RE: Problems installing OpenSSL on Linux

2004-07-12 Thread John . Airey
> -Original Message-
> From: J Harper [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 10 June 2004 20:39
> To: [EMAIL PROTECTED]
> Subject: Re: Problems installing OpenSSL on Linux
> 
> 
> This is an informative post, thank you.  I'd like to add that this is one of
> the huge problems with RedHat's library and dependencies configuration.
> Manually weeding through the dependencies by hand to install a new version
> of OpenSSL from source is very difficult, and upgrading an entirely new
> kernel and OS seems completely ludicrous to have timely security updates.
> Production systems that are tested and have been running for months/years
> can't go through this process each time a critical security update for
> OpenSSL is released.
> 
> The OpenSSL team does a fine job of acknowledging and fixing security
> issues, but if users of the most popular Linux distribution can't use them,
> it seems like a huge issue.  Is there a workaround we don't know about?  How
> well do other distributions handle this?  Ideally you could just use
> apt-get, and have the latest version installed.
> 
> J Harper
> PeerSec Networks
> http://www.peersec.com
> 

Actually in my experience (which goes back to compiling openssl and apache
on Red Hat BEFORE they were included in the OS) sticking with Red Hat's RPMs
is always easier than trying to roll your own generic installations. The
only restriction on using the Red Hat openssl is that certain ciphers are
not included due to US patent restrictions.

In fact, it is Red Hat's stated policy that they "backport" patches rather
than add new "features". That does mean that version numbers differ from the
latest version, which is frankly a minor inconvenience.

Details of all of this and how to build openssl without patent restrictions
on your systems are in the openssl FAQ.

-- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

I don't know which is worse. The makers of soap operas thinking they portray
real life or those that watch them thinking it is real life!

-- 
DISCLAIMER: 

NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


RE: [98] Address in use.. Could not bind to 443

2004-04-28 Thread John . Airey
> -Original Message-
> From: kloomis [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 14 April 2004 15:21
> To: [EMAIL PROTECTED]
> Subject: [98] Address in use.. Could not bind to 443
> 
> 
> Hello:
> 
> I have migrated from RH 7.1 to RH 9. I have edited the httpd.conf, and
> connections work to the server thru port 80.  But when I move the
> connection to 443 and SSL, I get a "Could not bind to 443, Address already
> in use" error message.  Upon some investigation I discovered that in the
> ssl.conf file there is: listen 443. When I removed the listen 443, I was
> able to connect to the server. The problem now is that the virtual host
> defined in the ssl.conf is not what I want.  My question is, should I
> remove the virtual host for ssl from the httpd.conf and edit the ssl.conf,
> or vice versa?  Is the ssl.conf necessary if everything is covered in the
> httpd.conf?
> 
I'm way behind my reading on this list, so I've only just read this one.
Historically Apache had three config files (httpd.conf, access.conf and
srm.conf). These were all combined into httpd.conf. However, distributions
like Red Hat split the ssl configuration into an ssl.conf file. In the case
of 9 this is in /etc/httpd/conf/conf.d.

The simple answer is that it's up to you. Simply renaming the ssl.conf in
/etc/httpd/conf.d will prevent its use (it's included with "Include
conf.d/*.conf" in httpd.conf), but the configuration will have to go in the
httpd.conf file.

Can you send me more details off list? I've not come across this before and
I've not had to change this ssl.conf file at all. I suspect that you may be
trying to run Apache 2.0 with a lot of Apache 1.3 directives that are now
out of date.

-- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Every person who has set out to disprove the resurrection of Jesus Christ
has changed their mind after examining the evidence in detail.

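One way to find the duplicate Listen behind this bind error, as an added example that is not part of the original thread: it reads httpd.conf plus the files its Include lines pull in and reports any address:port declared more than once. The sample tree is constructed in a temporary directory using the Red Hat 9 layout named above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: locate a Listen directive that is
# declared both in httpd.conf and in a file included from conf.d.

# Constructed sample ServerRoot (stand-in for /etc/httpd on Red Hat 9).
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/conf.d"
    cat > "$root/conf/httpd.conf" <<'EOF'
Listen 80
Listen 443
Include conf.d/*.conf
EOF
    cat > "$root/conf.d/ssl.conf" <<'EOF'
Listen 443
<VirtualHost _default_:443>
</VirtualHost>
EOF
    echo "$root"
}

# Print httpd.conf and every file matched by its Include lines.
# Relative Include patterns are resolved against the ServerRoot.
config_files() {
    root=$1
    echo "$root/conf/httpd.conf"
    awk 'tolower($1) == "include" { print $2 }' "$root/conf/httpd.conf" |
    while read -r pat; do
        case $pat in /*) ;; *) pat="$root/$pat" ;; esac
        for f in $pat; do          # unquoted on purpose so the glob expands
            if [ -f "$f" ]; then echo "$f"; fi
        done
    done
}

# Print "address:port file:line" for every Listen directive.
# A bare port is normalised to "*:port"; commented-out lines are ignored.
list_listen() {
    config_files "$1" | while read -r f; do
        awk 'tolower($1) == "listen" {
                 key = ($2 ~ /:/) ? $2 : ("*:" $2)
                 print key, FILENAME ":" FNR
             }' "$f"
    done
}

# Print each address:port declared more than once with its locations.
# Returns 1 if a duplicate exists, 0 if the configuration is clean.
duplicate_listen() {
    list_listen "$1" | awk '
        { count[$1]++; where[$1] = where[$1] " " $2 }
        END {
            for (p in count) if (count[p] > 1) { print p where[p]; dup = 1 }
            exit (dup ? 1 : 0)
        }'
}

demo_root=$(make_sample_root)
duplicate_listen "$demo_root" || echo "conflict: keep this Listen in one file only"
rm -rf "$demo_root"
```

Identical entries are the only case detected; a wildcard Listen overlapping a specific address is not.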


RE: Encrypted attachments

2004-03-31 Thread John . Airey
> -Original Message-
> From: Thorsten Müller
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 31 March 2004 15:55
> To: [EMAIL PROTECTED]
> Subject: Re: Encrypted attachments
> 
> 
> Dave wrote:
> 
> >I am encrypting email attachments.  I am on HP-UX 11.11 using openssl
> >0.9.7c.  I can send unencrypted attachments.  I am having trouble sending
> >encrypted attachments to Outlook.  When I look at the message source the
> >attachment seems to be there but Outlook can not make sense of it.  Any
> >ideas?
> >
> I'm not quite sure what exactly you are doing and what Outlook you
> are using. When you only encrypt the attachments, I think Outlook has
> some problems. You have to encrypt the complete mail generating a
> correct S/MIME mail, this should work, unless you are testing with
> Outlook 97 which I think has its problems with S/MIME
> 
> Thorsten
> 
Don't use Outlook 97, not even for a joke. It's seriously broken in many
other ways too. 98 is passable but 2000 is fairly reliable. YMMV of course.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Shameless movie plug - go see the Passion of the Christ!



RE: Openssl upgrade on Red Hat 7.3 question

2004-03-12 Thread John . Airey
> -Original Message-
> From: Vigilance [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 11 March 2004 20:02
> To: [EMAIL PROTECTED]
> Subject: Openssl upgrade on Red Hat 7.3 question
> 
> 
> 
> >
> >
> >I have a question about upgrading openssl on Redhat 7.3
> >
> >I have been running openssl 0.9.6b for quite some time without
> >problems.  Now I see that there is apparently a psybnc attack out there
> >for apache port 443.  I've had to shut down https until I can get this fixed.
> >
> >I installed 0.9.6l which seemed to go in just fine.  However, Redhat is
> >still using the old stuff because the new openssl went into /usr/local/ssl
> >and the old stuff is in /usr/bin.  I don't see anything like $SSL_HOME to set.
> >
> >There is an FAQ comment to not remove /usr/bin/openssl or it will break
> >sendmail and ssh but there is nothing in there about what to do about
> >it.  I'm not too keen to just put in a link under these circumstances.
> >
> >I'd really like to be able to take advantage of these new feature/security
> >fixes for at least apache and ideally also for ssh. What do I need to do
> >to get this to work?
> >
> >Please cc me as well as responding to the forum.
> >
> >Thanks in advance
> 

First of all, Red Hat 7.3 is no longer supported by Red Hat. However, if you
had used all the security updates so far supplied by Red Hat, there would be
no known security issues. There is a legacy project for Red Hat 7.3 but no
updates for Apache, openssl or mod_ssl have been released since the end of
last year, when support ceased.

However, if you wish to use a different version of openssl with apache, you
would be best advised to recompile both openssl and apache. Details of how
to do this are in the openssl documentation.

www.redhat.com and https://rhn.redhat.com are a good place to start.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Why do so many people who call themselves christians use the name of Jesus
Christ as a swear word?



RE: Virus Scanner

2004-03-02 Thread John . Airey
> -Original Message-
> From: Thomas H Jones II [mailto:[EMAIL PROTECTED]
> Sent: 27 February 2004 23:10
> To: '[EMAIL PROTECTED]'
> Subject: Virus Scanner
> 
> 
> Is there any possibility that this list could be run through a virus 
> scanner so that we wouldn't get spammed every time a virus passed 
> through this list to a system that mails back virus warning messages? 
> Seems like half the traffic is either virus or virus-response traffic.
> 
> -tom
> 
> ps. I don't -think- my site sends similar warnings,
>  let me know if it does, please.
> 
Well, for one those people on this list who are susceptible to viruses will
have anti-virus software anyway (and if they don't, getting openssl to work
is the least of their problems).

Two, there is the resource to think about. I don't think the server that runs
the openssl lists has been upgraded for years because of lack of funds, and
consequently I don't think anyone has the money to pay for it.

Three, it must be borne in mind that the vast amount of "virus traffic" now
is:

Out of office replies
Automatic responses from undeliverable addresses.
Automatic responses from anti-virus programs.
Real responses by individuals to the preceding three.

With the exception of a dedicated mail "echo" address, people today should
not have any kind of automatic responses to email set up. Recently viruses
have been faking addresses, and in some cases send viruses back to someone
who hadn't even sent it!

Given all these difficulties, a virus scanner would probably create more
problems than it solves.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

According to the book of Acts, Eutychus was the first man to suffer from a
General Protection Fault with Windows.




RE: Using OpenSSL and smartcards with pkcs#11

2004-01-15 Thread John . Airey
> -Original Message-
> From: The Doctor [mailto:[EMAIL PROTECTED]
> Sent: 15 January 2004 05:18
> To: [EMAIL PROTECTED]
> Subject: Re: Using OpenSSL and smartcards with pkcs#11
> 
> 
> On Thu, Jan 15, 2004 at 07:03:22AM +0200, Amira Solomovici wrote:
> > Hi all,
> > 
> > I have been having difficulty in finding a tutorial explaining how to
> > use the openssl application with smartcards, and I hope that someone
> > could help me with the following:
> > 
> > What I am basically trying to do is use a smartcard for logging into
> > my Linux machine.
> > I have openssl ver 0.9.7a installed, and I have implemented a pkcs#11
> > interface to the smartcard.
> > I also installed the OpenSC libraries, but I'm not sure how to use it
> > with openssl and with my pkcs#11 module.
> > 
> > I would be grateful if someone could guide me on how to configure all
> > those tools, and especially how to obtain or generate a
> > certificate/key-pair to use in the login process to the computer.
> > 
> 
> May I recommend that you update to openssl 0.9.7.c as 0.9.7a
> has a security advisory.  Also, something like http://www.apache-ssl.org
> might be of help.
> 
This depends on what you are running. If you are running Red Hat 9, for
example, it says the version is 0.9.7a, and "rpm -q openssl" gives
openssl-0.9.7a-20. However, this version does have the security updates.
"rpm -q --changelog openssl | more" shows that the security fixes were added
on Sep 23 2003.

Before suggesting they upgrade, find out what version of Linux they are
running please. Otherwise they may come back with more problems than what
they started with.

Thank you.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.



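The changelog check described in the reply above, as an added example that is not part of the original thread: it reads `rpm -q --changelog` output and reports the release in which each advisory was fixed, rather than trusting the upstream version string. The changelog text and the ADVISORY-0000-xxxx identifiers are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: with backported fixes the version string
# (0.9.7a) says nothing about patch level, so ask the package changelog instead.

# Constructed stand-in for `rpm -q --changelog openssl` output. The advisory
# identifiers are placeholders, not real advisory numbers.
sample_changelog() {
cat <<'EOF'
* Tue Sep 23 2003 Example Packager <packager@example.invalid> 0.9.7a-20
- add security fixes for ADVISORY-0000-0001, ADVISORY-0000-0002

* Mon Mar 10 2003 Example Packager <packager@example.invalid> 0.9.7a-5
- rebuild

EOF
}

# usage: fix_entry ADVISORY-ID < changelog
# Prints "<release> <date>" of the changelog entry that mentions the advisory.
# Returns 1 if no entry mentions it.
fix_entry() {
    awk -v id="$1" '
        /^\* / { date = $2 " " $3 " " $4 " " $5; rel = $NF }   # entry header
        rel != "" && index($0, id) { print rel " " date; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# usage: audit_backports CHANGELOG_TEXT ADVISORY-ID...
# Reports every advisory; the return value is the number with no entry.
audit_backports() {
    log=$1; shift
    missing=0
    for id in "$@"; do
        if hit=$(printf '%s\n' "$log" | fix_entry "$id"); then
            echo "$id: fixed in ${hit%% *} (${hit#* })"
        else
            echo "$id: no changelog entry, treat as unpatched"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demo on the constructed changelog: one advisory present, one absent.
audit_backports "$(sample_changelog)" ADVISORY-0000-0001 ADVISORY-0000-0099 \
    || echo "at least one advisory has no backport entry"
```

On a real system, pipe `rpm -q --changelog openssl` into `fix_entry` with the advisory identifier in question.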


RE: OpenSSL file destinations

2004-01-14 Thread John . Airey
I'm not sure why you'd want to run the query against a package that isn't
installed (that's what the p option does). Surely he wants to check it is
installed, then use "rpm -ql openssl |more" to see where the files are now?

One reason to check whether your distro has openssl already installed is so
that you don't have issues where your programs are executing the wrong
version. It's surprising how many times that happens.

You might also find that the distro version is sufficient for your needs
too, especially now the engine code is included. (I remembered that time...)

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.


> -Original Message-
> From: Obermeier Markus ICM MP PD TS
> [mailto:[EMAIL PROTECTED]
> Sent: 13 January 2004 16:35
> To: '[EMAIL PROTECTED]'
> Subject: RE: OpenSSL file destinations
> 
> 
> Dear John,
> 
> best way to find out is to do a `rpm -qlp openssl-xyz.rpm` where openssl-xyz
> is the rpm-file from a distribution's pre-installed openssl library archive.
> Then you have to do a bit of manual work to figure out how to use the
> options of the ./configure-command of the tarball. In some cases you will
> find out from the rpm command above that you have to adjust/create the
> library version links e.g. libssl.so.x.y as well.
> 
> I did this for the SuSE 8.1/8.2 distributions.
> 
> Rgds,
> Markus
> 
> -Original Message-
> From: Boyle Owen [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 13 January 2004 15:30
> To: [EMAIL PROTECTED]
> Subject: RE: OpenSSL file destinations
> 
> 
> > -Original Message-
> > From: John S. Wolter [mailto:[EMAIL PROTECTED]
> > 
> > I am wondering if there is a document that describes where the files of
> > OpenSSL should normally be placed?
> 
> Look in the INSTALL file. The default location for Unix is
> /usr/local/openssl, but you can put it anywhere you like. NB - openssl
> is a library of functions, not a single binary.
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> > 
> > 
> > -- 
> >  Wolter Works - Always Innovating -
> > - Industry and Commerce Internet Invention
> > - Internet Marketing Product Concepts & Implementation
> > 
> > mailto:[EMAIL PROTECTED]
> > 
> > John Wolter, President
> > 1531 Jones Drive
> > Ann Arbor, MI 48105-1871 USA
> > 1-734-665-1263
> > 
> > Copyright 2003 John S. Wolter
> >   
> > Neither this information block, the typed name of the sender,
> > nor anything else in this message is intended to constitute an
> > electronic signature unless a specific statement to the contrary
> > is included in this message.

RE: OpenSSL file destinations

2004-01-13 Thread John . Airey
> -Original Message-
> From: John S. Wolter [mailto:[EMAIL PROTECTED]
> Sent: 13 January 2004 14:19
> To: [EMAIL PROTECTED]
> Subject: OpenSSL file destinations
> 
> 
> I've downloaded the latest OpenSSL and I'm going to target an already
> installed SUSE 8.1 for testing and then build a 9.0 system.  I've
> noticed that the tarballs are not targeted to distributions.  SUSE's
> distribution does include an rpm file but the only way to know where to
> place files is to do an rpm query.  That does not appear to be an efficient
> route for the installed result.
> 
> I am wondering if there is a document that describes where the files of
> OpenSSL should normally be placed?
> 
> 
> -- 
I would guess (without having a copy of Suse to hand) that their RPM is
already installed.

Try 

rpm -q openssl

To see if it is. If it is then try

rpm -e openssl --test

You'll probably see a list of packages that depend on it. If you don't, then
you are free to stick with the defaults. If you do, then follow the build
instructions in the openssl FAQ that refer to Red Hat.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.



RE: un-tar'ing not working for me

2004-01-13 Thread John . Airey
-Original Message-
From: John S. Wolter [mailto:[EMAIL PROTECTED]
Sent: 13 January 2004 13:40
To: [EMAIL PROTECTED]
Subject: un-tar'ing not working for me

[snip]

>What obvious error am I making using tar?

It's a gzipped tar file. I would use this to extract the contents:

tar -zxvf openssl-0.9.7c.tar.gz.tar

To be really sure, use this first:

tar -ztvf openssl-0.9.7c.tar.gz.tar

To ensure there are no errors with the tar file.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Even if you win the rat race, that will still only make you a rat.



RE: Sign PIX certificate using OpenSSL CA

2003-12-16 Thread John . Airey
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 16 December 2003 14:34
> To: [EMAIL PROTECTED]
> Subject: Sign PIX certificate using OpenSSL CA
> 
> 
> I would like to sign a certificate created by pix firewall using OpenSSL
> CA server.
> My current set up is: the OpenSSL CA server is 
> 
> Network 1-- Router -- PIX Firewall 
>  Network 2 
> (CA server)   VPN tunnel
> 
> I have established VPN tunnel between router and pix firewall using
> preshared secret, but I would like to use the certificate signed by
> OpenSSL CA.
> 
> How can I sign the pix certificate? Also, how can I download the CA
> certificate to PIX firewall?
> Thank you. Your advice is appreciated.
> 
> Sanborne
> 
I'm assuming you mean a Pix Firewall version 6.3.x. I don't think there is a
way to get a certificate onto a Pix, as the "ca" commands can only create
certificates. Have a look at the version 6.3 command reference at
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

If you do find a way, I'd love to know!

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

There is more historical evidence for the existence of Jesus Christ than for
either Henry VIII or Julius Caesar.



RE: Signing a CSR from JetDirect

2003-07-25 Thread John . Airey
> -Original Message-
> From: Bob DeBolt [mailto:[EMAIL PROTECTED]
> Sent: 14 July 2003 18:35
> To: [EMAIL PROTECTED]
> Subject: RE: Signing a CSR from JetDirect
> 
> 
>  
> > It seems to me that it is in the best interest of the major 
> > CAs to not offer wildcard certificates;  that way, they can 
> > charge their outrageous prices for each certificate that you 
> > need, and when you happen to change a hostname, they are 
> > right there at the trough looking for more money.
> >  
> 
> Isn't capitalism wonderful?
> 
> Bob D

There are still CAs that will issue wildcards, but most will want to charge
heavily for them. Add to this the fact that IIS doesn't support them
directly (I know it has a small market share, but it's still second place to
Apache) and Microsoft keep messing up support for them in IE, they can be
more trouble than they are worth. Most of these problems can be overcome
however. I keep meaning to write a book including all this, as I don't think
anyone has yet. Maybe this year I will...

Getting back to the poster's original point, is it at all possible that the
JetDirect won't accept a certificate that is over one or two years from
expiry?

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

After over 144 years, there's still no fossil evidence of Evolution.

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 


RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

2003-06-16 Thread John . Airey
Sorry for my delay in replying. It shouldn't affect SSH as that didn't come
with Red Hat 6.2. It's a while since I used 6.2, but at the time I
downloaded an RPM from a Dutch encryption site (which is now long gone).
They used their own security libraries so were independent of openssl.

However, your time might be better spent upgrading to a newer version of
Linux.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution isn't true just because the majority of people think it is.



> -Original Message-
> From: Francisco Javier Martinez Martinez 
> [mailto:[EMAIL PROTECTED]
> Sent: 13 June 2003 14:38
> To: [EMAIL PROTECTED]
> Subject: RE: Upgrading to the lastest version, what happends with my
> Apache-Mod_SSL?
> 
> 
> Thanks for the answer,
> 
> I was wondering whether with the same scenario (Redhat 6.2) this upgrade
> could affect other services installed like SSH or not? And if yes, is it
> necessary to update them too?
> 
> Thanks and greets.
> At 13:42 13/06/2003 +0100, you wrote:
> >Yes, but check the mod_ssl website http://www.mod_ssl.org and ensure you are
> >compiling the correct mod_ssl against openssl. Since you compile mod_ssl
> >into apache, you will need to recompile both.
> >
> >This is why I prefer RPMS! Even if you customise your version of Apache, you
> >only need to build it once and then you can install it on any number of
> >systems.
> >
> >John
> >
>



RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

2003-06-12 Thread John . Airey
Undoubtedly yes. Redhat 6.2 doesn't come with openssl, although an optional
RPM is available for it, version 0.9.5a-33 (which is up to date as of March
26th this year). 

rpm -q openssl will tell you if this optional package is installed.

However, this version of Linux is no longer supported by Red Hat, so
continue at your own risk.

I believe that you compile openssl as shared to use it with mod_ssl. Others
on the list will surely flame me if I get it wrong. I'd be surprised if you
get it to compile on version 6.2 anyway. I was finding that the glibc
libraries were too far out of date the last time I tried.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution isn't true just because the majority of people think it is.

> -Original Message-
> From: Francisco Javier Martinez Martinez 
> [mailto:[EMAIL PROTECTED]
> Sent: 12 June 2003 14:20
> To: [EMAIL PROTECTED]
> Subject: RE: Upgrading to the lastest version, what happends with my
> Apache-Mod_SSL?
> 
> 
> Sorry for disturbing you, but I was mistaken about the version of Linux;
> my client had a Redhat 6.2. I realized this because there is no
> libssl.so.0.9.6xx in the file system; there is /usr/local/ssl/lib/libssl.a
> instead. This may indicate that the openssl is not built in shared mode?
> The openssl and the apache were compiled, the latter with mod_ssl among
> other modules, using APACI format (configure and make).
> 
> Would you please be so kind as to tell me if I have to recompile the apache
> once the openssl has been compiled?
> 
> Thanks in advance and regards.
> 
> 



RE: Upgrading to the lastest version, what happends with my Apache-Mod_SSL?

2003-06-12 Thread John . Airey
If I had a Euro for each time this question gets asked...

The openssl FAQ details the fact that Red Hat 7.x (onwards) uses backported
versions. That is, if you have installed the Red Hat update to your version
(either manually or using Red Hat Network at rhn.redhat.com) you are
protected from currently known vulnerabilities.

The current supported openssl versions for Red Hat are:

openssl-0.9.6-16 - 7.1
openssl-0.9.6b-32.7 -  7.2, 7.3 
openssl-0.9.6b-33 - 8.0
openssl-0.9.7a-5 - 9.0

Of course, there is nothing to stop you building a separate version in a
different directory. Unless you need to use patent restricted code there'll
be no need.

If you haven't built against one of these versions, you'll either need to
recompile or use the Red Hat supplied mod_ssl package. Whichever you choose
is up to you.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution isn't true just because the majority of people think it is.

> -Original Message-
> From: Francisco Javier Martinez Martinez 
> [mailto:[EMAIL PROTECTED]
> Sent: 12 June 2003 08:01
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Upgrading to the lastest version, what happends with my
> Apache-Mod_SSL?
> 
> 
> Hello.
> 
> I want to upgrade the OpenSSL to the 0.9.6j version to get rid of the two
> last vulnerabilities found in the previous versions of OpenSSL. The system
> is RedHat 7.x running Apache 1.3.27 with mod_ssl, both compiled with APACI
> method (configure, make & make install), and my question is:
> 
> Is it necessary, once I have upgraded the OpenSSL, to recompile my Apache so
> the mod_ssl can be linked to the new libraries of the OpenSSL, or is the
> work done just by upgrading the openssl?
> 
> Thanks in advance. Regards.
> 
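Added example, not part of the original message: one way to check an installed openssl package against the builds listed in the message above instead of against the upstream version number. The function names are hypothetical, the table is copied from the message (so it reflects June 2003), and the comparison is a simplified form of RPM's version ordering (no epochs, no tilde handling).

```shell
#!/bin/sh
# Added example: compare an installed openssl package with the per-release
# builds listed in the 2003-06-12 message. On a real host the second argument
# would come from:  rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl

# Map a Red Hat Linux release to the build listed in the message.
fixed_build_for() {
    case "$1" in
        7.1)     echo "0.9.6-16" ;;
        7.2|7.3) echo "0.9.6b-32.7" ;;
        8.0)     echo "0.9.6b-33" ;;
        9.0)     echo "0.9.7a-5" ;;
        *)       return 1 ;;
    esac
}

# Compare two "version-release" strings; prints -1, 0 or 1.
# Simplified RPM ordering: split into runs of digits or letters, compare
# numerically or lexically, a numeric run outranks an alphabetic one, and
# the version is compared before the release.
evr_cmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, out,    n) {
        n = 0
        while (match(s, /[0-9]+|[A-Za-z]+/)) {
            out[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    function vercmp(x, y,    X, Y, nx, ny, i, xd, yd) {
        nx = segs(x, X); ny = segs(y, Y)
        for (i = 1; i <= nx && i <= ny; i++) {
            xd = (X[i] ~ /^[0-9]/); yd = (Y[i] ~ /^[0-9]/)
            if (xd != yd) return xd ? 1 : -1
            if (xd) {
                if (X[i] + 0 != Y[i] + 0) return (X[i] + 0 > Y[i] + 0) ? 1 : -1
            } else if (X[i] != Y[i]) {
                return ((X[i] "") > (Y[i] "")) ? 1 : -1
            }
        }
        return (nx > ny) - (nx < ny)
    }
    function part(s, which,    p) {
        p = match(s, /-[^-]*$/)          # last hyphen separates the release
        if (!p) return which == "v" ? s : ""
        return which == "v" ? substr(s, 1, p - 1) : substr(s, p + 1)
    }
    BEGIN {
        c = vercmp(part(a, "v"), part(b, "v"))
        if (c == 0) c = vercmp(part(a, "r"), part(b, "r"))
        print c
    }'
}

# $1 = Red Hat release, $2 = installed version-release.
# Exit status: 0 listed build or newer, 1 older, 2 release not in the table.
backport_status() {
    bs_need=$(fixed_build_for "$1") || { echo "unknown-release"; return 2; }
    if [ "$(evr_cmp "$2" "$bs_need")" -ge 0 ]; then
        echo "listed-or-newer"; return 0
    fi
    echo "older-than-listed"; return 1
}

# Constructed sample input (not taken from a real host).
backport_status 7.3 0.9.6b-18 || true
```

The point of comparing the release field is that 0.9.6b-32.7 and an unpatched 0.9.6b build report the same upstream version from "openssl version".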


RE: Minimum RSA Key length ?

2003-06-06 Thread John . Airey
> -Original Message-
> From: Ridge Cook [mailto:[EMAIL PROTECTED]
> Sent: 03 June 2003 03:10
> To: [EMAIL PROTECTED]
> Subject: Re: Minimum RSA Key length ?
> 
> 
> >>>To answer your other question, I don't believe there are any browsers
> >>>that can accept a RSA key > 1024 bits. I did look into this last year
> >>>as I was creating a new SSL key but was advised by the Thawte
> >>>representative that although I could create a certificate with this
> >>>size key, it wouldn't work.
> 
> The Thawte Rep was incorrect.  I have imported and used 
> certificates/RSA v3
> keys of 4096 bit size and higher in Internet Explorer and Mozilla.
> 
Are we at cross-purposes here? I'm referring to server certificates, not
client certificates (about which I am completely clueless as I currently
have no business reason to use them).

Anyway, the proof of the pudding is in the eating. Can you point me to a
secure site that uses a key size >1024 bits? I can't find one for love nor
money.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

What is "real"? How do you define "real"? If you're talking about what you
can feel, what you can smell, what you can taste and see, then "real" is
simply electrical signals interpreted by your brain... (Morpheus, The
Matrix, 1999)



RE: Anyone where to get a signed SSL certificate cheap?

2003-02-14 Thread John . Airey
Try globalsign www.globalsign.com, 175 Euro ($189 or £116.91 in proper
money).

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

A fundamentalist - what you call someone more sure of what they believe than
what you are


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 13 February 2003 21:29
> To: [EMAIL PROTECTED]
> Subject: Re: Anyone where to get a signed SSL certificate cheap?
> 
> 
> Check tucows
> 
> Josef Karthauser <[EMAIL PROTECTED]> wrote ..
> > I need to obtain a certificate to use on my openssl/apache 
> web server,
> > but looking at Verisign and Thawte it appears that they're 
> charging a
> > lot of money ($450) per year for one!  Does anyone know 
> where I can get
> > one cheaper?  Last time I bought I'm sure that they were 
> only $100/yr
> > each.
> > 
> > Joe
> > 
> > p.s. yes, I know that I could self-sign, but this is for an 
> ecommerce
> > system and I'd prefer our customer's customers not to have to ask
> > themselves why the certificate is in our name and not our 
> customer's! :)
> > -- 
> > Josef Karthauser ([EMAIL PROTECTED])  http://www.josef-k.net/
> > FreeBSD (cvs meister, admin and hacker) 
> http://www.uk.FreeBSD.org/
> > Physics Particle Theory (student)   
> http://www.pact.cpes.sussex.ac.uk/
> >  An eclectic mix of fact and theory. 
> =
> 




RE: Anyone where to get a signed SSL certificate cheap?

2003-02-14 Thread John . Airey
You are right about the price Jo. They've hiked their prices a lot (must be
to pay for Mark Shuttleworth's space trip...).

If you are representing a charity you may be able to negotiate a lower
price. We did that last year and received a wildcard certificate at a
discount.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

A fundamentalist - what you call someone more sure of what they believe than
what you are


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 13 February 2003 21:29
> To: [EMAIL PROTECTED]
> Subject: Re: Anyone where to get a signed SSL certificate cheap?
> 
> 
> Check tucows
> 
> Josef Karthauser <[EMAIL PROTECTED]> wrote ..
> > I need to obtain a certificate to use on my openssl/apache 
> web server,
> > but looking at Verisign and Thawte it appears that they're 
> charging a
> > lot of money ($450) per year for one!  Does anyone know 
> where I can get
> > one cheaper?  Last time I bought I'm sure that they were 
> only $100/yr
> > each.
> > 
> > Joe
> > 
> > p.s. yes, I know that I could self-sign, but this is for an 
> ecommerce
> > system and I'd prefer our customer's customers not to have to ask
> > themselves why the certificate is in our name and not our 
> customer's! :)
> > -- 
> > Josef Karthauser ([EMAIL PROTECTED])  http://www.josef-k.net/
> > FreeBSD (cvs meister, admin and hacker) 
> http://www.uk.FreeBSD.org/
> > Physics Particle Theory (student)   
> http://www.pact.cpes.sussex.ac.uk/
> >  An eclectic mix of fact and theory. 
> =
> 




RE: Problems building 0.9.7 on RedHat 7.3

2003-01-20 Thread John . Airey
What are you using to build it with? I've managed to build 0.9.7 fine on
RedHat 7.3 with "./config" and "./config shared"

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

"I know it sounds cocky, but I honestly believe that one day there'll be a
telephone in every Town in America" - Alexander Graham Bell (my paraphrase)


> -Original Message-
> From: Brian Ipsen [mailto:[EMAIL PROTECTED]]
> Sent: 17 January 2003 18:59
> To: [EMAIL PROTECTED]
> Subject: Problems building 0.9.7 on RedHat 7.3
> 
> 
> Hi!
> 
>  I'm trying to compile 0.9.7 on a RedHat 7.3 box, but when I do the make
> test I get:
> 
> NIST curve P-521 -- Generator:
>  x =
> 0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B
> 4D3DBAA14B5E77
> EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
>  y =
> 0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD172
> 73E662C97EE729
> 95EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
> verify group order  ok
> combined multiplication . ok
> 
> cat
> base64
> aes-128-cbc
> aes-128-cbc is an unknown cipher
> options are
> -in  input file
> -out output file
> -pass pass phrase source
> -e encrypt
> -d decrypt
> -a/-base64 base64 encode/decode, depending on encryption flag
> -k key is the next argument
> -kfile key is the first line of the file argument
> -K/-iv key/iv in hex is the next argument
> -[pP]  print the iv/key (then exit if -P)
> -bufsizebuffer size
> -engine e  use engine e, possibly a hardware device.
> Cipher Types
> 
> aes-128-cbc is an unknown cipher
> options are
> -in  input file
> -out output file
> -pass pass phrase source
> -e encrypt
> -d decrypt
> -a/-base64 base64 encode/decode, depending on encryption flag
> -k key is the next argument
> -kfile key is the first line of the file argument
> -K/-iv key/iv in hex is the next argument
> -[pP]  print the iv/key (then exit if -P)
> -bufsizebuffer size
> -engine e  use engine e, possibly a hardware device.
> Cipher Types
> 
> cmp: EOF on ./p.aes-128-cbc.clear
> 
> 
> Any idea why I get that "aes-128-cbc" error ??
> 
> Regards,
> 
> /Brian
> 



RE: OpenSSL Project Environment Migration on 10-Dec-2002 11:00 am CET

2002-12-12 Thread John . Airey
Can you give us more details about the move, like where, who, and whether it
has bigger bandwidth please Ralf? Sorry for being late in replying, but I've
been unwell.

Thanks.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If you are easily offended, don't read the next line!
It always amazes me how people believe in evolution as if it is a fact when
at the very best it is and always will be a theory.


> -Original Message-
> From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
> Sent: 10 December 2002 09:10
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: OpenSSL Project Environment Migration on 10-Dec-2002 11:00 am
> CET
> 
> 
> The OpenSSL project migrates today (10-Dec-2002, 11:00 am CET) its whole
> project environment to a completely new setup and location. In case of
> any problems after this switch time, please do not hesitate to contact
> me directly and describe the problem in detail. I'll make sure it is
> fixed as quick as possible. Sorry in advance for any inconveniences
> today. Thanks for understanding.
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com



RE: regenerate a host-specific ?

2002-11-15 Thread John . Airey
This is a question for the openssh site, www.openssh.org. However, as I'm
feeling friendly, I'll answer your question.

Indeed, RSA keys are generated by ssh-keygen as a default. These are only of
use for SSH version 1. Version 2 uses DSA keys, so you use "ssh-keygen -t
dsa".

If you don't give a passphrase, you can copy the contents of the id_dsa.pub
to $HOME/.ssh/authorized_keys on the remote server, chmod this file to 600,
chmod the .ssh directory to 700 and then ssh should let you in with this key
from that host rather than via a password.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.



> -Original Message-
> From: rmckee [mailto:rmckeever@;earthlink.net]
> Sent: 15 November 2002 16:38
> To: [EMAIL PROTECTED]
> Subject: regenerate a host-specific ?
> 
> 
> Hello,
> 
> I was wondering how do you regenerate a host-specific RSA key on unix with
> ssh. Do you use ssh-keygen?
> 
> thanks
> Rm
> 
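Added example, not part of the original message: an audit of the permissions the reply above prescribes for key-based login (700 on the .ssh directory, 600 on authorized_keys), extended to private key files, which matter most when the key has no passphrase. The function names are hypothetical and GNU coreutils "stat -c" is assumed.

```shell
#!/bin/sh
# Added example: flag .ssh directories and key files that are accessible to
# group or other, or owned by someone else. Modes 700 and 600, as given in
# the message, pass; anything with group/other bits set is reported.

# $1 = path, $2 = expected owner uid. Prints one OK/BAD line.
check_path() {
    cp_mode=$(stat -c '%a' "$1") || return 1
    cp_uid=$(stat -c '%u' "$1") || return 1
    if [ "$cp_uid" != "$2" ]; then
        echo "BAD  $1 owner uid $cp_uid (expected $2)"
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    if [ $(( 0$cp_mode & 077 )) -ne 0 ]; then
        echo "BAD  $1 mode $cp_mode (group/other access)"
        return 1
    fi
    echo "OK   $1 mode $cp_mode"
}

# $1 = .ssh directory, $2 = owner uid (default: the current user).
# Exit status 0 only if the directory, authorized_keys and every private
# key (id_* without .pub) pass check_path.
audit_ssh_dir() {
    as_dir=$1
    as_uid=${2:-$(id -u)}
    as_rc=0
    [ -d "$as_dir" ] || { echo "BAD  $as_dir is not a directory"; return 1; }
    check_path "$as_dir" "$as_uid" || as_rc=1
    for as_f in "$as_dir"/authorized_keys "$as_dir"/id_*; do
        [ -f "$as_f" ] || continue
        case $as_f in
            *.pub) continue ;;        # public halves may be world-readable
        esac
        check_path "$as_f" "$as_uid" || as_rc=1
    done
    return $as_rc
}

# Constructed demo in a throwaway directory (no real account is touched).
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 755 "$demo/.ssh"
chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh" \
    || echo "fix: chmod 700 .ssh; chmod 600 .ssh/authorized_keys"
rm -rf "$demo"
```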



RE: Building 0.9.6g --RH8.0

2002-11-08 Thread John . Airey
I've managed a build of openssl 0.9.6g on RedHat 8.0 now, much to my
surprise.

First of all, make sure you have these RPMs installed (from the RedHat 8.0
CD 1):

binutils-2.13.90.0.2-2
gcc-3.2-7
glibc-devel-2.2.93-5
glibc-kernheaders-2.4-7.20 (this used to be called kernel-headers pre
version 7.3)

I'm running the latest kernel, 2.4.18-17.8.0.

I used the following as a non root user:

./config shared

to install everything into /usr/local/ssl, including the shared libraries.

"make" and "make test" completed without errors, so I su'ed to root and ran
"make install".

To show that it is installed, I used:

[openssl-0.9.6g]# openssl
OpenSSL> version
OpenSSL 0.9.6b [engine] 9 Jul 2001
OpenSSL> exit
[openssl-0.9.6g]# cd /usr/local/ssl/bin
[bin]# ./
c_rehash  openssl   
[root@becketts bin]# ./openssl 
OpenSSL> version
OpenSSL 0.9.6g 9 Aug 2002
OpenSSL> exit

You'll note that the first version is what comes with RedHat 8.0, the second
version is what goes in /usr/local/ssl. To check I haven't stuffed up the
currently installed version "rpm -V openssl" returns no results, so no files
within the packages have changed. (I really like rpm -V, it helps me to
check whether anything has been tampered with).

I hope that helps.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.


> -Original Message-
> From: Inman, David [mailto:David.Inman@;siemens.com]
> Sent: 31 October 2002 14:37
> To: ([EMAIL PROTECTED])
> Subject: Building 0.9.6g --RH8.0
> 
> 
> I am trying to build openssl-0.9.6g on a RedHat 8.0 system. When I run make
> test everything passes but when I run a make install it does not install the
> binaries into /usr/local/openssl (where I told it with config). I have done
> this several times on RH7.3 without a problem so I was wondering if others
> have had this problem and what the solution might be.
> 
> Thanks,
> 
> David Inman
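Added example, not part of the original message: the side-by-side check shown in the terminal session above, turned into an inventory of every openssl binary on a search path, showing which one a bare "openssl" runs and whether the others report a different version. The function names are hypothetical; the owner column uses "rpm -qf" when rpm is present.

```shell
#!/bin/sh
# Added example: list each executable named openssl in a colon-separated
# search path, in lookup order, with its version line and owning package.

# Prints "<path><TAB><version line>" per binary found.
list_openssl() {
    lo_rest=$1:
    while [ -n "$lo_rest" ]; do
        lo_dir=${lo_rest%%:*}
        lo_rest=${lo_rest#*:}
        lo_bin=${lo_dir:-.}/openssl      # an empty element means the cwd
        if [ -f "$lo_bin" ] && [ -x "$lo_bin" ]; then
            printf '%s\t%s\n' "$lo_bin" "$("$lo_bin" version 2>/dev/null)"
        fi
    done
}

# Which package, if any, owns the file. A binary built from source under
# /usr/local/ssl is expected to be unowned; the distribution's copy is not.
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        oo_pkg=$(rpm -qf "$1" 2>/dev/null </dev/null) \
            && echo "$oo_pkg" || echo "not owned by any package"
    else
        echo "rpm not available"
    fi
}

# $1 = search path. First hit is tagged ACTIVE (what a bare "openssl"
# runs); later hits are SAME or DIFFERS by version line. Prints NONE if
# nothing was found.
report_openssl() {
    ro_tab=$(printf '\t')
    list_openssl "$1" | {
        ro_n=0
        while IFS=$ro_tab read -r ro_bin ro_ver; do
            ro_n=$((ro_n + 1))
            if [ "$ro_n" -eq 1 ]; then
                ro_first=$ro_ver
                ro_tag=ACTIVE
            elif [ "$ro_ver" = "$ro_first" ]; then
                ro_tag=SAME
            else
                ro_tag=DIFFERS
            fi
            printf '%-8s %s  [%s]  owner: %s\n' \
                "$ro_tag" "$ro_bin" "$ro_ver" "$(owner_of "$ro_bin")"
        done
        [ "$ro_n" -gt 0 ] || echo "NONE"
    }
}

# The layout from the message: the packaged binary on PATH plus the
# source build under /usr/local/ssl/bin.
report_openssl "$PATH:/usr/local/ssl/bin"
```

A DIFFERS line means programs and scripts that call "openssl" by name are still using the ACTIVE copy; "rpm -V openssl", as used in the message, then confirms the packaged files were not overwritten by the source install.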



RE: Building 0.9.6g --RH8.0

2002-10-31 Thread John . Airey
Attached is the openssl.spec file for Red Hat 8.0, which is what Red Hat
uses to build their openssl package, presumably with gcc 3.2.

If you can make some sense of it, you'll probably find out how to get
openssl to compile. Ignore the configure options no-idea, no-mdc2 and
no-rc5. These are only there because of US patent restrictions.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute


> -Original Message-
> From: Inman, David [mailto:David.Inman@;siemens.com]
> Sent: 31 October 2002 14:37
> To: ([EMAIL PROTECTED])
> Subject: Building 0.9.6g --RH8.0
> 
> 
> I am trying to build openssl-0.9.6g on a RedHat 8.0 system. When I run make
> test everything passes but when I run a make install it does not install the
> binaries into /usr/local/openssl (where I told it with config). I have done
> this several times on RH7.3 without a problem so I was wondering if others
> have had this problem and what the solution might be.
> 
> Thanks,
> 
> David Inman
  




openssl.spec
Description: Binary data


RE: openssl 9.6g Redhat 7.3 Seg Fault

2002-10-10 Thread John . Airey

> -Original Message-
> From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) 
> [mailto:[EMAIL PROTECTED]]
> Sent: 10 October 2002 14:59
> To: '[EMAIL PROTECTED]'
> Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault
> 
> 
> Hello all,
> 
> all good points, however.
> 
> Redhat is a good linux platform (in my opinion) so I am quite happy to
> accept a fair amount of "rpm".
> However that fact 7.3 put on so much "crap" in rpm I decided to strip down
> and run most things compiled from source so I know where/how they were
> built.
> 
> I understand that using the "--nodeps" option will break the packages that
> depend on the package removed. In fact I am HAPPY to break the packages that
> depend on openssl, as I am chomping at the bit to recompile them !!! as I
> think their RPM packages are rubbish and buggy also.
> [snip]

Link to aforementioned post:

http://www.mail-archive.com/openssl-users@openssl.org/msg28006.html

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute




RE: openssl 9.6g Redhat 7.3 Seg Fault

2002-10-10 Thread John . Airey

> -Original Message-
> From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) 
> [mailto:[EMAIL PROTECTED]]
> Sent: 10 October 2002 14:59
> To: '[EMAIL PROTECTED]'
> Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault
> 
> 
> Hello all,
> 
> all good points, however.
> 
> Redhat is a good linux platform (in my opinion) so I am quite happy to
> accept a fair amount of "rpm".
> However that fact 7.3 put on so much "crap" in rpm I decided to strip down
> and run most things compiled from source so I know where/how they were
> built.
> 
> I understand that using the "--nodeps" option will break the packages that
> depend on the package removed. In fact I am HAPPY to break the packages that
> depend on openssl, as I am chomping at the bit to recompile them !!! as I
> think their RPM packages are rubbish and buggy also.
> [snip]

I should have mentioned that someone did recently post a method to this list
detailing how to remove openssl from Red Hat and build it. A search of the
archives should bring it up.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute




RE: openssl 9.6g Redhat 7.3 Seg Fault

2002-10-10 Thread John . Airey

> -Original Message-
> From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) 
> [mailto:[EMAIL PROTECTED]]
> Sent: 10 October 2002 14:59
> To: '[EMAIL PROTECTED]'
> Subject: RE: openssl 9.6g Redhat 7.3 Seg Fault
> 
> 
> Hello all,
> 
> all good points, however.
> 
> Redhat is a good linux platform (in my opinion) so I am quite happy to
> accept a fair amount of "rpm".
> However that fact 7.3 put on so much "crap" in rpm I decided to strip down
> and run most things compiled from source so I know where/how they were
> built.
> 
> I understand that using the "--nodeps" option will break the packages that
> depend on the package removed. In fact I am HAPPY to break the packages that
> depend on openssl, as I am chomping at the bit to recompile them !!! as I
> think their RPM packages are rubbish and buggy also.
> [snip]

Well, there's a contradiction for you! Red Hat consists of multiple RPM
packages, nothing more, nothing less. So you are saying that the whole is
"good", but that the parts are "crap". 

I've been running Red Hat for years, and in the days before they did bundle
openssl, I had to compile openssl, modssl and apache. After that I found
someone else who had created rpms (ie they did the hard work of getting
these to compile). I still compile Apache as I have a business need to run a
slightly different version, but even then I create an RPM package. 

I'd like to think that someone else would be able to help you further,
although why you should deliberately break a working system knowing full
well what you are doing (as you appear to) and then want help is beyond me.
We have a legal expression in England "you are the author of your own
misfortune"!

If you really want to know how the packages were built, install the source
rpms and go to /usr/src/redhat/SPECS. The individual spec files that build
each package are there. I think you'd find they aren't built that much
differently to how you are building them.

I'm also a big fan of Red Hat Network now as I'm able to see that my systems
are up to date with all the released patches at a glance. I should also add
that I'm not on any commission from Red Hat to say this (sadly ;-) ).

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute




RE: apache and that whole "bugbear" thing

2002-10-09 Thread John . Airey

I think you ([EMAIL PROTECTED]) are confusing "bugbear" with "slapper".
Provided you restarted your web server after the upgrade to 0.9.6g, you
should be OK as far as that is concerned. The restart is necessary to ensure
that no code from the previous version of openssl is still in memory.

Could you give some more details about your other problems please? eg,
version of apache and mod_ssl? You may need to upgrade these. For example,
there is a recent update to apache (1.3.27) that contains several "new"
security fixes.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute


> -Original Message-
> From: B. van Ouwerkerk [mailto:[EMAIL PROTECTED]]
> Sent: 07 October 2002 17:17
> To: [EMAIL PROTECTED]
> Subject: Re: apache and that whole "bugbear" thing
> 
> 
> Uhhh last time I checked bugbear was a virus infecting M$ 
> Lookout users.
> Don't think it runs against Linux.
> 
> 
> At 20:51 5-10-02 -0400, [EMAIL PROTECTED] wrote:
> 
> >Is this the right place to ask questions about the bugbear worm?
> >
> >On a Sun box, we upgraded openssl to 0.9.6g because of the potential
> >for the whole bugbear attack... I realize it's apparently targeted
> >at linux, but better safe than sorry... well, we've started getting
> >hit with what we think may be attacks... they're not getting through,
> >but they cause apache to lock up... it's very strange... the situation
> >seems to happen as follows:
> >
> >We get a couple http requests that return a "400" status... then the
> >server stops serving requests... then EXACTLY (every time) 5 minutes
> >later, to the second, we get a request that gives a 408 error from
> >the same IP, then apache needs to be restarted before it accepts any
> >further requests...
> >
> >until this morning, there has not been much information in the logs...
> >but this morning, there were some entries in the ssl_engine_log that
> >looked like this:
> >
> >[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)
> >[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)
> >[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
> >[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)
> >[05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
> >[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server XXX.XXX.com:443, client 66.46.213.130)
> >[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
> >
> >66.46.213.130 was the ip address that gave the 400's and 408 this
> >time around (different IP each time)...
> >
> >If this is not the best place to ask about this, please point me in
> >the right direction... I'm starting to sweat with my boss breathing
> >down my neck... this is a 24/7 production server, running critical
> >web applications that internal and external customers access
> >constantly... so any help towards an answer would be greatly
> >appreciated...
> >
> >Thanks.
> >Dan.
> >
> >
> 
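
Added example, not part of the thread: a triage sketch for the ssl_engine_log excerpt quoted above. It pairs each `GET_CLIENT_MASTER_KEY:key arg too long` error with the client named on the preceding `SSL handshake failed` line from the same child, then counts rejections per address. The function names, the reading of the number after the timestamp as the child's process ID, and the five entries marked constructed (documentation range 192.0.2.0/24) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): count "key arg too long" rejections
# per client in a mod_ssl ssl_engine_log.

# sample_log: the seven entries quoted in the post (wrapped lines rejoined),
# followed by five CONSTRUCTED entries (03:10 onwards) in which two children
# log their failures interleaved.
sample_log() {
    cat <<'EOF'
[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)
[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)
[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)
[05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server XXX.XXX.com:443, client 66.46.213.130)
[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
[05/Oct/2002 03:10:07 00970] [error] SSL handshake timed out (client 192.0.2.10, server XXX.XXX.com:443)
[05/Oct/2002 03:12:30 00971] [error] SSL handshake failed (server XXX.XXX.com:443, client 192.0.2.77) (OpenSSL library error follows)
[05/Oct/2002 03:12:30 00969] [error] SSL handshake failed (server XXX.XXX.com:443, client 66.46.213.130) (OpenSSL library error follows)
[05/Oct/2002 03:12:30 00971] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[05/Oct/2002 03:12:30 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
EOF
}

# key_arg_rejections: reads a log on stdin and prints "<count> <client-ip>"
# lines, busiest client first.
key_arg_rejections() {
    awk '
    {
        # Assumption: the third field, e.g. "00969]", is the child PID.
        pid = $3
        sub(/\]$/, "", pid)
    }
    /SSL handshake failed/ {
        # Remember which client this child was serving when it failed.
        if (match($0, /client [0-9.]+/))
            client[pid] = substr($0, RSTART + 7, RLENGTH - 7)
        next
    }
    /GET_CLIENT_MASTER_KEY:key arg too long/ {
        # The error line carries no address; take it from the same child.
        ip = (pid in client) ? client[pid] : "unknown"
        hits[ip]++
        delete client[pid]
    }
    END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Demonstration on the embedded sample.
sample_log | key_arg_rejections
```

Run it against a live log with `key_arg_rejections < ssl_engine_log`; each counted entry is a handshake the server refused.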


RE: Validity period of certificates

2002-09-27 Thread John . Airey

In addition, that was your key and certificate that you sent, not just . So
I'd hope you have a pass-phrase on your key or the key and certificate that
you sent aren't ones that you intend to use.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute

> -Original Message-
> From: Jose Correia (J) [mailto:[EMAIL PROTECTED]]
> Sent: 27 September 2002 13:50
> To: [EMAIL PROTECTED]
> Subject: RE: Validity period of certificates
> 
> 
> Try
> 
> openssl x509 -in thiscert -noout -dates
> 
> do a man x509 for more info.
> 
> Cheers
> Jose
> 
> 
> -Original Message-
> From: Radboud Platvoet [mailto:[EMAIL PROTECTED]]
> Sent: 27 September 2002 14:43
> To: [EMAIL PROTECTED]
> Subject: Validity period of certificates
> 
> 
> Hi everyone,
> 
> I would like to know if there is a way to find out for what period a
> certificate is valid (ie: the start and end date).
> 
> This is the certificate from which I like to determine the validity
> period:
> 




RE: upgrading

2002-09-19 Thread John . Airey

Oops! I made a mistake with part 2.

2. I'm not familiar with that package, but it probably doesn't fix the
recent Linux Slapper worm. Have a look at the package info with "rpm -qip
openssl-0.9.6c-2.i386". If the build date is before 30th July 2002 it won't.
That is the date of release of openssl-0.9.6e, which according to CERT is
the version that will fix it.

I can't get into the openssl site at the moment to check anything else.

Mornings aren't my best time of day...

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Reality TV - the ultimate oxymoron


> -Original Message-
> From: Info [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2002 20:07
> To: [EMAIL PROTECTED]
> Subject: upgrading 
> 
> 
> I am running a redhat 7.2 box with openssl version of openssl-0.9.6b-28. I
> found a package openssl-0.9.6c-2.i386 , rawhide 1.0 for i386. Can I download
> and upgrade the present package with the rpm -Uvh packagename command?
> Will it break the deps?
> 
> thanks
> 



RE: upgrading

2002-09-19 Thread John . Airey

There are two parts to my reply.

1. The rawhide packages aren't officially supported by RedHat and will
probably break your other packages. I've used them before but not where
there have been dependencies.
2. I'm not familiar with that package, but it probably doesn't fix the
recent Linux Slapper worm. Have a look at the package info with "rpm -qip
openssl-0.9.6c-2.i386". If the build date is before the Linux Slapper worm,
it won't.

There should be an update from RedHat soon. I suggest you subscribe to Red
Hat Network if you haven't already done so at http://rhn.redhat.com. A
single machine is free.

In the meantime, you can limit the damage this worm can do by either
removing any compilers from your servers (rpm -e gcc), or "chmod 700
/usr/bin/gcc" to make the gcc program only executable by root. In general it
isn't a good idea to leave compilers on public web servers, but there are
occasions where you might need to.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Reality TV - the ultimate oxymoron


> -Original Message-
> From: Info [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2002 20:07
> To: [EMAIL PROTECTED]
> Subject: upgrading 
> 
> 
> I am running a redhat 7.2 box with openssl version of openssl-0.9.6b-28. I
> found a package openssl-0.9.6c-2.i386 , rawhide 1.0 for i386. Can I download
> and upgrade the present package with the rpm -Uvh packagename command?
> Will it break the deps?
> 
> thanks
> 
> 
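
Added example, not part of the thread: the two checks from the "RE: upgrading" replies above, written as a small audit script. It compares a package's build time with the 30 July 2002 release date given for openssl-0.9.6e, and lists compilers that anyone other than the owner can still execute. The function names and the compiler paths other than /usr/bin/gcc are assumptions; `%{BUILDTIME}` is rpm's query tag for the build time in seconds since the epoch.

```shell
#!/bin/sh
# Added example (not from the thread): pre-fix package check and compiler audit.

# 30 July 2002 00:00:00 UTC, the openssl-0.9.6e release date given in the post.
FIX_EPOCH=1027987200

# predates_fix EPOCH: succeeds if a build time is earlier than the fix release.
predates_fix() {
    [ "$1" -lt "$FIX_EPOCH" ]
}

# package_build_epoch TARGET: prints the build time of an .rpm file, or of an
# installed package name, in seconds since the epoch.
package_build_epoch() {
    if [ -f "$1" ]; then
        rpm -qp --queryformat '%{BUILDTIME}\n' "$1"
    else
        rpm -q --queryformat '%{BUILDTIME}\n' "$1"
    fi
}

# report TARGET: prints a one-line verdict for a package file or name.
report() {
    epoch=$(package_build_epoch "$1") || return 1
    if predates_fix "$epoch"; then
        echo "$1: built before the 0.9.6e release date, cannot contain the fix"
    else
        echo "$1: built on or after the 0.9.6e release date, check its changelog"
    fi
}

# loose_compilers PATH...: prints each existing path that group or others may
# execute, i.e. one that has not been restricted with "chmod 700".
loose_compilers() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # -L follows symlinks so the mode of the real binary is inspected.
        mode=$(ls -ldL "$f" | cut -c1-10)
        case "$mode" in
            ??????[xs]???|?????????[xt]) echo "$f" ;;
        esac
    done
}

# Run the audit only when a package file or name is given on the command line.
if [ "$#" -gt 0 ]; then
    report "$1"
    loose_compilers /usr/bin/gcc /usr/bin/cc /usr/bin/g++
fi
```

A build time after the release date does not by itself show that the fix is present; `rpm -q --changelog` on the package is the place to confirm it.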




RE: Pls. suggest some books on security

2002-09-18 Thread John . Airey

Maximum Linux Security - ISBN 0-672-31670-6 is also very useful. Despite the
title, it covers UNIX based security fairly well.

John

> -Original Message-
> From: Matthew Hannigan [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2002 14:10
> To: [EMAIL PROTECTED]
> Subject: Re: Pls. suggest some books on security
> 
> 
> A little more practical and appropriate to this list:
> 
> Network Security with OpenSSL
> http://safari.oreilly.com/main.asp?bookname=openssl
> 
> Matt
> 
> v.p.r.n.saibabu v.p.r.n.saibabu wrote:
> > Hi Vaidya,
> > 
> > SSL and TLS by Eric Rescorla
> > SSL and TLS Essentials by Stephen Thomas
> > 
> > are two good books.
> 



RE: RH 7.3 hosed up

2002-09-18 Thread John . Airey

Just in case you've got the wrong end of the stick, I'm not suggesting that
you shouldn't compile stuff yourself rather than use pre-packaged software.
I'm simply saying that there may be more broken by forcibly removing
packages that have dependencies than is at first realised. Personally I'd
never forcibly install or remove packages without good reason.

The section of the FAQ I referred to has instructions of how to compile
openssl without breaking the rest of your installation. And that's my last
word on the subject.

John


> -Original Message-
> From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2002 12:00
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: RH 7.3 hosed up
> 
> 
> Sigh
> 
> No, I haven't read the FAQ recently (maybe 5y ago). And Yes, RedHat will
> complain if you remove the RPM. That's why I have been fumbling the symlinks,
> see? I have compiled SSH & Stunnel from the source tarball. And dontcha
> worry, everything works just dandy.
> 
> I mean, I didn't power away from the Microsoft Deathstar to get back to being
> forced to use prepacked things only.
> 
> Further discussions of this will be off list.
> 
> Best regards,
> 
>   -- David Tonhofer
>   m-plify.com
> 
> --On Wednesday, September 18, 2002 11:13 AM +0100 
> [EMAIL PROTECTED] 
> wrote:
> 
> > On my desktop, removing openssl would break these packages:
> >
> > openssl is needed by libpcap-0.6.2-11.7.2.0
> > libcrypto.so.2   is needed by bind-utils-9.2.1-1.7x.2
> > libcrypto.so.2   is needed by curl-7.8-1
> > libcrypto.so.2   is needed by libesmtp-0.8.4-2
> > libcrypto.so.2   is needed by wget-1.7-3
> > libcrypto.so.2   is needed by cyrus-sasl-md5-1.5.24-23
> > libcrypto.so.2   is needed by links-0.96-2
> > libcrypto.so.2   is needed by autofs-3.1.7-21
> > libcrypto.so.2   is needed by nss_ldap-189-2
> > libcrypto.so.2   is needed by pine-4.44-1.72.0
> > libcrypto.so.2   is needed by sendmail-8.11.6-3
> > libcrypto.so.2   is needed by fetchmail-5.9.0-11
> > libcrypto.so.2   is needed by mutt-1.2.5.1-1
> > libcrypto.so.2   is needed by stunnel-3.22-1
> > libcrypto.so.2   is needed by gq-0.4.0-3
> > libcrypto.so.2   is needed by openssh-3.1p1-6
> > libcrypto.so.2   is needed by openssh-clients-3.1p1-6
> > libcrypto.so.2   is needed by openssh-server-3.1p1-6
> > libcrypto.so.2   is needed by pidentd-3.0.14-1
> > libcrypto.so.2   is needed by xchat-1.8.9-1.72.0
> > libcrypto.so.2   is needed by licq-1.0.3-7
> > libcrypto.so.2   is needed by ucd-snmp-4.2.5-7.72.0
> > libcrypto.so.2   is needed by balsa-1.2.3-1
> > libssl.so.2   is needed by curl-7.8-1
> > libssl.so.2   is needed by wget-1.7-3
> > libssl.so.2   is needed by links-0.96-2
> > libssl.so.2   is needed by autofs-3.1.7-21
> > libssl.so.2   is needed by nss_ldap-189-2
> > libssl.so.2   is needed by pine-4.44-1.72.0
> > libssl.so.2   is needed by sendmail-8.11.6-3
> > libssl.so.2   is needed by fetchmail-5.9.0-11
> > libssl.so.2   is needed by mutt-1.2.5.1-1
> > libssl.so.2   is needed by stunnel-3.22-1
> > libssl.so.2   is needed by gq-0.4.0-3
> > libssl.so.2   is needed by xchat-1.8.9-1.72.0
> > libssl.so.2   is needed by licq-1.0.3-7
> > libssl.so.2   is needed by balsa-1.2.3-1
> >
> > The last few are of course repeated. It might work now, but the sshd
> > daemon won't restart. Neither will the auto-mounter or most of the email
> > clients for your system (elm being the one exception here).
> >
> > Have you read the FAQ?
> >
> > John
> > 
> 




RE: RH 7.3 hosed up

2002-09-18 Thread John . Airey

On my desktop, removing openssl would break these packages:

openssl is needed by libpcap-0.6.2-11.7.2.0
libcrypto.so.2   is needed by bind-utils-9.2.1-1.7x.2
libcrypto.so.2   is needed by curl-7.8-1
libcrypto.so.2   is needed by libesmtp-0.8.4-2
libcrypto.so.2   is needed by wget-1.7-3
libcrypto.so.2   is needed by cyrus-sasl-md5-1.5.24-23
libcrypto.so.2   is needed by links-0.96-2
libcrypto.so.2   is needed by autofs-3.1.7-21
libcrypto.so.2   is needed by nss_ldap-189-2
libcrypto.so.2   is needed by pine-4.44-1.72.0
libcrypto.so.2   is needed by sendmail-8.11.6-3
libcrypto.so.2   is needed by fetchmail-5.9.0-11
libcrypto.so.2   is needed by mutt-1.2.5.1-1
libcrypto.so.2   is needed by stunnel-3.22-1
libcrypto.so.2   is needed by gq-0.4.0-3
libcrypto.so.2   is needed by openssh-3.1p1-6
libcrypto.so.2   is needed by openssh-clients-3.1p1-6
libcrypto.so.2   is needed by openssh-server-3.1p1-6
libcrypto.so.2   is needed by pidentd-3.0.14-1
libcrypto.so.2   is needed by xchat-1.8.9-1.72.0
libcrypto.so.2   is needed by licq-1.0.3-7
libcrypto.so.2   is needed by ucd-snmp-4.2.5-7.72.0
libcrypto.so.2   is needed by balsa-1.2.3-1
libssl.so.2   is needed by curl-7.8-1
libssl.so.2   is needed by wget-1.7-3
libssl.so.2   is needed by links-0.96-2
libssl.so.2   is needed by autofs-3.1.7-21
libssl.so.2   is needed by nss_ldap-189-2
libssl.so.2   is needed by pine-4.44-1.72.0
libssl.so.2   is needed by sendmail-8.11.6-3
libssl.so.2   is needed by fetchmail-5.9.0-11
libssl.so.2   is needed by mutt-1.2.5.1-1
libssl.so.2   is needed by stunnel-3.22-1
libssl.so.2   is needed by gq-0.4.0-3
libssl.so.2   is needed by xchat-1.8.9-1.72.0
libssl.so.2   is needed by licq-1.0.3-7
libssl.so.2   is needed by balsa-1.2.3-1

The last few are of course repeated. It might work now, but the sshd daemon
won't restart. Neither will the auto-mounter or most of the email clients
for your system (elm being the one exception here). 

Have you read the FAQ?

John

> -Original Message-
> From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2002 09:55
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: RH 7.3 hosed up
> 
> 
> Haven't had a single problem. Maybe I know what I'm doing? ;-)
> And sendmail is a no-no aaanyway...
> 
> --On Wednesday, September 18, 2002 9:10 AM +0100 
> [EMAIL PROTECTED] 
> wrote:
> 
> > Of course, you are overlooking the fact that many packages depend on the
> > existence of openssl on Red Hat 7.0 and above such as ssh and sendmail. So
> > if you want to forcibly remove the package and break your system, go right
> > ahead.
> >
> > Otherwise, follow the directions in the openssl FAQ:
> > http://www.openssl.org/support/faq.cgi#BUILD8
> >
> > -
> > John Airey, BSc (Jt Hons), CNA, RHCE
> > Internet systems support officer, ITCSD, Royal National 
> Institute of the
> > Blind,
> > Bakewell Road, Peterborough PE2 6XU,
> > Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 
> [EMAIL PROTECTED]
> >
> > Reality TV - the ultimate oxymoron
> >
> >
> >> -Original Message-
> >> From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
> >> Sent: 17 September 2002 15:40
> >> To: [EMAIL PROTECTED]
> >> Cc: [EMAIL PROTECTED]
> >> Subject: Re: RH 7.3 hosed up
> >>
> >>
> >> The attached doc may be of use. My notes on installing
> >> openssl on RH7.3:
> >> remove RPM, then go for a tarball. Of course it's
> >> stream-of-consciousness,
> >> but even so
> >>
> >> Good luck,
> >>
> >>-- David Tonhofer
> >>m-plify S.A.
> >>
> >>
> >> P.S. It's called a 'howtoon' because 'toon' is my nickname.
> >>
> >>
> >> --On Tuesday, September 17, 2002 9:31 AM -0500
> >> [EMAIL PROTECTED]
> >> wrote:
> >>
> >> > Howdy all.  I just attempted to upgrade OpenSSL on a RH 7.3
> >> box (1st of
> >> > about 7 7.3 and 7.2 boxes) and I thoroughly hosed the install up.
> >> > Everything that relied on libcrypto or libssl is KIA.  I've
> >> never had any
> >> > luck with compiling and installing OpenSSL for some reason.
> >>  I usually
> >> > stick with the RPMS for OpenSSL.  I use ApacheToolbox and
> >> also let it
> >>

RE: RH 7.3 hosed up

2002-09-18 Thread John . Airey

Of course, you are overlooking the fact that many packages depend on the
existence of openssl on Red Hat 7.0 and above such as ssh and sendmail. So
if you want to forcibly remove the package and break your system, go right
ahead. 

Otherwise, follow the directions in the openssl FAQ:
http://www.openssl.org/support/faq.cgi#BUILD8

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Reality TV - the ultimate oxymoron


> -Original Message-
> From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
> Sent: 17 September 2002 15:40
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: RH 7.3 hosed up
> 
> 
> The attached doc may be of use. My notes on installing openssl on RH7.3:
> remove RPM, then go for a tarball. Of course it's stream-of-consciousness,
> but even so
> 
> Good luck,
> 
>   -- David Tonhofer
>   m-plify S.A.
> 
> 
> P.S. It's called a 'howtoon' because 'toon' is my nickname.
> 
> 
> --On Tuesday, September 17, 2002 9:31 AM -0500 
> [EMAIL PROTECTED] 
> wrote:
> 
> > Howdy all.  I just attempted to upgrade OpenSSL on a RH 7.3 box (1st of
> > about 7 7.3 and 7.2 boxes) and I thoroughly hosed the install up.
> > Everything that relied on libcrypto or libssl is KIA.  I've never had any
> > luck with compiling and installing OpenSSL for some reason.  I usually
> > stick with the RPMS for OpenSSL.  I use ApacheToolbox and also let it
> > compile it there (and install again).  After removing the RPMS I
> > downloaded 0.9.6g, configured with --prefix=/usr/local, compiled and
> > installed.  I did a little searching in the archives but I'm in a
> > hurry and didn't find much.  Any pointers or tips would be greatly
> > appreciated.  If anyone has a spec file for OpenSSL (and some instructions
> > for building an RPM because I've never done it--always either work with
> > straight source or a prebuilt RPM) I'd gladly take it.  Many thanks
> >
> > Justin
> >


- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: FIPS-140 certification

2002-07-25 Thread John . Airey

Indeed. In the UK there was recently an issue of the security of
cash-machines because of a bug in the implementation of a similarly
certified protocol. It meant that you could potentially get card details by
sniffing what went down the telephone lines. I haven't heard whether this
has been resolved or not. 

Of course, taking this to extremes many government agencies should therefore
disconnect from the Internet. I think it's an issue that will keep cropping
up until governments realise that security is something that you aim for,
and not necessarily guaranteed by any particular certificate.

John



> -Original Message-
> From: Andrew T. Finnell [mailto:[EMAIL PROTECTED]]
> Sent: 25 July 2002 15:12
> To: [EMAIL PROTECTED]
> Subject: RE: FIPS-140 certification
> 
> 
> John,
>   
>   Sometimes that is not up to the developer. You state it like
> someone has a choice of what they use. Most government 
> agencies disallow
> any encryption that isn't FIPS certified. If they had a choice it
> probably wouldn't be a question. :)
> 
> - 
> Andrew T. Finnell
> Active Solutions L.L.C
> [EMAIL PROTECTED] 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED]] On Behalf Of 
> > [EMAIL PROTECTED]
> > Sent: Thursday, July 25, 2002 10:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: FIPS-140 certification
> > 
> > 
> > Just to add my thoughts to the cooking pot, FIPS-140 probably 
> > isn't worth a string of beans. The actual encryption 
> > protocols used in openssl haven't changed in a long time, for 
> > example 3DES encryption is still 3DES encryption. Granted, 
> > newer ones have been added (rijndael for example), but on 
> > the whole protocols remain static.
> > 
> > So if someone had obtained FIPS-140 certification for openssl 
> > 0.9.6d (for
> > example) and a security bug was subsequently found in that 
> > software version, the fix for the bug would invalidate the 
> > certification.
> > 
> > Which all boils down to a question of choice, do you prefer a 
> > certificate that says your software is safe even if it isn't 
> > to uncertified software which is worked on constantly to 
> > ensure it is as safe as possible? I know which I would choose.
> > 
> > 
> > - 
> > John Airey
> > Internet systems support officer, ITCSD, Royal National 
> > Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
> > Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 
> > [EMAIL PROTECTED] 
> > 
> > Is the statement 'There is no such thing as truth'  true?
> > 
> > 
> > > -Original Message-
> > > From: Ed Moyle [mailto:[EMAIL PROTECTED]]
> > > Sent: 25 July 2002 14:47
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: FIPS-140 certification
> > > 
> > > 
> > > On Wednesday, July 24, 2002 23:14, Bil Kleb wrote:
> > > 
> > > Bil,
> > > 
> > > > This may be a blasphemous question due to U.S. patent 
> issues, but 
> > > > has anyone figured out if Open-SSL is FIPS-140 certified/ 
> > > > certifiable?
> > > 
> > >   You and I are on the same page.  NIST doesn't have a 
> > cert for OpenSSL 
> > > or SSLeay (bummer) and I've asked about this in the past.  
> > The problem 
> > > is the cost of certification as I understand it, plus the 
> "release 
> > > early release often" mantra doesn't lend well to NIST's 
> > perspective of 
> > > "every time you change the crypto, you need to get it recertified."
> > > 
> > >   I've done some of the work of determining if the thing is 
> > > "certifiable" (meaning does it comply to the FIPS 140-2 
> req's) and 
> > > from what I've seen, it seems to, but I haven't finished 
> > this effort.  
> > > I coded up the random # statistical tests that are 
> described in the 
> > > req, and they pass (I'll send this to you if you want it... 
> > just write 
> > > me off-list).  Also, it supports ciphersuites that use only 
> > > NIST-approved algorithms.  This is good news, but, of 
> course, what 
> > > matters is the cert, and there isn't one.
> > > 
> > >   So, I guess the upshot of the deal is that until 
> > somebody certifies 
> > > it, it can't be used for unclassified cryptography (strictly 
> > > speaking).  If you want to go down a d

Submission for the openssl FAQ

2002-07-01 Thread John . Airey

Further to my previous message, I have discovered that the sentence: (They
are /lib/libssl.so.0.9.6b and  /lib/libcrypto.so.0.9.6b with symlinks
/lib/libssl.so.2 and /lib/libcrypto.so.2 respectively)

Should have read:

(eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
/lib/libcrypto.so.2 respectively).

I've also double-checked the patents against the US Patent and Trademark
Office website at http://patft.uspto.gov/netahtml/srchnum.htm, and these
appear to be the correct numbers (I took them from the Red Hat openssl
source packages).

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: OpenSSL, IIS 5.0 and Installing certificate trouble

2002-06-27 Thread John . Airey

There is a way to create certificates with openssl and convert them to
IIS4.0 format. We've  done that here for a number of years. I believe that
you can then copy them from an IIS4 server to an IIS5 server, though I
haven't done it myself. I don't know of anyone who has got the certificates
straight onto IIS5.

Contact me off the list for more details. I have a task for myself to test
keys of greater than 1024 bits before the end of next week. I'll be running
through the whole IIS procedure to do this.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Is the statement 'There is no such thing as truth'  true?


> -Original Message-
> From: Ian Coggins [mailto:[EMAIL PROTECTED]]
> Sent: 19 June 2002 20:06
> To: [EMAIL PROTECTED]
> Subject: OpenSSL, IIS 5.0 and Installing certificate trouble
> 
> 
> Hi,
> 
> I've been through FAQs until they come out of my ears but 
> still don't quite have the answer I need.
> 
> I am simply trying to create a certificate to use on an IIS 
> web server, using openssl on a linux box to create it. 
> 
> The linux installation does not have the CA.pl scripts as far 
> as I can tell (not my box to manage I'm afraid). 
> 
> I have managed to create (or I believe) 
> 
> 1/ root CA certificate. Generated own key and certificate. 
> This created a key/cert file which I managed to combine into 
> a single pfx format. 
> 2/ server certificate signed by root CA; however this is in a 
> pem format.
> 
> 
> I cannot directly import the certificate ( as key manager 
> backup file) under IIS 5.0; 
> 
> I have however successfully loaded the certificates into the 
> MMC -> certificate manager console. The root CA under Trusted 
> roots; the other under Personal. However neither appear in 
> the 'assign existing' certificate dialog box on IIS 5.0
> 
> Where am I going wrong ?
> 
> How do I 
> 
> a) I get IIS 5.0 to import the certificates directly? (can 
> I?) - it always reports an error about "Cannot import key 
> ring backup file".
> 
> b) otherwise install the certificates I created so that I can 
> assign an existing cert to IIS 5.0?
> 
> or 
> 
> c) create a CSR from IIS and sign this using openssl ?
> 
> Thanks
> Ian
> 
> 
> 
> 
> 

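For options (b) and (c) in the question above, an added example (not from the thread or from the OpenSSL project): sign a CSR with your own CA, then bundle the server key, certificate and CA certificate into one PKCS#12 (.pfx) file and confirm that the private key inside it matches the certificate. All names, subjects and the password are constructed; the CSR generated here stands in for one produced by the web server.

```shell
#!/bin/sh
# Added example with constructed names; run in a scratch directory.

# issue_and_bundle DIR PASSWORD
# Creates a throwaway root CA, signs a server CSR with it and writes
# DIR/server.pfx containing the server key, server cert and CA cert.
issue_and_bundle() {
    dir=$1
    mkdir -p "$dir" || return 1

    # Own minimal config, so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

    # 1. Root CA: private key plus self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 2>/dev/null || return 1

    # 2. Server key and CSR (stand-in for a CSR generated on the web server).
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1

    # 3. Sign the CSR with the CA, marking the result as a TLS server certificate.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/ca.cnf" -extensions server_ext \
        -out "$dir/server.crt" -days 30 2>/dev/null || return 1

    # 4. Bundle key + cert + CA cert. The password is passed through the
    #    environment so it does not appear in the process list.
    P12_PASS=$2 openssl pkcs12 -export -inkey "$dir/server.key" \
        -in "$dir/server.crt" -certfile "$dir/ca.crt" -name "www.example.test" \
        -passout env:P12_PASS -out "$dir/server.pfx" 2>/dev/null || return 1
}

# chain_ok DIR: does the server certificate verify against the CA certificate?
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# pfx_key_matches_cert PFX PASSWORD
# Succeeds only if the bundle opens with PASSWORD and the public key derived
# from its private key equals the public key in its certificate.
pfx_key_matches_cert() {
    cert_pub=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage:
#   issue_and_bundle ./demo-pki 'choose-a-password'
#   chain_ok ./demo-pki && pfx_key_matches_cert ./demo-pki/server.pfx 'choose-a-password'
```

OpenSSL 3.x writes PKCS#12 files with newer encryption by default, so an older Windows importer may need the bundle exported with `-legacy`.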



RE: REMOVE

2002-06-06 Thread John . Airey

Can't you read the headers of your email? There should be a line something
like

Received: from mmx.engelschall.com (mmx.engelschall.com [195.27.130.252])
by maggotts.rnib.org.uk (8.11.6/8.11.6) with ESMTP id g56Bp6r03903
for <[EMAIL PROTECTED]>; Thu, 6 Jun 2002 12:51:11 +0100

My email address is on the bottom line. Your mail server name will differ of
course. This header line was generated by sendmail. 

John

> -Original Message-
> From: David Lang [mailto:[EMAIL PROTECTED]]
> Sent: 05 June 2002 21:54
> To: [EMAIL PROTECTED]
> Subject: Re: REMOVE
> 
> 
> doesn't work because to get the old address of the list I 
> need to be able
> to figure out EXACTLY what the address is (capitalizations 
> included) or
> the robot won't match (I've attempted this already)
> 
> if the list manager notices this thread the address I am on as 
> should be a
> variant of
> 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> I've attempted to unsubscribe all four addresses and get a response of
> 'name not subscribed'
> 
> David Lang
> 
>  On Wed, 5 Jun 2002,
> Michal Bachorik wrote:
> 
> > Date: Wed, 5 Jun 2002 12:10:52 +0200
> > From: Michal Bachorik <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: REMOVE
> >
> > :))
> >
> > but there's simple solution .. just join the list again, 
> read instructions
> > how to get off and that's it ..
> >
> > or someone who still has the welcome message could forward 
> it to you ..
> >
> > - Original Message -
> > From: "David Lang" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, June 05, 2002 1:01 AM
> > Subject: RE: REMOVE
> >
> >
> > > seems that way. (as someone who has attempted to get off 
> the list a few
> > > times, but cannot get majordomo to cooperate)
> > >
> > > and no I didn't save the welcome message from when I 
> joined years ago.
> > >
> > > David Lang
> > >
> > > On Tue, 4 Jun 2002, Dilkie, Lee wrote:
> > >
> > > > Date: Tue, 4 Jun 2002 15:01:32 -0400
> > > > From: "Dilkie, Lee" <[EMAIL PROTECTED]>
> > > > Reply-To: [EMAIL PROTECTED]
> > > > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > > > Subject: RE: REMOVE
> > > >
> > > > NO! You are NOT allowed to leave You HAVE to stay.
> > > >
> > > > (sorry to the list members for the noise, but I couldna 
> help maself)
> > > >
> > > > -Original Message-
> > > > From: Sidney Fortes [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, June 04, 2002 2:30 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: REMOVE
> > > >
> > > >
> > > > REMOVE
> > > >
> > > >
> 




RE: Key strength confusion

2002-04-29 Thread John . Airey

A quick search found the reseller for Verisign for the Asia/Pacific region.
Their site describes their SSL certificates as 128bit and 40bit at
http://www.esign.com.au/server/. Worse still, they describe the 40bit
certificate as "standard".

(I do wonder why people just don't buy the cheaper Thawte certificates.
 If they did, Mark Shuttleworth wouldn't be enjoying his trip to the
ISS ).

The global cert costs about twice the standard cert. As for the law in
Australia on cryptography, this seems a reasonable page on International
encryption. http://rechten.kub.nl/koops/cryptolaw/

Finally, their support for servers mentions Apache-SSL with no mention at
all of openssl.

Without a little more information about which browsers are causing trouble,
there's not a lot more we can do.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

The teaching of evolution as a proven fact rather than a theory has done
more harm to scientific progress than anything else in history.




-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: 26 April 2002 16:17
To: [EMAIL PROTECTED]
Subject: Re: Key strength confusion

[snip]
As far as I know, there is in fact no such thing as a 40-bit cert.

There are two kinds of certificates:

(1) Ordinary X.509 certs containing an RSA key of whatever strength
you've chosen.
(2) Certs containing the SGC/Step-Up extensions.

There are three kinds of browsers in the world:
(1) Really old export browsers which will only do 40 bit crypto.
(2) Newer export browsers which will do SGC/Step-Up.
(3) Old domestic browsers or new (post export-control removal)
export browsers which do strong crypto.

So, the interaction matrix between certificates and browsers looks like
this:

                     Cert
Browser              Ordinary        SGC/Step-Up

Old Export           40-bit crypto   40-bit crypto
Newer Export         40-bit crypto   SGC/Step-Up to strong
New Export/Domestic  Strong crypto   Strong crypto

There is no way to tag an X.509 certificate in such a way that
it is 40-bit only.







RE: Key strength confusion

2002-04-26 Thread John . Airey

I don't know much about the restrictions in Australia, but I do know that
we've had a 128bit certificate since 1997. At that time we were running
apache-ssl. So I confess that I've never touched a 40bit certificate.

There are issues with versions of IE5 before 5.01SP2 (which itself is being
dropped by Microsoft at the end of June). There may well be issues with
older versions of Netscape. If you can let me know browser versions or build
numbers I may be able to help you further. I have come across users who were
fixed once they upgraded their version of IE.

If you can let me know the address of the site in question, I can have a
look and see what I can ascertain from that also.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

The teaching of evolution as a proven fact rather than a theory has done
more harm to scientific progress than anything else in history.






RE: smime segfault on redhat 7.2

2002-02-25 Thread John . Airey

As I've said before, RedHat 7.2 comes with openssl anyway, but that doesn't
preclude you from installing from source but you MUST put the newer openssl
binary in a different directory (eg in /usr/local/bin/openssl rather than
the pre-installed /usr/bin/openssl). Although the preinstalled openssl has
files in /lib, these have different filenames from the libraries that are
created with the source compilation (for reasons beyond the scope of your
problem).

On that basis, which openssl are you executing?

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Evolution - A crutch for scientists who can't handle the existence of a
creator. See  "disproven scientific theories" and Romans 1:22.


>-Original Message-
>From: alexandru matei [mailto:[EMAIL PROTECTED]]
>Sent: 21 February 2002 22:33
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: smime segfault on redhat 7.2
>
>
>Hello,
>I compiled latest snaps (all snaps from 2002) on a Redhat 7.2 system.
>Make test finished successfully. But on trying "openssl smime -sign
>-encrypt " command, it segfaults. The rest of commands (as far as I
>tested) are OK.
>Can you give me some advice?
>
>Alex
>




RE: RedHat Linux 7.1 ssh connection refused

2002-01-21 Thread John . Airey

Does "ps -C sshd" give a result on the server you are connecting to? Does
netstat -a on the server you are connecting to show that it is listening on
port 22?

If you telnet to port 22 on the server from your client, do you get a
response?
If you telnet to port 22 on the server from the server (ie telnet localhost
22) does that give a response? If it does, I would imagine that your
firewall configuration on the server disallows connections to port 22 from
remote machines.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)




>-Original Message-
>From: Kevin A. T. Silverstein [mailto:[EMAIL PROTECTED]]
>Sent: 16 January 2002 22:47
>To: [EMAIL PROTECTED]
>Subject: RedHat Linux 7.1 ssh connection refused
>
>
>I am running sshd on a RedHat Linux 7.1 (with the latest upgrades
>for all openssh* rpms) Dell computer, but cannot seem to
>connect to it:
>
>[prompt]$ ssh machine-name.umn.edu
>Secure connection to machine-name.umn.edu refused.
>
>In debug mode:
>[prompt]$ ssh machine-name.umn.edu -v
>OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: Applying options for *
>debug1: Seeding random number generator
>debug1: Rhosts Authentication disabled, originating port will not be
>trusted.
>debug1: restore_uid
>debug1: ssh_connect: getuid 500 geteuid 0 anon 1
>debug1: Connecting to  [] port 22.
>debug1: temporarily_use_uid: 500/500 (e=0)
>debug1: restore_uid
>debug1: temporarily_use_uid: 500/500 (e=0)
>debug1: connect: Connection refused
>debug1: restore_uid
>debug1: Trying again...
>[two more times, then...]
>Secure connection to giverny.umn.edu refused.
>
>The machine I'm trying to connect to seems to be running sshd:
>
>[prompt]$ ps -elf | grep sshd
>140 S root  1354 1  0  69   0-   662 do_sel 14:24 ?   
>00:00:00 
>
>and it can connect to other machines without problems.
>
>Oddly, in /etc/xinetd.d/, there are many services, but ssh is not among
>them.
>
>[prompt]$ cd /etc/xinetd.d; ls
>amanda       daytime      finger  klogin         rexec   telnet
>amandaidx    daytime-udp  gssftp  krb5-telnet    rlogin  tftp
>amidxtape    dbskkd-cdb   imap    kshell         rsh     time
>chargen      echo         imaps   linuxconf-web  rsync   time-udp
>chargen-udp  echo-udp     ipop2   ntalk          swat    wu-ftpd
>comsat       eklogin      ipop3   pop3s          talk
>
>[prompt]$ cat rsh
># default: on
># description: The rshd server is the server for the rcmd(3) routine
>and, \
>#  consequently, for the rsh(1) program.  The server provides \
>#  remote execution facilities with authentication based on \
>#  privileged port numbers from trusted hosts.
>service shell
>{
>   socket_type = stream
>   wait= no
>   user= root
>   log_on_success  += USERID
>   log_on_failure  += USERID
>   server  = /usr/sbin/in.rshd
>   disable = yes
>}
>
>I tried to make a similar entry as root for ssh, using /usr/sbin/sshd
>as the server (since there does not appear to be a /usr/sbin/in.sshd),
>and set disable = no, but that didn't work.
>
>The file /etc/ssh/sshd_config is exactly as in the following version:
>#  $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $
>
>Does anyone know what I'm doing wrong? or what I need to install?
>
>Thanks very much,
>Kevin Silverstein
>
>
>-- 
>Kevin A. T. Silverstein, Ph.D. <[EMAIL PROTECTED]>
>Department of Plant Biology, University of Minnesota
>220 Biological Sciences Center, 1445 Gortner Avenue
>St. Paul, MN 55108  612-624-3057
>


RE: linux/openssl/apache problem solved

2002-01-21 Thread John . Airey

>-Original Message-
>From: Rick Dennis [mailto:[EMAIL PROTECTED]]
>Sent: 16 January 2002 19:27
>To: [EMAIL PROTECTED]
>Subject: linux/openssl/apache problem solved
>
>
>I found my problem.
>
>I was sure I had done everything right, but couldn't get a connection
>using https.
>
>Found out I needed to open port 443 in IPCHAINS.
>
>Voila !!!
>
>Anyone running a semi-standard installation of Linux RedHat 7.1+ will
>have this issue, unless they chose "No Firewall" during the
>installation.
>
>
>Rick Dennis
>Alaska Internetworks

Not entirely correct. If you select normal or high and then customise, you
can "trust" certain interfaces, eg eth0. Whilst this has the effect of
disabling firewalling for that interface, it still allows you to add
firewalling later.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)




RE: ./openssl speed -multi 1000 -engine aep ?

2002-01-14 Thread John . Airey

>-Original Message-
>From: John P. Looney [mailto:[EMAIL PROTECTED]]
>Sent: 14 January 2002 15:56
>To: [EMAIL PROTECTED]
>Subject: Re: ./openssl speed -multi 1000 -engine aep ?
>
>
>On Mon, Jan 14, 2002 at 03:52:18PM -, 
>[EMAIL PROTECTED] mentioned:
>> The openssl-engine versions also support "openssl speed".
>
> But not -multi ? (at least not 0.9.6c - I don't know of any 
>more recent
>ones).
>
>John
I don't know about -multi, or the aep code. Someone on the openssl-dev list
might know what the current situation is. My guess (and that's all it is) is
that the manufacturer may not have released any code or information about
how it works.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)




RE: ./openssl speed -multi 1000 -engine aep ?

2002-01-14 Thread John . Airey

The openssl-engine versions also support "openssl speed".

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)


>-Original Message-
>From: John P. Looney [mailto:[EMAIL PROTECTED]]
>Sent: 14 January 2002 15:36
>To: [EMAIL PROTECTED]
>Subject: ./openssl speed -multi 1000 -engine aep ?
>
>
> It seems that the 0.9.7 snapshots are the only ones that support running
>"openssl speed" concurrently. I was looking to test an AEP card here, and
>the 0.9.7 snapshots don't have AEP acceleration merged yet.
>
> I was wondering - is there a version of 0.9.7 with the AEP engine merged
>into it yet ? Is there likely to be in the future ?
>
>John
>
>-- 
>___
>John Looney Chief Scientist
>a n t e f a c t o t: +353 1 8586004
>www.antefacto.com f: +353 1 8586014
>
>




RE: Why DNS/IP in certificate?

2002-01-14 Thread John . Airey

Personally I would have a second server outside the NAT device that proxies
requests in and out of the server behind the firewall. There seems to me
little point in having a firewall if you allow public access straight
through it!

In that case you can secure the connection between the outside machine and
the client machine without worrying about the firewall.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)


>-Original Message-
>From: Stanley Hopcroft [mailto:[EMAIL PROTECTED]]
>Sent: 14 January 2002 09:36
>To: [EMAIL PROTECTED]
>Subject: Re: Why DNS/IP in certificate?
>
>
>Dear Ladies and Gentlemen,
>
>I am writing to thank you for your comments about this matter and ask
>
>On Thu, Jan 10, 2002 at 09:34:50AM -0500, Neff Robert A wrote:
>> 
>> The client needs to verify who it is connected to.
>> Anyone in the world can present a certificate to
>> establish an ssl connection.  In a nutshell, the
>> checks that need to be made on the client end are:
>>   a. Do you trust the signer of the certificate received
>>   b. Is the CN contained within the cert what you expect
>> 
>
>..snip..
>
>>  Your next task is to ensure that the
>> trusted cert truly came from the site you expected and
>> not www.someothersite.com.  The browser does this step by
>> comparing the CN contained in the cert to the URL address
>> typed into your browser.  Your own app must do so as well...
>> 
>
>is it possible to have an OpenSSL server located behind a Network Address
>Translation device (a NAT device is sometimes part of firewalls, eg
>the Cisco PIX) and still have the client handshake complete without
>error ?
>
>Here is the scenario.
>
>Server has valid certificate signed by root CA for Distinguished Name
>'S'.
>
>DNS responds to an A record request from the client for S, with the
>public interface of the NAT device (PTR query for that address also
>returns S), but the OpenSSL server with that cert has a completely
>different address (because it's been translated)
>
>One might do this because of outsourcing or merger activities that
>result in a new or different firewall.
>
>Presumably the network between the NAT box and the OpenSSL server is
>secure enough to be tolerable.
>
>So :-
>
>1 Will the scenario above work ?
>2 If not, how can it be made to work ? 
>
>Thank you,
>
>Yours sincerely.
>
>-- 
>---
>-
>Stanley Hopcroft  Network 
>Specialist
>---
>-
>
>'...No man is an island, entire of itself; every man is a piece of the
>continent, a part of the main. If a clod be washed away by the sea,
>Europe is the less, as well as if a promontory were, as well as if a
>manor of thy friend's or of thine own were. Any man's death diminishes
>me, because I am involved in mankind; and therefore never send to know
>for whom the bell tolls; it tolls for thee...'
>
>from Meditation 17, J Donne.
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
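
An added example, not part of the original thread: the name check described in the quoted message, applied to the NAT scenario asked about above. The host names, addresses and certificates are constructed, and the certificate dicts follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""The certificate is matched against the name the client asked for,
never against the address the server actually listens on."""
import ipaddress

# Constructed sample certificates (assumptions, not taken from the thread).
CERT_FOR_S = {
    "subject": ((("commonName", "s.example.com"),),),
    "subjectAltName": (("DNS", "s.example.com"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "s.example.com"),),)}
CERT_OTHER_SITE = {
    "subject": ((("commonName", "www.someothersite.com"),),),
    "subjectAltName": (("DNS", "www.someothersite.com"),),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

# Constructed addresses: the NAT device's public side and the real server.
NAT_PUBLIC_IP = "203.0.113.10"
SERVER_PRIVATE_IP = "10.0.0.5"


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, hostname):
    """Case-insensitive match; '*' may only replace the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def names_in_cert(cert):
    """Return (dns_names, ip_names, common_names) found in the certificate."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return dns, ips, cns


def cert_matches(cert, requested):
    """True if the certificate names `requested`, the host or IP the user typed."""
    dns, ips, cns = names_in_cert(cert)
    if _is_ip(requested):
        # An IP literal only matches an IP entry, never a DNS name or the CN.
        want = ipaddress.ip_address(requested)
        return any(_is_ip(v) and ipaddress.ip_address(v) == want for v in ips)
    if dns or ips:
        # When subjectAltName is present the CN is ignored.
        return any(_dns_match(p, requested) for p in dns)
    # CN fallback is the legacy behaviour the thread describes; current
    # clients rely on subjectAltName instead.
    return any(_dns_match(p, requested) for p in cns)


# (label, name the client asked for, address it connected to, cert presented)
SCENARIOS = [
    ("name S through NAT", "s.example.com", NAT_PUBLIC_IP, CERT_FOR_S),
    ("public IP typed directly", NAT_PUBLIC_IP, NAT_PUBLIC_IP, CERT_FOR_S),
    ("wrong site answers", "s.example.com", NAT_PUBLIC_IP, CERT_OTHER_SITE),
    ("legacy CN-only cert", "s.example.com", NAT_PUBLIC_IP, CERT_CN_ONLY),
    ("wildcard cert", "s.example.com", NAT_PUBLIC_IP, CERT_WILDCARD),
]


def run_scenarios():
    """Evaluate every scenario. The connected address and SERVER_PRIVATE_IP
    are carried for documentation only: neither is an input to the check."""
    return {label: cert_matches(cert, requested)
            for label, requested, _connected_ip, cert in SCENARIOS}


if __name__ == "__main__":
    for label, ok in run_scenarios().items():
        print(f"{label:26} -> {'accept' if ok else 'reject'}")
```

In real clients this check belongs to the TLS library (in Python, `ssl.create_default_context()` enables it); the hand-written matcher is here only to make the rule visible.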



RE: I got 4 or more emails identical....

2001-12-20 Thread John . Airey



The exact configuration line in a Pix firewall for "smtp security" is

fixup protocol smtp 25

However, I would doubt this is causing this. There is an old bug with Pix
firewalls that might cause this, but the same version of IOS has more serious
bugs (like being able to send fake TCP RSTs as a DOS attack).

Occasionally I get the same message twice, which can occur if the message is
received OK but the sending server doesn't receive the confirmation. However,
this happens rarely.

The users who've only received one message probably have more queued up
waiting for them somewhere!

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

More people die each day of AIDS than died in the terrorist attacks on
September 11th 2001.


>-Original Message-
>From: Fabro, Loic [mailto:[EMAIL PROTECTED]]
>Sent: 20 December 2001 16:24
>To: '[EMAIL PROTECTED]'; 'Andrew T. Finnell'; [EMAIL PROTECTED];
>'Richard Levitte - VMS Whacker'
>Cc: [EMAIL PROTECTED]
>Subject: RE: I got 4 or more emails identical
>
>Sorry, I do not think I will be able to post to the list (because my
>!@#%@#$ Exchange Admin make every outgoing email an HTML email. :-( ). If my
>message does not make it to the list, could anyone of you forward it? Thanks.
>
>I had this exact same issue before here on my professional email account. I
>looked into the issue and found out that we are using a Cisco firewall
>(PIX?). This firewall has a bug. So if you turn on "SMTP Security" (not sure
>how this is called), there are times where the PIX thinks that the message
>timed out and will try to send it again. (I can take technical explanation
>off-line if needed). I had them turn off this feature until they fix the
>firmware of the PIX. Since then No duplicates! :-) [I used to blame yahoo,
>then I realized that other messages were duplicated as well]
>
>2 cents, Loic.
>
>> -Original Message-
>> From: Boyd Lynn Gerber [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, December 20, 2001 11:17 AM
>> To: [EMAIL PROTECTED]
>> Subject: I got 4 or more emails identical
>>
>> On Thu, 20 Dec 2001, Richard Levitte - VMS Whacker wrote:
>>
>> > OK, I just got tired of these mail replays.  Since this looks like it
>> > comes from some place under rr.com, I'm tossing out all users in that
>> > domain or subdomains thereof..
>> >
>> > If you want to resubscribe, you're most welcome to, *after* you've
>> > removed the replayer.
>> >
>> > --
>> > Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
>> > Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
>> >                    \  SWEDEN   \ or +46-733-72 88 11
>> > Procurator Odiosus Ex Infernis    -- [EMAIL PROTECTED]
>> > Member of the OpenSSL development team: http://www.openssl.org/
>> > Software Engineer, GemPlus: http://www.gemplus.com/
>> >
>> > Unsolicited commercial email is subject to an archival fee of $400.
>> > See  for more info.
>>
>> I hope these stop soon!
>>
>> --
>> Boyd Gerber <[EMAIL PROTECTED]>
>> ZENEZ 3748 Valley Forge Road, Magna Utah  84044






RE: Help needed with getting SSL installed

2001-12-11 Thread John . Airey

>-Original Message-
>From: Doug Poulin [mailto:[EMAIL PROTECTED]]
>Sent: 10 December 2001 22:51
>To: [EMAIL PROTECTED]
>Subject: Help needed with getting SSL installed
>
>
>I have a Redhat Linux 6.2 server running Apache with mod-ssl.  We were
>using SSH and Teraterm for connecting
>to the server remotely.  Unfortunately that proved to be a security
>problem, so we are shopping for a solution.  We
>would like to carry on with Teraterm since we have a large number of
>scripts written for it.  The only other option
>appears to be Teraterm with SSL.  I have downloaded the openssl sources
>and installed them, then I downloaded
>the SSLtelnet sources from ftp.psych.psy.uq.oz.au and attempted to
>compile and install them.  It would appear
>that they haven't been looked at since 1996 and as such no longer
>compile against the most current versions of
>mod_ssl.  I'm running into compile errors, like too few parameters being
>passed, and it appears that mod_ssl has been modified from the time this
>version was released.  Does anyone have a working copy of SSL Telnetd
>for Linux, or know where a current working version of ssltelnet can be
>found.  Any and all help would be appreciated.
>
>Is this the right way to go?  Is anyone working on a SSH2 library for
>Teraterm?
>
>Doug
>
If you look at http://www.openssh.org, you'll see that they have links to
various clients for Windows, such as putty. They also have rpms for RedHat
(although I can't find any for RedHat 6.2. I still have some copies around
myself). You could also consider commercial software such as F-Secure SSH
from Datafellows. We have a number of licenses for  F-Secure SSH and it is
fairly robust.

The maintainer of Teraterm SSH is Robert O'Callahan, contact details are at
http://www-2.cs.cmu.edu/~roc/. He will be able to tell you if anyone is
working on SSH2 support. 

Teraterm SSL's page is at
http://www.infoscience.co.jp/eng/products/ssltterm/index.html,
together with contact details. The change log there indicates the last
change to Teraterm SSL was over three years ago. Not encouraging.

All these pages are linked from the Teraterm Home Page at
http://hp.vector.co.jp/authors/VA002416/teraterm.html.

Also, as it is only a matter of time before Red Hat drop support for version
6.2, you might consider upgrading to 7.2. This comes with openssh built in.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

More people die each day of AIDS than died in the terrorist attacks on
September 11th 2001.




RE: Large File Support

2001-11-28 Thread John . Airey

The best advice is to rebuild the rpm packages so that these options are in
the makefile. You can then upgrade your openssl packages to your new version
without (hopefully) breaking other packages.

Mail me off the list and I'll send you instructions.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


>-Original Message-
>From: Andrew Cornell [mailto:[EMAIL PROTECTED]]
>Sent: 27 November 2001 00:03
>To: openssl-users
>Subject: Large File Support
>
>
>Has anybody compiled openssl with support for large file (>2Gbytes) on
>linux?  I'm running Redhat 7.2 with openssl 0.9.6b.
>
>The standard build doesn't handle files bigger than 2G.  I'm considering
>adding the _FILE_OFFSET_BITS=64 and _LARGEFILE_SOURCE gcc flags into the
>makefile.
>
>Anybody got good advice?
>
>




RE: RPM & Source code version

2001-11-21 Thread John . Airey

>-Original Message-
>From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
>Sent: 20 November 2001 19:42
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: RPM & Source code version
>
>
>From: Eric Daigneault <[EMAIL PROTECTED]>
>
>scouby> At 03:40 PM CN=a2011in.O=acv0111 +, you wrote:
>scouby> RedHat use libcrypto.so.1 (name of the file), but when you install the
>scouby> source, the name of the file is libcrypto.so.0.  Go ask RH why they did
>scouby> that, cause it was stupid !
>
>The reason is probably that RH started producing shared libraries of
>OpenSSL before we had gotten started on it.  So they probably had some
>idea of what scheme they wanted to use and went ahead with it.
>
>The stupid part was probably that they didn't bother talking with us
>(or perhaps they did, but that was before my time as OpenSSL developer
>then).

I think openssl was released for RedHat 6.2 on April 17th this year (see
http://www.redhat.com/support/errata/RHSA-2001-051.html) although this may
have been an update to a previous version. I never touched it, as it wasn't
necessary and the OS didn't require it. Since RedHat 7.0 it's basically been
an essential part of the OS (although I've only tried it on 7.1 and 7.2).

It does look like they didn't consult openssl developers before they
produced their shared libraries, but I don't think they would object to
being contacted now. Any changes could be put into a future edition. 

However, the version they package has a number of changes, eg they remove
certain crypto algorithms that are patented in the US. I had a brief
discussion with one of their staff on this list about making a non-US
package available, but the sticking point with that is how to integrate it
with their "up2date" tool. Unless we have US and non-US versions of RedHat I
think we'll be stuck with that one.

Incidentally, the hack of using a symlink doesn't work for all packages, eg
openssh still doesn't like the existence of different libraries to the
libraries it was compiled against.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]




RE: RPM & Source code version

2001-11-20 Thread John . Airey

>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: 20 November 2001 15:41
>To: [EMAIL PROTECTED]
>Subject: RPM & Source code version
>
>
>Hi Sirs,
>
>I'm running RedHat 7.1 with kernel 2.4.3-12 on my Intel P3 866 system.
>Recently, I just removed the openssl package that came with RedHat 7.1 and I
>installed the source package from the openssl website. After this I was not
>able to use most of my apps (like ssh, dig, nslookup, KDE).
>There is always an error saying libcrypto.so.1 not found. I really need the
>source code version cause sendmail STARTTLS requires it.
>
>Can both type of openssl package work happily on the same machine? If it's
>not possible, is there any way for me to use the source code version without
>affecting my other apps?
>
>sincerely Thanks for your help
>ddl

This gets asked so often it should be in the FAQ! 

Basically, it's best with RedHat 7.x to stick with what you get. If you need
some of the stuff that doesn't come with the RedHat 7.x (certain US patented
code that can be used anywhere outside of the US), drop me a line off the
list. I can then give you instructions on how to rebuild the RPM to include
these.

I've counted up over 20 packages that break if you remove openssl on RedHat
7.x.

Some people have said that they have installed the latest from source over
the RPM, but what they've actually succeeded in doing is corrupting their
RPM database. Any updates released by RedHat cannot now be guaranteed to
work, since it may depend on the version of a file that isn't there any
more.

At the risk of starting a flame war, I prefer managing servers with RPMs.
It's easy enough to find out what is in them, and one RPM install on one
machine is the same on another. (I know that you can create a custom
configuration file and use that to compile and install on every machine, but
frankly all that compiling and copying is a lot more work for multiple
servers. If I build an RPM I do it from source on one machine and install
the same one everywhere).

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: porting openssl to linux kernel

2001-11-02 Thread John . Airey

Even if it were viable to put openssl in the kernel, I personally think that
this would create more problems than it solves. For instance, any bug in the
openssl code could potentially crash the kernel, rather than simply
segfaulting. (I'm typing this in vmware, which has its own kernel modules
and it has taken out my Linux machine several times).

Also, do you really want to reboot or recompile your kernel for every
upgrade to openssl? I've got some machines that have been running for over a
year, so I don't see any benefit there.

As machines are getting faster and faster all the time, the length of time
required for a context switch is also becoming shorter and shorter. If
that's the only reason to do it, it's really not worth it, IMNSHO.

Now if the linux kernel had accessibility built in, eg keyboard control of
voice synthesisers like a dectalk, that would be useful.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

>-Original Message-
>From: Rich Salz [mailto:[EMAIL PROTECTED]]
>Sent: 01 November 2001 01:01
>To: Imran Badr
>Cc: [EMAIL PROTECTED]
>Subject: Re: porting openssl to linux kernel
>
>
>So far the complication has not proven to be worth it to anyone to
>implement.
>
>Go for it.
>   /r$
>-- 
>Zolera Systems, Securing web services (XML, SOAP, Signatures,
>Encryption)
>http://www.zolera.com
>




RE: Two versions of openssl on one system

2001-10-30 Thread John . Airey

Your chances of running KDE2.2 on RedHat 7.0 are approximately zero. My
colleague tried this and he totalled his machine. I've said this so often it
should be in a FAQ, but RedHat 7.0 onwards depends heavily on the openssl
package.

KDE2.2 comes with RedHat 7.2, so it's probably a better option to upgrade to
that. Make sure you have plenty of backups before you start, though.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: 30 October 2001 10:56
>To: [EMAIL PROTECTED]
>Subject: Two versions of openssl on one system
>
>
>Hi,
>
>
>I have Red Hat Linux 7.0 with openssl-0.9.5a-14 as a part of it. Now I want to
>compile and install KDE 2.2, which requires openssl-0.9.6. Is it possible to use
>both versions of openssl and it should be configured? I don't want to remove
>the old version because many packages depend on it.
>
>Thank you,
>Sascha
>
>




RE: Decrypting encrypted e-mail in OE 5

2001-10-16 Thread John . Airey

Specifically, IE5.01SP2 has 128bit support. This is the oldest version of IE
that MS currently supports. A trip to http://windowsupdate.microsoft.com/
will allow you to upgrade to this.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


>-Original Message-
>From: Reiner Buehl [mailto:[EMAIL PROTECTED]]
>Sent: 16 October 2001 11:45
>To: [EMAIL PROTECTED]
>Subject: RE: Decrypting encrypted e-mail in OE 5
>
>
>Can you check if the IE5 installation is High Crypto? If not
>this might be the problem. Try generating a cert with 512 Bit
>in IE6 or upgrade IE5 to High Crypto version if this is the
>cause.
>
>Best regards,
>Reiner.
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Angus Lee
>> Sent: Tuesday, October 16, 2001 11:47 AM
>> To: [EMAIL PROTECTED]
>> Subject: Decrypting encrypted e-mail in OE 5
>>
>>
>> Hi,
>>
>> I've set up my own CA using OpenSSL. I suppose there're no known
>> problems/mistakes in my CA setup. I could use the digital certificates issued
>> by this CA to send secure e-mail and login intranet web sites (in my office)
>> which require client authentication.
>>
>> Now I have two e-mail accounts, suppose one is S and another one is W. S is
>> using IE 5 with SP2 (but the Outlook Express version is 5.5 as reported by the
>> application) while W is using IE 6. Both run on Microsoft Windows 2000 with
>> SP2. S and W exchange their public certificate by sending a signed e-mail to
>> one another. Then both reply with an encrypted e-mail using Outlook Express.
>>
>> W which has IE 6 has no problem decrypting the encrypted e-mail sent by S.
>> S which has IE 5 SP2 could NOT decrypt the encrypted e-mail sent by W.
>>
>> The error message is:
>> Error Decrypting Message
>> You cannot read the message.
>> --
>> 
>> --
>> This might be because:
>> o You may have lost or deleted the Digital ID that the message is encrypted
>> to.
>> o You may have installed the Digital ID that the message is encrypted to on
>> another computer.
>> o The sender may have meant the message for somebody else.
>> o You do not have the necessary security package installed on this computer.
>>
>> I have the same problem on another machine which has IE 5.5 SP2 installed.
>> Could someone please help me?
>>
>> The BIG problem is that both S and W have no problem decrypting e-mail when I
>> use digital certificates issued by Thawte. I guess there may be something
>> wrong with my CA setup. Please also find the openssl.cnf I use for my own CA.
>>
>> Thank you very much.
>>
>> Angus Lee
>>
>> ---
>> Get Your Free Email at http://www.hknetmail.com
>>
>
>




RE: About libssl.so.2 and libcrypto.so.2

2001-10-09 Thread John . Airey

>-Original Message-
>From: Michael H. Warfield [mailto:[EMAIL PROTECTED]]
>Sent: 08 October 2001 22:02
>To: [EMAIL PROTECTED]
>Subject: Re: About libssl.so.2 and libcrypto.so.2
>
>
>On Mon, Oct 08, 2001 at 09:28:52AM +0100, [EMAIL PROTECTED] wrote:
>
>   [...]
>
>> "Rawhide" is not another version of Linux, it is simply the name of a
>> repository for optional updates to the current version of 
>RedHat Linux. Of
>> course, that question is a little off-topic for this list.
>
>   No, it's not optional updates to the current release.  It's
>an alpha thread that you use at your own risk.  It's basically a
>pre-beta rolling release.  It is definitely a good spot to catch up
>on recent kernel releases before they make it to the main updates site.

I know, see my follow up!
>
>> As I have said repeatedly, openssl is included with RedHat 
>7.1. openssh,
>> sendmail and bind all rely on the package being there. This 
>has been the
>> case since RedHat 7.0, and will undoubtedly be the case for 
>7.2. I haven't
>> checked out roswell (aka 7.1.93) yet, as RedHat have locked 
>off the file
>> permissions on their ftp site! 
>
>   Looks like they just did that a couple of days ago.  I 
>had downloaded
>both Beta1 and Beta2 from 
>ftp.redhat.com:/pub/redhat/linux/beta/roswell but
>permissions are now set to deny.  Simultaneous to that, a 7.2 
>directory has
>now appeared as /pub/redhat/linux/7.2 also with access 
>permissions denied.
>Looks like we are on the verge of the 7.2 release and they are 
>prepping the
>site...  :-)  Wheee...
>
I think it's worse than that. It appears (looking at all the other betas)
that they've inadvertently deleted roswell from their site and locked off
the directory so that all the other mirrors that use rsync don't delete
their copy! (They might be running short of disk space, but that would be
odd).

I found this out because the md5 checksum on the roswell iso images doesn't
match the entry in the MD5SUM file, so I tried to download from the master
site.

I'm eagerly awaiting 7.2, not least because I hope to upgrade all our 6.2
machines straight to it, and then be able to put off another upgrade for a
bit longer. I suspect 6.2 support will be dropped very soon anyway.

>> RPM packages contain either pre-built binaries or a source 
>package that will
>> compile in a pre-arranged way (specified in a "spec" file). 
>They are useful
>> for maintaining a common installation on multiple systems, or for
>> administrators who haven't a clue what "make" or "configure" does.
>
>> Anyone who upgrades or changes openssl without using the 
>RedHat updates
>> (details at www.redhat.com/errata/) runs the risk of 
>breaking a lot of code.
>> Also, the version of openssl with RedHat 7.1 is "hobbled" 
>and does not
>> include all the cipher support. I've asked an employee of 
>RedHat who has
>> OK'd the making available of a package that contains all the 
>support for
>> non-US users. I've yet to get round to doing that though.
>
>   Relative to the latest RawHide SRPMS 
>(openssl-0.9.6b-9.src.rpm)...
>
>   1) Replace the openssl-engine-0.9.6b-usa.tar.bz2 source ball
>   with the real thing from the OpenSSL site.  (The source
>   tarball with the RPM has had some things 
>stripped.  That's
>   part of the hobbling.)
>
>   2) Edit the spec file and remove the "-usa" from "Source".
>
>   2) Down in %prep, kill off %{SOURCE1} by commenting it 
>out.  (That's
>   another part of the hobbling).
>
>   3) Remove no-idea, no-rc5, etc on the config line.  
>(Last part of
>   the hobbling.)
>
>   4) Build.  All the RedHat "patches" seem to be 
>compatible with the
>   non-crippled source tarball.
>
>   5) Enjoy.
>
Exactly what I've done already, except I haven't made it available to anyone
yet!


- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


RE: About libssl.so.2 and libcrypto.so.2

2001-10-08 Thread John . Airey

>-Original Message-
>From: Xia Shang [mailto:[EMAIL PROTECTED]]
>Sent: 05 October 2001 13:55
>To: [EMAIL PROTECTED]
>Subject: About libssl.so.2 and libcrypto.so.2
>
>
>Hello,everyone
>I know now that KDE 2.2 is not for Redhat 7.1 but for Roswell, 
>but what is Rawhide? 
>Another version of Redhat Linux?
>I have downloaded "openssl0.9.6b" from www.openssl.org and  
>unpacked it, but I still 
>can't find "libssl.so.2" and "libcrypto.so.2".
>I guess I must install it so that these two files can be 
>created. Am I right?
>Another foolish question:What's the difference between the 
>installations from "*.rpm" 
>package and from "*.tar.gz" package(with "make",
>"install" and so on)?
>Thank you
>
Correction to my previous post, RawHide is indeed another version of Linux,
but it is not supported, might destroy all your data, etc. However, I have
taken packages from it (apache-mod_ssl 1.3.20-2.8.4 for example) and they've
worked for me.

Details are at ftp://ftp.redhat.com/pub/redhat/linux/rawhide/README

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 







RE: About libssl.so.2 and libcrypto.so.2

2001-10-08 Thread John . Airey

>-Original Message-
>From: Xia Shang [mailto:[EMAIL PROTECTED]]
>Sent: 05 October 2001 13:55
>To: [EMAIL PROTECTED]
>Subject: About libssl.so.2 and libcrypto.so.2
>
>
>Hello,everyone
>I know now that KDE 2.2 is not for Redhat 7.1 but for Roswell, 
>but what is Rawhide? 
>Another version of Redhat Linux?
>I have downloaded "openssl0.9.6b" from www.openssl.org and  
>unpacked it, but I still 
>can't find "libssl.so.2" and "libcrypto.so.2".
>I guess I must install it so that these two files can be 
>created. Am I right?
>Another foolish question:What's the difference between the 
>installations from "*.rpm" 
>package and from "*.tar.gz" package(with "make",
>"install" and so on)?
>Thank you
>
"Rawhide" is not another version of Linux, it is simply the name of a
repository for optional updates to the current version of RedHat Linux. Of
course, that question is a little off-topic for this list.

As I have said repeatedly, openssl is included with RedHat 7.1. openssh,
sendmail and bind all rely on the package being there. This has been the
case since RedHat 7.0, and will undoubtedly be the case for 7.2. I haven't
checked out roswell (aka 7.1.93) yet, as RedHat have locked off the file
permissions on their ftp site! 

RPM packages contain either pre-built binaries or a source package that will
compile in a pre-arranged way (specified in a "spec" file). They are useful
for maintaining a common installation on multiple systems, or for
administrators who haven't a clue what "make" or "configure" does.

Anyone who upgrades or changes openssl without using the RedHat updates
(details at www.redhat.com/errata/) runs the risk of breaking a lot of code.
Also, the version of openssl with RedHat 7.1 is "hobbled" and does not
include all the cipher support. I've asked an employee of RedHat who has
OK'd the making available of a package that contains all the support for
non-US users. I've yet to get round to doing that though.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 







RE: Major OpenSSL/mod_ssl install problems.

2001-09-30 Thread John . Airey

Your statement "I'm using RH 7.1" is the critical one for me.

RedHat 7.1 (Which I assume you mean) includes openssl by default. If you
build openssl from source and replace that which comes with it, you will
break about 24 packages, including sendmail (I can send you a list if you
want).

Specifically, Apache 1.3.19 comes with RedHat 7.1, which is probably the
package that owns the httpd.conf file you are looking at.

Try the following to check this:
rpm -q --whatprovides /etc/httpd/conf/httpd.conf

(Although of course it is likely that you've overwritten this file)

I suggest you look at http://www.redhat.com/errata/ and
ftp://ftp.redhat.com/pub/redhat/linux/rawhide for updates to RedHat 7.1 and
the latest packages for Apache and mod_ssl.

You can build from source RPMS, which gives you just as much control over
what you build, although it is more fiddly. I've offered to help with
installing these before on either this list or the mod_ssl list (and
unfortunately I deleted my last offer!)

John


-Original Message-
From: The_polymorph
To: [EMAIL PROTECTED]
Sent: 29/09/01 21:12
Subject: Major OpenSSL/mod_ssl install problems.

Hi all.

 After building OpenSSL 0.9.6b, the latest version of mod_ssl for
apache 1.3.20 and rsaref 2.0 ( all without incident ), I experienced
the following problems:

1). My httpd.conf file has *no* mention of SSL *anywhere* in the
file.

2). After starting apache in SSL mode ( apachectl startssl ), it works
fine but I cannot connect to port 443. The message is connection
refused by server. For the record I am using RH 7.1.

 What might the problem(s) be?

 Thanks,

 -Caitlin.
 






RE: openssl-0.9.6b.tar.gz.asc

2001-09-25 Thread John . Airey

The md5 file contains an md5 checksum of the openssl package.

To verify the package use 

md5sum openssl-0.9.6b.tar.gz

The result of the above should match the md5 file. I'm not so sure about why
you can't add the pgp signature. It makes no difference AFAIK that the
version of the signature is 2.6.3ia.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

>-Original Message-
>From: Victor S. [mailto:[EMAIL PROTECTED]]
>Sent: 25 September 2001 14:21
>To: [EMAIL PROTECTED]
>Subject: openssl-0.9.6b.tar.gz.asc
>
>
>Hello,
>
>I'm having trouble to check openssl package integrity (And I 
>have to do it)
>
>In ftp://ftp.openssl.org/source/ I could find 3 files available:
>openssl-tar.gz
>openssl-tar.gz.md5
>openssl-tar.gz.asc
>
>As far as I know, the asc file should be the public key and I 
>should add to 
>pgp before anything else:
>
>%pgp -ka openssl-0.9.6b.tar.gz.asc
>(And the file is under ~/.pgp/ )
>
>Looking for new keys...
>File '' has signature, but with no text.
>Keyring add error.
>
>What can be wrong? Should the file name be inside the quotes?
>
>I have Pretty Good Privacy(tm) Version 6.5.8 Is this the problem since 
>openssl-0.9.6b.tar.gz.asc is Version: 2.6.3ia
>
>What is the md5 file for?
>
>Thanks,
>Victor
>
>
>_
>Get your FREE download of MSN Explorer at 
http://explorer.msn.com/intl.asp
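
The md5 check described in the reply above, as an added example that is not part of the original thread: it compares a package's MD5 digest with the contents of its .md5 file, accepting a bare digest or the "digest  filename" form that md5sum prints. The files are constructed stand-ins in a temporary directory. A matching checksum only shows the download was not corrupted; the .asc file is a detached PGP signature to be checked against the tarball (for example with `gpg --verify`), which is a separate step from this one.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Exactly 32 hex digits standing alone: matches a bare digest, the
# "digest  filename" form printed by md5sum, and "MD5 (name) = digest".
_MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def file_md5(path, chunk_size=65536):
    """Return the hex MD5 digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_expected_md5(md5_path):
    """Extract the published digest from a .md5 file."""
    with open(md5_path, "r", encoding="ascii", errors="replace") as fh:
        match = _MD5_RE.search(fh.read())
    if match is None:
        raise ValueError("no MD5 digest found in %s" % md5_path)
    return match.group(1).lower()


def verify_md5(package_path, md5_path):
    """Return (matches, expected, actual) for a package and its .md5 file."""
    expected = read_expected_md5(md5_path)
    actual = file_md5(package_path)
    return hmac.compare_digest(expected, actual), expected, actual


def demo():
    """Run the check on constructed files; returns the three outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "openssl-0.9.6b.tar.gz")
        md5_file = pkg + ".md5"
        with open(pkg, "wb") as fh:
            fh.write(b"constructed stand-in for the real tarball\n")

        # Case 1: the .md5 file holds only the digest.
        with open(md5_file, "w") as fh:
            fh.write(file_md5(pkg) + "\n")
        bare_ok = verify_md5(pkg, md5_file)[0]

        # Case 2: the .md5 file uses md5sum's "digest  filename" format.
        with open(md5_file, "w") as fh:
            fh.write("%s  %s\n" % (file_md5(pkg), os.path.basename(pkg)))
        md5sum_ok = verify_md5(pkg, md5_file)[0]

        # Case 3: the package changes after the digest was published.
        with open(pkg, "ab") as fh:
            fh.write(b"x")
        altered_ok = verify_md5(pkg, md5_file)[0]

    return bare_ok, md5sum_ok, altered_ok


if __name__ == "__main__":
    print(demo())
```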




RE: Export laws

2001-09-14 Thread John . Airey

>-Original Message-
>From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
>Sent: 14 September 2001 02:22
>To: [EMAIL PROTECTED]
>Subject: Re: Export laws
>
>
>Michael Sierchio <[EMAIL PROTECTED]> writes:
>> The code was simply reverse-engineered.  It's a small, simple
>> piece of code.  Reverse-engineering is the determination of someone
>> else's trade secret information via examination and testing 
>of publicly 
>> available information.  It's legal.
>RSA required a prohibition on reverse engineering as part of the
>pass-through license which they imposed on their licensees (at least
>they did for us). Thus, whoever reverse engineered the code likely
>violated the license in the process. It's certainly debatable whether
>such a prohibition is enforceable but it's not a slam-dunk that it
>isn't, either.

Just to enter the fray, it's worth pointing out that "Samba" was reverse
engineered also, and Microsoft support it in all but name. Actually, you
could probably reverse engineer Windows as well but it probably wouldn't be
worth it.

Also, to say that ARC4 violates the RC4 trademark is as daft as stating that
the name Christina Saunders violates the right to the initials NASA. I
believe someone with a name like this was once refused the right to register
a domain name. Closer to home, Does NASDAQ violate the trademark name ASDA?
I don't think so!

However, like Eric I would be concerned about being sued by RSA.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Time Diff?

2001-09-14 Thread John . Airey

>-Original Message-
>From: Averroes [mailto:[EMAIL PROTECTED]]
>Sent: 14 September 2001 10:03
>To: [EMAIL PROTECTED]
>Subject: Time Diff?
>
>
>Hi all,
>
>Perhaps someone noticed this:
>
>When I create a certificate there is difference
>between system (OS) time and creation time of certificate.
>Approximately one hour.
>
>
>certificate info:
>Validity
>Not Before: Sep 14 09:57:24 2001 GMT
>Not After : Sep 13 09:57:24 2006 GMT
>
>and immediately after signing:
>Fri Sep 14 10:58:32 BST 2001
>
>Any ideas?
>
There isn't a time difference. These are the same time! 9:58:32 GMT (or more
correctly UTC) is 10:58:32 BST, although only between (at present) 1:00AM
UTC on the last Sunday in March and 1:00AM UTC on the last Sunday in
October. This is the same across the whole of the EU.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
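
The comparison made in the reply above, as an added example that is not part of the original thread: it parses the certificate's Not Before value and the shell's date output quoted in the question, applies the summer-time rule as the reply states it (last Sunday in March to last Sunday in October, switching at 01:00 UTC), and reports the real gap between the two readings. The function names are this example's own, and the rule is assumed to hold for the year being converted.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Offsets in hours for the zone abbreviations that appear in the thread.
ZONE_OFFSETS = {"GMT": 0, "UTC": 0, "BST": 1}


def last_sunday(year, month):
    """Last Sunday of a month, as a UTC midnight datetime."""
    first_of_next = (datetime(year + 1, 1, 1, tzinfo=UTC) if month == 12
                     else datetime(year, month + 1, 1, tzinfo=UTC))
    last_day = first_of_next - timedelta(days=1)
    # weekday(): Monday is 0, Sunday is 6.
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def bst_window(year):
    """Start and end of British Summer Time, both at 01:00 UTC."""
    start = last_sunday(year, 3) + timedelta(hours=1)
    end = last_sunday(year, 10) + timedelta(hours=1)
    return start, end


def to_uk_local(moment_utc):
    """Convert an aware UTC datetime to UK local time.

    Returns (local datetime, zone abbreviation).
    """
    start, end = bst_window(moment_utc.year)
    name = "BST" if start <= moment_utc < end else "GMT"
    tz = timezone(timedelta(hours=ZONE_OFFSETS[name]), name)
    return moment_utc.astimezone(tz), name


def parse_cert_time(text):
    """Parse an OpenSSL validity value such as 'Sep 14 09:57:24 2001 GMT'."""
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=UTC)


def parse_date_output(text):
    """Parse date output such as 'Fri Sep 14 10:58:32 BST 2001' into UTC."""
    _dow, month, day, clock, zone, year = text.split()
    naive = datetime.strptime(" ".join((month, day, clock, year)),
                              "%b %d %H:%M:%S %Y")
    return (naive - timedelta(hours=ZONE_OFFSETS[zone])).replace(tzinfo=UTC)


def demo():
    """Compare the two timestamps quoted in the question."""
    not_before = parse_cert_time("Sep 14 09:57:24 2001 GMT")
    shell_clock = parse_date_output("Fri Sep 14 10:58:32 BST 2001")
    local, zone = to_uk_local(not_before)
    gap_seconds = int((shell_clock - not_before).total_seconds())
    return local.strftime("%H:%M:%S"), zone, gap_seconds


if __name__ == "__main__":
    print(demo())
```

The gap that remains after conversion is the time that passed between signing and running date, not an hour of clock skew.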




RE: WIN32 binaries anyone??

2001-09-13 Thread John . Airey

Have you checked out http://curl.haxx.se/download.html?

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

>-Original Message-
>From: Radi Shourbaji [mailto:[EMAIL PROTECTED]]
>Sent: 13 September 2001 08:50
>To: '[EMAIL PROTECTED]'
>Subject: WIN32 binaries anyone??
>Importance: High


>I am in search of pre-built binaries for WIN32 to use in conjunction with
curl in a w2k environment.  Any help would be appreciated!  
 
>Thanks!
 
>Radi
 




RE: libssl.so & libcrypto.so, again.

2001-09-10 Thread John . Airey

>-Original Message-
>From: Joe Orton [mailto:[EMAIL PROTECTED]]
>Sent: 10 September 2001 10:50
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: libssl.so & libcrypto.so, again.
>
>
>On Mon, Sep 10, 2001 at 09:48:28AM +0100, [EMAIL PROTECTED] wrote:
>> I have tried upgrading the version of openssl 0.9.6 on a 
>RedHat 7.1 machine
>> to 0.9.6b using the RedHat openssl.spec file and it broke several
>> applications, including openssh. This is why I've been 
>saying in the case of
>> RedHat 7.x to stick with the RedHat openssl packages. Now if 
>you could just
>> provide different packages for us Brits (and others) who 
>aren't restricted
>> by RC5 and IDEA patents...
>
>You could do this yourself without too much trouble. You'd just have to
>comment out the %{SOURCE1} line in openssl.spec, and adjust 
>the ./config
>line appropriately, and learn how to rebuild a source RPM :)
>
>joe
>
I realise I could do that (and probably will do now!). I take it that
SOURCE1 is the hobble.openssl file? I've been building rpms from source for
quite a while now. When you have numerous RedHat boxes to administer,
building RPMS on one to install on the others makes perfect sense. However,
like I said it would help if the packages were made available. If not, does
RedHat have any objections to me making them available?

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: libssl.so & libcrypto.so, again.

2001-09-10 Thread John . Airey

>-Original Message-
>From: Joe Orton [mailto:[EMAIL PROTECTED]]
>Sent: 07 September 2001 15:09
>To: Robert Pungello
>Cc: [EMAIL PROTECTED]
>Subject: Re: libssl.so & libcrypto.so, again.
>
>
>On Fri, Sep 07, 2001 at 08:09:06AM -0400, Robert Pungello wrote:
>> Hello All.  I know there have been a few questions about 
>this already, but
>> I'm still a bit confused.  I'm using Red Hat 7.1 with the 
>openssl-0.9.6-3
>> and openssl-devel-0.9.6-3 packages installed.  In addition, 
>I have also
>> installed openssl-0.9.6b myself because at the time I didn't 
>realize the
>> previously installed package existed.  When I look in my /usr/lib/
>> directory, I see the following files (among others):
>> libssl.a, libssl.so, libssl.so.0.9.6, libssl.so.1
>> libcrypto.a, libcrypto.so, libcrypto.so.0.9.6, libcrypto.so.1.
>
>Okay, I'll try my best at answering this... with RHL7.1, you would get
>the following: (the same applies throughout for libssl as libcrypto)
>
>libcrypto.so.0.9.6: the actual shared library
>libcrypto.so.1: symlink to above
>
>If you have upgraded your system from 7.0, you will also have 
>
>libcrypto.so.0.9.5a: another real actual shared library
>libcrypto.so.0: symlink to above
>
>These symlinks are created by the 'ldconfig' command (run automagically
>just after the RPMs are installed).
>
>Each time that the ABI changes (so that the library is no longer
>backwards-compatible), and a new RPM is made, you'll see a new symlink
>libcrypto.so.N (where N increases by 1 each time). This allows Red Hat
>to keep backwards compatibility with old applications.  So in the next
>release, if you upgrade, IIRC you'll find:
>
>libcrypto.so.0.9.6a: a real library
>libcrypto.so.2: symlink to above
>
>and if 0.9.7 isn't binary compatible with 0.9.6a, then at some point
>later you'll find an RPM with:
>
>libcrypto.so.0.9.7: real shared library
>libcrypto.so.3: symlink to above
>
>I hope this makes sense so far. The -devel package will install the
>following two libs, which you only need if you want to build any
>packages which link against OpenSSL:
>
>libcrypto.so: symlink to real library again
>libcrypto.a: the static library
>
>So that's how Red Hat's OpenSSL RPMs work, I think. This differs
>slightly from how the stock OpenSSL tarballs will install shared
>libraries, since the stock Makefiles don't try to cope with binary
>compatibility issues.  I think if you install a stock OpenSSL 
>over a RHL
>system, it will create
>
>libcrypto.so.X.Y.Z
>libcrypto.so, libcrypto.so.0: symlinks to above
>
>This will be a problem if you have any applications on your system
>linked against the 0.9.5a library if you upgraded from RHL 7.0, but
>otherwise, your existing applications should work fine still.
>
>Compiling things on this system will probably be okay, unless you ever
>upgrade any of the OpenSSL RPMs, in which case your applications may
>break again, I'm not sure. I'd advise doing

I have tried upgrading the version of openssl 0.9.6 on a RedHat 7.1 machine
to 0.9.6b using the RedHat openssl.spec file and it broke several
applications, including openssh. This is why I've been saying in the case of
RedHat 7.x to stick with the RedHat openssl packages. Now if you could just
provide different packages for us Brits (and others) who aren't restricted
by RC5 and IDEA patents...

>
># rpm --erase openssl-devel
># rpm -Uvh openssl-devel-0.9.6-3.rpm ### from the CD, or wherever
>
>if you wish to get back under the RPM management. You may need 
>a --force
>too.
>
>Hope some of that makes sense :)
>
>joe

It makes sense to me. It's good to see someone from RedHat giving a hand
with this one, as it does come up often on the list.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
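
The library layout discussed in this message, as an added example that is not part of the original thread: it builds a temporary directory with the files and symlinks the quoted reply lists for a Red Hat 7.1 system upgraded from 7.0, then applies the stock-tarball layout the reply describes (hedged there with "I think") and reports which names now resolve to a different real library. All files are empty constructed stand-ins and the function names are this example's own; `resolve_names` can equally be pointed at a real library directory.

```python
import os
import tempfile


def build_lib_dir(root, real_files, links):
    """Create empty stand-in libraries and the symlinks that point at them."""
    os.makedirs(root, exist_ok=True)
    for name in real_files:
        with open(os.path.join(root, name), "wb"):
            pass
    for link, target in links.items():
        path = os.path.join(root, link)
        if os.path.lexists(path):
            os.remove(path)  # re-point a symlink that already exists
        os.symlink(target, path)


def resolve_names(libdir, stem="libcrypto"):
    """Map every <stem>.so* name in libdir to the real file it resolves to."""
    resolved = {}
    for name in sorted(os.listdir(libdir)):
        if name.startswith(stem + ".so"):
            real = os.path.realpath(os.path.join(libdir, name))
            resolved[name] = os.path.basename(real)
    return resolved


def changed_targets(before, after):
    """Names present in both snapshots whose real file is now different."""
    return {name: (before[name], after[name])
            for name in before
            if name in after and before[name] != after[name]}


def demo():
    """Snapshot the layout before and after a stock install on top of RPMs."""
    with tempfile.TemporaryDirectory() as tmp:
        libdir = os.path.join(tmp, "usr", "lib")

        # Red Hat 7.1 upgraded from 7.0, with openssl-devel installed,
        # as listed in the quoted reply.
        build_lib_dir(
            libdir,
            ["libcrypto.so.0.9.5a", "libcrypto.so.0.9.6", "libcrypto.a"],
            {"libcrypto.so.0": "libcrypto.so.0.9.5a",
             "libcrypto.so.1": "libcrypto.so.0.9.6",
             "libcrypto.so": "libcrypto.so.0.9.6"})
        before = resolve_names(libdir)

        # Stock 0.9.6b tarball installed over it: libcrypto.so.X.Y.Z plus
        # libcrypto.so and libcrypto.so.0 pointing at the new file.
        build_lib_dir(
            libdir,
            ["libcrypto.so.0.9.6b"],
            {"libcrypto.so": "libcrypto.so.0.9.6b",
             "libcrypto.so.0": "libcrypto.so.0.9.6b"})
        after = resolve_names(libdir)

    return before, after, changed_targets(before, after)


if __name__ == "__main__":
    for name, (old, new) in sorted(demo()[2].items()):
        print("%s: %s -> %s" % (name, old, new))
```

The `libcrypto.so.0` entry in the result is the case the reply warns about: programs linked against the 0.9.5a library now load a different one under the same name.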


RE: Wasn't someone joking about the virus being posted by an autoresponder

2001-08-23 Thread John . Airey

>-Original Message-
>From: Steven Reddie [mailto:[EMAIL PROTECTED]]
>Sent: 22 August 2001 12:23
>To: [EMAIL PROTECTED]
>Subject: Wasn't someone joking about the virus being posted by an
>autoresponder
>
>
>At least I thought it was a joke.
>
>Steven

That was me, and it was a joke. However, there are anti-virus products about
that will send the virus back to the sender (what on earth for I ask?). We
don't set ours to do this and I'm pleased to see that our AV package didn't
send any auto-response other than to internal administrators (including
myself). We already get grief from our users because Out of Office messages
don't go to the Internet!

Mind you, if a mischievous sysadmin in the UK has done this deliberately as
a result of my "suggestion", I'd like to chase him/her under the Computer
Misuse Act.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: W2k wiazrd

2001-08-23 Thread John . Airey

>-Original Message-
>From: Nevalainen, Eric [mailto:[EMAIL PROTECTED]]
>Sent: 22 August 2001 17:20
>To: 'Robert Krenn'
>Cc: '[EMAIL PROTECTED]'
>Subject: W2k wiazrd
>
>
>Bingo!
>
>The string:
>
>bash-2.04# OpenSSL ca -out request.pem -notext -infiles certreq.txt
>where -out = the cert to be generated, and -infiles = the pending request,
>the -notext option suppresses the plaintext form of the certificate to the
>output file.  IIS 5 seems to like this.
>
>output looks like:
>
I wouldn't hold your breath if this is a "self-signed" certificate. No doubt
someone else will correct me if I'm wrong, but I've never been able to get a
self-signed certificate working on any version of IIS.

(I'm assuming this is a server cert. If it's a client cert then I'm probably
barking up the wrong tree).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Please reconfigure majordomo to not set Reply-To (was: Failed to clean virus file Emanuel.exe)

2001-08-20 Thread John . Airey

>-Original Message-
>From: Amos Gouaux [mailto:[EMAIL PROTECTED]]
>Sent: 20 August 2001 14:03
>To: [EMAIL PROTECTED]
>Subject: Re: Please reconfigure majordomo to not set Reply-To (was:
>Failed to clean virus file Emanuel.exe)
>
>
>>>>>> On Mon, 20 Aug 2001 05:00:01 -0700,
>>>>>> Caliban Tiresias Darklock <[EMAIL PROTECTED]> (ctd) writes:
>
>ctd> On Mon, 20 Aug 2001 13:33:18 +0200, Michael Ströder
>ctd> <[EMAIL PROTECTED]> wrote:
>
>>> Because the mailing list processor is configured to set the Reply-To
>>> address to the list address. IMHO this should be changed to reduce
>>> such problems with automatic replies (vacation e-mails, virus-scans
>>> etc.).
>
>ctd> But that would make *regular* replies a pain in the ass for list
>ctd> members. 
>
>What we do is send the notice to the envelope sender, which
>typically is set to the list owner.  (Sorry list owner.)  At least
>that way it doesn't flood the entire list time and time again
>
If you think this is bad, imagine what would happen if the anti-virus
checker attached the infected email in each alert (which for example
InoculateIT can do). Forget out of office replies et al...

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Linux and EVP_rc5_32_12_16_ofb

2001-07-30 Thread John . Airey

>-Original Message-
>From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
>Sent: 27 July 2001 18:50
>To: [EMAIL PROTECTED]
>Subject: Re: Linux and EVP_rc5_32_12_16_ofb
>
>
>
>
>Ng Pheng Siong wrote:
>> 
>> Hi,
>> 
>> I've gotten a few messages about M2Crypto not working on Linux (Red Hat
>> 7.1, SuSe 7.1) because "undefined symbol: EVP_rc5_32_12_16_ofb".
>> 
>> I understand the packaged OpenSSL on those platforms are versions of
>> 0.9.6.
>> 
>> I don't have a Linux installation at the moment, so I have no clue why
>> this is so.
>> 
>
>RC5 is probably omitted for patent reasons.
>
You are spot on. The pre-packaged openssl with RedHat 7.1 has a file called
"hobble-openssl". It removes RC5, IDEA and MDC2.

Of course, it is possible to rebuild the package so that it doesn't. I'm
just building one now.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

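A way to check for a hobbled build before installing a binding such as M2Crypto, as an added example that is not part of the original thread: it probes the installed libcrypto for the EVP symbols a binding would link against. `EVP_rc5_32_12_16_ofb` is the symbol from the error quoted above; the IDEA, MDC2 and 3DES probe symbols and all function names are choices made for this example.

```python
import ctypes
import ctypes.util

# One EVP entry point per algorithm. EVP_rc5_32_12_16_ofb is the symbol named
# in the thread; the others are standard OpenSSL EVP functions picked for this
# example (3DES serves as a control that is normally present).
PROBES = {
    "RC5": "EVP_rc5_32_12_16_ofb",
    "IDEA": "EVP_idea_cbc",
    "MDC2": "EVP_mdc2",
    "3DES": "EVP_des_ede3_cbc",
}


def load_libcrypto(path=None):
    """Load libcrypto from `path` or the default search path; None if unavailable."""
    name = path or ctypes.util.find_library("crypto")
    if not name:
        return None
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


def missing_algorithms(has_symbol, probes=PROBES):
    """Return the algorithms whose probe symbol the library does not export."""
    return sorted(alg for alg, sym in probes.items() if not has_symbol(sym))


def check_installed(path=None):
    """Probe the installed library; None means libcrypto could not be loaded."""
    lib = load_libcrypto(path)
    if lib is None:
        return None
    # ctypes resolves the attribute through the dynamic loader and raises
    # AttributeError when the symbol is absent, which hasattr() reports as False.
    return missing_algorithms(lambda sym: hasattr(lib, sym))


if __name__ == "__main__":
    # Constructed stand-in for a hobbled build: only the control symbol exists.
    hobbled = {"EVP_des_ede3_cbc"}
    print("hobbled build lacks:", missing_algorithms(hobbled.__contains__))
    print("this system lacks:  ", check_installed())
```

This is a link-time check only: it reports whether the symbol is exported, which is what the "undefined symbol" error is about, not whether the algorithm is usable at run time.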



RE: Web Site Alert: Not Responding

2001-07-27 Thread John . Airey
It worked just now! I've just pulled 0.9.6b again to test it (again).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 25 July 2001 11:32
> To: [EMAIL PROTECTED]
> Subject: Web Site Alert: Not Responding
> 
> There appears to be a problem in reaching your Web site at
> http://www.openssl.org/support/.
> 
> Time of Error: 2001-07-25 06:32:29
> Error Type: Connection Refused
> 
> InternetSeer, a Web site monitoring company, is conducting an ongoing study
> of the true connectivity of the Web. As recommended by the Robots Guidelines,
> this email is being sent to explain our research activities and to let you
> know about the difficulty in connecting to your site.
> 
> If you would like InternetSeer to continue to alert you at no charge
> whenever there is a problem reaching your Web site, click here.
> 
> InternetSeer does not store or publish the content of your pages,
> but rather uses availability and link information for our research.
> Click here to learn more about InternetSeer.
> 
> Mike Dever
> President
> [EMAIL PROTECTED]
> 
> Note: If you prefer not to receive these occasional alerts
> regarding the availability of your Web site, reply to this email with Cancel
> in the subject line. Please leave a full copy of this message in the body of
> your reply email.
> ##[EMAIL PROTECTED]##






Expired certificates

2001-07-25 Thread John . Airey

I've just made an interesting discovery after suffering the ignominy of having
an SSL certificate expire. (Supposedly I'll have it within the next two
hours. A late night for me!)

It appears from my testing that the expiry time on a certificate is taken
from the client's machine time, not the server time. I've tested this with
IE 5.01 SP1 and Netscape 4.77.

Therefore the moral is to ensure that you renew all certificates before the
time on the certificate is reached anywhere in the world, to prevent browser
warnings. In practical terms this would mean renewing before the last 24
hours of the certificate is reached. As far as I am aware this is not
documented anywhere. (No doubt some clever person will point me to the RFC
where this is).

I believe I'll have some accurate information about self-signed starred
certificates with IIS fairly soon also.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

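A renewal-window check built on that observation, as an added example that is not part of the original post. The certificate's dates are absolute UTC instants, so what differs between browsers is each client's clock, and the tolerance that makes an old certificate look expired to a fast clock also makes its replacement look not yet valid to a slow one. The input format is the output of `openssl x509 -noout -dates`; the sample dates, the 24-hour default and the function names are constructed for this example.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample output of `openssl x509 -noout -dates`.
OLD_CERT = "notBefore=Jul 25 12:00:00 2000 GMT\nnotAfter=Jul 25 12:00:00 2001 GMT"
NEW_EARLY = "notBefore=Jul 20 00:00:00 2001 GMT\nnotAfter=Jul 20 00:00:00 2002 GMT"
NEW_LATE = "notBefore=Jul 25 09:00:00 2001 GMT\nnotAfter=Jul 25 09:00:00 2002 GMT"


def parse_dates(openssl_dates: str) -> dict:
    """Parse the notBefore=/notAfter= lines into timezone-aware UTC datetimes."""
    out = {}
    for line in openssl_dates.strip().splitlines():
        key, _, value = line.partition("=")
        seconds = ssl.cert_time_to_seconds(value.strip())
        out[key.strip()] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return out


def client_verdict(true_now, clock_error, dates):
    """What a client whose clock is off by `clock_error` concludes at `true_now`."""
    seen = true_now + clock_error
    if seen < dates["notBefore"]:
        return "not yet valid"
    if seen > dates["notAfter"]:
        return "expired"
    return "valid"


def swap_window(old, new, tolerance=timedelta(hours=24)):
    """Interval in which the new certificate can replace the old one without a
    warning on any client whose clock is within +/- tolerance of true time.
    Returns (earliest, latest), or None when no such interval exists."""
    earliest = new["notBefore"] + tolerance   # slowest clock is past notBefore
    latest = old["notAfter"] - tolerance      # fastest clock is before notAfter
    return (earliest, latest) if earliest <= latest else None


if __name__ == "__main__":
    old, early, late = (parse_dates(c) for c in (OLD_CERT, NEW_EARLY, NEW_LATE))
    six_hours_left = datetime(2001, 7, 25, 6, tzinfo=timezone.utc)
    for error in (timedelta(0), timedelta(hours=8)):
        print(f"clock error {error}: old cert is",
              client_verdict(six_hours_left, error, old))
    print("swap window, replacement issued early:", swap_window(old, early))
    print("swap window, replacement issued late: ", swap_window(old, late))
```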



RE: OpenSSL and IIS4 - problem

2001-07-23 Thread John . Airey

>-Original Message-
>From: Greg Stark [mailto:[EMAIL PROTECTED]]
>Sent: 20 July 2001 15:51
>To: [EMAIL PROTECTED]
>Subject: Re: OpenSSL and IIS4 - problem
>
>
>I have to disagree with Mr. Airey, though not without some trepidation.
>
>You enter the hostname into IE *exactly* as it is entered in the CN (or
>subjectAltName) in the certificate. If the certificate has an IP address,
>then that's what you should put into IE. If it has a dotted DNS address, then
>that is what you should put into IE.
>
>Also, even if the addresses differ, IE still pops up a warning window
>telling you about this. It doesn't just silently fail with an error message.
>
>If the IP address is correct in your example, then I tried to connect to it
>and noticed that the server is actively refusing TCP connections on port
>443. It is not even getting to the SSL part, it just sends a TCP RST in
>response to a TCP SYN on port 443. Perhaps you have a firewall in the way?

No problem disagreeing with me, my managers do that all the time ;-).
Perhaps I should have said "some versions" of IE do not like it. I'm using
IE 5.01SP1 (I have to because we've internal systems that depend on IE.
Yuk!) and can connect to one of our secure sites using an IP address and the
actual address. The former gives a warning. I've had problems with older
versions of IE4, but upgrading to 128bit security cleared it. (I would
recommend anyone who can to upgrade IE to 128bit).

But like you say, it looks like a firewall or router configuration that is
preventing connections.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: OpenSSL and IIS4 - problem

2001-07-20 Thread John . Airey




I would suspect that you are using IE, which is extremely fussy about
connecting to IP addresses with SSL. Use the full host name (ie host.domain)
to connect. You'll need either an entry in a hosts file, or the host name to
exist in your DNS.

In the case of the first error, IIS will refuse you access to that directory
as you requested a secure channel. It usually says something about requiring
a secure connection though.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

> -Original Message-
> From: David [mailto:[EMAIL PROTECTED]]
> Sent: 20 July 2001 01:54
> To: [EMAIL PROTECTED]
> Subject: OpenSSL and IIS4 - problem
> 
> Now I am able to install key generated by OpenSSL from IIS key manager by
> converting format to IIS format. (Thanks Lisle and John)
> 
> Then I did follow steps.
> 1. Add my ip(203.1.1.1) and port(443) to keymanager and save changes.
> 2. Select a virtual directory (download) and update properties with
>    Select 'Require Secure Channel' and 'Do not accept certificates' option
> 3. Restart IIS.
> 
> Then when I try URL: http://203.76.4.111/download
> Error: it tell me not authorized
> *why? I did not select require client cert option.
> 
> try another https://203.76.4.111/download
> Error: The page cannot be displayed
> *why? I already add my ip and port to key manager.
> 
> I change option to 'Require Client Certificates' then try URL again, It
> still give me same error instead of popup a require cert window. If I use
> this option, do I need to install the same cert into my browser in order to
> access my secure directory?
> 
> What am I doing wrong here?
> 
> Thanks.
> David


RE: OpenSSL and IIS4

2001-07-19 Thread John . Airey



IIS4 can use 1024 RSA keys. We have several machines that are doing this
already.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

> -Original Message-
> From: haikel [mailto:[EMAIL PROTECTED]]
> Sent: 19 July 2001 10:06
> To: [EMAIL PROTECTED]
> Subject: Re: OpenSSL and IIS4
> 
> Slamou alycom,
> Verify that IIS 4 use keys with length higher than 512 bits, if not upgrade
> your version of IIS.
> Haikel MEJRI
> 
> David wrote:
> > Hey,
> > I am trying to setup https on IIS4 by using OpenSSL, I follow steps:
> > 1. Create private key
> >     openssl genrsa -des3 > holly.pem
> > 2. Generate a CSR from your key
> >     openssl req -new -key holly.pem > holly.csr
> > 3. Generate a self-signed certificate
> >     openssl req -x509 -key holly.pem -in holly.csr > holly.crt
> > 4. From IIS4 key Manager select import key file: holly.pem and cert
> >    file: holly.crt. I got error: wrong password.
> > 
> > I am sure that I use exactly the same password, so what real problem is?
> > anyone has this experience.
> > 
> > Thanks


RE: ROOKIE Question

2001-04-12 Thread John . Airey

Have a look at http://www.openssh.org/windows.html 

There's a whole list of them. I haven't tried putty yet. I use TTSSH at home
(not that my LAN at home is likely to be hacked, I just prefer it to
Windows' telnet!) and F-Secure SSH at work.  The latter costs money,
but I think it's money well spent 

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



> -Original Message-
> From: Web boy [mailto:[EMAIL PROTECTED]]
> Sent: 09 April 2001 20:00
> To: [EMAIL PROTECTED]
> Subject: ROOKIE Question
> 
> 
> Hello I have installed and configured openssl on my
> linux box (redhat 6.2).  Everything went fine now I
> need to know how do I connect remotely from my NT
> workstation?
> 
> I have seen with SSH that there is something called
> putty but not sure what my next step is.
> 
> My goal is to be able to transfer files securely back
> and forth from my NT workstation to my LINUX box and
> vice versa.
> 
> Any help would be great



RE: a question about install

2001-04-09 Thread John . Airey

You can also use the DOS "SHELL" command to increase environment space.
Details can be gathered from a DOS 6.0-6.22 machine. Windoze doesn't have
any information on it, AFAIK.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Jonas Jakobsson [mailto:[EMAIL PROTECTED]]
> Sent: 06 April 2001 01:03
> To: [EMAIL PROTECTED]
> Subject: Re: a question about install
> 
> 
> 
> >  before i compile the openssl, i use the vcvars32.bat in the directory
> >  D:\Program Files\Microsoft Visual Studio\VC98\Bin
> > but it tell me that out of the environment space, what should i do !
> 
> 
> I had the same problem.
> The solution in my case was to cut down the size of my path variable in
> config.sys, restart
> and run the vcvars.bat in the dos box.
> Or, you could modify the shortcut to the dos-box to use your own modified
> config.sys.
> 
> just my 2 cents
> /Jonas Jakobsson



RE: OpenSSL or Engine

2001-03-29 Thread John . Airey

The openssl-engine code contains "experimental" support for hardware crypto
devices. If you don't have one, or don't even know what one is, then just
use the vanilla "openssl" code.

I read somewhere that the two code branches will be merged in 0.9.7. Can't
remember where now.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Dave Horner [mailto:[EMAIL PROTECTED]]
> Sent: 29 March 2001 11:20
> To: [EMAIL PROTECTED]
> Subject: OpenSSL or Engine
> 
> 
> We are using an apache web server and need to generate a CSR so we can
> use SSL.
> The documentation says that we need openssl to generate the CSR. 
> Could someone explain the difference between OpenSSL and OpenSSL
> (engine) , so I know which one to install ?
> Many Thanks
> Dave



RE: Batching E-Mails

2001-03-14 Thread John . Airey

My $0.02 worth. It is perfectly possible for there to be two versions of
this list, a normal list and a "digest" or batched list as the original
poster calls it. Majordomo supports it, but it will involve more work for
someone to set it up.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



> -Original Message-
> From: Gil Peeters [mailto:[EMAIL PROTECTED]]
> Sent: 14 March 2001 10:37
> To: [EMAIL PROTECTED]
> Subject: Re: Batching E-Mails
> 
> 
> Hey man, I think you got me wrong here. 
> 
> I am not saying that you should not have the choice, I was just stating my
> reasons for liking the current system. I was not bagging you for having your
> own opinion.
> 
> Choice is a wonderful thing!
> 
> Chill out and go in peace!
> 
> G.
> 
> Oliver Bode wrote:
> > 
> > That's your preference. I prefer batched E-Mails. I would prefer to open
> > one message related to an issue than open 10,
> > 
> > I wrote to Majordomo and requested that I would prefer batched E-mails.
> > 
> > And as Majordomo can already do all sorts of filtering
> > himself/herself/itself, I asked him/her/it that I would like my E-mails
> > batched if possible.
> > 
> > Again - what is wrong with choice This is all possible and easily
> > implemented.
> > 
> > - Original Message -
> > From: "Gil Peeters" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, March 14, 2001 8:52 PM
> > Subject: Re: Batching E-Mails
> > 
> > > Well actually no...
> > >
> > > I keep all the messages on this forum as a reference (Just in case I
> > > have similar probs later) and I delete any irrelevant/SPAM messages
> > > when I get time.
> > >
> > > I do filter all messages from openssl.org to a separate folder, and I
> > > can view the messages threaded in my mail client (Netscape
> > > Messenger)... So this is an excellent feature. Mostly I just mark them
> > > all as read, and I scan the message subjects if I have a problem that
> > > needs solving..
> > >
> > > I don't mind the individual messages at all.
> > >
> > > Gil.
> > >
> > > Oliver Bode wrote:
> > > >
> > > > The mailing lists I enjoy and stick with are the ones where I get one
> > > > E-Mail everyday - batched. I can then scan through the headings each
> > > > day and respond when I want or learn what I need.
> > > >
> > > > Why do I have to download every message and then delete every single
> > > > one?. It is not difficult to batch E-Mail messages. And what's wrong
> > > > with having a choice
> > > >
> > > > I can tell that you would appreciate batched E-mails also.
> > > >
> > > > - Original Message -
> > > > From: "Gil Peeters" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, March 14, 2001 8:05 PM
> > > > Subject: Re: Batching E-Mails
> > > >
> > > > > Why not filter all the messages from this group into a separate
> > > > > folder?
> > > > >
> > > > > That way they are separated from your other mails.
> > > > >
> > > > > G,
> > > > >
> > > > > Oliver Bode wrote:
> > > > > >
> > > > > > Hello Majordomo,
> > > > > >
> > > > > > I enjoy reading *some* of the E-mails posted to this list and am
> > > > > > prepared to help people enable OpenSSL in their own projects.
> > > > > >
> > > > > > However, I can't stand my inbox being filled up every morning with
> > > > > > 10,000 messages. Is there a way I can get the messages packaged up
> > > > > > in one E-Mail? So I can respond to the ones I can help with!
> > > > > > Otherwise, I want out by the end of this week!
> > > > > >
> > > > > > Majordomo or whoever you are is there a way we can get this
> > > > > > happening
> > > > > >

RE: Can't compile openssl-0.9.6

2001-03-12 Thread John . Airey

Just to muddy the waters a little, the latest kernel (2.2.17) from RedHat
put the "kernel-headers" package in with the "kernel-source" package. A
really stupid idea which has caused a number of people a lot of grief,
including me!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Greg Stark [mailto:[EMAIL PROTECTED]]
> Sent: 09 March 2001 15:04
> To: [EMAIL PROTECTED]
> Subject: Re: Can't compile openssl-0.9.6
> 
> 
> Marcel,
> 
> Your problem is that /usr/include/linux/errno.h does not exist on the
> machine in question. Make sure you have installed the necessary RedHat
> package, which I think is the "kernel-headers-xxx" RPM, and check that any
> symbolic links point to the correct places.
> 
> _
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> _
> 
> 
> 
> - Original Message -
> From: "Marcel Loesberg" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 09, 2001 9:17 AM
> Subject: Can't compile openssl-0.9.6
> 
> 
> > Hi,
> >
> > I'm using openssl as a part of Tinc (a VPN program).
> > I've tried to compile openssl-0.9.6 on two machines.
> > Both run RedHat 6.2, the only difference between the machines
> > is the motherboard and CPU.
> >
> > When I try to do "make" on the 2nd machine I get this error:
> >
> > > making all in crypto...
> > > make[1]: Entering directory `/var/opt/test/openssl-0.9.6/crypto'
> > > gcc -I. -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
> > > -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM
> > > -DRMD160_ASM   -c -o cryptlib.o cryptlib.c
> > > In file included from /usr/include/bits/errno.h:25,
> > >                  from /usr/include/errno.h:36,
> > >                  from ../include/openssl/err.h:90,
> > >                  from cryptlib.h:70,
> > >                  from cryptlib.c:61:
> > > /usr/include/linux/errno.h:4: asm/errno.h: No such file or directory
> > > make[1]: *** [cryptlib.o] Error 1
> > > make[1]: Leaving directory `/var/opt/test/openssl-0.9.6/crypto'
> > > make: *** [all] Error 1
> >
> > I don't understand which file it cannot find.
> > "cryptlib.o" is in /var/opt/test/openssl-0.9.6/crypto
> > What do I do wrong?
> >
> > Regards,
> >
> > Marcel
> > --
> > It sports 64K of L1 data cache, 64K of L1 instruction cache, three
> > independent integer pipelines, three address calculation pipelines,
> > and a fully pipelined, out-of-order, three-way floating-point engine.



RE: ????????--???

2001-02-01 Thread John . Airey

> -Original Message-
> From: Marco Cunha [mailto:[EMAIL PROTECTED]]
> Sent: 31 January 2001 15:45
> To: [EMAIL PROTECTED]
> Subject: RE: --???
> 
[snip]
> 
> If the list already shouldn't accept email from the "outside"... then
> there's something very wrong with majordomo.
> 
> Thank you for your time,
> Marco Cunha

I'm not wishing to drift off into too technical a discussion, but majordomo
can operate "closed" lists, where only those on the list can send to it. I
administer several lists where this is the case. One of them I actually
approve messages before they go out, because most of the people on that list
reply to the list rather than send messages to me, which is a real pain in
the neck!

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: Certificates with many Virtual host

2001-01-25 Thread John . Airey

It appears that you are not using one IP address for each virtual host. Once
you've configured those correctly the error should go away.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Luis Miguel [mailto:[EMAIL PROTECTED]]
> Sent: 25 January 2001 11:50
> To: [EMAIL PROTECTED]
> Subject: Certificates with many Virtual host
> 
> 
> Please, help.
> I have an apache http/https server and 8 virtual http servers
> (8 virtual host). Four virtual servers are secure servers
> Then, I have 4 hostnames and my own CA root (self signed) certificate.
> 
> The certificate have only 1 host name and with
> 3 of virtual host, clients can see the message:
> 
>   "The certificate you are viewing does not match the
>   name of the site you are trying to view"
>   or similar
>   (Clients can work, but they see this previous message)
> 
> I need that the clients can't see this message.
> 
> a) Can I make my own certificate valid for many host names ?
> b) If don't, then the solution is to make 4 certificates, one for each
> virtual https host
> - a certificate (C1) for host A
> - a certificate (C2) for host B
> ...
> - a certificate (C3) for host C
> 
> , but then the client must accept 4 four certificates.
> I need that the client only accept the first certificate, and not the
> four certificates.
> 
> Are the solution to make a CA root certificate and then
> 4 CA certificates ?
> How can make it ?
> 



RE: Certificates with many Virtual host

2001-01-25 Thread John . Airey

Correction, it does work with IE, we have a wildcard certificate that works
with IE 5.01. It works with IE 4 fine. As for IE 3.02 and before, well, they
have problems with their root certs anyway.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Michael Ströder [mailto:[EMAIL PROTECTED]]
> Sent: 25 January 2001 14:34
> To: [EMAIL PROTECTED]
> Subject: Re: Certificates with many Virtual host
> 
> 
> Reiner Buehl wrote:
> > 
> > There is a (not recommended) possibility for this: If all of your hosts
> > belong to the same domain you could generate a so called "wildcard
> > certificate".
> > This is a certificate with a hostname like '*.mydomain.org'
> 
> AFAIK this does not work with M$ IE.
> 
> Ciao, Michael.
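
The wildcard certificate discussed in the message above ('*.mydomain.org'), as an added example that is not part of the original posts: a conservative name-matching check showing which virtual hosts a given set of certificate names covers. All host names are constructed, and the multi-name case assumes a certificate that carries several names (for instance as subjectAltName entries), which the thread itself does not discuss.

```python
# Added example (not from the thread): hostname coverage of certificate names.
# All host and domain names below are constructed sample values.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, hostname):
    """Return True if one certificate name covers `hostname`.

    Conservative rules in the spirit of RFC 6125:
      * comparison is case-insensitive;
      * '*' is accepted only as the complete left-most label;
      * the wildcard stands for exactly one label, so it covers neither
        the bare domain nor names nested deeper;
      * at least two labels must follow the wildcard ('*.org' is refused).
    """
    pat, host = _labels(cert_name), _labels(hostname)
    if "" in pat or "" in host or len(pat) != len(host):
        return False
    if any("*" in label for label in pat[1:]):
        return False                      # wildcard outside left-most label
    if pat[0] == "*":
        return len(pat) >= 3 and pat[1:] == host[1:]
    if "*" in pat[0]:
        return False                      # partial wildcard such as 'w*'
    return pat == host


def uncovered(cert_names, vhosts):
    """Virtual hosts for which a client would show a name-mismatch warning."""
    return [v for v in vhosts
            if not any(name_matches(n, v) for n in cert_names)]


# Constructed virtual hosts served from one HTTPS server.
VHOSTS = [
    "www.mydomain.org",
    "shop.mydomain.org",
    "mydomain.org",
    "secure.shop.mydomain.org",
    "www.otherdomain.org",
]

# Three candidate certificates, each given as the list of names it carries.
CERTS = {
    "single name": ["www.mydomain.org"],
    "wildcard": ["*.mydomain.org"],
    "wildcard + extra names": ["*.mydomain.org", "mydomain.org",
                               "www.otherdomain.org"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        print(f"{label:24} uncovered: {uncovered(names, VHOSTS)}")
```

The wildcard alone still leaves the bare domain, the nested host and the host in the other domain uncovered, which is why it only helps when every virtual host sits exactly one label below the same domain.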



RE: URGENT : SSL Handshake failed

2001-01-25 Thread John . Airey

I hope you are kidding about using mod_ssl 2.2.7. The latest version is
2.7.1, which is what you should be running.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm 
John Airey 
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind, 
Bakewell Road, Peterborough PE2 6XU, 
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
-Original Message-
From: drt rappanah [mailto:[EMAIL PROTECTED]]
Sent: 25 January 2001 14:07
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: URGENT : SSL Handshake failed
Importance: High


Hi !!

I've installed a Netscape Certificate Server 4.2sp1 on a linux mandrake
7.2 (kernel 2.2.17-21)...
I've also installed an Apache 1.3.14 server with mod_perl 1.24_01,
mod_ssl 2.2.7, php 4.0.3pl1 and openssl 0.9.6...

 



RE: Rainbow Cryptoswift cards

2001-01-19 Thread John . Airey

> -Original Message-
> From: Rodney Thayer [mailto:[EMAIL PROTECTED]]
> Sent: 19 January 2001 14:52
> To: [EMAIL PROTECTED]
> Subject: Re: Rainbow Cryptoswift cards
> 
> 
> is there somewhere one can get a list of the supported engine cards?
> I mean, there are vendors out there, other than Rainbow, who'd like
> to put their two milli-euro's worth into this conversation but
> that would be impolite and a commercial advertisement
> 
> (yeah, yeah, read the source.  I mean a real list of the cards
> and how you buy them/etc.)
> 
> 
There's a list of supported cards in the openssl changelog at
http://www.openssl.org/news/changelog.html

Don't know anything else though.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



Rainbow Cryptoswift cards

2001-01-19 Thread John . Airey

I'm getting a Rainbow Cryptoswift card in the post today (thank you Santa,
although you are a bit late). 

Does anyone have experience of setting this up with mod-ssl? If so, can you
let me know how I do it. I understand I need to use shm rather than dbm, but
how do I get openssl to recognise the card?

I've the openssl change list, and it alleges support for these cards, but I
don't seem to have it. I'm using the pre-compiled rpms which I realise may
not have compiled this support in.

(I can't find anything else in the openssl or modssl docs to help me, hence
my post. The documentation available on the Rainbow site is scant as well)

Thank you. If no-one can help, I'll battle on and post my results later.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




RE: Can IMagesh and RShyamsundar be unsubscribed from the list?

2001-01-11 Thread John . Airey

That will work up to a point. Any messages already sent from their server
will have to be removed from the list's queue as well.

If it's any consolation someone used one of our mail servers to send a
shed-load of spam overnight. I've fixed it now, and it doesn't help that the
mail-abuse.org site tests didn't check for this one!

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



> -Original Message-
> From: Reddie, Steven [mailto:[EMAIL PROTECTED]]
> Sent: 11 January 2001 04:56
> To: [EMAIL PROTECTED]
> Subject: Can IMagesh and RShyamsundar be unsubscribed from the list?
> 
> 
> I assume that IMagesh and RShyamsundar are subscribers to the list.  Isn't
> an easy solution for them to be removed?
> 
> > -Original Message-
> > From:   [EMAIL PROTECTED]
> > [SMTP:[EMAIL PROTECTED]]
> > Sent:   Thursday, January 11, 2001 8:57 AM
> > To: [EMAIL PROTECTED]
> > Subject:Message status - undeliverable
> > 
> > The message that you sent was undeliverable to the following:
> > RShyamsundar << File: ATT1270713.txt >> 



RE: Re(2): Problem compilig under RH Linux 6.2

2001-01-09 Thread John . Airey

> -Original Message-
> From: Sebastian Paul Avarvarei [mailto:[EMAIL PROTECTED]]
> Sent: 08 January 2001 12:04
> To: [EMAIL PROTECTED]
> Subject: Re(2): Problem compilig under RH Linux 6.2
> 
> 
> Hello Paul,
> 
> Thanks for the fast reply, but I'm still a little puzzled 
> (sorry, I'm a big Linux fan, but not a good Linux admin yet :)
> 
> So I did a "rpm -qa", and I see that 
> "kernel-headers-2.2.14-5.0" is installed. On the other hand, 
> some time ago I deleted the kernel sources from HDD, to have 
> some more space. Do I need to put the sources back?
> 
> Also, can someone tell me how can I check if my kernel is 
> actually compiled with support for elf binaries? 
> 
> Thank you very much for helping a poor beginner.
> 
I should have mentioned that you can use the RPMs instead for openssl if you
want. They are at www.modssl.org/contrib/. Use the versions with "fixed" in
the title as there are installation problems with the other versions. 

I prefer them myself as it makes it easier to know what you have installed. 

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: Re(2): Problem compilig under RH Linux 6.2

2001-01-09 Thread John . Airey

> -Original Message-
> From: Sebastian Paul Avarvarei [mailto:[EMAIL PROTECTED]]
> Sent: 08 January 2001 12:04
> To: [EMAIL PROTECTED]
> Subject: Re(2): Problem compilig under RH Linux 6.2
> 
> 
> Hello Paul,
> 
> Thanks for the fast reply, but I'm still a little puzzled 
> (sorry, I'm a big Linux fan, but not a good Linux admin yet :)
> 
> So I did a "rpm -qa", and I see that 
> "kernel-headers-2.2.14-5.0" is installed. On the other hand, 
> some time ago I deleted the kernel sources from HDD, to have 
> some more space. Do I need to put the sources back?
> 
> Also, can someone tell me how can I check if my kernel is 
> actually compiled with support for elf binaries? 
> 
> Thank you very much for helping a poor beginner.
> 
> Best regards,
> Sebastian Paul Avarvarei
> E-mail: [EMAIL PROTECTED]
> 
Not strictly an openssl answer this, but basically you only need the kernel
source rpm installed if you are recompiling the kernel. Also, for Redhat
6.2, you really should be using the 2.2.16-3 kernel as there are other
problems with the older version.

Support for elf binaries comes with the out of the box installation, AFAIK.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: what is ISO 9796?

2000-12-12 Thread John . Airey

> And anyway, if ISO9796 is a standard about digital signature, shouldn't it
> be examined to see if OpenSSL can support it?
> 
> 

The interesting thing about the ISO is that it takes years to get around to
making standards or changes to standards. Have a look at how often ISO
3166-1 gets changed. It's about every three years, even though country names
often change more regularly than that. It was last updated in 1997. 

I would imagine that either OpenSSL already supports it, or the standard is
so dated as to have been superseded by other developments.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



RE: what is ISO 9796?

2000-12-11 Thread John . Airey

I don't think any of us has ISO 9796 to hand. Do you have a library that
would stock it? (They are all stocked on microfiche here in the UK at major
libraries). 

Other than going out and buying it, I don't know how you would be able to
compare the two, as I guess you've already seen the description on the ISO
site. I don't believe that ISO make the full standards available on the
'net. Although I appreciate that this standard covers data encryption, I
don't think it's that relevant to this list. Anyone care to differ?

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
> Sent: 11 December 2000 15:53
> To: [EMAIL PROTECTED]
> Subject: Re: what is ISO 9796?
> 
> 
> Sorry,
> I didn't specify kind of this ISO. This is like PKCS#1 sign algorithm (or
> something with create padding) and on ISO pages are only a buy this
> document.
> I would know differences between PKCS#1 and iso9796 coding (signing).
> 
> Martin
> 
> > The International Standards Organisation have a description of this and all
> > their standards at http://www.iso.ch/
> >
> > Totally off-topic question though.
> >
> > -
> > John Airey
> > Internet Systems Support Officer, ITCSD, Royal National Institute for the
> > Blind,
> > Bakewell Road, Peterborough PE2 6XU,
> > Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
> >
> >
> > > -Original Message-
> > > From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
> > > Sent: 11 December 2000 15:03
> > > To: [EMAIL PROTECTED]
> > > Subject: what is ISO 9796?
> > >
> > >
> > > have anybody description (or short description) of this document?
> > >
> > > Martin
> > >



RE: what is ISO 9796?

2000-12-11 Thread John . Airey

The International Standards Organisation have a description of this and all
their standards at http://www.iso.ch/

Totally off-topic question though.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Martin Szotkowski [mailto:[EMAIL PROTECTED]]
> Sent: 11 December 2000 15:03
> To: [EMAIL PROTECTED]
> Subject: what is ISO 9796?
> 
> 
> have anybody description (or short description) of this document?
> 
> Martin
> 



RE: Corrected openssl.spec file

2000-11-22 Thread John . Airey

This spec file is basically an amended version of what was already on the
contrib page. However, this file tried to create symlinks in directories
that don't normally exist (not on my machines, anyway) and remove a
directory as a file. This causes the installation script to fail as it is a
more serious error (on my system) than creating a directory that doesn't
exist or attempting to remove a non-empty directory. The package doesn't
install fully in this case.

Since I needed to fix this for my own purposes, I made it public.

I'm about to put this spec file on the contrib page and "fixed" versions of
the existing rpms. I hope that Steve, who recently posted to this list, will
find these useful as they install without errors (again, on my system).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
> Sent: 22 November 2000 15:20
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Corrected openssl.spec file
> 
> 
> From: [EMAIL PROTECTED]
> 
> John.Airey> This is the diff between my file and the old file. If I
> John.Airey> have this the wrong way round please let me know!
> 
> Actually, your file is much more different from the "standard" one
> than you showed us.  It seems to contain a lot of tweaks to make sure
> old SSLeay users don't get bothered and a lot of other stuff that I'm
> not sure really belongs in a .spec...
> 
> -- 
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
> Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
> Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> Software Engineer, Celo Communications: http://www.celocom.com/
> 
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
> 



RE: Openssl RPMs

2000-11-20 Thread John . Airey

Thank you all for your replies, especially Fonya's. 

I agree that modssl isn't openssl, but I find it odd that the RPMS for
openssl are being put on the modssl site rather than the openssl site (which
incidentally has only one contribution at www.openssl.org./contrib). Openssl
RPMS have a much wider use than just for modssl. Could they be moved? (I
think I should ask here first before asking the modssl list).

My reasons for being keen on RPMs are that I have to explain to less
technical people what we have installed and how to uninstall it if it goes
wrong. From my point of view it's easier to show someone how to install and
uninstall RPMs rather than explaining how to compile code from scratch. I'm
not averse to compiling programs with configure/make/etc, but my
colleagues wouldn't even know where to start. They don't even understand
what inetd does!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Villy Kruse [mailto:[EMAIL PROTECTED]]
> Sent: 20 November 2000 14:37
> To: [EMAIL PROTECTED]
> Subject: RE: Openssl RPMs
> 
> 
> 
> That is not the openssl site, though.  The modssl is something different.
> 
> BTW, is it still necessary to link from www.modssl.org to www.ssleay.org,
> considering that www.ssleay.org has very little ssl related stuff?
> 
> Villy




RE: Openssl RPMs

2000-11-20 Thread John . Airey

Thank you for your reply. However, I find it confusing that RPMs are
available from the modssl site yet I am unable to contact the person who
provided them. I have managed to contact one person who tells me that he
didn't provide them, and I've had no response so far from the only other
email address mentioned in the package ([EMAIL PROTECTED]).

If the status of these RPMs is now "unsupported" then I myself am perfectly
willing to provide and support these, but I would not wish to do that unless
I know that I'm not stepping on anyone else's toes. I have plenty of machines
at my disposal to create and test these on.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -Original Message-
> From: Ulf Moeller [mailto:[EMAIL PROTECTED]]
> Sent: 17 November 2000 17:07
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Openssl RPMs
> 
> 
> On Fri, Nov 17, 2000, [EMAIL PROTECTED] wrote:
> 
> > I've used the source rpm for openssl 0.9.6 to create the i386 version (using
> > "rpm --rebuild openssl-0.9.6-1.src.rpm from
> 
> > Why are there no longer i386 and i586 versions being made available?
> 
> The OpenSSL project doesn't provide RPMs. You'll have to ask whoever made
> them.
> 
> The official OpenSSL source creates i486 code with a few time-critical
> parts hand-optimized for Pentium. You can replace the -m486 flag with
> -march=pentiumpro if you have a relatively new compiler.
> 
> If you need to build code that also runs on i386 machines, you must use
> the config option "386". That will cause some algorithms to be slower.
> 



RE:

2000-11-10 Thread John . Airey

Sorry to correct you, but ssh is much more than secured telnet. Using
stunnel it is possible to encrypt telnet over an ssl link using a single key
of 40/56/128 bits (this would probably be using the openssl libraries to do
so). However ssh uses a combination of keys to encrypt the data. One of
those is the server session key that changes automatically every hour. 

This makes it more difficult to break ssh via brute force than ssl. However,
I'm not foolish enough to state that it is impossible to break, just very
difficult.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: David Walgamotte [mailto:[EMAIL PROTECTED]]
Sent: 08 November 2000 14:52
To: '[EMAIL PROTECTED]'
Subject: RE: 


ssh is secured telnet !

-Original Message-
From: Ian Diddams [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 08, 2000 8:56 AM
To: [EMAIL PROTECTED]
Subject: 



I've been tasked into investigating a link a 3rd party may be making to our
servers shortly over SSL.

I've downloaded OpenSSL and installed it etc... but frankly I don't know
what I'm supposed to do with it!

The 3rd party mentioned will basically be telnetting in over an SSL link I
am told (but nobody knows any more :-( ) ... so how exactly would such an
arrangement normally occur? Any ideas?
Apologies for the ignorance, but I have to start somewhere (the 3rd party
is not available for questioning AFAIUI).
Ian




RE:

2000-11-10 Thread John . Airey

There are at least two possibilities here:

Either the 3rd party is using ssh, a kind of secure telnet (that runs on
port 22)
Or the client is using an ssl encrypted connection to the telnet port (23)
or any other port for that matter.

If it is the latter case it's worth checking out "stunnel" which uses
openssl to encrypt data over a standard port. Some protocols can't use this
(eg ftp) as they don't use a single port.

I think you'll need some more information though!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: Ian Diddams [mailto:[EMAIL PROTECTED]]
Sent: 08 November 2000 14:56
To: [EMAIL PROTECTED]
Subject: 



I've been tasked into investigating a link a 3rd party may be making to our
servers shortly over SSL.

I've downloaded OpenSSL and installed it etc... but frankly I don't know
what I'm supposed to do with it!

The 3rd party mentioned will basically be telnetting in over an SSL link I
am told (but nobody knows any more :-( ) ... so how exactly would such an
arrangement normally occur? Any ideas?
Apologies for the ignorance, but I have to start somewhere (the 3rd party
is not available for questioning AFAIUI).
Ian




RE: Error Message : IP address does not match the server name

2000-10-30 Thread John . Airey

If memory serves me correctly, a "lame" DNS record is one where a server
thinks that record is authoritative, but actually isn't. Try querying another
DNS server at random to see what it thinks is your primary DNS.

If this is what is causing you a problem it isn't related to Openssl at all.


- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Sze Yee [mailto:[EMAIL PROTECTED]]
Sent: 29 October 2000 03:17
To: [EMAIL PROTECTED]
Subject: Error Message : IP address does not match the server name


Hi, all

I have set up openssl on a RedHat 6.1. I have
created a self-signed cert using the perl module
CA.pl.

When I try to send mail or receive mail using the SSL
connection using Outlook 98, the following error
message occurs: "IP address does not match the server
name".

I have entered my server name (host.domain) as my
common name (CN) in the certificate. I tried keying
in the IP address and the error message no longer
appears.

So, I am wondering if this is due to DNS error? (PS:
I have set up a DNS server as well. When viewing the
error log, there are error messages like "All A RR records are
lame".)

Thank you in advance

Regards, 
Sze Yee

