[openssl-users] Exclude unwanted ciphers during build
Is there a simple way of excluding unwanted ciphers or cipher suites during a build? I would like to remove ARIA in particular, but may want to remove additional ones in order to use a smaller footprint.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to compile 1.1.1 under Windows
Richard,

Moving Glob.pm into the main directory of the latest stable snapshot openssl-1.1.1-stable-SNAP-20181022 allowed it to bypass the missing Glob.pm message, but then it failed with the same set of "error C2065: 'INT32_MAX' : undeclared identifier" messages as the older openssl-1.1.1-stable-SNAP-20181018.

On Tue, Oct 23, 2018 at 3:31 AM Chris Clark wrote:
>
> Next I tried an older stable snapshot
> openssl-1.1.1-stable-SNAP-20181018 which configured without issue, but
> I got a different compile result:
>
> cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090
> /nologo /O2 /I "." /I "crypto\include" /I "include" -D"L_ENDIAN"
> -D"OPENSSL_PIC" -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2"
> -D"OPENSSL_BN_ASM_MONT" -D"OPENSSL_BN_ASM_MONT5"
> -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM" -D"SHA256_ASM" -D"SHA512_ASM"
> -D"KECCAK1600_ASM" -D"RC4_ASM" -D"MD5_ASM" -D"AES_ASM" -D"VPAES_ASM"
> -D"BSAES_ASM" -D"GHASH_ASM" -D"ECP_NISTZ256_ASM" -D"X25519_ASM"
> -D"PADLOCK_ASM" -D"POLY1305_ASM" -D"OPENSSLDIR=\"C:\\Program
> Files\\Common Files\\SSL\""
> -D"ENGINESDIR=\"C:\\openssl\\lib\\engines-1_1\"" -D"OPENSSL_SYS_WIN32"
> -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE"
> -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
> -D"OPENSSL_USE_APPLINK" -D"NDEBUG" -c /Focrypto\rand\drbg_ctr.obj
> "crypto\rand\drbg_ctr.c"
> drbg_ctr.c
> crypto\rand\drbg_ctr.c(399) : warning C4267: '=' : conversion from
> 'size_t' to 'int', possible loss of data
> crypto\rand\drbg_ctr.c(420) : error C2065: 'INT32_MAX' : undeclared identifier
> crypto\rand\drbg_ctr.c(422) : error C2065: 'INT32_MAX' : undeclared identifier
> crypto\rand\drbg_ctr.c(423) : error C2065: 'INT32_MAX' : undeclared identifier
> crypto\rand\drbg_ctr.c(424) : error C2065: 'INT32_MAX' : undeclared identifier
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> Studio 9.0\VC\BIN\amd64\cl.EXE"' : return code '0x2'
> Stop.
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
> Stop.
> On Tue, Oct 23, 2018 at 3:17 AM Chris Clark wrote:
> >
> > Thanks Richard. I downloaded the latest stable snapshot in order to
> > bypass the UINT16_MAX definition bug, but this version fails to
> > configure:
> >
> > C:\openssl-1.1.1-stable-SNAP-20181022>perl Configure VC-WIN64A
> > --prefix=c:/openssl no-makedepend
> > Can't locate OpenSSL/Glob.pm in @INC (you may need to install the
> > OpenSSL::Glob module) (@INC contains:
> > C:/openssl-1.1.1-stable-SNAP-20181022/util/perl c:/perl/site/lib
> > c:/perl/lib .) at Configure line 20.
> > BEGIN failed--compilation aborted at Configure line 20.
> >
> >
> > I'll try some of the older stable snapshots.
> > On Tue, Oct 23, 2018 at 2:22 AM Richard Levitte wrote:
> > >
> > > Silly me, I forgot we already fixed that bug:
> > >
> > > commit 6258e244bf702dc981c8ad63ab61133b8bbf2ba3
> > > Author: Richard Levitte
> > > Date: Wed Sep 12 02:06:26 2018 +0200
> > >
> > > crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined
> > >
> > > Fixes #7186
> > >
> > > Reviewed-by: Tim Hudson
> > > (Merged from https://github.com/openssl/openssl/pull/7193)
> > >
> > > (cherry picked from commit
> > > 88ea3685e4bf30fc529fe46e19effc6317726de8)
> > >
> > > Cheers,
> > > Richard
> > >
> > > In message <20181023.103453.1842719922424343673.levi...@openssl.org> on
> > > Tue, 23 Oct 2018 10:34:53 +0200 (CEST), Richard Levitte
> > > said:
> > >
> > > > That indicates we do things in the wrong order (foo.obj depends on
> > > > foo.d, meaning foo.d gets "built" first), but that's a side issue.
> > > >
> > > > You found a bug in crypto\sm2\sm2_sign.c, thank you. Are you willing
> > > > to write up a Github issue for it?
> > > >
> > > > In message
> > > > on
> > > > Tue, 23 Oct 2018 01:22:34 -0700, Chris Clark
> > > >
Re: [openssl-users] How to compile 1.1.1 under Windows
Next I tried an older stable snapshot openssl-1.1.1-stable-SNAP-20181018 which configured without issue, but I got a different compile result:

    cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090
    /nologo /O2 /I "." /I "crypto\include" /I "include" -D"L_ENDIAN"
    -D"OPENSSL_PIC" -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2"
    -D"OPENSSL_BN_ASM_MONT" -D"OPENSSL_BN_ASM_MONT5"
    -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM" -D"SHA256_ASM" -D"SHA512_ASM"
    -D"KECCAK1600_ASM" -D"RC4_ASM" -D"MD5_ASM" -D"AES_ASM" -D"VPAES_ASM"
    -D"BSAES_ASM" -D"GHASH_ASM" -D"ECP_NISTZ256_ASM" -D"X25519_ASM"
    -D"PADLOCK_ASM" -D"POLY1305_ASM"
    -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\""
    -D"ENGINESDIR=\"C:\\openssl\\lib\\engines-1_1\"" -D"OPENSSL_SYS_WIN32"
    -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE"
    -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
    -D"OPENSSL_USE_APPLINK" -D"NDEBUG" -c /Focrypto\rand\drbg_ctr.obj
    "crypto\rand\drbg_ctr.c"
    drbg_ctr.c
    crypto\rand\drbg_ctr.c(399) : warning C4267: '=' : conversion from 'size_t' to 'int', possible loss of data
    crypto\rand\drbg_ctr.c(420) : error C2065: 'INT32_MAX' : undeclared identifier
    crypto\rand\drbg_ctr.c(422) : error C2065: 'INT32_MAX' : undeclared identifier
    crypto\rand\drbg_ctr.c(423) : error C2065: 'INT32_MAX' : undeclared identifier
    crypto\rand\drbg_ctr.c(424) : error C2065: 'INT32_MAX' : undeclared identifier
    NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\cl.EXE"' : return code '0x2'
    Stop.
    NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
    Stop.

On Tue, Oct 23, 2018 at 3:17 AM Chris Clark wrote:
>
> Thanks Richard. I downloaded the latest stable snapshot in order to
> bypass the UINT16_MAX definition bug, but this version fails to
> configure:
>
> C:\openssl-1.1.1-stable-SNAP-20181022>perl Configure VC-WIN64A
> --prefix=c:/openssl no-makedepend
> Can't locate OpenSSL/Glob.pm in @INC (you may need to install the
> OpenSSL::Glob module) (@INC contains:
> C:/openssl-1.1.1-stable-SNAP-20181022/util/perl c:/perl/site/lib
> c:/perl/lib .) at Configure line 20.
> BEGIN failed--compilation aborted at Configure line 20.
>
>
> I'll try some of the older stable snapshots.
> On Tue, Oct 23, 2018 at 2:22 AM Richard Levitte wrote:
> >
> > Silly me, I forgot we already fixed that bug:
> >
> > commit 6258e244bf702dc981c8ad63ab61133b8bbf2ba3
> > Author: Richard Levitte
> > Date: Wed Sep 12 02:06:26 2018 +0200
> >
> > crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined
> >
> > Fixes #7186
> >
> > Reviewed-by: Tim Hudson
> > (Merged from https://github.com/openssl/openssl/pull/7193)
> >
> > (cherry picked from commit 88ea3685e4bf30fc529fe46e19effc6317726de8)
> >
> > Cheers,
> > Richard
> >
> > In message <20181023.103453.1842719922424343673.levi...@openssl.org> on
> > Tue, 23 Oct 2018 10:34:53 +0200 (CEST), Richard Levitte
> > said:
> >
> > > That indicates we do things in the wrong order (foo.obj depends on
> > > foo.d, meaning foo.d gets "built" first), but that's a side issue.
> > >
> > > You found a bug in crypto\sm2\sm2_sign.c, thank you. Are you willing
> > > to write up a Github issue for it?
> > >
> > > In message
> > > on
> > > Tue, 23 Oct 2018 01:22:34 -0700, Chris Clark
> > > said:
> > >
> > > > Thank you Richard. Adding the "no-makedepend" avoided the fatal error
> > > > U1077, but now it fails due to an undeclared identifier:
> > > >
> > > > cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 /I
> > > > "." /I "crypto\include" /I "include" -D"L_ENDIAN" -D"OPENSSL_PIC"
> > > > -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2" -D"OPENSSL_BN_ASM_MONT"
> > > > -D"OPENSSL_BN_ASM_MONT5" -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM"
> > > > -D"SHA256_ASM" -D"SHA512_ASM" -D"KECCAK1600_ASM" -D"RC4_ASM"
> > > >
Re: [openssl-users] How to compile 1.1.1 under Windows
Thanks Richard. I downloaded the latest stable snapshot in order to bypass the UINT16_MAX definition bug, but this version fails to configure:

    C:\openssl-1.1.1-stable-SNAP-20181022>perl Configure VC-WIN64A --prefix=c:/openssl no-makedepend
    Can't locate OpenSSL/Glob.pm in @INC (you may need to install the OpenSSL::Glob module) (@INC contains: C:/openssl-1.1.1-stable-SNAP-20181022/util/perl c:/perl/site/lib c:/perl/lib .) at Configure line 20.
    BEGIN failed--compilation aborted at Configure line 20.

I'll try some of the older stable snapshots.

On Tue, Oct 23, 2018 at 2:22 AM Richard Levitte wrote:
>
> Silly me, I forgot we already fixed that bug:
>
> commit 6258e244bf702dc981c8ad63ab61133b8bbf2ba3
> Author: Richard Levitte
> Date: Wed Sep 12 02:06:26 2018 +0200
>
> crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined
>
> Fixes #7186
>
> Reviewed-by: Tim Hudson
> (Merged from https://github.com/openssl/openssl/pull/7193)
>
> (cherry picked from commit 88ea3685e4bf30fc529fe46e19effc6317726de8)
>
> Cheers,
> Richard
>
> In message <20181023.103453.1842719922424343673.levi...@openssl.org> on Tue,
> 23 Oct 2018 10:34:53 +0200 (CEST), Richard Levitte said:
>
> > That indicates we do things in the wrong order (foo.obj depends on
> > foo.d, meaning foo.d gets "built" first), but that's a side issue.
> >
> > You found a bug in crypto\sm2\sm2_sign.c, thank you. Are you willing
> > to write up a Github issue for it?
> >
> > In message
> > on
> > Tue, 23 Oct 2018 01:22:34 -0700, Chris Clark said:
> >
> > > Thank you Richard. Adding the "no-makedepend" avoided the fatal error
> > > U1077, but now it fails due to an undeclared identifier:
> > >
> > > cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 /I
> > > "." /I "crypto\include" /I "include" -D"L_ENDIAN" -D"OPENSSL_PIC"
> > > -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2" -D"OPENSSL_BN_ASM_MONT"
> > > -D"OPENSSL_BN_ASM_MONT5" -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM"
> > > -D"SHA256_ASM" -D"SHA512_ASM" -D"KECCAK1600_ASM" -D"RC4_ASM"
> > > -D"MD5_ASM" -D"AES_ASM" -D"VPAES_ASM" -D"BSAES_ASM" -D"GHASH_ASM"
> > > -D"ECP_NISTZ256_ASM" -D"X25519_ASM" -D"PADLOCK_ASM" -D"POLY1305_ASM"
> > > -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\""
> > > -D"ENGINESDIR=\"C:\\openssl\\lib\\engines-1_1\"" -D"OPENSSL_SYS_WIN32"
> > > -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE"
> > > -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
> > > -D"OPENSSL_USE_APPLINK" -D"NDEBUG" -c /Focrypto\sm2\sm2_sign.obj
> > > "crypto\sm2\sm2_sign.c"
> > > sm2_sign.c
> > > crypto\sm2\sm2_sign.c(70) : error C2065: 'UINT16_MAX' : undeclared
> > > identifier
> > > NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> > > Studio 9.0\VC\BIN\amd64\cl.EXE"' : return code '0x2'
> > > Stop.
> > > NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> > > Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
> > > Stop.
> > > On Tue, Oct 23, 2018 at 12:19 AM Richard Levitte
> > > wrote:
> > > >
> > > > I suspect you'll find some kind of error message in
> > > > crypto\sm2\sm2_sign.d. I suspect that /showIncludes isn't supported
> > > > in VS 2008.
> > > >
> > > > There is a workaround for this problem, and it's to use the
> > > > 'no-makedepend' option:
> > > >
> > > > perl Configure VC-WIN64A --prefix=c:/openssl no-makedepend
> > > >
> > > > For a single build, that should be good enough.
> > > >
> > > > Cheers,
> > > > Richard
> > > >
> > > > In message
> > > > on
> > > > Mon, 22 Oct 2018 23:50:46 -0700, Chris Clark
> > > > said:
> > > >
> > > > > I am attempting to upgrade a project using OpenSSL 1.0.0h to version
> > > > > 1.1.1 under Visual Studio 2008-SP1, but when I try to compile version
> > > > > 1.1.1 for
Re: [openssl-users] How to compile 1.1.1 under Windows
Thank you Richard. Adding the "no-makedepend" avoided the fatal error U1077, but now it fails due to an undeclared identifier:

    cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 /I
    "." /I "crypto\include" /I "include" -D"L_ENDIAN" -D"OPENSSL_PIC"
    -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2" -D"OPENSSL_BN_ASM_MONT"
    -D"OPENSSL_BN_ASM_MONT5" -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM"
    -D"SHA256_ASM" -D"SHA512_ASM" -D"KECCAK1600_ASM" -D"RC4_ASM"
    -D"MD5_ASM" -D"AES_ASM" -D"VPAES_ASM" -D"BSAES_ASM" -D"GHASH_ASM"
    -D"ECP_NISTZ256_ASM" -D"X25519_ASM" -D"PADLOCK_ASM" -D"POLY1305_ASM"
    -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\""
    -D"ENGINESDIR=\"C:\\openssl\\lib\\engines-1_1\"" -D"OPENSSL_SYS_WIN32"
    -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE"
    -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
    -D"OPENSSL_USE_APPLINK" -D"NDEBUG" -c /Focrypto\sm2\sm2_sign.obj
    "crypto\sm2\sm2_sign.c"
    sm2_sign.c
    crypto\sm2\sm2_sign.c(70) : error C2065: 'UINT16_MAX' : undeclared identifier
    NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\cl.EXE"' : return code '0x2'
    Stop.
    NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
    Stop.

On Tue, Oct 23, 2018 at 12:19 AM Richard Levitte wrote:
>
> I suspect you'll find some kind of error message in
> crypto\sm2\sm2_sign.d. I suspect that /showIncludes isn't supported
> in VS 2008.
>
> There is a workaround for this problem, and it's to use the
> 'no-makedepend' option:
>
> perl Configure VC-WIN64A --prefix=c:/openssl no-makedepend
>
> For a single build, that should be good enough.
>
> Cheers,
> Richard
>
> In message
> on Mon,
> 22 Oct 2018 23:50:46 -0700, Chris Clark said:
>
> > I am attempting to upgrade a project using OpenSSL 1.0.0h to version
> > 1.1.1 under Visual Studio 2008-SP1, but when I try to compile version
> > 1.1.1 for VC-WIN64A I get the following compile error:
> >
> > cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo
> > /O2 /I "." /I "crypto\include" /I "include" -D"L_ENDIAN"
> > -D"OPENSSL_PIC" -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2"
> > -D"OPENSSL_BN_ASM_MONT" -D"OPENSSL_BN_ASM_MONT5"
> > -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM" -D"SHA256_ASM" -D"SHA512_ASM"
> > -D"KECCAK1600_ASM" -D"RC4_ASM" -D"MD5_ASM" -D"AES_ASM" -D"VPAES_ASM"
> > -D"BSAES_ASM" -D"GHASH_ASM" -D"ECP_NISTZ256_ASM" -D"X25519_ASM"
> > -D"PADLOCK_ASM" -D"POLY1305_ASM" -D"OPENSSLDIR=\"C:\\Program
> > Files\\Common Files\\SSL\""
> > -D"ENGINESDIR=\"C:\\openssl\\lib\\engines-1_1\"" -D"OPENSSL_SYS_WIN32"
> > -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE"
> > -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
> > -D"OPENSSL_USE_APPLINK" -D"NDEBUG" /Zs /showIncludes
> > "crypto\sm2\sm2_sign.c" 2>&1 > crypto\sm2\sm2_sign.d
> > NMAKE : fatal error U1077: 'cl' : return code '0x2'
> > Stop.
> > NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> > Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
> > Stop.
> >
> > My Command lines from the VS 2008 x64 Command Prompt are:
> > perl Configure VC-WIN64A --prefix=c:/openssl
> > nmake
> >
> > I also tried compiling the latest stable snapshot
> > (openssl-1.1.1-stable-SNAP-20181022) with the same results. However
> > version 1.1.0h compiles without error. Can anyone tell me what the
> > problem is?
> >
> > Here is the configuration dump:
> >
> > Command line (with current working directory = .):
> > c:\perl\bin\perl.exe Configure VC-WIN64A --prefix=c:/openssl
> > Perl information:
> > c:\perl\bin\perl.exe
> > 5.24.3 for MSWin32-x64-multi-thread
> > Enabled features:
> > aria
> > asm
> > async
> > autoalginit
Re: [openssl-users] How to compile 1.1.1 under Windows
Sorry, I meant to say I'm upgrading from 1.1.0h.

On Tue, Oct 23, 2018 at 12:20 AM Dr. Matthias St. Pierre wrote:
>
> Oh, I should have read your mail until the end:
>
> Are you upgrading from 1.0.0h or 1.1.0h? Your post mentions both versions.
>
> > -----Original Message-----
> > From: openssl-users On Behalf Of Dr.
> > Matthias St. Pierre
> > Sent: Tuesday, 23 October 2018 09:17
> > To: openssl-users@openssl.org
> > Subject: Re: [openssl-users] How to compile 1.1.1 under Windows
> >
> > Hi,
> >
> > a lot of structures were made opaque going from 1.0.2 to 1.1.0.
> > This means, you will have to make changes to your program source code
> > to compile it against 1.1.0 or 1.1.1.
> >
> > For details, see https://www.openssl.org/docs/faq.html#PROG2
> >
> > HTH,
> > Matthias
> >
> >
> > > -----Original Message-----
> > > From: openssl-users On Behalf Of
> > > Chris Clark
> > > Sent: Tuesday, 23 October 2018 08:51
> > > To: openssl-users@openssl.org
> > > Subject: [openssl-users] How to compile 1.1.1 under Windows
> > >
> > > I am attempting to upgrade a project using OpenSSL 1.0.0h to version
> > > 1.1.1 under Visual Studio 2008-SP1, but when I try to compile version
> > > 1.1.1 for VC-WIN64A I get the following compile error:
> > >
> > > cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo
> > > /O2 /I "." /I "crypto\include" /I "include" -D"L_ENDIAN"
> > > -D"OPENSSL_PIC" -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2"
> > > -D"OPENSSL_BN_ASM_MONT" -D"OPENSSL_BN_ASM_MONT5"
> > > -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM" -D"SHA256_ASM" -D"SHA512_ASM"
> > > -D"KECCAK1600_ASM" -D"RC4_ASM" -D"MD5_ASM" -D"AES_ASM" -D"VPAES_ASM"
> > > -D"BSAES_ASM" -D"GHASH_ASM" -D"ECP_NISTZ256_ASM" -D"X25519_ASM"
> > > -D"PADLOCK_ASM" -D"POLY1305_ASM" -D"OPENSSLDIR=\"C:\\Program
> > > Files\\Common Files\\SSL\""
> > > -D"ENGINESDIR=\"C:\\openssl\\lib\\engines-1_1\"" -D"OPENSSL_SYS_WIN32"
> > > -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE"
> > > -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
> > > -D"OPENSSL_USE_APPLINK" -D"NDEBUG" /Zs /showIncludes
> > > "crypto\sm2\sm2_sign.c" 2>&1 > crypto\sm2\sm2_sign.d
> > > NMAKE : fatal error U1077: 'cl' : return code '0x2'
> > > Stop.
> > > NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> > > Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
> > > Stop.
> > >
> > > My Command lines from the VS 2008 x64 Command Prompt are:
> > > perl Configure VC-WIN64A --prefix=c:/openssl
> > > nmake
> > >
> > > I also tried compiling the latest stable snapshot
> > > (openssl-1.1.1-stable-SNAP-20181022) with the same results. However
> > > version 1.1.0h compiles without error. Can anyone tell me what the
> > > problem is?
> > >
> > > Here is the configuration dump:
> > >
> > > Command line (with current working directory = .):
> > > c:\perl\bin\perl.exe Configure VC-WIN64A --prefix=c:/openssl
> > > Perl information:
> > > c:\perl\bin\perl.exe
> > > 5.24.3 for MSWin32-x64-multi-thread
> > > Enabled features:
> > > aria
> > > asm
> > > async
> > > autoalginit
> > > autoerrinit
> > > autoload-config
> > > bf
> > > blake2
> > > camellia
> > > capieng
> > > cast
> > > chacha
> > > cmac
> > > cms
> > > comp
> > > ct
> > > deprecated
> > > des
> > > dgram
> > > dh
> > > dsa
> > > dso
> > > dtls
> > > dynamic-engine
> > > ec
> > > ec2m
> > > ecdh
> > > ecdsa
> > > engine
> > > err
> > > filenames
> > > gost
> > > hw(-.+)?
> > > idea
> > > makedepend
> > >
[openssl-users] How to compile 1.1.1 under Windows
I am attempting to upgrade a project using OpenSSL 1.0.0h to version 1.1.1 under Visual Studio 2008-SP1, but when I try to compile version 1.1.1 for VC-WIN64A I get the following compile error:

    cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo
    /O2 /I "." /I "crypto\include" /I "include" -D"L_ENDIAN"
    -D"OPENSSL_PIC" -D"OPENSSL_CPUID_OBJ" -D"OPENSSL_IA32_SSE2"
    -D"OPENSSL_BN_ASM_MONT" -D"OPENSSL_BN_ASM_MONT5"
    -D"OPENSSL_BN_ASM_GF2m" -D"SHA1_ASM" -D"SHA256_ASM" -D"SHA512_ASM"
    -D"KECCAK1600_ASM" -D"RC4_ASM" -D"MD5_ASM" -D"AES_ASM" -D"VPAES_ASM"
    -D"BSAES_ASM" -D"GHASH_ASM" -D"ECP_NISTZ256_ASM" -D"X25519_ASM"
    -D"PADLOCK_ASM" -D"POLY1305_ASM"
    -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\""
    -D"ENGINESDIR=\"C:\\openssl\\lib\\engines-1_1\"" -D"OPENSSL_SYS_WIN32"
    -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE"
    -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
    -D"OPENSSL_USE_APPLINK" -D"NDEBUG" /Zs /showIncludes
    "crypto\sm2\sm2_sign.c" 2>&1 > crypto\sm2\sm2_sign.d
    NMAKE : fatal error U1077: 'cl' : return code '0x2'
    Stop.
    NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
    Stop.

My Command lines from the VS 2008 x64 Command Prompt are:

    perl Configure VC-WIN64A --prefix=c:/openssl
    nmake

I also tried compiling the latest stable snapshot (openssl-1.1.1-stable-SNAP-20181022) with the same results. However version 1.1.0h compiles without error. Can anyone tell me what the problem is?

Here is the configuration dump:

Command line (with current working directory = .):
    c:\perl\bin\perl.exe Configure VC-WIN64A --prefix=c:/openssl

Perl information:
    c:\perl\bin\perl.exe
    5.24.3 for MSWin32-x64-multi-thread

Enabled features:
    aria asm async autoalginit autoerrinit autoload-config bf blake2
    camellia capieng cast chacha cmac cms comp ct deprecated des dgram
    dh dsa dso dtls dynamic-engine ec ec2m ecdh ecdsa engine err
    filenames gost hw(-.+)? idea makedepend md4 mdc2 multiblock
    nextprotoneg ocb ocsp pic poly1305 posix-io psk rc2 rc4 rdrand
    rfc3779 rmd160 scrypt seed shared siphash sm2 sm3 sm4 sock srp srtp
    sse2 ssl static-engine stdio tests threads tls ts ui-console
    whirlpool tls1 tls1-method tls1_1 tls1_1-method tls1_2 tls1_2-method
    tls1_3 dtls1 dtls1-method dtls1_2 dtls1_2-method

Disabled features:
    afalgeng                [not-linux]
    asan                    [default]  OPENSSL_NO_ASAN
    crypto-mdebug           [default]  OPENSSL_NO_CRYPTO_MDEBUG
    crypto-mdebug-backtrace [default]  OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
    devcryptoeng            [default]  OPENSSL_NO_DEVCRYPTOENG
    ec_nistp_64_gcc_128     [default]  OPENSSL_NO_EC_NISTP_64_GCC_128
    egd                     [default]  OPENSSL_NO_EGD
    external-tests          [default]  OPENSSL_NO_EXTERNAL_TESTS
    fuzz-libfuzzer          [default]  OPENSSL_NO_FUZZ_LIBFUZZER
    fuzz-afl                [default]  OPENSSL_NO_FUZZ_AFL
    heartbeats              [default]  OPENSSL_NO_HEARTBEATS
    md2                     [default]  OPENSSL_NO_MD2 (skip crypto\md2)
    msan                    [default]  OPENSSL_NO_MSAN
    rc5                     [default]  OPENSSL_NO_RC5 (skip crypto\rc5)
    sctp                    [default]  OPENSSL_NO_SCTP
    ssl-trace               [default]  OPENSSL_NO_SSL_TRACE
    ubsan                   [default]  OPENSSL_NO_UBSAN
    unit-test               [default]  OPENSSL_NO_UNIT_TEST
    weak-ssl-ciphers        [default]  OPENSSL_NO_WEAK_SSL_CIPHERS
    zlib                    [default]
    zlib-dynamic            [default]
    ssl3                    [default]  OPENSSL_NO_SSL3
    ssl3-method             [default]  OPENSSL_NO_SSL3_METHOD

Config target attributes:
    AR => "lib",
    ARFLAGS => "/nologo",
    AS => "nasm",
    ASFLAGS => "-g",
    CC => "cl",
    CFLAGS => "/W3 /wd4090 /nologo /O2",
    CPP => "\$(CC) /EP /C",
    HASHBANGPERL => "/usr/bin/env perl",
    LD => "link",
    LDFLAGS => "/nologo /debug",
    MT => "mt",
    MTFLAGS => "-nologo",
    RANLIB => "CODE(0x65aff0)",
    RC => "rc",
    aes_asm_src => "aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
    aes_obj => "aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o",
    apps_aux_src => "win32_init.c",
    apps_init_src => "../ms/applink.c",
    apps_obj => "win32_init.o",
    aroutflag => "/out:",
    asflags => "-Ox -f win64 -DNEAR",
    asoutflag => "-o ",
    bf_asm_src => "bf_enc.c",
    bf_obj => "bf_enc.o",
    bin_cflags => "/Zi /Fdapp.pdb",
    bin_lflag
[openssl-users] How to detect AES-NI compatible CPU
My application links to OpenSSL 1.1.0 dynamically, and I would like to be able to determine if the CPU supports the AES-NI instruction set. Is there an OpenSSL API that can do this?

-Chris
Re: [openssl-users] How to enable RC4 in OpenSSL 1.1.0c
On Thu, Jan 19, 2017 at 10:36 AM, Matt Caswell wrote:
> Try this:
>
> openssl ciphers -v "ALL:@SECLEVEL=0"

Okay that worked! Thanks to everyone that responded. I saw Rich Salz mentioned using ALL, but I didn't realize it was a parameter.

-Chris
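
Added example, not part of the thread: a POSIX shell helper that reads `openssl ciphers -v` output in the column format shown in the listings on this page and reports which suites use a given bulk cipher, so a build can be checked for RC4 after it is configured. The function names and the sample lines are constructed for illustration and were not captured from a real build.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` output for a given bulk cipher.
# Real use (command strings taken from the thread above):
#   openssl ciphers -v                     | suites_with_enc RC4
#   openssl ciphers -v "ALL:@SECLEVEL=0"   | suites_with_enc RC4

# Constructed sample in the `openssl ciphers -v` column layout:
# suite name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=
sample_cipher_list() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
EOF
}

# suites_with_enc ALG
# Reads `ciphers -v` lines on stdin and prints the name of every suite whose
# Enc= field names ALG. The match is on the Enc= column, not on the suite
# name, so a suite is reported by what it encrypts with, not by what it is called.
suites_with_enc() {
    awk -v want="$1" '
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Enc=/) {
                    alg = substr($i, 5)      # drop the "Enc=" prefix
                    sub(/\(.*$/, "", alg)    # drop the "(bits)" suffix
                    if (alg == want) print $1
                }
            }
        }'
}

# assert_no_enc ALG
# Exit status 0 when no suite on stdin uses ALG, 1 otherwise. Usable as a
# post-build gate for builds that must not expose a legacy cipher.
assert_no_enc() {
    found=$(suites_with_enc "$1")
    [ -z "$found" ]
}

# Stand-alone run: list the RC4 suites in the constructed sample.
sample_cipher_list | suites_with_enc RC4
```

Running the helper against both the default list and the `ALL:@SECLEVEL=0` list shows whether RC4 is absent from the build or only absent from the default selection.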
Re: [openssl-users] How to enable RC4 in OpenSSL 1.1.0c
On Wed, Jan 18, 2017 at 7:01 PM, Viktor Dukhovni wrote:
> Sadly this does not shed much light on the build options.

Here is more info, and now I added the "enable-ssl3" and "enable-ssl3-method" options:

    c:\openssl-1.1.0c64>perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4 enable-ssl3 enable-ssl3-method
    Configuring OpenSSL version 1.1.0c (0x1010003fL)
    no-asan                    [default] OPENSSL_NO_ASAN
    no-crypto-mdebug           [default] OPENSSL_NO_CRYPTO_MDEBUG
    no-crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
    no-ec_nistp_64_gcc_128     [default] OPENSSL_NO_EC_NISTP_64_GCC_128
    no-egd                     [default] OPENSSL_NO_EGD
    no-fuzz-afl                [default] OPENSSL_NO_FUZZ_AFL
    no-fuzz-libfuzzer          [default] OPENSSL_NO_FUZZ_LIBFUZZER
    no-heartbeats              [default] OPENSSL_NO_HEARTBEATS
    no-md2                     [default] OPENSSL_NO_MD2 (skip dir)
    no-msan                    [default] OPENSSL_NO_MSAN
    no-rc5                     [default] OPENSSL_NO_RC5 (skip dir)
    no-sctp                    [default] OPENSSL_NO_SCTP
    no-ssl-trace               [default] OPENSSL_NO_SSL_TRACE
    no-ubsan                   [default] OPENSSL_NO_UBSAN
    no-unit-test               [default] OPENSSL_NO_UNIT_TEST
    no-zlib                    [default]
    no-zlib-dynamic            [default]
    Configuring for VC-WIN64A

    It looks like you don't have either nmake.exe or dmake.exe on your PATH,
    so you will not be able to execute the commands from a Makefile. You can
    install dmake.exe with the Perl Package Manager by running:

        ppm install dmake

    CC=cl
    CFLAG =-W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNICODE /MD /O2
    SHARED_CFLAG =
    DEFINES =OPENSSL_USE_APPLINK DSO_WIN32 NDEBUG OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM RC4_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM
    LFLAG =/nologo /debug
    PLIB_LFLAG=
    EX_LIBS =ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib
    APPS_OBJ =win32_init.o ../ms/applink.o
    CPUID_OBJ =x86_64cpuid.o
    UPLINK_OBJ=../ms/uplink.o uplink-x86_64.o
    BN_ASM=bn_asm.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
    EC_ASM=ecp_nistz256.o ecp_nistz256-x86_64.o
    DES_ENC =des_enc.o fcrypt_b.o
    AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
    BF_ENC=bf_enc.o
    CAST_ENC =c_enc.o
    RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o
    RC5_ENC =rc5_enc.o
    MD5_OBJ_ASM =md5-x86_64.o
    SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
    RMD160_OBJ_ASM=
    CMLL_ENC =cmll-x86_64.o cmll_misc.o
    MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o
    PADLOCK_OBJ =e_padlock-x86_64.o
    CHACHA_ENC=chacha-x86_64.o
    POLY1305_OBJ =poly1305-x86_64.o
    BLAKE2_OBJ=
    PROCESSOR =
    RANLIB=true
    ARFLAGS =/nologo
    PERL =c:\perl\bin\perl.exe

    SIXTY_FOUR_BIT mode

    Configured for VC-WIN64A.

Notice it says that dmake.exe is not in my path, but this appears to be a bug as I am running this from a Visual Studio 2008 x64 Command Prompt, and nmake.exe is indeed in the path, located in:

    c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin\amd64

Here is the batch file which I use:

    SET PREFIX=C:\openssl64
    SET OPENSSLDIR=C:\openssl64
    perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4 enable-ssl3 enable-ssl3-method
    nmake

Here is my development environment:

    Windows 10 Professional
    Visual Studio 2008 version 9.0.30729.1 SP1
    ActivePerl version 5.22.2
    NASM version 2.12.02

nmake compiles without errors, though there are many "conversion from size_t" warnings.

The results of running "openssl.exe ciphers -v" which I do not find any RC4 ciphers:

    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 K
Re: [openssl-users] How to enable RC4 in OpenSSL 1.1.0c
On Wed, Jan 18, 2017 at 3:37 PM, Viktor Dukhovni wrote:
>> I am trying to compile OpenSSL 1.1.0c for Visual Studio with the
>> depreciated RC4 cipher enabled.
>> I tried the following configure line:
>> perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4
>>
>> Once I compile, and I run "openssl ciphers -v" it does not show any RC4
>> ciphers.
>> Is there another parameter needed?
>
> Which "openssl" command did you run and against which libraries?
> Report the output of "openssl version -a".

    OpenSSL 1.1.0c 10 Nov 2016
    built on: reproducible build, date unspecified
    platform:
    compiler: cl " "VC-WIN64A
    OPENSSLDIR: "c:\openssl64"
    ENGINESDIR: "C:\openssl64\lib\engines-1_1"

Here is the batch file I used:

    SET PREFIX=C:\openssl64
    SET OPENSSLDIR=C:\openssl64
    perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4
    nmake

>> I would also like to know, is it possible to also enable the depreciated SSL3
>> ciphers?
>
> Do you mean the ciphers or the protocol? Many SSLv3 ciphers are
> still needed for interoperable TLS 1.0/1.1/1.2

Sorry, I meant to say the SSLv3 protocol.

-Chris
[openssl-users] How to enable RC4 in OpenSSL 1.1.0c
I am trying to compile OpenSSL 1.1.0c for Visual Studio with the depreciated RC4 cipher enabled. I tried the following configure line:

    perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4

Once I compile, and I run "openssl cipher -v" it does not show any RC4 ciphers. Is there another parameter needed?

I would also like to know, is it possible to also enable the depreciated SSL3 ciphers?

-Chris
Re: [openssl-users] FW: Website changing this weekend
Hi Rich,

I'm curious why the new download page lists version 1.01p before version 1.02d? Is it suggesting that users download the 1.01 branch instead of the later one?

-Chris

On Fri, Aug 14, 2015 at 1:26 PM, Salz, Rich wrote:
>
> From: Salz, Rich [mailto:rs...@akamai.com]
> Sent: Friday, August 14, 2015 4:20 PM
> To: openssl-annou...@openssl.org
> Subject: [openssl-announce] Website changing this weekend
>
> We're bringing up a new website this weekend. Please be patient if you have
> problems. If you notice any broken links, let us know.
>
> Thanks.
SSLv23_Server_Method() not working in OpenSSL 1.01e
I just updated my Win64 server app from OpenSSL 1.0.0k to 1.01e, and I noticed that although it was configured to use the SSLv23_Server_method(), it no longer accepts SSLv3 connections from clients as it did using 1.0.0k. It does accept TLSv1 connections this way however.

If I change it to use SSLv23_method() on the server, then the client connects successfully. However if I force the client to connect using SSLv3 then the result is a TLSv1 connection instead.

I double checked that everything works as it should when I go back to using OpenSSL 1.0.0k on my server app. Is this a known issue in 1.0.1e?

-Chris

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
VS2010 compatibility?
Can anyone confirm if OpenSSL 1.0.0a is compatible with Visual Studio 2010? -Chris
Re: Apache "SSL3_ACCEPT:unsafe legacy renegotiation disabled"?
On Thu, Apr 1, 2010 at 3:11 AM, Jason Haar wrote:
> Hi there
>
> We have a CentOS-4.8 server that was upgraded to
> httpd-2.0.52-41.ent.7.centos4 this week -

You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
Your version is years old.

-Chris
Re: Broadcom & OpenSSL support
> One specific advancement is the AES-specific instruction set in the 2010
> Intel Core™ processor family; an excerpt:
> Intel® AES instructions are a new set of instructions available beginning
> with the all new 2010 Intel® Core™ processor family based on the 32nm Intel®
> microarchitecture codename Westmere. These instructions enable fast and
> secure data encryption and decryption, using the Advanced Encryption
> Standard (AES) which is defined by FIPS Publication number 197.

Does anyone know if support for this hardware based AES is planning to be implemented into OpenSSL anytime soon?

-Chris
Re: Downage
What he means, is that the openssl.org web site was down most of yesterday.. But I see it is working again today.

-Chris

On Tue, Mar 9, 2010 at 2:34 AM, tensy joseph wrote:
> What you mean by Downage on 8th March 2010? Can you please elaborate?
>
> On Mon, Mar 8, 2010 at 8:16 PM, The Doctor wrote:
>>
>> Downage on 8 March 2010 . When will this be rectified?
Re: commercial OpenSSL use
Hi Alan,

If you re-read below you will see it says this:

If...advertisement of the product... that lists a line item of a feature that your software has which is dependent on use of OpenSSL, you must follow the...

So if your advertisement does not list any encryption or other features provided by OpenSSL, there is no problem.

-Chris

On 7/17/08, Alan Wolfe <[EMAIL PROTECTED]> wrote:
> That's kind of difficult because we are making a retail video game that uses
> libcurl to talk http for one of the minor features the game has.
>
> We've already had commercials on tv and tons of advertisements go out.
>
> It seems like pretty tough guidelines to have all advertisement materials
> say this.
>
> I'm a coder so I know where the license is coming from but from a practical
> standpoint I know I couldn't convince my company to do this in tv
> commercials, magazine ads etc. I know they would be ok to put something in
> the credits but apparently that's not enough here.
>
> Growl I guess I'm going to have to find an alternative ):
>
> Thanks for your help
>
> On Wed, Jul 16, 2008 at 11:52 PM, Ted Mittelstaedt <[EMAIL PROTECTED]> wrote:
> >
> > It is fine to use OpenSSL as long as the instructions IN that license are
> > followed, note:
> >
> > "...All advertising materials mentioning features ..."
> >
> > That is pretty broad. Basically, if your commercial application has a
> > spec sheet or other sheet that is distributed as part of an advertisement
> > of the product (available on the website for download, or whatever) that
> > lists a line item of a feature that your software has which is dependent on
> > use of OpenSSL, you must follow the:
> >
> > "This product includes software developed by the OpenSSL Project
> > for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
> >
> > restriction, PLUS:
> >
> > "This product includes cryptographic software written by
> > * Eric Young ([EMAIL PROTECTED])"
> > * The word 'cryptographic' can be left out if the rouines from the library
> > * being used are not cryptographic related :-).
> > * 4. If you include any Windows specific code (or a derivative thereof) from
> > * the apps directory (application code) you must include an acknowledgement:
> > * "This product includes software written by Tim Hudson ([EMAIL PROTECTED])"
> >
> > those restrictions as well.
> >
> > Make sure your marketing people are informed, and make sure that your
> > company lawyer impresses on your director of marketing the importance
> > of following the license, regardless of their own opinions of how "cluttered"
> > these additions make a particular piece of advertising.
> >
> > It's a pretty easy set of instructions to follow in the license, IMHO. The
> > problem you run into is these stupid graphic artists that companies seem
> > to employ who create a lot of marketing slicks, and care mostly about
> > getting a particular "look" in the slick, and don't give a damn about anything
> > else.
> >
> > Ted
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan Wolfe
> > Sent: Wednesday, July 16, 2008 4:46 PM
> > To: openssl-users@openssl.org
> > Subject: commercial OpenSSL use
> >
> > Hi!
> >
> > I'm making a commercial application for windows which uses libcurl.
> >
> > This build of libcurl I'm usings links to both zlib and openssl.
> >
> > I know libcurl and zlib themselves are fine for us to use commercially but
> > OpenSSL seemed a little more grey.
> >
> > It seems like it's ok to use OpenSSL commercially so long as this file is
> > included along with the application:
> >
> > http://www.openssl.org/source/license.html
> >
> > would that be correct?
> >
> > Thanks so much!
> > Alan
Re: Please help: very urgent: Query on patented algorithms
On 6/16/08, bagavathy raj <[EMAIL PROTECTED]> wrote:
> Hi,
> Is there any binary distribution where I can find SSL dlls without
> patented algorithms like IDEA,MCD2,RC4,RC5 etc. I tried compiling
> without them. I could exclude other algos but not RC4. Some linking
> issues. So i need to know if there is any ssl release without the
> patented algorithms.

RC4 is owned (and trademarked) by RSA Security Inc, but they are no longer enforcing the patent, and will allow free usage of the OpenSSL implementation of this cipher to those that ask. However they do require that OpenSSL toolkit users either do not call it RC4, or call it "Alleged RC4 cipher" to avoid trademark infringement. If you even mention the words RC4 in your documentation you may need to mention that it is "Alleged" and that RC4 is a trademark of RSA Security.

RC2 is also a trademark of RSA Security, but this one can be used without the "Alleged" prefix, providing you list them as the trademark owner.

Disclaimer: I am not a lawyer, and I suggest you contact RSA directly to confirm this information on your own.

-Chris
Re: Max length of company field
I tried this here, and it accepted the Organization Name that you provided "long Name problems making Certificate Request" without any errors. As you can see, this name is only 45 characters long, and the maxsize is 64 characters.

-Chris

On 6/9/08, Florian Lindner <[EMAIL PROTECTED]> wrote:
> Hallo,
>
> I want to create a Certificate Signing Request (CSR) with Debian etch
> openssl.
>
> openssl req -new -nodes -keyout cc.key -out cc.csr
>
> But my company name seems to be a bit too long.,
>
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:long Name
> problems making Certificate Request
> 21868:error:0D07A097:asn1 encoding
> routines:ASN1_mbstring_ncopy:string too
> long:a_mbstr.c:154:maxsize=64
Re: RC4-MD5 cipher suites replacement
On 5/15/08, PoWah Wong <[EMAIL PROTECTED]> wrote:
> Use TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA) to replace
> SSL_RSA_WITH_RC4_128_MD5 (RC4-MD5)
> and TLS_DH_anon_WITH_AES_256_CBC_SHA (ADH-AES256-SHA) to replace
> SSL_DH_anon_WITH_RC4_128_MD5 (ADH-RC4-MD5), right?

I'm not clear on what your goal is, but if you are writing both the client and server applications that communicate only with each other then you would be fine supporting only specific cipher suites such as AES, but if you are writing only one end of it (client or server), then be aware that AES is not compatible with RC4, so your application would need to support at least one of the cipher suites which the other end requires.

In the latter case, if your application supports both AES and RC4, and if the other end supports AES the SSL handshake negotiation will select the better cipher AES, and if the other end only supports RC4 then it will be selected instead.

-Chris
Re: RC4-MD5 cipher suites replacement
On 5/15/08, PoWah Wong <[EMAIL PROTECTED]> wrote:
> Is there some cipher suites more secure than SSL_RSA_WITH_RC4_128_MD5
> (RC4-MD5) so that they should replace RC4-MD5?

The AES 256-bit cipher suites are not only more secure than RC4, they are also much faster. :)

-Chris
Re: OpenSSL How to redistribute as part of our application
On 10/30/07, Dave Bound wrote:
> >> Not everyone can use the default build of OpenSSL.
> Can you point me at some docs which will allow me to ascertain whether I
> fall into the 'not everyone' category?

One thing to consider is if you want to include the patented ciphers in your build, such as RC5, and IDEA. If you are in USA you may need to pay royalties to the owners of these ciphers if you use them. Many people disable these when building OpenSSL libraries, by using something like "perl Configure VC-WIN32 no-idea no-rc5". MDC2 was also patented, but the patent expired earlier this year.

I suggest you build your own library files (libeay32.dll and ssleay32.dll), and within your application you should include all the source files found in \include\openssl\ in order to use the libraries.

As far as an installer deployment, it is very simple to add the two DLL library files to an existing InstallShield or Wise installer installation, and these files can be placed in the same directory as your main application. There is no need to "register" these DLL's in Windows.

-Chris
Re: OpenSSL 0.9.8f Win32 Compile Error
I downloaded NASM (nasm-0.99.04-win32.zip) from Soundforge, and gave it a try, and when I run "ms\do_nasm" it is all successful but now I get a different error when running "nmake -f ms\ntdll.mak":

Microsoft (R) Program Maintenance Utility Version 6.00.9782.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.

Building OpenSSL
perl util/copy.pl .\crypto\buildinf.h tmp32dll\buildinf.h
Copying: ./crypto/buildinf.h to tmp32dll/buildinf.h
perl util/copy.pl .\crypto\opensslconf.h inc32\openssl\opensslconf.h
Copying: ./crypto/opensslconf.h to inc32/openssl/opensslconf.h
nasmw -f win32 -o crypto\cpu_win32.obj .\crypto\cpu_win32.asm
'nasmw' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'nasmw' : return code '0x1'
Stop.

I do not have NASMW, as the only files included in nasm-0.99.04-win32.zip are:

COPYING
nasm.exe
ndisasm.exe

Can anyone tell me what I am doing wrong?

-Chris
Re: OpenSSL 0.9.8f Win32 Compile Error
> Did someone forget to add the equate for XMMWORD?
> Can anyone tell me how XMMWORD should be defined?

It appears that I need more than just the newer version of MASM, and while reading the MASM32 forums they reference this page:

http://www.intel.com/cd/ids/developer/asmo-na/eng/167741.htm?page=6

It mentions that the following include file is needed to assemble SSE3 instructions: 'include ia_pni.inc'

Can anyone tell me where to find this, or if there is a simpler solution for compiling 0.9.8F for Windows?

- Chris
Re: OpenSSL 0.9.8f Win32 Compile Error
> I am following the instructions in INSTALL.W32, which works fine for
> the previous 0.9.8f build, but when I get to the point of running
> "nmake -f ms\ntdll.mak" I get the following errors in 0.9.8f:

oops.. I meant to say that the previous version 0.9.8E works fine, and now that I look closer I see that 0.9.8E did not include the asm file sha512-sse2.asm so this appears to be a new issue in 0.9.8F.

I looked at the .ASM code and XMMWORD is not a variable, but rather a type definition which my version of ML does not understand. I see some info here:

http://msdn2.microsoft.com/en-us/library/cw0399sf(VS.80).aspx

which indicates that I need a newer ML from VS2005. Is that correct?

-Chris
OpenSSL 0.9.8f Win32 Compile Error
I am trying to compile version 0.9.8f for Windows, using VC++ 6.0, ActivePerl, and MASM 6.15.8803.

I am following the instructions in INSTALL.W32, which works fine for the previous 0.9.8f build, but when I get to the point of running "nmake -f ms\ntdll.mak" I get the following errors in 0.9.8f:

Building OpenSSL
ml /Cp /coff /c /Cx /Focrypto\sha\asm\sha512-sse2.obj .\crypto\sha\asm\sha512-sse2.asm
Assembling: .\crypto\sha\asm\sha512-sse2.asm
.\crypto\sha\asm\sha512-sse2.asm(29) : error A2006: undefined symbol : XMMWORD
.\crypto\sha\asm\sha512-sse2.asm(30) : error A2006: undefined symbol : XMMWORD
.\crypto\sha\asm\sha512-sse2.asm(31) : error A2006: undefined symbol : XMMWORD
.\crypto\sha\asm\sha512-sse2.asm(32) : error A2006: undefined symbol : XMMWORD

Actually I get 21 more of these same errors, each with a different line number.

Did someone forget to add the equate for XMMWORD?
Can anyone tell me how XMMWORD should be defined?

-Chris
Re: Cipher Negotiation
It's not a bug that AES182 is classified as "HIGH", although it is a missing feature that there is no class that encompasses only the 256-bit ciphers. That's why there now is "@STRENGTH", which does not add any ciphers and just sorts the one enabled so far.

I assume "AES182" is a typo for AES128. This is indeed a bug in OpenSSL (according to the documentation at http://www.openssl.org/docs/apps/ciphers.html):

HIGH - with key lengths larger than 128 bits.
MEDIUM - those using 128 bit encryption.
LOW - those using 64 or 56 bit encryption algorithms excluding export ciphers.

But if I just use 'Medium' it does not select AES128. and If I use 'High' then it selects both AES128 and AES256.

-Chris

>> Is this a real problem? What's wrong with:
>>
>> !EXPORT:!LOW:!MEDIUM:DEFAULT:-DHE-RSA-AES128-SHA:-DHE-DSS-AES128-SHA:-AES128-SHA
> Sorry, I guess this ("DEFAULT:" should have been first) does not work,
> because removing the 128 bit ciphers also removes the 256 bit ciphers.
>
> With:
>
> $ openssl ciphers -v \
>     'DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:@STRENGTH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
>
> and
>
> $ openssl ciphers -v \
>     'DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:@STRENGTH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
>
> producing the same results you are out of luck, if you want 256 bit AES,
> you always also get 128 bit AES.

It appears that you are using OpenSSL 0.9.8 or 0.9.8a here. This is a bug that should be fixed in OpenSSL 0.9.8b, so that the DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA ciphersuite specification (with or without :STRENGTH appended) will only yield the three ciphersuites intended.
Re: Cipher Negotiation
> The problem is I can't find a way of selecting the order in which I
> want the cipher negotiated. For example if all ciphers are enabled in
> the configuration, I would prefer if AES is selected during
> negotiation.

What real problem is this intended to solve?

Because AES is faster than other ciphers such as RC4 and 3DES, I want to use AES as the default if both the client and server allow it.

So you want AES(128) to be preferred over DES(168)?

In my client, the user can select which cipher-suites are allowed, and the following strengths: low, medium, high. If all cipher-suites are selected, and also all strengths are selected then I want the negotiation to use AES256 instead of 3DES if the server also allows this.

-Chris
Cipher Negotiation
I have written a client program in which I allow the user to configure which cipher groups they want to allow as well as a cipher strength of low, medium, or high.

The problem is I can't find a way of selecting the order in which I want the cipher negotiated. For example if all ciphers are enabled in the configuration, I would prefer if AES is selected during negotiation.

Currently I specify the group (HIGH/MEDIUM/LOW) and remove some ciphers from a group (IDEA and ADH). I also remove AES at the beginning (Shif +="-AES:") and add it later because if I don't remove AES there is no way to separate AES128 and AES256. (Due to an OpenSSL bug, HIGH selects both AES128 and AES256)

Here is the code:

if (g_MaxC>=2 && g_MinC<=2)
{
    Shif+="HIGH:";
}
if (g_MaxC>=1 && g_MinC<=1)
{
    Shif+="MEDIUM:";
}
if (g_MaxC>=0 && g_MinC<=0)
    Shif+="LOW:EXP:";
Shif+="!IDEA:!ADH:";
Shif +="-AES:";
if (g_MaxC>=2 && g_MinC<=2 && g_AES)
{
    Shif +="AECDH-AES256-SHA:AES256-SHA:DHE-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:";
    Shif +="ECDHE-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:";
}
if (g_MaxC>=1 && g_MinC<=1 && g_AES)
{
    Shif +="AECDH-AES128-SHA:AES128-SHA:DHE-DSS-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:";
    Shif +="ECDHE-RSA-AES128-SHA:ECDH-RSA-AES128-SHA:";
}
if (!g_RC2) Shif += "-RC2:";
if (!g_RC4) Shif += "-RC4:";
if (!g_DES) Shif += "-DES:";
if (!g_3DES) Shif += "-3DES:";
if (!g_AES) Shif += "-AES:";
lfb->SetContextChipers(Shif.GetBuffer(255));

The result is that when all ciphers are enabled, the client and server negotiate a 3DES protocol. If I disable 3DES, then they negotiate using RC4.

Is there a way I can force the client to negotiate using AES as the preferred method, and if the server will not allow AES then it selects some other cipher?

-Chris
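Added example, not part of the original thread and not OpenSSL's own code: one way to get the AES-first preference asked about above, and the separate 128/256-bit choice raised in the other cipher threads on this page, is to build an explicit cipher list from the key sizes OpenSSL itself reports instead of relying on the HIGH/MEDIUM classes. It uses Python's ssl module, which hands the string to the same SSL_CTX_set_cipher_list() call; enabled() and policy_string() are hypothetical names chosen for this example.

```python
import ssl

TLS13 = "TLSv1.3"  # TLS 1.3 suites are configured separately; the cipher string does not govern them


def enabled(cipher_string):
    """Return [(name, strength_bits)] for the TLS 1.2-and-earlier suites that
    OpenSSL enables for cipher_string, in the order the client would offer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError when nothing matches
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != TLS13]


def policy_string(min_bits, max_bits, prefer="AES"):
    """Build an explicit cipher list from this OpenSSL build's own suites.

    Keeps every authenticated suite whose key size lies in
    [min_bits, max_bits]; suites whose name contains `prefer` come first,
    and larger keys come before smaller ones.
    """
    pool = enabled("ALL:!aNULL:!eNULL:!PSK:!SRP")
    chosen = [(name, bits) for name, bits in pool if min_bits <= bits <= max_bits]
    if not chosen:
        raise ValueError("no cipher suite in the requested key-size range")
    # list.sort() is stable, so OpenSSL's own order is kept inside each group
    chosen.sort(key=lambda nb: (prefer not in nb[0], -nb[1]))
    return ":".join(name for name, _ in chosen)


if __name__ == "__main__":
    for label, rule in [
        ("explicit name", "AES128-SHA"),
        ("@STRENGTH re-sort", "AES128-SHA:AES256-SHA:@STRENGTH"),
        ("256-bit only, AES first", policy_string(256, 256)),
        ("128 to 256 bit, AES first", policy_string(128, 256)),
    ]:
        print(label)
        for name, bits in enabled(rule):
            print(f"  {bits:4d}  {name}")
```

The list order only expresses the client's preference; a server that sets SSL_OP_CIPHER_SERVER_PREFERENCE chooses according to its own list.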
Errors compiling snapshot under Win32
I'm having trouble compiling the current snapshot of OpenSSL under VC++. Configure and domasm are both successful, but when I run nmake I get the following result:

> nmake -f ms\ntdll.mak

Microsoft (R) Program Maintenance Utility Version 6.00.9782.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.

Building OpenSSL
perl util/copy.pl .\crypto\buildinf.h tmp32dll\buildinf.h
Copying: ./crypto/buildinf.h to tmp32dll/buildinf.h
ml /Cp /coff /c /Cx /Focrypto\md5\asm\m5_win32.obj .\crypto\md5\asm\m5_w
in32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\md5\asm\m5_win32.asm
ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj .\crypto\sha\asm\s1_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\sha\asm\s1_win32.asm
ml /Cp /coff /c /Cx /Focrypto\ripemd\asm\rm_win32.obj .\crypto\ripemd\asm\rm_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\ripemd\asm\rm_win32.asm
ml /Cp /coff /c /Cx /Focrypto\des\asm\d_win32.obj .\crypto\des\asm\d_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\des\asm\d_win32.asm
ml /Cp /coff /c /Cx /Focrypto\des\asm\y_win32.obj .\crypto\des\asm\y_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\des\asm\y_win32.asm
ml /Cp /coff /c /Cx /Focrypto\rc4\asm\r4_win32.obj .\crypto\rc4\asm\r4_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\rc4\asm\r4_win32.asm
ml /Cp /coff /c /Cx /Focrypto\bf\asm\b_win32.obj .\crypto\bf\asm\b_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\bf\asm\b_win32.asm
ml /Cp /coff /c /Cx /Focrypto\cast\asm\c_win32.obj .\crypto\cast\asm\c_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\cast\asm\c_win32.asm
ml /Cp /coff /c /Cx /Focrypto\bn\asm\bn_win32.obj .\crypto\bn\asm\bn_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\bn\asm\bn_win32.asm
cl /Fotmp32dll\t_pkey.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /
Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DD
SO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DBN_ASM -DMD5_A
SM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_RC
5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DO
PENSSL_BUILD_SHLIBCRYPTO -c .\crypto\asn1\t_pkey.c
t_pkey.c
.\crypto\asn1\t_pkey.c(161) : error C2220: warning treated as error - no object file generated
.\crypto\asn1\t_pkey.c(161) : warning C4013: 'ASN1_bn_print' undefined; assuming extern returning int
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.

Could anyone point me in the right direction?

-Chris
Re: AES128 accepted when AES256 configured
> Try the next 0.9.8 snapshot.

Thanks Dr. Steve!

-Chris
Re: AES128 accepted when AES256 configured
> What I tried was to remove all the AES 128 options from ssl/s3_lib.c.
> That seemed to do the trick. I do not know if it has any bad side
> effects though.
>
> Of course, this will only work if you don't need AES 128 at all.

In my case I have a configuration program which allows users to select ciphers and the minimum/maximum strengths, so I have not found any solution to the problem. It's been close to two months now, so I'm currently considering switching to an older version of OpenSSL which does not have the bug.

-Chris
Re: AES128 accepted when AES256 configured
Hi Roy,

> In 0.9.8a, it looks like AES 128 will be accepted by the server even if it
> is supposed to accept only AES 256.

I reported this same bug on February 17th, and Dr. Steven Henson has confirmed it is a bug so hopefully it will be fixed. If you find any work around please let me know.

-Chris
Re: AES key length selection bug in OpenSSL 0.9.8a
Hi Michal,

> OpenSSL 0.9.8a does not allow to properly select AES key length.
> It selects both 128-bit and 256-bit AES no matter which one was specified:

I reported this same bug in February 17th, and Dr. Steven Henson has confirmed it is a bug so hopefully it will be fixed soon. If you find any work around please let me know.

-Chris
Re: AES cipher
> > > CString Shif = "AES128-SHA";
> >
> > When I just use this string, it automatically adds "AES256-SHA" as well.
> > This appears to be a bug in OpenSSL 0.98a. Could anyone confirm this?
>
> Yes I can confirm that. The "ciphers" command does the same.

Thanks Steve. Do you know if this has been fixed in the development version? If so, which source file would I need to look at?

-Chris
Re: AES cipher
On 2/16/06, Kyle Hamilton wrote:
> Yeah. Any cipher that is not explicitly added is denied. So, try just doing:
>
> CString Shif = "AES128-SHA";

When I just use this string, it automatically adds "AES256-SHA" as well. This appears to be a bug in OpenSSL 0.98a. Could anyone confirm this?

-Chris
Re: AES cipher
I tried adding ":" as suggested, but this still did not work. :( Does anyone have other suggestions?

-Chris

> > I'm trying to allow my program to be configurable for either AES 128
> > bit, or AES 256 bit. The problem is that when I select only the
> > AES128-SHA cipher, the AES256-SHA cipher gets added
> > automatically.
> >
> > Is this a limitation of selecting AES, or am I doing something wrong?
> > Here is my code:
> >
> > 1. Set ciphers:
> >
> > CString Shif = "AES128-SHA";
> >
> > Shif+="!IDEA:!ADH:";
>
> You probably have to add some ":" here. With the explicit selection of
> AES128-SHA you do not have to remove the other ciphers anyway.
>
> > SSL_CTX_set_cipher_list(m_ctx, Shif.GetBuffer());
> > SSL_CTX_set_options(m_ctx, SSL_OP_NO_SSLv2);
> >
> > 2. Display ciphers:
> >
> > SSL* lSSL = SSL_new(lCTX);
> >
> > int ccnt=0;
> > const char *res=(char*)1;
> > for (int i=0;res!=NULL;i++)
> > {
> >     res = SSL_get_cipher_list(lSSL, i);
> >     if (res)
> >     {
> >         m_List.AddString((char*)res);
> >         ccnt++;
> >     }
> > }
AES cipher
I'm trying to allow my program to be configurable for either AES 128 bit, or AES 256 bit. The problem is that when I select only the AES128-SHA cipher, the other AES ciphers (including 256 bit) get added automatically.

Is this a limitation of selecting AES, or am I doing something wrong? Here is my code:

1. Set ciphers:

CString Shif = "AES128-SHA";

Shif+="!IDEA:!ADH:";
SSL_CTX_set_cipher_list(m_ctx, Shif.GetBuffer());
SSL_CTX_set_options(m_ctx, SSL_OP_NO_SSLv2);

2. Display ciphers:

SSL* lSSL = SSL_new(lCTX);

int ccnt=0;
const char *res=(char*)1;
for (int i=0;res!=NULL;i++)
{
    res = SSL_get_cipher_list(lSSL, i);
    if (res)
    {
        m_List.AddString((char*)res);
        ccnt++;
    }
}

-Chris Clark
SSL_METHOD
It appears that the SSL_METHOD functions don't allow a server to accept connections using either SSL or TLS, so it has to be either one or the other.

Does anyone have a work around to allow both SSL and TLS connections to be accepted?

-Chris Clark
Re: Cipher suites
> If nothing else, you can implement your own interpretation of "HIGH"
> and "MEDIUM", and then for MEDIUM as specified by the user change the
> string passed to the cipher setup function to include "MEDIUM+" and
> the AES128 algorithm names.

Thanks Kyle. After giving this some thought I can see it would be best to do it this way so the users have a choice of 128 or 256 bit AES, and at the same time adhering to the documented definition of what MEDIUM means.

-Chris Clark
Re: Cipher suites
Hi Richard,

> The docs are outdated. AES is strong.

That makes sense. In that case I could let users choose either MEDIUM or "Strong" along with which Cipher group (RC4, 3DES, DES, AES). Of course if they choose Medium and only AES, they would not have any cipher in the result list, so I could hide AES as a selection when Medium is selected. :)

A question: Would users see much performance difference between AES 128 bit and AES 256 bit ciphers on slower PC's, such as on PII and P3 class CPU's? What about CPU usage differences?

I'm wondering if it's worth giving users detailed options on which ciphers to use, or to stick with the simplistic nature of the MEDIUM and HIGH settings along with the 4 groups.

-Chris Clark
Re: Cipher suites
Hi Steve,

> Also there are grounds for classifying AES in general as "stronger" (for some
> value of stronger) due its 128 bit block length compared to the other block
> ciphers which have a 64 bit block length.

So I won't be able to use the MEDIUM and HIGH settings to let the users choose between 128 bit and 256 bit key lengths when they are using AES... Looks like I will have to implement these user options the hard way then :(

-Chris Clark
Re: Cipher suites
Hi Richard,

> The openssl "ciphers" command shows the text format of the cipher suites
> supported Allow you users to choose from (a subset of) that list, and
> set the env var or config param appropriately. Like PATH, it's a
> colon-separated list in order of priority.

Yes, but that would be rather messy. I was hoping for a simpler solution, so rather than letting users choose the exact cipher suite names they could simply choose between AES, 3DES, DES, RC4, and they could also choose if they want MEDIUM (128 bit) encryption, or HIGH (greater than 128 bit) encryption.

This method works great for everything except AES, which incorrectly groups all the 128 bit ciphers as being HIGH instead of MEDIUM. Is it a known bug, or are the docs outdated?

-Chris Clark
Re: Cipher suites
Hi Richard,

> The high medium and low are arbitrary terms, and date back to when the US
> had stricter export controls on cryptography.
>
> Ignore them.

But I want my client/server application to allow users to select the level of encryption they wish to use. It is my understanding that 128 bit AES is faster than 256 bit AES, and will use less CPU overhead on slower machines. Is this not true?

Is there an easy way I can limit openssl to only use 128 bit ciphers for example?

-Chris Clark
Cipher suites
According to the documentation, "medium" encryption cipher suites are those that use 128 bit encryption, and "high" suites are those that use higher than 128 bits...

Why is it that when I select a "medium" set of cipher suites, it will never include any AES ciphers such as:

AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA

But when I select a "high" set of cipher suites it does include the above, in addition to the 256 bit ciphers. It seems that this is only a problem with the AES ciphers.

-Chris Clark