RE: Supported OS Versions...

2003-03-13 Thread Jones, Steven
I assume any OS that has a compiler, which should be all.

Steven

-Original Message-
From: Clifford Grimm [mailto:[EMAIL PROTECTED]
Sent: Friday, 28 February 2003 4:00 
To: [EMAIL PROTECTED]
Subject: Supported OS Versions...


Where can I find a list of the OS Versions that are supported for 
various versions of openssl?

For example, is Solaris 2.6 supported in version 0.9.6h?

Thanks!!

Cliff

-- 
Clifford L. Grimm
Sun Microsystems, Inc.
UMAR04
46 Lizotte Drive
Marlborough, MA 01752

Direct:  781-442-6246   Internal: x26246
Fax: 781-442-7198
Cell: 978-618-1336


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Installation

2003-03-13 Thread Rene Ponton F.
Sirs

I've installed apache-1.3.27-sol7-sparc-local with
openssl-0.9.6g-sol7-sparc-local but I think I have some problem with ssl
because when I try to start up apache I obtain this error:

ld.so.1: /usr/local/apache/bin/httpd: fatal: libexpat.so.0: open failed: No such file or directory
Killed
./apachectl start: httpd could not be started

One requirement to install apache is openssl; could you help me with
this error?

Regards

René Pontón
Impsat Fiber Networks


a problem in installation

2003-03-13 Thread Rohana Dasanayaka
Dear Sir,

When I am running ./config, it says you want perl 5. My perl directory
is /usr/bin/perl5.6.0. Could you please inform me where I should
edit or how I can fix it?

Thanks
Rohana.


RE: Malloc failure error with OpenSSL

2003-03-13 Thread Greaney, Kevin
Hi Kal,

What version of OpenSSL are you using? What platform are you seeing this
error on - Unix, VMS, Windows? And, it might help to know how you built it?!?

Thanks,
Kevin.

Kevin Greaney
SSL for OpenVMS Team
Hewlett Packard Company
OpenVMS Engineering Group
110 Spitbrook Road
Nashua, NH 03062
(603) 884-5099

  
  -Original Message-
  From: Kattamuri, Kal
  Sent: Tuesday, March 04, 2003 2:46 PM
  To: '[EMAIL PROTECTED]'
  Subject: Malloc failure error with OpenSSL
  Importance: High

  Hi All,

  I am seeing the following error in my error logs after I
  installed/enabled SSL in my server. Please note that I was not seeing this
  error prior to enabling SSL on this server. Any help would be highly
  appreciated:

  [Mon Mar 3 20:43:17 2003] [error] mod_ssl: SSL handshake failed (server xxx.xxx.xxx.com:443, client 11.11.11.11) (System and OpenSSL library errors follow)
  [Mon Mar 3 20:43:17 2003] [error] System: Not enough space (errno: 12)
  [Mon Mar 3 20:43:17 2003] [error] OpenSSL: error:1409C021:SSL routines:SSL3_SETUP_BUFFERS:Malloc failure

  Thanks in advance.

  Best Regards,
  Kalyan Kattamuri,
  Web Hosting Services Delivery,
  Hewlett P-Cupertino.
  408-t447-4021


RE: Cert usage

2003-03-13 Thread Aslam
If u don't want to use any certs on both side then u have to choose
anonymous cipher suites, the ones having ADH- in them, like
ADH-DES-CBC-SHA. 
But still u need to have DH key on server and turn off the client
authentication on server side. 

Aslam

-Original Message-
From: Emil Kopysc [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 08, 2003 10:41 AM
To: [EMAIL PROTECTED]
Subject: Cert usage


Hi All!
I'm writing a small library to provide secure communication
for our client/server application. I don't want to use any certs
on both sides (client/server), just establish a connection
with e.g. DHE-DSS-AES128-SHA (I think it doesn't need any
certificate to use... or I am wrong...?). The OpenSSL libraries 
version I'm using is 0.9.7a (on RH7.3), they're compiled as shared 
libraries. My programs caused some errors, so I thought I've made 
something wrong, but when I tried to use:
openssl s_server -nocert -debug -cipher DHE-DSS-AES128-SHA
and
openssl s_client -debug
on server side there was an error:
2847:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:881:shutting down SSL
and on client side:
2951:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
and these errors are the same as my programs made...
All is good when I use a certificate on server side.
So my question is:
Is it possible to make any encrypted communication without any 
certificate?
-- 
Emil Kopysc
Design & Development
TRX - Cyfrowe Rejestratory Rozmow


Re: ftp implicit ssl connection

2003-03-13 Thread Jeffrey Altman




It is very unclear to me what type of help you are looking for.
There are many SSL/TLS FTP client and server implementations available
as open source in addition to the specifications for the protocol which
are available as an Internet-Draft.

What do you need?


gomess wrote:

  
  
  
  Nobody can help me ? :-((
  
  Please... :-)





Problem changing key/iv on a CIPHER bio

2003-03-13 Thread Brian Hatch


I want to be able to change the key and iv on a connection
that is already established.  Currently I just have a simple
socket BIO and cipher BIO chained together.  (Cipher is
EVP_bf_cbc() currently.)

The connection should look like this:

1) client connects to server
2) set both client and server to use key/iv foo/bar
3) send some data
4) set both client and server to use new key/iv one/two
5) send more data


#1 through #3 are working fine, I can easily verify that the data sent
is what I receive.  It's #4 and #5 that seem to be failing.


Doing operation #4 above is clearly what I need to fix.
I've tried:

  * calling BIO_set_cipher on the cipher BIO directly.

  * removing the cipher BIO and adding a new one with the
correct key/iv to the socket BIO.

  * calling BIO_flush on the chain before using any of the
previous two changes, discarding any padding bytes from
the BIO_flush.

I'm doing the same thing on both ends, of course - it would never
work to change the key on client and not server and expect things
to work.  This is unidirectional data flow -- the server never sends
any data to the client.

Any quick ideas where my brain or code is failing me?

--
Brian Hatch                  LLooccall EEcchhoo iiss
   Systems and               uunnddeeaatteedd.
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed




Re: Problem changing key/iv on a CIPHER bio

2003-03-13 Thread Dr. Stephen Henson
On Thu, Mar 13, 2003, Brian Hatch wrote:

 
 
 I want to be able to change the key and iv on a connection
 that is already established.  Currently I just have a simple
 socket BIO and cipher BIO chained together.  (Cipher is
 EVP_bf_cbc() currently.)
 
 The connection should look like this:
 
   1) client connects to server
   2) set both client and server to use key/iv foo/bar
   3) send some data
   4) set both client and server to use new key/iv one/two
   5) send more data
 
 
 #1 through #3 are working fine, I can easily verify that the data sent
 is what I receive.  It's #4 and #5 that seem to be failing.
 
 
 Doing operation #4 above is clearly what I need to fix.
 I've tried:
 
   * calling BIO_set_cipher on the cipher BIO directly.
 
   * removing the cipher BIO and adding a new one with the
 correct key/iv to the socket BIO.
 
   * calling BIO_flush on the chain before using any of the
 previous two changes, discarding any padding bytes from
 the BIO_flush.
 
 I'm doing the same thing on both ends, of course - it would never
 work to change the key on client and not server and expect things
 to work.  This is unidirectional data flow -- the server never sends
 any data to the client.
 
 Any quick ideas where my brain or code is failing me?
 

This isn't something I've had to do personally however...

Popping and pushing the BIO should work provided you get it right. For this to
work properly of course you need to change keys and IVs only after a multiple of
the block length has been sent, otherwise data will be lost and possibly
internal buffering could spoil your whole day due to synchronisation errors.

In fact synchronisation may well be a problem because when using padding the
EVP routines need to buffer a whole block on decrypt so that the block padding
check works. So when you read data from the end BIO in the chain it will
typically have internally buffered the next block using the current key/IV.

In OpenSSL 0.9.7X you can disable padding using the EVP API, that is the
preferred method because the internal buffering no longer occurs. You need to
retrieve the EVP_CIPHER_CTX structure from the BIO to do that, see the 0.9.7
manual pages for precise details.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
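The block-boundary and buffering points in the reply above, modelled as an added example (not part of the original thread and not OpenSSL code): a toy 8-byte Feistel cipher stands in for Blowfish, and `CbcStream`, `transfer`, the message and the keys/IVs are constructed for illustration.

```python
import hashlib

BLOCK = 8  # Blowfish's block size; the toy cipher below only stands in for it
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crypt_block(key, blk, decrypt=False):
    """4-round Feistel over one block (constructed stand-in, NOT secure)."""
    l, r = (blk[4:], blk[:4]) if decrypt else (blk[:4], blk[4:])
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l if decrypt else l + r

class CbcStream:
    """Unpadded CBC stream that refuses to rekey off a block boundary."""
    def __init__(self, key, iv, decrypt=False):
        self.decrypt, self.buf = decrypt, b""
        self.rekey(key, iv)

    def rekey(self, key, iv):
        if self.buf:  # a partial block is pending: peers would lose sync
            raise ValueError("%d bytes pending" % len(self.buf))
        self.key, self.chain = key, iv

    def update(self, data):
        self.buf, out = self.buf + data, b""
        while len(self.buf) >= BLOCK:
            blk, self.buf = self.buf[:BLOCK], self.buf[BLOCK:]
            if self.decrypt:
                out += _xor(crypt_block(self.key, blk, True), self.chain)
                self.chain = blk
            else:
                self.chain = crypt_block(self.key, _xor(blk, self.chain))
                out += self.chain
        return out

MSG = b"first 16 bytes!!" + b"second8!"  # constructed: 2 blocks, then 1 block
K1, IV1, K2, IV2 = b"foo", b"bar-iv-1", b"one", b"two-iv-2"  # constructed

def transfer(split_at):
    """Sender rekeys after 16 bytes; receiver rekeys after split_at bytes."""
    tx = CbcStream(K1, IV1)
    wire = tx.update(MSG[:16])
    tx.rekey(K2, IV2)
    wire += tx.update(MSG[16:])
    rx = CbcStream(K1, IV1, decrypt=True)
    plain = rx.update(wire[:split_at])  # everything fed here uses K1/IV1
    rx.rekey(K2, IV2)
    return plain + rx.update(wire[split_at:])
```

`transfer(16)` recovers `MSG`; `transfer(24)` models a receiver that already consumed the next block under the old key and garbles the last 8 bytes, and `transfer(12)` raises because the receiver tries to rekey mid-block.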


Re: openssl configuration for IA5String: domainComponent

2003-03-13 Thread Dr. Stephen Henson
On Thu, Feb 27, 2003, Dhiva Muruganantham wrote:

 I want have a certificate request with subject DN as 
 CN=www.zty.net,OU=hosts,DC=sample,DC=org.
 and also i want the DC component value as a IA5String.
 By default the asn1parse shows me that the DC component values are 
 PRINTABLE.
 
 Is it possible with 0.9.7a ? If yes, what are the changes which i have 
 to do with the openssl.cnf
 
 

This is possible but not via openssl.cnf. It needs a source modification.

The behaviour of DN components is governed by a table in
crypto/asn1/a_strnid.c

If a particular component is absent then it reverts to DirectoryString which
won't use an IA5String at all.

So the only solution is to add an appropriate value to this table or call the
ASN1_STRING_table_add() function which I'm not sure has ever been tested...

Since this is incorrect behaviour for this component I'll check in a fix which
will appear in the next snapshots.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: introduction

2003-03-13 Thread Paul L. Allen
Mozilla can use SSL for NNTP, POP, and SMTP connections, so
its source code will have client code for each of those service types.
Mozilla knows how to provide client certs if the server requests them,
but it's up to the server to do that.  I've coded servers that require
client certs, but I don't know if there's an SMTP server that does
that.  (I mean, I'm ignorant, not I don't think one exists.)
The client/server examples from Eric Rescorla's book might also
be useful in figuring out how the code works.  And actually, Eric's
book (SSL and TLS, Designing and Building Secure Systems,
Addison Wesley) should be on the shelf of anyone coding with SSL.
I've certainly found it handy.
Paul Allen

Jake Zajac wrote:

I am new to the ssl thing but have been asked to implement this into 
an existing application.  We currently support email in our app, but 
only smtp servers that do not require any type of authentication.  Can 
you provide me with a link that has an overview of ssl?  I am looking 
for information on the flow of the data, the details of the 
transaction between the client and the smtp server, and an overview of 
the certificates and how they work with ssl.  Any input on this would 
be greatly appreciated.  I am sure that you get a lot of questions 
like this and I apologize for asking, but I could not find any 
overviews on the web site.  I have looked at several newsgroups but 
could not find any information on my topic or get any answers to my 
questions, so I figured that I would try here...  To connect to a 
server that does use SSL, is there always going to be a need for 
certificates on the client machine? 




Problem running Tomcat SSL with my CA-generated certificate

2003-03-13 Thread Mark Liu
I am sorry if I should not have posted this message in
this list.

But I've been trying in both tomcat-user and
tomcat-dev, nobody has a clue.  Therefore, I wanna try
my luck here.

I use Tomcat 4.1.12 under Windows 2000.

I know how to run Tomcat in SSL mode by generating a
self-signed cert using the keytool utility that comes
with the Java J2SDK.

But my project needs to run Tomcat SSL with the
certificate generated by my little Java program.  It
has not been successful.

Check the cert attached in this message (cert4ca.cer).
 It is generated by my little Java program.

The keytool-generated self-signed cert works perfectly. 
I can access both https://localhost and
http://localhost.

To try the cert generated by my little Java program, I
deleted the tomcat cert in the keystore and imported
the above cert into the keystore as tomcat.

Then I can only access http://localhost, not
https://localhost.  And if I revert to the
keytool-generated certificate, both http and https
work perfectly again.  Obviously, it looks like it is
the problem of the cert generated by my little Java
program.

But the thing is, the cert generated by my little Java
program is a valid one as you can see from the
attached cert.

Can you guys give me a hint?  I need to resolve this
badly.





DES/CBC question

2003-03-13 Thread Ken Ho



Hi,

I am developing a cipher encryption tool in C++ using your openssl-crypto 
library.

The result encrypted string is passed to another system for decryption and 
vice versa, in which the cipher encryption tool was developed in Java, cipher 
algorithm is DES, mode is CBC, PKCS 5 padding.

I tried both functions DES_ncbc_encrypt() and DES_cbc_encrypt() in lib 
crypto/des for encryption, the result string can't be decrypted by the Java 
version cipher tool, it doesn't work the other way around either. I got around 
the padding but the strings just look totally different. Am I using the 
wrong functions? Which function provides the same algorithm/mode as the one we 
used in our Java version?

Please help!! Thanks.

Ken Ho