Re: X509_verify_cert() and multiple threads
On Thu, Nov 10, 2005, Steffen Fiksdal wrote: I have tried to get this error on my other linux box, a uniprocessor non SMP Linux kernel, without luck. So I experience the error in a few occations on the SMP kernel, but not on the uniprocessor non SMP Linux kernel. When I mutex the MONT_HELPER call myself by wrapping the macro with a CRYPTPO_lock(), I do not get the error on the SMP kernel. This can have several reasons, but it is kind of strange.. On 0.9.8 that macro calls BN_MONT_CTX_set_locked(). Can you put some locks in there so a lock is always called and see if that helps? I serialized the whole BN_MONT_CTX_set_locked() function, but it still fails. THe BN_MONT_CTX_set_locked is not always called because sometimes the _method_mod_n is NOT NULL. Because the BN_MONT_CTX_set_locked seems to work, this race condition must be for the times the BN_MONT_CTX_set_locked() is not called. I do not have knowledge about the details here, but I report what I experience.. I have the sequence for when it fails. First I print Going MONT_HELPER just before the macro is called, then I print Went MONT_HELPER just after the macro is finished. I also print the pre_cond and _method_mod_n values. The result was the following with 2 threads: Going MONT_HELPER pre_cond=2 _method_mod_n == NULL Going MONT_HELPER pre_cond=2 _method_mod_n != NULL Went MONT_HELPER Went MONT_HELPER. The times it works ok, one thread goes through MONT_HELPER without any disturbance from other threads. In this error situation this was not the case. For the second thread in the output the BN_MONT_CTX_set_locked() will not be called. Best Regards Steffen Fiksdal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
what's the difference between copy and move?
Hi, in the template config file that came with 0.9.8, I found that subjectAltName=email:copy subjectAltName=email:move are both possible, but what is the difference? Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- smime.p7s Description: S/MIME Cryptographic Signature
PKCS7 standard : OpenSSL is following weather v1.5 OR v1.6 OR any other
Hi All, I found that OpenSSL PKCS#7 module implementation is different from the both the versions . Please tell me which version it is following (URGENT) Regards, konark
Re: PKCS7 standard : OpenSSL is following weather v1.5 OR v1.6 OR any other
On Fri, Nov 11, 2005, Konark wrote: Hi All, I found that OpenSSL PKCS#7 module implementation is different from the both the versions . Please tell me which version it is following (URGENT) PKCS#7 v1.5. Very few applications use 1.6. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: PKCS7 standard : OpenSSL is following weather v1.5 OR v1.6 OR any other
Thanks for the reply . But my problem is .. PKCS#7 V1.5 sign implementation uses this structure in process of sign calculation DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithmIdentifier, digest Digest } But I found that OpenSSL is not doing as specified in V1.5 . Reply by cheking the OpenSSl . If incase OpenSSl is not fully folling the v1.5 Please let me know . Regards, konark On Fri, Nov 11, 2005, Konark wrote: Hi All, I found that OpenSSL PKCS#7 module implementation is different from the both the versions . Please tell me which version it is following (URGENT) PKCS#7 v1.5. Very few applications use 1.6. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PKCS7 standard : OpenSSL is following weather v1.5 OR v1.6 OR any other
On Fri, Nov 11, 2005, Konark wrote: Thanks for the reply . But my problem is .. PKCS#7 V1.5 sign implementation uses this structure in process of sign calculation DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithmIdentifier, digest Digest } But I found that OpenSSL is not doing as specified in V1.5 . What makes you think that? Reply by cheking the OpenSSl . If incase OpenSSl is not fully folling the v1.5 Please let me know . OpenSSL passed S/MIME v2 compliance test which check PKCS#7 v1.5 conformance. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: PKCS7 standard : OpenSSL is following weather v1.5 OR v1.6 OR any other
Actually we implemented PKCS#7 V1.5 ( we got the standards from RSA site ) - We did as per standard including DigestInfo structure as part of signature calculation . - When I try to identify signature with OpenSSL I found this thing then I tried with out this DigestInfo structure It's verified successfully . - That's why I doubt which version it is ? konark On Fri, Nov 11, 2005, Konark wrote: Thanks for the reply . But my problem is .. PKCS#7 V1.5 sign implementation uses this structure in process of sign calculation DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithmIdentifier, digest Digest } But I found that OpenSSL is not doing as specified in V1.5 . What makes you think that? Reply by cheking the OpenSSl . If incase OpenSSl is not fully folling the v1.5 Please let me know . OpenSSL passed S/MIME v2 compliance test which check PKCS#7 v1.5 conformance. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PKCS7 standard : OpenSSL is following weather v1.5 OR v1.6 OR any other
