Help building FIPS openssl (suitable for apache)
Hello,

First off, I AM trying to follow the FIPS/OPENSSL user guide.

What am I doing wrong:

1.) downloaded fips openssl 1.2.3

2.) ./config fipscanisterbuild
    make
    make install

3.) ./config fips --with-fipslibdir=/usr/local/ssl/fips1.2.3/lib
    make
    make install

4.) build apache with
    ./configure --prefix=/usr/local/apache2.2.19 --with-ssl=/usr/local/ssl/fips1.2.3 --with-mpm=prefork --with-ldap --enable-ssl --enable-dav --enable-dav-fs --enable-dav-lock --enable-authnz-ldap --enable-ldap

5.) Error:
    [root]# ./apachectl start
    Syntax error on line 1 of /usr/local/apache2.2.19/conf/extra/httpd-ssl.conf:
    SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
generic configuration for 64 bit
hi all,

The Configure file has generic 32 bit configurations:

# Basic configs that should work on any (32 and less bit) box
gcc, gcc:-O3::(unknown):::BN_LLONG:::,
cc, cc:-O::(unknown)::,

What would be an equivalent generic configuration for 64 bit?

Best,
Misha
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Openssl cms question
I tried to use this command from openssl examples:

openssl cms -sign -in message.txt -text -out mail.msg -signer ./ssl1/newkey.pem

The error is:

unable to load certificate
3076057772:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

To generate my newkey.pem I used these commands:

/usr/lib/ssl/misc/CA.pl -newca
/usr/lib/ssl/misc/CA.pl -newreq
/usr/lib/ssl/misc/CA.pl -signreq

I also tried to pass the argument -noverify but the error is the same.

newkey.pem looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6CACB288530133B0
...
-----END RSA PRIVATE KEY-----
Why my SSL_Connect() hangs at times?
I have a Linux server which has been connected with a Windows XP client using SSL sockets. I am able to read and write through those sockets. Recently my calls to SSL_Connect() wait for a long time. And yes, I am using blocking mode.

My search on that issue ended up with: I have to use non-blocking mode and have to use timeouts as well. But I want the connection to be successful so as to proceed further. Only when I am done with those little transfers between the Server and the Client will I be able to move to the next step. Hence I used blocking mode here.

While at the start of SSL socket programming, I let the socket connections close abruptly without releasing them (through exceptions and as a beginner's ignorance). Might that be the reason for my client not getting connected with the Server? By that I mean that those connections may still not be cleared, which makes my current SSL_Connect() call hang? If so, can I clean those up through any command or something?

Or what might be the reasons that make SSL_Connect hang/wait for long? And how can I establish a connection in such a case when I had to use blocking mode?

--
Regards,
Kali
Re: Openssl cms question
I fixed it. The certificate was not in the right form.

On 11.06.2011 18:16, Victor Sterpu wrote:
> I tried to use this command from openssl examples:
>
> openssl cms -sign -in message.txt -text -out mail.msg -signer ./ssl1/newkey.pem
>
> The error is:
>
> unable to load certificate
> 3076057772:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
>
> To generate my newkey.pem I used these commands:
>
> /usr/lib/ssl/misc/CA.pl -newca
> /usr/lib/ssl/misc/CA.pl -newreq
> /usr/lib/ssl/misc/CA.pl -signreq
>
> I also tried to pass the argument -noverify but the error is the same.
>
> newkey.pem looks like this:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6CACB288530133B0
> ...
> -----END RSA PRIVATE KEY-----
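Added example (not part of the thread): the file shown above carries an RSA PRIVATE KEY block while the error says a certificate was expected, so a quick pre-flight check is to list the PEM block labels in whatever file is about to be passed to -signer. The function names and the sample files are constructed for illustration; the sample bodies are placeholders, not key material.

```shell
#!/bin/sh
# Added example: classify a PEM file before passing it to
# `openssl cms -sign -signer`. Function names are hypothetical.

# Print the label of every PEM block in the file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# cert+key: certificate and private key together
# cert:     certificate only (the key then has to come from -inkey)
# key-only: private key without a certificate
# none:     neither (for example a CERTIFICATE REQUEST)
signer_file_kind() {
    has_cert=no; has_key=no
    labels=$(pem_labels "$1")
    while IFS= read -r label; do
        case "$label" in
            CERTIFICATE|"X509 CERTIFICATE"|"TRUSTED CERTIFICATE") has_cert=yes ;;
            *"PRIVATE KEY") has_key=yes ;;
        esac
    done <<EOF
$labels
EOF
    case "$has_cert/$has_key" in
        yes/yes) echo cert+key ;;
        yes/no)  echo cert ;;
        no/yes)  echo key-only ;;
        *)       echo none ;;
    esac
}

# Constructed sample files: real PEM labels, placeholder bodies.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
pem() { printf '%s\n' "-----BEGIN $1-----" PLACEHOLDER "-----END $1-----"; }
pem 'RSA PRIVATE KEY'     > "$tmp/key.pem"
pem 'CERTIFICATE'         > "$tmp/cert.pem"
pem 'CERTIFICATE REQUEST' > "$tmp/req.pem"
cat "$tmp/cert.pem" "$tmp/key.pem" > "$tmp/both.pem"

for f in key cert req both; do
    printf '%s.pem: %s\n' "$f" "$(signer_file_kind "$tmp/$f.pem")"
done
```

A result of key-only or none means the file cannot serve as the -signer argument on its own.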
Re: Help building FIPS openssl (suitable for apache)
On Fri, Jun 10, 2011, Sam Theman wrote:
> Hello,
>
> First off, I AM trying to follow the FIPS/OPENSSL user guide.
>
> What am I doing wrong:
>
> 1.) downloaded fips openssl 1.2.3
>
> 2.) ./config fipscanisterbuild
>     make
>     make install
>
> 3.) ./config fips --with-fipslibdir=/usr/local/ssl/fips1.2.3/lib
>     make
>     make install
>
> 4.) build apache with
>     ./configure --prefix=/usr/local/apache2.2.19 --with-ssl=/usr/local/ssl/fips1.2.3 --with-mpm=prefork --with-ldap --enable-ssl --enable-dav --enable-dav-fs --enable-dav-lock --enable-authnz-ldap --enable-ldap
>
> 5.) Error:
>     [root]# ./apachectl start
>     Syntax error on line 1 of /usr/local/apache2.2.19/conf/extra/httpd-ssl.conf:
>     SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS

Looks like Apache isn't seeing the correct header files and not including the appropriate FIPS code. That's an Apache configuration issue and not OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
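Added example (not part of the thread, and not Apache or OpenSSL project code): one way to test the diagnosis above is to look at the headers each candidate prefix offers to the httpd build. It assumes a FIPS-enabled OpenSSL build marks its installed headers by defining OPENSSL_FIPS in include/openssl/opensslconf.h; the function names and the constructed sample trees are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the OpenSSL headers under a prefix
# (the value given to httpd's --with-ssl) are FIPS-enabled.
# Assumption: a FIPS-enabled build defines OPENSSL_FIPS in opensslconf.h.

# Exit 0 if the header has an active "#define OPENSSL_FIPS" line,
# 1 if the header exists without it, 2 if the header is not readable.
headers_define_fips() {
    conf="$1/include/openssl/opensslconf.h"
    [ -r "$conf" ] || return 2
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([[:space:]]|$)' "$conf"
}

# Print "<prefix> <fips|no-fips|missing-headers>" for each prefix given.
report_prefixes() {
    for prefix in "$@"; do
        rc=0
        headers_define_fips "$prefix" || rc=$?
        case $rc in
            0) echo "$prefix fips" ;;
            1) echo "$prefix no-fips" ;;
            *) echo "$prefix missing-headers" ;;
        esac
    done
}

# Constructed sample trees standing in for two install prefixes.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/fips/include/openssl" "$tmp/plain/include/openssl"
printf '%s\n' '#ifndef OPENSSL_FIPS' '# define OPENSSL_FIPS' '#endif' \
    > "$tmp/fips/include/openssl/opensslconf.h"
printf '%s\n' '/* #define OPENSSL_FIPS */' '#define OPENSSL_NO_GMP' \
    > "$tmp/plain/include/openssl/opensslconf.h"

report_prefixes "$tmp/fips" "$tmp/plain" "$tmp/absent"
```

On a real host, pass the prefix from the configure line (here /usr/local/ssl/fips1.2.3) together with any other location that holds OpenSSL headers, and compare the results.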