Re: building 32-bit openssl library on 64-bit RedHat Linux
Hi there,

On Thu, 24 Jan 2008, Geetanjali Sovani wrote:

> I am trying to build openssl 32-bit libraries on a 64-bit RedHat Linux x86_64
> However, the default configuration always builds it as 64-bit libraries.
> I saw that there is a configuration parameter that can be used to build 32-bit libraries on 64-bit Solaris.
> Is there some similar option available for RedHat Linux ?

Have you read the document entitled INSTALL?

--
73, Ged.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: About ECC patent and OpenSSL ECC code
Hi there,

On Thu, 10 Jan 2008, Rodney Thayer wrote:

> As far as I'm concerned...

Your analysis was very helpful. Thanks very much.

--
73, Ged.
Re: How to dump SSL Handshake messages?
Hi there,

On Fri, 11 Jan 2008, Vicky Ven wrote:

> I need to the capture the SSL handshake messages between my client application and server.
> How do we dump detailed SSL Handshake messages? Does OpenSSL offer some means?

Depends on your platform. Try tcpdump if you have something that offers it - almost all Unix-like systems do. Wireshark is very much better but takes a little effort to install if you don't already have it.

--
73, Ged.
OpenSSL mailing list posting guidelines.
Hello all,

In the absence of moderation and/or a daily digest of the OpenSSL mailing list, and in view of the rather high and apparently increasing volume(/noise level) on the list, here are some options that I can see for me, listed in order of increasing reluctance:

1. Beg for the publication of some posting guidelines, to be posted at http://www.openssl.org/support/ or perhaps linked from there.

2. Locally drop mail from e.g. 'free' accounts. It seems these are often used by students who need help with their homework, and some of them, apparently, should never have been admitted to the course in the first place.

3. Find a 'milter-digest' for Sendmail, or write something like that for procmail, or whatever.

Working on the principle of least reluctance I'll try option 1. I'm happy to write the first draft if necessary. I have something kicking around that I wrote for another list a few years back; it should be a good starting point.

Comments?

--
73, Ged.
Re: Vista 64 bit
Hi there,

On Mon, 31 Dec 2007, Thomas J. Hruska wrote:

> If you absolutely have to have a 64-bit build (i.e. 32-bit doesn't work), wait a few weeks.
> I'm planning on purchasing and installing Microsoft Visual Studio Professional 2008 out of my own pocket (since almost no one donates).
> One of the first things I plan on doing is creating a 64-bit binary build of OpenSSL.

Apparently you can get a 90-day trial download of this product. There's a link on

http://msdn2.microsoft.com/en-us/vstudio/products/aa700831.aspx

which seems to be to

http://go.microsoft.com/?linkid=7771657

but when I clicked it, the page didn't render properly - all I saw was a few empty panes and a button. That's probably because I was using Konqueror, and the page is produced by M1cr0$0ft.

I wanted to see if the presumed attached strings would prohibit using it to compile OpenSSL and then throwing MVSP2008 in the bin. It's not worth my time to pursue it since I don't run Windows.

--
73, Ged.
Re: How To Download Latest Tarball?
Hi there,

On Sat, 17 Nov 2007 [EMAIL PROTECTED] wrote:

> ...having problems downloading one of the *.gz tarballs on your website.
> ...upon downloading, it has been modified to a *tar.tar file - that is, openssl-0.9.8g.tar.tar.

Ugh. That's probably just Windows being stupid.

> So then, I FTP that tar file to the Solaris UNIX box that I am remotely trying to install OpenSSL onto, and try to untar -xvf the file, at which point I get the following message:
>
> vobs lca1099 /usr/local/bin/tar -xvf openssl-0.9.8g.tar.tar
> /usr/local/bin/tar: Hmm, this doesn't look like a tar archive

That's because it's not a simple tar archive. It's gzipped...

> ...
> vobs lca1099 ls *.gz
> openssl-0.9.8g.tar.gz
> ...
> ^Cvobs lca1099 gunzip open*.gz
> gunzip: openssl-0.9.8g.tar.gz: invalid compressed data--format violated

...as you figured out for yourself. :)

> There's got to be a better way to do this.

wget?

Check that the file size and its checksum are what you expect after download and after file transfer. Check that you're using binary mode when you transfer with ftp. Use a different file transfer mechanism if you can - sftp for example?

--
73, Ged.
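The checks recommended in the reply above, as an added example that is not part of the original thread: a small POSIX shell function that compares a downloaded tarball's byte size and SHA-1 against the published values and then lets gzip test the stream, so a transfer damaged by ASCII-mode FTP is caught before anyone reaches for tar. It assumes sha1sum, gzip and stat from GNU coreutils/gzip are installed.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded tarball the way the
# reply suggests (size, checksum, then gzip integrity) before untarring it.
# Assumes sha1sum, gzip and stat from GNU coreutils/gzip are available.

# Byte size of a file; falls back to wc -c where stat -c is unsupported.
file_size() {
    stat -c %s "$1" 2>/dev/null || wc -c < "$1" | tr -d ' '
}

# verify_tarball FILE EXPECTED_SIZE EXPECTED_SHA1
# Returns 0 only when all three checks pass; prints the first failure.
verify_tarball() {
    f=$1; want_size=$2; want_sha1=$3
    [ -f "$f" ] || { echo "missing: $f"; return 1; }

    # A size change after an FTP transfer usually means ASCII mode was used.
    got_size=$(file_size "$f")
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch: got $got_size, expected $want_size (binary-mode transfer?)"
        return 1
    fi

    # Checksum against the value published alongside the tarball.
    got_sha1=$(sha1sum "$f" | cut -d' ' -f1)
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "sha1 mismatch: got $got_sha1, expected $want_sha1"
        return 1
    fi

    # gzip -t decompresses to nowhere; this is the step that fails with
    # "invalid compressed data--format violated" on a damaged download.
    if ! gzip -t "$f" 2>/dev/null; then
        echo "gzip integrity check failed: $f"
        return 1
    fi

    echo "ok: $f"
}
```

Run it as `verify_tarball openssl-x.y.z.tar.gz SIZE SHA1` once on the download host and again after the FTP transfer; a size mismatch on the second run points at the transfer mode, not the mirror.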
Re: Possible memory leak or bad allocation strategy in openssl-0.9.8d - known issue?
Hi there,

On Fri, 19 Oct 2007, David Lobron wrote:

> I am testing an Objective-C program that links with openssl-0.9.8d, in a Linux environment.
> In testing, I noticed that RSS use was creeping up fairly quickly

I don't know why that might be, but the generic advice is to try the most recent version of the package before bringing it up on a mailing list. Your openssl version is over a year old, and in addition to a few known faults it contains numerous vulnerabilities.

--
73, Ged.
RE: Changing the expiry date of a cert
Hi there,

On Wed, 17 Oct 2007, David Schwartz wrote:

> The OP wrote:
>
> > I have a private CA certificate created using openssl command line.
> > The issue is that the certificate expires on 19th Oct, 2007.
> > The question is that Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?
> > Basically, I want to continue using this CA Cert to sign end-user certs for a longer time.
> > Any help will be appreciated. Thanks.
>
> This question comes up a lot and I still have no idea what anyone is asking.

It seems fairly clear to me.

> It seems like it's largely a philosophical question, like am I the same person I was ten years ago even though only 1% of the molecules are the same.

I don't think the OP asked anything like that.

> Some might consider the resulting certificate to be the original certificate with a later expiry date. Some might consider it to be a brand new certificate that just happens to share some common values with the previous certificate.

I don't think the OP asked whether it would still be the old certificate or if it would be a new certificate. He just asked if he can change the date, and only the date, on his existing certificate.

> What possible difference does it make whether you consider the resulting certificate a new certificate or the original certificate with a later expiration date?

I don't think, in this thread, that anyone else considered that difference.

> Or are you asking something else entirely? And if so, what?

It seems to me that the OP is indeed asking something else entirely different from the question which you yourself seem to have posed and then immediately failed to answer. He's asking "Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?", to which it seems that the answer is "Yes", although one might add that the resulting certificate could be viewed by some as a different certificate.

In that case, the next question would be "Is it valid?", to which the answer would also presumably be "Yes".

Have I understood?

--
73, Ged.
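One way to do what the reply says is possible, as an added example that is not part of the original thread: re-sign the existing self-signed CA certificate with a new validity period and then verify that subject, issuer, serial and public key are byte-for-byte the same, so that only the dates moved. It assumes the openssl command-line tool is on PATH; every file name is a placeholder chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: re-sign an existing self-signed CA
# certificate with a longer validity, then confirm that subject, issuer,
# serial and public key are unchanged, i.e. only the dates moved.
# Assumes the openssl command-line tool is on PATH; all file names are
# placeholders chosen for this example.

# cert_identity CERT: the fields that must survive the renewal unchanged.
cert_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -serial
    openssl x509 -in "$1" -noout -pubkey | openssl sha256
}

# renew_ca KEY OLD_CERT NEW_CERT DAYS
# "x509 -signkey" re-signs the input certificate with a fresh validity period
# while keeping its subject, public key and extensions; the serial is copied
# across explicitly so it cannot change either.
renew_ca() {
    key=$1; old=$2; new=$3; days=$4
    serial=$(openssl x509 -in "$old" -noout -serial | cut -d= -f2)
    openssl x509 -in "$old" -signkey "$key" -days "$days" \
        -set_serial "0x$serial" -out "$new" 2>/dev/null
}

# check_only_dates_changed OLD_CERT NEW_CERT
# Succeeds only when the identity fields match and the expiry really moved.
check_only_dates_changed() {
    old=$1; new=$2
    if [ "$(cert_identity "$old")" != "$(cert_identity "$new")" ]; then
        echo "identity fields differ: this is a different certificate"
        return 1
    fi
    if [ "$(openssl x509 -in "$old" -noout -enddate)" = \
         "$(openssl x509 -in "$new" -noout -enddate)" ]; then
        echo "expiry was not extended"
        return 1
    fi
    echo "only the validity period changed"
}
```

Note that the signature value is new (it covers the new dates) and notBefore is reset to the signing time, which is exactly the "same certificate or a different one?" question the thread argues about.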
Re: SHA1 checksum mismatch on openssl-0.9.8f tarball
Hi there,

On Fri, 12 Oct 2007, Keith Thompson wrote:

> On Fri 07-10-12 15:02, Keith Thompson wrote:
>
> That's not the only problem. [...]
>
> The key used to generate openssl-0.9.8f.tar.gz.asc (key ID 2719AF35) appears to belong to Ben Laurie, who is a member of the OpenSSL core team, but it's not the same key advertised on http://openssl.org/about/ (key ID 2118CF83).

And what's this about...?

[EMAIL PROTECTED] src]$ tar xzf ~/openssl-0.9.8f.tar.gz
tar: A lone zero block at 32800

--
73, Ged.
Re: SHA1 checksum mismatch on openssl-0.9.8f tarball
Hi there,

This seems to be going from bad to worse...

mail4:~/src/openssl-0.9.8f$ su
Password:
mail4:/home/ged/src/openssl-0.9.8f# make install
making all in crypto...
make[1]: Entering directory `/home2/ged/src/openssl-0.9.8f/crypto'
making all in crypto/objects...
make[2]: Entering directory `/home2/ged/src/openssl-0.9.8f/crypto/objects'
/usr/bin/perl5 obj_dat.pl obj_mac.h obj_dat.h
make[2]: /usr/bin/perl5: Command not found
make[2]: *** [obj_dat.h] Error 127
make[2]: Leaving directory `/home2/ged/src/openssl-0.9.8f/crypto/objects'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/home2/ged/src/openssl-0.9.8f/crypto'
make: *** [build_crypto] Error 1
mail4:/home/ged/src/openssl-0.9.8f# ln -s /usr/bin/perl5.8.6 /usr/bin/perl5
mail4:/home/ged/src/openssl-0.9.8f# make install
[...]
[...]
make[2]: Entering directory `/home2/ged/src/openssl-0.9.8f/apps'
( :; LIBDEPS=${LIBDEPS:--L.. -lssl -L.. -lcrypto }; LDCMD=${LDCMD:-cc}; LDFLAGS=${LDFLAGS:--O}; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null 2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o ${LIBDEPS} )
../libcrypto.a(dso_dlfcn.o)(.text+0x45): In function `dlfcn_load':
: undefined reference to `dlopen'
../libcrypto.a(dso_dlfcn.o)(.text+0xa1): In function `dlfcn_load':
: undefined reference to `dlclose'
../libcrypto.a(dso_dlfcn.o)(.text+0xcc): In function `dlfcn_load':
: undefined reference to `dlerror'
../libcrypto.a(dso_dlfcn.o)(.text+0x15b): In function `dlfcn_unload':
: undefined reference to `dlclose'
../libcrypto.a(dso_dlfcn.o)(.text+0x221): In function `dlfcn_bind_var':
: undefined reference to `dlsym'
../libcrypto.a(dso_dlfcn.o)(.text+0x295): In function `dlfcn_bind_var':
: undefined reference to `dlerror'
../libcrypto.a(dso_dlfcn.o)(.text+0x313): In function `dlfcn_bind_func':
: undefined reference to `dlsym'
../libcrypto.a(dso_dlfcn.o)(.text+0x38f): In function `dlfcn_bind_func':
: undefined reference to `dlerror'
collect2: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory `/home2/ged/src/openssl-0.9.8f/apps'
make[1]: *** [openssl] Error 2
make[1]: Leaving directory `/home2/ged/src/openssl-0.9.8f/apps'
make: *** [build_apps] Error 1

--
73, Ged.
Arbitrary code execution?
Hi there,

There's a notice that 0.9.7m and 0.9.8e have a vulnerability posted here:

http://www.securityfocus.com/bid/25831

and the Debian package maintainer recently sent this:

--
Subject: [DSA 1379-1] New openssl packages fix arbitrary code execution

[snip]

Package        : openssl
Vulnerability  : off-by-one error/buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-5135
Debian Bug     : 35

An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in the libssl library from OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application.

For the stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch1.

For the old stable distribution (sarge), this problem has been fixed in version 0.9.7e-3sarge5.

For the unstable and testing distributions (sid and lenny, respectively), this problem has been fixed in version 0.9.8e-9.

[snip]
--

yet I see only 0.9.7l and 0.9.8d mentioned here:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135

and nothing on the Openssl site itself. What's the story?

--
73, Ged.