Outlook DOES NOT support client-side certs
This is for the purposes of the list archives, as I have wasted a great deal of time on this and there is misleading information on the Internet.

I have tested Outlook 2002, both with and without Office ServicePack1 and Office ServicePack2 (independently), on 4 different workstations, and I can say with a high degree of certainty that Microsoft Outlook does NOT support the use of client-side certificates. It simply does not return the certificate when prompted for it, and then fails to connect.

I was very thorough in my testing, trying everything including making sure that the cert 'cn' matched the email address of the IMAP account, and it just doesn't work. Several hours of Google searches and Microsoft KnowledgeBase searches did not produce any information on this subject.

Thanks,
Derek Simkowiak
dereks at itsite dot com

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
RE: config file help
Richard,

> Eric Weitzman [EMAIL PROTECTED] said:
>
> eweitzman> Is there any overview documentation on the relationship
> eweitzman> between the keys and sections in openssl.cnf and both the
>
> Isn't http://www.openssl.org/docs/apps/req.html enough?

There's a small blurb about distinguished_name ending by saying that the section it refers to is explained in the next section of that manual. That section is basically right below said blurb.

This is enough to document req. But I was looking for overview documentation of the config file per se. Being new to openssl, it's a leap to go from a code distribution and command descriptions to understanding the config file. It's an even bigger leap to understand that one anticipated usage pattern for req requires that an app will write the config file to supply specific values for the distinguished name fields of the request. Normally, the config file tells the app how to act globally, not how to behave for a specific invocation of the app.

It was while glimpsing this unique arrangement that I wondered, is there some overview documentation that spells out the relationships between commands-sections-keys-other_sections. It would be nice if this was done in general, or as a compendium of all the various commands' usage of the config file in the config file documentation. For example, are req and ca the only commands that have their own eponymously-named sections with keys whose values point to other sections? Or are there others? Are the OIDs in the section pointed to by the global key oid_section used by more than x509? (I'll answer this for myself shortly... see below)

> Generally, look at the manual for each command, and you will hopefully
> find what you're looking for.

I will take your advice and look for the information this way.

> If you find the manuals incomplete, please tell us in detail what's
> missing or should be changed, and we'll do our best to correct it.

I'm spiraling in to an understanding of the system as the blind men came to understand the elephant. Since I'm interested in the CA capabilities, a document that describes how ca, req, and x509 fit together and are configured would be helpful.

> Note: the manuals on the web are for the development

Given this note, I understand that my documentation desires might go unheeded! NP, I was just asking.

Thanks,
- Eric
Re: anybody using EGADS?
Hi Stephen,

Thanks for the reply. You're absolutely right. It does appear that I am not blocked indefinitely... it certainly does take a while to gather entropy. I was using nBytes = 1024. Then I tried 512. Still very long time. Any suggestions on what a number should be for acceptable randomness? Does anybody have any alternative suggestions? Does anybody know how Apache seeds the OpenSSL PRNG on Windows? I think Apache uses OpenSSL, don't they?

Thanks,
Ed

--- Stephen G. Schoggen [EMAIL PROTECTED] wrote:
> Ed,
>
> I tried EGADS on Windows (PIII 866) and found that its time to 'gather
> entropy' was noticeable beyond nBytes=4. So if you use a relatively
> large nBytes, then it would appear to block.
>
> Steve
>
> > Hi there,
> >
> > Is anybody using EGADS on Windows? I'm having a problem using it.
> > I've downloaded the source and built everything. The egads service
> > is running. I've written a program that links with egads.dll. I have
> > a function that tries to seed the OpenSSL PRNG:
> >
> >     #include <openssl/rand.h>
> >     #include <egads.h>
> >
> >     // Pull nBytes of entropy from the EGADS service and feed it to the
> >     // OpenSSL PRNG. Returns false if EGADS is unreachable or fails.
> >     bool seedPRNG(int nBytes)
> >     {
> >         prngctx_t ctx;
> >         int nError;
> >
> >         // NULL socket name and random file: use the EGADS defaults
> >         egads_init(&ctx, 0, 0, &nError);
> >         if (nError != 0) {
> >             DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
> >             return false;
> >         }
> >
> >         char* pBuf = new char[nBytes + 1];
> >         // Blocks until EGADS has gathered nBytes of entropy
> >         egads_entropy(&ctx, pBuf, nBytes, &nError);
> >         bool bOK = (0 == nError);
> >         if (bOK) {
> >             RAND_seed(pBuf, nBytes);
> >         }
> >         delete [] pBuf;
> >         egads_destroy(&ctx);
> >         return bOK;
> >     }
> >
> > However, I seem to be blocking inside (presumably as egads gathers
> > entropy), but it seems like I never unblock. Can anybody tell me
> > what I'm doing wrong?
> >
> > Thanks,
> > Ed
> >
> > __
> > Do you Yahoo!?
> > Y! Web Hosting - Let the expert host your web site
> > http://webhosting.yahoo.com/
Re: config file help
In message [EMAIL PROTECTED] on Tue, 22 Oct 2002 13:05:40 -0700, Eric Weitzman [EMAIL PROTECTED] said:

eweitzman> Richard,
eweitzman>
eweitzman> > Eric Weitzman [EMAIL PROTECTED] said:
eweitzman> >
eweitzman> > eweitzman> Is there any overview documentation on the relationship
eweitzman> > eweitzman> between the keys and sections in openssl.cnf and both the
eweitzman> >
eweitzman> > Isn't http://www.openssl.org/docs/apps/req.html enough?
eweitzman>
eweitzman> There's a small blurb about distinguished_name ending by saying
eweitzman> that the section it refers to is explained in the next section of
eweitzman> that manual. That section is basically right below said blurb.
eweitzman>
eweitzman> This is enough to document req. But I was looking for
eweitzman> overview documentation of the config file per se.

http://www.openssl.org/docs/apps/config.html

eweitzman> It's an even bigger leap to understand that one anticipated
eweitzman> usage pattern for req requires that an app will write the
eweitzman> config file to supply specific values for the distinguished
eweitzman> name fields of the request.

Not quite. There are two ways you can do this; 1) use the -subj option when you call req, or 2) change all the {foo}_default values to come from environment variables, and then set all those environment variables to sensible values and call req with -batch. An example:

    [ req_distinguished_name ]
    countryName         = Country Name (2 letter code)
    countryName_default = ${ENV::COUNTRYNAME}
    countryName_min     = 2
    countryName_max     = 2

eweitzman> It was while glimpsing this unique arrangement that I
eweitzman> wondered, is there some overview documentation that spells
eweitzman> out the relationships between
eweitzman> commands-sections-keys-other_sections. It would be nice
eweitzman> if this was done in general, or as a compendium of all the
eweitzman> various commands' usage of the config file in the config
eweitzman> file documentation. For example, are req and ca the only
eweitzman> commands that have their own eponymously-named sections
eweitzman> with keys whose values point to other sections? Or are
eweitzman> there others? Are the OIDs in the section pointed to by the
eweitzman> global key oid_section used by more than x509? (I'll
eweitzman> answer this for myself shortly... see below)

I think you need a general understanding of OpenSSL. The OpenSSL commands are really quite independent. Each of them has its own name as the main section of the configuration file to look in. The only ones that look in the configuration file are req, x509 and ca, so the main sections in the configuration file are [req], [x509] and [ca]. All other sections are somehow referenced from somewhere else, and those details are specific to each command.

oid_section is used by req, x509 and ca. Perhaps that isn't entirely clear, although it is mentioned in each of those manual pages.

eweitzman> I'm spiraling in to an understanding of the system as the
eweitzman> blind men came to understand the elephant. Since I'm
eweitzman> interested in the CA capabilities, a document that
eweitzman> describes how ca, req, and x509 fit together and are
eweitzman> configured would be helpful.

In general, you can ignore x509 except for two purposes: 1) to create a root certificate if you need to, and 2) to look at certificates. It only uses the configuration when creating certificates.

req is used to create certificate requests, ca is used to sign them. Basically, the users wanting certificates would use req, and the CA administrator would use ca...

eweitzman> > Note: the manuals on the web are for the development
eweitzman>
eweitzman> Given this note, I understand that my documentation desires
eweitzman> might go unheeded!

Not necessarily, but we do have a certain structure, and it seems like some overall manual that would direct you better than http://www.openssl.org/docs/apps/openssl.html does is what you would have needed. Is that correct?

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                   \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
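Both of the routes Richard describes, as an added worked example that is not part of the thread or of the OpenSSL distribution: a req config whose `*_default` values are pulled from the environment with `${ENV::NAME}` and driven by `-batch`, beside the `-subj` shortcut that bypasses the DN section altogether. It assumes the `openssl` CLI on PATH (1.1.x or 3.x) and, for the `-subj` variant, the default openssl.cnf being present; the file and variable names (env.cnf, COUNTRYNAME, ORGNAME, CN) are ours. It also shows the failure mode Richard's example implies but does not spell out: an `${ENV::...}` reference to a variable that is not exported makes config loading fail before req does anything.

```sh
#!/bin/sh
# Added example, not from the thread: the two ways Richard describes for
# giving `openssl req` a subject without hand-editing openssl.cnf per run.
# Assumes the openssl CLI on PATH (1.1.x or 3.x) and, for the -subj variant,
# the default openssl.cnf; file and variable names here are ours.
set -eu

# Way 2: a req config whose *_default values come from the environment.
# OpenSSL expands ${ENV::NAME} while loading the file, so every variable
# named here must be exported before req runs, or loading fails outright.
write_env_cnf() {         # write_env_cnf <path>
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = yes

[ req_distinguished_name ]
countryName              = Country Name (2 letter code)
countryName_default      = ${ENV::COUNTRYNAME}
countryName_min          = 2
countryName_max          = 2
organizationName         = Organization Name
organizationName_default = ${ENV::ORGNAME}
commonName               = Common Name
commonName_default       = ${ENV::CN}
EOF
}

# -batch turns every prompt into "take the default", so the exported
# variables become the request's DN. Needs COUNTRYNAME, ORGNAME, CN exported.
csr_from_env() {          # csr_from_env <config> <keyfile> <csrfile>
    openssl req -new -batch -config "$1" -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Way 1: -subj supplies the DN directly; the config's DN section is ignored.
csr_from_subj() {         # csr_from_subj "/C=../O=../CN=.." <keyfile> <csrfile>
    openssl req -new -subj "$1" -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Subject of a CSR, e.g. "subject=C = SE, O = Example, CN = env.example.test"
csr_subject() {           # csr_subject <csrfile>
    openssl req -in "$1" -noout -subject
}

demo() {
    d=$(mktemp -d)
    write_env_cnf "$d/env.cnf"
    COUNTRYNAME=SE ORGNAME=Example CN=env.example.test
    export COUNTRYNAME ORGNAME CN
    csr_from_env "$d/env.cnf" "$d/env.key" "$d/env.csr"
    csr_subject "$d/env.csr"
    csr_from_subj "/C=SE/O=Example/CN=subj.example.test" "$d/subj.key" "$d/subj.csr"
    csr_subject "$d/subj.csr"
    # With CN unset, the ${ENV::CN} reference has no value and req refuses to load the config.
    unset CN
    csr_from_env "$d/env.cnf" "$d/x.key" "$d/x.csr" || echo "unset CN: config load failed, as expected"
}
```

Source the file and call `demo`, or call the functions individually. The environment route is the one to prefer when a wrapper program drives req for many users, since it never writes a per-invocation copy of openssl.cnf; `-subj` is simpler for one-off requests but pushes the whole DN onto the command line, where it is visible in process listings.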
Re: Are self signed certificates bad?
On Tue, Oct 22, 2002 at 12:50:04PM +0200, Martin Witzel wrote:
> Except when you have an independent means to verify that
> a) the self-signed certificate which you received during the handshake
>    comes from the entity which claims to be the originator
> b) you also feel comfortable to trust this entity which issues its own
>    certificate
> self-signed server certificates are essentially meaningless.

Any certificate provides a public key that could be used to run some crypto protocol. It is crypto that actually creates value, making verification tools work and trust possible.

> Self-signed client certificates are even less useful in my opinion.
> The server sends a selection of trusted certificates during the
> handshake, and the client is supposed to select the one certificate
> from its client certificates which can be traced to one of these
> trusted signing entities. Otherwise the client must send an alert.
> Since a self-signed client certificate can never be traced to some
> other independent signing entity, this mechanism must break for client
> authentication. The mechanism is described as part of the SSL spec, if
> I recall this right. In other words, a self-signed client cert is not
> even spec-conformant in my opinion.

According to RFC 2246, the server sends (quoting) a "list of the distinguished names of acceptable certificate authorities... [that] names may specify a desired distinguished name for a root CA or for a subordinate CA", clause 7.4.4. The client sends an empty client certificate message in case (quoting) "no suitable certificate is available", or it could send the alert.

I can't find a requirement to reject a self-signed client certificate that the server could find in its local database of known public keys. I could imagine a self-signed client certificate used to prove "I'm the same guy that sent some electronic cash yesterday". That could work for the case of a merchant who cares that users pay and doesn't care what their name is and whether it's confirmed by some well-known CA.

happy speculating,
Vadim
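The "local database of known public keys" Vadim has in mind, as an added example that is not part of the thread: the server enrols a self-signed client certificate by recording the SHA-256 of its SubjectPublicKeyInfo, and later accepts a presented certificate only if that key is on file. The same decision is then made a second way, by handing `openssl verify` the enrolled certificates as the trust store, which works because a self-signed certificate validates only when it is itself the anchor, which is Martin's point from the other side. It goes one step beyond the text by adding an impostor cert with the same subject name but a different key, to show that the name alone buys nothing. It assumes the `openssl` CLI on PATH with a default openssl.cnf present; the names (alice, mallory, known.db, trusted.pem) and the file layout are ours.

```sh
#!/bin/sh
# Added example, not from the thread: a server-side record of known client
# public keys that makes a self-signed client cert usable, plus a same-name
# impostor that is rejected. Assumes the openssl CLI on PATH and a default
# openssl.cnf; the names and files below are ours.
set -eu

# Self-signed client cert for the given subject, written as key + cert PEM.
make_selfsigned() {       # make_selfsigned "/CN=name" <keyfile> <certfile>
    openssl req -x509 -new -subj "$1" -days 30 -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo: this identifies the key, not the
# certificate, so a client that re-issues its own self-signed cert still matches.
spki_fingerprint() {      # spki_fingerprint <certfile>  -> 64 hex chars
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Enrolment (out of band, once): append the key fingerprint to the database.
register_client() {       # register_client <db> <certfile>
    spki_fingerprint "$2" >> "$1"
}

# Authentication: returns 0 if the presented cert carries an enrolled key,
# 1 otherwise. Nothing in the cert itself can vouch for it; only this record.
is_known_client() {       # is_known_client <db> <certfile>
    fp=$(spki_fingerprint "$2")
    grep -qx "$fp" "$1"
}

# Same decision via the path builder: the enrolled certs are the trust store,
# and a self-signed cert only passes when it is one of those anchors.
verify_against_store() {  # verify_against_store <trusted.pem> <certfile>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_selfsigned "/CN=alice" "$d/alice.key"   "$d/alice.pem"
    make_selfsigned "/CN=alice" "$d/mallory.key" "$d/mallory.pem"   # same name, other key
    register_client "$d/known.db" "$d/alice.pem"
    cat "$d/alice.pem" > "$d/trusted.pem"
    is_known_client "$d/known.db" "$d/alice.pem"   && echo "alice: key on file"
    is_known_client "$d/known.db" "$d/mallory.pem" || echo "mallory: unknown key"
    verify_against_store "$d/trusted.pem" "$d/alice.pem"   && echo "alice: verify OK"
    verify_against_store "$d/trusted.pem" "$d/mallory.pem" || echo "mallory: verify failed"
}
```

Source the file and call `demo`. In a real server the fingerprint check would run inside the verify callback after the handshake delivers the client cert; the `openssl verify` form is the equivalent if you would rather ship the enrolled certs as the CA file, but note it then also accepts anything those certs sign if they carry CA:TRUE, so the key-pinning form is the tighter of the two.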
Re: anybody using EGADS?
Not exactly open source, but http://www.intel.com/design/security/rng/rng-capi.htm "Accessing the Intel® Random Number Generator through a CSP for Microsoft* CryptoAPI" describes how to access the Intel *hardware* RNG. Might be of some use to you on Windows platforms. (I believe some *NIXs use the same hardware to populate /dev/random when on Intel platforms.)

Edward Chan [EMAIL PROTECTED] wrote on 10/22/2002 01:13 PM (Subject: Re: anybody using EGADS?):

> Hi Stephen,
>
> Thanks for the reply. You're absolutely right. It does appear that I am
> not blocked indefinitely... it certainly does take a while to gather
> entropy. I was using nBytes = 1024. Then I tried 512. Still very long
> time. Any suggestions on what a number should be for acceptable
> randomness? Does anybody have any alternative suggestions? Does anybody
> know how Apache seeds the OpenSSL PRNG on Windows? I think Apache uses
> OpenSSL, don't they?
>
> Thanks,
> Ed
>
> [...]
FW: updates (SSL-Certificates-HOWTO)
I'm pleased to announce a new version of the SSL-Certificates-HOWTO.

Thanks to all for your contributions and comments.

Can someone put a link on the openssl.org web site? Thanks.

Comments, criticism, ... you know how to reach me...

Cheers.

-----Original Message-----
From: Greg Ferguson [mailto:gferg;hoop.timonium.sgi.com]
Sent: Wednesday, 23 October 2002 11:17
To: [EMAIL PROTECTED]
Subject: updates (SSL-Certificates-HOWTO)

SSL Certificates HOWTO
Franck Martin
v0.5 2002-10-20
* updated
http://tldp.org/HOWTO/SSL-Certificates-HOWTO/
installation openssl urgent!
Hi all!

I have problems with openssl in an installation of a WAP gateway; I'm using RedHat 7.2. When I was trying to install the gateway rpm I got these messages:

    libcrypto.so.0.9.6 required
    libssl.so.0.9.6 required

To solve it I removed the openssl-0.9.6 rpm (is it right?) and I just downloaded the openssl source code (openssl-0.9.6g) and compiled it into /usr/local/ssl:

    ./config
    make
    make test
    make install

After that I wrote the path /usr/local/ssl/lib in ld.so.config and ran the command ldconfig. Did I forget some important step in the installation of openssl? ... After that I tried to install the gateway rpm again, but I got the same reply:

    libcrypto.so.0.9.6 required
    libssl.so.0.9.6 required

Could anybody explain to me how I can solve it? Please!

Looking for another solution, I tried to install the gateway source (tar.gz). But when I configure the gateway with

    ./configure --prefix=/usr/local/kannel_test --with-ssl=/usr/local/ssl --with-wtls=openssl --enable-start-stop-daemon --enable-ssl --disable-docs

I get this:

    ...
    Configuring OpenSSL support ...
    checking whether to compile with SSL support... trying /usr/local/ssl/lib /usr/local/ssl/include
    checking for openssl... /usr/local/ssl/bin/openssl
    checking for CRYPTO_lock in -lcrypto... yes
    checking for SSL_library_init in -lssl... yes
    checking for SSL_connect in -lssl... yes
    checking for openssl/x509.h... no
    checking for openssl/rsa.h... no
    checking for openssl/crypto.h... no
    checking for openssl/pem.h... no
    checking for openssl/ssl.h... no
    checking for openssl/err.h... no
    checking whether the OpenSSL library is multithread-enabled... yes
    checking whether to compile with SSL support... yes
    Configuring MySQL support ...
    checking whether to compile with MySQL support... disabled
    Configuring WTLS support ...
    checking for WTLS library... openssl
    checking for RSA_new in -lcrypto... yes
    checking for openssl/objects.h... no
    configure: warning: OpenSSL installation seems to lack RC5 algorithm!
    checking for openssl/rc5.h... no
    configure: warning: OpenSSL installation seems to lack RC5 algorithm!

But my openssl has the rc5 algorithm! And openssl/x509.h, openssl/rsa.h, openssl/crypto.h, openssl/pem.h, openssl/ssl.h, openssl/err.h, openssl/objects.h and openssl/rc5.h are in the directory /usr/local/ssl/include/openssl, so I don't know why the kannel gateway doesn't recognize them.

Please, could anybody help me with this problem? Any idea? Am I installing the openssl tar.gz correctly?

Thanks in advance,
Ivone
Re: installation openssl urgent!
It looks like you have an issue with your include files . . . try setting CPPFLAGS=-I/usr/local/ssl/openssl, or whatever the path to your rc5.h file is, then run configure. Let me know if that doesn't work.

regards,
guy

Ivone Uribe wrote:
> Hi all!
>
> I have problems with openssl in an installation of a WAP gateway; I'm
> using RedHat 7.2. When I was trying to install the gateway rpm I got
> these messages: libcrypto.so.0.9.6 required libssl.so.0.9.6 required.
> [...]
> checking for openssl/rc5.h... no
> configure: warning: OpenSSL installation seems to lack RC5 algorithm!
> [...]
Re: anybody using EGADS?
Hi Ed,

Knowing very little about any of this cryptography stuff, I have no idea what value of nBytes is enough. I think the wisdom, though, is that it depends upon your situation. From what I've read, the whole purpose of cryptography is to make it too difficult for an attacker to succeed with an attack. Obviously, how much effort you have to make to thwart an attack depends to a significant degree upon how much effort the attacker is willing to make. That would depend upon how valuable the information is, etc.

In my particular application of SSL, I don't think the information being transferred is terribly sensitive. So I just chose to use RAND_screen() on Windows to seed the PRNG. Although Viega, et al., page 99 (Network Security with OpenSSL, O'Reilly), makes it clear that he thinks RAND_screen() is a poor choice at best, it is described as using a hash of the current screen scan-lines for entropy. I'm no math wiz, but it's hard for me to see how any attacker could determine what the results of that are, regardless of effort. Perhaps if the attacker can see the screen...

I conclude that with cryptography, as with other things in life, we all just have to decide when enough is enough and move on.

Steve

> Not exactly open source, but
> http://www.intel.com/design/security/rng/rng-capi.htm "Accessing the
> Intel® Random Number Generator through a CSP for Microsoft* CryptoAPI"
> describes how to access the Intel *hardware* RNG. Might be of some use
> to you on Windows platforms. (I believe some *NIXs use the same
> hardware to populate /dev/random when on Intel platforms.)
>
> Edward Chan [EMAIL PROTECTED] wrote on 10/22/2002 01:13 PM:
> [...]
Re: FW: updates (SSL-Certificates-HOWTO)
Thanks Franck. I have referred to your docs often.

--- Franck Martin [EMAIL PROTECTED] wrote:
> I'm pleased to announce a new version of the SSL-Certificates-HOWTO.
> [...]
> http://tldp.org/HOWTO/SSL-Certificates-HOWTO/
Re: installation openssl urgent!
Set it in your environment . . . just before you run configure, type:

    CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS

then run configure. The CPPFLAGS environment setting should tell configure to check in that directory for the include files it needs. Again, let me know if you have a problem.

regards,
guy

Ivone Uribe wrote:
> Hi Guy!
>
> Thanks for your reply :) but where do I set
> CPPFLAGS=-I/usr/local/ssl/openssl? The rc5.h is in
> /usr/local/ssl/include/openssl and the libs like libcrypto are in
> /usr/local/ssl/libs, so I guess I have to set this path:
> -I/usr/local/ssl/include/openssl... is that right?... but where do I
> set it?
>
> Regards,
> Ivone
>
> > From: Guy Matz [EMAIL PROTECTED]
> > Date: Tue, 22 Oct 2002 21:59:26 -0400
> > Subject: Re: installation openssl urgent!
> >
> > It looks like you have an issue with your include files . . . try
> > setting CPPFLAGS=-I/usr/local/ssl/openssl, or whatever the path to
> > your rc5.h file is, then run configure. Let me know if that doesn't
> > work.
> > [...]
Re: installation openssl urgent!
Thanks Guy, I hope I'm not boring you, but I'm a little new with this. Well, if I understand you... I have to do this:

    # cd usr/local/ssl
    # CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS
    # ./configure

Are these steps right? It is to compile my old openssl, so I don't need to erase my old installation, isn't it?

Regards,
Ivone

> From: Guy Matz [EMAIL PROTECTED]
> Date: Tue, 22 Oct 2002 23:30:08 -0400
> Subject: Re: installation openssl urgent!
>
> Set it in your environment . . . just before you run configure, type:
>
>     CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS
>
> then run configure. The CPPFLAGS environment setting should tell
> configure to check in that directory for the include files it needs.
> [...]
Re: anybody using EGADS?
Ed,

See the book Network Security with OpenSSL. With 4 bits of entropy, an attacker has a 1 in 16 chance of guessing the right seed. If you're creating 128-bit keys you should use 128 bits of entropy; anything less than 64 bits may not be secure enough. I am not sure how nBytes is read. To get 128 bits of entropy you should use nBytes = 16. Right? However, at nBytes = 128 it takes about 55 seconds to gather entropy on Windows.

Marcus

- Original Message -
From: Edward Chan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 22, 2002 1:13 PM
Subject: Re: anybody using EGADS?

Hi Stephen,

Thanks for the reply. You're absolutely right. It does appear that I am not blocked indefinitely... it certainly does take a while to gather entropy. I was using nBytes = 1024. Then I tried 512. Still a very long time. Any suggestions on what the number should be for acceptable randomness? Does anybody have any alternative suggestions? Does anybody know how Apache seeds the OpenSSL PRNG on Windows? I think Apache uses OpenSSL, don't they?

Thanks,
Ed

--- Stephen G. Schoggen [EMAIL PROTECTED] wrote:

Ed,

I tried EGADS on Windows (PIII 866) and found that its time to 'gather entropy' was noticeable beyond nBytes=4. So if you use a relatively large nBytes, then it would appear to block.

Steve

Hi there,

Is anybody using EGADS on Windows? I'm having a problem using it. I've downloaded the source and built everything. The egads service is running. I've written a program that links with egads.dll. I have a function that tries to seed the OpenSSL PRNG:

    #include <egads.h>          /* EGADS client API: egads_init/egads_entropy/egads_destroy */
    #include <openssl/rand.h>   /* RAND_seed */

    bool seedPRNG(int nBytes)
    {
        prngctx_t ctx;
        int nError;

        /* default socket name and random file (0, 0); error is returned through nError */
        egads_init(&ctx, 0, 0, &nError);
        if (nError != 0) {
            DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
            return false;
        }

        char* pBuf = new char[nBytes + 1];
        /* blocks until the egads service has gathered nBytes of entropy */
        egads_entropy(&ctx, pBuf, nBytes, &nError);
        bool bOK = (0 == nError);
        if (bOK) {
            RAND_seed(pBuf, nBytes);
        }
        delete [] pBuf;
        egads_destroy(&ctx);
        return bOK;
    }

However, I seem to be blocking inside (presumably as egads gathers entropy), but it seems like I never unblock. Can anybody tell me what I'm doing wrong?

Thanks,
Ed
Error Log
Hi

My SSL server periodically outputs the same error messages, as follows:

    [Sun Oct 13 05:35:26 2002] [error] SSL_accept failed
    [Sun Oct 13 09:05:40 2002] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

This server runs OPENSSL-0.95a and Apache-SSL 1.3.22 on Linux.

Does anybody know how I can stop these messages?

Hara
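Added example, not part of Hara's post: a small Python parser for error_log lines of the shape quoted above that unpacks the hex OpenSSL error code the way ERR_PACK() lays it out (library 20 = SSL, function 118 = SSL23_GET_CLIENT_HELLO, reason 156 = "http request") and tags entries whose reason means a client sent plain HTTP to the SSL port, so they can be counted and filtered from alerting instead of being treated as a server fault. The ERR_LIB_SSL value and the reason texts come from the OpenSSL headers; the sample log lines are constructed.

```python
import re
from collections import Counter

ERR_LIB_SSL = 20  # OpenSSL err.h: library number of the SSL library (0x14)

# OpenSSL reason texts meaning the peer sent cleartext HTTP instead of a
# ClientHello on the TLS port (misconfigured link, http:// to port 443, scanner).
PLAINTEXT_REASONS = {"http request", "https proxy request"}

# Constructed sample lines, modelled on the two quoted in the post above.
SAMPLE_LOG = """\
[Sun Oct 13 05:35:26 2002] [error] SSL_accept failed
[Sun Oct 13 09:05:40 2002] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
[Sun Oct 13 09:05:41 2002] [error] SSL_accept failed
[Sun Oct 13 11:12:03 2002] [error] error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
ERR_RE = re.compile(
    r"^error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")


def unpack_err(code):
    """Split a packed OpenSSL error code as ERR_PACK() lays it out:
    library in bits 24-31, function in bits 12-23, reason in bits 0-11."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Parse one Apache-SSL error_log line; None if it is not in that shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "msg": m["msg"], "code": None}
    e = ERR_RE.match(m["msg"])
    if e:
        code = int(e["code"], 16)
        lib, func, reason = unpack_err(code)
        rec.update(code=code, lib=lib, func=func, reason=reason,
                   func_text=e["func"], reason_text=e["reason"].strip())
    return rec


def classify(rec):
    """Bucket a record so plaintext-to-TLS-port noise can be filtered out."""
    if rec["code"] is None:
        return "handshake-failed"  # bare 'SSL_accept failed', no OpenSSL detail
    if rec["lib"] == ERR_LIB_SSL and rec["reason_text"] in PLAINTEXT_REASONS:
        return "plaintext-on-tls-port"
    return "other-ssl-error"


def summarize(log_text):
    """Count parseable log lines per bucket; other lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{bucket}: {n}")
```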
Re: anybody using EGADS?
Thanks Dick. I heard about the Intel RNG. Unfortunately, we may also run on AMD machines, in which case this wouldn't be portable. But it might be worth looking into.

Thanks again,
Ed

--- [EMAIL PROTECTED] wrote:

Not exactly open source, but http://www.intel.com/design/security/rng/rng-capi.htm "Accessing the Intel® Random Number Generator through a CSP for Microsoft* CryptoAPI" describes how to access the Intel *hardware* RNG. Might be of some use to you on Windows platforms. (I believe some *NIXs use the same hardware to populate /dev/random when on Intel platforms.)
Re: anybody using EGADS?
I hear what you're saying, and I totally agree. The problem with using RAND_screen() is that the app I'm writing is a server. So it may be running on a box hidden away in some closet, and may not even have a monitor attached to it. So there may not be any user interaction at all, in which case this may not provide very much entropy. But I hear what you're saying.

Thanks.
Ed

--- Stephen G. Schoggen [EMAIL PROTECTED] wrote:

Hi Ed,

Knowing very little about any of this cryptography stuff, I have no idea what value of nBytes is enough. I think the wisdom, though, is that it depends upon your situation. From what I've read, the whole purpose of cryptography is to make it too difficult for an attacker to succeed with an attack. Obviously, how much effort you have to make to thwart an attack depends to a significant degree upon how much effort the attacker is willing to make. That would depend upon how valuable the information is, etc.

In my particular application of SSL, I don't think the information being transferred is terribly sensitive. So I just chose to use RAND_screen() on Windows to seed the PRNG. Although Viega et al., page 99 (Network Security with OpenSSL, O'Reilly), make it clear that they think RAND_screen() is a poor choice at best, it is described as using a hash of the current screen scan-lines for entropy. I'm no math wiz, but it's hard for me to see how any attacker could determine what the results of that are, regardless of effort. Perhaps if the attacker can see the screen...

I conclude that with cryptography, as with other things in life, we all just have to decide when enough is enough and move on.

Steve
Re: anybody using EGADS?
Ah, thanks Marcus. We're talking bits, not bytes, I see. In that case, I'm using way too big a number.

Thanks,
Ed
Re: OpenSSL PROBLEM on HP-UX 11.00 and 11.11 (11i)
On Mon, Oct 21, 2002 at 02:50:43PM -0700, J wrote:

Has anyone had trouble with using the OpenSSL library on HP-UX?? I am using version 0.9.6d and there seems to be an intermittent problem with the digest encryption, or just some of the encryption/decryption routines in the OpenSSL toolkit. It does not happen all the time on HP-UX 11i, but it occurs all the time in HP-UX 11.00, in that the encryption and decryptions do not work. This was just recently ported to the HP-UX source tree of the product that is using OpenSSL.

We have not had any report about a similar failure. I am using openssl on HP-UX 10.20 and could not see any problem yet. I am afraid that without a more specific problem report we will not be able to help you in narrowing down the issue.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: OpenSSL PROBLEM on HP-UX 11.00 and 11.11 (11i)
We are using OpenSSL 0.9.6g on HP-UX 11.00 and 11.11 without any trouble. It's bundled into our CDS package (OpenLDAP+OpenSSL+Heimdal+SASL) and is available for free download from www.symas.com. We aren't doing anything fancy here, just using libssl for LDAP connection security, but it works without any issues.

--
Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-openssl-dev;openssl.org] On Behalf Of Lutz Jaenicke
Sent: Tuesday, October 22, 2002 12:02 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: OpenSSL PROBLEM on HP-UX 11.00 and 11.11 (11i)