Re: TLS issues with Opera

[Lutz Jaenicke]

On Mon, Jan 13, 2003 at 01:33:58PM -0800, Tim Regovich wrote:
> I have encountered an interesting problem when trying
> to connect to s_server with Opera, when only TLS is
> enabled in opera.  I can only seem to connect to the
> s_server if I :
> 
> 1) start s_server -ssl3
> 2) connect to https://localhost
> 
> If i try connecting to https://192.168.2.69 (the ip of
> the same machine) I get the following error in
> s_server : 
> 24092:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:295:
> 
> I get teh same error if I run s_server with the -tls1
> option only.
> 
> I realize that this may be a problem with Opera, but
> other clients also have problems, like MSN messenger,
> so regardless of the root cause I would like to adress
> this as a workaround in the server.

I am not familiar with Opera and with its default settings.
However: in the normal setup the client sends a SSLv2 client hello
with the additional information, that up to TLSv1 is supported.
The server then chooses the highest protocol available.
If the server only understands SSLv3 or TLSv1 it will not understand
the client hello with symptoms as described. For the server I therefore
would recommend you to rather disable with -no_ssl2 etc. In this case
the server is still able to understand all formats of the client hello
sent, but it will only choose an allowed protocol, probably yielding
the desired result.

Remark 1: If you instruct Opera to only use TLSv1, it would make sense to
directly send a TLSv1 client hello. The symptoms indicate, that it still
sends the SSLv2 compatible client hello.
Remark 2: Use ssldump to verify the assumption made in remark 1.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Modifying x509v3 Basic Constraints

[Richard Levitte - VMS Whacker]

In message <1042515717.23265.1885.camel@buddy> on 13 Jan 2003 19:41:57 -0800, Robert 
Morse <[EMAIL PROTECTED]> said:

rmorse> I created a certificate that has x509v3 Basic Constraints CA:FALSE.  I
rmorse> did this before getting "Network Security with OpenSSL".  Now that this
rmorse> cert exists, is there any way to change it to CA:TRUE?

You can't change a cert, but you can create a new one with exactly the
same content except for the change in basic constraint and the
signature.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Modifying x509v3 Basic Constraints

[Robert Morse]

I created a certificate that has x509v3 Basic Constraints CA:FALSE.  I
did this before getting "Network Security with OpenSSL".  Now that this
cert exists, is there any way to change it to CA:TRUE?

Sorry for the basic question.

Thanks.

-robert.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Stripping the OpenSSL library

[Tim Xex]

I have pared down the portion of OpenSSL that I
actually compile.  I did it on a directory basis.  I
know that I am never going to use Blowfish, so I don't
build anything in that folder.  There is a symbol you
can set to not use RC5 so if you set that you can also
remove the corresponding folder from the build.  If
you are just using the crypto libs then you won't be
needing anything in the ssl folder.  Things like that.

--- Sidney Fortes <[EMAIL PROTECTED]> wrote:
> Dear OpenSSL users,
> 
> I have sucessfully implemented a message system
> mechanism using the OpenSSL
> library as the foundation for all the cryptography
> operations. The system
> was deployed and now, the client asked me to
> do a dependency checking and find all the OpenSSL
> source files that are
> being used by my code and
> with this information to produce a makefile to
> compile only what I really
> need from OpenSSL.
> I have tried to find the dependencies using a map
> from all the linked
> functions from OpenSSL and
> it turns to be something around 1700 functions.
> My Question is, Is anybody out there that have done
> that sucessfully?
> If so, what is the best approach to get it done?
> Is that going to make easy for me to port my app to
> another "not yet ported
> OS" ?
> 
> PS.( I don't really agree with the client's idea
> (but they are "Client"
> anyway), So if anybody else has an good
> idea in how to convince them that we need to keep
> the OpenSSL library as a
> single unit, that would be
> very appreciated)
> 
> Thanks for any and all replies,
> 
> Sidney Fortes
> 
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List   
> [EMAIL PROTECTED]
> Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

hash calculation in MAC version of IE?

