RE: FIPS error on Apache httpd v2.4.3, OpenSSL 1.0.1c and fips-2.0.1
Hi, Cassie I followed your post. I tried to recompile Apache with the recommendation that you given. I tried to rename Redhat's libcrypto and libssl to something else then Apache complains about LDAP library missing in the configure phase. I then tried using LDFLAGS for "configure" in Apache but no success. I also tried LD_LIBRARY_PATH to specify /usr/local/ssl/lib but also no luck. What else the trick that I can use? Thanks. Ryan -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Helms, Cassie Sent: Thursday, August 23, 2012 3:26 PM To: openssl-users@openssl.org Subject: RE: FIPS error on Apache httpd v2.4.3, OpenSSL 1.0.1c and fips-2.0.1 Ryan, A previous thread, "fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build", might be of some use to you. As a first step, you may want to use ldd on your executable to make sure libcrypto.so/a points to 1.0.1c and not some other version of openssl. The thread has more information on this issue. Cassie __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FIPS enabled OpenSSL v1.0.1c
Hi, When I tried to start Apache(v2.4.3) with FIPS enabled OpenSSL v1.0.1c on RHEL v6.3, I was prompted for the pass phrase which is normal. After I typed in correct pass phrase, I got a message: Apache: mod_ssl:Error: Pass phrase incorrect (5 more retries permitted). When I ctrl-c to exist, I got another message: Apache:mod_ssl:Error: Private key not found. Which is not correct since the private key is there. The key and certificate was generated by older version of FIPS disabled OpenSSL. I copied the key and certificate from older version of web server for the new version web server to use. Once I disabled FIPS in the Apache configuration file, I typed in the same pass phrase and I can start httpd v2.4.3. Is this something from Apache or OpenSSL side for the wrong pass phrase prompt? What else do I need to do or check? Thanks. Ryan Jiang This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Openssh error - Solaris 10 SPARC Platform
Sounds like an LD_LIBRARY_PATH issue. In /etc/default/profile you may
wabt to make sure that /usr/local/lib is set before /usr/lib in
LD_LIBRARY_PATH. Solaris should include its own vers of ssh and ssl
which will account for the conflict.
On 08/23/12 19:06, Roberto Ballan wrote:
> Hi,
> I have a Sun Solaris 10 Server that I have upgraded the Openssh
> version 5.3p1 to version 6.0p1.
> I have upgraded openssl from version 0.9.81 to version 1.0.1c.
> When I check the ssh log file I see the error.
> Please can you provide some help how to resolve this issue ?
> ==
> [ Aug 23 16:19:03 Executing start method ("/lib/svc/method/sshd start") ]
> starting /usr/local/sbin/sshd... *OpenSSL version mismatch. Built
> against 1000103f, you have 10af*
> /lib/svc/method/sshd: Error 255 starting /usr/local/sbin/sshd... bailing.
> [ Aug 23 16:19:03 Method "start" exited with status 255 ]
>
> Thanks.
> Roberto Ballan
> email: roberto.bal...@macys.com
>
Re: Convert symmetrically encrypted content to base64
On Fri, 24 Aug 2012 15:54:50 -0400 Dave Thompson wrote: > Note OpenSSL's RSA privatekey *includes* publickey. > RSA publickey is n,e and naive privatekey is n,d, > but OpenSSL privatekey is CRT form with n,d,e,p,q + more. > There is no need to transmit the publickey separately, > > [..] > > > Tiny aside: BIO_new_mem_buf will do the strlen() for you > if you pass -1 for length. Just a convenience. > > [..] > > If PEM_read_* returns null (or nearly any other OpenSSL > routine returns a failure indication), look at the error queue. > http://www.openssl.org/support/faq.html#PROG6 > and #PROG7 also if you don't get readable error. > > If they didn't, look very carefully at your PEM data. > Commandline can do this: openssl asn1parse -in myprivkey.pem > and/or: openssal rsa -in myprivkey.pem -text Thanks for your hints. After a lot of testing I figured out that my functions pem2key() and key2pem() works fine. The problem is that I lose some characters (e.g. '+' gets replaced by spaces) while sending the key over the network. But I think this problem don't belong to the mailing list. ;-) Thanks a lot! Björn -- Björn Schießle www: http://schiessle.org gnupg key: 0x0x2378A753E2BF04F6 fingerprint: 244F CEB0 CB09 9524 B21F B896 2378 A753 E2BF 04F6 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Why key file in *client* certificate situation?
