Outlook DOES NOT support client-side certs

2002-10-22 Thread Derek Simkowiak

This is for the purposes of the list archives, as I have wasted a
great deal of time on this and there is misleading information on the
Internet.

I have tested Outlook 2002, both with and without Office
ServicePack1 and Office ServicePack2 (independently), on 4 different
workstations, and I can say with a high degree of certainty that Microsoft
Outlook does NOT support the use of client-side certificates.  It simply
does not return the certificate when prompted for it, and then fails to
connect.

I was very thorough in my testing, trying everything including
making sure that the cert 'cn' matched the email address of the IMAP
account, and it just doesn't work.  Several hours of Google searches and
Microsoft KnowledgeBase searches did not produce any information on this
subject.



Thanks,
Derek Simkowiak
dereks at itsite dot com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: config file help

2002-10-22 Thread Eric Weitzman
Richard,

> Eric Weitzman [EMAIL PROTECTED] said:
>
> eweitzman> Is there any overview documentation on the relationship
> eweitzman> between the keys and sections in openssl.cnf and both the
>
> Isn't http://www.openssl.org/docs/apps/req.html enough?  There's a
> small blurb about distinguished_name ending by saying that the section
> it refers to is explained in the next section of that manual.  That
> section is basically right below said blurb.

This is enough to document req. But I was looking for overview documentation of
the config file per se.

Being new to openssl, it's a leap to go from a code distribution and command
descriptions to understanding the config file. It's an even bigger leap to
understand that one anticipated usage pattern for req requires that an app will
write the config file to supply specific values for the distinguished name
fields of the request. Normally, the config file tells the app how to act
globally, not how to behave for a specific invocation of the app.

It was while glimpsing this unique arrangement that I wondered, is there some
overview documentation that spells out the relationships between
commands-sections-keys-other_sections. It would be nice if this was done in
general, or as a compendium of all the various commands' usage of the config
file in the config file documentation. For example, are req and ca the only
commands that have their own eponymously-named sections with keys whose values
point to other sections? Or are there others? Are the OIDs in the section
pointed to by the global key oid_section used by more than x509? (I'll answer
this for myself shortly...see below)

> Generally, look at the manual for each command, and you will hopefully
> find what you're looking for.

I will take your advice and look for the information this way.

> If you find the manuals incomplete, please tell us in detail what's
> missing or should be changed, and we'll do our best to correct it.

I'm spiraling in to an understanding of the system as the blind men came to
understand the elephant. Since I'm interested in the CA capabilities, a document
that describes how ca, req, and x509 fit together and are configured would be
helpful.

> Note: the manuals on the web are for the development

Given this note, I understand that my documentation desires might go unheeded!
NP, I was just asking.

Thanks,
- Eric





Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
Hi Stephen,

Thanks for the reply.  You're absolutely right.  It
does appear that I am not blocked indefinitely...it
certainly does take a while to gather entropy.  I was
using nBytes = 1024.  Then I tried 512.  Still very
long time.

Any suggestions on what a number should be for
acceptable randomness?

Does anybody have any alternative suggestions?  Does
anybody know how Apache seeds the OpenSSL PRNG on
Windows?  I think Apache uses OpenSSL don't they?

Thanks,
Ed

--- Stephen G. Schoggen [EMAIL PROTECTED]
wrote:
 Ed,
 
 I tried EGADS on Windows (PIII 866) and found that
 it's time to 
 'gather entropy' was noticeable beyond nBytes=4.  So
 if you use a 
 relatively large nBytes, then it would appear to
 block.
 
 Steve
 
 
 Hi there,
 
 Is anybody using EGADS on Windows?  I'm having a
 problem using it.  I've downloaded the source and
 built everything.  The egads service is running. 
 I've
 written a program that links with egads.dll.  I
 have a
 function that tries to seed the OpenSSL PRNG :
 
 bool seedPRNG(int nBytes)
 {
   prngctx_t ctx;
   int nError;
 
   egads_init(&ctx, 0, 0, &nError);
   if (nError != 0)
   {
     DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
     return false;
   }
 
   char* pBuf = new char[nBytes + 1];
   egads_entropy(&ctx, pBuf, nBytes, &nError);  // the call that blocks
   bool bOK = (0 == nError);
   if (bOK)
   {
     RAND_seed(pBuf, nBytes);  // mix the gathered bytes into the OpenSSL PRNG
   }
   delete [] pBuf;
 
   egads_destroy(&ctx);
   return bOK;
 }
 
 However, I seem to be blocking inside (presumably
 as
 egads gathers entropy), but it seems like I never
 unblock.  Can anybody tell me what I'm doing wrong?
 
 Thanks,
 Ed
 



Re: config file help

2002-10-22 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Tue, 22 Oct 2002 
13:05:40 -0700, Eric Weitzman [EMAIL PROTECTED] said:

eweitzman> Richard,
eweitzman>
eweitzman> > Eric Weitzman [EMAIL PROTECTED] said:
eweitzman> >
eweitzman> > eweitzman> Is there any overview documentation on the relationship
eweitzman> > eweitzman> between the keys and sections in openssl.cnf and both the
eweitzman> >
eweitzman> > Isn't http://www.openssl.org/docs/apps/req.html enough?  There's a
eweitzman> > small blurb about distinguished_name ending by saying that the section
eweitzman> > it refers to is explained in the next section of that manual.  That
eweitzman> > section is basically right below said blurb.
eweitzman>
eweitzman> This is enough to document req. But I was looking for
eweitzman> overview documentation of the config file per se.

http://www.openssl.org/docs/apps/config.html

eweitzman> It's an even bigger leap to understand that one anticipated
eweitzman> usage pattern for req requires that an app will write the
eweitzman> config file to supply specific values for the distinguished
eweitzman> name fields of the request.

Not quite.  There are two ways you can do this; 1) use the -subj
option when you call req, or 2) change all the {foo}_default values to
come from environment variables, and then set all those environment
variables to sensible values and call req with -batch.  An example:

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = ${ENV::COUNTRYNAME}
countryName_min = 2
countryName_max = 2

eweitzman> It was while glimpsing this unique arrangement that I
eweitzman> wondered, is there some overview documentation that spells
eweitzman> out the relationships between
eweitzman> commands-sections-keys-other_sections. It would be nice
eweitzman> if this was done in general, or as a compendium of all the
eweitzman> various commands' usage of the config file in the config
eweitzman> file documentation. For example, are req and ca the only
eweitzman> commands that have their own eponymously-named sections
eweitzman> with keys whose values point to other sections? Or are
eweitzman> there others? Are the OIDs in the section pointed to by the
eweitzman> global key oid_section used by more than x509?   (I'll
eweitzman> answer this for myself shortly...see below)

I think you need a general understanding of OpenSSL.  The OpenSSL
commands are really quite independent.  Each of them have their own
name as the main section of the configuration file to look in.  The
only ones that look in the configuration file are req, x509 and ca, so
the main sections in the configuration file are [req], [x509] and
[ca].  All other sections are somehow referenced from somewhere else,
and those details are specific to each command.

oid_section is used by req, x509 and ca.  Perhaps that isn't entirely
clear, although it is mentioned in each of those manual pages.

eweitzman> I'm spiraling in to an understanding of the system as the
eweitzman> blind men came to understand the elephant. Since I'm
eweitzman> interested in the CA capabilities, a document that
eweitzman> describes how ca, req, and x509 fit together and are
eweitzman> configured would be helpful.

In general, you can ignore x509 except for two purposes: 1) to create
a root certificate if you need to, and 2) to look at certificates.  It
only uses the configuration when creating certificates.

req is used to create certificate requests, ca is used to sign them.
Basically, the users wanting certificates would use req, and the CA
administrator would use ca...

eweitzman> > Note: the manuals on the web are for the development
eweitzman>
eweitzman> Given this note, I understand that my documentation desires
eweitzman> might go unheeded!

Not necessarily, but we do have a certain structure, and it seems like
some overall manual that would direct you better than
http://www.openssl.org/docs/apps/openssl.html does is what you would
have needed.  Is that correct?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
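
The two ways of giving req its subject that the reply above lists, as an added shell example that is not part of the original thread. The file names, the ORGNAME and COMMONNAME variables, the DN values and the allow-list in dn_value_ok are assumptions made for the illustration; COUNTRYNAME and the countryName keys follow the fragment in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): both non-interactive ways to give
# `openssl req` its subject. File names and DN values are constructed.
LC_ALL=C; export LC_ALL   # byte-wise ranges in the patterns below

# Config with DN defaults taken from the environment, extending the
# [ req_distinguished_name ] fragment from the reply to three fields.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName              = Country Name (2 letter code)
countryName_default      = ${ENV::COUNTRYNAME}
countryName_min          = 2
countryName_max          = 2
organizationName         = Organization Name
organizationName_default = ${ENV::ORGNAME}
commonName               = Common Name
commonName_default       = ${ENV::COMMONNAME}
EOF
}

# Allow-list for values that come from outside the script. In a -subj string
# "/" starts a new attribute, so an unchecked value could add its own CN.
dn_value_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9._\ -]*) return 1 ;;
    esac
    return 0
}

country_ok() {
    case "$1" in [A-Z][A-Z]) return 0 ;; esac
    return 1
}

# Way 2: {foo}_default from environment variables, then req -batch.
# usage: csr_from_env CONFIG KEY_OUT CSR_OUT
csr_from_env() {
    # openssl refuses to load a config that references an unset ENV variable,
    # so check (and validate) every variable before calling it.
    country_ok "${COUNTRYNAME-}" || { echo "COUNTRYNAME: need 2 letters" >&2; return 2; }
    dn_value_ok "${ORGNAME-}"    || { echo "ORGNAME: unset or invalid" >&2; return 2; }
    dn_value_ok "${COMMONNAME-}" || { echo "COMMONNAME: unset or invalid" >&2; return 2; }
    export COUNTRYNAME ORGNAME COMMONNAME
    ( umask 077   # private key readable by its owner only
      openssl req -new -batch -config "$1" -newkey rsa:2048 -nodes \
          -keyout "$2" -out "$3" )
}

# Way 1: the whole subject on the command line with -subj.
# usage: csr_from_subj KEY_OUT CSR_OUT COUNTRY ORG COMMON_NAME
csr_from_subj() {
    country_ok "$3" && dn_value_ok "$4" && dn_value_ok "$5" || return 2
    cfg="$2.cnf"   # minimal config, so the run does not depend on a system openssl.cnf
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$cfg"
    ( umask 077
      openssl req -new -batch -config "$cfg" -newkey rsa:2048 -nodes \
          -keyout "$1" -out "$2" -subj "/C=$3/O=$4/CN=$5" ) && rc=0 || rc=$?
    rm -f "$cfg"
    return "$rc"
}

# Subject of a CSR in RFC 2253 form (most specific attribute first).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

demo() {
    d=$(mktemp -d) || return 1
    write_req_config "$d/req.cnf"
    COUNTRYNAME=SE ORGNAME="Example Org" COMMONNAME=host.example.test
    csr_from_env "$d/req.cnf" "$d/env.key" "$d/env.csr" && csr_subject "$d/env.csr"
    csr_from_subj "$d/subj.key" "$d/subj.csr" SE "Example Org" host.example.test &&
        csr_subject "$d/subj.csr"
    rm -rf "$d"
}
if [ "${1-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to create one request each way and print both subjects.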



Re: Are self signed certificates bad?

2002-10-22 Thread Vadim Fedukovich
On Tue, Oct 22, 2002 at 12:50:04PM +0200, Martin Witzel wrote:
> Except when you have an independent means to verify that
> a) the self-signed certificate which you received during the handshake
>    comes from the entity which claims to be the originator
> b) you also feel comfortable to trust this entity which issues its own
>    certificate
> self-signed server certificates are essentially meaningless.

Any certificate provide for public key that could be used to run
some crypto protocol. It is crypto that actually creates value
making verification tools working and trust possible.

> Self-signed client certificates are even less useful in my opinion. The
> server sends as a selection of trusted certificates during the handshake,
> and the client is supposed to select the one certificate from its client
> certificates which can be traced to one of these trusted signing entities.
> Otherwise the client must send an alert. Since a self-signed client
> certificate can never be traced to some other independent signing entity,
> this mechanism must break for client authentication. The mechanism is
> described as part of the SSL spec, if I recall this right. With other
> words, a self-signed client cert is not even spec-conformant in my opinion.

According to RFC 2246, server sends (quoting) list of the distinguished
names of acceptable certificate authorities...[that] names may specify
a desired distinguished name for a root CA or for a subordinate CA,
clause 7.4.4

Client sends empty client certificate message in case (quoting)
if no suitable certificate is available or it could send the alert.

I can't find a requirement to reject self-signed client certificate
that server could find in its local database of known public keys.

I could imagine a self-signed client certificate used to prove
I'm the same guy that sent some electronic cash yesterday.

That could work for the case of merchant who cares users to pay and
don't care what's their name and whether it's confirmed by
some well-known CA

happy speculating,
Vadim
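
One way to implement the local database of known public keys mentioned in the reply above, as an added shell example that is not part of the original thread: the certificate's subject is ignored and only a SHA-256 pin of its public key is looked up. File names, function names and the one-pin-per-line database format are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a self-signed client certificate is acceptable
# by looking its public key up in a local list. All file names are constructed.
# The TLS handshake proves that the peer holds the private key; this check
# only answers whether that key has been seen before.

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate, in hex.
spki_pin() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Record a client's key in the database (one pin per line, no duplicates).
# usage: enroll_client CERT DB
enroll_client() {
    pin=$(spki_pin "$1") || return 1
    grep -Fxq "$pin" "$2" 2>/dev/null || printf '%s\n' "$pin" >> "$2"
}

# 0 if the certificate's key was enrolled before, 1 if not, 2 if unreadable.
# usage: client_known CERT DB
client_known() {
    pin=$(spki_pin "$1") || return 2
    [ -f "$2" ] || return 1
    grep -Fxq "$pin" "$2"
}

# Test material: self-signed certificate for KEY (created if missing).
# usage: make_selfsigned KEY CERT CN
make_selfsigned() {
    cfg="$2.cnf"   # minimal config, so the run does not depend on a system openssl.cnf
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$cfg"
    if [ ! -f "$1" ]; then
        ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null ) || return 1
    fi
    openssl req -x509 -new -batch -config "$cfg" -key "$1" -out "$2" \
        -subj "/CN=$3" -days 30 2>/dev/null && rc=0 || rc=$?
    rm -f "$cfg"
    return "$rc"
}

demo() {
    d=$(mktemp -d) || return 1
    db="$d/known.pins"
    make_selfsigned "$d/alice.key" "$d/alice.crt" alice
    enroll_client "$d/alice.crt" "$db"

    # Same key in a newly issued certificate: still the same client.
    make_selfsigned "$d/alice.key" "$d/alice2.crt" alice-renewed
    client_known "$d/alice2.crt" "$db" && echo "alice2.crt: known key"

    # Same name, different key: the name proves nothing.
    make_selfsigned "$d/other.key" "$d/other.crt" alice
    client_known "$d/other.crt" "$db" || echo "other.crt: unknown key"
    rm -rf "$d"
}
if [ "${1-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see a renewed certificate for an enrolled key accepted and a certificate with the same name but a different key refused.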



Re: anybody using EGADS?

2002-10-22 Thread Dick . Bridges

Not exactly open source, but
http://www.intel.com/design/security/rng/rng-capi.htm Accessing the Intel®
Random Number Generator through a CSP for Microsoft* CryptoAPI describes
how to access the Intel *hardware* RNG.  Might be of some use to you on
Windows platforms.  (I believe some *NIXs use the same hardware to populate
/dev/random when on Intel platforms.)



   
   
Edward Chan [EMAIL PROTECTED]
Sent by: owner-openssl-users@openssl.org
10/22/2002 01:13 PM
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: anybody using EGADS?
   
   
   
   
   




Hi Stephen,

Thanks for the reply.  You're absolutely right.  It
does appear that I am not blocked indefinitely...it
certainly does take a while to gather entropy.  I was
using nBytes = 1024.  Then I tried 512.  Still very
long time.

Any suggestions on what a number should be for
acceptable randomness?

Does anybody have any alternative suggestions?  Does
anybody know how Apache seeds the OpenSSL PRNG on
Windows?  I think Apache uses OpenSSL don't they?

Thanks,
Ed

--- Stephen G. Schoggen [EMAIL PROTECTED]
wrote:
 Ed,

 I tried EGADS on Windows (PIII 866) and found that
 it's time to
 'gather entropy' was noticeable beyond nBytes=4.  So
 if you use a
 relatively large nBytes, then it would appear to
 block.

 Steve


 Hi there,
 
 Is anybody using EGADS on Windows?  I'm having a
 problem using it.  I've downloaded the source and
 built everything.  The egads service is running.
 I've
 written a program that links with egads.dll.  I
 have a
 function that tries to seed the OpenSSL PRNG :
 
 bool seedPRNG(int nBytes)
 {
   prngctx_t ctx;
   int nError;
 
   egads_init(&ctx, 0, 0, &nError);
   if (nError != 0)
   {
     DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
     return false;
   }
 
   char* pBuf = new char[nBytes + 1];
   egads_entropy(&ctx, pBuf, nBytes, &nError);  // the call that blocks
   bool bOK = (0 == nError);
   if (bOK)
   {
     RAND_seed(pBuf, nBytes);  // mix the gathered bytes into the OpenSSL PRNG
   }
   delete [] pBuf;
 
   egads_destroy(&ctx);
   return bOK;
 }
 
 However, I seem to be blocking inside (presumably
 as
 egads gathers entropy), but it seems like I never
 unblock.  Can anybody tell me what I'm doing wrong?
 
 Thanks,
 Ed
 





FW: updates (SSL-Certificates-HOWTO)

2002-10-22 Thread Franck Martin
I'm pleased to announce a new version of the SSL-Certificates-HOWTO.

Thanks to all for your contributions and comments.

Can someone put a link on the openssl.org web site? Thanks.

Comments, critics,... you know how to join me...

Cheers.

-Original Message-
From: Greg Ferguson [mailto:gferg;hoop.timonium.sgi.com]
Sent: Wednesday, 23 October 2002 11:17 
To: [EMAIL PROTECTED]
Subject: updates (SSL-Certificates-HOWTO)


SSL Certificates HOWTO
Franck Martin
v0.5  2002-10-20

  * updated
  http://tldp.org/HOWTO/SSL-Certificates-HOWTO/



installation openssl urgent!

2002-10-22 Thread Ivone Uribe
Hi all!

I have problems with the openssl in an installation of a wap gateway, I'm 
using the RedHat 7.2.

When I was trying to install the gateway rpm I got this messages:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.


To solve it I removed the openssl0.9.6 rpm  (is it right?)
and I just downloaded openssl source code (openssl-0.9.6g) and compiled this 
to usr/local/ssl:
./config
make
make test
make install

after I wrote the path /usr/local/ssl/lib in the ld.so.config and the 
command ldconfig

Do I forget some important step in the installation of the openssl?

...

After I tried to install the gateway rpm again, but I got the same reply:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.

Could anybody explain me how I can solve it? please!



Looking for another solution, To solve it I tried to install the gateway 
source (tar.gz)

But when I configure the gateway with
./configure \
  --prefix=/usr/local/kannel_test \
  --with-ssl=/usr/local/ssl \
  --with-wtls=openssl \
  --enable-start-stop-daemon \
  --enable-ssl \
  --disable-docs


I get this:

...
Configuring OpenSSL support ...
checking whether to compile with SSL support... trying /usr/local/ssl/lib 
/usr/local/ssl/include
checking for openssl... /usr/local/ssl/bin/openssl
checking for CRYPTO_lock in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
checking for SSL_connect in -lssl... yes
checking for openssl/x509.h... no
checking for openssl/rsa.h... no
checking for openssl/crypto.h... no
checking for openssl/pem.h... no
checking for openssl/ssl.h... no
checking for openssl/err.h... no
checking whether the OpenSSL library is multithread-enabled... yes
checking whether to compile with SSL support... yes

Configuring MySQL support ...
checking whether to compile with MySQL support... disabled

Configuring WTLS support ...
checking for WTLS library... openssl
checking for RSA_new in -lcrypto... yes
checking for openssl/objects.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!
checking for openssl/rc5.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!



but my openssl have the rc5 algorithm!
and
openssl/x509.h,openssl/rsa.h,openssl/crypto.h,openssl/pem.h,openssl/ssl.h, 
openssl/err.h, openssl/objects.h and the openssl/rc5
are in the directory usr/local/ssl/include/openssl, so I don't know why the 
kannel gateway don't recognize it.

Please, anybody could help me with this problem? any idea? Am I installing 
well the openssltar.gz?

Thanks in advance,
Ivone








Re: installation openssl urgent!

2002-10-22 Thread Guy Matz
it looks like you have an issue with your include files . . .  try 
setting CPPFLAGS=-I/usr/local/ssl/openssl, or whatever the path to 
your rc5.h file is, then run configure.  let me know if that doesn't work.

regards,
guy

Ivone Uribe wrote:

Hi all!

I have problems with the openssl in an installation of a wap gateway, 
I'm using the RedHat 7.2.

When I was trying to install the gateway rpm I got this messages:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.


To solve it I removed the openssl0.9.6 rpm  (is it right?)
and I just downloaded openssl source code (openssl-0.9.6g) and 
compiled this to usr/local/ssl:
./config
make
make test
make install

after I wrote the path /usr/local/ssl/lib in the ld.so.config and the 
command ldconfig

Do I forget some important step in the installation of the openssl?

...

After I tried to install the gateway rpm again, but I got the same reply:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.

Could anybody explain me how I can solve it? please!



Looking for another solution, To solve it I tried to install the 
gateway source (tar.gz)

But when I configure the gateway with
./configure
--prefix=/usr/local/kannel_test
--with-ssl=/usr/local/ssl
--with-wtls=openssl
--enable-start-stop-daemon
--enable-ssl
--disable-docs


I get this:

...
Configuring OpenSSL support ...
checking whether to compile with SSL support... trying 
/usr/local/ssl/lib /usr/local/ssl/include
checking for openssl... /usr/local/ssl/bin/openssl
checking for CRYPTO_lock in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
checking for SSL_connect in -lssl... yes
checking for openssl/x509.h... no
checking for openssl/rsa.h... no
checking for openssl/crypto.h... no
checking for openssl/pem.h... no
checking for openssl/ssl.h... no
checking for openssl/err.h... no
checking whether the OpenSSL library is multithread-enabled... yes
checking whether to compile with SSL support... yes

Configuring MySQL support ...
checking whether to compile with MySQL support... disabled

Configuring WTLS support ...
checking for WTLS library... openssl
checking for RSA_new in -lcrypto... yes
checking for openssl/objects.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!
checking for openssl/rc5.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!



but my openssl have the rc5 algorithm!
and
openssl/x509.h,openssl/rsa.h,openssl/crypto.h,openssl/pem.h,openssl/ssl.h, 
openssl/err.h, openssl/objects.h and the openssl/rc5
are in the directory usr/local/ssl/include/openssl, so I don't know 
why the kannel gateway don't recognize it.

Please, anybody could help me with this problem? any idea? Am I 
installing well the openssltar.gz?

Thanks in advance,
Ivone









Re: anybody using EGADS?

2002-10-22 Thread Stephen G. Schoggen
Hi Ed,

Knowing very little about any of this cryptography stuff, I have no 
idea what value of nBytes is enough.  I think the wisdom, though, is 
that it depends upon your situation.  From what I've read, the whole 
purpose of cryptography is to make it too difficult for an attacker 
to succeed with an attack.  Obviously, how much effort you have to 
make to thwart an attack depends to a significant degree upon how 
much effort the attacker is willing to make.  That would depend upon 
how valuable the information is, etc.  In my particular application 
of SSL, I don't think the information being transferred is terribly 
sensitive.  So I just chose to use RAND_screen() on Windows to seed 
the PRNG.  Although Viega, et. al., page 99 (Network Security with 
OpenSSL, O'Reilly), makes it clear that he thinks RAND_screen() is a 
poor choice at best, it is described as using a hash of the current 
screen scan-lines for entropy.  I'm no math wiz, but it's hard for me 
to see how any attacker could determine what the results of that are, 
regardless of effort.  Perhaps if the attacker can see the screen...

I conclude that with cryptography, as with other things in life, we 
all just have to decide when enough is enough and move on.

Steve


Not exactly open source, but
http://www.intel.com/design/security/rng/rng-capi.htm Accessing the Intel®
Random Number Generator through a CSP for Microsoft* CryptoAPI describes
how to access the Intel *hardware* RNG.  Might be of some use to you on
Windows platforms.  (I believe some *NIXs use the same hardware to populate
/dev/random when on Intel platforms.)




   
Edward Chan [EMAIL PROTECTED]
Sent by: owner-openssl-users@openssl.org
10/22/2002 01:13 PM
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: anybody using EGADS?

   

   




Hi Stephen,

Thanks for the reply.  You're absolutely right.  It
does appear that I am not blocked indefinitely...it
certainly does take a while to gather entropy.  I was
using nBytes = 1024.  Then I tried 512.  Still very
long time.

Any suggestions on what a number should be for
acceptable randomness?

Does anybody have any alternative suggestions?  Does
anybody know how Apache seeds the OpenSSL PRNG on
Windows?  I think Apache uses OpenSSL don't they?

Thanks,
Ed

--- Stephen G. Schoggen [EMAIL PROTECTED]
wrote:
 Ed,

 I tried EGADS on Windows (PIII 866) and found that
 it's time to
 'gather entropy' was noticeable beyond nBytes=4.  So
 if you use a
 relatively large nBytes, then it would appear to
 block.

 Steve


 Hi there,
 
 Is anybody using EGADS on Windows?  I'm having a
 problem using it.  I've downloaded the source and
 built everything.  The egads service is running.
 I've
 written a program that links with egads.dll.  I
 have a
 function that tries to seed the OpenSSL PRNG :
 
 bool seedPRNG(int nBytes)
 {
   prngctx_t ctx;
   int nError;
 
   egads_init(&ctx, 0, 0, &nError);
   if (nError != 0)
   {
     DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
     return false;
   }
 
   char* pBuf = new char[nBytes + 1];
   egads_entropy(&ctx, pBuf, nBytes, &nError);  // the call that blocks
   bool bOK = (0 == nError);
   if (bOK)
   {
     RAND_seed(pBuf, nBytes);  // mix the gathered bytes into the OpenSSL PRNG
   }
   delete [] pBuf;
 
   egads_destroy(&ctx);
   return bOK;
 }
 
 However, 

Re: FW: updates (SSL-Certificates-HOWTO)

2002-10-22 Thread Xperex Tim
Thanks Franck.  I have referred to your docs often.

--- Franck Martin [EMAIL PROTECTED] wrote:
 I'm pleased to announce a new version of the SSL-Certificates-HOWTO.
 
 Thanks to all for your contributions and comments.
 
 Can someone put a link on the openssl.org web site? Thanks.
 
 Comments, critics,... you know how to join me...
 
 Cheers.
 
 -Original Message-
 From: Greg Ferguson [mailto:gferg;hoop.timonium.sgi.com]
 Sent: Wednesday, 23 October 2002 11:17 
 To: [EMAIL PROTECTED]
 Subject: updates (SSL-Certificates-HOWTO)
 
 
 SSL Certificates HOWTO
 Franck Martin
 v0.5  2002-10-20
 
   * updated
   http://tldp.org/HOWTO/SSL-Certificates-HOWTO/



Re: installation openssl urgent!

2002-10-22 Thread Guy Matz
set it in your environment . . .  just before you run configure, type:
CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS

then run configure.  the CPPFLAGS environment setting should tell 
configure to check in that directory for the include files it needs.

again, let me know if you have a problem.

regards,
guy

Ivone Uribe wrote:

Hi Guy!
Thanks for your reply :)

but Where do I set : CPPFLAGS=-I/usr/local/ssl/openssl?

the rc5.h is in the /usr/local/ssl/include/openssl and the libs like 
libcrypto are in /usr/local/ssl/libs

so I guess I have to set this path:
-I/usr/local/ssl/include/openssl...is that right?...but where do I 
set it?


Regards,
Ivone

From: Guy Matz [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: installation openssl urgent!
Date: Tue, 22 Oct 2002 21:59:26 -0400

it looks like you have an issue with your include files . . .  try 
setting CPPFLAGS=-I/usr/local/ssl/openssl, or whatever the path to 
your rc5.h file is, then run configure.  let me know if that doesn't 
work.

regards,
guy

Ivone Uribe wrote:

Hi all!

I have problems with the openssl in an installation of a wap 
gateway, I'm using the RedHat 7.2.

When I was trying to install the gateway rpm I got this messages:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.


To solve it I removed the openssl0.9.6 rpm  (is it right?)
and I just downloaded openssl source code (openssl-0.9.6g) and 
compiled this to usr/local/ssl:
./config
make
make test
make install

after I wrote the path /usr/local/ssl/lib in the ld.so.config and 
the command ldconfig

Do I forget some important step in the installation of the openssl?

...

After I tried to install the gateway rpm again, but I got the same 
reply:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.

Could anybody explain me how I can solve it? please!



Looking for another solution, To solve it I tried to install the 
gateway source (tar.gz)

But when I configure the gateway with
./configure
--prefix=/usr/local/kannel_test
--with-ssl=/usr/local/ssl
--with-wtls=openssl
--enable-start-stop-daemon
--enable-ssl
--disable-docs


I get this:

...
Configuring OpenSSL support ...
checking whether to compile with SSL support... trying 
/usr/local/ssl/lib /usr/local/ssl/include
checking for openssl... /usr/local/ssl/bin/openssl
checking for CRYPTO_lock in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
checking for SSL_connect in -lssl... yes
checking for openssl/x509.h... no
checking for openssl/rsa.h... no
checking for openssl/crypto.h... no
checking for openssl/pem.h... no
checking for openssl/ssl.h... no
checking for openssl/err.h... no
checking whether the OpenSSL library is multithread-enabled... yes
checking whether to compile with SSL support... yes

Configuring MySQL support ...
checking whether to compile with MySQL support... disabled

Configuring WTLS support ...
checking for WTLS library... openssl
checking for RSA_new in -lcrypto... yes
checking for openssl/objects.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!
checking for openssl/rc5.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!



but my openssl have the rc5 algorithm!
and
openssl/x509.h,openssl/rsa.h,openssl/crypto.h,openssl/pem.h,openssl/ssl.h, 
openssl/err.h, openssl/objects.h and the openssl/rc5
are in the directory usr/local/ssl/include/openssl, so I don't know 
why the kannel gateway don't recognize it.

Please, anybody could help me with this problem? any idea? Am I 
installing well the openssltar.gz?

Thanks in advance,
Ivone







Re: installation openssl urgent!

2002-10-22 Thread Ivone Uribe
Thanks Guy, I hope I'm not boring you, but I'm a little new with this.

Well If understand you... I have to do that:

#cd usr/local/ssl
#CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS
#./configure

Are these steps rights?

It is to compile my old openssl, so I don't need to erase my old 
installation, isn't it?

Regards, Ivone
Ivone



From: Guy Matz [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: installation openssl urgent!
Date: Tue, 22 Oct 2002 23:30:08 -0400

set it in your environment . . .  just before you run configure, type:
CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS

then run configure.  the CPPFLAGS environment setting should tell configure 
to check in that directory for the include files it needs.

again, let me know if you have a problem.

regards,
guy

Ivone Uribe wrote:

Hi Guy!
Thanks for your reply :)

but Where do I set : CPPFLAGS=-I/usr/local/ssl/openssl?

the rc5.h is in the /usr/local/ssl/include/openssl and the libs like 
libcrypto are in /usr/local/ssl/libs

so I guess I have to set this path:
-I/usr/local/ssl/include/openssl...is that right?...but where do I set 
it?


Regards,
Ivone

From: Guy Matz [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: installation openssl urgent!
Date: Tue, 22 Oct 2002 21:59:26 -0400

it looks like you have an issue with your include files . . .  try 
setting CPPFLAGS=-I/usr/local/ssl/openssl, or whatever the path to your 
rc5.h file is, then run configure.  let me know if that doesn't work.

regards,
guy

Ivone Uribe wrote:

Hi all!

I have problems with the openssl in an installation of a wap gateway, 
I'm using the RedHat 7.2.

When I was trying to install the gateway rpm I got these messages:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.


To solve it I removed the openssl0.9.6 rpm (is that right?)
and I just downloaded the openssl source code (openssl-0.9.6g) and compiled
this to usr/local/ssl:
./config
make
make test
make install

Afterwards I wrote the path /usr/local/ssl/lib in the ld.so.config and ran the
command ldconfig.

Did I forget some important step in the installation of openssl?

...

Afterwards I tried to install the gateway rpm again, but I got the same
reply:
libcrypto.so.0.9.6 required
libssl.so.0.9.6 required.

Could anybody explain to me how I can solve it? Please!



Looking for another solution, I tried to install the gateway
source (tar.gz).

But when I configure the gateway with
./configure \
  --prefix=/usr/local/kannel_test \
  --with-ssl=/usr/local/ssl \
  --with-wtls=openssl \
  --enable-start-stop-daemon \
  --enable-ssl \
  --disable-docs


I get this:

...
Configuring OpenSSL support ...
checking whether to compile with SSL support... trying /usr/local/ssl/lib /usr/local/ssl/include
checking for openssl... /usr/local/ssl/bin/openssl
checking for CRYPTO_lock in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
checking for SSL_connect in -lssl... yes
checking for openssl/x509.h... no
checking for openssl/rsa.h... no
checking for openssl/crypto.h... no
checking for openssl/pem.h... no
checking for openssl/ssl.h... no
checking for openssl/err.h... no
checking whether the OpenSSL library is multithread-enabled... yes
checking whether to compile with SSL support... yes

Configuring MySQL support ...
checking whether to compile with MySQL support... disabled

Configuring WTLS support ...
checking for WTLS library... openssl
checking for RSA_new in -lcrypto... yes
checking for openssl/objects.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!
checking for openssl/rc5.h... no
configure: warning: OpenSSL installation seems to lack RC5 algorithm!



but my openssl has the rc5 algorithm!
and
openssl/x509.h, openssl/rsa.h, openssl/crypto.h, openssl/pem.h, openssl/ssl.h,
openssl/err.h, openssl/objects.h and the openssl/rc5
are in the directory usr/local/ssl/include/openssl, so I don't know why
the kannel gateway doesn't recognize it.

Please, could anybody help me with this problem? Any idea? Am I
installing the openssltar.gz correctly?

Thanks in advance,
Ivone






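The configure output in this thread reports `openssl/rc5.h... no` although the file exists on disk. As an added example (not from the thread and not Kannel's own configure logic), the script below models how a header named `openssl/rc5.h` is resolved against `-I` directories; the function names and the temporary tree standing in for `/usr/local/ssl` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Kannel's configure script).
# A check for "openssl/rc5.h" appends that name to each -I directory, so the
# -I directory must be the parent of openssl/, not openssl/ itself.

# header_visible CPPFLAGS HEADER
# Succeeds if HEADER resolves under one of the -I directories in CPPFLAGS.
# Assumes directory names without whitespace, as in the thread.
header_visible() {
    for flag in $1; do
        case $flag in
            -I*)
                if [ -f "${flag#-I}/$2" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# find_include_dir PREFIX HEADER
# Searches PREFIX and prints the directory to pass to -I for HEADER.
find_include_dir() {
    find "$1" -type f -path "*/$2" 2>/dev/null |
    while IFS= read -r path; do
        printf '%s\n' "${path%/"$2"}"
    done | sort -u | head -n 1
}

# Constructed tree standing in for the /usr/local/ssl layout in the thread.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/ssl/include/openssl" "$root/usr/local/ssl/lib"
    : > "$root/usr/local/ssl/include/openssl/rc5.h"

    for dir in /usr/local/ssl/openssl \
               /usr/local/ssl/include/openssl \
               /usr/local/ssl/include; do
        if header_visible "-I$root$dir" openssl/rc5.h; then
            echo "CPPFLAGS=-I$dir  -> openssl/rc5.h found"
        else
            echo "CPPFLAGS=-I$dir  -> openssl/rc5.h not found"
        fi
    done

    found=$(find_include_dir "$root/usr/local/ssl" openssl/rc5.h)
    echo "directory to pass to -I: ${found#"$root"}"
    rm -rf "$root"
}

demo
```

If the configure script is autoconf-generated, `config.log` also records the compiler command and error for each failed header check, which shows the `-I` directories that were actually searched.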

Re: anybody using EGADS?

2002-10-22 Thread Marcus Carey
Ed


See the book Network Security with OpenSSL.

With 4 bits of entropy, an attacker has a 1 in 16 chance of guessing the
right seed.

If you're creating 128-bit keys you should use 128 bits of entropy; anything
less than 64 bits may not be secure enough.
I am not sure how nBytes is read.  To get 128 bits of entropy you should use
nBytes = 16. Right?

However, at nBytes = 128 it takes about 55 seconds to gather entropy on
Windows.


Marcus



- Original Message -
From: Edward Chan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 22, 2002 1:13 PM
Subject: Re: anybody using EGADS?


 Hi Stephen,

 Thanks for the reply.  You're absolutely right.  It
 does appear that I am not blocked indefinitely...it
 certainly does take a while to gather entropy.  I was
 using nBytes = 1024.  Then I tried 512.  Still very
 long time.

 Any suggestions on what a number should be for
 acceptable randomness?

 Does anybody have any alternative suggestions?  Does
 anybody know how Apache seeds the OpenSSL PRNG on
 Windows?  I think Apache uses OpenSSL don't they?

 Thanks,
 Ed

 --- Stephen G. Schoggen [EMAIL PROTECTED]
 wrote:
  Ed,
 
  I tried EGADS on Windows (PIII 866) and found that its time to
  'gather entropy' was noticeable beyond nBytes=4.  So if you use a
  relatively large nBytes, then it would appear to block.
 
  Steve
 
 
  Hi there,
  
  Is anybody using EGADS on Windows?  I'm having a
  problem using it.  I've downloaded the source and
  built everything.  The egads service is running.  I've
  written a program that links with egads.dll.  I have a
  function that tries to seed the OpenSSL PRNG:
  
  bool seedPRNG(int nBytes)
  {
      prngctx_t ctx;
      int nError = 0;
  
      // egads_init() reports failure through its last argument.
      egads_init(&ctx, 0, 0, &nError);
      if (nError != 0)
      {
          DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
          return false;
      }
  
      // Request nBytes bytes of entropy from the egads service (this call can block).
      char* pBuf = new char[nBytes + 1];
      egads_entropy(&ctx, pBuf, nBytes, &nError);
      bool bOK = (0 == nError);
      if (bOK)
      {
          RAND_seed(pBuf, nBytes);
      }
      delete [] pBuf;
  
      egads_destroy(&ctx);
      return bOK;
  }
  
  However, I seem to be blocking inside (presumably as
  egads gathers entropy), but it seems like I never
  unblock.  Can anybody tell me what I'm doing wrong?
  
  Thanks,
  Ed
  



Error Log

2002-10-22 Thread Hara
Hi

My SSL server periodically outputs the same error messages, as follows:


[Sun Oct 13 05:35:26 2002] [error] SSL_accept failed
[Sun Oct 13 09:05:40 2002] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

This server runs OPENSSL-0.95a and Apache-SSL 1.3.22 on Linux.

Does anybody know how I can stop these messages?


Hara




Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
Thanks Dick.  I heard about the Intel RNG.
Unfortunately, we may also run on AMD machines, in
which case, this wouldn't be portable.  But it might
be worth looking into.

Thanks again,
Ed

--- [EMAIL PROTECTED] wrote:
 
 Not exactly open source, but

http://www.intel.com/design/security/rng/rng-capi.htm
 Accessing the Intel®
 Random Number Generator through a CSP for Microsoft*
 CryptoAPI describes
 how to access the Intel *hardware* RNG.  Might be of
 some use to you on
 Windows platforms.  (I believe some *NIXs use the
 same hardware to populate
 /dev/random when on Intel platforms.)
 
 
 
 
 
 
 Edward Chan [EMAIL PROTECTED]
 Sent by: owner-openssl-users@openssl.org
 10/22/2002 01:13 PM
 Please respond to openssl-users

 To: [EMAIL PROTECTED]
 cc:
 Subject: Re: anybody using EGADS?
 
 
 
 
 
 
 
 
 
 
 
 
 Hi Stephen,
 
 Thanks for the reply.  You're absolutely right.  It
 does appear that I am not blocked indefinitely...it
 certainly does take a while to gather entropy.  I
 was
 using nBytes = 1024.  Then I tried 512.  Still very
 long time.
 
 Any suggestions on what a number should be for
 acceptable randomness?
 
 Does anybody have any alternative suggestions?  Does
 anybody know how Apache seeds the OpenSSL PRNG on
 Windows?  I think Apache uses OpenSSL don't they?
 
 Thanks,
 Ed
 
 --- Stephen G. Schoggen [EMAIL PROTECTED]
 wrote:
  Ed,
 
  I tried EGADS on Windows (PIII 866) and found that its time to
  'gather entropy' was noticeable beyond nBytes=4.  So if you use a
  relatively large nBytes, then it would appear to block.
 
  Steve
 
 
  Hi there,
  
  Is anybody using EGADS on Windows?  I'm having a
  problem using it.  I've downloaded the source and
  built everything.  The egads service is running.  I've
  written a program that links with egads.dll.  I have a
  function that tries to seed the OpenSSL PRNG:
  
  bool seedPRNG(int nBytes)
  {
      prngctx_t ctx;
      int nError = 0;
  
      // egads_init() reports failure through its last argument.
      egads_init(&ctx, 0, 0, &nError);
      if (nError != 0)
      {
          DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
          return false;
      }
  
      // Request nBytes bytes of entropy from the egads service (this call can block).
      char* pBuf = new char[nBytes + 1];
      egads_entropy(&ctx, pBuf, nBytes, &nError);
      bool bOK = (0 == nError);
      if (bOK)
      {
          RAND_seed(pBuf, nBytes);
      }
      delete [] pBuf;
  
      egads_destroy(&ctx);
      return bOK;
  }
  
  However, I seem to be blocking inside (presumably as
  egads gathers entropy), but it seems like I never
  unblock.  Can anybody tell me what I'm doing wrong?
  
  Thanks,
  Ed
  
 

Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
I hear what you're saying, and I totally agree.  The
problem with using RAND_screen() is that the app I'm
writing is a server.  So it may be running on a box
hidden away in some closet, and may not even have a
monitor attached to it.  So there may not be any user
interaction at all, in which case, this may not
provide very much entropy.  But I hear what you're
saying.  Thanks.

Ed


--- Stephen G. Schoggen [EMAIL PROTECTED]
wrote:
 Hi Ed,
 
 Knowing very little about any of this cryptography
 stuff, I have no 
 idea what value of nBytes is enough.  I think the
 wisdom, though, is 
 that it depends upon your situation.  From what I've
 read, the whole 
 purpose of cryptography is to make it too difficult
 for an attacker 
 to succeed with an attack.  Obviously, how much
 effort you have to 
 make to thwart an attack depends to a significant
 degree upon how 
 much effort the attacker is willing to make.  That
 would depend upon 
 how valuable the information is, etc.  In my
 particular application 
 of SSL, I don't think the information being
 transferred is terribly 
 sensitive.  So I just chose to use RAND_screen() on
 Windows to seed 
 the PRNG.  Although Viega, et al., page 99 (Network
 Security with 
 OpenSSL, O'Reilly), makes it clear that he thinks
 RAND_screen() is a 
 poor choice at best, it is described as using a hash
 of the current 
 screen scan-lines for entropy.  I'm no math wiz, but
 it's hard for me 
 to see how any attacker could determine what the
 results of that are, 
 regardless of effort.  Perhaps if the attacker can
 see the screen...
 
 I conclude that with cryptography, as with other
 things in life, we 
 all just have to decide when enough is enough and
 move on.
 
 Steve
 
 
 Not exactly open source, but

http://www.intel.com/design/security/rng/rng-capi.htm
 Accessing the Intel®
 Random Number Generator through a CSP for
 Microsoft* CryptoAPI describes
 how to access the Intel *hardware* RNG.  Might be
 of some use to you on
 Windows platforms.  (I believe some *NIXs use the
 same hardware to populate
 /dev/random when on Intel platforms.)
 
 
 
  

 

 Edward Chan [EMAIL PROTECTED]
 Sent by: owner-openssl-users@openssl.org
 10/22/2002 01:13 PM
 Please respond to openssl-users

 To: [EMAIL PROTECTED]
 cc:
 Subject: Re: anybody using EGADS?
 
   
  

 

  

 

 
 
 
 
 Hi Stephen,
 
 Thanks for the reply.  You're absolutely right.  It
 does appear that I am not blocked indefinitely...it
 certainly does take a while to gather entropy.  I
 was
 using nBytes = 1024.  Then I tried 512.  Still very
 long time.
 
 Any suggestions on what a number should be for
 acceptable randomness?
 
 Does anybody have any alternative suggestions? 
 Does
 anybody know how Apache seeds the OpenSSL PRNG on
 Windows?  I think Apache uses OpenSSL don't they?
 
 Thanks,
 Ed
 
 --- Stephen G. Schoggen
 [EMAIL PROTECTED]
 wrote:
   Ed,
 
   I tried EGADS on Windows (PIII 866) and found that its time to
   'gather entropy' was noticeable beyond nBytes=4.  So if you use a
   relatively large nBytes, then it would appear to block.
 
   Steve
 
 
   Hi there,
   
   Is anybody using EGADS on Windows?  I'm having a
   problem using it.  I've downloaded the source and
   built everything.  The egads service is running.  I've
   written a program that links with egads.dll.  I have a
   function that tries to seed the OpenSSL PRNG:
   
   bool 

Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
Ah, thanks Marcus.  We're talking bits, not bytes, I
see.  In that case, I'm using way too big a number.

Thanks,
Ed


--- Marcus Carey [EMAIL PROTECTED] wrote:
 Ed
 
 
 See the book Network Security with OpenSSL.
 
 With 4 bits of entropy, an attacker has a 1 in 16 chance of guessing the
 right seed.
 
 If you're creating 128-bit keys you should use 128 bits of entropy; anything
 less than 64 bits may not be secure enough.
 I am not sure how nBytes is read.  To get 128 bits of entropy you should use
 nBytes = 16. Right?
 
 However, at nBytes = 128 it takes about 55 seconds to gather entropy on
 Windows.
 
 
 Marcus
 
 
 
 - Original Message -
 From: Edward Chan [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, October 22, 2002 1:13 PM
 Subject: Re: anybody using EGADS?
 
 
  Hi Stephen,
 
  Thanks for the reply.  You're absolutely right. 
 It
  does appear that I am not blocked
 indefinitely...it
  certainly does take a while to gather entropy.  I
 was
  using nBytes = 1024.  Then I tried 512.  Still
 very
  long time.
 
  Any suggestions on what a number should be for
  acceptable randomness?
 
  Does anybody have any alternative suggestions? 
 Does
  anybody know how Apache seeds the OpenSSL PRNG on
  Windows?  I think Apache uses OpenSSL don't they?
 
  Thanks,
  Ed
 
  --- Stephen G. Schoggen
 [EMAIL PROTECTED]
  wrote:
   Ed,
  
   I tried EGADS on Windows (PIII 866) and found that its time to
   'gather entropy' was noticeable beyond nBytes=4.  So if you use a
   relatively large nBytes, then it would appear to block.
  
   Steve
  
  
   Hi there,
   
   Is anybody using EGADS on Windows?  I'm having a
   problem using it.  I've downloaded the source and
   built everything.  The egads service is running.  I've
   written a program that links with egads.dll.  I have a
   function that tries to seed the OpenSSL PRNG:
   
   bool seedPRNG(int nBytes)
   {
       prngctx_t ctx;
       int nError = 0;
   
       // egads_init() reports failure through its last argument.
       egads_init(&ctx, 0, 0, &nError);
       if (nError != 0)
       {
           DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads service running???)"), nError);
           return false;
       }
   
       // Request nBytes bytes of entropy from the egads service (this call can block).
       char* pBuf = new char[nBytes + 1];
       egads_entropy(&ctx, pBuf, nBytes, &nError);
       bool bOK = (0 == nError);
       if (bOK)
       {
           RAND_seed(pBuf, nBytes);
       }
       delete [] pBuf;
   
       egads_destroy(&ctx);
       return bOK;
   }
   
   However, I seem to be blocking inside (presumably as
   egads gathers entropy), but it seems like I never
   unblock.  Can anybody tell me what I'm doing wrong?
   
   Thanks,
   Ed
   
  



Re: OpenSSL PROBLEM on HP-UX 11.00 and 11.11 (11i)

2002-10-22 Thread Lutz Jaenicke
On Mon, Oct 21, 2002 at 02:50:43PM -0700, J wrote:
 Has anyone had trouble with using the OpenSSL library on HP-UX?? I am using version
 0.9.6d and there seems to be an intermittent problem with the digest encryption, or just
 some of the encryption/decryption routines in the OpenSSL toolkit.  It does not happen
 all the time on HP-UX 11i, but it occurs all the time in HP-UX 11.00, in that the
 encryption and decryptions do not work.  This was just recently ported to the HP-UX
 source tree of the product that is using OpenSSL.

We have not had any report about a similar failure. I am using openssl
on HP-UX 10.20 and could not see any problem, yet.

I am afraid, that without a more specific problem report we will not
be able to help you in narrowing down the issue.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



RE: OpenSSL PROBLEM on HP-UX 11.00 and 11.11 (11i)

2002-10-22 Thread Howard Chu
We are using OpenSSL 0.9.6g on HP-UX 11.00 and 11.11 without any trouble.
It's bundled into our CDS package (OpenLDAP+OpenSSL+Heimdal+SASL) and is
available for free download from www.symas.com. We aren't doing anything
fancy here, just using libssl for LDAP connection security, but it works
without any issues.

  -- Howard Chu
  Chief Architect, Symas Corp.   Director, Highland Sun
  http://www.symas.com   http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:owner-openssl-dev;openssl.org]On Behalf Of Lutz Jaenicke
 Sent: Tuesday, October 22, 2002 12:02 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: OpenSSL PROBLEM on HP-UX 11.00 and 11.11 (11i)


 On Mon, Oct 21, 2002 at 02:50:43PM -0700, J wrote:
  Has anyone had trouble with using the OpenSSL library on
 HP-UX?? I am using version
  0.9.6d and there seems to be an intermittent problem with
 the digest encryption, or just
  some of the encryption/decryption routines in the OpenSSL
 toolkit.  It does not happen
  all the time on HP-UX 11i, but it occurs all the time in
 HP-UX 11.00, in that the
  encryption and decryptions do not work.  This was just
 recently ported to the HP-UX
  source tree of the product that is using OpenSSL.

 We have not had any report about a similar failure. I am using openssl
 on HP-UX 10.20 and could not see any problem, yet.

 I am afraid, that without a more specific problem report we will not
 be able to help you in narrowing down the issue.

 Best regards,
   Lutz
 --
 Lutz Jaenicke
 [EMAIL PROTECTED]
 http://www.aet.TU-Cottbus.DE/personen/jaenicke/
 BTU Cottbus, Allgemeine Elektrotechnik
 Universitaetsplatz 3-4, D-03044 Cottbus