Compilation options
FWIW, every build I do of openssl on my machine (an AMD Duron 650), I edit the Makefile after ./config and change '-m486' to '-march=athlon'. I find this works well enough, but was wondering if there's any good benchmark of openssl performance as it relates to SSL/TLS (for mod_ssl) and OpenSSH. Thank you.

- OpenSSL self-test report:
OpenSSL version: 0.9.6g
Last change: [In 0.9.6g-engine release:]...
Options: shared --prefix=/usr --openssldir=/usr/local/ssl
OS (uname): Linux mbabcock.cytech 2.4.19 #1 Tue Sep 10 23:20:08 EDT 2002 i686 unknown
OS (config): i686-whatever-linux2
Target (default): linux-elf
Target: linux-elf
Compiler: gcc version 2.96 2731 (Red Hat Linux 7.2 2.96-108.7.2)
Test passed.

-- Michael T. Babcock, CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc) http://www.fibrespeed.net/~mbabcock/

__ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: you suck
Some of us instead sent much longer and more descriptive comments to the postmaster and other addresses at the domain in question.

Cool, direct and to the point. I guess many of us feel this way, but are not able to put it into such a direct statement.
Re: Time to Refinance?
To whom it may concern,

Please note: since this list munges the Reply-To: header, all replies go to the list unless you manually cut and paste the sender's address into the To: field.
Re: shared vs. static libraries
Austin Hung wrote:
Additionally, the shared libraries get installed incorrectly, that is, it creates three instances of the same file and names them lib*.so, lib*.so.0, and lib*.so.0.9.6 (where * is either crypto or ssl), when I *think* the first two should be symbolic links. I'm not sure if this is a Makefile problem or a ranlib problem (ranlib gives errors on the first two since they are symbolic links in the build directory). I am using the latest and greatest Make and ranlib.

I've had this problem too. I do my ./config, make, make install, then a ./config shared, make, make install, then I delete the .so.0* files and run ldconfig to create them properly (on Linux).

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: mailtag.com is fixed, I think
It would be nice to know which responders are causing these problems, then contact the authors w.r.t. "x-list-*" headers (and ignore messages with them).

"Michael H. Warfield" wrote:
On Sun, Feb 25, 2001 at 11:29:34PM -0500, Rich Salz wrote:
I got email from webmaster at mailtag. I think they fixed their problem, but I can't quite understand the following direct quote: We shut off our responder...however; it is going back on now...so hopefully all your mailing list stuff is finished.

Excellent. This is most wonderful. Every time I need to deal with another brain damaged autoresponder, I have to spend TOO much time (10ms) locating another one to tie them into an E-Mail food fight. If they have turned their autoresponder back on and are insisting that they are right, I can note them down as a live exploitable reflector for the next time I need one!

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: Auto response
Stop sending these -- you're flooding a mailing list.

[EMAIL PROTECTED] wrote:
Hello there. This is an automated message. This email is from [EMAIL PROTECTED] am the main administrator for mailtag.com. I get all emails that are sent to mailtag without a recipient or that are sent to invalid email addresses. You have just sent an email to someone at mailtag.com that did not have the proper recipient name on it, or have left your recipient name on your email blank. Please resend this email with the fully qualified domain name, and username. If you have any more questions, or are intending to send an email to [EMAIL PROTECTED] I will get it. All messages are read by a human eventually. Thank you for using mailtag. jAKeStone

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: OpenSSL mailing list SPAM report
It's an autoresponder, not a spammer -- just block them with 'kill thread' in your mailer ...

Insh_Allah wrote:
Hi, I report the user '[EMAIL PROTECTED]' as a SPAMMER on the [EMAIL PROTECTED] and [EMAIL PROTECTED] email mailing lists. Since having received 150+ unsolicited emails, with identical contents, from the above-mentioned user within the last 2 hours, I think some quick action is appropriate. This SPAMMER does harm quite a few people's capabilities on this email list, as this SPAMMER is filling and overflowing quite a few people's mailboxes.