On Fri, Nov 11, 2005, Konark wrote: Actually we implemented PKCS#7 V1.5 ( we got the standards from RSA site ) - We did as per standard including DigestInfo structure as part of signature calculation . - When I try to identify signature with OpenSSL I found this thing then I tried with out this DigestInfo structure It's verified successfully . - That's why I doubt which version it is ? The DigestInfo is also part of PKCS#1 so if you tell some implementations (including OpenSSL) to sign a message digest the DigestInfo is automatic. You can see the DigestInfo structure by using the 'rsautl' utility on the signature. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: X509_verify_cert() and multiple threads
On Fri, Nov 11, 2005, Steffen Fiksdal wrote: I serialized the whole BN_MONT_CTX_set_locked() function, but it still fails. THe BN_MONT_CTX_set_locked is not always called because sometimes the _method_mod_n is NOT NULL. OK, I've committed a fix. Please apply this patch: http://cvs.openssl.org/chngview?cn=14619 or try the next snapshot. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: PKCS7 standard : OpenSSL is following weather v1.5 OR v1.6 OR any other
Thanks Steve. I it seems to be correct But I need to check with my colleague who implemented PKCS#1 (crypto) . konark On Fri, Nov 11, 2005, Konark wrote: Actually we implemented PKCS#7 V1.5 ( we got the standards from RSA site ) - We did as per standard including DigestInfo structure as part of signature calculation . - When I try to identify signature with OpenSSL I found this thing then I tried with out this DigestInfo structure It's verified successfully . - That's why I doubt which version it is ? The DigestInfo is also part of PKCS#1 so if you tell some implementations (including OpenSSL) to sign a message digest the DigestInfo is automatic. You can see the DigestInfo structure by using the 'rsautl' utility on the signature. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: X509_verify_cert() and multiple threads
On Fri, Nov 11, 2005, Steffen Fiksdal wrote: I serialized the whole BN_MONT_CTX_set_locked() function, but it still fails. THe BN_MONT_CTX_set_locked is not always called because sometimes the _method_mod_n is NOT NULL. OK, I've committed a fix. Please apply this patch: http://cvs.openssl.org/chngview?cn=14619 or try the next snapshot. Works like a dream! Best Regards Steffen Fiksdal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
ASN1 OID values.
We're creating custom extensions, so I went off and registered us an OID under {2.25} to use. It's a UUID OID, so it's quite a long numerical string. I can create and sign certificates with the extensions in, and load the certificates and pull extensions out by OID and everything seems fine until I print them using openssl x509 It says; X509v3 extensions: 2.25.2782250267.1: ..foo1 Now, foo1 is the testvalue I'm putting in. 2.25 is the right root for the tree, .1 is the value under our domain. However 2782250267 isn't our OID... Our OID, is 30 digits long and starts 14141...6731. Is there something in the x509 printing system that's truncating them? (which is not a major issue) [The number looks like it could be the 32 lsbs?] Or is it being truncated when being inserted into the certificate? (Which would be an issue, since we could get clashes..) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
is it me or ...
does openssl-0.9.7i not respect LDFLAGS?? Im trying to set the rpath and cannot get it set for some reason.. [EMAIL PROTECTED] ldd /local/stuff/bin/openssl libssl.so.0.9.7 = (file not found) libcrypto.so.0.9.7 =(file not found) libsocket.so.1 =/usr/lib/libsocket.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,UltraAX-e2/lib/libc_psr.so.1 [EMAIL PROTECTED] and of course libcrypto.so.0.9.7 and libssl.so.0.9.7 are in /local/stuff/lib and im trying to use LDFLAGS='-L/local/stuff/lib -R/local/stuff/lib';export LDFLAGS in my configure script, but openssl wont use it this is gcc 3.4.2 on solaris 8. Jason __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: is it me or ...
check out crle... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jason Sent: Friday, November 11, 2005 11:00 AM To: openssl-users@openssl.org Subject: is it me or ... does openssl-0.9.7i not respect LDFLAGS?? Im trying to set the rpath and cannot get it set for some reason.. [EMAIL PROTECTED] ldd /local/stuff/bin/openssl libssl.so.0.9.7 = (file not found) libcrypto.so.0.9.7 =(file not found) libsocket.so.1 =/usr/lib/libsocket.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,UltraAX-e2/lib/libc_psr.so.1 [EMAIL PROTECTED] and of course libcrypto.so.0.9.7 and libssl.so.0.9.7 are in /local/stuff/lib and im trying to use LDFLAGS='-L/local/stuff/lib -R/local/stuff/lib';export LDFLAGS in my configure script, but openssl wont use it this is gcc 3.4.2 on solaris 8. Jason __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] NOTICE: This E-mail may contain confidential information. If you are not the addressee or the intended recipient please do not read this E-mail and please immediately delete this e-mail message and any attachments from your workstation or network mail system. If you are the addressee or the intended recipient and you save or print a copy of this E-mail, please place it in an appropriate file, depending on whether confidential information is contained in the message. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: is it me or ...
