RE: Unix SCO 5.05
You can use OpenSSL 0.9.6g. Detailed instructions are given in the 'INSTALL' file, located in the directory where you extracted the openssl archive.

- Sunil

-----Original Message-----
From: Deng Lor [mailto:deng_lor;hotmail.com]
Sent: Tuesday, November 12, 2002 10:51 PM
To: [EMAIL PROTECTED]
Subject: Unix SCO 5.05

Hi all,

I have to build openssl in Unix SCO 5.05, but I have never compiled openssl in unix, and there is not much time left. So, those who have experience in building openssl in Unix SCO, would you mind helping me with the problems below?

1) Which version of openssl is the easiest to build in Unix SCO 5.05? And which version is the most stable in Unix SCO 5.05?
2) Are there any step-by-step manuals I can follow?
3) Are there any things I should take care of?
4) ...

There is really not much time left to me; any help will be very much appreciated!

Thank you!

Deng Lor

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE*
http://join.msn.com/?page=features/junkmail

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
RE: Is a https proxy possible?
Hello,

I don't know of any option in the clients (browsers) that supports your scenario. You could use stunnel (www.stunnel.org), and that could work perfectly, but you will have to install one instance of the stunnel client on each workstation.

Technically, it is possible to encrypt the channel to the proxy, as it is TCP with just one (destination) port.

BTW, what do you mean by "analyze unencrypted network traffic"? Should it be "encrypt/protect unencrypted network traffic"?

Regards,
Alejandro

-----Original Message-----
From: Mike Alberghini [mailto:sysmda;zim.gsu.edu]
Sent: Wednesday, 13 November 2002 03:26 p.m.
To: [EMAIL PROTECTED]
Subject: Is a https proxy possible?

We are trying to set up a system where a server can act as a proxy for http, while automatically encrypting all proxied communication via https. For example:

    (web server) --https-- (proxy) --http-- (browser)

The whole point of this is to be able to analyze the unencrypted network traffic between the proxy and the browser.

Is this even possible? If it is, what would you suggest I use to implement it?

--
Mike Alberghini
Georgia State University
Software System Engineer Associate
[EMAIL PROTECTED]
RE: Is a https proxy possible?
Presumably the point of this exercise is to be able to analyze normally encrypted traffic. It would be easier to write a proxy that simply negotiated with the server as a client and with the browser as a server. Sure, the browser would detect that the server certificate was incorrect (actually a certificate stored on the proxy), but you can choose to ignore this error from the browser. Then it is simply a matter of logging the request/reply pairs.

Christopher Bibbs

-----Original Message-----
From: Mike Alberghini [mailto:sysmda;zim.gsu.edu]
Sent: Wednesday, November 13, 2002 1:26 PM
To: [EMAIL PROTECTED]
Subject: Is a https proxy possible?

We are trying to set up a system where a server can act as a proxy for http, while automatically encrypting all proxied communication via https. For example:

    (web server) --https-- (proxy) --http-- (browser)

The whole point of this is to be able to analyze the unencrypted network traffic between the proxy and the browser.

Is this even possible? If it is, what would you suggest I use to implement it?

--
Mike Alberghini
Georgia State University
Software System Engineer Associate
[EMAIL PROTECTED]

The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it.
Re: Is a https proxy possible?
This sounds like it could be handled by a reverse proxy setup to me. I'm pretty sure Apache Web Server can do this (see the ProxyPass/ProxyPassReverse directives).

--
Tim

> We are trying to set up a system where a server can act as a proxy for http, while automatically encrypting all proxied communication via https. For example:
>
>     (web server) --https-- (proxy) --http-- (browser)
>
> The whole point of this is to be able to analyze the unencrypted network traffic between the proxy and the browser.
>
> Is this even possible? If it is, what would you suggest I use to implement it?
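The forwarding proxy Mike describes (the browser speaks plain HTTP to the proxy, the proxy speaks HTTPS to the origin, and the proxy logs the clear-text request/response pairs), written out as an added example in Python; it is not code from the thread, from Apache or from stunnel. UPSTREAM_HOST, LISTEN_PORT, prepare_upstream_headers, redact_for_log, forward_request and LoggingProxy are names chosen for this example. Unlike the certificate-swapping variant suggested earlier in the thread, this proxy verifies the origin server's certificate with the platform trust store, and it masks credential-bearing headers before they reach the log.

```python
"""HTTP-to-HTTPS forwarding proxy that logs the decrypted request/response pairs.

Added example (not code from the thread): the browser talks plain HTTP to this
proxy, the proxy opens a verified TLS connection to the real web server, and
every exchange is written to the log in clear text.  Assumptions: UPSTREAM_HOST
is the HTTPS server being proxied, and the proxy listens on LISTEN_PORT on a
trusted network segment only.
"""
import http.client
import http.server
import ssl

UPSTREAM_HOST = "www.example.com"   # assumption: the HTTPS origin server
LISTEN_PORT = 8080                  # assumption: plain-HTTP listener for browsers

# RFC 2616 hop-by-hop headers must not be copied between the two connections.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers", "transfer-encoding",
              "upgrade"}
# Header values that carry credentials; they are masked in the log, not dropped.
SENSITIVE = {"authorization", "cookie", "set-cookie", "proxy-authorization"}


def prepare_upstream_headers(headers, upstream_host):
    """Copy the end-to-end headers and point Host at the origin server."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
    out["Host"] = upstream_host
    return out


def redact_for_log(headers):
    """Mask credential-bearing header values before they reach the log file."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE else v)
            for k, v in headers.items()}


def forward_request(method, path, headers, body, conn_factory=None):
    """Send one request upstream over TLS; return (status, headers, body)."""
    if conn_factory is None:
        ctx = ssl.create_default_context()   # verifies the server certificate
        conn_factory = lambda: http.client.HTTPSConnection(
            UPSTREAM_HOST, 443, context=ctx)
    conn = conn_factory()
    try:
        conn.request(method, path, body=body,
                     headers=prepare_upstream_headers(headers, UPSTREAM_HOST))
        resp = conn.getresponse()
        resp_headers = {k: v for k, v in resp.getheaders()
                        if k.lower() not in HOP_BY_HOP}
        return resp.status, resp_headers, resp.read()
    finally:
        conn.close()


class LoggingProxy(http.server.BaseHTTPRequestHandler):
    """Plain-HTTP front end: forwards to the origin and logs both directions."""

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        self.log_message("REQUEST %s %s %s", self.command, self.path,
                         redact_for_log(dict(self.headers)))
        status, headers, data = forward_request(self.command, self.path,
                                                dict(self.headers), body)
        self.log_message("RESPONSE %d %s %d bytes", status,
                         redact_for_log(headers), len(data))
        self.send_response(status)
        for k, v in headers.items():
            if k.lower() != "content-length":   # we send our own, see below
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    server = http.server.HTTPServer(("127.0.0.1", LISTEN_PORT), LoggingProxy)
    server.serve_forever()
```

Point the browser at http://127.0.0.1:8080/ and the REQUEST/RESPONSE lines appear on stderr in clear text; the segment between browser and proxy is plain HTTP, so a sniffer on that segment sees the same thing. The proxy reads each upstream body fully before answering, which is what lets it log a complete pair and send an exact Content-Length.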
RE: simple question !
The former supports several external cryptographic accelerator cards, and the latter does not. Otherwise, the two versions are the same.

Lynn Gazis
Rainbow Technologies

-----Original Message-----
From: ANKIT K SHAH [mailto:anshah;us.ibm.com]
Sent: Wednesday, November 13, 2002 11:01 AM
To: [EMAIL PROTECTED]
Subject: simple question !

Hello all,

What is the difference between openssl-engine-0.9.6g.tar.gz and openssl-0.9.6g.tar.gz downloads?

Thanks in advance,
Ankit Shah.
Re: bad end line:pem_lib.c:762
On Wednesday 13 November 2002 12:17 pm, you wrote:
> $ openssl x509 -noout -modulus -in server.cert | openssl md5
> unable to load certificate
> 26567:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:762:
> d41d8cd98f00b204e9800998ecf8427e

D'oh! An unfaithful cut-n-paste added an extraneous space and left out a newline at the end.
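A pre-flight check for exactly the cut-and-paste damage reported above (a stray space on the END line, a missing final newline, mismatched BEGIN/END labels, or a body that is not base64), as an added example in Python that is not part of the thread and not OpenSSL code. check_pem and the sample PEM are constructed for this example; the sample's base64 payload is dummy data, not a real certificate.

```python
"""Sanity-check a PEM file before feeding it to openssl(1).

Added example, not from the original thread.  OpenSSL's PEM reader is strict:
an "-----END ...-----" line with a trailing space, or a file whose last line has
no newline, yields "PEM routines:PEM_read_bio:bad end line" as in the post
above.  This checker reports those defects so they can be fixed before the
modulus comparison is run.
"""
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def check_pem(text):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()            # drop the empty string after the final newline
    label = None               # label of the block currently open, if any
    body = []                  # base64 lines collected for that block
    for n, line in enumerate(lines, 1):
        stripped = line.rstrip(" \t\r")
        if stripped != line:
            problems.append("line %d has trailing whitespace" % n)
            line = stripped
        m = BEGIN_RE.match(line)
        if m:
            if label is not None:
                problems.append("line %d: BEGIN inside an open %s block" % (n, label))
            label, body = m.group(1), []
            continue
        m = END_RE.match(line)
        if m:
            if label is None:
                problems.append("line %d: END without BEGIN" % n)
            elif m.group(1) != label:
                problems.append("line %d: END %s does not match BEGIN %s"
                                % (n, m.group(1), label))
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except binascii.Error:
                    problems.append("%s block ending at line %d is not valid base64"
                                    % (label, n))
            label = None
            continue
        if label is not None:
            body.append(line)
    if label is not None:
        problems.append("missing END line for %s block" % label)
    return problems


# Constructed sample: a well-formed PEM wrapper around dummy base64 data.
GOOD_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"constructed dummy payload").decode() + "\n"
            + "-----END CERTIFICATE-----\n")
# The same file after the cut-and-paste accident from the post: a trailing
# space on the END line and no newline at the end of the file.
BAD_PEM = GOOD_PEM.replace("-----END CERTIFICATE-----\n", "-----END CERTIFICATE----- ")


def demo():
    """Run the checker over both samples and return the two problem lists."""
    return check_pem(GOOD_PEM), check_pem(BAD_PEM)
```

Once check_pem returns an empty list, the comparison from the post (openssl x509 -noout -modulus on the certificate against openssl rsa -noout -modulus on the key, both piped through openssl md5) is meaningful; the d41d8cd98f00b204e9800998ecf8427e digest in the quoted output is the MD5 of empty input, the tell-tale sign that the first command produced nothing.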
libssl.so.1 and libcrypto.so.1
Does anyone know why these files no longer appear in the distribution? They were in the openssl-0.9.6b-11 version but not in the openssl-0.9.6b-29 version.

John d'Alelio
Sr System Engineer
Psynapse Technologies LLC
Washington D.C. 20007
Re: Is a https proxy possible?
On Wed, Nov 13, 2002 at 04:24:38PM -0300, Alejandro Rusell wrote:
> I don't know of any option in the clients (browsers) that support your scenario.
>
> BTW, what do you mean with analyze unencrypted network traffic? Should it be encrypt/protect unencrypted network traffic?

We have a web system that is already secured via https. My boss wants to be able to sniff the network traffic and understand it. That's why we need a decrypted path. He explained what he wanted in 3 minutes before leaving on a week of vacation, so I'm kind of confused myself. :)

--
Mike Alberghini
Georgia State University
Software System Engineer Associate
[EMAIL PROTECTED]
Re: libssl.so.1 and libcrypto.so.1
In message [EMAIL PROTECTED] on Wed, 13 Nov 2002 14:43:49 -0500, John d'Alelio [EMAIL PROTECTED] said:

jdalelio> does anyone know why these files no longer appear in the distribution? They
jdalelio> were in the openssl-0.9.6b-11 version but not in openssl-0.9.6b-29 version.

I think you're asking at the wrong place. Please ask your operating system distributor.

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                   \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: Is a https proxy possible?
Mike Alberghini [EMAIL PROTECTED] writes:
> On Wed, Nov 13, 2002 at 04:24:38PM -0300, Alejandro Rusell wrote:
>> I don't know of any option in the clients (browsers) that support your scenario.
>>
>> BTW, what do you mean with analyze unencrypted network traffic? Should it be encrypt/protect unencrypted network traffic?
>
> We have a web system that is already secured via https. My boss wants to be able to sniff the network traffic and understand it. That's why we need a decrypted path. He explained what he wanted in 3 minutes before leaving on a week of vacation, so I'm kind of confused myself. :)

If you have the private key for the server, the easiest thing to do is use ssldump (http://www.rtfm.com/ssldump). Then you don't need a proxy, just the key and the ability to sniff.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Re: SSL Config on Tomcat (443 or 8443)
Hi Experts:

THANKS to Mr. Lance for his reply. I tried to modify my /jboss/server/default/deploy/tomcat4-service.xml file as shown below:

--
    <Server>
      <Service name="JBoss-Tomcat">
        <Engine name="MainEngine" defaultHost="localhost">
          <Logger className="org.jboss.web.catalina.Log4jLogger"
                  verbosityLevel="trace"
                  category="org.jboss.web.localhost.Engine"/>
          <Host name="localhost">
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   prefix="localhost_access" suffix=".log" pattern="common"
                   directory="../server/default/log"/>
            <DefaultContext cookies="true" crossContext="true" override="true"/>
          </Host>
        </Engine>

        <!-- A HTTP Connector on port 8080 -->
        <Connector className="org.apache.catalina.connector.http.HttpConnector"
                   port="8080" redirectPort="8443" minProcessors="3"
                   maxProcessors="10" enableLookups="true" acceptCount="10"
                   debug="0" connectionTimeout="6"/>

        <Connector className="org.apache.catalina.connector.http.HttpConnector"
                   port="8443" scheme="https" secure="true">
          <Factory className="org.jboss.web.catalina.security.SSLServerSocketFactory"
                   securityDomainName="java:/jaas/TomcatSSL"
                   clientAuth="false" protocol="TLS"/>
        </Connector>
      </Service>
    </Server>
--

Later when I run my JBOSS, I get the following errors - wonder why?

--
13:47:35,031 ERROR [EmbeddedCatalinaServiceSX] Starting failed
java.lang.NullPointerException
        at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:74)
        at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:57)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.startup.Embedded.start(Embedded.java:962)
        at org.jboss.web.catalina.EmbeddedCatalinaServiceSX.startService(EmbeddedCatalinaServiceSX.java:189)
        at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:162)
        at java.lang.reflect.Method.invoke(Native Method)
13:47:35,132 ERROR [SARDeployer] start operation failed on package file:/jboss-3.0.0_tomcat-4.0.3/server/default/deploy/tomcat4-service.xml
java.lang.NullPointerException
        at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:74)
        at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:57)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.startup.Embedded.start(Embedded.java:962)
        at org.jboss.web.catalina.EmbeddedCatalinaServiceSX.startService(EmbeddedCatalinaServiceSX.java:189)
13:47:35,269 ERROR [MainDeployer] could not start deployment: file:/jboss-3.0.0_tomcat-4.0.3/server/default/deploy/tomcat4-service.xml
org.jboss.deployment.DeploymentException: - nested throwable: (java.lang.NullPointerException)
        at org.jboss.deployment.SARDeployer.start(SARDeployer.java(Compiled Code))
        at org.jboss.deployment.MainDeployer.start(MainDeployer.java:678)
 + nested throwable: java.lang.NullPointerException
        at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:74)
        at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:57)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.startup.Embedded.start(Embedded.java:962)
        at org.jboss.web.catalina.EmbeddedCatalinaServiceSX.startService(EmbeddedCatalinaServiceSX.java:189)
        at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:162)
13:47:35,382 ERROR [URLDeploymentScanner] Failed to deploy: org.jboss.deployment.scanner.URLDeploymentScanner$DeployedURL@716eee7e{ url=file:/jboss-3.0.0_tomcat-4.0.3/server/default/deploy/tomcat4-service.xml, deployedLastModified=0 }
org.jboss.deployment.DeploymentException: - nested throwable: (java.lang.NullPointerException)
        at org.jboss.deployment.SARDeployer.start(SARDeployer.java(Compiled Code))
        at org.jboss.deployment.MainDeployer.start(MainDeployer.java:678)
        at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:513)
        at
Re: libssl.so.1 and libcrypto.so.1
If it's RedHat, AFAIK we have the following situation and the following fix.

    0.9.5b is libcrypto.so.0 and libssl.so.0
    0.9.6  is libcrypto.so.1 and libssl.so.1
    0.9.6b is libcrypto.so.2 and libssl.so.2

Recreate these symlinks:

    ln -s /usr/local/ssl/lib/libcrypto.so /usr/lib/libcrypto.so.1
    ln -s /usr/local/ssl/lib/libcrypto.so /usr/lib/libcrypto.so.2
    ln -s /usr/local/ssl/lib/libssl.so /usr/lib/libssl.so.1
    ln -s /usr/local/ssl/lib/libssl.so /usr/lib/libssl.so.2

Enjoy,

--
El Tonno

--On Wednesday, November 13, 2002 9:15 PM +0100 Richard Levitte - VMS Whacker [EMAIL PROTECTED] wrote:

> In message [EMAIL PROTECTED] on Wed, 13 Nov 2002 14:43:49 -0500, John d'Alelio [EMAIL PROTECTED] said:
>
> jdalelio> does anyone know why these files no longer appear in the distribution? They
> jdalelio> were in the openssl-0.9.6b-11 version but not in openssl-0.9.6b-29 version.
>
> I think you're asking at the wrong place. Please ask your operating system distributor.
>
> --
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Redakteur@Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
>                    \      SWEDEN       \ or +46-708-26 53 44
> Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: Is a https proxy possible?
> Presumably the point of this exercise is to be able to analyze normally encrypted traffic.

That's what I thought when I first read your problem description.

IMHO, you're going at this the wrong way. Set up a second box running snort. Set it up to read the encrypted traffic... and use a decrypting engine. (Something like ssldump - I don't know for sure that snort has this yet, but you could always hack something together from the ssldump source.) You'll require the server's private key to decrypt the traffic, but that shouldn't be a problem if that really is your own secure web server. :-)

The benefit is that snort can log as much or as little as you want. Once you have the monitor set up, it's just a matter of deciding what to log and how to set up subsequent queries to the database backend.

One possible gotcha is that I'm not sure ssldump works with servers set up for perfect forward secrecy.

THAT SAID, I find this rationale very strange. I've given this some thought, but only because I was trying to determine whether it was possible to set up a snort-based NIDS to monitor encrypted traffic for an indication that I would want to drop the connection at the firewall. If you just want to know what's going to/from the web server, it makes a lot more sense to instrument that server than go through the hassles of setting up a sniffer.

Bear
Re: SSL Config on Tomcat (443 or 8443)
Oops, I'm not an expert on mbeans, etc. so I wasn't sure what all you needed. Here's what we're using for the tomcat-service.xml file. (I've 'd out the private pieces.) The keystore is located in the jboss/server/default/conf/ directory.

I would seriously recommend upgrading your JBoss/Tomcat bundle to the most recent stable versions. Currently this is JBoss-3.0.4_Tomcat-4.0.6. DO NOT mix configuration xml files between the JBoss versions; they have made changes/additions throughout the 3.0.x releases. I have gone down that road and have screwed things up so badly as to cause a fatal error in the JVM itself - complete with a notice to contact Sun. You'll most likely need to re-edit files rather than copy them from an older release. Errors in the log files are not very easy to track down to find the true root cause.

Note that the defaultHost attribute of the Engine tag must match the name attribute of an enclosed Host tag. You can have Alias tags inside a Host tag. Also, you can use an Address attribute in the Connector tags to specify an IP address to bind to.

    <?xml version="1.0" encoding="UTF-8"?>

    <!-- Set catalina.home to the location of the Tomcat-4.x dist. The default
         value is that of the JBoss/Catalina bundle where the
         jakarta-tomcat-4.0.3-LE-jdk14 is included as jboss_dist/catalina -->
    <!DOCTYPE server [
      <!ENTITY catalina.home "../catalina">
    ]>

    <!-- The service configuration for the embedded Tomcat4 web container -->
    <server>
      <classpath codebase="file:&catalina.home;/common/lib/" archives="*"/>
      <classpath codebase="file:&catalina.home;/server/lib/" archives="*"/>
      <classpath codebase="file:&catalina.home;/bin/" archives="*"/>
      <classpath codebase="file:&catalina.home;/lib/" archives="*"/>
      <classpath codebase="." archives="tomcat4-service.jar"/>

      <!-- The SSL domain setup -->
      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
             name="Security:service=JaasSecurityDomain,domain=TomcatSSL">
        <depends>jboss.security:service=JaasSecurityManager</depends>
        <constructor>
          <arg type="java.lang.String" value="TomcatSSL"/>
        </constructor>
        <attribute name="KeyStoreURL">-ssl.keystore</attribute>
        <attribute name="KeyStorePass"></attribute>
      </mbean>

      <mbean code="org.jboss.web.catalina.EmbeddedCatalinaServiceSX"
             name="jboss.web:service=EmbeddedCatalinaSX">
        <attribute name="CatalinaHome">&catalina.home;</attribute>
        <!-- Uncomment this if you want interval snapshot for the session clustering.
        <attribute name="SnapshotMode">interval</attribute>
        <attribute name="SnapshotInterval">2000</attribute>
        -->
        <attribute name="Config">
          <Server>
            <Service name="JBoss-Tomcat">
              <Engine name="MainEngine" defaultHost="www..com">
                <Logger className="org.jboss.web.catalina.Log4jLogger"
                        verbosityLevel="trace"
                        category="org.jboss.web.localhost.Engine"/>
                <Host name="www..com">
                  <Valve className="org.apache.catalina.valves.AccessLogValve"
                         prefix="localhost_access" suffix=".log" pattern="common"
                         directory="../server/default/log"/>
                  <DefaultContext cookies="true" crossContext="true" override="true"/>
                </Host>
              </Engine>

              <!-- A HTTP Connector on port 80 -->
              <Connector className="org.apache.catalina.connector.http.HttpConnector"
                         port="80" redirectPort="443" minProcessors="3"
                         maxProcessors="10" enableLookups="true" acceptCount="10"
                         debug="0" connectionTimeout="6"/>

              <!-- SSL/TLS Connector configuration using the SSL domain keystore -->
              <Connector className="org.apache.catalina.connector.http.HttpConnector"
                         port="443" scheme="https" secure="true">
                <Factory className="org.jboss.web.catalina.security.SSLServerSocketFactory"
                         securityDomainName="java:/jaas/TomcatSSL"
                         clientAuth="false" protocol="TLS"/>
              </Connector>
            </Service>
          </Server>
        </attribute>
      </mbean>
    </server>

Hope this helps.

r,
Lance
www.newparticles.com

snip-o-rama
Re: Please help: SSL_read() hang after read http 100 continue header
Lin

No, I am not an OpenSSL developer. However, I have built several server and client applications using OpenSSL. The following code works with IE 5.0 and the simple client program I sent you.

    BIO_puts(io, "HTTP/1.1 100 Continue\r\n");
    BIO_puts(io, "Server: Microsoft-IIS/5.0\r\n");
    BIO_puts(io, "Date: Wed, 30 Oct 2002 06:34:56 GMT\r\n\r\n");
    /* the extra 0d 0a after the Date header is needed to tell the browser it
       has reached the end of the block before reading the 200 response code */
    /* Without the \r\n the server sends an invalid response to the browser */
    BIO_puts(io, "HTTP/1.1 200 OK\r\n");
    BIO_puts(io, "Server: Microsoft-IIS/5.0\r\n");
    BIO_puts(io, "Date: Wed, 30 Oct 2002 06:35:07 GMT\r\n");
    BIO_puts(io, "Content-Length: 1863\r\n");
    BIO_puts(io, "Content-Type: text/html\r\n");
    BIO_puts(io, "Expires: Wed, 30 Oct 2002 06:35:07 GMT\r\n");
    BIO_puts(io, "Cache-control: private\r\n");
    BIO_puts(io, "\r\n");
    BIO_puts(io, "<html>\r\n");
    BIO_puts(io, "<head>\r\n");
    BIO_puts(io, "<title>BIO Openssl Test Server</title>\r\n");
    BIO_puts(io, "</head>\r\n");
    BIO_puts(io, "<body>\r\n");
    BIO_puts(io, "<center><font face=\"Verdana\">BIO OpenSSL Test Server</font></center>\r\n");
    BIO_puts(io, "</body>\r\n");
    BIO_puts(io, "</html>\r\n");

Browser output:

    <html>
    <head>
    <title>BIO Openssl Test Server</title>
    </head>
    <body>
    <center><font face="Verdana">BIO OpenSSL Test Server</font></center>
    </body>
    </html>

Simple client output:

    Wrote 17 chars
    Handshake completed successfully!
    Read 411 chars:
    HTTP/1.1 100 Continue
    Server: OpenSSL/1.0
    Date: Wed, 30 Oct 2002 06:34:56 GMT

    HTTP/1.1 200 OK
    Date: Wed, 30 Oct 2002 06:35:07 GMT
    Content-Length: 1863
    Content-Type: text/html
    Expires: Wed, 30 Oct 2002 06:35:07 GMT
    Cache-control: private

    <html>
    <head>
    <title>BIO Openssl Test Server</title>
    </head>
    <body>
    <center><font face="Verdana">BIO OpenSSL Test Server</font></center>
    </body>
    </html>

I am running this code on Windows 2000 Server with VC++ 6.0. Send me your client or server code so that I can look at it.

----- Original Message -----
From: Lutz Jaenicke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 13, 2002 1:13 PM
Subject: Re: Please help: SSL_read() hang after read http 100 continue header

On Wed, Nov 13, 2002 at 09:53:34AM -0800, Lin Ma wrote:
> I have a client program using Openssl to send request to and receive response from a web server. SSL_read hangs if the web server sends the following headers. The following is the header dump without SSL. I think the problem is the separator 0d 0a 0d 0a between the two block of headers.

No. The SSL layer does not care about the data transferred, whether it is line oriented or not.

> ...
> You can see, it is like
>
> HTTP/1.1 100 Continue
> Server: Microsoft-IIS/5.0
> Date: Wed, 30 Oct 2002 06:34:56 GMT
> 0d 0a 0d 0a
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Wed, 30 Oct 2002 06:34:56 GMT
> Content-Length: 1863
> .
>
> There is separator 0d 0a 0d 0a between the two block of headers. My program just stuck in the separator and couldn't get the following HTTP/1.1 200 OK
> ...
> If I change it to non-blocking, SSL_read() doesn't hang any more, but it keep getting SSL_ERROR_WANT_READ error, if I keeping SSL_read, it keep getting SSL_ERROR_WANT_READ and doesn't return valid data.

This means that no data has been received, or at least not enough data to complete the TLS record. SSL_read() is waiting for (more) data. Use ssldump to analyze the traffic.

What platform are you working on? Windows or UNIX? Can you try your program on another platform? Microsoft IIS is not known to be free of errors, but it seems to work well enough that I don't think the problem is caused by the server side.

Best regards,
Lutz

--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
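The HTTP-level handling that the exchange above is really about, as an added example in Python (not code from Lin, Lutz, or the reply above): a 1xx status line plus its headers is a complete interim response terminated by its own blank line (the 0d 0a 0d 0a in the dump), and the final response follows on the same connection. A client must therefore read status blocks until it sees a non-1xx status, and then read exactly Content-Length bytes, instead of stopping at the first blank line or waiting for more bytes after the body has already arrived, which is what an endless SSL_ERROR_WANT_READ looks like. read_http_response, _read_head, SAMPLE and BODY are names constructed for this example; the sample stream is constructed to match the shape of the IIS dump in the thread and works the same way over a TLS-wrapped socket's makefile() as over a plain one.

```python
"""Read an HTTP response that begins with a '100 Continue' interim reply.

Added example, not code from the thread.  The separator between the two
header blocks (0d 0a 0d 0a) is ordinary HTTP framing: a 1xx status is a
complete response of its own, terminated by a blank line, and the final
response follows.  The reader works on any binary file-like object (for
example the result of ssl_socket.makefile("rb")); the sample is constructed.
"""
import io


def _read_head(stream):
    """Return (status_code, headers) for one status line plus header block."""
    line = stream.readline()
    if not line:
        raise ConnectionError("connection closed before status line")
    parts = line.decode("iso-8859-1").rstrip("\r\n").split(" ", 2)
    status = int(parts[1])
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):
            break                      # blank line ends this header block
        name, _, value = line.decode("iso-8859-1").rstrip("\r\n").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def read_http_response(stream):
    """Skip 1xx interim responses, then return (status, headers, body, interim)."""
    interim = []
    status, headers = _read_head(stream)
    while 100 <= status < 200:
        interim.append(status)         # 1xx never carries a body (RFC 2616 10.1)
        status, headers = _read_head(stream)
    length = int(headers.get("content-length", 0))
    body = b""
    while len(body) < length:          # read exactly Content-Length bytes, no more
        chunk = stream.read(length - len(body))
        if not chunk:
            raise ConnectionError("connection closed mid-body")
        body += chunk
    return status, headers, body, interim


# Constructed sample with the same shape as the IIS dump quoted in the thread.
BODY = b"<html><body>BIO OpenSSL Test Server</body></html>\r\n"
SAMPLE = (b"HTTP/1.1 100 Continue\r\n"
          b"Server: Microsoft-IIS/5.0\r\n"
          b"Date: Wed, 30 Oct 2002 06:34:56 GMT\r\n"
          b"\r\n"
          b"HTTP/1.1 200 OK\r\n"
          b"Server: Microsoft-IIS/5.0\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
          b"Content-Type: text/html\r\n"
          b"\r\n" + BODY)


def demo():
    """Parse the constructed sample; returns (status, headers, body, interim)."""
    return read_http_response(io.BytesIO(SAMPLE))
```

The reader stops as soon as the declared body length has been consumed. A blocking SSL_read() issued after that point has nothing to wait for and will sit there until the server closes the connection, which is the symptom in the original report when the client tries to read "the rest" of a response that has already been delivered in full.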
Re: How can I add 8-bit charset/unicode strings to certs?
On Wed, Nov 13, 2002 at 09:35:47AM +0100, Karl-Michael Werzowa wrote:
> letters, etc. (If you use an Ö or Ä it may be easy, but what about hungarian, slovak, croatian characters? How to type these? Do you know the possible transcripts?) The best way seems to be to have an ascii transcript and the full BMPString in LDAP and certificates.

Don't get me started! :-)

As it is, we're talking about Microsoft Active Directory LDAP here - so I need to find out just what that is from a charset point of view. I mean, M$ make a big thing over Unicode - but the LDAP data certainly isn't Unicode. In fact, from what I can find off Google, LDAP (including AD) uses ISO-10646 - which is a superset of Unicode. Apparently all standard ASCII chars stay the same, and the rest are converted into the double-byte Unicode. However, I'm definitely getting ASCII-8bit chars out of LDAP - so I don't know what the hell's going on :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Please help: SSL_read() hang after read http 100 continue header
On Wed, Nov 13, 2002 at 09:53:34AM -0800, Lin Ma wrote:
> I have a client program using Openssl to send request to and receive response from a web server. SSL_read hangs if the web server sends the following headers. The following is the header dump without SSL. I think the problem is the separator 0d 0a 0d 0a between the two block of headers.

No. The SSL layer does not care about the data transferred, whether it is line oriented or not.

> ...
> You can see, it is like
>
> HTTP/1.1 100 Continue
> Server: Microsoft-IIS/5.0
> Date: Wed, 30 Oct 2002 06:34:56 GMT
> 0d 0a 0d 0a
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Wed, 30 Oct 2002 06:34:56 GMT
> Content-Length: 1863
> .
>
> There is separator 0d 0a 0d 0a between the two block of headers. My program just stuck in the separator and couldn't get the following HTTP/1.1 200 OK
> ...
> If I change it to non-blocking, SSL_read() doesn't hang any more, but it keep getting SSL_ERROR_WANT_READ error, if I keeping SSL_read, it keep getting SSL_ERROR_WANT_READ and doesn't return valid data.

This means that no data has been received, or at least not enough data to complete the TLS record. SSL_read() is waiting for (more) data. Use ssldump to analyze the traffic.

What platform are you working on? Windows or UNIX? Can you try your program on another platform? Microsoft IIS is not known to be free of errors, but it seems to work well enough that I don't think the problem is caused by the server side.

Best regards,
Lutz

--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
IMPORTANT: Please try these specific snapshots
As we're starting up our release process again, we need to have as many people as possible test the latest snapshots for us. I can personally cover Debian GNU/Linux on i386.

-- 0.9.6h:

One of the upcoming releases will be 0.9.6h (basically to fix all bugs that have been found in 0.9.6g and in the development branches), which will happen very soon (we haven't set a fixed date yet, but my personal guess is early next week). Therefore, the most urgent snapshots to test are:

    openssl-0.9.6-stable-SNAP-200211xx.tar.gz    non-engine version
    openssl-e-0.9.6-stable-SNAP-200211xx.tar.gz  engine version

where 'xx' really is the highest day number you can find. At the point of writing, it's '12', but tomorrow, it will be '13'.

I'm trying to keep the engine version as tightly synchronised with the non-engine version as I possibly can.

-- 0.9.7:

OpenSSL version 0.9.7 is also on its way, starting Tuesday next week when we hope to get beta 4 rolling (it will depend on a certain patch that will hopefully be sent to us very soon). We expect that release to have problems, considering everything that has gone in since beta 3, so we will not call that a final beta. Instead, we're giving it about two weeks to get thoroughly tested, and will then release beta 5 on December 3rd. That one will hopefully be a final beta, and we're giving it a week for tests, and have a full release on December 10th.

-- In summary:

Starting now: please try every snapshot you can, as often as you can. The current important snapshot names are:

    openssl-0.9.6-stable-SNAP-2002mmdd.tar.gz
    openssl-e-0.9.6-stable-SNAP-2002mmdd.tar.gz
    openssl-0.9.7-stable-SNAP-2002mmdd.tar.gz

where 'mmdd' is the current month and day numbers.

    Between now and November 19 (included):  Release of 0.9.6h
    November 19:                             Release of 0.9.7 beta 4
    December 3:                              Release of 0.9.7 beta 5 (hopefully beta)
    December 10:                             Release of 0.9.7

NOTE: during the beta testing periods, we may ask for targeted tests of snapshots.

It would be nice if people who're willing to help could make themselves known.

Updates will be available on the web: http://www.openssl.org/news/state.html

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                   \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: How can I add 8-bit charset/unicode strings to certs?
At 11:42 14.11.2002 +1300, you wrote:
> On Wed, Nov 13, 2002 at 09:35:47AM +0100, Karl-Michael Werzowa wrote:
>> letters, etc. (If you use an Ö or Ä it may be easy, but what about hungarian, slovak, croatian characters? How to type these? Do you know the possible transcripts?) The best way seems to be to have an ascii transcript and the full BMPString in LDAP and certificates.
>
> Don't get me started! :-)
>
> As it is, we're talking about Microsoft Active Directory LDAP here - so I need to find out just what that is from a charset point of view. I mean, M$ make a big thing over Unicode - but the LDAP data certainly isn't Unicode. In fact, from what I can find off Google, LDAP (include AD) uses ISO-10646 - which is a superset of Unicode. Apparently all standard ASCII chars stay the same, and the rest are converted into the double-byte Unicode. However, I'm definitely getting ASCII-8bit chars out of LDAP - so I don't know what the hell's going on :-)
>
> --
> Cheers
>
> Jason Haar

LDAP normally uses UTF-8, which is a way to encode iso-10646 characters. 7bit ascii looks the same in utf-8 and ascii, but higher up the charset the encoding takes 2 (in case of a simple Ö) to 6 characters. And that works. I have a CA with an ö in its name, and I can fetch its CRL from LDAP without problems.

One hint: Your LDAP server might behave differently depending on the client's version number. Do you use version 3? See RFC2553.

Jörn
(Guess why there is an ö in my CA certificate)
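The three byte forms of the same name that this sub-thread keeps circling (UTF-8 as LDAP sends it, single-byte ISO-8859-1 as Jason sees coming out of his directory, and the BMPString/UTF8String forms that end up inside a certificate's DirectoryString), as an added example in Python that is not code from the thread or from OpenSSL. decode_ldap_value, der_utf8string, der_bmpstring and _der_length are names constructed for this example; the DER encoders assume a single definite-length ASN.1 string and no tag classes beyond the universal ones.

```python
"""Tell UTF-8 and Latin-1 LDAP values apart, and encode a name as an X.509
DirectoryString (UTF8String or BMPString) in DER.

Added example, not from the thread.  The LDAP value "Jörn" arrives as UTF-8
(two bytes for ö) from an LDAPv3 server; a single 8-bit byte for ö means the
data was stored or returned as ISO-8859-1.  decode_ldap_value() tries UTF-8
first and falls back to Latin-1 only when the bytes are not valid UTF-8, so
the common case is never misread.
"""


def decode_ldap_value(raw):
    """Decode an LDAP attribute value: UTF-8 first, ISO-8859-1 as the fallback."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("iso-8859-1")   # the "ASCII-8bit" case from the post


def _der_length(n):
    """DER definite-length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_utf8string(text):
    """ASN.1 UTF8String (universal tag 12, 0x0C): UTF-8 payload."""
    payload = text.encode("utf-8")
    return b"\x0c" + _der_length(len(payload)) + payload


def der_bmpstring(text):
    """ASN.1 BMPString (universal tag 30, 0x1E): UCS-2 big-endian payload.

    Only characters in the Basic Multilingual Plane (U+0000..U+FFFF) fit; a
    supplementary-plane character would need a surrogate pair, which BMPString
    does not allow, so it is rejected rather than silently mis-encoded.
    """
    for ch in text:
        if ord(ch) > 0xFFFF:
            raise ValueError("BMPString cannot hold characters outside the BMP")
    payload = text.encode("utf-16-be")
    return b"\x1e" + _der_length(len(payload)) + payload


def describe(raw):
    """Decode an LDAP byte string and return both DER encodings of the result."""
    text = decode_ldap_value(raw)
    return text, der_utf8string(text), der_bmpstring(text)
```

Feeding the two constructed inputs b"J\xc3\xb6rn" (UTF-8) and b"J\xf6rn" (Latin-1) to describe() yields the same decoded "Jörn" and therefore the same DER output, which is the property a CA wants: the certificate's subject should not depend on which transport encoding the directory happened to use. Run a DER output through openssl asn1parse -inform DER to see the tag names printed as UTF8STRING and BMPSTRING respectively.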
Re: IMPORTANT: Please try these specific snapshots
Richard,

Exactly what are you testing, installation, routines etc.? I have RH Linux on i686, Windows 2000 Server and Windows Professional.

Marcus

----- Original Message -----
From: Richard Levitte - VMS Whacker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 13, 2002 3:02 PM
Subject: IMPORTANT: Please try these specific snapshots

> As we're starting up our release process again, we'd need to have as many as possible test the latest snapshots for us. I can personally cover Debian GNU/Linux on i386.
>
> -- 0.9.6h:
>
> One of the upcoming releases will be 0.9.6h (basically to fix all bugs that have been found in 0.9.6g and in the development branches), which will happen very soon (we haven't set a fixed date yet, but my personal guess is early next week). Therefore, the most urgent snapshots to test are:
>
>   openssl-0.9.6-stable-SNAP-200211xx.tar.gz    non-engine version
>   openssl-e-0.9.6-stable-SNAP-200211xx.tar.gz  engine version
>
> where 'xx' really is the highest day number you can find. At the point of writing, it's '12', but tomorrow, it will be '13'. I'm trying to keep the engine version as tightly synchronised with the non-engine version as I possibly can.
>
> -- 0.9.7:
>
> OpenSSL version 0.9.7 is also on its way, starting Tuesday next week when we hope to get beta 4 rolling (it will depend on a certain patch that will hopefully be sent to us very soon). We expect that release to have problems, considering everything that has gone in since beta 3, so we will not call that a final beta. Instead, we're giving it about two weeks to get thoroughly tested, and will then release beta 5 December 3rd. That one will hopefully be a final beta, and we're giving it a week for tests, and have a full release on December 10th.
>
> -- In summary:
>
> Starting now: please try every snapshot you can, as often as you can. The current important snapshot names are:
>
>   openssl-0.9.6-stable-SNAP-2002mmdd.tar.gz
>   openssl-e-0.9.6-stable-SNAP-2002mmdd.tar.gz
>   openssl-0.9.7-stable-SNAP-2002mmdd.tar.gz
>
> where 'mmdd' is the current month and day numbers.
>
> Between now and November 19 (included): Release of 0.9.6h
> November 19: Release of 0.9.7 beta 4
> December 3: Release of 0.9.7 beta 5 (hopefully beta)
> December 10: Release of 0.9.7
>
> NOTE: during the beta testing periods, we may ask for targeted tests of snapshots. It would be nice if people who're willing to help could make themselves known.
>
> Updates will be available on the web: http://www.openssl.org/news/state.html
>
> --
> Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
> \ SWEDEN \ or +46-708-26 53 44
> Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: IMPORTANT: Please try these specific snapshots
In message 002301c28b72$8d1d1060$142c2e04@internet on Wed, 13 Nov 2002 16:12:32 -0800, marcus.carey [EMAIL PROTECTED] said:

marcus.carey> Exactly what are you testing, installation, routines etc.

Tests that need to be performed:

- configuration and build
- test suite
- installation (be wise and do it in some temporary directory)

Optional things would be to test the following:

- build and run mod_ssl with the new installation
- build and run OpenSSH with the new installation

Note that 0.9.7 can produce shared libraries. It would be nice if they were tested as well with other applications.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
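An added example, not a script from the OpenSSL project or from anyone in this thread, that turns Richard's list into a repeatable procedure: pick the newest dated snapshot tarball for a given branch out of whatever sits in the download directory (the "highest day number you can find"), then configure, build, run the test suite and install it into a throwaway prefix so the system OpenSSL is never touched. The tarball names used in the self-check are constructed from the patterns quoted above; the `./config`, `make`, `make test`, `make install` sequence is the standard one from the INSTALL file, and the `/tmp/openssl-snap.XXXXXX` prefix template is an assumption.

```shell
#!/bin/sh
# Added example (not OpenSSL project tooling): choose the newest snapshot for a
# branch and build/test/install it under a scratch prefix.

# pick_latest_snapshot BRANCH NAME...
# BRANCH is the part between "openssl-" and "-SNAP": 0.9.6-stable,
# e-0.9.6-stable or 0.9.7-stable.  Snapshot dates are yyyymmdd, so a plain
# lexical sort is also a chronological sort; the last line is the newest.
pick_latest_snapshot() {
    branch=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    shift
    printf '%s\n' "$@" \
        | grep -E "^openssl-${branch}-SNAP-[0-9]{8}\.tar\.gz$" \
        | sort \
        | tail -n 1
}

# build_snapshot TARBALL
# Unpack, configure with a private prefix, build, run the test suite and
# install there.  A failure at any step leaves the tree in place for inspection.
build_snapshot() {
    tarball=$1
    prefix=$(mktemp -d /tmp/openssl-snap.XXXXXX) || return 1   # assumed template
    srcdir=$(basename "$tarball" .tar.gz)
    tar xzf "$tarball" || return 1
    (
        cd "$srcdir" &&
        ./config --prefix="$prefix" --openssldir="$prefix/ssl" &&
        make &&
        make test &&
        make install
    ) || { echo "build/test failed for $tarball (tree left in $srcdir)" >&2; return 1; }
    echo "installed $tarball under $prefix"
}

# Usage: sh snaptest.sh 0.9.6-stable openssl-*.tar.gz
# Only runs the build when a branch and some file names are given.
if [ $# -ge 2 ]; then
    latest=$(pick_latest_snapshot "$@") && [ -n "$latest" ] && build_snapshot "$latest"
fi
```

Give it the branch name and a glob of everything downloaded; the engine and non-engine 0.9.6 snapshots are separate branches here because their names differ only by the `e-` prefix, so each gets built and tested on its own.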
SSL v3.0 Renegotiation
Can someone please confirm for me that, by default, OpenSSL never requests a renegotiation and that if you want it to initiate a renegotiation, you have to specify a timeout or byte count.

DS
--
David Schwartz [EMAIL PROTECTED]
Re: MS Certs and x509 -email extract
On Tue, Nov 12, 2002, Henry E. Thorpe wrote:

> Question: Is there a standard for how the e-mail address is supposed to be contained in the Subject or Alternative name extension of an X.509 certificate?
>
> We have some folks trying to set up a PKI using a Microsoft Certificate server. I noted that openssl x509 doesn't successfully extract the email address from their certs. The quote from them is: "The Subject in our certificates uses the default method provided by Microsoft's CA."
>
> As an example, a Verisign Class 1 Individual certificate (see attached) parses just fine:
>
>   [thorpe@ermine tmp]$ openssl x509 -in mikeschiraldi.crt -noout -email
>   [EMAIL PROTECTED]
>   [thorpe@ermine tmp]$
>
> Whereas the MS Cert Server ones don't:
>
>   [thorpe@ermine tmp]$ openssl x509 -in henrysmime.crt -noout -email
>   [thorpe@ermine tmp]$
>
> I think that's because Verisign places the Email in the CN field:
>
>   Subject: [stuff]CN=Mike [EMAIL PROTECTED]
>
> Whereas the MS server places it in the other noise in the Subject line:
>
>   Subject: [EMAIL PROTECTED], [stuff] CN=Henry E Thorpe
>
> I've also seen:
>
>   X509v3 Subject Alternative Name:
>     email:[EMAIL PROTECTED], email:[EMAIL PROTECTED]
>
> which also works:
>
>   [thorpe@ermine tmp]$ openssl x509 -in alt-smime.crt -noout -email
>   [EMAIL PROTECTED]
>   [EMAIL PROTECTED]
>   [thorpe@ermine tmp]$
>
> Can anyone help me point these folks in the right direction? TIA for any hints.

Email is always in a separate field. You get some odd looking subject names because of a quirk in the default OpenSSL print routines which are retained for compatibility. If you use the -nameopt option to the x509 utility with oneline or multiline it may make things a bit clearer.

Now the reason why the cert you included doesn't display the email address is because of a bug in OpenSSL: it would miss the email address if it was at the start of the subject name. I've checked in a fix which will appear in the next snapshots.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
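A worked example, added here and not code from OpenSSL or from anyone posting in either thread, that covers two points raised above: the charset question (how the same CN looks as a UTF8String versus a BMPString in a DER Name, and what to do when an LDAP server hands back raw 8-bit bytes instead of UTF-8, as Jason saw) and Steve's point that the e-mail address is its own emailAddress attribute, which an extractor must find wherever it sits in the subject, first RDN included, and also as an rfc822Name in subjectAltName. The DER blobs, the names and the addresses are constructed in the file rather than taken from real certificates; only the Python standard library is used.

```python
"""Added example (not OpenSSL code): DER Name encode/decode with string-type
handling, e-mail extraction from Name and subjectAltName, LDAP byte decoding.
All DER below is constructed here, not taken from real certificates."""

# Universal ASN.1 tags and the two attribute OIDs used below (DER-encoded).
UTF8STRING, PRINTABLESTRING, IA5STRING, BMPSTRING = 0x0C, 0x13, 0x16, 0x1E
OID, SEQUENCE, SET = 0x06, 0x30, 0x31
OID_CN = bytes.fromhex("550403")                  # 2.5.4.3 commonName
OID_EMAIL = bytes.fromhex("2a864886f70d010901")   # 1.2.840.113549.1.9.1 emailAddress
SHORT = {OID_CN: "CN", OID_EMAIL: "emailAddress"}


def der_len(n):
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_string(tag, text):
    """BMPString is UCS-2 big-endian (two bytes per character), UTF8String is
    UTF-8 (1 to 4 bytes per character), the others must stay 7-bit ASCII."""
    if tag == BMPSTRING:
        return text.encode("utf-16-be")
    if tag == UTF8STRING:
        return text.encode("utf-8")
    return text.encode("ascii")


def decode_string(tag, body):
    if tag == BMPSTRING:
        return body.decode("utf-16-be")
    if tag == UTF8STRING:
        return body.decode("utf-8")
    return body.decode("ascii")       # PrintableString / IA5String


def rdn(oid, tag, text):
    """One RDN: SET { SEQUENCE { OID, value } }."""
    return tlv(SET, tlv(SEQUENCE, tlv(OID, oid) + tlv(tag, encode_string(tag, text))))


def name(*rdns):
    return tlv(SEQUENCE, b"".join(rdns))


def read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


def parse_name(der):
    """Return [(oid_bytes, text), ...] in the order the RDNs appear."""
    _, seq, _ = read_tlv(der, 0)
    out = []
    for _, rdn_set in iter_tlvs(seq):
        for _, atv in iter_tlvs(rdn_set):
            (_, oid), (tag, value) = list(iter_tlvs(atv))[:2]
            out.append((oid, decode_string(tag, value)))
    return out


def format_name(der):
    """Oneline rendering in the spirit of `x509 -nameopt oneline`."""
    return ", ".join(f"{SHORT.get(oid, oid.hex())}={text}" for oid, text in parse_name(der))


def emails_from_name(der):
    """Every emailAddress attribute, whatever its position (first RDN included)."""
    return [text for oid, text in parse_name(der) if oid == OID_EMAIL]


def emails_from_san(ext_value):
    """subjectAltName extnValue is SEQUENCE OF GeneralName; rfc822Name is
    [1] IMPLICIT IA5String, i.e. tag byte 0x81."""
    _, seq, _ = read_tlv(ext_value, 0)
    return [body.decode("ascii") for tag, body in iter_tlvs(seq) if tag == 0x81]


def ldap_bytes_to_text(raw):
    """LDAPv3 carries UTF-8.  If the server returned raw 8-bit bytes instead
    (0xF6 for 'ö'), UTF-8 decoding fails; fall back to Latin-1 and say so."""
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode("latin-1"), "latin-1"


# Constructed sample data (addresses and names are made up for this example):
# the Microsoft-CA layout with emailAddress first, one CN in two encodings,
# and a subjectAltName value carrying two rfc822Name entries.
MS_STYLE = name(rdn(OID_EMAIL, IA5STRING, "henry@example.com"),
                rdn(OID_CN, PRINTABLESTRING, "Henry E Thorpe"))
CA_UTF8 = name(rdn(OID_CN, UTF8STRING, "Jörn CA"))
CA_BMP = name(rdn(OID_CN, BMPSTRING, "Jörn CA"))
SAN = tlv(SEQUENCE, tlv(0x81, b"a@example.com") + tlv(0x81, b"b@example.org"))

if __name__ == "__main__":
    print(format_name(MS_STYLE))
    print(emails_from_name(MS_STYLE), emails_from_san(SAN))
    print(len(CA_UTF8), len(CA_BMP), parse_name(CA_BMP)[0][1])
    print(ldap_bytes_to_text(b"J\xf6rn"), ldap_bytes_to_text(b"J\xc3\xb6rn"))
```

Run directly it prints the oneline rendering of the Microsoft-style DN, the addresses found in the DN and in the SAN, the size difference between the UTF-8 and BMPString encodings of the same CN (the BMPString is six bytes longer, because every character costs two bytes, not just the ö), and the Latin-1 fallback for the bare 0xF6 byte. The extractor looks only at emailAddress attributes and rfc822Name entries, which matches Steve's statement that the address is always a separate field; what the compatibility print routine shows inside the CN text is not consulted.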
Q: CA signing of smart card hosted key pair?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

Problem: I am in the following situation: I have generated a CA using openssl. I have a smart card containing a private key. How do I generate a certificate request based on an already existing certificate containing the public key which is corresponding to the private key on the card?

So far I am using 'openssl x509' together with generate a certificate request, just commented out the error handling in ca.c. But this is just a hack and I wonder whether there is a clean way to do this.

- --
Heiko Nardmann (Dipl.-Ing.), [EMAIL PROTECTED], Software Development
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen
Tel. : +49 271 48950-13, Fax : +49 271 48950-50

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iEYEARECAAYFAj3TQCUACgkQpm53PRScYyh43gCfRN0uYF+bNobvrKUz63HyxDy4
SV8AnitO+VIaNUKW2HhDk/PZagwxJ+7/
=9nYE
-----END PGP SIGNATURE-----
Linking with libeay32.a and libssl32.a
I am compiling OpenSSL on Windows 2000. I read INSTALL.W32 that came with the source. I had a successful compile using Mingw32. Further down in INSTALL.W32 I see the following note...

  libcrypto.a and libssl.a are the static libraries. To use the DLLs, link with libeay32.a and libssl32.a instead.

What does this mean in English? Don't I just put libeay32.dll and libssl32.dll in the Windows system directory (C:\WINNT\system32)? Or is there more to it than that?

Ron