FYI: here's the abusing email source (within the triple-dash lines):
---
Received: from ossp.org ([62.208.181.50]) by hetnet.nl with Microsoft SMTPSVC(5.5.1877.647.64); Mon, 26 Feb 2001 00:49:15 +0100
Received: by mail.ossp.org (Sendmail 8.11.0+/smtpfeed 1.07) for openssl-dev-L2 id f1PNkqW57158; Mon, 26 Feb 2001 00:46:52 +0100 (CET)
Received: by mail.ossp.org (Sendmail 8.11.0+) via ESMTP for [EMAIL PROTECTED] from opensource.ee.ethz.ch id f1PNkqW57155; Mon, 26 Feb 2001 00:46:52 +0100 (CET)
Received: by en5.engelschall.com (Sendmail 8.9.2/smtpfeed 1.06) for openssl-dev-L id AAA28704; Mon, 26 Feb 2001 00:46:45 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via SMTP for [EMAIL PROTECTED] from mailtag.com id AAA28690; Mon, 26 Feb 2001 00:46:33 +0100 (MET)
From: [EMAIL PROTECTED]
Received: by mailtag.com (Wildcat) id 20595W Sun, 25 Feb 2001 17:46:19 -0600
Subject: Auto response
Date: Sun, 25 Feb 2001 17:46:19 -0600
Message-Id: [EMAIL PROTECTED]
Organization: Get your Free Email at http://www.mailtag.com
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Precedence: bulk
Reply-To: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-dev
Return-Path: [EMAIL PROTECTED]

Hello there. This is an automated message. This email is from [EMAIL PROTECTED] am the main administrator for mailtag.com. I get all emails that are sent to mailtag without a recipient or that are sent to invalid email addresses. You have just sent an email to someone at mailtag.com that did not have the proper recipient name on it, or have left your recipient name on your email blank. Please resend this email with the fully qualified domain name, and username. If you have any more questions, or are intending to send an email to [EMAIL PROTECTED] I will get it. All messages are read by a human eventually. Thank you for using mailtag. jAKeStone
---

BTW: this email can easily be produced by addressing your SPAMMER at the [EMAIL PROTECTED] email address, as specified in the SPAM email itself. If he doesn't like you (100% of the time), you get SPAMMED just a bit more.

Thanks for your cooperation and have a nice day yourselves too. Groetjes/Greetinx, Ger

PS: if you are looking for a quick solution for this one, you might want to consider pulling the plug on your mailer-daemon user. You know, you can plead self-defense when you're accused of killing an electronic being, you know...

-- Ger Hobbelt a.k.a. Insh_Allah mailto:[EMAIL PROTECTED]
-- Peter Pan can fly when he thinks his Happy Thought. I want to fly too. My Happy Thought is... one part Prozac and one part LSD... Wow! Awesome, dude!

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: Man in the middle attacks
Greg Stark wrote:
The attack you are referring to is defeated by the client checking the identity that is contained in the certificate. I do not know why you are so sure that this checking is not normally done. IE and Netscape Nav. do it, for example [...]

IE 5.x does not, by default, check to see if the server or signer certificate is revoked. These must be turned on in the advanced options. This is a real problem because it means an attacker can break into a web site, steal their certificates and do what they wish to do without the certificate owner being able to do anything about it, because they can't revoke their certificates in a meaningful way.

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: Kurt Seifred's article on securityportal
Ulf Moeller wrote:
On Wed, Dec 20, 2000, Gary Feldman wrote:
Let's be fair. As your example really points out, the problem in this specific case (your example, not necessarily the "Accept this invalid certificate" case) is with the developers, not the users.

Which browser would that be? Netscape has no default, and with IE the default is "no".

Check IE 5.5's advanced options. Several security related defaults are shut off -- like checking the expiry on a cert and/or checking if a cert is revoked.

