Re: Problems building 0.9.8a on Intel Mac
On 2006-04-14, at 12.26, Nils Larsch wrote: try a recent snapshot from the stable branch and let openssl build shared libraries (see first problem mentioned in the PROBLEM file). i tried the workaround described in the PROBLEMS file with openssl-0.9.8-stable-SNAP-20060417. openssl binary seems to compile fine but i still get errors building the tests: ... making all in test... cc -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN - DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common -c -o bntest.o bntest.c ( :; LIBDEPS=${LIBDEPS:--L.. -lssl -L.. -lcrypto }; LDCMD=$ {LDCMD:-cc}; LDFLAGS=${LDFLAGS:--DOPENSSL_THREADS -D_REENTRANT - DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common}; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' /dev/null 21; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH: $LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=bntest} bntest.o $ {LIBDEPS} ) /usr/bin/ld: Undefined symbols: _BN_GF2m_add _BN_GF2m_arr2poly _BN_GF2m_mod _BN_GF2m_mod_div _BN_GF2m_mod_exp _BN_GF2m_mod_inv _BN_GF2m_mod_mul _BN_GF2m_mod_solve_quad _BN_GF2m_mod_sqr _BN_GF2m_mod_sqrt _BN_generate_prime_ex collect2: ld returned 1 exit status make[2]: *** [link_app.] Error 1 make[1]: *** [bntest] Error 2 make: *** [build_tests] Error 1 here's the build procedure i'm using: cp apps/Makefile apps/Makefile.dist cp test/Makefile test/Makefile.dist sed -e 's/LIBCRYPTO=-L.. -lcrypto/LIBCRYPTO=..\/libcrypto.a/ s/LIBSSL=-L.. -lssl/LIBSSL=..\/libssl.a/' apps/Makefile.dist apps/ Makefile sed -e 's/LIBCRYPTO=-L.. -lcrypto/LIBCRYPTO=..\/libcrypto.a/ s/LIBSSL=-L.. -lssl/LIBSSL=..\/libssl.a/' test/Makefile.dist test/ Makefile ./config --prefix=/Users/aspa/tmp/098a -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [Crypt::SSLeay] mod_ssl overrides settings by mod_perl applications?
On 2006-02-14, at 16.44, Richard Eggert wrote: Thanks. That worked perfectly (well, actually, it failed, but that's what I wanted to happen). Is there any way for me to tell within my code which SSL has been loaded, or am I pretty much stuck having to both set the HTTPS_CA_FILE variable as well as set the IO::Socket::SSL's default context in all situations? i would recommend that you decide which module you want to use and make your code only work with that module. based on the code in libwww-perl Net/HTTPS.pm it looks like you could simply add a 'use IO::Socket::SSL;' line in your code to make LWP always use that module. you can determine whether a module has been loaded by testing package variable values such as $IO::Socket::SSL::VERSION. By the way, to answer your first question, they're both installed properly, as far as I can tell (they both came with the default Red Hat installation, I think). The Crypt::SSLeay version seems to get invoked whenever mod_ssl is disabled (since setting HTTPS_CA_FILE actually works properly in those cases), and the IO::Socket::SSL version gets invoked whenever mod_ssl is enabled. as noted above you can debug this by testing package variables for each module. br. aspa __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [Crypt::SSLeay] mod_ssl overrides settings by mod_perl applications?
On 2006-02-13, at 23.42, Richard Eggert wrote: It seems that it first tries to load the SSL module from Crypt::SSLeay first, and if that fails, it then tries to load IO::Socket::SSL, which, as far as I can tell, doesn't use HTTPS_CA_FILE (but may provide another mechanism for accomplishing the same thing). Could it be that perhaps loading mod_ssl is causing the load of Net::SSL to fail (symbol conflict?), resulting in it falling back to IO::Socket::SSL (which ignores HTTPS_CA_FILE)? do you have both IO::Socket::SSL (+Net::SSLeay) and Crypt::SSLeay properly installed on the system? Does IO::Socket::SSL provide a means for passing parameters via LWP::UserAgent (maybe through UserAgent's constructor or one of its other methods?)? It definitely seems to support verification of peer certificates in its interface, but it's unclear from the available documentation how one does that in conjunction with LWP::UserAgent, if that's even possible. If there is a way to do this, then an easy workaround seems to be to simply accomodate both configuration methods in my code. i just did some testing and with one caveat you can do it like this with IO::Socket:SSL and LWP: # NB: only works with ciphers that support certificate verification e.g. with Apache/mod_ssl: # SSLCipherSuite RSA # With some cipher suites server certificate may not be verified. use strict; use IO::Socket::SSL 0.97; use LWP::UserAgent; my $ctx = new IO::Socket::SSL::SSL_Context( SSL_verify_mode = 0x01, SSL_ca_file = 'certs/8086.pem', ); IO::Socket::SSL::set_default_context($ctx); my $ua = LWP::UserAgent-new(); my $rq = HTTP::Request-new(GET = 'https://foo.bar.int:8086/'); my $rt = $ua-request($rq); print $rt-content(); 1; br. aspa __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [Crypt::SSLeay] mod_ssl overrides settings by mod_perl applications?
