Re: creating client cert for IE
Donny AH wrote: I have read the instruction how to create client certification in "Introducing SSL and Certificates using SSLeay", but there is only sample page for Netscape, and there is no sample for Internet Explorer Is there anybody can help me to show or give me a sample page to create client certification for Internet Explorer (AFAIK it must contain java script) There is a clear example at: http://www.ultranet.com/~fhirsch/Papers/cook/ssl_msclient_certs.html However, this uses the old certenroll.dll which is said to produce some nonstandard data that needs to be handled with now-almost-obsolete openssl ca switches ... (-msie_hack and -preserveDN). Someone willing to share an example with Xenroll.dll? -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl deperately needs some intro docs
Dr Stephen Henson wrote: There is another issue as well whatever the interpretation of the laws some companies and organisations take an ultra cautious line. For example one organisation at one point was considering not using OpenSSL because there was a (false) rumour that the OpenSSL group had encouraged anonymous contributions from US citizens. Steve. -- Still, documentation provided by US citizens, distributed through a website or mailing list *not* operated by the openssl team might be an option. When that would happen, would the openssl team provide assistance, i.e. answer questions posted here from documentation writers? -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Secure FTP?
Ben Laurie wrote: Jason Stanford wrote: You could simply use the OpenSSH package (www.openssh.org) which has both a secure "telnet" client (ssh) and secure copy (scp). There are some ftp packages that support one-time passwords, but I've not been so unhappy with scp to investigate them. If you've every used rcp (remote copy), scp is exactly the same, but uses security. You could, _if_ you could find a link on the OpenSSH website that actually led to any source. Perhaps I'm being dim, but I certainly couldn't. Cheers, Ben. Hit me, too. FreeBSD's cvsup grabbed it (in my case, from cvsup2.nl.freebsd.org), but there's no source tarball there. Downloadable sources and various package files can be found at ftp://ftp.firedrake.org/openssh/files -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: problem compiling openssl-0.9.2b
Norman Aronsen wrote: Hello again, im still having problems, and apparently i'm not recieving any mail from the list - even though i subscribed. if anyone who could help me would please reply directly to [EMAIL PROTECTED] i'd greatly appreciate it. thankyou. now onto my problem grin i can run neither the "config" or "Configure" script. i get the following error messages. running BSDI 4.0 mainserver# perl5 Configure gcc from a fresh sourcetree, start with # ./Configure gcc but -- first -- try the next command: mainserver# perl5 config # sh ./config Then, if all else, start suspecting what $PERL is detected by ./Configure. -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl-0.9.2b on Linux Alpha
Chris Price wrote: Hi; Just getting started with openssl and discovered that compiling fails on bn_div_words which after some further reading, seems to be related to probs with crypto/bn/asm/alpha.s. [ ... old patch ... ] Can someone suggest what mods to the above diff need to be done, and then suggest a proper command line and location (in the filesystem) to execute the patch from? My apologies is this is a 'pain in the butt' newbie question. I am reasonably installing from source code (optimizing and so forth) but have had minimal experience with diffs (and have little docs about them).. This patch would have been applied from the top of your sourcedir as 'patch -p1 .patch'. However, despite all effort from various people, there is no alpha.s version that passes 'make test' as of now. Therefore, just add 'no-asm' to the ./configure command for now. -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems to compile openssl on IRIX 6.2
