Posts

2002-03-18 Thread Ales Privetivy

Hello,

 looking thru mail envelopes it seems to me that host 

mmx.engelschall.com

sends the same message more than one time.

Ales Privetivy

Two sample mail headers:

--

From [EMAIL PROTECTED]  Mon Mar 18 15:02:28 2002
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [212.71.128.53])
by artax.karlin.mff.cuni.cz (Postfix) with ESMTP id 989E640A5
for [EMAIL PROTECTED]; Mon, 18 Mar 2002 15:02:28
+0100 (CET)
Received: from mmx.engelschall.com (mmx.engelschall.com [195.27.130.252])
by jabberwock.ucw.cz (Postfix) with ESMTP id 39D0EB923
for [EMAIL PROTECTED]; Mon, 18 Mar 2002 15:02:25 +0100 (CET)
Received: by mmx.engelschall.com (Postfix/smtpfeed 1.16)
id 57F961950B; Mon, 18 Mar 2002 10:13:13 +0100 (CET)
Received: from opensource.ee.ethz.ch (opensource-01.ee.ethz.ch
[129.132.7.153])
by mmx.engelschall.com (Postfix) with ESMTP id 2E5C21950A
for [EMAIL PROTECTED]; Mon, 18 Mar 2002
10:13:13 +0100 (CET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
id KAA12404; Mon, 18 Mar 2002 10:12:37 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for
[EMAIL PROTECTED]
from viefep16-int.chello.at id KAA12340; Mon, 18 Mar 2002 10:11:43
+0100 (MET)
Received: from sbox.tugraz.at ([212.186.199.33]) by viefep16-int.chello.at
  (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with ESMTP
  id
[EMAIL PROTECTED]
  for [EMAIL PROTECTED]; Mon, 18 Mar 2002 10:11:37 +0100
Message-ID: [EMAIL PROTECTED]

--

From [EMAIL PROTECTED]  Mon Mar 18 12:32:28 2002
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [212.71.128.53])
by artax.karlin.mff.cuni.cz (Postfix) with ESMTP id D7CAA40A5
for [EMAIL PROTECTED]; Mon, 18 Mar 2002 12:32:28
+0100 (CET)
Received: from mmx.engelschall.com (mmx.engelschall.com [195.27.130.252])
by jabberwock.ucw.cz (Postfix) with ESMTP id C73C4B981
for [EMAIL PROTECTED]; Mon, 18 Mar 2002 12:32:25 +0100 (CET)
Received: by mmx.engelschall.com (Postfix/smtpfeed 1.16)
id 57F961950B; Mon, 18 Mar 2002 10:13:13 +0100 (CET)
Received: from opensource.ee.ethz.ch (opensource-01.ee.ethz.ch
[129.132.7.153])
by mmx.engelschall.com (Postfix) with ESMTP id 2E5C21950A
for [EMAIL PROTECTED]; Mon, 18 Mar 2002
10:13:13 +0100 (CET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
id KAA12404; Mon, 18 Mar 2002 10:12:37 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for
[EMAIL PROTECTED]
from viefep16-int.chello.at id KAA12340; Mon, 18 Mar 2002 10:11:43
+0100 (MET)
Received: from sbox.tugraz.at ([212.186.199.33]) by viefep16-int.chello.at
  (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with ESMTP
  id
[EMAIL PROTECTED]
  for [EMAIL PROTECTED]; Mon, 18 Mar 2002 10:11:37 +0100
Message-ID: [EMAIL PROTECTED]


 See that is quite strange. My assumption is I don't think it has to do
 with the Mailing list server itself but rather your Mail Client
 applications.  Why not post the client's everyone is using that is
 receiving duplicate posts? If they are all the same then it's a safe bet
 it's the client. I am subscribed multiple times under different accounts
 and have never received duplicate posts and I use Outlook XP.
 
 - 
 Andrew T. Finnell
 Active Solutions L.L.C
 [EMAIL PROTECTED] 




Re: don't find the openssl req -subj option

2002-03-18 Thread Haikel

Hi slim,

Use the snapshot version of openssl.

Bye
Haikel MEJRI
National Digital Certification Agency


Slim CHTOUROU wrote:

 hi
 Could anybody tell me how I can find the openssl req -subj option? Which version
 should I use to make this option available? I must use it for OpenCA.
 regards



RE: Duplicate Posts

2002-03-18 Thread Oscar Valenzuela



Lotus Notes
Oscar Valenzuela
Unix System Support
212 326-6465  






Andrew T. Finnell [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/18/2002 08:51 AM
Please respond to openssl-users


To:[EMAIL PROTECTED]
cc:
Subject:RE: Duplicate Posts


See that is quite strange. My assumption is I don't think it has to do
with the Mailing list server itself but rather your Mail Client
applications. Why not post the client's everyone is using that is
receiving duplicate posts? If they are all the same then it's a safe bet
it's the client. I am subscribed multiple times under different accounts
and have never received duplicate posts and I use Outlook XP.

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Emanuel Dejanu
 Sent: Monday, March 18, 2002 3:54 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Duplicate Posts
 
 
 I have the same problem.
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]]On Behalf Of Aarno Syvanen
 Sent: 18 martie 2002 10:40
 To: [EMAIL PROTECTED]
 Subject: Re: Duplicate Posts
 
 
 Roger F. Borrello, Jr. wrote:
  
  Am I the only one getting 4 or 5 copies of posted messages?
 
 No, I have the same problem.
 
 Aarno 

Accept

2002-03-18 Thread amit limaye



Accept is returning a "bad asn1 object header" error.
Can anybody explain what the possible causes of this error are?
I am using the sslv23server method and have
initialized the SSL_CTX, SSL and SSL method objects without any errors.

-SIGTERM
amit


Re: Intermediate CA

2002-03-18 Thread Dr S N Henson

 Oscar wrote:
 
 Hello. I try to create an Intermediate CA but I don't know how to do it. I
 create a CA root self signed but the pathlen is 0, it means that this
 CA signed end user, is it? Then how do I create an intermediate CA? And
 possibly I want to create a second intermediate CA who sign this CA?
 (CA root--CA int--CAint2--end user)
 
 Thanks
  Oscar
 
 P.D. I read all the later messages but I don't understand it.

You need to use the option:

CA.pl -signca

when signing the request for an intermediate CA. 

If you are seeing pathlen:0 for your certificates then the openssl.cnf
is not the standard one from the OpenSSL distribution which never had a
pathlen constraint applied.

pathlen is actually the number of CA certificates that can appear below
the current certificate in the chain. It is *only* valid in CA
certificates anyway. However if you have it set to 0 in the root
certificate then only end user certificates can be signed by that CA,
which is not what you want.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
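
The pathlen rule described in the message above, as an added example (not part of the original post and not OpenSSL code): a small Python model of the budget-counting check used in X.509 path validation (RFC 5280, section 6.1.4), run over the chain shape from the question. The `Cert` class, the `oscar_chain` helper and all certificate names are constructed for illustration, and the root's own pathlen is applied to the chain as the message describes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Minimal stand-in holding only the fields the pathlen check needs."""
    subject: str
    issuer: str
    is_ca: bool = False
    pathlen: Optional[int] = None   # None means no pathLenConstraint present


def check_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """Check chain[0] (root) down to chain[-1] (certificate being verified).

    Returns (ok, reason). `budget` is the number of further non-self-issued
    CA certificates still allowed below the current position.
    """
    budget: Optional[int] = None    # None = unlimited so far
    for i, cert in enumerate(chain):
        if cert.pathlen is not None and not cert.is_ca:
            return False, f"{cert.subject}: pathlen set on a non-CA certificate"
        if i > 0 and cert.issuer != chain[i - 1].subject:
            return False, f"{cert.subject}: not issued by {chain[i - 1].subject}"
        if i == len(chain) - 1:
            break                   # last certificate signs nothing in this chain
        if not cert.is_ca:
            return False, f"{cert.subject}: signs a certificate but is not a CA"
        self_issued = cert.subject == cert.issuer
        if not self_issued and budget is not None:
            if budget == 0:
                return False, f"{cert.subject}: exceeds pathlen set higher in the chain"
            budget -= 1             # this CA consumes one level of the budget
        if cert.pathlen is not None and (budget is None or cert.pathlen < budget):
            budget = cert.pathlen   # a tighter constraint replaces the budget
    return True, "ok"


def oscar_chain(root_pathlen: Optional[int], intermediates: int) -> List[Cert]:
    """Constructed chain: CA root -> CA int1 -> ... -> end user."""
    names = ["CA root"] + [f"CA int{i + 1}" for i in range(intermediates)]
    chain = [Cert("CA root", "CA root", is_ca=True, pathlen=root_pathlen)]
    for parent, name in zip(names, names[1:]):
        chain.append(Cert(name, parent, is_ca=True))
    chain.append(Cert("end user", names[-1]))
    return chain


if __name__ == "__main__":
    for pathlen, n in [(0, 0), (0, 1), (1, 1), (1, 2), (None, 2)]:
        ok, reason = check_chain(oscar_chain(pathlen, n))
        print(f"root pathlen={pathlen}, intermediates={n}: {ok} ({reason})")
```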




RE: Duplicate Posts

2002-03-18 Thread Roger F. Borrello, Jr.

X-Mailer: PMMail 2.10.1999 for OS/2 Warp 4.05

- rb

On Mon, 18 Mar 2002 16:10:35 +0200, Emanuel Dejanu wrote:

|See that is quite strange. My assumption is I don't think it has to do
|with the Mailing list server itself but rather your Mail Client
|applications.  Why not post the client's everyone is using that is
|receiving duplicate posts? If they are all the same then it's a safe bet
|it's the client. I am subscribed multiple times under different accounts
|and have never received duplicate posts and I use Outlook XP.
|
|- 
|Andrew T. Finnell
|Active Solutions L.L.C
|[EMAIL PROTECTED] 





RE: Duplicate Posts

2002-03-18 Thread Michael Wojcik

I doubt it's the user agent (client) that's at fault.  I sometimes receive
duplicates from openssl-users (and may have from openssl-dev, though with
its lighter traffic it's less apparent), but I haven't always seen
duplicates when other people post complaints about them.  I've never
received duplicates with any other list.

More likely it's either the openssl.org list server or one of the MTAs in
the (rather convoluted) path en route to my MTA that's duplicating messages.

I'd prowl through the Received headers of some of the duplicates to check,
but I'm using Outlook 2001 (idiotic company standard, unfortunately) and
it's too much effort.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University


 -Original Message-
 From: Andrew T. Finnell [mailto:[EMAIL PROTECTED]]
 Sent: Monday, March 18, 2002 7:51 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Duplicate Posts
 
 
 See that is quite strange. My assumption is I don't think it has to do
 with the Mailing list server itself but rather your Mail Client
 applications.  Why not post the client's everyone is using that is
 receiving duplicate posts? If they are all the same then it's 
 a safe bet
 it's the client. I am subscribed multiple times under 
 different accounts
 and have never received duplicate posts and I use Outlook XP.
 
 - 
 Andrew T. Finnell
 Active Solutions L.L.C
 [EMAIL PROTECTED] 
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Emanuel Dejanu
  Sent: Monday, March 18, 2002 3:54 AM
  To: [EMAIL PROTECTED]
  Subject: RE: Duplicate Posts
  
  
  I have the same problem.
  
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]]On Behalf Of Aarno Syvanen
  Sent: 18 martie 2002 10:40
  To: [EMAIL PROTECTED]
  Subject: Re: Duplicate Posts
  
  
  Roger F. Borrello, Jr. wrote:
   
   Am I the only one getting 4 or 5 copies of posted messages?
  
  No, I have the same problem.
  
  Aarno 
  



Re: Duplicate Posts

2002-03-18 Thread Ralf S. Engelschall

On Mon, Mar 18, 2002, Lance Nehring wrote:

 Yes, I see the same thing in my headers.
 I've also addressed this to [EMAIL PROTECTED] to try to get
 their attention to investigate their email logs.
 A valid SMTP host on the net should route the postmaster address to an admin.
 per RFC822.
 
 Sometimes mmx.engelschall.com shows up in the header as:
 
 Received:  from mmx.engelschall.com [195.27.130.252] by
 cmsmail05.cms.usa.net via smtad
   (CM.1201.1.04.PATCH); Mon, 18 Mar 2002 15:02:36 GMT
 
 other times it shows up as:
 
 Received:  from mmx.engelschall.com [195.27.130.252] by
 cmsmail06.cms.usa.net via smtad
   (CM.1201.1.04); Mon, 18 Mar 2002 14:05:36 GMT
 
 It does look like a good place to look for the problem but will require
 assistance from engelschall.com.
 [...]

mmx.engelschall.com is the Postfix+SMTPfeed service for the mass-mail
delivery of our mailing list subscriptions which is also used by
OpenSSL. According to the Postfix logfile for this particular mail and
the receiving MTA, it is the problem of the receiving MTA or the network
connection to it:

| Mar 18 10:27:36 info postfix/lmtp[83321]: 57F961950B: to=[EMAIL PROTECTED],
| relay=127.0.0.1[127.0.0.1], delay=863, status=deferred (conversation with
| 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
| sent more than once)
| Mar 18 11:14:22 info postfix/lmtp[85311]: 57F961950B: to=[EMAIL PROTECTED],
| relay=127.0.0.1[127.0.0.1], delay=3668, status=deferred (conversation with
| 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
| sent more than once)
| Mar 18 12:43:59 info postfix/lmtp[87921]: 57F961950B: to=[EMAIL PROTECTED],
| relay=127.0.0.1[127.0.0.1], delay=9046, status=deferred (conversation with
| 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
| sent more than once)
| Mar 18 15:13:55 info postfix/lmtp[92784]: 57F961950B: to=[EMAIL PROTECTED],
| relay=127.0.0.1[127.0.0.1], delay=18042, status=deferred (conversation with
| 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
| sent more than once)
| Mar 18 17:44:06 info postfix/lmtp[99370]: 57F961950B: to=[EMAIL PROTECTED],
| relay=127.0.0.1[127.0.0.1], delay=27053, status=deferred (conversation with
| 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
| sent more than once)

As you can see, SMTPfeed (the LMTP service reported here by Postfix) on
mmx.engelschall.com tried many times to deliver the message because the
connection timed out in the middle of the SMTP conversation. And, yes,
as the log also says, the result could be that the message is received
by the peer more than once. So, that's the expected behaviour in this
case and nothing is wrong -- at least not on the mmx.engelschall.com
side as far as I can see it.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
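
The retry pattern in the log excerpt above, as an added example (not part of the original message, and not Postfix or SMTPfeed code): a Python pass over delivery log lines that counts, per queue ID and recipient, how many attempts ended in the ambiguous "timed out while sending end of data" state, each of which the peer may already have accepted. The recipient addresses, the final `status=sent` line and the two extra queue IDs are constructed, and the regex assumes the usual Postfix `to=<...>` log layout.

```python
import re
from collections import defaultdict

# Deferral reason after which the peer may or may not have stored the message.
AMBIGUOUS = "timed out while sending end of data"

LINE_RE = re.compile(
    r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?delay=(?P<delay>\d+), status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)

# Constructed sample: queue ID 57F961950B and its delays follow the excerpt
# above; addresses, the other queue IDs and the "sent" lines are made up.
SAMPLE_LOG = [
    "Mar 18 10:14:02 info postfix/lmtp[83110]: 0A1B2C3D4E: to=<other@example.net>, "
    "relay=127.0.0.1[127.0.0.1], delay=3, status=sent (250 Ok)",
    "Mar 18 10:27:36 info postfix/lmtp[83321]: 57F961950B: to=<subscriber@example.org>, "
    "relay=127.0.0.1[127.0.0.1], delay=863, status=deferred (conversation with "
    "127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be "
    "sent more than once)",
    "Mar 18 10:30:00 info postfix/lmtp[83400]: 1F2E3D4C5B: to=<third@example.com>, "
    "relay=none, delay=10, status=deferred (connect to 127.0.0.1[127.0.0.1]: "
    "Connection refused)",
    "Mar 18 11:14:22 info postfix/lmtp[85311]: 57F961950B: to=<subscriber@example.org>, "
    "relay=127.0.0.1[127.0.0.1], delay=3668, status=deferred (conversation with "
    "127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be "
    "sent more than once)",
    "Mar 18 12:43:59 info postfix/lmtp[87921]: 57F961950B: to=<subscriber@example.org>, "
    "relay=127.0.0.1[127.0.0.1], delay=9046, status=deferred (conversation with "
    "127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be "
    "sent more than once)",
    "Mar 18 15:13:55 info postfix/lmtp[92784]: 57F961950B: to=<subscriber@example.org>, "
    "relay=127.0.0.1[127.0.0.1], delay=18042, status=sent (250 Ok)",
]


def duplicate_risk(lines):
    """Return one finding per (queue ID, recipient) with ambiguous deferrals.

    possible_copies is an upper bound: every ambiguous attempt may have been
    accepted by the peer, plus the attempt that finally reported "sent".
    """
    stats = defaultdict(lambda: {"ambiguous": 0, "sent": 0, "max_delay": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a delivery status line
        s = stats[(m["qid"], m["rcpt"])]
        s["max_delay"] = max(s["max_delay"], int(m["delay"]))
        if m["status"] == "deferred" and AMBIGUOUS in m["reason"]:
            s["ambiguous"] += 1
        elif m["status"] == "sent":
            s["sent"] += 1
    findings = []
    for (qid, rcpt), s in sorted(stats.items()):
        if s["ambiguous"]:                # clean deliveries and refusals are skipped
            findings.append({
                "queue_id": qid,
                "rcpt": rcpt,
                "possible_copies": s["ambiguous"] + s["sent"],
                "max_delay": s["max_delay"],
            })
    return findings


if __name__ == "__main__":
    for f in duplicate_risk(SAMPLE_LOG):
        print(f)
```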



User base for Openssl

2002-03-18 Thread THLST9%KATZ

I am a graduate student writing a paper on OpenSSL and I wonder if you can
help me with some information regarding the user base.  I was not able to
find the info on the website Openssl.org.

To the best of your knowledge, how large is the user base for OpenSSL?
What is the annual growth rate so far?  Is OpenSSL bundled with any
software?  Is it being used by schools and universities?  If so, can you
cite a couple of examples?


I really appreciate any help you may be able to provide.  Thank you very
much.


Theresa Liu
Katz Graduate School of Business
[EMAIL PROTECTED]



Mod_SSL Errors

2002-03-18 Thread Michael Katz

Trying to get SSL running for the first time.  Using Apache 1.2.23,
openssl-0.9.6c, mod_ssl-2.8.7-1.3.23.

After creating the virtual host and restarting apache I get the following
errors:

[Mon Mar 18 09:22:56 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
[Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line
[Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:missing asn1 eos
[Mon Mar 18 09:23:04 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
[Mon Mar 18 09:23:04 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line

I have seen that others have found this error but I could not find a solution.

Michael Katz
RAE Internet
39 Carthage Road
Scarsdale, NY 10583
ph. (914) 725-2370, (877)302-2027
fax (914) 725-2372
http://www.raeinternet.com
US Distributor RAV Antivirus



Re: Duplicate Posts

2002-03-18 Thread Lance Nehring

Yes, I see the same thing in my headers.
I've also addressed this to [EMAIL PROTECTED] to try to get
their attention to investigate their email logs.
A valid SMTP host on the net should route the postmaster address to an admin.
per RFC822.

Sometimes mmx.engelschall.com shows up in the header as:

Received:  from mmx.engelschall.com [195.27.130.252] by
cmsmail05.cms.usa.net via smtad
  (CM.1201.1.04.PATCH); Mon, 18 Mar 2002 15:02:36 GMT

other times it shows up as:

Received:  from mmx.engelschall.com [195.27.130.252] by
cmsmail06.cms.usa.net via smtad
  (CM.1201.1.04); Mon, 18 Mar 2002 14:05:36 GMT

It does look like a good place to look for the problem but will require
assistance from engelschall.com.
r,
Lance Nehring
New Particles Corporation

Ales Privetivy wrote:

 Hello,

  looking thru mail envelopes it seems to me that host

 mmx.engelschall.com

 sends the same message more than one time.

 Ales Privetivy


  See that is quite strange. My assumption is I don't think it has to do
  with the Mailing list server itself but rather your Mail Client
  applications.  Why not post the clients everyone is using that is
  receiving duplicate posts? If they are all the same then it's a safe bet
  it's the client. I am subscribed multiple times under different accounts
  and have never received duplicate posts and I use Outlook XP.
 
  -
  Andrew T. Finnell
  Active Solutions L.L.C
  [EMAIL PROTECTED]


Re: Duplicate Posts

2002-03-18 Thread Michael Sierchio

Ralf S. Engelschall wrote:

  ... According to the Postfix logfile for this particular mail and
 the receiving MTA, it is the problem of the receiving MTA or the network
 connection to it:

There you have it, Ralf -- the problem is with Postfix itself.  Other
mailing lists don't have this problem.  You're blaming the victims --
the poor sods who have to read the same not-quite-deathless prose,
again and again.




Netscape vs. IE with self root CA

2002-03-18 Thread Williams, Jeff

I'm having a slight problem, I've created my own root authority file and
signed a certificate with it.  I've successfully imported the Root Authority
into Internet Explorer and IE sees the certificate without any warnings.  As
for Netscape, I'm having a problem getting Netscape to import the Root
Authority.  I've tried the normal PEM file and a converted DER file (This
one went into IE just fine) and Netscape doesn't see it.  Any help would be
appreciated...

Also, is there a way to tell if my certificates that I sign are 128 bit
encrypted?  Or is there something I should use with openssl to guarantee a
128 bit certificate?  Thanks for the help!

Jeff



RE: User base for Openssl

2002-03-18 Thread GOLDING,CHARLTON (Non-HP-Corvallis,ex1)

Theresa,

I'm new to OpenSSL so can not speak to this very well.  One example at least
I can offer.

I just installed NetBSD 1.5.1 as one of many ongoing project evaluations, I
noticed that OpenSSL was included in the packages it installed from the
default full install selection.  

My guess would be, (guess alone, you'd have to confirm this) that FreeBSD,
OpenBSD, Linux (depending on version/efforts/CVS trees), would very likely
include OpenSSL ports/binaries in the current versions.  

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html

http://www.onlamp.com/pub/a/bsd/2000/08/08/OpenBSD.html

Again, I'm quite new to this effort and only a user at this stage so others
can speak to this better I'm sure.

Chet Golding


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 6:30 AM
To: [EMAIL PROTECTED]
Subject: User base for Openssl

I am a graduate student writing a paper on OpenSSL and I wonder if you can
help me with some information regarding the user base.  I was not able to
find the info on the website Openssl.org.

To the best of your knowledge, how large is the user base for OpenSSL?
What is the annual growth rate so far?  Is OpenSSL bundled with any
software?  Is it being used by schools and universities?  If so, can you
cite a couple of examples?


I really appreciate any help you may be able to provide.  Thank you very
much.


Theresa Liu
Katz Graduate School of Business
[EMAIL PROTECTED]



Re: Duplicate Posts

2002-03-18 Thread Michael Sierchio

Ralf S. Engelschall wrote:

 As you can see, SMTPfeed (the LMTP service reported here by Postfix) on
 mmx.engelschall.com tried many times to deliver the message because the
 connection timed out in the middle of the SMTP conversation. And, yes,
 as the log also says, the result could be that the message is received
 by the peer more than once. So, that's the expected behaviour in this
 case and nothing is wrong -- at least not on the mmx.engelschall.com
 side as far as I can see it.

That's because you have your eyes firmly shut!




Re: Mod_SSL Errors

2002-03-18 Thread Dr S N Henson

Michael Katz wrote:
 
 Trying to get SSL running for the first time.  Using Apache 1.2.23,
 openssl-0.9.6c, mod_ssl-2.8.7-1.3.23.
 
 After creating the virtual host and restarting apache I get the following
 errors:
 
 [Mon Mar 18 09:22:56 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
 [Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line
 [Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:missing asn1 eos
 [Mon Mar 18 09:23:04 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
 [Mon Mar 18 09:23:04 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line
 
 I have seen others have found this error but I could not find a solution.
 

That sounds like there's a corrupted certificate somewhere in the
trusted certificate store. If you can, place a printf() in the function
X509_load_cert_crl_file() and see which file is causing that problem. I
suppose in future versions of OpenSSL we could add some additional error
information which logs the file causing the error.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
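
An added example, not part of the original reply and not OpenSSL code: one way to find the offending file without patching the library is to check every PEM block in the trusted store for a matching END line, a decodable base64 body and a complete outer DER SEQUENCE. The function names and the sample data are assumptions made for illustration; this is a structural check only, not an X.509 parse.

```python
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def der_length_ok(der):
    """True if der is a single SEQUENCE whose length field covers exactly the rest."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: one length byte
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_text(text):
    """Return [(line_number, problem), ...] for the contents of one PEM file."""
    problems, label, start, body = [], None, 0, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()                # tolerate CRLF and trailing blanks
        begin = BEGIN_RE.match(line)
        if begin:
            if label is not None:
                problems.append((start, "block has no END line"))
            label, start, body = begin.group(1), no, []
        elif label is None:
            # free text between blocks is skipped; a lone boundary is not
            if line.startswith("-----"):
                problems.append((no, "boundary line outside any block"))
        elif line.startswith("-----"):
            end = END_RE.match(line)
            if not end or end.group(1) != label:
                problems.append((no, "bad end line for block opened at line %d" % start))
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except binascii.Error:
                    der = None
                if der is None or not der_length_ok(der):
                    problems.append((start, "body is not base64 of one complete DER SEQUENCE"))
            label = None
        else:
            body.append(line)
    if label is not None:
        problems.append((start, "block has no END line"))
    return problems

def scan(files):
    """files maps name -> text; return only the entries that have problems."""
    report = {name: check_pem_text(text) for name, text in files.items()}
    return {name: found for name, found in report.items() if found}

def _pem(der, end="-----END CERTIFICATE-----"):
    return "-----BEGIN CERTIFICATE-----\n%s\n%s\n" % (base64.b64encode(der).decode(), end)

# Constructed samples: tiny DER SEQUENCEs standing in for real certificates.
SAMPLES = {
    "good.pem": _pem(b"\x30\x03\x02\x01\x01"),
    "bad-end.pem": _pem(b"\x30\x03\x02\x01\x01", end="-----END CERTIFICATE----"),
    "truncated.pem": _pem(b"\x30\x05\x02\x01\x01"),
}
```

To use it on a real store, read each file in the directory configured for client-certificate verification into the `files` mapping and call `scan(files)`.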



Re: Duplicate Posts

2002-03-18 Thread Lutz Jaenicke

On Mon, Mar 18, 2002 at 06:08:49PM +0100, Ralf S. Engelschall wrote:
 | Mar 18 10:27:36 info postfix/lmtp[83321]: 57F961950B: to=[EMAIL PROTECTED],
 | relay=127.0.0.1[127.0.0.1], delay=863, status=deferred (conversation with
 | 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
 | sent more than once)
 | Mar 18 11:14:22 info postfix/lmtp[85311]: 57F961950B: to=[EMAIL PROTECTED],
 | relay=127.0.0.1[127.0.0.1], delay=3668, status=deferred (conversation with
 | 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
 | sent more than once)
 | Mar 18 12:43:59 info postfix/lmtp[87921]: 57F961950B: to=[EMAIL PROTECTED],
 | relay=127.0.0.1[127.0.0.1], delay=9046, status=deferred (conversation with
 | 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
 | sent more than once)
 | Mar 18 15:13:55 info postfix/lmtp[92784]: 57F961950B: to=[EMAIL PROTECTED],
 | relay=127.0.0.1[127.0.0.1], delay=18042, status=deferred (conversation with
 | 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
 | sent more than once)
 | Mar 18 17:44:06 info postfix/lmtp[99370]: 57F961950B: to=[EMAIL PROTECTED],
 | relay=127.0.0.1[127.0.0.1], delay=27053, status=deferred (conversation with
 | 127.0.0.1[127.0.0.1] timed out while sending end of data -- message may be
 | sent more than once)
 
 As you can see, SMTPfeed (the LMTP service reported here by Postfix) on
 mmx.engelschall.com tried many times to deliver the message because the
 connection timed out in the middle of the SMTP conversation. And, yes,
 as the log also says, the result could be that the message is received
 by the peer more than once. So, that's the expected behaviour in this
 case and nothing is wrong -- at least not on the mmx.engelschall.com
 side as far as I can see it.

I am not familiar with SMTPfeed, but I am quite familiar with postfix :-)
The message above means, that the mail body was sent out successfully.
According to RFC821, the body is finished with a . on a single line.
The receiving host acknowledges delivery with a 2xx queued as ...
answer, then postfix sends QUIT. The message above indicates, that the
acknowledgement was not sent, so postfix does not know for sure, whether
the message was received or not. To make sure the message was not lost,
Postfix will send the message again.
Please check out e.g.
  http://www.postfix.org/faq.html#timeouts

Best regards,   
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
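
An added example, not part of the original message and not Postfix code: detection logic for the situation described above, counting for each queue ID and recipient how many delivery attempts ended without an acknowledgement after the end of data, and therefore how many copies the peer may hold. The log lines are constructed on the model of the quoted excerpt, the recipient addresses and the second queue ID are placeholders, and the function names are assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=[^,]+, delay=(?P<delay>\d+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# Wording logged when the final "." was sent but no reply arrived in time.
AMBIGUOUS = "timed out while sending end of data"


def duplicate_risk(lines):
    """Return {(queue_id, recipient): stats} for deliveries that may be duplicated."""
    seen = defaultdict(lambda: {"ambiguous": 0, "sent": 0, "max_delay": 0})
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        rec = seen[(m["qid"], m["rcpt"])]
        rec["max_delay"] = max(rec["max_delay"], int(m["delay"]))
        if m["status"] == "sent":
            rec["sent"] += 1
        elif m["status"] == "deferred" and AMBIGUOUS in m["reason"]:
            rec["ambiguous"] += 1
    risky = {}
    for key, rec in seen.items():
        if rec["ambiguous"]:
            # Each unacknowledged attempt may have been accepted by the peer,
            # and an acknowledged attempt certainly was.
            rec["possible_copies"] = rec["ambiguous"] + rec["sent"]
            risky[key] = rec
    return risky


_TIMEOUT = ("conversation with 127.0.0.1[127.0.0.1] timed out while sending "
            "end of data -- message may be sent more than once")


def _line(clock, qid, rcpt, delay, status, reason):
    return ("Mar 18 %s info postfix/lmtp[83321]: %s: to=<%s>, "
            "relay=127.0.0.1[127.0.0.1], delay=%d, status=%s (%s)"
            % (clock, qid, rcpt, delay, status, reason))


# Constructed log modelled on the excerpt above; recipients are placeholders.
SAMPLE_LOG = [
    _line("10:27:36", "57F961950B", "member@example.org", 863, "deferred", _TIMEOUT),
    _line("10:30:02", "A1B2C3D4E5", "other@example.org", 4, "sent", "250 Ok"),
    _line("11:14:22", "57F961950B", "member@example.org", 3668, "deferred", _TIMEOUT),
    _line("12:43:59", "57F961950B", "member@example.org", 9046, "deferred", _TIMEOUT),
    _line("12:59:10", "57F961950B", "member@example.org", 9957, "sent", "250 Ok"),
]
```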



Re: Duplicate Posts

2002-03-18 Thread Allan E Johannesen

 Lutz.Jaenicke == Lutz Jaenicke [EMAIL PROTECTED] writes:
Lutz.Jaenicke I am not familiar with SMTPfeed, but I am quite familiar with
Lutz.Jaenicke postfix :-) The message above means, that the mail body was sent
Lutz.Jaenicke out successfully.  According to RFC821, the body is finished
Lutz.Jaenicke with a . on a single line.  The receiving host acknowledges
Lutz.Jaenicke delivery with a 2xx queued as ...  answer, then postfix sends
Lutz.Jaenicke QUIT. The message above indicates, that the acknowledgement
Lutz.Jaenicke was not sent, so postfix does not know for sure, whether the
Lutz.Jaenicke message was received or not. To make sure the message was not
Lutz.Jaenicke lost, Postfix will send the message again.  Please check out
Lutz.Jaenicke e.g.  http://www.postfix.org/faq.html#timeouts

The problem/lmtp is with postfix, it appears.

If some system in the Czech Republic has a timeout, why should I get the
repeated deliveries?

The software appears not to be smart enough to differentiate the single failing
recipient from the rest of the successful ones and requeues the whole bunch.

Maybe http://www.postfix.org/faq.html#timeouts has some lame excuse for why
they cannot differentiate good deliveries from bad, but the learn to live with
it answer really doesn't cut it.



Certificate format

2002-03-18 Thread Francesco Dal Bello


Does someone know if there is a simple OpenSSL function that tells the format (PEM or DER) of a 
given certificate?

Tnx,
Francesco Dal Bello



Re: Netscape vs. IE with self root CA

2002-03-18 Thread Jean-Marc Desperrier

Williams, Jeff wrote:

As
for Netscape, I'm having a problem getting Netscape to import the Root
Authority.

This is a known problem.
The only way to import a new root inside Netscape 4.x is to create an 
HTML page with a link that points to the certificates, and install by 
clicking on the link on this page. The HTML page can be a file on your 
hard drive, as well as the certificate.
The only important thing is that the MIME type associated inside the 
registry with the certificate file be the one Netscape expects.

This usually is the case when you give the file the extension .der. 
Try .cer too.
If that doesn't work, do some searching on the mailing list archive to get 
the exact MIME type needed, and find how to modify the MIME type from 
file explorer.

Also, is there a way to tell if my certificates that I sign are 128 bit
encrypted?  Or is there something I should use with openssl to guarantee a
128 bit certificate?  Thanks for the help!

What is called a 128-bit certificate is a certificate with some special 
extension, and that is signed by an authority that the client browser 
will recognise as allowed to emit 128-bit certificates.

When seeing both of these together, the client webbrowser (IE below 
version 5.5 or Netscape Navigator 4.x) will switch to 128-bit 
cryptography, even if it's an export version that would usually be 
restricted to 56 bit.

Your home-made CA is not recognised as such a trusted CA.
If the application is intranet, you could search and find how to 
individually get each client webbrowser on the intranet to trust your CA 
to emit 128-bit certificates, but it won't be of any use in the general 
world.

Even for an intranet, simply updating all the clients to a 
non-cryptographically restricted version would be _a lot_ easier.





Bruce Schneier's Cryptogram: OpenSSL ASN.1 Vulnerability

2002-03-18 Thread J. Andres Hall

Dear List:

According to Bruce Schneier, there is a security problem with OpenSSL's
ASN.1 implementation.  I have searched the OpenSSL Web FAQ and the
list archive, but have not found any mention...

Any comments/feedback will be appreciated.
Many thanks!

Andrew.



SCHNEIER dixit:

The vulnerabilities concern SNMP's trap-handling and request-handling
functions, and stem from problems in the reference code (probably) used
inside the Abstract Syntax Notation (ASN.1) and Basic Encoding Rules
(BER).  The SNMP vulnerabilities affect hundreds of different devices:
operating systems, network equipment, software packages, even things like
digital cameras.  It's a BIG deal.

It's actually a bigger deal than has been reported.  ASN.1 is used inside a
lot of other applications, such as OpenSSL.  These vulnerabilities aren't
limited to SNMPv1; that's just the only thing that's been well-publicized
at this point.  (The recently reported problems in mod_ssl and Apache are
apparently related to this, too.)


The Schneier CRYPTO-GRAM Newsletter (Relevant article only)
--

- Original Message -
From: Bruce Schneier [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 15, 2002 6:38 PM
Subject: CRYPTO-GRAM, March 15, 2002


   CRYPTO-GRAM

  March 15, 2002

by Bruce Schneier
 Founder and CTO
Counterpane Internet Security, Inc.
 [EMAIL PROTECTED]
   http://www.counterpane.com


 A free monthly newsletter providing summaries, analyses, insights, and
 commentaries on computer security and cryptography.

 Back issues are available at
 http://www.counterpane.com/crypto-gram.html.  To subscribe, visit
 http://www.counterpane.com/crypto-gram.html or send a blank message to
 [EMAIL PROTECTED]

 Copyright (c) 2002 by Counterpane Internet Security, Inc.


 ** *** * *** *** *

  SNMP Vulnerabilities



 SNMP is the Simple Network Management Protocol, the most popular protocol
 to manage network devices.  Hundreds, possibly thousands, of products use
 it.  Last fall, a group of Finnish researchers discovered multiple
 vulnerabilities in SNMP.  By exploiting the vulnerabilities, an attacker
 could cause a denial-of-service attack, and in some cases take over
 control of the system.

 The vulnerabilities concern SNMP's trap-handling and request-handling
 functions, and stem from problems in the reference code (probably) used
 inside the Abstract Syntax Notation (ASN.1) and Basic Encoding Rules
 (BER).  The SNMP vulnerabilities affect hundreds of different devices:
 operating systems, network equipment, software packages, even things like
 digital cameras.  It's a BIG deal.

 It's actually a bigger deal than has been reported.  ASN.1 is used inside
 a lot of other applications, such as OpenSSL.  These vulnerabilities aren't
 limited to SNMPv1; that's just the only thing that's been well-publicized
 at this point.  (The recently reported problems in mod_ssl and Apache are
 apparently related to this, too.)

 The history of the vulnerability's discovery and publication is an
 interesting story, and illustrates the tension between bug secrecy and
 full disclosure.  A research group from the Oulu University Secure Programming
 Group in Oulu, Finland, first discovered this problem in October 2001, and
 decided not to publish because it was such a large problem.  CERT took on
 the task of coordinating the fix with the major software vendors, and has
 said that the reason publication was delayed so long is that there were so
 many vendors to contact.  CERT even had problems with vendors not taking
 the problem seriously, and had to spend considerable effort to get the
 right people to pay attention.  Lesson #1: If bugs are secret, many
 vendors won't bother patching their systems.

 The vulnerability was published on 12 February.  Supposedly, this was two
 weeks earlier than planned, and because the story was leaking too
 much.  CERT felt that early publication was better than widespread
 rumors.  Some companies were caught off-guard.  Even though they had
 months to patch their systems, they weren't ready and needed those two extra
 weeks.  Some companies didn't bother to start worrying about the problem
 until publication was imminent.  Lesson #2: It is only the threat of
 publication that makes many vendors patch their systems.  (To be fair,
 many companies did a great job proactively patching their systems.  And in
 many cases, the patches were not trivial.  Some vendors were swamped by
 the sheer number of different products and releases they had to patch and
 test.  And I stress test, because patching mature code carries a strong
 probability of either not fixing the problem or of introducing new
 problems.)

 When CERT finally published and the Oulu Web site went live, there were
 all sorts of reactions.