Richard Eggert wrote: ... My best guess at what's happening is that mod_ssl is preloading libssl and configuring it according to its own requirements (and mod_ssl doesn't care about the certificates of other servers), and when my code runs (later) under mod_perl, the variables I'm sending it are being completely ignored. Apache/mod_ssl server configuration should not interfere with your libwww-perl/OpenSSL client configuration in any way. try to do some printf debugging and print the relevant environment variable values to a log file. do the variables have the correct values when the script is being run? br. aspa __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
OpenSSL 0.9.8a dumps core in SSL_CTX_load_verify_locations()
hi I'm having problems with the OpenSSL SSL_CTX_load_verify_locations() routine dumping core on Solaris 8 (sparc, 64-bit). I first noticed this problem with Apache mod_ssl but it can be reproduced with a minimal standalone C program which calls SSL_CTX_load_verify_locations (). I've only experienced this problem with one certain CA bundle file. The problem doesn't appear with OpenSSL release 0.9.7e (and at least d) but starting with f I'm getting core dumps (tested with i, g, f and 0.9.8a). Any ideas on what has changed between 0.9.7e and 0.9.7f that may be causing this? Here's the code for reproducing the problem: /* export PATH=/opt/local/gcc/4.0/bin:$PATH:/usr/ccs/bin:/opt/sfw/bin export or=/home/aspa/tmp/openssl098a coreadm -p core $$ gcc x509catest.c -g -m64 -I$or/include -L$or/lib -lssl -lcrypto - lsocket -ldl ./a.out */ #include openssl/ssl.h int main() { char *capath=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt; char *cafile; cafile=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/bundle.crt; cafile=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/ca- bundle.crt; SSL_load_error_strings(); SSL_library_init(); SSL_CTX *ctx = SSL_CTX_new(SSLv3_method()); int r = SSL_CTX_load_verify_locations(ctx, cafile, capath); printf(SSL_CTX_load_verify_locations: %d\n,r); } Here's the stack backtrace from the core file: #0 0x0001000639a8 in x509_object_cmp (a=value optimized out, b=value optimized out) at x509_lu.c:161 161 ret=((*a)-type - (*b)-type); (gdb) bt #0 0x0001000639a8 in x509_object_cmp (a=value optimized out, b=value optimized out) at x509_lu.c:161 #1 0x7ef53a9c in qsort () from /usr/lib/64/libc.so.1 #2 0x00010004d9ac in sk_sort (st=0x1002351a0) at stack.c:331 #3 0x00010004dac0 in sk_find (st=0x1002351a0, data=0x100291900 ) at stack.c:227 #4 0x0001000640f4 in X509_OBJECT_retrieve_match (h=0x1002351a0, x=0x100291900) at x509_lu.c:460 #5 0x000100064354 in X509_STORE_add_cert (ctx=0x10021db80, x=0x100257f70) at x509_lu.c:344 #6 0x0001000663e8 in X509_load_cert_crl_file (ctx=0x1002354a0, file=value optimized out, type=value optimized out) at by_file.c:287 #7 0x000100066504 in by_file_ctrl (ctx=0x1002354a0, cmd=1, argp=0x18 Address 0x18 out of bounds, argl=1, ret=0x0) at by_file.c:120 #8 0x000100063858 in X509_LOOKUP_ctrl (ctx=0x0, cmd=1, argc=0x1000d0210 /home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/ ca-bundle.crt, argl=1, ret=0x0) at x509_lu.c:117 #9 0x000100060258 in X509_STORE_load_locations (ctx=0x10021db80, file=0x1000d0210 /home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/ ca-bundle.crt, path=0x1000d01a0 /home/aspa/kronodoc/dev-3.4/httpd/conf/ ssl.crt) at x509_d2.c:92 #10 0x000100023e64 in main () at x509catest.c:17 Here's the exact build procedure I'm using to build OpenSSL: # build OpenSSL export PATH=/opt/local/gcc/4.0/bin:$PATH:/usr/ccs/bin:/opt/sfw/bin perl Configure solaris64-sparcv9-gcc no-idea no-shared -g -fPIC -- prefix=/home/aspa/tmp/openssl098a gmake depend gmake gmake test gmake install -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
SSL_CTX_load_verify_locations dumps core (Apache/Solaris 8)