I'm just trying to understand the SSL protocol -- this is not an alleged bug or an "issue." In OpenSSL s_client, or for that matter, in my client test program, an attempt to use a *client* certificate fails unless I also specify -key or call SSL_CTX_use_PrivateKey_file(). Why? What role does the private key play with a *client* certificate? My understanding -- admittedly perhaps flawed -- is that the role of a client certificate is solely to authenticate the client. Isn't that role complete with just a CA-signed certificate? There's no encryption based on the client certificate, right? So what role does the key play? If none, why does OpenSSL fail without it? Thanks, Charles __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Why key file in *client* certificate situation?
On 8/27/2012 3:46 PM, Charles Mills wrote: I'm just trying to understand the SSL protocol -- this is not an alleged bug or an "issue." In OpenSSL s_client, or for that matter, in my client test program, an attempt to use a *client* certificate fails unless I also specify -key or call SSL_CTX_use_PrivateKey_file(). Why? What role does the private key play with a *client* certificate? My understanding -- admittedly perhaps flawed -- is that the role of a client certificate is solely to authenticate the client. Isn't that role complete with just a CA-signed certificate? There's no encryption based on the client certificate, right? So what role does the key play? If none, why does OpenSSL fail without it? Basic principle: A certificate is not secret, it is a public statement by a CA that a public key matches a private key belonging to a certain person or other entity. So just sending the client *certificate* to the server would prove nothing and is not useful as authentication. Just as handing someone a (paper) business card doesn't prove it is *your* business card. Signing some part of the SSL exchange with the clients private key and sending along the certificate to tell the server what the public key is and as proof of what identity is proven by the signature does prove a lot. So that is what SSL does. And that is why an SSL client needs the private key of the client certificate (if any). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Why key file in *client* certificate situation?
Thanks. I think I get it. Charles -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Monday, August 27, 2012 10:19 AM To: openssl-users@openssl.org Subject: Re: Why key file in *client* certificate situation? On 8/27/2012 3:46 PM, Charles Mills wrote: > I'm just trying to understand the SSL protocol -- this is not an > alleged bug > > or an "issue." > > > In OpenSSL s_client, or for that matter, in my client test program, an > > attempt to use a *client* certificate fails unless I also specify -key > or > > call SSL_CTX_use_PrivateKey_file(). > > > Why? What role does the private key play with a *client* certificate? > My > > understanding -- admittedly perhaps flawed -- is that the role of a > client > > certificate is solely to authenticate the client. Isn't that role > complete > > with just a CA-signed certificate? There's no encryption based on the > client > > certificate, right? So what role does the key play? If none, why does > > OpenSSL fail without it? > > Basic principle: A certificate is not secret, it is a public statement by a CA that a public key matches a private key belonging to a certain person or other entity. So just sending the client *certificate* to the server would prove nothing and is not useful as authentication. Just as handing someone a (paper) business card doesn't prove it is *your* business card. Signing some part of the SSL exchange with the clients private key and sending along the certificate to tell the server what the public key is and as proof of what identity is proven by the signature does prove a lot. So that is what SSL does. And that is why an SSL client needs the private key of the client certificate (if any). __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
openssl smime verify fails in ASN1_CHECK_TLEN but asn1parse is ok?
Hello, I'm trying to verify an email signature using openssl. I've saved the complete mail to a file named mail.eml, then I'm using openssl to verify: openssl smime -inform SMIME -CAfile all.pem -verify -in mail.eml which gives an error: 2674688:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319: 2674688:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_SIG 2674688:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:pk7_doit.c:1120: 2674688:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:410: Now I've also saved the base64 encoded signature only from the mime part into a separate file named mail_sig.txt to analyse further: openssl asn1parse -i -in mail_sig.txt which runs ok (at least there is no error shown) and prints out a nice tree, which at least to me does not show any errors (I'm a novice in this...). I'm using OpenSSL Version 1.0.1 14 Mar 2012 Any advice what may be wrong with the signature or how verify it in openssl? If needed, I can upload the e-mail or complete asn1parse output to pastebin or similar. Thanks for any help, Georg PS: I have to note that the complete story is longer: the email signature verifies fine in MS Outlook, but not in Thunderbird, so I tried to analyse this behavior and stumbled over the fact that openssl also has troubles verifying it. And Thunderbird most probably uses openssl libraries internally, so I've ended up here. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: openssl smime verify fails in ASN1_CHECK_TLEN but asn1parse is ok?
