openssl hmac and key on the command line
Greetings,

I am reading some doc instructing me to run

    printf '%s' "${challenge}" | openssl dgst -sha1 -hmac ${APP_TOKEN}

Doing so would leak the APP_TOKEN on the command line arguments (so a user running a "ps" at the right time would see the APP_TOKEN in clear). Due to my machine setup, programs started and their arguments also end up in an audit log.

I am reading the documentation on https://www.openssl.org/docs/manmaster/man1/openssl-dgst.html, that points at the preferred https://www.openssl.org/docs/manmaster/man1/openssl-mac.html , and all the examples have the key in clear text on the command line.

Is there an equivalent command I can run that will not leak the key?

Best regards
Francois
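One way to avoid the exposure described in the post above, as an added example that is not part of the original message or of OpenSSL: a small Python script that computes the same HMAC-SHA1 over the challenge on stdin but takes the key from a mode-0600 file or from the environment rather than from argv. The APP_TOKEN_FILE variable and the key-file layout are assumptions of this example; APP_TOKEN is the name used in the post.

```python
#!/usr/bin/env python3
# Added example: HMAC-SHA1 of a challenge read from stdin, with the key taken
# from a private file or the environment instead of a command-line argument.
import hashlib
import hmac
import os
import stat
import sys


def hmac_sha1_hex(key: bytes, message: bytes) -> str:
    """Hex HMAC-SHA1, the value `openssl dgst -sha1 -hmac KEY` computes."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def load_token(path=None, env_var="APP_TOKEN") -> bytes:
    """Return the key as bytes without it ever appearing in argv.

    path    -- key file (hypothetical location); rejected if group/other
               have any access to it
    env_var -- fallback environment variable (name taken from the post)
    """
    if path is not None:
        with open(path, "rb") as handle:
            # fstat on the open descriptor, so the check and the read
            # refer to the same file.
            mode = os.fstat(handle.fileno()).st_mode
            if not stat.S_ISREG(mode):
                raise ValueError(f"{path}: not a regular file")
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                raise PermissionError(f"{path}: accessible by group/other")
            data = handle.read()
        # A file written with `echo` ends in a newline that is not key material.
        return data.rstrip(b"\r\n")
    value = os.environ.get(env_var)
    if not value:
        raise LookupError(f"{env_var} is not set and no key file was given")
    return value.encode()


def main() -> int:
    # APP_TOKEN_FILE is an assumed variable name holding the key file path.
    key = load_token(os.environ.get("APP_TOKEN_FILE"))
    challenge = sys.stdin.buffer.read()
    print(hmac_sha1_hex(key, challenge))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The environment of a process is not part of its argument list, but the same user and root can still read it through /proc/PID/environ on Linux, so the key file is the tighter of the two options.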
Issue with smartcard authentication for openvpn
Hi all,

I have a working openvpn setup with client certificate and private key stored on my laptop. Then, I have loaded them into a smartcard (Yubico 5 NFC), and modified accordingly the openvpn client config. But running the openvpn client now fails with an error that seems to originate inside openssl.

Here is a verbose openvpn log (only the portion that seems relevant for this error, but I have the full log if useful):

Sat Apr 6 15:57:20 2019 us=467260 Incoming Ciphertext -> TLS
Sat Apr 6 15:57:20 2019 us=467271 SSL state (connect): SSLv3/TLS read server hello
Sat Apr 6 15:57:20 2019 us=467468 VERIFY OK: depth=1, CN=FG-CA
Sat Apr 6 15:57:20 2019 us=467598 VERIFY KU OK
Sat Apr 6 15:57:20 2019 us=467609 Validating certificate extended key usage
Sat Apr 6 15:57:20 2019 us=467615 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr 6 15:57:20 2019 us=467620 VERIFY EKU OK
Sat Apr 6 15:57:20 2019 us=467625 VERIFY OK: depth=0, CN=tx2
Sat Apr 6 15:57:20 2019 us=467650 SSL state (connect): SSLv3/TLS read server certificate
Sat Apr 6 15:57:20 2019 us=467735 SSL state (connect): SSLv3/TLS read server key exchange
Sat Apr 6 15:57:20 2019 us=467763 SSL state (connect): SSLv3/TLS read server certificate request
Sat Apr 6 15:57:20 2019 us=467771 SSL state (connect): SSLv3/TLS read server done
Sat Apr 6 15:57:20 2019 us=467845 SSL state (connect): SSLv3/TLS write client certificate
Sat Apr 6 15:57:20 2019 us=468012 SSL state (connect): SSLv3/TLS write client key exchange
Sat Apr 6 15:57:20 2019 us=468053 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=0x559d078d6e70, to=0x559d078d6bc0, rsa=0x559d078b3630, padding=3
Sat Apr 6 15:57:20 2019 us=468060 PKCS#11: __pkcs11h_openssl_rsa_enc - return rv=112-'CKR_MECHANISM_INVALID'
Sat Apr 6 15:57:20 2019 us=468070 SSL alert (write): fatal: internal error
Sat Apr 6 15:57:20 2019 us=468085 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Sat Apr 6 15:57:20 2019 us=468092 TLS_ERROR: BIO read tls_read_plaintext error
Sat Apr 6 15:57:20 2019 us=468097 TLS Error: TLS object -> incoming plaintext read error
Sat Apr 6 15:57:20 2019 us=468101 TLS Error: TLS handshake failed

Somehow, it seems that __pkcs11h_openssl_rsa_enc was called with an unexpected padding. Any ideas on what might be the cause of this?

Best regards,
Francois
Re: OpenSSL 1.0.1a tarball checksums
Dear Mounir,

I used wget to download the file to be sure the tarball is received compressed. However you're right, the file has been uncompressed and still saved as openssl-1.0.1a.tar.gz. There must be some transparent proxy or CDN in the path between my computer and the openssl.org web site doing something weird.

Thanks for your help, I could solve my problem.

Cheers,
Francois.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
OpenSSL 1.0.1a tarball checksums
Hi,

On the openssl download page the size of openssl-1.0.1a.tar.gz is 4456456 bytes but when I download it (wget http://www.openssl.org/source/openssl-1.0.1a.tar.gz) I'm receiving a tarball which is 21770240 bytes long. Of course the SHA1 checksum is different than the one announced on the web site:

$ openssl sha1 openssl-1.0.1a.tar.gz
SHA1(openssl-1.0.1a.tar.gz)= e3ba2479b7cc594aff9eba2d9804063cc5f9f43d

Could it be the checksums on the source download page (http://www.openssl.org/source/) are wrong ?
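The diagnosis reached in this thread (an intermediary decompressed the gzip stream, so size and SHA1 no longer match the published values) can be checked mechanically. The following is an added example, not part of the original messages; the sample archive is constructed in memory and the verdict labels are this example's own.

```python
# Added example: tell "download was gunzipped in transit" apart from a
# corrupted archive when size/SHA1 do not match the published values.
import gzip
import hashlib
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of every gzip member
USTAR_OFFSET = 257         # position of the "ustar" marker in a tar header


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def diagnose(data: bytes, published_size: int, published_sha1: str) -> str:
    """Classify a downloaded *.tar.gz against the published size and SHA1."""
    if len(data) == published_size and sha1_hex(data) == published_sha1.lower():
        return "match"
    if data[:2] == GZIP_MAGIC:
        # Still a gzip container, so the bytes differ from the release itself.
        return "corrupt-or-modified"
    if data[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar" and len(data) % 512 == 0:
        # A bare tar archive under a .gz name: something decoded the stream.
        # The published hash cannot be checked against these bytes; fetch
        # the file again over a path that leaves the encoding alone.
        return "decoded-in-transit"
    return "unknown"


def build_sample():
    """Constructed sample: a tiny .tar.gz and the same data after gunzip."""
    payload = b"constructed sample, not OpenSSL source\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo("sample-1.0/README")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()
    gz_bytes = gzip.compress(tar_bytes)
    return gz_bytes, tar_bytes


def main() -> None:
    gz_bytes, tar_bytes = build_sample()
    size, digest = len(gz_bytes), sha1_hex(gz_bytes)   # the "published" values
    for label, blob in (("as published", gz_bytes), ("after proxy", tar_bytes)):
        verdict = diagnose(blob, size, digest)
        print(f"{label:13} {len(blob):6d} bytes sha1={sha1_hex(blob)} {verdict}")


if __name__ == "__main__":
    main()
```

The 21770240-byte size reported in the question is a whole number of 10240-byte tar records, which fits the plain-tar verdict.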
Re: TLS CA Certificate Loading in DER format
Hello Ram,

You may be interested in the d2i_X509_fp() function [http://openssl.org/docs/crypto/d2i_X509.html#] in conjunction with SSL_CTX_use_certificate() [http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html#].

Cheers,
Francois

ramaswamy.bm wrote:
> Hi,
>
> I am to use TLS for securing an application's data transfer. For development purposes I have been using a dummy set of certificates in PEM format. The currently used SSL_CTX_load_verify_locations API requires that the certificate be in PEM format. However, in real time scenario, the application being developed MUST make use of certificates in DER format as per the requirements.
>
> So I wanted to know whether there is a way to load CA certificates in DER format using any SSL APIs. My search till now for such an API has been unfruitful. Please let me know if any OpenSSL API is available to load the DER formatted certificates.
>
> Thanks
> Best Regards,
> Ram
Re: Using openssl to test SSL on Windows 2008/IIS7
Hi Brad,

This looks like a windows socket issue. Error 10054 is Connection reset by peer. You may have a firewall issue on windows 2008 that doesn't occur on the other servers and does not block https traffic.

Cheers,
Francois.

Brad Baker wrote:
> I’m trying to use open ssl to connect to an IIS7 site hosted on a Windows 2008 server:
>
> openssl s_client -host server.domain.com -port 443
>
> I’m getting the following error:
>
> Loading 'screen' into random state - done
> CONNECTED(00D8)
> write:errno=10054
>
> The same command works fine on an IIS6 site hosted on windows 2003 and an IIS5 site hosted on windows 2000. I can confirm that https is functioning on the site in question by testing in a web browser.
>
> Is there a known incompatibility between the openssl client and IIS7 or some IIS7 configuration setting that needs to be tweaked to allow openssl to connect properly?
>
> Thanks
> Brad
Re: ssl methods
Thank you very much Marek ...

Marek Marcola wrote:
> Hello,
>
>> I would like to know if it is possible to build a SSL server which accepts both sslv3 and tlsV1 methods ..
>> As far as I understand, SSl_CTX_NEW API accepts only one method ...
>
> Yes, but if you want to support SSL3 and TLS1 then you should choose SSLv23_server_method(void).
> Check method info in SSL_CTX_new() man page.
>
> Best regards,
Re: How to load CA content in context ??
Thank you very much for this fast answer ;)

jf

Dr. Stephen Henson wrote:
> On Tue, Apr 24, 2007, [EMAIL PROTECTED] wrote:
>
>> I try to build a SSL server which performs client authentication.
>> But I cannot use SSL_CTX_load_verify_locations which has a CA file as parameter. (CA file is not located in the same machine)
>> Nevertheless, I succeeded having in my server the content of CA file in a buffer through API like PEM_read_bio_X509 and i2d_X509, d2i_x509...
>> I am looking for a SSl API that loads the CA content in the SSL Context.
>> Can someone help me?
>
> You first retrieve the X509_STORE structure from the SSL_CTX structure using SSL_CTX_get_cert_store() and then add each cert with X509_STORE_add_cert().
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
Data truncated at the end of session
I have an application using OpenSSL that suffers from data truncation at the end of session. This application is a FTPS client. I check it using FileZilla FTPS server. What happens is that most of the time, the files are transferred truncated at the end. The received file is truncated at exactly the 4KB boundary nearest to the true end of file. This happens only on large files (more than 2MB). I'm using asynchronous socket on Win-XP/PRO/SP2.

Any idea ?

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
[Solution] Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace
Simple: there was a second missing file: v3_pci.c. So the final solution is to add two files to the libeay32/x509v3 folder in the workspace: v3_pci.c and v3_pcia.c

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

- Original Message -
From: Francois PIETTE [EMAIL PROTECTED]
To: openssl-users@openssl.org
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, June 05, 2005 3:37 PM
Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

I'm progressing ! The file v3_pcia.c was missing from libeay32/x509v3 files ! Now I have only one undefined symbol remaining: v3_pci

--- cut here ---
Creating library ..\..\out32dll\Debug/libeay32.lib and object ..\..\out32dll\Debug/libeay32.exp
v3_lib.obj : error LNK2001: unresolved external symbol _v3_pci
..\..\out32dll\Debug/libeay32.dll : fatal error LNK1120: 1 unresolved externals
Error executing link.exe.
--- cut here ---

I still have to find where it is defined. Probably in another file that is missing from libeay32.dll project.

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

- Original Message -
From: Francois PIETTE [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Saturday, June 04, 2005 5:09 PM
Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

> From the looks of it you are missing some include files. Search the source for where those symbols are defined. Get those include files into your project.

There are no missing source file. The symbols are defined by various macros. Everything is there (I can compile correctly with the command line make file). I think it is only a matter of compiler or linker option. I think it currently compile the symbols as externals.

> BTW, why not just link to the libs? You could even link statically.

I need the DLL because I don't write any C/C++ application but a Delphi application which dynamically link to the two OpenSSL DLL.

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

Francois PIETTE wrote:

Am i the only one still using MSVC workspace ?
Can someone give a look at my message below ?

- Original Message -
From: Francois PIETTE [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, June 02, 2005 6:37 PM
Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

I have the exact same problem and can't fix it. Can someone give a step by step procedure to fix the problem ? Or maybe correct MSVC workspace exist somewhere ?

btw: Compiling works OK when using the make file. It only fails as explained below when using MSVC workspace.

- Original Message -
From: ahmad hassan [EMAIL PROTECTED]
To: openssl-users@openssl.org
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 1:20 PM
Subject: Problem in compiling openssl 0.9.7g on Windows

Hello,

I am trying to build openssl 0.9.7g on windows, which i was successfully able to do using steps mentioned in INSTALL.W32 file. Now i would like to include libeay32 and ssleay32 source code as a workspace in my Visual C++ 6.0 project. For that i went to http://www.openssl.org/related/ and the second link gave me the dsp to use and compile openssl source code through vc++ environment.

It is actually so that i had openssl 0.9.7d with me which i downloaded a year ago and compiled it using this visual studio project file but now it is not compiling with the latest version giving me messages like this. There is some problem with proxy certificates thing. How do i resolve these errors. Some are just defined in the libeay32.def file which i removed but PROXY_CERT_INFO_EXTENSION_free is not declared anywhere and is being used in number of places like openssl-0.9.7g\crypto\x509\x509_vfy.c etc.

Can anyone guide me or give me related information regarding how to include latest openssl version as workspace in my project.

Configuration: libeay32 - Win32 Debug
Linking...
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_new
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_new
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_POLICY
libeay32.def : error LNK2001: unresolved external symbol
[0.9.7g ] do_subject function missing from req.c, found in ca.c
I'm recompiling version 0.9.7g and found that do_subject function is missing in req.c. I copied the code from ca.c and it compiles fine. Not tested at runtime.

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
Re: [0.9.7g ] do_subject function missing from req.c, found in ca.c
Well but later it fails compiling OpenSSL command line tool because it is defined in both ca.c and req.c :-(

--
[EMAIL PROTECTED]
http://www.overbyte.be

- Original Message -
From: Francois PIETTE [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Sunday, June 05, 2005 4:01 PM
Subject: [0.9.7g ] do_subject function missing from req.c, found in ca.c

I'm recompiling version 0.9.7g and found that do_subject function is missing in req.c. I copied the code from ca.c and it compiles fine. Not tested at runtime.

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace
Am i the only one still using MSVC workspace ?
Can someone give a look at my message below ?

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

- Original Message -
From: Francois PIETTE [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, June 02, 2005 6:37 PM
Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

I have the exact same problem and can't fix it. Can someone give a step by step procedure to fix the problem ? Or maybe correct MSVC workspace exist somewhere ?

btw: Compiling works OK when using the make file. It only fails as explained below when using MSVC workspace.

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

- Original Message -
From: ahmad hassan [EMAIL PROTECTED]
To: openssl-users@openssl.org
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 1:20 PM
Subject: Problem in compiling openssl 0.9.7g on Windows

Hello,

I am trying to build openssl 0.9.7g on windows, which i was successfully able to do using steps mentioned in INSTALL.W32 file. Now i would like to include libeay32 and ssleay32 source code as a workspace in my Visual C++ 6.0 project. For that i went to http://www.openssl.org/related/ and the second link gave me the dsp to use and compile openssl source code through vc++ environment.

It is actually so that i had openssl 0.9.7d with me which i downloaded a year ago and compiled it using this visual studio project file but now it is not compiling with the latest version giving me messages like this. There is some problem with proxy certificates thing. How do i resolve these errors. Some are just defined in the libeay32.def file which i removed but PROXY_CERT_INFO_EXTENSION_free is not declared anywhere and is being used in number of places like openssl-0.9.7g\crypto\x509\x509_vfy.c etc.

Can anyone guide me or give me related information regarding how to include latest openssl version as workspace in my project.

Configuration: libeay32 - Win32 Debug
Linking...
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_new
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_new
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_POLICY
libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_POLICY
..\..\out32dll\Debug/libeay32.lib : fatal error LNK1120: 10 unresolved externals
LINK : fatal error LNK1141: failure during build of exports file
Error executing link.exe.
libeay32.dll - 12 error(s), 0 warning(s)
Configuration: libeay32 - Win32 Debug
Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace
> From the looks of it you are missing some include files. Search the source for where those symbols are defined. Get those include files into your project.

There are no missing source file. The symbols are defined by various macros. Everything is there (I can compile correctly with the command line make file). I think it is only a matter of compiler or linker option. I think it currently compile the symbols as externals.

> BTW, why not just link to the libs? You could even link statically.

I need the DLL because I don't write any C/C++ application but a Delphi application which dynamically link to the two OpenSSL DLL.

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

Francois PIETTE wrote:

Am i the only one still using MSVC workspace ?
Can someone give a look at my message below ?

- Original Message -
From: Francois PIETTE [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, June 02, 2005 6:37 PM
Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

I have the exact same problem and can't fix it. Can someone give a step by step procedure to fix the problem ? Or maybe correct MSVC workspace exist somewhere ?

btw: Compiling works OK when using the make file. It only fails as explained below when using MSVC workspace.

- Original Message -
From: ahmad hassan [EMAIL PROTECTED]
To: openssl-users@openssl.org
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 1:20 PM
Subject: Problem in compiling openssl 0.9.7g on Windows

Hello,

I am trying to build openssl 0.9.7g on windows, which i was successfully able to do using steps mentioned in INSTALL.W32 file. Now i would like to include libeay32 and ssleay32 source code as a workspace in my Visual C++ 6.0 project. For that i went to http://www.openssl.org/related/ and the second link gave me the dsp to use and compile openssl source code through vc++ environment.

It is actually so that i had openssl 0.9.7d with me which i downloaded a year ago and compiled it using this visual studio project file but now it is not compiling with the latest version giving me messages like this. There is some problem with proxy certificates thing. How do i resolve these errors. Some are just defined in the libeay32.def file which i removed but PROXY_CERT_INFO_EXTENSION_free is not declared anywhere and is being used in number of places like openssl-0.9.7g\crypto\x509\x509_vfy.c etc.

Can anyone guide me or give me related information regarding how to include latest openssl version as workspace in my project.

Configuration: libeay32 - Win32 Debug
Linking...
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_new
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_new
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_POLICY
libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_POLICY
..\..\out32dll\Debug/libeay32.lib : fatal error LNK1120: 10 unresolved externals
LINK : fatal error LNK1141: failure during build of exports file
Error executing link.exe.
libeay32.dll - 12 error(s), 0 warning(s)
Configuration: libeay32 - Win32 Debug
Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace
I have the exact same problem and can't fix it. Can someone give a step by step procedure to fix the problem ? Or maybe correct MSVC workspace exist somewhere ?

btw: Compiling works OK when using the make file. It only fails as explained below when using MSVC workspace.

--
[EMAIL PROTECTED]
The author for the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

- Original Message -
From: ahmad hassan [EMAIL PROTECTED]
To: openssl-users@openssl.org
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 1:20 PM
Subject: Problem in compiling openssl 0.9.7g on Windows

Hello,

I am trying to build openssl 0.9.7g on windows, which i was successfully able to do using steps mentioned in INSTALL.W32 file. Now i would like to include libeay32 and ssleay32 source code as a workspace in my Visual C++ 6.0 project. For that i went to http://www.openssl.org/related/ and the second link gave me the dsp to use and compile openssl source code through vc++ environment.

It is actually so that i had openssl 0.9.7d with me which i downloaded a year ago and compiled it using this visual studio project file but now it is not compiling with the latest version giving me messages like this. There is some problem with proxy certificates thing. How do i resolve these errors. Some are just defined in the libeay32.def file which i removed but PROXY_CERT_INFO_EXTENSION_free is not declared anywhere and is being used in number of places like openssl-0.9.7g\crypto\x509\x509_vfy.c etc.

Can anyone guide me or give me related information regarding how to include latest openssl version as workspace in my project.

Configuration: libeay32 - Win32 Debug
Linking...
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_new
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_new
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_POLICY
libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_POLICY
..\..\out32dll\Debug/libeay32.lib : fatal error LNK1120: 10 unresolved externals
LINK : fatal error LNK1141: failure during build of exports file
Error executing link.exe.
libeay32.dll - 12 error(s), 0 warning(s)
Configuration: libeay32 - Win32 Debug
Re: Question about Certificate Revocation lists using openssl ....
Matthew McHugh wrote:
> Hello all,

hello alone

> Is there a tool that I can use to manage CRL's? I am looking at starting my own CA for my company, but we need to revoke certificates before they expire. I think this can be done via the command line, but I was wondering if there is an open source tool out there that can do this already.

try TinyCA

> Thank you.
> Matt

François
[openssl-users] I need some help with parsing a X509 certificate
Hi

When I read a PEM certificate with PEM_read_bio_X509(bp, NULL, 0, NULL); that returns me a X509 object. How can I display it in STRING or char * format?

thanks
François
Re: how to generate certs with a + in the dn
Hi,

I think he was talking about RDNs and not RDSs

Francois

Charles B Cranston wrote:
> Think AVAs might be Attribute Value Assertions but am not finding RDSs in much googling -- is this X.509 stuff that didn't make it into PKIX or what? Asking for edification.
Re: Howto use a private key contained inside a ncipher module ??
I do not think that you can use every nCipher key with OpenSSL. You must build the key pair with a nCipher command (generatekey or keysafe) with the option application = embed (see nCipher documentation).

The private key is stored in the HSM module, but you will have :
- a private key file which does not contain any key but a reference to the key in the module
- a certificate request (pkcs#10)
- a self signed Certificate

Then, in the config file :
private_key = name of the pseudo private key file
engine = chil

Francois

- Original Message -
From: Guillaume Coue [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, June 25, 2002 9:53 AM
Subject: Howto use a private key contained inside a ncipher module ??

Hi all,

I've got a ncipher module in my box and I'd like to know how I can use keys inside to generate a request and a certificate. I tried this :

C:\openssl req -engine chil -keyform engine -text -key dsa:test -config c:/templates/user.cnf -out cr.pem
engine chil set.
unable to load Private Key
1108:error:81069066:hwcrhk engine:HWCRHK_LOAD_PRIVKEY:chil error:./crypto/engine
/hw_ncipher.c:755:NFKM_findkey failed: InvalidParameter
1108:error:26096080:engine routines:ENGINE_load_private_key:failed loading priva
te key:./crypto/engine/eng_pkey.c:117:

* test is the name of my private key (inside the ncipher module)

An other question is What should I put in my cnf file to access to my private key inside the module: field private_key = ??

Thanks,
--
Guillaume
Re: netscape i.e.
murali krishna vemuri

I had a similar problem with Windows 200 SP1 when using POST method. It was solved using Service Pack 2

- Original Message -
From: Murali K. Vemuri [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 03, 2002 6:22 PM
Subject: netscape i.e.

hi list,

I am working on HTTP (1.0) over SSL. I am using OpenSSL as the SSL underlying HTTP. Here only the server is being authenticated. i am using apache 1.3.20 and openssl 0.9.6 and mod-ssl 2.8.4

I am encountering the following problem: When i am trying to browse the HTTPS server using Netscape, everything is working fine. But when i use Internet Explorer (5.0 and 6.0), I am getting the following error when submitting FORM data from browser (the same works well with netscape).

The page cannot be displayed

I don't know whether there is a problem in the security settings of Internet Explorer which i am using. Any hints or suggestions would be greatly helpful.

thanks and regards,
murali krishna vemuri
RE: Adding Application Attributes to X509 Certificates?
the line MyAttribute=MyValue is not correct
you must give a valid ASN1Object as the value

examples :

    1.2.3.4 = DER:05:00 # oid=1.2.3.4 value = ASN1Null
    1.2.3.4 = DER:16:05:68:65:6C:6C:6F # ASN1IA5String for hello
    1.2.3.4 = DER:02:02:01:00 # ASN1Integer for 256
    1.2.3.4 = DER:18:0f:32:30:30:32:30:34:31:35:31:32:34:38:34:35:5a # ASN1GeneralizedTime (2002/04/15 12:48:35)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Brian Skrab
Sent: Thursday, April 11, 2002 13:44
To: Richard Levitte - VMS Whacker
Cc: [EMAIL PROTECTED]
Subject: Re: Adding Application Attributes to X509 Certificates?

Richard Levitte - VMS Whacker wrote:

Do you mean that the attributes do not necessarily need to be part of the CSR? I agree, I just thought that was what you were after.

You are correct. The attributes do not have to be part of the CSR. I should have been more clear about that fact. I mentioned the CSR because I was able to get the attributes to appear in the CSR (as request attributes), but not the signed certificate as attributes or extensions.

Absolutely. If you look in the default openssl.cnf, you'll see that the CA_default section has a key called x509_extensions which names the section where the extensions are stored. If you go to that section usr_cert, you'll see the extensions that are added to the new certificates. That default section is of course ignored if you've given a different section name with -extensions.

I have moved my additions into the default usr_cert section of the config file. Executing the following command delivers the same error as mentioned in my last message:

    openssl ca -keyfile cakey.pem -in csr.pem -out crt.pem

So, you either haven't added an OID named MyAttribute, or you have misspelled something. Care to show us your configuration file?

Absolutely. Below is the text of my openssl.cnf.

    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME = .
    RANDFILE = $ENV::HOME/.rnd

    # Extra OBJECT IDENTIFIER info:
    #oid_file = $ENV::HOME/.oid
    oid_section = new_oids

    # To use this configuration file with the -extfile option of the
    # openssl x509 utility, name here the section containing the
    # X.509v3 extensions to use:
    extensions = usr_cert
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)

    [ new_oids ]

    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    MyAttribute=2.44.88

    [ ca ]
    default_ca = CA_default # The default ca section

    [ CA_default ]

    dir = /usr/local/apache/conf/ssl.csr # Where everything is kept
    certs = $dir # Where the issued certs are kept
    new_certs_dir = $dir/ca.db.certs
    crl_dir = $dir/crl # Where the issued crl are kept
    database = $dir/ca.db.index
    serial = $dir/ca.db.serial
    RANDFILE = $dir/ca.db.rand
    certificate = $dir/ca.crt
    private_key = $dir/ca.key

    x509_extensions = usr_cert # The extentions to add to the cert

    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crl_extensions = crl_ext

    default_days = 365 # how long to certify for
    default_crl_days= 30 # how long before next CRL
    default_md = md5 # which md to use.
    preserve = no # keep passed DN ordering

    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy = policy_anything

    # For the CA policy
    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ req ]
    default_bits = 1024
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert

    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret

    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix :
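Added example, not part of the original messages: a small Python encoder that builds the `DER:` values quoted in the reply above for use in an openssl.cnf extension section. The function names are this example's own, and the sample timestamp is the one the page's GeneralizedTime bytes spell out (20020415124845Z).

```python
"""Build `OID = DER:..` lines for an openssl.cnf extension section."""
import re
from datetime import datetime, timezone

OID_RE = re.compile(r"^[0-2](\.\d+)+$")  # dotted-decimal OID, first arc 0..2


def _tlv(tag: int, content: bytes) -> bytes:
    """Wrap content as DER tag + definite length + value."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])                          # short form: one byte
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body    # long form: count + bytes
    return bytes([tag]) + length + content


def der_null() -> bytes:
    return _tlv(0x05, b"")


def der_ia5string(text: str) -> bytes:
    # IA5String is 7-bit ASCII; encode() raises UnicodeEncodeError otherwise.
    return _tlv(0x16, text.encode("ascii"))


def der_integer(value: int) -> bytes:
    # DER requires the shortest two's-complement form, with a leading 0x00
    # only when the top bit of a non-negative value would otherwise be set.
    magnitude = value if value >= 0 else ~value
    size = magnitude.bit_length() // 8 + 1
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def der_generalized_time(when: datetime) -> bytes:
    # DER GeneralizedTime is UTC, whole seconds, terminated by "Z".
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return _tlv(0x18, stamp.encode("ascii"))


def cnf_line(oid: str, der: bytes) -> str:
    """Format one extension line: dotted OID, then colon-separated hex."""
    if not OID_RE.match(oid):
        raise ValueError(f"not a dotted-decimal OID: {oid!r}")
    return f"{oid} = DER:" + ":".join(f"{b:02X}" for b in der)


if __name__ == "__main__":
    # Constructed sample values matching the four examples in the reply.
    samples = [
        der_null(),
        der_ia5string("hello"),
        der_integer(256),
        der_generalized_time(
            datetime(2002, 4, 15, 12, 48, 45, tzinfo=timezone.utc)),
    ]
    for der in samples:
        print(cnf_line("1.2.3.4", der))
```

The hex digits are printed in upper case; `openssl asn1parse` on the resulting certificate is a quick way to confirm the extension value parses as the intended type.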
RE: Extension in CRLs never used????
the crlEntryExtensions can be used for the Reason Code (oid= id-ce-reasonCode = 2.5.29.21)

    reasonCode EXTENSION ::= {
        SYNTAX CRLReason
        IDENTIFIED BY id-ce-reasonCode }

    CRLReason ::= ENUMERATED {
        unspecified(0),
        keyCompromise(1),
        cACompromise(2),
        affiliationChanged(3),
        superseded(4),
        cessationOfOperation(5),
        certificateHold(6),
        removeFromCRL(8) }

Some of crlExtensions are :

    CRLNumber (id-ce-cRLNumber = 2.5.29.20)
    Delta CRL indicator (id-ce-deltaCRLIndicator = 2.5.29.27)
    Issuing Distribution Point (id-ce-issuingDistributionPoint = 2.5.29.28)

2 attached CRLs with extensions for example

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mads Rasmussen
Sent: Thursday, February 28, 2002 13:13
To: [EMAIL PROTECTED]
Subject: Extension in CRLs never used

Hi there,

A question about certificates: In the rfc 2459 definition of the crl format 5.1 CRL Fields (page 42)

    TBSCertList ::= SEQUENCE {
RE: Extension in CRLs never used????
They probably want to remain compatible with the old softwares.

Sorry for the attached files.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mads Rasmussen
Sent: Thursday, February 28, 2002 16:13
To: [EMAIL PROTECTED]
Cc: Francois Guerry
Subject: RES: Extension in CRLs never used

Thanks,

That's exactly why I would like to use the version 2 crl, it just seems that none of the most established CAs use it. I find the idea of reason code excellent and useful. Have you any idea why it isn't used?

Just one more thing, you wrote that you attached 2 crls, maybe our firewall removed these because I didn't receive any. Could you send them in a zipfile?

Mads Rasmussen

-----Original Message-----
From: Francois Guerry [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 28, 2002 10:16
To: '[EMAIL PROTECTED]'
Subject: RE: Extension in CRLs never used

the crlEntryExtensions can be used for the Reason Code (oid= id-ce-reasonCode = 2.5.29.21)

    reasonCode EXTENSION ::= {
        SYNTAX CRLReason
        IDENTIFIED BY id-ce-reasonCode }

    CRLReason ::= ENUMERATED {
        unspecified(0),
        keyCompromise(1),
        cACompromise(2),
        affiliationChanged(3),
        superseded(4),
        cessationOfOperation(5),
        certificateHold(6),
        removeFromCRL(8) }

Some of crlExtensions are :

    CRLNumber (id-ce-cRLNumber = 2.5.29.20)
    Delta CRL indicator (id-ce-deltaCRLIndicator = 2.5.29.27)
    Issuing Distribution Point (id-ce-issuingDistributionPoint = 2.5.29.28)

2 attached CRLs with extensions for example

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mads Rasmussen
Sent: Thursday, February 28, 2002 13:13
To: [EMAIL PROTECTED]
Subject: Extension in CRLs never used

Hi there,

A question about certificates: In the rfc 2459 definition of the crl format 5.1 CRL Fields (page 42)

    TBSCertList ::= SEQUENCE {

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Attachment: crls.zip (binary data)
No Subject
Hi,

I am a Mac user under Mac OS X and I want to connect to SGI via SSH. My problem is that when I run the command ssh host, I receive this message:

    OpenSSL version mismatch. Built against 90581f, you have 90602f.

What do I have to do? Please help! Thank you!

Jean-Francois Naud
Ph.D student
University of Sherbrooke
[EMAIL PROTECTED]
copy extensions from a pkcs10 request
Hi,

I work with openssl-engine-0.9.6b on Windows NT4SP6. I am trying to build a x509v3 certificate from a PKCS10 request with the openssl ca utility. It works fine, but the extensions from the request are not copied into the certificate. The copy_extensions = copyall option in the config file does not change anything. Is this option really implemented?

François Guerry
Re: openssl 0.9.6 and Irix 6.x ( SGI OS )
* RAVIER Benoit - NTR ([EMAIL PROTECTED]) [20010329 10:34] thus spake:

Hello,

Has somebody already used the cryptography library under the Irix 6.5 operating system? Like many, I think, I have a problem with the /dev/urandom device... After calling the SGI hotline, it seems there is no package to install it.

You need egd/prngd. See http://www.openssl.org/docs/crypto/RAND_egd.html

HTH,
jf

Thank you if you've any news about that. Sorry for the poor English...

--
Double, double toil and trouble
Fire burn, and cauldron bubble
Re: make test fails on IRIX
* Kevin Walker ([EMAIL PROTECTED]) [20001213 10:34] thus spake:

[...]

    OpenSSL self-test report:

    OpenSSL version: 0.9.6
    Last change: In ssl23_get_client_hello, generate an error message wh...
    Options: -mips3
    OS (uname): IRIX phil 6.5 07201607 IP22
    OS (config): mips3-sgi-irix
    Target (default): ??
    Target: irix-mips3-cc
    Compiler: cc ERROR: no source or object file given

    Failure!

h, I built openssl-0.9.6 on irix-5.3 with both the SGI native C compiler and egcs-2.91.66 and also on a O200 running irix-6.5.6m (no gcc there as it's broken for 6.5.x) with no problems whatsoever... what does your 'cc -version' say?

jf

snip

    test BN_lshift
    test BN_rshift1
    test BN_rshift
    Right shift test failed!
    *** Error code 1 (bu21)
    *** Error code 1 (bu21)

Thanks in advance,

~
Kevin B. Walker
Systems Engineering Simulator
pager = (281) 527 - 2150
office = (281) 244 - 5012
[EMAIL PROTECTED]
~.

--
"I haven't lost my mind...it's backed up on tape"
Re: certificates setup: OpenSSL with imap-2000
Hello Lutz,

* Lutz Jaenicke ([EMAIL PROTECTED]) [20001129 14:36] thus spake:

[much elition]

Please do a

    openssl rsa -in privkey.pem -text

If the data is listed without password, you're done. If not, the PEM pass phrase wanted is the old one needed to decrypt the private key...

woah! That worked! I can now use mutt/uw-imap-2000/openssl with cram-md5 authentication! So far I have mutt-1.3.9i on Linux and irix working. Mutt-1.2.5i does not seem to like cram-md5 authentication and pine-4.30 (compiled with openssl-0.9.6) complains about "[unable to get local issuer certificate...]

Thanks a million!
jf

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

--
"I haven't lost my mind...it's backed up on tape"
certificates setup: OpenSSL with imap-2000
Hello,

I just compiled and installed openssl-0.9.6 with imap-2000 from UW on irix-6.5.x (using egd as an entropy generator) but due to my lack of understanding on how to generate and where to install my self-signed certificates I get the following error when trying to telnet to port 993 on the imap server:

    ~# telnet imaps-server 993
    imapd: Unable to load private key from /usr/local/ssl/certs/imapd.pem
    imapd: SSL error status: error:0906D06C:PEM routines:PEM_read_bio:no start line
    imapd: SSL error status: error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:missing asn1 eos

Here's what I did to generate my self-signed certificates. I used the guidelines found in http://www.w3j.com/7/s3.hirsch.wrap.html even though I'm not sure if it applies to openssl, hence my problem :(

1- Generate self-signed root certificate:

    ~# openssl req -new -out -x509 -keyout CAkey.pem -out CAcert.pem
    Using configuration from /usr/local/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ..++
    ..++
    writing new private key to 'CAkey.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CA]:
    State or Province Name (full name) [Quebec]:
    Locality Name (eg, city) [Montreal]:
    Organization Name (eg, company) [McConnell Brain Imaging Center]:
    Organizational Unit Name (eg, section) [BIC]:
    Common Name (eg, YOUR name) []:example CA
    Email Address [[EMAIL PROTECTED]]:
    ~# mv CA*.pem private

2- Generate certificate request:

    ~# openssl req -new -out MyReq.req
    Using configuration from /usr/local/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    .++
    ..++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CA]:
    State or Province Name (full name) [Quebec]:
    Locality Name (eg, city) [Montreal]:
    Organization Name (eg, company) [McConnell Brain Imaging Center]:
    Organizational Unit Name (eg, section) [BIC]:
    Common Name (eg, YOUR name) []:BIC CA
    Email Address [[EMAIL PROTECTED]]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

3- Sign it:

    ~# openssl ca -out newcert.pem -in MyReq.req
    Using configuration from /usr/local/ssl/openssl.cnf
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName :PRINTABLE:'CA'
    stateOrProvinceName :PRINTABLE:'Quebec'
    localityName :PRINTABLE:'Montreal'
    organizationName :PRINTABLE:'McConnell Brain Imaging Center'
    organizationalUnitName:PRINTABLE:'BIC'
    commonName:PRINTABLE:'BIC CA'
    emailAddress :IA5STRING:'[EMAIL PROTECTED]'
    Certificate is to be certified until Nov 29 14:40:47 2001 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

4- Install the imapd certificate:

    ~# cp newcert.pem certs/imapd.pem

Obviously, I'm missing something!

TIA,
jf
--
"You are born naked, wet and hungry. Then it gets worse" -Woto
Re: using the Net_SSLeay.pm1.03
The Net_SSLeay1.03 "test.pl" does not go through on NT; due mostly because a Perl process spawn is not supported the same way on NT.. (from what I recall) I modified it and added some of the tests on my own...

You don't need a client certificate to connect to a remote site... Make the Perl Net_SSLeay succeed by removing some of the tests which fail within test.pl ... after that, run the following under the Net_SSLeay examples directory:

    perl get_page.pl www.cryptsoft.com 443 /

or

    perl get_page.pl www.thawte.com 443 /

and you should see the home page html code as well as some SSL tracing if you have enabled any... You can enable Net_SSLeay tracing by adding the following in your Perl program (i.e. get_page.pl) :

    $Net::SSLeay::trace = 3;

the tracing conventions being:

    # 0=no warns, 1=only errors, 2=ciphers, 3=progress, 4=dump data

I can send you my test.pl if you want to...hope this helps,

I'm not sure you can use LWP with Net_SSLeay...Net_SSLeay writes HTTP request on its own and that was enough for me...I think you may need Crypt_SSLeay in that case. I know it integrates with LWP...

--francois

-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: sslusers [EMAIL PROTECTED]
Date: Monday, April 05, 1999 7:16 PM
Subject: using the Net_SSLeay.pm1.03

Now that I have Net_SSLeay1.03 finally compiled and ran the install I tried to do a nmake test without much luck. Is there a way to test my install. I am on NT without my own certificate. Also, can I use the LWP now with https://some_site like I was using http:// some site when I am sending a POST to a site

Thanks for any help
Doug
--
Doug Courtney [EMAIL PROTECTED] (732)576-5572
Re: Compiling OpenSSL 0.9.2b on Win32
I did compile 0.9.2b on Win98 w/ VC6.0 and no problem. (followed the same steps as described below)

fyi.

-----Original Message-----
From: Erwann ABALEA [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, March 31, 1999 1:52 AM
Subject: Re: Compiling OpenSSL 0.9.2b on Win32

On Tue, 30 Mar 1999, Jerry Baker wrote:

After thoroughly following the directions that come with the distribution (including fixing some broken stuff that's not documented like a bunch of link files in place of some includes), I am running into an error that I cannot figure out. The compiler spits out "LIBEAY32.def : error LNK2001: unresolved external symbol BIO_get_ex_num". I am absolutely 100% positive that all paths are correct and all settings are good. I have several times wiped out the entire src tree for OpenSSL and unpacked the tarball to start fresh. Same error every time. Any ideas anyone? This is all on Win98 with MS VC++ 6.0 SP2

I compiled the 0.9.2b version on my Win98+VC++5.0 without any trouble, by running only 3 commands, like described in the INSTALL.W32 doc:

    perl Configure VC-WIN32
    ms\do_ms.bat
    nmake -f ms\ntdll.mak

Maybe you missed one step? Or your VC++6.0 is the problem?

--
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -
Re: Best Ciphers?
RC4-SHA or RC4-MD5 is very secure (128bits) and fast, compared to triple-DES which is one of the most secure (168bits) but also much slower than RC4...

A pretty common cipher suite used is RC4-MD5 with RSA for Key Exchange (I prefer RC4-SHA w/ RSA for Kx)

Just an opinion of course :)

--francois

-----Original Message-----
From: Juergen Rensen [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, March 25, 1999 1:44 AM
Subject: "Best" Ciphers?

Hi everyone,

I was wondering if there is something like a "best" cipher to use, ie. which one is the fastest, which one the most secure, which one the best compromise, etc. I checked the mail archive and couldn't find anything on that topic. If anyone knows of any books or FAQs where I can find some comparative information, then I would be grateful if you could let me know.

Thank you
Juergen
Re: Win 32 DLL library NET_SSLEAY Perl module generation (bn.h) compilation errors
I'm preparing some instructions that I will send to Sampo and to whoever wants them (i.e. Doug). Net_SSLeay (1.0.3) is working fine for me on Win32 (NT/95/98) with (SSLeay 0.9.0b). I'm in the process of converting and testing with OpenSSL 0.9.2...

Cheers,
--francois

-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Saturday, March 20, 1999 1:24 PM
Subject: Re: Win 32 DLL library NET_SSLEAY Perl module generation (bn.h) compilation errors

Hello,

I saw this on the mailing list and I am running into the same problem. Did you ever get a solution to the problem. I am not currently on the list, so could you mail me any info you care to share.

Thanks
Doug

Hi,

I'm doing it at the moment and I'm also getting these quite unexpected errors (for ssl.h and bn.h). I wonder if this is caused by #include ordering in the SSLeay.xs? Would there be any Win32 MS VC 5.0 or 6.0 expert as to know if there would be any special compile flags to set in order to get rid of these errors..

    c:\SSLeayBin\include\bn.h(245) : error C2143: syntax error : missing ';' before '-'
    c:\SSLeayBin\include\bn.h(245) : error C2059: syntax error : '-'
    c:\SSLeayBin\include\bn.h(245) : error C2238: unexpected token(s) preceding ';'
    c:\SSLeayBin\include\bn.h(376) : error C2143: syntax error : missing ',' before '-'
    c:\SSLeayBin\include\bn.h(376) : error C2059: syntax error : '-'
    c:\SSLeayBin\include\ssl.h(892) : error C2143: syntax error : missing ',' before '-'
    c:\SSLeayBin\include\ssl.h(892) : error C2059: syntax error : '-'
    c:\SSLeayBin\include\ssl.h(893) : error C2143: syntax error : missing ',' before '-'
    c:\SSLeayBin\include\ssl.h(893) : error C2059: syntax error : '-'

The syntax errors in the bn.h aren't C syntax error to me at all, therefore it must be caused as a side-effect of something else... I'm enclosing the errors in case it rings anybody a bell...Thanks for any thoughts on this. Once we can make it work, anybody can benefit from using it..The Net_SSLeay perl module seems to be a great package.

--francois

-----Original Message-----
From: Hugues Obolonsky [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, February 08, 1999 6:22 AM
Subject: Re: Win 32 DLL library [Re: (no subject)]

That's ok for me, but what can I do to use the perl SSLeay module. Every time I try to compile, I've got many errors in the bn.h? Has anyone compiled the perl module on NT?

Ulrich Kroener wrote:

Ng, (?)

You need
Perl for Win32 (from ActiveWare)
VC 5 or later (from you know whom)

Last time I checked (with openssl-0.9.1c), it worked like this:

    where_your_MSVC_bin_directory_is\vcvars.bat
    cd where_your_openssl_root_is
    perl util\mk1mf.pl VC-WIN32 dll no-asm >ms\ntdll.mak
    perl util\mkdef.pl 32 libeay >ms\libeay32.def
    perl util\mkdef.pl 32 ssleay >ms\ssleay32.def
    nmake -f ms\ntdll.mak

After this, you will (so I hope) find two DLLs in the out32dll directory, together with their respective import libraries. This is very similar to the ms\do_ms.bat script proposed, but with no-asm enabled, so that you won't need the MS assembler (named ml.exe).

Cheers!
Ulrich Kröner

P.S.: Also see my attached mak file for making a debug version ( use "nmake -f ms\ntdll-debug-noasm.mak" )

Disclaimer: I speak for myself, not for my employer.

---Ng Wei Yang [EMAIL PROTECTED] wrote:

Hi, for the kind people out there, please help me to get the openssl source code compiled n made into a dll library. I'm quite dumb in this thing n i face a lot of problem when try to follow the instructions provided in the install.w32. my email is [EMAIL PROTECTED]

Attachment: ntdll-debug-noasm.zip (Zip Compressed Data, application/x-zip-compressed)

--
Doug Courtney [EMAIL PROTECTED] (732)576-5572
Re: Fresh meat -- Java SSL using OpenSSL (SSLeay)
Sorry if I'm not actually answering your problem but I think OpenSSL should maybe start to think about having some Java Interface/integration within the OpenSSL project. Java popularity is growing more than what non-Java developers tend to think (i.e. Servlet technology is great) ... JNI is not really portable but Java is for sure. Doesn't that sound like a reasonable/plausible suggestion?

Cheerios,
--francois

-----Original Message-----
From: Buchs Christian [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, March 11, 1999 6:11 AM
Subject: RE: Fresh meat -- Java SSL using OpenSSL (SSLeay)

Do you support (or plan to support) also SSLeay-0.9.0b or OpenSSL ?

It builds and works fine with SSLeay-0.9.0b and openssl-0.9.1c without changes. (just tested)

Not under NT unfortunately... In itissl.h, you include ssl_locl.h which doesn't come out in the inc32 directory when you build openssl for NT. Does anybody have a hint how I could change things to make the whole thing work? (not including ssl_locl.h doesn't help...)

Ch. Buchs