hi I'm having problems with Apache 2.0.55 mod_ssl + OpenSSL on Solaris 8 (sparc, 64-bit). When I start Apache with SSL enabled the process dumps core during initialization when client certificate verification has been configured with a certain certificate bundle file. The can't be reproduced on Red Hat Enterprise Linux 3 and 4 (ia32, 32-bit) or HP-UX 11i v1 (pa-risc, 64-bit). Where should I report this issue? It's related to Apache but the interesting thing is that it doesn't happen with all OpenSSL versions. The issue appears at least with the following OpenSSL versions - OpenSSL 0.9.8a - OpenSSL 0.9.7i - OpenSSL 0.9.7g but for example not with - OpenSSL 0.9.7e - OpenSSL 0.9.7d The issue can be reproduced by setting up Apache with SSL and adding the following config directives: SSLCACertificatePath /home/aspa/tmp/h2/conf/ssl.crt SSLCACertificateFile /home/aspa/tmp/h2/conf/ssl.crt/ca-bundle.crt It seems to be triggered by a certain certificate bundle file, not all. The core dump seems to be resulting from a SSL_CTX_load_verify_locations() call in ssl_engine_init() in Apache. Here's the exact procedure used for building Apache: # set build path export PATH=/opt/local/gcc/4.0/bin:$PATH:/usr/ccs/bin:/opt/sfw/bin # build OpenSSL perl Configure solaris64-sparcv9-gcc31 no-idea no-shared -fPIC \ --prefix=/home/aspa/tmp/openssl097f gmake depend gmake gmake test gmake install # build Apache 2.0.55 CC=gcc -static-libgcc -g CFLAGS=-mcpu=v9 -m64 \ ./configure --prefix=/home/aspa/tmp/h2 \ --enable-ssl --with-ssl=/home/aspa/tmp/openssl097f gmake gmake install br. aspa __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL 0.9.7d test failures on HP-UX 11.00 (hpux-parisc2-cc)
apparently my knowledge of HP compilers was a bit lacking. the hpux-parisc2-cc target seems to have been written with HP C/ANSI C, not HP aC++ compiler in mind. with the latest version (B.11.11.08) of HP C/ANSI C compiler OpenSSL 0.9.7d compiles without problems on HP-UX 11.00 using the hpux-parisc2-cc target. but it seems to compile fine with aC++ 3.52 with the optimization level downgrade. also, makedepend seems to be part of the imake package. best regards, aspa Marko Asplund wrote: i've upgraded my C compiler from an older version of HP aC++ to v3.52 on HP-UX 11.00 and i'm trying to build OpenSSL v0.9.7d using the hpux-parisc2-cc target. using the old compiler version OpenSSL build went ok but using the new one some tests, e.g. destest, are failing (see attached typescript for details). i experimented with the optimization levels for this target and noticed that changing +O3 to +O2 fixes this problem. is this a bug in OpenSSL or the compiler? i'm also getting some error messages about makedepend command not being found during 'make depend'. is this fatal when building from a fresh source tree? where can i get the makedepend program? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
HP-UX build problems with 0.9.7
i'm having a few problems building OpenSSL 0.9.7 on a HP-UX 11.00 machine using the HP Ansi C compiler. here's a list of the issues i've noticed so far (i've listed configuration options and error messages below): 1) when compiling for hpux-parisc2-cc target with no-asm option BN_kronecker test fails. 2) error messages during 'make depend' when not using gcc and makedepend is installed on the system (HP Ansi C Developer's Bundle, imake package). seems like this version of makedepend is not supported. maybe Configure should check that the system makedepend is suitable for building OpenSSL before using it. 3) shared library linking fails with hpux-parisc2-cc target. is anyone actually using OpenSSL 0.9.7 (or 0.9.6) compiled with some other compiler than gcc on HP-UX 11.00? how well are other compilers supported? i'd like to use HP Ansi C compiler instead of gcc because of the noticeable performance benefits in public key operations (benchmarking done with 'openssl speed'). 1) config: perl Configure no-idea no-asm --prefix=/opt/local/openssl/0.9.7-apache hpux-parisc2-cc error: test BN_kronecker 2) config: perl Configure no-idea --prefix=/opt/local/openssl/0.9.7-apache hpux-parisc2-cc error: ../util/domd .. -MD makedepend -- -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL -DOPENSSL_NO_KRB5 -DOPENSSL_NO_IDEA +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -I. -I.. -I../include -DOPENSSL_NO_IDEA -- cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c cryptlib.c:433: !defined(_POSIX_C_SOURCE) || (_POSIX_C_SOURCE 199309L) ^--- expecting ) 3) config: perl Configure no-idea shared --prefix=/opt/local/openssl/0.9.7-apache hpux-parisc2-cc error: + /usr/ccs/bin/ld +vnocompatwarnings -b -z +s -o libcrypto.sl.0.9.7 +h +libcrypto.sl.0.9.7 -Fl libcrypto.a -ldld -lc /usr/ccs/bin/ld: DP relative code in file libcrypto.a(pa-risc2.o) - shared library must be position independent. Use +z or +Z to recompile. *** Error exit code 1 -- aspahttp://www.kronodoc.fi/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ISO 8859-1 characters in certificates?