On Mon, Aug 27, 2012, GWu wrote: > Hello, > > I'm trying to verify an email signature using openssl. > > I've saved the complete mail to a file named mail.eml, then I'm using > openssl to verify: > > openssl smime -inform SMIME -CAfile all.pem -verify -in mail.eml > > which gives an error: > > 2674688:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong > tag:tasn_dec.c:1319: > 2674688:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested > asn1 error:tasn_dec.c:381:Type=X509_SIG > 2674688:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature > failure:pk7_doit.c:1120: > 2674688:error:21075069:PKCS7 routines:PKCS7_verify:signature > failure:pk7_smime.c:410: > > Now I've also saved the base64 encoded signature only from the mime > part into a separate file named mail_sig.txt to analyse further: > > openssl asn1parse -i -in mail_sig.txt > > which runs ok (at least there is no error shown) and prints out a nice > tree, which at least to me does not show any errors (I'm a novice in > this...). > > I'm using OpenSSL Version 1.0.1 14 Mar 2012 > > Any advice what may be wrong with the signature or how verify it in > openssl? If needed, I can upload the e-mail or complete asn1parse > output to pastebin or similar. > It sounds like the signature is malformed. That wouldn't cause problems with asn1parse but would when OpenSSL tried to verify it. I'd need to see the email to be sure though. > > PS: I have to note that the complete story is longer: the email > signature verifies fine in MS Outlook, but not in Thunderbird, so I > tried to analyse this behavior and stumbled over the fact that openssl > also has troubles verifying it. And Thunderbird most probably uses > openssl libraries internally, so I've ended up here. Thunderbird doesn't use OpenSSL it uses its own cryptographic library called NSS. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: openssl smime verify fails in ASN1_CHECK_TLEN but asn1parse is ok?
On Mon, Aug 27, 2012 at 9:27 PM, Dr. Stephen Henson wrote: > On Mon, Aug 27, 2012, GWu wrote: >> [...] >> openssl smime -inform SMIME -CAfile all.pem -verify -in mail.eml >> which gives an error: >> [...] > > It sounds like the signature is malformed. That wouldn't cause problems with > asn1parse but would when OpenSSL tried to verify it. > > I'd need to see the email to be sure though. The email is available at http://www.buergerkarte.at/mvnforum/mvnforum/viewthread_thread,272#1180 (German language forum, but the email - or it's significant parts respectively - is easily visble). >> PS: [...] And Thunderbird most probably uses >> openssl libraries internally, so I've ended up here. > > Thunderbird doesn't use OpenSSL it uses its own cryptographic library called > NSS. I wasn't aware of that, thanks for the clarification. kind regards, Georg __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: openssl smime verify fails in ASN1_CHECK_TLEN but asn1parse is ok?
On Mon, Aug 27, 2012, GWu wrote: > On Mon, Aug 27, 2012 at 9:27 PM, Dr. Stephen Henson wrote: > > On Mon, Aug 27, 2012, GWu wrote: > >> [...] > >> openssl smime -inform SMIME -CAfile all.pem -verify -in mail.eml > >> which gives an error: > >> [...] > > > > It sounds like the signature is malformed. That wouldn't cause problems with > > asn1parse but would when OpenSSL tried to verify it. > > > > I'd need to see the email to be sure though. > > The email is available at > http://www.buergerkarte.at/mvnforum/mvnforum/viewthread_thread,272#1180 > (German language forum, but the email - or it's significant parts > respectively - is easily visble). > Well I'm not surprised Thunderbird and OpenSSL has problems with that. The signature is malformed. It should contain the digest enclosed in an ASN1 structure called DigestInfo but it isn't: it just contains the raw digest. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FW: OpenSSL on beagleboard
Can no one help me? Isn't there a way of specifying the local the openssl is installed? I need very much to make it works. Thanks everybody. From: bad_boy_...@hotmail.com To: openssl-users@openssl.org Subject: OpenSSL on beagleboard Date: Thu, 23 Aug 2012 22:06:59 -0300 Hello, I am using the package libssl-dev on ubuntu in my beagleboard xm, and I have to run two C algorithms using the openSSL library.. Although I can't compile using the command: gcc test.c -lssl -o test. It seems the compiler isn't recognizing the "-lssl" command. Does someone know how to solve this? Do I have to set some path, or something like that? Thanks Guys.
