RE: Socket left in CLOSE_WAIT state...
Since BIO is creating the SSL object somewhere in the call to BIO_new_ssl_connect(Ctx); the cleanup of the SSL object (SSL_shutdown & SSL_free) may be handled by BIO_free_all()

>> begin
        else printf("BIO_new_ssl_connect failed.\n");

        BIO_free_all(Bio);
        /*
        if (Ssl)
        {
            SSL_shutdown(Ssl);
            SSL_free(Ssl);
        }
        */
<< end

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matthew Allen
Sent: Wednesday, April 21, 2010 7:00 PM
To: openssl-users@openssl.org
Subject: Re: Socket left in CLOSE_WAIT state...

-- Original Message --
To: (openssl-users@openssl.org)
From: Stuart Weatherby (stuart_weathe...@yahoo.ca)
Subject: Re: Socket left in CLOSE_WAIT state...
Date: 22/4/2010 5:18:48a

> Shutdown disables the ability to read, write (or both) on a
> socket. However, shutdown() does not close the socket. To release the
> socket descriptor back to the OS you also need to call closesocket();

This code does what I want:

        int r = 0;
        if ((r = SSL_shutdown(Ssl)) >= 0)
        {
            closesocket(SSL_get_fd(Ssl));
        }

But it seems like an ugly hack. It _should_ close the socket by itself. I'm worried that this leaks some BIO object(s), because clearly if the BIO objects were free'd they'd close their SOCKET. And since that ISN'T happening maybe the BIO object is not being freed [correctly].

> Saju Paul wrote:
> Looks like it needs a BIO_free_all(bio) or something similar.

I tried that before and after the SSL_shutdown call and it just crashes, clearly that's not the "proper" way. Maybe there is a way to disassociate the BIO from the SSL but it seems like a hack rather than a solution.

Thanks for the responses.

PS in investigating these issues I did try and download + build OpenSSL 1.0.0 for myself, hoping to step into the code and see where things went, but after following the instructions to build with Visual C++ I got stuck running a command that never finished. The perl "do_ms" thing would run for hours using up 100% of the core it was running on and just never seem to finish. Ended up killing it and posting on the mailing list instead. Just FYI.

--
Matthew Allen
http://www.memecode.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: Socket left in CLOSE_WAIT state...
Looks like it needs a BIO_free_all(bio) or something similar.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]on Behalf Of Matthew Allen
Sent: Wednesday, April 21, 2010 5:18 AM
To: openssl-users@openssl.org
Subject: Socket left in CLOSE_WAIT state...

Hi,

My code leaves sockets in the CLOSE_WAIT state after I free the SSL connection (running on windows XP with OpenSSL 0.9.8e). After I'm done with the connection I call SSL_shutdown and SSL_free, but that doesn't close the socket on the client side. My code's probably wrong, so tell me what I should change?

#include <stdio.h>
#include <string.h>
#include "windows.h"
#include "openssl/ssl.h"

char Hostname[] = "imap.gmail.com";
int Port = 993;

int main(int args, char **arg)
{
    printf("OpenSSL Test\n");

    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    OpenSSL_add_all_algorithms();

    SSL_CTX *Ctx = SSL_CTX_new(SSLv23_client_method());
    if (Ctx)
    {
        SSL *Ssl = 0;
        BIO *Bio = BIO_new_ssl_connect(Ctx);
        if (Bio)
        {
            BIO_get_ssl(Bio, &Ssl);
            if (Ssl)
            {
                SSL_set_mode(Ssl, SSL_MODE_AUTO_RETRY);
                BIO_set_conn_hostname(Bio, Hostname);
                BIO_set_conn_int_port(Bio, &Port);

                if (BIO_do_connect(Bio) > 0)
                {
                    printf("Connected to '%s' using SSL\n", Hostname);

                    char Data[256];
                    char *Cmd = "A0001 CAPABILITY\r\n";
                    int w = SSL_write(Ssl, Cmd, strlen(Cmd));
                    if (w > 0)
                    {
                        printf("Wrote %i bytes.\n", w);
                        int r = SSL_read(Ssl, Data, sizeof(Data));
                        if (r > 0)
                        {
                            printf("Got %i bytes.\n", r);
                        }
                        else printf("SSL_read failed.\n");
                    }
                    else printf("SSL_write failed.\n");
                }
                else printf("BIO_do_connect failed.\n");
            }
            else printf("BIO_get_ssl failed.\n");
        }
        else printf("BIO_new_ssl_connect failed.\n");

        if (Ssl)
        {
            SSL_shutdown(Ssl);
            SSL_free(Ssl);
        }

        /* At this point I expect the socket should have disappeared, but
           it's still there hanging around in CLOSE_WAIT... why? */

        SSL_CTX_free(Ctx);
    }

    return 0;
}

Thanks
--
Matthew Allen
RE: setting an SSL_accept(...) timeout
On Linux and Solaris, SO_RCVTIMEO and SO_SNDTIMEO need the timeout to be set in a timeval struct and not a DWORD.

Saju

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Adam Grossman
Sent: Sunday, April 04, 2010 4:40 PM
To: openssl-users@openssl.org
Subject: RE: setting an SSL_accept(...) timeout

i have done networking programming for a while, and i have never run across that before. thank you so much, you have just saved me a lot of development time!

-=-
adam grossman

On Sun, 2010-04-04 at 22:34 +0200, PMHager wrote:
> Adam Grossman wrote:
> > thanks for the info, but this is on linux.
>
> The socket interface is almost the same on linux:
>
> #include <sys/socket.h>
>
> int hSocket;
> int dwTimeout=1000; // milliseconds
>
> setsockopt(hSocket,SOL_SOCKET,SO_RCVTIMEO,(void*)&dwTimeout,sizeof dwTimeout);
> setsockopt(hSocket,SOL_SOCKET,SO_SNDTIMEO,(void*)&dwTimeout,sizeof dwTimeout);
>
> [http://linux.die.net/man/3/setsockopt]
>
> Peter-Michael
>
> --
> Peter-Michael Hager - acm senior - HAGER-ELECTRONICS GmbH - Germany
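Saju's correction, as an added example that is not code from the thread: on Linux the 4-byte millisecond value is rejected by setsockopt(), while a struct timeval is accepted and makes a blocking recv() give up after the interval. An AF_UNIX socketpair stands in for the accepted socket that SSL_accept() would be reading from, and the function names are made up for the example.

```c
/* Added example: POSIX socket timeouts take a struct timeval. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Windows-style call from the quoted reply: the option value is a 4-byte
 * millisecond count. Returns 0 if accepted, otherwise the errno value. */
int set_rcvtimeo_int_ms(int fd, int ms)
{
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &ms, sizeof ms) == 0)
        return 0;
    return errno;
}

/* POSIX form: seconds and microseconds in a struct timeval, applied to both
 * directions. Returns 0 on success, otherwise the errno value. */
int set_timeouts_timeval(int fd, int ms)
{
    struct timeval tv;
    tv.tv_sec = ms / 1000;
    tv.tv_usec = (ms % 1000) * 1000;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) != 0)
        return errno;
    if (setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv) != 0)
        return errno;
    return 0;
}

/* Blocking recv() on a socket that never receives data. Returns the elapsed
 * milliseconds if recv() gave up with EAGAIN/EWOULDBLOCK, or -1 otherwise. */
long recv_timeout_elapsed_ms(int fd)
{
    char buf[16];
    struct timeval t0, t1;
    ssize_t n;
    int err;

    gettimeofday(&t0, NULL);
    n = recv(fd, buf, sizeof buf, 0);
    err = errno;
    gettimeofday(&t1, NULL);

    if (n != -1 || (err != EAGAIN && err != EWOULDBLOCK))
        return -1;
    return (long)(t1.tv_sec - t0.tv_sec) * 1000L +
           (long)(t1.tv_usec - t0.tv_usec) / 1000L;
}

int main(void)
{
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        perror("socketpair");
        return 1;
    }
    printf("int milliseconds: errno %d (EINVAL is %d)\n",
           set_rcvtimeo_int_ms(sv[0], 1000), EINVAL);
    printf("struct timeval:   errno %d\n", set_timeouts_timeval(sv[0], 200));
    printf("recv() gave up after %ld ms\n", recv_timeout_elapsed_ms(sv[0]));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```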
RE: Apache "SSL3_ACCEPT:unsafe legacy renegotiation disabled"?
OptRenegotiate - enables avoidance of unnecessary handshakes by mod_ssl which also performs safe parameter checks. It is recommended to enable OptRenegotiate on a per directory basis.

"also performs safe parameter checks" may be the key. Disable it and check if MSIE likes it.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jason Haar
Sent: Thursday, April 01, 2010 6:11 AM
To: openssl-users@openssl.org
Subject: Apache "SSL3_ACCEPT:unsafe legacy renegotiation disabled"?

Hi there

We have a CentOS-4.8 server that was upgraded to httpd-2.0.52-41.ent.7.centos4 this week - along with dependencies like openssl-0.9.7a and openssl096b

At that moment our client-certificate based authentication Webapp broke :-(

It's really weird. Users running Firefox-3.5+ or Chrome are still working fine - but MSIE7 and MSIE8 now get that useless MSIE error page and Apache reports lines like

[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

Obviously this is related to the SSL renegotiation bugfix - but Google cannot find anyone else seeing this - so I'm thinking we have some peculiar to us?

Our Apache config states

SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate

So when you attempt to access https://server/ssl_secure/ - you are asked for your client cert. We have another section of the site that has "SSLVerifyClient optional" and that also triggers the same fault in MSIE - and FF/Chrome work fine :-(

Help?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
RE: SSL renegotiation clarifications
Thank you Patrick.

I'm aware that the SSL Client (SSL_connect) and SSL Server (SSL_accept) can renegotiate an SSL session. But my question is should the Sender (SSL_write) or the Receiver (SSL_read) do the renegotiation?

For ex: if the Sender and Receiver decide to renegotiate either at a size (1G) or a time (2 minute) boundary, would it not result in two renegotiations at the boundary between the server and client? So even if either side can renegotiate; is there a preferred renegotiator? Not sure if that is even a word but I hope you know where I'm going with this...

Saju

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]on Behalf Of Eisenacher, Patrick
Sent: Tuesday, February 02, 2010 9:07 AM
To: 'openssl-users@openssl.org'
Subject: RE: SSL renegotiation clarifications

Hi Saju,

-----Original Message-----
From: Saju Paul

Who as in Sender-encrypter or Receiver-decrypter should renegotiate an SSL session? Can it be both or is it only the Sender? Is there a document that describes the protocol?

Does renegotiation always require SSL handshake? (SSL_do_handshake) Are there any circumstances where the handshake is not necessary? SSL renegotiation described @ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html is a reference I'm planning to use and it suggests that the handshake is necessary. Need reconfirmation.

---

Renegotiation is part of the SSL/TLS protocol and as such defined exactly there. Both client and server can initiate the renegotiation. And yes, renegotiation always triggers a new handshake.

Please be aware that a security weakness was discovered lately in this renegotiation mechanism. A new TLS extension draft was published to close this weakness. Currently, work is ongoing to adapt this extension in the relevant security tools.

HTH,
Patrick
SSL renegotiation clarifications
1. Who as in Sender-encrypter or Receiver-decrypter should renegotiate an SSL session? Can it be both or is it only the Sender? Is there a document that describes the protocol?

2. Does renegotiation always require SSL handshake? (SSL_do_handshake) Are there any circumstances where the handshake is not necessary? SSL renegotiation described @ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html is a reference I'm planning to use and it suggests that the handshake is necessary. Need reconfirmation.
RE: SSL port 990 mainframe ???
SSL on Port 21 usually is Explicit and on 990 Implicit. The difference between the two being that in Explicit the client gets to decide by sending the AUTH command when the SSL handshake happens. On Implicit the SSL handshake happens right after connect.

You could use the command line openssl s_client utility to check where things are breaking down.

$ openssl s_client -connect ftp.zosserver.com:990

_
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Marian Turczyn
Sent: Tuesday, November 03, 2009 8:44 PM
To: openssl-users@openssl.org
Subject: Re: SSL port 990 mainframe ???

Hey thanks so much for the reply. Yes, the tcp/ip port definitions are the same for port 21 as for port 990. Port 21 is working, ftp over ssl/tls ... Port 990 is defined the same within tcp/ip ... I do make a connection after the ftp is initiated, then I get dropped perhaps that is in the omvs segment ??? Not sure ?? ...

Port 21 and 990 imply different things by definition however both should be able to do ftp over ssl/tls and I do have one (21/ssl/tls) working. So what am I missing ?? : {

Thanks for giving my problem some thought !

-m

On 11/3/09 5:04 PM, "William Adams" wrote:

i may not have a clue; but here are a couple of things to check. lots of tcpip profiles run with port reservations. the ftp server has to be configured to listen on 990 which is probably is if the connection is successful. but if it is and the mainframe is running RACF (or equivalent) that defines port access in terms of facility, there should be some error messages in the syslog if that is the problem. the tcpip profile should show you whether or not the privileged port are reserved.

On Tue, Nov 3, 2009 at 2:22 PM, Marian Turczyn wrote:

Hello Folks ...

I have had ssl handshaking (ftp over ssl) on port 21 working between a mainframe running z/OS 1.8 and any platform, aix, windows, linux, no problem. I am now trying to do the same with port 990 and for the life of me cannot get it to work. The connection to port 990 is successful however the host (mainframe) drops my connection immediately. I have tried both implicit & explicit ftps ...

My question is does anyone know anything 'odd' about port 990, ssl and the mainframe ???

Thanks so much to anyone with a clue : }

Marian
RE: openssl s_client and FTPS
FTP SSL operates in two modes.

Explicit SSL - where the FTP Client issues the AUTH command on the clear command channel which results in the server and client performing the SSL handshake to secure the channel.

The other mode, Implicit SSL - the SSL handshake is done as soon as the Client to Server connection is established.

Explicit FTP SSL usually defaults to Port 21 whereas Implicit FTP SSL defaults to Port 990.

With the Curl FTP Client you should be able to connect to the server either in Explicit or Implicit SSL mode, assuming the server supports both modes. With OpenSSL s_client you may be limited to only Implicit SSL; in which case you will need to specify the 990 port at the command line.

- sp panikulam

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of oh...@cox.net
Sent: Sunday, November 01, 2009 9:47 PM
To: openssl-users@openssl.org
Subject: Re: openssl s_client and FTPS

oh...@cox.net wrote:
> Hi,
>
> We're having problems connecting to an FTP server using FTPS (not sftp), and to diagnose the problem, we've been using cURL with openssl. The server is IBM Z/OS FTP server.
>
> When we test with cURL, we are getting:
>
> Info SSLV3, TLS handshake, Client hello (1) Send SSL Data, 95 bytes (0x5f) =hex data===
> Info: SSLV?, Unknown (2)
> Send SSL data, 2 bytes
> : 02 46
> Info: error: 1408F10B: SSL routine:SSL3_GET_RECORD:wrong version number
>
> From various searches, I've gathered that this kind of problem is not uncommon (but I've not found a solution), but I'm also gathering that what is happening is that openssl is returning some error to cURL.
>
> So, I've been trying to see if I use "openssl s_client" by itself, and if openssl might provide more info on what the actual problem might be.
>
> From what I understand, "openssl s_client -starttls ftp" should work, but when we tried it on our system (RHEL) we got a segfault. We checked the openssl version, and it's 0.9.7a, which I understand is a really old version, so we're going to try to get a newer openssl version on the system.
>
> In the meantime, I wanted to elicit some feedback as to whether, in the experience of others here, if we can get "openssl s_client -starttls ftp" working, will that yield more info that might help us figure out what the problem might be?
>
> Thanks in advance!
>
> Jim
>

Hi,

We're kind of guessing that what might be happening is that some firewall or network device between our client machine and the Z/OS FTP machine is causing the server response to the client HELLO to not be returned.

Does anyone know, if that is what might be happening, if that would cause openssl to output what we're seeing, i.e. if openssl doesn't receive a response to the client HELLO, will it display:

Info: error: 1408F10B: SSL routine:SSL3_GET_RECORD:wrong version number

??

Thanks,
Jim
RE: sign/verify kicking my ass
when building php; include the --with-openssl= option - on unix/linux platforms it would look something like...

./configure --with-openssl=[DIR]

does a dynamic bind of libssl & libcrypto libraries. check the built php binary with the ldd command.

Saju

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Goetz Babin-Ebell
Sent: Tuesday, November 25, 2008 4:52 PM
To: openssl-users@openssl.org
Subject: Re: sign/verify kicking my ass

Shaun wrote:
| I'm really going to be using php to encrypt/sign (
| openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions
| from php,

Hm. There must be something wrong here. I'm almost sure that the EVP interface is available to PHP.

Could any PHP user please shed some light ?

| I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just
| a lower level api where as the EVP's are more for the beginner guys like me?

Absolutely. The RSA low level encrypt / decrypt / sign functions are available for special cases for experienced users that really know what they are doing.

For all normal operations there is the EVP (or even the SMIME/PKCS7) interface...

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
RE: how to run gdb in openssl
gdb is a debugger. it is not clear from reading your note why you are trying to debug the openssl command line module.

if what you are trying to do is understand why the client is unable to make the connection to ipaddress:4433; try using the -debug option.

ex: openssl s_client -connect ipaddress:4433 -debug

HTH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of prashanth s joshi
Sent: Tuesday, October 07, 2008 11:43 AM
To: openssl-users@openssl.org
Subject: Fwd: how to run gdb in openssl

Hi all,

Could anyone please tell me how to run the gdb in openssl? In gdb I am running the command as path_of_bin/bin/openssl s_client -connect ipaddress:4433. But i get the error as: Undefined command: "". Try "help". why is it so? How do i ensure that the gdb runs correctly?

Regards,
Prashanth

-- Forwarded message --
From: prashanth s joshi <[EMAIL PROTECTED]>
Date: Tue, Oct 7, 2008 at 6:52 PM
Subject: how to run gdb in openssl
To: openssl-users@openssl.org

Hi all,

could anyone please tell me how to run the gdb in openssl?

Regards,
Prashanth
RE: Installing openssl 0.9.8g in custom location on 64bit SLES 10
Have you checked shared libs with ldd ?

# ldd /app/Apache/e2e01/modules/mod_ssl.so

Also check if ssl and crypto are where they are supposed to be...

# ldconfig -p | grep ssl
# ldconfig -p | grep crypt

Saju

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tim Spangler
Sent: Wednesday, April 09, 2008 12:48 PM
To: openssl-users@openssl.org
Subject: Installing openssl 0.9.8g in custom location on 64bit SLES 10

Hello,

I'm trying to configure openssl 0.9.8g on a 64bit install of SLES 10. I'm using a script that works fine in 32 bit, but doesn't work correctly in 64 bit. The script installs openssl to /app/openssl/0.9.8g with the --shared option, and then adds /app/openssl/0.9.8g/lib to /etc/ld.so.conf and runs ldconfig.

I point an open source Apache build (2.2.8) against this openssl install. In the 32 bit OS install, Apache runs fine. In the 64 bit install, apache errors on start with this error:

Cannot load /app/Apache/e2e01/modules/mod_ssl.so into server: /app/Apache/e2e01/modules/mod_ssl.so: undefined symbol: SSL_CTX_set_info_callback

Unfortunately a google search on "mod_ssl.so: undefined symbol: SSL_CTX_set_info_callback" reveals little information.

I suspect this problem has something to do with running openssl from a non standard location (whatever location is standard in SLES 10, I have no idea -- installing to /usr/local/ssl causes the same problem), but I can't seem to track down what the problem is.

Any help is appreciated, even if it's just a link to a guide that I can follow.

Thanks in advance,
-Tim Spangler
RE: OpenSSL FIPS 1.1.2 on Windows
typo in step 2.

2. Build & Install openssl-fips-1.1.2

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Saju Paul
Sent: Thursday, March 13, 2008 10:37 AM
To: openssl-users@openssl.org
Subject: RE: OpenSSL FIPS 1.1.2 on Windows

On a clean system the build order would be.

1. Build & Install openssl-0.9.7m
2. Build & Install openssl-1.1.2
3. Build & Install openssl-0.9.8g
4. Build your application.

Sorry, wish I had the time in the day to get into specifics.

Saju

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scholl, Ben M.
Sent: Thursday, March 13, 2008 9:47 AM
To: openssl-users@openssl.org
Subject: RE: OpenSSL FIPS 1.1.2 on Windows

So do you need either openssl version 0.9.7m, 0.9.8g, or other to be built on the system before trying to build the FIPS version? How do you link the two versions?

Ben M. Scholl
Ennovex Solutions, Inc.
Software Engineer
DoD PKE Engineering
Phone: 703-933-9064
Fax: 703-933-9067
www.ennovex.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sisyphus
Sent: Thursday, March 13, 2008 9:33 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL FIPS 1.1.2 on Windows

----- Original Message -----
From: "Saju Paul" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 14, 2008 12:11 AM
Subject: RE: OpenSSL FIPS 1.1.2 on Windows

> Here is a clue...you need to have openssl 0.9.7m built & installed on the
> system you are attempting the FIPS build on.
>

I have openssl-0.9.8g. Is it just a matter of linking to those libs ? What would be the requisite './config' command ?

Cheers,
Rob
RE: OpenSSL FIPS 1.1.2 on Windows
On a clean system the build order would be.

1. Build & Install openssl-0.9.7m
2. Build & Install openssl-1.1.2
3. Build & Install openssl-0.9.8g
4. Build your application.

Sorry, wish I had the time in the day to get into specifics.

Saju

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scholl, Ben M.
Sent: Thursday, March 13, 2008 9:47 AM
To: openssl-users@openssl.org
Subject: RE: OpenSSL FIPS 1.1.2 on Windows

So do you need either openssl version 0.9.7m, 0.9.8g, or other to be built on the system before trying to build the FIPS version? How do you link the two versions?

Ben M. Scholl
Ennovex Solutions, Inc.
Software Engineer
DoD PKE Engineering
Phone: 703-933-9064
Fax: 703-933-9067
www.ennovex.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sisyphus
Sent: Thursday, March 13, 2008 9:33 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL FIPS 1.1.2 on Windows

----- Original Message -----
From: "Saju Paul" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 14, 2008 12:11 AM
Subject: RE: OpenSSL FIPS 1.1.2 on Windows

> Here is a clue...you need to have openssl 0.9.7m built & installed on the
> system you are attempting the FIPS build on.
>

I have openssl-0.9.8g. Is it just a matter of linking to those libs ? What would be the requisite './config' command ?

Cheers,
Rob
RE: OpenSSL FIPS 1.1.2 on Windows
Here is a clue...you need to have openssl 0.9.7m built & installed on the system you are attempting the FIPS build on.

HTH - Saju

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sisyphus
Sent: Thursday, March 13, 2008 12:40 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL FIPS 1.1.2 on Windows

>
> ----- Original Message -----
> From: "Scholl, Ben M." <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, March 11, 2008 5:06 AM
> Subject: OpenSSL FIPS 1.1.2 on Windows
>
>
> Hello OpenSSL Team,
>
> I am having difficulty building OpenSSL FIPS 1.1.2 on Windows. I am
> following the directions in the latest User Guide
> <http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf>, and I am running
> into errors with Section 4.3.1 Item 5. I also tried the same procedure with
> OpenSSL FIPS 1.1.1 and have received the same results. My configuration
> is as follows:
>
>
> - Freshly installed and updated Windows XP SP2.
>
> - Installed MingW version 5.1.3

I think I've got the same. I've got gcc-3.4.5. (I think that's what the 5.1.3 installer provides.)

>
> - Installed MSYS version 1.0.10

I have version 1.0.11. I don't think that will make a difference in this case ... but one can never really be sure :-)

>
> - Installed MSYSDTK version 1.0.1 (For Perl)

I haven't installed that - but I do have a perl-5.10.0 that's visible courtesy of my msys etc/fstab file.

>
> - Obtained openssl-fips-1.1.2.tar.gz from openssl.org

Same here

>
> - Un-tarred openssl-fips.1.1.2.tar.gz per instructions (Section
> 4.3.1 Item 3)
>
> The ./config fips command appears to succeed with the following note:
> Configured for mingw.

Same. I ran simply './config'.

However I get a different error during make. For me, the make process runs for quite a long time, but when it comes to build desmovs.exe, I get 18 undefined references as follows:

+ gcc -o fips_desmovs.exe -I.. -I../include -DOPENSSL_SYSNAME_MINGW32 -DOPENSSL_THREADS -DDSO_WIN32 -DOPENSSL_NO_KRB5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall -D_WIN32_WINNT=0x333 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM fips_desmovs.o -LC:/_32/msys/1.0/local/lib -lwsock32 -lgdi32
fips_desmovs.o:fips_desmovs.c:(.text+0xda): undefined reference to `EVP_des_ede3_cfb1'
fips_desmovs.o:fips_desmovs.c:(.text+0x1b7): undefined reference to `EVP_des_ede3_cbc'
fips_desmovs.o:fips_desmovs.c:(.text+0x1d7): undefined reference to `EVP_des_ede3_ofb'
fips_desmovs.o:fips_desmovs.c:(.text+0x1e1): undefined reference to `EVP_des_ede3_cfb64'
fips_desmovs.o:fips_desmovs.c:(.text+0x205): undefined reference to `EVP_CipherInit'
fips_desmovs.o:fips_desmovs.c:(.text+0x23d): undefined reference to `EVP_des_ede3_cfb8'
fips_desmovs.o:fips_desmovs.c:(.text+0x244): undefined reference to `EVP_des_ecb'
fips_desmovs.o:fips_desmovs.c:(.text+0x24b): undefined reference to `EVP_des_cfb1'
fips_desmovs.o:fips_desmovs.c:(.text+0x252): undefined reference to `EVP_des_ede3_ecb'
fips_desmovs.o:fips_desmovs.c:(.text+0x259): undefined reference to `EVP_des_cfb8'
fips_desmovs.o:fips_desmovs.c:(.text+0x260): undefined reference to `EVP_des_ofb'
fips_desmovs.o:fips_desmovs.c:(.text+0x267): undefined reference to `EVP_des_cbc'
fips_desmovs.o:fips_desmovs.c:(.text+0x26e): undefined reference to `EVP_des_cfb64'
fips_desmovs.o:fips_desmovs.c:(.text+0x292): undefined reference to `ERR_print_errors_fp'
fips_desmovs.o:fips_desmovs.c:(.text+0xaea): undefined reference to `DES_set_odd_parity'
fips_desmovs.o:fips_desmovs.c:(.text+0xaf5): undefined reference to `DES_set_odd_parity'
fips_desmovs.o:fips_desmovs.c:(.text+0xb00): undefined reference to `DES_set_odd_parity'
fips_desmovs.o:fips_desmovs.c:(.text+0x1bee): undefined reference to `ERR_load_crypto_strings'
collect2: ld returned 1 exit status

It may be relevant that, in addition to my etc/fstab file pointing to the location of perl and mingw, it also points to an existing openssl build. Here's what that file contains:

c:/home/rob/mingw_vista/i686-pc-mingw32 /mingw
c:/perl510_M/5.10.0 /perl
c:/_32/msys/1.0/local/ssl /openssl

I don't know if the inclusion of 'openssl' in that file has any bearing on the differences we're seeing. Nor do I know why you're getting the error you get - unless it *is* related to the absence of a locatable openssl installation. And I don't know what's needed to resolve those undefined references that I'm getting - though I would think that others on this list might know the answer to that one.

Cheers,
Rob
RE: SSL connections in persistent TCP connection.
TCP Connection: (4 bytes) SYN SYN/ACK ACK
TCP TearDown: (3 bytes) FIN/ACK ACK

7 bytes were considered overhead and optimized on a channel that needs an SSL session. seems hardly worth it...IMO

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Schwartz
Sent: Thursday, February 21, 2008 1:31 PM
To: openssl-users@openssl.org
Subject: RE: SSL connections in persistent TCP connection.

>> This is nearly impossible to do. It's possible that you did it correctly,
>> but very unlikely. The basic problem is this -- when you call 'read' to get
>> the last message of the first session, how do you make sure you also don't
>> get all or part of the first message of the second session?

> I do not think it is very difficult. The application initiates SSL
> sessions sequentially in a established socket connection. One cycle of
> SSL_connect - DataExchange-SSL_shutdown is followed by another cycle of
> SSL_connect - DataExchange-SSL_shutdown. As such there shouldn't be issue of
> session mix up. At least that is what is observed with say 400-500 clients
> connecting to server simultaneously.

It is either designed properly or it's not. You can't validate a design by testing. What makes sure that the last 'read' for the first session doesn't get some of the data for the second session? Either something makes absolutely sure this can't happen, or it can happen, and your design is broken.

> Multiple sessions are tried in a single TCP connect to reduce the
> overhead of TCP handshake and termination if the client wishes to
> do multiple 'new' SSL connects to server.

Right, but they serve a vital purpose. They make absolutely sure that the end of the first session can't be confused with the beginning of the second. If you remove this "overhead", you have to provide this same assurance with some other mechanism. It sounds like you don't.

Do you understand the issue I'm talking about? TCP is a byte-stream that doesn't preserve message boundaries. Nothing stops a call to 'read' made by OpenSSL from getting the last bits of data from the first session and the first bits of data from the second. Then OpenSSL has no place to put the 'leftover' data that is vital to establishing the second session. As a result, the next session can't properly establish. This is most likely to show up under load and is a classic race condition.

> So successful SSL handshakes in persistent connection should be possible
> 'every time'. I do not think it can happen by accident.

You say this, but your design does not make sure. You get lucky a lot and it happens by accident. But you provide no guaranteed separation between the last bits of the first session and the first bits of the second.

> And I do agree with you on significance of improvement. I haven't
> quantified yet the gain in doing connection in persistent TCP.

So you made a premature optimization that has risks you don't understand.

> But server as persistent TCP feature. Some client may wish to communicate
> like that.

Then you need a precise specification that explains in detail how the sessions are separated at the TCP level, and you need to make sure both the client and the server follow that specification.

You are doing this completely wrong, and it is unfortunate that it worked by accident misleading you into thinking what you were doing made some kind of sense. It does not.

By the way, did you do any kind of analysis to make sure this doesn't have security risks? Offhand, I can't think of any way that it would, but I wouldn't trust it without a full evaluation. If both SSL sessions have the same security parameters, tearing down the old one and building up a new one is a pure waste. If they have different security parameters, the possibility that the boundary between the two could be compromised in some way seems to be a threat that needs proper evaluation.

DS
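The boundary problem described in the message above, as an added C simulation (not code from the thread, and it does not call OpenSSL): a stream read returns whatever bytes are queued, so whether session 2 survives depends on where the read happens to stop. Assumptions: the wire image is constructed, records use the 5-byte header (type, 2-byte version, 2-byte length), the first alert record is treated as the end of session 1, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 5u   /* record header: type, 2-byte version, 2-byte length */
enum { ALERT = 21, HANDSHAKE = 22, APPDATA = 23 };

/* Constructed wire image: what one peer wrote back-to-back on one TCP connection. */
typedef struct { uint8_t data[256]; size_t len, pos; } wire_t;

static void put_record(wire_t *w, uint8_t type, uint16_t body_len) {
    uint8_t *p = w->data + w->len;
    p[0] = type; p[1] = 3; p[2] = 1;
    p[3] = (uint8_t)(body_len >> 8);
    p[4] = (uint8_t)(body_len & 0xff);
    memset(p + HDR, 0xAA, body_len);   /* stand-in for encrypted bytes */
    w->len += HDR + body_len;
}

/* Session 1 ends with an alert record; session 2's first record follows with no gap. */
static void build_wire(wire_t *w) {
    memset(w, 0, sizeof *w);
    put_record(w, APPDATA, 40);
    put_record(w, ALERT, 22);          /* session 1 ends at offset 72 */
    put_record(w, HANDSHAKE, 60);      /* session 2 begins here */
}

/* Behaves like recv(): returns whatever is queued, up to cap, ignoring record boundaries. */
static size_t sim_recv(wire_t *w, uint8_t *buf, size_t cap) {
    size_t n = w->len - w->pos;
    if (n > cap) n = cap;
    memcpy(buf, w->data + w->pos, n);
    w->pos += n;
    return n;
}

/* Offset just past the first complete alert record, or 0 if it has not fully arrived. */
size_t session_end_offset(const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (len - off >= HDR) {
        size_t body = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (len - off - HDR < body) break;          /* partial record */
        uint8_t type = buf[off];
        off += HDR + body;
        if (type == ALERT) return off;
    }
    return 0;
}

/* Read in chunks of at most cap bytes until session 1's closing record is complete. */
static size_t read_session1(wire_t *w, uint8_t *buf, size_t bufsz, size_t cap, size_t *got) {
    size_t end = 0;
    *got = 0;
    while (end == 0 && *got < bufsz) {
        size_t room = bufsz - *got;
        size_t n = sim_recv(w, buf + *got, cap < room ? cap : room);
        if (n == 0) break;
        *got += n;
        end = session_end_offset(buf, *got);
    }
    return end;
}

/* Naive design: session 1's buffer is discarded at teardown.
   Returns how many bytes of session 2 were discarded with it. */
size_t naive_lost_bytes(size_t cap) {
    wire_t w; uint8_t buf[512]; size_t got;
    build_wire(&w);
    size_t end = read_session1(&w, buf, sizeof buf, cap, &got);
    return got - end;
}

/* Naive design: the first byte session 2 then reads from the socket and
   takes for a record type (-1 if nothing is left to read). */
int naive_next_type(size_t cap) {
    wire_t w; uint8_t buf[512]; size_t got;
    build_wire(&w);
    read_session1(&w, buf, sizeof buf, cap, &got);
    return sim_recv(&w, buf, sizeof buf) ? buf[0] : -1;
}

/* Boundary-preserving design: bytes past the closing record are handed to
   session 2. Returns the type of the first complete record it parses. */
int carry_over_first_type(size_t cap) {
    wire_t w; uint8_t buf[512], next[512]; size_t got;
    build_wire(&w);
    size_t end = read_session1(&w, buf, sizeof buf, cap, &got);
    size_t left = got - end;
    memcpy(next, buf + end, left);
    left += sim_recv(&w, next + left, sizeof next - left);
    if (left < HDR) return -1;
    size_t body = ((size_t)next[3] << 8) | next[4];
    return (left - HDR >= body) ? next[0] : -1;
}

int main(void) {
    size_t caps[] = { 72, 100, 512 };
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++)
        printf("read size %3zu: naive loses %2zu bytes, session 2 sees type %d; carry-over sees type %d\n",
               caps[i], naive_lost_bytes(caps[i]), naive_next_type(caps[i]),
               carry_over_first_type(caps[i]));
    return 0;
}
```

A read size of 72 is the lucky case where the read stops exactly at the boundary; the other sizes show the failure that only appears when both sessions' bytes are already queued.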
RE: Trying to statically link to libeay32.lib
Jed,

To build static openssl libraries; (libeay32.lib & ssleay32.lib)

> perl Configure VC-WIN32 no-rc5 no-idea no-mdc2
> ms\do_nasm

Edit: ms\nt.mak file (use any standard text editor)
change '/MD' to '/MT' in CFLAG

> nmake -f ms\nt.mak

libeay32.lib & ssleay32.lib will be built in directory out32; the necessary include files will be built in inc32\openssl

Make sure you use /MT switch consistently when building your application. If you attempt a 'debug' build of your application the default switch /MTd will cause a library conflict (LIBCMT.lib). You can choose not to build the 'debug version' of your application or you can change /MTd switch to /MT and define /define _DEBUG to /define NDEBUG

-Original Message-

Yeah, I was having a terrible time getting everything to compile. I was able to wrestle through a lot of it, but it simply wouldn't finish compiling. So I searched for others having similar troubles and came across http://www.silverex.org/compiling/. I realize that the page says EXACTLY what INSTALL.W32 says (somewhat briefer), but reading it in their format helped bring the whole picture together for me. I didn't catch on to the VC++ Command Line environment until that point also, which solved all my troubles.

The instructions detailing "You can also build a static version of the library using the Makefile: ms\nt.mak" from INSTALL.W32 are a little buried in other text, so I missed that part until looking through it to answer your (Jeremy) question. It's all there in INSTALL.W32 -- it took me a little longer to choose and properly use the appropriate build environment.

-Jed Mitten-
RE: Trying to statically link to libeay32.lib
Jed,

To build static openssl libraries; (libeay32.lib & ssleay32.lib)

> perl Configure VC-WIN32 no-rc5 no-idea no-mdc2
> ms\do_nasm

Edit: ms\nt.mak file (use any standard text editor)
change '/MD' to '/MT' in CFLAG

> nmake -f ms\nt.mak

libeay32.lib & ssleay32.lib will be built in directory out32; the necessary include files will be built in inc32\openssl

Just make sure you use /MT switch consistently when building your application. If you attempt a 'debug' build of your application it will use /MTd switch and will run into a conflict with library LIBCMT.lib; you can choose not to do the debug build of your application or you can change /MTd switch to /MT and define /define _DEBUG to /define NDEBUG

Cheers,
Saju

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Rueter
Sent: Friday, February 01, 2008 12:48 PM
To: openssl-users@openssl.org
Subject: Re: Trying to statically link to libeay32.lib

Jed Mitten wrote:

>I am trying to statically link into libeay32.lib so that I can
>distribute my application as a single executable instead of packaging
>DLLs along with it. I am not new to programming, but I am new to
>using libraries in C/C++. I am also completely new to using OpenSSL
>in any application.
>
>I did some extensive research online (and in this group) to get to
>where I could actually compile OpenSSL on Win32 and link using Visual
>C++ Express 9.0, but when I run the application that compiles I get an
>error that libeay32.dll cannot be found. Thanks for any help or
>advice.
>
>

Option 1:
First, it seems that you have compiled a dll rather than a static lib for openssl. IE you used:
nmake -f ms\ntdll.mak
If you want a static lib you need to run:
nmake -f ms\nt.dll

When you create a dll build it creates a .dll and .lib. The lib is for linking against when you make your own executable, but you will still need to include the .dll in your distribution. If you create a static build, all you will have is a .lib; no .dll will be created. Note however that your executable will be larger if you use a static library.

Option 2:
The other option is to take your libeay32.dll and put it in the same directory as your executable.

>#include
>#include
>#include
>using namespace std;
>
>
>int main(int argc, char *argv[]) {
>string skey = "secret_key";
>char *sdata = "This is a message that I would like to keep secret.
> Please do not allow this message to be read without authorization.";
>
>BF_KEY symKey;
>BF_set_key( &symKey, strlen(sdata), (const unsigned char *)sdata );
>
>cout << symKey.S;
>
>return 0;
>}
>
>--
>Jed Mitten
RE: " unable to get local issuer certificate" & certificate not trusted errors
who is the signer of certificate newcert.pem ? is it a self-signed certificate ? it should not be. newcert.pem should be signed by a trusted CA (thawte,verisign,godaddy etc.) or by a CA that is in google/gmail's CA repository.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of gopinath ethiraja
Sent: Friday, February 01, 2008 5:11 AM
To: openssl-users@openssl.org; [EMAIL PROTECTED]
Subject: " unable to get local issuer certificate" & certificate not trusted errors

I tried to connect to a server using the s_client command, but I get an error stating "unable to get local issuer certificate" and it also gives "certificate not trusted". How to overcome these errors?

C:\OpenSSL\bin>openssl s_client -connect gmail.com:443 -verify 3 -cert newcert.pem -key newkey.pem -CAfile cacert.pem -state
verify depth is 3
Enter pass phrase for newkey.pem:
Loading 'screen' into random state - done
CONNECTED(02D4)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-BEGIN CERTIFICATE-
-END CERTIFICATE-
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1778 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher: AES256-SHA
Session-ID: 78B1A16CBC8BFA005701E93ABC140387DEEC3CB62CB4396265BB4CD6490A9FEE
Session-ID-ctx:
Master-Key: 55DF03F5380E46145D0673EB66A82201810AC9E4CA82A7BD8E4DA4CCE34AB589C9C79C560951DFF731B26A537A43DC11
Key-Arg : None
Start Time: 1201860116
Timeout : 300 (sec)
Verify return code: 27 (certificate not trusted)
---
read:errno=0
SSL3 alert write:warning:close notify
RE: problems with building the FIPS OpenSSL
The MSYS directory /usr/local/ssl/lib is the Windows directory C:\msys\1.0\local\ssl (referred to in points 9 & 10);

1. there is no directory called /usr/local/ssl/lib
2. in step 10 I can find most of the files, but fips_premain.c.sha1 is nowhere to be found

Hmm...these 2 points you have made seem to contradict each other.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul Levin
Sent: Friday, October 19, 2007 2:39 PM
To: openssl-users@openssl.org
Subject: problems with building the FIPS OpenSSL

I am trying to build FIPS OpenSSL 1.1.1 for Windows, as per the instructions in the UserGuide-1.1.1.pdf. For the most part it goes ok, but when I get to step 7, in section 4.3.2, there are several problems.

1. there is no directory called /usr/local/ssl/lib in MSYS.
2. in step 10 I can find most of the files, but fips_premain.c.sha1 is nowhere to be found

Then everything goes to h-ll when I try to build OpenSSL with the FIPS addon.

1. I'm using the OpenSSL that is in the FIPS tar. The User Guide implies that I need to download some other version
2. The user guide says to use a --with-fipslibdir argument to perl Configure. That gives an invalid parameter error.
3. Following the instructions in the INSTALL_W32 file, I ran "perl Configure VC-WIN32 fips". Then "ms\do_masm". This gave several errors that the FIPS files could not be found.
4. Looking at the perl script, I see it is looking in the top level directory of the tar tree (openssl-fips-1.1.1) for the FIPS generated files. The FIPS build did not put the files there.
   1. I moved the files there and I'm still getting an error because the fips_premain.c.sha1 file is not there.

What needs to be done to build this?

Thanks,
Paul
RE: problems with building the FIPS OpenSSL
The other thing that you may have missed is that the tarball 'openssl-fips-1.1.1.tar.gz' should be used ONLY to build the FIPS modules (which is the fipscansiter.o, an executable, a C source file and 2 signatures). You then need to use the tarball 'openssl-0.9.7m.tar.gz' (nothing before,nothing after) to build the FIPS enabled versions of the ssl and crypto libraries.

You got a ways to still; just hang in there and you'll have it all figured out.

HTH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul Levin
Sent: Friday, October 19, 2007 2:39 PM
To: openssl-users@openssl.org
Subject: problems with building the FIPS OpenSSL

I am trying to build FIPS OpenSSL 1.1.1 for Windows, as per the instructions in the UserGuide-1.1.1.pdf. For the most part it goes ok, but when I get to step 7, in section 4.3.2, there are several problems.

1. there is no directory called /usr/local/ssl/lib in MSYS.
2. in step 10 I can find most of the files, but fips_premain.c.sha1 is nowhere to be found

Then everything goes to h-ll when I try to build OpenSSL with the FIPS addon.

1. I'm using the OpenSSL that is in the FIPS tar. The User Guide implies that I need to download some other version
2. The user guide says to use a --with-fipslibdir argument to perl Configure. That gives an invalid parameter error.
3. Following the instructions in the INSTALL_W32 file, I ran "perl Configure VC-WIN32 fips". Then "ms\do_masm". This gave several errors that the FIPS files could not be found.
4. Looking at the perl script, I see it is looking in the top level directory of the tar tree (openssl-fips-1.1.1) for the FIPS generated files. The FIPS build did not put the files there.
   1. I moved the files there and I'm still getting an error because the fips_premain.c.sha1 file is not there.

What needs to be done to build this?

Thanks,
Paul
RE: C++ compatibility
sorry ignore my latest post.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Wednesday, September 12, 2007 11:17 AM
To: openssl-users@openssl.org
Subject: RE: C++ compatibility

It turns out the lines that are causing problems (see below) were inserted by a patch from Montavista for compatibility with gcc 4.2. I was using an older version of gcc so the solution is to not install the patch when building the rpm's. I guess this was more of a montavista issue than an openssl issue, sorry for the misplacement of these questions on this mailing list.

-Original Message-
From: Phillips, Justin - ACD
Sent: Wednesday, September 12, 2007 9:07 AM
To: 'openssl-users@openssl.org'
Subject: RE: C++ compatability

The error is on the header file asn1.h. I have commented out the call to HMAC so the only related code is the include which at this point looks like.

extern "C" {
#include <openssl/hmac.h>
}

Here is the error...

In file included from /opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/objects.h:960,
                 from /opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/evp.h:94,
                 from /opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/hmac.h:67,
                 from StateFill.cpp:36:
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:905: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:915: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:920: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:933: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:938: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:985: invalid conversion from `void (*)()' to `void*'

I also notice warnings that are related to these same lines...

/opt/hardhat/devkit/arm/xscale_le/target/usr/include/c++/3.2.1/bits/stl_queue.h: At top level:
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:905: warning: ` void*__ASN1_dup' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:915: warning: ` void*__ASN1_d2i_fp' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:920: warning: ` void*__ASN1_i2d_fp' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:933: warning: ` void*__ASN1_d2i_bio' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:938: warning: ` void*__ASN1_i2d_bio' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:985: warning: ` void*__ASN1_pack_string' defined but not used

When I remove the include to openssl/hmac.h I can compile successfully. I am wondering if there is a patch that I need to install to remove these lines from the header file?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul
Sent: Tuesday, September 11, 2007 3:23 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

is the compile error on the header file (asn1.h) or at the call ? copy and paste the error include any necessary code.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Tuesday, September 11, 2007 2:55 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

I have the following code but I still get the compile errors described below. There are no other openssl includes or function calls other than what is shown below.

extern "C" {
#include <openssl/hmac.h>
}

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul
Sent: Tuesday, September 11, 2007 2:37 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

extern "C" {
// defn...
}

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Tuesday, September 11, 2007 2:20 PM
To: openssl-users@openssl.org
Subject: C++ compatability

I am trying to call the HMAC function (openssl 0.9.8e) within my C++ code. When I include <openssl/hmac.h> I get compilation errors on the asn1.h file at lines 905, 915, 920, 933, 938, and 985 all saying "invalid conversion from 'void (*)() to 'void*'. This makes sense because the libraries are compiled with gcc but I am compiling my software with g++ and in C++ this type of casting is not allowed. So my question is how do you use openssl in C++ when the include files use C spec
RE: C++ compatability
first: the extern "C" around the hmac.h is not necessary. get rid of it.
second: the errors make no sense at all; these header files you are referencing are Unix/Linux files are they not ? meaning they are not files built in a Windows environment (i hope not)
third: a rebuild of openssl is something that I might try next.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Wednesday, September 12, 2007 9:07 AM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

The error is on the header file asn1.h. I have commented out the call to HMAC so the only related code is the include which at this point looks like.

extern "C" {
#include <openssl/hmac.h>
}

Here is the error...

In file included from /opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/objects.h:960,
                 from /opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/evp.h:94,
                 from /opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/hmac.h:67,
                 from StateFill.cpp:36:
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:905: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:915: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:920: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:933: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:938: invalid conversion from `void (*)()' to `void*'
/opt/hardhat/devkit/arm/xscale_le/target/usr/include/openssl/asn1.h:985: invalid conversion from `void (*)()' to `void*'

I also notice warnings that are related to these same lines...

/opt/hardhat/devkit/arm/xscale_le/target/usr/include/c++/3.2.1/bits/stl_queue.h: At top level:
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:905: warning: ` void*__ASN1_dup' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:915: warning: ` void*__ASN1_d2i_fp' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:920: warning: ` void*__ASN1_i2d_fp' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:933: warning: ` void*__ASN1_d2i_bio' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:938: warning: ` void*__ASN1_i2d_bio' defined but not used
/opt/hardhat/devkit/arm/xscale_le/target2/usr/include/openssl/asn1.h:985: warning: ` void*__ASN1_pack_string' defined but not used

When I remove the include to openssl/hmac.h I can compile successfully. I am wondering if there is a patch that I need to install to remove these lines from the header file?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul
Sent: Tuesday, September 11, 2007 3:23 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

is the compile error on the header file (asn1.h) or at the call ? copy and paste the error include any necessary code.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Tuesday, September 11, 2007 2:55 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

I have the following code but I still get the compile errors described below. There are no other openssl includes or function calls other than what is shown below.

extern "C" {
#include <openssl/hmac.h>
}

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul
Sent: Tuesday, September 11, 2007 2:37 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

extern "C" {
// defn...
}

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Tuesday, September 11, 2007 2:20 PM
To: openssl-users@openssl.org
Subject: C++ compatability

I am trying to call the HMAC function (openssl 0.9.8e) within my C++ code. When I include <openssl/hmac.h> I get compilation errors on the asn1.h file at lines 905, 915, 920, 933, 938, and 985 all saying "invalid conversion from 'void (*)() to 'void*'. This makes sense because the libraries are compiled with gcc but I am compiling my software with g++ and in C++ this type of casting is not allowed. So my question is how do you use openssl in C++ when the include files use C specific syntax such as this? Thank you in advance for the help.

Justin

* This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the indiv
RE: C++ compatability
It is very clear that you Thomas have never ever used the hmac routines !! So how you entertain yourself is irrelevant to the problem being discussed. thank you.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Thomas J. Hruska
Sent: Tuesday, September 11, 2007 3:38 PM
To: openssl-users@openssl.org
Subject: Re: C++ compatability

Saju Paul wrote:
> is the compile error on the header file (asn1.h) or at the call ?
> copy and paste the error include any necessary code.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin -
> ACD
> Sent: Tuesday, September 11, 2007 2:55 PM
> To: openssl-users@openssl.org
> Subject: RE: C++ compatability
>
>
> I have the following code but I still get the compile errors described
> below. There are no other openssl includes or function calls other than
> what is shown below.
>
> extern "C" {
>    #include <openssl/hmac.h>
> }
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul
> Sent: Tuesday, September 11, 2007 2:37 PM
> To: openssl-users@openssl.org
> Subject: RE: C++ compatability
>
> extern "C" {
>    // defn...
> }
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin -
> ACD
> Sent: Tuesday, September 11, 2007 2:20 PM
> To: openssl-users@openssl.org
> Subject: C++ compatability
>
>
>
> I am trying to call the HMAC function (openssl 0.9.8e) within my C++
> code. When I include <openssl/hmac.h> I get compilation errors on the
> asn1.h file at lines 905, 915, 920, 933, 938, and 985 all saying
> "invalid conversion from 'void (*)() to 'void*'. This makes sense
> because the libraries are compiled with gcc but I am compiling my
> software with g++ and in C++ this type of casting is not allowed. So my
> question is how do you use openssl in C++ when the include files use C
> specific syntax such as this? Thank you in advance for the help.
>
> Justin

While I'm finding this discussion on misinformation entertaining, I realize Justin probably has a job to do. In general, all you ever need to include is:

#include
#include

After your other #include files. Those will generally #include any other files you might need...including the HMAC routines. I've never had any issues with VC++ or gcc/g++ when doing that.

--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
RE: SSL Library Error
for 32-bit objects set SHLIB_PATH and unset LD_LIBRARY_PATH
for 64-bit objects set LD_LIBRARY_PATH and unset SHLIB_PATH
might help..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Aaron Smith
Sent: Tuesday, September 11, 2007 3:34 PM
To: openssl-users@openssl.org
Subject: RE: SSL Library Error

Looking at the output of LDD closer, it looks like the httpd binary is linked to both libraries. BUT, I don't think this is the cause of the problem as the httpd binary that DOES work is ALSO linked this way

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, September 11, 2007 1:57 PM
To: openssl-users@openssl.org
Subject: Re: SSL Library Error

On Tue, Sep 11, 2007 at 01:43:50PM -0400, Aaron Smith wrote:

> I apologize in advance if this is not the correct forum for this
> question. I haven't had much luck in the apache forums. I have an
> apache 2.0.55 installation that I'm attempting to recompile on an HP-UX
> 11 system. It has mod_ssl 2.0.66 and I have OpenSSL 0.9.8d installed in
> /opt/openssl098d. The system itself apparently has an older version of
> OpenSSL (0.9.7e) installed in /usr/local. We have apache running on
> this system just fine, but I have to recompile in order to add LDAP
> support. If I take a fresh tarball of apache-2.0.55 and do a configure,
> make, make install, everything completes without error. Doing an LDD of
> the httpd binary shows it linked to the OpenSSL 0.9.8d libraries in
> /opt/openssl098d/lib. The server starts up without issue, but when I
> connect (with apache in debug mode), I get this:

Perhaps you are using headers from one version of OpenSSL and linking with libraries from another. Make sure compile-time and run-time versions match.

--
Viktor.
RE: C++ compatability
is the compile error on the header file (asn1.h) or at the call ? copy and paste the error include any necessary code.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Tuesday, September 11, 2007 2:55 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

I have the following code but I still get the compile errors described below. There are no other openssl includes or function calls other than what is shown below.

extern "C" {
#include <openssl/hmac.h>
}

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul
Sent: Tuesday, September 11, 2007 2:37 PM
To: openssl-users@openssl.org
Subject: RE: C++ compatability

extern "C" {
// defn...
}

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phillips, Justin - ACD
Sent: Tuesday, September 11, 2007 2:20 PM
To: openssl-users@openssl.org
Subject: C++ compatability

I am trying to call the HMAC function (openssl 0.9.8e) within my C++ code. When I include <openssl/hmac.h> I get compilation errors on the asn1.h file at lines 905, 915, 920, 933, 938, and 985 all saying "invalid conversion from 'void (*)() to 'void*'. This makes sense because the libraries are compiled with gcc but I am compiling my software with g++ and in C++ this type of casting is not allowed. So my question is how do you use openssl in C++ when the include files use C specific syntax such as this? Thank you in advance for the help.

Justin

* This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail. ***
RE: C++ compatability
    extern "C" {
    // defn...
    }

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phillips, Justin - ACD
Sent: Tuesday, September 11, 2007 2:20 PM
To: openssl-users@openssl.org
Subject: C++ compatability

I am trying to call the HMAC function (openssl 0.9.8e) within my C++ code. When I include I get compilation errors on the asn1.h file at lines 905, 915, 920, 933, 938, and 985 all saying "invalid conversion from 'void (*)()' to 'void*'". This makes sense because the libraries are compiled with gcc but I am compiling my software with g++ and in C++ this type of casting is not allowed. So my question is how do you use openssl in C++ when the include files use C specific syntax such as this?

Thank you in advance for the help.

Justin
ERROR: no shared cipher - in FIPS Mode
error: SSL accept error(SSL): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Works great without FIPS but get "no shared cipher" error when FIPS enabled libraries are linked in. Suspect the problem is with the X509 certificate that I'm using. Certificate details are included below. Public Key Algorithm on my certificate is rsaEncryption; not sure if it can be used with FIPS.

Thanks,
Saju

openssl version: 0.9.7m
openssl fips version: 1.1.1
platform: windows XP (fipscansiter.o built with MinGW, openssl libs built with VC++)
application: in-house FTP server built with openssl (works great with regular (non-fips) openssl libraries)
server certificate: self-signed certificate built with openssl (command line tool)
error: SSL accept error(SSL): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
built openssl libs with defines: CIPHER_DEBUG & KSSL_DEBUG

Debug Output from Server:::

Server has 20 from 00C36E20:
006FEE38:ADH-AES256-SHA
006FEE10:DHE-RSA-AES256-SHA
006FEDE8:DHE-DSS-AES256-SHA
006FED70:AES256-SHA
006FED48:ADH-AES128-SHA
006FED20:DHE-RSA-AES128-SHA
006FECF8:DHE-DSS-AES128-SHA
006FEC80:AES128-SHA
006FEC08:EDH-RSA-DES-CBC3-SHA
006FEBE0:EDH-RSA-DES-CBC-SHA
006FEBB8:EXP-EDH-RSA-DES-CBC-SHA
006FEB90:EDH-DSS-DES-CBC3-SHA
006FEB68:EDH-DSS-DES-CBC-SHA
006FEB40:EXP-EDH-DSS-DES-CBC-SHA
006FEA28:DES-CBC3-SHA
006FEA00:DES-CBC-SHA
006FE9D8:EXP-DES-CBC-SHA
006FE8E8:ADH-DES-CBC3-SHA
006FE8C0:ADH-DES-CBC-SHA
006FE898:EXP-ADH-DES-CBC-SHA

Client sent 20 from 00C51158:
006FEE10:DHE-RSA-AES256-SHA
006FEDE8:DHE-DSS-AES256-SHA
006FED70:AES256-SHA
006FEC08:EDH-RSA-DES-CBC3-SHA
006FEB90:EDH-DSS-DES-CBC3-SHA
006FEA28:DES-CBC3-SHA
006FED20:DHE-RSA-AES128-SHA
006FECF8:DHE-DSS-AES128-SHA
006FEC80:AES128-SHA
006FE9B0:IDEA-CBC-SHA
006FE960:RC4-SHA
006FE938:RC4-MD5
006FEBE0:EDH-RSA-DES-CBC-SHA
006FEB68:EDH-DSS-DES-CBC-SHA
006FEA00:DES-CBC-SHA
006FEBB8:EXP-EDH-RSA-DES-CBC-SHA
006FEB40:EXP-EDH-DSS-DES-CBC-SHA
006FE9D8:EXP-DES-CBC-SHA
006FE988:EXP-RC2-CBC-MD5
006FE910:EXP-RC4-MD5

rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 0 alg= d00050 0:[0050:0200]006FEE10:DHE-RSA-AES256-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 1 alg= d00090 0:[0090:0200]006FEDE8:DHE-DSS-AES256-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 2 alg= d00041 0:[0041:0200]006FED70:AES256-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 3 alg= 502050 0:[0050:0200]006FEC08:EDH-RSA-DES-CBC3-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 4 alg= 502090 0:[0090:0200]006FEB90:EDH-DSS-DES-CBC3-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 5 alg= 502041 0:[0041:0200]006FEA28:DES-CBC3-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 6 alg= d00050 0:[0050:0200]006FED20:DHE-RSA-AES128-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 7 alg= d00090 0:[0090:0200]006FECF8:DHE-DSS-AES128-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 8 alg= d00041 0:[0041:0200]006FEC80:AES128-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 9 alg= 510041 0:[0041:0200]006FE9B0:IDEA-CBC-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 10 alg= 504041 0:[0041:0200]006FE960:RC4-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 11 alg= 484041 0:[0041:0200]006FE938:RC4-MD5
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 12 alg= 501050 0:[0050:0200]006FEBE0:EDH-RSA-DES-CBC-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 13 alg= 501090 0:[0090:0200]006FEB68:EDH-DSS-DES-CBC-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 14 alg= 501041 0:[0041:0200]006FEA00:DES-CBC-SHA
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 15 alg= 501050 0:[0050:0200]006FEBB8:EXP-EDH-RSA-DES-CBC-SHA (export)
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 16 alg= 501090 0:[0090:0200]006FEB40:EXP-EDH-DSS-DES-CBC-SHA (export)
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 17 alg= 501041 0:[0041:0200]006FE9D8:EXP-DES-CBC-SHA (export)
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 18 alg= 488041 0:[0041:0200]006FE988:EXP-RC2-CBC-MD5 (export)
rt=0 rte=0 dht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 ssl3_choose_cipher 19 alg= 484041 0:[0041:0200]006FE910:EXP-RC4-MD5 (export)
tls1_enc(1)

certificate details:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: f5:55:6d:6c:47:4e:6c:84
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Michigan, L=Livonia, O=MessageWay Solutions, OU=Development (FIPS), CN=localhost/[EMAIL PROTECTED] V
RE: SSL Handshake
Check 'Network Security with OpenSSL' by John Viega, Matt Messier and Pravir Chandra.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Madhuri Rambhatla
Sent: Friday, June 18, 2004 10:14 AM
To: [EMAIL PROTECTED]
Subject: SSL Handshake

Hi,

I am trying to establish a successful handshake with an SSL server. I am using openSSL version 0.9.7d and my compiler MS Visual Studio.NET and OS is WIN 2K, Server. I do not see any methods that let me do it. Can someone please tell me how to establish a successful SSL handshake.

Thanks.

Madhuri Rambhatla
Lead Systems Programmer
Venue 1 Inc
954 797 9883
RE: Please Don't Shoot....
Openssl has a command line utility (openssl). Use it to build your certificate.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Schefke
Sent: Thursday, May 20, 2004 7:14 AM
To: [EMAIL PROTECTED]; 'Ryan Schefke'
Subject: Please Don't Shoot

Me for asking this question, I'm just not sure where to start but with the experts here.

I'm moving my PHP and MySQL application to a hosting server. Currently, I'm looking at 1and1.com's dedicated servers on a Linux machine for $49/month (let me know if there are better choices). One problem though, the dedicated server, unlike a shared server, does not have a SSL certificate. So, I need one.

Can anyone recommend a low cost (preferably free), and easy to install (since I have to do it myself) SSL Cert?

Thanks,
Ryan
Re: compiling 32bit binary on solaris 8
Here is a guess (and it is ONLY that), since the linker is complaining about the ssl and crypto libraries: will it help if you rebuilt the ssl and crypto libraries with the sparc7 or sparc8 compiler?

----- Original Message -----
From: "Jim Mack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 24, 2003 2:12 PM
Subject: RE: compiling 32bit binary on solaris 8

>
> Thanks for lead, but it's still blowing up complaining about
> linking against 64bit libs. This is for :
>
> solaris-sparcv7-gcc
> solaris-sparcv8-gcc
> solaris-sparcv9-gcc
>
> I really have no idea what to do. I have gone through all
> the relevant Makefiles and cannot find where these libs are
> getting built in 64bit. Does anyone know where this might be
> happening?
>
> Thanks,
>
> -jim
>
> On Thu, 23 Oct 2003, Venkatesh Ramaswamy wrote:
>
> > Use sparcv7 or sparcv8 for the configure script. sparcv9 is sun4u and links in the 64-bit libraries.
> >
> > -----Original Message-----
> > From: Jim Mack [mailto:[EMAIL PROTECTED]]
> > Sent: Thu 10/23/2003 6:19 PM
> > To: [EMAIL PROTECTED]
> > Cc:
> > Subject: compiling 32bit binary on solaris 8
> >
> > Hi,
> >
> > I am desperately trying to compile openssl-0.9.7b as 32bit
> > since we have dependencies that require it. I am running :
> >
> > ./Configure --prefix=/usr/pkg/openssl -shared solaris-sparcv9-gcc -m32
> >
> > Everything seems to go ok until the linking blows up since
> > it's still makes the libs in 64 bit (errors below). I tried
> > hacking the Makefiles etc and it's still doing this. I have
> > done this before but for some reason this is not working
> > this time. Any suggestions??
> >
> > Thanks!
> >
> > LD_LIBRARY_PATH=..:$LD_LIBRARY_PATH \
> > gcc -o openssl -DMONOLITH -I.. -I../include
> > -DOPENSSL_SYSNAME_ULTRASPARC -fPIC -DOPENSSL_THREADS
> > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5
> > -m32 -m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall
> > -DB_ENDIAN -DBN_DIV2W -DMD5_ASM openssl.o verify.o
> > asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o
> > gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o
> > dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o
> > s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o
> > app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o
> > pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o -L.. -lssl
> > -L.. -lcrypto -lsocket -lnsl -ldl ; \
> > fi
> > ld: fatal: file ../libssl.so: wrong ELF class: ELFCLASS64
> > ld: fatal: file ../libcrypto.so: wrong ELF class: ELFCLASS64
> > ld: fatal: File processing errors. No output written to
> > openssl
> > collect2: ld returned 1 exit status
> > make[1]: *** [openssl] Error 1
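The `wrong ELF class: ELFCLASS64` errors quoted above mean the 32-bit link was handed libraries built as 64-bit. As an added example (not from the thread; the function names and sample files are constructed), this script reads the EI_CLASS byte of each link input and lists the files that disagree with the intended class:

```shell
#!/bin/sh
# Added example: find link inputs whose ELF class (32/64-bit) differs from
# the class you intend to link. Function names and demo files are constructed.

# Print the ELF class of a file by reading its first five bytes:
# bytes 0-3 are the magic 0x7f 'E' 'L' 'F', byte 4 is EI_CLASS.
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo ELFCLASS32 ;;
        7f454c4602) echo ELFCLASS64 ;;
        7f454c46*)  echo ELF-unknown-class ;;
        *)          echo not-ELF ;;   # e.g. an ar archive; check its members
    esac
}

# $1 = wanted class, remaining arguments = files passed to the linker.
# Prints one line per file of a different class; returns 1 if any was found.
check_link_inputs() {
    want=$1
    shift
    bad=0
    for f in "$@"; do
        got=$(elf_class "$f")
        if [ "$got" != "$want" ]; then
            echo "$f: $got (wanted $want)"
            bad=1
        fi
    done
    return $bad
}

# Constructed stand-ins for the files named in the linker output: only the
# first bytes of an ELF header are written, which is all elf_class reads.
demo() {
    d=$(mktemp -d) || return 1
    printf '\177ELF\001\002\001' > "$d/openssl.o"     # 32-bit object
    printf '\177ELF\002\002\001' > "$d/libssl.so"     # 64-bit library
    printf '\177ELF\002\002\001' > "$d/libcrypto.so"  # 64-bit library
    check_link_inputs ELFCLASS32 "$d/openssl.o" "$d/libssl.so" "$d/libcrypto.so"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "$#" -gt 1 ]; then
    check_link_inputs "$@" || true
else
    demo || true
fi
```

Run against a real build tree it takes the wanted class first, for example `sh elfclass.sh ELFCLASS32 apps/openssl.o libssl.so libcrypto.so` (paths are placeholders).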
Re: Installation problem with OpenSSL
A '.so' is a shared object. I think what you need to find is a ".a" file.

Saju

----- Original Message -----
From: "Anand Raghavan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 28, 2003 11:41 AM
Subject: RE: Installation problem with OpenSSL

> I did a find on my system for thread* and found that the files libthread.so
> and libthread.so.1 reside in /usr/lib
>
> I included this line in the Makefile:
> -L/usr/lib/lthread
>
> and still I get the error message:
> UX:ld: ERROR: fatal error: library not found: -lthread
>
> -Anand
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Koenning
> Sent: Friday, March 28, 2003 11:05 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Installation problem with OpenSSL
>
>
> At 10:54 28.03.2003 -0500, you wrote:
> >
> >Thanks!
> >I did that and it worked thanks. But now it complains about
> >
> >ld:ERROR: fatal error: library not found: -lthread
>
> Replace in Saju's answer "socket" with "thread" and repeat the procedure.
> Ciao,
> Richard
> --
> Dr. Richard W. Könning
> Fujitsu Siemens Computers GmbH, EP LP COM 5
> Phone/Fax: +49-89-636-47852 / 47655
> E-Mail: [EMAIL PROTECTED]
Re: someone in the UK phone Andy pls
C'mon give the guy a break. It's an innocent mistake and could happen to anybody. He said he will take care of the problem so just leave him alone for a while.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 12, 2002 11:24 AM
Subject: RE: someone in the UK phone Andy pls

> No answer right now - I left him a text message.
>
> Colin
>
> -----Original Message-----
> From: CorreiJ [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, September 12, 2002 3:59 PM
> To: openssl-users
> Subject: someone in the UK phone Andy pls
>
> and tell him to phone someone at his company to disable his
> auto-response thingy. Otherwise we are going to end up with hundreds
> of these things...!!
>
> Thanks
> Jose
Re: How can I install openssl as a system file
Try adding the full path to the ssl.h file and replace the <> with "" like so:

    #include "/openssl/full/path/openssl/ssl.h"
    #include "C:\openssl\full\path\openssl\ssl.h"

Most compilers can also be instructed to look for header files with compile time switches; the most common one being the -I switch.

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 07, 2002 2:45 AM
Subject: How can I install openssl as a system file

Hello all,

I installed openssl (successfully) because I want to compile a Direct Connect API with Authorize.net which uses the openssl ssl.h header.

    #include

but the compiler does not know where to find the ssl.h header. It seems like the openssl has to be installed as system file. Does anyone know how to install the openssl as a system file so that the compiler would know where to find the ssl.h header?

I would appreciate very much any input.

Fernan
C Experts HELP !!! (BN_div Issue ??)
Folks,

Trying to resolve a problem with the BIGNUM divide routine BN_div; could someone check the code below and let me know if there is anything wrong with code...

The code below is from openssl version 9.6B

    int BN_div(..)
    {
        BIGNUM *snum;
        BN_ULONG *wnump; /* a word number pointer ?? */

        /* pointer to the 'top' of snum */
        wnump = &(snum->d[num_n-1]);

        for (i=0; i>> RUN TIME ERROR HERE !!! */
    #endif
        :
        : > some code <<<
        :
        wnump--; /* CAN THIS BE DONE ON THE ARRAY OF LONGS IN A BIGNUM ? */
    }

    end of source >>
Re: RSA private key patterns
>> What platform are we talking about?

The openssl toolkit and the two libraries (crypto & ssl) have been built on a Tandem Himalaya system. The operating system is Guardian. It does not have PERL or the MAKE utilities. It has an ANSI compatible C compiler, which I used to compile and link the libraries and the toolkit with.

>> What is the configuration setting for "Configure"?

Where do I find this? Had to manually convert all the Makefiles into 'C' compile scripts for the Tandem to build the openssl libraries and toolkit with the MONOLITH define turned on. The apps enc, passwd and rand have been tested with examples shown in the documentation.

Regards,
Saju Paul

>
> Hmm. What platform are we talking about? What is the configuration
> setting for "Configure"?
> Of course you are aware, that an RSA key with a modulus of 32, 64 etc
> is or more or less cosmetic worth. I would consider 1024 to be the minimum
> for today's purposes.
RSA private key patterns
I'm having a problem generating a RSA private key when numbits is > 64. The RSA key generation patterns for the few bit sizes I've tried are shown below. It seems to have no trouble when numbits is >= 32 and <= 64.

$WORK0 OLAPPOBJ 392> openssl genrsa 16        (does not generate key file to stdout)
Generating RSA private key, 16 bit long modulus
.+++
.+++*.+++*.+ ++*

$WORK0 OLAPPOBJ 394> openssl genrsa 32        (generates key to stdout)
Generating RSA private key, 32 bit long modulus
.+++
.+++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MCwCAQACBQDRw9HDAgMBAAECBQCjFwABAgMBAAECAwDRwwIBAQICLqsCAwCmlQ==
-----END RSA PRIVATE KEY-----

$WORK0 OLAPPOBJ 395> openssl genrsa 48        (generates key to stdout)
Generating RSA private key, 48 bit long modulus
.+++
.+++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MDgCAQACBwCqTHb47aMCAwEAAQIHAKPPaA+KAQIEANkuLQIEAMi9DwIEAIgTtQIE
ALhkMQIEAKDZoA==
-----END RSA PRIVATE KEY-----

$WORK0 OLAPPOBJ 396> openssl genrsa 100       (unable to create the private key)
$WORK0 OLAPPOBJ 396..
Generating RSA private key, 100 bit long modulus
..1:error:0306C072:bignum routines:bn_expand2:bignum too long:$DATA5.OLCPBN.BNLIBC:-2680:
1:error:04069003:rsa routines:RSA_generate_key:BN lib:$DATA5.OLCPRSA.RSAGENC:-14608:
ABENDED: 1,236
CPU time: 0:01:13.222
1: Process terminated with warning diagnostics

From the pattern you can see that the 'P-Prime' itself is not generated. And I'm not sure why. The default numbits - 512 bits also fails with the same error as numbits = 100.

If anybody knows the openssl source, it might help to know how some of the defines declared in the header file bn.h are used:

SIXTY_FOUR_BIT_LONG; SIXTY_FOUR_BIT; THIRTY_TWO_BIT; SIXTEEN_BIT

Built the BIGNUM routines with and without these defines defined and got the same results.

>> I need to create a private key with at least 512 bits; with 64 bit private keys the Message Digest does not work.
Re: problems with private keys... please help! urgent!
If the private key has been created with a password (usually is); then the same password needs to be supplied using the -passin argument.

for ex: openssl rsa -noout -modulus -in server.key -passin pass:mypasswd | openssl md5

If the -passin argument is not used; it could be picking up a default passin password from the openssl.cnf file. Check the openssl.cnf for a default passin and make sure it matches the password you used to create the private key.

----- Original Message -----
From: "Mike K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 18, 2001 2:32 PM
Subject: Re: problems with private keys... please help! urgent!

> It never asked me for a password
>
>
> ----- Original Message -----
> From: "Saju Paul" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, December 18, 2001 10:23 AM
> Subject: Re: problems with private keys... please help! urgent!
>
>
> > > For domain1, I tried to check the md5's of each of the key and crt...
> > >
> > > The md5 for the crt shows up fine. When I try to get the md5 for the
> > .key,
> > > I get this error:
> > >
> > > # openssl rsa -noout -modulus -in server.key | openssl md5
> > > read RSA key
> > > unable to load key
> > > d41d8cd98f00b204e9800998ecf8427e
> >
> > I get this error when I use an incorrect password... check your
> password..
> >
> >
> > ----- Original Message -----
> > From: "Mike K" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 18, 2001 1:31 PM
> > Subject: problems with private keys... please help! urgent!
> >
> >
> > > Hi all...
> > >
> > > Before upgrading, one of my virtual domains (ip based) had SSL setup and
> > was
> > > working fine. The second domain did not work. The error was odd
> > according
> > > to people in IRC support channels, and I was told to upgrade to all of
> the
> > > latest versions.
> > >
> > > I did that.
> > >
> > > Now when I try to run startssl, I get errors on BOTH virtual domains.
> > >
> > > The domain that had once worked produces these errors:
> > >
> > > [Mon Dec 17 16:41:46 2001] [error] mod_ssl: Init: (.com:443)
> > > Unable to configure RSA server private key (OpenSSL library error
> follows)
> > > [Mon Dec 17 16:41:46 2001] [error] OpenSSL: error:0B080074:x509
> > certificate
> > > routines:X509_check_private_key:key values mismatch
> > >
> > > The domain2, that I couldn't get to work before the upgrade, produces
> > these
> > > errors:
> > >
> > > [Mon Dec 17 16:45:43 2001] [error] mod_ssl: Init: Private key not found
> > > (OpenSSL library error follows)
> > > [Mon Dec 17 16:45:43 2001] [error] OpenSSL: error:0D06B078:asn1 encoding
> > > routines:ASN1_get_object:header too long
> > >
> > > -
> > >
> > > For domain1, I tried to check the md5's of each of the key and crt...
> > >
> > > The md5 for the crt shows up fine. When I try to get the md5 for the
> > .key,
> > > I get this error:
> > >
> > > # openssl rsa -noout -modulus -in server.key | openssl md5
> > > read RSA key
> > > unable to load key
> > > d41d8cd98f00b204e9800998ecf8427e
> > >
> > >
> > > I get this same "unable to load key" error for any key I try to get the
> > md5
> > > checksum for
> > >
> > >
> > > Any help in getting both of my virtual domain's (the two that need SSL)
> > > working is greatly appreciated.
> > >
> > > Thanks.
> > >
> > > -Mike
> > >
> > >
> > > PS: Here is the Virtual Server entry from httpd.conf for domain2...
> > domain1
> > > has the exact same (but updated ip and paths)
> > >
> > >
> > > NamevirtualHost xxx.xxx.xxx.44:443
> > >
> > > SSLEngine On
> > > SSLCipherSuite
> > > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > SSLCertificateKeyFile /www/conf/ssl.key/domain2_server.key
> > > SSLCertificateFile /www/conf/ssl.crt/domain2.com.crt
> > > DocumentRoot /home/hosting/domain2.com/public_html
> > > ServerName domain2.com
> > >CustomLog /www/logs/domain2.com combined
> > >ErrorLog /www
Re: problems with private keys... please help! urgent!
> For domain1, I tried to check the md5's of each of the key and crt...
>
> The md5 for the crt shows up fine. When I try to get the md5 for the .key,
> I get this error:
>
> # openssl rsa -noout -modulus -in server.key | openssl md5
> read RSA key
> unable to load key
> d41d8cd98f00b204e9800998ecf8427e

I get this error when I use an incorrect password... check your password..

----- Original Message -----
From: "Mike K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 18, 2001 1:31 PM
Subject: problems with private keys... please help! urgent!

> Hi all...
>
> Before upgrading, one of my virtual domains (ip based) had SSL setup and was
> working fine. The second domain did not work. The error was odd according
> to people in IRC support channels, and I was told to upgrade to all of the
> latest versions.
>
> I did that.
>
> Now when I try to run startssl, I get errors on BOTH virtual domains.
>
> The domain that had once worked produces these errors:
>
> [Mon Dec 17 16:41:46 2001] [error] mod_ssl: Init: (.com:443)
> Unable to configure RSA server private key (OpenSSL library error follows)
> [Mon Dec 17 16:41:46 2001] [error] OpenSSL: error:0B080074:x509 certificate
> routines:X509_check_private_key:key values mismatch
>
> The domain2, that I couldn't get to work before the upgrade, produces these
> errors:
>
> [Mon Dec 17 16:45:43 2001] [error] mod_ssl: Init: Private key not found
> (OpenSSL library error follows)
> [Mon Dec 17 16:45:43 2001] [error] OpenSSL: error:0D06B078:asn1 encoding
> routines:ASN1_get_object:header too long
>
> -
>
> For domain1, I tried to check the md5's of each of the key and crt...
>
> The md5 for the crt shows up fine. When I try to get the md5 for the .key,
> I get this error:
>
> # openssl rsa -noout -modulus -in server.key | openssl md5
> read RSA key
> unable to load key
> d41d8cd98f00b204e9800998ecf8427e
>
>
> I get this same "unable to load key" error for any key I try to get the md5
> checksum for
>
>
> Any help in getting both of my virtual domain's (the two that need SSL)
> working is greatly appreciated.
>
> Thanks.
>
> -Mike
>
>
> PS: Here is the Virtual Server entry from httpd.conf for domain2... domain1
> has the exact same (but updated ip and paths)
>
>
> NamevirtualHost xxx.xxx.xxx.44:443
>
> SSLEngine On
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateKeyFile /www/conf/ssl.key/domain2_server.key
> SSLCertificateFile /www/conf/ssl.crt/domain2.com.crt
> DocumentRoot /home/hosting/domain2.com/public_html
> ServerName domain2.com
>CustomLog /www/logs/domain2.com combined
>ErrorLog /www/logs/domain2_error_log
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> SSLOptions +StdEnvVars
>
>
> SSLOptions +StdEnvVars
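The value d41d8cd98f00b204e9800998ecf8427e in the output quoted in this thread is the MD5 of empty input: `openssl rsa` wrote no modulus to stdout, so the pipeline hashed zero bytes. As an added example (not from the thread; the file names, passphrases and subject are constructed), this script performs the key/certificate modulus comparison and the `-passin` usage discussed in both replies, and tells an unloadable key apart from a genuine mismatch:

```shell
#!/bin/sh
# Added example: compare the RSA modulus of a private key and a certificate,
# distinguishing "key could not be loaded" from a real key/cert mismatch.
# File names, passphrases and the subject are constructed for the demo.

EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e   # MD5 of zero bytes of input

# MD5 of the modulus line printed for a private key.
# $1 = key file, $2 = passphrase (not used by openssl for an unencrypted key)
key_modulus_md5() {
    openssl rsa -noout -modulus -in "$1" -passin "pass:$2" 2>/dev/null |
        openssl md5 | awk '{print $NF}'
}

# MD5 of the modulus line printed for a certificate.
cert_modulus_md5() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null |
        openssl md5 | awk '{print $NF}'
}

# $1 = key, $2 = certificate, $3 = passphrase. Prints one of:
#   match, mismatch, key-not-loaded, cert-not-loaded, digest-failed
check_pair() {
    k=$(key_modulus_md5 "$1" "$3")
    c=$(cert_modulus_md5 "$2")
    if [ -z "$k" ] || [ -z "$c" ]; then
        echo digest-failed        # e.g. MD5 unavailable in this build
    elif [ "$k" = "$EMPTY_MD5" ]; then
        echo key-not-loaded       # wrong passphrase or unreadable key file
    elif [ "$c" = "$EMPTY_MD5" ]; then
        echo cert-not-loaded
    elif [ "$k" = "$c" ]; then
        echo match
    else
        echo mismatch             # the "key values mismatch" situation
    fi
}

# Create an encrypted key, a self-signed certificate for it, and an
# unrelated unencrypted key, all inside directory $1.
make_demo_files() {
    openssl genrsa -aes128 -passout pass:demo-pass \
        -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/server.key" -passin pass:demo-pass \
        -subj /CN=example.test -days 1 -out "$1/server.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_files "$d" || { rm -rf "$d"; return 1; }
    echo "right passphrase: $(check_pair "$d/server.key" "$d/server.crt" demo-pass)"
    echo "wrong passphrase: $(check_pair "$d/server.key" "$d/server.crt" not-the-pass)"
    echo "unrelated key:    $(check_pair "$d/other.key" "$d/server.crt" unused)"
    rm -rf "$d"
}

demo || true
```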
Re: Maximum size of server certificate
\MIS.$:2:202:45032252 - *** Run-time Error 004 ***
\MIS.$:2:202:45032252 - Arithmetic fault
\MIS.$:2:202:45032252 - From d2i_ASN1_SET + %334, UC.02
\MIS.$:2:202:45032252 - d2i_X509_NAME + %222, UC.02
\MIS.$:2:202:45032252 - ASN1_dup + %75, UC.00
\MIS.$:2:202:45032252 - X509_NAME_dup + %17, UC.01
\MIS.$:2:202:45032252 - X509_NAME_set + %21, UC.02
\MIS.$:2:202:45032252 - X509_set_issuer_name + %24, UC.00
\MIS.$:2:202:45032252 - req_main + %4123, UC.00
\MIS.$:2:202:45032252 - OPENSSLC.do_cmd + %43, UC.00
\MIS.$:2:202:45032252 - main + %315, UC.00
\MIS.$:2:202:45032252 - _MAIN + %31, UC.00
ABENDED: 2,202
CPU time: 0:00:02.515
3: Premature process termination with fatal errors or diagnostic

----- Original Message -----
From: "Krishnaswamy R." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 18, 2001 1:08 PM
Subject: Maximum size of server certificate

> Hi all,
>
> Is there is any maximum size defined in TLS for a server's
> certificate sent to the client?
>
> Or is there is any practical implementation size limit defined
> in OpenSSL for the size of a server's certificate.
>
> thanks,
> Krishna
RSA PRIVATE KEY GENERATION (Errors)
Trying to generate a RSA private key and get the errors shown below. It is able to generate private keys when numbits <= 64.

Any Ideas AnyOne; Thanks In Advance

$WORK0 OLAPPOBJ 315> run openssl genrsa -out $work0.cadir.privkey -rand $work0.cadir.rnd -des3 -out $work0.cadir.privkey -passout pass:password 128
$WORK0 OLAPPOBJ 315..
1024 semi-random bytes loaded
Generating RSA private key, 128 bit long modulus
...1:error:0306C072:bignum routines:bn_expand2:bignum too long:$DATA5.OLCPBN.BNLIBC:-2680:
1:error:04069003:rsa routines:RSA_generate_key:BN lib:$DATA5.OLCPRSA.RSAGENC:-14608:
ABENDED: 1,156
CPU time: 0:00:57.121
1: Process terminated with warning diagnostics
OpenSSL On Tandem Guardian
Need to build the OpenSSL libraries libssl.a & libcrypto.a on a Tandem Guardian platform. Trouble is it's an environment without the MAKE utility. Using simple Compile & Bind Macros (shell-scripts in unix-speak) I have managed to compile (source list from Makefile.ssl) and build libssl.a.

My next task is to compile and build libcrypto.a; would like to know if there are any compile time DEFINES I have not included.

How does one go about building the ssl & crypto libraries on non-unix, non-pc, non-vms type platforms?

thanks...