hi are X509 certificate fields allowed to contain non-ASCII ISO 8859-1 characters? -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: HP-UX application linking problems
On Tue, 26 Feb 2002, Lutz Jaenicke wrote: ... Hmm, hmm. I am not sure whether it is part of the assember code itself or of the flags. ... * As no ASFLAGS are specified, +z/+Z is nowhere set when building. I just tried to manually build pa-risc2.o calling as +Z -o pa-risc2.o pa-risc2.s but as gave me quite a lot of error messages on my 10.20 box... i was able to assemble pa-risc2.s by hand using the HP assembler on 11.0 but compiling OpenSSL with the pa-risc2.o object file didn't help with the position depence problem. is there a way to check if an object file contains position independent? i've tried contacting the pa-risc2.s author, Chris Ruemmler, but there hasn't been any answer, yet. best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: HP-UX application linking problems
On Wed, 20 Feb 2002, Reiner Buehl wrote: it seems like you are using the wrong compiler flags. Try adding -Ae +z to your CFLAGS for the HP Ansi C-Compiler. Note that the standard compiler that ships with the OS can not be used! If you do not have the HP Ansi CC use gcc and replace the flags mentioned above by -fPIC. i tried compiling with the HP cc and gcc. the HP cc seems to produce a faster OpenSSL so i'd like to prefer that over gcc. i've succesfully built OpenSSL v0.9.6c with HP cc for both hpux-parisc-cc and hpux-parisc2-cc targets. the strange thing is that when i try compiling Net::SSLeay against OpenSSL built for hpux-parisc-cc target the compilation goes without any glitches but when i try compiling against hpux-parisc2-cc OpenSSL i run into problems. i tried adding +z and +Ae which you suggested using the following configuration command: /opt/local/perl-5.005_03/bin/perl Makefile.PL /opt/local/openssl-noidea/0.9.6c-cc-pa2 CCFLAGS='-D_HPUX_SOURCE -Ae -I/usr/local/include' CCCDLFLAGS=+z but this still results in the same problem: /opt/local/perl-5.005_03/bin/perl -I/opt/local/perl-5.005_03/lib/5.00503/PA-RISC2.0 -I/opt/local/perl-5.005_03/lib/5.00503 /opt/local/perl-5.005_03/lib/5.00503/ExtUtils/xsubpp -typemap /opt/local/perl-5.005_03/lib/5.00503/ExtUtils/typemap -typemap typemap SSLeay.xs xstmp.c mv xstmp.c SSLeay.c cc -c -I/opt/local/openssl-noidea/0.9.6c-cc-pa2/include -D_HPUX_SOURCE -Ae -I/usr/local/include -O -DVERSION=\1.13\ -DXS_VERSION=\1.13\ +z -I/opt/local/perl-5.005_03/lib/5.00503/PA-RISC2.0/CORE SSLeay.c Running Mkbootstrap for Net::SSLeay () chmod 644 SSLeay.bs LD_RUN_PATH=/opt/local/openssl-noidea/0.9.6c-cc-pa2/lib ld -o blib/arch/auto/Net/SSLeay/SSLeay.sl -b -L/usr/local/lib SSLeay.o -L/opt/local/openssl-noidea/0.9.6c-cc-pa2 -L/opt/local/openssl-noidea/0.9.6c-cc-pa2/lib -lssl -lcrypto ld: DP relative code in file /opt/local/openssl-noidea/0.9.6c-cc-pa2/lib/libcrypto.a(pa-risc2.o) - shared library must be position independent. Use +z or +Z to recompile. *** Error exit code 1 i've also tried it with the +Z flag instead of +z but the result is the same. the OpenSSL hpux-parisc2-cc uses the following compiler options: +Z -DTHREADS -D_REENTRANT -DDSO_DL -DNO_IDEA +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
HP-UX application linking problems
i'm trying to build Net::SSLeay v1.13 with OpenSSL v0.9.6c on HP-UX B.11.00. first the compilation fails because the compiler doesn't understand long long type used in include/openssl/bn.h include file. after fixing this the compilation goes fine but linking fails with the following error message (full typescript attached): ... LD_RUN_PATH=/opt/local/openssl-noidea/0.9.6c-cc/lib ld -o blib/arch/auto/Net/SSLeay/SSLeay.sl -b -L/usr/local/lib SSLeay.o -L/opt/local/openssl-noidea/0.9.6c-cc -L/opt/local/openssl-noidea/0.9.6c-cc/lib -lssl -lcrypto ld: DP relative code in file /opt/local/openssl-noidea/0.9.6c-cc/lib/libcrypto.a(pa-risc2.o) - shared library must be position independent. Use +z or +Z to recompile. *** Error exit code 1 Stop. can someone explain why the linker fails here? the OpenSSL object files were compiled with the '+Z' option and '+z' option was used when compiling SSLeay.o. -- aspa Script started on Tue Feb 19 17:27:06 2002 /opt/local/perl-5.005_03/bin/perl Makefile.PL /opt/local/openssl-noidea/0.9.6c -cc Checking for OpenSSL-0.9.6c or newer... You have OpenSSL-0.9.6c installed in /opt/local/openssl-noidea/0.9.6c-cc Writing Makefile for Net::SSLeay::Handle Writing Makefile for Net::SSLeay make Manifying ../blib/man3/Net::SSLeay::Handle.3 cc -c -I/opt/local/openssl-noidea/0.9.6c-cc/include -D_HPUX_SOURCE -Aa -I/usr/local/include -O -DVERSION=\1.13\ -DXS_VERSION=\1.13\ +z -I/opt/local/perl-5.005_03/lib/5.00503/PA-RISC2.0/CORE SSLeay.c cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 235: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 272: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 336: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 354: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 354: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 355: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 355: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 356: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 357: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 358: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 359: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 360: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 371: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 456: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 456: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 456: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 456: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 457: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 457: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 457: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 457: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 458: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 458: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 459: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 459: error 1681: Must use +e or -Ae for long long in ANSI mode. cc: /opt/local/openssl-noidea/0.9.6c-cc/include/openssl/bn.h, line 459: error 1681: Must use +e or -Ae for long
Re: SQL DB instead of index.txt
On Sun, 27 Jan 2002, Bear Giles wrote: ... Long term, it would be best to create an abstraction layer that would allow any backend to be used. I can think of multiple common storage formats: text files, DBM files, LDAP, RDBMS. But that's definitely not a 0.9.7 task! why not use an existing database abstraction layer such as libdbi or ODBC? http://libdbi.sourceforge.net/ http://www.unixodbc.org/ -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: https
On Tue, 20 Nov 2001, Keary Suska wrote: ... I would recommend that you remove Net::SSLeay and install Crypt::SSLeay. The former is no longer being maintained (and is considered deprecated), and may not function properly with newer openssl versions, but the latter is being actively maintained and I have been having good results from it. i'm using the latest Net::SSLeay version (1.08) with no problems and it does support OpenSSL v0.9.6b quite well. Net::SSLeay is maintained and not depricated at all, IMHO. -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: https
On Wed, 21 Nov 2001, Keary Suska wrote: ... It's your choice which to use, though the read me states that Net::SSLeay doesn't directly support LWP, so I imagine you will get better results with LWP if you use the library recommended by the author. yes, this choice is a matter of opinion - to my knowledge there aren't any known reliability issues involved. it is true that Net::SSLeay doesn't directly support LWP. for this you need to install IO::Socket::SSL which is mainly why i originally recommended using Crypt::SSLeay in the LWP README.SSL, so that the installation would be as easy as possible for the average user. -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL PRNG analysis
has anyone done an analysis of the OpenSSL PRNG which would be available for public? i've read the Random Number Generation chapter of Peter Gutmann's PhD thesis (The Design and Verification of a Cryptographic Security Architecture, http://www.cryptoapps.com/~peter/06_random.pdf) which contains an analysis of the design of OpenSSL PRNG but has anyone analysed the random numbers generated? does the PRNG contain mechanisms for statistically analysing its output? have there been any plans for including statistical randomness tests in the PRNG output? do these tests like the Maurer's universal statistical test catch PRNG errors in practice? best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Darwin builds