RE: OpenSSL on beagleboard
Thanks for helping jeff, but it haven't worked yet. I searched my libssl.so in my /usr/lib and I didn't find. Does someone have any idea? I have installed the libssl-dev, libssl0.9.8. Thanks for helping. > Date: Thu, 23 Aug 2012 21:18:37 -0400 > Subject: Re: OpenSSL on beagleboard > From: noloa...@gmail.com > To: openssl-users@openssl.org > > On Thu, Aug 23, 2012 at 9:06 PM, Paulo Roberto > wrote: > > Hello, I am using the package libssl-dev on ubuntu in my beagleboard xm, and > > I have to run two C algorithms using the openSSL library.. > > Although I can't compile using the command: gcc test.c -lssl -o test. It > > seems the compiler isn't recognizing the "-lssl" command. > > Does someone know how to solve this? > > Do I have to set some path, or something like that? > You specify linker commands (such as libraries) at the very end of the > compiler drive command. From the g++ man pages (around line 25): > "...the placement of the -l option is significant." > > gcc test.c -o test -lssl > > You might also want to add -Wl,-Bstatic unless you want to do the > shared object thing. > > Jeff > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org
RE: OpenSSL on beagleboard
When I use the command gcc teste.c -lssl -o teste: Error: ubuntu@omap:~/arquivos$ gcc rsa.c -lssl -o teste /tmp/ccyvrO2i.o: In function `main': rsa.c:(.text+0x8): undefined reference to `BN_new' rsa.c:(.text+0xe): undefined reference to `BN_new' rsa.c:(.text+0x14): undefined reference to `BN_new' rsa.c:(.text+0x1a): undefined reference to `BN_new' rsa.c:(.text+0x20): undefined reference to `BN_new' /tmp/ccyvrO2i.o:rsa.c:(.text+0x26): more undefined references to `BN_new' follow /tmp/ccyvrO2i.o: In function `main': rsa.c:(.text+0x5c): undefined reference to `BN_set_word' rsa.c:(.text+0x66): undefined reference to `BN_set_word' rsa.c:(.text+0x70): undefined reference to `BN_set_word' rsa.c:(.text+0x98): undefined reference to `BN_generate_prime' rsa.c:(.text+0xba): undefined reference to `BN_generate_prime' rsa.c:(.text+0xbe): undefined reference to `BN_CTX_new' rsa.c:(.text+0xca): undefined reference to `BN_mul' rsa.c:(.text+0xd4): undefined reference to `BN_sub' rsa.c:(.text+0xe2): undefined reference to `BN_bn2dec' rsa.c:(.text+0xf6): undefined reference to `BN_sub' rsa.c:(.text+0xfa): undefined reference to `BN_CTX_new' rsa.c:(.text+0x106): undefined reference to `BN_mul' rsa.c:(.text+0x114): undefined reference to `BN_bn2dec' rsa.c:(.text+0x11c): undefined reference to `BN_bn2dec' rsa.c:(.text+0x124): undefined reference to `BN_bn2dec' rsa.c:(.text+0x140): undefined reference to `BN_rand' rsa.c:(.text+0x1b8): undefined reference to `BN_mul' rsa.c:(.text+0x1c6): undefined reference to `BN_bn2dec' rsa.c:(.text+0x1de): undefined reference to `BN_bn2dec' rsa.c:(.text+0x1f6): undefined reference to `BN_bn2dec' rsa.c:(.text+0x204): undefined reference to `BN_CTX_new' rsa.c:(.text+0x216): undefined reference to `BN_div' rsa.c:(.text+0x224): undefined reference to `BN_bn2dec' rsa.c:(.text+0x236): undefined reference to `BN_cmp' rsa.c:(.text+0x24a): undefined reference to `BN_bn2dec' rsa.c:(.text+0x252): undefined reference to `BN_bn2dec' rsa.c:(.text+0x25a): undefined reference to `BN_bn2dec' rsa.c:(.text+0x262): undefined reference to `BN_bn2dec' rsa.c:(.text+0x26a): undefined reference to `BN_bn2dec' collect2: ld returned 1 exit status Another attempt: ubuntu@omap:~/arquivos$ gcc rsa.c -Wl, -lssl, -lcrypto -o teste /usr/bin/ld: cannot find : No such file or directory /usr/bin/ld: cannot find -lssl, collect2: ld returned 1 exit status Any idea? I haven't found the libssl.so in my directory /usr/lib. Thanks everybody. > Date: Fri, 24 Aug 2012 09:45:15 +0100 > Subject: Re: OpenSSL on beagleboard > From: b...