Re: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26

2002-07-11 Thread Shalu

Hi list,
In fact I am also facing a problem like Joseph.
I am installing Apache on my laptop.
What I want is
to set up an https server.
I am reading instructions from

(I have kept a web page resume.html in my public_html dir in 
/home/chhabra )

http://www.modssl.org/docs/apachecon2001
but after doing all that,
when I run
nmap, I don't find https but http,
but when I write
/usr/local/apache/bin/apachectl startssl
it says already running.
I am confused too.

Please help

On Thu, 11 Jul 2002 Joseph Botto wrote :
>Hello all. I'm new to all of this stuff, and am desperately in 
>need of some
>help.
>Here's the deal:
>
>I'm installing Apache 1.3.26, OpenSSL 0.9.6d, PHP 4.2.1, MySQL 
>3.23, mod_ssl
>2.8.10, etc
>on a Red Hat v7.2 box. Now, everything installs and compiles 
>properly
>(without errors), yet SSL is not working.
>
>When I do an nmap localhost, it says that Apache is listening on 
>80 and 443.
>But, trying
>to go to https://servername gives a "Cannot Find Server". Also, 
>Apache
>doesn't write anything
>to the error_log or access_log about those attempted accesses, 
>nor does
>anything show up in
>the ssl_engine logs.
>
>A list of all the commands I executed are here:
>http://iras.reserv.usf.edu/dox.txt
>
>Can someone help? =)
>
>-Joe
>[EMAIL PROTECTED]
>
>
>__
>OpenSSL Project 
>http://www.openssl.org
>User Support Mailing List
>[EMAIL PROTECTED]
>Automated List Manager   
>[EMAIL PROTECTED]




RE: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26

2002-07-11 Thread Nulty, Michael (CAP, CMF)

Try again and use openssl-0.9.6b...This may help

-Original Message-
From: Joseph Botto [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 8:57 PM
To: [EMAIL PROTECTED]
Cc: Graham
Subject: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26


Hello all. I'm new to all of this stuff, and am desperately in need of some
help.
Here's the deal:

I'm installing Apache 1.3.26, OpenSSL 0.9.6d, PHP 4.2.1, MySQL 3.23, mod_ssl
2.8.10, etc
on a Red Hat v7.2 box. Now, everything installs and compiles properly
(without errors), yet SSL is not working.

When I do an nmap localhost, it says that Apache is listening on 80 and 443.
But, trying
to go to https://servername gives a "Cannot Find Server". Also, Apache
doesn't write anything
to the error_log or access_log about those attempted accesses, nor does
anything show up in
the ssl_engine logs.

A list of all the commands I executed are here:
http://iras.reserv.usf.edu/dox.txt

Can someone help? =)

-Joe
[EMAIL PROTECTED]





RE: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26

2002-07-11 Thread Jochen Keutel

Probably a problem in your httpd.conf. If you like
you can send me your httpd.conf - I'll try
to fix it.

Bye,  Jochen.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Joseph Botto
> Sent: Thursday, July 11, 2002 2:57 AM
> To: [EMAIL PROTECTED]
> Cc: Graham
> Subject: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26
> 
> 
> Hello all. I'm new to all of this stuff, and am desperately in 
> need of some
> help.
> Here's the deal:
> 
> I'm installing Apache 1.3.26, OpenSSL 0.9.6d, PHP 4.2.1, MySQL 
> 3.23, mod_ssl
> 2.8.10, etc
> on a Red Hat v7.2 box. Now, everything installs and compiles properly
> (without errors), yet SSL is not working.
> 
> When I do an nmap localhost, it says that Apache is listening on 
> 80 and 443.
> But, trying
> to go to https://servername gives a "Cannot Find Server". Also, Apache
> doesn't write anything
> to the error_log or access_log about those attempted accesses, nor does
> anything show up in
> the ssl_engine logs.
> 
> A list of all the commands I executed are here:
> http://iras.reserv.usf.edu/dox.txt
> 
> Can someone help? =)
> 
> -Joe
> [EMAIL PROTECTED]
> 
> 



Re: RE: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26

2002-07-11 Thread Shalu


Hi list,

I am able to set up an http Apache server using
apache_1.3.26 and openssl-0.9.6d.
I also installed mod_ssl,
but when I write
https://nessus
I am not able to get anything,
but when I write

http://nessus/
I see the page,

Hey, it worked
The SSL/TLS-aware Apache webserver was successfully
installed

I also ran
/usr/local/apache/bin/apachectl startssl

But I am not able to run an https server.
Can someone guide me?
I am in urgent need to set up an https server.


On Thu, 11 Jul 2002 Jochen Keutel wrote :
>Probably a problem in your httpd.conf. If you like
>you can send me your httpd.conf - I'll try
>to fix it.
>
>Bye,  Jochen.
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Joseph 
>Botto
> > Sent: Thursday, July 11, 2002 2:57 AM
> > To: [EMAIL PROTECTED]
> > Cc: Graham
> > Subject: Install Problems with OpenSSL 0.9.6d and Apache 
>1.3.26
> >
> >
> > Hello all. I'm new to all of this stuff, and am desperately 
>in
> > need of some
> > help.
> > Here's the deal:
> >
> > I'm installing Apache 1.3.26, OpenSSL 0.9.6d, PHP 4.2.1, 
>MySQL
> > 3.23, mod_ssl
> > 2.8.10, etc
> > on a Red Hat v7.2 box. Now, everything installs and compiles 
>properly
> > (without errors), yet SSL is not working.
> >
> > When I do an nmap localhost, it says that Apache is listening 
>on
> > 80 and 443.
> > But, trying
> > to go to https://servername gives a "Cannot Find Server". 
>Also, Apache
> > doesn't write anything
> > to the error_log or access_log about those attempted accesses, 
>nor does
> > anything show up in
> > the ssl_engine logs.
> >
> > A list of all the commands I executed are here:
> > http://iras.reserv.usf.edu/dox.txt
> >
> > Can someone help? =)
> >
> > -Joe
> > [EMAIL PROTECTED]
> >
> >



Re: Requiring client certificates - how?

2002-07-11 Thread M.E. Post

- Original Message -
From: "David C. Tuttle" <[EMAIL PROTECTED]>
To: "OpenSSL" <[EMAIL PROTECTED]>
Sent: Thursday, July 11, 2002 1:13 AM
Subject: Re: Requiring client certificates - how?


> On Wed, 10 Jul 2002, Keary Suska wrote:
> > on 7/10/02 4:33 PM, [EMAIL PROTECTED] purportedly said:
> > >
> > > How do I force Cyrus IMAP (2.1.4 compiled with OpenSSL 0.9.6c) to
> > > require the use of client certificates?  Is there a config parameter
> > > for OpenSSL to do this? Or do I have to configure IMAP somehow?  I
> > > could not find instructions for this anywhere.
> >
> > Seek out the Cyrus IMAP docs/mailing lists for an answer to your question.
>
> Been there, tried that, no luck.  Anybody here got a clue to sell me?

Looks like the functionality you're looking for has been recently added in
version 1.37 of tls.c:

http://asg.web.cmu.edu/archive/message.php?mailbox=org.acs.asg.project.mail.commits&msg=445

Modified Files:
imapd.conf.5
 Log Message:
 added tls*_require_cert option

So you might want to check out the Cyrus CVS and try it out,
http://bugzilla.andrew.cmu.edu/cvsweb/src/cyrus/

hth

Meint




openbsd on sparc64: problems

2002-07-11 Thread Francesco Gringoli

Hi all,

has anyone compiled openssl on an UltraSparc box running
OpenBSD-sparc64?
Every time I try I always get an error during the test
(blowfish - encoded and decode sequences differ).
It's the same if I try to compile from OpenBSD sources
(which should include full OpenBSD-sparc64 support).

Ideas?

Thanks,
bye
Francesco G.




a problem/question

2002-07-11 Thread doug chanco

  Hi all,
I am very new to openssl and I am hoping someone can help me with the 
following problem:

I am trying to use openssl from the command line (using s_client) to get 
a file off a web server using ssl. When I run the following:

openssl s_client -prexit -showcerts -connect xx.xxx.xxx.xxx:443

and I get the following:
CONNECTED(0003)
depth=1 /C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK 
SERVICES/OU=SecureTransport Server/CN=URBFTP01
i:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01
1 s:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01
i:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01
---
Server certificate
subject=/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK 
SERVICES/OU=SecureTransport Server/CN=URBFTP01
issuer=/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01
---
No client certificate CA names sent
---
SSL handshake has read 1752 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 
A4B7765876D6E1B1863B1BE32157B279394864CE8389AC199E6C395CF204406CF1B7436C48F43682A4487077C8F2C64D
Key-Arg : None
Start Time: 1026398836
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
GET /


302 Found

Found
The document has moved https://URBFTP01.ALLIED.NWIE.NET:443/?&STCO=1PS2a3cCoPQcAAAg8PS0&STCOEND"; 
 >here.
Additionally, a 302 Found
error was encountered while trying to use an ErrorDocument to handle the 
request.

closed
--
Certificate chain
0 s:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK 
SERVICES/OU=SecureTransport Server/CN=URBFTP01
i:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01
1 s:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01
i:/C=US/ST=IOWA/L=URBANDALE/O=ALLIED/OU=NETWORK SERVICES/CN=URBFTP01

Getting the CERT chain

2002-07-11 Thread Patrick Powell

Question 1:

Is there a simple way using exported (i.e. - available
to general use via the openssl library and having definitions
in openssl.h) OpenSSL functions to do the following:

   During the SSL connection process, if a user CERT has
   been presented, get the cert chain?

Here is the code that I am using to check the
USER certificate.  Note that I use SSL_get_peer_certificate(ssl)
to get the peer certificate.

Is there a function such as SSL_get_issuer_certificate(ssl,peer)?
 i.e. - issuer = SSL_get_issuer_certificate( ssl, peer );

If not,  then where can I find a code template or the internal
information to write one?

/* now we check to see which server we talked to */
verify_result = SSL_get_verify_result(ssl);

if( verify_result != X509_V_OK ){
    DEBUG1("Open_SSL_connection: SSL_get_verify_result '%s'",
        X509_verify_cert_error_string(verify_result) );
    SNPRINTF(errmsg,errlen)
        "SSL_connect failed, peer certificat not verified: '%s'",
        X509_verify_cert_error_string(verify_result) );
    status = -1;
    goto done;
} else {
    X509 *peer;
    peer = SSL_get_peer_certificate(ssl);
    if( peer ){
        if( X509_NAME_oneline( X509_get_subject_name( peer ),
            buffer, sizeof(buffer) ) ){
            DEBUG1("Open_SSL_connection: subject '%s'", buffer );
            if( info ) Set_str_value(info,SERVER,buffer);
        }
        if( X509_NAME_oneline( X509_get_issuer_name( peer ),
            buffer, sizeof(buffer) ) ){
            if( info ) Set_str_value(info,ISSUER,buffer);
            DEBUG1("Open_SSL_connection: issuer '%s'", buffer );
        }
        /* the SSL_get_peer_certificate man page indicates that
           this memory is not freed */
        X509_free(peer); peer = 0;
    }
}


Question 2:
   Now I just KNOW that I saw this,  and everybody is going to laugh at this,
   but:

   If I have found a CERT using, say, peer = SSL_get_peer_certificate(ssl)
   as in the example above,  and I have a list of CERTS in a file or
   directory (i.e. - as for the CA cert, etc), how can I check to see
   if the peer cert (in the example) is in this list or directory?

   I just KNOW that I saw this in some SSL or related code, but I cannot
   remember the exact details and searching has not found it again.


Patrick Powell                 Astart Technologies
[EMAIL PROTECTED]              6741 Convoy Court
Network and System             San Diego, CA 92111
  Consulting                   858-874-6543 FAX 858-279-8424
LPRng - Print Spooler (http://www.lprng.com)



Re: Getting the CERT chain

2002-07-11 Thread Lutz Jaenicke

On Thu, Jul 11, 2002 at 07:12:30AM -0700, Patrick Powell wrote:
> Question 1:
> 
> Is there a simple way using exported (i.e. - available
> to general use via the openssl library and having definitions
> in openssl.h) OpenSSL functions to do the following:
> 
>During the SSL connection process, if a user CERT has
>been presented, get the cert chain?

SSL_get_peer_cert_chain().

> Question 2:
>Now I just KNOW that I saw this,  and everybody is going to laugh at this,
>but:
> 
>If I have found a CERT using, say, peer = SSL_get_peer_certificate(ssl)
>as in the example above,  and I have a list of CERTS in a file or
>directory (i.e. - as for the CA cert, etc), how can I check to see
>if the peer cert (in the example) is in this list or directory?
> 
>I just KNOW that I saw this in some SSL or related code, but I cannot
>remember the exact details and searching has not found it again.

OpenSSL itself uses hashes for comparison. If the hashes are identical,
so are the certificates.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
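
Added example, not part of Lutz's reply or of OpenSSL itself: the hash comparison described above, done with the `openssl` command line on the SHA-256 digest of each certificate's DER encoding (in C, `X509_cmp()` and `X509_digest()` serve the same purpose). The certificates are constructed throwaway self-signed ones, and all function names are this example's own.

```shell
#!/bin/sh
# Added example: is a certificate present in a PEM bundle of known certificates?
# Two certificates are the same when the digests of their DER encodings match.
# Function names and the *.example.test subjects are constructed.

# Print the SHA-256 fingerprint of the first certificate in PEM file $1.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print one fingerprint per certificate in bundle $1. openssl x509 reads only
# the first certificate of a file, so the bundle is split into single files.
bundle_fingerprints() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for f in "$tmp"/*.pem; do
        if [ -f "$f" ]; then fingerprint "$f"; fi
    done
    rm -rf "$tmp"
}

# Exit 0 if certificate $1 is in bundle $2, 1 if it is not, 2 on bad input.
cert_in_bundle() {
    want=$(fingerprint "$1")
    [ -n "$want" ] || return 2
    have=$(bundle_fingerprints "$2") || return 2
    printf '%s\n' "$have" | grep -qxF "$want"
}

# Create a throwaway self-signed certificate $2/$1.pem (constructed test data).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
        -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

# Demo: a and b are listed in the bundle, c is not.
work=$(mktemp -d)
for name in a b c; do make_cert "$name" "$work"; done
cat "$work/a.pem" "$work/b.pem" > "$work/bundle.pem"
for name in a b c; do
    if cert_in_bundle "$work/$name.pem" "$work/bundle.pem"; then
        echo "$name: listed"
    else
        echo "$name: not listed"
    fi
done
rm -rf "$work"
```

A match only says the certificate is byte-for-byte one of the listed ones; whether the chain verifies is still decided by the TLS library's own verification.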



Developing with ssl.

2002-07-11 Thread Rodrigo Cesar Herefeld


I'm writing an application that needs to communicate through tcp/ip, run in win32 and 
linux and transmit confidential data.
My doubts are:

-Can I use ssl to make the code portable? (and secure)
-How do I start? (I know some about sockets in linux, nothing about win32 sockets 
and nothing about ssl).
I don't have any way ($$) to buy books, I looked in the openssl.org but the 
material was useless to me, so I want something on the web I can read to start.

I would thank a lot any help.

Rodrigo



Re: Developing with ssl.

2002-07-11 Thread Shalu

Hi,
There are 2 books in the market

1. Network Security with OpenSSL (O'Reilly)
which is just out in the market

2. SSL and TLS: Designing and Building Secure Systems, by Eric 
Rescorla

Plus you can find some examples on how to set up ssl communication 
if you download the latest version
of the openssl library.
I think they are in the apps directory and named
client.c, server.c and inetdserv.c

check out this link also:

http://www.pdos.lcs.mit.edu/asrg/2000-11-13.html

Examples in the Eric book are here
http://www.rtfm.com/openssl-examples/



Good Luck

Shalendra



Further there are some more examples by Eric



On Thu, 11 Jul 2002 Rodrigo Cesar Herefeld wrote :
>
>I'm writing an application that needs to communicate through 
>tcp/ip, run in win32 and linux and transmit confidential data.
>My doubts are:
>
>   -Can I use ssl to make the code portable? (and secure)
>   -How do I start? (I know some about sockets in linux, nothing about 
>win32 sockets and nothing about ssl).
>   I don't have any way ($$) to buy books, I looked in the 
>openssl.org but the material was useless to me, so I want 
>something on the web I can read to start.
>
>I would thank a lot any help.
>
>Rodrigo



Newbie question, extending life of self-signed certs beyond 30 days.

2002-07-11 Thread Zac Taylor

Hi,
I have a RH 7.2 system running Apache 2.0.39 and
openssl-0.9.6b-8.
I used the openssl utilities to create a private key
and a self-signed certificate.
I noticed that my browser showed the certificate having
a validity of only a month, so I went to the
/usr/share/ssl/openssl.cnf file and changed the
following :
default_days = 3650
default_crl_days = 3650
default_md = sha1

Having re-created the self-signed cert and restarted
the web server, I noticed that the browser showed the
sha1 encryption (changed from md5), but no change to
the validity - I was expecting it to be 10 years.

Is there a way to change the default days for a
self-signed certificate? When I created it, I was not
prompted for the valid days.

Thanks in advance,
Zac.
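
Added example, not part of the original message: `default_days` sits in the `[ CA_default ]` section of openssl.cnf, which `openssl ca` reads, whereas `openssl req -x509` takes the lifetime from its `-days` option and uses 30 days when the option is absent. The sketch creates one certificate each way and checks the lifetime with `-checkend`; the subject name, file names and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: lifetime of a self-signed certificate made by `openssl req -x509`.
# Subject name, file names and function names are constructed.

# Create a throwaway key ($1.key) and self-signed certificate ($1).
# Any further arguments (for instance: -days 3650) are passed on to openssl req.
make_selfsigned() {
    out=$1
    shift
    openssl req -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# Succeed if the certificate in $1 is still valid $2 days from now.
valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the notAfter date of the certificate in $1.
expiry() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Demo: the same command with and without -days.
work=$(mktemp -d)
make_selfsigned "$work/default.pem"              # no -days given
make_selfsigned "$work/tenyear.pem" -days 3650   # lifetime set explicitly
echo "without -days : expires $(expiry "$work/default.pem")"
echo "with -days 3650: expires $(expiry "$work/tenyear.pem")"
rm -rf "$work"
```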




Possible Bug: RAND_pseudo_bytes, NT 4.0?

2002-07-11 Thread Matt Pauker

Hi,

I've encountered a possible bug with RAND_pseudo_bytes on Windows NT
4.0.  While I can call it just fine directly from an EXE, attempting to
call it from a DLL hangs the calling process.  It's easily reproducible:

SSL_library_init();
SSL_load_error_strings();
RAND_pseudo_bytes(buf, 32);

I tried doing a RAND_seed but that did not help.  Also, I have no problems
on Windows 98/2000/XP.

I will attempt to delve a little deeper into RAND_pseudo_bytes to see if I
can track down exactly where it's hanging, but it's pretty dense.  A brief
look at rand_win.c suggests that maybe the OpenSSL libraries need to be
compiled separately for NT 4.0 (they were compiled under XP) -- But in
that case why would it work from an EXE and not a DLL?

Any suggestions/comments would be greatly appreciated.

Thanks,
Matt




RE: Possible Bug: RAND_pseudo_bytes, NT 4.0?

2002-07-11 Thread Steven Reddie

I think I may have seen this once due to Lotus Notes.  A performance counter
entry in the registry was referring to a Notes DLL that did not exist
(perhaps the uninstaller didn't clean up properly) and when OpenSSL's
RAND_poll() queried the performance counters there was an extremely long
hang.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt Pauker
Sent: Friday, 12 July 2002 4:53 AM
To: [EMAIL PROTECTED]
Subject: Possible Bug: RAND_pseudo_bytes, NT 4.0?


Hi,

I've encountered a possible bug with RAND_pseudo_bytes on Windows NT
4.0.  While I can call it just fine directly from an EXE, attempting to
call it from a DLL hangs the calling process.  It's easily reproducible:

SSL_library_init();
SSL_load_error_strings();
RAND_pseudo_bytes(buf, 32);

I tried doing a RAND_seed but that did not help.  Also, I have no problems
on Windows 98/2000/XP.

I will attempt to delve a little deeper into RAND_pseudo_bytes to see if I
can track down exactly where it's hanging, but it's pretty dense.  A brief
look at rand_win.c suggests that maybe the OpenSSL libraries need to be
compiled separately for NT 4.0 (they were compiled under XP) -- But in
that case why would it work from an EXE and not a DLL?

Any suggestions/comments would be greatly appreciated.

Thanks,
Matt




RE: Possible Bug: RAND_pseudo_bytes, NT 4.0?

2002-07-11 Thread Steven Reddie

If you can recompile OpenSSL, try commenting out the code in rand_win.c that
does this querying.

Steven

-Original Message-
From: Steven Reddie [mailto:[EMAIL PROTECTED]]
Sent: Friday, 12 July 2002 2:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Bug: RAND_pseudo_bytes, NT 4.0?


I think I may have seen this once due to Lotus Notes.  A performance counter
entry in the registry was referring to a Notes DLL that did not exist
(perhaps the uninstaller didn't clean up properly) and when OpenSSL's
RAND_poll() queried the performance counters there was an extremely long
hang.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt Pauker
Sent: Friday, 12 July 2002 4:53 AM
To: [EMAIL PROTECTED]
Subject: Possible Bug: RAND_pseudo_bytes, NT 4.0?


Hi,

I've encountered a possible bug with RAND_pseudo_bytes on Windows NT
4.0.  While I can call it just fine directly from an EXE, attempting to
call it from a DLL hangs the calling process.  It's easily reproducible:

SSL_library_init();
SSL_load_error_strings();
RAND_pseudo_bytes(buf, 32);

I tried doing a RAND_seed but that did not help.  Also, I have no problems
on Windows 98/2000/XP.

I will attempt to delve a little deeper into RAND_pseudo_bytes to see if I
can track down exactly where it's hanging, but it's pretty dense.  A brief
look at rand_win.c suggests that maybe the OpenSSL libraries need to be
compiled separately for NT 4.0 (they were compiled under XP) -- But in
that case why would it work from an EXE and not a DLL?

Any suggestions/comments would be greatly appreciated.

Thanks,
Matt




Re: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26

2002-07-11 Thread Silvex Security Team

Dude, I went over the same thing. There is no easy way to update any of Red Hat's RPM 
packages with no re-compile on your packages. The reason being that most of the 
utilities are dependent on each other. If you install OpenSSL 9.6.0f and the RH version 
of openssh was compiled with 0.9.6c, it will not start.

Also when you install any of the OpenSSH, OpenSSL, PHP etc., they ALL default to 
/usr/local, not /usr/lib.

Now, if you build an RPM for these, that might work. EXCEPT that you must hunt down 
where all of the includes, libraries, binaries are!!!

I myself gave up and this is what I did.

I did RPM -e for OpenSSL, SSH, apache, PHP and any utilities that needed these 
libraries and utilities. This also includes mod_ssl, stunnel, imap etc.

Once I verified that they were gone, I installed one by one OpenSSL, sfio (for 
Sendmail), zlib, OpenSSH, Sendmail, named, mod_php, Apache. They now work MUCH MUCH 
faster and I now know EXACTLY how they were built.

I plan to install RH 7.3 soon. I will do the full install and then gut it from all of 
the things I want to compile and maintain myself: Sendmail, Samba, Named, SSH, SSL, 
Apache, PHP, Perl. Just to name the ones that come to my head. I will not install ftp, 
tftp, telnet, NFS, since I don't use them. Why keep them around...;)

I will probably build RPM packs for the above just for the sake of completeness and 
easier upgrades.
 
My two cents.

-Ed


> 
> Try again and use openssl-0.9.6b...This may help
> 
> -Original Message-
> From: Joseph Botto [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 10, 2002 8:57 PM
> To: [EMAIL PROTECTED]
> Cc: Graham
> Subject: Install Problems with OpenSSL 0.9.6d and Apache 1.3.26
> 
> 
> Hello all. I'm new to all of this stuff, and am desperately in need of some
> help.
> Here's the deal:
> 
> I'm installing Apache 1.3.26, OpenSSL 0.9.6d, PHP 4.2.1, MySQL 3.23, mod_ssl
> 2.8.10, etc
> on a Red Hat v7.2 box. Now, everything installs and compiles properly
> (without errors), yet SSL is not working.
> 
> When I do an nmap localhost, it says that Apache is listening on 80 and 443.
> But, trying
> to go to https://servername gives a "Cannot Find Server". Also, Apache
> doesn't write anything
> to the error_log or access_log about those attempted accesses, nor does
> anything show up in
> the ssl_engine logs.
> 
> A list of all the commands I executed are here:
> http://iras.reserv.usf.edu/dox.txt
> 
> Can someone help? =)
> 
> -Joe
> [EMAIL PROTECTED]
> 
> 