Re: [openssl-users] OpenSSL FIPS test failure starting from version 1.0.2g
Thank you very much, Viktor. It works.

Regards,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/OpenSSL-FIPS-test-failure-starting-from-version-1-0-2g-tp65320p65325.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OpenSSL FIPS test failure starting from version 1.0.2g
Greetings.

I am using OpenSSL 1.0.2f on various platforms including Solaris, Linux, RS6000, ibmplinux, HPIA and Windows. Now I am going to upgrade to OpenSSL 1.0.2g. However, I hit a test failure when building and testing 1.0.2g. The issue occurs on all my platforms except Windows, which I haven't tested, so it is likely a generic problem. The issue didn't occur when I built and tested 1.0.2f, so it may be a regression in 1.0.2g.

It is very straightforward to reproduce the issue. Take platform linux-x86_64 as an example; the repro steps are as follows.

    cd openssl-1.0.2g
    make clean
    ./Configure no-idea no-mdc2 no-rc5 no-ec2m fips -m64 no-asm linux-x86_64
    make depend
    make
    make test        <--- Hit the issue here.

Error message:

    test SSL protocol
    test ssl3 is forbidden in FIPS mode
    *** IN FIPS MODE ***
    Available compression methods: NONE
    46912496310224:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1877:
    46912496310224:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1877:
    test ssl2 is forbidden in FIPS mode
    Testing was requested for a disabled protocol. Skipping tests.
    make[1]: *** [test_ssl] Error 1
    make[1]: Leaving directory `/tzedek_ocsdev/qun/crs/797167/openssl_diff/openssl-1.0.2g.test/test'
    make: *** [tests] Error 2

Does anyone know how to fix the issue?

Thanks in advance,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/OpenSSL-FIPS-test-failure-starting-from-version-1-0-2g-tp65320.html
Re: [openssl-users] How to fix OpenSSL 1.0.1q Windows x86_64 build failure?
Thank you very much, jjf.

Regards,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-fix-OpenSSL-1-0-1q-Windows-x86-64-build-failure-tp62289p62402.html
Re: [openssl-users] How to fix OpenSSL 1.0.1q Windows x86_64 build failure?
Hello,

Does anyone know how to check what is updated in commit 9501418ea2287658d1a11ce888ff97fa49e9164d?

Any help is appreciated.

Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-fix-OpenSSL-1-0-1q-Windows-x86-64-build-failure-tp62289p62344.html
Re: [openssl-users] How to fix OpenSSL 1.0.1q Windows x86_64 build failure?
Hello Viktor,

Thank you very much for your response. I believe you are right.

As I am new to OpenSSL, I don't know how to check what is updated in commit 9501418ea2287658d1a11ce888ff97fa49e9164d. I could not even find the commit in the list: http://git.openssl.org/?p=openssl.git;a=shortlog

I wonder if you could show me what is updated in the commit or let me know how to check it? Your help is appreciated.

Thanks again,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-fix-OpenSSL-1-0-1q-Windows-x86-64-build-failure-tp62289p62336.html
Re: [openssl-users] How to fix OpenSSL 1.0.1q Windows x86_64 build failure?
Hi Jeff,

Thank you for your response.

I got the commit number from here:
http://openssl.6102.n7.nabble.com/Windows-x86-64-build-broken-RE-openssl-users-OpenSSL-version-1-0-1q-released-corrected-download-td61450.html

The commit number was provided by Steve (Dr Stephen N. Henson, OpenSSL project core developer).

Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-fix-OpenSSL-1-0-1q-Windows-x86-64-build-failure-tp62289p62326.html
Re: [openssl-users] How to fix OpenSSL 1.0.1q Windows x86_64 build failure?
Hi,

Does anyone know how to check what is updated in commit 544058202be49a6?

Thanks,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-fix-OpenSSL-1-0-1q-Windows-x86-64-build-failure-tp62289p62291.html
[openssl-users] How to fix OpenSSL 1.0.1q Windows x86_64 build failure?
Hi Steve,

I encountered a Windows OpenSSL build issue when upgrading the OpenSSL used in our product to version 1.0.1q. The error message is as follows.

    NMAKE : fatal error U1073: don't know how to make 'tmp32\applink.obj'

I searched related articles in this forum and found the following post.
http://openssl.6102.n7.nabble.com/Windows-x86-64-build-broken-RE-openssl-users-OpenSSL-version-1-0-1q-released-corrected-download-td61450.html

However, I was not allowed to ask my question there, so I post my question here. Hopefully you can see my question here.

While I have already upgraded OpenSSL on all our supported platforms, this issue blocks me from upgrading on Windows. Under this circumstance, I cannot wait for the next OpenSSL release in which you have fixed the issue. I would need to put your fix into OpenSSL 1.0.1q to complete my upgrade.

Would you please let me know how to fix the issue?

Thanks a lot in advance,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-fix-OpenSSL-1-0-1q-Windows-x86-64-build-failure-tp62289.html
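Two questions run through this thread: how to see what a commit id quoted in a reply actually changed (the replies above ask this for 544058202be49a6 and 9501418ea2287658d1a11ce888ff97fa49e9164d), and how to carry that one fix into an already unpacked 1.0.1q release tree. The script below is an added example, not code from the thread or from the OpenSSL project. It builds a throwaway "upstream" repository and a "tarball" copy so it runs offline; the repository path, the file name Makefile.win, the commit message and the fix content are all constructed stand-ins. Against the real question you would clone the project repository (for example https://github.com/openssl/openssl) and pass the id from the reply.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenSSL): inspect one commit by
# id and backport it into a release directory that is not a git checkout.
set -eu

# --- helpers --------------------------------------------------------------

# Expand an abbreviated id (the thread quotes both a 15-hex and a 40-hex id)
# to the full one; fails if the id is unknown or ambiguous.
full_commit_id() {
    git -C "$1" rev-parse --verify --quiet "$2^{commit}"
}

# Paths touched by the commit, one per line.
commit_files() {
    git -C "$1" diff-tree --no-commit-id --name-only -r "$2"
}

# Author, subject and per-file stat: the "what is updated in this commit" view.
commit_summary() {
    git -C "$1" show --stat --format='commit %H%nAuthor: %an <%ae>%n%n    %s%n' "$2"
}

# Branches that contain the commit.  A fix made on a stable branch is not in
# the default branch's shortlog, which is one way a quoted id is "not found".
branches_containing() {
    git -C "$1" branch --format='%(refname:short)' --contains "$2"
}

# Export exactly one commit as a patch and apply it to a plain directory.
# --check runs first so a failing patch never leaves the tree half-applied.
backport_commit() {
    repo=$1; sha=$2; dest=$3
    patch_file="$dest/backport-$(git -C "$repo" rev-parse --short "$sha").patch"
    git -C "$repo" format-patch -1 --stdout "$sha" > "$patch_file"
    (cd "$dest" && git apply --check "$patch_file" && git apply "$patch_file")
    echo "$patch_file"
}

# --- constructed fixture (stands in for a clone and an unpacked tarball) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
UPSTREAM="$WORK/upstream"
TARBALL="$WORK/openssl-release"
GIT="git -c user.name=example -c user.email=example@example.invalid -c init.defaultBranch=main"

$GIT init -q "$UPSTREAM"
printf 'OBJS=s_server.o\n' > "$UPSTREAM/Makefile.win"      # constructed content
$GIT -C "$UPSTREAM" add Makefile.win
$GIT -C "$UPSTREAM" commit -q -m 'Release snapshot (constructed)'

cp -R "$UPSTREAM" "$TARBALL"
rm -rf "$TARBALL/.git"                                      # a tarball has no history

printf 'OBJS=s_server.o applink.o\n' > "$UPSTREAM/Makefile.win"
$GIT -C "$UPSTREAM" commit -q -am 'Add the missing object to the Windows build (constructed)'
FIX_FULL=$($GIT -C "$UPSTREAM" rev-parse HEAD)
FIX_SHORT=$($GIT -C "$UPSTREAM" rev-parse --short=12 HEAD)

# --- walk-through -----------------------------------------------------------
echo "abbreviated $FIX_SHORT expands to $(full_commit_id "$UPSTREAM" "$FIX_SHORT")"
commit_summary "$UPSTREAM" "$FIX_SHORT"
echo "branches containing it:"
branches_containing "$UPSTREAM" "$FIX_SHORT"
PATCH=$(backport_commit "$UPSTREAM" "$FIX_SHORT" "$TARBALL")
echo "applied $PATCH; the release tree now reads:"
cat "$TARBALL/Makefile.win"
```

Keep the generated .patch file next to the release tree: it records exactly which upstream commit the local build carries, so the next upgrade can drop it once the release includes the fix.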
Re: [openssl-users] OpenSSL 1.0.1q build fails on RS6000, SunSparc and HPIA
Thank you very much, Michael. It works.

Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1q-build-fails-on-RS6000-SunSparc-and-HPIA-tp62001p62018.html
[openssl-users] OpenSSL 1.0.1q build fails on RS6000, SunSparc and HPIA
Hi,

I need to build OpenSSL 1.0.1q on various platforms. At first I could only build 1.0.1q on Windows. After reading the following post, I could build it on various Linux platforms.
http://openssl.6102.n7.nabble.com/OpenSSL-version-1-0-1q-released-corrected-download-td61415.html

However, building 1.0.1q on RS6000, SunSparc and HPIA still fails because 'make depend' doesn't work on these platforms at all. Take RS6000 as an example; the following is the output of 'make depend'.

    $ pwd
    /rahav_ocsdev/qun/OpenSSL/openssl-1.0.1q
    $ make depend
    making depend in crypto...
    make[1]: Entering directory `/rahav_ocsdev/qun/OpenSSL/openssl-1.0.1q/crypto'
    ../util/domd[30]: makedepend: not found
    mv: cannot rename Makefile.new to Makefile: No such file or directory
    make[1]: *** [local_depend] Error 127
    make[1]: Leaving directory `/rahav_ocsdev/qun/OpenSSL/openssl-1.0.1q/crypto'
    make: *** [depend] Error 1

Does anyone know how to solve this issue? Any suggestion is appreciated.

Thanks,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1q-build-fails-on-RS6000-SunSparc-and-HPIA-tp62001.html
Re: [openssl-users] Can OpenSSL applications/utilities use SunSPARC crypto accelerators?
Hello Andy and David,

As the feature owners, would you please give me some tips for how to use the functionality of the feature?

Thanks,
Aaron

The Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
...
  *) Support for SPARC Architecture 2011 crypto extensions, first implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]
...

--
View this message in context: http://openssl.6102.n7.nabble.com/Can-OpenSSL-applications-utilities-use-SunSPARC-crypto-accelerators-tp59163p59351.html
Re: [openssl-users] Can OpenSSL applications/utilities use SunSPARC crypto accelerators?
I read the following description on the Oracle Solaris website (https://blogs.oracle.com/DanX/entry/how_to_tell_if_sparc):

    OpenSSL T4 engine Availability
    The OpenSSL t4 engine is available with Solaris 11 and 11.1. For Solaris 10 08/11 (U10), you need to use the OpenSSL pkcs11 engine. The OpenSSL t4 engine is distributed only with the version of OpenSSL distributed with Solaris (and not third-party or self-compiled versions of OpenSSL).

The following announcement is from OpenSSL.

    Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
    ...
      *) Support for SPARC Architecture 2011 crypto extensions, first implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, SHA256/512, MD5, GHASH and modular exponentiation.
         [Andy Polyakov, David Miller]
    ...

I am confused. I don't know which one is right. I thought the announcement from OpenSSL was right and the description on the Oracle website was obsolete. But my test results could not verify my idea.

Thanks,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/Can-OpenSSL-applications-utilities-use-SunSPARC-crypto-accelerators-tp59163p59218.html
Re: [openssl-users] Can OpenSSL applications/utilities use SunSPARC crypto accelerators?
Hello Misaki,

Thanks for your response. What you pointed out is exactly what I thought previously. However, my test showed that the OpenSSL command line utility 'openssl' built by me from OpenSSL 1.0.2d source code does NOT utilize the crypto accelerator provided in Sun SPARC Solaris 11.1. I tested the default 'openssl' installed in Solaris 11.1 to verify that the machine on which I run my 'openssl' does have the accelerator. I listed my test results in my previous messages.

Now my question is whether I need to build the utility 'openssl' with some special option to utilize the crypto accelerator?

Thanks again,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/Can-OpenSSL-applications-utilities-use-SunSPARC-crypto-accelerators-tp59163p59198.html
Re: [openssl-users] Can OpenSSL applications/utilities use SunSPARC crypto accelerators?
I checked the utility 'openssl' built by me on Solaris 11.1 and the default 'openssl' installed in Solaris 11.1. I noticed that my 'openssl' does NOT have SPARC T4 engine support. This may be the reason why my 'openssl' is much slower. Now the question is how to build 'openssl' to let it have SPARC T4 engine support. I checked the OpenSSL documents, but it seems there are no descriptions regarding this topic.

1) This is the 'openssl' built by me on Solaris 11.1

    ksol1% ./1.0.2d/normal/openssl/bin/openssl engine
    (dynamic) Dynamic engine loading support
    (4758cca) IBM 4758 CCA hardware engine support
    (aep) Aep hardware engine support
    (atalla) Atalla hardware engine support
    (cswift) CryptoSwift hardware engine support
    (chil) CHIL hardware engine support
    (nuron) Nuron hardware engine support
    (sureware) SureWare hardware engine support
    (ubsec) UBSEC hardware engine support
    (gost) Reference implementation of GOST engine

2) This is the default 'openssl' installed in Solaris 11.1

    ksol1% /usr/bin/openssl engine
    (t4) SPARC T4 engine support
    (dynamic) Dynamic engine loading support
    (pkcs11) PKCS #11 engine support

Does anybody know the answer?

Thanks,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/Can-OpenSSL-applications-utilities-use-SunSPARC-crypto-accelerators-tp59163p59179.html
[openssl-users] How to let OpenSSL applications/utilities use SunSPARC crypto accelerators?
Hello OpenSSL folks,

I noticed that the OpenSSL command line utility 'openssl' built on Solaris 11.1 does not use SunSPARC crypto accelerators. From the change log of OpenSSL 1.0.2, I saw the following description.

    Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
    ...
      *) Support for SPARC Architecture 2011 crypto extensions, first implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, SHA256/512, MD5, GHASH and modular exponentiation.
         [Andy Polyakov, David Miller]
    ...

My understanding is that starting from OpenSSL 1.0.2, OpenSSL applications/utilities would use the SunSPARC crypto accelerator on a Solaris 11.1 machine which has the accelerator. However, my tests show there is no difference between the performance of 'openssl' 1.0.1p and that of its 1.0.2d counterpart.

    ksol1% ./1.0.1p/shared64bit/openssl/bin/openssl speed -evp aes-128-cbc
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Doing aes-128-cbc for 3s on 16 size blocks: 19705194 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 64 size blocks: 5257594 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 1361128 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 34 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 43029 aes-128-cbc's in 3.00s
    OpenSSL 1.0.1p-fips 9 Jul 2015
    built on: Thu Jul 9 23:22:11 2015
    options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
    compiler: cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DOPENSSL_BN_ASM_MONT -I/leo_ocsdev/qun/csi/allbuilt/main10/built/ant-generated/fips-sun_svr4/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     105094.37k   112162.01k   116149.59k   117191.00k   117497.86k

    ksol1% ./1.0.2d/shared64bit/openssl/bin/openssl speed -evp aes-128-cbc
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Doing aes-128-cbc for 3s on 16 size blocks: 18777502 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 64 size blocks: 5066291 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 1317102 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 331672 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 40739 aes-128-cbc's in 3.00s
    OpenSSL 1.0.2d-fips 9 Jul 2015
    built on: reproducible build, date unspecified
    options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
    compiler: cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -I/leo_ocsdev/qun/csi/allbuilt/main12/built/ant-generated/fips-sun_svr4/include
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     100146.68k   108080.87k   112392.70k   113210.71k   111244.63k

I built 'openssl' on Solaris 11.1 using the following commands.

    Configure no-idea no-mdc2 no-rc5 no-asm solaris64-sparcv9-cc -KPIC
    make clean
    make
    make test
    make install

When testing the default openssl installed in /usr/bin/ on Solaris 11.1, I saw a much better result below.

    ksol1% /usr/bin/openssl speed -evp aes-128-cbc
    Doing aes-128-cbc for 3s on 16 size blocks: 113798920 aes-128-cbc's in 2.99s
    Doing aes-128-cbc for 3s on 64 size blocks: 48425338 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 14613535 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 3768123 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 488001 aes-128-cbc's in 3.00s
    OpenSSL 1.0.0k 5 Feb 2013
    built on: date not available
    options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
    compiler: information not available
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     608957.43k  1033073.88k  1247021.65k  1286185.98k  1332568.06k

Hence I believe the OpenSSL utility 'openssl' built by me does not use the hardware crypto accelerators at all. I wonder if anyone knows the reason.

Thanks in advance,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-let-OpenSSL-applications-utilities-use-SunSPARC-crypto-accelerators-tp59163.html
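The post above compares three `openssl speed -evp aes-128-cbc` reports by eye. The script below is an added example, not code from the thread or from OpenSSL: it parses that report format, reports whether a 1.0.x binary was built with the assembler implementations (the 1.0.x `compiler:` line carries `-DAES_ASM`, `-DGHASH_ASM` and similar defines when they are), and computes the per-block-size speedup between two builds. That check matters here because the SPARC T4 code paths added in 1.0.2 are assembler implementations, so a tree configured with `no-asm`, as in the Configure line quoted above, cannot use them. The three sample reports are constructed from the numbers posted in the thread (wrapped lines joined, include paths dropped); the function and constant names are the example's own.

```python
"""Added example: parse `openssl speed -evp` reports and compare two builds."""
import re
from dataclasses import dataclass, field

# Sample reports constructed from the figures posted in the thread.
SELF_BUILT_101P = """\
OpenSSL 1.0.1p-fips 9 Jul 2015
built on: Thu Jul 9 23:22:11 2015
options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
compiler: cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     105094.37k   112162.01k   116149.59k   117191.00k   117497.86k
"""

SELF_BUILT_102D_NOASM = """\
OpenSSL 1.0.2d-fips 9 Jul 2015
built on: reproducible build, date unspecified
options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
compiler: cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     100146.68k   108080.87k   112392.70k   113210.71k   111244.63k
"""

SOLARIS_USR_BIN = """\
Doing aes-128-cbc for 3s on 16 size blocks: 113798920 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 488001 aes-128-cbc's in 3.00s
OpenSSL 1.0.0k 5 Feb 2013
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     608957.43k  1033073.88k  1247021.65k  1286185.98k  1332568.06k
"""


@dataclass
class SpeedReport:
    version: str = "unknown"
    compiler: str = ""
    asm_defines: list = field(default_factory=list)
    throughput: dict = field(default_factory=dict)  # cipher -> {block bytes: kB/s}


# A throughput row: a cipher name followed only by "<number>k" columns.
_ROW = re.compile(r"^(\S+)\s+((?:\d+(?:\.\d+)?k\s*)+)$")


def parse_speed(text):
    """Extract version, build flags and the throughput table from one report."""
    rep = SpeedReport()
    sizes = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("OpenSSL "):
            rep.version = line.split()[1]
        elif line.startswith("compiler:"):
            rep.compiler = line[len("compiler:"):].strip()
            # 1.0.x Configure emits -D<ALG>_ASM for each assembler module it builds in.
            rep.asm_defines = re.findall(r"-D(\w+_ASM)\b", rep.compiler)
        elif line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        else:
            m = _ROW.match(line)
            if m and sizes:
                values = [float(v.rstrip("k")) for v in m.group(2).split()]
                rep.throughput[m.group(1)] = dict(zip(sizes, values))
    return rep


def asm_status(rep):
    """'asm', 'no-asm', or 'unknown' when the binary hides its build flags."""
    if not rep.compiler or "not available" in rep.compiler:
        return "unknown"
    return "asm" if rep.asm_defines else "no-asm"


def speedup(fast, slow, cipher="aes-128-cbc"):
    """Throughput ratio fast/slow for every block size both reports share."""
    a, b = fast.throughput[cipher], slow.throughput[cipher]
    return {size: a[size] / b[size] for size in a if size in b}


def compare(fast_text, slow_text, cipher="aes-128-cbc"):
    fast, slow = parse_speed(fast_text), parse_speed(slow_text)
    return {"fast": (fast.version, asm_status(fast)),
            "slow": (slow.version, asm_status(slow)),
            "speedup": speedup(fast, slow, cipher)}


if __name__ == "__main__":
    result = compare(SOLARIS_USR_BIN, SELF_BUILT_102D_NOASM)
    print("fast build:", *result["fast"])
    print("slow build:", *result["slow"])
    for size, ratio in sorted(result["speedup"].items()):
        print(f"{size:>5}-byte blocks: {ratio:5.1f}x")
    print("self-built 1.0.1p:", asm_status(parse_speed(SELF_BUILT_101P)))
```

A ratio of roughly six to twelve times across block sizes, together with a `no-asm` verdict on the slow binary, is the pattern to expect when one build has hardware-backed AES and the other is pure C; a ratio near one between two builds that both report assembler defines points at a capability-detection or engine problem instead.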
Re: [openssl-users] Has the support for SPARC architecture crypto extensions been Implemented?
Some additional information here.

When testing the default openssl installed in /usr/bin/ on Solaris 11, I saw a much better result below. Hence I believe the OpenSSL utility 'openssl' built by me does not use the hardware crypto accelerators at all. Does anyone know the reason?

Thanks,
Aaron

    ksol1% /usr/bin/openssl speed -evp aes-128-cbc
    Doing aes-128-cbc for 3s on 16 size blocks: 113798920 aes-128-cbc's in 2.99s
    Doing aes-128-cbc for 3s on 64 size blocks: 48425338 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 14613535 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 3768123 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 488001 aes-128-cbc's in 3.00s
    OpenSSL 1.0.0k 5 Feb 2013
    built on: date not available
    options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
    compiler: information not available
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     608957.43k  1033073.88k  1247021.65k  1286185.98k  1332568.06k

--
View this message in context: http://openssl.6102.n7.nabble.com/Has-the-support-for-SPARC-architecture-crypto-extensions-been-Implemented-tp58866p59162.html
Re: [openssl-users] Has the support for SPARC architecture crypto extensions been Implemented?
I am doing some tests using the OpenSSL command line utility 'openssl'. My tests show that, regarding the performance of the executable 'openssl', there is no difference between 1.0.1p and 1.0.2d. Here are the test results.

    ksol1% ./1.0.1p/shared64bit/openssl/bin/openssl speed -evp aes-128-cbc
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Doing aes-128-cbc for 3s on 16 size blocks: 19705194 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 64 size blocks: 5257594 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 1361128 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 34 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 43029 aes-128-cbc's in 3.00s
    OpenSSL 1.0.1p-fips 9 Jul 2015
    built on: Thu Jul 9 23:22:11 2015
    options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
    compiler: cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DOPENSSL_BN_ASM_MONT -I/leo_ocsdev/qun/csi/allbuilt/main10/built/ant-generated/fips-sun_svr4/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     105094.37k   112162.01k   116149.59k   117191.00k   117497.86k
    ksol1%

    ksol1% ./1.0.2d/shared64bit/openssl/bin/openssl speed -evp aes-128-cbc
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Doing aes-128-cbc for 3s on 16 size blocks: 18777502 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 64 size blocks: 5066291 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 1317102 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 331672 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 40739 aes-128-cbc's in 3.00s
    OpenSSL 1.0.2d-fips 9 Jul 2015
    built on: reproducible build, date unspecified
    options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)
    compiler: cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -I/leo_ocsdev/qun/csi/allbuilt/main12/built/ant-generated/fips-sun_svr4/include
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     100146.68k   108080.87k   112392.70k   113210.71k   111244.63k
    ksol1%

I built 'openssl' on Solaris 11.1 using the following commands.

    Configure no-idea no-mdc2 no-rc5 no-asm solaris64-sparcv9-cc -KPIC
    make clean
    make
    make test
    make install

Does anyone know how to let OpenSSL applications or utilities use the SPARC crypto accelerator?

Thanks in advance,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/Has-the-support-for-SPARC-architecture-crypto-extensions-been-Implemented-tp58866p59161.html
Re: [openssl-users] Has the support for SPARC architecture crypto extensions been Implemented?
Found this, so the feature has been implemented.

Aaron

    Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
    ...
      *) Support for SPARC Architecture 2011 crypto extensions, first implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, SHA256/512, MD5, GHASH and modular exponentiation.
         [Andy Polyakov, David Miller]

--
View this message in context: http://openssl.6102.n7.nabble.com/Has-the-support-for-SPARC-architecture-crypto-extensions-been-Implemented-tp58866p58867.html
[openssl-users] Has the support for SPARC architecture crypto extensions been Implemented?
Hello OpenSSL folks,

We have a product which is an OpenSSL 1.0.1 application. One of my customers is running my product on his SunSparc Solaris 11 platform which has a Crypto Accelerator. Around the end of last year, he complained to me that OpenSSL doesn't utilize the accelerator at all. I then checked on the OpenSSL website and found the following description.

    Changes between 1.0.1e and 1.0.2 [xx XXX ]

      *) Initial support for PowerISA 2.0.7, first implemented in POWER8. This covers AES, SHA256/512 and GHASH. "Initial" means that most common cases are optimized and there still is room for further improvements. Vector Permutation AES for Altivec is also added.
         [Andy Polyakov]

      *) Add support for little-endian ppc64 Linux target.
         [Marcelo Cerri (IBM)]

      *) Initial support for ARMv8 ISA crypto extensions. This covers AES, SHA1, SHA256 and GHASH. "Initial" means that most common cases are optimized and there still is room for further improvements. Both 32- and 64-bit modes are supported.
         [Andy Polyakov, Ard Biesheuvel (Linaro)]

      *) Improved ARMv7 NEON support.
         [Andy Polyakov]

      *) Support for SPARC Architecture 2011 crypto extensions, first implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, SHA256/512, MD5, GHASH and modular exponentiation.
         [Andy Polyakov, David Miller]

Hence I told him to wait until OpenSSL 1.0.2 was released officially. I promised him I would upgrade the OpenSSL used in my product to 1.0.2, so his crypto accelerator would be utilized.

He came back to me recently as OpenSSL 1.0.2 has been released officially. However, after checking the change logs of 1.0.2, 1.0.2a, 1.0.2b and 1.0.2c, I could not find any description regarding 'Support for SPARC Architecture 2011 crypto extensions'.

My question is whether the support for SPARC architecture crypto extensions has been implemented yet?

Thanks in advance,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/Has-the-support-for-SPARC-architecture-crypto-extensions-been-Implemented-tp58866.html
Re: [openssl-users] The default cipher of executable 'openssl'
> Does your test case result in ECDHE being used when you change only
> the protocol on both ends from ssl3 to tls1?

Yes, I tested and verified this.

Thanks again,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58697.html
Re: [openssl-users] The default cipher of executable 'openssl'
Thanks so much, Viktor.

Hence, this is an expected behavior change. In this case I will update my application.

Aaron.

--
View this message in context: http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58637.html
Re: [openssl-users] The default cipher of executable 'openssl'
Hi Dave,

Thanks for your comments. I am not really familiar with OpenSSL, so some parts of my descriptions may not be very clear.

Right, I am talking about the s_server subcommand. You mentioned that there is no change in this area. However, I can easily show that something has changed using the s_server subcommand. I am using the original OpenSSL code to build my 'openssl', so this change is not from me.

1) 1.0.1l

    ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT

2) 1.0.2

    ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem
    Using default temp DH parameters
    ACCEPT

Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH parameters'. I checked the related code in s_server.c and ssl_conf.c; there are some updates. Some related code is moved from s_server.c to ssl_conf.c. However, I haven't found the root cause of this change.

I encountered a similar issue when upgrading from OpenSSL 1.0.1l to 1.0.1m. I paste my analysis and fix below. After I applied my fix, the issue disappeared.

1) Analysis

File s_server.c was updated in OpenSSL 1.0.1m. Variable 'no_ecdhe' was uninitialized after the update. This causes the condition of the if statement (if (!no_ecdhe) {...}) on line 1682 not to be true. Then ECDHE-RSA-AES256-SHA is not the default temp ECDH parameters of 'openssl s_server' any more.

2) Fix

    diff -wruN openssl-1.0.1m.original/apps/s_server.c openssl-1.0.1m.working/apps/s_server.c
    --- openssl-1.0.1m.original/apps/s_server.c 2015-03-19 06:37:10.0 -0700
    +++ openssl-1.0.1m.working/apps/s_server.c 2015-05-25 01:46:35.0 -0700
    @@ -998,7 +998,7 @@
         int off = 0;
         int no_tmp_rsa = 0, no_dhe = 0, nocert = 0;
     #ifndef OPENSSL_NO_ECDH
    -    int no_ecdhe;
    +    int no_ecdhe = 0;
     #endif
         int state = 0;
         const SSL_METHOD *meth = NULL;

I noticed that the issue in 1.0.2 is not the same as the issue in 1.0.1m. The issue started to appear in 1.0.2 rather than 1.0.2a.

Thanks,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58631.html
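Review bot: `int no_ecdhe = 0;` is the right fix and matches how `no_tmp_rsa`, `no_dhe` and `nocert` are initialized on the line above it; reading the uninitialized value in `if (!no_ecdhe)` is undefined behaviour, so whether ECDHE appears to be disabled depends on the compiler and on whatever happens to be on the stack, which is why the symptom can differ between builds and platforms instead of failing the same way everywhere. Two things to check before carrying this as a local patch: whether a later 1.0.1 release already initializes the variable, so the patch can be dropped at the next upgrade, and that the build is not configured with `no-ecdh`, since the changed line sits inside `#ifndef OPENSSL_NO_ECDH` and is compiled out in that case, leaving the patch without effect.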
Re: [openssl-users] The behavior change of command line utility -- 'openssl'
I wonder if this is an expected behavior change or it is a bug.

Thanks,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58578.html
[openssl-users] The default cipher of executable 'openssl'
Hello,

We are using the executable 'apps/openssl' in our test cases. We upgraded from OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test cases has started to fail. After checking, I noticed that the default cipher of 'openssl' was changed from ECDHE-RSA-AES256-SHA to DHE-RSA-AES256-SHA in OpenSSL 1.0.2. The related description in the OpenSSL 1.0.2 change log is as follows.

      *) Support for automatic EC temporary key parameter selection. If enabled
         the most preferred EC parameters are automatically used instead of
         hardcoded fixed parameters. Now a server just has to call:
         SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
         support ECDH and use the most appropriate parameters.
         [Steve Henson]

My question is how to enable automatic EC temporary key parameter selection? Is it possible to change the default cipher back to ECDHE-RSA-AES256-SHA?

Thanks,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/The-default-cipher-of-executable-openssl-tp58557.html
[openssl-users] Default ciphersuite has changed from 1.0.1l to 1.0.2a?
Hello,

We have an OpenSSL application in which the client calls SSL_connect() to connect to the server. We upgraded the OpenSSL used in our application from 1.0.1l to 1.0.2a recently. When OpenSSL 1.0.1l was used, the ciphersuite the client got was ECDHE_RSA_WITH_AES_256_CBC_SHA. When OpenSSL 1.0.2a is used, we notice that the ciphersuite the client gets has become DHE_RSA_WITH_AES_256_CBC_SHA.

I traced the OpenSSL 1.0.2a source code. Here is the stack trace.

    ssl_get_cipher_by_char()
    ssl3_get_server_hello()
    ssl3_connect()
    SSL_connect()
    ssl23_get_server_hello()
    ssl23_connect()
    SSL_connect()

I noticed that in routine ssl_get_cipher_by_char() the internal cipher name it gets is DHE_RSA_AES256_SHA, which should correspond to DHE_RSA_WITH_AES_256_CBC_SHA.

My question is whether this behavior change is expected?

Thanks in advance,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/Default-ciphersuite-has-changed-from-1-0-1l-to-1-0-2a-tp57937.html
[openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?
Hello,

We are porting our products to Linux-aarch64. Our products are using OpenSSL with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but our products need OpenSSL FIPS as well.

My question is when OpenSSL FIPS will be supported on Linux-aarch64?

Thanks in advance,
Aaron

--
View this message in context: http://openssl.6102.n7.nabble.com/Is-there-any-plan-for-FIPS-to-be-supported-on-Linux-aarch64-tp57389.html
RE: Apache SSL proxy to Weblogic fails
I suspected that Apache and Weblogic fail to agree on the ciphers. The Weblogic logs show its ciphers:

I've been trying to match them using the SSLCipherSuite directive, for example, setting it to

  AES:RC4+RSA:!TLSv1.2:!ECDH:!SPR:!DSS:!PSK:!EXP

but none of the values work.

Best regards,
-a

Aaron Stromas | RSA The Security Division of EMC | Practice Consultant | Identity & Fraud Protection Practice | M – 240 271 64 58 | aaron.stro...@rsa.com

From: owner-openssl-us...@openssl.org On Behalf Of Thulasi Goriparthi
Sent: Tuesday, 23 September, 2014 03:20
To: openssl-users@openssl.org
Subject: Re: Apache SSL proxy to Weblogic fails

On 19 September 2014 22:34, Stromas, Aaron <aaron.stro...@rsa.com> wrote:
> Greetings,
>
> I am looking for help with a problem I've run into using mod_proxy/mod_ssl. The Apache HTTP server on SLES 11 SP3 64 bit, OpenSSL 1.0.1.f acts as SSL proxy to the Weblogic 10.3 running on Redhat. The mod_ssl is configured correctly - it works when proxying SSL connections to non-SSL servers. Also, the certificate on the proxy was issued with extensions allowing it to be used as both SSL client and server. Yet, the Apache proxy fails connection over SSL to the Weblogic's HTTPS port. Below is the excerpt from the Apache error log. Any advice will be greatly appreciated.
>
> TIA
>
> [Thu Sep 18 09:32:14 2014] [debug] mod_proxy.c(1036): Running scheme https handler (attempt 0)
> [Thu Sep 18 09:32:14 2014] [debug] mod_proxy_http.c(1995): proxy: HTTP: serving URL https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2022): proxy: HTTPS: has acquired connection for (appdev2.example.com)
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2078): proxy: connecting https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user to appdev2.example.com:8102
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2236): proxy: connected /auth/logon.jsp?aa_param=user to appdev2.example.com:8102
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2487): proxy: HTTPS: fam 2 socket created to connect to appdev2.example.com
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2619): proxy: HTTPS: connection complete to 10.40.0.224:8102 (appdev2.example.com)
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection to child 0 established (server aaproxiedel1:443)
> [Thu Sep 18 09:32:14 2014] [info] Seeding PRNG with 144 bytes of entropy
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1090): [client 10.40.0.224] SNI extension for SSL Proxy request set to 'appdev2.example.com'
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/connect initialization
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: SSLv2/v3 write client hello A
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/7 bytes from BIO#994fe0 [mem: 9ea880] (BIO dump follows)
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1872): +-+
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1911): | : 15 03 00 00 02 02 28 ..( |
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1917): +-+

Content type 15 is alert.

> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1916): OpenSSL: Read: SSLv2/v3 read server hello A
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read server hello A
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] SSL Proxy connect failed
> [Thu Sep 18 09:32:14 2014] [info] SSL Library Error: 336032784 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection closed to child 0 with abortive shutdown (server aaproxiedel1:443)
> [Thu Sep 18 09:32:14 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 10.40.0.224:8102 (appdev2.example.com)
> [Thu Sep 18 09:32:14 2014] [error] [client 141.1.3.134] proxy: Error during SSL Handshake with remote server returned by /auth/logon.jsp
> [Thu Sep 18 09:32:14 2014] [error] proxy: pass request body failed to 10.40.0.224:8102 (appdev2.example.com) from 141.1.3.134 ()
> [Thu Sep
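The seven bytes in the BIO dump above are a complete TLS record, and the "Content type 15 is alert" remark can be carried through to the end by decoding the rest of the header and body. The following is an added example, not code from this thread, from Apache or from OpenSSL; it depends only on the C standard library, and the struct and function names (tls_record_info, tls_parse_record, tls_version_name, tls_alert_name) are mine. It decodes the record as an alert (0x15) in an SSLv3 (3.0) record with a two-byte body whose level is fatal (2) and whose description is 40, handshake_failure, which is exactly the "sslv3 alert handshake failure" mod_ssl reports two lines later. A truncated or short buffer is rejected rather than silently accepted.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Decoded view of one SSL/TLS record header plus, for alerts, the body. */
struct tls_record_info {
    unsigned char content_type;   /* 0x14 CCS, 0x15 alert, 0x16 handshake, 0x17 app data */
    unsigned char version_major;  /* 3 for SSLv3 and every TLS 1.x */
    unsigned char version_minor;  /* 0 = SSLv3, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2 */
    size_t length;                /* body length taken from the header */
    int is_alert;
    unsigned char alert_level;    /* 1 warning, 2 fatal */
    unsigned char alert_desc;     /* e.g. 40 handshake_failure */
};

/* Parse one record from a captured buffer. Returns 0 on success, -1 when the
 * header is short, the body is truncated, or an alert body is not 2 bytes. */
int tls_parse_record(const unsigned char *buf, size_t len, struct tls_record_info *out)
{
    if (buf == NULL || out == NULL || len < 5)
        return -1;
    memset(out, 0, sizeof(*out));
    out->content_type  = buf[0];
    out->version_major = buf[1];
    out->version_minor = buf[2];
    out->length = ((size_t)buf[3] << 8) | buf[4];
    if (out->length > len - 5)
        return -1;                     /* body not fully present */
    if (out->content_type == 0x15) {   /* alert: exactly level + description */
        if (out->length != 2)
            return -1;
        out->is_alert = 1;
        out->alert_level = buf[5];
        out->alert_desc  = buf[6];
    }
    return 0;
}

/* Human-readable name for the 3.x protocol family, "unknown" otherwise. */
const char *tls_version_name(unsigned char major, unsigned char minor)
{
    if (major != 3) return "unknown";
    switch (minor) {
    case 0:  return "SSLv3";
    case 1:  return "TLSv1.0";
    case 2:  return "TLSv1.1";
    case 3:  return "TLSv1.2";
    default: return "unknown";
    }
}

/* Names for the alert descriptions most often behind a failed proxy handshake. */
const char *tls_alert_name(unsigned char desc)
{
    switch (desc) {
    case 0:  return "close_notify";
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    case 70: return "protocol_version";
    default: return "other";
    }
}

/* The seven bytes from the mod_ssl BIO dump quoted in this thread. */
static const unsigned char weblogic_reply[] = { 0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x28 };

int main(void)
{
    struct tls_record_info r;
    if (tls_parse_record(weblogic_reply, sizeof weblogic_reply, &r) != 0) {
        printf("malformed record\n");
        return 1;
    }
    printf("type=0x%02x version=%s length=%zu\n", r.content_type,
           tls_version_name(r.version_major, r.version_minor), r.length);
    if (r.is_alert)
        printf("alert level=%u (%s) description=%u (%s)\n", r.alert_level,
               r.alert_level == 2 ? "fatal" : "warning", r.alert_desc,
               tls_alert_name(r.alert_desc));
    return 0;
}
```

The version field is worth noting: the server answered in a 3.0 (SSLv3) record even though mod_ssl sent an SSLv2/v3-compatible ClientHello, which fits the later observation in this thread that the Certicom provider behind Weblogic speaks only SSLv3/TLSv1, and a fatal handshake_failure with no ServerHello is what a server sends when it finds no acceptable cipher suite in the offer.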
RE: Apache SSL proxy to Weblogic fails
Hi Lewis,

The Weblogic logs show the following ciphers on startup:

Based on the error, it looks to be a CertiCom SSL provider which supports TLSv1/SSLv3 and SSLv2. I had tried to experiment with SSLCipherSuite but met no success. Last value I attempted was

  ALL:RC4+RSA:+HIGH:+MEDIUM:+LOW:!NULL:+SSLv2:+EXP

This is what I see in the Weblogic log:

  <27112312 SSL3/TLS MAC>
  <27112312 received HANDSHAKE>
  (Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
  at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
  at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
  at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173

Best regards,
-a

Aaron Stromas | RSA The Security Division of EMC | Practice Consultant | Identity & Fraud Protection Practice | M – 240 271 64 58 | aaron.stro...@rsa.com

-----Original Message-----
From: owner-openssl-us...@openssl.org On Behalf Of Lewis Rosenthal
Sent: Friday, 19 September, 2014 14:11
To: openssl-users@openssl.org
Subject: Re: Apache SSL proxy to Weblogic fails

Hi, Aaron...

On 09/19/2014 01:04 PM, Stromas, Aaron wrote:
>
> Greetings,
>
> I am looking for help with a problem I've run into using
> mod_proxy/mod_ssl. The Apache HTTP server on SLES 11 SP3 64 bit,
> OpenSSL 1.0.1.f acts as SSL proxy to the Weblogic 10.3 running on
> Redhat. The mod_ssl is configured correctly - it works when proxying
> SSL connections to non-SSL servers. Also, the certificate on the
> proxy was issued with extensions allowing it to be used as both SSL
> client and server.
>
> Yet, the Apache proxy fails connection over SSL to the Weblogic's
> HTTPS port. Below is the excerpt from the Apache error log. Any
> advice will be greatly appreciated. TIA
>
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL:
> Exit: error in SSLv2/v3 read server hello A
>
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] SSL Proxy
> connect failed
>
> [Thu Sep 18 09:32:14 2014] [info] SSL Library Error: 336032784
> error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure
>
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection
> closed to child 0 with abortive shutdown (server aaproxiedel1:443)
>
> [Thu Sep 18 09:32:14 2014] [error] (502)Unknown error 502: proxy: pass
> request body failed to 10.40.0.224:8102 (appdev2.example.com)
>
> [Thu Sep 18 09:32:14 2014] [error] [client 141.1.3.134] proxy: Error
> during SSL Handshake with remote server returned by /auth/logon.jsp
>
> [Thu Sep 18 09:32:14 2014] [error] proxy: pass request body failed to
> 10.40.0.224:8102 (appdev2.example.com) from 141.1.3.134 ()
>
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2040): proxy: HTTPS:
> has released connection for (appdev2.example.com)
>
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1921): OpenSSL:
> Write: SSL negotiation finished successfully
>
> [Thu Sep 18 09:32:14 2014] [info] [client 141.1.3.134] Connection
> closed to child 2 with standard shutdown (server aaproxiedel1:443)
>

What cipher suites is the server behind the proxy set to accept, and what version of SSL is that server using?

--
Lewis
-
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Apache SSL proxy to Weblogic fails
Greetings,

I am looking for help with a problem I've run into using mod_proxy/mod_ssl. The Apache HTTP server on SLES 11 SP3 64 bit, OpenSSL 1.0.1.f acts as SSL proxy to the Weblogic 10.3 running on Redhat. The mod_ssl is configured correctly - it works when proxying SSL connections to non-SSL servers. Also, the certificate on the proxy was issued with extensions allowing it to be used as both SSL client and server.

Yet, the Apache proxy fails connection over SSL to the Weblogic's HTTPS port. Below is the excerpt from the Apache error log. Any advice will be greatly appreciated.

TIA

[Thu Sep 18 09:32:14 2014] [debug] mod_proxy.c(1036): Running scheme https handler (attempt 0)
[Thu Sep 18 09:32:14 2014] [debug] mod_proxy_http.c(1995): proxy: HTTP: serving URL https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user
[Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2022): proxy: HTTPS: has acquired connection for (appdev2.example.com)
[Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2078): proxy: connecting https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user to appdev2.example.com:8102
[Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2236): proxy: connected /auth/logon.jsp?aa_param=user to appdev2.example.com:8102
[Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2487): proxy: HTTPS: fam 2 socket created to connect to appdev2.example.com
[Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2619): proxy: HTTPS: connection complete to 10.40.0.224:8102 (appdev2.example.com)
[Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection to child 0 established (server aaproxiedel1:443)
[Thu Sep 18 09:32:14 2014] [info] Seeding PRNG with 144 bytes of entropy
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1090): [client 10.40.0.224] SNI extension for SSL Proxy request set to 'appdev2.example.com'
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/connect initialization
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: SSLv2/v3 write client hello A
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/7 bytes from BIO#994fe0 [mem: 9ea880] (BIO dump follows)
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1872): +-+
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1911): | : 15 03 00 00 02 02 28 ..( |
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1917): +-+
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1916): OpenSSL: Read: SSLv2/v3 read server hello A
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read server hello A
[Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] SSL Proxy connect failed
[Thu Sep 18 09:32:14 2014] [info] SSL Library Error: 336032784 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection closed to child 0 with abortive shutdown (server aaproxiedel1:443)
[Thu Sep 18 09:32:14 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 10.40.0.224:8102 (appdev2.example.com)
[Thu Sep 18 09:32:14 2014] [error] [client 141.1.3.134] proxy: Error during SSL Handshake with remote server returned by /auth/logon.jsp
[Thu Sep 18 09:32:14 2014] [error] proxy: pass request body failed to 10.40.0.224:8102 (appdev2.example.com) from 141.1.3.134 ()
[Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2040): proxy: HTTPS: has released connection for (appdev2.example.com)
[Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1921): OpenSSL: Write: SSL negotiation finished successfully
[Thu Sep 18 09:32:14 2014] [info] [client 141.1.3.134] Connection closed to child 2 with standard shutdown (server aaproxiedel1:443)

Best regards,
-a

Aaron Stromas | RSA The Security Division of EMC | Practice Consultant | Identity & Fraud Protection Practice | M - 240 271 64 58 | aaron.stro...@rsa.com
RE: New and bleeding - Install Win64 problems
Call me wimpy, but after six hours of fighting the compiling process, I went with the slproweb binary. New certificates are also in place. Thanks for the help--I'm no longer bleeding!

==
Aaron Bahmer
Director, Instructional Technology
Eastern Wyoming College
http://ewc.wy.edu | (307) 532-8284
1-866-327-8996 (1-866-EAST WYO) x8284

> > -----Original Message-----
> > From: Aaron Bahmer
> > Sent: Monday, April 14, 2014 6:22 PM
> > To: openssl-users@openssl.org
> > Subject: New and bleeding - Install Win64 problems
> >
> > Sorry for the newbie question, but the archives didn't provide me any
> > help. I'm dealing with the heartbleed bug, so updating openssl from
> > 1.0.1e to 1.0.1g on a Windows box where I run Apache/Tomcat.
New and bleeding - Install Win64 problems
Sorry for the newbie question, but the archives didn't provide me any help. I'm dealing with the heartbleed bug, so updating openssl from 1.0.1e to 1.0.1g on a Windows box where I run Apache/Tomcat.

I downloaded the new openssl tarball (albeit with non-matching MD5 signatures) and unpacked it to my server. I then opened the Install.w64 file for guidance. Here's an excerpt where I am working:

>>>
Compiling procedure
---

You will need Perl. You can run under Cygwin or you can download ActiveState Perl from http://www.activestate.com/ActivePerl.

You will need Microsoft Platform SDK, available for download at http://www.microsoft.com/msdownload/platformsdk/sdkupdate/. As per April 2005 Platform SDK is equipped with Win64 compilers, as well as assemblers, but it might change in the future.

To build for Win64/x64:

  > perl Configure VC-WIN64A
  > ms\do_win64a
  > nmake -f ms\ntdll.mak
  > cd out32dll
  > ..\ms\test
>>>

So, I downloaded and installed ActivePerl and installed the Windows SDK for Win 7 and .NET 4. I had to play with the Windows PATH environment variable a bit to get things to work. The "Configure" command seems to work. The ms\do_win64a has a problem on one line:

>> C:\Installers\openssl-1.0.1g>ml64 -c -Foms\uptable.obj ms\uptable.asm
>> 'ml64' is not recognized as an internal or external command,
>> operable program or batch file.

...but I threw caution to the wind and tried to proceed anyhow. The nmake command is where I crash and burn. It seems to get most of the way through, then chokes out with this error message:

>> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\cl.EXE"' : return code '0xc135'

...in researching this, it sounds like I need to run devenv.exe to work within the VS environment and then execute the cl command. However, having only installed the runtime libraries for VS9 and VS10, I don't have a devenv.exe to run.

If I change to the 32bit installation from its instruction file, the nmake command still fails with this same error. Could this still be a path problem? Or???

Thanks.

==
Aaron Bahmer
Director, Instructional Technology
Eastern Wyoming College
http://ewc.wy.edu | (307) 532-8284
1-866-327-8996 (1-866-EAST WYO) x8284
CRYPTO_set_mem_functions() Doesn't Work in Version 1.0.1b
It looks like CRYPTO_set_mem_functions() of OpenSSL 1.0.1e-4.fc18 does not work: CRYPTO_set_mem_functions() indirectly calls CRYPTO_malloc(), which sets "allow_customize = 0;", and so CRYPTO_set_mem_functions() does nothing (it just returns 0 instead of 1).

Gdb trace with a modified _ssl module:

  #0 0x003803463100 in CRYPTO_malloc () from /lib64/libcrypto.so.10
  #1 0x003803542fae in FIPS_drbg_new () from /lib64/libcrypto.so.10
  #2 0x0038035448e1 in FIPS_drbg_health_check () from /lib64/libcrypto.so.10
  #3 0x003803542e88 in FIPS_drbg_init () from /lib64/libcrypto.so.10
  #4 0x0038034cf9d1 in RAND_init_fips () from /lib64/libcrypto.so.10
  #5 0x003803465764 in OPENSSL_init_library () from /lib64/libcrypto.so.10
  #6 0x003803462c61 in CRYPTO_set_mem_functions () from /lib64/libcrypto.so.10
  #7 0x7135bc6c in PyInit__ssl () at /home/haypo/prog/python/default/Modules/_ssl.c:

Has anyone encountered the same issue? Will this be fixed?

Thanks a lot,
Aaron

View this message in context: http://openssl.6102.n7.nabble.com/CRYPTO-set-mem-functions-Doesn-t-Work-in-Version-1-0-1b-tp46745.html
Re: KDF algorithms
Thanks so much for answering my question, Matthew.

View this message in context: http://openssl.6102.n7.nabble.com/KDF-algorithms-tp45762p45779.html
KDF algorithms
Hi All,

I am working on a product using the Certicom KDF function. In fact, we use HU_KDF_IEEE_KDF1_SHA1 and HU_KDF_ANSI_SHA256 only.

The function hu_KDFDerive() has an argument specifying which KDF algorithm to use to compute a cryptographic key. This is referred to as a key derivation algorithm ID. The following constants are defined in hukdf.h:

• HU_KDF_IEEE_KDF1_SHA1 (IEEE 1363-2000 KDF1 based on SHA-1)
• HU_KDF_ANSI_SHA1 (ANSI X9.42/X9.63 KDF based on SHA-1)
• HU_KDF_ANSI_SHA224 (ANSI X9.42/X9.63 KDF based on SHA-224)
• HU_KDF_ANSI_SHA256 (ANSI X9.42/X9.63 KDF based on SHA-256)
• HU_KDF_ANSI_SHA384 (ANSI X9.42/X9.63 KDF based on SHA-384)
• HU_KDF_ANSI_SHA512 (ANSI X9.42/X9.63 KDF based on SHA-512)
• HU_KDF_NIST_ALT1_SHA1 (SP 800-56A)
• HU_KDF_NIST_ALT1_SHA224 (SP 800-56A)
• HU_KDF_NIST_ALT1_SHA256 (SP 800-56A)
• HU_KDF_NIST_ALT1_SHA384 (SP 800-56A)
• HU_KDF_NIST_ALT1_SHA512 (SP 800-56A)

Now my company is going to use OpenSSL instead. I checked OpenSSL and it seems to me that OpenSSL doesn't support these KDF algorithms. My question is - is there any way to implement these algorithms in OpenSSL?

Thanks so much in advance,
Aaron

View this message in context: http://openssl.6102.n7.nabble.com/KDF-algorithms-tp45762.html
Re: nonblocking implementation question
On Thu, May 28, 2009 at 3:32 PM, Victor Duchovni wrote:
> NO! You call
>
>     n = SSL_write(myssl, buffer, len);
>     err = SSL_get_error(myssl, n);
>
> "err" may be SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, in which case
> you must retry the write again later, after there is room.
>
> On success (n>=0), or with WANT_READ/WANT_WRITE, arrange to move data from
> the network bio to the peer and from the peer to the network bio. This
> activity may be asynchronous if you are using non-blocking sockets with
> select/epoll/... in an event loop. In that case you mark the socket for
> read/write interest with appropriate callbacks.

So, in the case of WANT_READ or WANT_WRITE, I interact with the network BIO through BIO_read and BIO_write, and recv()'d data gets dumped into the BIO via BIO_write() and data to be sent should be retrieved via BIO_read()?

In the case I get an epoll-triggered recv() from the socket, do I dump that data into the BIO via BIO_write, and follow that with a SSL_read()?

Once this is all over, I'll write a little piece of example code that could be thrown into a document somewhere - I would be surprised if this wasn't a common bit of misunderstanding for developers.

-Aaron
Re: nonblocking implementation question
On Tue, May 26, 2009 at 5:27 PM, Victor Duchovni wrote:
> On Tue, May 26, 2009 at 05:02:59PM -0400, Aaron Wiebe wrote:
>
>> >> You're looking for a BIO_s_mem.
>> >
>> > No, he is looking for BIO_new_bio_pair(3) and SSL_set_bio(3).

So, apologies for hammering this down, but I'm still a little fuzzy and the documentation is lacking.. This would be in theory how to perform this work:

    ctx = SSL_ctx_new();
    myssl = SSL_new(ctx);
    BIO_new_bio_pair(app_bio, 0, net_bio, 0);
    SSL_set_bio(myssl, app_bio, app_bio);

Now, for a write sequence...

    BIO_write(app_bio, buffer, len);   /* unencrypted */
    BIO_read(net_bio, buf, size);      /* encrypted */
    write(fd, buf, size);

and the same in reverse:

    len = recv(fd, &buf, size);
    BIO_write(net_bio, buf, len);
    len = BIO_read(app_bio, buffer, size);

This is ignoring the obvious semantics involved in various other types of situations, such as renegotiations or other state changes that might be involved.

Am I on the right track? If this makes my BIO calls asynchronous, is the expectation that the other side of the BIO pair will be ready immediately, assuming a clean response?

Thanks again all,

-Aaron
Re: nonblocking implementation question
On Tue, May 26, 2009 at 4:46 PM, Victor Duchovni wrote:
> On Tue, May 26, 2009 at 01:13:33PM -0700, Kyle Hamilton wrote:
>
>> You're looking for a BIO_s_mem.
>
> No, he is looking for BIO_new_bio_pair(3) and SSL_set_bio(3).

And this is where I'm running into confusing bits of information. Bluntly, the documentation that I can find is nearly useless.

Let me put it this way, in pseudocode of how I would like to interact in my perfect world:

    readfunc(int fd)
    {
        /* entry on a "can read" event from the select/poll/etc call */
        len = recv(fd, &buffer, sizeof(buffer));
        if(IsSSL(fd)) {
            if(have_crypted_buffer_already)
                merge_buffer(buffer, encrypted_buffer);
            switch(SSL_decrypt(context, buffer, &decr_buf, &dlen)) {
            case SSL_NOTENOUGHDATA:
                buffer_encrpyted_read(fd, buffer, len);
            case SSL_GOTDATA:
                buffer_decrypted(fd, decr_buf, dlen);
                if(dlen != len)
                    buffer_encrypted_read(fd, buffer+dlen, len-dlen);
            case SSL_NEEDRENEG:
                enqueue(fd, get_ssl_reneg_data(context));
            default:
                break;
            }
        }
    }

(or something..)

Basically, I don't really want any calls to require more than a context that needs to be maintained - I don't want to hand my data off to the API and have to come back to it at some arbitrary later time, having it buffered and/or queued by mechanisms built into the openssl api. I expect the API to do one thing and one thing only: provide me the necessary information to handle an SSL connection. Not handle it for me.

Not sure if I'm asking this well...

-Aaron
nonblocking implementation question
Greetings All,

I've gone through various levels of documentation to see if there is a method available to implement SSL as I have envisioned, but I haven't been able to find what I'm looking for. Perhaps someone here could point me in a good direction...

I'm developing a nonblocking application (backed by several edge-trigger methods, such as epoll/kqueue/etc). I'd like to integrate SSL into the flow, but I'm not fond of pushing the buffering and socket interaction routines into the SSL library. What I would prefer to do is to perform callouts to the ssl library, while maintaining the buffering and socket handling within my application.

Ideally, I'd like to perform the recv() calls, buffer the data myself, and pass it to a function that would be capable of decrypting the data (if a complete encryption block is received) - and provide me appropriate returns to let me know if additional steps are required (such as a renegotiation). I'd also prefer to be able to encrypt the data through a function call, and be able to buffer and deliver that data at my leisure.

In short, I don't really want SSL doing my writing or buffering. I just want the library to do my negotiation and encryption - but by providing me the data I need rather than by writing to the socket.

Does the ability to do this exist? I'm not too fond of fully reverse-engineering SSL itself and using the pure encryption calls, so I'm hoping there exist APIs that will let me take this route. If anyone knows of an implementation out there like this, I'd love to see it.

Thanks!

-Aaron
openssl-0.9.8k.tar.gz
I have saved this file off the openssl site to my documents. I am trying to copy the *.gz file with Secure FX from my documents to the Alpha server using VMS 8.3 and it will not allow me to transfer the file. Any ideas on how I get it there to unzip it?

Thanks,
Chuck
SSL and LDAP
Greetings...

We are trying to sync up the SSL and LDAP configurations and we are having problems with the SSL certificates allowing access when LDAP has locked the account. Do you have any suggestions?

Thanks
Aaron Angel
Openssl
What is the command please to view the entire contents of a certificate?

Thank you,
Chuck

Kyle Hamilton wrote:

ergh. My apologies for not catching that. You're right, it shouldn't matter on the client side.

Okay... going back to basics (I'm sorry if this seems a bit patronizing, I honestly don't intend it to be such), a segfault occurs on a pointer dereference, trying to gain access to memory which is invalid (i.e., the pointer's pointing somewhere it shouldn't). This means that one of your pointers has either been changed in the structure, or the memory that the pointer refers to has been deallocated (and is thus invalid). OpenSSL is just trying to use what's being provided to it, and blindly assuming that what's provided is appropriate and won't get it into trouble.

Do you have the registers available from the core? If %ecx is 0x, you've isolated your problem (something has called ssl_cleanup on the SSL* structure you're using, OR you're passing a NULL pointer to read into -- I'm not sure which argument is being dereferenced there, but since it looks like 32 bytes I'm conjecturing that it's the SSL* structure).

If it's not, you have to take a more global view to the debugging. Since your server is multithreaded, the way that this generally happens is through concurrency issues. (My guess would be that a separate thread is doing cleanup on a live connection.) Have you given OpenSSL the locking functions that it needs in a multithreaded environment? Are you properly locking the session (NOT the SSL* structure, but the application session in your code which contains or references the SSL* structure) before you try to read from it? Are you sure that the session is valid before you start the thread to handle it? Is there a catch-up in the thread which, after being spawned, will take a lock against the session and examine it to ensure that it's still valid before trying to handle it, handle it, and then unlock it enough for other handlers to appropriate as necessary?

Generally speaking, OpenSSL will not cause a SIGSEGV if it's passed valid data and valid pointers. If it's been given the proper locking methods, it will prevent itself from capriciously changing SSL* structure states while another OpenSSL thread is working with them.

-Kyle H

On Fri, Apr 18, 2008 at 5:44 AM, Ion Scerbatiuc <[EMAIL PROTECTED]> wrote:

I'm not creating any MFC applications on linux. The client is for the Windows platform, but as I said I don't think the client matters. I also wrote some client emulation on linux that emulates the behavior of the MFC clients and the server still crashes.
RE: SSL Library Error
The system is 11.11. I'm *pretty* sure everything has been compiled with gcc. I'm compiling apache with gcc, but OpenLDAP and Openssl might have been compiled with something different. The apache install that works was definitely also compiled with gcc and uses the same install of OpenSSL and OpenLDAP. There is no lsof on this system, but I might be able to track down a copy.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Wednesday, September 12, 2007 11:43 AM
To: openssl-users@openssl.org
Subject: RE: SSL Library Error

Hello,

I've missed that this is on hpux11. Very important is what version you have: hpux1100, hpux, hpux1123ia, hpux1123pa, hpux1131ia or hpux1131pa?

> I added --with-ssl=/usr/local to the configure options and
> recompiled. Although mod_ldap is still unhappy, that corrects the
> unresolved symbol error if I launch apache without mod_ldap. However,
> the result is the same problem I've been wrestling with. Piling up
> child processes in a "waiting..." state. This installation has no
> mention in the ldd output of links to the 0.9.8 so it should be, as far
> as I can tell, using ONLY the 0.9.7 system, OS installed Openssl
> libraries.

Check that all software is compiled with gcc or with the HP compiler. If some part (like Apache) is compiled with the HP compiler and another (like OpenSSL) with gcc, then OpenSSL requires libgcc but Apache has no link to this library because libgcc is not used by the HP compiler.

On hpux1100 there is no standard OpenSSL library (and no OpenSSL headers). If you have your Apache running you may check with lsof what shared libraries are used by apache and from what directories.

I think you should be able to perform a clean rebuild of Apache and current OpenSSL.

Depending on the hpux you have, to be sure, you may temporarily rename the link /usr/include/openssl (which sometimes points to /opt/openssl/include/openssl and sometimes is a directory) when you compile your applications, to be sure that the header files are from your specified locations.

If Apache is running, try to connect with 'openssl s_client' with specified protocols (-ssl2, -ssl3, -tls1).

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
RE: SSL Library Error
I added --with-ssl=/usr/local to the configure options and recompiled. Although mod_ldap is still unhappy, that corrects the unresolved symbol error if I launch apache without mod_ldap. However, the result is the same problem I've been wrestling with: piling up child processes in a "waiting..." state. This installation has no mention in the ldd output of links to the 0.9.8, so it should be, as far as I can tell, using ONLY the 0.9.7 system, OS-installed OpenSSL libraries.

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Wednesday, September 12, 2007 9:41 AM
To: openssl-users@openssl.org
Subject: RE: SSL Library Error

Hello,

> Well, I recompiled AGAIN with no mention of the 0.9.8 library in any of
> my environment variables. The resulting httpd binary showed no links to
> the 0.9.8 libraries, just 0.9.7 (the system OS libraries). THIS one
> won't even start. I get an error of:
>
> /usr/lib/dld.sl: Unresolved symbol: __umoddi3 (code) from
> /usr/local/lib/libcrypto.sl

This symbol is in libgcc. Depending on the gcc build, libgcc may be static or dynamic (or both). In this case it looks like the main program is linked statically (or not at all) with libgcc, and when libcrypto.sl is loaded there is no link to this library. You may need to add this dynamic library to the httpd recompilation (or temporarily rename the static version of libgcc).

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
RE: SSL Library Error
Well, I recompiled AGAIN with no mention of the 0.9.8 library in any of my environment variables. The resulting httpd binary showed no links to the 0.9.8 libraries, just 0.9.7 (the system OS libraries). THIS one won't even start. I get an error of:

    /usr/lib/dld.sl: Unresolved symbol: __umoddi3 (code) from /usr/local/lib/libcrypto.sl

Not to mention that in order to get THAT far, I have to comment out the loading of mod_ldap because it throws a much more vague "Unresolved External" error when it tries to load. This system is cursed... CURSED I SAY!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, September 11, 2007 4:12 PM
To: openssl-users@openssl.org
Subject: Re: SSL Library Error

On Tue, Sep 11, 2007 at 03:34:13PM -0400, Aaron Smith wrote:

> Looking at the output of LDD closer, it looks like the httpd binary is
> linked to both libraries. BUT, I don't think this is the cause of the
> problem as the httpd binary that DOES work is ALSO linked this way

Being linked to both libraries is a problem, but even more so if the first library that is loaded does not match the compile-time headers. First escape DLL-hell, then debug other issues. If your LDAP library depends on OpenSSL 0.9.7, you need to link Apache also with 0.9.7. Mixing 0.9.7 and 0.9.8 in the same binary leads to unspecified behaviour.

-- 
Viktor.
RE: SSL Library Error
I'll see if I can figure out what's causing apache to link to 0.9.7. As far as I know, I've got all my environment variables set to look at the 0.9.8 libraries. It seems odd that the original compile would work though.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, September 11, 2007 4:12 PM
To: openssl-users@openssl.org
Subject: Re: SSL Library Error

On Tue, Sep 11, 2007 at 03:34:13PM -0400, Aaron Smith wrote:

> Looking at the output of LDD closer, it looks like the httpd binary is
> linked to both libraries. BUT, I don't think this is the cause of the
> problem as the httpd binary that DOES work is ALSO linked this way

Being linked to both libraries is a problem, but even more so if the first library that is loaded does not match the compile-time headers. First escape DLL-hell, then debug other issues. If your LDAP library depends on OpenSSL 0.9.7, you need to link Apache also with 0.9.7. Mixing 0.9.7 and 0.9.8 in the same binary leads to unspecified behaviour.

-- 
Viktor.
RE: SSL Library Error
Looking at the output of LDD closer, it looks like the httpd binary is linked to both libraries. BUT, I don't think this is the cause of the problem as the httpd binary that DOES work is ALSO linked this way.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, September 11, 2007 1:57 PM
To: openssl-users@openssl.org
Subject: Re: SSL Library Error

On Tue, Sep 11, 2007 at 01:43:50PM -0400, Aaron Smith wrote:

> I apologize in advance if this is not the correct forum for this
> question. I haven't had much luck in the apache forums. I have an
> apache 2.0.55 installation that I'm attempting to recompile on an HP-UX
> 11 system. It has mod_ssl 2.0.66 and I have OpenSSL 0.9.8d installed in
> /opt/openssl098d. The system itself apparently has an older version of
> OpenSSL (0.9.7e) installed in /usr/local. We have apache running on
> this system just fine, but I have to recompile in order to add LDAP
> support. If I take a fresh tarball of apache-2.0.55 and do a configure,
> make, make install, everything completes without error. Doing an LDD of
> the httpd binary shows it linked to the OpenSSL 0.9.8d libraries in
> /opt/openssl098d/lib. The server starts up without issue, but when I
> connect (with apache in debug mode), I get this:

Perhaps you are using headers from one version of OpenSSL and linking with libraries from another. Make sure compile-time and run-time versions match.

-- 
Viktor.
SSL Library Error
I apologize in advance if this is not the correct forum for this question. I haven't had much luck in the apache forums. I have an apache 2.0.55 installation that I'm attempting to recompile on an HP-UX 11 system. It has mod_ssl 2.0.66 and I have OpenSSL 0.9.8d installed in /opt/openssl098d. The system itself apparently has an older version of OpenSSL (0.9.7e) installed in /usr/local. We have apache running on this system just fine, but I have to recompile in order to add LDAP support. If I take a fresh tarball of apache-2.0.55 and do a configure, make, make install, everything completes without error. Doing an LDD of the httpd binary shows it linked to the OpenSSL 0.9.8d libraries in /opt/openssl098d/lib. The server starts up without issue, but when I connect (with apache in debug mode), I get this:

    [Tue Sep 11 10:10:43 2007] [info] Connection to child 2 established (server ourserver.name.scrubbed:8040, client )
    [Tue Sep 11 10:10:43 2007] [info] Seeding PRNG with 136 bytes of entropy
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1512): OpenSSL: read 11/11 bytes from BIO#401a3500 [mem: 401aabb0] (BIO dump follows)
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1459): +------------------------------------------------------------+
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1484): | : 80 67 01 03 01 00 4e 00-00 00 10                  .gN  |
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1490): +------------------------------------------------------------+
    [Tue Sep 11 10:10:43 2007] [info] SSL library error 1 in handshake (server ourserver.name.scrubbed:8040, client )
    [Tue Sep 11 10:10:43 2007] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
    [Tue Sep 11 10:10:43 2007] [info] Connection to child 2 closed with abortive shutdown (server ourserver.name.scrubbed:8040, )

That's if mod_ssl is compiled as a shared module. If I compile it into the httpd binary statically, then each request results in a child process spawning and sitting in the "Waiting" mode. They pile up and pile up until they eventually drive the server load up to really high levels.

One oddity I notice is that even though I set every environment variable I know of (SHLIB_PATH, LD_LIBRARY_PATH, CPPFLAGS, LDFLAGS) to point to /opt/openssl098d/lib, the apache server-status lists OpenSSL 0.9.7e (the local system install). The other thing is that a few months ago, I was working on the same issue and managed to compile a version of apache in a parallel directory using the same configure commands (I believe) as now, and that install works perfectly!! I'm thinking it's something strange with my current build environment but am uncertain where else to look. Where could apache be picking up that other SSL library?
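The 11 bytes mod_ssl dumped before reporting "unknown protocol" can be decoded by hand. The following is an added example, not part of the original post or of mod_ssl: it parses the SSLv2-format CLIENT-HELLO header that OpenSSL's protocol sniffing (the SSL23 code named in the error) inspects, and checks that the length fields are self-consistent. The plain-HTTP sample is constructed to show what a client that really is "speaking not SSL to HTTPS port" would look like.

```python
# Added example: decode the bytes in the BIO dump above. Not code from the
# page or from mod_ssl/OpenSSL.

# The bytes exactly as they appear in the log line above.
LOGGED_HELLO = bytes.fromhex("80 67 01 03 01 00 4e 00 00 00 10")

# Constructed: what a plain-HTTP client sends to the HTTPS port.
PLAIN_HTTP = b"GET / HTTP/1.0\r\n"


def sniff_record(data):
    """Classify the first bytes on the wire the way a protocol sniffer does.

    SSLv2-format records set the high bit of byte 0 and carry the message
    type in byte 2; SSLv3/TLS records start with content type 0x16
    (handshake) followed by a 0x03 major version byte.
    """
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-format CLIENT-HELLO"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "sslv3/tls handshake record"
    return "not ssl"


def parse_v2_client_hello(data):
    """Parse the fixed 11-byte prefix of an SSLv2-format CLIENT-HELLO.

    Layout: 2-byte record header (high bit set, 15-bit length), then
    msg type (1 byte), version (2), cipher-specs length (2), session-id
    length (2), challenge length (2). Cipher specs are 3 bytes each.
    """
    if len(data) < 11:
        raise ValueError("need at least 11 bytes")
    if not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    record_len = ((data[0] & 0x7F) << 8) | data[1]
    if data[2] != 0x01:
        raise ValueError("not a CLIENT-HELLO (msg type %d)" % data[2])
    version = (data[3], data[4])            # (3, 1) = client offers up to TLS 1.0
    cs_len = int.from_bytes(data[5:7], "big")
    sid_len = int.from_bytes(data[7:9], "big")
    chal_len = int.from_bytes(data[9:11], "big")
    if cs_len % 3:
        raise ValueError("cipher-specs length must be a multiple of 3")
    # type + version + three 2-byte lengths = 9 bytes, then the variable parts;
    # the total must equal the record length from the header.
    body_len = 9 + cs_len + sid_len + chal_len
    return {
        "record_length": record_len,
        "version": version,
        "cipher_spec_count": cs_len // 3,
        "session_id_length": sid_len,
        "challenge_length": chal_len,
        "consistent": body_len == record_len,
    }


if __name__ == "__main__":
    print(sniff_record(LOGGED_HELLO), parse_v2_client_hello(LOGGED_HELLO))
    print(sniff_record(PLAIN_HTTP))
```

The logged bytes decode as a self-consistent v2-compatible hello (103-byte record, version 3.1, 26 cipher specs, no session id, 16-byte challenge), i.e. a normal browser opening, so the log's "speaking not SSL" guess does not fit the data; that sits with Viktor's point that the problem is on the server's library side.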
Custom oid in openssl.cnf
A quick question for everyone... In the openssl.cnf, by default there is a new_oids section with a testoid line to serve as an example. So if I have a uniquely assigned oid, can I just remove the # on the testoid1 line? I recall reading someone mentioning using a line of dc=(oid number) instead. Which one is correct?
Re: Recall: do_cipher function
Recalling emails doesn't work on the internet.

On 5/1/07, Bhat, Jayalakshmi Manjunath <[EMAIL PROTECTED]> wrote:
> Bhat, Jayalakshmi Manjunath would like to recall the message, "do_cipher function".

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
Re: openssl tool vs. EVP API missmatch for desx & des-ede3-cbc
crap... hit send not save... rest of the email is below

On 4/30/07, Aaron Turner <[EMAIL PROTECTED]> wrote:
> I'm having a problem under OS X (10.4.9/Intel) where OpenSSL 0.9.8e (compiled from source) is returning different encrypted values using the cli (openssl enc) and the EVP interface for desx and des-ede3-cbc.

    echo -n "Why doesn't this work?" | openssl enc -iv 0B0B0B0B0B0B0B0B -K \
    0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A -des-ede3-cbc -a
    cUT/lE4Zmui1FCqVUAosCd1nmwQ1gNd1

but using the EVP API I get:

    NDHoSSaYJvwx09SoYm87iZmDbcU6Ew==

openssl enc for desx using the same parameters as above:

    1qLukPtJ6f4p4KsulWiJDomyVA67zkX2

EVP API for desx:

    cUT/lE4Zmui1FCqVUAosCd1nmwQ1gNd1

Notice that the EVP desx == openssl enc for des-ede3-cbc! I've tested the results for all the other DES modes as well as AES, RC2, 4, 5, Blowfish, and CAST5 and they all match as I would expect, so it doesn't seem to be an issue with how I'm using the EVP API. Suggestions?

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
openssl tool vs. EVP API missmatch for desx & des-ede3-cbc
I'm having a problem under OS X (10.4.9/Intel) where OpenSSL 0.9.8e (compiled from source) is returning different encrypted values using the cli (openssl enc) and the EVP interface for desx and des-ede3-cbc.

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
Openssl root and subordinate, CA creation problem
I've set up an openssl root and a subordinate CA. I have successfully signed a CA certificate for the subordinate from the root (used the -newreq option); however, when I execute 'ca.pl -newca' it doesn't set up the subordinate authority at all. When it asks for the CA certificate filename, I point it to the signed certificate but it immediately terminates after that without giving any errors. I could just hit enter but then that would make the subordinate think it needs to self-sign its certificates. Do I have my steps mixed up?
Newca error, -create_serial
Let me preface first by saying I did see some previous users had this problem also. I've even gone so far as to completely wipe the system and start fresh only to have the same issue. Running a FreeBSD 6.2 server with OpenSSL 0.9.8d. After I do the installation, I execute the CA.pl -newca option. After I enter the information, it gives me the "unknown option -create_serial" error. I'm using the root account on this machine to keep it simple, which defaults to csh. By default the openssl installation has placed it in the /usr/local/ssl directory, so I added /usr/local/ssl/misc to the PATH in .cshrc and still receive the same error. Any suggestions?
RE: OpenSSL with Windows subordinates
Wonderful! I redid the root CA setup using ca.pl, modified the openssl.cnf file to CA:TRUE in the v3_ca section, and signed the subordinate request using the previous command:

    ca -config /path/openssl.cnf -out thecertificate.pem -in requestfile.req -extensions v3_ca

I imported the pem file for the subordinate, and also the root cert, and the Windows services started up just fine. I was also able to verify its functionality by requesting some user certs from it. Is there much difference between signing with the openssl command above and the ca.pl perl script? It seems to me it is mainly helpful for automating the process.

One last question if you don't mind. I noticed the keysize for my subordinate is 1024 bits. Where can I indicate the keysize when signing the request? In the openssl.cnf file I used, I have 4096 listed in the req section, but does this need to be placed elsewhere? It didn't work when I placed it in the v3_ca section.

Thanks,
Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 15:47
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

Yes the root CA has basicConstraints CA:FALSE on it which is causing the error.

I'd suggest you redo the root CA and the subordinate using CA.pl: CA.sh is an older script that isn't maintained any more. The command CA.pl -signCA automatically signs a request as a CA instead of an end entity cert.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: OpenSSL with Windows subordinates
I think I see what you're getting at now. I reviewed the text of the root and the subordinate certs; the root does NOT have the CA:TRUE (false obviously), the subordinate does have CA:TRUE. So I guess this tells me I must have installed the root CA incorrectly. I didn't use CA.pl, but rather CA.sh. I'll list each step I did to set up OpenSSL and the root.

1. ./config
2. make
3. make test
4. make install
5. ./CA.sh -newca
6. ./CA.sh -sign

It sounds like I'll probably need to redo the root setup, but let me know if there is an adjustment I need to make based on how many tiers I want to set up in the overall PKI. I'll also email you copies of the certificates separately.

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 12:34
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

If you used the CA.pl script to generate the certificates it should just "do the right thing". The standard openssl.cnf has some sensible defaults which should suit most purposes. That includes using basicConstraints for a CA certificate.

If you've used other commands (all manner of weird stuff is recommended by some cookbooks) then the certificates may not suit your purpose.

If you do:

    openssl x509 -in cert.pem -text -noout

you should see the basicConstraints extension. It must have CA:TRUE for both the root CA and the subordinate.

If that doesn't help just post (or mail me privately) with the two certificates you have created.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: OpenSSL with Windows subordinates
Yes I did. I had to install that yesterday also in order for the subordinate to trust the root. I was reading on the web site (specifically on this web page: http://www.openssl.org/docs/apps/x509v3_config.html# ). It would seem to indicate one should modify the basicConstraints lines in the openssl.cnf file, but again I am not terribly familiar with this option. The only things I have modified in my openssl.cnf file so far are the lines to include email address, location, directory structure, changed policy fields to optional, and the key size. If I am understanding this correctly, the OpenSSL root issued the certificate as a simple 'machine' cert, not as a subordinate CA. Am I on the right track?

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 11:55
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

On Thu, Dec 28, 2006, Aaron Barnes wrote:

> I think we're making some progress with resolving this problem. I
> signed a new request with the switch you mentioned and loaded it onto
> the subordinate. I don't receive the old ASN1 error, which is good,
> but now I've received one I've never seen before, "A certificate's
> basic constraint extension has not been observed." Does this mean I
> may have something configured incorrectly in the openssl.cnf file?

Did you install a root CA onto that system too? If so that might be a problem depending on how you created it.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: OpenSSL with Windows subordinates
I think we're making some progress with resolving this problem. I signed a new request with the switch you mentioned and loaded it onto the subordinate. I don't receive the old ASN1 error, which is good, but now I've received one I've never seen before, "A certificate's basic constraint extension has not been observed." Does this mean I may have something configured incorrectly in the openssl.cnf file? One bit of good news though is that I no longer have to export the certificate into .der format; the .pem file worked just fine.

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, December 27, 2006 15:04
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

Yes the signing command is incorrect. By default the certificate is an end entity certificate for OpenSSL not a CA certificate. Try the command line switch:

    -extensions v3_ca

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: OpenSSL with Windows subordinates
With Windows certificate services, upon installation it will ask you to select the type of CA the server is to become from 4 different options. I've chosen an enterprise online CA, however its parent is offline, so of course I cannot make an online certificate request. I saved the actual certificate request as a .der file (Windows defaults to .req I believe) and copied it to the OpenSSL parent box. Perhaps my signing command was in error. I used:

    ca -config /pathtoconfigfile/openssl.cnf -out thecertificate.pem -in windowsrequestfile.der

When installing the subordinate's certificate, it does not like .pem files...which doesn't really surprise me. The available options are .cer, .crt, .p12, .pfx and .p7b. I was using pkcs12 as it indicated there was an available export option for that command. When I tried to use the .pem file it would give me the error "The certificate is not a CA certificate". I also executed the command you suggested and tried installing the .der file; it gives the same error.

Regards,
Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, December 27, 2006 11:24
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

The private key resides on the Windows machine and doesn't leave it which is as it should be. A PKCS#12 file is only really used when the private key and matching certificate are present.

You really need to just install the certificate and have Windows associate the key with it. How you do that depends on exactly what you did in Step #1. You may be able to just install the newcert.pem file or you can convert it to DER using:

    openssl x509 -in newcert.pem -outform DER -out newcert.der

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
OpenSSL with Windows subordinates
I have an OpenSSL CA running on a BSD 6.1 machine as the root, and am trying to have that act as the parent to subordinate Windows online enterprise CAs. The installation went fine. I signed the Windows subordinate CA cert request with OpenSSL, then converted it to pkcs12 to be installed. That's where I get the problem. When I try to install the pkcs12 cert on the Windows machine, it doesn't like it, giving me an "ASN1 unexpected end of data". I suspect that possibly it is because it isn't seeing the private key when OpenSSL converts to pkcs12. I was actually only able to get the .pem -> .p12 conversion to work by using the -nokeys option. So let me walk you through each step.

1. Received Windows CA generated request file (.der).
2. Signed it using "ca -config blahblah/openssl.cnf -in windowsreqfile.der -out newcert.pem"
3. Converted it using "pkcs12 -export -in newcert.pem -out newercert.p12 -nokeys"

So as I said I could only get the conversion command to work using the -nokeys option. If I didn't, it would error out on me saying "unable to load private key". This tells me I may have missed a step in the signing process, but I'm unsure what exactly. Do I need to execute another command after step 2 to output a separate private key file? Shouldn't the private key be included in the .pem file in step 2?
RE: Wierd Linking issue with 0.9.8d
Ah! Excellent! That did indeed correct that annoying error. Thank you.

Aaron Smith [EMAIL PROTECTED]
System Administrator (269) 337-7496
Kalamazoo College

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Thursday, December 21, 2006 10:36 AM
To: openssl-users@openssl.org
Subject: Re: Wierd Linking issue with 0.9.8d

Hello,

> So I downloaded a copy of OpenSSL 0.9.8d to my HP-UX
> system, did a ./config -prefix=/opt/openssl098d shared, make, make
> test, make install and all worked well. However, I've run into a
> problem while compiling other pieces of software that use OpenSSL
> (such as Apache's mod_auth_ldap module) where it's trying to find
> "./libcrypto.sl.0.9.8". Yes, there's a "../" on there. If I run ldd
> on libssl.sl.0.9.8, it shows:
>
> # /usr/ccs/bin/ldd libssl.sl.0.9.89
> /usr/lib/libdld.2 =>    /usr/lib/libdld.2
> /usr/lib/libc.2 =>      /usr/lib/libc.2
> /usr/lib/libdld.2 =>    /usr/lib/libdld.2
> ../libcrypto.sl.0.9.8 => ../libcrypto.sl.0.9.8
> /usr/lib/libdld.2 =>    /usr/lib/libdld.2
>
> I can get things to compile by copying that libcrypto library into
> whatever local directory it happens to be trying to compile in, but
> that's a dirty hack and I suspect that this is the cause of me not
> being able to run those resultant binaries (they throw errors about
> unresolved symbols like ap_set_flag_slot and apr_pool_cleanup_null).
> What did I do wrong with the install here to cause this to happen?

Nothing, sometimes on hpux this works this way. To change this you may, after "make install", change the definition of the SHLIBDEPS variable in the main Makefile in the line:

    $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \

to:

    SHLIBDEPS='/opt/openssl098d/lib/libcrypto.sl.0.9.8'

and next:

    # ldd libssl.sl.0.9.8
    # rm libssl.sl.0.9.8
    # make libssl.sl.0.9.8
    # ldd libssl.sl.0.9.8
    # cp libssl.sl.0.9.8 /opt/openssl098d/lib

This will change "./" to "/opt/openssl098d/lib". Next dirty hack.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
Wierd Linking issue with 0.9.8d
So I downloaded a copy of OpenSSL 0.9.8d to my HP-UX system, did a ./config -prefix=/opt/openssl098d shared, make, make test, make install and all worked well. However, I've run into a problem while compiling other pieces of software that use OpenSSL (such as Apache's mod_auth_ldap module) where it's trying to find "./libcrypto.sl.0.9.8". Yes, there's a "./" on there. If I run ldd on libssl.sl.0.9.8, it shows:

    # /usr/ccs/bin/ldd libssl.sl.0.9.89
    /usr/lib/libdld.2 =>    /usr/lib/libdld.2
    /usr/lib/libc.2 =>      /usr/lib/libc.2
    /usr/lib/libdld.2 =>    /usr/lib/libdld.2
    ./libcrypto.sl.0.9.8 => ./libcrypto.sl.0.9.8
    /usr/lib/libdld.2 =>    /usr/lib/libdld.2

I can get things to compile by copying that libcrypto library into whatever local directory it happens to be trying to compile in, but that's a dirty hack and I suspect that this is the cause of me not being able to run those resultant binaries (they throw errors about unresolved symbols like ap_set_flag_slot and apr_pool_cleanup_null). What did I do wrong with the install here to cause this to happen?

----
Aaron Smith [EMAIL PROTECTED]
System Administrator (269) 337-7496
Kalamazoo College
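Both the relative "./libcrypto.sl.0.9.8" dependency in this thread and the "DLL-hell" Viktor warns about in the SSL Library Error thread above (one httpd pulling in OpenSSL 0.9.7 and 0.9.8 at once) show up in ldd output, so they can be checked mechanically before a rebuild. The following is an added example, not code from either thread: LDD_PAGE is the ldd output quoted above; LDD_MIXED is constructed to show the mixed-version case. The regex assumes HP-UX ".sl" or ELF ".so" naming.

```python
import re

# Added example, not code from either thread. LDD_PAGE is the ldd output
# quoted in this thread; LDD_MIXED is constructed to show an httpd that
# resolves libcrypto from two OpenSSL installs at the same time.
LDD_PAGE = """\
/usr/lib/libdld.2 =>    /usr/lib/libdld.2
/usr/lib/libc.2 =>      /usr/lib/libc.2
/usr/lib/libdld.2 =>    /usr/lib/libdld.2
./libcrypto.sl.0.9.8 => ./libcrypto.sl.0.9.8
/usr/lib/libdld.2 =>    /usr/lib/libdld.2
"""

LDD_MIXED = """\
/opt/openssl098d/lib/libssl.sl.0.9.8 =>    /opt/openssl098d/lib/libssl.sl.0.9.8
/opt/openssl098d/lib/libcrypto.sl.0.9.8 => /opt/openssl098d/lib/libcrypto.sl.0.9.8
/usr/local/lib/libldap.sl =>               /usr/local/lib/libldap.sl
/usr/local/lib/libcrypto.sl.0.9.7 =>       /usr/local/lib/libcrypto.sl.0.9.7
/usr/lib/libc.2 =>                         /usr/lib/libc.2
"""

DEP_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)")
# libcrypto/libssl with an HP-UX .sl or ELF .so suffix and an optional version
OPENSSL_LIB = re.compile(r"lib(?:crypto|ssl)\.(?:sl|so)(?:\.(\d+(?:\.\d+)*))?$")


def parse_ldd(text):
    """Return [(requested_name, resolved_path), ...] from ldd-style output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append((m.group(1), m.group(2)))
    return deps


def audit_openssl_deps(text):
    """Flag the two problems seen on this page: an OpenSSL library recorded
    with a relative path (resolved against the loading process's directory,
    not the install prefix) and more than one OpenSSL version in one image."""
    findings = []
    versions = {}                      # version string -> resolved paths
    for name, path in parse_ldd(text):
        m = OPENSSL_LIB.search(name)
        if not m:
            continue
        if not path.startswith("/"):
            findings.append("relative dependency %r: only found if the current "
                            "directory happens to contain it" % name)
        versions.setdefault(m.group(1) or "unversioned", []).append(path)
    if len(versions) > 1:
        findings.append("multiple OpenSSL versions linked: "
                        + ", ".join(sorted(versions)))
    return findings


if __name__ == "__main__":
    for label, text in (("page", LDD_PAGE), ("mixed", LDD_MIXED)):
        print(label, audit_openssl_deps(text) or ["ok"])
```

Run it over `ldd httpd` (and over each module and library httpd loads, since ldd only follows direct dependencies of the file you give it) before and after the rebuild; an empty result is what you want before debugging anything else.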
N00B needs csr/key help
I am trying to get my copy of pure-ftpd running with a signed certificate and having a horrible time. I had to send them a csr so I did the following:

    openssl genrsa -des3 -out ftp.mydomain.com.key 1024
    openssl req -new -key ftp.mydomain.com.key -out ftp.mydomain.com.csr

I got the key signed from godaddy (it was cheap, anyone have any ideas on their service?) (also they use an intermediate key, does everyone now? I don't even know if pureftpd can use an intermediate key) and so I put the necessary files on my ftp machine and fired it up. There is a problem however, I see this in the log:

    Oct 31 17:19:33 ftp pure-ftpd: ([EMAIL PROTECTED]) [ERROR] SSL/TLS [/etc/pure/private/pure-ftpd.pem]: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password

I assume since I used des3 generating the key, that is why it's looking for a password. For ssl enabled web and ftp servers is it commonplace to create the private key without encryption? Does anyone have an idea about this error? I was also wondering, if I were to do the same as above only include the --passout file:/some/directory/path/file like such:

    openssl genrsa -passout file:/etc/pure/pasfile -des3 -out ftp.mydomain.com.key 1024

that generates the key just fine without me having to type in the password, but does the key then know to read from that file as well when it's being used? If so, would that also mean that when pureftpd is looking for the password, the password file is hardcoded somehow into the key and it would be found? I would just try these things, but of course I have to go through the whole process of generating a new csr and getting new keys every time I do that from godaddy.

Thanks in advance.
Aaron
RE: Certificate Verification
Well, I figured out PART of my problem. Somehow I got the wrong CA certificate. Once I got the right one, I can do a successful s_client connect as long as I provide the -CAfile argument to point openssl to the correct CA file. However, if I try to do it without the -CAfile argument, I get the same "unable to get local issuer" problem. I don't have a cacert.pem file on the system at all (this is a stock Solaris 10 install). Everything openssl related appears to be in /etc/sfw/openssl, including the openssl.cnf file. This file has the following default options in the [CA_default] section:

    dir         = /etc/sfw/openssl
    certs       = $dir/certs
    certificate = $dir/cacert.pem

So, I take this to mean that openssl will look for CA certificates in /etc/sfw/openssl/cacert.pem? I took the CA certificate (that works) and put it in /etc/sfw/openssl with the name of cacert.pem but it still couldn't find it.

From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Vincenzo Sciarra
Sent: Thursday, October 12, 2006 4:29 AM
To: openssl-users@openssl.org
Subject: Re: Certificate Verification

Try to add the CA certificate to cacert.pem, the default openssl CA certificate. Simply:

    cat MScaCERT.pem >> cacert.pem

2006/10/12, Dr. Stephen Henson <[EMAIL PROTECTED]>:

On Wed, Oct 11, 2006, Aaron Smith wrote:

> Ok. This is hopefully a simple question, and one that I see
> quite a bit in the archives. However, everything I've tried and gleaned
> from searching the archives have come up nothing. I have server
> certificate from a Microsoft Domain Controller that was created via MS's
> certificate authority. I'm trying to get Openssl to connect to it, but
> I get the now familiar "unable to get local issuer certificate" error
> when using s_client. I have the CA certificate, and there is, to my
> knowledge, no intermediate certificates. I have tried putting the CA
> certificate into the certs directory defined in openssl.cnf with a
> symbolic link of the cert's hash value pointing to it. I have tried
> doing openssl verify -CAfile ./sandbox-ca.pem server-cert.pem and still
> get the same error. Now, my assumption is that if I try to do a verify
> on a server certificate and provide (via the -CAfile option) that SHOULD
> be all it needs to verify the certificate correct? Is there something
> wrong with my certs? I've provided both in the email so that maybe
> someone can point out what the problem is:

The problem is that the subject key identifier (SKID) of the issuer certificate does not match the authority key identifier (AKID) of the server certificate. You can see this for yourself by doing:

    openssl x509 -in cert.pem -text -noout

So whatever generated the certificates needs to be configured so it correctly uses the same value for AKID in the server as SKID in the CA.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

-- 
Vincenzo Sciarra
Certificate Verification
Ok. This is hopefully a simple question, and one that I see quite a bit in the archives. However, everything I've tried and gleaned from searching the archives have come up nothing. I have a server certificate from a Microsoft Domain Controller that was created via MS's certificate authority. I'm tr. trying to get Openssl to connect to it, but I get the now familiar "unable to get local issuer certificate" error when using s_client. I have the CA certificate, and there are, to my knowledge, no intermediate certificates. I have tried putting the CA certificate into the certs directory defined in openssl.cnf with a symbolic link of the cert's hash value pointing to it. I have tried doing openssl verify -CAfile ./sandbox-ca.pem server-cert.pem and still get the same error. Now, my assumption is that if I try to do a verify on a server certificate and provide (via the -CAfile option) that SHOULD be all it needs to verify the certificate, correct? Is there something wrong with my certs? I've provided both in the email so that maybe someone can point out what the problem is:

N1-wrath.sandbox.com (sandbox.com is a virtual domain used for testing):

-----BEGIN CERTIFICATE-----
MIIFszCCBJugAwIBAgIKGlNrzjANBgkqhkiG9w0BAQUFADBDMRMwEQYK
CZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHc2FuZGJveDETMBEGA1UE
AxMKU2FuZGJveCBDQTAeFw0wNjA4MjMxNTM5NDNaFw0wNzA4MjMxNTM5NDNaMB8x
HTAbBgNVBAMTFG4xLXdyYXRoLnNhbmRib3guY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDfYb6tJxC8E4GMIIXwuV2VuUTKMavBRjem04DRZzYDpLky4mOo
cBd8s8DwlmRKqtW68LxIhRxHZc6K3y8ytXeFD9VMKTX9hPl3Tk+vvQ/Q2Xjv1CwG
wTRqaeAbnZK+15Q6WkM61yAu0XA3U1f6RaBA5PZFyFbTOkSN0TAJiHw2tQIDAQAB
o4IDTzCCA0swCwYDVR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcN
AwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNV
HQ4EFgQUAduzIdaqGDT41RLrYhQJdAR+YPswLwYJKwYBBAGCNxQCBCIeIABEAG8A
bQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB8GA1UdIwQYMBaAFEcKpdwNYJ/A
b+MFCQo8wgaO7VtCMIIBBAYDVR0fBIH8MIH5MIH2oIHzoIHwhoG0bGRhcDovLy9D
Tj1TYW5kYm94JTIwQ0EsQ049bjEtd3JhdGgsQ049Q0RQLENOPVB1YmxpYyUyMEtl
eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2Fu
ZGJveCxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVj
dENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50hjdodHRwOi8vbjEtd3JhdGguc2Fu
ZGJveC5jb20vQ2VydEVucm9sbC9TYW5kYm94JTIwQ0EuY3JsMIIBGgYIKwYBBQUH
AQEEggEMMIIBCDCBqwYIKwYBBQUHMAKGgZ5sZGFwOi8vL0NOPVNhbmRib3glMjBD
QSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMs
Q049Q29uZmlndXJhdGlvbixEQz1zYW5kYm94LERDPWNvbT9jQUNlcnRpZmljYXRl
P2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBYBggrBgEF
BQcwAoZMaHR0cDovL24xLXdyYXRoLnNhbmRib3guY29tL0NlcnRFbnJvbGwvbjEt
d3JhdGguc2FuZGJveC5jb21fU2FuZGJveCUyMENBLmNydDAdBgNVHSUEFjAUBggr
BgEFBQcDAgYIKwYBBQUHAwEwQAYDVR0RBDkwN6AfBgkrBgEEAYI3GQGgEgQQgto8
vGzkE0+9zIRFWXgxVYIUbjEtd3JhdGguc2FuZGJveC5jb20wDQYJKoZIhvcNAQEF
BQADggEBAJjCdQkVc+QOSMp81/Og7/2X8nJDEP6qJqPnJjVLAfWnMJjYzbj3bZs0
XompdxVxNb7CchT3TEJoUMnGGzTSu7J0di+Qgwt7lMfOR6BFOYal03fscuLQmALZ
U4/4K//QJV9MWungDMkj0XBGg86HJzwtUpZeu7bUdgmcRCYfZhTdY42fD13a9bGD
IGcz6LAAYBMWwfIDQ0UL6CuFIkS6j7WTxxLWzB+i8cxrEMhLvpUT54fJQnYfNkhS
4Wg12/MUGn9ykK1IFk3ym+FgB20K5vjAykx3DVqdxKG1pa+NhDHdpgcv+cI7wyUA
bBtxiZa2V2vB2x+BV0f0LYVB+3KgrOU=
-----END CERTIFICATE-----

The CA certificate from the sandbox.com domain controller (which happens to be n1-wrath):

-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgIQHZSufQev7bBPeD3puDiTZDANBgkqhkiG9w0BAQUFADBD
MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHc2FuZGJveDET
MBEGA1UEAxMKU2FuZGJveCBDQTAeFw0wNjA4MjMxODEwNDJaFw0xMTA4MjMxODE5
MTFaMEMxEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdzYW5k
Ym94MRMwEQYDVQQDEwpTYW5kYm94IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAzi1RBABv+NIwN6V5Cb36Xvh4aBR0meZu6Dt7C03E2NGLRuqByGEZ
roxHFmxfw3iLEXCG4wuX8vgmofL25Zxs4SFh0AGTXRLtyCgWkcaRtaRLv/2uOdxu
cfzr0lQujvuaBwORG2b/oxMvaHNs7Fn1W+dDl8mtaq1GIoW4Cy37xWvEK/cLfxzK
Ar2ieI9edSMTDn23ckksKhFVhz4vQN2eDGR6hS7a22ocxFf+X5bbCZih8gtsZq7P
tNByxtAtqxPvFK+KvBphFi8W7W4xRwY9jbgigjluzM4HxtqmNHUWmhFtOjdwnfDd
RJPxgLVvkrlNz8xQi4s4j2f/naIZUDZMIQIDAQABo4IBcDCCAWwwEwYJKwYBBAGC
NxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFFF6eyh++VR2O41NFn610FcKO2RIMIIBBAYDVR0fBIH8MIH5MIH2oIHzoIHw
hoG0bGRhcDovLy9DTj1TYW5kYm94JTIwQ0EsQ049bjEtd3JhdGgsQ049Q0RQLENO
PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9c2FuZGJveCxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlz
dD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50hjdodHRwOi8v
bjEtd3JhdGguc2FuZGJveC5jb20vQ2VydEVucm9sbC9TYW5kYm94JTIwQ0EuY3Js
MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQCpf6vt20PD17bi
/GJFzIbR+fnjbmYtM6dCcjJoxquxMhBG6YDh29kNIoztDXShEOVPxhFYeaDvONEk
v39WBYpyCqwQogQkNAQGOP0j+hzVJqxJtwZW0GE2QW+5pmdYJkzcD7R7ckZvHU9t
ngYBqbCZQTVPFCxit0nHiwNLe0P+aFb4cc7xq+l4Sd/9GyDAnQLsJ8NL8seqWbVZ
NPA70dgYj1qJR08yuJlB48yXkOyOG0GJQvsZpmwMV5r7feKjQCQnRV7fYHSTpsh6
RYx+zA1okfkaqBQ75RAoidiGyYkeBKwp+I+SzHf7011dUajRMik2ZD7u7APa6sZB
zVlJ7wPM
-----END CERTIFICAT
OpenSSL 0.9.8a Crashes Apache--and a Fix
ers where appropriate) with OpenSSL 0.9.7i. It worked like a charm--no failed tests, no errors, and no segmentation faults. I noticed only one key difference: the 0.9.7i configuration program automatically detected the system as "linux-pentium," instead of "linux-elf." I tried configuring and compiling 0.9.8a with "linux-pentium" as the system type, but I was given an error implying that no such system type existed for that configuration program. Eventually, I forced the system type as "linux-generic32" with 0.9.8a and everything finally worked, thanks to the following command:

./Configure linux-generic32 zlib shared no-threads --prefix=/usr/local --openssldir=/usr/local/openssl

However, the small difference in terminology between "generic32" and "pentium" and "elf" was enough to take up twenty hours of my time. Is there a page somewhere that I missed blatantly outlining this issue? (Is this the "compatibility issue" alluded to on the OpenSSL home page?) Though I'm not sure what the technical difference is between the system types, all of which sound generic to me, I think someone should probably look into it if no one has already.

Hope this helps someone...

Aaron

Aaron Greenspan
President & CEO
Think Computer Corporation
http://www.thinkcomputer.com
How to disable id and password check
Can anyone tell me how to disable id and pw checking when entering a specific web site. I'd like to turn it completely off.

Thanks,
Chuck

Mark wrote:

my last mail seems to be lost somewhere.. I got it!

Hi all,

I'm testing an SSL server with s_client. I want to implement client authentication. The problem is even if I include the certificate and key file in my client call, SSL_get_peer_certificate() returns NULL. I tried the following calls,

a) s_client -connect ip:port
b) s_client -connect ip:port -cert clientcert.pem -key clientPrivkey.pem

I would think you would need to specify the root certificate using the -CAfile option.

Cheers,
Mark
RE: validifying RSA key fingerprint
On Wed, 2005-05-04 at 14:18 -0700, Miles Bradford wrote:
> Use a class A or B IP
> If you're offsite - your 192.X.X.X probably won't work.

The IP addresses provided were for problem explanation purposes only. if you like, use x.x.x.x.

> -----Original Message-----
> From: Aaron P. Martinez [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 04, 2005 12:13 PM
> To: openssl-users@openssl.org
> Subject: validifying RSA key fingerprint
>
> I am trying to figure out how to verify a RSA key fingerprint against the hash that i have already in my known_hosts file.
>
> When i connect to a machine for the first time after i move it offsite, i get a message like:
>
> The authenticity of host 'www.example.com (192.168.x.x)' can't be established.
> RSA key fingerprint is 36:97:27:70:e2:1b:80:32:34:e1:7p:99:89:93:45:92.
>
> in my known hosts i have something like:
>
> 192.168.x.x ssh-rsa B3NzaC1yc2EBIwAAAIEAmPwYG833PifTQ501dsi6JSB/H7HtT0rZ678oSht9I6nWwtaVZ6KH/fToPZlrtExAIvIj9W901MsUYMTCT9LlPN7RNzVBtIJEBt+P59vZn6xPKbzEk3DDU92u5jBGukR7qGaF9oz+h3Q06mqZauu+BeLt147ChuqHXT0hO08TLfM=
>
> so how can i convert the ssh-rsa into a fingerprint to compare the two. Or maybe there's even an easier way?
>
> TIA,
>
> Aaron Martinez
>
> ps, i know the above fingerprint and the following ssh-rsa don't match.

Aaron Martinez
validifying RSA key fingerprint
I am trying to figure out how to verify a RSA key fingerprint against the hash that i have already in my known_hosts file.

When i connect to a machine for the first time after i move it offsite, i get a message like:

The authenticity of host 'www.example.com (192.168.x.x)' can't be established.
RSA key fingerprint is 36:97:27:70:e2:1b:80:32:34:e1:7p:99:89:93:45:92.

in my known hosts i have something like:

192.168.x.x ssh-rsa B3NzaC1yc2EBIwAAAIEAmPwYG833PifTQ501dsi6JSB/H7HtT0rZ678oSht9I6nWwtaVZ6KH/fToPZlrtExAIvIj9W901MsUYMTCT9LlPN7RNzVBtIJEBt+P59vZn6xPKbzEk3DDU92u5jBGukR7qGaF9oz+h3Q06mqZauu+BeLt147ChuqHXT0hO08TLfM=

so how can i convert the ssh-rsa into a fingerprint to compare the two. Or maybe there's even an easier way?

TIA,

Aaron Martinez

ps, i know the above fingerprint and the following ssh-rsa don't match.
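How the fingerprint in the question relates to the known_hosts entry, as an added example that is not part of either message: the colon-separated value ssh prints at first contact is the MD5 digest of the base64-decoded key blob, so the two can be compared directly once the blob is decoded. The script assumes only the openssl command-line tool; the key blob it fingerprints is constructed in wire format for the demonstration (a toy 64-bit modulus, not a real host key). Note that the entry as quoted above cannot be decoded as pasted: every ssh-rsa blob starts with AAAAB3NzaC1yc2E (the length-prefixed string "ssh-rsa"), and the leading AAAA has been lost in the quote.

```shell
#!/bin/sh
# Added example, not from the thread: derive the "RSA key fingerprint" that ssh
# prints at first contact from a known_hosts entry. The classic fingerprint is
# MD5 over the base64-decoded key blob, shown as 16 colon-separated hex pairs.
# Assumes only the openssl command-line tool; the key blob built below is
# constructed for the demonstration and is not a real host key.
set -eu

# fingerprint_of BASE64: MD5 of the decoded blob as xx:xx:...:xx (lowercase).
# -A tells openssl the base64 is on one line, as it is in known_hosts.
fingerprint_of() {
  printf '%s' "$1" | openssl base64 -d -A | openssl md5 \
    | sed 's/^.*= *//' | sed 's/\(..\)/\1:/g; s/:$//'
}

# known_hosts_fingerprint LINE: the third field of a "host keytype base64
# [comment]" line is the blob; hashed-hostname lines (|1|...) have the same layout.
known_hosts_fingerprint() {
  fingerprint_of "$(printf '%s\n' "$1" | awk '{ print $3 }')"
}

# same_key FP1 FP2: true when two fingerprints match, ignoring hex case.
same_key() {
  [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# make_blob: an ssh-rsa public key blob in wire format, i.e. three
# length-prefixed fields: the string "ssh-rsa", the exponent e = 65537 as an
# mpint, and the modulus as an mpint (leading 0x00 because the top bit is set).
# The modulus is a made-up 8-byte value; real keys are 256 bytes or more but the
# layout is identical.
make_blob() {
  printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\011\000\302\243\177\022\233\000\104\321' \
    | openssl base64 -A
}

BLOB="$(make_blob)"
printf 'known_hosts line: 192.168.1.10 ssh-rsa %s\n' "$BLOB"
printf 'fingerprint:      %s\n' "$(known_hosts_fingerprint "192.168.1.10 ssh-rsa $BLOB")"
```

With OpenSSH itself the same value comes from `ssh-keygen -l -f known_hosts` (add `-E md5` on OpenSSH 6.8 and later, which otherwise print the SHA256 form); the script is only useful where ssh-keygen is not at hand or the blob came from somewhere else.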
description of error numbers?
Where can I find a description of the various error numbers? Here's what I'm getting in my apache logs:

OpenSSL: error:14094418:lib(20):func(148):reason(1048)

l8r
Aaron
--
There's no trick to being a humorist when you have the whole government working for you -- Will Rodgers
SSL and OSU
SSL Group,

I am running the 3.10a osu web server with openvms SSL. Our users access our server based on two different ip addresses, which correlate to two different applications. Do you know if there is a way to make users who are accessing only one of the applications on the web to force them to ssl (https) and leave the other application http or will I have to make it all https if I chose that route?

Thanks in advance,
Chuck Aaron
Re: Question about generating keys, certificate requests
Well, with the various SSL certificates I create with our in-house CA, I create them all on one machine and then copy the certificates over to the machines that will actually use them. No problem at all. So I'd guess that nothing about the machine you're creating the request on is put into the certificate...

On Tue, 2005-01-04 at 16:22, Stewart Dean wrote:
> When you do this using either the req or genrsa command, does the generated output have *anything* in it that acts as a fingerprint of the machine where the command was invoked? That is, as part of running these commands, does the output end up with some section that ties it to that very machine and no other?
>
> I am bringing up secure IMAP using openssl on our imap mail server. I currently have it working just fine using a self-signed certificate. Now I want to get a Class 1 Digital Certificate from Verisign and so have to submit a certificate request. I'm pretty clear on what I have to do, but I have a problem.
>
> The mail server in question has a hostname (mercury.bard.edu). It also has 3 NICs that answer to 6 numeric addresses...three of them primary addresses and the other three secondary 'network aliases' (as defined, I think, by Sun, IBM and Red Hat, a network alias is a numeric address that is recognized and responded to BY THE NIC HARDWARE...as such, it is externally indistinguishable from the primary address...the machine responds the same to either, and it's only internally that you can find out which is which). ALL six of the corresponding symbolic host names have A records (NOT CNAME) in DNS and resolve forward and back uniquely.
>
> Now if this were a machine with one hostname and one numeric address, I would have no question about how to generate keys and certificate requests...I would just do it.
>
> But.
>
> This machine has 6 numeric IP addresses it answers, one internal hostname (mercury) and 5 more hostnames in DNS: mercury2, mercmailport, smtp, imap & mail
>
> When I run the openssl req/genrsa command, am I going to get some fingerprint of the machine embedded that won't match the DNS symbolic name I want to use (imap.bard.edu) and put in the CN? Which I would think would make the certificate usage fail because the host name it got for that fingerprint might be mercury or any one of the other 4?
>
> Or does the generation process take no fingerprint and could be run on any machine that answers to the numeric IP address corresponding to the CN specified and entered when the command was run?
>
> My head hurts.
>
> I wouldn't make such a big deal out of this, except that the certificate isn't cheap, and Verisign gives you 3 days of support to get things up, then you're on your own. And my attempt to ask this question of the pre-purchase email tech support returned a 'dartboard' answer... it had absolutely nothing to do with my question... must have been picked out by throwing a dart at a list of canned answers
>
> Thanks in advance for your help

--
- Aaron Smith vox: 269.226.9550 ext.26
http://www.nexcerpt.com fax: 269.349.9076
...Nexcerpt... Extend Your Expertise
Re: Certificate Revocation
That did the trick. Thanks a lot!

On Fri, 2004-05-14 at 12:52, Olaf Gellert wrote:
> Aaron Smith wrote:
> > We have been using OpenSSL to generate certificates for various applications here with a home grown CA (created using openssl ca). We recently started upgrading our servers from Redhat 7.3 to RHEL 3.0. The machine that used to house the CA directories used openssl version 0.9.6b (RedHat RPM) and the new machine uses openssl version 0.9.7b (again, RedHat RPM). I tar'ed up the CA directories from the old machine and plopped them onto the new machine. When I attempted to revoke a certificate (by "openssl ca -revoke certfile.pem"), I received the following error:
> >
> > ERROR:name does not match
>
> Maybe it's something to do with Email-Addresses in the DN? From 0.9.6 to 0.9.7 the entry output of openssl changed from "Email" to "emailAddress" so it could be that you have to change this in the "index.txt" file of OpenSSL.
>
> Just a guess...
> Cheers, Olaf

--
- Aaron Smith vox: 269.226.9550 ext.26
Network Director fax: 269.349.9076
Nexcerpt, Inc. http://www.nexcerpt.com
...Nexcerpt... Extend Your Expertise
Certificate Revocation
We have been using OpenSSL to generate certificates for various applications here with a home grown CA (created using openssl ca). We recently started upgrading our servers from Redhat 7.3 to RHEL 3.0. The machine that used to house the CA directories used openssl version 0.9.6b (RedHat RPM) and the new machine uses openssl version 0.9.7b (again, RedHat RPM). I tar'ed up the CA directories from the old machine and plopped them onto the new machine. When I attempted to revoke a certificate (by "openssl ca -revoke certfile.pem"), I received the following error:

ERROR:name does not match

The same command worked fine on the old server. The only difference in execution that I see is that, when run on the new server, I get a line that says "Using configuration from /usr/share/ssl/openssl.cnf" which I don't get on the old server. I have an openssl.cnf file in the CA directory that was just copied from /usr/share/ssl when the CA was originally created (along with CA.pl). Is this a compatibility problem between the openssl versions? If so, is there a way around it or do I need to recreate all of my CA's and regenerate all of my certificates?

--
- Aaron Smith vox: 269.226.9550 ext.26
Network Director fax: 269.349.9076
Nexcerpt, Inc. http://www.nexcerpt.com
...Nexcerpt... Extend Your Expertise
RE: Where are the reason codes?
Did you call ERR_load_crypto_strings()? Without it, you won't get the descriptive text.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Putnam
Sent: Tuesday, April 27, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: Where are the reason codes?

I am having a problem with Apache's mod_ssl. It is getting an error from OpenSSL but the message is useless without an error code reference. I cannot find any error codes at the OpenSSL web site or anywhere else for that matter. Can someone point me to a place to find what these error messages mean? TIA.

[Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D0680A8:lib(13):func(104):reason(168)
[Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D07803A:lib(13):func(120):reason(58)

Dennis Putnam
Information Technology
AIM Systems, Inc.
11675 Rainwater Dr.
Alpharetta, GA 30004
678-297-0700
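What the "lib(13):func(104):reason(168)" rendering in those log lines means, as an added example that is not part of either message (it applies equally to the error:14094418 line in the earlier "description of error numbers?" message): a pre-3.0 OpenSSL error code is a 32-bit number packing the library in the top 8 bits, the function in the next 12 and the reason in the low 12, and the text for each field is what `openssl errstr` prints, which is the same table mod_ssl would have used had ERR_load_crypto_strings() been called. The script needs only a POSIX shell for the decoding; the errstr step runs only if the openssl binary is installed, and its text matches only codes produced by the same major version. The log lines are copied from the message above; nothing else is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: split the OpenSSL error codes in the
# quoted Apache log lines into their fields and look up the text for them.
# Needs only a POSIX shell; `openssl errstr` is used when openssl is present.

# decode_err HEX: "lib func reason" in decimal for a pre-3.0 code, which packs
# lib in the top 8 bits, func in the next 12 and reason in the low 12 bits.
decode_err() {
  code=$((0x$1))
  echo "$(( code >> 24 )) $(( (code >> 12) & 0xFFF )) $(( code & 0xFFF ))"
}

# decode_err3 HEX: "lib reason" for an OpenSSL 3.x code. The function field is
# gone, lib sits at bit 23 and the reason fills the low 23 bits (the masks used
# by ERR_GET_LIB / ERR_GET_REASON in 3.x). Same lib and reason numbers as
# before, different packing: 3.x logs the "unknown CA" alert as error:0A000418.
decode_err3() {
  code=$((0x$1))
  echo "$(( (code >> 23) & 0xFF )) $(( code & 0x7FFFFF ))"
}

# code_in_logline LINE: the 8 hex digits after "error:" in one log line.
code_in_logline() {
  printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\).*/\1/p'
}

# explain HEX: the decoded fields plus, when the openssl binary is available,
# its text for the code (meaningful only for codes from the same major version).
explain() {
  set -- "$1" $(decode_err "$1")
  printf 'error:%s lib=%s func=%s reason=%s' "$1" "$2" "$3" "$4"
  if command -v openssl >/dev/null 2>&1; then
    printf ' %s' "$(openssl errstr "$1" 2>/dev/null || true)"
  fi
  printf '\n'
}

# Constructed copies of the log lines quoted in the message above.
LOG='[Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D0680A8:lib(13):func(104):reason(168)
[Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D07803A:lib(13):func(120):reason(58)'

printf '%s\n' "$LOG" | while read -r line; do
  explain "$(code_in_logline "$line")"
done
```

In the reply above, ERR_load_crypto_strings() is the library-side equivalent of the errstr lookup: without the string tables loaded, ERR_error_string() can only print the numeric fields, which is exactly the form that ended up in the Apache log.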
Re: Test
yes, it made it.
RE: 0.9.6j vs 0.9.7b
Is there a major difference between the two? My guess would be that eventually everything will move to the 0.9.7 series. If that's the case, I would think it makes more sense to upgrade to the 0.9.7 series

---
Aaron Axelsen
AIM: AAAK2
Email: [EMAIL PROTECTED]
Want reliable web hosting at affordable prices? www.modevia.com
Web Dev/Design Community/Zine www.developercube.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Levitte - VMS Whacker
Sent: Tuesday, June 03, 2003 1:22 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: 0.9.6j vs 0.9.7b

In message <[EMAIL PROTECTED]> on Mon, 2 Jun 2003 21:27:10 -0500, "Aaron Axelsen" <[EMAIL PROTECTED]> said:

axelseaa> Currently I am running OpenSSL 0.9.6g, and I am looking to
axelseaa> upgrade. My question is what is the difference between 0.9.6i
axelseaa> and 0.9.7b?? Which one will be easiest to upgrade from 0.9.6g?
axelseaa> Or is there no difference? Thanks in advance for your
axelseaa> assistance, it is much appreciated.

It's easier to upgrade to 0.9.6i. A change to the 0.9.7 series often requires changes in the applications.

--
Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
0.9.6j vs 0.9.7b
Hello,

Currently I am running OpenSSL 0.9.6g, and I am looking to upgrade. My question is what is the difference between 0.9.6i and 0.9.7b?? Which one will be easiest to upgrade from 0.9.6g? Or is there no difference? Thanks in advance for your assistance, it is much appreciated.

---
Aaron Axelsen
AIM: AAAK2
Email: [EMAIL PROTECTED]
Want reliable web hosting at affordable prices? www.modevia.com
Web Dev/Design Community/Zine www.developercube.com
Re: OpenSSL: Support, Mailing Lists
I just installed mod_ssl on my Mac OS X server and when I try to access it for testing I get the following error message:

SSL_connect:error in SSLv2/v3 read server hello A
404:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:

Any suggestions?

Thanks,
Aaron Smith
Re: Attempting to use EVP Context initialisation functions under 0.9.6d
REMOVE

> Tim Gillott wrote:
>
> Greetings.
>
> I am having trouble initialising both Digest Contexts and Digests using the EVP wrappers. I am using 0.9.6d under Windows XP Pro. I can't seem to find the functions EVP_MD_CTX_init, EVP_MD_CTX_create or EVP_DigestInit_ex in any of the includes or libraries I have, although the documentation mentions them and describes their function in detail. I built the libraries from scratch using the Perl utilities and all built fine. I can compile and link successfully. The problem is, if you want to use the EVP wrappers, initialising the context and digest is sort of vital otherwise you can't perform any operations at all. Am I missing something here? Is the OpenSSL documentation (gasp) *ahead* of the code? I could go back to using explicit message digest calls but I really don't want to do that having upgraded to using the EVP wrappers. Can anyone help???
>
> Cheers
>
> Tim Gillott
> [EMAIL PROTECTED]
new version applying:
Hello,

I am currently running 9.6A. How do I go about downloading the newest 9.6d version and applying it to my alphas?

CJA
bad decrypt error
I am trying to decrypt a file that has been decrypted in the des3 format. The guy says that it was decrypted by some kind of hardware device that they use internally to their company. It is coming from a mainframe then we are trying to decrypt it on a hp box. We have tried to convert it to ascii before he encrypts and we still get the bad decrypt error. Here is the command+error:

/opt/openssl/bin/openssl des3 -d -in ascrypt.txt -out decrypted.txt -K 12345678
bad decrypt
21296:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:277:

Any help would be appreciated.

Aaron
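The command in that message taken apart, as an added example that is not part of the thread. -K hands openssl the raw key as hex, so for 3DES it has to be the full 24 bytes (48 hex digits); CBC mode also needs the same -iv the encrypting side used, and without -K openssl would instead derive key and IV from a password and expect a "Salted__" header the hardware side never wrote. A short -K is quietly padded with zero bytes, so `-K 12345678` is really an 8-digit key followed by forty zeros, and any key or IV disagreement surfaces as the padding check failing, which is the "bad decrypt" in the error above. Only the openssl command-line tool is assumed; the key, IV and sample text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: what -K and -iv mean for
# `openssl des3 -d` and why a short -K cannot match the other side's key.
# Assumes only the openssl command-line tool; key, IV and text are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

KEY=0123456789abcdeffedcba98765432100011223344556677   # 48 hex digits = 24 bytes
IV=0102030405060708                                   # 8 bytes: the DES block size
printf 'Hello from the mainframe\n' > "$WORK/plain.txt" # constructed sample input

# encrypt_3des IN HEXKEY OUT and decrypt_3des IN HEXKEY OUT: explicit key and
# IV, no password-based derivation, so both sides must agree on the raw bytes.
encrypt_3des() { openssl enc -des-ede3-cbc -K "$2" -iv "$IV" -in "$1" -out "$3" 2>/dev/null; }
decrypt_3des() { openssl enc -d -des-ede3-cbc -K "$2" -iv "$IV" -in "$1" -out "$3" 2>/dev/null; }

# roundtrip_ok: "yes" when decrypting with the same key and IV restores the file.
roundtrip_ok() {
  encrypt_3des "$WORK/plain.txt" "$KEY" "$WORK/c.bin"
  if decrypt_3des "$WORK/c.bin" "$KEY" "$WORK/p.txt" && cmp -s "$WORK/plain.txt" "$WORK/p.txt"; then
    echo yes
  else
    echo no
  fi
}

# short_key_is_zero_padded: "yes" when `-K 12345678` (as in the message above)
# produces the same ciphertext as 12345678 followed by forty zero digits.
# openssl pads a short hex key with zero bytes (newer releases warn on stderr).
short_key_is_zero_padded() {
  encrypt_3des "$WORK/plain.txt" 12345678 "$WORK/short.bin"
  encrypt_3des "$WORK/plain.txt" "12345678$(printf '%040d' 0)" "$WORK/padded.bin"
  if cmp -s "$WORK/short.bin" "$WORK/padded.bin"; then echo yes; else echo no; fi
}

# wrong_key_garbles: "yes" when decrypting with another key yields garbage.
# -nopad skips the padding check so the output can be inspected; with padding
# on, the same mismatch is reported as the "bad decrypt" seen in the message.
wrong_key_garbles() {
  encrypt_3des "$WORK/plain.txt" "$KEY" "$WORK/c.bin"
  openssl enc -d -des-ede3-cbc -nopad -K ffeeddccbbaa99887766554433221100ffeeddccbbaa9988 \
    -iv "$IV" -in "$WORK/c.bin" -out "$WORK/garbage.bin" 2>/dev/null
  if cmp -s "$WORK/plain.txt" "$WORK/garbage.bin"; then echo no; else echo yes; fi
}

roundtrip_ok               # yes
short_key_is_zero_padded   # yes
wrong_key_garbles          # yes
```

For the mainframe case this means asking the other side for three things: the full 24-byte key, the IV (or confirmation that ECB or a zero IV was used), and the padding scheme, since a device that pads differently from PKCS#7 will also produce "bad decrypt" even with the right key; `-nopad` plus a look at the trailing bytes is the quickest way to tell a padding disagreement from a key disagreement.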
OpenSSL problem with SSH
Hello all!

I have recently downloaded and compiled successfully openssl-0.9.6c for Solaris 2.6. Or at least that is what the messages tell me. However, when attempting to compile openssh-3.1p1.tar.gz I get the following error:

configure:7868: error: Could not find working OpenSSL library, please install or check the config.log

I have tried using the sysconfdir=/opt/ssl but came up with the same results. I also downloaded the openssl-0.9.6c binary for Solaris 2.6 and still get the same error when compiling ssh. Has anyone experienced this before? Where do I start? Thanks in advance for the help!

--
Aaron M. Hirsch
Systems Administrator
SchlumbergerSema
11146 Thompson Ave.
Lenexa, KS 66219
Phone: (913) 312-4717
Mobile: (913) 284-9094
Fax: (913) 312-4701
Mac OS X 10.0.4
Will OpenSSL compile for OS X 10.0.4? When I try ./config, it says

Operating system: Power Macintosh-whatever-Darwin
This system (Darwin) is not supported. See file INSTALL for details.

When I try ./Configure, I don't see anything about Darwin. There's a Rhapsody option, but that fails during make.
RE: DES - 3DES (novice)
Thanks Robert. I think it worked, does this look correct to you? (or anyone)

---output---
Connection from 17f, port e904
SSL connection using RC4-MD5
Client does not have certificate.
Got 23 chars:'Hello World! Encrypt me'
---end---

(is it in fact 3des now? I've been at http://www.openssl.org/docs/apps/ciphers.html to see if it looks right. but I can't tell. it reports RC4-MD5 but not DES-CBC3-SHA...I don't understand the syntax in the call. (can you please explain how RC4-MD5 is on the left of the colon ':' and how it is used with the DES-CBC3-SHA on the right? If this IS right, then will I need to create a working certificate for the client next?

SSL_CTX_set_cipher_list(yourCTX, "RC4-MD5:DES-CBC3-SHA");

Thanks very much, I'm sure this is simple and I just need to get these few answers to move forward.

Aaron

-----Original Message-----
Here's an example:

SSL_CTX_set_cipher_list(yourCTX, "RC4-MD5:DES-CBC3-SHA");

HTH,
Rob
Need to use 3des not des
Hello,

I have compiled and run a demo program that encrypts a string of text and sends it across a socket connection where it is encrypted. This is obviously using the ssl.h library. What I need to do is change the encryption from DES to 3DES. I cannot yet figure out where to do this. Is there a chance that this information may be stored in the certificate on the server? I noticed that it has a field for AU which would have to be ENC to allow for 3des, but then would I have to generate a new certificate (if so where do I begin) or is it simply somewhere in the code?

here's some of the code:

SSL_CTX* ctx; //defined above
...main body...
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_server_method();
ctx = SSL_CTX_new (meth);
if (!ctx) {
  ERR_print_errors_fp(stderr);
  exit(2);
}
if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
  ERR_print_errors_fp(stderr);
  exit(3);
}
if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
  ERR_print_errors_fp(stderr);
  exit(4);
}
if (!SSL_CTX_check_private_key(ctx)) {
  fprintf(stderr,"Private key does not match the certificate public key\n");
  exit(5);
}
/* --- */
/* TCP connection is ready. Do server side SSL. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
  printf ("Client certificate:\n");
  str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
  CHK_NULL(str);
  printf ("\t subject: %s\n", str);
  Free (str);
  str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
  CHK_NULL(str);
  printf ("\t issuer: %s\n", str);
  Free (str);
  /* We could do all sorts of certificate verification stuff here before
     deallocating the certificate. */
  X509_free (client_cert);
} else
  printf ("Client does not have certificate.\n");
..ETC.
Re: Installation over Linux Slackware
I am running the most current release on that very operating system, any reason you are not running OpenSSL 0.9.X instead of SSLeay?

On Monday 23 April 2001 03:32, you wrote:
> I'm trying to install SSLeay-0.8.1 on Linux-Slackware.
> Compiling is not right because file standards.h is missing.
>
> Perhaps a previous package must be installed before ssl?
>
> Thanks in advance.
>
> Narciso Guillen
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
Resolved. Was: Need a certificate verification help
Dr S N Henson wrote:
> http://www.openssl.org/support/faq.html#PROG7
>
> for what I suspect is the cause of the error.

Yes, it was. OpenSSL_add_all_algorithms() solved it. Thank you.

--
Aaron Stromas | "Tick-tick-tick!!!... ja, Pantani is weg..."
Oracle Corp | BRTN commentator
+1 703.708.68.21 | L'Alpe d'Huez 1995 Tour de France
Re: Need a certificate verification help
Dr S N Henson wrote:
> Aaron Stromas wrote:
> >
> > Sorry, it's a typo, of course. I'm using X509_verify_cert(&ctx). Was it supposed to work, i.e., successfully verify?
>
> See what error you get and see if:
>
> openssl verify -CAfile cacert.pem cert.pem
>
> works.

It does. Returns OK. Is it the code in apps/verify.c that implements "openssl verify ..." above?

-a

> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

--
Aaron Stromas | "Tick-tick-tick!!!... ja, Pantani is weg..."
Oracle Corp | BRTN commentator
+1 703.708.68.21 | L'Alpe d'Huez 1995 Tour de France
Re: Need a certificate verification help
Sorry, it's a typo, of course. I'm using X509_verify_cert(&ctx). Was it supposed to work, i.e., successfully verify?

-a

Dr S N Henson wrote:
> Aaron Stromas wrote:
> >
> > I am probably making a silly mistake but I've been stuck on it for quite
> > a long time. Please help me to get out of my predicament. This is what
> > I'm doing:
> >
> > BIO *bstdout;
> > X509 *x, *ca;
> > X509_STORE *store;
> > X509_STORE_CTX ctx;
> >
> > bstdout = BIO_new_fp(stdout, BIO_NOCLOSE);
> > /* load & show CA cert */
> > if (ca = load_cert(bstdout, "ca.pem", str2fmt("PEM"))) {
> >     X509_print(bstdout, ca);
> >     if (x = load_cert(bstdout, "cart.pem", str2fmt("PEM"))) {
> >         X509_print(bstdout, x);
> >         store = X509_STORE_new();
> >         X509_STORE_set_default_paths(store);
> >         X509_STORE_add_cert(store, ca);
> >         X509_STORE_CTX_init(&ctx, store, x, NULL);
> >         if (X509_verify(&ctx))
> >             printf("OK\n");
> >         else
> >             printf("Nope\n");
> >     }
> > }
> >
> > Although the cert loaded in x was issued by the CA whose cert is in ca
> > (openssl 0.9.5), I'm still getting "Nope". I must be misunderstanding
> > something, but what is it? TIA,
> >
>
> X509_verify()? Surprised it doesn't crash, that function is just for
> verifying a single certificate against a known public key, and it takes
> two arguments. If you are using X509_verify() (and that isn't just a
> typo) use X509_verify_cert() instead.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

--
Aaron Stromas | "Tick-tick-tick!!!... ja, Pantani is weg..."
Oracle Corp | BRTN commentator
+1 703.708.68.21 | L'Alpe d'Huez 1995 Tour de France
Need a certificate verification help
I am probably making a silly mistake but I've been stuck on it for quite a long time. Please help me to get out of my predicament. This is what I'm doing:

BIO *bstdout;
X509 *x, *ca;
X509_STORE *store;
X509_STORE_CTX ctx;

bstdout = BIO_new_fp(stdout, BIO_NOCLOSE);
/* load & show CA cert */
if (ca = load_cert(bstdout, "ca.pem", str2fmt("PEM"))) {
    X509_print(bstdout, ca);
    if (x = load_cert(bstdout, "cart.pem", str2fmt("PEM"))) {
        X509_print(bstdout, x);
        store = X509_STORE_new();
        X509_STORE_set_default_paths(store);
        X509_STORE_add_cert(store, ca);
        X509_STORE_CTX_init(&ctx, store, x, NULL);
        if (X509_verify(&ctx))
            printf("OK\n");
        else
            printf("Nope\n");
    }
}

Although the cert loaded in x was issued by the CA whose cert is in ca (openssl 0.9.5), I'm still getting "Nope". I must be misunderstanding something, but what is it? TIA,

-a
--
Aaron Stromas | "Tick-tick-tick!!!... ja, Pantani is weg..."
Oracle Corp | BRTN commentator
+1 703.708.68.21 | L'Alpe d'Huez 1995 Tour de France
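The command-line check Steve suggests in this thread ("openssl verify -CAfile"), exercised end to end on a throwaway CA and a certificate it issued, plus the negative case of a CA that did not issue the leaf. This is an added example, not code from the thread; it assumes the openssl CLI (1.1.1 or later) is on PATH and that the stock openssl.cnf (or OpenSSL 3's built-in default) marks "req -x509" output as a CA. All subjects and file names are made up.

```shell
#!/bin/sh
# Added example: build a constructed CA + leaf pair and verify the leaf the way
# "openssl verify -CAfile cacert.pem cert.pem" does in the thread above.

# Create a self-signed CA, a leaf it signs, and an unrelated CA, all under $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
    # A second CA that never issued the leaf, for the negative check.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Test CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# Return 0 only if openssl prints "<cert>: OK" for the given trust anchor.
# Testing the printed verdict rather than the exit status behaves the same
# across OpenSSL releases, some of which exited 0 on verification failure.
cert_verifies_against() {  # $1 = CA file, $2 = certificate to verify
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Demo when run directly: the issuing CA accepts the leaf, the other one does not.
tmp=$(mktemp -d) || exit 1
if make_test_pki "$tmp"; then
    cert_verifies_against "$tmp/ca.pem" "$tmp/leaf.pem" && echo "issuing CA: OK"
    cert_verifies_against "$tmp/other.pem" "$tmp/leaf.pem" || echo "unrelated CA: rejected"
fi
rm -rf "$tmp"
```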
x509
Hi,

Not sure whether this question is in its appropriate place, but I have a problem when creating a certificate payload in ISAKMP. RFC 2408 mentions 3 types of X.509 certificates, namely:

X.509 Certificate - Signature 4
X.509 Certificate - Key Exchange 5
X.509 Certificate - Attribute 10

Does anyone know what the difference between them is, or whether there is any document that explains this?

Thanks,
Aaron
Re: Compilation Errors on Winnt
During Winnt compilation it gives you a number of unresolved externals. The best way is to create a library "crypto.lib" and ensure you set up all the correct paths in the settings. Quite a tedious task!!!

- Original Message -
From: "Louis Lam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 29, 2000 1:06 PM
Subject: Compilation Errors on Winnt

> Hi,
>
> I'm quite new to the openssl, just trying to compile it on winnt, but got
> some errors due to unresolved symbols, did anyone encounter this problem?
>
> Thanks in Advance
>
> Louis Lam
DSA vs RSA
Hi,

I am not sure whether you need to generate two CAs for creating DSA and RSA certificates. The problem is that if I create the CA certificate and key file using RSA, I would not be using the file containing the DSA parameters, and maybe it fails during signing of certificate requests. I am not sure about this, so any help would definitely clarify my ambiguities.

Thanks,
Aaron
Re: .CRT
Thanks everyone for the help about .Crt

Aaron

- Original Message -
From: "Massimiliano Pala" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 27, 2000 6:22 PM
Subject: Re: .CRT

> Aaron Galea wrote:
> >
> > Hi,
>
> Hi,
>
> > Does anyone know how to read a .crt certificate? Reading .pem, .cer and .der
> > no problem but I can't figure out how to read a .crt certificate.
>
> The file extension does not reveal the file format... a .crt file could be
> any format of the above... anyway it is usually a .pem formatted file
> (certificate).
>
> C'you,
>
> Massimiliano Pala ([EMAIL PROTECTED])
PEM_read_X509
Hi,

I am compiling all the openssl files under VC++ and creating a number of libraries that I can include to compile the programs. However I am having problems with PEM_read_X509 when compiling the .c files of the openssl. The error is "Not enough actual parameters". Has anyone experienced this before? I am not actually sure about the parameter that I need to add for it to compile successfully. Probably a NULL, but I am having so many of these that I am wondering why there is so much of a mismatch between the headers and the actual code.

Aaron
rsa to pkcs8 question
Background

I administer a product that requires private keys to be in a specific format, which is not the format given by genrsa. After pulling teeth with the "customer support" people I found out that there is a tool included with the product that generates the required private keys. Also after doing some research it appears that they are pkcs8 keys--only because of the -BEGIN ENCRYPTED PRIVATE KEY- containers. Openssl happily makes cert requests and certs using the pkcs8 keys generated by the other app. I want to use openssl to generate all subsequent keys, to make administration easier for the people after me since I have already set up a CA. However, if I generate an rsa key and then convert it to a pkcs8 key (using the example in the pkcs8 man page), my app can not use them.

Questions

Can I assume that the required keys are pkcs8? If not how can I tell what format the private key is in?
Can I tell how a key is password encrypted?
Can I directly generate a pkcs8 key using openssl?

Any info would be helpful. Thanks.

Aaron
Sorry... PKCS5 cert chain question
Sorry about the last message, it was user error on my part. Please disregard the previous message, as it was incomplete. This is the finished version...

I'm trying to get a handle on what needs to be done to get a commercial product I just started administrating to provide ssl access to three different services. Below is an edited quote from the operations guide:

The name of a file containing a PKCS 5 password-encrypted, formatted private key, followed by DER formatted certificates defining the private key and certificate chain for the servers. The last certificate in the file is the root certificate. "_Begin" and "_End" PEM syntax delimits the encrypted private key and certificates.

I have already looked at the openssl man page and through the mailing list archive and even the RSA crypto faq, but I couldn't find answers to the following questions. It seems that when generating a private key pkcs#10 is used. I don't see any mention of pkcs#5. How would I go about generating a pkcs#5 private key? And finally, I have only limited experience with openssl and personal servers, so my next question is what is meant by "certificate chain" and how does one create the chain?

Thanks in advance for any information.

Aaron
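The key-format questions in this message and in the "rsa to pkcs8 question" above (is the key PKCS#8, how is it encrypted, can openssl emit that form directly) can be answered from the file itself: the PEM label identifies the container and the first OID inside an encrypted PKCS#8 file names the PKCS#5 scheme. This is an added example, not code from either message; it assumes the openssl CLI (1.1.1 or later) is on PATH, and the file names and passphrase are made up.

```shell
#!/bin/sh
# Added example: produce an encrypted PKCS#8 key directly, convert a traditional
# key to the same form, and read the container type and encryption scheme back.

# Generate an RSA key straight into PKCS#8 encrypted with PKCS#5 v2.0 (PBES2),
# without the genrsa + "openssl pkcs8" round trip. The PEM label on the
# output is "ENCRYPTED PRIVATE KEY".
gen_pkcs8_key() {  # $1 = output file, $2 = passphrase
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$2" -out "$1" 2>/dev/null
}

# Convert an existing key (traditional "RSA PRIVATE KEY" or plain PKCS#8) to
# encrypted PKCS#8. -v2 requests PKCS#5 v2.0 rather than the legacy PKCS#12 PBE.
to_encrypted_pkcs8() {  # $1 = input key, $2 = output file, $3 = passphrase
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" \
        -passout "pass:$3" 2>/dev/null
}

# The PEM label tells the formats apart: "RSA PRIVATE KEY" (traditional),
# "PRIVATE KEY" (unencrypted PKCS#8), "ENCRYPTED PRIVATE KEY" (PKCS#8 + PKCS#5).
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# In an EncryptedPrivateKeyInfo the first OID is the encryption algorithm:
# "PBES2" for PKCS#5 v2.0, or a pbeWith... name for the older PBES1/PKCS#12 PBEs.
encryption_scheme() {
    openssl asn1parse -in "$1" | sed -n 's/.*OBJECT *:\([^ ]*\).*/\1/p' | head -n 1
}

# Demo when run directly.
tmp=$(mktemp -d) || exit 1
gen_pkcs8_key "$tmp/direct.pem" 'constructed-pass'
openssl genrsa -out "$tmp/trad.pem" 2048 2>/dev/null
to_encrypted_pkcs8 "$tmp/trad.pem" "$tmp/converted.pem" 'constructed-pass'
for f in direct converted; do
    echo "$f: $(pem_label "$tmp/$f.pem") / $(encryption_scheme "$tmp/$f.pem")"
done
rm -rf "$tmp"
```

A chain file in the layout the operations guide describes is then just the encrypted key followed by the certificates in order, leaf first and root last, concatenated into one PEM file.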