Re: Using OpenSsl in a .Net server (ongoing opensource project)

2010-04-23 Thread Amit Ben Shahar
On Fri, Apr 23, 2010 at 21:35, James Mansion wrote:

> Amit Ben Shahar wrote:
>
>> One of the crucial ingredients is ssl using OpenSsl. but we are
>> encountering a problem with the 'no OPENSSL_Applink' error.
>> as this is a .Net project, there is no way (i can think of) to compile
>> with the applink.c file.
>>
> 1) Why is that crucial?  Microsoft provide crypto support on Windows,
> albeit with a different interface.  What's wrong with
> System.Net.Security.SslStream?
>
>
The .Net.Security.SslStream is not working in asynchronous calls, meaning
we'd have to implement it in a thread-per-connection paradigm, which is
obviously not an option.


> 2) Why can't you 'compile with the applink.c file'?  You need to talk to it
> through p/invoke - you may need to write another glue DLL to do this.  If
> you can locate an OpenSSL implementation that has been wrapped as a
> free-threaded COM service, you might find things easier if you don't know
> how to write such glue.  You could try looking in Mono's runtime, too, which
> I suspect delegates to OpenSsl (tho I haven't checked).


As far as I understood it, openSsl looks for the applink implementation in
the actual application and not in DLLs, but I could have misread that.
Anyhow, I'm not sure I would know how to do that; can you maybe direct me to
such an implementation (free-threaded COM)?
- In the meantime I'll try checking in Mono, though I've never ever looked
at it yet. Maybe I'll get lucky ;)

thanks


RE: building OpenSSL 0.9.8/1.0.0 on Solarisx86

2010-04-23 Thread Alona Rossen
We can give access to our system. How can we contact a developer?

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. David Kirkby
Sent: April 23, 2010 3:13 PM
To: openssl-users@openssl.org
Subject: Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86

Alona Rossen wrote:
> Specifying solaris64-x86_64-gcc as a target results in a 64-bit library,
> while we need a 32-bit library.

Oh, sorry I missed that.

I also failed to create a 32-bit library. It so happened that in the
software I wanted to develop, 64-bit was more sensible, so I ignored the
fact I was unable to create a 32-bit library.

I believe you are correct in saying this will not work. You will probably
need the assistance of a developer in that case. It might be easier if you
can give them access to a Solaris system, though with VirtualBox, they
should be able to set one up easily.

dave

> 
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. David Kirkby
> Sent: April 23, 2010 1:33 PM
> To: openssl-users@openssl.org
> Subject: Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86
>
> Alona Rossen wrote:
>> Hello,
>>
>> I built 32-bit OpenSSL 0.9.8 and OpenSSL 1.0.0 on Solaris10x86_64
>> (64-bit kernel on Intel) with gcc compiler. Makefiles were generated
>> with the following command:
>>
>> "Configure solaris-x86-gcc"
>
> Try solaris64-x86_64-gcc as the target, which was the default when I run
> Configure.
>
> I've built 0.9.8l on a Sun Ultra 27 (quad core 3.33 GHz Xeon processor)
> using OpenSolaris 06/2009 and gcc 4.3.4. It builds fine and passes tests
> 
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> 10 handshakes of 256 bytes done
> Approximate total server time:   0.05 s
> Approximate total client time:   0.00 s
> Test IGE mode
> ../util/shlib_wrap.sh ./igetest
> Test JPAKE
> ../util/shlib_wrap.sh ./jpaketest
> No JPAKE support
> make[1]: Leaving directory `/export/home/drkirkby/openssl-0.9.8l/test'
> util/opensslwrap.sh version -a
> OpenSSL 0.9.8l 5 Nov 2009
> built on: Fri Apr 23 18:24:58 BST 2010
> platform: solaris64-x86_64-gcc
> options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(ptr2)
> compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
> OPENSSLDIR: "/usr/local/ssl"
> drkir...@hawk:~/openssl-0.9.8l$
> 
> 
> I have not tried this on Solaris 10 though - at least not on x86. I have
> built versions on SPARC before, but that is less relevant to you.
>
> dave
> __
> OpenSSL Project                  http://www.openssl.org
> User Support Mailing List        openssl-users@openssl.org
> Automated List Manager           majord...@openssl.org


Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86

2010-04-23 Thread Dr. David Kirkby

Alona Rossen wrote:
> Specifying solaris64-x86_64-gcc as a target results in a 64-bit library,
> while we need a 32-bit library.

Oh, sorry I missed that.

I also failed to create a 32-bit library. It so happened that in the software I 
wanted to develop, 64-bit was more sensible, so I ignored the fact I was unable 
to create a 32-bit library.


I believe you are correct in saying this will not work. You will probably need 
the assistance of a developer in that case. It might be easier if you can give 
them access to a Solaris system, though with VirtualBox, they should be able to 
set one up easily.


dave



> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. David Kirkby
> Sent: April 23, 2010 1:33 PM
> To: openssl-users@openssl.org
> Subject: Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86
>
> Alona Rossen wrote:
>> Hello,
>>
>> I built 32-bit OpenSSL 0.9.8 and OpenSSL 1.0.0 on Solaris10x86_64
>> (64-bit kernel on Intel) with gcc compiler. Makefiles were generated
>> with the following command:
>>
>> "Configure solaris-x86-gcc"
>
> Try solaris64-x86_64-gcc as the target, which was the default when I run
> Configure.
>
> I've built 0.9.8l on a Sun Ultra 27 (quad core 3.33 GHz Xeon processor)
> using OpenSolaris 06/2009 and gcc 4.3.4. It builds fine and passes tests
>
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> 10 handshakes of 256 bytes done
> Approximate total server time:   0.05 s
> Approximate total client time:   0.00 s
> Test IGE mode
> ../util/shlib_wrap.sh ./igetest
> Test JPAKE
> ../util/shlib_wrap.sh ./jpaketest
> No JPAKE support
> make[1]: Leaving directory `/export/home/drkirkby/openssl-0.9.8l/test'
> util/opensslwrap.sh version -a
> OpenSSL 0.9.8l 5 Nov 2009
> built on: Fri Apr 23 18:24:58 BST 2010
> platform: solaris64-x86_64-gcc
> options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(ptr2)
> compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
> OPENSSLDIR: "/usr/local/ssl"
> drkir...@hawk:~/openssl-0.9.8l$
>
> I have not tried this on Solaris 10 though - at least not on x86. I have
> built versions on SPARC before, but that is less relevant to you.
>
> dave


Re: strange intermittent errors

2010-04-23 Thread Jeffrey Walton
Hi Mikhail,

On Fri, Apr 23, 2010 at 11:34 AM, Mikhail Kruk wrote:
> Hi,
>
> we are getting strange intermittent errors from OpenSSL.  We have
> hundreds of instances of this app connecting over the Internet to our
> servers.  Only this one instance sometimes experiences the
> following errors
> What could be causing this?
Sounds more like it is related to the hardware. MemCheck.

[SNIP]


Re: Using OpenSsl in a .Net server (ongoing opensource project)

2010-04-23 Thread James Mansion

Amit Ben Shahar wrote:
> One of the crucial ingredients is ssl using OpenSsl. but we are
> encountering a problem with the 'no OPENSSL_Applink' error.
> as this is a .Net project, there is no way (i can think of) to compile
> with the applink.c file.

1) Why is that crucial?  Microsoft provide crypto support on Windows,
albeit with a different interface.  What's wrong with
System.Net.Security.SslStream?

2) Why can't you 'compile with the applink.c file'?  You need to talk to
it through p/invoke - you may need to write another glue DLL to do
this.  If you can locate an OpenSSL implementation that has been wrapped
as a free-threaded COM service, you might find things easier if you
don't know how to write such glue.  You could try looking in Mono's
runtime, too, which I suspect delegates to OpenSsl (tho I haven't checked).


James




RE: building OpenSSL 0.9.8/1.0.0 on Solarisx86

2010-04-23 Thread Alona Rossen
Specifying solaris64-x86_64-gcc as a target results in a 64-bit library,
while we need a 32-bit library.

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. David Kirkby
Sent: April 23, 2010 1:33 PM
To: openssl-users@openssl.org
Subject: Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86

Alona Rossen wrote:
> Hello,
>
> I built 32-bit OpenSSL 0.9.8 and OpenSSL 1.0.0 on Solaris10x86_64
> (64-bit kernel on Intel) with gcc compiler. Makefiles were generated
> with the following command:
>
> "Configure solaris-x86-gcc"

Try solaris64-x86_64-gcc as the target, which was the default when I run
Configure.

I've built 0.9.8l on a Sun Ultra 27 (quad core 3.33 GHz Xeon processor)
using OpenSolaris 06/2009 and gcc 4.3.4. It builds fine and passes tests

DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
10 handshakes of 256 bytes done
Approximate total server time:   0.05 s
Approximate total client time:   0.00 s
Test IGE mode
../util/shlib_wrap.sh ./igetest
Test JPAKE
../util/shlib_wrap.sh ./jpaketest
No JPAKE support
make[1]: Leaving directory `/export/home/drkirkby/openssl-0.9.8l/test'
util/opensslwrap.sh version -a
OpenSSL 0.9.8l 5 Nov 2009
built on: Fri Apr 23 18:24:58 BST 2010
platform: solaris64-x86_64-gcc
options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(ptr2)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl"
drkir...@hawk:~/openssl-0.9.8l$


I have not tried this on Solaris 10 though - at least not on x86. I have
built versions on SPARC before, but that is less relevant to you.

dave


Re: building OpenSSL 0.9.8/1.0.0 on Solarisx86

2010-04-23 Thread Dr. David Kirkby

Alona Rossen wrote:
> Hello,
>
> I built 32-bit OpenSSL 0.9.8 and OpenSSL 1.0.0 on Solaris10x86_64
> (64-bit kernel on Intel) with gcc compiler. Makefiles were generated
> with the following command:
>
> “Configure solaris-x86-gcc”


Try solaris64-x86_64-gcc as the target, which was the default when I run 
Configure.

I've built 0.9.8l on a Sun Ultra 27 (quad core 3.33 GHz Xeon processor) using 
OpenSolaris 06/2009 and gcc 4.3.4. It builds fine and passes tests


DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
10 handshakes of 256 bytes done
Approximate total server time:   0.05 s
Approximate total client time:   0.00 s
Test IGE mode
../util/shlib_wrap.sh ./igetest
Test JPAKE
../util/shlib_wrap.sh ./jpaketest
No JPAKE support
make[1]: Leaving directory `/export/home/drkirkby/openssl-0.9.8l/test'
util/opensslwrap.sh version -a
OpenSSL 0.9.8l 5 Nov 2009
built on: Fri Apr 23 18:24:58 BST 2010
platform: solaris64-x86_64-gcc
options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(ptr2)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM

OPENSSLDIR: "/usr/local/ssl"
drkir...@hawk:~/openssl-0.9.8l$


I have not tried this on Solaris 10 though - at least not on x86. I have built 
versions on SPARC before, but that is less relevant to you.


dave


strange intermittent errors

2010-04-23 Thread Mikhail Kruk
Hi,

we are getting strange intermittent errors from OpenSSL.  We have
hundreds of instances of this app connecting over the Internet to our
servers.  Only this one instance sometimes experiences the
following errors:

ssl error: error:0606C06E:digital envelope routines:EVP_VerifyFinal:wrong public key type
ssl error: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
ssl error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

or sometimes

ssl error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
ssl error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
ssl error: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
ssl error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The problems start and go away by themselves.  Sometimes it lasts for
a while affecting multiple destination servers, sometimes it only
happens once or twice.
What could be causing this?


Using OpenSsl in a .Net server (ongoing opensource project)

2010-04-23 Thread Amit Ben Shahar
Hi guys,

I am working on a .Net HTTP(s) server, which is driving
(as a component) a commercial service and is also released in an openSource
project (nettp: http://sourceforge.net/projects/nettp/).

One of the crucial ingredients is SSL using OpenSsl, but we are encountering
a problem with the 'no OPENSSL_Applink' error.
As this is a .Net project, there is no way (I can think of) to compile with
the applink.c file.
The error manifests while running a load through the server as pop-up
windows 'FATAL' error messages.
I am really in a pinch here, as nothing I did seemed to work, including
trying to compile openSsl 1.0 and running with the new binaries - that only
led to a crash instead of error messages. I'd hate to dump that project, it
took a long time and some hard work to make a .Net server perform anywhere
near to reasonable :P ...

The project is running with openSsl 0.9.8, all the source and relevant
binaries are in the sourceforge project.
I'd appreciate any insight.

Regards,

Amit Ben Shahar


building OpenSSL 0.9.8/1.0.0 on Solarisx86

2010-04-23 Thread Alona Rossen
 

Hello,

I built 32-bit OpenSSL 0.9.8 and OpenSSL 1.0.0 on Solaris10x86_64
(64-bit kernel on Intel) with gcc compiler. Makefiles were generated
with the following command:

"Configure solaris-x86-gcc"

Test executables provided with OpenSSL and other executables and
libraries linked to libcrypto.* and libssl.* statically or dynamically
dump core in init:

 

core 'core' of 4479:./exec
 fd28f5c5 _init(feffb28c, feffdd58, feffb818, fc280c90, fdfc01ac, fd28f5b0) + 15
 fefd4c11 call_init (fc280c50, 1) + f5
 fefd4194 setup(8047b08, 8047b88, 0, 8047fed, 1000, fefc9141) + fd4
 fefe005e _setup   (8047abc, feffbaec, 3, 8047b00, 4, 8047b08) + 2ba
 fefcaa1c _rt_boot (0, 8047bfa, 8047c06, 8047c49, 8047c56, 8047c5d) + 56
 08047bf0  ()

And it probably happens when calling init of curl library:

04487: 1: calling .init (done): /export/home/PreTest/genio/libGShricudata.so.34
04487: 1:
04487: 1: calling .init (from sorted order): /usr/lib/libz.so.1
04487: 1:
04487: 1: calling .init (done): /usr/lib/libz.so.1
04487: 1:
04487: 1: calling .init (from sorted order): /export/home/PreTest/genio/libcurl.so.4
04487: 1:
Segmentation Fault(coredump)

 

libcurl.so.4 is statically linked to libcrypto and libssl.

Core dump does not occur with 64-bit libcrypto.* and libssl.*.

We were able to create usable 32- and 64-bit libraries on 64-bit kernel
using platform specific compilers on Solaris SPARC, AIX, HP-UX.

This is our system info:

SunOS viola 5.10 Generic_141445-09 i86pc i386 i86pc

/export/home/sambuild/OpenSSL> more /etc/release
   Solaris 10 10/09 s10x_u8wos_08a X86
   Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
   Use is subject to license terms.
   Assembled 16 September 2009
/export/home/sambuild/OpenSSL> /usr/bin/isainfo -kv
64-bit amd64 kernel modules

Please advise.

Thank you,

Alona

Alona Rossen 
Software developer 
Connectivity Solutions Group 
Open Text 
Phone: +1 (905) 762-6001 ext. 6908 
aros...@opentext.com   

 



Verify a PKCS7 detached signature

2010-04-23 Thread JG Disenador Multimedia
Hello,

I would like to verify a PKCS7 signature from a document; it is a PKCS7 detached
signature.

I have extracted it from the document; the signature is a very long hexadecimal
string.

I used this command but then I get a verification failure.

openssl dgst -verify  -sha1 -signature

Could anyone tell me a way to verify the signature correctly?
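
`openssl dgst -verify` expects a bare signature value plus a public key, whereas a detached PKCS#7 signature is a DER-encoded SignedData structure, which `openssl smime -verify` parses. The script below is an added example, not part of the original post: it decodes the hex string to DER and verifies it against the document. The throwaway signer, the file names and the sample document are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The key, certificate, document and file names are constructed.

# Turn a hex string (whitespace tolerated) on stdin into raw bytes on stdout.
hex_to_bin() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -r -p
    else
        tr -d ' \t\r\n' | perl -e 'local $/; print pack("H*", <STDIN>)'
    fi
}

# verify_detached HEXSIG DOCUMENT TRUSTED_CERTS
# Returns 0 only if the PKCS#7 SignedData in HEXSIG covers DOCUMENT and the
# signer certificate chains to a certificate in TRUSTED_CERTS.
verify_detached() {
    der=$(mktemp) || return 2
    hex_to_bin < "$1" > "$der"
    openssl smime -verify -binary -inform DER -in "$der" \
        -content "$2" -CAfile "$3" -out /dev/null 2>/dev/null
    rc=$?
    rm -f "$der"
    return "$rc"
}

# Build constructed test inputs in directory $1: a throwaway self-signed signer,
# a document, and its detached signature stored as one long hex string.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    printf 'constructed sample document\n' > "$1/doc.txt" &&
    openssl smime -sign -binary -in "$1/doc.txt" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -outform DER -out "$1/sig.der" 2>/dev/null &&
    od -An -v -tx1 "$1/sig.der" | tr -d ' \n' > "$1/sig.hex"
}

work=$(mktemp -d)
make_sample "$work"
if verify_detached "$work/sig.hex" "$work/doc.txt" "$work/cert.pem"; then
    echo "unchanged document: signature verifies"
fi
printf 'one extra line\n' >> "$work/doc.txt"
if ! verify_detached "$work/sig.hex" "$work/doc.txt" "$work/cert.pem"; then
    echo "modified document: verification fails"
fi
rm -rf "$work"
```

The document passed with `-content` must be byte-for-byte what was signed, which is why `-binary` is given on both the signing and the verifying side.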