On Wed, 25 Jul 2001, CJ Holmes wrote: ... prebind does a neat trick where is pre-resolves the location of all the symbols needed in the dynamic libraries used by a binary. This speeds up launch time dramatically. If you app is pre-bound to its dynamic libraries, and they are all pre-bound to their dynamic libs, then launching an app is much faster. But if the library is not the same as the one your app was pre-bound to, then the loader reverts to the normal linking procedures. Prebinding only works if the app and ALL of its dynamic libs have been prebound, so it isn't always possible to get it working for a specific app. when i try to use the prebind linker flag i get the following warnings when linking libssl: [spatburgunder:~/tmp/openssl-0.9.6b] aspa% cc -prebind -dynamiclib -all_load -o libssl.0.9.6.dylib -compatibility_version 0.9.6 -current_version 0.9.6 libssl.a -L. -lcrypto ld: warning prebinding disabled because (__TEXT segment (address = 0x0 size = 0x2f000) of libssl.0.9.6.dylib overlaps with __TEXT segment (address = 0x0 size = 0xab000) of libcrypto.0.9.6.dylib ld: warning prebinding disabled because (__DATA segment (address = 0x2f000 size = 0x3000) of libssl.0.9.6.dylib overlaps with __TEXT segment (address = 0x0 size = 0xab000) of libcrypto.0.9.6.dylib ld: warning prebinding disabled because (__LINKEDIT segment (address = 0x32000 size = 0xe000) of libssl.0.9.6.dylib overlaps with __TEXT segment (address = 0x0 size = 0xab000) of libcrypto.0.9.6.dylib any ideas on how to get rid of these warnings? -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Darwin builds
On Mon, 23 Jul 2001, hunter wrote: no i have not, i took a previous suggestion and moved the libcryto amd libssl out of /usr/lib but now i get: cc -o openssl -DMONOLITH -I../include -O3 -DB_ENDIAN openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.. -lssl -L.. -lcrypto /usr/bin/ld: Undefined symbols: _ftime make[1]: *** [openssl] Error 1 make: *** [sub_all] Error 1 Is there something like ldconfig i need or can run that will correct this? And do you have any other ideas? this should only appear if the sources were compiled without -DUSE_TOD. the patch you've applied should add this. maybe your source tree hasn't been properly cleaned after the initial Configure. please, try and delete your whole OpenSSL source tree, untar it again, apply the patch and run the following commands: ./Configure rhapsody-ppc-cc shared make best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Darwin builds
On Mon, 23 Jul 2001, hunter wrote: ... [agmacosx:~/openssl-0.9.6b] root# ./Configure rhapsody-ppc-cc shared Configuring for rhapsody-ppc-cc IsWindows=0 CC=cc CFLAG =-O3 -DB_ENDIAN -DUSE_TOD -DPEDANTIC EX_LIBS = BN_ASM=bn_asm.o DES_ENC =des_enc.o fcrypt_b.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM = RMD160_OBJ_ASM= PROCESSOR = RANLIB=/usr/bin/ranlib PERL =/usr/bin/perl THIRTY_TWO_BIT mode DES_UNROLL used BN_LLONG mode RC4 uses uchar RC4_CHUNK is unsigned long BF_PTR used Makefile.ssl:368: *** commands commence before first target. Stop. ... i'm attaching my Makefile.ssl (patched) and a typescript of my configuration process to this email. could you please diff the Makefile.ssl against your patched version. also, you could check that the typescript corresponds to your configuration steps. are you running Configure as root? try running as a regular user. what does 'patch --version', 'make --version' and 'uname -a' say? best regards, -- aspa openssl-macosx-conf.tgz
Re: Darwin Builds
On Mon, 23 Jul 2001, hunter wrote: ... snip cc -o openssl -DMONOLITH -I../include -O3 -DB_ENDIAN openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.. -lssl -L.. -lcrypto /usr/bin/ld: Undefined symbols: _X509_STORE_CTX_set_flags _X509_STORE_CTX_trusted_stack _sk_new_null _ASN1_parse_dump _ERR_error_string_n _X509_CRL_digest _d2i_RSA_NET _i2d_RSA_NET _ASN1_UTCTIME_cmp_time_t _X509_email_free _X509_get1_email _MD4 _ftime _X509_NAME_print_ex _d2i_PUBKEY_bio make[1]: *** [openssl] Error 1 make: *** [sub_all] Error 1 Any ideas? I finally got through the configure without error and now come across this. Any help would be greatly appreciate as i am trying to get mod_ssl-2.8.4-1.3.20 built for the latest apache on this server and obviously cant go forward if openssl isnt compiled and installed properly. yes, this is a problem with the MacOS X linker not respecting the '-L..' option properly. the linker seems to prefer the OpenSSL libraries previously installed on your system and tries to link the openssl utility against them. try temporarily mv'ing libcrypto and libssl (probably) in /usr/lib somewhere else while compiling. best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Darwin builds
On Sun, 22 Jul 2001, hunter wrote: i used the patch and ran and received the following: [agmacosx:~/openssl-engine-0.9.6b] root# ./Configure rhapsody-ppc-cc shared Configuring for rhapsody-ppc-cc IsWindows=0 CC=cc CFLAG =-O3 -DB_ENDIAN -DUSE_TOD -DPEDANTIC EX_LIBS = BN_ASM=bn_asm.o DES_ENC =des_enc.o fcrypt_b.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM = RMD160_OBJ_ASM= PROCESSOR = RANLIB=/usr/bin/ranlib PERL =/usr/bin/perl THIRTY_TWO_BIT mode DES_UNROLL used BN_LLONG mode RC4 uses uchar RC4_CHUNK is unsigned long BF_PTR used Makefile.ssl:367: *** commands commence before first target. Stop. ... did you already manage to resolve this problem? best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Trying to install it on Mac OS X
