Quantum-Resistant Cryptographic Algorithms
Will OpenSSL pursue/support the four new NIST Quantum Cryptographic Algorithms? https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
[openssl-users] OpenSSL 1.1 X509_STORE sharing
Hello,

I have some legacy code that I am updating for 1.1, and there they set SSL_CTX::cert_store to NULL before `SSL_CTX_free`. Is this necessary for the X509_STORE to be shared between contexts? Note that this still has to be buildable on 1.0 with the same result.

In the docs it says "X509_STORE_free() frees up a single X509_STORE object." Does it just decrease the reference count, or does it really delete the whole thing and break other contexts?

Thanks, Maxwell.

-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OpenSSL responder as a CGI
Hey there all,

I'm using SSL as part of puppet, which has its own sort of CA. Puppet has no idea about OCSP, but on the master, it leaves most of its configuration to the apache backend. Since apache won't re-read a CRL unless restarted, OCSP seemed like a good answer to this.

Puppet's CA doesn't generate a standard index.txt. What it *does* do is generate a standard CRL (which I suppose I can parse with the openssl crl command) as well as an inventory file that contains cert start and end dates, as well as serials and subjects. I *think* this is enough information to effectively regenerate the OCSP index file, and thus answer CRL requests.

Rather than letting the openssl code manage sockets and tcp ports, I figured I'd write some basic perl code as glue, and let apache run an OCSP responder in a vhost, which would simply generate a signed response. The CGI would basically be a wrapper, as well as a tool to regenerate an index.txt if either the inventory or the CRL had changed. This way, threading and the like aren't issues, and error-handling is more easily catchable.

Does any of this sound like a particularly awful idea?

-Dan

-- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
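The index-regeneration step Dan describes, sketched as an added Python example (this is not code from his post, from Puppet or from OpenSSL). It reads a Puppet-style inventory (serial, not-before, not-after, subject DN; that column layout and the sample rows below are constructed assumptions, as is the sample CRL text), takes the revoked serials from the output of `openssl crl -noout -text`, and writes lines in the tab-separated layout that `openssl ocsp -index` reads: status (V/R/E), expiry as UTCTime, revocation time, serial, file name, subject.

```python
"""Rebuild an OpenSSL 'ca'-style index.txt from a Puppet-like inventory file and
the revoked-serial list of a CRL as printed by 'openssl crl -noout -text'.
Added example, not from the original post; inventory layout and samples are assumptions."""
from datetime import datetime, timezone

# Constructed sample inventory: serial, not-before, not-after, subject DN.
# Assumed to mirror Puppet's inventory.txt layout; adjust parse_inventory() if yours differs.
SAMPLE_INVENTORY = """\
0x0001 2012-01-05T10:20:30UTC 2017-01-04T10:20:30UTC /CN=puppet.example.test
0x0002 2012-02-10T08:00:00UTC 2017-02-09T08:00:00UTC /CN=web01.example.test
0x0003 2012-03-15T12:30:00UTC 2017-03-14T12:30:00UTC /CN=db01.example.test
"""

# Constructed sample of the 'Revoked Certificates' section of 'openssl crl -text' output.
SAMPLE_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Jun  1 09:15:00 2013 GMT
"""


def _parse_utc(stamp):
    """Parse the inventory timestamp form 'YYYY-MM-DDTHH:MM:SSUTC' into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SUTC").replace(tzinfo=timezone.utc)


def parse_inventory(text):
    """Return one dict per certificate: int serial, aware not_after, subject string."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        serial, _not_before, not_after, subject = line.split(None, 3)
        entries.append({"serial": int(serial, 16),
                        "not_after": _parse_utc(not_after),
                        "subject": subject.strip()})
    return entries


def parse_crl_text(text):
    """Map revoked serial (int) -> aware revocation datetime from 'openssl crl -text' output."""
    revoked, serial = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            # Long serials print as colon-separated hex pairs, short ones as plain hex.
            serial = int(line.split(":", 1)[1].replace(":", "").strip(), 16)
        elif line.startswith("Revocation Date:") and serial is not None:
            when = datetime.strptime(line.split(":", 1)[1].strip(), "%b %d %H:%M:%S %Y GMT")
            revoked[serial] = when.replace(tzinfo=timezone.utc)
            serial = None
    return revoked


def _index_time(dt):
    """index.txt stores times as ASN.1 UTCTime: YYMMDDHHMMSSZ."""
    return dt.strftime("%y%m%d%H%M%SZ")


def _index_serial(n):
    """Uppercase hex with an even number of digits, as 'openssl ca' writes it."""
    h = f"{n:X}"
    return h if len(h) % 2 == 0 else "0" + h


def build_index(inventory, revoked, now):
    """Render index.txt lines: status, expiry, revocation time, serial, file name, subject."""
    lines = []
    for e in inventory:
        if e["serial"] in revoked:
            status, rev = "R", _index_time(revoked[e["serial"]])
        elif e["not_after"] <= now:
            status, rev = "E", ""  # expired; 'openssl ca -updatedb' marks these the same way
        else:
            status, rev = "V", ""
        lines.append("\t".join([status, _index_time(e["not_after"]), rev,
                                _index_serial(e["serial"]), "unknown", e["subject"]]))
    return "\n".join(lines) + "\n"


def regenerate_index(inventory_text, crl_text, now=None):
    """Text in, index.txt content out; 'now' may be an aware datetime or an inventory-style stamp."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_utc(now)
    return build_index(parse_inventory(inventory_text), parse_crl_text(crl_text), now)


if __name__ == "__main__":
    print(regenerate_index(SAMPLE_INVENTORY, SAMPLE_CRL_TEXT, "2014-01-01T00:00:00UTC"), end="")
```

When the CGI wrapper regenerates the file it should write to a temporary name and rename it into place, so a responder invoked mid-write never reads a half-written index and answers "good" for a serial whose R line had not been written yet; keying the regeneration off the mtimes of both the inventory and the CRL, as the post proposes, is what keeps the index from silently going stale.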
Re: Actually supporting ipv6 literals in s_client?
On Sun, 10 Mar 2013, Dan Mahoney, System Admin wrote:

Hey there, Apparently supporting ipv6 literals... like openssl s_client -connect '[2001:4f8:0:2::d]:443' ..in s_client is oft-asked for but never-implemented, to the point where there are blog articles like this out there: https://lwn.net/Articles/486369/, and most OSes that want to support this are applying the patches themselves, if at all. This is an already-solved problem. There are minor patches, which were already submitted (years ago) and which don't affect any of the production libraries, since s_client is really only supposed to be used for testing. Can anyone who actually has a commit-bit state why these haven't been added yet?

..and, Crickets. :(

Is this question better asked on openssl-dev? What would it take to actually solve this problem, which seems to be common?

-- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Actually supporting ipv6 literals in s_client?
Hey there,

Apparently supporting ipv6 literals... like openssl s_client -connect '[2001:4f8:0:2::d]:443' ..in s_client is oft-asked for but never-implemented, to the point where there are blog articles like this out there: https://lwn.net/Articles/486369/, and most OSes that want to support this are applying the patches themselves, if at all. This is an already-solved problem. There are minor patches, which were already submitted (years ago) and which don't affect any of the production libraries, since s_client is really only supposed to be used for testing. Can anyone who actually has a commit-bit state why these haven't been added yet?

-Dan

-- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
RE: OpenSSL (FIPS) w/Apache on Windows
Microsoft FIPS implementation is broken. I tried to use it with the GPO enabled for communication between Postfix mail gateway and Exchange 2007 and it did not work. Troubleshooting revealed the FIPS issue. I called into Microsoft and they are aware of the problem; however, they have no plans to fix it. Choices now are to upgrade to Vista and/or Windows 2008 Beta 3 (currently used on the M$ web site, and quite stable), unfortunately.

Edward Ray (SecAdmin) CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE Security, PE

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bennett, Darren L.
Sent: Thursday, August 02, 2007 10:29 AM
To: openssl-users@openssl.org
Subject: OpenSSL (FIPS) w/Apache on Windows

I've been working on compiling mod_ssl.so for use with Apache 2.x on Windows. Following the OpenSSLFips install instructions I am able to build the FIPS modules and then build OpenSSL with those modules. I then compile Apache using the OpenSSL built with the modules and it compiles. Unfortunately, when I start Apache, it loads all modules except mod_ssl.so (it dies on this module). The error I get is:

The Apache2.2 service is successfully installed.
Testing httpd.conf
Errors reported here must be corrected before the service can be started.
httpd.exe: Syntax error on line 114 of C:/apache/apache2/conf/httpd.conf: Cannot load C:/apache/apache2/modules/mod_ssl.so into server: The operating system can not run %1.

I've looked at the dependencies for mod_ssl.so using dependency walker and there are several that come up as unmet. Some of which do exist, but when I try and load them manually from the command line, they do not load (they act as if the OS doesn't recognize them as .dll files). If anyone knows the process to build SSL FIPS support into Apache for Windows, assistance would be appreciated. If not, can anyone provide guidance on resolving the issues I'm seeing? I am NOT a programmer, so I have limited knowledge in that regard.

Thanks Much!

Darren Bennett CISSP/Linux Expert/MCSE+I/MCSA/Member-SANS Advisory Board SAIC 858-826-2204 (Voice) 858-826-6478 (Fax) "Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas A. Edison
RE: use ssl for ssh transport layer (not proxy bypassing)
I sure would appreciate if someone could tell me if this is a bad idea and why; the more I know now at this time the better.

Encryption adds latency to your traffic; double encryption just adds another delay. While this extra layer of security may be necessary for servers that have processing power to handle the load, one should weigh the pros and cons of client-to-server. It is asking a lot for a laptop to do this and not have users notice the delay, even in today's dual-core machines. Also important is that both ends of the SSH/SSL tunnel be under the same control, which is usually typical for IPSec site-to-site VPNs.

I do not notice the delay on my 64-bit dual core desktop when connecting to remote servers using double-encryption. The quality of the connection is key; in my case I have a controlled environment going through the same provider (Sprint) between Los Angeles and London (i.e. I use IPSec tunnel mode for the site-to-site, then IPSec transport for server-to-server). While IPSec is different in implementation than your SSL/SSH, they essentially perform the same function of providing a secure tunnel through which to transmit/receive critical/private information. Do you also have control over both ends of your connection?

I have always found that profit and productivity come before security. If this setup is for secure monitoring or securing data between servers (for example) this may provide some additional peace of mind for your customer. If this is for the CEO or VP of Sales/Marketing to securely connect to your LAN, this solution will have a short existence.

Good luck!

Edward Ray (SecAdmin)
Re: I got Geotrust CERT but have No Key (?)
On Fri, 10 Sep 2004, Ryan Beisner (AE) wrote:

https://www.geotrust.com/news_events/press/pr_reissues_083004.htm

Well, apparently they only send the CERT, not the KEY. Now you have to log into their web site to retrieve the corresponding KEY. So, now you know if you ever get one via Bulkregister. It had me snowed. Thanks for the responses!

-Ryan

-- "GO HOME AND COOK!!!" Donielle Cocossa, Taco Bell, 2:30 AM

Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
problem after upgrading openssl
After I upgraded to openssl-0.9.6g (also openssl-engine) on my RedHat 7.3, I got several problems.

(1) qmail-pop3d can not authenticate my username and password
(2) openssh (sshd) 3.4p1 also can not authenticate my username and password, not root account

Do I need to recompile ALL applications? I tried with openssh: I removed ssh* in /usr/local/etc/ /usr/local/sbin /usr/local/bin, recompiled, make install again. But still, the problem exists. Then I read a workaround that I must build openssh --with-pam, and I did that. It works! But why? Why do I need to use 'pam' after upgrading? Should I recompile all applications with 'pam'? This will be a problem if my application does not support 'pam'. 'checkpassword' for qmail-pop3d does not support pam, if I am not mistaken. Or maybe my upgrade process was wrong? (see below) Please help me.

Thanks, kapot

I followed this when I upgraded my openssl:

Upgrading OPENSSL on RedHat 7.3 (Simple Guide)
==============================================

* Download latest openssl AND openssl-engine from: http://www.openssl.org -OR- http://openssl.planetmirror.com
* Copy all *.tar.gz to /tmp
* Building openssl-0.9.6g

    cd /tmp
    tar -zxvf openssl-0.9.6g.tar.gz
    cd openssl-0.9.6g        # enter the extracted directory, not the .tar.gz file
    ./config shared
    make
    make test
    make install

* Building openssl-engine-0.9.6g

    cd /tmp
    tar -zxvf openssl-engine-0.9.6g.tar.gz
    cd openssl-engine-0.9.6g
    ./config shared
    make
    make test
    make install

* Remove old openssl rpm

    rpm --erase --nodeps openssl

* Link new files

    cd /usr/lib
    rm libcrypto.so
    rm libcrypto.so.1
    rm libcrypto.so.2
    rm libssl.so
    rm libssl.so.1
    rm libssl.so.2
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so.1
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so.2
    ln -s /usr/local/ssl/lib/libssl.so libssl.so
    ln -s /usr/local/ssl/lib/libssl.so libssl.so.1
    ln -s /usr/local/ssl/lib/libssl.so libssl.so.2
    ln -s /usr/local/ssl/include/ /usr/include/ssl
    cd /usr/include
    rm -rf openssl
    ln -s /usr/local/ssl/include/openssl openssl

* Rerun ldconfig

    cd /etc
    rm ld.so.cache
    vi ld.so.conf
      - add /usr/local/ssl/lib
      - add /usr/local/lib    -- optional
    ldconfig

* Done

Thanks to David Tonhofer, m-plify S.A. [EMAIL PROTECTED]
No Subject
Hi,

We own a website www.fexin.com. We have purchased an SSL certificate from Verisign and installed it on our web server. This certificate expired in July 2001. Can we now use OpenSSL to create an SSL certificate and then install it on the web server? We have downloaded openssl-0.9.6b.tar and openssl-engine-0.9.6b.tar from www.openssl.org. Please tell us how we can install it and use it.

Regards, Qadeer Ahmed
clean up
Our email data files got corrupted. We found your address in the mess. Why you're there, we don't know. Maybe you can tell us mailto:[EMAIL PROTECTED]. If you don't know (or don't care) just please ignore this notice. Your address will be zapped and blown to bits after this mailing unless you tell us otherwise.

Thanks for your patience, ProLinkz(tm) Administration

--- ProLinkz(tm): Master Your Links! Home Page - http://prolinkz.com/cgi-bin/pl.cgi?hm 4 PRO Affiliate Marketers http://prolinkz.com/cgi-bin/pl.cgi?afc Real World Applications http://prolinkz.com/cgi-bin/pl.cgi?ap
pkcs12 into IE5.5, stubborn priv keys
Hi,

I import my pkcs12 personal certificate (openssl generated) into IE5.5. It takes it without a problem and puts everything in its place: CA cert, personal cert, private key. The problem is that once I set up the initial security level on the private key (low, medium, high, and the password for 'high'), I can no longer change it. Removing the associated personal certificate and CA certificate does not remove the private key. I had to nuke the registry and re-install to get the priv key security dialogs back. Is there a cleaner way?

-Erik
windows openssl.DLL ?
Is there a Windows SSL version?
Error 1 Message
I am trying to install openssl-0.9.4 and when I type ./config I get the following message at the end.

---start message
Reconfigure the source tree (via './config' or 'perl Configure'), Please.
make: *** [Makefile.ssl] Error 1
---end message

Any help will be greatly appreciated...

With best personal regards, I am very truly yours,
Jason J. Morgan, VP, Webhosting L.L.C, Microsoft Certified Professional, SysAdmin
[EMAIL PROTECTED] 1-877-8VP-HOST
transfer of certificates?
Hi,

I'm just starting to run apache 1.3.9 with v1.3.7 of the apache-ssl patch, and openssl 0.9.4. This is all on Caldera Linux, 2.2.10 kernel. I've BEEN running Netscape Fasttrack for a while now, which has built-in SSL support. I have SSL certificates with my Netscape server; how specifically would I go about transferring them over to apache? Is this possible? Or do I have to re-register all my certificates with new CSRs or something?

Secondly, I have a httpd.conf file for each domain. To set up a domain on port 80 and 443, how do I specify the SSL cert on port 443 only in that domain's config file? Do I have to make a virtual host directive for that port? Like:

<VirtualHost www.intergrafix.net:443>
    SSL directives
</VirtualHost>

Thanx, -Cygnus

.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco, Network Administrator/Engineer, [EMAIL PROTECTED], Intergrafix Internet Services
"Dream as if you'll live forever, live as if you'll die today"
http://cygnus.ncohafmuta.com http://www.intergrafix.net
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Re: transfer of certificates?
Ok, I just read the mailing list archive and found Stephen's post about converting netscape certs, but I'm confused at step 8. Do I put key.db and cert5.db in the 4.0 directory as themselves, or rename them as the formerly deleted key3.db and cert7.db? I'm also confused on step 10. I don't totally understand what it means or how exactly to do it. I tried setting up a MIME type in NT of application/x-x509-user-cert and telling it "Handled by Netscape 4", but when I open the db (which db am I opening?) it just sits there, and there's none listed under Certificates - Yours.

Thanx, -Cygnus

.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco, Network Administrator/Engineer, [EMAIL PROTECTED], Intergrafix Internet Services
"Dream as if you'll live forever, live as if you'll die today"
http://cygnus.ncohafmuta.com http://www.intergrafix.net
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.

On Mon, 20 Sep 1999, Admin Mailing Lists wrote:

Hi, I'm just starting to run apache 1.3.9 with v1.3.7 of the apache-ssl patch, and openssl 0.9.4. This is all on Caldera Linux, 2.2.10 kernel. I've BEEN running Netscape Fasttrack for a while now, which has built-in SSL support. I have SSL certificates with my Netscape server; how specifically would I go about transferring them over to apache? Is this possible? Or do I have to re-register all my certificates with new CSRs or something? Secondly, I have a httpd.conf file for each domain. To set up a domain on port 80 and 443, how do I specify the SSL cert on port 443 only in that domain's config file? Do I have to make a virtual host directive for that port? Like: <VirtualHost www.intergrafix.net:443> SSL directives </VirtualHost> Thanx, -Cygnus
error complie 0.9.4, HELP!!
Hi all,

I tried to compile openssl 0.9.4 on Solaris 7 x86 and it gave me this error when I try to config it with this command:

sh config -L`pwd`/../rsaref-2.0/local/ rsaref -fPIC

the error is:

make[2]: Entering directory `/build/openssl-0.9.3a/crypto/sha'
gcc -I.. -I../../include -DTHREADS -D_REENTRANT -DRSAref -fPIC -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c sha_dgst.c -o sha_dgst.o
Assembler: sha_dgst.c
aline 303 : Illegal mnemonic
aline 303 : syntax error
aline 309 : Illegal mnemonic
aline 309 : syntax error
aline 314 : Illegal mnemonic
aline 314 : syntax error
aline 320 : Illegal mnemonic
aline 320 : syntax error
aline 536 : Illegal mnemonic
aline 536 : syntax error
aline 542 : Illegal mnemonic
aline 542 : syntax error
aline 547 : Illegal mnemonic
aline 547 : syntax error
aline 553 : Illegal mnemonic
aline 553 : syntax error
make[2]: *** [sha_dgst.o] Error 1
make[2]: Leaving directory `/build/openssl-0.9.3a/crypto/sha'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/build/openssl-0.9.3a/crypto'
make: *** [all] Error 1

how can I fix this? please help!

pe' -- UNIX System Admin. Distributed Computing Services Lake Superior State University 650 W. Easterday Ave. Sault Ste. Marie. MI 49783 USA. --
Re: openssl on redhat 6.0
admin linux wrote:

hi, been trying to make openssl on linux redhat 6.0 unsuccessfully. has anyone been able to build openssl*.tar.gz cleanly on redhat 6.0? TIA Rick
Re: Can't compile openssl on Solaris 7
I actually successfully installed Apache+mod_ssl+openssl-0.9.2b on my system and it works great. I use egcs-1.1.2 compiler, gnu make, Apache 1.3.6, mod_ssl-2.2.8-1.3.6, openssl-0.9.2b, mm-1.0.2, and rsaref20.1996.tar.gz. I followed the instructions that came with mod_ssl in the INSTALL file.

HTH

pe' -- UNIX System Admin. Distributed Computing Services Lake Superior State University 650 W. Easterday Ave. Sault Ste. Marie. MI 49783 USA. --

On Wed, 2 Jun 1999, Bodo Moeller wrote:

On Tue, Jun 01, 1999 at 04:15:40PM -0400, York Pang wrote: I try to install Apache-ssl on Solaris 2.7. First, I need to install Openssl. When I compile the package, I need to run "make", "make test", "make install", etc. However, make is not in the default path. I do a find, and get /usr/share/lib/make, /usr/ccs/bin/make, /usr/xpg4/bin/make. 1. When I tried these makes, I got error message: making all in crypto... sh: make: not found

Apparently you just called /usr/ccs/bin/make etc., but didn't include /usr/ccs/bin in your PATH. That cannot work.

Is there anyone out there who has succeeded in installing Apache-ssl on Solaris7?

I don't think there were reports of success yet ...