[Rodney Thayer]

I created a root certificate with Openssl, then load it into
IE 5.2 on the MAC (latest revision, the one that works with OS X)

The "fingerprint" it displays doesn't match anything I can identify.
The SHA-1 fingerprint of this root as displayed by OpenSSL matches that
displayed by IE 6 on Windows XP, so I believe the root is valid.

Any ideas what they're doing?

At a minimum they've got their display logic a bit confused on
the Mac -- it shows 21 bytes for a SHA-1 hash and 17 bytes for an MD5
hash.

p.s. smtp server for openssl.org rejects messages from my normal host --
anyone else seeing this?

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

TLS issues with Opera

[Tim Regovich]

All,

I have encountered an interesting problem when trying
to connect to s_server with Opera, when only TLS is
enabled in opera.  I can only seem to connect to the
s_server if I :

1) start s_server -ssl3
2) connect to https://localhost

If i try connecting to https://192.168.2.69 (the ip of
the same machine) I get the following error in
s_server : 
24092:error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:295:

I get teh same error if I run s_server with the -tls1
option only.

I realize that this may be a problem with Opera, but
other clients also have problems, like MSN messenger,
so regardless of the root cause I would like to adress
this as a workaround in the server.

Thanks in advance,

Tim
[EMAIL PROTECTED]



__
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: What do RSA functions use?

[Javier Kohen]

Ramon Martinez Pena wrote:
> 
> Hello,
> I'm doing a C program using RSA functions and I also have files that
> contain digital signs and digital certificates that I have created
> with the commands of openssl (openssl genrsa, openssl rsautl and
> openssl req). This files are .key and .crt and I don't know what
> functions are availables in C to let me work with this files.
> Can you help me?
> Thanks for advanced.
> PD: I have read something about PKCS#12 files (.p12 and .pem) that
> maybe let me to work in C but it isn't very clear what functions I
> can use for this.

See the PEM section in libcrypto documentation. You can find it online
at http://www.openssl.org/docs/crypto/pem.html.

-- 
Javier Kohen <[EMAIL PROTECTED]>
ICQ Core: blashyrkh #159394190
begin:vcard 
n:Kohen;Javier
x-mozilla-html:FALSE
org:Core ST;Force
adr:;;
version:2.1
email;internet:[EMAIL PROTECTED]
x-mozilla-cpt:;0
fn:Javier Kohen
end:vcard

Re: obtaining expiry dates

[Ryan Johnson]

I extracted netscape certs using the s_client switch.

openssl s_client -connect host:port -showcerts > cert.pem

just get rid of everything but the -Begin Cetificate- 
-End Certificate -

in my case we use verisign certs and am presented with two certs. One
being the intermediate cert, the other the server's cert.
You can figure out which one is that of the server by the subject above
the certificate.

Not sure this is always the case.

The resulting format is called pem.

Ryan


> On Fri, Jan 10, 2003 at 04:52:07PM -, Dicks, Gareth M wrote:
>> Hi,
>>
>> I'm trying to write an automated script to check for pending expiry
>> dates in
>> SSL certs. I know how to get this info from a standard cert file in X509
>> format:-
>>
>> openssl x509 -in cert.cer -enddate
>>
>> The problem is I have inherited a set of iPlanet web servers with the
>> certs
>> already loaded with no sign of the original certificates. Does anyone
>> know
>> ant method of extracting the certs from the iPlanet database into a
>> format
>> that can be used with openssl?
>
> could you run s_client to talk to your servers?
>
>>
>> Thanks,
>> Gareth
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List[EMAIL PROTECTED]
>> Automated List Manager   [EMAIL PROTECTED]
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: trouble compiling

[Laurent Blume]

Wayne Thomas wrote:

I am attempting to compile openssl-0.9.7 on my Solaris 8 Sun Blade 100
with simply ./config and make. The following error occurs:

"/usr/ucbinclude/signal.h", line 49: syntax error before or at: int
"/usr/ucbinclude/signal.h", line 49: warning: undefined or missing type


This is wrong, the ucb directories (/usr/ucb, /usr/ucbinclude, 
/usr/ucblib) are for backward compatibility with BSD-based SunOS 4.x, 
and should never be used for System V-based Solaris.

