Question of openssl compilation

2010-10-08 Thread HU Chengzhe

Hello,

   I use the following commands to compile openssl-0.9.8o:
   1) ./Configure solaris-sparcv9-cc --prefix=MY_OPENSSL_INSTALL_DIRECTORY shared
   2) make
   3) make install
  
  I can compile it successfully and under
MY_OPENSSL_INSTALL_DIRECTORY/lib I can find some files like below:

-rw-r--r--   1 arkie   bjumts   3623300 Aug  5 15:41 libcrypto.a
lrwxrwxrwx   1 arkie   bjumts        18 Aug  5 15:41 libcrypto.so -> libcrypto.so.0.9.8
-r-xr-xr-x   1 arkie   bjumts   2567624 Aug  5 15:41 libcrypto.so.0.9.8
-rw-r--r--   1 arkie   bjumts    588036 Aug  5 15:41 libssl.a
lrwxrwxrwx   1 arkie   bjumts        15 Aug  5 15:41 libssl.so -> libssl.so.0.9.8
-r-xr-xr-x   1 arkie   bjumts    424320 Aug  5 15:41 libssl.so.0.9.8

As we can see, there are two dynamic lib files, libcrypto.so.0.9.8 and
libcrypto.so.0.9.8.

But my questions are:
1) How can I make the generated dynamic lib names libcrypto.0.9.8.so
and libcrypto.0.9.8.so, not the default names?
2) If the dynamic lib name is changed successfully, how can I make sure the
link-time name is the same as the changed dynamic lib name? Is there some
option similar to -soname which can specify the link-time name?
For example:
=ldd libssl.so.0.9.8
   libcrypto.so.0.9.8 = 
   .
After change name to libssl.0.9.8.so, result should be:
=ldd libssl.0.9.8.so
libcrypto.0.9.8.so =.
  .

Thank you.

Best Regards, 
Arkie


Getting detailed ssl-handshake debug output

2010-10-08 Thread Jeff Saremi
I'd like to know if there's a way -- programmatic, config, environment
-- that I can get detailed print of what goes on during a handshake at
the client or the server? Below is the output from Apache Tomcat as an
example of the level of details I'm looking for:

http-442-1, READ: TLSv1 Handshake, length = 73
*** ClientHello, TLSv1
RandomCookie:  GMT: 1269551866 bytes = { 178, 23, 135, 211, 154, 110,
144, 59, 9
9, 139, 224, 45, 156, 231, 232, 123, 36, 95, 187, 165, 56, 121, 211, 63,
117, 43
, 7, 82 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_S
HA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS
_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_
CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA
_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, Unknown 0x0:0xff]
Compression Methods:  { 0 }
Unsupported extension type_35, data:
***
%% Created:  [Session-1, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1269551766 bytes = { 32, 121, 10, 209, 123, 137,
160, 183, 1
86, 107, 255, 108, 79, 16, 190, 91, 180, 86, 18, 136, 232, 108, 249,
191, 90, 17
6, 87, 231 }
Session ID:  {76, 172, 211, 150, 251, 114, 230, 220, 75, 218, 174, 105,
134, 185
, 144, 119, 92, 182, 1, 58, 247, 172, 121, 90, 212, 100, 58, 220, 93,
76, 97, 11
1}
Cipher Suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Compression Method: 0
***
Cipher suite:  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: OU=Tomcat, O=ACME, emailaddress=tom...@acme.com, C=CA,
CN=localhost
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
 
  Key:  Sun RSA public key, 512 bits
  modulus:
973285574783538290665814718553460486271776249697428968977460338357983
...
  public exponent: 65537
  Validity: [From: Mon Jun 21 14:33:25 EDT 2010,
   To: Tue Jun 21 14:33:25 EDT 2011]
  Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
  SerialNumber: [02]
 
]
  Algorithm: [SHA1withRSA]
  Signature:
: A5 A9 E6 5F BE 51 75 E5   E3 25 9D 92 AB 45 FA 1E  ..._.Qu..%...E..
...
 
]
***
*** Diffie-Hellman ServerKeyExchange
DH Modulus:  { 233, 230, 66, 89, 157, 53, 95, 55, 201, 127, 253, 53,
103, 18, 11
... }
DH Base:  { 48, 71, 10, 213, 160, 5, 251, 20, 206, 45, 157, 205, 135,
227, 139,
... }
Server DH Public Key:  { 159, 193, 69, 114, 138, 167, 128, 50, 5, 51,
77, 127, 2
...}
Signed with a DSA or RSA public key
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
OU=Root CA, O=ACME Systems Inc., C=CA, CN=ACME Systems Root CA
OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
CN=TESTCA, OU=CA, O=TEST
*** ServerHelloDone
http-442-1, WRITE: TLSv1 Handshake, length = 1544
http-442-1, READ: TLSv1 Handshake, length = 3309
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=fd0172c2-3f02-432e-8317-097b8fabff7d, OU=Windows/1.00,
O=instance
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
 
  Key:  Sun RSA public key, 1024 bits
  modulus:
128531339772544414974300233324968135333513753311766363920169114394683
...
 
  public exponent: 65537
  Validity: [From: Tue Oct 05 17:49:02 EDT 2010,
   To: Wed Oct 05 17:49:02 EDT 2011]
  Issuer: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
  SerialNumber: [012b7e5e 79df]

[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=guest, OU=ACME PC Client, O=instance
]
 
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Key_Agreement
]
 
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]
 
]
  Algorithm: [SHA256withRSA]
  Signature:
: 97 32 64 63 D4 DA ED AF   CD 7F EC 77 A6 7C 72 85  .2dc...w..r.
...
 
]
chain [1] = [
[
  Version: V3
  Subject: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
 
  Key:  Sun RSA public key, 2048 bits
  modulus:
241401315179803415263681113133745704037912047640810783616090692543408
...
  public exponent: 65537
  Validity: [From: Wed Jun 09 14:04:45 EDT 2010,
   To: Thu Jun 09 14:04:45 EDT 2011]
  Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
  SerialNumber: [01]
 
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.30 Criticality=true
NameConstraints: [
Permitted:   GeneralSubtrees:
[
   GeneralSubtree: [
GeneralName: O=instance
Minimum: 0  Maximum: undefined]
]
   ]
 
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 7C FB 2B 96 C9 0D 37 89   01 83 D9 5A 67 41 3B 3C  ..+...7ZgA;
0010: E7 45 81 43.E.C
]
]
 
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
: 70 8F 22 BC D7 55 20 6E   

Re: Using CMS_verify() without certificates

2010-10-08 Thread tmu
On 10/07/2010 10:04 PM, Dr. Stephen Henson wrote:
> On Thu, Oct 07, 2010, t...@compumatica.de wrote:
>
>> Hi,
>>
>> I like to verify an S/MIME message with CMS_verify() (openssl-1.0.0a). If
>> the CMS structure does not contain a certificate and if I also cannot
>> provide the certificate, the verification fails. error:2E09D08A:CMS
>> routines:CMS_verify:signer certificate not found
>>
>> I know that I need the certificate to verify the signature, but what can
>> I do in this case, to get my hands on the content? Even if I use
>> CMS_NO_CONTENT_VERIFY I get the same error and the output is empty. Is
>> there another way to extract the data out of the CMS structure?
>
> You can do this via the lower level API.
>
> Something like..
>
> ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
>
> Then the content is ASN1_STRING_length(*pos) bytes using the buffer
> ASN1_STRING_data(*pos). Note that those are internal pointers which should be
> treated as read only.
   

Works fine.

Thanks for your help.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: FIPS mode - fails to read the RSA key

2010-10-08 Thread john.mattapilly
Thank you Steve,

I had problem in creating certificate and key in FIPS mode. With your
suggestion now I am able to create FIPS supported certificate

When I create it with a passphrase the key looks as below

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
..snip
toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
-----END ENCRYPTED PRIVATE KEY-----

Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified
that passphrase returned by the cb is as same as the one that I used to
create the certificate. Any hint if I miss something in the key
generation

The command I used to create this key is

 ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem

If I create the key without passphrase then the code hits this snippet
of the code (PEM_read_bio_PrivateKey) and works fine
..
..
p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
..
..

Thanks
John Paul

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 9:48 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:

> Thanks again
>
> I do have the env Variable OPENSSL_FIPS set to 1. And the key
> generated is as below
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> .
> .
> .
> .hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But still it fails at the same method PEM_do_header


If that happens the version of OpenSSL isn't in FIPS mode. You should
get:

-----BEGIN PRIVATE KEY-----

and no Proc-Type, DEK-Info lines if it worked. If you also do:

OPENSSL_FIPS=1 openssl md5 somefile

it should fail with an error if FIPS mode is entered correctly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: FIPS mode - fails to read the RSA key

2010-10-08 Thread Dr. Stephen Henson
On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote:

> Thank you Steve,
>
> I had problem in creating certificate and key in FIPS mode. With your
> suggestion now I am able to create FIPS supported certificate
>
> When I create it with a passphrase the key looks as below
>
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
> ..snip
> toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
> -----END ENCRYPTED PRIVATE KEY-----
>
> Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified
> that passphrase returned by the cb is as same as the one that I used to
> create the certificate. Any hint if I miss something in the key
> generation
>
> The command I used to create this key is
>
>  ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem
>
> If I create the key without passphrase then the code hits this snippet
> of the code (PEM_read_bio_PrivateKey) and works fine
>   ..
>   ..
>   p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len);
>   if(!p8inf) goto p8err;
>   ret = EVP_PKCS82PKEY(p8inf);
>   ..
>   ..
 

Have you included OpenSSL_add_all_algorithms() in your code? If so then see the
FAQ for details of how to print out error messages.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
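
The three private-key encodings that appear in this thread can be told apart from the PEM armor alone, which shows whether a file will go down the PEM_do_header, d2i_PKCS8_PRIV_KEY_INFO or PKCS8_decrypt path described above. The classifier below is an added example, not code from the thread or from OpenSSL; classify_pem_key, the enum names and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pem_key_kind { PEM_KEY_UNKNOWN, PEM_KEY_TRAD_CLEAR, PEM_KEY_TRAD_ENCRYPTED,
                    PEM_KEY_PKCS8_CLEAR, PEM_KEY_PKCS8_ENCRYPTED };

/* Constructed samples: real armor and headers, placeholder bodies. */
static const char SAMPLE_TRAD_ENC[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0011223344556677\n\nAAAA\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_PKCS8_ENC[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n";
static const char SAMPLE_PKCS8[] = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";

/* Classify the first PEM block by its armor; a DEK-Info cipher name, if any, goes into cipher. */
enum pem_key_kind classify_pem_key(const char *pem, char *cipher, size_t cap)
{
    const char *b = strstr(pem, "-----BEGIN "), *e, *end, *pt, *dek;
    size_t n;
    if (cap) cipher[0] = '\0';
    if (!b) return PEM_KEY_UNKNOWN;
    b += 11;                                    /* skip "-----BEGIN " */
    if (!(e = strstr(b, "-----"))) return PEM_KEY_UNKNOWN;
    n = (size_t)(e - b);                        /* length of the label */
    if (n == 11 && !strncmp(b, "PRIVATE KEY", n)) return PEM_KEY_PKCS8_CLEAR;
    if (n == 21 && !strncmp(b, "ENCRYPTED PRIVATE KEY", n)) return PEM_KEY_PKCS8_ENCRYPTED;
    if (n < 12 || strncmp(e - 12, " PRIVATE KEY", 12)) return PEM_KEY_UNKNOWN;
    /* Traditional key (e.g. RSA): encryption is signalled by headers before END. */
    end = strstr(e, "-----END ");
    pt = strstr(e, "Proc-Type: 4,ENCRYPTED");
    if (!pt || (end && pt > end)) return PEM_KEY_TRAD_CLEAR;
    dek = strstr(pt, "DEK-Info: ");
    if (cap && dek && (!end || dek < end)) {
        dek += 10;                              /* skip "DEK-Info: " */
        n = strcspn(dek, ",\r\n");              /* cipher name ends at the comma */
        if (n >= cap) n = cap - 1;
        memcpy(cipher, dek, n);
        cipher[n] = '\0';
    }
    return PEM_KEY_TRAD_ENCRYPTED;
}

int main(void)
{
    const char *s[] = { SAMPLE_TRAD_ENC, SAMPLE_PKCS8_ENC, SAMPLE_PKCS8 };
    char c[32];
    for (int i = 0; i < 3; i++)
        printf("kind=%d cipher=%s\n", (int)classify_pem_key(s[i], c, sizeof c), c);
    return 0;
}
```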


print implicit ASN1 application tag at top level

2010-10-08 Thread anon.y.mous

Hello

There must be an obvious answer to this... 

Using a current release of OpenSSL source I have declared a new array of
ASN1_TEMPLATES (i.e. ##name_seq_tt), by defining an ASN1_SEQUENCE_ref with
some other ASN1 objects in it. 

ASN1_SEQUENCE_APPLICATION_ref(FOO, FOO_cb, CRYPTO_LOCK_FOO) = {
...some ASN1 objects... 
} ASN1_SEQUENCE_APPLICATION_END_ref(FOO, FOO)
IMPLEMENT_ASN1_FUNCTIONS(FOO)

I would like to allocate an implicit tag to the array itself, so that the
first thing that prints out (when a FOO runs through tasn1enc.c and is
displayed in DER format) is the ASN1 encoded tag of my choice (in this case
0x7F21), rather than the 0x308X of a standard ASN1 SEQUENCE. 

I have worked out how to do it for the templates contained within the array
(creating a new macro alongside ASN1_IMP defining
ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION) and declaring the inner templates
using the new macro, but am struggling with the top level one. Do I need to
do something similar ? Any ideas ? 




-- 
View this message in context: 
http://old.nabble.com/print-implicit-ASN1-application-tag-at-top-level-tp29913785p29913785.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



Re: print implicit ASN1 application tag at top level

2010-10-08 Thread Dr. Stephen Henson
On Fri, Oct 08, 2010, anon.y.mous wrote:

 
> I have worked out how to do it for the templates contained within the array
> (creating a new macro alongside ASN1_IMP defining
> ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION) and declaring the inner templates
> using the new macro, but am struggling with the top level one. Do I need to
> do something similar ? Any ideas ?
 

You need a special type for the top level and item template. Check out the
definition of GENERAL_NAMES for an example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
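
Why the tag asked about in this thread is the two bytes 0x7F21 while a plain SEQUENCE starts with the single byte 0x30: the sketch below encodes and decodes DER identifier octets, including the high-tag-number form used for tag numbers of 31 and above. It is an added example, not code from the thread or from OpenSSL; der_put_identifier, der_get_identifier and the CLS_ constants are hypothetical names.

```c
#include <stdio.h>

enum { CLS_UNIVERSAL, CLS_APPLICATION, CLS_CONTEXT, CLS_PRIVATE };

/* Encode DER identifier octets; returns bytes written, 0 if out is too small. */
size_t der_put_identifier(unsigned cls, int constructed, unsigned long tag,
                          unsigned char *out, size_t cap)
{
    unsigned char first = (unsigned char)(((cls & 3u) << 6) | (constructed ? 0x20u : 0u));
    unsigned long t;
    size_t n = 1, i;

    for (t = tag; tag >= 31 && t; t >>= 7) n++;   /* one more octet per 7 tag bits */
    if (cap < n) return 0;
    if (tag < 31) { out[0] = (unsigned char)(first | tag); return 1; }
    out[0] = (unsigned char)(first | 0x1Fu);      /* 11111: tag number follows */
    for (i = n - 1, t = tag; i >= 1; i--, t >>= 7)
        out[i] = (unsigned char)((t & 0x7Fu) | (i == n - 1 ? 0u : 0x80u));
    return n;
}

/* Decode identifier octets; returns bytes consumed, 0 on malformed input. */
size_t der_get_identifier(const unsigned char *in, size_t len, unsigned *cls,
                          int *constructed, unsigned long *tag)
{
    unsigned long t = 0;
    size_t i = 1;

    if (len < 1) return 0;
    *cls = (unsigned)(in[0] >> 6);
    *constructed = (in[0] & 0x20) != 0;
    if ((in[0] & 0x1F) != 0x1F) { *tag = in[0] & 0x1Fu; return 1; }
    if (len < 2 || in[1] == 0x80) return 0;          /* truncated or padded */
    do {
        if (i >= len || t > (~0UL >> 7)) return 0;   /* truncated or overflow */
        t = (t << 7) | (in[i] & 0x7Fu);
    } while (in[i++] & 0x80);
    if (t < 31) return 0;                 /* DER requires the one-octet form */
    *tag = t;
    return i;
}

int main(void)
{
    unsigned char b[8];
    size_t i, n = der_put_identifier(CLS_APPLICATION, 1, 33, b, sizeof b);
    for (i = 0; i < n; i++) printf("%02X", b[i]);   /* prints 7F21 */
    printf(" = [APPLICATION 33], constructed\n");
    return 0;
}
```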


RE: Getting detailed ssl-handshake debug output

2010-10-08 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jeff Saremi
> Sent: Thursday, 07 October, 2010 15:15
>
> I'd like to know if there's a way -- programmatic, config, environment
> -- that I can get detailed print of what goes on during a handshake at
> the client or the server? Below is the output from Apache Tomcat as an
> example of the level of details I'm looking for:
 
Not in OpenSSL, I'm pretty sure.

If you can install other software on the same machine, 
or (usually?) another machine on the same LAN, WireShark from 
www.wireshark.org can display it on screen, or save a trace file 
which you can open and re-display later. I haven't found a way to 
capture the formatted display (except screen print on Windows).

This will only work for initial negotiation, since renegotiation 
is encrypted (unless the initial/current ciphersuite is eNULL). 
ssldump might work in that case, but I haven't tried it.