@links.org > To: openssl-users@openssl.org > > On Fri, Aug 24, 2012 at 2:18 AM, Jeffrey Walton wrote: > > On Thu, Aug 23, 2012 at 9:06 PM, Paulo Roberto > > wrote: > >> Hello, I am using the package libssl-dev on ubuntu in my beagleboard xm, > >> and > >> I have to run two C algorithms using the openSSL library.. > >> Although I can't compile using the command: gcc test.c -lssl -o test. It > >> seems the compiler isn't recognizing the "-lssl" command. > > You really need to show the error, I doubt it is "not recognizing" it. > > >> Does someone know how to solve this? > >> Do I have to set some path, or something like that? > > You might do, use -L for this. > > > You specify linker commands (such as libraries) at the very end of the > > compiler drive command. From the g++ man pages (around line 25): > > "...the placement of the -l option is significant." > > Significant relative to .o and other libraries, not to the output > file, so this should make no difference. > > > > > gcc test.c -o test -lssl > > > > You might also want to add -Wl,-Bstatic unless you want to do the > > shared object thing. > > > > Jeff > > __ > > OpenSSL Project http://www.openssl.org > > User Support Mailing Listopenssl-users@openssl.org > > Automated List Manager majord...@openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org
RE: OpenSSL on beagleboard
>From: owner-openssl-us...@openssl.org On Behalf Of Paulo Roberto >Sent: Monday, 27 August, 2012 18:37 >Can no one help me? Isn't there a way of specifying the local >the openssl is installed? You mean "location" i.e. in the file system? As far as I know packages on most Linuxes, including ubuntu, install into system standard locations, maybe something like /usr/lib or /opt/ssl . "System" locations vary for different Unixes but are usually the same for different libraries on the same Unix, so you might be better off asking people who know about ubuntu in particular. If it is in a standard location, your gcc (assuming your gcc is the correct package of gcc for your Unix) should find it. If you have some kind of nonstandard perhaps experimental package, and you know where it is installed, -L/path/to/libdir is the gcc way to specify additional library directories. (The -Ldir must occur before the/any -llib that's lower-ell that needs it.) You always need to make sure you *compile* with headers that are compatible with the library(ies) you *link* with; if you are linking with libraries in a nonstandard location you may need -I/path/to/incdir that's upper-eye (for gcc) to find the corresponding headers. I'm not sure if -I must precede the sourcefile(s) but I put it there for clarity. And if you have a non-package build, such as one you did yourself from source, both of these (-L and -I) are much more likely. >From: bad_boy_...@hotmail.com >Date: Thu, 23 Aug 2012 22:06:59 -0300 >Hello, I am using the package libssl-dev on ubuntu in my beagleboard xm, >and I have to run two C algorithms using the openSSL library.. > Although I can't compile using the command: gcc test.c -lssl -o test. >It seems the compiler isn't recognizing the "-lssl" command. >Does someone know how to solve this? >Do I have to set some path, or something like that? You haven't obeyed the response Friday asking for the actual error. There are many possible errors and exactly which one you have may point to very different causes and solutions. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Generation ECDHE parameters
