CVE-2013-4353 and CVSS v2 vector with Authentication set to None
Hi,

I am analyzing CVE-2013-4353, and the CVSS vector mentions the Au parameter set to N [1].

From what I understand, the culprit code is called in the Server Finish message of the handshake, which is the last step - by this time the client has authenticated the server (step 3). So why does the CVSS vector mention authentication to be None?

Thanks.
-ag

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Permanent error with binary OpenSSL installed
Dear Open SSL community,

thank you for this opportunity to use open SSL. I will donate adequate only when I can use it.

I installed too newer versions of OpenSSL binaries distributed from http://slproweb.com/products/Win32OpenSSL.html. Great seems to be all OK. But I cannot use the command line openssl. Whatever I want to do appears an error message and the command is not executed:

Unable to load config info from /usr/local/ssl/openssl.cnf .

There is no such file after installation! Even when I pose a copy of the openssl.cfg in the user - application - local data directory renaming it in openssl.cnf, also when I create a folder from /usr/local/ssl/ there or in the installation directory, the error message remains the same. I cannot use this tool therefore, but I need it for certificate request creation.

My command line was about this:

    Installdir\bin\ openssl req -new -newkey rsa:4096 -keyout %SAVEPATH%xxx.pem -out %SAVEPATH%.pem

Can you help me to use this command line? What do I do with the .cnf file, it is actually missing!

Kind regards
Norbert Kailan

ATEL AuTomotive ELectronics
Engineer (Uni) Norbert Kailan
Moltkestr. 24
D - 71116 Gärtringen
Mobile: 0177/1727624
mailto:a...@henatel.de (a...@henatel.com)
http://atel.henatel.de/
http://www.henatel.de/
http://download.henatel.de/
Re: Permanent error with binary OpenSSL installed
On 1/26/2014 12:39 PM, Norbert Kailan wrote:
> Whatever I want to do appears an error message and the command is not executed:
> “Unable to load config info from /usr/local/ssl/openssl.cnf “.
> There is no such file after installation!

Reboot your computer.

This is a known but rare issue that only happens on some Windows machines. The installer attempts to let the system know that the OPENSSL_CONF environment variable has been defined. However, some program in the system fails to respond properly to the message (a ::PostMessage(HWND_BROADCAST, WM_SETTINGCHANGE, ...) call), so the call just hangs in OS land before it reaches the important parts of the Windows subsystem. The bug used to hang the installer when it was a SendMessage() call. I have no idea what program causes it, but since it is so rare, I'm now more inclined that it is some piece of malware that is responsible because the behavior is NOT normal. The broadcast message is the last thing the installer does so that it won't affect anything else regarding the installation.

Rebooting the computer corrects the problem since the OS will reload the system environment variables across all programs as part of that process.

Hopefully this helps.

--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI and Win32 OpenSSL.
http://www.slproweb.com/
Linking errors while building openssl 1.0.1e with gcc-3.4.3 and glibc 2.2.5
Hi,

When I build openssl source code with gcc 3.4.3 and glibc 2.2.5, I get undefined symbol errors. Some of those errors are as follows:

(cryptlib.o)(.text+0x18a): In function `OPENSSL_showfatal':
: undefined reference to `__vfprintf_chk'
(obj_dat.o)(.text+0xf01): In function `OBJ_obj2txt':
: undefined reference to `__stack_chk_fail'
(obj_dat.o)(.text+0x1082): In function `OBJ_create_objects':
: undefined reference to `__ctype_b_loc'
(obj_dat.o)(.text+0x118b): In function `OBJ_create_objects':
: undefined reference to `__stack_chk_fail'
(bn_print.o)(.text+0x393): In function `BN_hex2bn':
: undefined reference to `__ctype_b_loc'
(p5_crpt.o)(.text+0x272): In function `PKCS5_PBE_keyivgen':
: undefined reference to `__memcpy_chk'
(p5_crpt.o)(.text+0x2e3): In function `PKCS5_PBE_keyivgen':
: undefined reference to `__memcpy_chk'
(t_pkey.o)(.text+0xfc7): In function `ECPKParameters_print':
: undefined reference to `__memset_chk'
(t_pkey.o)(.text+0x1061): In function `ECPKParameters_print':
: undefined reference to `__memset_chk'
(x509_cmp.o)(.text+0x384): In function `X509_NAME_cmp':
: undefined reference to `__ctype_tolower_loc'
(x509_cmp.o)(.text+0x3ca): In function `X509_NAME_cmp':
: undefined reference to `__ctype_b_loc'
(pem_lib.o)(.text+0xf1): In function `PEM_def_callback':
: undefined reference to `__fprintf_chk'
(v3_alt.o)(.text+0x396): In function `i2v_GENERAL_NAME':
: undefined reference to `__strcat_chk'
(v3_alt.o)(.text+0x3b1): In function `i2v_GENERAL_NAME':
: undefined reference to `__strcat_chk'
(v3_alt.o)(.text+0x4af): In function `i2v_GENERAL_NAME':
: undefined reference to `__stack_chk_fail'
(v3_skey.o)(.text+0x271): In function `s2i_skey_id':
: undefined reference to `__stack_chk_fail'

Is there a workaround for getting these symbols resolved with gcc 3.4.3 and glibc 2.2.5?

Thanks.