(sorry.. forgot to finish send this message off.. there you go) Mike Hess wrote: I believe I encountered a problem compiling openssl-0.9.2b on IRIX 6.2 similar to the one encountered in an earlier note on Digital UNIX V4.0E. I used the solution 1, (./Configure irix-cc no-asm) recommended below but wonder whether you have a patch file below for solution 2. Below are the errors I encountered during make after [...] ld: ERROR 33: Unresolved text symbol "bn_div_words" -- 1st referenced by ../libcrypto.a(bn_div.o). ld: ERROR 33: Unresolved text symbol "bn_mul_comba8" -- 1st referenced by ../libcrypto.a(bn_mul.o). ld: ERROR 33: Unresolved text symbol "bn_sub_words" -- 1st referenced by ../libcrypto.a(bn_mul.o). ld: ERROR 33: Unresolved text symbol "bn_mul_comba4" -- 1st referenced by ../libcrypto.a(bn_mul.o). ld: ERROR 33: Unresolved text symbol "bn_sqr_comba4" -- 1st referenced by ../libcrypto.a(bn_sqr.o). ld: ERROR 33: Unresolved text symbol "bn_sqr_comba8" -- 1st referenced by ../libcrypto.a(bn_sqr.o). Michael R.A. Hess -- [EMAIL PROTECTED] -- 573-882-2000 There has been some discussion on bn_div_words around in openssl-dev: From: Ben Laurie [EMAIL PROTECTED] Organization: A.L. Group plc To: [EMAIL PROTECTED] Subject: Re: Patch: BN_div_words in asm/alpha.s Hannes Reinecke wrote: Hi all, here is a patch for adding bn_div_words to asm/alpha.s. It got lost somehow, but without the assembler version won't compile. I'm not entirely familiar with the internal working of openssl, but to my untrained eye bn_asm.c:bn_div_words and bn_mulw.c:bn_div64 are looking suspiciously similar. Is there a special reason for it or can we just scrap one version ? (I suspect that's also why bn_div_words does not appear in asm/alpha.s; it just got renamed to bn_div64 hoping that all functions would call this and not bn_div_words. Evolutionary programming :-). Looks to me like the whole of bn_mulw.c is redundant. bn_div_words and bn_div64 are indeed identical, and bn_div64 is not actually used anywhere, AFAICS. So, I'm going to blow away bn_mulw.c, and rename bn_div64 to bn_div_words in alpha.s. Cheers, Ben. Looking at crypto/bn/asm/{mips1,mips3,r3000}.s I see bn_div64 is implemented in all of those. Try see whether - ./Configure irix64-cc no-asm - ./Configure irix-n64-cc no-asm work, build, and pass make test I think we can assume without no-asm they all fail, so change bn_div64 to bn_div_words in the 3 assembler files above, then try - ./Configure irix-cc - ./Configure irix64-cc - ./Configure irix-n64-cc and report what symbols are missing then ... -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems to compile openssl
Detlef Schmier wrote: Hello, I try to compile openssl-0.9.2b on "Digital UNIX V4.0E (Rev. 1091)" using the normal C-compiler. Make stops to load openssl after all libraries are compiled: ld: Unresolved: bn_div_words *** Exit 1 Stop. Please advice There are three options to solve this: 1. pass no-asm to ./Configure, 2. patch asm/alpha.s to include bn_div_words, or, 3. start with 2 above, then find an axp guru and optimize things. In case you take the third way, please send us the results :) I'll include the original article from Holger Reiff who submitted the patch, and, the patch itself: Date: Tue, 23 Mar 1999 10:37:28 + From: Hannes Reinecke [EMAIL PROTECTED] Organization: Heriot Watt University, Edinburgh To: OpenSSL developer list [EMAIL PROTECTED] Subject: Patch: BN_div_words in asm/alpha.s Reply-To: [EMAIL PROTECTED] Hi all, here is a patch for adding bn_div_words to asm/alpha.s. It got lost somehow, but without the assembler version won't compile. I'm not entirely familiar with the internal working of openssl, but to my untrained eye bn_asm.c:bn_div_words and bn_mulw.c:bn_div64 are looking suspiciously similar. Is there a special reason for it or can we just scrap one version ? (I suspect that's also why bn_div_words does not appear in asm/alpha.s; it just got renamed to bn_div64 hoping that all functions would call this and not bn_div_words. Evolutionary programming :-). HTH, Hannes -- Hannes Reinecke [EMAIL PROTECTED] Fluid Loading and Instrumentation CenterTel: (+44) 131 451 3149 Dept. of Civil Offshore Engineering Fax: (+44) 131 451 3154 Heriot Watt University, Edinburgh EH14 4AS -- Niels Poppe - org.net bv [EMAIL PROTECTED] diff -u --recursive openssl-SNAP-19990316-1530/crypto/bn/asm/alpha.s openssl.works/crypto/bn/asm/alpha.s --- openssl-SNAP-19990316-1530/crypto/bn/asm/alpha.sMon Dec 21 10:59:03 1998 +++ openssl.works/crypto/bn/asm/alpha.s Sun Mar 21 00:40:33 1999 @@ -530,6 +530,129 @@ $103: ret $31,($26),1 .end bn_sub_words + .align 5 + .globl bn_div_words + .ent bn_div_words +bn_div_words: + .frame $30,48,$26,0 + .mask 0x4003e00,-48 + ldgp $29,0($27) +bn_div_words..ng: + subq $30,48,$30 + stq $9,8($30) + stq $10,16($30) + bis $16,$16,$9 + stq $11,24($30) + bis $17,$17,$10 + stq $12,32($30) + bis $18,$18,$11 + stq $13,40($30) + bis $31,2,$12 + stq $26,0($30) + .prologue 1 + bis $31,$31,$13 + bne $11,$236 + lda $0,-1 + br $31,$255 +$236: + bis $11,$11,$16 + jsr $26,BN_num_bits_word + ldgp $29,0($26) + cmpeq $0,64,$1 + bne $1,$237 + bis $31,1,$1 + sll $1,$0,$1 + cmpule $9,$1,$1 + bne $1,$237 + jsr $26,abort + ldgp $29,0($26) +$237: + bis $31,64,$4 + cmpult $9,$11,$1 + subq $4,$0,$3 + subq $9,$11,$2 + cmoveq $1,$2,$9 + addl $3,$31,$0 + beq $0,$239 + subq $4,$0,$1 + srl $10,$1,$1 + sll $9,$0,$2 + sll $10,$0,$10 + bis $2,$1,$9 + sll $11,$0,$11 +$239: + srl $11,32,$7 + zapnot $11,15,$8 + lda $22,-1 + br $31,$240 + .align 4 +$253: + srl $10,32,$1 + sll $9,32,$2 + sll $27,32,$13 + bis $2,$1,$9 + sll $10,32,$10 +$240: + srl $9,32,$1 + cmpeq $1,$7,$1 + beq $1,$243 + zapnot $22,15,$27 + br $31,$244 +$243: + bis $9,$9,$24 + bis $7,$7,$25 + divqu $24,$25,$27 +$244: + mulq $27,$7,$5 + subq $9,$5,$3 + zapnot $3,240,$2 + bne $2,$246 + mulq $8,$27,$4 + zapnot $10,240,$1 + sll $3,32,$2 + bis $1,$1,$6 + br $31,$256 + .align 4 +$248: + subq $27,1,$27 + mulq $27,$7,$5 + subq $9,$5,$3 + zapnot $3,240,$2 + bne $2,$246 + mulq $8,$27,$4 + sll $3,32,$2 +$256: + srl $6,32,$1 + addq $2,$1,$1 + cmpule $4,$1,$1 + beq $1,$248 +$246: + mulq $27,$8,$1 + srl $1,32,$3 + sll $1,32,$1 + addq $5,$3,$4 + cmpult $10,$1,$3 + subq $10,$1,$10 + addq $4,$3,$4 + cmpult $9,$4,$2 + beq $2,$252 + addq $9,$11,$9 + subq $27,1,$27 +$252: + subq $9,$4,$9 + subl $12,1,$12 + bne $12,$253 + bis $13,$27,$0 +$255: + ldq $26,0($30) + ldq $9,8($30) + ldq $10,16($30) + ldq $11,24($30) + ldq $12,32($30) + ldq $13,40($30) + addq $30,48,$30 + ret $31,($26),1 + .end bn_div_words .text .align 3 .globl bn_mul_comba4
Re: Problems to compile openssl
I just wrote: Detlef Schmier wrote: bn_div_words *** Exit 1 I'll include the original article from Holger Reiff who submitted the patch, and, the patch itself: Excuses to H.R. (both:) please read Hannes Reinecke there. Date: Tue, 23 Mar 1999 10:37:28 + From: Hannes Reinecke [EMAIL PROTECTED] -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Legal to use OpenSSL ?
Lutz Behnke wrote: Alan Pogrebinschi wrote: [..] PS: off topic: My company is located in Brazil and our server is in the US. I never know for sure if I should use the international or U.S. versions of crypto software. Anyone knows? You may use the US version on the server, but if you are doing any encrypted operations from brazil you will have to ensure that you are not using any strong encryption while doing so. So it depends on what you are doing from your server. If it is web-stuff, a US server might help, since you US-custemers might be able to use strong encryption. If your customers are ouside US/Can then you might want to avoid the hassles as nobody can connect to it anyway. Excuse me if I misunderstand this. Why shouldn't I be able to connect to a strong encrypted service? I am not living in the US. A service provider inside the US might violate this export regulation while providing service to me. That does not limit my rights at the other side of the wire. Or am I missing something? -- Niels Poppe - org.net bv [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]