Re: Sparc compiling problem

1999-04-19 Thread Ulf Moeller

> I am having this same problem, only in English,  Please let me know if you find the answer.

This is a problem in the current configuration script. You need to
configure with the option "no_asm". It is now fixed in the CVS.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



OpenSSL - Frequently Asked Questions

2000-02-28 Thread Ulf Moeller


OpenSSL  -  Frequently Asked Questions
--

* Which is the current version of OpenSSL?
* Where is the documentation?
* How can I contact the OpenSSL developers?
* Do I need patent licenses to use OpenSSL?
* Is OpenSSL thread-safe?
* Why do I get a "PRNG not seeded" error message?
* Why does the linker complain about undefined symbols?
* Where can I get a compiled version of OpenSSL?


* Which is the current version of OpenSSL?

The current version is available from <http://www.openssl.org>.
OpenSSL 0.9.5 was released on February 28th, 2000.

In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at
<ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.


* Where is the documentation?

OpenSSL is a library that provides cryptographic functionality to
applications such as secure web servers.  Be sure to read the
documentation of the application you want to use.  The INSTALL file
explains how to install this library.

OpenSSL includes a command line utility that can be used to perform a
variety of cryptographic functions.  It is described in the openssl(1)
manpage.  Documentation for developers is currently being written.  A
few manual pages already are available; overviews over libcrypto and
libssl are given in the crypto(3) and ssl(3) manpages.

The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
different directory if you specified one as described in INSTALL).
In addition, you can read the most current versions at
<http://www.openssl.org/docs/>.

For information on parts of libcrypto that are not yet documented, you
might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
predecessor, at <http://www.columbia.edu/~ariel/ssleay/>.  Much
of this still applies to OpenSSL.

There is some documentation about certificate extensions and PKCS#12
in doc/openssl.txt

The original SSLeay documentation is included in OpenSSL as
doc/ssleay.txt.  It may be useful when none of the other resources
help, but please note that it reflects the obsolete version SSLeay
0.6.6.


* How can I contact the OpenSSL developers?

The README file describes how to submit bug reports and patches to
OpenSSL.  Information on the OpenSSL mailing lists is available from
<http://www.openssl.org>.


* Do I need patent licenses to use OpenSSL?

The patents section of the README file lists patents that may apply to
you if you want to use OpenSSL.  For information on intellectual
property rights, please consult a lawyer.  The OpenSSL team does not
offer legal advice.

You can configure OpenSSL so as not to use RC5 and IDEA by using
 ./config no-rc5 no-idea

Until the RSA patent expires, U.S. users may want to use
 ./config no-rc5 no-idea no-rsa

Please note that you will *not* be able to communicate with most of
the popular web browsers without RSA support.


* Is OpenSSL thread-safe?

Yes.  On Windows and many Unix systems, OpenSSL automatically uses the
multi-threaded versions of the standard libraries.  If your platform
is not one of these, consult the INSTALL file.

Multi-threaded applications must provide two callback functions to
OpenSSL.  This is described in the threads(3) manpage.


* Why do I get a "PRNG not seeded" error message?

Cryptographic software needs a source of unpredictable data to work
correctly.  Many open source operating systems provide a "randomness
device" that serves this purpose.  On other systems, applications have
to call the RAND_add() or RAND_seed() function with appropriate data
before generating keys or performing public key encryption.

Some broken applications do not do this.  As of version 0.9.5, the
OpenSSL functions that need randomness report an error if the random
number generator has not been seeded with at least 128 bits of
randomness.  If this error occurs, please contact the author of the
application you are using.  It is likely that it never worked
correctly.  OpenSSL 0.9.5 makes the error visible by refusing to
perform potentially insecure encryption.


* Why does the linker complain about undefined symbols?

Maybe the compilation was interrupted, and make doesn't notice that
something is missing.  Run "make clean; make".

If you used ./Configure instead of ./config, make sure that you
selected the right target.  File formats may differ slightly between
OS versions (for example sparcv8/sparcv9, or a.out/elf).

If that doesn't help, you may want to try using the current snapshot.
If the problem persists, please submit a bug report.


* Where can I get a compiled version of OpenSSL?

Some applications that use OpenSSL are distributed in binary form.
When using such an application, you don't need to install OpenSSL
yourself; the application will include the required parts (e.g. DLLs).

If you want to install OpenSSL on a Windows system and you don't have
a C compiler, read the "Mingw32" section of INSTALL.W32 for information
on how to obtain and install the free GNU C com

Re: setting random seed generator under Windows NT

2000-05-10 Thread Ulf Moeller

On Wed, May 10, 2000 at 11:02:43AM +0530, Amit Chopra wrote:
 
> srand((unsigned)(time(NULL))); //C Runtime Function
>   seed[i] = rand(); //C Runtime function
 
> Can somebody tell me if this method of seeding the RNG secure enough?

It is not. rand() was never meant to be a cryptographic RNG.

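The entropy argument behind this answer, as an added example that is not part of the original thread or of OpenSSL: a buffer filled from srand(time)/rand() is a pure function of the clock value, so it carries at most as many bits as there are plausible start times, far below the 128-bit minimum the FAQ gives for OpenSSL 0.9.5. The names `fill_seed`, `seed_is_reproducible`, `entropy_bound_bits` and the buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SEED_LEN 64        /* constructed buffer size, not from the post */
#define REQUIRED_BITS 128  /* minimum stated in the OpenSSL 0.9.5 FAQ */

/* Fill buf the way the quoted snippet does: srand(time), then rand(). */
static void fill_seed(time_t t, unsigned char *buf, size_t len)
{
    size_t i;
    srand((unsigned)t);
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)rand();
}

/* Returns 1 if two runs with the same clock value give the same buffer. */
static int seed_is_reproducible(time_t t)
{
    unsigned char a[SEED_LEN], b[SEED_LEN];
    fill_seed(t, a, sizeof a);
    fill_seed(t, b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Upper bound, in bits, on the buffer's entropy when the start time is
 * known to within window_seconds: ceil(log2(window_seconds)). */
static unsigned entropy_bound_bits(unsigned long window_seconds)
{
    unsigned bits = 0;
    unsigned long n = 1;
    while (n < window_seconds && bits < 8 * sizeof n) {
        n <<= 1;
        bits++;
    }
    return bits;
}

int main(void)
{
    unsigned long year = 365UL * 24 * 60 * 60;
    printf("same clock value, same buffer: %d\n",
           seed_is_reproducible(time(NULL)));
    printf("one-year window: at most %u bits\n", entropy_bound_bits(year));
    printf("required: %d bits\n", REQUIRED_BITS);
    return 0;
}
```

The buffer length does not matter: 64 bytes derived from one clock reading hold no more entropy than the clock reading itself.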



Re: difference between OpenSSL and BSAFE libs?

2000-05-26 Thread Ulf Moeller

On Fri, May 26, 2000, Martin Szotkowski wrote:

> When I tested SSL-C this look like OpenSSL. (I know both start from SSLeay)
> Are somewhere document differences between this two products?
> Go both by same way?
> Is some type of cooperation there?
> It's possible BSAFE libs modified as OpenSSL?
> What is better?

The OpenSSL changes are documented in the CHANGES file. You'll have to try
to find out what RSA changed in SSL-C and compare it to OpenSSL (in
particular if they fixed the major SSLeay bugs).



Re: SSLeay on HP-UX's, which perl version?

2000-06-08 Thread Ulf Moeller

On Thu, Jun 08, 2000, Sergio Basto wrote:

> And the question is should i install a new version of perl, what the version that
> you recommend and if perl5004 is more than enough for install OpenSSL?
> How I can know what is the version of perl that I have install in /usr/contrib/bin ?

perl 5.004 should be enough. You can run "perl -v" to get the version number.




Re: base64-encoding with openssl

2000-06-28 Thread Ulf Moeller

On Wed, Jun 28, 2000, [EMAIL PROTECTED] wrote:

> how can I encrypt a string with base64-encryption using openssl?

openssl base64

But base64 is an encoding mechanism (just like hexadecimal encoding
for example), not encryption.




Re: Bug relating to /dev/urandom and RAND_egd in libcrypto.a

2000-06-30 Thread Ulf Moeller

On Fri, Jun 30, 2000, Louis LeBlanc wrote:

> RAND_bytes(entropy, 4000);
> RAND_seed(entropy, 3000);
> /*  just giving myself some room until the code is working  */
> 
> And everything works.  

No, nothing works, as you would have noticed, had you checked the RAND_bytes()
return value. You still haven't grasped the concept: The "PRNG not seeded"
error is not a bug in OpenSSL, it is a safety measure. OpenSSL stops when
it detects that you are operating on an insecure PRNG state. Your task is
not to trick OpenSSL into not noticing the insecurity, it is to provide
sufficient randomness.

The above code might win you a citation in future versions of Peter's paper
on PRNG design, but it will not secure your data. Why don't you read the
randomness manpages and use EGD?




Re: Randomness question

2000-07-21 Thread Ulf Moeller

On Fri, Jul 21, 2000, Bennett Samowich wrote:

> What if I were to take this routine and modify it so that it wrote to the 
> random device (/dev/random in my case) and just let it run in the 
> background or as a daemon?  Aside from the extra CPU cycles would this 
> produce any ill-effects?  Would it increase the quality of random numbers 
> generated by standard rand()/srand() mechanisms?

No on both questions. It will not have any good or bad effects aside from
wasting CPU time.




Re: RC5 question

2000-07-28 Thread Ulf Moeller

On Fri, Jul 28, 2000, Jeff Hamilton wrote:

> Does anyone have an idea as to what release of Openssl first contained RC5?

It is in all versions of OpenSSL, and in some releases of SSLeay.




Re: Error building 0.9.6 with ms\mingw32 on NT4

2000-10-12 Thread Ulf Moeller

On Wed, Oct 11, 2000, Doug Serres wrote:

> I am getting the error below when trying to build the 0.9.6 distribution using
> Mingw32 on Windows NT 4 SP6. (I can build 0.9.5a with the same machine.) Where
> can I get the missing files?

From a more recent Mingw32 distribution. If you don't want to update your
compiler, as far as I know it is safe to just replace the Windows header
files.




Re: Licencing issues

2000-11-13 Thread Ulf Moeller

On Mon, Nov 13, 2000, George Staikos wrote:

>   (I have emails here if you need to see these)  Anyhow, is there 
> any chance of OpenSSL being released under GPL, or failing that, under a BSD 
> style licence without the advertising clause?

The original authors now work for a company that sells a toolkit with the
same functionality for a six figure price.

Is there any chance of the GPL being changed to something less obnoxious? :)




Re: Licencing issues

2000-11-13 Thread Ulf Moeller

On Mon, Nov 13, 2000, George Staikos wrote:

> other people must be in this situation too, probably unknowingly.  We have to 
> resolve this, and if what we are doing is not allowed, it should probably be 
> documented in the OpenSSL documentation.

As far as the OpenSSL team is concerned, everybody is free to use OpenSSL.
Unfortunately, the FSF is telling GPL software developers that they are not
allowed to, and as I indicated we can't do anything about it. (The GPL
is the only license with that problem that I know of. You can use OpenSSL
even with the most evil commercially licensed SDK and of course with any
other free software out there. Based on these facts I have come to the
conclusion that that provision of the GPL is obnoxious - but thanks for
caring about my reputation, Michael.) 

> [While you are reading this, keep in mind that this is KDE.  We have to allow 
> redistribution in binary forms, on cds sold by vendors, and more.  Some 
> platforms will be compiling and linking with a closed source commercial 
> compiler, linker and library too (ie HP-UX, IRIX, Solaris).  This is not 
> negotiable.]

OpenSSL is part of all major free operating systems and one or two commercial
ones. You can use it on those systems, thanks to a special clause in the 
GPL. If you want to use it on any other systems, you'll have to change your
license. Sorry.

> > May I dynamically link my GPL-ed application to OpenSSL?
> 
> You cannot do this without a special exception, lest redistribution of your
> software will not be legal.

Their own GnuPG is loading proprietary patent-protected modules at runtime.
Is that hypocrisy or what?




Re: Licencing issues

2000-11-13 Thread Ulf Moeller

On Tue, Nov 14, 2000, Ulf Moeller wrote:

> OpenSSL is part of all major free operating systems and one or two commercial
> ones. You can use it on those systems, thanks to a special clause in the 
> GPL. If you want to use it on any other systems, you'll have to change your
> license. Sorry.

I forgot to mention that I'm speaking for myself, not for the OpenSSL team
or anyone else.

Also, if you're in doubt about what the GPL does or doesn't allow, you
should get legal advice. The FSF clearly has its own ideological agenda.




Re: installation problem

2000-11-14 Thread Ulf Moeller

On Tue, Nov 14, 2000, Xiaohua Cheng wrote:

> cc -o openssl -DMONOLITH -I../include -DTHREADS -D_REENTRANT -xtarget=ultra 
>-xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC 
>-DMD5_ASM openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o 
>gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o dsa.o dsaparam.o x509.o genrsa.o 
>gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o 
>version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o -L. -L.. 
>-L../.. -L../../.. -L.. -lssl -L.. -lcrypto -lsocket -lnsl

You failed to include the "make report" output, so I can only guess, but
probably your compiler flags are wrong.




Re: Kurt Seifred's article on securityportal

2000-12-20 Thread Ulf Moeller

On Wed, Dec 20, 2000, Gary Feldman wrote:

> Let's be fair.  As your example really points out, the problem in this
> specific case (your example, not necessarily the "Accept this invalid
> certificate case") is with the developers, not the users.

Which browser would that be? Netscape has no default, and with IE the
default is "no".
