Re: 2 Server certificates

2014-06-11 Thread Saurabh Pandya
To handle CA cert chain, you can use SSL_CTX_add_extra_chain_cert..

Are you expecting a certificate from the client?

-
Saurabh


On Thu, Jun 12, 2014 at 7:09 AM, Hafedh TRIMECHE 
wrote:

> Hi,
> I would like to implement an OpenSSL server which can handle authentication
> initiated by 2 client certificates issued by 2 CAs:
> Client1 < CA1 < Root1
> and
> Client2 < CA2 < Root2
> Please, how do I achieve mutual authentication using some APIs:
> - X509_STORE_add_cert
> - SSL_CTX_add_extra_chain_cert
> - SSL_CTX_add_client_CA
>
> to avoid the error 14094416 certificate unknown
>
> Regards
>
>
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>


2 Server certificates

2014-06-11 Thread Hafedh TRIMECHE
Hi,
I would like to implement an OpenSSL server which can handle authentication
initiated by 2 client certificates issued by 2 CAs:
Client1 < CA1 < Root1 
and
Client2 < CA2 < Root2
Please, how do I achieve mutual authentication using some APIs:
- X509_STORE_add_cert
- SSL_CTX_add_extra_chain_cert
- SSL_CTX_add_client_CA

to avoid the error 14094416 certificate unknown

Regards





OpenSSL Version 1.0.1i release

2014-06-11 Thread Shanku Roy
The following page mentions known issues with OpenSSL 1.0.1h and OpenSSL
1.0.1i in progress:
 
http://www.openssl.org/news/openssl-1.0.1-notes.html
 
What is the expected timeline for OpenSSL 1.0.1i release? 
 
Thanks


OpenSSL Version 1.0.1i release

2014-06-11 Thread Shanku Roy
The following page mentions known issues with OpenSSL 1.0.1h and OpenSSL
1.0.1i in progress:
OpenSSL: OpenSSL 1.0.1 Release Notes.
What is the expected timeline for OpenSSL 1.0.1i release?
 
Thanks

Re: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

2014-06-11 Thread Viktor Dukhovni
On Wed, Jun 11, 2014 at 03:15:06PM -0400, Salz, Rich wrote:

> You *cannot* just set or clear them all...

Except that SSL_OP_ALL is implicitly recommended, while no options
is the default.  This said, "SSL_OP_ALL" is a compile-time constant,
which is a bit of a nuisance when the run-time library has additional
invisible option bits.

Any future improved alternative interface should use named options
(not bits) and should have an "ALL" name that operates on all the
(runtime) options.

-- 
Viktor.


Re: CVE-2014-0224

2014-06-11 Thread Viktor Dukhovni
On Wed, Jun 11, 2014 at 07:07:09PM +, Scott Neugroschl wrote:

> We are aware of this, and are looking to upgrade.  Does anyone
> have a recommendation as to 0.9.8 vs 1.0.0 (1.0.1 is too bleeding
> edge)?  If you have a recommendation, may I ask what led you to
> choose that path?

I would recommend 1.0.1 (not significantly more bleeding edge than
1.0.0 at this point).  I think more O/S distributions are shipping
with 1.0.1 than 1.0.0.  Even if you compile against 1.0.0, unless
you ship your own library or link statically, you may find your
code running on a platform with 1.0.1, since the ABI version is 1.0.0.

-- 
Viktor.


RE: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

2014-06-11 Thread Salz, Rich
AARGH.

You *cannot* just set or clear them all...

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Salz, Rich
Sent: Wednesday, June 11, 2014 3:04 PM
To: openssl-users@openssl.org
Subject: RE: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

The subtle issue is that some option settings *enable* behavior, and some 
option settings *disable* behavior.  You can just set/clear them all and really 
expect something good to happen.

/r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz



RE: CVE-2014-0224

2014-06-11 Thread Scott Neugroschl

>From Victor:
>On Wed, Jun 11, 2014 at 04:09:47PM +, Scott Neugroschl wrote:

>> I know 0.9.7 is no longer under development, but for various reasons, 
>> I have an app that is still using 0.9.7g.
>> Is 0.9.7g subject to the vulnerability from CVD-0214-0224?

>There are I expect many unresolved issues (even if not the particular one in 
>question) in the long ago un-maintained 0.9.7 release.  So my advice is that 
>if this application is communicating over the public Internet, it needs to be 
>upgraded or retired.

We are aware of this, and are looking to upgrade.  Does anyone have a 
recommendation as to 0.9.8 vs 1.0.0 (1.0.1 is too bleeding edge)?  If you have 
a recommendation, may I ask what led you to choose that path?

Thanks,

ScottN



RE: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

2014-06-11 Thread Salz, Rich
The subtle issue is that some option settings *enable* behavior, and some 
option settings *disable* behavior.  You can just set/clear them all and really 
expect something good to happen.

/r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz



Re: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

2014-06-11 Thread Viktor Dukhovni
On Wed, Jun 11, 2014 at 07:24:05PM +0200, Dimitrios Apostolou wrote:

> Hello list,
> 
> given that I'm developing a custom client-server application that
> communicates via TLS, I decided to zero-out all options since I don't care
> about backwards compatibility and heterogeneous clients like browsers by
> doing:
> 
> SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx));
> 
> Can you think of reasons this might be bad practice? (e.g. openssl changing
> default behaviour in the future unless an option is set)

The options start out "clear" by default.  You would need to call
SSL_CTX_set_options() with a non-zero value (e.g. SSL_OP_ALL) to
have any options set.  Some options are recommended, e.g.

SSL_OP_NO_SSLv2

and possibly even SSL_OP_NO_SSLv3 if you really have no requirement
for legacy interoperability.  You can look over the rest to see
whether you're better off with them enabled or not.

-- 
Viktor.
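As an added illustration of what Viktor and Rich Salz describe above (this is not code from the thread, and it is Python rather than C so that it runs without building against OpenSSL), the block below uses Python's ssl module, whose SSLContext.options is the same SSL_CTX option bitmask. Python's default context already carries SSL_OP_ALL plus several disable-type bits, so SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx)) is not a no-op there: it re-enables TLS compression. The helper names are this example's own; the protocol floor is expressed with minimum_version because current builds manage versions that way rather than through SSL_OP_NO_SSLv3.

```python
"""Added example: what clearing every SSL_CTX option does, seen through
Python's ssl module (SSLContext.options wraps SSL_CTX_get/set/clear_options).
All helper names here are this example's own."""
import ssl

# Options whose bit being SET switches a behaviour OFF.  Clearing them brings
# the behaviour back, which is why "clear everything" is a hardening regression:
# OP_NO_COMPRESSION cleared means TLS compression (CRIME) is available again.
DISABLE_TYPE = {
    "OP_NO_COMPRESSION": ssl.OP_NO_COMPRESSION,
    "OP_NO_TICKET": ssl.OP_NO_TICKET,
}
# Options whose bit being SET switches a behaviour ON.
ENABLE_TYPE = {
    "OP_CIPHER_SERVER_PREFERENCE": ssl.OP_CIPHER_SERVER_PREFERENCE,
}


def option_report(ctx: ssl.SSLContext) -> dict:
    """Map each known option name to whether its bit is currently set on ctx."""
    bits = int(ctx.options)
    return {name: bool(bits & bit)
            for name, bit in {**DISABLE_TYPE, **ENABLE_TYPE}.items()}


def clear_all_options(ctx: ssl.SSLContext) -> int:
    """The thread's idiom, SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx)).

    Every bit that is currently set is cleared; the old mask is returned so the
    caller can see what it just switched off (or on, for disable-type bits)."""
    current = int(ctx.options)
    ctx.options = current & ~current   # clears exactly the bits that were set
    return current


def harden_options(ctx: ssl.SSLContext) -> None:
    """Set the bits deliberately instead of trusting whatever mask was inherited."""
    # Disable-type bit (compression off) and enable-type bit (server picks cipher).
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # The modern equivalent of SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3: a version floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("default  :", option_report(ctx))
    print("cleared  : 0x%x" % clear_all_options(ctx), option_report(ctx))
    harden_options(ctx)
    print("hardened :", option_report(ctx), ctx.minimum_version)
```

Run it and compare the three reports: the "cleared" line shows OP_NO_COMPRESSION reading False, i.e. compression negotiable again, which is the situation Rich Salz's "some options disable behaviour" warning is about. The defensive pattern is the third step: start from the library default, then add the disable-type bits you require by name, rather than zeroing the mask.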


Re: CVE-2014-0224

2014-06-11 Thread Viktor Dukhovni
On Wed, Jun 11, 2014 at 04:09:47PM +, Scott Neugroschl wrote:

> I know 0.9.7 is no longer under development, but for various
> reasons, I have an app that is still using 0.9.7g.
> Is 0.9.7g subject to the vulnerability from CVD-0214-0224?

There are I expect many unresolved issues (even if not the particular
one in question) in the long ago un-maintained 0.9.7 release.  So
my advice is that if this application is communicating over the
public Internet, it needs to be upgraded or retired.

-- 
Viktor.


SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

2014-06-11 Thread Dimitrios Apostolou

Hello list,

given that I'm developing a custom client-server application that 
communicates via TLS, I decided to zero-out all options since I don't care 
about backwards compatibility and heterogeneous clients like browsers by 
doing:


SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx));

Can you think of reasons this might be bad practice? (e.g. openssl 
changing default behaviour in the future unless an option is set)



Thanks,
Dimitris



Re: CVE-2014-0224

2014-06-11 Thread Dr. Stephen Henson
On Wed, Jun 11, 2014, Scott Neugroschl wrote:

> Hi guys,
> 
> I know 0.9.7 is no longer under development, but for various reasons, I have 
> an app that is still using 0.9.7g.
> Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
> 

I think you mean CVE-2014-0224. Yes, it is vulnerable as an SSL/TLS client;
you're advised to fix servers too as a precaution.

It shouldn't be too hard to backport the patches.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


CVE-2014-0224

2014-06-11 Thread Scott Neugroschl
Hi guys,

I know 0.9.7 is no longer under development, but for various reasons, I have an 
app that is still using 0.9.7g.
Is 0.9.7g subject to the vulnerability from CVD-0214-0224?

Thanks,

ScottN




RE: error building openssl-0.9.8za with FIPS

2014-06-11 Thread Zhang, Ping (Unisphere)
Added the command line used and the error.

perl Configure VC-WIN32 no-asm fips no-ec 
--with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll

cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX 
/Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
-DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
-DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED 
-DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE 
-DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA 
-DOPENSSL_NO_ECDH -DOPENSSL_FIPS -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c 
C:\openssl_build\openssl-fips-1.2.4\out32dll/fips_premain.c
fips_premain.c
link /nologo /subsystem:console /opt:ref /dll /fixed /map /base:0xFB0 
/out:out32dll\libeay32.dll /def:ms/LIBEAY32.def 
@C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm8B4.tmp
LIBEAY32.def : error LNK2001: unresolved external symbol BN_consttime_swap

Please note the 3 -D for NO_EC are in the compiler options. 


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Wednesday, June 11, 2014 7:47 AM
To: openssl-users@openssl.org
Subject: Re: error building openssl-0.9.8za with FIPS

On Wed, Jun 11, 2014, Saurabh Pandya wrote:

> Adding further, I already tried the below to build openssl; I had already 
> built the fips libs with the /tmp/_install path
> 
> /config fips --prefix=/tmp/_install 
> --with-fipslibdir=/tmp/_install/lib
> -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH
> 
> It also gives below build error
> ../../include/openssl/ec.h:78:2: error: #error EC is disabled.
> make[2]: *** [ec_lib.o] Error 1
> 

I just tried it with no-ec here and it worked fine, that is:

./config fips no-ec

That's on Ubuntu 12.4.03; I haven't tried it on Windows.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 


Re: Don't build apps?

2014-06-11 Thread Dr. Stephen Henson
On Wed, Jun 11, 2014, Jeffrey Walton wrote:

> I'm working with OpenSSL 1.0.1h. I'm configuring for android-x86.
> 
> setenv-android.sh worked fine, and exported the following:
> 
> export MACHINE=i686
> export RELEASE=2.6.37
> export SYSTEM=android
> export ARCH=x86
> 
> export CROSS_COMPILE="i686-linux-android-"
> export 
> ANDROID_DEV="$ANDROID_NDK_ROOT/platforms/$_ANDROID_API/$_ANDROID_ARCH/usr"
> export HOSTCC=gcc
> 
> $ echo $ANDROID_DEV
> /opt/android-ndk-r9/platforms/android-14/arch-x86/usr
> 
> The configure looks like so:
> 
> $ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine
> --openssldir=/usr/local/ssl/android-14/
> 
> However, compilation is failing because the programs are being
> compiled (more correctly, the missing comp.h):
> 
> $ make
> 
> i686-linux-android-gcc -DMONOLITH -I.. -I../include  -fPIC
> -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -Wa,--noexecstack -mandroid
> -I/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/include
> -B/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/lib -O3
> -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o dhparam.o dhparam.c
> i686-linux-android-gcc -DMONOLITH -I.. -I../include  -fPIC
> -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -Wa,--noexecstack -mandroid
> -I/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/include
> -B/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/lib -O3
> -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o enc.o enc.c
> enc.c:70:26: fatal error: openssl/comp.h: No such file or directory
> compilation terminated.
> make[1]: *** [enc.o] Error 1
> make: *** [build_apps] Error 1
> 
> How do I stop the attempt to compile the programs? What change is made
> to stop building of programs during a cross-compile of, for example,
> Android (arm) and iOS (arm)?
> 

That particular error is a bug. Fixed here:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b66f59adfa281abbc

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: link error building openssl 0.9.8za with FIPS module 1.2.4

2014-06-11 Thread Zhang, Ping (Unisphere)
Added the command line used and the error.

perl Configure VC-WIN32 no-asm fips no-ec 
--with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll

cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX 
/Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
-DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
-DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED 
-DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE 
-DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA 
-DOPENSSL_NO_ECDH -DOPENSSL_FIPS -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c 
C:\openssl_build\openssl-fips-1.2.4\out32dll/fips_premain.c
fips_premain.c
link /nologo /subsystem:console /opt:ref /dll /fixed /map /base:0xFB0 
/out:out32dll\libeay32.dll /def:ms/LIBEAY32.def 
@C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm8B4.tmp
LIBEAY32.def : error LNK2001: unresolved external symbol BN_consttime_swap

Please note the 3 -D for NO_EC are in the compiler options. 

-Original Message-
From: Zhang, Ping (Unisphere) 
Sent: Tuesday, June 10, 2014 11:54 AM
To: 'openssl-users@openssl.org'
Subject: RE: link error building openssl 0.9.8za with FIPS module 1.2.4

Thanks! Got a build with 0610's snapshot.
However, after rebuilding openssl 0.9.8za with no-ec (without rebuilding the 
fips libs), I still see the same error.
-DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Tuesday, June 10, 2014 10:54 AM
To: openssl-users@openssl.org
Subject: Re: link error building openssl 0.9.8za with FIPS module 1.2.4

On Tue, Jun 10, 2014, Zhang, Ping (Unisphere) wrote:

> In the process of upgrading openssl to 0.9.8za: when building with the fips 
> module 1.2.4 lib, it failed with a link error. The same process and fips 1.2.4 
> lib works with 0.9.8y.
> 
> Comparing the code differences between 0.9.8za and 0.9.8y, I noticed 
> BN_consttime_swap() is used in 0.9.8za crypto/ec/ec2_mult.c.
> 
> perl Configure VC-WIN32 no-asm fips
> --with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
> ms\do_ms
> nmake -f ms\ntdll.mak clean
> nmake -f ms\ntdll.mak
> 
> The error I got
> cl /Fotmp32dll\fips_premain_dso.obj 
> -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX 
> /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
> -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
> -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED 
> -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE 
> -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS 
> -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c .\fips\fips_premain.c fips_premain.c
> link /nologo /subsystem:console /opt:ref 
> /out:out32dll\fips_premain_dso.exe 
> @C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm419.tmp
>Creating library out32dll\fips_premain_dso.lib and object 
> out32dll\fips_premain_dso.exp ec2_mult.obj : error LNK2019: unresolved 
> external symbol _BN_consttime_swap referenced in function 
> _ec_GF2m_montgomery_point_multiply
> out32dll\fips_premain_dso.exe : fatal error LNK1120: 1 unresolved 
> externals
> 
> Any recommendation on solutions?
> 

Fixed in the latest snapshots. This problem is mentioned in the release
notes:

https://www.openssl.org/news/openssl-0.9.8-notes.html

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 


Re: ECDSA - Signature verify

2014-06-11 Thread Anant Rao
Hi Matt,

Thanks very much!
I'm glad I'm on the right track in regards to EVP vs EC.

The signature is generated by a client program (also a 'c' program). What
is the format of a signature? How do I find out?

Just to confirm - whether it's ECDSA or RSA, for verification, we just get
the EVP_PKEY data structure filled with the public key correctly and call
in a sequence ending up with a call to EVP_VerifyFinal. Is that correct?

Thanks again!
Anant



On Tue, Jun 10, 2014 at 3:51 PM, Matt Caswell  wrote:

> On 10 June 2014 15:24, Anant Rao  wrote:
> > Hi,
> >
> > Objective in one-line:
> > =
> > Verify a signature, given an ECDSA public key in X509 format.
> >
> >
> > Details:
> > ==
> > I read an X509 cert stored on disk. The following are some of its
> contents:
> >
> > Public Key Algorithm: id-ecPublicKey
> > Public-Key: (256 bit)
> >
> > ...
> > ASN1 OID: prime256v1
> > Signature Algorithm: ecdsa-with-SHA1
> > ...
> >
> >
> > Now, I get some data that is signed by the private key corresponding to
> the
> > above public key/cert and I need to verify it.
> >
> > Here're some pieces of my code:
> >
> > ...
> > EVP_PKEY *pub_key = X509_get_pubkey(cert);  //this is OK
> > ...
> > EVP_VerifyFinal(&c, signature, signature_len, pub_key); //this fails; Why
> > does it fail?
> >
> > The following are the errors from the above VerifyFinal:
> >
> > 140310811899840:error:0D07207B:asn1 encoding
> routines:ASN1_get_object:header
> > too long:asn1_lib.c:150:
> > 140310811899840:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad
> > object header:tasn_dec.c:1306:
> > 140310811899840:error:0D07803A:asn1 encoding
> > routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=ECDSA_SIG
> >
>
> Looks to me like the signature you are passing it is in the wrong
> format. Where did you get it from?
>
>
> >
> > So, after reading this page
> > (http://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography), I
> realized
> > I need to extract the EC_POINT out of the above public key.
>
> No. There is no need to do this. You only need to worry about the low
> level EC stuff if you are not using the EVP interface - which you are.
>
> Matt
>



-- 

   *Anant* *Rao*
Server Lead
D  / a...@noknok.com

 *Nok Nok Labs Inc.*
4151 Middlefield Road, Suite 200
Palo Alto, CA 94303
T +1 650 433 1300
i...@noknok.com

*www.noknok.com* 
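The three ASN.1 errors in Anant's post (header too long, bad object header, nested asn1 error with Type=ECDSA_SIG) are what OpenSSL reports when EVP_VerifyFinal tries to DER-decode the signature as an ECDSA_SIG, that is SEQUENCE { r INTEGER, s INTEGER }, and finds something else. A signer that emits the two scalars concatenated (raw r||s, 64 bytes for prime256v1) produces exactly that failure, which is the "wrong format" Matt suspects. The following is an added example, not code from the thread, written in Python rather than the poster's C so it runs without OpenSSL bindings: it converts between the two encodings, rejects non-minimal DER as a strict decoder should, and classifies a signature blob. The function names and the sample r/s values are this example's own.

```python
"""Added example: ECDSA signature encodings.  OpenSSL's EVP verify path expects
DER  ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }; many other signers
emit the fixed-width concatenation r||s.  Names and sample values are ours."""


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """Minimal positive DER INTEGER: a leading 0x00 only when the top bit is set."""
    if value < 0:
        raise ValueError("ECDSA r and s are never negative")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def raw_to_der(raw: bytes, field_bytes: int) -> bytes:
    """Encode a raw r||s signature (each half field_bytes wide) as ECDSA_SIG DER."""
    if len(raw) != 2 * field_bytes:
        raise ValueError(f"raw signature must be {2 * field_bytes} bytes, got {len(raw)}")
    r = int.from_bytes(raw[:field_bytes], "big")
    s = int.from_bytes(raw[field_bytes:], "big")
    content = _der_integer(r) + _der_integer(s)
    return b"\x30" + _der_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int, expected_tag: int):
    """Return (value, next_pos) for one TLV at buf[pos:], enforcing tag and DER length rules."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"bad object header at offset {pos}: expected tag 0x{expected_tag:02x}")
    pos += 1
    if pos >= len(buf):
        raise ValueError("header too long: length octet missing")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("header too long: bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or length < (1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data")
    return buf[pos:pos + length], pos + length


def _decode_integer(body: bytes, field_bytes: int) -> int:
    """Decode a DER INTEGER body, rejecting negative and non-minimal encodings."""
    if not body:
        raise ValueError("empty INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r or s")
    if len(body) > 1 and body[0] == 0 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    value = int.from_bytes(body, "big")
    if value.bit_length() > 8 * field_bytes:
        raise ValueError("integer does not fit the curve's field size")
    return value   # range checks against the group order are the verifier's job


def der_to_raw(der: bytes, field_bytes: int) -> bytes:
    """Decode ECDSA_SIG DER into fixed-width r||s; raises ValueError on anything else."""
    content, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after ECDSA_SIG")
    r_body, pos = _read_tlv(content, 0, 0x02)
    s_body, pos = _read_tlv(content, pos, 0x02)
    if pos != len(content):
        raise ValueError("unexpected data after s")
    r = _decode_integer(r_body, field_bytes)
    s = _decode_integer(s_body, field_bytes)
    return r.to_bytes(field_bytes, "big") + s.to_bytes(field_bytes, "big")


def detect_format(sig: bytes, field_bytes: int) -> str:
    """Classify a signature blob as 'der', 'raw' (by length only) or 'unknown'."""
    try:
        der_to_raw(sig, field_bytes)
        return "der"
    except ValueError:
        pass
    return "raw" if len(sig) == 2 * field_bytes else "unknown"


if __name__ == "__main__":
    # Constructed prime256v1-sized sample: r starts 0x01, s starts 0x81 (needs a 0x00 pad).
    raw = bytes(range(1, 33)) + bytes(range(0x81, 0xA1))
    der = raw_to_der(raw, 32)
    print(detect_format(raw, 32), detect_format(der, 32), der.hex())
```

Usage: on the C side, a signer built on OpenSSL gets DER for free from i2d_ECDSA_SIG, so the conversion is only needed when the producing side is not OpenSSL. Whichever encoding you settle on, have the verifier accept that one and reject the other; transparently accepting both gives an attacker two valid encodings of every signature, which matters wherever signatures are compared byte-for-byte or used as identifiers.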




 





Re: link error building openssl 0.9.8za with FIPS module 1.2.4

2014-06-11 Thread Dr. Stephen Henson
On Wed, Jun 11, 2014, Zhang, Ping (Unisphere) wrote:

> Added the command line used and the error.
> 
> perl Configure VC-WIN32 no-asm fips no-ec 
> --with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
> 
> cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX 
> /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
> -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
> -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED 
> -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE 
> -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA 
> -DOPENSSL_NO_ECDH -DOPENSSL_FIPS -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c 
> C:\openssl_build\openssl-fips-1.2.4\out32dll/fips_premain.c
> fips_premain.c
> link /nologo /subsystem:console /opt:ref /dll /fixed /map /base:0xFB0 
> /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def 
> @C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm8B4.tmp
> LIBEAY32.def : error LNK2001: unresolved external symbol BN_consttime_swap
> 

Workaround for that is to delete the BN_consttime_swap line from libeay32.def.
It's better to just apply the correct patch for this issue:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0a9b8dd1b4cb15

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: error building openssl-0.9.8za with FIPS

2014-06-11 Thread Saurabh Pandya
Thank you very much for the prompt info.

What could be the end-user effect if I start using openssl with no-ec ?
(sorry for a silly question !!)

-
Saurabh


On Wed, Jun 11, 2014 at 5:17 PM, Dr. Stephen Henson 
wrote:

> On Wed, Jun 11, 2014, Saurabh Pandya wrote:
>
> > Adding further, I already tried the below to build openssl; I had already
> > built the fips libs with the /tmp/_install path
> >
> > /config fips --prefix=/tmp/_install --with-fipslibdir=/tmp/_install/lib
> > -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH
> >
> > It also gives below build error
> > ../../include/openssl/ec.h:78:2: error: #error EC is disabled.
> > make[2]: *** [ec_lib.o] Error 1
> >
>
> I just tried it with no-ec here and it worked fine, that is:
>
> ./config fips no-ec
>
> That's on Ubuntu 12.4.03; I haven't tried it on Windows.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


Re: Don't build apps?

2014-06-11 Thread Stacy Devino
Hey Jeff,

You might want to look at Arne Swabe's ics-openvpn.

https://code.google.com/p/ics-openvpn/

If you are just looking for how to compile for various android chip archs,
he is using an Android.mk file, which is a Makefile that is specific to
Android, but if you know one you can figure out the other.

He also has pretty clean code on the JNI for linking (whichever you would
need in an app).

Be sure to say thanks to him! Buy him a beer if it's helpful!

Stacy Wylie
stacydevino.com
Android and Mobile Design guru
On Jun 11, 2014 1:02 AM, "Jeffrey Walton"  wrote:

> Configuring with no-apps does not work either (even though it states
> it's skipping the directory):
>
> $ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine
> -no-apps --openssldir=/usr/local/ssl/android-14/
> Operating system: i686-whatever-android
> Configuring for android-x86
> no-apps [option]   OPENSSL_NO_APPS (skip dir)
> no-comp [option]   OPENSSL_NO_COMP (skip dir)
> no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip
> dir)
> no-engine   [option]   OPENSSL_NO_ENGINE (skip dir)
> no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
> no-hw   [option]   OPENSSL_NO_HW
> ...
>
> On Wed, Jun 11, 2014 at 1:49 AM, Jeffrey Walton 
> wrote:
> > I'm working with OpenSSL 1.0.1h. I'm configuring for android-x86.
> >
> > setenv-android.sh worked fine, and exported the following:
> >
> > export MACHINE=i686
> > export RELEASE=2.6.37
> > export SYSTEM=android
> > export ARCH=x86
> >
> > export CROSS_COMPILE="i686-linux-android-"
> > export
> ANDROID_DEV="$ANDROID_NDK_ROOT/platforms/$_ANDROID_API/$_ANDROID_ARCH/usr"
> > export HOSTCC=gcc
> >
> > $ echo $ANDROID_DEV
> > /opt/android-ndk-r9/platforms/android-14/arch-x86/usr
> >
> > The configure looks like so:
> >
> > $ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine
> > --openssldir=/usr/local/ssl/android-14/
> >
> > However, compilation is failing because the programs are being
> > compiled (more correctly, the missing comp.h):
> >
> > $ make
> > 
> > i686-linux-android-gcc -DMONOLITH -I.. -I../include  -fPIC
> > -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> > -DHAVE_DLFCN_H -Wa,--noexecstack -mandroid
> > -I/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/include
> > -B/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/lib -O3
> > -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
> > -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
> > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> > -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o dhparam.o dhparam.c
> > i686-linux-android-gcc -DMONOLITH -I.. -I../include  -fPIC
> > -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> > -DHAVE_DLFCN_H -Wa,--noexecstack -mandroid
> > -I/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/include
> > -B/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/lib -O3
> > -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
> > -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
> > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> > -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o enc.o enc.c
> > enc.c:70:26: fatal error: openssl/comp.h: No such file or directory
> > compilation terminated.
> > make[1]: *** [enc.o] Error 1
> > make: *** [build_apps] Error 1
> >
> > How do I stop the attempt to compile the programs? What change is made
> > to stop building of programs during a cross-compile of, for example,
> > Android (arm) and iOS (arm)?
> >
> > Thanks in advance.
>


OWA not verifying emails signed and encrypted by OpenSSL

2014-06-11 Thread Yash Dosi
I am trying to create an android app which can send signed and encrypted
mails using OpenSSL.

So far I am able to send Signed Emails and verify them using both web
browsers and my android apps.

Same is the case with Encryption and Decryption.

But now, when I am trying to send signed+encrypted mails from my android
app, the Exchange server is unable to verify/decrypt the mails sent from my
android app.

When I am trying to open these mails using OWA I get this error:

One or more errors occurred while the message was being loaded. Error:
(0x800ccef6)
The digital signature of this message couldn't be validated because an
error occurred while the message was being loaded.


Encryption and signing code:

*Sign Code:*

public static boolean Java_PKCS7Sign(File inputFile, File outputFile,
        PrivateKey privateKey, X509Certificate certificate, String signingAlgorithm) {
    try {
        String inputFilePath = inputFile.getAbsolutePath();
        String outputFilePath = outputFile.getAbsolutePath();

        // Re-encode the Java certificate as DER and obtain a native X509 reference for it
        byte arr[] = android.security.Credentials.convertToPem(certificate);
        InputStream certIs = new ByteArrayInputStream(arr);
        OpenSSLX509Certificate openSSLcert =
                OpenSSLX509Certificate.fromX509PemInputStream(certIs);
        byte openSSLcertEncoded[] = openSSLcert.getEncoded();
        long signCertRef = NativeCrypto.d2i_X509(openSSLcertEncoded);

        // Native EVP_PKEY reference for the signing key
        OpenSSLKey oKey = OpenSSLKey.fromPrivateKey(privateKey);
        long evpKeyRef = oKey.getPkeyContext();

        //boolean res = PKCS7Sign(signCertRef, pkeyRef, certs, bioRef, flags, a, b)
        long arr1[] = new long[0];   // no additional certificates are included in the signature
        return PKCS7Sign(inputFilePath, signCertRef, evpKeyRef, arr1, outputFilePath);
    } catch (Exception e) {
        e.printStackTrace();
    }

    return false;
}

In the above code PKCS7Sign is a JNI call to OpenSSL. And the flags used
for signing are: int flgs = PKCS7_STREAM | PKCS7_DETACHED |
PKCS7_BINARY ;

*Encrypt Code:*

public static boolean Java_PKCS7encrypt(File inputData, File output,
        X509Certificate[] recipientCertificates, String encryptionAlgorithm) {
    if (!inputData.exists() || !output.exists())
        return false;

    try {
        // Expose the plaintext file to the native side as an OpenSSL BIO
        FileInputStream fis = new FileInputStream(inputData);
        OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(fis);
        long bioRef = NativeCrypto.create_BIO_InputStream(bis);

        // One native X509 reference per recipient certificate
        int certsRefArrLength = recipientCertificates.length;
        long certsRefArr[] = new long[certsRefArrLength];
        for (int i = 0; i < certsRefArrLength; i++) {
            byte arr[] = android.security.Credentials.convertToPem(recipientCertificates[i]);
            InputStream certIs = new ByteArrayInputStream(arr);
            OpenSSLX509Certificate openSSLcert =
                    OpenSSLX509Certificate.fromX509PemInputStream(certIs);
            byte openSSLcertEncoded[] = openSSLcert.getEncoded();
            certsRefArr[i] = NativeCrypto.d2i_X509(openSSLcertEncoded);
        }

        String outputFilePath = output.getAbsolutePath();

        return PKCS7encrypt(bioRef, certsRefArr, outputFilePath, encryptionAlgorithm);

    } catch (FileNotFoundException e) {
        e.printStackTrace();
    } catch (CertificateEncodingException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } catch (Exception e) {
        e.printStackTrace();
    }
    return false;
}

As in the case of sign, PKCS7encrypt is a JNI call to OpenSSL, and the flags
used are:

int flags = PKCS7_STREAM | PKCS7_BINARY;

And cipher used for encryption is cipher = EVP_rc2_40_cbc();

Any pointers about my mistake?
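A practical way to narrow down where the JNI path goes wrong is to produce known-good artifacts with the openssl command-line tool using the same flag semantics (PKCS7_STREAM | PKCS7_DETACHED | PKCS7_BINARY for signing, PKCS7_STREAM | PKCS7_BINARY for enveloping) and compare them with what the Java code emits. The script below is an added example, not code from the original post or from Android's NativeCrypto; it assumes the openssl CLI is on PATH and constructs its own throw-away key, certificate and input.

```shell
#!/bin/sh
# Added example: reference detached/binary PKCS#7 signature and enveloped data
# built with the openssl CLI, then verified and decrypted with the same tool.
set -eu

# Skip (rather than fail) where there is no openssl binary to compare against.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed cert used as signer and recipient.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=pkcs7-test \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Constructed binary input containing CR/LF and NUL bytes: -binary keeps the
# content byte-for-byte instead of applying S/MIME text canonicalisation.
printf 'payload\r\n\000\001\002 bytes' > "$WORK/data.bin"

# Equivalent of PKCS7_STREAM | PKCS7_DETACHED | PKCS7_BINARY with DER output,
# followed by verification against the detached content.
sign_detached() {
    openssl smime -sign -binary -stream -outform DER \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -in "$WORK/data.bin" -out "$WORK/sig.der"
    openssl smime -verify -binary -inform DER -in "$WORK/sig.der" \
        -content "$WORK/data.bin" -CAfile "$WORK/cert.pem" -out /dev/null
}

# Equivalent of PKCS7_STREAM | PKCS7_BINARY for PKCS7_encrypt. The post uses
# EVP_rc2_40_cbc(), i.e. -rc2-40 here: a 40-bit export cipher that OpenSSL 3.x
# only provides via the legacy provider. The reference blob uses AES-128-CBC.
envelope_roundtrip() {
    openssl smime -encrypt -binary -stream -outform DER -aes-128-cbc \
        -in "$WORK/data.bin" -out "$WORK/env.der" "$WORK/cert.pem"
    openssl smime -decrypt -inform DER -in "$WORK/env.der" \
        -recip "$WORK/cert.pem" -inkey "$WORK/key.pem" -out "$WORK/plain.bin"
    cmp -s "$WORK/data.bin" "$WORK/plain.bin"
}

sign_detached
echo "detached signature verified"
envelope_roundtrip
echo "enveloped data decrypted to the original bytes"
```

Feed the same cert, key and input to the JNI code and compare its output with sig.der and env.der (for example with openssl asn1parse -inform DER): a difference in the outer structure points at the flags, while a failure to load the cert or key at all points at the NativeCrypto handle conversion.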


Re: fingerprint calculation depends on fipscanister alone or entire application code?

2014-06-11 Thread Dr. Stephen Henson
On Wed, Jun 11, 2014, Bala Duvvuri wrote:

> Hi All,
> 
> During linking my application with the OpenSSL FIPs, fipsld is invoked to
> embed the digest and during runtime it is calculated and verified during
> FIPS_mode_set.
> 
> Can you help me to understand if digest is calculated only for fipscanister
> module or the entire application code?
> 
> My observation is say my test application file is test.c , if I make any
> change to test.c, I get a different digest even though fipscanister is same.
> 

The digest (actually an HMAC) covers the in-core version of fipscanister.o, i.e.
the code that actually gets loaded from the executable. As a result, the linker
may change some addresses as it links with fipscanister.o, and so changing the
application code may change that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: error building openssl-0.9.8za with FIPS

2014-06-11 Thread Dr. Stephen Henson
On Wed, Jun 11, 2014, Saurabh Pandya wrote:

> Adding further: I already tried the below to build openssl; I already built the fips
> libs with the /tmp/_install path
> 
> /config fips --prefix=/tmp/_install --with-fipslibdir=/tmp/_install/lib
> -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH
> 
> It also gives below build error
> ../../include/openssl/ec.h:78:2: error: #error EC is disabled.
> make[2]: *** [ec_lib.o] Error 1
> 

I just tried it with no-ec here and it worked fine that is:

./config fips no-ec

That's on Ubuntu 12.4.03, not tried it on Windows.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


fingerprint calculation depends on fipscanister alone or entire application code?

2014-06-11 Thread Bala Duvvuri
Hi All,

During linking my application with the OpenSSL FIPS, fipsld is invoked to embed
the digest, and during runtime it is calculated and verified during
FIPS_mode_set.

Can you help me to understand if digest is calculated only for fipscanister 
module or the entire application code?

My observation is, say my test application file is test.c, if I make any change
to test.c, I get a different digest even though fipscanister is the same.

thanks,
Bala


Re: link error building openssl 0.9.8za with FIPS module 1.2.4

2014-06-11 Thread Saurabh Pandya
Hi Stephen,

I understand it got fixed in the development version. I tried it and it's working
fine. But I want to build 0.9.8za with FIPS, and the release notes say it
could be done by compiling OpenSSL without the EC algorithms; can you point
out how I can do that?
-
Saurabh



On Tue, Jun 10, 2014 at 8:23 PM, Dr. Stephen Henson 
wrote:

> On Tue, Jun 10, 2014, Zhang, Ping (Unisphere) wrote:
>
> > In the process of upgrading openssl to 0.9.8za, when building with the fips module
> > 1.2.4 lib, it failed with a link error. The same process and fips 1.2.4 lib
> > works with 0.9.8y.
> >
> > Compared the code difference with 0.9.8za and 0.9.8y, noticed
> BN_consttime_swap() is used in 0.9.8za crypto/ec/ec2_mult.c.
> >
> > perl Configure VC-WIN32 no-asm fips
> --with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
> > ms\do_ms
> > nmake -f ms\ntdll.mak clean
> > nmake -f ms\ntdll.mak
> >
> > The error I got
> > cl /Fotmp32dll\fips_premain_dso.obj
> -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX
> /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN
> -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE
> -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_USE_APPLINK -I. /Fdout32dll
> -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2
> -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5
> -DOPENSSL_FIPS -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c
> .\fips\fips_premain.c
> > fips_premain.c
> > link /nologo /subsystem:console /opt:ref
> /out:out32dll\fips_premain_dso.exe
> @C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm419.tmp
> >Creating library out32dll\fips_premain_dso.lib and object
> out32dll\fips_premain_dso.exp
> > ec2_mult.obj : error LNK2019: unresolved external symbol
> _BN_consttime_swap referenced in function _ec_GF2m_montgomery_point_multiply
> > out32dll\fips_premain_dso.exe : fatal error LNK1120: 1 unresolved
> externals
> >
> > Any recommendation on solutions?
> >
>
> Fixed in the latest snapshots. This problem is mentioned in the release
> notes:
>
> https://www.openssl.org/news/openssl-0.9.8-notes.html
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


Re: error building openssl-0.9.8za with FIPS

2014-06-11 Thread Saurabh Pandya
Adding further: I already tried the below to build openssl; I already built the fips
libs with the /tmp/_install path

/config fips --prefix=/tmp/_install --with-fipslibdir=/tmp/_install/lib
-DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH

It also gives below build error
../../include/openssl/ec.h:78:2: error: #error EC is disabled.
make[2]: *** [ec_lib.o] Error 1


-
Saurabh


On Wed, Jun 11, 2014 at 2:48 PM, Saurabh Pandya 
wrote:

> Hi,
>
> I am trying to build "openssl-0.9.8za" with "openssl-fips-1.2", but with
> no luck. Came to know from the release notes that "openssl-0.9.8za" has known
> compilation issues with FIPS. I got the below statement from the release notes
>
>  "FIPS capable link failure with missing symbol
> BN_consttime_swap. Fixed in 0.9.8zb-dev. Workaround is to compile with
> no-ec: the EC algorithms are not
>  FIPS approved in OpenSSL 0.9.8 anyway. "
>
> I don't want to go with the development version "0.9.8zb-dev", can anybody
> help me out with another option (compile 0.9.8za with no-ec), how can I
> compile with no-ec.
>
> -
> Thanks
> Saurabh
>


error building openssl-0.9.8za with FIPS

2014-06-11 Thread Saurabh Pandya
Hi,

I am trying to build "openssl-0.9.8za" with "openssl-fips-1.2", but with no
luck. Came to know from the release notes that "openssl-0.9.8za" has known
compilation issues with FIPS. I got the below statement from the release notes

 "FIPS capable link failure with missing symbol
BN_consttime_swap. Fixed in 0.9.8zb-dev. Workaround is to compile with
no-ec: the EC algorithms are not
 FIPS approved in OpenSSL 0.9.8 anyway. "

I don't want to go with the development version "0.9.8zb-dev", can anybody
help me out with another option (compile 0.9.8za with no-ec), how can I
compile with no-ec.

-
Thanks
Saurabh


RE: error iin x509v3.h compiled with visual studio

2014-06-11 Thread Eirene Xu
Hi Charles,

I was facing the same problem here. I did not quite get where to add the
'includes' code part.

Can you suggest more detailed steps to take?

I'm using nmake.exe and .mak to build from the visual studio command prompt
(2010).

Thank you.

Eirene

Charles Mills wrote
> The following compiles without error in MS VS 2010 C++. Yes, I know 
> 
> is in there twice: no reason, it just is.
> 
> #include "targetver.h"
> 
> // Watch out! winsock2 and friends has to be ahead of most things
> #include "Ws2tcpip.h"
> // Ws2tcpip always needs Ws2_32.lib. You can put it here or in the linker
> input
> #pragma comment (lib, "Ws2_32.lib")
> #include 
> 
> #include 
> 
> #include 
> 
> #include 
> 
> #include 
> 
> #include 
> 
> #include 
> 
> #include 
> 
> /* _beginthread, _endthread */
> #include 
> 
> #include 
> 
> // #include "Shlwapi.h" for PathRemoveFileSpec; requires Shlwapi.lib
> #include "Shlwapi.h"
> #pragma comment (lib, "Shlwapi.lib")
> 
> #include 
> 
> // SSL
> #include "openssl\ssl.h"
> #include "openssl\crypto.h"
> #include "openssl\err.h"
> #include "openssl\rand.h"
> #include "openssl\x509v3.h"
> 
> targetver.h is #include 
> 
>  which is too long to paste here and
> hopefully not the active ingredient. Probably VS version dependent anyway.
> 
> Charles





--
View this message in context: 
http://openssl.6102.n7.nabble.com/error-iin-x509v3-h-compiled-with-visual-studio-tp9675p50818.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: Installing OpenSSL

2014-06-11 Thread Viktor Dukhovni
On Wed, Jun 11, 2014 at 01:04:14PM +0530, Rahul Godbole wrote:

> Tried this. Still doesn't solve my problem. I still do not see 1.0.1g libs
> being copied to /usr/lib or /usr/lib64.
> 
> I also tried installing from 1.0.1g RPM but the installation failed.
> 
> I already have 1.0.1e installed and want to upgrade to 1.0.1g. Any other
> way out?

A custom build, or vendor package?  Many vendor packages backport
fixes, but don't change the version number, so you need to look
closely at the package changelog to determine what you really have.

-- 
Viktor.


Re: Installing OpenSSL

2014-06-11 Thread Viktor Dukhovni
On Wed, Jun 11, 2014 at 03:17:10AM -0400, Jeffrey Walton wrote:

> > The make install is not installing libcrypto.so, libssl.so and openssl
> > binary into /usr/bin and /usr/lib64. I need it to be installed there.
>
> By default, the library is installed at /usr/local/ssl.

One can override the parent directory with --prefix=/some/path

> ./config shared --openssldir=/usr might do the trick.

./Configure shared --prefix=/usr 

Where target is a named configuration such as "linux-x86_64".

> I don't believe its a recommended practice, though.

Nothing wrong with this if the platform does not include OpenSSL,
however replacing vendor packages in /usr with possibly incompatible
custom builds can create problems.

> lib64/ may give you trouble. You might have to copy from /usr/lib/ to
> /usr/lib64/.

One can also override the name of the "lib" sub-directory:

./Configure shared --libdir=lib64 --prefix=/usr 

though in the case of the "linux-x86_64" target, this is already
the default (at least in the master branch).

Run "./Configure TABLE" and look for the "multilib" parameter for
the relevant entry.  This is automatically appended to "lib" to
form the default "libdir".

-- 
Viktor.


Re: Installing OpenSSL

2014-06-11 Thread Rahul Godbole
Tried this. Still doesn't solve my problem. I still do not see 1.0.1g libs
being copied to /usr/lib or /usr/lib64.

I also tried installing from 1.0.1g RPM but the installation failed.

I already have 1.0.1e installed and want to upgrade to 1.0.1g. Any other
way out?

Thanks
Rahul




On Wed, Jun 11, 2014 at 12:47 PM, Jeffrey Walton  wrote:

> On Wed, Jun 11, 2014 at 2:50 AM, Rahul Godbole 
> wrote:
> > Hi
> >
> > I want to install OpenSSL 1.0.1e on my CentOS 6.4. I downloaded the source
> > and built it by running
> > ./config
> > make
> > make install
> >
> > The make install is not installing libcrypto.so, libssl.so and openssl
> > binary into /usr/bin and /usr/lib64. I need it to be installed there.
> >
> By default, the library is installed at /usr/local/ssl.
>
> ./config --openssldir=XXX allows you to control the directory. I think
> in your case, ./config shared --openssldir=/usr might do the trick. I
> don't believe it's a recommended practice, though.
>
> It might be a better idea to build the library, then copy
> libssl-1.0.1e.so and libcrypto-1.0.1e.so by hand, and then change the
> links for libssl.so and libcrypto.so.
>
> lib64/ may give you trouble. You might have to copy from /usr/lib/ to
> /usr/lib64/.
>
> Jeff
>


Re: Installing OpenSSL

2014-06-11 Thread Jeffrey Walton
On Wed, Jun 11, 2014 at 2:50 AM, Rahul Godbole  wrote:
> Hi
>
> I want to install OpenSSL 1.0.1e on my CentOS 6.4. I downloaded the source
> and built it by running
> ./config
> make
> make install
>
> The make install is not installing libcrypto.so, libssl.so and openssl
> binary into /usr/bin and /usr/lib64. I need it to be installed there.
>
By default, the library is installed at /usr/local/ssl.

./config --openssldir=XXX allows you to control the directory. I think
in your case, ./config shared --openssldir=/usr might do the trick. I
don't believe it's a recommended practice, though.

It might be a better idea to build the library, then copy
libssl-1.0.1e.so and libcrypto-1.0.1e.so by hand, and then change the
links for libssl.so and libcrypto.so.

lib64/ may give you trouble. You might have to copy from /usr/lib/ to
/usr/lib64/.

Jeff