Re: Can OpenSSL use the Linux crypto API?
In message <[EMAIL PROTECTED]> on Mon, 19 Mar 2007 14:28:57 -0800, Shane McDonald <[EMAIL PROTECTED]> said:

Shane_McDonald> I have a hardware acceleration engine on a board for
Shane_McDonald> which I've got a Linux device driver, but I don't have
Shane_McDonald> an OpenSSL driver for the engine. Is it possible to
Shane_McDonald> configure OpenSSL to use the Linux crypto API so that
Shane_McDonald> I can take advantage of the hardware acceleration
Shane_McDonald> engine until I've got an OpenSSL driver written?

I haven't looked into it, but an idea is to write a generic OpenSSL engine module that interfaces the Linux Crypto API.

Cheers,
Richard

- Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: BMPSTRING in extensions
In message <[EMAIL PROTECTED]> on Mon, 12 Feb 2007 13:24:25 +0100, "Michael Leuchtner" <[EMAIL PROTECTED]> said:

mleuchtner> 362:d=6 hl=2 l= 51 cons: SEQUENCE
mleuchtner> 364:d=7 hl=2 l= 9 prim: OBJECT:1.3.6.1.4.1.311.20.2
mleuchtner> 375:d=7 hl=2 l= 38 prim: OCTET STRING
[...]
mleuchtner> OpenSSL> asn1parse -in testcert.txt -strparse 375
mleuchtner> 0:d=0 hl=2 l= 36 prim: BMPSTRING
mleuchtner> OpenSSL>
mleuchtner>
mleuchtner> So it seems that I have to add a BMPSTRING as a subfield
mleuchtner> of the OCTET STRING. But how can I do that?!

It's more embedding a BMPSTRING in the OCTET STRING than anything else. You create and populate an OCTET_STRING like so:

    ASN1_OCTET_STRING *aos = ASN1_OCTET_STRING_new();
    ASN1_OCTET_STRING_set(aos, YourBMPString, YourBMPStringLength);

Then you create the extension itself (assuming you already have a NID for that OID):

    X509_EXTENSION *xext = X509_EXTENSION_create_by_NID(NULL, YourNID, 0, aos);

Finally, add it to the certificate you create like so:

    X509_add_ext(x509, xext, loc);    /* int loc: position in the extension list, -1 appends */

TOTALLY UNTESTED! I leave the rest to you.

Cheers,
Richard
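
Added example (not from the original message and not OpenSSL code): the asn1parse dump above shows an inner BMPSTRING with hl=2 l=36 inside the 38-byte OCTET STRING, so the bytes handed to ASN1_OCTET_STRING_set() have to be the complete DER encoding of the BMPSTRING, not the raw characters. The C below builds and checks that encoding without linking OpenSSL; the function names and the 18-character template name are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DER_TAG_BMPSTRING 0x1E   /* UNIVERSAL 30 */

/* Write a DER definite-length field; returns bytes written, 0 on failure. */
static size_t der_put_length(unsigned char *out, size_t cap, size_t len)
{
    if (len < 0x80) {                       /* short form */
        if (cap < 1) return 0;
        out[0] = (unsigned char)len;
        return 1;
    }
    if (len <= 0xFF) {                      /* long form, one length byte */
        if (cap < 2) return 0;
        out[0] = 0x81;
        out[1] = (unsigned char)len;
        return 2;
    }
    if (len <= 0xFFFF) {                    /* long form, two length bytes */
        if (cap < 3) return 0;
        out[0] = 0x82;
        out[1] = (unsigned char)(len >> 8);
        out[2] = (unsigned char)(len & 0xFF);
        return 3;
    }
    return 0;                               /* larger values not needed here */
}

/* Encode an ASCII name as a DER BMPSTRING (UCS-2 big-endian content).
 * Returns the total encoded length, or 0 on non-ASCII input or lack of space. */
size_t bmpstring_der_from_ascii(const char *name, unsigned char *out, size_t cap)
{
    size_t n = strlen(name), content = 2 * n, hl, pos, i;

    for (i = 0; i < n; i++)
        if ((unsigned char)name[i] > 0x7F)
            return 0;
    if (cap < 1)
        return 0;
    out[0] = DER_TAG_BMPSTRING;
    hl = der_put_length(out + 1, cap - 1, content);
    if (hl == 0)
        return 0;
    pos = 1 + hl;
    if (cap - pos < content)
        return 0;
    for (i = 0; i < n; i++) {
        out[pos++] = 0x00;                  /* high byte of the UCS-2 unit */
        out[pos++] = (unsigned char)name[i];
    }
    return pos;
}

/* Check that a buffer is exactly one well-formed DER BMPSTRING.
 * Returns 1 and stores the character count on success, 0 otherwise. */
int bmpstring_der_check(const unsigned char *der, size_t len, size_t *nchars)
{
    size_t content, hl;

    if (len < 2 || der[0] != DER_TAG_BMPSTRING)
        return 0;
    if (der[1] < 0x80) {
        content = der[1];
        hl = 2;
    } else if (der[1] == 0x81 && len >= 3) {
        content = der[2];
        hl = 3;
        if (content < 0x80) return 0;       /* DER requires the shortest form */
    } else if (der[1] == 0x82 && len >= 4) {
        content = ((size_t)der[2] << 8) | der[3];
        hl = 4;
        if (content < 0x100) return 0;
    } else {
        return 0;
    }
    if (hl + content != len || content % 2 != 0)
        return 0;                           /* trailing bytes or half a character */
    *nchars = content / 2;
    return 1;
}

int main(void)
{
    const char *tmpl = "ConstructedTmpl_18";   /* constructed sample, 18 characters */
    unsigned char der[64];
    size_t chars = 0, i, len = bmpstring_der_from_ascii(tmpl, der, sizeof der);

    if (len == 0 || !bmpstring_der_check(der, len, &chars))
        return 1;
    printf("DER BMPSTRING: %zu bytes total, %zu characters\n", len, chars);
    for (i = 0; i < len; i++)
        printf("%02X", der[i]);
    printf("\n");
    /* With OpenSSL linked, these bytes are the extension value:
     *   ASN1_OCTET_STRING_set(aos, der, (int)len);                  */
    return 0;
}
```

An 18-character name gives 36 content bytes plus a 2-byte header, matching the l=36 / l=38 pair in the dump.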
[no subject]
In message <[EMAIL PROTECTED]> on Mon, 12 Feb 2007 11:34:22 +0100, "Michael Leuchtner" <[EMAIL PROTECTED]> said:

mleuchtner> The request to the MS CA needs the "enroll certtype extension" (OID
mleuchtner> 1.3.6.1.4.1.311.20.2) where I put the name of the certificate template
mleuchtner> in.
mleuchtner> I've already put the extension in the right place using
mleuchtner> X509_EXTENSION_create_by_NID(), sk_X509_EXTENSION_push() and
mleuchtner> X509_REQ_add_extensions_nid().
mleuchtner> Now the problem is, that the value is inserted as an OCTET STRING. But I
mleuchtner> want to set it as an BMPSTRING. What ever I tried - the value always
mleuchtner> comes as octet string in my request. The problem seems to be, that the
mleuchtner> Extension structure only takes octet strings, so I think, that the
mleuchtner> bmpstring has to set as some kind of subfield?!
mleuchtner>
mleuchtner> Can anybody tell me how to set an BMPSTRING in my extension?

The way X.509 extensions work, the whole structure of the value resides in that OCTET STRING. What you need to figure out is the structure of the value and how to populate it. This may mean that you have to ask Microsoft.

Cheers,
Richard
Re: PMI patch for OpenSSH
In message <[EMAIL PROTECTED]> on Fri, 19 Jan 2007 17:42:50 +0100, "Vincenzo Sciarra" <[EMAIL PROTECTED]> said:

vincenzo.sciarra> I have just published a pre-alpha of a patch that has the goal to make
vincenzo.sciarra> OpenSSH aware with PMI.
vincenzo.sciarra>
vincenzo.sciarra> Reference site : http://nutmay.sourceforge.net

Hi Vincenzo,

I believe you've got the wrong mailing list. This is openss*l*, not openss*h*. Don't worry about it, you're not the first to confuse us. I suggest you look at http://www.openssh.org/ to figure out the mailing list to use.

Cheers,
Richard
Re: HTTPS security model
In message <[EMAIL PROTECTED]> on Tue, 5 Dec 2006 13:45:13 -0800, "David Schwartz" <[EMAIL PROTECTED]> said:

davids> Authentication and authorization are the same thing.

Generally speaking, that's incorrect, even if you might have a specific case where your statement applies.

To take an example, I can *authenticate* you if you show me a legal piece of identity that shows you are you, but that doesn't mean that I *authorize* you to raid my fridge.

This simple truth is applicable to security models as well.

davids> They are both required ...

OK, I'm going to take a humorous punch at what you just said; if authentication and authorization are the same thing, why are both required? Isn't one enough? Please make up your mind...

Cheers,
Richard
Re: ITU X509/ RFC 3281 Attribute Certificates API Beta
In message <[EMAIL PROTECTED]> on Tue, 10 Oct 2006 11:35:30 +0200, "Daniel Diaz Sanchez" <[EMAIL PROTECTED]> said:

dds> Hello,
dds>
dds> Some source code to generate attribute certificates using OpenSSL can be
dds> found at:
dds>
dds> http://www.it.uc3m.es/dds/swRelease/pmi/pmi.xml
dds>
dds> It has been tested with some versions of OpenSSL and works with all of them
dds> including the latest release 0.9.8d.

Hello,

I've just had reasons to get interested in ACs, and I'm pleased it's been discussed already fairly recently. I'm really looking for something that could be included into OpenSSL proper, and as far as I've seen, there's your code, which could probably be retrofitted into OpenSSL, and there's the OpenPMI patch, which might come with a license incompatibility problem (they use AFL).

Choices, choices... Any help in that direction would be appreciated.

Cheers,
Richard
Re: rewriting Subject to make O=CN?
In message <[EMAIL PROTECTED]> on Fri, 29 Sep 2006 01:31:32 -0400, Iljun Kim <[EMAIL PROTECTED]> said:

ij> I'd like to make the "O" equal to the "CN" while signing the CSR.
ij> For example, if the Subject was
ij> "C=US, O=Example Company, CN=www.example.com",
ij> I'd like to issue a cert with
ij> "C=Us, O=www.exmaple.com, CN=www.example.com".
ij>
ij> I searched man pages and configuration options, but couldn't figure it
ij> out.
ij>
ij> Any help would be appreciated.

To begin with, there's no way to do that that I know of.

That said, I've a question to you: why? Why on earth would you want to do that? What does it give you in terms of security and usability?

Quite honestly, that kind of reconstruction (or general messing around) usually means that someone has misunderstood something about distinguished names.

Cheers,
Richard
Re: Newbie Needs Help!!!
Hi Dan,

In message <[EMAIL PROTECTED]> on Mon, 25 Sep 2006 09:50:32 -0600, Dan O'Reilly <[EMAIL PROTECTED]> said:

dano> My CA is another system (Windows) and I requested it to create
dano> the trusted root certificate in PKCS7 format, which I copied to
dano> my VMS system. I can use OPENSSL PKCS7 to view the package
dano> contents, and it contains a single certificate. I then tried to
dano> do an OPENSSL VERIFY on that package, and it keeps coming up
dano> with "NO START LINE" and "EXPECTING: TRUSTED CERTIFICATE"
dano> errors. Finally, I tried "openssl s_clienit -connect
dano> :636 -certfore der -CAfile
dano> and it comes up with the following:

You need to extract the certificate from that PKCS#7 package and use the resulting file. Since OPENSSL PKCS7 will give you the certificate in PEM format, the best you can probably do is save that in a .PEM file, and then use it as follows:

    openssl s_client -connect :636 -CAfile .PEM

Cheers,
Richard
Re: related license question
In message <[EMAIL PROTECTED]> on Tue, 22 Aug 2006 15:07:31 -0400, Ryan Shon <[EMAIL PROTECTED]> said:

rshon> Presumably, a program, e.g. a web browser, could be written
rshon> which uses OpenSSL (whether through linking to the libraries or
rshon> by including actual pieces of OpenSSL code), and this browser
rshon> would not have to be licensed under the OpenSSL license. This
rshon> would be a "product derived from OpenSSL", and users could be
rshon> forbidden to redistribute the browser in source or binary forms.
rshon> Is this a correct interpretation of what a "product derived"
rshon> is?

I'm actually unsure about that. Richard Stallman would probably interpret it that way, but I wouldn't. Using unmodified components from another package in your own package does not constitute derivation, in my opinion. But again, IANAL.

rshon> If a person were to take a full OpenSSL distribution and
rshon> completely rewrite some source files, but not all source files,
rshon> of which libcrypto.a is composed, then compile and distribute
rshon> the resulting libraries libssl.a and libcrypto.a, would
rshon> libssl.a be a "redistribution", and would libcrypto.a be a
rshon> "product derived" or a "redistribution"?

If we look at the separate libraries, then yes. However, I would assume that you would distribute this changed source in the same manner as the original is distributed, in one package. In that case, that package is a modified version of OpenSSL, and therefore a product derived from OpenSSL.

Cheers,
Richard
Re: license question
In message <[EMAIL PROTECTED]> on Tue, 22 Aug 2006 18:47:12 +0200, Richard Koenning <[EMAIL PROTECTED]> said:

Richard.Koenning> Ryan Shon wrote:
Richard.Koenning>
Richard.Koenning> > My boss hopes to sell this OpenSSL variant as a
Richard.Koenning> > product. Because of this, he would not want
Richard.Koenning> > customers who buy this product to be free to
Richard.Koenning> > redistribute it on their own. If we were only to
Richard.Koenning> > modify existing OpenSSL, then I assume our entire
Richard.Koenning> > product would be subject to free redistribution by
Richard.Koenning> > customers under the license. Is this correct?
Richard.Koenning>
Richard.Koenning> My first answer would have been plain "no", but then
Richard.Koenning> i read the last sentences at
Richard.Koenning> http://www.openssl.org/source/license.html. I think
Richard.Koenning> (IANAL) that the answer depends on whether your
Richard.Koenning> product is regarded a derivative of OpenSSL.

For all intents and purposes, yes, it would, at least if the modification is distributed in a package that otherwise looks like a full OpenSSL distribution. IANAL either, but I think I've read enough to be able to make that statement with certainty.

Cheers,
Richard
Re: Proxy Certs and security
In message <[EMAIL PROTECTED]> on Thu, 3 Aug 2006 14:20:50 -0500, Andrew White <[EMAIL PROTECTED]> said:

aewhite> I was wondering what the general consensus was on proxy certs
aewhite> and their security risks. I noticed this in the how-to,
aewhite> "Noone seems to have tested proxy certificates with security
aewhite> in mind."

I wrote that. Basically, there's only one way to know if my suspicions are correct, and it's for someone to do some thorough testing. Feel free.

My suspicion has to do with applications that aren't aware of proxy certs. If they are, I don't see a problem.

aewhite> I am also concerned with issues such as having an EE sign a
aewhite> cert. Delegation seems dangerous by allowing too much freedom
aewhite> on the EE's part... Isn't that why the CA signs certs?

Well, the point with proxy certs is, for example, to extend your authority to some process you choose without having to give out your private key. Another use is to have a Kerberos-like functionality through X.509. You can read all about it in the RFC.

aewhite> I am also concerned that the only toolkit that works with
aewhite> proxy certs is Globus which is bulky and, as far as I know,
aewhite> has no rpm repository for RedHat.

Uhmm, generally speaking, OpenSSL should work with them as well.

aewhite> So, my question is this... proxy or standard x.509 with a
aewhite> load balanced CA and Sub CAs for a grid that will contain
aewhite> very sensitive data, and must be high performance?

If you make sure that all applications are aware of proxy certs, they should be usable. Since the grid I've had any involvement in is based on proxy certs, there's no way getting around it, so it depends a bit on what grid implementation you're involved in.

Cheers,
Richard
Re: Problem with Blowfish decryption
In message <[EMAIL PROTECTED]> on Thu, 03 Aug 2006 09:03:42 +0200, Andreas von Linden <[EMAIL PROTECTED]> said:

Buglist> i have a problem with the Blowfish algorithm. When i encrypt a long
Buglist> message i get the following error when i try to decrypt the message:
Buglist>
Buglist> 4156:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
Buglist> decrypt:.\crypto\evp\evp_enc.c:454:

Your problem is at the end of blowencrypt() and blowdecrypt(). You're assuming that the result is a \0-terminated character string, while in reality, it's a binary blob that may *contain* \0.

Also, I fail to understand why on *earth* you're doing all this copying to a C++ string just to copy back to a C character array, when you could do something as simple as this:

(for blowencrypt)

    EVP_CIPHER_CTX_cleanup(&ctx);
    memcpy(output, encodebuffer, tmplen);
    return tmplen;

(for blowdecrypt)

    EVP_CIPHER_CTX_cleanup(&ctx);
    memcpy(output, decodebuffer, tmplen);

Cheers,
Richard
Re: Can we tailor openSSL?
In message <[EMAIL PROTECTED]> on Wed, 19 Jul 2006 07:46:19 +0800, "Bo Xie" <[EMAIL PROTECTED]> said:

xiebopublic> Does openSSL licence permit to tailor openSSL? e.g., we only need the
xiebopublic> SHA-512 algorithm, so we want to tailor openSSL to only include this
xiebopublic> algorithm in order to reduce openSSL's footprint (we have very strict
xiebopublic> footprint limitation requirement).

If you read the license, you will see that it starts with "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met"

Tailoring is a modification.

Then again, exactly what do you need? If you link with the static library and ONLY call the low-level SHA512 routines, those routines are the only footprint that OpenSSL will leave in your program.

Cheers,
Richard
Re: obj_mac.num
In message <[EMAIL PROTECTED]> on Fri, 23 Jun 2006 17:03:53 +0530, "Bhat, Jayalakshmi Manjunath" <[EMAIL PROTECTED]> said:

jayalakshmi.bhat> I went through objects.README. But I did not understand the
jayalakshmi.bhat> obj_mac.num and objects.txt files use clearly. Where do I get more info
jayalakshmi.bhat> on this. Sorry in my prev
jayalakshmi.bhat> mail I mentioned obj_mac.h instead of obj_mac.num.

As someone else said, that file keeps a map from symbols (Attribute Types in ASN.1 speak) to NIDs, which are the internal OpenSSL identifiers for them. Not only that, but obj_mac.num makes sure that those identifiers stay the same from one OpenSSL release to another, which is very important to do, since we assign them to the NID_* macros in obj_mac.h and those macros can be used by anyone any time.

Cheers,
Richard
Re: BIO_new_mem_buf() doesn't work after RSA_private_decrypt() failure.
In message <[EMAIL PROTECTED]> on Wed, 21 Jun 2006 10:44:33 +0900, Tatsuya Tsurukawa <[EMAIL PROTECTED]> said:

Tsurukawa.Tatsuya> It seems I need to clear error queue after private
Tsurukawa.Tatsuya> decryption error, but does the status of error
Tsurukawa.Tatsuya> queue actually affect to the behaviour of following
Tsurukawa.Tatsuya> apis ?

That's mysterious. I can't immediately see why that would make a difference. Can you send me some real code that demonstrates this?

Cheers,
Richard
Re: BIO_new_mem_buf() doesn't work after RSA_private_decrypt() failure.
In message <[EMAIL PROTECTED]> on Tue, 20 Jun 2006 21:16:49 +0900, Tatsuya Tsurukawa <[EMAIL PROTECTED]> said:

Tsurukawa.Tatsuya> bioPtr = BIO_new_mem_buf( InputPEMstring, -1 );
Tsurukawa.Tatsuya> :
Tsurukawa.Tatsuya> prvkey = PEM_read_bio_RSAPrivateKey( bioPtr, NULL, NULL, NULL );
Tsurukawa.Tatsuya> :
Tsurukawa.Tatsuya> RSA_private_decrypt( ..., prvkey, RSA_PKCS1_OAEP_PADDING ); /* We use OAEP */
Tsurukawa.Tatsuya>
Tsurukawa.Tatsuya> It does work well as long as providing appropriate
Tsurukawa.Tatsuya> private keys. But if I provide wrong private key,
Tsurukawa.Tatsuya> RSA_private_decrypt() fails of course, and then
Tsurukawa.Tatsuya> next BIO_new_mem_buf() also fails with the error
Tsurukawa.Tatsuya> code 0x407A079 by ERR_get_error().

Exactly how do you check for errors? You see, the error codes are stored in a queue until you either print it (ERR_print_errors()) or clear it (ERR_clear_error()). (yeah, of course, there are other ERR_* functions that you can use as well to manipulate the queue, but those I mention are probably the more useful most of the times)

To check *if* a specific function returned with an error, you have to check the returned value, and *if* it returned with a value indicating an error, *then* you check the error code. Same thing as you do with errno, basically.

Since BIO_new_mem_buf() returns a pointer, it's quite natural to check if it returns NULL to see if there was an error at all with it. For RSA_private_decrypt(), the manual says the following about the returned value:

    RSA_public_encrypt() returns the size of the encrypted data (i.e.,
    RSA_size(rsa)). RSA_private_decrypt() returns the size of the recovered
    plaintext.

    On error, -1 is returned; the error codes can be obtained by
    ERR_get_error(3).

The code 0x407A079 is easily decoded, btw:

    : ; openssl errstr 407A079
    error:0407A079:rsa routines:RSA_padding_check_PKCS1_OAEP:oaep decoding error

Cheers,
Richard
Re: [ANNOUNCE] OpenSSL version 0.9.8b and 0.9.7j released
In message <[EMAIL PROTECTED]> on Fri, 05 May 2006 02:25:57 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said:

richard> In message <[EMAIL PROTECTED]> on Thu, 4 May 2006 17:14:01 -0700, Randy Turner <[EMAIL PROTECTED]> said:
richard>
richard> rturner> Is there a brief on the reasons why someone would want to use
richard> rturner> OpenSSL 0.9.7j or choose to use 0.9.8b?
richard>
richard> There are two answers to that. You nailed one of them:
richard>
richard> rturner> I believe one of the items is that the 0.9.7 branch can be
richard> rturner> part of a solution for FIPS compliance, where 0.9.8b is "not
richard> rturner> there" yet.
richard>
richard> The other answer is that there are incompatibilities, both in source
richard> and in binary, between the 0.9.7 series and the 0.9.8 one, and
richard> changing from one to the other has consequences for the software that
richard> you link with OpenSSL.

For some reason, I removed the next paragraph...:

So apart from deciding if you want to have the FIPS code (0.9.7j) or not, you need to decide if you want to take the consequences of an upgrade to a more feature rich version (0.9.8) series, or if you want to take the easy route (stay with the 0.9.7 series).

Cheers,
Richard
Re: [ANNOUNCE] OpenSSL version 0.9.8b and 0.9.7j released
In message <[EMAIL PROTECTED]> on Thu, 4 May 2006 17:14:01 -0700, Randy Turner <[EMAIL PROTECTED]> said:

rturner> Is there a brief on the reasons why someone would want to use
rturner> OpenSSL 0.9.7j or choose to use 0.9.8b?

There are two answers to that. You nailed one of them:

rturner> I believe one of the items is that the 0.9.7 branch can be
rturner> part of a solution for FIPS compliance, where 0.9.8b is "not
rturner> there" yet.

The other answer is that there are incompatibilities, both in source and in binary, between the 0.9.7 series and the 0.9.8 one, and changing from one to the other has consequences for the software that you link with OpenSSL.

Cheers,
Richard
Re: libcrypto.a
In message <[EMAIL PROTECTED]> on Thu, 27 Apr 2006 13:59:59 +0200, "Saurabh Arora" <[EMAIL PROTECTED]> said:

tanish2k> Thank you openssl group for your overwhelming, ZERO help support.

You know, you sent the first mail about 24 hours ago, and you seem to expect the kind of support you'd normally have to PAY for! This is a completely volunteer driven mailing list and help organisation, you can't expect commercial grade support from people who read and respond ON THEIR FREE TIME! Fer crying out loud, man!

If I weren't a kind soul, I'd tell you to sod off at this point, but you know, I'll try to give you a bit of help instead...

tanish2k> i am trying to add my custom extension under the standard
tanish2k> extension stack. (my company have acquired OIDs)
tanish2k> steps:
tanish2k> - add entries (shortname,longname,nid,oid) in (
tanish2k>   objects.h,obj_mac.num)

Don't do that. Instead, hack at crypto/objects/objects.txt, then do "make update". crypto/objects/objects.README will give you some useful hints as to the syntax.

tanish2k> - for nid, i used the last available nid (>750)

This is done automagically by "make update".

tanish2k> - under [crypto/x509v3] , make a file v3_custom.c and add
tanish2k>   the code to get and set values.
tanish2k> - add the corresponding typedef in x509v3.h
tanish2k> - add the entry in ext_dat.h as (extern, X509V3_EXT_METHOD)
tanish2k>   ( here i had to add the v3_custom.o in the libcrypto.a
tanish2k>   using "ar" utility )

Why not add it in Makefile instead, then things will be much smoother.

tanish2k> - re-build openssl
tanish2k>
tanish2k> -
tanish2k> - make custom conf file (myopenssl.cnf) and add custom extension in
tanish2k> the section [v3_ca]
tanish2k>
tanish2k> ---
tanish2k> customExtension = "hello"
tanish2k> ---
tanish2k>
tanish2k> - now when i make a self-sign certificate
tanish2k>
tanish2k> ---
tanish2k> openssl req -new -x509 -key cakey.pem -out cert.pem -config myopenssl.cnf
tanish2k> ---
tanish2k>
tanish2k> it gives me the following error :
tanish2k> ---
tanish2k> error Loading extension section v3_ca
tanish2k> 11715:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown
tanish2k> extension:v3_conf.c:128:
tanish2k> 11715:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
tanish2k> extension:v3_conf.c:92:name=customExtension ,value=hello
tanish2k> ---
tanish2k> but when i write the extension value in DER form , as:
tanish2k>
tanish2k>
tanish2k> myopenssl.cnf
tanish2k> [v3_ca]
tanish2k>
tanish2k> customExtension = DER:02:03
tanish2k>
tanish2k>
tanish2k> and now i run the self-sign cert command , it compiles
tanish2k> successfully and i can see my extension in the certificate.

Hmm, sounds like you have implemented the i2r function (or corresponding) but not the r2i one...

I've been through the exact same struggle a little more than a year ago, when I implemented the necessary extension for proxy certificates. Take a look at v3_pci.c and v3_pcia.c if you wish. They work.

Cheers,
Richard
Re: Use of Makefile.ssl
In message <[EMAIL PROTECTED]> on Wed, 19 Apr 2006 11:15:47 +0530, "Bhat, Jayalakshmi Manjunath" <[EMAIL PROTECTED]> said:

jayalakshmi.bhat> In openssl-0.9.8a I am not finding
jayalakshmi.bhat> Makefile.ssl file. Please can you tell me

They're called Makefile nowadays. We realised that it was completely silly to have a Makefile.ssl to which we only created symlinks called Makefile.ssl, so we basically removed that operation by having them called Makefile directly.

Cheers,
Richard
Re: Licenses...
In message <[EMAIL PROTECTED]> on Mon, 17 Apr 2006 21:51:10 -0700, "Ted Mittelstaedt" <[EMAIL PROTECTED]> said:

tedm> >If your point is that the "openssl authors" don't want to
tedm> >change the license because Eric (presumably) doesn't want to
tedm> >change the license, then there is nowhere left to take this
tedm> >discussion.
tedm>
tedm> Exactly! This is exactly it. And I will further add that I
tedm> didn't start this thread, either, but that this was my response,
tedm> and I agreed with it and thought it was the best thing for the
tedm> project.

Interesting conclusions...

Whatever, I'm done with this discussion.

Richard
Re: Licenses...
In message <[EMAIL PROTECTED]> on Mon, 17 Apr 2006 17:02:49 -0700, "Ted Mittelstaedt" <[EMAIL PROTECTED]> said:

tedm> >Not at all, I spoke for myself (I do believe I said that
tedm> >clearly enough), and only reported what I have seen happening
tedm> >within the group.
tedm>
tedm> Which isn't relevant unless it results in the license being
tedm> changed.

Uhmm, right...

tedm> > I am *not* speaking for anyone else in the group, that's
tedm> >entirely up to them. And you know, considering the heat and
tedm> >the viciousness of this debate, I think they are the smarter
tedm> >when keeping away.
tedm> >
tedm>
tedm> How do you know they are keeping away because of the heat?
tedm> Perhaps all of them are happy with it as-is right now.

Who said I know? I wrote "I think". Perhaps I should have written "I believe" to be clearer. Either way, I made an assumption, and it might be incorrect.

tedm> But, the group consensus, represented by the license in the
tedm> code, is what the rest of the world has to deal with. Not me,
tedm> not you, not what we want. You started this issue of claiming I
tedm> wasn't speaking for OpenSSL and I responded by saying you weren't
tedm> either (in effect) and we are back to square one - which is that
tedm> the rest of the world needs to deal with the consensus of what
tedm> OpenSSL project is using.

The only difference is that I have an inside view that you don't, and shared it here.

tedm> >tedm> What the GPL does is overlay the GPL over code that they
tedm> >tedm> use in their GPL projects. The original license may
tedm> >tedm> remain but since the GPL is more restrictive, it becomes
tedm> >tedm> the de facto license.
tedm> >
tedm> >Not true. If a GPLed project uses a piece of code with a
tedm> >different license, that piece of code keeps it and can be
tedm> >reused under that license, not the GPL. That the GPL is used
tedm> >for the whole project and the rest of the files in the project
tedm> >is a non-issue.
tedm>
tedm> For example if a Linux distribution takes the BSD telnet daemon
tedm> and puts it into a Linux distro - fast forward 20 years and the
tedm> original telnet daemon code is no longer available except in the
tedm> Linux distro - now how are you going to be able to take that
tedm> code? You don't know if parts of that code have been modified
tedm> with GPL, if you take that daemon code and try using it under
tedm> its original BSD licence you could be infringing.

If the license on that file remains unchanged, it means that contributions to it are made under that license. If they want to contribute under a different license, they need to say so. Usually, that's done by putting their code in a different file.

Cheers,
Richard
Re: Licenses...
In message <[EMAIL PROTECTED]> on Mon, 17 Apr 2006 15:48:16 -0700, "Ted Mittelstaedt" <[EMAIL PROTECTED]> said:

tedm> Since SSLeay is part of OpenSSL, Eric Young is by definition
tedm> an OpenSSL author.

That's a matter of definition, and I don't agree. Eric hasn't written one byte of OpenSSL code since the start of OpenSSL. The OpenSSL project has taken over the SSLeay code, which comes under the SSLeay license.

tedm> Therefore my statement is valid, as much as you may not like
tedm> it. That is, the OpenSSL authors (you included) DON'T want to
tedm> change the license.

Don't put words in my mouth. I personally do want it, but there are some hoops to jump and it goes slowly, and I have no interest in acting a lone cowboy in this project.

tedm> I am sure you are going to squawk and claim that you want to
tedm> change it. But, Richard, you appointed yourself to talk for the
tedm> rest of the OpenSSL authors when you started arguing with me.

Not at all, I spoke for myself (I do believe I said that clearly enough), and only reported what I have seen happening within the group.

I am *not* speaking for anyone else in the group, that's entirely up to them. And you know, considering the heat and the viciousness of this debate, I think they are the smarter when keeping away.

tedm> If the OpenSSL group consensus was that this advert clause was
tedm> that onerous, you would as a group, excluding the developers
tedm> like Eric who want the clause intact, excise the portion of the
tedm> code that has a problem and rewrite it.

Right. Let's see, I have no life and nothing to deal with every day that earns me money so I can survive. Basically, I've 24 hours a day to work on OpenSSL. Is that what you're saying?

And pardon me for pointing this out, but OpenSSL *is* a volunteer organisation, what exactly have YOU done to help out? Since you have no problem with a license change in the future, I'm sure you don't mind when we remove the advert clause on your contributions.

tedm> This is exactly what the GPL does when they find code they
tedm> want with some undigestible bits in it (ie: incompatible with
tedm> GPL) they rewrite the bits. The OpenSSL Project has the same
tedm> option.

... but not the same resources, it seems.

tedm> What the GPL does is overlay the GPL over code that they use in
tedm> their GPL projects. The original license may remain but since
tedm> the GPL is more restrictive, it becomes the de facto license.

Not true. If a GPLed project uses a piece of code with a different license, that piece of code keeps it and can be reused under that license, not the GPL. That the GPL is used for the whole project and the rest of the files in the project is a non-issue.

Please read up on copyright law, on how licenses really work and are applied. I have.

Cheers,
Richard
Re: Licenses...
In message <[EMAIL PROTECTED]> on Mon, 17 Apr 2006 11:52:33 -0700, Tyler MacDonald <[EMAIL PROTECTED]> said:

tylerm> Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> wrote:
tylerm> > And here, you pretend to know everything that's going on behind the
tylerm> > scene. We (well, the OpenSSL core team, which is our legal body of
tylerm> > sorts) have approached Eric on this subject, more than once.
tylerm>
tylerm> Now this is interesting... What happened when you
tylerm> approached Eric?

All I know is that the answer has been "no" so far.

Cheers,
Richard
Re: Licenses...
In message <[EMAIL PROTECTED]> on Sat, 15 Apr 2006 12:44:33 -0700, "Ted Mittelstaedt" <[EMAIL PROTECTED]> said:

tedm> If the OpenSSL authors (you included) wanted to change the
tedm> license you all would have done so, it's not like you don't have
tedm> write access to the source and cannot change it. You could
tedm> change it right now if you want. So don't pretend that the
tedm> OpenSSL authors don't want the advert clause. If you all
tedm> didn't, you would have changed it.

And here, you pretend to know everything that's going on behind the scene. We (well, the OpenSSL core team, which is our legal body of sorts) have approached Eric on this subject, more than once.

It is true that we could change the OpenSSL license, and by that, I mean the OpenSSL portion of the dual license found in the LICENSE file. However, the SSLeay portion would still stay the same, so the net effect of removing the advert clause from the OpenSSL portion would be to ask everyone to give Eric Young and sometimes Tim Hudson the credit for the work that is done on OpenSSL. I suspect that very few that have contributed would be OK with that.

Therefore, removal of the advert clause from the OpenSSL license is only realistic if the advert clause in the SSLeay license is removed first. And we can't remove the advert clause from the SSLeay license without Eric's and Tim's consent, that would only lead to deep legal trouble.

tedm> >Speaking only for myself, I would say that anyone has the right
tedm> >to criticize! That's part of freedom of speech, and one that
tedm> >is actually exercised every day in form of bug reports!
tedm>
tedm> Bug reports are not criticism. This is pure political
tedm> correctness bullcrap.

I disagree, obviously. But hey, that's just my opinion!

tedm> A bug report is simply an observation of a FACT - which is a
tedm> defect exists. FACTS are not criticisms.

Ah, yeah, the strict interpretation of "bug report". I got mixed up, partly because we use the same tool for feature requests, wishes and so on.

tedm> specifically the statement:
tedm>
tedm> "...part because the verb criticize, once neutral between praise
tedm> and censure, is now mainly used in a negative sense..."

Well, we all choose our own interpretation, don't we?

tedm> >If we weren't open to critique, how the hell would we develop
tedm> >to anything but pickers of our own navel fuzz?
tedm> >
tedm>
tedm> This is a very clever statement since "critique" and "criticize"
tedm> are regarded as having different meanings by most people.

Actually, that was a linguistic mixup. I'm Swedish/French. I should have said "criticism".

tedm> I was using the common meaning of the word, the negative sense,
tedm> which I am sure you were aware of, and you are flip-flopping
tedm> between the negative and the neutral sense of the word.

You're right, I am using it in the neutral sense. But flip-flopping? Unless I misunderstand that term, it would mean that I would change my interpretation of criticism, right? I can't see that I've done so.

[... about the Berne Convention, Article 6bis ...]

tedm> In any case I think this section is rather dangerous since all
tedm> satire can be construed as damaging the author's reputation, even
tedm> when the point is to make a joke about it. You talk about
tedm> stifling speech and criticisms, well this section is pretty much
tedm> guaranteeing that.

And that might be why copyright law usually includes explicit sections about fair use and satire.

tedm> >They do. If you read their own pages on it, they have a list
tedm> >of them, and will say for each of them if it is compatible with
tedm> >the GPL or not.
tedm>
tedm> That isn't being accepting of other licenses. And by compatible
tedm> they only mean "legal to replace their license with our own"
tedm> they don't mean "a good and reasonable license that follows the
tedm> idea of open source.

Don't be ridiculous, no one can replace someone else's license without their explicit consent!

Cheers,
Richard
Re: Licenses...
In message <[EMAIL PROTECTED]> on Fri, 14 Apr 2006 22:29:12 -0700, "Ted Mittelstaedt" <[EMAIL PROTECTED]> said:

tedm> Binary distributions have one purpose - to boot up the system so
tedm> you can get a full source tree on it and start building! It's
tedm> no fun otherwise! :-)

You know, if that was true, I would spend my days doing nothing but rebuild and watch what happens. Having someone else build the binaries for me is a huge time saver and gives me time to do my job, create what I want to create and enjoy life a bit more.

So you know, binaries have a little more use than just for booting.

Cheers,
Richard
Re: Licenses...
Oi, you're quite the speaker, aren't ya?

In message <[EMAIL PROTECTED]> on Fri, 14 Apr 2006 17:28:47 -0700, "Ted Mittelstaedt" <[EMAIL PROTECTED]> said:

tedm> OpenSSL needs to stick with the license that most closely
tedm> reflects the philosophy of its authors. That is, right now, an
tedm> "advert clause" license, that is why the "advert clause" is in
tedm> there. If some people in the community have a problem with
tedm> that, that is their problem, not mine and not OpenSSL's.

Uhmm, you pretend to speak for the OpenSSL authors (Hi, I'm one of them!), and I can't recall you having asked us at all what our opinion is. As far as I can see, the rest of the team (those with write access to the repo) have stayed clear of this discussion, and I believe it's for good reasons. I'm probably just too bull-headed to stay away :-).

I, for one, would like to see the advert clause removed, and I believe I +1'd the original post in this thread to show my personal approval.

As far as I've understood the story, the way the OpenSSL license is formed is a more or less direct result of conditions made by Eric Young. Now, Eric isn't an OpenSSL author and has never been. He's the author of SSLeay, from which OpenSSL is derived (well, continued upon would be a more correct term). To kindly ask him to allow us to have a less restrictive license is a perfectly sensible thing to do, whatever the reasons!

I actually don't know if the rest of the OpenSSL team agree with me or not, but every time there's been a discussion about the license (and this is definitely not the first time), it has always been ended by saying that we're bound by the desires of Eric Young. My conclusion is that most of the OpenSSL team would like to remove the advert clause *if we could*.

Please do not pretend to speak for us when you haven't even asked!

tedm> >Do you *really* feel that way? That anything anyone gets out of
tedm> >OpenSSL is manna from the gods and they have no right to
tedm> >criticize it --
tedm>
tedm> Pretty much. Don't you?

Speaking only for myself, I would say that anyone has the right to criticize! That's part of freedom of speech, and one that is actually exercised every day in form of bug reports!

If we weren't open to critique, how the hell would we develop to anything but pickers of our own navel fuzz?

tedm> If the removal of the advert clause would bring huge benefits to
tedm> thousands of people that might be something. You have not
tedm> established this.

This is a regularly reoccurring topic, maybe that's something to consider?

tedm> I will point out though for middleware producers, that the
tedm> benefits of not having to reinvent the wheel have some cost;
tedm> tracking this stuff is one of them. And I will further point
tedm> out that EVEN IF the OpenSSL license was modded to help these
tedm> people, that any middleware producer IS STILL GOING TO HAVE TO
tedm> REVIEW -all- licenses of -all- software they use, because they
tedm> will not know if there is a gotcha in any of those.

You do have a point there.

tedm> Keep in mind that the courts have not ruled on the idea that
tedm> just because you link your code into GPL code that you lose all
tedm> rights to control licensing of your portion of the code. This
tedm> is a revolutionary idea of the FSF's and it is frequently
tedm> pointed out in legal circles how this is one of the big weak
tedm> spots of the GPL, and would likely be invalidated.
tedm>
tedm> My reading of copyright law is that the GPL cannot control how I
tedm> license my copyrighted software just because I link an object
tedm> module into their code or vice versa. The FSF vehemently
tedm> disagrees and this linking issue is one of the central reasons
tedm> why the GPL is called a viral license, and it is one of the
tedm> linchpins of the argument that the advertising clause in OpenSSL
tedm> is a burden.

Are you a lawyer? I know of two lawyers who do not agree with you, at least as far as I understand what they write. One of them is the author of the GPL.

tedm> The law already has provisions for that. Regardless of what
tedm> Jack Smith wants, the law says if I'm paying him hourly to write
tedm> code, the copyright to the code belongs to me, not to him. I
tedm> don't really have any feelings one way or another on his desire,
tedm> because it's not a decision for him to make - per the law, not
tedm> per me.

You mean the *American* copyright law. Please be specific, as there are some differences between countries. There is one article in the Berne Convention, on which most copyright law is based today, that American copyright law disregards; article 6bis, Moral Rights, see http://www.law.cornell.edu/treaties/berne/6bis.html . That article does give the actual author the right to have a say on how his/her work is used. Swedish copyright law implements that article in its copyright law.

tedm> The GPL community could at least give a shot at leading by
tedm> example - by accep
Re: Patch Openssl
In message <[EMAIL PROTECTED]> on Thu, 13 Apr 2006 01:03:15 -0700 (PDT), "Sara978 (sent by Nabble.com)" <[EMAIL PROTECTED]> said:

lists> TEST 5:
lists> bash-3.00$ patch -p1
lists> can't find file to patch at input line 5
lists> Perhaps you used the wrong -p or --strip option?
lists> The text leading up to this was:
lists> --
lists> |Index: openssl/Configure
lists> |diff -u openssl/Configure:1.1.1.11 openssl/Configure:1.1.1.11.2.1
lists> |--- openssl/Configure:1.1.1.11 Sat Oct 29 11:50:52 2005
lists> |+++ openssl/Configure Sat Oct 29 13:10:03 2005
lists> --
lists> File to patch:

OK, since the "text leading up to this" section shows a perfectly sensible diff header, we can conclude that this file is NOT compressed. We can therefore rule out anything having to do with gunzip.

Now, a few questions:

1. ARE YOU STANDING IN THE ROOT OF AN OPENSSL SOURCE TREE WHEN YOU TRY THE PATCH? That's imperative.
2. Have you looked at the file, you know, using something like 'more' or 'less'? Could it be that it's garbled in some way?

If you still can't figure it out, just send me the file and I'll take a look at it.

Cheers,
Richard
Re: Licenses...
Hi Jeffrey, long time!

In message <[EMAIL PROTECTED]> on Mon, 10 Apr 2006 22:28:22 -0400, Jeffrey Altman <[EMAIL PROTECTED]> said:

jaltman> Tyler MacDonald wrote:
jaltman>
jaltman> > And it's not always even that simple: for example, the
jaltman> > freeradius project's postgresql plugin links against the
jaltman> > postgresql client library (naturally). Postgresql may or
jaltman> > may not link against OpenSSL. If it does, then the
jaltman> > freeradius-postgresql plugin is breaking the GPL's rules,
jaltman> > but how the postgresql client library was compiled isn't
jaltman> > necessarily under freeradius's control.
jaltman>
jaltman> Maybe the problem is the GPL rules.

I don't agree with that assessment. The GPL rules are there for a reason, and within the GNU world, they are well balanced. The same goes for the BSD type of license, they're well balanced within the BSD camp. No license is really wrong per se.

However, when the worlds are mixed, we have a conflict, and the real issue seems to be two-fold:

1. do we want to resolve the conflict?
2. how do we resolve the conflict?

I can only speak from my own perspective when I answer those. The first is easy for me to answer, it's a resounding YES. The second takes a little bit of thinking, and is deeply connected with what I want for OpenSSL.

I've come into this project with the vision that OpenSSL should be as available to anyone as possible without compromising its freedom to exist. If someone wants to embed it into their software, regardless of who that is, my vision is unthreatened. However, if someone can't use OpenSSL because of some idiotic thing as a license clash, I'm getting upset because it doesn't match my vision.

As has already been said, OpenSSL is very well known and stands on its own two feet (so to speak) and its own merits with no real need for every user to tell everyone that they use it[1]. From that point of view, I see zero harm in removing a clause that seems to generate more conflict and confusion[2] than good from our license.

Cheers,
Richard

---
[1] You know, I'm sure some will give us the credit without having to be asked, just because they like OpenSSL. And for those who don't want to, check if I care. I wouldn't be surprised if a lot use OpenSSL in their software without saying a word about it.
[2] We regularly get questions about what the advertisement clause means. It seems to be the single question that gets asked about the license, really.
Re: Patch Openssl
In message <[EMAIL PROTECTED]> on Wed, 12 Apr 2006 07:10:23 -0700 (PDT), "Sara978 (sent by Nabble.com)" <[EMAIL PROTECTED]> said:

lists> gzip -cd ts-20060225-0_9_8a-patch.gz | patch -p1
lists>
lists> but I have this error:
lists>
lists> ts-20060225-0_9_8a-patch.gz: not in gzip format
lists> patch: command not found

Take a quick look at ts-20060225-0_9_8a-patch.gz and see if it's already decompressed, in that case, you can simply do this:

patch -p1 < ts-20060225-0_9_8a-patch.gz

Cheers,
Richard
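The two "Patch Openssl" replies above come down to two checks: whether the file named .gz really contains gzip data, and whether the paths in the diff header resolve from the current directory at the chosen -p level. The script below is an added example that automates both; it is not from the thread or from the OpenSSL project, its function names are hypothetical, and its sample patch is constructed from the header quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before "patch -pN".
# Function names are hypothetical; the sample data in demo() is constructed.

# True when FILE starts with the gzip magic bytes 1f 8b, whatever its name.
is_gzip() {
    [ "$(od -An -tx1 -N2 < "$1" 2>/dev/null | tr -d ' \n')" = "1f8b" ]
}

# Print the patch text, decompressing only if it is really gzip data.
read_patch() {
    if is_gzip "$1"; then gzip -cd < "$1"; else cat < "$1"; fi
}

# patch_targets FILE N
# Print every existing-file target named on a "+++" header line, with N
# leading path components removed the way "patch -pN" removes them.
# Assumes file names without whitespace. Files the patch creates
# ("--- /dev/null") are skipped because they need not exist yet.
patch_targets() {
    read_patch "$1" | awk -v n="$2" '
        BEGIN { oldline = -1 }
        substr($0, 1, 4) == "--- " { old = $2; oldline = NR; next }
        substr($0, 1, 4) == "+++ " && oldline == NR - 1 {
            if (old == "/dev/null" || $2 == "/dev/null") next
            path = $2
            for (i = 0; i < n; i++) {
                if (!sub("^[^/]*/+", "", path)) {
                    # Fewer than N components: flag it instead of guessing.
                    path = "<cannot strip " n " from " $2 ">"
                    break
                }
            }
            print path
        }'
}

# missing_targets FILE N [DIR]: targets that do not exist under DIR
# (default: current directory). Empty output means -pN fits DIR.
missing_targets() {
    patch_targets "$1" "$2" | while IFS= read -r target; do
        [ -e "${3:-.}/$target" ] || printf '%s\n' "$target"
    done
}

# suggest_strip FILE [DIR]: smallest N in 0..4 for which every target
# exists under DIR; returns 1 when no level fits (wrong directory).
suggest_strip() {
    for level in 0 1 2 3 4; do
        [ -n "$(patch_targets "$1" "$level")" ] || continue
        if [ -z "$(missing_targets "$1" "$level" "${2:-.}")" ]; then
            printf '%s\n' "$level"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a plain-text diff carrying a .gz name, with the
# header quoted in the thread, checked from two directories.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/openssl"
    : > "$work/openssl/Configure"
    printf '%s\n' \
        'Index: openssl/Configure' \
        '--- openssl/Configure:1.1.1.11 Sat Oct 29 11:50:52 2005' \
        '+++ openssl/Configure Sat Oct 29 13:10:03 2005' \
        '@@ -1 +1 @@' '-old line' '+new line' > "$work/sample-patch.gz"

    if is_gzip "$work/sample-patch.gz"; then
        echo "gzip data: use gzip -cd FILE | patch -pN"
    else
        echo "not gzip data: use patch -pN < FILE"
    fi
    echo "missing with -p1 above the tree: $(missing_targets "$work/sample-patch.gz" 1 "$work")"
    echo "missing with -p1 in the tree root: $(missing_targets "$work/sample-patch.gz" 1 "$work/openssl")"
    echo "level that fits the tree root: $(suggest_strip "$work/sample-patch.gz" "$work/openssl")"
    rm -rf "$work"
}

demo
```

A target listed as missing at -p1 means the command is being run from the wrong directory or with the wrong strip level, which is the condition behind "can't find file to patch".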
Re: Licenses...
In message <[EMAIL PROTECTED]> on Tue, 11 Apr 2006 14:51:58 -0700, Tyler MacDonald <[EMAIL PROTECTED]> said:

tyler> However, the discussion about how OpenSSL should interact with
tyler> GPL software has been quite valuable.

Yes, I entirely agree with you on that.

Cheers,
Richard
Re: Licenses...
OK, boys and girls, however much I actually enjoy discussing the intricacies of licenses out the wazoo, I don't think a discussion on how to interpret the GPL belongs in this list. Let's move along, shall we?

Cheers,
Richard
Re: Licenses...
In message <[EMAIL PROTECTED]> on Sun, 09 Apr 2006 11:04:12 -0700, Tyler MacDonald <[EMAIL PROTECTED]> said:

tyler> I think that these programmers could be more happy and productive
tyler> and get back to moving our planet forward if they didn't have
tyler> to spend so much time thinking about licensing issues, coding
tyler> around the problem, etc. Can you please, please consider
tyler> removing this requirement from the next version of SSLeay's
tyler> license, so that OpenSSL can follow suit, so that we can go
tyler> back to solving the *real* problems instead of all this legal
tyler> mumbo jumbo?

+1!

Cheers,
Richard
Re: [BUG] Installation problem on cygwin
In message <[EMAIL PROTECTED]> on Mon, 03 Apr 2006 10:22:26 +0200, Yann Coscoy <[EMAIL PROTECTED]> said:

Yann.Coscoy> Technical Description:
Yann.Coscoy> The script 'Configure' (line 1253) uses 'chop' function
Yann.Coscoy> to suppress end-of-line characters. Unfortunately under
Yann.Coscoy> cygwin, the end-of-lines are not always correctly handled
Yann.Coscoy> and some '\r' may be present in addition to '\n'.
Yann.Coscoy>
Yann.Coscoy> Solution:
Yann.Coscoy> Replace 'chop' function by 's/[\r\n]+$//'.

Even better, replace it with chomp. Doing it now.

Cheers,
Richard
Re: HSM/engine/SmartCard for OpenVMS
In message <[EMAIL PROTECTED]> on Sun, 26 Mar 2006 20:22:48 +0200, Francesco Gennai <[EMAIL PROTECTED]> said:

francesco.gennai+openssl> thank you for the pointers.

You're welcome.

francesco.gennai+openssl> Now we need to move the private key to a
francesco.gennai+openssl> signing device.

Uhmm, you do know that most devices will not import a private key, and will instead have a couple of predefined ones or will allow you to create new ones, right?

francesco.gennai+openssl> We could use also an expensive solution,
francesco.gennai+openssl> like an HSM, but we would know about
francesco.gennai+openssl> existing experiences, and about products:
francesco.gennai+openssl> SmartCard models and producers and/or HSM
francesco.gennai+openssl> models and producers that have been already
francesco.gennai+openssl> used in OpenSSL/OpenVMS environment or that,
francesco.gennai+openssl> accordingly to your experiences, could be
francesco.gennai+openssl> tested.

I would have a chat with the OpenSC (http://www.opensc-project.org/) guys, as they've already written an engine module that interfaces pkcs11 libraries. There are a few other implementations floating in our contrib area as well.

Cheers,
Richard
Re: HSM/engine/SmartCard for OpenVMS
In message <[EMAIL PROTECTED]> on Sun, 26 Mar 2006 00:51:54 +0100, Francesco Gennai <[EMAIL PROTECTED]> said:

francesco.gennai+openssl> I need to sign e-mail messages in OpenVMS
francesco.gennai+openssl> environment by a signing device (SmartCard,
francesco.gennai+openssl> HSM, other...)
francesco.gennai+openssl>
francesco.gennai+openssl> Is there any solution to use a signing
francesco.gennai+openssl> device with OpenSSL in OpenVMS environment?

Yes, you need to build a shareable image that implements an OpenSSL engine to interface with the device. That sort of engine translates OpenSSL crypto and hash algorithm calls to whatever the device needs to perform its job properly.

Unfortunately, the best documentation is the source. Look in crypto/engine/, engines/ and demos/engines/rsaref/ . The last one was written specifically to show how it's done (or at least how it can be done :-)).

Cheers,
Richard
Re: pod2man: not found
In message <[EMAIL PROTECTED]> on Mon, 20 Mar 2006 14:05:15 -0700, "Ting Feng" <[EMAIL PROTECTED]> said:

fengtingting2001> ./pod2mantest: pod2man: not found
fengtingting2001> pod2man does not work properly('BasicTest' failed). Looking for another
fengtingting2001> pod2man ...
fengtingting2001> No working pod2man found. consider installing a new version.
fengtingting2001> As a workaround, we'll use a bundled old copy of pod2man.pl.
fengtingting2001> ../../util/pod2man.pl
fengtingting2001>
fengtingting2001>
fengtingting2001> Do I need to download a newer version of pod2man?
fengtingting2001> Where to download it?

No. Pay attention to the last two lines.

Cheers,
Richard
Re: Updating OPENSSL
In message <[EMAIL PROTECTED]> on Sat, 18 Mar 2006 02:27:18 -0500, "Hector Santos" <[EMAIL PROTECTED]> said:

ssluser> I have multiple applications using OPENSSL 0.9.7c and I'm finally getting
ssluser> around to updating it.
ssluser>
ssluser> I have downloaded and recompiled the *eay*.dll files for:
ssluser>
ssluser> 0.9.7i
ssluser> 0.9.8a
ssluser>
ssluser> Can I just use the new DLLs for 0.9.8a or do I need to
ssluser> recompile my applications? I take it I will be fine with
ssluser> 0.9.7i dlls.

It really depends on what your application uses the libraries for. There are some fundamental changes in some parts of the libraries between the 0.9.7 and the 0.9.8 series, so to be on the safe side, I'd recommend you to recompile your applications for 0.9.8a.

Cheers,
Richard
Re: porting to QNX4
In which OpenSSL versions have you tested this?

Cheers,
Richard

In message <[EMAIL PROTECTED]> on Sun, 12 Mar 2006 12:19:27 +0300, kbob kbob <[EMAIL PROTECTED]> said:

kbob_ru> Under QNX4
kbob_ru>
kbob_ru> and I use in Configure:
kbob_ru> "qnx4", "cc:-DL_ENDIAN -DTERMIO -DNO_STRINGS_H::(unknown)::-lsocket:EXPORT_VAR_AS_FN ${x86_gcc_des} ${x86_gcc_opts}:"
kbob_ru>
kbob_ru> it is based on Valdimir Timonin patch
kbob_ru>
kbob_ru> I use in config:
kbob_ru>
kbob_ru> QNX:*)
kbob_ru>     case "$VERSION" in
kbob_ru>         4*)
kbob_ru>             echo "${MACHINE}-whatever-qnx4"
kbob_ru>             ;;
kbob_ru>         6*)
kbob_ru>             echo "${MACHINE}-whatever-qnx6"
kbob_ru>             ;;
kbob_ru>         *)
kbob_ru>             echo "${MACHINE}-whatever-qnx"
kbob_ru>             ;;
kbob_ru>     esac
kbob_ru>     exit 0
kbob_ru>     ;;
kbob_ru>
kbob_ru> because $VERSION in qnx4.25 is 'uname -v' = 425, but I don't know about qnx6 for this.
kbob_ru>
kbob_ru> After that all compile and test fine!
kbob_ru>
kbob_ru> maybe include this in next version.
Re: IPR Infringement Lawsuits
In message <[EMAIL PROTECTED]> on Mon, 20 Feb 2006 20:26:22 +0100, "Roger Boden" <[EMAIL PROTECTED]> said:

roger_no_spam> Are there any known IPR infringement lawsuits as result
roger_no_spam> of using or including openssl in a product?

None that I know of. And honestly, if there had been a lawsuit, I'm pretty sure we would have heard of it...

Cheers,
Richard
Re: what exactly is the difference between ssl and ssh (secure shell)?
In message <[EMAIL PROTECTED]> on Thu, 19 Jan 2006 11:03:09 -0800, "Chong Peng" <[EMAIL PROTECTED]> said:

ChongPeng> if you google "ssl and ssh", you will find a few pages
ChongPeng> regarding this issue, such as:
ChongPeng>
ChongPeng> http://www.snailbook.com/faq/ssl.auto.html
ChongPeng> http://www.rpatrick.com/tech/ssh-ssl/
ChongPeng>
ChongPeng> but all in all, what ssl accomplishes can be done by ssh
ChongPeng> and what ssh accomplishes can be done by ssl. it seems to
ChongPeng> me that this is just another example of complicities
ChongPeng> (confuses) created by human.

There are quite a few perspectives from which to answer:

Trust: the trust model differs. SSL uses the X.509 model, which is an authority hierarchy (roughly, there's actually a lot more to say about it). SSH uses a much more personal style, where the individual user is responsible for his keys and how they are to be used and authenticated.

Cryptographic security: there's not really a lot of difference between the two in this respect. They use methods for key exchange and data encryption that are fairly similar to each other.

Interface: SSH and SSL are widely different in this respect. SSH works as an application that you can call and tunnel whatever you wish through, while SSL comes as a library of routines to use instead of your usual network calls. However, there are SSL applications that provide the same kind of functionality as SSH; stunnel provides tunneling, stelnet provides secure remote login.

There are probably other perspectives that I forget...

Cheers,
Richard
Re: Problem upgrading to 0.9.8a
In message <[EMAIL PROTECTED]> on Thu, 5 Jan 2006 11:37:40 -0500, Dan Peacock <[EMAIL PROTECTED]> said: bluedanunit> We have an application that is currently using OpenSSL bluedanunit> 0.9.6c in conjunction with an Apache server. We've been bluedanunit> told we should upgrade the libaries to 0.9.6k or higher bluedanunit> in order to plug the known holes with this version of bluedanunit> OpenSSL. I obtained the 0.9.8a libraries from Shining bluedanunit> Light Productions (www.slproweb.com) as we are a Windows bluedanunit> shop (It's what we have and I have to deal with it :( ) bluedanunit> I shut down Apache and replaced the libeay32.dll, bluedanunit> ssleay32.dll, and openssl.exe files from the 0.9.6c bluedanunit> install with the 0.9.8a. Apache now won't start and is bluedanunit> giving me the following error in the Windows Application bluedanunit> Event viewer: Unfortunately, between different 0.9.x series (where x differs) of OpenSSL, there are usually binary incompatibilities. This means it's quite likely you won't get it to work unless you rebuild mod_ssl (if it's Apache 1) or Apache itself (if it's Apache 2 or Apache-SSL). Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: proxyCertInfo
In message on Tue, 3 Jan 2006 00:33:45 +0100, [EMAIL PROTECTED] said:

mailinglists> I *have* read the RFC 3820 and the
mailinglists> doc/HOWTO/proxy_certificates.txt, however I am still not
mailinglists> sure about:
mailinglists>
mailinglists> - the language field: can someone explain the different
mailinglists> values (id-ppl-anyLanguage, id-ppl-inheritAll,
mailinglists> id-ppl-independent)?

Dear, they are explained as well as I can get them in section 3.8.2. Basically, id-ppl-anyLanguage is the wildcard that matches anything, id-ppl-inheritAll just says that the current proxy cert inherits everything from the issuing proxy cert, and id-ppl-independent inherits nothing from the issuing proxy cert.

The use is not well defined in the RFC, and I guess experience will show how it will be used in reality. In the meantime, it looks like a lot of people simply use id-ppl-anyLanguage.

mailinglists> - the policy field: what (and how) can be defined using it?

It can be defined by any content. It's up to the authenticating application to define what it should contain and how it should be interpreted. For that reason, the value or its interpretation are not defined in the RFC. For all I care, you can have a bit of XML in there following some nice rights DTD.

Cheers,
Richard
Re: unable to free PROXY_CERT_INFO_EXTENSION
In message <[EMAIL PROTECTED]> on Mon, 05 Dec 2005 11:43:40 -0800, Matthew Rodriguez DSD staff <[EMAIL PROTECTED]> said:

MKRodriguez> #include
MKRodriguez> #include
MKRodriguez> #include
MKRodriguez> static char * pci_value = "critical, language:Inherit all";
MKRodriguez>
MKRodriguez> int
MKRodriguez> main(int argc, char **argv){
MKRodriguez>    X509_EXTENSION *ext =NULL;
MKRodriguez>    X509V3_CTX *ctx;
MKRodriguez>    LHASH *lhash;
MKRodriguez>    SSL_library_init();
MKRodriguez>    OpenSSL_add_all_ciphers();
MKRodriguez>    OpenSSL_add_all_algorithms();
MKRodriguez>    SSL_load_error_strings();
MKRodriguez>    lhash = lh_new(NULL, NULL);
MKRodriguez>    X509V3_set_conf_lhash(ctx, lhash);
MKRodriguez>    ext = X509V3_EXT_conf(NULL, ctx, "proxyCertInfo", pci_value);

As Stephen already noticed, ext isn't a PROXY_CERT_INFO_EXTENSION*. To get that, you need to do the following:

    PROXY_CERT_INFO_EXTENSION *pci;
    /* ... */
    pci = X509V3_EXT_d2i(ext);

MKRodriguez>    if (ext == NULL){
MKRodriguez>        ERR_print_errors_fp(stderr);
MKRodriguez>        exit(-1);
MKRodriguez>    }
MKRodriguez>    X509V3_EXT_print_fp(stdout, ext, 0, 0);
MKRodriguez>    X509_EXTENSION_free(ext);
MKRodriguez>    /*X509V3_EXT_cleanup();
MKRodriguez>    PROXY_CERT_INFO_EXTENSION_free((PROXY_CERT_INFO_EXTENSION *)ext); */

And of course, freeing a X509_EXTENSION with a routine to free a PROXY_CERT_INFO_EXTENSION won't work. Two different structures! Plus, you have already free'd ext!

MKRodriguez>    return 0;
MKRodriguez> }

Cheers,
Richard
Re: unable to free PROXY_CERT_INFO_EXTENSION
In message <[EMAIL PROTECTED]> on Fri, 02 Dec 2005 12:09:14 -0800, Matthew Rodriguez DSD staff <[EMAIL PROTECTED]> said: MKRodriguez> I can't seem to get rid of a memory leak when I create a MKRodriguez> proxyCertInfo extension. I've tried calling MKRodriguez> X509_EXTENSION_free, and then X509_EXT_cleanup. I don't MKRodriguez> think I need to do that because it is not a custom MKRodriguez> extension, I'm using openssl-0.9.8a. Have you tried PROXY_CERT_INFO_EXTENSION_free() ? Cheers, Richard -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: E-mail address changed
In message <[EMAIL PROTECTED]> on Thu, 3 Nov 2005 10:01:01 +0200 (EET), Kande Kande <[EMAIL PROTECTED]> said: pierrekande> My e-mail address is changed to [EMAIL PROTECTED] pierrekande> The e-mail [EMAIL PROTECTED] is not longer available Please resubscribe from your new address. Your old one has been removed from the list. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECB, CBC, CFB, OFB, and when and where you would use them.
In message <[EMAIL PROTECTED]> on Tue, 18 Oct 2005 09:31:44 -0400, David Gianndrea <[EMAIL PROTECTED]> said: dgianndrea> I wonder if some one could point me to some high level dgianndrea> document that would describe where, and when you would use dgianndrea> ECB, CBC, CFB, OFB modes. I have some developers that are dgianndrea> trying to include encryption into some code, and there dgianndrea> seems to be some confusion among them. I can point you at Bruce Schneier's book, Applied Cryptography: http://www.amazon.com/exec/obidos/tg/detail/-/0471117099/qid=1129643113/sr=8-1/ref=pd_bbs_1/102-0263158-8696136?v=glance&s=books&n=507846 My second choice would be the Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/), chapter 7, which does say a little bit but isn't quite as in-depth as Schneier's book. Cheers, Richard -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL version 0.9.7i released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.7i released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 0.9.7h caused crashes when the shared libcrypto was upgraded. This release fixes that problem.

For those who want or have to stay with the 0.9.7 series of OpenSSL instead of using the 0.9.8 series, we strongly recommend that you upgrade to OpenSSL 0.9.7h as soon as possible. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

OpenSSL 0.9.7i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file names are:

  * openssl-0.9.7i.tar.gz
    MD5 checksum: f69d82b206ff8bff9d0e721f97380b9e
    SHA1 checksum: 4c23925744d43272fa19615454da44e01465eb06

The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.*.tar.gz
    openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Nils Larsch         Ulf Möller
    Ralf S. Engelschall     Ben Laurie          Andy Polyakov
    Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
    Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDUIPNp6+eePcJRTsRAjdtAKCINFymy9DS/vrzmxDxLKRNCzIwjwCdGV74
NqcnOE9Eo+TC4RZPcX8dqUU=
=R3AN
-----END PGP SIGNATURE-----
Re: Licensing conditions in OpenSSL with proprietary software
In message <[EMAIL PROTECTED]> on Thu, 13 Oct 2005 11:15:33 +0500, "ahmad hassan" <[EMAIL PROTECTED]> said: guideveloper123> I am using OpenSSL as a static library with my guideveloper123> proprietary software for windows OS. I would like to guideveloper123> know what steps exactly i have to do pertaining to guideveloper123> licensing to link statically against openssl guideveloper123> library. Have you read the license file (LICENSE)? It's a dual license, and you must heed item 3 from both the "OpenSSL License" and the "Original SSLeay License". Other than that, just don't include "OpenSSL" in your product name (item 5 in "OpenSSL License") and don't use "OpenSSL Toolkit" or "OpenSSL Project" to endorse or promote your product (item 4 in "OpenSSL License") and you'll be fine. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Binary compatibility between 0.9.7g and 0.9.7h?
In message <[EMAIL PROTECTED]> on Tue, 11 Oct 2005 22:08:35 +0200, "Matthias Buecher / Germany" <[EMAIL PROTECTED]> said: maddes.b> Do I have to apply this to 0.9.8a too? No, this is a 0.9.7h issue only. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Binary compatibility between 0.9.7g and 0.9.7h?
In message <[EMAIL PROTECTED]> on Tue, 11 Oct 2005 21:53:23 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said: levitte> The patch to correct the problem is quite easy, though, and levitte> you can find it attached to this letter. That patch isn't enough, apparently. Follow Andy's directions instead. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Binary compatibility between 0.9.7g and 0.9.7h?
In message <[EMAIL PROTECTED]> on Tue, 11 Oct 2005 10:22:00 -0700, "David Schwartz" <[EMAIL PROTECTED]> said: davids> > I just tried to upgrade from openssl-0.9.7g to 0.9.7h davids> > and noticed that my openssh-4.2p1 server and clients now davids> > crash with segfault with the new openssl shared library! davids> > I tested this on two installations and both had this davids> > problem. davids> davids> We discovered similar problems caused by a change in the size davids> of the EVP_MD_CTX structure. We fixed it by changing code davids> like: davids> davids> EVP_MD_CTX ctx; davids> davids> to davids> davids> EVP_MD_CTX *ctx=EVP_MD_CTX_create(); davids> ... davids> EVP_MD_CTX_destroy(ctx); Correct analysis. What's happened is that the FIPS functions for SHA224, SHA256, SHA384 and SHA512 were added. They require a larger EVP_MAX_MD_SIZE. The functions were wrapped with an #ifdef OPENSSL_FIPS, while EVP_MAX_MD_SIZE was forgotten in that process. To say it straight out, we fucked up! The patch to correct the problem is quite easy, though, and you can find it attached to this letter. My recommendation is to apply that patch unconditionally. The security issue that caused the release of 0.9.7h is serious enough not to disregard this release and instead go through the hoops of applying an extra patch. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~levitte/ Index: crypto/evp/evp.h === RCS file: /e/openssl/cvs/openssl/crypto/evp/evp.h,v retrieving revision 1.86.2.19 diff -u -r1.86.2.19 evp.h --- crypto/evp/evp.h17 May 2005 19:48:42 - 1.86.2.19 +++ crypto/evp/evp.h11 Oct 2005 19:51:13 - 
@@ -132,7 +132,11 @@ #define EVP_CAST5_KEY_SIZE 16 #define EVP_RC5_32_12_16_KEY_SIZE 16 */ +#ifdef OPENSSL_FIPS #define EVP_MAX_MD_SIZE64 /* longest known SHA512 */ +#else +#define EVP_MAX_MD_SIZE(16+20) /* The SSLv3 md5+sha1 type */ +#endif #define EVP_MAX_KEY_LENGTH 32 #define EVP_MAX_IV_LENGTH 16 #define EVP_MAX_BLOCK_LENGTH 32
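Review bot: In the `#else` branch, `EVP_MAX_MD_SIZE` goes back to `(16+20)`, so the constant now depends on whether `OPENSSL_FIPS` was defined when each side was compiled: a caller built without it sizes its digest buffers at 36 bytes, while a build with it allows the 64-byte SHA512 digest named in the other branch's comment. I'd add a comment above the `#ifdef` saying that applications and libcrypto must be built with the same `OPENSSL_FIPS` setting and that the 36-byte value is kept for the sake of binaries compiled against the earlier header. The hunk only touches the macro, so it would also be worth confirming that no non-FIPS code path can write more than 36 bytes into a buffer sized with it.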
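The size mismatch analysed in this message, as an added example that is not part of the original thread or of OpenSSL: a self-contained C simulation using constructed stand-in structs (`ctx_old`, `ctx_new`) and hypothetical `lib_ctx_*` functions, where only the two sizes, `(16+20)` and 64, are taken from the patch. It counts how many bytes beyond the caller's storage are written when the caller reserves the context itself, compared with letting the library allocate it as in the `EVP_MD_CTX_create()` pattern David Schwartz describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins, not OpenSSL's real definitions. Only the two
 * sizes come from the thread's patch: (16+20) and 64. */
#define OLD_MAX_MD_SIZE (16 + 20) /* header the application was built with */
#define NEW_MAX_MD_SIZE 64        /* header the upgraded library was built with */

/* The same context as seen by each side after the shared library upgrade. */
struct ctx_old { int type; unsigned char md[OLD_MAX_MD_SIZE]; };
struct ctx_new { int type; unsigned char md[NEW_MAX_MD_SIZE]; };

#define CANARY 0x5C
#define ARENA_SIZE (sizeof(struct ctx_new) + 32)

/* Hypothetical library routine: initialises a context using the library's
 * own idea of its size, whoever provided the memory. */
static void lib_ctx_init(void *ctx)
{
    memset(ctx, 0xAA, sizeof(struct ctx_new));
}

/* Hypothetical opaque constructor: the library allocates, so the only
 * sizeof that is ever used is the library's. */
static void *lib_ctx_create(void)
{
    void *ctx = malloc(sizeof(struct ctx_new));
    if (ctx != NULL)
        lib_ctx_init(ctx);
    return ctx;
}

static void lib_ctx_destroy(void *ctx)
{
    free(ctx);
}

/* Count canary bytes at offsets >= owned that were overwritten. The arena
 * stands for the caller's stack frame; 'owned' is the part the caller
 * believes it reserved for the context. */
static size_t clobbered_beyond(const unsigned char *arena, size_t owned)
{
    size_t i, n = 0;
    for (i = owned; i < ARENA_SIZE; i++)
        if (arena[i] != CANARY)
            n++;
    return n;
}

/* Case 1: the caller reserves sizeof(struct ctx_old), as a stack
 * declaration compiled against the old header would, and the upgraded
 * library initialises it. The arena is large enough that the simulation
 * itself stays within bounds. */
size_t clobbered_with_caller_storage(void)
{
    unsigned char arena[ARENA_SIZE];
    memset(arena, CANARY, sizeof(arena));
    lib_ctx_init(arena);
    return clobbered_beyond(arena, sizeof(struct ctx_old));
}

/* Case 2: the caller keeps only a handle; the context lives in memory the
 * library sized. Returns (size_t)-1 if allocation fails. */
size_t clobbered_with_library_storage(void)
{
    unsigned char arena[ARENA_SIZE];
    void *ctx;
    memset(arena, CANARY, sizeof(arena));
    ctx = lib_ctx_create();
    if (ctx == NULL)
        return (size_t)-1;
    memcpy(arena, &ctx, sizeof(ctx)); /* the caller's frame holds the pointer only */
    lib_ctx_destroy(ctx);
    return clobbered_beyond(arena, sizeof(ctx));
}

int main(void)
{
    printf("caller sees %zu bytes, library uses %zu bytes\n",
           sizeof(struct ctx_old), sizeof(struct ctx_new));
    printf("caller-allocated context: %zu bytes written past it\n",
           clobbered_with_caller_storage());
    printf("library-allocated context: %zu bytes written past the handle\n",
           clobbered_with_library_storage());
    return 0;
}
```

In a real process the bytes written past the caller's context are neighbouring stack variables or saved registers, which is consistent with the segfaults reported in the thread.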
Re: question on linking dynamic engines
In message <[EMAIL PROTECTED]> on Wed, 5 Oct 2005 21:25:34 -0700 (PDT), Anil Gunturu <[EMAIL PROTECTED]> said: anil_gunturu> How do I link the dynamic engine "so" and the library anil_gunturu> that the hardware vendor provides? For example, if I am anil_gunturu> using the ibmca engine in the demos directory it seem to anil_gunturu> generate the libibmca.so. Looks like this path needs to anil_gunturu> be provided to the engine as SO_PATH. But, how I anil_gunturu> actually link to the hardware library? You don't. It's loaded by libcrypto in run-time. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: AES test code
In message <[EMAIL PROTECTED]> on Wed, 21 Sep 2005 16:08:44 +0530, joseph k j <[EMAIL PROTECTED]> said:

ark.papers> Why is there no unit test code available for AES, in
ark.papers> crypto/aes.

We use the newer EVP tester. See crypto/evp/evp_test.c and crypto/evp/evptests.txt.

ark.papers> 1. I assume that the aes code has the same naming
ark.papers>    conventions as for des. (ie DES_ will change to AES_)

There's no such guarantee. You have to look at each crypto implementation separately.

ark.papers> 2. I need to change the test vectors as per fips-197.

There are already such vectors in evptests.txt.

Cheers,
Richard
Re: Different versions of OpenSSL
In message <[EMAIL PROTECTED]> on Tue, 20 Sep 2005 13:49:12 -0300, "Cleidson" <[EMAIL PROTECTED]> said:

cleidson> I use Linux 2.6.5, OpenSSL 0.9.7 and OpenVPN 2.0.
cleidson> Now I want to use OpenVPN with OpenSSL 0.9.8, but keeping
cleidson> other applications using OpenSSL 0.9.7.
cleidson> Does someone know how to do that?

Depends. Some Linuxen have OpenSSL packages that are made in such a way that several versions of the run-time library can co-exist side by side. On others, I simply dunno.

Another option, if you want to use shared libraries, is to make sure the installation trees differ, at least for the binaries. The configure script for OpenSSL takes a --prefix that you can use for such purposes.

A third option is to keep the standard OpenSSL in your Linux installation at 0.9.7, and keep a private build of OpenSSL 0.9.8 against which you link OpenVPN statically.

There are certainly more possibilities. Only your imagination and common sense are your limits.

Good luck!
Richard
Re: What does Outlook 2003 look for in a S/MIME cert?
In message <[EMAIL PROTECTED]> on Wed, 31 Aug 2005 07:11:28 +1200, Jason Haar <[EMAIL PROTECTED]> said: Jason.Haar> Richard Levitte wrote: Jason.Haar> Jason.Haar> > Jason Haar writes: Jason.Haar> > Jason.Haar> >> ... *IT CAN'T READ THE "SENT ITEMS" COPY OF THE EMAIL Jason.Haar> >> IT JUST SENT* Jason.Haar> > Jason.Haar> > My first thought is that OutLook may have stored the Jason.Haar> > encrypted mail in the Sent Items folder... Jason.Haar> Jason.Haar> No - that's not it. ... In that case, I'm as clueless as you are... I don't use OutLook, so I'm not much help... Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: undefined symbol: X509_free
In message <[EMAIL PROTECTED]> on Tue, 30 Aug 2005 08:07:03 +0530, Toney Samuel <[EMAIL PROTECTED]> said: toney.samuel> i have downloaded openssl-0.9.8.tar.gz. I untared it then configured toney.samuel> it with these switches toney.samuel> ./config --prefix=/usr/local shared zlib-dynamic toney.samuel> then did make and make install toney.samuel> toney.samuel> i had apache httpd-2.0.53.tar.gz also untared it then used these toney.samuel> switches to configure toney.samuel> ./configure --enable-deflate --enable-usertrack --enable-auth-dbm toney.samuel> --enable-mime-magic \ toney.samuel> --enable-expires -disable-autoindex --enable-so --enable-cern-meta toney.samuel> --enable-ssl \ toney.samuel> --enable-mods-shared=ssl --with-ssl=/usr/local/bin toney.samuel> then did make and make install I doubt your value for --with-ssl... Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: undefined references compiling demo program
In message <[EMAIL PROTECTED]> on Fri, 19 Aug 2005 16:51:59 -0700, "Kevin L. King" <[EMAIL PROTECTED]> said:

kevink> I installed OpenSSL 0.9.8 on Fedora in the default
kevink> /usr/local/ssl directory. I tried compiling mkcert.c in the
kevink> ../openssl-0.9.8/demos/x509 directory like this:
kevink>
kevink> gcc -lcrypto -lssl -L/usr/local/ssl/lib -I/usr/local/ssl/include mkcert.c

Incorrect order of arguments. You want this:

    gcc -L/usr/local/ssl/lib -I/usr/local/ssl/include mkcert.c -lssl -lcrypto

Cheers,
Richard
Re: Can't to find .so libraries
In message <[EMAIL PROTECTED]> on Wed, 10 Aug 2005 18:24:54 +0200 (CEST), Johnny Gonzalez <[EMAIL PROTECTED]> said:

johnnygonzalezl> Hello Richard,
johnnygonzalezl>
johnnygonzalezl> I have just done it, a friend told me to add the
johnnygonzalezl> shared option to the config command, like this:
johnnygonzalezl> ./config shared

Oh, that's what was wrong! Hmm, that's really a bug, those modules should be built if there's shared library support, period... I guess I've got some work cut out for myself... Thanks!

Cheers,
Richard
Re: Can't to find .so libraries
In message <[EMAIL PROTECTED]> on Wed, 10 Aug 2005 03:27:23 +0200 (CEST), Johnny Gonzalez <[EMAIL PROTECTED]> said: johnnygonzalezl> > Hmm? It should, in the engines/ directory. johnnygonzalezl> Well, I don't know if I did it wrong, but I didn't johnnygonzalezl> find the libraries in the downloads I have. johnnygonzalezl> I downloaded: johnnygonzalezl> - openssl-0.9.8.tar.gz, untar, compile it: ./config, johnnygonzalezl> make, make install, In none of these steps I found johnnygonzalezl> the libraries. johnnygonzalezl> Are you sure it is located there? johnnygonzalezl> Which distribution should I download to have my johnnygonzalezl> library? Ah, I forgot it had changed name. libchil.so The reason is that nCipher actually defined an API that they thought was going to become generally accepted. They called it CHIL, and we honored that by changing the internal name of the module a very long time ago. With 0.9.8, the shared module file name has to contain the internal name of the module (poor mans security :-)). Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Can't to find .so libraries
In message <[EMAIL PROTECTED]> on Tue, 9 Aug 2005 03:45:01 +0200 (CEST), Johnny Gonzalez <[EMAIL PROTECTED]> said: johnnygonzalezl> > Hmm, maybe you should ask the OpenCA folks? They johnnygonzalezl> > may be counting on OpenSSL 0.9.8, which does indeed johnnygonzalezl> > contain that shared library. johnnygonzalezl> johnnygonzalezl> so OpenSSL 0.9.8 has the library? I downloaded it but johnnygonzalezl> I didn't find it :-( Hmm? It should, in the engines/ directory. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Can't to find .so libraries
In message <[EMAIL PROTECTED]> on Tue, 9 Aug 2005 03:29:09 +0200 (CEST), Johnny Gonzalez <[EMAIL PROTECTED]> said: johnnygonzalezl> Is this the same as that I need. My whole context is johnnygonzalezl> this: I have a CA software (OpenCA) which uses an HSM johnnygonzalezl> (nCipher), in some docs I found that I need to tell johnnygonzalezl> OpenCA config files the location of the library johnnygonzalezl> (libncipher.so) so it can load it dinamically. Hmm, maybe you should ask the OpenCA folks? They may be counting on OpenSSL 0.9.8, which does indeed contain that shared library. johnnygonzalezl> That is the reason I'm looking for the library. So, johnnygonzalezl> there's now another question, the file you mentioned johnnygonzalezl> (librcrypto.a.so) could be used instead of johnnygonzalezl> libncipher.so in my CA's config files? libcrypto.a/libcrypto.so (not librcrypto.so, I misspelled) is one of the two standard OpenSSL libraries (the other is libssl.a/libssl.so). Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Can't to find .so libraries
In message <[EMAIL PROTECTED]> on Tue, 9 Aug 2005 00:24:50 +0200 (CEST), Johnny Gonzalez <[EMAIL PROTECTED]> said: johnnygonzalezl> Hello Richard, johnnygonzalezl> johnnygonzalezl> Thanks a lot for your answer, however I have another johnnygonzalezl> question. johnnygonzalezl> johnnygonzalezl> How can I generate them? You can't, or at least not easily. And if they are already in librcrypto.a.so, why should you bother? Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Can't to find .so libraries
In message <[EMAIL PROTECTED]> on Mon, 8 Aug 2005 22:16:13 +0200 (CEST), Johnny Gonzalez <[EMAIL PROTECTED]> said: johnnygonzalezl> Hello Richard, johnnygonzalezl> johnnygonzalezl> I thought I only needed to download it somewhere in johnnygonzalezl> openssl sources or compile it and generate it. For johnnygonzalezl> example in: johnnygonzalezl> openssl-0.9.7-stable-SNAP-20050801/crypto/engine/ johnnygonzalezl> johnnygonzalezl> I found these files: johnnygonzalezl> hw_ncipher.c johnnygonzalezl> hw_ncipher_err.h johnnygonzalezl> hw_ncipher_err.c johnnygonzalezl> johnnygonzalezl> Can I generate the lib (.so) using these files? or are johnnygonzalezl> them for other tasks? Ah, sorry, got mixed up. Yeah, they are built, but with 0.9.7, they are normally built into libcrypto. It's different in 0.9.8, where the built-in engines modules reside in their own directory (engines/) and are built into individual shared libraries. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Can't to find .so libraries
In message <[EMAIL PROTECTED]> on Mon, 8 Aug 2005 20:32:09 +0200 (CEST), Johnny Gonzalez <[EMAIL PROTECTED]> said:

johnnygonzalezl> Can anyone tell me where can I find a library I need?
johnnygonzalezl> I need the libncipher.so library, but I can't find
johnnygonzalezl> it. Where should I look for it?

You get it from your hardware vendor, nCipher.

Cheers,
Richard

Re: Permission to link OpenSSL
In message <[EMAIL PROTECTED]> on Tue, 26 Jul 2005 08:59:01 -0400, Charles Gagnon <[EMAIL PROTECTED]> said:

charlesg> I help maintain wput, a command-line ftp-client that looks
charlesg> like wget but instead of downloading, uploads files or whole
charlesg> directories to remote ftp-servers (http://wput.sourceforge.net/).
charlesg>
charlesg> Our latest release candidate uses OpenSSL. Before we release
charlesg> it, we want to make sure we are following whatever
charlesg> legalities OpenSSL requires. Currently, the wput code is under
charlesg> GPL and ships with a copy of "GNU GENERAL PUBLIC LICENSE",
charlesg> Version 2, June 1991.
charlesg>
charlesg> If anything else should be requested or included with the
charlesg> source to make us square with OpenSSL, please let me know.

From an OpenSSL point of view, there is no problem. However, the GNU project defines OpenSSL as incompatible with the GPL, as you can see on http://www.gnu.org/licenses/license-list.html#GPLIncompatibleLicenses (you need to scroll down a little bit).

I believe the solution that has been offered so far is to add a note below the copyright statement in each file, saying it is allowed to link your source with OpenSSL. You might want to ask RMS or anyone else in the GNU community, but be prepared that they will try to push you to use GNUtls instead. Whether you do so or not is, of course, your choice.

Cheers,
Richard

Re: Setting HWCryptoHook_InitInfo structure for HWCRHK/CHIL library
In message <[EMAIL PROTECTED]> on Mon, 11 Jul 2005 10:35:32 +0200, Bartek Palak <[EMAIL PROTECTED]> said:

bartek> How to force HWCRHK library to use "my" getphystoken and
bartek> getpassphrase functions?

Sounds like you're about to write your own engine...

Cheers,
Richard

Re: Batch mode for ENGINE_load_private_key
In message <[EMAIL PROTECTED]> on Mon, 11 Jul 2005 10:06:03 +0200, Bartek Palak <[EMAIL PROTECTED]> said:

bartek> I have tried to implement UI_METHOD doesn't ask for the pass
bartek> phrase. But in case of any errors (e.g. no card inserted,
bartek> incorrect pass)

Complaints like no card inserted and the like are sent to the output stream, aren't they? That's handled by hwcrhk_log_message(). Otherwise, I'm not entirely sure what exactly isn't working or what is sending out the output that disturbs you.

bartek> HWCRHK/CHIL library still requires interaction with user - it
bartek> just writes an error string and waits for user reaction.

Well, it will wait for something for sure. After all, if there's no card or the pin you entered is incorrect, it can't do much work, can it?

bartek> To emulate user reaction I will need knowledge what error
bartek> event took place. Is it possible to get such knowledge just
bartek> by examining "string type" of UI_STRING argument passed to ui
bartek> methods?

Depends a little on the behavior of the CHIL interface... I haven't had a box to play with since 2001, so I can't really tell.

Cheers,
Richard

Re: openssl-0.9.8 will not compile on MinGW
In message <[EMAIL PROTECTED]> on Wed, 6 Jul 2005 18:53:43 +0200, "Frank Buttner" <[EMAIL PROTECTED]> said:

frank-buettner> What data do you need. Can I send you the full output
frank-buettner> of the compiling process?

Configuration and compilation, yes please.

Cheers,
Richard

Re: openssl ocsp request , serial number
In message <[EMAIL PROTECTED]> on Wed, 6 Jul 2005 09:07:23 -0700, "Choudhary, Bimalendu" <[EMAIL PROTECTED]> said:

bchoudhary> 2) When I send the serial number 0x81 the der encoded
bchoudhary>    serial number is
bchoudhary>
bchoudhary> 02 02 00 81
bchoudhary>
bchoudhary> 4) When I send the serial number 0x8111 the der encoded
bchoudhary>    serial number is
bchoudhary>
bchoudhary> 02 03 00 81 11
bchoudhary>
bchoudhary> The problem here is that in case 2) and 4) there is an
bchoudhary> extra byte 00 appended in front of the actual serial
bchoudhary> number given in the command line.
bchoudhary>
bchoudhary> Can any one tell me why the length is being increased and
bchoudhary> an extra 00 is added in front of the serial number in this
bchoudhary> two cases.
bchoudhary>
bchoudhary> It happens for any serial number starting with hex digit 8
bchoudhary> or above and number of digit in the serial number is even.

ASN.1 Complete (downloadable from http://www.oss.com/asn1/larmouth.html), Section 3.3 (Encoding an INTEGER value) explains it. Basically, the integer is a 2-complement value. This means '02 01 81' would be interpreted as (decimal) -127, while '02 02 00 81' is correctly interpreted as (decimal) 129.

Cheers,
Richard

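The leading 00 octet discussed in the message above, as an added example that is not part of the original thread: a small DER INTEGER encoder and strict decoder reproducing both serial numbers from the question. The function names are hypothetical and do not come from OpenSSL.

```python
"""DER INTEGER content octets are a two's-complement number (added example)."""


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode_integer(value: int) -> bytes:
    """Encode an int as tag 0x02, length, minimal two's-complement content."""
    # One bit is reserved for the sign on top of the magnitude bits, so a
    # value such as 0x81, whose magnitude fills all 8 bits of an octet,
    # spills into a second octet and is written as 00 81.
    magnitude_bits = (value if value >= 0 else ~value).bit_length()
    content = value.to_bytes(magnitude_bits // 8 + 1, "big", signed=True)
    return b"\x02" + der_length(len(content)) + content


def der_decode_integer(data: bytes) -> int:
    """Decode one DER INTEGER, rejecting padded (non-minimal) encodings."""
    if len(data) < 3 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        count = first & 0x7F
        if count == 0 or len(data) < 2 + count:
            raise ValueError("bad length octets")
        length = int.from_bytes(data[2:2 + count], "big")
        offset = 2 + count
        if length < 0x80 or data[2] == 0:
            raise ValueError("length is not minimally encoded")
    content = data[offset:]
    if length == 0 or len(content) != length:
        raise ValueError("content length mismatch")
    # DER forbids padding: the first nine bits may not be all 0 or all 1.
    if length > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


def encode_serial_hex(serial_hex: str) -> str:
    """Encode a non-negative serial given as hex digits; return spaced hex."""
    return der_encode_integer(int(serial_hex, 16)).hex(" ")


if __name__ == "__main__":
    for serial in ("7f", "81", "811", "8111"):
        print(f"serial 0x{serial:<5} -> {encode_serial_hex(serial)}")
    # The same content octet without the 00 prefix is a negative number.
    print(der_decode_integer(bytes.fromhex("020181")))    # -127
    print(der_decode_integer(bytes.fromhex("02020081")))  # 129
```

A parser that treats the content octets as unsigned will compare serial numbers incorrectly whenever the top bit is set, which is why the sign handling matters when matching OCSP or CRL entries.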
Re: Shamir Secret Sharing in OpenSSL?
In message <[EMAIL PROTECTED]> on Wed, 06 Jul 2005 12:00:24 -0300, Rafael Cividanes <[EMAIL PROTECTED]> said:

rafacividanes> I was looking this discussion you have
rafacividanes> mentioned. But for my application I just need a free
rafacividanes> secure implementation of Shamir's Secret Sharing
rafacividanes> algorithm. Then I'd like to know if any implementation
rafacividanes> like that (free) exists in OpenSSL project or in
rafacividanes> another one.

OpenSSL doesn't have any secret sharing scheme yet. The only free implementation that I found while googling today was http://www.buttsoft.com/~silly/software/tontine/

Cheers,
Richard

[ANNOUNCE] OpenSSL 0.9.8 released
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL version 0.9.8 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8 of our open source toolkit for SSL/TLS. This new OpenSSL version is a major release and incorporates many new features as well as major fixes compared to 0.9.7x. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES .

The most significant changes are:

o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library.
o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions.
o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE.
o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file.
o Added support for ASN.1 indefinite length constructed encoding.
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared.
o Rework of the passing of parameters from one Makefile to another.
o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories.
o New structure and ASN.1 functions for CertificatePair.
o Changed the ZLIB compression method to be stateful.
o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument.
o New engine module: GMP (performs private key exponentiation).
o New engine module: VIA PadLock ACE extension in VIA C3 Nehemiah processors.
o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2.
o Added support for certificate policy mappings, policy constraints and name constraints.
o Added support for multi-valued AVAs in the OpenSSL configuration file.
o Added support for multiple certificates with the same subject in the 'openssl ca' index file.
o Make it possible to create self-signed certificates using 'openssl ca -selfsign'.
o Make it possible to generate a serial number file with 'openssl ca -create_serial'.
o New binary search functions with extended functionality.
o New BUF functions.
o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused within OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME processing.
o Added the possibility to compile without old deprecated functionality with the OPENSSL_NO_DEPRECATED macro or the 'no-deprecated' argument to the config and Configure scripts.
o Constification of all ASN.1 conversion functions, and other affected functions.
o Improved platform support for PowerPC.
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation.
o Major overhaul of RC4 performance on Intel P4, IA-64 and AMD64.
o Changed the Configure script to have some algorithms disabled by default. Those can be explicitly enabled with the new argument form 'enable-xxx'.
o Change the default digest in 'openssl' commands from MD5 to SHA-1.
o Added support for DTLS.
o New BIGNUM blinding.
o Added support for the RSA-PSS encryption scheme
o Added support for the RSA X.931 padding.
o Added support for BSD sockets on NetWare.
o Added support for files larger than 2GB.
o Added initial support for Win64.
o Added alternate pkg-config files.

We consider OpenSSL 0.9.8 to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 0.9.8 is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-0.9.8.tar.gz
  MD5 checksum: 9da21071596a124acde6080552deac16
  SHA1 checksum: 7350b0f0d1a6d257cb24b9d4dc5e30b80e49d6ac

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8.tar.gz
    openssl sha1 < openssl-0.9.8.tar.gz

Yours, The OpenS
Re: Creating certs for others (without their private keys)
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 17:16:31 -0400, Uri <[EMAIL PROTECTED]> said:

urimobile> /At least two demoCA scripts - CA and CA.pl

CA.sh and CA.pl both do the same wrong thing, bundle the private key with the CSR (Certificate Signature Request or something like that, described in PKCS #10, and what 'openssl req' mainly produces) in newreq.pem. I'm changing that for OpenSSL 0.9.8 and on.

Cheers,
Richard

Re: Creating certs for others (without their private keys)
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 13:41:17 -0400, Uri <[EMAIL PROTECTED]> said:

urimobile> Richard Levitte - VMS Whacker wrote:
urimobile>
urimobile> >>> >What makes you think the private key is included?
urimobile> >urimobile>
urimobile> >urimobile> The fact that Windows XP machine (into which I
urimobile> >urimobile> load the created cert) claims to now have the
urimobile> >urimobile> private key for it.
urimobile> >
urimobile> >Uhmmm, in a X.509 PKI, you need a key pair (private and
urimobile> >public key) to have it work at all. In Windows, the
urimobile> >computer stores them for you. Where did you think the
urimobile> >private keys would be stored? In your head? Are you
urimobile> >willing to remember and type 1024 or more bits (in
urimobile> >whatever format)? Thought not...
urimobile> >
urimobile> Look, I'd be very obliged if you took the trouble to
urimobile> understand the actual questions before jumping the gun with
urimobile> answers that are less than helpful.

Well, considering the small amount of facts you actually gave, you can't be surprised that I had to use my imagination to try to understand what you had done. Contrary to what you seem to think, it was less than obvious.

Still, my apologies for the tone I used. It was needlessly harsh.

urimobile> For example, you didn't seem to comprehend that CA's
urimobile> (self-signed) cert goes to the Windows box (which is a
urimobile> client and a member of the realm of this CA), and in
urimobile> addition to that - Windows box stores the server's cert,
urimobile> with who it corresponds.

It's fine for any box to store or cache certificates of any kind. Certificates are public data, and only contain a public key.

urimobile> We are NOT talking about key pair that belongs to this
urimobile> Windows box (where private key is necessary). Now I've
urimobile> described it with plenty of details.

Nope:

urimobile> NOW Windows box claims that it holds NOT ONLY the server's
urimobile> public key (which was expected), but ALSO the server's
urimobile> PRIVATE KEY.

This is the first time you said that *another* device's private key ended up on your Windows box. And still, that can't happen because of a CSR, which is what you claimed was at fault.

However, it seems you found something:

urimobile> Also, here's an example of openssl-created "newreq.pem" on
urimobile> my box:

(I assume, BTW, that you used CA.pl here)

urimobile> -----BEGIN RSA PRIVATE KEY-----
urimobile> Proc-Type: 4,ENCRYPTED
urimobile> DEK-Info: DES-EDE3-CBC,D002B0C9C6F377C7
urimobile>
urimobile> wSqix6TJp...
urimobile> .
urimobile> .tuJZYOyg==
urimobile> -----END RSA PRIVATE KEY-----
urimobile> -----BEGIN CERTIFICATE REQUEST-----
urimobile> MIIBqTCC
urimobile> .
urimobile> ..FalOz
urimobile> -----END CERTIFICATE REQUEST-----
urimobile>
urimobile> Looks like it concatenates private key and the actual cert
urimobile> request together.

Yup. I was in disbelief, but just checked CA.pl (which I usually don't use), and saw this really happens. I'd call that a bug, that's not the way it should be, in my opinion (translated: that's completely f*cked!).

urimobile> Thank you. It works. So now I'll need to dig up the exact
urimobile> format of X.509 cert.

The quickest way to find that information is by reading RFC3280.

Cheers,
Richard

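The bundling seen in newreq.pem in the message above, as an added example that is not part of the original thread: a PEM scanner that reports which blocks in a file are private key material and re-emits only the certificate request for submission to a CA. All function names are hypothetical, and the sample file is constructed with placeholder bytes rather than real DER.

```python
"""Check what a PEM file really contains before sending it to a CA."""
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
REQUEST_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")


def armour(label, payload, headers=()):
    """Wrap payload bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def pem_blocks(text):
    """Return [(label, headers, payload_bytes)] for every PEM block."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line:  # e.g. "Proc-Type: 4,ENCRYPTED"
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            else:
                b64_lines.append(line)
        blocks.append((label, headers, base64.b64decode("".join(b64_lines))))
    return blocks


def audit_for_ca(text):
    """Sort block labels into what may be sent and what must stay local."""
    report = {"send": [], "keep_private": [], "other": []}
    for label, _headers, _payload in pem_blocks(text):
        if label.endswith("PRIVATE KEY"):
            # Encrypted or not, key material never belongs in a request.
            report["keep_private"].append(label)
        elif label in REQUEST_LABELS:
            report["send"].append(label)
        else:
            report["other"].append(label)
    return report


def extract_request(text):
    """Return only the CSR, re-armoured, so nothing else leaves the host."""
    requests = [b for b in pem_blocks(text) if b[0] in REQUEST_LABELS]
    if len(requests) != 1:
        raise ValueError(f"expected exactly one CSR, found {len(requests)}")
    label, _headers, payload = requests[0]
    return armour(label, payload)


# Constructed sample shaped like the newreq.pem quoted in the thread.
# The payloads are placeholder bytes, not a real key or request.
SAMPLE_NEWREQ = armour(
    "RSA PRIVATE KEY",
    b"constructed-key-bytes" * 4,
    ["Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0000000000000000"],
) + armour("CERTIFICATE REQUEST", b"constructed-csr-bytes" * 4)

if __name__ == "__main__":
    print(audit_for_ca(SAMPLE_NEWREQ))
    print(extract_request(SAMPLE_NEWREQ))
```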
Re: Creating certs for others (without their private keys)
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 00:03:50 -0400, Uri <[EMAIL PROTECTED]> said:

urimobile> Dr. Stephen Henson wrote:
urimobile>
urimobile> >On Sun, Jul 03, 2005, Uri wrote:
urimobile> >
urimobile> >>How do I create a request that doesn't contain private
urimobile> >>key, and how do I sign it? Could you give me an example
urimobile> >>please?
urimobile> >>
urimobile> >What makes you think the private key is included?
urimobile>
urimobile> The fact that Windows XP machine (into which I load the
urimobile> created cert) claims to now have the private key for it.

Uhmmm, in a X.509 PKI, you need a key pair (private and public key) to have it work at all. In Windows, the computer stores them for you. Where did you think the private keys would be stored? In your head? Are you willing to remember and type 1024 or more bits (in whatever format)? Thought not...

urimobile> >The private key needs to be *used* to sign the request but
urimobile> >it is never included.
urimobile> >
urimobile> Could you recommend a verification procedure for me,
urimobile> please?

Look at the CSR you created with a ASN.1 dumper. OpenSSL contains one, and you can basically use it in any output OpenSSL produces:

    openssl asn1parse -in my-csr.pem -i

Since you don't trust OpenSSL, I can also recommend dumpasn1. However, you need to convert your .pem file to pure binary (DER), so something like this gives you the correct output:

    openssl base64 -d < my-csr.pem | dumpasn1 -

If you want further proof, read the standards! For CSRs, it is PKCS #10, which is reproduced in RFC 2986.

Cheers,
Richard

P.S. I purposefully avoid to give you links. I interpret your level of trust as fairly low, so it seems to me it's better that you find things on your own. I encourage you to look around. If my interpretation is wrong, please tell me.

Re: Creating certs for others (without their private keys)
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 00:00:20 -0400, Uri <[EMAIL PROTECTED]> said:

urimobile> Tan Eng Ten wrote:
urimobile>
urimobile> >> But how??? Could you give an example please (of [a]
urimobile> >> creating, and [b] signing a "req")?
urimobile> >
urimobile> > How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)
urimobile>
urimobile> Darn, I thought I explained the problem: openssl "req"
urimobile> seems to require private key of the cert requestor, which
urimobile> defeats the whole idea of PKI. Here's the excerpt of the
urimobile> HOWTO you're referring me to. It is not helpful, sorry -
urimobile> for the above reason (private key necessary).
urimobile>
urimobile> The certificate request is created like this:
urimobile>
urimobile> openssl req -new -key privkey.pem -out cert.csr

OpenSSL, as well as *any* other software that produces CSRs, requires that a private key be *used* to sign the CSR. That does not mean that the private key gets included in the CSR, just the signature. However, the *public* key gets included in the CSR.

So you see, the private key, is necessary, but not for the reasons you seem to imagine. It looks to me like you need to read up on public key cryptography and how a X.509 PKI works. There are books on the subjects.

Cheers,
Richard

Still a few issues. Release delayed...
Hi,

The release is delayed again. There are a couple of issues that I think need to be checked. I hope we'll be through with this in a week.

Cheers,
Richard

Re: Release delayed a few days - 20050624 Success with Mac OS X 10.4.1
In message <[EMAIL PROTECTED]> on Fri, 24 Jun 2005 08:58:29 -0700, Rush Manbert <[EMAIL PROTECTED]> said:

rush> Just tried again with 20050624 snapshot. It built just fine and
rush> successfully ran all the tests.

Great! Thanks! Noted.

Cheers,
Richard

Re: OpenSSL on VMS
Hey Steve,

I guess I'm the one supposed to answer your query :-).

In message <[EMAIL PROTECTED]> on Fri, 24 Jun 2005 09:29:33 -0400 (EDT), Steve Thompson <[EMAIL PROTECTED]> said:

smt> (1) I currently obtain sockets by doing an $ASSIGN to INET0:. I
smt> assume that these sockets cannot be passed to SSL_set_fd(),
smt> since they are VMS channel numbers. At least, I can't get it
smt> to work, even if dividing them by CHANNELSIZE. Do I need to
smt> assign to BG0: instead?

Well, there are actually several ways to handle this. The routines implemented in OpenSSL support BSD socket calls using the UCX or TCP/IP Services libraries or emulation layers. However, nothing stops you from implementing your own BIO that does things the way you want. You might get inspired from [.CRYPTO.BIO]BSS_RTCP.C.

Dividing the channel number with CHANNELSIZE is an error.

smt> (2) I see that OpenSSL makes extensive use of select(). Under
smt> MultiNet, I do not use multinet_select() because it is not
smt> thread safe (I've tried it, and I've seen the source).
smt> Instead I use my own selection routine (which calls
smt> IO$_SELECT). BTW, the UCX version of select() appears to work
smt> properly in a multi-threaded environment. This seems to
smt> indicate that OpenSSL cannot be used with MultiNet in a
smt> threaded environment (unless I change the OpenSSL source to
smt> use my own selection routine). Is this true?

Not sure I understand. When you say "the UCX version", do you mean the real UCX library, or are you talking about the UCX emulation library that comes with MultiNet? In any case, if you find BSD socket calls not to be good enough, create a BIO that suits your needs.

Cheers,
Richard

Release delayed a few days...
Hi all,

Due to a number of last minute reports, the final release of OpenSSL 0.9.8 is delayed a few days to give the affected people a chance to test that the corrections done do fix things as expected.

So please, if you have sent in a report about something failing with one of the 0.9.8 betas, grab a snapshot (tomorrow's, i.e. openssl-0.9.8-stable-SNAP-20050624.tar.gz or later) and try it, to confirm that we fixed your problem and didn't create new ones. And if anyone else wants to run a test, just to see that we didn't break anything on your platform, please do so. In all cases, please tell us how it went, so we know. Same channel as before.

I plan to do the final release on Sunday (26th) or Monday (27th) evening, Swedish time, so time is of the essence.

Thanks,
Richard

[ANNOUNCE] OpenSSL 0.9.8 beta 6 released
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL version 0.9.8 Beta 6 (FINAL!)
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The sixth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

PLEASE TEST THIS RELEASE! This is a final beta. The final release is due very soon, and we would like your help to make this as good a release as ever possible. Among others, base64 decoding needs extra attention (see below).

The file names of the beta are:

o openssl-0.9.8-beta6.tar.gz
  MD5 checksum: e6771df5621169ae616adb3475aac71a
  SHA1 checksum: d5aad452a4a192780ff1990b5c75513eb8408fe2

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta6.tar.gz
    openssl sha1 < openssl-0.9.8-beta6.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the fifth beta, the following has happened:

- Change the DJGPP setup so its DEVRANDOM is defined in e_os.h instead of in the build command line.
- Worked around a DJGPP command line bug during installation of docs.
- Worked out better target selections for BSD ELF.
- Corrected the CPUid code for x86_64.
- Made the base64 decoder a bit more robust.
- We made sure crypto/bn/bn_prime.h is properly built during an update.
- Enhanced the documentation on id_function in threads.pod.
- Added a fallback to software in the CSwift engine.
- Other bug fixes...

Reports and patches should be sent to [EMAIL PROTECTED] Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED] Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox           Nils Larsch       Ulf Möller
    Ralf S. Engelschall   Ben Laurie        Andy Polyakov
    Dr. Stephen Henson    Richard Levitte   Geoff Thorpe
    Lutz Jänicke          Bodo Möller

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCt7G3p6+eePcJRTsRAmHnAJ9YcnbPEj2J48vkBHpZCBQ1vKQI/wCglgM5
wKq2R9+XiFHQS5aumgYaEkE=
=1qsL
-END PGP SIGNATURE-

Rescheduling
Hi,

I've just remade the release schedule a little bit. Originally, OpenSSL 0.9.8 was supposed to be released yesterday. However, due to personal stuff and some issues with the latest beta, the release has been slightly delayed.

So, the final beta will be this evening (Swedish time), and the release is scheduled for Thursday (June 23) evening.

This means that I'm asking for a last effort to help make OpenSSL 0.9.8 as good as it can be. Please test this final beta, and if there are any issue, please tell us. If there are any issues we have forgotten, please remind us!

Actually, there's nothing stopping you from grabbing a snapshot now and try it out :-). You might even find something for us to correct before we release beta 6.

ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-mmdd.tar.gz

(mmdd is really a date, like 20050620)

Release delay
I'm delaying the release of 0.9.8 beta6 until tomorrow (Friday) night. The reason is that I want to test some changes on systems that may be sensitive to them before releasing. I believe that will be better for the release process as a whole.

Cheers,
Richard

Re: mini-ASN.1 compiler 0.9.8-beta5
In message <[EMAIL PROTECTED]> on Thu, 16 Jun 2005 11:51:57 +0200, pana <[EMAIL PROTECTED]> said:

panasa1> The error I get when I use -genstr is:
panasa1>
panasa1> unknown option -genstr
panasa1> asn1parse [options] where options are
panasa1> -inform arg input format - one of DER TXT PEM
panasa1> -in arg input file
panasa1> -out arg output file (output format is always DER
panasa1> -noout arg don't produce any output
panasa1> -offset arg offset into file
panasa1> -length arg length of section in file
panasa1> -i indent entries
panasa1> -dump dump unknown data in hex form
panasa1> -dlimit arg dump the first arg bytes of unknown data in hex form
panasa1> -oid file file of extra oid definitions
panasa1> -strparse offset
panasa1>    a series of these can be used to 'dig' into multiple
panasa1>    ASN1 blob wrappings

That's not 0.9.8-beta5. Try the following command:

    openssl version

Cheers,
Richard

Re: Need objective arguments against double certificate
In message <[EMAIL PROTECTED]> on Tue, 14 Jun 2005 00:14:54 -1000, "coco coco" <[EMAIL PROTECTED]> said:

coconut_to_go> We called it bullshit, and were having a hot debate,
coconut_to_go> most people (the technical people) are opposed to that,
coconut_to_go> saying that there is nothing secure about this scheme.
coconut_to_go> If you want to separate the signature key from the
coconut_to_go> encryption key, you should have 2 keys, and not one key
coconut_to_go> with 2 certificates. This does not make any sense.

Like everyone else, I say this consultant doesn't know what he's talking about (I'm tempted to ask you to tell me who it is, so I can avoid him/her).

Can I suggest a different line of attack, though? It's obvious that confronting the consultant by calling bull doesn't win you any points, so how about simply asking the consultant how, exactly, the double certificate scheme increases security. And do not let yourself be satisfied with a half ass answer.

coconut_to_go> The CEO said he trusts the "security expert", and if we
coconut_to_go> want to change that, we need to come up with better
coconut_to_go> arguments than that.

I'd ask the CEO up front on what grounds he trusts that consultant.

coconut_to_go> But the annoying thing is, the 2 certificates do not
coconut_to_go> even specify usage attributes correctly. And our
coconut_to_go> security expert said it does not matter, we (the
coconut_to_go> programmers) have to figure that out, which cert is
coconut_to_go> used for signature and which one is used for encryption.

This is just further proof that consultant doesn't know squat what he or she is talking about.

Cheers,
Richard
[ANNOUNCE] OpenSSL 0.9.8 beta 5 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 5

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fifth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta5.tar.gz
    MD5 checksum: 4b492a622ca39f0c444c3cabc330933d
    SHA1 checksum: 3524b04490491e1d1674363fac601cd4b002d471

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta5.tar.gz
    openssl sha1 < openssl-0.9.8-beta5.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the fourth beta, the following has happened:

  - Changed -m486 to -march=i486 in Configure.
  - Added a new NetWare target that uses BSD sockets.
  - Propagate INSTALL_PREFIX to inner Makefiles.
  - Make it possible to read files larger than 2GB with the FILE BIO.
  - Enhance cipher suite parsing.
  - Other bug fixes...

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Nils Larsch         Ulf Möller
    Ralf S. Engelschall     Ben Laurie          Andy Polyakov
    Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
    Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCrQdUp6+eePcJRTsRAucGAKC6qdM+dkv49snNHEK6yOsTenuHSgCgjKmr
5dva5K5bwl7Q1HFzgIuyf08=
=Lqig
-----END PGP SIGNATURE-----
[ANNOUNCE] OpenSSL 0.9.8 beta 4 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 4

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fourth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta4.tar.gz
    MD5 checksum: 55268415737b3d21726307d778fdf39e
    SHA1 checksum: 3d2a19de0c7e1972f8a3f0420e6cf9ac35bbaf4f

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta4.tar.gz
    openssl sha1 < openssl-0.9.8-beta4.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the third beta, the following has happened:

  - Ultrix issues are fixed (we think).
  - ia64 issues are fixed (we think).
  - NetWare is updated.
  - More VMS issues are fixed.
  - rpm build issues are fixed (we think).
  - Engine padlock issues are fixed (we think).
  - pqueue should now work a lot better on systems that do not support integer types larger than 32 bits.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller         Ulf Möller
    Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCo6SSp6+eePcJRTsRAoGtAJwOQJxueNPiSaMFJ2Rrc2cvgOHP9gCfaDeF
xKCWTtFoUUfZnYbuwy3B7JI=
=wDna
-----END PGP SIGNATURE-----
[ANNOUNCE] OpenSSL 0.9.8 beta 3 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 3

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The third beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta3.tar.gz
    MD5 checksum: 5353f8c553c3be6835180bfdeb31b5dc
    SHA1 checksum: a8c3624e1dd5fd797fc5e58ea7d0def361fa26e2

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta3.tar.gz
    openssl sha1 < openssl-0.9.8-beta3.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the second beta, the following has happened:

  - the build system has been corrected for systems where the second beta was failing. These contain enhancements for VMS and DJGPP.
  - there has been work to make pqueue and dtls more portable
  - RSA-PSS and RSA-X.931 have been added.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller         Ulf Möller
    Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCm6NTp6+eePcJRTsRAtthAJ9WJrdIXskkIFH7UcUADdbx/s8VOwCeLgQG
X019YLgh1fNpWDYhicjjmGo=
=Z/+m
-----END PGP SIGNATURE-----
Re: Question on ENGINE implementation.
In message <[EMAIL PROTECTED]> on Thu, 26 May 2005 11:34:20 +0100, David Woodroffe <[EMAIL PROTECTED]> said:

dwoodroffe> I am currently trying to use openSSL with an nCipher HSM
dwoodroffe> for signing and verification. At the moment we are using
dwoodroffe> the with-nfast predicate for the application to access the
dwoodroffe> keys and this works fine. However this asks for a
dwoodroffe> passphrase interactively which we do not want rather we
dwoodroffe> would pass it in at startup from an initialisation file
dwoodroffe> (encrypted). I also noticed ENGINE_load_private_key etc
dwoodroffe> use a UI_method prompting for passphrase. Is there any way
dwoodroffe> of initialising the engine and keys etc without any user
dwoodroffe> interaction?

Look for struct pw_cb_data in apps/apps.h and the functions ui_open(), ui_read(), ui_write(), ui_close(), setup_ui_method(), destroy_ui_method() and password_callback() in apps/apps.c in the OpenSSL source code and let yourself get inspired :-).

Cheers,
Richard
[ANNOUNCE] OpenSSL 0.9.8 beta 2 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 2

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The second beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta2.tar.gz
    MD5 checksum: 2c1c0958500a6c4e63b5c13f0f5d0694
    SHA1 checksum: bbe0460154099506484affb49d40ccaefe6ef3d2

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta2.tar.gz
    openssl sha1 < openssl-0.9.8-beta2.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 103 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Since the first beta, the following has happened:

  - the build system has been corrected for systems where the first beta was failing. Enhancements for Cygwin are the most notable.
  - some more platforms have 'no-sse2' by default.
  - there are better checks to see if SHA-512 is built (it won't build on systems that have no support for 64-bit integers).
  - a memory leak in PKCS#7 has been plugged.
  - ECDH and ECDSA have a few enhancements.

We still have problems with BN_ULLONG in crypto/pqueue and the DTLS files. It's being worked on.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller         Ulf Möller
    Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCkquTp6+eePcJRTsRAgKPAKCguxwQdtSwMv2VctoC1Nyo2+WOgQCfeAoE
xS4Cc5davZAbfXEFPEaiphM=
=qCHk
-----END PGP SIGNATURE-----
[ANNOUNCE] OpenSSL 0.9.8 beta 1 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 1

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The first beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta1.tar.gz
    MD5 checksum: edcfbc90cc125a184b88a01bb52c0e08
    SHA1 checksum: 531350515eed47290f50087320fe78176ab1d5a7

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta1.tar.gz
    openssl sha1 < openssl-0.9.8-beta1.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 103 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Some changes aren't quite complete at this time. Most notably, the use of BN_ULLONG in crypto/pqueue and the DTLS files doesn't work on some platforms, for example some 64-bit systems (those using the SIXTY_FOUR_BIT BIGNUM macro).

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller         Ulf Möller
    Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCjPJop6+eePcJRTsRAje7AJwMeYrwRR6QUu7guQ2+gZX33IMy5QCfcbYq
ZkZC7t9z7cfhiR+zeyQHvfs=
=XTtl
-----END PGP SIGNATURE-----
Re: Regarding OpenSSL
This kind of question should go to openssl-users@openssl.org, which is why I only send the response there.

In message <[EMAIL PROTECTED]> on Thu, 5 May 2005 14:26:42 +0530, "Karthik Bodigere" <[EMAIL PROTECTED]> said:

Karthik.Bodigere> I am using OpenSSL library in our web application.
Karthik.Bodigere> But now i am making my web application to support
Karthik.Bodigere> IPV6. So is there any version of openSSL which
Karthik.Bodigere> supports IPV6. If not suggest me the modifications
Karthik.Bodigere> which i have to carry out in giving IPV6 support to
Karthik.Bodigere> OpenSSL.

Right now, OpenSSL has no specific support for IPv6. I've pondered doing something about it, but have come around to yet. Here are the options available for you:

- you can construct your own BIO (there are plenty of examples in crypto/bio, look for the bss_*.c files).
- you can open the socket yourself, you can use the already available file descriptor BIO. See 'man BIO_s_fd'
- you can open the socket yourself, then pass it to OpenSSL with the function SSL_set_fd(). See 'man SSL_set_fd'.

I suspect the last choice is what you really want.

Cheers,
Richard
Re: OpenSSL 0.9.6m or 0.9.7g?
In message <[EMAIL PROTECTED]> on Sat, 30 Apr 2005 11:03:37 -0400, "Scott Galambos" <[EMAIL PROTECTED]> said:

scottg> I noticed that a 0.9.6n has not been released in a long
scottg> time. Is this because it's no longer maintained? Should I be running
scottg> 0.9.7g now instead?
scottg>
scottg> I'm concerned I have a false sense of security now because I've
scottg> been running 0.9.6m for so long without an update.
scottg>
scottg> Linux 2.4, Apache 1.3, OpenSSL 0.9.6m

The 0.9.6 branch hasn't been updated much for a long time. I'd move to 0.9.7g if I was you. That will be maintained for a while in parallel with the upcoming 0.9.8.

Cheers,
Richard
Re: Can anybody share some ENGINE sample code?
In message <[EMAIL PROTECTED]> on Mon, 18 Apr 2005 15:09:36 -0700, Edward Chan <[EMAIL PROTECTED]> said:

echan> Does anybody have some working code that enables the use of
echan> crypto hardware using the ENGINE API's and would be willing to
echan> share it?

Uhmm, there are a few engines in crypto/engine/ as well as in demos/engines/. If those don't help, maybe you need some specific help. I'd like to help, but I can only do so if you tell me what you really need.

Cheers,
Richard
Re: [EMAIL PROTECTED]: X.509 v3 certificates and Sha256, Sha384, Sha512 and RSASSA-PSS]
In message <[EMAIL PROTECTED]> on Wed, 13 Apr 2005 13:06:45 +0200, Lutz Jaenicke <[EMAIL PROTECTED]> said:

Lutz.Jaenicke> From: Kauppinen Pauli <[EMAIL PROTECTED]>
Lutz.Jaenicke> I am trying to verify X.509 v3 certificate with
Lutz.Jaenicke> openssl.exe verify command but I get following error:
Lutz.Jaenicke> - error 7 at 0 depth lookup:certificate signature failure
Lutz.Jaenicke>
Lutz.Jaenicke> I am using following environment:
Lutz.Jaenicke> - OpenSSL 0.9.7d
Lutz.Jaenicke> - Windows NT
Lutz.Jaenicke>
Lutz.Jaenicke> Are the following signatures supported in OpenSSL ?
Lutz.Jaenicke> - RSASSA-PKCS1-V1_5 with Sha256, Sha384 and Sha512

In OpenSSL 0.9.8, I believe. Since you're using 0.9.7d (you should upgrade!), the answer for you is no.

Lutz.Jaenicke> - RSASSA-PSS

Not that I know of, at least yet.

Cheers,
Richard
Re: cbc3_enc.c usage
In message <[EMAIL PROTECTED]> on Wed, 13 Apr 2005 10:43:13 +0300, "Israel Viente" <[EMAIL PROTECTED]> said:

israel_viente> I wanted to use cbc3 encryption but saw the following
israel_viente> in openssl-0.9.7f\crypto\des:
israel_viente>
israel_viente> 1) In FILE0 - "cbc3_enc.c - des_3cbc_encrypt() source, don't use
israel_viente> this function."
israel_viente>
israel_viente> 2) In cbc3_enc.c - "/* HAS BUGS! DON'T USE - this is only present for use in
israel_viente> des.c */"
israel_viente>
israel_viente> Are these comments up to date?

I assume so, not having looked much further.

israel_viente> Is it reliable to use cbc3 encryption with the openssl?

Yes. Really, the best way to use crypto functionality in OpenSSL is through the EVP interface. However, if you must go low level, take a look at DES_ede2_cbc_encrypt() and DES_ede3_cbc_encrypt(). There's a manual page.

Cheers,
Richard
[ANNOUNCE] OpenSSL 0.9.7g released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.7g released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.7g of our open source toolkit for SSL/TLS. This new OpenSSL version is mainly a bugfix release and incorporates changes and bugfixes to the toolkit, but it also contains the new processing of proxy certificates (RFC 3820). For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES .

The most significant changes are:

  o More compilation issues fixed.
  o Adaptation to more modern Kerberos API.
  o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
  o Enhanced x86_64 assembler BIGNUM module.
  o More constification.
  o Added processing of proxy certificates (RFC 3820).

We consider OpenSSL 0.9.7g to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.7g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.7g.tar.gz
    MD5 checksum: 991615f73338a571b6a1be7d74906934
    SHA1 checksum: 008511ec9f0bcda4a431c3f0a0827e535b8c5c93

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.7g.tar.gz
    openssl sha1 < openssl-0.9.7g.tar.gz

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller         Ulf Möller
    Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCWpwNp6+eePcJRTsRApIBAJwK431ohe5S0Z858ZQVq+9cduG1fwCgl60w
FNrImhvazY+w+bREYoFy4Ok=
=Y6xS
-----END PGP SIGNATURE-----
Re: SSL != HTTPS ???
In message <[EMAIL PROTECTED]> on Fri, 01 Apr 2005 10:10:58 -0500, Joe Flowers <[EMAIL PROTECTED]> said:

flowers> Please help me understand what's going on.

I think the first thing you should do is take a look at the TLS (TLS is basically the newer version of SSL) specification, RFC 2246. It explains the mechanisms used while communicating using SSL or TLS.

flowers> I've successfully used OpenSSL (latest released version -
flowers> 0.9.7f) to communicate with a https:// site. (See my
flowers> pseudo-code at the bottom of this message.) However, nowhere
flowers> in my code is a public key for the https:// site specified.

That is correct. Ever used SSH? It basically works using the same principles. Roughly speaking, the principle is as follows:

- the server is sending its public key to the client (your program), plus a challenge (some random data, usually).
- the client (your program) then computes a response to the challenge, encrypts it using the received public key and sends the result back to the server.
- the server decrypts the received message using its own private key, and checks that the contents is what it expects.
- both client and server compute a session key using the challenge and response that were just passed back and forth.
- both client and server set up encryption on the communication channel, using the session key as encryption key.

If I missed something, I'm sure someone will hit me over the head with a bat. That's OK, as long as it's a nerf bat :-).

flowers> If this is so, then I assume my OpenSSL client could, at
flowers> that point, try to do some checks on that public key to see
flowers> if it's a regular, valid SSL certificate as given by
flowers> Verisign, et. al.?

yes.

flowers> If this current setup is "weak" or "insecure", what can be
flowers> done at the server-side to tell my client to "grow up or get
flowers> lost"?

Yes, require that the client present a client certificate. That's up to the server.

Cheers,
Richard
Re: compiling openssl with zlib support on win32
In message <[EMAIL PROTECTED]> on Fri, 1 Apr 2005 14:57:34 +1000, "Louis Solomon [SteelBytes]" <[EMAIL PROTECTED]> said:

louis> > Hmm, I wouldn't be surprised if we've forgotten to unload the shared
louis> > library for zlib, and thereby created that "leak". Note that the leak
louis> > isn't very important, and a one-time thingy. It's not like it's going
louis> > to grow over time.
louis>
louis> but are you sure? or is this just a guess.

For now, it's just a guess.

Cheers,
Richard
Re: compiling openssl with zlib support on win32
In message <[EMAIL PROTECTED]> on Thu, 31 Mar 2005 21:07:28 +1000, "Louis Solomon [SteelBytes]" <[EMAIL PROTECTED]> said:

louis> I then stick zlib1.dll in the out32 folder, and run
louis> ssltest -zlib
louis> and I get the following output
louis> TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
louis> [12:13:53] 1675 file=.\crypto\dso\dso_lib.c, line=380, thread=1816,
louis> number=6, address=00972580
louis> [12:13:53] 1672 file=.\crypto\dso\dso_lib.c, line=103, thread=1816,
louis> number=36, address=0099A0A0
louis> [12:13:53] 1674 file=.\crypto\stack\stack.c, line=126, thread=1816,
louis> number=16, address=0099A170
louis> [12:13:53] 1673 file=.\crypto\stack\stack.c, line=124, thread=1816,
louis> number=20, address=0099A110
louis> [12:13:53] 1676 file=.\crypto\dso\dso_win32.c, line=262, thread=1816,
louis> number=10, address=0099A208
louis> [12:13:53] 1677 file=.\crypto\dso\dso_win32.c, line=132, thread=1816,
louis> number=4, address=00972570
louis> 92 bytes leaked in 6 chunks
louis>
louis> if I do all the above without the references to zlib, then I
louis> don't get the above leak msgs, but I also don't get zlib :-(

Hmm, I wouldn't be surprised if we've forgotten to unload the shared library for zlib, and thereby created that "leak". Note that the leak isn't very important, and a one-time thingy. It's not like it's going to grow over time.

Cheers,
Richard