Is there any opportunity to set different cipher suites for different versions of TLS?

Hi,

For example, I want to exclude RC4 cipher suites wholly for TLS 1.2/1.1 and leave them only for <=TLS 1.0. The reason is the same BEAST. But if we have only one string with cipher suites we can't do this, because we need RC4 for TLS 1.0 and lower.

---
Regards.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: What is the algorithm of choice cipher suite for connection by Server?

Thank you very much, Dave, for the answer and detailed explanation.

And just one question. Is there any possibility to set different cipher suites for different versions of TLS? For example, I want to exclude RC4 cipher suites wholly for TLS 1.2/1.1 and leave them only for <=TLS 1.0. The reason is the same BEAST. But if we have only one string with cipher suites we can't do this, because we need RC4 for TLS 1.0 and lower.

2013/12/24 Dave Thompson :
> The RFC only says the server “select[s]” from the ClientHello list.
>
> There are two obvious ways, and openssl implements both.
> “client preference” – server chooses the first entry in the client’s list
> that the server can support
> “server preference” – server chooses the first entry in its own list
> that the client offers
> libssl server by default does client preference but does server preference
> if you set option CIPHER_SERVER_PREFERENCE. Some applications using
> openssl can do this, notably apache httpd, and during the BEAST furor one
> widely recommended response was to configure httpd to prefer RC4.
> (Now RC4 seems to be threatened while BEAST has been mitigated
> client side, and this is no longer such a good idea.)
>
> Other algorithms, such as randomly choosing a suite common to client
> and server (if there are more than one) would be legal, but silly.
>
> TLSv1.2 as a protocol can support all suites implemented by openssl.
> A given suite will be used only if implemented and (where applicable)
> configured on both the client and server. In particular, libssl server
> will agree a suite that uses RSA only if an RSA cert&key is configured,
> similarly for DSS, and for ECC only if a cert&key is configured *and*
> it uses a curve and format agreed by the client. DH* and ECDH* suites
> also require that suitable ‘temporary’ parameters (or optionally keys)
> be available – through 1.0.1 either configured or via a callback.
> (1.0.2 will apparently add new options?) Similarly PSK suites
> require PSK data is configured. Note that ECC, PSK, SRP, GCM, Camellia,
> SEED and ARIA suites are separate options not in the base RFC
> and thus a peer system can implement “TLS” without them.
>
> TLSv1.1 and lower cannot support the suites labelled TLSv1.2.
> TLSv1.1 and TLSv1.0, and in openssl SSLv3, can support all suites labelled
> SSLv3, subject to the same conditions above. Technically the RFCs for
> ECC, PSK, SRP, and ciphers newer than 3DES only apply to TLS, because
> SSLv3 (and v2) weren’t IETF standards. openssl does implement them
> on SSLv3 if the peer agrees, but given the timeline I doubt
> any peer does except maybe AES.
>
> Thus to answer your later question, ECDHE-(RSA,ECDSA)-RC4
> is officially supported for TLSv1.0,1.1,1.2 if RFC 4492 is (also)
> implemented, and for openssl server can be chosen if it has
> an appropriate key&cert and temporary parameters/key.
> openssl can also do them on SSLv3 but others might not.
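As an added example (not code from the thread or from OpenSSL), the selection rules Dave describes simulated in Python: client preference versus server preference, with suites labelled TLSv1.2 by `openssl ciphers -V` skipped when the negotiated protocol is older. It goes one step beyond the text by showing that, under server preference, listing a TLS 1.2-only suite ahead of RC4 in a single cipher string yields a non-RC4 suite on TLS 1.2 while TLS 1.0/1.1 still fall back to RC4; certificate and key availability is ignored and the suite table is a constructed subset.

```python
# Added example: simulation of OpenSSL 1.0.1-era server cipher selection.
# Not the thread's or the project's code; it ignores cert/key requirements
# and uses a constructed subset of suites.

# Minimum protocol per suite, mirroring the protocol column of `openssl ciphers -V`.
# TLSv1.2-labelled suites need TLS 1.2; SSLv3-labelled suites work on every version.
SUITE_MIN_VERSION = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLSv1.2",
    "AES128-SHA256": "TLSv1.2",
    "ECDHE-RSA-AES128-SHA": "SSLv3",
    "AES128-SHA": "SSLv3",
    "ECDHE-RSA-RC4-SHA": "SSLv3",
    "RC4-SHA": "SSLv3",
}

# Protocol versions in ascending order.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def usable(suite, negotiated_version):
    """True if the server implements the suite and the negotiated protocol is new enough."""
    label = SUITE_MIN_VERSION.get(suite)
    if label is None:
        return False  # unknown to this server: never selectable
    return VERSION_ORDER.index(negotiated_version) >= VERSION_ORDER.index(label)


def choose_cipher(client_list, server_list, negotiated_version, server_preference=False):
    """Return the suite the server selects, or None when nothing matches (handshake failure).

    client_list: suites from the ClientHello, in the client's order.
    server_list: the server's configured cipher string, already expanded and ordered.
    server_preference: False = client preference (libssl default);
                       True  = SSL_OP_CIPHER_SERVER_PREFERENCE.
    """
    if server_preference:
        preferred, other = server_list, client_list
    else:
        preferred, other = client_list, server_list
    for suite in preferred:
        if suite in other and usable(suite, negotiated_version):
            return suite
    return None


def negotiate_per_version(client_list, server_list, server_preference=False):
    """Map every protocol version to the suite that would be chosen under it."""
    return {v: choose_cipher(client_list, server_list, v, server_preference)
            for v in VERSION_ORDER}


if __name__ == "__main__":
    # Constructed client offer: a browser that lists RC4 early, as many did post-BEAST.
    client = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "AES128-SHA"]

    # 1) The poster's problem: one cipher string, RC4 first, server preference.
    #    RC4 is chosen on every version, TLS 1.2 included.
    print(negotiate_per_version(client, ["RC4-SHA", "AES128-SHA"], True))

    # 2) Same single string, but a TLS 1.2-only suite listed ahead of RC4:
    #    TLS 1.2 gets AES-GCM, older versions still fall back to RC4.
    #    (TLS 1.1 cannot be separated from 1.0 this way; no suite is 1.1-only.)
    print(negotiate_per_version(
        client, ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "AES128-SHA"], True))

    # 3) Client preference (the default): the client's first common suite wins.
    print(choose_cipher(client, ["AES128-SHA", "RC4-SHA"], "TLSv1"))
```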
Cipher suites for different TLS versions

Command options -ssl3 and -tls1 don't work properly. They also show TLS 1.2 cipher suites.
Re: What is the algorithm of choice cipher suite for connection by Server?

2013/12/23 Sri Ramya
> hi,
> please go through the below link..
> http://www.openssl.org/docs/apps/ciphers.html

There is no answer to the question "What is the algorithm of choice cipher suite for connection by Server?"

About "Cipher suites for different TLS versions" I started a new email question. On that page there is no full information about what cipher suites will be used for TLS 1.2, TLS 1.1, TLS 1.0. For example:
1) What elliptic curve cipher suites can be used for TLS 1.0, TLS 1.1?
2) What TLS 1.0 cipher suites or even SSL 3.0 cipher suites can be used in TLS 1.2?

So it would be very useful to have information about each cipher suite, in what versions of the SSL/TLS protocols it can be used. For example, my question: in what versions of TLS will the ECDHE-RSA-RC4-SHA and ECDHE-ECDSA-RC4-SHA cipher suites be used?
Cipher suites for different TLS versions

Hello,

With the command:
openssl ciphers -V
we can see cipher suites are determined as TLSv1.2 or SSLv3 cipher suites. How can I know all cipher suites which will be used:
1) for TLS 1.2 connections
2) for TLS 1.1 connections
3) for TLS 1.0 connections
4) for SSL 3.0 connections

I understand that cipher suites which are determined as TLSv1.2 are specially for TLS 1.2 connections. But what other cipher suites are for TLS 1.2? And what cipher suites are for TLS 1.0? For example, in what versions of TLS will the following cipher suites be used: ECDHE-RSA-RC4-SHA and ECDHE-ECDSA-RC4-SHA?

---
Regards
What is the algorithm of choice cipher suite for connection by Server?

Hi,

On the Server we have an ordered list of cipher suites. The Server gets the cipher suites of the client in the ClientHello. What is the algorithm of choice of the cipher suite for the connection by the Server from the client's list? Is it simply this: the server looks at its cipher list from top to bottom and the first corresponding cipher suite that is in the ClientHello's cipher list will be chosen for the connection. Or something else?

And the second question. With the command:
openssl ciphers -V
we can see cipher suites are determined as TLSv1.2 or SSLv3 cipher suites. How can I know all cipher suites which will be used:
1) for TLS 1.2 connections
2) for TLS 1.1 connections
3) for TLS 1.0 connections
4) for SSL 3.0 connections
Re: Compiling open ssl source code in Visual studio 2008

OFFTOPIC: )) Dam..., what a fun day today )) inattentive for the second time...

Priyaranjan, if you have run:
perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
ms\do_nasm or ms\do_ms
nmake -f ms\nt.mak
and get the following error message:
“NMAKE : fatal error U1052: file 'ms\nt.mak;' not found”
then possible problems are:
1) You must run the Visual Studio Command Prompt, not the usual Command Prompt. This is important.
2) In Visual Studio. Maybe you forgot to install SP1. Maybe problems with paths and vars. Try to reinstall. And don’t use the source dir of OpenSSL for the install path if you did so.

From: PRIYARANJAN NAYAK
Sent: Tuesday, October 23, 2012 8:09 AM
To: openssl-users@openssl.org
Subject: Re: Compiling open ssl source code in Visual studio 2008

Hi Tom,

After running ms\do_ms.bat, the output comes like:
C:\tmp_open_ssl>ms\do_ms.bat;
C:\tmp_open_ssl>perl util\mkfiles.pl 1>MINFO
C:\tmp_open_ssl>perl util\mk1mf.pl no-asm VC-WIN32 1>ms\nt.mak
C:\tmp_open_ssl>perl util\mk1mf.pl dll no-asm VC-WIN32 1>ms\ntdll.mak
C:\tmp_open_ssl>if x == x goto skipce
C:\tmp_open_ssl>perl util\mkdef.pl 32 libeay 1>ms\libeay32.def
C:\tmp_open_ssl>perl util\mkdef.pl 32 ssleay 1>ms\ssleay32.def

When I am trying to run "nmake -f ms\nt.mak", the below error is coming:
C:\tmp_open_ssl>nmake -f ms\nt.mak;
Microsoft (R) Program Maintenance Utility Version 9.00.21022.08
Copyright (C) Microsoft Corporation. All rights reserved.
NMAKE : fatal error U1052: file 'ms\nt.mak;' not found
Stop.

Thanks
Priyaranjan

On Mon, Oct 22, 2012 at 9:30 PM, Floodeenjr, Thomas wrote:
Priyaranjan,
Did you run ms\do_ms.bat in between the configure and the nmake command?
-Tom
Thomas Floodeen, Jr.
Mentor Graphics BSD
720.494.1133

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of PRIYARANJAN NAYAK
Sent: Monday, October 22, 2012 3:33 AM
To: openssl-users@openssl.org
Subject: Compiling open ssl source code in Visual studio 2008

Hi ALL,

I am trying to compile open ssl source code in Visual Studio 2008. Before compiling I have installed Active Perl. I have followed the below steps.
1. "C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\vsvars32.bat"
2. Perl Configure VC-WIN32 --prefix=C:/tmp_open_ssl
These two steps are working fine. But it is not executing the "nmake -f ms\nt.mak" command. Can anyone help me?

Thanks
Priyaranjan
Re: Compiling open ssl source code in Visual studio 2008

It seems I was mistaken in the previous message: nmake was found, but you forgot to do:
ms\do_nasm
nt.mak and ntdll.mak were not created yet.

From: PRIYARANJAN NAYAK
Sent: Tuesday, October 23, 2012 8:09 AM
To: openssl-users@openssl.org
Subject: Re: Compiling open ssl source code in Visual studio 2008
Re: error while generating Certificate Signing Request

Don’t use the ‘-config’ option for the CSR; let the default configuration file be used, it’s enough, or maybe not needed at all for CSRs.
openssl req -newkey rsa:2048 -keyout my_key.key -keyform PEM -out my_request.csr -outform PEM

From: PRIYARANJAN NAYAK
Sent: Tuesday, October 23, 2012 1:03 PM
To: openssl-users@openssl.org
Subject: error while generating Certificate Signing Request

Hi ALL,

--> First I generate a private key, i.e. my_key.key, then I am trying to generate a Certificate Signing Request. While generating the .csr file I faced this error.
C:\>C:\tmp_open_ssl\bin\openssl.exe req -new -key my_key.key -out my_request.csr -config C:\tmp_open_ssl\ssl\openssl.cnf
WARNING: can't open config file: c:/tmp_open_ssl;/ssl/openssl.cnf
Error opening Private Key my_key.key
3464:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:398:fopen('my_key.key','rb')
3464:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:400:unable to load Private Key

Can anyone help me about this error?

Thanks
Priyaranjan
Re: Compiling open ssl source code in Visual studio 2008

>>NMAKE : fatal error U1052: file 'ms\nt.mak;' not found

You must set up the right paths to nmake and the others in the system environment variable PATH.

From: PRIYARANJAN NAYAK
Sent: Tuesday, October 23, 2012 8:09 AM
To: openssl-users@openssl.org
Subject: Re: Compiling open ssl source code in Visual studio 2008
Re: winsock.h inclusion in dtls1.h

Hi.

Just do:
#ifdef _WIN32
#define NOCRYPT
#include
#include
#endif
//...
//other headers
//...

--

From: YUN GAO
Sent: Thursday, October 11, 2012 7:59 PM
To: openssl-users@openssl.org
Subject: winsock.h inclusion in dtls1.h

Hi there:

winsock.h is included in dtls1.h, which overrides the #undefs in x509.h. There are several reports on this issue already. I have a source file that includes openssl 1.0.1b openssl/ssl.h, and X509_NAME has been used in the source file. And I got errors when compiling the source file. I checked ssl.h for openssl 1.0.1b, found that x509.h is included before dtls1.h, and I believe this is the root cause for the compiler errors. I wonder if there is any solution to this issue (including winsock2.h doesn't solve it, since windows.h is also used in winsock2.h). I also wonder if I can change ssl.h to include dtls1.h before x509.h; could that be a workaround??

Thanks in advance,
G.Y
OCSP_basic_verify error: root ca not trusted

I made an error. I didn't actually add the OCSPSigning extended key usage to the OCSP responder cert. My attempt (which I found in the mailing list archive) was bad:
openssl x509 -in 03.crt -inform PEM -addtrust OCSPSigning -out ocsp_resp_cert.pem
"-addtrust" is another command for other purposes. To add the OCSPSigning extended key usage to the OCSP responder cert we must use the "-extension" option during signing of the certificate request.

OCSP verification works now. The problem is closed.
OCSP_basic_verify error: root ca not trusted

Hello.

I could connect to the OpenSSL OCSP responder only by IPv6. But I have another error:
3908:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning usage:.\crypto\ocsp\ocsp_vfy.c:350:
3908:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:.\crypto\ocsp\ocsp_vfy.c:148:

I made and adjusted a simple test Certification Authority. I have a root CA and three certs issued and certainly signed by the root CA: 01.crt, 02.crt, 03.crt. Now I want to test the OpenSSL OCSP responder. I will test 01.crt for the revocation status and use the 03.crt cert as the OCSP responder's certificate. I added the OCSPSigning extended key usage to 03.crt:
openssl x509 -in 03.crt -inform PEM -addtrust OCSPSigning -out ocsp_resp_cert.pem

I start the OpenSSL OCSP responder:
openssl ocsp -index index.txt -port -rkey cert3_pkey.pem -rsigner ocsp_resp_cert.pem -CA cacert.crt -text

After that I try to verify 01.crt via OCSP and I get the above error. If I use the root CA as the OCSP responder's cert all is ok: OCSP_basic_verify does not fail and I get OCSP status "GOOD".

I see the docs on openssl.org: ocsp(1), section OCSP "Response verification":
1) "Otherwise the issuing CA certificate in the request is compared to the OCSP responder certificate: if there is a match then the OCSP verify succeeds." This rule works. This case is when the certificate of the OCSP responder is a root CA.
2) "Otherwise the OCSP responder certificate's CA is checked against the issuing CA certificate in the request. If there is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify succeeds." This rule doesn't work, or I don't understand it, or I did something wrong.

Please tell me, what am I doing wrong?

Regards,
Vladimir.
OCSP server listens only for TCPv6 connections on Windows. Why?

Hello.

I start the OCSP server for testing. I use the command:
openssl ocsp -index index.txt -port -rkey ocsp_resp_pkey.pem -rsigner ocsp_resp_cert.crt -CA cacert.crt -text

After I get the message “Waiting for OCSP client connections...” I see that the process openssl.exe listens only on a TCPv6 port, not TCPv4. That’s why, when I try to connect to the OCSP responder on 127.0.0.1: BIO_do_connect returns errors:
2992:error:0200274D:system library:connect:reason(1869):.\crypto\bio\bss_conn.c:269:host=127.0.0.1:
2992:error:20073067:BIO routines:CONN_STATE:connect error:.\crypto\bio\bss_conn.c:273:

My code is:
conn = BIO_new_connect(host);
if (!conn) {
    result=-6;
    goto l_fr;
}
int port_int=atoi(port);
BIO_set_conn_int_port(conn, &port_int);
if (BIO_do_connect(conn) <= 0) {
    result=-7;
    ERR_print_errors(bf_log); //here we print errors
    goto l_fr;
}

How do I set up the OCSP responder to handle IPv4 connections? Or is the only way to use an IPv6 connection to the OpenSSL OCSP responder manually?

Regards,
Vladimir.
Re: OpenSSL and GOST engine issue (statically linked library )

> As far as I understood the main idea of this code is to get the engine and initialize it by ENGINE_init(e).

My code was only for testing the loading and initialization of a specific ENGINE.

> What is the further use of this ENGINE* pointer? It seems that I can "forget" about it.

A variable of type ENGINE can be used directly in many cryptography functions, such as EVP_EncryptInit_ex and many others.

> The code was executed without errors but the SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) function call causes the same error: Unsupported algorithm.

So, if the "gost" engine is successfully loaded, then try this code:

SSL_load_error_strings();
ENGINE *e;
const char *engine_id = "gost";
ENGINE_load_openssl();
ENGINE_load_gost();
e = ENGINE_by_id(engine_id);
if(!e) {
    //the engine isn't available
    ERR_print_errors(bf_log);
    return 1;
}
ENGINE_register_complete(e);
OpenSSL_add_all_algorithms();
SSL_library_init();
//here is your code
//at the end of the program
ENGINE_free(e);
ENGINE_cleanup();

From: Abyss Lingvo
Sent: Friday, June 15, 2012 10:34 AM
To: openssl-users@openssl.org
Subject: OpenSSL and GOST engine issue (statically linked library )

Hi Vladimir,

I have inserted your code into my application between
OPENSSL_config("correct config file path");
SSL_library_init();
SSL_load_error_strings();
and
SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)

The code was executed without errors but the SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) function call causes the same error: Unsupported algorithm.

As far as I understood the main idea of this code is to get the engine and initialize it by ENGINE_init(e). What is the further use of this ENGINE* pointer? It seems that I can "forget" about it. Why is the ENGINE_init(e) call not necessary for dynamic linkage? I thought that everything should be the same because I pass the correct configuration file path to OPENSSL_config("correct config file path");

I read the "Network security with openssl" book and the CryptoCom documentation http://www.cryptocom.ru/products/cryptopacket.html#docs
Unfortunately, neither source contains information on how to handle engines (especially in the case of static linkage).

From: Vladimir Belov
To: openssl-users@openssl.org
Sent: Thursday, June 14, 2012 18:01
Subject: Re: OpenSSL and GOST engine issue (statically linked library )

I made a mistake in the code, and it is possible not to load all engines with ENGINE_load_builtin_engines. What does the next code show you:

//testing loading GOST engine
ENGINE *e;
const char *engine_id = "gost";
ENGINE_load_openssl();
//ENGINE_load_builtin_engines();
ENGINE_load_gost();
e = ENGINE_by_id(engine_id);
if(!e) {
    /* the engine isn't available */
    ERR_print_errors(bf_log);
    return 1;
}
if(!ENGINE_init(e)) {
    /* the engine couldn't initialise, release 'e' */
    ERR_print_errors(bf_log);
    ENGINE_free(e);
    return 1;
}

From: Abyss Lingvo
Sent: Wednesday, June 13, 2012 5:21 PM
To: openssl-users@openssl.org
Subject: OpenSSL and GOST engine issue (statically linked library )

Hi all !

This is my first mail to the openssl mailing list. I have a problem with the statically linked openSSL library and the GOST crypto engine. Openssl 1.0.0g. I have a simple client/server application using GOST keys and certificates. It works fine with GOST keys, but only if I use the dynamically linked version of the openSSL library. If I try to use statically linked openSSL I get an error message.

This is how I initialized the openSSL library:
OPENSSL_config("correct config file path");
SSL_library_init();
SSL_load_error_strings();

When I try to read the certificate file I get an error.
SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)
The return value here is not 1. So this is an error. The human readable error message is:
3084809868:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
3084809868:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
3084809868:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:

When I use the same code with the dynamically linked openSSL library with the external GOST engine library everything works fine. So what is the difference between the static and dynamic versions? The only idea that I have at this time is that my library initialization sequence is wrong. I checked the symbols in the compiled libcrypto.a library.
nm ./libcrypto.a | grep gost
This command gave me output with many GOST functions which were included in the libcrypto.a library. So I think that the library was compiled properly and all GOST engine functions were included in the static library. The "Unsupported algorithm" error message means that the GOST functions were not initialized properly. The question is: how do I properly initialize engines with statically linked openSSL? Is it possible to use engines and a statically linked openssl library in general?

Best Regards
Xidex
Re: OpenSSL and GOST engine issue (statically linked library )

I made a mistake in the code, and it is possible not to load all engines with ENGINE_load_builtin_engines. What does the next code show you:

//testing loading GOST engine
ENGINE *e;
const char *engine_id = "gost";
ENGINE_load_openssl();
//ENGINE_load_builtin_engines();
ENGINE_load_gost();
e = ENGINE_by_id(engine_id);
if(!e) {
    /* the engine isn't available */
    ERR_print_errors(bf_log);
    return 1;
}
if(!ENGINE_init(e)) {
    /* the engine couldn't initialise, release 'e' */
    ERR_print_errors(bf_log);
    ENGINE_free(e);
    return 1;
}

From: Abyss Lingvo
Sent: Wednesday, June 13, 2012 5:21 PM
To: openssl-users@openssl.org
Subject: OpenSSL and GOST engine issue (statically linked library )
Re: OpenSSL and GOST engine issue (statically linked library )

>> The "Unsupported algorithm" error message means that the GOST functions were not initialized properly. The question is: how do I properly initialize engines with
>> statically linked openSSL?

How do you init the GOST engine with statically linked openSSL? What does the next code show you:

//testing loading GOST engine with statically linked openssl library
ENGINE *e;
const char *engine_id = "gost";
ENGINE_load_openssl();
ENGINE_load_builtin_engines();
e = ENGINE_by_id(engine_id);
if(!e) {
    /* the engine isn't available */
    ERR_print_errors(bf_log);
    return 1;
}
if(!ENGINE_init(e)) {
    /* the engine couldn't initialise, release 'e' */
    ERR_print_errors(bf_log);
    ENGINE_free(e);
    return 1;
}
//if we are here, initialization seems to be ok
ENGINE_free(e);
ENGINE_cleanup();

---

From: Abyss Lingvo
Sent: Wednesday, June 13, 2012 5:21 PM
To: openssl-users@openssl.org
Subject: OpenSSL and GOST engine issue (statically linked library )
Re: What is the difference between green and yellow address bars in browser for certificate's fields?

Thank you for the hyperlink, Joshua. I will investigate this.

> I'm not sure why the guy at Thawte got secretive and rude to you, because it's open information

Maybe I had a talk with a bad technical specialist.

-

From: Joshua Bowman
Sent: Wednesday, June 13, 2012 10:07 PM
To: openssl-users@openssl.org
Subject: Re: What is the difference between green and yellow address bars in browser for certificate's fields?

On 6/13/2012 10:05 AM, Vladimir Belov wrote:
> I need to make some corrections. So, I think maybe there is an arrangement of CA companies (Verisign, Thawte and others) with browser companies (Microsoft, Opera, Mozilla) that a special root or trusted CA’s certificate is used for Extended Validation. Therefore, any web server's certificate which is signed with this special cert is treated as a cert with Extended Validation and a green bar is displayed. Who has another point of view? Maybe there are some special extensions of X.509v3?
>
> Regards,
> Vladimir.

I'm not sure why the guy at Thawte got secretive and rude to you, because it's open information and you were close to the mark the first time:
https://en.wikipedia.org/wiki/Extended_Validation_Certificate#Extended_Validation_certificate_identification

It's a bit confusing because most (maybe all?) vendors use a different intermediate cert for their EV certs, but that doesn't matter, only the presence or absence of the OID does.

Joshua Bowman
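As an added example (not code from the thread), a minimal DER encoder/decoder that pulls the policy OIDs out of a certificatePolicies extension value and checks them against a browser-style EV table, which is the decision Joshua describes: the OID in the certificate, not the signing intermediate, decides the green bar. The 1.3.6.1.4.1.99999 OIDs and the CPS URL are constructed for the demo; 2.23.140.1.1 is the CA/Browser Forum EV policy OID.

```python
# Added example (not the thread's code): how a browser decides "EV or not",
# by the policy OID in certificatePolicies rather than by the issuing chain.
# Minimal DER encode/decode for the structures involved; no external library.
# 1.3.6.1.4.1.99999.* OIDs and the CPS URL are constructed for this demo.


def encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return b"\x06" + encode_length(len(body)) + bytes(body)


def encode_ia5(text):
    """DER IA5String (tag 0x16)."""
    raw = text.encode("ascii")
    return b"\x16" + encode_length(len(raw)) + raw


def encode_sequence(*items):
    """DER SEQUENCE (tag 0x30) of already-encoded items."""
    body = b"".join(items)
    return b"\x30" + encode_length(len(body)) + body


def read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted notation from the value bytes of an OBJECT IDENTIFIER."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def policy_oids(cert_policies_der):
    """All policyIdentifier OIDs from a DER certificatePolicies extension value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID,
                                       policyQualifiers SEQUENCE OPTIONAL }
    Qualifiers (e.g. a CPS pointer) are skipped; only the OID matters here.
    """
    tag, outer, _ = read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = read_tlv(outer, pos)
        oid_tag, oid_body, _ = read_tlv(info, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids


# Browser-side EV table keyed by policy OID. 2.23.140.1.1 is the CA/Browser
# Forum EV policy OID; the 99999 entry stands in for the CA-specific EV OIDs
# browsers shipped per root at the time of the thread (constructed value).
EV_POLICY_OIDS = {
    "2.23.140.1.1": "CA/Browser Forum EV",
    "1.3.6.1.4.1.99999.1.1": "Example CA EV (constructed)",
}


def ev_policy(cert_policies_der, ev_table=EV_POLICY_OIDS):
    """Return the matching EV policy OID, or None: this is the green-bar decision."""
    for oid in policy_oids(cert_policies_der):
        if oid in ev_table:
            return oid
    return None


# Constructed extension values. The EV one also carries a CPS qualifier
# (id-qt-cps = 1.3.6.1.5.5.7.2.1) to show that qualifiers are skipped.
POLICY_QUALIFIERS = encode_sequence(encode_sequence(
    encode_oid("1.3.6.1.5.5.7.2.1"), encode_ia5("http://example.invalid/cps")))
EV_EXT = encode_sequence(encode_sequence(
    encode_oid("1.3.6.1.4.1.99999.1.1"), POLICY_QUALIFIERS))
# Same CA, ordinary (non-EV) policy OID: identical otherwise, no green bar.
OV_EXT = encode_sequence(encode_sequence(encode_oid("1.3.6.1.4.1.99999.2.1")))

if __name__ == "__main__":
    print("EV extension :", EV_EXT.hex(), "->", ev_policy(EV_EXT))
    print("non-EV       :", OV_EXT.hex(), "->", ev_policy(OV_EXT))
```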
What is the difference between green and yellow address bars in browser for certificate's fields?
Hello. Many public CAs suggest Extended Validation for certificates of web servers. These certificates are much more expensive, but in the browser we only see a green address bar instead of a yellow or blank one. I wondered what the difference between green and yellow address bars in the browser is in terms of the certificate's fields. Maybe there are some special extensions that can be added by the CA during signing of the certificate request.

I had a talk with a technical support specialist at Thawte and he said that "There is no difference in what an Extended Validation certificate technically from all of our other certificates. It is the cosmetics that they do on a browser. For an example, the SSL Web Server certificate would have the same properties, extensions, etc, that our Extended Validation certificates have. The only difference is that the EV certificates display the web browsers URL address bar green when a successful secured connection has been made". He also refused to answer how the browser determines which bar to display, green or yellow.

So, I think maybe there is an arrangement between the CA companies (Verisign, Thawte and others) and the browser companies (Microsoft, Opera, Mozilla) that a special root certificate is used for Extended Validation. Therefore, any web server certificate whose chain is signed at the top by this special root cert is treated as a cert with Extended Validation and a green bar is displayed. Who has another point of view?

Regards, Vladimir.
[sorry, my english isn't good :)]

This is my talk with Thawte technical support:

You have been connected to Macario.
Macario: Good day, how may I help you today?
Vladimir Belov: Hello
Vladimir Belov: What is the difference between green and yellow address bars in browser. What fields in certificate determine what bar will be - green or yellow?
Macario: Green address bar is when an Extended Validation certificate is installed as that is the highest level security certificate we offer.
Vladimir Belov: What is the "Extended Validation"? What fields of certificate it sets?
Macario: It is an extended process that we go through to validate the certificate information before it is approved.
Macario: One of the main features of this certificate is having the address bar green.
Macario: If you see a yellow address bar, it is most likely due to having an old version of your browser installed.
Vladimir Belov: I need technical info, more in detail please
Vladimir Belov: What fields of certificate it sets?
Vladimir Belov: Can you switch me to a technical specialist? For example, Duke.
Macario: Sure, let me get you over to our technical support group for further assistance.
Macario has left the session.
Please wait while we find an agent from the transfer TechSupport Thawte department to assist you.
You have been connected to Clifford.
Clifford: Please hold as I review your information, thank you.
Vladimir Belov: Ok. I am waiting.
Clifford: You have reached Technical Support. What specific technical information are you looking for please?
Vladimir Belov: What is the "Extended Validation"? What fields of certificate it sets?
Clifford: Please be more technically specific as to what you mean "fields of certificate" it sets
Clifford: What fields are you referring to?
Vladimir Belov: What fields of x509 certificate it sets?
Clifford: Unfortunately that does not make sense. X.509 is a base64 format of any digital certificate, not just SSL.
Clifford: What fields are you looking for?
Clifford: There is no specific term called "fields" on a certificate. Please describe technically what you are looking for
Vladimir Belov: What will be the difference in fields of x509-certificate "SSL Web Server Certificates with EV" and for example "SSL123 Certificates"? "Fields" such as special extensions. Basic fields of x509-certificate are Subject, Issuer, NotBefore, NotAfter and so on
Vladimir Belov: Other fields are extensions such as "basicConstraints", "keyUsage"
Clifford: There is no difference in what an Extended Validation certificate technically from all of our other certificates. It is the cosmetics that they do on a browser. For an example, the SSL Web Server certificate would have the same properties, extensions, etc, that our Extended Validation certificates have. The only difference is that the EV certificates display the web browsers URL address bar green when a successful secured connection has been made.
Vladimir Belov: How browser determines what bar green or yellow to display?
Vladimir Belov: If you say that "the SSL Web Server certificate would have the same properties, extensions, etc, that our Extended Validation certificates "
Clifford: Unfortunately that is information that we cannot disclose.
Vladimir Belov: Why? :)
Re: trust chain building for X509_verify_cert
His code WORKS fine with OpenSSL library initialization. I checked. The verification failed because OpenSSL couldn't find the digest algorithm. Special error checking isn't needed now; the reason is the absence of the OpenSSL_add_all_algorithms function or similar.

---
From: Dave Thompson
Sent: Thursday, June 07, 2012 5:43 AM
To: openssl-users@openssl.org
Cc: 'Alexander Kirschner'
Subject: RE: trust chain building for X509_verify_cert

> From: owner-openssl-us...@openssl.org On Behalf Of Arthur Spitzer
> Sent: Tuesday, 05 June, 2012 04:48
>
> I need to verify a X.509 certificate against a self-signed X.509 CA, both certificates are in PEM-format. Doing this on the command line works so far:
>
> Right now I am working on a small piece of code that is supposed to do the same from C++ using the X509_verify_cert function. The problem is: The verification always fails with error code 7 ("signature invalid"). I already tried three different attempts (documented in the attached cpp file) to build the trust chain, with the same result.

verify error 7 isn't a chain building problem, it's an error verifying the signature (on the cert, against the parent).

http://www.openssl.org/support/faq.html#PROG6 tells you to do ERR_print_errors_fp (or equivalent) which says 0D0C50A1, and http://www.openssl.org/support/faq.html#PROG7 tells you to ERR_load_crypto_strings (or equivalent, e.g. for SSL apps use SSL_load_error_strings) which says ...:unknown message digest algorithm, and http://www.openssl.org/support/faq.html#PROG8 tells you OpenSSL_add_all_algorithms (or equivalent).

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: trust chain building for X509_verify_cert
Hi, Arthur.
The verification always fails because OpenSSL can't find the digest algorithm. You (as I did just now) forgot about OpenSSL initialization. You must add the following code at the beginning of the main function:

    #include <openssl/err.h>
    #include <openssl/evp.h>

    // SSLeay library init (libcrypto)
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();

There are other variants of initialization (if necessary):

    #include <openssl/ssl.h>

    // SSL library init (libssl)
    ERR_load_SSL_strings();
    SSL_library_init();

    // OpenSSL library init (both libcrypto and libssl)
    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();

--
From: Arthur Spitzer
Sent: Tuesday, June 05, 2012 12:48 PM
To: openssl-users@openssl.org
Cc: Alexander Kirschner
Subject: trust chain building for X509_verify_cert

Hi,
I need to verify a X.509 certificate against a self-signed X.509 CA, both certificates are in PEM-format. Doing this on the command line works so far:

    openssl verify -CAfile caCertificate.pem certificate.pem
    certificate.pem: OK

The version of OpenSSL is: 1.0.0j-fips 10 May 2012.
Right now I am working on a small piece of code that is supposed to do the same from C++ using the X509_verify_cert function. The problem is: The verification always fails with error code 7 ("signature invalid"). I already tried three different attempts (documented in the attached cpp file) to build the trust chain, with the same result. The relevant source code (certificates as char arrays included in the cpp) and both certificates are attached.
I would be very grateful if you could give me a hint. Right now I am a little lost.
Thanks in advance & Best regards,
Arthur

Dipl.-Math. Arthur Spitzer, Software Architect
Phone: +49.89.45 23 47 - 260
jambit Software Development & Management GmbH
Erika-Mann-Str. 63, 80636 München
Phone: +49.89.45 23 47-0 Fax: +49.89.45 23 47-70
http://www.jambit.com where innovation works
Managing directors: Peter F. Fellinger, Markus Hartinger
Registered office: München; registry court: München, HRB 129139
Re: OCSP_basic_verify FAILED(returns -1) (all details in email)
Yes! I forgot about OpenSSL initialization. Thank you, Dr. Stephen Henson.

From: Dr. Stephen Henson
Sent: Wednesday, June 06, 2012 5:12 PM
To: openssl-users@openssl.org
Subject: Re: OCSP_basic_verify FAILED(returns -1) (all details in email)

On Wed, Jun 06, 2012, Vladimir Belov wrote:

> Hello.
> OCSP_basic_verify failed (returns -1) although "openssl ocsp -respin ..." shows "Response verify OK" with the same OCSP response and root CAs. I attached to this email the ZIP and TAR archives with the OCSP response, the checked certificate, its issuer certificate (VeriSignClass3ExtendedValidationSSLSGCCA.pem) and root certs of CAs. The checked certificate is the certificate of the web-site www.verisign.com. I use OpenSSL 1.0.0e.
> OCSP_basic_verify failed (returns -1) with the following errors:
>
>     4064:error:0D0C50A1:lib(13):func(197):reason(161):.\crypto\asn1\a_verify.c:150:
>     4064:error:27069075:lib(39):func(105):reason(117):.\crypto\ocsp\ocsp_vfy.c:98:
>
> I debugged this situation and found that this happens because EVP_get_digestbyname for argument "name"="SHA1" returns "NULL"!

Perhaps: http://www.openssl.org/support/faq.html#PROG8

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: self-signed certificates vs CA (was: Re: authenticate peer)
Hi, Marco.
What can you say (_Conceptually_) about a way to revoke root CA certificates? They don't have any CRL distribution points or OCSP responder URLs. But why is it so? For example, another company (another CA) could sign the OCSP responder certificate for the root certificate, and this would be a more secure scheme compared with the existing realities. The probability that both private keys of both companies are compromised at the same time is too low.
Regards, Vladimir.

--
From: Marco Molteni
Sent: Tuesday, June 05, 2012 1:35 PM
To: openssl-users@openssl.org
Subject: self-signed certificates vs CA (was: Re: authenticate peer)

What is a CA? _Conceptually_ a CA is nothing more than a self-signed certificate you trust as an issuer of other certificates :-)
So, a self-signed certificate doesn't need its own CA. Or, it is the same thing.

From a practical point of view, in my opinion the main differences are these:
Say you have 100 self-signed certificates. You have to put them out of band, in a secure way, in the N places they will be needed to authenticate the owners of the associated private keys. The day you add the 101st self-signed certificate, you have to put it in the N places, as before.
On the other hand, if you have your own root CA, you just have to put 1 certificate once, the certificate of the root CA, in the N places. The day you add the 101st certificate issued by the CA, you don't need to do anything in the N places.
If you have a CA, you must guard the private key. A compromise will compromise _all_ your system.
If you don't have a CA, you don't have to guard a private key. A compromise will compromise 1 identity.
In both cases (CA or not), you probably need a way to revoke certificates.

On Jun 4, 2012, at 17:07 , Dinh, Thao V CIV NSWCDD, K72 wrote:

> Please help me to understand more about "SELF SIGNED CERTIFICATES".
>
> Do Self-Signed certificates have to be signed at all by their own CA?? Do we have to generate a CSR for each client?? If they do, what is the best way to create a "Self-Signed Cert"?? Either
>
> 1. Each client is its own CA
>    a. // generate keys and CSR
>       openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
>    b. // generate cert signed by its own CA
>       openssl x509 -req -in clientreq.pem -sha1 -signkey clientkey.pem -out clientcert.pem
>
> 2. Create one root CA, every client creates its own certificate signed by the root CA
>    // create root
>    a. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>    b. openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem
>    c. cat rootcert.pem rootkey.pem > root.pem
>
>    // create client certificate, signed by common root
>    d. openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
>    f. openssl x509 -req -in clientreq.pem -sha1 -CA root.pem -CAkey root.pem -CAcreateserial -out client.pem
>
> Please help.
>
> Thao
Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com
Thank you, Joshua. It works now.
It turns out that there are 4 certificates in the chain:
1) Class 3 Public Primary Certification Authority
2) VeriSign Class 3 Public Primary Certification Authority – G5
3) VeriSign Class 3 Extended Validation SSL SGC CA
4) www.verisign.com

But it is strange that "VeriSign Class 3 Public Primary Certification Authority – G5" has the same fields in Issuer and Subject, which is characteristic of self-signed root certificates. That's why I thought that it is the last, self-signed root CA. Why is the CN in the Issuer field of the certificate "VeriSign Class 3 Public Primary Certification Authority - G5" the same name "VeriSign Class 3 Public Primary Certification Authority - G5", though it is signed with another certificate "Class 3 Public Primary Certification Authority"? Also it is strange that no browser has shown the last actual certificate in the chain, the top root CA.
Regards.

--
From: Joshua Bowman
Sent: Tuesday, June 05, 2012 9:48 AM
To: openssl-users@openssl.org
Subject: Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com

Sorry, I copied in the wrong cert by mistake, but the right serial number.
Joshua Bowman
Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com
Hi Joshua,
Can you say which concrete root CA I must add to my file trusted_root_certs_of_CAs.pem? What serial number? I see in many browsers (FireFox, Opera, IE) that the certificate chain consists of only 3 certificates:
1) VeriSign Class 3 Public Primary Certification Authority – G5
2) VeriSign Class 3 Extended Validation SSL SGC CA
3) www.verisign.com
The first and the second are in my CAfile, the third is the certificate of the domain www.verisign.com. The "VeriSign Class 3 Public Primary Certification Authority – G5" is a self-signed root certificate. It is on the top of the chain. What other root CA should I add?
Regards, Vladimir.

--
From: Joshua Bowman
Sent: Tuesday, June 05, 2012 8:48 AM
To: openssl-users@openssl.org
Subject: Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com

Hi Vladimir,
Use the actual root CA instead (i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority) and you'll see it works. You can save it with a web browser, the -showcerts option, or it is also bundled as a root cert in all modern OSes. The others aren't the root cert so they don't work.
Joshua Bowman
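The two threads above (Thao's root-CA and client-certificate commands, and the "error 20" question about which certificate belongs in -CAfile) as one runnable script. This is an added example, not code from any post in the thread; it assumes an openssl binary (1.1.1 or newer) in PATH, and every CA name and file name in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not code from any post in the thread): build a root -> intermediate -> leaf
# chain with the openssl CLI, as in Thao's option 2, and show which certificate has to be
# in -CAfile for "openssl verify" to succeed. Assumes an openssl binary (1.1.1 or newer)
# in PATH. Every CA name and file name below is constructed for the example.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Own req config, so the example does not depend on the system openssl.cnf.
write_config() {
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# self_signed NAME CN : a self-signed CA, i.e. Subject == Issuer and the signature is
# made with the certificate's own key (the one-command form of Thao's steps a/b).
self_signed() {
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME CN ISSUER CA_FLAG : a certificate for CN signed with ISSUER's key.
# CA_FLAG is TRUE for an intermediate CA (it may sign further certs), FALSE for a leaf.
issue() {
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$WORK/$1.ext"
  if [ "$4" = TRUE ]; then
    printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$WORK/$1.ext"
  fi
  # -CAcreateserial: creates the issuer's serial file on first use
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 -CA "$WORK/$3.pem" \
    -CAkey "$WORK/$3.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
}

build_chain() {
  write_config
  self_signed root  "Example Root CA"
  self_signed other "Unrelated Root CA"   # a trusted root that did NOT issue our chain
  issue inter "Example Intermediate CA" root  TRUE
  issue leaf  "www.example.test"        inter FALSE
}

# same_subject_issuer NAME : yes when Subject equals Issuer, the mark of a self-signed root.
same_subject_issuer() {
  s=$(openssl x509 -in "$WORK/$1.pem" -noout -subject)
  i=$(openssl x509 -in "$WORK/$1.pem" -noout -issuer)
  if [ "${s#subject=}" = "${i#issuer=}" ]; then echo yes; else echo no; fi
}

# verify_leaf TRUSTED [more verify options] : prints OK, or the "error N" token reported
# by openssl verify (20 = unable to get local issuer certificate).
verify_leaf() {
  trusted="$1"; shift
  out=$(openssl verify -CAfile "$WORK/$trusted.pem" "$@" "$WORK/leaf.pem" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/.*\(error [0-9][0-9]*\).*/\1/p' | head -n 1 ;;
  esac
}

build_chain
echo "root  Subject == Issuer: $(same_subject_issuer root)"    # yes
echo "inter Subject == Issuer: $(same_subject_issuer inter)"   # no
# The server sends leaf + intermediate; what is in the trust store decides the outcome:
echo "wrong root in -CAfile:   $(verify_leaf other -untrusted "$WORK/inter.pem")"  # error 20
echo "right root in -CAfile:   $(verify_leaf root -untrusted "$WORK/inter.pem")"   # OK
echo "only intermediate:       $(verify_leaf inter)"                 # not OK
echo "with -partial_chain:     $(verify_leaf inter -partial_chain)"  # OK
```

The third case is Vladimir's situation: a root is trusted, but not the one at the top of the chain the server sends, so the lookup for the intermediate's issuer fails locally.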
Re: Multi-threaded applications, locking_function, threadid_func, dynamic locks
Thank you, Brian. This is exactly the answer to the question that I asked Dr. Stephen Henson the second time. The question was: "...can we use safely only dynamic locks in multi-threaded applications instead of locking_function and threadid_func or no? Or if we want to use dynamic locks we must set callback functions for "static" and dynamic locks both and OpenSSL already choose what callback it want to use in concrete case? How OpenSSL works here?"
The answer (from "Network Security with OpenSSL", John Viega, Matt Messier, Pravir Chandra) is: "If you want your applications to continue working with a minimal amount of effort in the future, we recommend that you implement both static and dynamic locks now".
It turns out that OpenSSL chooses which callback it wants to use in each concrete case. But OpenSSL does not currently make use of dynamic locks (with some exceptions), that's why we can't use ONLY dynamic locks. So, either ONLY static locks, or both static and dynamic.
Thank you very much for your answer, Brian.

From: bebro...@rockwellcollins.com
Sent: Tuesday, May 15, 2012 5:50 PM
To: openssl-users@openssl.org
Subject: Re: Multi-threaded applications, locking_function, threadid_func, dynamic locks

Good coverage of this topic is in the chapter "4 Support Infrastructure", section "4.1 Multithread Support"
http://my.safaribooksonline.com/book/networking/security/059600270x/support-infrastructure/openssl-chp-4-sect-1
from the book Network Security with OpenSSL
By: John Viega; Matt Messier; Pravir Chandra
Publisher: O'Reilly Media, Inc.
Pub. Date: June 17, 2002
Print ISBN-13: 978-0-596-00270-1

The book's sample code contains common.h, common.c, reentrant.h, and reentrant.c which attempt to set up the static and dynamic threading callbacks for WIN32 and POSIX.
http://examples.oreilly.com/9780596002701/

Just for completeness, the source reference for the static and dynamic thread primitive callbacks is http://www.openssl.org/docs/crypto/threads.html

If you have an Association for Computing Machinery membership, you can access this book with http://acmsel.safaribooksonline.com/book/networking/security/059600270x/support-infrastructure/openssl-chp-4-sect-1

---
Brian Brooks
Senior Software Engineer
Rockwell Collins Satellite Communications Systems
2205 Northmont Parkway Duluth, GA 30096
bebro...@rockwellcollins.com
office: (678) 252-4498

"Vladimir Belov" Sent by: owner-openssl-us...@openssl.org
05/13/2012 02:04 PM
Please respond to openssl-users@openssl.org
Subject: Re: Multi-threaded applications, locking_function, threadid_func, dynamic locks

From: Dr. Stephen Henson
Sent: Sunday, May 13, 2012 5:53 PM

> Yes because some structures need to be locked internally. An example is the error queue.

I draw a conclusion: in a multi-threaded application using locking_function and threadid_func is mandatory. Ok.

> Currently dynamical locks aren't used for much. The only example I can immediately think of is the CHIL ENGINE.
> At some point dynamic locks might be used more generally. The reason they could increase performance is that currently locks are global and related to structures.

I don't understand precisely, Steve. All locking is done by OpenSSL itself, we only set platform-specific callback functions such as locking_function, CRYPTO_set_dynlock_lock_callback. We don't speak about locking programmer's objects but about internal objects of OpenSSL, which must be done by OpenSSL itself, not by the programmer. If you also say that "dynamical locks aren't used for much", I really don't understand: can we safely use only dynamic locks in multi-threaded applications instead of locking_function and threadid_func or not? Or if we want to use dynamic locks must we set callback functions for both "static" and dynamic locks, and OpenSSL already chooses which callback it wants to use in each concrete case? How does OpenSSL work here?

> So if you need to perform locking on an X509 structure you lock *all* X509 structures while this is going on. It would be more efficient if only the single affected X509 structure was locked.

Yes, it would be more efficient if only the single affected X509 structure was locked, I understand now about performance.
Re: Multi-threaded applications, locking_function, threadid_func, dynamic locks
From: Dr. Stephen Henson
Sent: Sunday, May 13, 2012 5:53 PM

> Yes because some structures need to be locked internally. An example is the error queue.

I draw a conclusion: in a multi-threaded application using locking_function and threadid_func is mandatory. Ok.

> Currently dynamical locks aren't used for much. The only example I can immediately think of is the CHIL ENGINE.
> At some point dynamic locks might be used more generally. The reason they could increase performance is that currently locks are global and related to structures.

I don't understand precisely, Steve. All locking is done by OpenSSL itself, we only set platform-specific callback functions such as locking_function, CRYPTO_set_dynlock_lock_callback. We don't speak about locking programmer's objects but about internal objects of OpenSSL, which must be done by OpenSSL itself, not by the programmer. If you also say that "dynamical locks aren't used for much", I really don't understand: can we safely use only dynamic locks in multi-threaded applications instead of locking_function and threadid_func or not? Or if we want to use dynamic locks must we set callback functions for both "static" and dynamic locks, and OpenSSL already chooses which callback it wants to use in each concrete case? How does OpenSSL work here?

> So if you need to perform locking on an X509 structure you lock *all* X509 structures while this is going on. It would be more efficient if only the single affected X509 structure was locked.

Yes, it would be more efficient if only the single affected X509 structure was locked, I understand now about performance.
Multi-threaded applications, locking_function, threadid_func, dynamic locks
Hello.

1) If I use each OpenSSL object from only one thread at a time (it can be a different thread each time, but two or more threads will never use one object simultaneously), do I need to use locking_function and threadid_func or not?

2) Performance of dynamic locks in comparison with "static" locks. In the threads(3) documentation page there is a phrase: "OpenSSL supports dynamic locks, and sometimes, some parts of OpenSSL need it for better performance". I don't understand how dynamic locks can increase performance of the application! If we use static locks with locking_function and threadid_func then all necessary locking objects are created at start, we get their quantity with CRYPTO_num_locks(), and while the application runs only locking and unlocking occurs. If we use dynamic locks then OpenSSL will spend additional time creating a dynamic lock and destroying it. Maybe here it is more pertinent to speak about saving of resources and memory, not about performance?

And also I don't understand the phrase from the threads(3) documentation page: "Also, dynamic locks are currently not used INTERNALLY by OpenSSL, but may do so in the future". If they are not used internally, how can they guard internal OpenSSL objects in a multi-threaded application?

It would be very nice if somebody from the developers team would also answer the second question, and I will be very grateful for the response. For example, Dr Stephen N. Henson. Because it is not a general question but about one detail.
Regards, Vladimir.
no-store(OPENSSL_NO_STORE) experimental option
Hello. I see a new experimental option that is turned on by default in Configure: no-store. What does it mean?
applink.c, OPENSSL_Applink, small C snippet
As I understand from the FAQ, this small snippet is needed only if I am mixing compilers for OpenSSL compilation and compilation of my application. But if I use the same compiler and the same compiler options for OpenSSL compilation and compilation of my application, I don't need it. Am I right or wrong?
Re: Programming with OpenSSL in different operation systems
>> Do you mean an application which calls OpenSSL, or OpenSSL itself?

I mean an application: "Programming with OpenSSL".

>> If you mean your client program, opensslconf.h is among the .h files copied to the installed include directory, so you can #include it if you want. But your program shouldn't need to do anything different *in OpenSSL calls* depending on platform. (If your program makes platform-dependent calls directly, that's your own concern.)

I understand, Dave. Thank you. When I choose the target platform during installation (compilation), OpenSSL automatically generates the necessary macros and creates a platform-specific header file depending on the chosen platform. Most likely opensslconf.h is that file, and it is included first of all header files and also in e_os2.h. So we don't need to include any macros in our applications in different OSes to use the OpenSSL API, because OpenSSL does it automatically.

From: Dave Thompson
Sent: Saturday, May 12, 2012 2:45 AM
To: openssl-users@openssl.org
Subject: RE: Programming with OpenSSL in different operation systems

> From: owner-openssl-us...@openssl.org On Behalf Of Vladimir Belov
> Sent: Thursday, 10 May, 2012 16:09
>
> I want to know what constants (such as OPENSSL_SYS_WIN32 or OPENSSL_SYS_UNIX) with #define operator I must define at the beginning of the program in different OS: Windows, Linux and others?

Do you mean an application which calls OpenSSL, or OpenSSL itself?

> I understand that there are different functions that must be different in different OS, that's why these macros are used. But I see in e_os2.h that OpenSSL automatically defines the necessary macros depending on OS-specific macros that are already defined.

When an instance of OpenSSL is built, the first step is either:
- run a perl script Configure and tell it your OS, CPU, compiler/tools, target location(s), etc., and optionally numerous things you can select (include or exclude certain ciphers, use or not use assembler, etc.) and it sets various needed macros in crypto/opensslconf.h
- or run a shell script config which guesses your OS/CPU/etc and runs Configure with 'recommended' options

Either way, when OpenSSL is compiled it uses opensslconf.h to control all (we hope!) platform-dependent things.

If you mean your client program, opensslconf.h is among the .h files copied to the installed include directory, so you can #include it if you want. But your program shouldn't need to do anything different *in OpenSSL calls* depending on platform. (If your program makes platform-dependent calls directly, that's your own concern.)

I suppose you might do some things differently (or not at all) if your OpenSSL was built with or without certain cipher or protocol features.
Programming with OpenSSL in different operation systems
Hello. I want to know what constants (such as OPENSSL_SYS_WIN32 or OPENSSL_SYS_UNIX) I must define with the #define operator at the beginning of the program in different OSes: Windows, Linux and others. I understand that there are different functions that must be different in different OSes, that's why these macros are used. But I see in e_os2.h that OpenSSL automatically defines the necessary macros depending on OS-specific macros that are already defined. So, my question is: do I need to define any macros myself, or does OpenSSL do it automatically and SAFELY?
Re: Open SSL API's Support For IPv6.
Hi.
I think for IPv6 support you must use BIO_new_bio_pair (http://www.openssl.org/docs/crypto/BIO_new_bio_pair.html). The BIO pair can be used to have full control over the network access of an application, and you can manually add IPv6 support in your application.

From: Akanksha Shukla
Sent: Thursday, November 03, 2011 7:25 PM
To: openssl-users@openssl.org
Subject: RE: Open SSL API's Support For IPv6.

Hi All,
I want to summarize what issue has been faced by me till now, how I proceeded further on that with the help of suggestions provided on this forum, and what the current status on the issue is.

Issue Description: I am using the SSL APIs for a client application to connect to a server, and that worked fine over IPv4. Now my requirement is to have the same client-server communication over IPv6. This time I also used the same SSL APIs to connect to the server using an IPv6 address, but faced an issue with that. That's why I raised the same issue in the forum itself. Now I would like to summarize all the options which I used along with code snippets and their outcome:

Approach 1:

    // Headers and the constants named in the comments; common to all three approaches.
    #include <iostream>
    #include <cerrno>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/ssl.h>
    using namespace std;
    #define BUFFER_SIZE 256
    #define CONNECT_MAX_TRY 10
    // CONNECT_SLEEP_INTERVAL is used below; its value is not given in the post.
    #ifndef INVALID_SOCKET
    #define INVALID_SOCKET (-1)   // POSIX socket() returns -1 on failure
    #endif

    int main()
    {
        BIO *conn;
        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        OpenSSL_add_all_algorithms();
        conn = BIO_new_connect("250::56ff:feab:20:80");
        if (!conn)
        {
            unsigned long error = ERR_get_error();
            char errorString[BUFFER_SIZE]; // Buffer size has been initialized to 256.
            ERR_error_string(error, errorString);
            cout << "The error details returned by Bio_new_connect() are:" << errorString << endl;
            return 0;
        }
        /* Configure the BIO as a non-blocking one */
        BIO_set_nbio(conn, 1);
        int retryCounter = 0;
        while (retryCounter < CONNECT_MAX_TRY) // Connect_Max_try has been initialized to 10.
        {
            int retVal = BIO_do_connect(conn);
            if (retVal <= 0)
            {
                if (BIO_should_retry(conn))
                {
                    retryCounter++;
                    cout << "try: BIO_do_connect return BIO_should_retry true! Retrying later!" << endl;
                    sleep(CONNECT_SLEEP_INTERVAL);
                    continue;
                }
                else
                {
                    unsigned long error = ERR_get_error();
                    char errorString[BUFFER_SIZE];
                    ERR_error_string(error, errorString);
                    cout << "The error details returned by Bio_do_connect() are:" << errorString << endl;
                    break;
                }
            }
            else
            {
                cout << "Bio_do_connect() passed successfully." << endl;
                break;
            }
        }
        return 0;
    }

After executing the above program, the output came:

    The error details returned by Bio_do_connect() are: error:02003000:system library:getservbyname:system library

Approach 2: All of the code mentioned above is the same except this API call, which is BIO_new_connect("[250::56ff:feab:20]:80"). After executing this, the outcome came as:

    The error details returned by Bio_do_connect() are: error:2006A066:BIO routines:BIO_get_host_ip:bad hostname lookup

Approach 3: I followed the way suggested in the forum and tried with an IPv4 address. This time, I am not able to make a connection on IPv4 and the biggest issue is that nothing is coming in the error logs of SSL as well.

    int main()
    {
        BIO *conn;
        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        OpenSSL_add_all_algorithms();
        char address[INET_ADDRSTRLEN+1] = "10.65.156.43";
        int socket_desc = socket(AF_INET, SOCK_STREAM, 0);
        if (socket_desc == INVALID_SOCKET)
        {
            cout << "The error returned by socket is" << errno << endl;
        }
        cout << "The socket is created successfully." << endl;
        struct sockaddr_in addrinfo;
        addrinfo.sin_family = AF_INET;
        addrinfo.sin_port = htons(80);
        inet_pton(AF_INET, address, &(addrinfo.sin_addr.s_addr));
        int retval = connect(socket_desc, (struct sockaddr *)&addrinfo, sizeof(addrinfo));
        if (retval != 0)
        {
            cout << " The error returned by socket connect is" << errno << endl;
        }
        cout << "The socket is connected successfully." << endl;
        conn = BIO_new_socket(socket_desc, 0);
        if (!conn)
        {
            unsigned long error = ERR_get_error();
            char errorString[BUFFER_SIZE];
            ERR_error_string(error, errorString);
            cout << "The error details returned by Bio_new_socket() are:" << errorString << endl;
        }
        /* Configure the BIO as a non-blocking one */
        BIO_set_nbio(conn, 1);
        int retryCounter = 0;
        while (retryCounter < CONNECT_MAX_TRY) // whose value is 10.
        {
            int retVal = BIO_do_connect(conn);
            if (retVal <= 0)
            {
                if (BIO_should_retry(conn))
                {
                    retryCounter++;
                    cout << "try: BIO_do_connect return BIO_should_retry true! Retr
Re: Using certificate and private key from Windows cert store with OpenSSL
Thanks for the answer, Stephen. Does it mean that if I want to perform certificate verification with Windows CryptoAPI I must manually extract the certificate from the handshake procedure or get it through a callback function, change its format (to be compatible with WinAPI functions) and give it to WinAPI functions for the next verifications of the certificate with Windows CryptoAPI?

From: Dr. Stephen Henson
Sent: Tuesday, November 01, 2011 10:45 PM
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL

On Tue, Nov 01, 2011, Vladimir Belov wrote:

> How to use some "engine API" in my program? What is the name of this "some engine API" or engine plug-in?
>
> Please, give a small example or where can I find documentation about this? Is there any documentation on openssl.org?

Note that the ENGINE API currently only accesses keys and not certificates. The CryptoAPI ENGINE can be used to redirect operations to private keys stored on Windows.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Using certificate and private key from Windows cert store with OpenSSL
How to use some "engine API" in my program? What is the name of this "some engine API" or engine plug-in? Please, give a small example or where can I find documentation about this? Is there any documentation on openssl.org?

From: Jakob Bohm
Sent: Tuesday, November 01, 2011 8:04 PM
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL

This option is for the OpenSSL API, and I sure hope it would work with all the supported Windows compilers, so you can use it with the compiler needed by the rest of your project. Once compiled in, your code will need to use some "engine API" at your program startup to request use of that engine plug-in, after which you should be able to use the Windows Certificate store and contents directly.

On 11/1/2011 4:03 PM, Vladimir Belov wrote:

Thanks, I understood that the 'enable-capieng' option is a standard option for Configure (enable/no). Is this option only for openssl.exe? How will openssl.exe use the Windows CERT store? Automatically, or is there a command of openssl.exe for this? I asked about OpenSSL API functions that will let me use the Windows CERT store directly in my own program, like X509_verify_cert for the OpenSSL CERT store. Or must I manually extract the certificate during the handshake, transform it (if necessary) and give it to WinAPI functions for further verification of the certificate with CryptoAPI?

From: Sergio NNX
Sent: Monday, October 31, 2011 11:12 PM
To: openssl-users@openssl.org
Subject: RE: Using certificate and private key from Windows cert store with OpenSSL

Ciao. I use MinGW to build OpenSSL and it has always worked very well. Steps:

a) perl Configure mingw shared enable-capieng --prefix=/mingw --openssldir=C:/OpenSSL
b) make

After a while, you'll have openssl.exe and a couple of DLLs. At this stage, you'll be able to access the Windows Certificate store. If you're using Windows boxes, I can send you my copy of OpenSSL for you to test. I hope it helps. Sergio.
From: ml.vladimbe...@gmail.com
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
Date: Mon, 31 Oct 2011 21:40:44 +0400

Sergio, how do I set this option when building OpenSSL? I didn't find any suggestions in the documentation. And can you give a link to the documentation on the openssl.org site where the API functions for working with Windows CERT stores are described?

From: Sergio NNX
Sent: Monday, October 31, 2011 1:02 PM
To: openssl-users@openssl.org
Subject: RE: Using certificate and private key from Windows cert store with OpenSSL

Ciao Andrejs. I don't know much about the source code you posted previously, but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows. I hope it helps. Sergio.
Re: Using certificate and private key from Windows cert store with OpenSSL
Thanks, I understood that the 'enable-capieng' option is a standard option for Configure (enable/no). Is this option only for openssl.exe? How will openssl.exe use the Windows CERT store? Automatically, or is there a command of openssl.exe for this? I asked about OpenSSL API functions that will let me use the Windows CERT store directly in my own program, like X509_verify_cert for the OpenSSL CERT store. Or must I manually extract the certificate during the handshake, transform it (if necessary) and give it to WinAPI functions for further verification of the certificate with CryptoAPI?

From: Sergio NNX
Sent: Monday, October 31, 2011 11:12 PM
To: openssl-users@openssl.org
Subject: RE: Using certificate and private key from Windows cert store with OpenSSL

Ciao. I use MinGW to build OpenSSL and it has always worked very well. Steps:

a) perl Configure mingw shared enable-capieng --prefix=/mingw --openssldir=C:/OpenSSL
b) make

After a while, you'll have openssl.exe and a couple of DLLs. At this stage, you'll be able to access the Windows Certificate store. If you're using Windows boxes, I can send you my copy of OpenSSL for you to test. I hope it helps. Sergio.

From: ml.vladimbe...@gmail.com
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
Date: Mon, 31 Oct 2011 21:40:44 +0400

Sergio, how do I set this option when building OpenSSL? I didn't find any suggestions in the documentation. And can you give a link to the documentation on the openssl.org site where the API functions for working with Windows CERT stores are described?

From: Sergio NNX
Sent: Monday, October 31, 2011 1:02 PM
To: openssl-users@openssl.org
Subject: RE: Using certificate and private key from Windows cert store with OpenSSL

Ciao Andrejs. I don't know much about the source code you posted previously, but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows. I hope it helps. Sergio.
Re: Using certificate and private key from Windows cert store with OpenSSL
Sergio, how do I set this option when building OpenSSL? I didn't find any suggestions in the documentation. And can you give a link to the documentation on the openssl.org site where the API functions for working with Windows CERT stores are described?

From: Sergio NNX
Sent: Monday, October 31, 2011 1:02 PM
To: openssl-users@openssl.org
Subject: RE: Using certificate and private key from Windows cert store with OpenSSL

Ciao Andrejs. I don't know much about the source code you posted previously, but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows. I hope it helps. Sergio.
Re: RAND_seed & RAND_bytes on Windows. How many random bytes I must give for function RAND_seed to seed PRNG properly?
Thanks for the answers, Jeff. But I still have questions:

> Why not allow OpenSSL to auto seed itself?

Because on Windows we do not have /dev/random, and that's why I think that auto seeding will be worse. But if OpenSSL seeds the PRNG automatically and I must not do anything else, why do I see in the FAQ: "On other systems, applications have to call the RAND_add() or RAND_seed() function with appropriate data before generating keys or performing public key encryption."?

While debugging my program, I saw that RAND_poll is called only once, after the first call of RAND_bytes or SSL_CTX_new. After that I called RAND_bytes several times and got at least 2 bytes, but RAND_poll isn't called. It's worth saying that ssleay_rand_add (RAND_add) operates on an internal ring buffer named "state" and its size is only 1039 bytes (1023+MD_DIGEST_LENGTH). This is the entropy pool, I think. That's why it is senseless to give more than 1024 bytes of random data to the RAND_seed function, because the entropy pool will be overwritten. And that's why I think we must explicitly call RAND_seed from time to time, when RAND_bytes is used. The question is: when do internal functions of the OpenSSL library use RAND_bytes, and how many bytes do they use? Having received the answer to it, I can know exactly when and how often I must explicitly call RAND_seed.

> If you have an overwhelming desire to provide entropy, why not use Windows (http://msdn.microsoft.com/en-us/library/aa379942(v=vs.85).aspx)?

I know the CryptGenRandom function. But somewhere I read that this function only seeds a PRNG with a cryptographically random value and after that it gives data generated by a typical random number generator such as the one shipped with a C compiler (rand, random). It is far more random only because of the random seeding. Maybe I am wrong. It will be very easy to seed the PRNG on Windows if I am wrong. CryptGenRandom is easy to use. But what about my assumptions, Jeffrey?

> As for the number of bytes required, I don't recall reading anything for asymmetric key generation. For symmetric ciphers, Gutmann recommends [key size in bits] + 64 bits (though Gutmann wrote the paper, I believe I read it from NIST's site).

Thanks for the answer. http://www.openssl.org/docs/crypto/RAND_bytes.html says: "RAND_pseudo_bytes() returns 1 if the bytes generated are cryptographically strong, 0 otherwise". But what about RAND_bytes? Does it also return 0 if the bytes generated are no longer cryptographically strong? Is there a limit or not? I think there must be a limit, because the entropy pool is limited to 1039 bytes. And how about SSL-TLS programming? Where in my program and how often must I explicitly call RAND_seed to be sure that all internal functions use good (cryptographically strong and unpredictable) data?
RAND_seed & RAND_bytes on Windows. How many random bytes I must give for function RAND_seed to seed PRNG properly?
Hello. I'll collect entropy (random bytes) myself on Windows. How many random bytes must I give to the function RAND_seed to seed the PRNG properly in two cases:

1) Generating RSA keys.
2) Programming SSL-TLS.

And where must I call RAND_seed during SSL-TLS programming? I think internal functions of OpenSSL call RAND_bytes when they need random data. So, it is very important for me to understand how RAND_seed and RAND_bytes work together. I don't understand how it works. For example, if I have seeded the PRNG with 256 bytes, how many random bytes can I get with RAND_bytes after that and be sure that they are unpredictable enough (good for cryptographic operations)? I would be grateful for help and advice.
Why does memory BIO use "internal copy operation" after reading?
In the documentation (http://www.openssl.org/docs/crypto/BIO_s_mem.html) I have read that: "Every read from a read write memory BIO will remove the data just read with an internal copy operation..."

Why does the memory BIO use an "internal copy operation" after reading? Why does it not use a ring buffer and only change the pointers after a read operation? It would be much faster.

And is this applicable to all BIO types or only to the memory BIO? For example, BIO_new_bio_pair creates two BIOs of type BIO_s_bio(). Is BIO_s_bio() similar to BIO_s_mem() in the sense that it uses an "internal copy operation" after a read, or not?
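The copy-versus-pointer trade-off the post asks about, modelled in Python as an added example that is not OpenSSL code. CopyingBuffer follows the behaviour the quoted BIO_s_mem() documentation describes (each read removes the consumed bytes by copying the rest to the front); RingBuffer is the alternative the post proposes, where a read only advances an index. Both return identical data for the same script of writes and reads; the only difference is how many bytes get moved. The price of the ring design is a fixed capacity, which is what a BIO pair has (its size is set with BIO_set_write_buf_size), while a memory BIO grows on demand. On the post's second question: the BIO pair from BIO_new_bio_pair() (bss_bio.c) is implemented as a circular buffer with an offset and a length, so its reads update indices rather than copying data. The sample traffic below is constructed.

```python
"""Two models of a read/write memory buffer, written for the question above.
Added example; neither class is OpenSSL code.

CopyingBuffer does what the BIO_s_mem() documentation quoted above describes:
each read removes the consumed bytes by copying the remainder to the front,
so the cost of a read grows with the amount of unread data.  RingBuffer keeps
the same interface but only moves an index: a read costs only the bytes it
returns and nothing for the bytes left behind."""
from typing import List, Tuple, Union


class CopyingBuffer:
    """Unbounded buffer; reads shift the unread tail to offset 0."""

    def __init__(self) -> None:
        self.data = b""
        self.bytes_copied = 0   # bytes moved by the "internal copy operation"

    def write(self, chunk: bytes) -> int:
        self.data += chunk
        return len(chunk)

    def read(self, n: int) -> bytes:
        out = self.data[:n]
        self.data = self.data[len(out):]     # copies every remaining byte
        self.bytes_copied += len(self.data)
        return out

    def pending(self) -> int:
        return len(self.data)


class RingBuffer:
    """Fixed-capacity circular buffer; reads only advance the start index."""

    def __init__(self, capacity: int) -> None:
        self.buf = bytearray(capacity)
        self.cap = capacity
        self.start = 0          # index of the oldest unread byte
        self.length = 0         # number of unread bytes
        self.bytes_copied = 0   # never changes: reads move no data

    def write(self, chunk: bytes) -> int:
        n = min(len(chunk), self.cap - self.length)   # short write when full
        for i in range(n):
            self.buf[(self.start + self.length + i) % self.cap] = chunk[i]
        self.length += n
        return n

    def read(self, n: int) -> bytes:
        n = min(n, self.length)
        out = bytes(self.buf[(self.start + i) % self.cap] for i in range(n))
        self.start = (self.start + n) % self.cap      # pointer update only
        self.length -= n
        return out

    def pending(self) -> int:
        return self.length


Op = Tuple[str, Union[bytes, int]]


def run_ops(buf, ops: List[Op]) -> Tuple[List[bytes], int]:
    """Apply a script of ("w", data) / ("r", n) steps; return (reads, bytes copied)."""
    reads = []
    for kind, arg in ops:
        if kind == "w":
            buf.write(arg)
        else:
            reads.append(buf.read(arg))
    return reads, buf.bytes_copied


# Constructed sample traffic: writes and reads interleaved the way records are
# fed into and drained from a BIO.
SAMPLE_OPS: List[Op] = [("w", b"hello world"), ("r", 5), ("w", b"!!"),
                        ("r", 4), ("r", 10)]

if __name__ == "__main__":
    for b in (CopyingBuffer(), RingBuffer(16)):
        print(type(b).__name__, run_ops(b, SAMPLE_OPS))
```

Running the script shows both buffers returning `[b"hello", b" wor", b"ld!!"]` for the same operations, with the copying buffer having moved 10 bytes and the ring buffer none.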
Re: What is the maximum data size for encrypting with rsautl command?
Thanks for the answer, Chris. I understand that the slow RSA algorithm is not used to encrypt large amounts of data; symmetric algorithms are used instead. But is it a limit of the RSA algorithm or only the OpenSSL library's limit?

From: Chris Dodd
Sent: Monday, June 27, 2011 8:36 PM

Roughly keysize - paddingsize is the limit. keysize in your case is 512 bytes and padding size for OAEP padding (the common standard) is ~41, so the limit is about 471 bytes. Usually when encrypting a file, you use a symmetric cipher with a randomly chosen key, and then encrypt the key with RSA and prepend that to the encrypted file.
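Chris's rule of thumb "keysize minus padding size" is the bound that RFC 8017 fixes for the padding scheme, so it follows from the modulus size and the padding rather than from OpenSSL. The added example below (not code from the thread or from OpenSSL) computes that bound for EME-OAEP and for PKCS#1 v1.5 and implements EME-OAEP encoding and decoding in pure Python with hashlib, which is enough to see why a 512-byte (4096-bit) block with SHA-1 OAEP holds at most 512 - 2*20 - 2 = 470 bytes of message. The key sizes and messages used are constructed sample values; the fixed `seed` parameter exists only so the test is repeatable.

```python
"""Where the RSA plaintext limit comes from: EME-OAEP and PKCS#1 v1.5 bounds
from RFC 8017, plus a pure-Python EME-OAEP encoder/decoder.  Added example,
not code from the thread or from OpenSSL.  Only the padding step is shown;
the modular exponentiation that follows it does not change the size limit."""
import hashlib
import os
from typing import Optional


def mgf1(seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """MGF1 mask generation function (RFC 8017 appendix B.2.1)."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((length + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_max_message_len(k: int, hash_name: str = "sha1") -> int:
    """Largest message that fits one RSA block of k bytes with OAEP (7.1.1)."""
    return k - 2 * hashlib.new(hash_name).digest_size - 2


def pkcs1_v15_max_message_len(k: int) -> int:
    """Same bound for PKCS#1 v1.5 type 2 padding (RFC 8017 section 7.2.1)."""
    return k - 11


def oaep_encode(message: bytes, k: int, hash_name: str = "sha1",
                seed: Optional[bytes] = None, label: bytes = b"") -> bytes:
    """EME-OAEP-ENCODE: returns the k-byte encoded message EM."""
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > oaep_max_message_len(k, hash_name):
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)   # may be empty
    db = l_hash + ps + b"\x01" + message                  # k - h_len - 1 bytes
    seed = os.urandom(h_len) if seed is None else seed    # fixed seed only for tests
    masked_db = xor_bytes(db, mgf1(seed, k - h_len - 1, hash_name))
    masked_seed = xor_bytes(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, hash_name: str = "sha1",
                label: bytes = b"") -> bytes:
    """EME-OAEP-DECODE: recovers M or raises one generic error."""
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * h_len + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = xor_bytes(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = xor_bytes(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    rest = db[h_len:]
    sep = rest.find(b"\x01")
    # Evaluate every condition before deciding, so the error does not reveal
    # which check failed: distinguishable errors are what padding-oracle
    # attacks on OAEP rely on.
    bad = y != 0
    bad |= db[:h_len] != hashlib.new(hash_name, label).digest()
    bad |= sep < 0 or any(rest[:sep])
    if bad:
        raise ValueError("decoding error")
    return rest[sep + 1:]


def oaep_decode_or_none(em: bytes, k: int, hash_name: str = "sha1") -> Optional[bytes]:
    """Convenience wrapper used to show that tampering is detected."""
    try:
        return oaep_decode(em, k, hash_name)
    except ValueError:
        return None
```

With a 4096-bit key (k = 512) the OAEP bound is 470 bytes for SHA-1 and 446 bytes for SHA-256, and the PKCS#1 v1.5 bound is 501 bytes; `rsautl` uses PKCS#1 v1.5 unless `-oaep` is given. Anything larger has to go through the hybrid scheme Chris describes: encrypt the data with a symmetric cipher and put only the symmetric key through RSA.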
What Random number generator is used in the OpenSSL library?
Hello, What Random number generator is used in the OpenSSL library?
What Random Number Generator OpenSSL uses on Windows Platform?
What Random Number Generator (RNG) does OpenSSL use on the Windows platform? And if it is its own, how does it work?
Re: where to find the ca.txt file
I think there is no such file yet. I could be mistaken. For what do you need this file? Do you want to know how to create a self-signed test certificate, or something else?

----- Original Message -----
From: "sara bai"
To:
Sent: Thursday, April 29, 2010 5:58 AM
Subject: where to find the ca.txt file

hi:
At the official HOWTO's column it is said there is a doc/HOWTO/ca.txt, but I can find that file neither on the website nor in the source code. Does anyone know where to find it? Thanks.

"""
4. Creating a self-signed test certificate

If you don't want to deal with another certificate authority, or just want to create a test certificate for yourself. This is similar to creating a certificate request, but creates a certificate instead of a certificate request. This is NOT the recommended way to create a CA certificate, see ca.txt.
"""

HOWTO's
Here you can find a number of howto's. These howto's are also part of the OpenSSL distribution, in doc/HOWTO/.

Bytes   Timestamp                Filename
4254    Apr 29 03:16:13 2010     certificates.txt
2603    Apr 29 03:16:13 2010     keys.txt
12233   Apr 29 03:16:13 2010     proxy_certificates.txt
Default Compiling&Linking of OpenSSL
Hi, What is the default compiling & linking mode for the OpenSSL libraries: Release or Debug? And how can I change it from one to the other? I use the Visual C++ 2008 Express command prompt for compiling & linking.