Building OpenSSL 0.9.8k under Win32
Hi, All

When building OpenSSL library under Win32 I've encountered an error C2220: warning treated as error - no object file generated

After removing compiler flag /WX from ntdll.mak - build completed

I was building using Visual C++ 9.0 (Visual Studio 2008)

Here is nmake output

//
cl /Fotmp32dll\uplink.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -c ms\uplink.c
uplink.c
cl /Fotmp32dll\cryptlib.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\cryptlib.c
cryptlib.c
ml /nologo /Cp /coff /c /Cx /Focrypto\cpu_win32.obj .\crypto\cpu_win32.asm
Assembling: .\crypto\cpu_win32.asm
cl /Fotmp32dll\dyn_lck.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\dyn_lck.c
dyn_lck.c
cl /Fotmp32dll\mem.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\mem.c
mem.c
cl /Fotmp32dll\mem_clr.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\mem_clr.c
mem_clr.c
cl /Fotmp32dll\mem_dbg.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\mem_dbg.c
mem_dbg.c
cl /Fotmp32dll\cversion.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -DMK1MF_BUILD -DMK1MF_PLATFORM_VC_WIN32 -c .\crypto\cversion.c
cversion.c
.\crypto\cversion.c(105) : error C2220:
Re: Use of generic name STRING in safestack.h
Hi Steve,

Thank you for your quick reply. I tried openssl-1.0.0-stable-SNAP-20090918.tar.gz, but got into some build problems again:

...
rand_win.c: In function `RAND_poll':
rand_win.c:517: error: `__try' undeclared (first use in this function)
...

It seems like this has something to do with MS's Structured Exception Handling, which is not supported on gcc? Unfortunately, I do not have time to dig into this right now.

As for the original problem, I see that the problematic line in safestack.h now reads typedef char *OPENSSL_STRING;. This should definitely fix the problem.

I'll try to report back to you if I manage to compile snapshots with gcc some day...

Regards,
Eystein

On Thu, Sep 17, 2009 at 3:38 PM, Dr. Stephen Henson st...@openssl.org wrote:
> On Thu, Sep 17, 2009, Eystein Mly Stenberg wrote:
>> While in 1.0.0 beta3, everything builds just fine. However, safestack.h, line 113 says typedef char *STRING;, which collides with /mingw/include/ntdef.h, line 35:
>>
>> typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } STRING, *PSTRING;
>>
>> I.e. the two header files safestack.h and ntdef.h both define STRING. I don't find this STRING definition in the stable releases, hopefully it is just temporary in the beta release? I believe that header files should not use such generic names (e.g. OSSLSTRING would be better).
>>
>> Do you know if this will be fixed or could you point out what's wrong when I'm trying to build the stable version?
>
> This has been reported before in ticket #1987 and should be fixed in current snapshots but no one has confirmed that. Please try one and let me know if that addresses this issue.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-us...@openssl.org
Automated List Manager majord...@openssl.org
privateKeyUsagePeriod x509v3 extension
Hi list members,

is there a possibility to specify the x509v3 extension privateKeyUsagePeriod in the openssl.conf file for the req and ca commands? It seems, openssl knows the oid and asn1 structure of the extension but doesn't allow you to put it into certificates.

When I specify

privateKeyUsagePeriod = 365

or

privateKeyUsagePeriod = notBefore:timestamp1,notAfter:timestamp2

in my extension setting for the req command, req complains

17054:error:22097067:X509 V3 routines:DO_EXT_NCONF:extension setting not supported:v3_conf.c:163:name=privateKeyUsagePeriod

I worked around the problem by specifying the extension in its arbitrary extension format:

[ req ]
x509_extensions = req_ext

[ req_ext ]
2.5.29.16 = ASN1:SEQUENCE:privateKeyUsagePeriod

[ privateKeyUsagePeriod ]
notBefore = EXPLICIT:0,GENERALIZEDTIME:timestamp1
notAfter = EXPLICIT:1,GENERALIZEDTIME:timestamp2

which puts the extension into the certificate request, but is not really handy for a configuration file, because you have to explicitly give the two timestamps.

So in case the arbitrary extension format is the only way of getting the privateKeyUsagePeriod extension into the certificate, is there a way to specify parameterized values for the timestamps in openssl.conf, e.g. via the backtick operator and the date command? Or would I have to wrap the openssl command into my own script that modifies the timestamps in openssl.conf appropriately in advance?

I'm using OpenSSL 0.9.8k 25 Mar 2009.

Thanks for your help,
Patrick Eisenacher
Re: privateKeyUsagePeriod x509v3 extension
On Fri, Sep 18, 2009, Eisenacher, Patrick wrote:

> Hi list members,
>
> is there a possibility to specify the x509v3 extension privateKeyUsagePeriod in the openssl.conf file for the req and ca commands? It seems, openssl knows the oid and asn1 structure of the extension but doesn't allow you to put it into certificates.

Yes that's correct. Setting isn't supported at present, at the time it was added the advice was that the extension should not be used, that has since been relaxed.

> I worked around the problem by specifying the extension in its arbitrary extension format:
>
> [ req ]
> x509_extensions = req_ext
>
> [ req_ext ]
> 2.5.29.16 = ASN1:SEQUENCE:privateKeyUsagePeriod
>
> [ privateKeyUsagePeriod ]
> notBefore = EXPLICIT:0,GENERALIZEDTIME:timestamp1
> notAfter = EXPLICIT:1,GENERALIZEDTIME:timestamp2
>
> which puts the extension into the certificate request, but is not really handy for a configuration file, because you have to explicitly give the two timestamps.
>
> So in case the arbitrary extension format is the only way of getting the privateKeyUsagePeriod extension into the certificate, is there a way to specify parameterized values for the timestamps in openssl.conf, e.g. via the backtick operator and the date command? Or would I have to wrap the openssl command into my own script that modifies the timestamps in openssl.conf appropriately in advance?
>
> I'm using OpenSSL 0.9.8k 25 Mar 2009.

You could use environment variable substitution in the config file and include appropriate values for environment variables in a script.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
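
The wrapper-script approach suggested in the reply above, as an added example (not code from the thread): the script computes the two GeneralizedTime values and exports them, and the config file picks them up through $ENV::. The variable names PKUP_NOT_BEFORE and PKUP_NOT_AFTER, the file names and the subject CN are assumptions, and `date -d @N` assumes GNU or BusyBox date. The fields are tagged IMPLICIT, which is how X.509 defines this extension, where the config in the question used EXPLICIT.

```shell
#!/bin/sh
# Added example: wrapper that feeds privateKeyUsagePeriod timestamps to
# openssl through environment variables referenced from the config file.
# PKUP_NOT_BEFORE / PKUP_NOT_AFTER and all file names are hypothetical.

# gen_time EPOCH -> ASN.1 GeneralizedTime in UTC (YYYYMMDDHHMMSSZ).
gen_time() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ   # GNU/BusyBox date syntax
}

# pkup_window DAYS [START_EPOCH]: compute and export the usage window.
pkup_window() {
    pkup_start=${2:-$(date -u +%s)}
    PKUP_NOT_BEFORE=$(gen_time "$pkup_start")
    PKUP_NOT_AFTER=$(gen_time $((pkup_start + $1 * 86400)))
    export PKUP_NOT_BEFORE PKUP_NOT_AFTER
}

# write_pkup_conf PATH: the heredoc delimiter is quoted so the shell leaves
# $ENV::... alone; OpenSSL expands it when it loads the file.
write_pkup_conf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
req_extensions     = req_ext

[ req_dn ]
CN = pkup-example.invalid

[ req_ext ]
2.5.29.16 = ASN1:SEQUENCE:privateKeyUsagePeriod

[ privateKeyUsagePeriod ]
notBefore = IMPLICIT:0,GENERALIZEDTIME:$ENV::PKUP_NOT_BEFORE
notAfter  = IMPLICIT:1,GENERALIZEDTIME:$ENV::PKUP_NOT_AFTER
EOF
}

# make_csr DAYS CONF KEY CSR: openssl refuses to load the config when either
# variable is unset, so the window is always exported first.
make_csr() {
    pkup_window "$1" || return 1
    write_pkup_conf "$2" || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$2" -keyout "$3" -out "$4"
}

# Usage: sh pkup.sh 365   (writes pkup.cnf, pkup.key, pkup.csr)
if [ -n "${1:-}" ]; then
    make_csr "$1" pkup.cnf pkup.key pkup.csr
fi
```

The config file itself never changes between runs; only the exported environment does, so the same file can be shared by the req and ca invocations.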
Re: Building OpenSSL 0.9.8k under Win32
On Fri, Sep 18, 2009, Vadym Stetsiak wrote:

> Hi, All
>
> When building OpenSSL library under Win32 I've encountered an error C2220: warning treated as error - no object file generated
>
> After removing compiler flag /WX from ntdll.mak - build completed
>
> I was building using Visual C++ 9.0 (Visual Studio 2008)
>
> Here is nmake output
>
> .\crypto\cversion.c(105) : error C2220: warning treated as error - no 'object' file generated
> .\crypto\cversion.c(105) : warning C4129: 'w' : unrecognized character escape sequence
> .\crypto\cversion.c(105) : warning C4129: 'l' : unrecognized character escape sequence
> .\crypto\cversion.c(105) : warning C4129: 'o' : unrecognized character escape sequence

What arguments are you passing to the Configure script?

The normal cause of this is the use of backslashes in pathnames. These weren't escaped properly and you needed to use slashes instead. The latest snapshots should fix this.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Use of generic name STRING in safestack.h
On Fri, Sep 18, 2009, Eystein Mly Stenberg wrote:

> Hi Steve,
>
> Thank you for your quick reply. I tried openssl-1.0.0-stable-SNAP-20090918.tar.gz, but got into some build problems again:
>
> ...
> rand_win.c: In function `RAND_poll':
> rand_win.c:517: error: `__try' undeclared (first use in this function)
> ...
>
> It seems like this has something to do with MS's Structured Exception Handling, which is not supported on gcc? Unfortunately, I do not have time to dig into this right now.
>
> As for the original problem, I see that the problematic line in safestack.h now reads typedef char *OPENSSL_STRING;. This should definitely fix the problem.
>
> I'll try to report back to you if I manage to compile snapshots with gcc some day...

OK, that needs fixing, should for now at least use the old code if it isn't VC++.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Linking OpenSSL-FIPS application
Hi all,

I'm trying to build an OpenSSL-FIPS application using static libeayfips32.lib library.

Environment: OpenSSL 0.9.8k + OpenSSL-FIPS 1.2 + nasm 2.07 + Visual Studio 2005 (VC8).

As explained in section 5.3.2 of OpenSSL FIPS 140-2 User Guide, I derived a .mak file from nt.mak. That makefile invokes fipslink.pl. Unfortunately, the perl script fails while checking the hash of fips_premain.c file:

perl F:\OPENSSL-FIPS\fips\fipslink.pl /nologo /subsystem:windows /machine:X86 /map /out:Debug\OpenSSLFIPSTest.exe @C:\DOCUME~1\JACQUE~1.LEB\LOCALS~1\Temp\nmA108.tmp
***HASH VALUE MISMATCH FOR FILE fips_premain.c *** at F:\OPENSSL-FIPS\fips\fipslink.pl line 79.
NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE': code retour '0x9'
Stop.

I modified the fipslink.pl to check the hash of fipscanister.lib file first and this one succeeds.

Both fips_premain.c and fips_premain.c.sha1 were copied from .\openssl-fips-1.2\out32dll.
The computed hash value (9288187a74e4e795c6c2a3178c362b416e39a371)
does not match the hash file: 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c

Why am I getting a wrong hash value on fips_premain.c file only? A file format difference?

--
Jacques LEBASTARD
EVIDIAN - Enterprise SSO R&D
Tel: +33 1 30 80 77 86
Re: Building OpenSSL 0.9.8k under Win32
> What arguments are you passing to the Configure script?
>
> The normal cause of this is the use of backslashes in pathnames. These weren't escaped properly and you needed to use slashes instead. The latest snapshots should fix this.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Originally, I have used backslashes in the configure path. That was the reason for the warnings.
When building with forward slashes - no problems encountered.

Thanks.
--
Vadym Stetsiak
Re: Linking OpenSSL-FIPS application
Jacques Lebastard wrote:

> perl F:\OPENSSL-FIPS\fips\fipslink.pl /nologo /subsystem:windows /machine:X86 /map /out:Debug\OpenSSLFIPSTest.exe @C:\DOCUME~1\JACQUE~1.LEB\LOCALS~1\Temp\nmA108.tmp
> ***HASH VALUE MISMATCH FOR FILE fips_premain.c *** at F:\OPENSSL-FIPS\fips\fipslink.pl line 79.
> NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE': code retour '0x9'
> Stop.
>
> I modified the fipslink.pl to check the hash of fipscanister.lib file first and this one succeeds.
>
> Both fips_premain.c and fips_premain.c.sha1 were copied from .\openssl-fips-1.2\out32dll.
> The computed hash value (9288187a74e4e795c6c2a3178c362b416e39a371)
> does not match the hash file: 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
>
> Why am I getting a wrong hash value on fips_premain.c file only? A file format difference?

The answer was in the question: I converted the file to a Unix format and the computed hash matches!

--
Jacques LEBASTARD
EVIDIAN - Enterprise SSO R&D
Tel: +33 1 30 80 77 86
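
The cause found in the message above, as an added diagnostic example (not part of the thread or of fipslink.pl): before treating a digest mismatch as a modified file, check whether a CRLF/LF conversion alone explains it. Plain SHA-1 from sha1sum stands in for the digest tool of the FIPS build, and the function names and sample files are assumptions.

```shell
#!/bin/sh
# Added example: tell a line-ending conversion apart from a real content
# change when a recorded digest no longer matches. Plain SHA-1 (sha1sum) is
# a stand-in here for whatever digest tool produced the recorded value.

# sha1_hex: hex SHA-1 of stdin.
sha1_hex() {
    sha1sum | cut -d' ' -f1
}

# cr_count FILE: number of carriage-return bytes in FILE.
cr_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# explain_digest FILE EXPECTED_HEX
# Prints one verdict and returns 0 only for "match":
#   match            file digest equals the recorded one
#   crlf-in-file     recorded digest is of the LF form; the file gained CRs
#   lf-in-file       recorded digest is of the CRLF form; the file lost CRs
#   content-differs  no line-ending conversion explains the mismatch
explain_digest() {
    ed_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$(sha1_hex < "$1")" = "$ed_want" ]; then
        echo match; return 0
    fi
    # Drop every CR: turns CRLF into LF (also removes stray lone CRs).
    if [ "$(tr -d '\r' < "$1" | sha1_hex)" = "$ed_want" ]; then
        echo crlf-in-file; return 1
    fi
    # Rebuild the CRLF form from the LF form.
    if [ "$(tr -d '\r' < "$1" | awk '{ printf "%s\r\n", $0 }' | sha1_hex)" = "$ed_want" ]; then
        echo lf-in-file; return 1
    fi
    echo content-differs; return 1
}

# Constructed sample: the same two lines saved with LF and with CRLF.
demo() {
    d=$(mktemp -d) || return 1
    printf 'int a;\nint b;\n' > "$d/lf.c"
    printf 'int a;\r\nint b;\r\n' > "$d/crlf.c"
    recorded=$(sha1_hex < "$d/lf.c")        # digest taken on the Unix copy
    echo "crlf.c has $(cr_count "$d/crlf.c") CR bytes:" \
         "$(explain_digest "$d/crlf.c" "$recorded")"
    rm -rf "$d"
}
demo
```

A `content-differs` verdict means the bytes changed in some way other than line endings, which for an integrity-checked source file is the case to investigate rather than convert away.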
SSL_Connect fails with error SSL_ERROR_SSL
Hi

I am using Linux provided SSL Library OpenSSL 0.9.7a Feb 19 2003.

The problem is that SSL_Connect fails with error SSL_ERROR_SSL

I am not able to trace the possible reason for error. Any help is valuable as I need to resolve the issue urgently.

Regards
Anuradha Gupta
Technical Leader
Ext : 5119
Mobile : 9811814731
Re: Linking OpenSSL-FIPS application
On Fri September 18 2009, Jacques Lebastard wrote:

> Jacques Lebastard wrote:
>> perl F:\OPENSSL-FIPS\fips\fipslink.pl /nologo /subsystem:windows /machine:X86 /map /out:Debug\OpenSSLFIPSTest.exe @C:\DOCUME~1\JACQUE~1.LEB\LOCALS~1\Temp\nmA108.tmp
>> ***HASH VALUE MISMATCH FOR FILE fips_premain.c *** at F:\OPENSSL-FIPS\fips\fipslink.pl line 79.
>> NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : code retour '0x9'
>> Stop.
>>
>> I modified the fipslink.pl to check the hash of fipscanister.lib file first and this one succeeds.
>>
>> Both fips_premain.c and fips_premain.c.sha1 were copied from .\openssl-fips-1.2\out32dll.
>> The computed hash value (9288187a74e4e795c6c2a3178c362b416e39a371)
>> does not match the hash file: 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
>>
>> Why am I getting a wrong hash value on fips_premain.c file only? A file format difference?
>
> The answer was in the question: I converted the file to a Unix format and the computed hash matches!
>
> --
> Jacques LEBASTARD
> EVIDIAN - Enterprise SSO R&D
> Tel: +33 1 30 80 77 86
>
> This e-mail contains material that is confidential for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.

Do you have a plain-text version of this post? Posting in HTML is not a nice thing to do, besides, many people /dev/null anything in HTML just to minimize spam.

You might want to drop the signature notice also, since this is a public list viewable by the world.

Mike
FIPS: unavailable functions?
I just built my first (very basic) FIPS-enabled OpenSSL application on Windows using VC 8.

When linking with static libraries (with fipslink.pl...), the following symbols are unresolved:

_ERR_error_string
_ERR_free_strings
_ERR_load_FIPS_strings
_ERR_load_crypto_strings
_ERR_load_ERR_strings

When linking with DLLs, there is no unresolved symbol.

Appendix C of OpenSSL FIPS User Guide 1.2 contains a sample application that uses ERR_load_crypto_strings(). So I presume I did something wrong.

Any hint?

--
*Jacques LEBASTARD*
Re: SSL_Connect fails with error SSL_ERROR_SSL
Once you receive SSL_ERROR_SSL, the next step is to use ERR_get_error(3ssl) to figure out what the specific SSL error was. Before you do this, you should call ERR_load_crypto_strings(3ssl) and SSL_load_error_strings(3ssl) so that you can get the full string; if you don't, you'll get a hexadecimal code, which you can feed to 'openssl errstr [code]' and it'll tell you what the code actually means. (errstr(1)).

It's *entirely* possible that the return of ERR_get_error() will be SSL_WANT_READ or SSL_WANT_WRITE. If this is the case, call SSL_Connect() again with *exactly the same parameters*. Preferably, don't even move them in memory, just call it with the same pointers and everything.

(Really, SSL_WANT_{(read|write)} could have been consolidated, since from the application developer's view it's exactly the same diagnostic and required action: call the last SSL function you called, with exactly the same parameters. They were separated probably during the SSLeay days when Mr. Young wanted to know what, precisely, was really happening in the state machine at any given failure.)

-Kyle H

On Fri, Sep 18, 2009 at 6:56 AM, Anuradha Gupta anuradha.gu...@aricent.com wrote:
> Hi
>
> I am using Linux provided SSL Library “OpenSSL 0.9.7a Feb 19 2003”.
>
> The problem is that SSL_Connect fails with error SSL_ERROR_SSL
>
> I am not able to trace the possible reason for error. Any help is valuable as I need to resolve the issue urgently.
>
> Regards
> Anuradha Gupta
> Technical Leader
> Ext : 5119
> Mobile : 9811814731
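
The reply above points to `openssl errstr` for a bare hexadecimal code. As an added example (not from the thread), this sketch splits an error-queue line, using the one quoted in the privateKeyUsagePeriod post on this page, and unpacks its code. The function names are assumptions, and the 8/12/12-bit library/function/reason packing is that of OpenSSL releases before 3.0.

```shell
#!/bin/sh
# Added example: split an OpenSSL error-queue line and unpack its code.
# Line layout: pid:error:HEX:library:function:reason:file:line:optional data
# Packing assumed: lib = bits 24-31, func = bits 12-23, reason = bits 0-11
# (OpenSSL before 3.0).

# The line quoted earlier on this page.
SAMPLE='17054:error:22097067:X509 V3 routines:DO_EXT_NCONF:extension setting not supported:v3_conf.c:163:name=privateKeyUsagePeriod'

# err_unpack HEX -> "lib func reason" as decimal numbers; non-zero if not hex.
err_unpack() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    eu_code=$((0x$1))
    echo "$(( (eu_code >> 24) & 0xff )) $(( (eu_code >> 12) & 0xfff )) $(( eu_code & 0xfff ))"
}

# err_line LINE -> one summary line; non-zero for lines that are not
# error-queue entries. The last field keeps any further colons.
err_line() {
    IFS=: read -r el_pid el_tag el_code el_lib el_func el_reason \
                  el_file el_lineno el_data <<EOF
$1
EOF
    [ "$el_tag" = "error" ] || return 1
    el_nums=$(err_unpack "$el_code") || return 1
    # Word-split the three numbers into $1 $2 $3.
    set -- $el_nums
    printf 'code=%s lib=%s func=%s reason=%s src=%s:%s text="%s" data="%s"\n' \
        "$el_code" "$1" "$2" "$3" "$el_file" "$el_lineno" "$el_reason" "$el_data"
}

# err_scan: filter stdin, printing a summary for every error-queue line.
err_scan() {
    while IFS= read -r es_line; do
        err_line "$es_line" || :
    done
}

# Demo on the page's line plus one constructed non-error line.
printf '%s\n%s\n' "$SAMPLE" 'Generating a 2048 bit RSA private key' | err_scan
# The same hex code can then be passed to: openssl errstr 22097067
```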
Re: .pem certificate loading issue
not-yet-commons-ssl-0.3.11.jar can accomplish what you are trying to do. Details here:

http://juliusdavies.ca/commons-ssl/utilities.html#ksb

java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder

KeyStoreBuilder converts PKCS12 and PKCS8 to Java Keystore
KeyStoreBuilder: creates '[alias].jks' (Java Key Store)
-topk8 mode: creates '[alias].pem' (x509 chain + unencrypted pkcs8)
[alias] will be set to the first CN value of the X509 certificate.
---
Usage1: [password] [file:pkcs12]
Usage2: [password] [file:private-key] [file:certificate-chain]
Usage3: -topk8 [password] [file:jks]
---
[private-key] can be openssl format, or pkcs8.
[password] decrypts [private-key], and also encrypts outputted JKS file.
All files can be PEM or DER.

You can download it here: http://juliusdavies.ca/commons-ssl/download.html

On Thu, Aug 27, 2009 at 4:37 AM, Mohan Radhakrishnan radhakrishnan.mo...@gmail.com wrote:
> No, it does not look like I need OpenSSL. The following Java command could import the entire chain.
>
> keytool -import -alias visaftpsflux -file visacertificateedited.cer -trustcacerts -keystore FSSNABMAPSVISA.jks -storepass password
>
> Further testing is required.
>
> Mohan
>
> On Thu, Aug 27, 2009 at 4:24 PM, Mohan Radhakrishnan radhakrishnan.mo...@gmail.com wrote:
>> What is the link between the existing key's alias and the alias used while importing the CA-root and sub-root certificates ? The CA-root and sub-root certificates have been imported with new aliases. The old alias throws an error.
>>
>> Thanks,
>> Mohan
>>
>> On Thu, Aug 27, 2009 at 2:35 PM, Mohan Radhakrishnan radhakrishnan.mo...@gmail.com wrote:
>>> I have an ASCII text file with a chain of certificates. I had earlier sent a CSR and got these certificates back from the CA.
>>>
>>> When I opened the ASCII file I see some text before and after -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
>>>
>>> I removed this text because they were file names like CASubroot.pem.txt, CArootpem.txt etc.
>>>
>>> I tried to use openssl to convert these .pem certificates to .der. It didn't work. I am sure I am doing something wrong. How do I load these certificates into the Java KeyStore ?
>>>
>>> Since these are certificates signing my CSR I am going to load them back to the Java KeyStore( Not the TrustStore ).
>>>
>>> Can anyone throw some light on this procedure ?
>>>
>>> Thanks,
>>> Mohan

--
yours,
Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/logging.html
Getting started at cryptography. Need directions.
Hi all!

I don't know nothing about cryptography using sockets. I need to do an application written in C that is a client/server that receives and responds commands. The data must be cryptographed as it will travel in a wireless network. I plan to do this client/server to be used inside an openwrt router.

I only need advices about how/where I can get started. Is openssl suitable for this task? Are there other options?

Thanks in advance!

-

In case anyone wants to know, this is a task for graduation and this is the system overview:

The client connects by cable on an AccessPoint that will pass the data for the other AP and will communicate with a board.

          cable +-----------+  ***encrypted data***  +--------------+ LAN port
{client}--------| Bridge AP | - - - - - - - - - - - -| AccessPoint2 |{ethernet-based controller board}
                +-----------+        wireless        +--------------+ LAN cable
           port embedded client/server           embedded client/server
Re: Getting started at cryptography. Need directions.
OpenSSL provides a toolkit which implements a well-reviewed, cryptographically secure protocol called SSL (and now TLS). For an OpenWRT router, the size of the default compile may be too large to fit into RAM. You can build it without a lot of the optional ciphers, if you know your environment and know your own security requirements. (Remember: SSL is a tool, a building block. You cannot solve a policy/decision problem using only tools -- you must actually think about what's going on, and determine what's okay and what's not.)

Technically, if you use WPA2, your data is already encrypted as it passes through the air. I don't tend to rely on it too much, and I do use TLS whenever I can.

So, the short answer is yes, OpenSSL will do what you need, and do it well. It's got a lot of code and data bloat, though, so you might have issues with its default configuration.

MatrixSSL may do what you need, but it's open-source crippleware that only does SSLv3 in its default configuration (but, it is very small).

-Kyle H

2009/9/18 Fábio Ricci fabio.ri...@gmail.com:
> Hi all!
>
> I don't know nothing about cryptography using sockets. I need to do an application written in C that is a client/server that receives and responds commands. The data must be cryptographed as it will travel in a wireless network. I plan to do this client/server to be used inside an openwrt router.
>
> I only need advices about how/where I can get started. Is openssl suitable for this task? Are there other options?
>
> Thanks in advance!
>
> -
>
> In case anyone wants to know, this is a task for graduation and this is the system overview:
>
> The client connects by cable on an AccessPoint that will pass the data for the other AP and will communicate with a board.
>
>           cable +-----------+  ***encrypted data***  +--------------+ LAN port
> {client}--------| Bridge AP | - - - - - - - - - - - -| AccessPoint2 |{ethernet-based controller board}
>                 +-----------+        wireless        +--------------+ LAN cable
>            port embedded client/server           embedded client/server
AES pointers needed..
Hello everyone..

I am presently looking at implementing AES 256bit into an application which I am working on... What I need is pointers as to where I could find example source code about how to do it... Is it possible to do it with OpenSSL?

regards
Dennis
Re: AES pointers needed..
Hi Dennis,

> I am presently looking at implementing AES 256bit into an application which I am working on... Is it possible to do it with OpenSSL?

It depends on what you want to accomplish, and the mode of operation in which AES-256 will be operating. Can you offer more details?

Jeff

On 9/18/09, Dennis Morgan dennis.mor...@xtra.co.nz wrote:
> Hello everyone..
>
> I am presently looking at implementing AES 256bit into an application which I am working on... What I need is pointers as to where I could find example source code about how to do it... Is it possible to do it with OpenSSL?
>
> regards
> Dennis
Re: AES pointers needed..
You could use libeay alone (not linking in libssl), and that would include an implementation of AES256.

-Kyle H

On Fri, Sep 18, 2009 at 5:58 PM, Dennis Morgan dennis.mor...@xtra.co.nz wrote:
> Hello everyone..
>
> I am presently looking at implementing AES 256bit into an application which I am working on... What I need is pointers as to where I could find example source code about how to do it... Is it possible to do it with OpenSSL?
>
> regards
> Dennis
Re: AES pointers needed..
Hi,

What I am trying to achieve is to encrypt a plain ascii text message which will be transmitted via a udp or tcp. The application which it's been implemented for is for a security product..

regards
Dennis

--- On Sat, 19/9/09, Jeffrey Walton noloa...@gmail.com wrote:

From: Jeffrey Walton noloa...@gmail.com
Subject: Re: AES pointers needed..
To: openssl-users@openssl.org
Received: Saturday, 19 September, 2009, 1:19 PM

> Hi Dennis,
>
>> I am presently looking at implementing AES 256bit into an application which I am working on. Is it possible to do it with OpenSSL?
>
> It depends on what you want to accomplish, and the mode of operation in which AES-256 will be operating. Can you offer more details?
>
> Jeff
>
> On 9/18/09, Dennis Morgan dennis.mor...@xtra.co.nz wrote:
>> Hello everyone..
>>
>> I am presently looking at implementing AES 256bit into an application which I am working on... What I need is pointers as to where I could find example source code about how to do it. Is it possible to do it with OpenSSL?
>>
>> regards
>> Dennis