Jason wrote: does openssl-0.9.7i not respect LDFLAGS?? Im trying to set the rpath and cannot get it set for some reason.. [EMAIL PROTECTED] ldd /local/stuff/bin/openssl libssl.so.0.9.7 = (file not found) libcrypto.so.0.9.7 =(file not found) libsocket.so.1 =/usr/lib/libsocket.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,UltraAX-e2/lib/libc_psr.so.1 [EMAIL PROTECTED] and of course libcrypto.so.0.9.7 and libssl.so.0.9.7 are in /local/stuff/lib and im trying to use LDFLAGS='-L/local/stuff/lib -R/local/stuff/lib';export LDFLAGS in my configure script, but openssl wont use it this is gcc 3.4.2 on solaris 8. Jason Use LD_OPTIONS instead of LDFLAGS if you use the ld provided by Sun. You can then do a dump -Lv on your object to see if RPATH is indeed set. /A __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ASN1 OID values.
On Fri, Nov 11, 2005, Katie Lucas wrote: We're creating custom extensions, so I went off and registered us an OID under {2.25} to use. It's a UUID OID, so it's quite a long numerical string. I can create and sign certificates with the extensions in, and load the certificates and pull extensions out by OID and everything seems fine until I print them using openssl x509 It says; X509v3 extensions: 2.25.2782250267.1: ..foo1 Now, foo1 is the testvalue I'm putting in. 2.25 is the right root for the tree, .1 is the value under our domain. However 2782250267 isn't our OID... Our OID, is 30 digits long and starts 14141...6731. Is there something in the x509 printing system that's truncating them? (which is not a major issue) [The number looks like it could be the 32 lsbs?] Or is it being truncated when being inserted into the certificate? (Which would be an issue, since we could get clashes..) Can you send me the certificate with the OID in it? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ASN1 OID values.
On Fri, Nov 11, 2005, Dr. Stephen Henson wrote: On Fri, Nov 11, 2005, Katie Lucas wrote: We're creating custom extensions, so I went off and registered us an OID under {2.25} to use. It's a UUID OID, so it's quite a long numerical string. I can create and sign certificates with the extensions in, and load the certificates and pull extensions out by OID and everything seems fine until I print them using openssl x509 It says; X509v3 extensions: 2.25.2782250267.1: ..foo1 Now, foo1 is the testvalue I'm putting in. 2.25 is the right root for the tree, .1 is the value under our domain. However 2782250267 isn't our OID... Our OID, is 30 digits long and starts 14141...6731. Is there something in the x509 printing system that's truncating them? (which is not a major issue) [The number looks like it could be the 32 lsbs?] Or is it being truncated when being inserted into the certificate? (Which would be an issue, since we could get clashes..) Can you send me the certificate with the OID in it? No need, I've checked the routines involved and they *do* truncate the OID values. They've been around since the SSLeay days an so far no one has needed OIDs with numerical values that don't fit in an unsigned long value. I'll look into updating them. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: is it me or ...
did make clean rm Makefile and then tried LD_OPTIONS=-R/local/stuff/lib;export LD_OPTIONS ./config --shared --prefix=/local/stuff --openssldir=/local/stuff and did my make and still no rpath [EMAIL PROTECTED] dump -Lv apps/openssl | grep -i RUN [EMAIL PROTECTED] [EMAIL PROTECTED] dump -Lv apps/openssl | grep -i RP [EMAIL PROTECTED] [EMAIL PROTECTED] file apps/openssl apps/openssl: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required, UltraSPARC1 Extensions Required, dynamically linked, not stripped [EMAIL PROTECTED] Jason Use LD_OPTIONS instead of LDFLAGS if you use the ld provided by Sun. You can then do a dump -Lv on your object to see if RPATH is indeed set. /A __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- |Jason Welsh [EMAIL PROTECTED]| | http://monsterjam.orgDSS PGP: 0x5E30CC98 | |gpg key: http://monsterjam.org/gpg/ | __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: is it me or ... [solved]
yall were right.. it was me.. didnt realize LD_OPTIONS was a make time variable.. not a configure time one. problem solved. thanks. Jason __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: what's the difference between copy and move?
