FIPS compilation with VC6
Hi All,

Can anyone please tell me how to configure/compile FIPS on VC6? I have failed to do the configuration.

C:\openssl-fips-1.1.1\openssl-fips-1.1.1>perl Configure VC-WIN32 fips .
C:\openssl-fips-1.1.1\openssl-fips-1.1.1>perl util\mk1mf.pl dll no-asm fips VC-CE 1>ms\cedll.mak
***FIPS module directory sanity check failed***
FIPS module build failed, or was deleted
Please rebuild FIPS module.

What have I done wrong?

Thanks,
Kit.
Sequences in extension
Hello!

I'm using the OpenSSL library (not the command line tool) for creating certificate requests. I've already built a request that works and I also know how to add simple extensions (like ia5string, integer or boolean) to my request. But now I want to add "deeper" structures to my request using the SEQUENCE type. Something like:

myOID ... Sequence {
    Integer ..
    Bmp String ...
}

I have no idea how to do this and which functions I should use. Can anybody help me?

Thanks!
Michael

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Can't build FIPS capable OpenSSL
On Thu, Feb 22, 2007, David Schwartz wrote:

> I'm sure I'm doing something stupid. I'm trying to build a FIPS capable
> OpenSSL on a run-of-the-mill Linux box. I built the FIPS canister and
> untarred a fresh distribution of 'openssl-0.9.7l'. I configured it with
> "./config fips no-rc5 no-idea" and it found the FIPS stuff. Then I did a
> 'make depend' and a 'make', and boom.
>

You need a recent 0.9.7 snapshot to use the 1.1.1 FIPS module, no official release supports it yet. There will be an official release "real soon now".

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Can't build FIPS capable OpenSSL
I'm sure I'm doing something stupid. I'm trying to build a FIPS capable OpenSSL on a run-of-the-mill Linux box. I built the FIPS canister and untarred a fresh distribution of 'openssl-0.9.7l'. I configured it with "./config fips no-rc5 no-idea" and it found the FIPS stuff. Then I did a 'make depend' and a 'make', and boom.

The errors are lots of undefined symbols. Code in both the FIPS canister and the OpenSSL build is conflicting. For example:

../libcrypto.a(err.o):err.c:(.text+0xfa0): first defined here
../libcrypto.a(fipscanister.o): In function `ERR_load_PKCS12_strings':
(.text+0x245b0): multiple definition of `ERR_load_PKCS12_strings'
../libcrypto.a(pk12err.o):pk12err.c:(.text+0x0): first defined here
../libcrypto.a(fipscanister.o): In function `BIO_push':
(.text+0x8270): multiple definition of `BIO_push'
../libcrypto.a(bio_lib.o):bio_lib.c:(.text+0x2e0): first defined here
../libcrypto.a(fipscanister.o): In function `ERR_load_CONF_strings':
(.text+0x15f70): multiple definition of `ERR_load_CONF_strings'
../libcrypto.a(conf_err.o):conf_err.c:(.text+0x0): first defined here
../libcrypto.a(fipscanister.o): In function `BUF_strlcpy':
(.text+0x15be0): multiple definition of `BUF_strlcpy'
../libcrypto.a(buffer.o):buffer.c:(.text+0x0): first defined here
../libcrypto.a(fipscanister.o): In function `ERR_load_crypto_strings':
(.text+0x1b070): multiple definition of `ERR_load_crypto_strings'
../libcrypto.a(err_all.o):err_all.c:(.text+0x0): first defined here

There are many of these functions. All the sk_ functions, BN functions, and so on. Apparently, code that's in the FIPS canister is still getting built in the regular OpenSSL build. I thought selecting 'fips' in the config line was supposed to shut that off.

What stupid thing am I doing wrong?

DS
Re: problem with connection under win32
On Thu, Feb 22, 2007, Milan Křápek wrote:

> Thanks for advice. Can you just give me here link to this example, or copy
> this, I can't find it. I go through the ocsp application in the latest release
> of OpenSSL, but I did not find there anything useful.
>

I said 0.9.9-dev not the latest release. You will need to download a recent snapshot, for example:

ftp://ftp.openssl.org/snapshot/openssl-SNAP-20070222.tar.gz

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: [PATCH] ECDHE-RSA-AES256-SHA failure with 0.9.9 SNAP 20070221
On Thu, Feb 22, 2007 at 03:30:12AM -0500, Victor Duchovni wrote:

> --- ssl/ssl_lib.c 2007-02-19 12:01:04.0 -0500 > +++ ssl/ssl_lib.c 2007-02-22 03:07:27.0 -0500 > @@ -1946,7 +1946,7 @@ > alg_k = s->s3->tmp.new_cipher->algorithm_mkey; > alg_a = s->s3->tmp.new_cipher->algorithm_auth; > > - if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) > + if (alg_k & (SSL_kECDHr|SSL_kECDHe)) > { > /* we don't need to look at SSL_kEECDH >* since no certificate is needed for

The patch is now in the CVS.

Bodo
Re: compiling openssl-fips-1.1.1 on HP-UX 11.11
Wei:

My current guess is that if all you are trying to do is get an openssl utility that is FIPS certified, then doing

./config fips
make
make install

from inside the top level directory of openssl-fips-1.1.1 is all that is required. If you want an openssl utility of a more recent 0.9.7 version than the one fips-1.1.1 is based on, then you would have to do a two pass build as you outlined, using one of the 0.9.7 snapshots.

Is that correct everyone?

Chris Marshall

--- Wei Weng <[EMAIL PROTECTED]> wrote:

> Hi. Sorry I can not answer your question, but it seems that you are the
> only one that is working on getting openssl-fips-1.1.1 to work these
> days, so I had to bug you for some trivial questions. :)
>
> Do you think the process I had gone into making openssl-fips-1.1.1 work
> is correct? (I do realize we are working on different platforms, but I
> think the general procedures should be similar)
>
> Thanks! The following is from an email I sent the list earlier.
>
> Hi all.
>
> I want to know whether this is correct in building FIPS capable
> OpenSSL binaries.
> Download openssl-fips-1.1.1.tar.gz and openssl-0.9.7l.tar.gz, unzip them
> into their own directories.
> cd openssl-fips-1.1.1, do
> ./config fips --prefix=/opt/fips
> and make; make install is going to install fips_canister.o inside the
> /opt/fips/lib directory.
> cd openssl-0.9.7l, do
> ./config shared --with-fipslibdir=/opt/fips/lib/
> --openssldir=/opt/openssl-0.9.7l/
> and make; make install is going to put FIPS capable openssl binaries
> into /opt/openssl-0.9.7l/
>
> Is this correct? Thanks in advance.
>
> Wei
Getting a cert with different openssl versions
Hi,

I wrote an app that prints out the fingerprint of a certificate. I used SSL_get_peer_certificate(ssl) to get the cert. This works fine with openssl 0.9.8b but not with c (I always get NULL for the cert). Any ideas why? I used SSL_set_verify on the SSL object before making a sslconnect/accept.

Thanks,
Stephan
Re: problem with connection under win32
Thanks for advice. Can you just give me here link to this example, or copy this, I can't find it. I go through the ocsp application in the latest release of OpenSSL, but I did not find there anything useful.

Thanks
Link to libssl.so.0 instead of libssl.so.2
Hi,

My destination machine only has libssl.so.0 and libssl.so.0.9.6, which are both symbolic links to libssl.so.0.9.7. I cannot make any changes on that machine. On my development machine, I tried to compile my code and the binary always depends on libssl.so.2, which is a symbolic link to libssl.so.0.9.6. How can I make my binary depend on libssl.so.0 instead of libssl.so.2?

Thanks,
Jin
Re: problem with connection under win32
On Thu, Feb 22, 2007, Milan Křápek wrote:

> Hi, In my project I try to set up a TCP connection. It works fine on Unix
> systems, but when I try it on Windows I have a problem.
> For connecting I use the non blocking BIO.
> Here is part of the code I use:
>
> BIO_set_nbio (bio,1);
>
> int rc = -1;
> while (rc <= 0){
>     rc = BIO_do_connect(bio);
>     if (rc<=0){
>         if (!BIO_should_retry(bio)){
>             return (OT_ERROR);
>         }
>     }
> }
>
> I set the BIO to nonblocking and then I try to connect, until it connects or
> throws an error.
> On Windows I have this problem: this code finishes even though the
> connection wasn't established.
> I try connecting to another computer that I disconnected from the LAN. On Unix
> it throws an error, but on Windows it tells me that the connection was
> successfully established :o(
>
> Please what should I do. I need some advice how to recognize if the
> connection is available.
> I tried the select function, guarding the file descriptor of the BIO and
> watching if this socket is writable, but it never happens.
>

While that technique will work under Unix it won't on Win32 due to some differences in the way connect() operates in non blocking mode. I suppose we should really modify the connect BIO under Win32 to allow that to work.

A slightly different technique should work on both. After the call to BIO_do_connect() retrieve the fd and if a retry is requested wait for a write condition: this indicates that the connection has completed. After that perform I/O on the BIO in the normal way.

There is an example of this in the ocsp application in OpenSSL 0.9.9-dev.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
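The sequence Steve describes (start the connect, retrieve the fd, wait for a write condition, then use the connection) is, at the socket level, the standard non-blocking connect pattern. The code below is an added example and not from this thread or from OpenSSL: it does the same thing with plain POSIX sockets so the check that actually establishes "connected" is visible, in particular the SO_ERROR step that tells an attempt that merely completed apart from one that succeeded. The names nb_connect and loopback_attempt are chosen here; the demo builds its own loopback listener so it runs offline. Two practical notes: with a BIO, BIO_get_fd() is the call that retrieves the descriptor to hand to select(); and on WinSock a failed non-blocking connect is reported in select()'s except set rather than the write set, which is why the code polls both sets before reading SO_ERROR.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Outcome of nb_connect(). */
enum nb_result { NB_CONNECTED = 1, NB_TIMEOUT = 0, NB_FAILED = -1 };

/* Start a non-blocking connect on sock, wait for select() to report the
 * socket writable (or in the except set, how WinSock signals a failed
 * non-blocking connect), then read SO_ERROR for the real outcome.
 * Socket-level version of "retrieve the fd and wait for a write condition";
 * added example, not OpenSSL code. */
int nb_connect(int sock, const struct sockaddr *addr, socklen_t len,
               int timeout_ms)
{
    int flags = fcntl(sock, F_GETFL, 0);
    if (flags < 0 || fcntl(sock, F_SETFL, flags | O_NONBLOCK) < 0)
        return NB_FAILED;

    if (connect(sock, addr, len) == 0)
        return NB_CONNECTED;        /* completed at once (common on loopback) */
    if (errno != EINPROGRESS)
        return NB_FAILED;           /* e.g. ECONNREFUSED reported immediately */

    /* This is the BIO_should_retry() situation: the connect is pending. */
    fd_set wfds, efds;
    FD_ZERO(&wfds);
    FD_ZERO(&efds);
    FD_SET(sock, &wfds);
    FD_SET(sock, &efds);
    struct timeval tv;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    int n = select(sock + 1, NULL, &wfds, &efds, &tv);
    if (n == 0)
        return NB_TIMEOUT;
    if (n < 0)
        return NB_FAILED;

    /* Writable only means the attempt finished; SO_ERROR says whether it
     * succeeded. Skipping this check is how an unreachable peer looks
     * "connected". */
    int err = 0;
    socklen_t elen = sizeof err;
    if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &elen) < 0)
        return NB_FAILED;
    if (err != 0) {
        errno = err;
        return NB_FAILED;
    }
    return NB_CONNECTED;
}

/* Constructed demo: bind a loopback port, and only call listen() on it when
 * with_listener is set, so both outcomes can be exercised offline. A bound
 * but non-listening port answers a SYN with RST, i.e. ECONNREFUSED. */
int loopback_attempt(int with_listener, int timeout_ms)
{
    struct sockaddr_in sa;
    socklen_t slen = sizeof sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                /* kernel picks a free port */

    int lsock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0)
        return NB_FAILED;
    if (bind(lsock, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(lsock, (struct sockaddr *)&sa, &slen) < 0 ||
        (with_listener && listen(lsock, 1) < 0)) {
        close(lsock);
        return NB_FAILED;
    }

    int csock = socket(AF_INET, SOCK_STREAM, 0);
    int rc = csock < 0 ? NB_FAILED
                       : nb_connect(csock, (struct sockaddr *)&sa, sizeof sa,
                                    timeout_ms);
    if (csock >= 0)
        close(csock);
    close(lsock);
    return rc;
}

int main(void)
{
    printf("listener present: %d (NB_CONNECTED is %d)\n",
           loopback_attempt(1, 2000), NB_CONNECTED);
    printf("no listener:      %d (NB_FAILED is %d)\n",
           loopback_attempt(0, 2000), NB_FAILED);
    return 0;
}
```

The busy loop in the quoted code spins on BIO_do_connect() until it stops asking for a retry; the version here blocks in select() instead, bounded by a timeout, and treats "writable" as the signal to ask the kernel what happened rather than as success in itself.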
Re: problem with connection under win32
Probably there is a different response on Windows. See the OpenSSL documentation on Windows. I'm not sure, but BIO_do_connect should be blocking code, so you don't need the while.

2007/2/22, Milan Křápek <[EMAIL PROTECTED]>:

Hi, In my project I try to set up a TCP connection. It works fine on Unix systems, but when I try it on Windows I have a problem.
For connecting I use the non blocking BIO.
Here is part of the code I use:

BIO_set_nbio (bio,1);

int rc = -1;
while (rc <= 0){
    rc = BIO_do_connect(bio);
    if (rc<=0){
        if (!BIO_should_retry(bio)){
            return (OT_ERROR);
        }
    }
}

I set the BIO to nonblocking and then I try to connect, until it connects or throws an error.
On Windows I have this problem: this code finishes even though the connection wasn't established.
I try connecting to another computer that I disconnected from the LAN. On Unix it throws an error, but on Windows it tells me that the connection was successfully established :o(

Please what should I do. I need some advice how to recognize if the connection is available.
I tried the select function, guarding the file descriptor of the BIO and watching if this socket is writable, but it never happens.

thanks for response

--
Dott. Vincenzo Sciarra
problem with connection under win32
Hi, In my project I try to set up a TCP connection. It works fine on Unix systems, but when I try it on Windows I have a problem.
For connecting I use the non blocking BIO.
Here is part of the code I use:

BIO_set_nbio (bio,1);

int rc = -1;
while (rc <= 0){
    rc = BIO_do_connect(bio);
    if (rc<=0){
        if (!BIO_should_retry(bio)){
            return (OT_ERROR);
        }
    }
}

I set the BIO to nonblocking and then I try to connect, until it connects or throws an error.
On Windows I have this problem: this code finishes even though the connection wasn't established.
I try connecting to another computer that I disconnected from the LAN. On Unix it throws an error, but on Windows it tells me that the connection was successfully established :o(

Please what should I do. I need some advice how to recognize if the connection is available.
I tried the select function, guarding the file descriptor of the BIO and watching if this socket is writable, but it never happens.

thanks for response
[PATCH] ECDHE-RSA-AES256-SHA failure with 0.9.9 SNAP 20070221
Tried to use openssl-SNAP-20070221 with ECDHE and an RSA certificate and ran into internal errors, until I applied the following (lightly considered) patch:

--- ssl/ssl_lib.c 2007-02-19 12:01:04.0 -0500 +++ ssl/ssl_lib.c 2007-02-22 03:07:27.0 -0500 @@ -1946,7 +1946,7 @@ alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) + if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { /* we don't need to look at SSL_kEECDH * since no certificate is needed for

The original code insists on certificates with EC public keys even for EECDH, while the comment seems to suggest (and I think it is correct) that kEECDH should get the public key type from "alg_a" not, as with ECDHr and ECDHe, from "alg_k". Without the patch EECDH-RSA handshakes fail, with the patch they work. No warranty, the patch may have broken something else...

Before:

postfix/smtpd[22091]: warning: TLS library problem: 22091:error:1409A044:SSL routines:SSL3_SEND_SERVER_CERTIFICATE:internal error:s3_srvr.c:2703:

After:

postfix/smtpd[23768]: TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Are there other known problem configurations?

--
Viktor.
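Review bot: the hunk's context ends at the comment "we don't need to look at SSL_kEECDH since no certificate is needed for", so the branch that is supposed to pick the certificate type from alg_a for EECDH is not visible here, and the only evidence in the post is an ECDHE-RSA-AES256-SHA handshake (the "After:" log line). Before this is merged the EECDH case that does carry an EC certificate (an ECDHE-ECDSA cipher) should be exercised as well, since removing SSL_kEECDH from the `if (alg_k & (SSL_kECDHr|SSL_kECDHe))` test means that path now relies entirely on whatever the alg_a handling does. Two smaller points: the comment that follows the changed line was written as if SSL_kEECDH were excluded, so it was already contradicting the old condition and should now be reworded to state the rule ("EECDH takes its certificate type from alg_a") rather than "we don't need to look at"; and the author's own "lightly considered" / "no warranty" should be answered by a commit message that records that reasoning, which the CVS checkin announced in the follow-up reply does not show.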