On Thu, 19 Jul 2001 [EMAIL PROTECTED] wrote: How can I install OpenSSL on Mac OS X ? Running config it tells it does not recognize the system ? go here for some hints: http://www.macosxhints.com/search.php?query=opensslmode=searchdatestart=0dateend=0topic=0type=storiesautho=0 the instructions there tell to use config for configuring OpenSSL. on my system this this produces the following message: Operating system: Power Macintosh-whatever-Darwin This system (Darwin) is not supported. See file INSTALL for details. i use Configure ./Configure -DUSE_TOD -DPEDANTIC rhapsody-ppc-cc to configure OpenSSL v0.9.6b source tree on my system. best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL session resumption
does OpenSSL automatically resume SSL sessions on server side if the same SSL_CTX object is used for all the client connections? or are some steps required to enable session resumption? what about on the client side? i've gotten the impression that the client application needs to keep track of server address-port pairs and associate SSL sessions to these using SSL_get_session() and SSL_set_session(). is this correct? best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: pop3+ssl
On Mon, 16 Jul 2001, Gazi Altafin wrote: How I'd to make a pop3+ssl server ? do you want to implement the whole thing by yourself or are you just looking for a pop server to use? the UW Imapd can speak pop3 over ssl: http://www.washington.edu/imap/ -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: nonblocking SSLeay stuff
On Fri, 13 Jul 2001, Noel Burton-Krahn wrote: That's my email. No, I didn't submit it to the Net::SSLeay maintainer. Sorry, I got distracted. They're welcome to it, I just don't know their address. the Net::SSLeay homepage (http://www.bacus.pt/Net_SSLeay/index.html) states Sampo Kellomäki ([EMAIL PROTECTED]) as the package's maintainer. i for one would like to see Noel's nonblocking I/O patch go into Net::SSLeay as it would provide the basis for IO::Socket::SSL nonblocking interface. one thing i didn't understand though, is the purpose of SSL_ssl_read()? doesn't it suffice to implement SSL_get_error() in Net::SSLeay and then just check the return value from SSL_get_error() after SSL I/O function calls? best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Memory Leak: Perl, OpenSSL, LWP https requests
On Wed, 6 Sep 2000 [EMAIL PROTECTED] wrote: when using the following combinations I got memory leaks by sending SSL-requests via LWP objects. I do not got such problems when using e.g. Net::SSLeay::get_https directly. you mentioned having both Crypt-SSLeay and IO-Socket-SSL in your environment. LWP uses only _one_ of these modules for SSL/TLS support if both are installed. Crypt-SSLeay is the default one. -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CommonName in Thawte Server Certificates
i just started the Thawte Server Cert Enrollment process on Thawte's web pages (https://www.thawte.com/cgi/server/step1.exe). on the first page of the enrollment process i cut and pasted the Certificate Signing Request. on the second page of the enrollment i got puzzled by a piece of text which states that: Desired Secure URL: https://puppa.huuhaa.org/ It is very important that you confirm that you wish to secure the web server at puppa.huuhaa.org. Based on the current request details, if your secure URL begins with anything other than https://puppa.huuhaa.org/ then most browsers will give a warning about a mismatched certificate site name. i'm a bit confused by this message. the common name field in the certificate signing request is CN=puppa.huuhaa.org. how can it be that browsers would give name mismatch warnings if the URL used is not https://puppa.huuhaa.org/? don't browsers match server name against the certificate's CN field's value and not the URL through which the server is accessed? -- marko asplund __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CommonName in Thawte Server Certificates
