Re: [openssl-users] [openssl-dev] Ubsec and Chil engines

2016-02-23 Thread Sander Temme
All,

I toyed over the weekend with resurrecting CHIL: intermediate result here 
https://github.com/sctemme/openssl/tree/rescue-chil and I AM NOT PROUD OF THIS 
but have no cycles to clean it up for at least a couple of days to come. It 
builds now but doesn't work: my privkey loading routine doesn't get called and 
that may be an API change I missed. 

Can we resurrect CHIL for 1.1 along these lines? Then I'd be delighted to join 
the discussion about p11 for down the road. 

S. 

Sent from my iPhone

> On Feb 22, 2016, at 10:00 AM, Richard Levitte  wrote:
> 
> In message 
> <347004c001fd430aadadceac908e6...@ustx2ex-dag1mb1.msg.corp.akamai.com> on 
> Mon, 22 Feb 2016 14:46:28 +, "Salz, Rich"  said:
> 
> rsalz> > If we integrate the support natively into OpenSSL, then PKCS#11 URIs 
> (see
> rsalz> > RFC7512) can be first-class citizens throughout the crypto and SSL 
> APIs. Any
> rsalz> > function which takes a filename for a cert or key should also 
> accept¹ a
> rsalz> > PKCS#11 URI.
> rsalz> 
> rsalz> It'd be great to see a crypto/pkcs11 directory with full native 
> support (as much as possible).
> rsalz> 
> rsalz> But really doubtful to happen in 1.1 as the API freeze is in a month.
> 
> Yeah, 1.1 is unrealistic, I'm sorry to say.
> 
> -- 
> Richard Levitte levi...@openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] [openssl-dev] Ubsec and Chil engines

2016-02-20 Thread Sander Temme

> On Feb 19, 2016, at 3:31 AM, Matt Caswell  wrote:

OK that made our support lines blow up so yes there is interest.

Disclaimer: I work for Thales but do not speak for Thales.

> So it seems that for chil there may possibly be some rare use (but even
> the most recent evidence is 4 years old). However the OpenSSL dev team
> do not have access to this hardware to maintain the engine and (as noted
> above) this is currently not building in 1.1.0.

I think (again, personal impression) that this is one of those sleeper 
integrations that a lot of people use but doesn’t get on the radar a whole lot. 
Using openssl is by far the easiest way to get the nShield HSM to do something 
with protected keys… as long as those are RSA keys.  Pair that with existing 
application integrations like Apache, OpenSSH, etc. I know of a number of 
customers and partners, none of whom I am at liberty to discuss (although they 
might speak up for themselves), who use OpenSSL with nShield for various 
applications.

So it’s not dead.  What it does, it does very well.  If anything, the lack of 
visible activity may indicate how easy CHIL is to use and support.

> In both cases I would like to remove these engines from 1.1.0. I'd like
> to hear from the community if there is any active use of these. One
> option if there is found to be some small scale use is to spin out the
> engine into a separately managed repo (as has happened recently with the
> GOST engine).
> 
> If I don't hear from anyone I will remove these.

Ehm.  Let’s talk about this.  As I noted above, a lot of our valued customers 
may depend on this even though they might not know or may have forgotten about 
it.  From your October 28 commit (29e7a56d), it seems that what broke us was 
when the bn structure went opaque… I see only two lines in e_chil.c that depend 
on the internal structure of bn so that should be addressable.  We’d like to do 
some more things to this Engine, like more key types and, yes, those dynamic 
locks should go away, which requires some surgery to the stuff underneath but 
nothing major.  All the platforms we run on now have good locking.  And, Rich, 
I indeed have had those locks on my guilty conscience for all this time but not 
found any round tuits.

However, I’m intrigued by the notion of a PKCS#11 Engine in OpenSSL: it’s a 
standard (an OASIS standard now); it’s fairly fully featured; everyone in the 
industry supports it including Thales; and you can build a program that calls 
it without needing a vendor SDK, because there are standard headers and a well 
defined way to get to the entry points.  If we can come up with a way to pick a 
PKCS#11 slot and log into it that makes sense (e.g. not by poking PINs into a 
system wide config file etc.) then I think we’d have a winner.

What I would like to see though is for such a PKCS#11 Engine to be part of 
OpenSSL proper, so that our customers and everyone else’s don’t have to go hunt 
hither and yon for bits and bobs of software in order to make their hardware 
kit work with OpenSSL.  How would OpenSSL obtain a PKCS#11 Engine to include in 
its distribution?

Thanks,

S.

--
san...@temme.net  http://www.temme.net/sander/
PGP FP: BCD1 6D2C 8906 C48A 540E  253E 94D3 36A3 6D15 930A







Re: Tutorials on OpenSSL integration with nCipher HSM (nShield) ?

2012-03-07 Thread Sander Temme

On Mar 6, 2012, at 10:45 AM, Sunjeet Singh wrote:

> Hi,
> 
> Most of the references on this forum on how to use nCipher HSM with OpenSSL 
> using the CHIL API (or CAPI) are outdated. I was wondering if anyone had any 
> pointers to helpful resources in this regard.

I don't know if outdated is the word: perhaps there hasn't ever been much. 

> I've been reading up about it here and there and I'm aware of the commands to 
> use for engine selection and usage etc. but I think I am lacking some basic 
> conceptual knowledge. I've gotten only as far as generating the keys using 
> the CHIL engine, but don't know how to use the key and certificate for crypto 
> operations. 


The CHIL Engine *only* registers for RSA exponentiation, and cannot be used to 
generate keys.  You generate HSM protected keys of 'embed' application type 
using the Thales/nCipher 'generatekey' utility (invoke with --help to see what 
options are available), and use the embedsavefile as key for your openssl 
program with the CHIL engine registered.

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme

__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Tutorials on OpenSSL integration with nCipher HSM (nShield) ?

2012-03-07 Thread Sander Temme

On Mar 7, 2012, at 2:12 PM, Sunjeet Singh wrote:

> Thank you for your response. 
> 
>> I don't know if outdated is the word: perhaps there hasn't ever been much. 
> 
> Some old blogs are referencing helpful blogs/tutorials that are now expired. 
> Searching online didn't help either.
> 
>> The CHIL Engine *only* registers for RSA exponentiation, and cannot be used 
>> to generate keys.  You generate HSM protected keys of 'embed' application 
>> type using the Thales/nCipher 'generatekey' utility (invoke with --help to 
>> see what options are available), and use the embedsavefile as key for your 
>> openssl program with the CHIL engine registered.
> 
> Pardon me. Indeed, I have been using the 'embed' application type for 
> generating RSA keys using nCipher 'generatekey' utility. 
> 
> After grappling a little more with this, I have come down to three specific 
> questions-
> 
> 1. When you say 'embedsavefile' are you talking about the key blob that gets 
> saved in the Key Management folder of nCipher as-it-is, or do I need to apply 
> some padding/formatting to it first?

When you create an 'embed' type key (not 'hwcrhk', but 'embed'), the 
generatekey utility will save three files in addition to the key blob.  They 
are named after the information you passed when generatekey asked for the 
'embedsavefile': for instance if you passed 'fookey' as response, you will have 

fookey
fookey_certreq
fookey_selfcert

The first one looks a lot like a private key, but it is a dummy key.  This is 
the key file you pass to the OpenSSL library.  It looks so much like a private 
key, that the library will just use it.  However, when you use it with the CHIL 
engine registered, and the Hardware Crypto Hook library loaded, the Hardware 
Crypto Hook library will find embedded (hence 'embed') in the private exponent 
value for that dummy key a pointer to the real key, protected by the nCipher 
Security World and saved under the Key Management Data folder. 

If you care to run that fookey file through openssl: 

openssl rsa -in fookey -noout -text

you will see that it is bogus: several values are identical that would differ 
for a real key.  As a bonus exercise, decode the private exponent as straight 
ASCII: you will see the pointer to the real key appear.  

This is for embed type keys: I have never had the opportunity to figure out how 
this would work for hwcrhk type keys.

WARNING: if you try to use that dummy private key without the CHIL engine 
registered, the OpenSSL library will happily use the bogus key value for 
private key operations.  You are almost guaranteed to get garbage results if 
this happens.  

> 2. My private key is ultimately protected by a smart-card pass-phrase. At 
> which step is the pass phrase supplied and how by an application that is 
> making use of the OpenSSL (CHIL) engine API?

OpenSSL, CHIL and the Hardware Crypto Hook library lack the capability to 
prompt for smart cards and passphrases.  You need to start your OpenSSL program 
out of the nCipher preload utility.  Run preload --help to find out which 
options are available.  

> 3. If I want to use CryptoAPI instead of CHIL, what changes? I gather that 
> one immediate change would be that the private key will have to be imported 
> onto the HSM (assuming that nCipher generatekey can not generate CryptoAPI 
> keys). Other than that, CAPI engine for OpenSSL will have to be used. Any 
> other major changes that come to mind? 


I am wholly unfamiliar with the MS-CAPI engine.  However, if you can use it and 
can set the CSP to nCipher Enhanced Cryptographic Provider, you should be 
able to use hardware protected container keys.  The nCipher generatekey utility 
cannot generate or import MS-CAPI keys.  If the MS-CAPI Engine can generate 
keys, you might be able to use it through the nCipher CSP to generate hardware 
protected Signing and Exchange keypairs for your CAPI container.  Another 
option, if you already generated a Security World protected RSA keypair for 
another application type, is to use the nCipher cspimport utility to bring it 
into the MS-CAPI environment.  

Note that you can contact Thales technical support as part of your support 
contract.  They also sell Developer Support to help you with your code.

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme

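The two symptoms Sander describes for an 'embed' dummy key (CRT values that would differ in a real key are identical, and the private exponent is readable ASCII) can be checked mechanically before the file is handed to a program that may not have the CHIL engine loaded. The script below is an added example, not part of the thread and not Thales/nCipher tooling: it decodes a PKCS#1 PEM with a minimal DER reader and reports both symptoms. It assumes nothing about the real embedsavefile layout beyond what the mail states, and the sample keys it builds are constructed to show the symptoms, not real nCipher artefacts.

```python
"""Sanity-check a PEM RSA private key for the CHIL 'embed' dummy-key pattern.

Added example, not from the original thread and not Thales/nCipher tooling.
The only facts taken from the mail are the two symptoms it describes: several
CRT values that would differ in a real key are identical, and the private
exponent decodes as readable ASCII pointing at the real HSM-protected key.
The exact embedsavefile layout is NOT assumed; the sample keys built below are
CONSTRUCTED to show those symptoms and are not real nCipher artefacts.
"""
import base64
import re

FIELDS = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]  # PKCS#1 RSAPrivateKey order


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(data: bytes, pos: int = 0):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length


def build_pem(values: dict) -> str:
    """Encode nine integers as a PKCS#1 'RSA PRIVATE KEY' PEM (used for the constructed samples)."""
    body = b"".join(_der_int(values[name]) for name in FIELDS)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def rsa_private_fields(pem: str) -> dict:
    """Decode a PKCS#1 PEM back into its nine integers."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA private key")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())))
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields, pos = {}, 0
    for name in FIELDS:
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER for %s" % name)
        fields[name] = int.from_bytes(val, "big")
    return fields


def looks_like_embed_dummy(pem: str) -> dict:
    """Report the two symptoms; a hit means the file is useless without the CHIL engine loaded."""
    f = rsa_private_fields(pem)
    identical = [pair for pair in (("p", "q"), ("dp", "dq")) if f[pair[0]] == f[pair[1]]]
    d_bytes = f["d"].to_bytes((f["d"].bit_length() + 7) // 8, "big")
    ascii_d = all(0x20 <= b < 0x7F for b in d_bytes)
    return {"identical_pairs": identical, "ascii_exponent": ascii_d,
            "exponent_text": d_bytes.decode("ascii") if ascii_d else None,
            "dummy": bool(identical) or ascii_d}


def constructed_dummy_pem() -> str:
    """CONSTRUCTED sample: identical CRT values and an ASCII 'pointer' in the private exponent."""
    p = (1 << 511) | 0xABCD
    return build_pem({"version": 0, "n": (1 << 1023) | 0x12345, "e": 65537,
                      "d": int.from_bytes(b"CONSTRUCTED-POINTER-TO-HSM-KEY", "big"),
                      "p": p, "q": p, "dp": p, "dq": p, "qinv": 1})


def constructed_plausible_pem() -> str:
    """CONSTRUCTED sample with distinct CRT values and a non-printable exponent (not a valid key pair)."""
    return build_pem({"version": 0, "n": (1 << 1023) | 0x12345, "e": 65537, "d": (1 << 1000) | 0x9,
                      "p": (1 << 511) | 0x1, "q": (1 << 511) | 0x3,
                      "dp": (1 << 500) | 0x5, "dq": (1 << 500) | 0x7, "qinv": (1 << 400) | 0xB})


if __name__ == "__main__":
    print(looks_like_embed_dummy(constructed_dummy_pem()))
    print(looks_like_embed_dummy(constructed_plausible_pem()))
```

Run it against a real embedsavefile with `looks_like_embed_dummy(open("fookey").read())`; a positive result is the cue that the file must only be used with the CHIL engine registered and the Hardware Crypto Hook library loaded, exactly the WARNING above.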


Re: TLS 1.0 cracked...

2011-09-23 Thread Sander Temme


On Sep 22, 2011, at 6:56 AM, Johan van Selst wrote:

> Mounir IDRASSI wrote:
>> So, an OpenSSL based web server is immune from this attack, unless it
>> uses the flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
> 
> Which is exactly what Apache and some other popular applications seem to
> be doing. Maybe this flag should not be included in SSL_OP_ALL after all.

Do you have a patch for Apache?

Any of the some broken SSL/TLS implementations still in widespread use?

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme



Re: elicptic Curve Key Generation

2011-03-19 Thread Sander Temme

On Mar 18, 2011, at 3:57 PM, Strecker, Dean A. wrote:

> I'm using the OpenSSL Crypto library to perform Elliptic Curve key
> generation and signature generation/verification.  Actually, I don't
> have any problem creating a key (EC_KEY) and generating signatures and
> verifying signatures using pure OpenSSL.
> 
> The challenge I'm having is that I'm using a Hardware Security Module
> (HSM) to generate the private key and the public key point (X, Y).  I

What model of HSM?  And how are you integrating with it? 

> thought I might be able to initialize the EC_KEY->priv_key and
> EC_KEY->pub_key with the data generated by the HSM before calling
> EC_KEY_generate_key(EC_KEY). 

Are you exporting the key material once generated, or are you looking to use it 
while under protection by the HSM? 

S.

> I was hoping this would act as an Import key action.  Wrong!
> EC_KEY_generate_key generates new private and public key point
> overriding the private and public key point passed into the
> EC_KEY_generate_key function.
> 
> Since OpenSSL supports importing of keys, well from the command line
> anyhow, I can't help but think there must be a way to programmatically
> import an Elliptic Curve key (private key and public key point).
> 
> I have been studying the source coding starting with the call to
> EC_KEY_generate_key function and working my way down.  So far I have not
> figured out how to create an Elliptic Curve Key from a given private key
> and public key point.  Does anybody have any idea where I could look for
> an answer?  
> 
> Thank you,
> 
> Dean


-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme



Re: Open SSL installtion on Solaris - 10

2011-02-27 Thread Sander Temme

On Feb 27, 2011, at 2:02 AM, John R Pierce wrote:

> but, my Sol10 systems appear to already have an openssl in /usr/sfw/bin (and 
> libraries in /usr/sfw/lib, etc) which is maintained by Oracle


Last time I was on a Solaris box, that one seemed to be stuck at 0.9.7.  

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme



Re: CA cert installed/imported but they are not trusted

2010-04-09 Thread Sander Temme

On Apr 9, 2010, at 3:02 AM, Götz Reinicke - IT Koordinator wrote:

> [r...@ldap1 ~]# openssl s_client -connect ldap1.filmakademie.de:389
> -showcerts -CAfile /etc/openldap/CA_falu/CA.pem
> CONNECTED(0003)
> 5066:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
> 
> What the hell ... hmm. What may be missing/wrong?

389 is plaintext.  LDAP-over-SSL runs on 636. 

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



Re: CA cert installed/imported but they are not trusted

2010-04-08 Thread Sander Temme

On Apr 8, 2010, at 6:55 AM, Götz Reinicke - IT Koordinator wrote:

> So does my local ldap client (Apache Directory Studio (ADS) on mac OS X
> 10.6.x ).
> 
> Nearly, because the servers and the ADS client both alert me, that I use
> invalid certificates and the certificate can't be validated.
> 
> But I have e.g. on the Mac imported my ca cert in the Macs keychain
> (once for system resp. for login) and the use for everything (ssl, IPsec,
> X.509, ...) is set to trust.

I have never used Apache DS but since it runs on Eclipse, I would not be 
surprised if it did not use the Mac Keychain.  Try adding the CA cert to the 
Java Keystore used by the JVM.  

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



Re: Urgent Help Needed

2010-03-21 Thread Sander Temme

On Mar 21, 2010, at 12:12 AM, Anjan Koundinya.K wrote:

> What should I do? I need as a part of final year project . Please help

If your curriculum has anything to do with computing, I suggest going back and 
taking the other years before you hit the final.  Otherwise, you might try to 
put the lib directory under your OpenSSL install on your LD_LIBRARY_PATH. 

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: how do you create signatures in OpenSSL?

2010-03-17 Thread Sander Temme

On Mar 17, 2010, at 2:05 PM, Thomas Anderson wrote:

> According to http://linuxmanpages.com/man1/rsautl.1.php, you can
> sign data with OpenSSL.  My question is how?  I tried to sign my
> private key and got the following error:
> 
> ubu...@ubuntu:~$ openssl rsautl -sign -in rsa.txt -inkey rsa.txt -out sig
> Enter pass phrase for rsa.txt:
> RSA operation error
> 1543:error:0406C06E:rsa routines:RSA_padding_add_PKCS1_type_1:data too
> large for key size:rsa_pk1.c:73:

Read a little further down that same man page, and you'll see: 

NOTES

rsautl because it uses the RSA algorithm directly can only be used to sign or 
verify small pieces of data. 

The amount of data that you can decrypt with an RSA private key is small, and 
depends on the size of the modulus of your key (1024, 2048, etc.).  Your private 
key data, being an X bit exponent and a Y bit modulus, is likely too large to be 
signed with a Y bit key.  

Try taking a hash of your data, and feeding that to the utility. 

> If I didn't know better, I'd guess that rsautl wasn't signing messages
> but rather was encrypting them, even though I had out -sig set.  So
> how do I sign with rsautl?  Is it even possible?  And how do I sign
> with PSS as opposed to PKCS#1?

Looks like this utility is a little limited... you could either a) add PSS 
support to the utility and recompile your OpenSSL or b) hash and pad your data 
through other means and use -raw. 

S.

-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: Compiling Errors Crypt::SSLeay

2010-02-06 Thread Sander Temme

On Feb 5, 2010, at 1:28 PM, Merker, Nick wrote:

> I am receiving errors when compiling Crypt::SSLeay on RHEL4ASu7 x86_64.
                                                                      ^^
64bits system...

> $ make test
> # Error:  Can't load 
> '/home/nmerker/.cpan/build/Crypt-SSLeay-0.57/blib/arch/auto/Crypt/SSLeay/SSLeay.so'
>  for module Crypt::SSLeay: 
> /home/nmerker/.cpan/build/Crypt-SSLeay-0.57/blib/arch/auto/Crypt/SSLeay/SSLeay.so:
>  cannot open shared object file: No such file or directory at 
> /usr/local/cars-perl/5.8.8/lib/5.8.8/i686-linux/DynaLoader.pm line 230.
                                       ^^^^
That looks like a 32bits Perl... run file /usr/local/cars-perl/bin/perl ? 
  
> I am fairly certain this is something to do with being unable to load 
> libcrypto.so or libssl.so, so I checked it out:
> # ldd 
> /home/nmerker/.cpan/build/Crypt-SSLeay-0.57/blib/arch/auto/Crypt/SSLeay/SSLeay.so
> libc.so.6 => /lib64/tls/libc.so.6 (0x002a9566a000)
> /lib64/ld-linux-x86-64.so.2 (0x00552000)

That seems like a 64bits build, but file can tell you.

A 32bits binary cannot load a 64bits library.  I'd say building a 64bits Perl, 
or 32bits Perl modules on a 64bits system, is off-topic for this list.  

S.

> That looks fine.  I have the following packages installed:
> openssl-0.9.7a-43.17.el4_6.1
> openssl-devel-0.9.7a-43.17.el4_6.1
> 
> I am confused as to what is missing here.  From my standpoint, there should 
> be no error when trying to load SSLeay.so file, especially a “No such file or 
> directory” error because ‘ldd’ responds properly.
> 
> What am I missing here?
> 
> -Nick


-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



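Sander's diagnosis (a 32-bit Perl cannot dlopen a 64-bit SSLeay.so, and `file` will tell you which is which) is decided by two bytes in the ELF header: EI_CLASS and e_machine. The reader below is an added example, not from the thread; it parses just those fields so the check can be scripted when `file` is not at hand. The two headers it ships with are constructed byte strings that mimic an i686 Perl binary and an x86-64 shared object, not real files.

```python
"""Tell a 32-bit ELF object from a 64-bit one without running `file`.

Added example, not from the original thread. It reads only the ELF identification
bytes and e_machine, which is enough to explain "cannot open shared object file"
when a 32-bit perl tries to dlopen() a 64-bit SSLeay.so. The two headers below
are CONSTRUCTED byte strings, not real binaries."""
import struct

ELF_MAGIC = b"\x7fELF"
CLASS = {1: "ELF32", 2: "ELF64"}                                   # EI_CLASS values
MACHINE = {3: "i386", 62: "x86-64", 40: "arm", 183: "aarch64"}     # subset of e_machine values


def elf_identity(header: bytes) -> dict:
    """Parse e_ident and e_machine from the first 20 bytes of an ELF file."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in CLASS or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_machine,) = struct.unpack(endian + "H", header[18:20])
    return {"class": CLASS[ei_class], "bits": 32 if ei_class == 1 else 64,
            "machine": MACHINE.get(e_machine, "unknown(%d)" % e_machine)}


def can_load(host: bytes, lib: bytes) -> bool:
    """A process can only dlopen() a shared object of its own class and machine."""
    h, l = elf_identity(host), elf_identity(lib)
    return h["class"] == l["class"] and h["machine"] == l["machine"]


def elf_identity_of_file(path: str) -> dict:
    """Convenience wrapper for real files, e.g. the perl binary and SSLeay.so."""
    with open(path, "rb") as fh:
        return elf_identity(fh.read(20))


# CONSTRUCTED headers: magic, class, data, version, OS/ABI, padding, then e_type and e_machine.
PERL_I686 = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, 3)     # ET_EXEC, EM_386
SSLEAY_X86_64 = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 3, 62)  # ET_DYN, EM_X86_64


if __name__ == "__main__":
    print("perl   :", elf_identity(PERL_I686))
    print("SSLeay :", elf_identity(SSLEAY_X86_64))
    print("loadable:", can_load(PERL_I686, SSLEAY_X86_64))
```

On the poster's system the call would be `can_load(elf_identity_of_file("/usr/local/cars-perl/bin/perl"), ...)` against the built SSLeay.so; the same mismatch is why ldd on the library looks fine (ldd is resolving it as a 64-bit object) while the 32-bit interpreter still reports "No such file or directory".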


Re: OpenSSL with SafeNet ProtectServer engine

2009-12-02 Thread Sander Temme
Hi Frederik, 

On Dec 2, 2009, at 7:27 AM, Frederik Mennes wrote:

> Hi everyone,
> 
> I am trying to use OpenSSL’s EVP interface with as engine a SafeNet (formerly 
> Eracom) ProtectServer HSM.
> 
> I have received from SafeNet a patched version of OpenSSL 0.9.8d. This patch 
> is called “ERAC-3.30-openssl-0.9.8d.patch”. I am working on Ubuntu Linux with 
> kernel version 2.6.28-13-generic, and I use SafeNet ProtectToolkit C version 
> 3.32.00.
> 
> I have successfully built the patched OpenSSL library. However when I try to 
> use the SafeNet engine it seems the actual engine library cannot be found. 
> Can anyone help?

Hard to tell what it is trying to do without seeing the code... could you 
perhaps post the patch? 

S.

  
  
> Here are the steps I have performed:
> 
> 1)   I have stored the patched OpenSSL 0.9.8d source code at following 
> location:
> 
> /home/user/Desktop/openssl-0.9.8d-patched-safenet
> 
> 2)   I have built the patched OpenSSL source code using the instructions 
> in the readme.txt file that came with the patch. This worked fine. The result 
> of the build was following directory structure:
> 
> /opt/test/bin
>   c_rehash
>   openssl
> /opt/test/include
>   /openssl [directory with .h files]
> /opt/test/lib
>   /engines [empty directory]
>   libcrypto.so
>   libssl.a
>   libssl.so.0.9.8
>   libcrypto.a
>   libcrypto.so.0.9.8
>   libssl.so
>   /pkgconfig [directory with .pc files]
> /opt/test/ssl
>   /certs [empty directory]
>   /engines [empty directory]
>   /man
>     /man1
>     /man3
>     /man5
>     /man7
>   /misc [directory with some executables]
>   openssl.cnf
>   /private [empty directory]
> 
> It seems all engine directories are empty, so I don’t have an engine for 
> the ProtectServer HSM. Is this normal?
> 
> 3)   I have generated an RSA key pair on the ProtectServer HSM using the 
> ctkmu tool:
> 
> ctkmu c -s0 -t rsa -n CA -a PTxSV
> 
> 4)   I now try to create a keylink for this file:
> 
> /opt/test/bin$ ./openssl genrsa -engine ERACOM -hwkey 0/CA > CA.keylink
> 
> However I receive following error (also when executed as root user):
> 
> bash: CA.keylink: Permission denied
> 
> Then I tried following command:
> 
> /opt/test/bin$ ./openssl genrsa -engine ERACOM
> 
> And I received following error:
> 
> Invalid engine “ERACOM”
> 12740: error: 25066067: DSO support routines: DLFCN_LOAD: could not load the 
> shared library: dso_dlfcn.c:16: filename (/usr/lib/ssl/engines/libERACOM.so): 
> no such file or directory
> 
> Thanks,
> 
> Frederik


-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



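Three messages on this page turn on reading an OpenSSL error line: the LDAP "ssl handshake failure" (talking TLS to the plaintext port 389), the rsautl "data too large for key size", and the SafeNet "could not load the shared library". The parser below is an added example, not from the thread: it splits the `error:XXXXXXXX:lib:func:reason:file:line:` format and unpacks the hex code with the ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON bit layout of the OpenSSL 0.9.x and 1.0.x releases these mails concern (OpenSSL 3.0 changed that packing, so the func field does not apply there). The sample lines are copied from the messages above; the library-number names are from err.h, and the hints are the defender-side readings given in the replies.

```python
"""Decode the 'error:XXXXXXXX:lib:func:reason:file:line:' lines OpenSSL prints.

Added example, not from the thread. The numeric unpacking follows the
ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros of the OpenSSL 0.9.x/1.0.x
era these mails belong to (3.0 changed the packing, so do not apply the func
field there). The sample lines are copied from the messages on this page; the
library constant names are the ones err.h uses for those numbers."""
import re
from typing import Dict, List

ERROR_RE = re.compile(
    r"^(?:(?P<pid>\d+):\s*)?error:\s*(?P<code>[0-9A-Fa-f]{8}):\s*(?P<lib>[^:]*):\s*"
    r"(?P<func>[^:]*):\s*(?P<reason>[^:]*):\s*(?P<file>[^:]*):\s*(?P<line>\d+):\s*(?P<data>.*)$")

LIB_NAMES = {4: "ERR_LIB_RSA", 20: "ERR_LIB_SSL", 37: "ERR_LIB_DSO"}   # from err.h

# Defender-side reading of the reasons that appear in this thread, keyed by (lib, reason).
HINTS = {
    (20, 0x0E5): "ssl handshake failure: check that the peer really speaks TLS on that port "
                 "(LDAP on 389 is plaintext; LDAP-over-SSL is 636)",
    (4, 0x06E): "data too large for key size: raw RSA can only sign modulus_bytes - 11 bytes; "
                "hash the data and sign the digest",
    (37, 0x067): "could not load the shared library: the engine .so is missing from the engines directory",
}


def parse_openssl_error(line: str) -> Dict[str, object]:
    """Split one error line into its text fields and the packed numeric code."""
    m = ERROR_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL error line: %r" % line)
    code = int(m["code"], 16)
    lib_num, func_num, reason_num = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {
        "pid": int(m["pid"]) if m["pid"] else None,
        "code": code, "lib_num": lib_num, "func_num": func_num, "reason_num": reason_num,
        "lib_const": LIB_NAMES.get(lib_num, "unknown"),
        "lib": m["lib"].strip(), "func": m["func"].strip(), "reason": m["reason"].strip(),
        "file": m["file"].strip(), "line": int(m["line"]), "data": m["data"].strip(),
        "hint": HINTS.get((lib_num, reason_num)),
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every OpenSSL error line in a log excerpt, skipping lines that are not one."""
    out = []
    for line in lines:
        try:
            out.append(parse_openssl_error(line))
        except ValueError:
            continue
    return out


# Sample lines copied from the messages on this page (the third one carries the
# extra spaces the mail archive inserted around its colons).
SAMPLE_LINES = [
    "5066:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:",
    "1543:error:0406C06E:rsa routines:RSA_padding_add_PKCS1_type_1:data too large for key size:rsa_pk1.c:73:",
    "12740: error: 25066067: DSO support routines: DLFCN_LOAD: could not load the shared library: "
    "dso_dlfcn.c:16: filename (/usr/lib/ssl/engines/libERACOM.so): no such file or directory",
    "CONNECTED(0003)",
]


if __name__ == "__main__":
    for err in triage(SAMPLE_LINES):
        print("%s/%s (%d): %s -> %s" % (err["lib_const"], err["func"], err["reason_num"], err["reason"], err["hint"]))
```

The numeric fields matter when the text is truncated or localized: lib 20 is ERR_LIB_SSL and 4 is ERR_LIB_RSA regardless of what the surrounding log did to the strings, and the (lib, reason) pair is a stable key for a detection rule.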


Re: Problem with openssl versioning

2009-11-22 Thread Sander Temme
On Nov 22, 2009, at 1:53 PM, Sagar Dixit wrote:

> Hi,
> 
> I'm trying to trace the calls in libssl while I run firefox. I
> downloaded openssl-0.9.8l.tar.gz  source and added my logging
> information into source files (just for study purpose) and executed
> following steps
> 
> ./config -fPIC shared
> make
> make install
> 
> This created /usr/local/ssl/lib/libssl.so  I added the path to
> LD_LIBRARY_PATH and ran firefox. But firefox failed with
> 
> sa...@sagar-laptop:~/Desktop/openssl-0.9.8l$ firefox
> Couldn't load XPCOM.

Are you sure Firefox uses OpenSSL?  I was under the impression that it uses the 
Netscape crypto library. 

S.


> I used xpcshell to trace the problem and saw this:
> 
> sa...@sagar-laptop:~/Desktop/openssl-0.9.8l$ xpcshell-1.9
> xpcshell-1.9: /usr/local/ssl/lib/libssl3.so: no version information
> available (required by /usr/lib/xulrunner-1.9.0.15/libxul.so)
> xpcshell-1.9: /usr/local/ssl/lib/libssl3.so: no version information
> available (required by /usr/lib/xulrunner-1.9.0.15/libxul.so)
> xpcshell-1.9: relocation error: /usr/lib/xulrunner-1.9.0.15/libxul.so:
> symbol SSL_ImplementedCiphers, version NSS_3.2 not defined in file
> libssl3.so with link time reference
> 
> I think Mozilla Firefox 3.5 needs libssl3.so   (and renaming libssl.so
> to libssl3.so did not work and gave same error)
> 
> I later tried nm on original libssl.so (/usr/lib/libssl.so) and on
> 'new' libssl.so  (/usr/local/ssl/lib/libssl.so)
> and found that OPENSSL_0.9.8 symbol is missing in 'new' built libssl.so
> 
> Am I missing anything in Installation steps ?   How can I pass the
> versioning information during installation steps ?
> I read the INSTALL file but could not find any related information.
> 
> Any help is highly appreciated.
> 
> Thanking you,
> Sagar


-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: Problem with openssl versioning

2009-11-22 Thread Sander Temme

On Nov 22, 2009, at 2:27 PM, Sagar Dixit wrote:

> Yes,
> 
> I ran firefox through strace and saw that for https websites it uses 
> libssl3.so

scte...@surtur:~$ dpkg -S /usr/lib/libssl3.so
libnss3-1d: /usr/lib/libssl3.so

NSS is Netscape's crypto library. 

S.



-- 
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: how to uninstall openSSL Urgent help needed

2009-03-29 Thread Sander Temme


On Mar 29, 2009, at 7:10 PM, Srinivas Jonnalagadda wrote:


> I am using Sun Solaris version 10. any help is highly appreciated.



If you mess with the OpenSSL 0.9.7 installed under /usr/sfw, you will  
lose ssh access to your server, since the installed copy of OpenSSH  
links against that OpenSSL.


I have never had trouble building Apache against my own OpenSSL  
installation on that platform.  Squid was far more recalcitrant: I had  
to move the /usr/sfw libraries out of the way (and be careful not to  
log out of my ssh shell) during the build, or edit the configure  
script to set SSLLIBS to /path/to/my/openssl/lib/libcrypto.a  
/path/to/my/openssl/lib/libssl.a to link the SSL libraries in statically.


But you did not mention Squid in the other thread.  Apache should be  
fine.


S.

--
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: How to install 2 instances of openssl on the same machine

2009-03-27 Thread Sander Temme


On Mar 26, 2009, at 6:04 AM, Srinivas Jonnalagadda wrote:

> I need to have 2 separate installations of apache2 http server  
> referring to 2 different versions of openssl. One is using 0.9.8b  
> and the other uses 0.9.8i. How do i install open ssl in such a  
> scenario. Help is urgently needed.


As other respondents have said, you must install the two copies of  
OpenSSL in separate locations.  In addition, it appears that  
hardcoding the path to a linked library in Apache modules does not  
work very well on Linux.  So, you must point each copy of Apache to  
the proper copy of OpenSSL by setting the LD_LIBRARY_PATH environment  
variable.  On Solaris, this is not necessary since the linker does the  
right thing.


If you choose to install OpenSSL in the same prefix as Apache itself  
and start Apache using the apachectl script, you don't have to set the  
environment variable since the script sets it to the lib directory  
under your Apache installation, and that is also where your OpenSSL  
libraries will be.


You don't tell us which operating system you are using, but the  
'apache2' moniker is used by Debian and its derivatives like Ubuntu.   
If you are on Red Hat 5, you can't run a custom copy of OpenSSL since  
Red Hat links OpenSSL into the C library, which is loaded by the httpd  
binary before it loads its modules, and while mod_ssl may be linked  
against your copy, you will find that the system copy always wins.


S.

--
san...@temme.net  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: CRYPTO_set_dynlock_* mystery ... (was: Engine Issue: nShield 500)

2008-11-22 Thread Sander Temme


On Nov 21, 2008, at 12:01 AM, Massimiliano Pala wrote:


> Actually, it seems that the dynamic functions are never called... :(


I can assure you from my work on Apache 2.2.10 that the CHIL engine  
calls the dynamic locking upcalls many times.  It seems to be the only  
thing in the OpenSSL distribution that uses them though.


Are you by any chance passing the THREAD_LOCKING control command to  
the engine?  In engines/e_chil.c:736:


    case HWCRHK_CMD_THREAD_LOCKING:
        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
        disable_mutex_callbacks = ((i == 0) ? 0 : 1);
        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
        break;

which I take to read: if the input i is 0, then set  
disable_mutex_callbacks to 0; for any other value, set it to 1.  Then, in  
hwcrhk_init at line 580 (in trunk):


    if (disable_mutex_callbacks == 0)
        {
        if (CRYPTO_get_dynlock_create_callback() != NULL &&
            CRYPTO_get_dynlock_lock_callback() != NULL &&
            CRYPTO_get_dynlock_destroy_callback() != NULL)
            {
            hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
            hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
            hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
            hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
            }
        }

which means the function pointers that use the dynamic locks only get  
passed to the Hardware Crypto Hook library when that flag is 0.  My  
coffee-starved brain would assume that 0 means no and !0 means yes  
when specifying whether to use thread locking, but it seems to be the  
other way around here.  Perhaps that should be documented in the  
description of the control.


FWIW Apache runs just fine, with dynamic locks and CHIL, in a  
multithreaded setup, without setting THREAD_LOCKING on the engine.  I  
just got back from watching it run for a week with 8192 threads, 256  
threads to a child process and it was rock solid.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: CRYPTO_set_dynlock_* mystery ... (was: Engine Issue: nShield 500)

2008-11-21 Thread Sander Temme


On Nov 21, 2008, at 8:50 AM, Max Pala wrote:

> The problem is that they are not called by the nCipher driver - no sign
> at all in the logs... :( How come they are not called ???



Can you set a breakpoint in engines/e_chil.c:581 and inspect the value  
of disable_mutex_callbacks?  It should be 0 and if it isn't,  
libnfhwcrhk never learns about the existence of the locks.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: CRYPTO_set_dynlock_* mystery ... (was: Engine Issue: nShield 500)

2008-11-21 Thread Sander Temme


On Nov 21, 2008, at 8:07 AM, Max Pala wrote:

> I definitely did - now I do initialize all the static locks in OpenSSL *and* the
> dynamic functions. But they are never called by the chil - the assert fails and
> the SIGABRT is sent to my daemon forcing it to exit.


The library needs both the static locks and the dynamic locking upcalls.

> Does anybody know where I can find the patched OpenSSL version from nCipher?



/opt/nfast/toolkits/openssl/openssl098e-patch.txt

Should apply cleanly to newer versions of OpenSSL, with patch -p1.  It  
creates a static lock for CHIL to use so it doesn't need the dynamic  
ones available.


I personally think the dynamic locking concept is more elegant, but I  
do agree it smells of duplicated code because everyone has to set up  
the same scaffolding.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: CRYPTO_set_dynlock_* mystery ... (was: Engine Issue: nShield 500)

2008-11-21 Thread Sander Temme


On Nov 21, 2008, at 9:45 AM, Przemek Michalski wrote:


>> /opt/nfast/toolkits/openssl/openssl098e-patch.txt
>
> Could you send/post the nCipher patch 0.9.8e - I am using one
> supplied originally by nCipher for 0.9.8a



The source code bits in the patch are the same.  The 'a' patch is  
better, the 'e' version clobbers your openssl.cnf.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: Engine Issue: nShield 500

2008-11-21 Thread Sander Temme


On Nov 20, 2008, at 5:13 PM, Max Pala wrote:


> Hi Sander,
>
> yep the order is correct - the thread callbacks (pthread) init function
> is before the Engine initialization (which happens before the spawning
> of the threads).
>
> The error you are describing sounds definitely familiar - although my
> magic number is 12 (if I use 13 threads then... crash...). The backtrace
> is not really useful as well - unless you have the source code:


Thank you for the backtrace.  This does not give us any insight in the  
parts that are your code, just the OpenSSL and libnfhwcrhk bits.


Would you mind compiling with -g to include debug symbols in your  
binary, and then running the backtrace again?  It would be nice to see  
what code path triggers this assert(), and what parameter values you  
pass in.


Thanks,

S.



> 0xb7fe5410 in ?? ()
> (gdb) backtrace
> #0  0xb7fe5410 in ?? ()
> #1  0xb5a3e3f8 in ?? ()
> #2  0x0006 in ?? ()
> #3  0x27a0 in ?? ()
> #4  0xb7cd8811 in raise () from /lib/tls/i686/cmov/libc.so.6
> #5  0xb7cd9fb9 in abort () from /lib/tls/i686/cmov/libc.so.6
> #6  0xb7cd1fbf in __assert_fail () from /lib/tls/i686/cmov/libc.so.6
> #7  0xb7adbada in receive (conn=0x8086380, cctx=0xb5a3ebf0, replyp=0xb5a3e86c,
>     tctx_r=0x0, nonblocking=0, functionname=0xb7b41ce0 Wait)
>     at ../client.c:945
> #8  0xb7adc3eb in NFastApp_Wait (conn=0x8086380, cctx=0xb5a3ebf0, replyp=0x0,
>     tctx_r=0x0) at ../client.c:982
> #9  0xb7adaa1b in NFastApp_Transact (conn=0x8086380, cctx=0xb5a3ebf0,
>     command=0x0, reply=0xb5a3e9e0, tctx=0x0) at ../client.c:211
> #10 0xb7ab40e9 in nfast_hwch_command (upc=0xb5a3ebf0, conn=0x0, remember=0,
>     command=0xb5a3eaa0, reply=0xb5a3e9e0, status_r=0x0, ebuf=0x0, ebuflen=0)
>     at ../command.c:15
> #11 0xb7ab42a1 in nfast_hwch_command_chk (upc=0xb5a3ebf0, conn=0x0,
>     remember=0, command=0x0, reply=0x0, what=0x0) at ../command.c:59
> #12 0xb7aaf338 in nfast_hwch_raw_rsa (upc=0xb5a3ebf0, conn=0x0, remember=0,
>     key=0, msg={buf = 0x808ba68 \210E\032��\234�6�ED*\220�h��2Bʸ \217, size = 128},
>     result=0x0) at ../keys.c:260
> #13 0xb7aaf214 in HWCryptoHook_RSA (msg={buf = 0x808ba68 \210E\032��\234�6�ED*\220�h��2Bʸ \217, size = 128},
>     k=0x806c858, result=0x0, errors=0xb5a3f0c0) at ../keys.c:260
> #14 0xb7b7bc1f in bind_engine () from /usr/lib/ssl/engines/libchil.so
> #15 0xb7ee7736 in RSA_PKCS1_SSLeay ()
>    from /usr/lib/i686/cmov/libcrypto.so.0.9.8
> #16 0x0808bf10 in ?? ()
> #17 0x0808bee8 in ?? ()
> #18 0x08072078 in ?? ()
> #19 0x0808be30 in ?? ()
> #20 0xce86bb62 in ?? ()
> #21 0x03d508e8 in ?? ()
> #22 0x0021 in ?? ()
> #23 0xb7f8d830 in ?? () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
> #24 0xb7f7c048 in CAST_S_table7 () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
> #25 0x0080 in ?? ()
> #26 0x0808bee8 in ?? ()
> #27 0x0808bf10 in ?? ()
> #28 0x0808befc in ?? ()
> #29 0x0807eed8 in ?? ()
> #30 0x08085558 in ?? ()
> #31 0x0010 in ?? ()
> #32 0x in ?? ()
>
> Any Idea ???
>
> Later,
> Max
>
> Sander Temme wrote:
>
>> On Nov 19, 2008, at 11:24 PM, Max Pala wrote:
>>
>>> The software that I am writing is a multi-threaded OCSP responder.
>>
>> Please make sure you initialize the engine correctly, and set up
>> your locking callbacks before you actually initialize the engine.
>> If you look at Apache:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup
>> the invocation of ssl_init_Engine() and ssl_util_thread_setup()
>> used to be in the wrong order, which led to Apache children
>> crashing on an assert() from within the Hardware Crypto Hook
>> library (libnfhwcrhk) whenever more than five threads were used.
>> Sounds familiar?
>> If that is all in order, perhaps you can trap that assert() in gdb
>> and take a backtrace.
>
> __
> OpenSSL Project                 http://www.openssl.org
> User Support Mailing List       openssl-users@openssl.org
> Automated List Manager          [EMAIL PROTECTED]





--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: FIXED - CRYPTO_set_dynlock_* mystery ... (was: Engine Issue: nShield 500)

2008-11-21 Thread Sander Temme


On Nov 21, 2008, at 11:12 AM, Massimiliano Pala wrote:


> Hi Sander,
>
> I debugged the init process and it seems that you were right. The
> disable_mutex_callbacks is set to 1 at e_chil.c:578. Definitely it
> is due to initialization, at this point...
>
> ... looked into that, and... et voilas! Found the problem! The PRE
> commands were wrong. Indeed the following:
>
> 5.engine_pre = THREAD_LOCKING:1
>
> caused the disable_mutex_callbacks to be set to 1, therefore no
> callbacks were used! A... what a nightmare! If you want to be
> sure, you can set it to 0:
>
> 5.engine_pre = THREAD_LOCKING:0
>
> Przemek, this should solve also your problem - so you can enable
> multiple threads and get rid of your 'lock' around the signing
> function.
>
> I think that the config variable should have been called:
>
> DISABLE_THREAD_LOCKING
>
> because if THREAD_LOCKING is set to 1 - then the disable_mutex_callbacks
> is set to 1.. which should be the contrary (developer's error ?).


Yes, this is confusing.  The problem is that it's been like this for  
years and years, so you can't just turn the name or value around like  
that.  At least not in the Stable branch.  I think that would cause  
almost as much confusion as the present situation.  I would suggest a  
documentation fix, like so:


Index: engines/e_chil.c
===
RCS file: /home/openssl/cvs/openssl/engines/e_chil.c,v
retrieving revision 1.9
diff -u -r1.9 e_chil.c
--- engines/e_chil.c19 Nov 2008 14:21:26 -  1.9
+++ engines/e_chil.c21 Nov 2008 19:24:37 -
@@ -164,11 +164,11 @@
ENGINE_CMD_FLAG_STRING},
{HWCRHK_CMD_FORK_CHECK,
FORK_CHECK,
-   Turns fork() checking on or off (boolean),
+   Turns fork() checking on (non-zero) or off (0),
ENGINE_CMD_FLAG_NUMERIC},
{HWCRHK_CMD_THREAD_LOCKING,
THREAD_LOCKING,
-   Turns thread-safe locking on or off (boolean),
+   Turns thread-safe locking on (0) or off (non-zero),
ENGINE_CMD_FLAG_NUMERIC},
{HWCRHK_CMD_SET_USER_INTERFACE,
SET_USER_INTERFACE,
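Review bot: the new THREAD_LOCKING description still reads as if 0 were the natural "on" value and leaves the reader to work out why; since the handler shown earlier in this thread stores the argument straight into disable_mutex_callbacks (`disable_mutex_callbacks = ((i == 0) ? 0 : 1);`), say so in the string, e.g. `Non-zero disables the thread-safe locking upcalls; 0 (the default) keeps them enabled`, so nobody writes THREAD_LOCKING:1 in openssl.cnf expecting to turn locking on. The FORK_CHECK line's `on (non-zero) or off (0)` wording is fine as is.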

> Very confusing... and besides, it should give out some warning!!!
> Anyhow, now the callbacks are called, and the server seems to run pretty ok
> with a relatively large amount of threads (150). But I still have
> to stress-test it...
>
> Thanks to all of you who helped me - now I have a single file with
> the code for OpenSSL and pthreads, both static and dynamic locks..
>
> Shall we include it into OpenSSL ?
>
> void OpenSSL_pthread_init( void );
>
> .. that would make it more usable for the average developer! :D



We discussed this a while back, when I proposed setting the callbacks  
from the CHIL engine as a fallback option when the application didn't  
provide them.  It breaks down on platforms where, for instance,  
pthreads are scarily broken.  However, it would be neat if OpenSSL  
could provide this scaffolding for the vast majority of users who have  
a working implementation.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: Engine Issue: nShield 500

2008-11-19 Thread Sander Temme


On Nov 19, 2008, at 10:36 PM, Max Pala wrote:


> Has anybody experienced problems with this HSM on Linux + pThread ?



What software are you running that makes the calls into OpenSSL?

Thanks,

S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: Engine Issue: nShield 500

2008-11-19 Thread Sander Temme


On Nov 19, 2008, at 11:24 PM, Max Pala wrote:


> The software that I am writing is a multi-threaded OCSP responder.



Please make sure you initialize the engine correctly, and set up your  
locking callbacks before you actually initialize the engine.  If you  
look at Apache:


http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup

the invocation of ssl_init_Engine() and ssl_util_thread_setup() used  
to be in the wrong order, which led to Apache children crashing on an  
assert() from within the Hardware Crypto Hook library (libnfhwcrhk)  
whenever more than five threads were used.  Sounds familiar?


If that is all in order, perhaps you can trap that assert() in gdb and  
take a backtrace.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



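The two failure modes in this thread, the init ordering Sander describes in the message above (locking callbacks must be registered before the engine is initialised) and the inverted THREAD_LOCKING flag from the CRYPTO_set_dynlock_* messages earlier on the page, can be reproduced without an HSM. What follows is an added example, not code from the thread, from OpenSSL or from nCipher: the struct crypto_cb is an assumed stand-in for the slots behind CRYPTO_set_dynlock_*_callback() and CRYPTO_get_dynlock_*_callback() in 0.9.8 (so the file builds with no OpenSSL headers), the engine side copies the gate from hwcrhk_init and the control handler quoted above, and app_register_dynlocks(), engine_init(), hsm_library_use_lock() and scenario() are hypothetical names chosen for the demonstration.

```c
/* Added example: models how the CHIL engine picks up the application's
 * dynamic-lock callbacks, so THREAD_LOCKING:1 and late callback registration
 * can both be seen to leave the HSM client library without lock hooks.
 * crypto_cb stands in for libcrypto's callback slots (assumption). */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CRYPTO_LOCK   1   /* mode bits with the values 0.9.8 crypto.h uses */
#define CRYPTO_UNLOCK 2

/* libcrypto declares this type incomplete; the application defines it. */
struct CRYPTO_dynlock_value { pthread_mutex_t mutex; };

typedef struct CRYPTO_dynlock_value *(*dyn_create_fn)(const char *, int);
typedef void (*dyn_lock_fn)(int, struct CRYPTO_dynlock_value *, const char *, int);
typedef void (*dyn_destroy_fn)(struct CRYPTO_dynlock_value *, const char *, int);

/* Stand-in for the callback slots inside libcrypto (assumption). */
static struct { dyn_create_fn create; dyn_lock_fn lock; dyn_destroy_fn destroy; } crypto_cb;

/* ---- application side: the pthread scaffolding an OpenSSL_pthread_init() would register ---- */
static struct CRYPTO_dynlock_value *app_dyn_create(const char *file, int line)
{
    struct CRYPTO_dynlock_value *v = malloc(sizeof *v);
    (void)file; (void)line;
    if (v != NULL && pthread_mutex_init(&v->mutex, NULL) != 0) {
        free(v);
        v = NULL;
    }
    return v;
}

static void app_dyn_lock(int mode, struct CRYPTO_dynlock_value *v, const char *file, int line)
{
    (void)file; (void)line;
    if (mode & CRYPTO_LOCK)
        pthread_mutex_lock(&v->mutex);
    else
        pthread_mutex_unlock(&v->mutex);
}

static void app_dyn_destroy(struct CRYPTO_dynlock_value *v, const char *file, int line)
{
    (void)file; (void)line;
    pthread_mutex_destroy(&v->mutex);
    free(v);
}

/* Must run before the engine is initialised (hypothetical name). */
void app_register_dynlocks(void)
{
    crypto_cb.create = app_dyn_create;    /* CRYPTO_set_dynlock_create_callback()  */
    crypto_cb.lock = app_dyn_lock;        /* CRYPTO_set_dynlock_lock_callback()    */
    crypto_cb.destroy = app_dyn_destroy;  /* CRYPTO_set_dynlock_destroy_callback() */
}

void app_clear_dynlocks(void) { memset(&crypto_cb, 0, sizeof crypto_cb); }

/* ---- engine side: the THREAD_LOCKING control and the gate from hwcrhk_init ---- */
static int disable_mutex_callbacks;   /* same name and polarity as in e_chil.c */
static struct { dyn_create_fn mutex_init; dyn_lock_fn mutex_lock; dyn_destroy_fn mutex_destroy; } hwcrhk_globals;

void engine_ctrl_thread_locking(long i)
{
    disable_mutex_callbacks = ((i == 0) ? 0 : 1);   /* non-zero DISABLES the upcalls */
}

/* Returns 1 when the HSM library is told about the locks, 0 when it is not. */
int engine_init(void)
{
    memset(&hwcrhk_globals, 0, sizeof hwcrhk_globals);
    if (disable_mutex_callbacks == 0
        && crypto_cb.create != NULL && crypto_cb.lock != NULL && crypto_cb.destroy != NULL) {
        hwcrhk_globals.mutex_init = crypto_cb.create;
        hwcrhk_globals.mutex_lock = crypto_cb.lock;
        hwcrhk_globals.mutex_destroy = crypto_cb.destroy;
        return 1;
    }
    return 0;
}

/* What the HSM client library does from a worker thread: take and release one
 * of its internal locks. Returns 0 when it has no hooks, the state in which the
 * real library's assert() trips once several threads are active. */
int hsm_library_use_lock(void)
{
    struct CRYPTO_dynlock_value *l;
    if (hwcrhk_globals.mutex_init == NULL) return 0;
    l = hwcrhk_globals.mutex_init(__FILE__, __LINE__);
    if (l == NULL) return 0;
    hwcrhk_globals.mutex_lock(CRYPTO_LOCK, l, __FILE__, __LINE__);
    hwcrhk_globals.mutex_lock(CRYPTO_UNLOCK, l, __FILE__, __LINE__);
    hwcrhk_globals.mutex_destroy(l, __FILE__, __LINE__);
    return 1;
}

/* thread_locking is the THREAD_LOCKING value from openssl.cnf; callbacks_first
 * says whether the application registered its locks before engine init.
 * Returns 1 if the library ends up with usable lock hooks. */
int scenario(long thread_locking, int callbacks_first)
{
    int hooked;
    app_clear_dynlocks();
    engine_ctrl_thread_locking(thread_locking);
    if (callbacks_first) app_register_dynlocks();
    hooked = engine_init();
    if (!callbacks_first) app_register_dynlocks();   /* too late: the engine already read the slots */
    return hooked && hsm_library_use_lock();
}

int main(void)
{
    printf("THREAD_LOCKING:0, callbacks before init: %d\n", scenario(0, 1));
    printf("THREAD_LOCKING:1, callbacks before init: %d\n", scenario(1, 1));
    printf("THREAD_LOCKING:0, callbacks after init:  %d\n", scenario(0, 0));
    return 0;
}
```

Only the first scenario leaves the library with hooks; the second is the openssl.cnf mistake from the FIXED message, the third is the Apache ordering bug. The practical check is the one from the thread: break at the gate in hwcrhk_init and confirm disable_mutex_callbacks is 0 and the three CRYPTO_get_dynlock_*_callback() results are non-NULL at that moment, not merely at some later point in the program.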


Re: OpenSSL 0.9.8i but (Library: OpenSSL 0.9.8c)

2008-10-24 Thread Sander Temme


On Oct 21, 2008, at 9:12 AM, patrick wrote:

> I am running debian etch stable. The version of openssl is too old. What I did is to download



Are you sure?  A lot of linux distro folks keep the upstream version  
the same but backport fixes into their packages.  An apt-get update /  
apt-get upgrade might get you a newer package.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



Re: Configuring ssl on apache and Leopard Mac OS 10.5.1

2007-12-20 Thread Sander Temme

Ben,

On Dec 19, 2007, at 9:31 AM, Ben assis wrote:

> On Leopard with apache 2.2.6 and OpenSSL 0.9.7, configuration files
> have significantly changed; so, I cannot set my own web server to
> work with openssl under https protocol.



Are you loading the SSL module?  Look for a LoadModule line in  
httpd.conf for the ssl_module and see if it is commented out.  Unless  
the module is loaded, Apache will not understand any mod_ssl  
configuration directives.


I'm not running Leopard yet, but if they stuck to a fairly plain  
vanilla Apache 2.2.x (as they did with 1.3 on earlier versions of the  
OS), the httpd-ssl.conf should work out of the box once you load the  
SSL module.  Be sure to have your private key and certificate in the  
right place, or edit the SSLCertificateKeyFile and SSLCertificateFile  
directives.


This is an Apache-specific question and might be better discussed on  
[EMAIL PROTECTED]


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: openssl with accelerator

2007-08-13 Thread Sander Temme


On Aug 7, 2007, at 11:24 PM, Piotr Skwarna wrote:


> bash-2.03# uname -a
> SunOS sun250 5.8 Generic_117350-35 sun4u sparc SUNW,Ultra-250
>
> bash-2.03# ./openssl speed rsa -engine ubsec
> can't use that engine
> 28137:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libubsec.so): ld.so.1: openssl: fatal: libubsec.so: open failed: No such file or directory


nCipher's cards use the chil plugin.  You also need to make sure the  
right library is on the search path:


    # LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk openssl speed -engine chil rsa


should do the trick.

S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF


