Re: Error revoking a certificate
Hi,

I think box A is the owner of the certificate, so when you revoke it on box A it works fine. Box B may not be the owner (issuer), and when revoking the certificate it is verified whether it is revoked by the corresponding person who issued the certificate by checking the CN field in the certificate; as box B is not the owner, this field does not match and it errors out. Please let me know about this.

----- Original Message -----
From: Susan McIntosh <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Tuesday, 13 June, 2006 12:23:32 AM
Subject: Error revoking a certificate

We are in the process of migrating from box A (AIX 4.3.3.0 running openssl 0.9.6g) to box B (AIX 5.3.0.0 running openssl 0.9.8). Both A and B access the same file system which contains our CA files.

When I revoke a certificate from box A, the process works as expected. When I revoke a certificate from box B, I get the following error:

ERROR:name does not match /C=US/ST=Florida/L=Gainesville/O=University of Florida/OU=Computing and Networking Services/CN=alt.smtp.ufl.edu/emailAddress=nerdc-uni [EMAIL PROTECTED]
3080222:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/nerdc/src/ssl/CA/index.txt.attr','rb')
3080222:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
3080222:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:

The certificate, key, config file, etc. are all the same for both revocation attempts. The only thing that's changed, as far as I can tell, is the version of AIX and openssl. Is there a config file I need to check besides the one I specify on the command line?

Any ideas about what might be going on appreciated...

susan

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: sigsegv in BN_BLINDING_free 0.9.8a
> > I am experiencing a SIGSEGV in BN_BLINDING_free because mt_blinding
> > appears to be 0x11 instead of a pointer to some memory.
>
> We had an identical issue reported here:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193633
> which is somehow caused by the use of Zimbra binaries.

Thank you for your reply. I looked at that and it does not (at first glance) seem applicable to me. I had never heard of the Zimbra suite mentioned, but I rebuilt my openldap from src.rpm and that seems to have cured its ills.

I appreciate your insight into this, and hope this thread will help others avoid this pitfall.

Thanks again,
-- /v\atthew
newbie in need for hints
Hi,

I'm currently developing a Python application which is a standalone xml-rpc server, so with no web server in front of it. (More details on http://www.pykota.com/software/pykoticon if needed.)

This application works perfectly fine, but now I'd like to encrypt all traffic between the client hosts and the server hosts. But what makes it interesting, IMHO, is that usually there are far more clients than servers, and in this situation the exact opposite is true. For example on a typical site, you'll have something like a maximum of ten clients, and several thousand servers, since this application is run (but not necessarily installed, if run from a network share) on desktop systems (of any type) and the clients are (in my own case) print servers (all *nix).

Each client can connect to any server, but servers can accept queries only if they come from some particular clients (already handled in the current code). Each server has a very low impact on performance, on average accepting maybe twenty queries per hour.

What I want to ensure is that:

- the servers (desktop systems) can verify that incoming client connections really come from one of the authorized clients (print servers). Actually this verification is done but could probably be made more strict.
- no data flies in the clear between clients and servers (this data can contain passwords).
- each client (print servers) can connect to any of the servers (desktop systems), but ensuring that a server really is the host it says it is, is not very important.

I'm a complete newbie as far as ssl is concerned, so I'd like some directions about the best way to achieve my goals. In particular, having a separate certificate for each of the servers (desktop systems) really could be problematic considering the number of them, although having one for each client (print servers) could be feasible.

Someone suggested to me that I use stunnel on both sides. Could this be the solution?

Since I entirely control the code on both the client and server sides, is there a simpler solution that could be implemented? Could people give me some hints about what's the best thing to do, what I should read first, etc.?

Thanks a lot in advance

Jerome Alet
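One way to get the three properties Jerome lists with TLS client authentication, as an added example that is not PyKotIcon's code or from the original post: it uses Python's standard-library ssl and xmlrpc modules, and the file names and allowed CNs are assumed placeholders. One certificate shared by all desktops keeps the per-desktop certificate count at zero, while each print server carries its own client certificate.

```python
"""Mutual TLS for a stand-alone XML-RPC server (added example).

Assumed files (placeholders, not from the post):
  printservers-ca.pem  CA that issued the client (print server) certificates
  desktop.pem/.key     ONE certificate shared by every desktop "server";
                       enough here because server identity is not important,
                       and it avoids issuing a certificate per desktop
"""
import ssl
from xmlrpc.server import SimpleXMLRPCServer

# Constructed allowlist: which print servers may talk to a desktop.
ALLOWED_CLIENT_CNS = {"printserver1.example.org", "printserver2.example.org"}


def server_context(certfile, keyfile, client_cafile):
    """Desktop side: encrypt, and REQUIRE a client certificate chaining to
    the print servers' CA. Without one the handshake fails, so no payload
    (passwords included) is ever exchanged with an unauthorised host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=client_cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def client_context(certfile, keyfile, desktop_cafile):
    """Print server side: present our client certificate and check that the
    desktop presents the shared desktop certificate. Hostname checking is
    off because thousands of desktops share that one certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=desktop_cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def client_allowed(peercert, allowed_cns):
    """Second gate after the CA check done by ssl: the client certificate's
    CN must be on the allowlist, so a certificate from the same CA issued
    to some other host is still refused. `peercert` is the dict returned by
    SSLSocket.getpeercert(); it is None/empty when no cert was presented."""
    if not peercert:
        return False
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value in allowed_cns
    return False


class MutualTLSXMLRPCServer(SimpleXMLRPCServer):
    """SimpleXMLRPCServer whose listening socket is TLS-wrapped; accept()
    then performs the handshake and hands back an SSLSocket."""

    def __init__(self, addr, ctx, allowed_cns):
        super().__init__(addr, logRequests=False)
        self.allowed_cns = allowed_cns
        self.socket = ctx.wrap_socket(self.socket, server_side=True)

    def verify_request(self, request, client_address):
        # socketserver hook, run before any RPC is dispatched; returning
        # False closes the connection without serving the request.
        return client_allowed(request.getpeercert(), self.allowed_cns)


if __name__ == "__main__":
    ctx = server_context("desktop.pem", "desktop.key", "printservers-ca.pem")
    srv = MutualTLSXMLRPCServer(("0.0.0.0", 7000), ctx, ALLOWED_CLIENT_CNS)
    srv.register_function(lambda msg: "ok: " + msg, "notify")
    srv.serve_forever()
```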
Error revoking a certificate
We are in the process of migrating from box A (AIX 4.3.3.0 running openssl 0.9.6g) to box B (AIX 5.3.0.0 running openssl 0.9.8). Both A and B access the same file system which contains our CA files.

When I revoke a certificate from box A, the process works as expected. When I revoke a certificate from box B, I get the following error:

ERROR:name does not match /C=US/ST=Florida/L=Gainesville/O=University of Florida/OU=Computing and Networking Services/CN=alt.smtp.ufl.edu/emailAddress=nerdc-uni [EMAIL PROTECTED]
3080222:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/nerdc/src/ssl/CA/index.txt.attr','rb')
3080222:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
3080222:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:

The certificate, key, config file, etc. are all the same for both revocation attempts. The only thing that's changed, as far as I can tell, is the version of AIX and openssl. Is there a config file I need to check besides the one I specify on the command line?

Any ideas about what might be going on appreciated...

susan
Re: error:0606506D
Hello,

> The script is running on an AIX box.
>
> openssl enc -d -a -iv 31464F4C4C455431 -des3 -K
> 31323334466F6C6C657426265472696D6461746131323334 -in
> directory_encrypt/CS4_35854292.enc
>
> A.RETURN.PKT=bad decrypt 130746:error:0606506D:digital envelope
> routines:EVP_DecryptFinal:wrong final block length:evp_enc.c:268:

This error may be due to incorrect decryption of encrypted data so the padding can not be removed. Check if you really have base64 encoded data (-a option). If yes, you may manually de-base64 and check if the size of this data is a multiple of 8.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
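Marek's two manual checks, base64 validity and the decoded length being a multiple of the 8-byte DES block, as an added Python example that is not from the thread. It also checks that the -K/-iv hex values have the sizes des3 (three-key triple DES in CBC mode) expects; the sample inputs are constructed, not the real packet.

```python
"""Pre-flight checks for input handed to `openssl enc -d -a -des3`.

Added example, not from the thread. With -a, openssl first base64-decodes
the file and then decrypts it in 8-byte DES blocks, removing the padding
from the last block. "wrong final block length" is raised when the decoded
ciphertext is not a whole number of blocks, so there is no complete final
block to unpad; a wrong key/IV with a correct length fails differently
(bad padding), which is why the length check comes first.
"""
import base64
import binascii

DES_BLOCK = 8          # des3 = des-ede3-cbc: 8-byte blocks
DES3_KEY_BYTES = 24    # three-key triple DES
DES3_IV_BYTES = 8

# Constructed samples: 16 bytes -> OK, 13 bytes -> bad final block length,
# and something that is not base64 at all.
SAMPLE_OK = base64.b64encode(bytes(range(16)))
SAMPLE_SHORT = base64.b64encode(bytes(13))
SAMPLE_NOT_B64 = b"this is not base64 !!"


def check_enc_input(data, block=DES_BLOCK):
    """Return (ok, reason, decoded_length) for the bytes of an .enc file.

    Whitespace is dropped first because openssl's base64 reader accepts the
    64-column line breaks that `openssl enc -a` writes."""
    compact = b"".join(data.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}", None
    if not raw:
        return False, "empty after base64 decoding", 0
    if len(raw) % block:
        reason = (f"{len(raw)} bytes is not a multiple of {block}; "
                  "expect 'wrong final block length'")
        return False, reason, len(raw)
    return True, "base64 decodes cleanly and length is a multiple of 8", len(raw)


def validate_des3_params(key_hex, iv_hex):
    """Check the -K and -iv arguments: both must be hex, 24 and 8 bytes.
    openssl pads a short -K with zero bytes (older releases without even a
    warning), so a typo there decrypts to garbage instead of failing loudly."""
    for name, value, want in (("key", key_hex, DES3_KEY_BYTES),
                              ("iv", iv_hex, DES3_IV_BYTES)):
        try:
            raw = bytes.fromhex(value)
        except ValueError:
            return False, f"{name} is not valid hex"
        if len(raw) != want:
            return False, f"{name} is {len(raw)} bytes, des3 needs {want}"
    return True, "key and iv have the right sizes for des3"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(check_enc_input(fh.read()))
```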
Re: PEM_read_bio:no start error with OpenSSL0.9.8a
Hello,

> $ openssl s_client -connect secure.incab.se:443/verify/server/click
> -cert debitech/debitech_CA.pem
>
> I get the following error;
>
> unable to load client certificate private key file
> 31977:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
>
> I do not understand what ANY PRIVATE KEY means, does it mean it was
> expecting a key but did not get a key? So the key is somehow wrong
> and/or bad?

You must add options:

    -key key_file.pem \
    -cert your_key_cert.pem \
    -CAfile debitech/debitech_CA.pem

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
Re: PEM_read_bio:no start error with OpenSSL0.9.8a
On Mon, Jun 12, 2006, Kyle Hamilton wrote:

> The server has supplied you with the certificate to its CA, which
> includes the CA's public key. You're putting it in the option for
> client authentication via certificate.
>
> I believe the option is -cacert, but I'm not quite certain. (I don't
> use s_client enough to know for sure.)

-CAfile

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
error:0606506D
Hi all,

I am getting the following error message on encrypted packets. Can someone tell me what they mean and what I can do to correct the problem? Google did not bring me any meaningful results. The script is running on an AIX box.

openssl enc -d -a -iv 31464F4C4C455431 -des3 -K 31323334466F6C6C657426265472696D6461746131323334 -in directory_encrypt/CS4_35854292.enc

A.RETURN.PKT=bad decrypt 130746:error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length:evp_enc.c:268:
A.RETURN.PKT=bad decrypt 92278:error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length:evp_enc.c:268:
A.RETURN.PKT=bad decrypt 56988:error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length:evp_enc.c:268:
A.RETURN.PKT=bad decrypt 69326:error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length:evp_enc.c:268:
A.RETURN.PKT=bad decrypt 126808:error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length:evp_enc.c:268:

thanks
grs
Re: PEM_read_bio:no start error with OpenSSL0.9.8a
The server has supplied you with the certificate to its CA, which includes the CA's public key. You're putting it in the option for client authentication via certificate.

I believe the option is -cacert, but I'm not quite certain. (I don't use s_client enough to know for sure.)

-Kyle H

On 6/12/06, Jeremiah Foster <[EMAIL PROTECTED]> wrote:
> Hello list!
>
> I am trying to connect to a server that has supplied me with a cert. The
> cert in question is called debitech_CA.pem and when I supply the
> following command;
>
> $ openssl s_client -connect secure.incab.se:443/verify/server/click
> -cert debitech/debitech_CA.pem
>
> I get the following error;
>
> unable to load client certificate private key file
> 31977:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
>
> I do not understand what ANY PRIVATE KEY means, does it mean it was
> expecting a key but did not get a key? So the key is somehow wrong
> and/or bad?
>
> thank you muchly,
>
> jeremiah
Re: fipsld fails when CC=g++
Kyle Hamilton wrote:
>
> No, you got the problem exactly right, and it is a bug that
> does need to be addressed. (HMAC_SHA1_SIG is defined as a
> string with a nil terminator. gcc doesn't throw the error,
> but g++ rightly does. I think there's a command-line
> parameter to disable that particular error check, but I'm not
> sure -- but, as a possible workaround, you might be able to
> use gcc to call fipsld and use g++ for everything
> else.)
>
> The proper definition would be in explicit declarative mode,
> as opposed to string mode. (that is, { 's', 't', 'r', ... };
> instead of "stringhere"). It's difficult to update, though,
> as any modification of the -fips tarball invalidates the FIPS
> certification. (I'd like to see a FIPS validation system, as
> defined by the FIPS testing criteria, built for OpenSSL, in
> order to validate that any changes to the source tree won't
> cause a recertification to fail, and to perhaps fast-track
> any bugfixed code through a recertification. The cost of a
> recertification is not trivial, though...)

The pieces for such a FIPS 140-2 regression test are more or less in place, in the form of the algorithm test drivers and the "fips_test_suite" test program. The use of those test utilities is documented in the FIPS Object Module User Guide.

> Steve: If you know how much the original certification cost,
> could you perhaps mention it? Or would you be able to point
> to someone I could ask?

It's hard to put a price tag on the overall OpenSSL FIPS object module validation effort (not certification, BTW) for several reasons. One is that this validation was unique as the first ever validated product delivered in source form, in the amount of time and effort expended over 3-1/2 years, and in the amount of external opposition encountered. A great deal of non-compensated labor was contributed, in addition to the US$120,000+ of initial cash funding.

I guesstimate the total effort would easily have exceeded half a million bucks if the non-cash contributions were accounted for at fair market rates.

A revalidation should be much simpler and cheaper, fortunately. John Weathersby of the OSSI (www.oss-institute.org) is currently working on coordinating a follow-up validation with interested sponsors. What that revalidation will include and what it will cost will depend on the sponsors he signs up.

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915 cell
301-831-8447 land/fax
[EMAIL PROTECTED]
Re: fipsld fails when CC=g++
Kyle Hamilton wrote:
> No, you got the problem exactly right, and it is a bug that does need
> to be addressed. (HMAC_SHA1_SIG is defined as a string with a nil
> terminator. gcc doesn't throw the error, but g++ rightly does. I think
> there's a command-line parameter to disable that particular error
> check, but I'm not sure -- but, as a possible workaround, you might be
> able to use gcc to call fipsld and use g++ for everything else.)

Thanks. At least now I know I'm not crazy. I searched for a g++ command line parameter to disable that check, but couldn't find anything. Just a few minutes ago, however, I discovered exactly the solution you suggest. Compile everything (c and c++) into object files using whatever compiler is appropriate, then use gcc with fipsld to link, but manually specify the c++ library for the linker:

    CC=gcc fipsld ... -lstdc++

This works fine, and does not appear to violate any of the OpenSSL FIPS criteria. It might even be obvious to developers used to mixing C and C++ (unlike myself. :)

> (I'd like to see a FIPS validation system, as defined by the FIPS
> testing criteria, built for OpenSSL, in order to validate that any
> changes to the source tree won't cause a recertification to fail, and
> to perhaps fast-track any bugfixed code through a recertification. The
> cost of a recertification is not trivial, though...)

That would be great. And I'm sure that there are plenty of parties who would be more than happy to help fund recertifications for future bug fixes.

Thanks for the response and the dead-on solution.

- Marty

--
Marty Lamb
Rajant Corporation
610-873-6788
Re: fipsld fails when CC=g++
No, you got the problem exactly right, and it is a bug that does need to be addressed. (HMAC_SHA1_SIG is defined as a string with a nil terminator. gcc doesn't throw the error, but g++ rightly does. I think there's a command-line parameter to disable that particular error check, but I'm not sure -- but, as a possible workaround, you might be able to use gcc to call fipsld and use g++ for everything else.)

The proper definition would be in explicit declarative mode, as opposed to string mode. (that is, { 's', 't', 'r', ... }; instead of "stringhere"). It's difficult to update, though, as any modification of the -fips tarball invalidates the FIPS certification. (I'd like to see a FIPS validation system, as defined by the FIPS testing criteria, built for OpenSSL, in order to validate that any changes to the source tree won't cause a recertification to fail, and to perhaps fast-track any bugfixed code through a recertification. The cost of a recertification is not trivial, though...)

Steve: If you know how much the original certification cost, could you perhaps mention it? Or would you be able to point to someone I could ask?

-Kyle H

On 6/12/06, Marty Lamb <[EMAIL PROTECTED]> wrote:

I just noticed an insanely bad typo in my original message:

> However, when "CC=gcc fipsld" is used, the following error results:

Should instead be

> However, when "CC=g++ fipsld" is used, the following error results:

Sorry for any confusion. Any help would be very much appreciated.

- Marty

--
Marty Lamb
Rajant Corporation
610-873-6788

Marty Lamb wrote:
> Hello,
>
> I am trying to build a C++ application using OpenSSL-fips-1.0. The
> application compiles and runs fine (sans FIPS_mode_set()) when simply
> compiled using g++.
>
> However, when "CC=gcc fipsld" is used, the following error results:
>
> /usr/local/ssl/bin/../lib/fips_premain.c:66: error: initializer-string
> for array of chars is too long
>
> The line in question (line 66 of fips_premain.c) is:
>
> static const unsigned char FINGERPRINT_ascii_value[40] = HMAC_SHA1_SIG;
>
> As far as I can tell this looks like an off by one error (no room in
> array for null terminator). Of course, I cannot modify fips_premain.c
> and still run fipsld.
>
> My compiler version is: g++ (GCC) 3.4.4 20050721 (Red Hat 3.4.4-2)
>
> This is trivial to test using the following program:
>
> int main(int argc, char **argv) {
>     return 0;
> }
>
> Am I missing something?
>
> Thanks,
>
> Marty
PEM_read_bio:no start error with OpenSSL0.9.8a
Hello list!

I am trying to connect to a server that has supplied me with a cert. The cert in question is called debitech_CA.pem and when I supply the following command;

$ openssl s_client -connect secure.incab.se:443/verify/server/click -cert debitech/debitech_CA.pem

I get the following error;

unable to load client certificate private key file
31977:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

I do not understand what ANY PRIVATE KEY means, does it mean it was expecting a key but did not get a key? So the key is somehow wrong and/or bad?

thank you muchly,

jeremiah
Re: Multihomed SSL Server?
On Mon, Jun 12, 2006 at 11:42:03AM +0200, Marek Marcola wrote:
> Hello,
>
> > Is there any support for multiple primary domains and associated
> > customer certificates on the same ip and port (i.e. a multihomed SSL
> > server)?
>
> If you are thinking of a mechanism such as server_name introduced in
> RFC 3546 6.1 (which may be used for this purpose) - not in this release.

This said, SubjectAlternativeName:DNS may work, as will running a separate server instance with separate certs on each IP address, if each IP represents a distinct domain.

--
Viktor.
Re: fipsld fails when CC=g++
I just noticed an insanely bad typo in my original message:

> However, when "CC=gcc fipsld" is used, the following error results:

Should instead be

> However, when "CC=g++ fipsld" is used, the following error results:

Sorry for any confusion. Any help would be very much appreciated.

- Marty

--
Marty Lamb
Rajant Corporation
610-873-6788

Marty Lamb wrote:
> Hello,
>
> I am trying to build a C++ application using OpenSSL-fips-1.0. The
> application compiles and runs fine (sans FIPS_mode_set()) when simply
> compiled using g++.
>
> However, when "CC=gcc fipsld" is used, the following error results:
>
> /usr/local/ssl/bin/../lib/fips_premain.c:66: error: initializer-string
> for array of chars is too long
>
> The line in question (line 66 of fips_premain.c) is:
>
> static const unsigned char FINGERPRINT_ascii_value[40] = HMAC_SHA1_SIG;
>
> As far as I can tell this looks like an off by one error (no room in
> array for null terminator). Of course, I cannot modify fips_premain.c
> and still run fipsld.
>
> My compiler version is: g++ (GCC) 3.4.4 20050721 (Red Hat 3.4.4-2)
>
> This is trivial to test using the following program:
>
> int main(int argc, char **argv) {
>     return 0;
> }
>
> Am I missing something?
>
> Thanks,
>
> Marty
Re: Error with FIPS module using static lib
> > I compiled fips module OpenSSL-fips-1.0.tar.gz with the following options
> > ./Configure fips hpux-ia64-cc
>
> If you literally typed that command in then it is a violation of the
> security policy and the result is not compliant. If the config script
> chose those options when you did:
>
> ./config fips
>
> then you are OK.

I tried the same as specified in the Security Policy.

# ./config fips
Operating system: ia64-hp-hpux1x
WARNING! 64-bit ABI is the default configured ABI on HP-UXi. If you wish to build 32-bit library, the you have to invoke './Configure hpux-ia64-cc' *manually*.
You have about 5 seconds to press Ctrl-C to abort.

It automatically chose the 64-bit ABI. I'm in need of a 32-bit library. So, I followed the suggestion provided in the warning message. Can you suggest to me how to build a 32-bit library?

> > And the official OpenSSL release 0.9.7j with the following options
> > ./Configure threads zlib shared no-rc5 no-idea no-krb5 fips --openssldir=/opt/openssl hpux-ia64-cc
> >
> > I tried compiling the sample FIPS application given in the FIPS User Guide, page # 47 fips_sample.c
> >
> > The compile options are
> >
> > cc -I.. -I/opt/openssl/include +Z -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN -c -o fips_sample.o fips_sample.c
> >
> > cc -o fips_sample -I/opt/openssl/include +Z -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN fips_sample.o /opt/openssl/lib/libssl.a /opt/openssl/lib/libcrypto.a -Wl,+s,+b,/opt/openssl/lib -ldl -lz
>
> You MUST use the fipsld script for that step. Try just using fipsld
> instead of cc.

Thanks a lot Steve.

--Haridharan
Re: Error with FIPS module using static lib
On Mon, Jun 12, 2006, Haridharan wrote:

> I compiled fips module OpenSSL-fips-1.0.tar.gz with the following options
> ./Configure fips hpux-ia64-cc
>

If you literally typed that command in then it is a violation of the security policy and the result is not compliant. If the config script chose those options when you did:

./config fips

then you are OK.

> And the official OpenSSL release 0.9.7j with the following options
> ./Configure threads zlib shared no-rc5 no-idea no-krb5
> fips --openssldir=/opt/openssl hpux-ia64-cc
>
> I tried compiling the sample FIPS application given in the FIPS User Guide,
> page # 47 fips_sample.c
>
> The compile options are
>
> cc -I.. -I/opt/openssl/include
> +Z -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -Ae
> +DD32 +O3 +Olit=all -z -DB_ENDIAN -c -o fips_sample.o fips_sample.c
>
> cc -o fips_sample -I/opt/openssl/include
> +Z -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -Ae
> +DD32 +O3 +Olit=all -z -DB_ENDIAN fips_sample.o /opt/openssl/lib/libssl.a
> /opt/openssl/lib/libcrypto.a -Wl,+s,+b,/opt/openssl/lib -ldl -lz
>

You MUST use the fipsld script for that step. Try just using fipsld instead of cc.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Error with FIPS module using static lib
I compiled fips module OpenSSL-fips-1.0.tar.gz with the following options

./Configure fips hpux-ia64-cc

And the official OpenSSL release 0.9.7j with the following options

./Configure threads zlib shared no-rc5 no-idea no-krb5 fips --openssldir=/opt/openssl hpux-ia64-cc

I tried compiling the sample FIPS application given in the FIPS User Guide, page # 47 fips_sample.c

The compile options are

cc -I.. -I/opt/openssl/include +Z -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN -c -o fips_sample.o fips_sample.c

cc -o fips_sample -I/opt/openssl/include +Z -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN fips_sample.o /opt/openssl/lib/libssl.a /opt/openssl/lib/libcrypto.a -Wl,+s,+b,/opt/openssl/lib -ldl -lz

I get the following error message.

./fips_sample -v abc
22118:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match:fips.c:212:

BUT it's working fine for the *shared* library. Does the FIPS module not work with a static library?

Thanks in advance,
Haridharan
Re: sigsegv in BN_BLINDING_free 0.9.8a
On Wed, Jun 07, 2006 at 07:40:44PM -0400, Matthew L Daniel wrote:
> If this needs to go to the dev list, let me know.
>
> I am experiencing a SIGSEGV in BN_BLINDING_free because mt_blinding
> appears to be 0x11 instead of a pointer to some memory.

We had an identical issue reported here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193633
which is somehow caused by the use of Zimbra binaries.

joe

>
> Thanks,
> -- /v\atthew
>
> 1 =
> http://groups.google.com/group/mailing.openssl.users/msg/6dfa523d76e40fd7?dmode=source
>
> === begin stack trace ===
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1216694592 (LWP 3819)]
> BN_BLINDING_free (r=0x11) at bn_blind.c:167
> 167 if (r->A != NULL) BN_free(r->A );
> (gdb) bt
> #0 BN_BLINDING_free (r=0x11) at bn_blind.c:167
> #1 0xb78fc730 in RSA_free (r=0x80168d20) at rsa_lib.c:236
> #2 0xb791c412 in EVP_PKEY_free_it (x=Variable "x" is not available.
> ) at p_lib.c:479
> #3 0xb791c47e in EVP_PKEY_free (x=0x80168d00) at p_lib.c:466
> #4 0xb7927553 in pubkey_cb (operation=3, pval=0x80163eb0, it=0xb79889c8)
> at x_pubkey.c:76
> #5 0xb792dde2 in asn1_item_combine_free (pval=0x80163eb0, it=0xb79889c8,
> combine=0) at tasn_fre.c:175
> #6 0xb792e002 in ASN1_template_free (pval=0x80163eb0, tt=0xb798b338)
> at tasn_fre.c:202
> #7 0xb792df15 in asn1_item_combine_free (pval=0x80166f40, it=0xb7988b7c,
> combine=0) at tasn_fre.c:172
> #8 0xb792e002 in ASN1_template_free (pval=0x80166f40, tt=0xb798b3a0)
> at tasn_fre.c:202
> #9 0xb792df15 in asn1_item_combine_free (pval=0xbfd25710, it=0xb7988b98,
> combine=0) at tasn_fre.c:172
> #10 0xb792e02e in ASN1_item_free (val=0x80166f40, it=0xb7988b98)
> at tasn_fre.c:71
> #11 0xb7928f39 in X509_free (a=0x80166f40) at x_x509.c:128
> #12 0xb70019fa in ssl_init_ModuleKill (data=0x80052ca0)
> at /usr/src/redhat/BUILD/httpd-2.2.2/modules/ssl/ssl_engine_init.c:1233
> #13 0xb7cc052b in run_cleanups (cref=0x8004d330)
> at memory/unix/apr_pools.c:2034
> #14 0xb7cc0db0 in apr_pool_clear (pool=0x8004d320)
> at memory/unix/apr_pools.c:689
> #15 0x800107fe in main (argc=-2147175656, argv=0x0)
> at /usr/src/redhat/BUILD/httpd-2.2.2/server/main.c:667
> (gdb) up
> #1 0xb78fc730 in RSA_free (r=0x80168d20) at rsa_lib.c:236
> 236 if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
> (gdb) print r->mt_blinding
> $1 = (BN_BLINDING *) 0x11
>
> === end stack trace ===
Re: Multihomed SSL Server?
Hello,

> Is there any support for multiple primary domains and associated
> customer certificates on the same ip and port (i.e. a multihomed SSL
> server)?

If you are thinking of a mechanism such as server_name introduced in RFC 3546 6.1 (which may be used for this purpose) - not in this release.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
Multihomed SSL Server?
Is there any support for multiple primary domains and associated customer certificates on the same ip and port (i.e. a multihomed SSL server)?
RE: renegotiating problem - connection hanging?
Hello,

> Your proposition was to add further breakage. It is a mistake to issue a
> blocking socket operation if you do not wish to block, end of story. This is
> just a single example of one way this can break and it is impossible to fix
> it completely without breaking proper blocking applications that really do
> want to block.

My proposition is only clarifying what is already implemented.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
Re: renegotiating problem - connection hanging?
Hello,

> If a blocking application sets SSL_MODE_AUTO_RETRY, SSL_read() will
> only return once data is available, or a real error occurs. This must
> not change.

It is not set for s_client. We are talking of this case.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>