Thanks Steve for the response. That was very useful information. Thanks Varma On Thu, Aug 23, 2012 at 6:05 AM, Dr. Stephen Henson wrote: > On Wed, Aug 22, 2012, Varma Dantuluri wrote: > > > Hi > > > > We are in the process of adding support for ECDSA-ECDHE cipher suites and > > hence ECDSA certificates to our server. > > > > Right now, the server does the following: > > > > 1) Assign the ECDSA certificate to the SSL_CTX. > > 2) Set the callback for ECDH parameter generation using > > SSL_CTX_set_tmp_ecdh_callback. > > > > In ssl3_send_server_key_exchange, when this callback is called, the value > > of 'keylength' parameter is always either 512 or 1024. Shouldnt > 'keylength' > > have the curve name or id in the case of ECDH? Are we doing something > wrong > > here? > > > > No, it's a limitation in some versions of OpenSSL. You basically have to > pick > a curve you think the peer will support, P-256 is usually a safe choice. If > the peer doesn't support it then ECDHE will be disabled. You might as as > well > set the curve using SSL_CTX_set_tmp_ecdh instead of the callback. > > This is fixed in the development version of OpenSSL: for that you can just > set > it to automatically use the right curve based on client and server > preferences. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
RE: OpenSSL on beagleboard
>From: owner-openssl-us...@openssl.org On Behalf Of Paulo Roberto >Sent: Monday, 27 August, 2012 20:21 Okay, this time you did post the error. >When I use the command gcc teste.c -lssl -o teste: >/tmp/ccyvrO2i.o: In function `main': >rsa.c:(.text+0x8): undefined reference to `BN_new' BN_* are in libcrypto not libssl. >Another attempt: >ubuntu@omap:~/arquivos$ gcc rsa.c -Wl, -lssl, -lcrypto -o teste >/usr/bin/ld: cannot find : No such file or directory >/usr/bin/ld: cannot find -lssl, >collect2: ld returned 1 exit status That's closer, but you've mixed up two different things. -Wl,x,y -- comma(s) and NO space -- passes "opaque" linker arguments, like -Wl,-Bstatic in a previous response. -lxxx is not opaque (driver knows it) so don't use -Wl . You do want -lssl -lcrypto (space but no comma). >Any idea? If you need both SSL and "low-level" routines like BN_*, use -lssl -lcrypto . If only need low-level, just -lcrypto . If you need both depending on your linker order may matter, in which case -lssl should be first. >I haven't found the libssl.so in my directory /usr/lib. Then that's (probably) not the right location on your Unix/distro. If it is dynamic, on Linux at least, ldd should work. Do ldd `which openssl` and look to see where libssl.* and libcrypto.* are. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: openssl smime verify fails in ASN1_CHECK_TLEN but asn1parse is ok?
On Mon, Aug 27, 2012 at 10:50 PM, Dr. Stephen Henson wrote: > On Mon, Aug 27, 2012, GWu wrote: >> The email is available at >> http://www.buergerkarte.at/mvnforum/mvnforum/viewthread_thread,272#1180 >> (German language forum, but the email - or it's significant parts >> respectively - is easily visble). >> > > Well I'm not surprised Thunderbird and OpenSSL has problems with that. The > signature is malformed. It should contain the digest enclosed in an ASN1 > structure called DigestInfo but it isn't: it just contains the raw digest. Can you give me a hint where to find DigestInfo or the offending raw digest in the result of asn1parse? I can spot messageDigest, which is shown as: 3957:d=7 hl=2 l= 9 prim:OBJECT:messageDigest 3968:d=7 hl=2 l= 22 cons:SET 3970:d=8 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:38BA6AE720F09EFFB46BC8859293743DD13EDBF0 But this looks very similar in a message which verifies successfully. The asn1parse output of another, successfully verified signature also does not contain "DigestInfo". Is DigestInfo a structure inside messageDigest in asn1parse output? If yes, is there a way to display it in structured/readable form? Or did you mean that the content inside of messageDigest is not encoded properly? Thanks for any advice and please excuse my beginner's questions, I'm trying to get a grip on these things ... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
