FIPS compilation with VC6

2007-02-22 Thread f kit
 Hi All, 
 
Can anyone please tell me how to configure/compile FIPS on VC6? I failed to do 
the configuration. 
 
C:\openssl-fips-1.1.1\openssl-fips-1.1.1>perl Configure VC-WIN32 fips 
. 
C:\openssl-fips-1.1.1\openssl-fips-1.1.1>perl util\mk1mf.pl dll no-asm  fips 
VC-CE 1>ms\cedll.mak 
***FIPS module directory sanity check failed*** 
FIPS module build failed, or was deleted 
Please rebuild FIPS module. 
 
What have I done wrong? 
 
Thanks, 
 
Kit.  

Sequences in extension

2007-02-22 Thread Michael Leuchtner

Hello!

I'm using the OpenSSL library (not the command line tool) for creating
certificate requests. I've already built a request that works and I
also know how to add simple extensions (like ia5string, integer or
boolean) to my request. But now I want to add "deeper" structures to my
request using the SEQUENCE type. Something like:

myOID ...
Sequence {
Integer ..
Bmp String ...
}

I have no idea how to do this and which functions I should use. Can
anybody help me?

Thanks!

Michael
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Can't build FIPS capable OpenSSL

2007-02-22 Thread Dr. Stephen Henson
On Thu, Feb 22, 2007, David Schwartz wrote:

> 
>   I'm sure I'm doing something stupid. I'm trying to build a FIPS capable
> OpenSSL on a run-of-the-mill Linux box. I built the FIPS canister and
> untarred a fresh distribution of 'openssl-0.9.7l'. I configured it with
> "./config fips no-rc5 no-idea" and it found the FIPS stuff. Then I did a
> 'make depend' and a 'make', and boom.
> 

You need a recent 0.9.7 snapshot to use the 1.1.1 FIPS module, no official
release supports it yet. There will be an official release "real soon now".

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Can't build FIPS capable OpenSSL

2007-02-22 Thread David Schwartz

I'm sure I'm doing something stupid. I'm trying to build a FIPS capable
OpenSSL on a run-of-the-mill Linux box. I built the FIPS canister and
untarred a fresh distribution of 'openssl-0.9.7l'. I configured it with
"./config fips no-rc5 no-idea" and it found the FIPS stuff. Then I did a
'make depend' and a 'make', and boom.

The errors are lots of undefined symbols. Code in both the FIPS canister
and the OpenSSL build is conflicting. For example:

../libcrypto.a(err.o):err.c:(.text+0xfa0): first defined here
../libcrypto.a(fipscanister.o): In function `ERR_load_PKCS12_strings':
(.text+0x245b0): multiple definition of `ERR_load_PKCS12_strings'
../libcrypto.a(pk12err.o):pk12err.c:(.text+0x0): first defined here
../libcrypto.a(fipscanister.o): In function `BIO_push':
(.text+0x8270): multiple definition of `BIO_push'
../libcrypto.a(bio_lib.o):bio_lib.c:(.text+0x2e0): first defined here
../libcrypto.a(fipscanister.o): In function `ERR_load_CONF_strings':
(.text+0x15f70): multiple definition of `ERR_load_CONF_strings'
../libcrypto.a(conf_err.o):conf_err.c:(.text+0x0): first defined here
../libcrypto.a(fipscanister.o): In function `BUF_strlcpy':
(.text+0x15be0): multiple definition of `BUF_strlcpy'
../libcrypto.a(buffer.o):buffer.c:(.text+0x0): first defined here
../libcrypto.a(fipscanister.o): In function `ERR_load_crypto_strings':
(.text+0x1b070): multiple definition of `ERR_load_crypto_strings'
../libcrypto.a(err_all.o):err_all.c:(.text+0x0): first defined here

There are many of these functions. All the sk_ functions, BN functions, and
so on. Apparently, code that's in the FIPS canister is still getting built
in the regular OpenSSL build. I thought selecting 'fips' in the config line
was supposed to shut that off.

What stupid thing am I doing wrong?

DS




Re: problem with connection under win32

2007-02-22 Thread Dr. Stephen Henson
On Thu, Feb 22, 2007, Milan Křápek wrote:

> Thanks for the advice. Can you just give me a link to this example here, or copy 
> it? I can't find it. I went through the ocsp application in the latest release 
> of OpenSSL, but I did not find anything useful there.
> 

I said 0.9.9-dev not the latest release. You will need to download a recent
snapshot for example:

ftp://ftp.openssl.org/snapshot/openssl-SNAP-20070222.tar.gz

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: [PATCH] ECDHE-RSA-AES256-SHA failure with 0.9.9 SNAP 20070221

2007-02-22 Thread Bodo Moeller
On Thu, Feb 22, 2007 at 03:30:12AM -0500, Victor Duchovni wrote:

> --- ssl/ssl_lib.c 2007-02-19 12:01:04.0 -0500
> +++ ssl/ssl_lib.c 2007-02-22 03:07:27.0 -0500
> @@ -1946,7 +1946,7 @@
>   alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
>   alg_a = s->s3->tmp.new_cipher->algorithm_auth;
>  
> - if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
> + if (alg_k & (SSL_kECDHr|SSL_kECDHe))
>   {
>   /* we don't need to look at SSL_kEECDH
>* since no certificate is needed for
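Review bot: the change makes the condition consistent with the comment that follows it (SSL_kEECDH needs no certificate of its own, so only the fixed-ECDH flavours SSL_kECDHr and SSL_kECDHe should trigger the EC-certificate check). Since this is going into CVS, a commit-log line saying why SSL_kEECDH was dropped from the mask, plus a check that ECDHE with an ECDSA certificate still selects its certificate through alg_a now that this branch no longer covers it, would round the change off.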

The patch is now in the CVS.

Bodo


Re: compiling openssl-fips-1.1.1 on HP-UX 11.11

2007-02-22 Thread Christopher Marshall
Wei:

My current guess is that if all you are trying to do is get an openssl utility 
that is FIPS certified, then doing 
   ./config fips
   make 
   make install
from inside the top level directory of openssl-fips-1.1.1 is all that is 
required.

If you want an openssl utility of a more recent 0.9.7 version than the one 
fips-1.1.1 is based on, then you would have to do a two-pass build as you 
outlined, using one of the 0.9.7 snapshots.

Is that correct everyone?

Chris Marshall


--- Wei Weng <[EMAIL PROTECTED]> wrote:

> Hi. Sorry I can not answer your question, but it seems that you are the 
> only one that is working on getting openssl-fips-1.1.1 to work these 
> days, so I had to bug you for some trivial questions. :)
> 
> Do you think the process I had gone into making openssl-fips-1.1.1 work 
> is correct? (I do realize we are working on different platforms, but I 
> think the general procedures should be similar)
> 
> Thanks!  The following is from an email I sent the list earlier.
> 
> Hi all.
> 
> I want to know whether this is the correct way to build FIPS capable 
> openSSL binaries.
> download openssl-fips-1.1.1.tar.gz and openssl-0.9.7l.tar.gz, unzip them 
> into their own directories.
> cd openssl-fips-1.1.1, do
> ./config fips --prefix=/opt/fips
> and make; make install is going to install fips_canister.o inside 
> /opt/fips/lib directory.
> cd openssl-0.9.7l, do
> ./config shared --with-fipslibdir=/opt/fips/lib/ 
> --openssldir=/opt/openssl-0.9.7l/
> and make; make install is going to put FIPS capable openssl binaries 
> into /opt/openssl-0.9.7l/
> 
> Is this correct? Thanks in advance.
> 
> 
> Wei
> 



Getting a cert with different openssl versions

2007-02-22 Thread Stephan Meier

Hi,
I wrote an app that prints out the fingerprint of a certificate.
I used SSL_get_peer_certificate(ssl) to get the cert. This works fine with
openssl 0.9.8b but not with c (I always get NULL for the cert). Any ideas
why?
I used SSL_set_verify on the SSL object before making an SSL_connect/SSL_accept.

Thanks,
Stephan


Re: problem with connection under win32

2007-02-22 Thread Milan Křápek
Thanks for the advice. Can you just give me a link to this example here, or copy 
it? I can't find it. I went through the ocsp application in the latest release 
of OpenSSL, but I did not find anything useful there.

Thanks


Link to libssl.so.0 instead of libssl.so.2

2007-02-22 Thread Hui Jin
Hi,

My destination machine only has libssl.so.0 and libssl.so.0.9.6, which are both
symbolic links to libssl.so.0.9.7. I cannot make any changes on that
machine.

On my development machine, I tried to compile my code and the binary
always depends on libssl.so.2, which is a symbolic link to
libssl.so.0.9.6.

How can I make my binary depend on libssl.so.0 instead of
libssl.so.2?

Thanks,

Jin



Re: problem with connection under win32

2007-02-22 Thread Dr. Stephen Henson
On Thu, Feb 22, 2007, Milan Křápek wrote:

> Hi, In my project I try to set up a TCP connection. It works fine on Unix 
> systems, but when I try it on Windows I have a problem.
> For connecting I use the non-blocking BIO.
> Here is part of the code I use:
> 
> BIO_set_nbio(bio, 1);
> 
> int rc = -1;
> while (rc <= 0) {
>     rc = BIO_do_connect(bio);
>     if (rc <= 0) {
>         if (!BIO_should_retry(bio)) {
>             return (OT_ERROR);
>         }
>     }
> }
> 
> I set the BIO to non-blocking and then I try to connect, until it connects or 
> throws an error.
> On Windows I have this problem: this code finishes even though the 
> connection wasn't established.
> I try connecting to another computer that I disconnected from the LAN. On Unix 
> systems it throws an error, but on Windows it tells me that the connection was 
> successfully established :o(
> 
> Please, what should I do? I need some advice on how to recognize if the 
> connection is available.
> I used to try the select function, guarding the file descriptor of the bio and 
> watching if this socket is writeable, but it never happens.
> 
> 

While that technique will work under Unix it won't on Win32 due to some
differences in the way connect() operates in non-blocking mode. I suppose we
should really modify the connect BIO under Win32 to allow that to work.

A slightly different technique should work on both. After the call to
BIO_do_connect() retrieve the fd and if a retry is requested wait for a write
condition: this indicates that the connection has completed.

After that perform I/O on the BIO in the normal way.

There is an example of this in the ocsp application in OpenSSL 0.9.9-dev.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
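The technique Steve describes, as an added example that is not code from the thread or from OpenSSL: it is written against the plain socket a connect BIO wraps (with a BIO, BIO_get_fd(bio, &fd) after BIO_do_connect() has asked for a retry supplies the descriptor), waits for the write condition, and then reads SO_ERROR, because a refused connect also wakes select() and WinSock reports the failure in the except set rather than the write set. The loopback helper and the ephemeral ports it hands out are constructed for the demonstration.

```c
/* Added example, not code from the thread: the wait-for-writable step on the
 * raw socket a connect BIO wraps (BIO_get_fd(bio, &fd) yields that socket). */
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Loopback socket on an ephemeral port, listening if asked; reports the port.
 * A bound but non-listening socket makes the kernel refuse connects to it. */
int bind_loopback(unsigned short *port, int do_listen)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, len) < 0) return -1;
    if (do_listen && listen(fd, 1) < 0) return -1;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    *port = ntohs(sa.sin_port);
    return fd;
}

/* Non-blocking connect to 127.0.0.1:port: the fd when pending or already up,
 * -1 (errno set) on immediate failure.  EINPROGRESS is the socket-level
 * equivalent of BIO_should_retry(): the connect is still in flight. */
int start_connect(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 && errno != EINPROGRESS) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* 0 connected, -1 failed (errno set), -2 timed out.  Writable alone proves
 * nothing: a refused connect also wakes select(), and WinSock reports it in
 * the except set, not the write set, so watch both and let SO_ERROR decide. */
int wait_connected(int fd, int timeout_ms)
{
    fd_set wfds, efds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int err = 0, n; socklen_t len = sizeof err;
    FD_ZERO(&wfds); FD_SET(fd, &wfds); FD_ZERO(&efds); FD_SET(fd, &efds);
    n = select(fd + 1, NULL, &wfds, &efds, &tv);
    if (n == 0) return -2;
    if (n < 0 || getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) return -1;
    if (err) { errno = err; return -1; }
    return 0;
}
```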


Re: problem with connection under win32

2007-02-22 Thread Vincenzo Sciarra

Probably there is a different response on Windows. See the OpenSSL
documentation on Windows.

I'm not sure, but BIO_do_connect should be blocking code, so you don't need
the while.




2007/2/22, Milan Křápek <[EMAIL PROTECTED]>:


Hi, In my project I try to set up a TCP connection. It works fine on Unix
systems, but when I try it on Windows I have a problem.
For connecting I use the non-blocking BIO.
Here is part of the code I use:

BIO_set_nbio(bio, 1);

int rc = -1;
while (rc <= 0) {
    rc = BIO_do_connect(bio);
    if (rc <= 0) {
        if (!BIO_should_retry(bio)) {
            return (OT_ERROR);
        }
    }
}

I set the BIO to non-blocking and then I try to connect, until it connects or
throws an error.
On Windows I have this problem: this code finishes even though the
connection wasn't established.
I try connecting to another computer that I disconnected from the LAN. On Unix
systems it throws an error, but on Windows it tells me that the connection was
successfully established :o(

Please, what should I do? I need some advice on how to recognize if the
connection is available.
I used to try the select function, guarding the file descriptor of the bio and
watching if this socket is writeable, but it never happens.

thanks for response





--
Dott. Vincenzo Sciarra


problem with connection under win32

2007-02-22 Thread Milan Křápek
Hi, In my project I try to set up a TCP connection. It works fine on Unix 
systems, but when I try it on Windows I have a problem.
For connecting I use the non-blocking BIO.
Here is part of the code I use:

BIO_set_nbio(bio, 1);          /* switch the BIO to non-blocking mode */

int rc = -1;
while (rc <= 0) {              /* spin until connected or a non-retryable error */
    rc = BIO_do_connect(bio);
    if (rc <= 0) {
        if (!BIO_should_retry(bio)) {
            return (OT_ERROR);
        }
    }
}

I set the BIO to non-blocking and then I try to connect, until it connects or throws 
an error.
On Windows I have this problem: this code finishes even though the 
connection wasn't established.
I try connecting to another computer that I disconnected from the LAN. On Unix 
systems it throws an error, but on Windows it tells me that the connection was 
successfully established :o(

Please, what should I do? I need some advice on how to recognize if the connection 
is available.
I used to try the select function, guarding the file descriptor of the bio and watching 
if this socket is writeable, but it never happens.

thanks for response


[PATCH] ECDHE-RSA-AES256-SHA failure with 0.9.9 SNAP 20070221

2007-02-22 Thread Victor Duchovni

Tried to use openssl-SNAP-20070221 with ECDHE and an RSA certificate
and ran into internal errors, until I applied the following (lightly
considered) patch:

--- ssl/ssl_lib.c   2007-02-19 12:01:04.0 -0500
+++ ssl/ssl_lib.c   2007-02-22 03:07:27.0 -0500
@@ -1946,7 +1946,7 @@
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
 
-   if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
+   if (alg_k & (SSL_kECDHr|SSL_kECDHe))
{
/* we don't need to look at SSL_kEECDH
 * since no certificate is needed for
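Review bot: the new mask agrees with the comment two lines below it (no certificate is needed for SSL_kEECDH, so its public-key type has to come from alg_a), which the old condition contradicted, and that contradiction is what produced the SSL3_SEND_SERVER_CERTIFICATE internal error quoted below. The hunk shows only the mask change and the submitter calls it lightly considered, so the ECDHE-ECDSA case deserves the same handshake test as ECDHE-RSA before this is committed: with SSL_kEECDH removed from this branch, the alg_a path alone must now select the ECDSA certificate. A one-line comment above the condition recording that SSL_kEECDH is deliberately absent would also keep the next reader from "restoring" it.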

The original code insists on certificates with EC public keys even for
EECDH, while the comment seems to suggest (and I think it is correct)
that kEECDH should get the public key type from "alg_a" not, as with
ECDHr and ECDHe, from "alg_k". Without the patch EECDH-RSA handshakes
fail, with the patch they work. No warranty, the patch may have broken
something else...

Before:
postfix/smtpd[22091]: warning: TLS library problem: 22091:error:1409A044:SSL
routines:SSL3_SEND_SERVER_CERTIFICATE:internal error:s3_srvr.c:2703:

After:
postfix/smtpd[23768]: TLS connection established from localhost[127.0.0.1]:
TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Are there other known problem configurations?

-- 
Viktor.