On Mon, 21 Aug 2000, Lutz Jaenicke wrote: ... The browsers don't have the slightest idea on the "server name". The only reliable information is the URL. A hostname being obtained by DNS lookup may already be faked by someone tampering with your DNS servers (or packets). A server name sent by the server itself is also not trustworthy. If you want to connect to "https://www.my-bank.com", you want to be sure to be connected to www.my-bank.com and not to "www.bandits.org", regardless of any other server names/DNS entries... yes, but how is CommonName matched exactly? is it only matched against the hostname extracted from a URL? Thawte's web pages say that if CN=www.bandits.org this only matches to URLs that begin with https://www.bandits.org/. but what about e.g. imaps://www.bandits.org/ and https://www.bandits.org:/? -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
checking configuration options
is there a way for checking the configuration options of an OpenSSL installation? -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to get Net::SSLeay to work with client cert
On Tue, 30 Nov 1999, Reiner Buehl wrote: I'd like to post some stuff to a https server from a perl script using client cert secured SSL v3 connections. At the moment everything works with server cert SSL v2 but I have no idea how to switch to SSL v3. you can specify the prefered protocol version with $Net::SSLeay::ssl_version. see SSLeay.pm. How do I tell my script which cert file to use and which password is needed to use it? Is this possible with perl and Net::SSLeay (or another perl module) and if so could somebody point me to some sample code for this particular case? for RSA key exchange you could use Net::SSLeay::CTX_use_RSAPrivateKey_file() and Net::SSLeay::CTX_use_certificate_file() routines for example. also, if you're using Net::SSLeay for talking to a web server you might want to check out libwww-perl. best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: certificates of major CAs
On Mon, 28 Jun 1999, Martin Kuba wrote: ... Thanks you all for help. I have found this link: http://www.columbia.edu/~ariel/good-certs/ns45/ on www.openssl.org which leads to a page with certificates extracted from Netscape4.5 you can also try the attached perl script for exporting Netscape certs in case you don't want to download them. -- aspa # # a script for exporting Netscape navigator's certificate database # ([EMAIL PROTECTED]). # # $Id: export_certs.pl,v 1.2 1999/05/28 15:33:50 aspa Exp aspa $. # # additional information: # - http://www.drh-consultancy.demon.co.uk/cert7.html # - man xxd # # conversion from DER format: # /usr/local/ssl/bin/x509 -inform der -text cert.der # use strict; my (%certhash, $key, $val); my $cert_db_path = $ENV{'HOME'} . "/.netscape/cert7"; my $rcnt = 0; print STDERR "opening '$cert_db_path'.\n"; if( ! dbmopen(%certhash, $cert_db_path, undef) ) { print STDERR "dbmopen failed: '$!'.\n"; } while ( ($key, $val) = each %certhash ) { my ($rec_type, $data, $klen, $vlen, $cert); $rcnt++; # get key info: [type] [data] ($rec_type, $data) = unpack("Ca*", $key); # get additional diagnostics info. $klen = length($key); $vlen = length($val); print STDERR "$rcnt: \t record type: '$rec_type'. key len: " . "'$klen, \t value len: '$vlen'.\n"; # check record type. if($rec_type != 1) { # not a certificate record. skip it. next; } # it is a certificate record. # certificates are stored in DER format starting at offset 13. $cert = substr($val, 13); # save cert in DER format. open(C_FILE, "tmp/cert-$rcnt.der"); print C_FILE "$cert"; close(C_FILE); } dbmclose(%certhash);
a perl interface to OpenSSL
in case someone is interested, i'm writing a perl interface (called Net::SSL) to OpenSSL. at first, it was meant to be a Net::SSL (in Gisle Aas's Crypt-SSLeay package) emulation library that would fix libwww-perl's support for https scheme URLs. the library provides an interface similar to that of IO::Socket::INET. i've managed to write an experimental client and server with it in the spirit of IO::Socket::INET. it also appears to be working with LWP and i'm able to use https URLs through LWP. the library uses Net::SSLeay v1.03 so you have to have it installed. the interface library and test scripts can be found at: http://www.hip.fi/~aspa/SSL/net_ssl.tgz any comments are welcome, best regards, -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: apache+ssl HOWTO?
On Wed, 26 May 1999, geoffrey wrote: ... this is the first apache+ssl server I have built; so, my knowledge of ssl servers, and ssl in general, is very limited. Is there an apache+ssl HOWTO, or a general primer on ssl servers? I would like to find a source of information on what the different aspects of openssl do, what certificates can be, and need to be, generated for running an ssl-enabled storefront on the web, etc. All pointers are heartily welcomed! not directly related to apache-ssl but, you could try using mod_ssl's (http://www.modssl.org) documentation as one of you starting points. -- aspa __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]