Gerd Schering wrote: Hi, Hello Gerd, in the template config file that came with 0.9.8, I found that subjectAltName=email:copy subjectAltName=email:move are both possible, but what is the difference? it's obvious you never bothered to try it or apply a little bit of syntactical reasoning. email:copy searches the DN for all extensions of the type emailAddress, takes this values, generates a copy and inserts this _copy_ into the subjectAltName extension. Reasoning the function of the email:move command is an exercise for the reader. Bye Goetz -- DMCA: The greed of the few outweighs the freedom of the many smime.p7s Description: S/MIME Cryptographic Signature
what can be the content type (part of Content info ) other than simple data in Signed data
what can be the content type (part of Content info ) other than simple data in Signed data. Structure description SignedData ::= SEQUENCE { version Version, digestAlgorithms DigestAlgorithmIdentifiers, contentInfo ContentInfo, certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL, crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, signerInfos SignerInfos } ContentInfo ::= SEQUENCE { contentType ContentType, content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } -It seems to be content type can only be Simple data ( after looking in to the code ) - Is it possible to put content type other than simple data like enveloped data when authenticated attributes are present . Regards, konark
CRYPTO_set_id_callback problem
Hi I have a Engine which uses pthreads and I copied the thread stuff from mttest.c to implement proper CRYPTO_set_locking_callback and CRYPTO_set_id_callback functions. If I don't call 'CRYPTO_set_id_callback' in 'void thread_setup(void)' openssl exits without any problem. If I call 'CRYPTO_set_id_callback' and I quit openssl I get a segmentation fault, after 'void thread_cleanup(void)' prints 'done cleanup' so cleanup should be complete. #0 0xb7d76590 in ?? () #1 0xb7dadf39 in CRYPTO_thread_id () at cryptlib.c:444 #2 0xb7daede1 in CRYPTO_mem_ctrl (mode=3) at mem_dbg.c:198 #3 0xb7daf4f9 in CRYPTO_dbg_free (addr=0x80d9360, before_p=0) at mem_dbg.c:516 #4 0xb7daeaf9 in CRYPTO_free (str=0x80d9360) at mem.c:374 #5 0xb7e1dc3f in sk_free (st=0x80d9310) at stack.c:297 #6 0xb7e0c7ce in DSO_free (dso=0x80d92a8) at dso_lib.c:166 #7 0xb7e11762 in dynamic_data_ctx_free_func (parent=0x80d8fe8, ptr=0x80d9050, ad=0x80d903c, idx=0, argl=0, argp=0x0) at eng_dyn.c:171 #8 0xb7db0907 in int_free_ex_data (class_index=9, obj=0x80d8fe8, ad=0x80d903c) at ex_data.c:518 #9 0xb7db0ac2 in CRYPTO_free_ex_data (class_index=9, obj=0x80d8fe8, ad=0x80d903c) at ex_data.c:588 #10 0xb7e0d45f in engine_free_util (e=0x80d8fe8, locked=0) at eng_lib.c:132 #11 0xb7e0e3c2 in engine_unlocked_finish (e=0x80d8fe8, unlock_for_handlers=0) at eng_init.c:112 #12 0xb7e0f3f7 in int_cleanup_cb (p=0x80da3d0) at eng_table.c:205 #13 0xb7e0f424 in int_cleanup_cb_LHASH_DOALL (arg=0x80da3d0) at eng_table.c:208 #14 0xb7e1e26c in doall_util_fn (lh=0x80da268, use_arg=0, func=0xb7e0f40d int_cleanup_cb_LHASH_DOALL, func_arg=0, arg=0x0) at lhash.c:289 #15 0xb7e1e29a in lh_doall (lh=0x80da268, func=0xb7e0f40d int_cleanup_cb_LHASH_DOALL) at lhash.c:297 #16 0xb7e0f470 in engine_table_cleanup (table=0xb7eb5be8) at eng_table.c:214 #17 0xb7e108df in engine_unregister_all_ciphers () at tb_cipher.c:71 #18 0xb7e0d61d in engine_cleanup_cb_free (item=0x80da388) at eng_lib.c:183 #19 0xb7e1dbf0 in sk_pop_free (st=0x80cea20, func=0xb7e0d603 engine_cleanup_cb_free) at stack.c:290 #20 0xb7e0d669 in ENGINE_cleanup () at eng_lib.c:190 #21 0x08055f34 in main (Argc=11, Argv=0xbfc0fb28) at openssl.c:356 if I call 'CRYPTO_set_id_callback(NULL);' in 'void thread_cleanup(void)' I get this: done cleanup 2464 file=err.c, line=1001, number=396, address=080DA0A0 2465 file=lhash.c, line=193, number=12, address=080D9428 1860 file=lhash.c, line=119, number=96, address=080CED00 thread=12750, file=err.c, line=420, info=int_thread_get (err.c) 1861 file=lhash.c, line=121, number=64, address=080CEDA0 thread=12750, file=err.c, line=420, info=int_thread_get (err.c) 568 bytes leaked in 4 chunks This output comes from efence because openssl was compiled with debugging information. With a 'normal' openssl build i don't see any errors. Any suggestions? Thank you. -- Hypnos powered by LFS SVN-20041206 (Linux 2.6.14.1) visit http://www.kratz00.org/ http://liflg.org/ Best regards, Steffen Pankratz. PGP PUBLIC KEY: http://www.kratz00.org/kratz00.at.gmx.de.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]