You should check that none of them appear in PATH, CFLAGS, CPPFLAGS, 
LDFLAGS, or any other environement variable before starting ./configure 
or make.
The only tool that's commonly used is /usr/ucb/install, but it's 
automatically detected by ./configure, so there no need to put it in the 
PATH.

HTH,

Laurent

--
  IRI-Secodip  www.infores.com
  4, rue André Derain  mailto:[EMAIL PROTECTED]
  78240 Chambourcy tel: +33 (0) 130 06 26 52
  France   fax: +33 (0) 130 65 09 45

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

[Fdrconseil]

Hi all,

I still have a problem using OpenSSL inside Apache-SSL.

Everything works well EXCEPT when the browser is asking for an SSL session with C4 or C2 cypher algo and a 40 bits lenghth keys.
(using 128 bits works well).

This is a very big problem for us, because in France, we have a lot of users with old IE 4 browsers that cannot override the 40 bits limit.

When the problem occurs, I get the following error message :

error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

The strange thing is that IE4 is not supposed to support SSL3, is it ?

Can anybody explain me this error message ? What can i do ?

Thank you for your helps,

FdR

RE: Why does get_https do not free memory used

[Shao (E-mail)]

I have a similar problem, too.
I write a https server using openssl.
When a new browser window is opened and client_key_exchange is processed,
my https server will lose memories.
I have no idea about the memory problem up to now.
I wonder whether you have fixed the problem.
Could you tell me what you do about the problem?
Thanks a lot.

wilson shao
mailto:[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On 
Behalf Of Kim Carter
Sent: Saturday, December 21, 2002 12:02 AM
To: [EMAIL PROTECTED]
Subject: Why does get_https do not free memory used


 Platform: UNIX, solaris,  PERL 5.6.1, Net::SSLeay-1.18, OpenSSL 0.9.6e

   I have written code to make a https call to a secure server that also

  requires user authentication. Using the Net::SSLeay::get_https
function,
see code below. A request is made to retrieve a large document. Once
the file is successfully downloaded, I execute the UNIX check sum
command (cksum filename) to validate the transfer.  The check sum fails
  with the error "not enough space".  I monitored the script using the
top
command and noticed the memory used by the get_https function does not
get freed until the calling program is terminated; resulting in not
enough memory to run the cksum command that follows. Before my script is
executed, I have 527M of free
 memory. When the download is completed, I have less than a MEG free.

Is this the correct behavior of the function ? Is there a way to free
the memory used by the function after a request is completed?
I also noticed once the function obtains the memory needed, I can make
additional request for document download (for loop) and it does not use
any additional memory.  The problem is I don't have enough memory to
execute any UNIX command  after the get_https function is invoked  .

Any help or explanation is appreciated.

Thanks.

Kim Carter


 Code:

 #!/usr/local/bin/perl -w
 use strict;
 use HTTP::Request;
 use Net::SSLeay qw(get_https);
 use HTTP::Headers;
 my $h = new HTTP::Headers;
 $h->authorization_basic("id","passwd");

 ($page, $results, %headers) =
   get_https("hostname.com", 443,
"/filename.bin", $h->as_string());
 open F, ">newfile";
 print F $page;
 close F;
 undef($page); undef($results);
undef(%headers);

 open(CK, "/usr/bin/cksum newfile |") or
warn "can't perform
 checksum $!\n";
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]:—§I"Ï®ˆÞrØm¶ŸÿÃ
(¥éì²Z+K­+©¦Ší1¨¥ŠxŠËh¥éì²[¬z»(¥éì²Z+€­¢f­yÒâ²Ó¨®f£¢·hšŠ)z{,–Šà