Re: [openssl-users] Migrating to openssl 1.1.1 in real life linux server

2018-09-11 Thread William A Rowe Jr
On Tue, Sep 11, 2018, 13:10 Kurt Roeckx wrote:

> On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> > Hello,
> >
> > What is the better way, for anyone running, for example, Apache or nginx
> > on a popular Linux distribution (Ubuntu, Debian, Suse), who wants to
> > support TLS 1.3?
> >
> > Waiting for a package update to have openssl 1.1.1? Probably a lot of time.
> >
> > Recompile the openssl dynamic library and replace the system library? We
> > must be sure we don't break the system.
> >
> > Recompile Apache or nginx with openssl statically linked? Probably complex.
>
> Note that you most likely need an update of both nginx/apache and
> openssl.
>
>

Note that the released httpd 2.4 does not yet support TLS 1.3, although it
compiles against the new OpenSSL; YMMV.

Within the next two httpd releases, we would expect OpenSSL 1.1.1 TLS 1.3
support to be GA. In the interim there is a working branch for 1.1.1
compatibility merges, and svn trunk already supports it, if you want to
live on the bleeding edge.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Static FIPS Library with Address Randomization

2017-03-20 Thread William A Rowe Jr
On Fri, Mar 17, 2017 at 12:06 PM, Michael Wojcik wrote:
>
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
>> Of Neptune
>> Sent: Friday, March 17, 2017 09:26
>> To: openssl-users@openssl.org
>> Subject: [openssl-users] Static FIPS Library with Address Randomization
>>
>> Platform: Win32
>> FIPS Object Module: 2.0.13
>> OpenSSL: 1.0.2j
>>
>> We've been using FIPS-capable OpenSSL for over a year now. Some of our
>> components are .dlls that statically link the libraries. Using the BASE:
>> linker flag (but not /FIXED) has worked well with only very occasional
>> address clashes.
>> The new year has brought a new requirement: NIAP. One of the NIAP
>> requirements is ASLR - address space layout randomization. Since turning on
>> these linker flags, the FIPS POST has been failing due to dll address being
>> randomized and no longer respecting the requested address in the BASE:x
>> linker flag. In order to get around this, I've had to add the /FIXED flag.
>> The address is no longer being randomized and the POST succeeds if the dll
>> loads...but therein lies the problem. When linking with the /FIXED flag, if
>> the BASE: address is not available, the dll will not load which is an
>> unacceptable problem and it is happening far too frequently.
>> It seems as though the requirements of FIPS-capable OpenSSL and NIAP address
>> randomization are at odds. Is there any way to satisfy both of these
>> requirements on Win32 and guarantee that the dll loads?
>
> AIUI, NIAP is just the US implementation of Common Criteria; you're better 
> off using the latter term in general discussion, I think.
>
> I don't believe there is a solution to this problem, generally speaking, for 
> 32-bit processes. (A 64-bit address space gives you a much better chance of 
> finding a base address with a very low probability of conflicts.)
>
> This is simply one of the many problems with FIPS 140-2, particularly for 
> software implementations. Those problems have been discussed extensively on 
> this list; you can find many others weighing in on them, such as:
>
> https://blogs.oracle.com/darren/entry/fips_140_2_actively_harmful
>
> For OpenSSL specifically, this specific question has also been discussed 
> elsewhere, for example:
>
> http://stackoverflow.com/questions/36268301/consequences-for-adding-relocation-information-in-fips-validated-libeay32-dll/36271778
>
> I'm aware of a few solutions, which probably won't help you at all:
> - Switch to 64-bit.
> - Switch to Linux or UNIX. This is primarily (exclusively?) a Windows 
> problem, because of how the PE loader handles relocations; I'm not aware of 
> another OpenSSL platform that has it. Though without looking I don't know 
> which platforms have a recent OpenSSL FIPS validation, either.
> - Switch to a FIPS-validated hardware crypto implementation, and either wire 
> OpenSSL to it using the ENGINE mechanism, or use a different TLS 
> implementation.
> - Put more constraints on the loader, for example by statically linking what 
> you can, and forcing other DLLs to load at other addresses (e.g. by setting 
> preferred bases, etc). In specific cases this may give you sufficient 
> control; in the general case it's a losing battle. Load libeay as early as 
> possible.
> - Put all your TLS processing in a separate service process that includes the 
> bare minimum of code and no DLLs other than OpenSSL; you might even link 
> OpenSSL statically. Use IPC to communicate between this TLS service process 
> and your application. Obviously there are performance and security issues, 
> though they're acceptable for some applications. You can control how the 
> stripped-down service process lays out its memory.
>
> All that said, I've never looked into this problem closely (I avoid the 
> FIPS-validated build as much as I possibly can), so someone else may well 
> have better suggestions.

Note you may not modify the openssl-FIPS build files or process.

However, building the openssl host container of the FIPS library build,
you may pin the DLL file with link flags and dodge this relocation.


Re: [openssl-users] Removing some systems

2016-03-22 Thread William A Rowe Jr
Just FTR...
http://www.osnews.com/story/28933/Blue_Lion_new_OS_2_distribution_due_2016

Not that I'd take that as a mandate to preserve support... We are having
the same internal dialog at the ASF httpd project and coming to the same
conclusions.
On Mar 17, 2016 1:36 PM, "Salz, Rich" wrote:

> We are planning on removing the following systems from OpenSSL 1.1:
>
> Netware
>
> OS/2
>
> There are a few reasons for this.  In no particular order they include:
> these platforms are no longer supported by the vendor; the configurations
> and builds have not been testable by the team for years and might not even
> work; nobody on the team has access to any of these.
>
> As a hopefully mediating factor, please note that they are still part of
> 1.0.2, which we have said is an LTS release with support until 2019.
>
> People interested in supporting any of these systems should look at
> building their own configuration with the template system; post on the
> openssl-dev list for help.  Reducing the footprint and tangle of #ifdef’s
> is also very important.
>
> We are also looking at others that are in a similar (although perhaps not
> identical) reason and will post here about them.
>
> --
> Senior Architect, Akamai Technologies
> IM: richs...@jabber.at Twitter: RichSalz


Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6

2013-05-22 Thread William A. Rowe Jr.
On Tue, 21 May 2013 16:12:45 +0530
Abhijit Ray Chaudhury abhijit.ray.chaudh...@gmail.com wrote:

 Hi,
 
 I have compiled openssl-fips and openssl in Windows CE 6. But when I
 run fips_premain_dso.exe libeay32.dll in the target environment I get the
 following error:
 
 =
 
 217450134:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could
 not bind to the requested symbol
 name:.\crypto\dso\dso_win32.c:296:symname(FINGERPRINT_premain)
 
 217450134:error:2506C06A:DSO support routines:DSO_bind_func:could not
 bind to the requested symbol name:.\crypto\dso\dso_lib.c:294:
 
 =
 
 Which means GetProcAddress is failing for symbol name
 FINGERPRINT_premain. But if I do dumpbin /exports libeay32.dll, I
 can see the symbol FINGERPRINT_premain exported.

You are correct (from dumpbin), which leads me to question whether 
you hadn't run the fips_premain_dso.exe binary in the CE 6 emulation
environment, but perhaps ran a win32 flavor of fips_premain_dso.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6

2013-05-21 Thread William A. Rowe Jr.
On Tue, 21 May 2013 16:12:45 +0530
Abhijit Ray Chaudhury abhijit.ray.chaudh...@gmail.com wrote:
 
 Which means GetProcAddress is failing for symbol name
 FINGERPRINT_premain. But if I do dumpbin /exports libeay32.dll, I
 can see the symbol FINGERPRINT_premain exported.

Quote that output line from dumpbin, exactly.  Namespace decoration
gets messy.


Re: Can't start Apache when ssl is enabled on RHEL v5.7

2012-01-23 Thread William A Rowe Jr
/dev/random is your culprit... your config isn't 100% transportable between
Solaris and linux.



-Original message-
From: Ruiyuan Jiang ruiyuan_ji...@liz.com
To: openssl-users@openssl.org openssl-users@openssl.org
Sent: Mon, Jan 23, 2012 23:23:51 GMT+00:00
Subject: Can't start Apache when ssl is enabled on RHEL v5.7

Hi,

I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) with
OpenSSL (v1.0.0x) enabled. They are running fine so far. Now we want to
migrate Apache to Redhat Enterprise server v5.7 (64 bit). I compiled
OpenSSL with the 64 bit option specified on RHEL and then compiled Apache the
same way with the same options as on the Solaris through a script that I
saved. I copied all the modified necessary configuration files from Solaris
and certificates from Solaris to Redhat and made necessary changes such as IP
addresses for Apache. When I start Apache on the Redhat, Apache just sits
there without giving back the shell prompt. The Apache access log and error
log are empty so I don't know the reason. If I disable Apache's https and
start only http, Apache starts fine. Does anyone know what could be the ssl
problem on Redhat? Thanks.


Ryan Jiang





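Rowe's diagnosis above is that a config carried over from Solaris makes httpd read the blocking /dev/random device on Linux. The following added example (mine, not from the thread) scans a constructed httpd config fragment for active mod_ssl SSLRandomSeed directives sourcing file:/dev/random and rewrites them to file:/dev/urandom; the sample config lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. On Linux, reads from /dev/random block
# until the kernel entropy pool refills, so an SSLRandomSeed directive copied
# from a Solaris httpd config can make httpd hang at startup with empty logs.

# Constructed sample ssl.conf fragment (assumed, not the poster's real file).
SAMPLE_CONF='SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect file:/dev/random 512
SSLRandomSeed startup builtin
SSLEngine on
# SSLRandomSeed startup file:/dev/random 1024'

# count_blocking_seeds FILE
# Prints the number of active (uncommented) SSLRandomSeed directives that read
# from file:/dev/random. Requiring a following blank or end-of-line keeps
# file:/dev/urandom from matching.
count_blocking_seeds() {
    awk '!/^[ \t]*#/ && /SSLRandomSeed/ &&
         (/file:\/dev\/random[ \t]/ || /file:\/dev\/random$/) { n++ }
         END { print n + 0 }' "$1"
}

# fix_random_seed IN OUT
# Writes IN to OUT with every active file:/dev/random source replaced by
# file:/dev/urandom; comment lines are left untouched.
fix_random_seed() {
    sed -e '/^[[:space:]]*#/!s#file:/dev/random$#file:/dev/urandom#' \
        -e '/^[[:space:]]*#/!s#file:/dev/random #file:/dev/urandom #' \
        "$1" > "$2"
}

# Stand-alone demonstration on the constructed sample.
conf=$(mktemp)
fixed=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
echo "blocking SSLRandomSeed directives before: $(count_blocking_seeds "$conf")"
fix_random_seed "$conf" "$fixed"
echo "blocking SSLRandomSeed directives after:  $(count_blocking_seeds "$fixed")"
rm -f "$conf" "$fixed"
```

Run it against a real httpd.conf or ssl.conf by replacing the sample with the file path; the rewrite only touches the entropy source, not the byte count or the startup/connect context.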



Re: Failing to build OpenSSL 1.0.0f on obsolete Debian box (i386, kernel 2.0.36)

2012-01-18 Thread William A. Rowe Jr.
On 1/18/2012 9:57 AM, Brooke, Simon wrote:
 Sadly, removing -fomit-frame-pointer does not work.

Isn't that the default behavior for -O3?





Re: FW: FIPS validation and TLS 1.2

2011-11-01 Thread William A. Rowe Jr.
On 11/1/2011 8:35 PM, Bin Lu wrote:
 
 Do you have an answer for my question below? Is the fips-2.0-test code
 branched off from a FIPS-capable version? Which version is it based on if yes?

AIUI, fipscanister doesn't include TLS 1.2.  Nor 1.0, nor SSLv3 or v2.

That's the beauty of proper delineation.




Re: FIPS-capable OpenSSL that works on Windows NT

2011-10-05 Thread William A. Rowe Jr.
On 10/5/2011 10:08 AM, Dr. Stephen Henson wrote:
 On Tue, Oct 04, 2011, William A. Rowe Jr. wrote:
 
 On 10/4/2011 10:45 PM, Bill Durant wrote:

 But when I run it under Windows NT, I get the following run-time error:

 The procedure entry point Module32NextW could not be located in the 
 dynamic link library KERNEL32.dll  

 If you use the equivalent of nm against the fipscanister.lib, I'd expect
 you'll find the binding there.
 
 I'd suggest the OP try to build the 2.0 test module and run fips_test_suite on
 NT as it may work. A lot of the platform specific code has been removed from
 the 2.0 module design.

I'd forgotten how significantly the whole POST code has been refactored,
thanks for the reminder Steve!



Re: FIPS-capable OpenSSL that works on Windows NT

2011-10-04 Thread William A. Rowe Jr.
On 10/4/2011 10:45 PM, Bill Durant wrote:
 
 Does anyone know how to produce a FIPS-capable OpenSSL that works on Windows 
 NT?

It's likely not possible...

 But when I run it under Windows NT, I get the following run-time error:
 
   The procedure entry point Module32NextW could not be located in the 
 dynamic link library KERNEL32.dll  

If you use the equivalent of nm against the fipscanister.lib, I'd expect
you'll find the binding there.

I see no reason the team would accommodate this in OpenSSL/FIPS 2.0, though.
Support for Windows NT 4.xx ended on December 31, 2004.  Support for Windows
2000 ended on July 13, 2010.  So updating security or cryptographic software
validation for such systems is something of an oxymoron.


Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?

2011-05-07 Thread William A. Rowe Jr.
On 5/7/2011 7:16 AM, Justin Schoeman wrote:
 
 It does not matter which of these I try, openssl always binds to '::1:8008',
 which does not accept IPV4.

 I have tried various combinations of:
 BIO_new_accept("0.0.0.0:8008")

This syntax should have bound to all IPv4 interfaces alone,
so as Michael suggests, it's certainly a bug.


Re: FIPS compliance question regarding openssl distributions

2011-03-06 Thread William A. Rowe Jr.
On 3/6/2011 3:48 PM, Tim Hudson wrote:
 In the example of building the openssl FIPS *capable* distribution, it
 seems one should take the distribution from the official
 openssl.org/source website and validate it using PGP.  However,
 FreeBSD ships openssl distribution within its source tree.
 
 You must follow the instructions contained in the Security Policy document
 with no deviations. It's that simple.
 
 So the answer to the question of can you start with a different distribution
 is a simple 'no' - even if the files are almost identical (or in fact even
 identical) you don't get that choice - you must follow the documented
 procedure.

...for building the fipscanister.  Once you have that, that binary artifact
(which you affirm as validated) can be used as the basis for building an
openssl 0.9.8 package in a usual manner.


Re: OpenSSL with Managed C++

2011-01-31 Thread William A. Rowe Jr.
On 1/31/2011 1:07 PM, John R Pierce wrote:
 On 01/31/11 10:55 AM, Harshvir Sidhu wrote:
 Hi,
 Can we use OpenSSL lib with Managed C++? Thanks.

 can you call native C style DLLs from this 'Managed C++' (whatever that
 is)?   my initial google of 'Managed C++' indicates it's a Microsoft .NET
 thing that was deprecated circa 2005.

The concepts of boxing and unboxing native calls from any .NET language
into a C library have never changed.  The syntax of C++.NET underwent
all sorts of convolutions after 1.0, but the concepts are the same.

To answer Harshvir, I haven't heard of anyone who coordinated all of the
pinvoke stubs/headers you might need.  Of course it's possible.  Best of
luck in your efforts, certainly google around for anyone who might have
already tried, and document your efforts for the next one to attempt it :)


Re: OpenSSL 0.9.7

2011-01-06 Thread William A. Rowe Jr.
On 1/6/2011 12:23 PM, Garry S Ditzler wrote:
 
 Can you tell me if OpenSSL 0.9.7 is still supported?

Yes, the answer is no, it is not.


Re: OpenSSL 1.0.0b testssl fails

2010-11-18 Thread William A. Rowe Jr.
On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
 
 A 1.0.0c release is planned in the next few days. We're just seeing if any
 other issues arise before the release: a couple have been fixed already.

Have any observed issues affected 0.9.8p?  If so, is there a planned .8q?


Re: OpenSSL 1.0.0b testssl fails

2010-11-18 Thread William A. Rowe Jr.
On 11/18/2010 12:05 PM, Victor Duchovni wrote:
 
 None that are publically visible. You can check for yourself:
 
 No commits to the 0.9.8 branch after the release of 0.9.8p.
 
 http://cvs.openssl.org/chngview?cn=19996

I was aware of this.  It's why I raised the question, if any of these were
slated for backport, but simply not applied yet.  The answer is no, so that
resolves my questions.


Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X

2010-10-14 Thread William A. Rowe Jr.
On 10/13/2010 3:31 PM, Bill Durant wrote:
 
 I am interested in building the static version of the FIPS-capable OpenSSL
 as a universal binary.

Three builds, per spec, of the FIPS canister.  No tweaks, no exceptions to
the security policy.

Then it's possible but non-trivial to integrate these three components into
any OpenSSL you would like to invent.


Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X

2010-10-14 Thread William A. Rowe Jr.
On 10/13/2010 7:22 PM, Bill Durant wrote:
 
 On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote:
 On 10/13/2010 3:31 PM, Bill Durant wrote:

 I am interested in building the static version of the FIPS-capable OpenSSL
 as a universal binary.

 Three builds, per spec, of the FIPS canister.  No tweaks, no exceptions to
 the security policy.

 Then it's possible but non-trivial to integrate these three components into
 any OpenSSL you would like to invent.
 
 Thanks.  That is exactly the approach that I am currently taking (will use
 lipo(1) to aggregate the FIPS-capable OpenSSL static libs to see if that
 works)...

That may not be sufficient, can ldfips be modified(?), it's certainly needed
to link static to the fips canister.  I'd put your energies into building a
dylib which would give you a smidge more flexibility.


Re: DLL issues with Windows

2010-09-30 Thread William A. Rowe Jr.
On 9/30/2010 11:42 AM, Jakob Bohm wrote:
 
 In Windows XP, Microsoft introduced their own badly designed idea of
 versioned so-names in the form of so-called Assemblies.  Unless
 you are writing .NET code, you should really avoid that nonsense.

I expect SxS packages for openssl (and several other common libraries) will
all be released and revisioned by the CoApp project in the coming months.
Think of this similarly to any other linux vendor's packaging and distribution
strategy, not replacing source code projects roles.

But as you warn, it is a non trivial problem with several bright people
working to solve the SxS aspects of the build and installer toolchains.


Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz

2010-08-04 Thread William A. Rowe Jr.
On 8/3/2010 1:17 PM, William A. Rowe Jr. wrote:
 On 8/3/2010 10:05 AM, Bryan wrote:
 I see a fips directory in 0.9.8o.  If I'm building OpenSSL with FIPS
 on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile?
 
 This is well documented in the FIPS user guide and security policy, and
 if you haven't read them in detail, what you are compiling undoubtedly
 does not conform to the mandatory FIPS policy.

Sorry, left off the link:

  http://openssl.org/docs/fips/fipsnotes.html


Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz

2010-08-03 Thread William A. Rowe Jr.
On 8/3/2010 10:05 AM, Bryan wrote:
 I see a fips directory in 0.9.8o.  If I'm building OpenSSL with FIPS
 on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile?

This is well documented in the FIPS user guide and security policy, and
if you haven't read them in detail, what you are compiling undoubtedly
does not conform to the mandatory FIPS policy.


Re: RPMBuild for FIPS OpenSSL

2010-07-09 Thread William A. Rowe Jr.
On 7/9/2010 9:05 AM, Steve Marquess wrote:
 Mark Parr wrote:
 Use of the FIPS OpenSSL is a mandated thing and not just something that we
 are looking to do for the fun of it.  In fact, the base OpenSSL was working
 fine using the FIPS AES 256 encryption in a non FIPS Certified mode.

 ...
 
 Yes, that was my assumption and the point I was trying to make: if you
 want to build your product from source in a clean and logical way then
 just leave the FIPS module creation out of it.  You will suffer less
 hair-pulling and tooth gnashing.  If you must use the FIPS validated
 module then IMHO your best approach is to build the validated module
 *once*, by hand with careful documentation, and henceforth just use that
 resulting validated binary. 
 
 Otherwise you're trying to perform what is effectively a ritual ceremony
 in an inappropriate secular context:  from the CMVP perspective the
 source code itself isn't validated, only the resulting binary when the
 specific peculiar build process has been followed, i.e. the ritual. 
 Perform that ritual once and you have one validated module that you can
 use many times -- perform it multiple times and you have multiple
 different validated modules.
 
 Or, here's another way to look at it.  I can take the same source code
 and generate binaries two different ways, one by following the ritual
 and one by deviating from the ritual in some technically trivial way
 (by, say, adding a superfluous --prefix config option).  The resulting
 binaries are functionally identical by any technical test that could be
 devised, yet one module is FIPS 140-2 validated and one isn't.

That isn't to say that it can't be rpm'ed, and the infrequently updated
fips canister (currently v1.2) can't be 'the dependency' for building
openssl-fips.



Re: error from generated code in ntdll.mak

2010-06-24 Thread William A. Rowe Jr.
On 6/24/2010 4:04 AM, Deckers, Rob wrote:
Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
 IF EXIST out32dll\libeay32.dll.manifest mt -nologo -manifest
 out32dll\libeay32.dll.manifest -outputresource:out32dll\libeay32.dll;2
 mt: Unknown option -n
 Usage: mt [-vV] [-[t|f] tapename] command [count]

Your mt commands in your path are conflicted.  I don't think we are writing
a 9 tape in order to compile programs.


Re: How to attach source code in a debug build(Win32 Visual C++)?

2010-06-17 Thread William A. Rowe Jr.
On 6/17/2010 10:10 PM, Dave Thompson wrote:
  From: owner-openssl-us...@openssl.org On Behalf Of JC Yang
  Sent: Wednesday, 16 June, 2010 23:53
   
  Hi, I'm new to openssl. I've just compiled openssl with Visual C++ 2008.
  I've read the installation guide and added the debug command in the
  mk1mf.pl line in do_masm.bat, but I found that there's no source code
  information included in the build. I'd like to know how I can attach the
  source code in the debug build for debugging's sake?
   
 Does it say something like no debug symbols or like source not found?
 
 1. For at least most of 0.9.8, mk1mf.pl had a flaw and didn't actually 
 put /Zi in the CFLAG setting as intended. If it didn't, do so manually.
 My notes say I also put /Yd; I'm not sure if that's (still?) needed.
 It appears to me 0.9.8o and 1.0.0a have (different!) fixes for this, 
 but I haven't had time yet to actually try either of them.
 
 2. Even if you have symbols, I believe they use relative pathnames, 
 and the IDE has to be told where to find them. In the old VS/VC++6 
 I have, this is in Tools / Options / Directories / SourceFiles .
 In newer versions it's probably different but should be similar.

More to the point, sources are never embedded into the obj/dll/exe.  They
must be distributed/available alongside a binary distribution (not really
a problem for open 'source' - heh).

So 'no source' means what Dave has said, you didn't point to the source.
If you are trying to do something more expansive than work with your own
build, allowing others to, you have a huge education ahead of you to fully
grok the mechanics of a ms dbg compatible source server.


Re: Up-to-date Tutorial

2010-06-16 Thread William A. Rowe Jr.
On 6/16/2010 12:10 PM, Dr. Stephen Henson wrote:
 
 Those for the bleeding edge development version are also available online too,
 see: http://www.openssl.org/docs/ the API doesn't change that much so those
 will be largely accurate for older versions of OpenSSL.
 
 The examples at the bottom of some pages can help and sometimes include code
 snippets.
 
 There are also some very basic sample programs under demos/ in each
 distribution.

The sources under apps/ (which comprise the tool 'openssl') are also quite 
useful.


Re: unable to build dynamic library on HP-UX RISC and Itanium

2010-06-02 Thread William A. Rowe Jr.
On 6/2/2010 11:08 AM, Alona Rossen wrote:
 
 Building the dynamic library on HP-UX fails even though I explicitly specify
 ‘shared’ as a Configure argument:
 
 ./Configure hpux64-ia64-cc -D_REENTRANT shared

Why are you adding -D for _REENTRANT?

I did a very similar build last week, no such problems, would you care
to be more specific about which OpenSSL package you are configuring?


Re: unable to build dynamic library on HP-UX RISC and Itanium

2010-06-02 Thread William A. Rowe Jr.
On 6/2/2010 4:04 PM, Alona Rossen wrote:
 This is a suggested configuration. -D stands for preprocessor define.

The reason I ask is that the entries in Configure should provide the
necessary defines, and if not, that is a bug.  As it was 'suggested',
we'll just presume things are fine w/w-o it.

You still failed to identify the openssl package you were configuring,
which doesn't give anyone much to go on, especially those who are in
some position to look at the problem.




Re: server side renegotiation

2010-04-15 Thread William A. Rowe Jr.
On 4/15/2010 12:42 PM, Adam Grossman wrote:
 hello,
 
 i had my code running on 0.9.8e without any issues.  i upgraded to
 0.9.8n, and now when my server initiates a renegotiation with the client
 (which is either IE or Firefox), SSL_renegotiation returns a 0.  i
 understand from the CHANGELOG that it was not allowed until 0.9.8m, but
 this line confuses me:
 
 Re-enable renegotiation but require the extension as needed.
 
 i do not know what it means to require extensions.  Short of setting
 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, what do i need to do to
 have renegotiations work again?

Upgrade the client to support the new negotiation API.  As usual, clients
were lagging for some server implementations to validate against.


Re: ERROR LINK2019

2010-04-13 Thread William A. Rowe Jr.
On 4/13/2010 4:49 PM, 芦翔 wrote:
 Dear all,
I am trying to add the security flavor to an application. To achieve
 this objective, I wrote the codes to establish a security tunnel between
 the server and the client with VC2008. When I build the whole project,
 there are tens of similar errors. All of them are as follows:
  
 SSLServer.obj : error LNK2019: unresolved external symbol _BIO_free
 referenced in function int __cdecl
 SSL_CTX_use_PrivateKey_file_pass(struct ssl_ctx_st *,char *,char *)
 (?SSL_CTX_use_PrivateKey_file_pass@@YAHPAUssl_ctx_st@@p...@z)

That signature is consistent with C++ argument folding.

The openssl headers you've used probably were missing this decoration:

#ifdef __cplusplus
extern "C" {
#endif

...

#ifdef __cplusplus
}
#endif

So you should put your #include references in between the snippets above
(in place of the ... ellipsis).



Re: does bio_get_mem_data handle unicode?

2010-04-08 Thread William A. Rowe Jr.
On 4/7/2010 12:33 PM, Ryan Pfeifle wrote:
 While we are on the subject of Unicode, there are other areas of OpenSSL
 that need Unicode support added, in particular handling of paths and
 filenames on UTF16-based filesystems that require wchar_t* parameters.
 For instance, on Windows, OpenSSL cannot load certificate
 files/directories that have Unicode characters in them.  On 'nix, this
 is not a problem for systems that use UTF8-based filesystems, which can
 be passed via char* parameters.  The Indy library
 (http://www.indyproject.org) had to work around this issue recently by
 implementing its own versions of SSL_load_client_CA_file(),
 SSL_CTX_use_certificate_file(), SSL_CTX_use_PrivateKey_file(), and
 SSL_CTX_load_verify_locations() from scratch using a custom
 X509_LOOKUP_METHOD structure and support routines.

That's one approach.  Another is to use UTF-8 filenames as the local code
page, this is the solution the APR library opted for.  Either way, the
OpenSSL API needs customization to pass wchar args for path names, etc.
Starting as utf-8, or handled entirely by unicode.


Re: OpenSSL 1.0.0 and FIPS

2010-03-31 Thread William A. Rowe Jr.
On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote:
 
 I assume the 2010 limit on new validations is the impending finalization
 of 140-3.

What you are thinking of won't be designated 140-3; it's not sequential, and
there is such a FIPS level already.  Probably FIPS-{new}-2 or FIPS-140-2 2010
or something like that.

FIPS 140-3 implies a level of physical validation that an open source project
isn't able to consider validating to.  If you were to bundle OpenSSL-FIPS into
a sealed card, and add the appropriate cert/key mgmt, then you could consider
applying for FIPS 140-3 validation for such a physical device.


Re: OpenSSL 1.0.0 and FIPS

2010-03-31 Thread William A. Rowe Jr.
On 3/31/2010 4:21 PM, Gatewood (Woody) Green wrote:
 
 Actually, no 140-3 will be successor to 140-2 which is successor to
 140-1.  The hyphenated number is a release version.

Woody, thanks for this clarification...

 You are trying to talk about FIPS 140-2, Level 3 certification in your
 example. (bottom of page two in the gov't 140-2 PDF; see link below)
 
 The levels are *within* the particular 140-x standard.  Case in point,
 the original draft of 140-3 contained five levels but has since been
 reduced back to four as is in the 140-2 version.  Second example, we
 have 140-2, Level 2 certification on a subset of our products (version,
 model and product specific).

and these additional details!  Yes, I had confused the rev level with the
FIPS certification level.


Re: FIPS linked as a shared library

2010-01-18 Thread William A. Rowe Jr.
On 1/18/2010 2:42 PM, Kyle Hamilton wrote:
 The way that the FIPS module verifies its signature is that it forces
 itself to load (via a pre-main() section) and then calculate the
 checksum of the image in-core.  Probably the reason why you're running
 into issues is because of the fixup step of the dynamic linker.
 
 If you expect to use FIPS, you should link it as a hard dependency
 (also known as 'strict binding', as opposed to 'lazy binding') so that
 it can be loaded as early as possible, to minimize the chances of the
 linker needing to run fixups after application-code memory allocation.
  As you've found, the image in-core *must* match the original image
 in-core when the signature was generated, and the linker changes the
 pointers of where things are located when it has to.

Wouldn't applying the PIC compiler flag across all .o's accomplish the
same thing?


Re: CryptoAPI calls failing in rand_win on Windows 7

2009-11-12 Thread William A. Rowe Jr.
James Baker wrote:
 
 The problem does occur with full admin privileges.

To be 100% clear, this is full admin with no UAC?  UAC will drop privilege
of an app seemingly running as 'administrator'.


Re: FIPS OpenSSL compilation error

2009-08-26 Thread William A. Rowe, Jr.
Dave Thompson wrote:
  From: owner-openssl-us...@openssl.org On Behalf Of Pankaj Aggarwal
  Sent: Tuesday, 25 August, 2009 05:06
   
  I am using cygwin on windows xp to compile FIPS Openssl 1.2 using
 Visual studio 2005.
 
 Apparently you mean cygwin _perl_. The MS compiler and linker 
 (which are the only ones permitted under the validated policy)
 run in the normal Windows environment not the Unixoid cygwin one.

Dave, I'm pretty sure you are the one confused.  The last I looked,
which was a while ago, MinGW was the only option for building openssl
in FIPS mode.  But they have introduced a CC flag, so all bets are off.



Re: FIPS OpenSSL compilation error

2009-08-26 Thread William A. Rowe, Jr.
William A. Rowe, Jr. wrote:
 Dave Thompson wrote:
 From: owner-openssl-us...@openssl.org On Behalf Of Pankaj Aggarwal
 Sent: Tuesday, 25 August, 2009 05:06
  
 I am using cygwin on windows xp to compile FIPS Openssl 1.2 using
 Visual studio 2005.

 Apparently you mean cygwin _perl_. The MS compiler and linker 
 (which are the only ones permitted under the validated policy)
 run in the normal Windows environment not the Unixoid cygwin one.
 
 Dave, I'm pretty sure you are the one confused.  The last I looked,
 which was a while ago, MinGW was the only option for building openssl
 in FIPS mode.  But they have introduced a CC flag, so all bets are off.

I reread this this morning and Dave is right, he just confused me :)
You need to set up the MSYS/MinGW toolchain instead of Microsoft C
to build at least the FIPS canister.  The fact that you installed
cygwin already is a good start, but you need to point your path to
reference the MSYS/MinGW tools first.


Re: openssl 0.9.8D, Solaris 10 difficulties

2007-02-09 Thread William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
 
 In the previous post, another subscriber suggested patching SunStudio 11.
 I applied all the patches I could find on SunSolve (namely, 120761-03,
 121023-04, and 122142-03.)  I'm getting the same result, so I'm really
 baffled at this point.   Any suggestions would be very much appreciated!

You must have missed one... otherwise crank down your optimizations with
the notes suggested in the RT ticket 1281.


Re: 0.9.8d compile and/or test problems with Solaris 10 compiler on sparc v9

2006-12-20 Thread William A. Rowe, Jr.
Michael Durket wrote:
 There seem to be a few problems successfully building OpenSSL
 on a Sun T2000 running Solaris 10 using the Sun Studio 11
 compiler suite.
 
   I ignored those warnings and ran make which appeared to 
 work. However, after doing a 'make test' I received this 
 error:
 
 Testing cipher AES-128-ECB(encrypt)

That's the loop unroll bug 1281.  You didn't bother to patch your
installed sunstudio, eh?


Re: SSLv3 handshaking fails on solaris

2006-12-12 Thread William A. Rowe, Jr.
Because Solaris has a loop unroll optimization bug.

Apply all the latest patches to SunStudio 11 and it should work.  Please
check back in to let us know.

It's a really high level bug - because it hit both sparc and x86 :)

Donny Dinh wrote:
 
 I managed to get the solaris build to work properly by changing the
 compiler flags
 
 i.e. using config rule debug-solaris-sparcv8-cc instead of
  solaris-sparcv8-cc
 
 Why exactly does it work now...? I'm not too sure, but I reckon it's some
 kind of timing issue
 (considering that Michael Stroder suggested using the -pause option -
 which btw didn't work for me)
 
 
 
 
 
 Michael Ströder [EMAIL PROTECTED] wrote on 12/12/2006 09:06 PM
 (Re: SSLv3 handshaking fails on solaris):
 
 Donny Dinh wrote:

 ./openssl s_client -connect www.google.com:443 -state
 [..]
 6709:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record
 mac:s3_pkt.c:1057:SSL alert number 20
 6709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
 failure:s23_lib.c:188:

 If I force it to use SSLv2 only, it works correctly.
 
 Also try the option -pause together with SSLv3.
 
 I think this is a solaris problem because I have tested this on other
 platforms (linux, hpux, aix) and it works correctly.
 
 I have seen similar problems on other platforms (client and server). I
 was not able to track it down to a deterministic failure though.
 
 Ciao, Michael.
 


Re: WIN32 winsock vs winsock2 coexistence?

2006-11-24 Thread William A. Rowe, Jr.
Michael - just to rest your mind - you might want to examine both wsock32.dll
and winsock2.dll using DEPENDS.EXE.

You'll find the results are interesting :)


Re: WIN32 winsock vs winsock2 coexistence?

2006-11-23 Thread William A. Rowe, Jr.
Brown, Michael A wrote:
 I’m looking at an app where the app and all libs/DLLs it uses EXCEPT
 openssl use ws2_32, and openssl uses wsock32. Is this a problem or can
 the two coexist peacefully? It makes me somewhat uneasy.

Well, using winsock period makes me uneasy ;-)

Seriously - no - there's no issue.  You are coming from a unix perspective
where an exported function such as 'connect()' exists once in the global
symbol table.  Not so on win32 - it's more akin to the OSX two-level
namespace schema.  When you bind a symbol on windows, you bind the PE Binary to
the specific function -within- a specific DLL.

Because they all become system handles, there are really no other differences.

Bigger issues include using nonblocking sockets on winsock functions that
really expected a blocking socket, etc.



Re: Question reagrding OpenSSL recent security advisory

2006-09-06 Thread William A. Rowe, Jr.
Marek Marcola wrote:
 Hello,
 I have read the advisory and I am a bit puzzled regarding the "there are
 CAs using exponent 3 in wide use" comment. I have tried to check and
 could not find any CA using this exponent; all the CA's I have seen
 are using 0x10001 (CA's I have generated by OpenSSL using default
 values, world wide trusted CA's such as VeriSign and Thawte etc.)

 are only old CA’s using exponent 3 ? 
 Could anyone elaborate some on this?

 Look at:
 http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

That's a rather worthless answer Marek, the question isn't what is the
flaw (mishandled exponent 3-signed certificates), but the prevalence.

My cursory examination shows most keygen tools have been using F4 style
exponents most of this century.  Two cases came to mind...

  Private CA's generated with very old tools (such tools fester a long time)

  Old signing keys reused for fresh signing request keys (anathema of best
  practices)

but most importantly, public signing keys.  Hagai asks how prevalent such
exponent 3 public or commercial signing keys still are?  Someone stated
they are in wide use.  This is not 'private' information, and Hagai just
asked if someone has done the actual research of affected public/commercial
signing authorities?
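Bill's question is how many public signing keys still carry exponent 3. As an added example (not code from the thread), here is a pure-Python audit that parses a PKCS#1 RSAPublicKey (DER or PEM) and flags any public exponent below F4 (65537), the value current keygen tools use; the DER encoder, the parser and CONSTRUCTED_MODULUS (an arbitrary 1024-bit number, not a real RSA modulus) are my own constructions.

```python
"""Audit an RSA public key for a small public exponent (e.g. 3).

Added example, not code from the thread.  Parses the PKCS#1 RSAPublicKey
structure directly so it runs without libcrypto bindings.
"""
import base64
from typing import Tuple

F4 = 65537  # exponent used by modern keygen tools; anything smaller is flagged

# Constructed sample modulus: an arbitrary 1024-bit odd integer, NOT a product
# of two primes.  Only its DER encoding matters for this audit.
CONSTRUCTED_MODULUS = int.from_bytes(bytes(range(128)), "big") | (1 << 1023) | 1


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos; return (tag, value, end offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der: bytes) -> Tuple[int, int]:
    """Return (modulus, exponent) from a PKCS#1 RSAPublicKey; reject trailing data."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER, INTEGER }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def der_to_pem(der: bytes) -> str:
    """Wrap DER in the PEM armor openssl uses for PKCS#1 public keys."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PUBLIC KEY-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode the body."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def audit_exponent(der: bytes) -> dict:
    """Flag keys whose public exponent is below F4 (exponent 3 included)."""
    n, e = parse_rsa_public_key(der)
    return {"modulus_bits": n.bit_length(), "exponent": e, "small_exponent": e < F4}


if __name__ == "__main__":
    for e in (3, F4):
        pem = der_to_pem(encode_rsa_public_key(CONSTRUCTED_MODULUS, e))
        print(audit_exponent(pem_to_der(pem)))
```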






Re: license question

2006-08-29 Thread William A. Rowe, Jr.
Ryan Shon wrote:
 
 I work for nFocal, a company in
 Rochester, New York.  We want to develop a variant of OpenSSL
 in which we optimize the cryptography library to run on
 a particular DSP.  The other components of OpenSSL would remain
 unchanged except where needed to utilize our custom library.
 We might modify OpenSSL's cryptography library,
 or we may write our own from scratch.  Could you please explain
 our licensing restrictions for these two scenarios?

Just an observation, but if you left the OpenSSL core alone, and created
your optimized module as a loadable engine for OpenSSL - I suspect you
would have a win-win from licensing, distribution and code design views.


Re: Hiding headers for OpenSSL

2006-08-21 Thread William A. Rowe, Jr.
Thomas J. Hruska wrote:
 Now compare that number to how many hackers know and care about the same
 information.

None.  If an exploit exists, it will be exploited.  You are a fool if you
expect that a hacker would rely on the reported version number to elect
one of the dozens of past exploits.  They simply pound all of them at the
server until they discover one works.

Legitimate users are the actual browsers and other non-interactive clients
which make deterministic decisions about process flow and exploit *features*
based on if they know the server is capable of using the optimization or
bandwidth saving feature reliably.

Close any vulnerabilities by applying the current/corrected code, if you
actually want to prevent your server from being exploited.  Hiding your
head in the sand by attempting to hide the software you are running is
foolish and silly.



Re: CHecking the version of OpenSSL

2006-08-10 Thread William A. Rowe, Jr.
Randy Turner wrote:
 I would probably consider the publishing of the openssl version on the web 
 server announcement message as a security issue.

And some of us would laugh in your general direction ;-)

Exploiters don't need to know, they can just persist till they find
a known exploit.


Re: Last call to BIO_read in loop freezes

2006-07-17 Thread William A. Rowe, Jr.

David Schwartz wrote:


Notice the two persistent connection headers returned? And, in practice,
the connection is in fact persistent. If you were correct, the server would
ignore the Connection header since it has no meaning. Try it without a
connection header and you will see the difference.


Exactly.  In HTTP/1.1, keepalive is implicit.  In HTTP/1.0, on servers which
support it, a Connection: keep-alive header achieves the same.
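The rule Bill states above, worked through as an added example (not code from the thread): HTTP/1.1 persists by default, HTTP/1.0 only with an explicit Connection: keep-alive, and on a persistent connection the server never closes the socket after the body, so a loop that calls BIO_read until it returns 0 blocks on the last call and the body end must come from Content-Length or chunked framing instead. The sample responses are constructed, not captured traffic.

```python
"""Does the response leave the connection open, and how does the body end?

Added example, not code from the thread.  Encodes HTTP/1.0 vs HTTP/1.1
persistence rules and what they mean for a client read loop.
"""
from typing import Dict, List, Optional, Set, Tuple

Headers = Dict[str, List[str]]


def parse_response_head(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split raw bytes into (HTTP version, lower-cased headers, body so far)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.decode("iso-8859-1").split("\r\n")
    version = lines[0].split(" ", 1)[0]
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: Headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers, body


def _tokens(headers: Headers, name: str) -> Set[str]:
    """Comma-separated token values of a header, lower-cased (e.g. Connection)."""
    return {t.strip().lower() for v in headers.get(name, [])
            for t in v.split(",") if t.strip()}


def connection_persists(version: str, headers: Headers) -> bool:
    """Will the server keep the connection open after this response?"""
    conn = _tokens(headers, "connection")
    if "close" in conn:
        return False                 # an explicit close always wins
    if version == "HTTP/1.1":
        return True                  # keep-alive is implicit in 1.1
    return "keep-alive" in conn      # HTTP/1.0: only when the server says so


def body_framing(headers: Headers) -> Tuple[str, Optional[int]]:
    """How the body's end is signalled: chunked, a byte count, or peer close."""
    if "chunked" in _tokens(headers, "transfer-encoding"):
        return "chunked", None
    if "content-length" in headers:
        return "length", int(headers["content-length"][0])
    return "eof", None


def read_plan(raw: bytes) -> dict:
    """What a client read loop must do for this response."""
    version, headers, body = parse_response_head(raw)
    persists = connection_persists(version, headers)
    framing, length = body_framing(headers)
    return {
        "version": version,
        "persistent": persists,
        "framing": framing,
        "remaining": None if length is None else max(length - len(body), 0),
        # reading until the read returns 0 only terminates when the peer closes
        "read_to_eof_safe": not persists,
        # persistent but unframed: the client cannot find the body end at all
        "ambiguous": persists and framing == "eof",
    }


# Constructed sample responses (not captured traffic).
RESP_11_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
                  b"Content-Type: text/plain\r\n\r\nhel")
RESP_10_PLAIN = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"
RESP_10_KEEPALIVE = (b"HTTP/1.0 200 OK\r\nConnection: Keep-Alive\r\n"
                     b"Content-Length: 5\r\n\r\nhello")
RESP_11_CLOSE = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello"
RESP_11_CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                   b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for raw in (RESP_11_LENGTH, RESP_10_PLAIN, RESP_10_KEEPALIVE,
                RESP_11_CLOSE, RESP_11_CHUNKED):
        print(read_plan(raw))
```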


Re: How to verify OpenSSL lib version from autoconf?

2006-06-25 Thread William A. Rowe, Jr.

httpd's scripts are known to the autoconf community as gross bastardizations
of intent of autoconf, so be forewarned ;-)  But they do illustrate verifying the
version of openssl, take a look at APACHE_CHECK_SSL_TOOLKIT in:

http://svn.apache.org/repos/asf/httpd/httpd/trunk/acinclude.m4

Matt England wrote:
My project's code is apparently compatible with OpenSSL 0.9.7g (and 
possibly higher) but not 0.9.8 (because the header file changed from 
0.9.7 and 0.9.8...which seems rather undesirable).


In any case, I'd like our autoconf macros to be able to automatically 
check to see if 0.9.7g and higher is installed (but 0.9.8 or higher).  
Does anyone have a recommendation for how to do this?


-Matt




Re: Reading/Writing to disk files on Windows...

2006-06-23 Thread William A. Rowe, Jr.

Kendall, Jerry wrote:

Now, I have a Unix Project that runs wonderfully on Linux/Aix/Solaris…..
There are two lines of code that cause a windows exception.

   PEM_write_PrivateKey(fp, NewKeyReq, Cipher, GetCode(0),strlen(GetCode(0)), 
NULL, NULL);

   PEM_write_X509(fp, x509_Cert);


Did you call CRYPTO_malloc_init();   ?


Re: FIPS 1.1 module availability

2006-06-21 Thread William A. Rowe, Jr.

I heard 'very soon now' :)

Tinnerello, Richard wrote:
Can anyone say when the openssl-fips-1.1.tar.gz distribution announced 
on Saturday will be available for download? Thanks!


Richard




Re: Is FIPS 140-2 Validation violated

2006-06-14 Thread William A. Rowe, Jr.

Kyle Hamilton wrote:

It will violate the FIPS security policy.  That much has been stated,
but there's been no workaround that I'm aware of to select alternate
options like that.


Right, not with openssl ./config.  However, some folks might want to consider
if their compiler environment can be adjusted to correctly default to their
preferred flavor, in such a way that openssl respects and defaults to the sys
configuration?  /pondering an alternate implementation of 'uname', too.


(yay lack of foresight and a required-to-be-closed validation process.)


The best laid plans of mice.


Re: 0.9.8b windows binaries

2006-05-08 Thread William A. Rowe, Jr.

hunter wrote:

On 5/7/06, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:


Typically one links to the static library then, which of course will only
link in .obj files that are consumed.  One bit of OpenSSL magic are the
separate objects which create a (relatively) quite small binary.  That is,
if you use explicit methods, e.g. use TLSV1_server_init if you will only
respond with TLS, instead of SSLV23_server_init where you draw in much
more conditional code.


Are you saying that if I build and provide a package with static libs
and headers that an application could use this to compile smaller
binaries?


Yes.


I will look for instructions on how to do this...


You should find ms/ntdll.mak as well as ms/nt.mak, one spits out dynamic libs
into out32dll/, the other static libs into out32/.



Re: 0.9.8b windows binaries

2006-05-07 Thread William A. Rowe, Jr.

Mike Ehlert wrote:


but what I'm after now is some information on any tricks to compiling
the DLL's with only the features needed for my application to reduce
their size.


Typically one links to the static library then, which of course will only
link in .obj files that are consumed.  One bit of OpenSSL magic are the
separate objects which create a (relatively) quite small binary.  That is,
if you use explicit methods, e.g. use TLSV1_server_init if you will only
respond with TLS, instead of SSLV23_server_init where you draw in much
more conditional code.

Bill


Re: setup question

2006-05-01 Thread William A. Rowe, Jr.

Bill Angus wrote:
I'm having a little trouble with setting up a secure server on windows 
with openssl and Apache2 + Mod_SSL. 


Well, you are in the wrong place, this should be on [EMAIL PROTECTED]
Neverminding that blunder, and possibly aggravating your good openssl user
supporters by entertaining your question...


The config I am attempting to use for the secure directory is as below.
listen 443
...
<VirtualHost *:443>


Why *:443?  stop and consider - them's named virtual host fighting words, and
you aren't (shouldn't be using) named ssl hosts (unless you have a couple weeks
to spare to understand exactly what you are doing).  You meant to say...

<VirtualHost _default_:443>

or

<VirtualHost 0.0.0.0:443>

or when you know exactly which IP (you should!) then spit it out boy...

<VirtualHost 192.168.1.27:443>


ServerName www.psychtest.com http://www.psychtest.com:443


I hope this is a quirk in your mailer.  You should simply have...
ServerName www.psychtest.com


DocumentRoot C:/Homepage/secure
<Directory C:/Homepage/secure>


I'm thinking you wanted to add to this <Directory> section...

SSLRequireSSL

if you want to be sure nothing can access that directory except through ssl.


#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on


That's good, the rest looks good, I hope you had a trailing </VirtualHost>
you just forgot to mention.


Re: setup question

2006-05-01 Thread William A. Rowe, Jr.

William A. Rowe, Jr. wrote:

Bill Angus wrote:

I'm having a little trouble with setting up a secure server on windows 
with openssl and Apache2 + Mod_SSL. 



The config I am attempting to use for the secure directory is as below.
listen 443
...
<VirtualHost *:443>


Why *:443?  stop and consider - them's named virtual host fighting words, and
you aren't (shouldn't be using) named ssl hosts (unless you have a couple weeks
to spare to understand exactly what you are doing).


Actually if you attempted this, you would need a corresponding NamedVirtualHost
directive for port 443, and you want to review this page:

http://wiki.cacert.org/wiki/VhostTaskForce

Sorry I forgot to throw in the link in my earlier reply.

Bill


Re: OpenSSL fips 1.0 Borland Builder 5

2006-05-01 Thread William A. Rowe, Jr.

Rovan, Jim (IMS) wrote:

When I attempt to follow the instructions from the Compilation of
OpenSSL-fips-1.0 under Windows thread (2006-03-31) to build fips
OpenSSL for Borland Builder 5, I can make it through the point where I
run ms\do_nasm fips to create bcb.mak for the 0.9.7 snapshot.  But
when I attempt to run the make file with make -f bcb.mak,  I get
unresolved external errors.  The non-fips version builds correctly, so
my guess is that the make file is not being constructed correctly when
the fips option is applied to do_nasm.  Any ideas? I've included the
actual error messages below.


The same answer applies to Borland, Jim, as the recent posts for Visual C
compiler users.  You must use the MSYS toolchain to do your initial build
and create the fips bundle module.  Once that is done, you can rebuild
the rest of the window dressing however you like, but the fips object
module can never again vary.


Re: Addendum, make report included

2006-03-30 Thread William A. Rowe, Jr.

[EMAIL PROTECTED] wrote:
I am unable to install openssl 0.9.8a as I sent earlier. Here is make 
report:
 
Compiler: gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 
release)


EEEK!  2.91?  Really?

Try a more modern compiler that understands modern assembly syntax.


Re: How to debug into the OpenSSL(openssl-0.9.8a) source code

2006-03-28 Thread William A. Rowe, Jr.

Jie Zhang wrote:

Hello everybody,

I am not able to debug into the OpenSSL library(openssl-0.9.8a) with my Microsoft 
Visual C++ .net IDE.

But during my application execution, I got:

'alfssl2_server.exe': Loaded 
'C:\Jie\vscode\alfssl2_work_client\Debug\ssleay32.dll', Symbols loaded.


'alfssl2_server.exe': Loaded 'C:\Jie\vscode\alfssl2_work_client\Debug\libeay32.dll', Symbols loaded. 

My application is running in debug mode, in my application's project properties, 


Debug Information Format is: Program Database(/Zi)

Runtime Library: Multi-threaded Debug DLL(/MDd)


I don't use the 'debug' flavor, I make sure my compile includes /Zi /Oy- and
my link includes /debug /opt:ref

This usually works for me (although it optimizes out a lot of locals, I usually
only need to see the arguments passed down the call stack.)

Bill


Re: How to debug into the OpenSSL(openssl-0.9.8a) source code

2006-03-28 Thread William A. Rowe, Jr.

Venkata Sairam wrote:

I am also encountering the same problem. I tried adding in options as 
suggested. I had modified the CFLAG and LFLAG as below.
CFLAG= /MD /Ox /O2 /Zi /Oy /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_SYSNAME_WINNT -DUNICODE -D_UNICODE -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5


LFLAGS=/nologo /subsystem:console /machine:I386 /debug /opt:ref


NOT /Oy !!!  That's a BS optimization, sure it reduces processing time
at the cost of making your stack worthless.

/Oy-

The minus sign is NOT a typo.  Turn off the option, then report back.

Bill


Re: Updating OPENSSL

2006-03-18 Thread William A. Rowe, Jr.

Richard Levitte - VMS Whacker wrote:

In message [EMAIL PROTECTED] on Sat, 18 Mar 2006 02:27:18 -0500, Hector Santos 
[EMAIL PROTECTED] said:

ssluser I have multiple applications using OPENSSL 0.9.7c and I'm finally 
getting
ssluser around to updating it.
ssluser 
ssluser Can I just use the new DLLs for 0.9.8a or do I need to

ssluser recompile my applications?  I take it I will be fine with
ssluser 0.9.7i dlls.


The 0.9.8 are likely to be binary-incompatible with your modssl compiled for
0.9.7.  Stay with 0.9.7 until you update your mod_ssl.so module!  They must
stay in-sync.


It really depends on what your application uses the libraries for.
There are some fundamental changes in some parts of the libraries
between the 0.9.7 and the 0.9.8 series, so to be on the safe side, I'd
recommend you to recompile your applications for 0.9.8a.


Also keep in mind when building httpd that if you are compiling in with
php, perl, or openldap, they must all be binding to the same openssl binary.
If you load mod_php, mod_perl, and mod_authnz_ldap built against openldap
(ssl-enabled) you are loading these bindings on the fly, and if one has
been built against a different openssl, things will come crashing down
around you (if they load at all.)

Bill


Re: GNU C (MinGW) - Error 2

2006-03-13 Thread William A. Rowe, Jr.

Doug Frippon wrote:

I mean instead of just writing tmp\e_os.h in your config file (there's
one probably) write down c:\openssl-0.9.8a\tmp\e_os.h
maybe mingw32 couldn't find tmp\e_os.h and needs the full path to that file


Certain that \o isn't a quoted o in this context?  Forward or doubled-back
slashes?


Re: Compiled on windows but lacking symbols

2006-03-01 Thread William A. Rowe, Jr.

Chandi Bernier wrote:


My point was... why on Linux did I need only libssl and to compile the 
same client on Windows/MinGW requires libssl and libeay32.  


Something's wrong.

You either want libssl + libcrypto, or libssl32 + libeay32.

On Linux the reason it -probably- worked is that

 1. linux doesn't care that symbols aren't resolved, and
 2. libssl.so might have had an internal linkage to libcrypto.so, causing
it to be loaded on the fly.
 3. libtool may have picked up the libcrypto.so dependency from the pkgconfig
file for the library.


Re: Compiled on windows but lacking symbols

2006-03-01 Thread William A. Rowe, Jr.

William A. Rowe, Jr. wrote:

Chandi Bernier wrote:

My point was... why on Linux did I need only libssl and to compile the 
same client on Windows/MinGW requires libssl and libeay32.  


Something's wrong.

You either want libssl + libcrypto, or libssl32 + libeay32.


Whoops - you either want libssl + libcrypto, or ssleay32 + libeay32.
Sorry for the confusion and thanks to the good Dr. for pointing this out.


Re: compile error in randfile.c on Solaris 10 Opteron

2006-02-24 Thread William A. Rowe, Jr.

Tinnerello, Richard wrote:

Hello,
I'm having trouble building 0.9.7i on a Solaris 10 on x86 (Opteron) 
machine. I configured manually with:
./Configure solaris-x86-gcc --prefix=/sci/openssl-0.9.7i no-idea no-rc5 
no-mdc2 fiips


make depend is OK, but make gets this compile error:

/usr/include/sys/siginfo.h:259: error: parse error before ctid_t


Yes, that's a failure to run ./mkheaders from the gcc package, instructions
are clearly shown in red font on sunfreeware.com's site among others.

Glad your admin worked that out.

Bill


Re: Trying to build OpenSSL 0.9.8a from source

2006-02-24 Thread William A. Rowe, Jr.

Fabro, Loic wrote:

Hum... I remove support for IDEA (and no fPIC) and now the test is segfaulting..


make clean
make depends

?


Re: function PEM_read_RSAPrivateKey not returning

2006-02-21 Thread William A. Rowe, Jr.

Matthias wrote:

Kyle Hamilton wrote:


Did you make sure to remove %SYSTEMROOT%\system32\ssleay32.dll and
libeay32.dll?  Just running the uninstaller doesn't get rid of them.


No, I forgot that. Sorry, my fault.

I now replaced those two DLLs with the ones I compiled myself.

Good news: in Release mode my program works as expected.

Bad news: in Debug mode it crashes.


This is very typical of applications compiled under Microsoft compilers
where the library is built one way and the application is built another.

Please make certain your debug build of your consuming app and the library
match in cl.exe/link.exe flags, both debug, or both release.

Bill


Re: function PEM_read_RSAPrivateKey not returning

2006-02-21 Thread William A. Rowe, Jr.

Matthias wrote:

I deleted all ssl-related DLLs on my system now.

When I compile OpenSSL as described in INSTALL.W32, point the include 
library directory of my example program on openssl\out32dll, recompile 
my example program, copy the 2 DLLs from openssl\out32dll to my 
example project directory...
...then my example program will succeed when I run it in Release Mode 
but will crash when I run it in Debug Mode.


When I compile OpenSSL as described in INSTALLW32 with that tweak (*),
point the library include directory on openssl\out32dll.dbg, recompile 
my example program, copy the 2 DLLs from openssl\out32.dbg to my 
example project directory...

...then my example program will crash when I run it in Release Mode
but will succeed when I run it in Debug Mode (so just vice versa).

(*) tweak in file ms\do_masm.bat:
perl util\mk1mf.pl debug VC-WIN32 ms\nt.mak
perl util\mk1mf.pl debug dll VC-WIN32 ms\ntdll.mak

Surprisingly the DLLs have exactly the same size, no matter whether
compiled with that tweak or not. They are binary different though.


This is not a surprise.  Debug symbols land in a separate file, but the
segment alignment means that minor changes to the compile process generally
create identically sized files.


libeay32.dll: 1.220.608 Bytes
ssleay32.dll:   249.856 Bytes

Despite many *.pdb files in the openssl\out32dll.dbg directory
I am unfortunately not able to produce a nicer call stack :(


You are looking for the result from the linker, probably libssl32.pdb
and libeay32.pdb, which you should move *WITH* the actual .dll files to
their final location.


So, result is that I have to use the LIBs and DLLs from out32dll
when compiling and running in Release mode and the LIBs and DLLs
from out32dll.dbg when compiling and running in Debug Mode.
In any other mixture it simply crashes. But at least it doesn't
just halt/loop anymore.


One most confusing thing is that MS actually has two -different- pdb
files.  One is a source program database, one is an executable program
database.  You want to locate the one with a name matching your .dll
files into the same location as the .dll that your application loads.
You also want to ensure that /ZI or /Zi is used to compile your app,
and /debug given to linking your app, so that you can unwind the stack
from the library into your app.  Finally, it also helps to turn off
optimization (/Od to the compiler) to make stacks more readable, and
I personally throw out the /Oy flag (/Oy- to force this) no matter what.
That flag causes the compiler not to build neat stack frames out of some
twisted desire for efficiency.  Even my release builds are /Zi /O2 /Oy-
to get all the optimizations but with stack frames and .pdb results,
and then linked with /debug /opt:ref.

Bill


Re: Problems with deprecated kbhit() under MS VC/C++ V8.0 (Visual Studio 2005)

2006-02-14 Thread William A. Rowe, Jr.

Daniel Maag wrote:

Hi,
I am trying to compile OpenSSL V0.9.8a.
Visual Studio 2005 has  several functions deprecated
(read,write,fileno).


Honestly, I don't believe that OpenSSL should waste cycles to support any
compiler that deliberately moves away from posix.  Fairly certain it's MS's
goal to move as far away from building open source as they can without
pissing off commercial developer/users enough to move to alternate compilers
(which don't necessarily keep up with every latest and greatest hooks into
the MS API).  Just my 2c.

[FYI I understand the behavior varied in multiple versions of the beta into
the final release.]

You might refer to the cl flags to enable the 'deprecated' posix standard
for C; the ISO C++ standard doesn't apply to C language code, in spite of all
the dreamy //thoughts Microsoft has on C language parsing.

Bill



Re: SSL v2/3 and TLS.. How to be flexible?

2006-02-13 Thread William A. Rowe, Jr.

TLSv1_server_methods() do not speak the crufty old SSLv2 garbage, you
can't connect to it using a multi-protocol handshake.

For maximum portability use SSLv23_server_methods().

On the client side it doesn't matter, if you want a TLSv1 connection
only, then by all means use TLSv1_client_methods().



Lee Dilkie wrote:

Hey Folks,

I've hit a bit of a wall here. I want to build a simple client and 
server that can handle SSL and TLS connections. It's not turning out as 
simple as it looks and googling hasn't yielded a solution either.


Put simply. If I create a client-server where one end uses 
TLSv1_method() and the other uses SSLv23_method(), they refuse to 
negotiate. If both ends are set to SSLv23_method() then I see (from 
SSL_get_current_cipher) that an SSLv3 connection is negotiated (wish it 
was TLS, then I'd be happy).


Is there some (hopefully easy) method to create a server that can handle 
either SSL or TLS incoming connections? Or, if both ends support it, 
negotiate to TLS?


TIA,

-lee




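The server-method point Bill makes above, as an added example that is not part of the thread or of OpenSSL itself: a simplified C model of the two ClientHello framings and of what a TLSv1-only versus an SSLv23 server accepts. The model server speaks SSLv3 and TLS 1.0 only, and the hello byte strings are constructed for illustration.

```c
/* Added example, not code from the thread or from OpenSSL: a simplified
 * model of the on-the-wire difference between TLSv1_server_method() and
 * SSLv23_server_method(). The model server speaks SSLv3 and TLS 1.0 only;
 * all hello byte strings below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#define VER_SSL3 0x0300
#define VER_TLS1 0x0301
enum server_method { METHOD_TLSV1_ONLY, METHOD_SSLV23 };

/* SSLv2-compatible CLIENT-HELLO: 2-byte length with the high bit set, message
 * type 0x01, then the highest version the client offers (here TLS 1.0). */
static const uint8_t V2_HELLO_TLS1[] = {0x80,0x2e,0x01,0x03,0x01,0x00,0x06,0x00,0x00,0x00,0x10};
/* SSLv3/TLS handshake record: type 0x16, record version, 2-byte length,
 * ClientHello (0x01), 3-byte body length, then client_version. */
static const uint8_t V3_HELLO_TLS1[] = {0x16,0x03,0x01,0x00,0x2d,0x01,0x00,0x00,0x29,0x03,0x01};
static const uint8_t V3_HELLO_SSL3[] = {0x16,0x03,0x00,0x00,0x2d,0x01,0x00,0x00,0x29,0x03,0x00};

/* Returns the client's offered version, or 0 if the hello is unrecognised;
 * *v2_framing records which of the two framings was seen. */
static uint16_t parse_hello_version(const uint8_t *p, size_t n, int *v2_framing)
{
    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01) {   /* SSLv2 framing */
        *v2_framing = 1;
        return (uint16_t)((p[3] << 8) | p[4]);
    }
    if (n >= 11 && p[0] == 0x16 && p[5] == 0x01) {   /* SSLv3/TLS record */
        *v2_framing = 0;
        return (uint16_t)((p[9] << 8) | p[10]);
    }
    return 0;
}

/* Version the server would speak for this hello, or 0 if it refuses it. */
static uint16_t negotiate(enum server_method m, const uint8_t *hello, size_t n)
{
    int v2 = 0;
    uint16_t client = parse_hello_version(hello, n, &v2);
    if (client == 0) return 0;
    if (m == METHOD_TLSV1_ONLY)   /* TLSv1_server_method(): TLS framing, TLS 1.0 only */
        return (v2 || client < VER_TLS1) ? 0 : VER_TLS1;
    if (client < VER_SSL3) return 0;   /* model server speaks no SSLv2 itself */
    return client >= VER_TLS1 ? VER_TLS1 : client;   /* highest version both support */
}
```

A server that picks SSLv23_server_method() for portability would normally also set the SSL_OP_NO_SSLv2 context option so that the multi-protocol hello is accepted but SSLv2 itself is never negotiated; the model's floor at SSLv3 mirrors that.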


Re: servername extension and apache 2.2.0

2006-02-06 Thread William A. Rowe, Jr.

If you want to submit it and have it considered by the httpd project, perhaps you
meant to submit it there?

Nice work b.t.w.

Bill


Peter Sylvester wrote:

Hello,

I just have put together the small patch for apache 2.2.0 which allows
to use the servername extension logic in the development snapshot in order
to select a different ssl context, and also to renegotiate if the vhost
indicated by Host: has a different SSL_ctx (e.g. certificate).


The patch also includes a little const fix due to the SSL_method change.

See  
http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch

and http://www.edelweb.fr/EdelKey/  for the background story

Have fun
Peter



Re: how to install MOD_SSL on Windows2003 server .. plz help!

2006-01-19 Thread William A. Rowe, Jr.

kadir iscmng wrote:

I downloaded and installed SFU35SEL_EN.exe (Windows Services for UNIX) software


I'll just warn you you've wandered deep, deep into uncharted waters :)

The native win32 build is the only one most folks support.  Some have invested
effort and energy into getting 1.3 cygwin running, afaik without major issues.
The 2.x versions definitely aren't completely cygwin ready but some folks are
working on cygwin, and mingw builds.

Never read about anyone successfully deploying under SFU.

Good luck.

Bill


Re: How to build openssl for Mac-Intel computers

2006-01-18 Thread William A. Rowe, Jr.

Jörg Eyring wrote:

Hi everybody,

we have a new platform - Macs with Intel processors.

Is there a chance to build a static library (i386 code) for linking in Xcode
2.2? A static library with ppc code has been done already. I'd like to end
up with a Universal Binary of my code.


For fun: doesn't configuring to build bsd x86 work for you?  Provided your
toolchain looks even remotely like a bsd box, where darwin is derived from,
the assembly code will be x86.





Re: OpenSA patching

2006-01-10 Thread William A. Rowe, Jr.

Bernhard Froehlich wrote:

Dan Peacock wrote:


I've got a production site running OpenSA 1.0.4 (which uses OpenSSL
0.9.6c, Apache 1.3.27, and mod_ssl 2.8.11) and we need to upgrade it
to plug the security holes that this version has.  Is there anything
that I can do to upgrade this install?  Can I drop in the latest
version of Apache 1.3 and mod_ssl?

As far as I am concerned I didn't have any troubles with Apache while 
upgrading OpenSSL (the two times i did it). But I don't have any idea 
about OpenSA.


Nor I.  But in general, unless your source tarball is within the last 60
days, you might want to upgrade with 0.9.7-latest, since 0.9.8 introduces
some changed declarations that older, e.g. 1.3.33+mod_ssl and 2.0.54 versions
of Apache will choke on.

The bleeding edge 1.3.34+mod_ssl-latest and 2.0.55 both support 0.9.8a, I do
believe.


Re: (export control) AES 128 bit

2005-12-20 Thread William A. Rowe, Jr.

Dudue Doo wrote:


I would like to implement a C++ program that will use openssl to encrypt 
packets using AES 128 bit key.


However, the problem is that I live in the US.  Does this mean that I 
will be breaking the export control law if I put the program on a server 
for others to download?  I have looked at various sources but could not 
find the answer to my question.


You *really* should have a lawyer guide you, but if you look on the BIS website
with respect to open source code, there are certain TSU exemptions for open
source software, and alternate policies w.r.t. commercial applications that
rely on open source cryptography modules, relying on some basic notifications
to the BIS at time of publication.

Not saying it's not an issue, just that it's one you can probably address
without too much hand wringing or cost.

Bill