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: Kurt Seifred's article on securityportal
Funny question -- easy answer: We should expect user interfaces to not provide such a question in such a fashion -- that's why "are you sure?" question boxes appear for formatting, etc. in most UIs, including "alias rm 'rm -i'". That said, it's the UI that's the problem in the certificate case as well -- the security of E-commerce applications has enough of an effect on international economies now that users' preferences to ignore such problems must be circumvented. A lack of education is partially to blame, but telling users that they may accept a self-signed certificate without warning them that they may be giving away their credit information is negligent.

[EMAIL PROTECTED] wrote:
[sarcasm on] User is busy typing away in an email while a background task is processing. Background task runs into a problem and pops up - "Unavoidable application error - press any key to reformat harddrive" on user's new 1 GHz machine. The next keystroke clears the message. User has given permission of course. Solution. Don't use the keyboard. Only use the mouse. Or use a machine that is slower so that the focus change is detected. [sarcasm off]

What should we expect?

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: Netscape SSL with IMAP problem
Jason Keltz wrote:
Can someone explain why the server has to pass along the certificates from the CAs though? I don't quite understand. I'm new to this all. Isn't it up to the server to send out just the certificate, and then up to the client to do the checks? I mean, isn't it counter-productive -- couldn't the server (be it imap or http) somehow send along fake CA certificates that make the real certificate look as if it were truly signed when it's not?

I believe I once saw on the Equifax site that they use signing certificates signed by Thawte -- so it's possible that their certificate is not in the browser but that the browser can verify the Equifax certificate against the Thawte cert, and then verify yours against the Equifax cert.
Re: Licencing issues
Ulf Moeller wrote:
On Mon, Nov 13, 2000, George Staikos wrote:
(I have emails here if you need to see these) Anyhow, is there any chance of OpenSSL being released under GPL, or failing that, under a BSD style licence without the advertising clause?

The original authors now work for a company that sells a toolkit with the same functionality for a six figure price. Is there any chance of the GPL being changed to something less obnoxious? :)

I'd watch yourself -- you'll lose a lot of respect if you start slandering (as opposed to criticising) licenses like the GPL. Note: the poster mentioned the BSD license, which would allow the use you infer. The GPL also does not prevent the above use -- simply use the LGPL for the base code and wrap it with the extras in a closed-source method to bundle for sale. It is better to keep silent and be thought a fool ...

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Re: Licencing issues
George Staikos wrote:
I see you cc:'d to me, but not to Ulf. Those were his words, not mine. No problem though. Calling it obnoxious is not slandering. It's an opinion and definitely a criticism. However, this is not the issue here so we can put that to rest.

I did a "Reply to all" with my MUA -- yours was the only address it picked up because this list munges headers and changes "Reply-To:" to be the list (instead of "Mail-Followup-To:" or leaving it to the intelligence of the user). My CC'ing you had little to do with the difference in importance between your statements and Ulf's.

IANAL. I don't care for any of this.

Have you read the GPL? It's one of the simplest licenses I've ever read (cf. Microsoft ...). You don't have to be a lawyer to understand what the GPL says and is trying to say. That said, being a software developer in this day and age (in our litigious world), it is wise to know what licenses have which effects on one's software to be a responsible member of the community. It's unfortunate (to some degree), but true.

I only brought this to the attention of this list because there is not much we can do short of using a different library or rolling our own. Many other people must be in this situation too, probably unknowingly. We have to resolve this, and if what we are doing is not allowed, it should probably be documented in the OpenSSL documentation.

AFAICS, it's documented to some degree in the license itself, although openssl.org should definitely mention that linking against GPL code is illegal* (*according to lawyers, or the fsf, or whoever) and print the full text of their license on the site where they mention it.

[While you are reading this, keep in mind that this is KDE. We have to allow redistribution in binary forms, on cds sold by vendors, and more. Some platforms will be compiling and linking with a closed source commercial compiler, linker and library too (ie HP-UX, IRIX, Solaris). This is not negotiable.]

The GPL makes explicit mention of such closed source vendor libraries -- they are quite permitted as a special case: "... as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable."

Your complaint, btw, should be more directed: either you have a problem with your own software's license, or with the license of OpenSSL, or both. Pick an option if you wish this to actually be resolved instead of degenerating into a flame-war. If it's with OpenSSL not being GPL compatible, OpenSSL could (at their discretion) be tri-licensed with the BSD or LGPL licenses in conjunction with its own license and the original SSLeay license.

PS, to quote "In case of any license issues related to OpenSSL please contact [EMAIL PROTECTED]"

Also note: this may be an issue the FSF wants to re-investigate since the only condition I can see in the OpenSSL license that precludes it from being linked against a GPL program is the advertising clause. The GPL however, explicitly states: "Activities other than copying, distribution and modification are not covered by this License; they are outside its scope." As advertising paraphernalia has nothing to do with the acts of distribution, copying or modification of the software, it seems to me (and IANAL) that the issue may be moot.

-- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/
Key exchange, etc.
Are there any good online references for effectively using OpenSSL to negotiate a key exchange, then set up a random session key?

-- Michael T. Babcock, C.T.O. FibreSpeed http://www.fibrespeed.net/~mbabcock
Re: SSL + VirtualHost in Apache 1.3.x
tomn wrote:
So, you can run apache-ssl with this scenario:
Port 443
Listen 1.2.3.4:444
Listen 1.2.3.4:445
Listen 1.2.3.4:446
Then, each VH has the same IP with the corresponding port. Each VH has a different Certificate. Each VH serves up the correct certificate.

This would also work if you wanted to set up multiple machines by using something like Linux's port forwarder ("ipmasqadm portfw") and sending the requests to private IP'd machines:
ipmasqadm portfw -a -S this_machine 445 -D 192.168.100.5 443
ipmasqadm portfw -a -S this_machine 446 -D 192.168.100.6 443
ipmasqadm portfw -a -S this_machine 447 -D 192.168.100.7 443
Hmmm ... ;-)
Re: MSIE 4.x - 5.0 and SSL v3
What is mod_ssl anyway? The string "mod_ssl" does not exist in the whole of OpenSSL and only once in OpenLDAP 2.0.6 as a FIXME?

cf. http://www.modssl.org -- mod_ssl is an SSL extension to Apache that uses OpenSSL.
Re: SSL + VirtualHost in Apache 1.3.x
Richard Levitte - VMS Whacker wrote:
This is why upgrading to TLS within the original protocol is a better idea, as stated in RFC2817, among others. After all, it wouldn't be that difficult to write a small routine library that deals with this kind of upgrade, or so I imagine...

Exactly, except that there are those situations in which you don't want anything transmitted in the clear (including the "Host:" header, which could be changed by a man-in-the-middle for DoS at least). Adding a "Destination" field or "Requested service" field (more generic) to the TLS connection protocol would allow TLS based servers to know where the client is trying to go.
Re: SSL + VirtualHost in Apache 1.3.x
Vadim Fedukovich wrote:
On Fri, 13 Oct 2000, Norman Mackey wrote:
I believe it was made clear already. The only point to add is a recent RFC on "Upgrade to TLS".

I've read that RFC and I tried to find information on whether IE or Netscape were planning on supporting (or did support) it anytime soon.
Re: SSL + VirtualHost in Apache 1.3.x
Vadim Fedukovich wrote:
Beware features of IE on processing wildcarded certificates.

Different Michael here ... what "features"?
Proxied SSL server
I'd like to place an Apache SSL server (Apache + mod_ssl + openssl) behind a firewall machine that does port-forwarding via ipmasqadm so that the SSL server can operate on a private IP address. This is already done for our mail services, but as it's set up now, the web server doesn't seem to be getting the packets.