Re: [openssl-users] Migrating to openssl 1.1.1 in real life linux server
On Tue, Sep 11, 2018, 13:10 Kurt Roeckx wrote:
> On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> > Hello,
> >
> > What is the better way, for anyone running, by example, Apache or nginx on
> > a popular Linux distribution (Ubuntu, Debian, Suse) and want support TLS
> > 1.3 ?
> >
> > Waiting package update to have openssl 1.1.1 ? probably a lot of time
> >
> > Recompile openssl dynamic library and replace system library ? We must be
> > sure we don't break the system
> >
> > Recompile Apache or NGinx with openssl statically linked ? probably complex
>
> Note that you most likely need an update of both nginx/apache and openssl.

Note that httpd 2.4 released does not yet support TLS 1.3, although it compiles against the new OpenSSL, YMMV. Within the next two httpd releases, we would expect OpenSSL 1.1.1 TLS 1.3 support to be GA. In the interim there is a working branch for 1.1.1 compatibility merges, and svn trunk already supports it, if you want to live on the bleeding edge.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Static FIPS Library with Address Randomization
On Fri, Mar 17, 2017 at 12:06 PM, Michael Wojcik wrote:
>
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> > Of Neptune
> > Sent: Friday, March 17, 2017 09:26
> > To: openssl-users@openssl.org
> > Subject: [openssl-users] Static FIPS Library with Address Randomization
> >
> > Platform: Win32
> > FIPS Object Module: 2.0.13
> > OpenSSL: 1.0.2j
> >
> > We've been using FIPS-capable OpenSSL for over a year now. Some of our
> > components are .dlls that statically link the libraries. Using the BASE:
> > linker flag (but not /FIXED) has worked well with only very occasional
> > address clashes.
> > The new year has brought a new requirement: NIAP. One of the NIAP
> > requirements is ASLR - address space layout randomization. Since turning on
> > these linker flags, the FIPS POST has been failing due to dll address being
> > randomized and no longer respecting the requested address in the BASE:x
> > linker flag. In order to get around this, I've had to add the /FIXED flag.
> > The address is no longer being randomized and the POST succeeds if the dll
> > loads...but therein lies the problem. When linking with the /FIXED flag, if
> > the BASE: address is not available, the dll will not load which is an
> > unacceptable problem and it is happening far too frequently.
> > It seems as though the requirements of FIPS-capable OpenSSL and NIAP address
> > randomization are at odds. Is there any way to satisfy both of these
> > requirements on Win32 and guarantee that the dll loads?
>
> AIUI, NIAP is just the US implementation of Common Criteria; you're better
> off using the latter term in general discussion, I think.
>
> I don't believe there is a solution to this problem, generally speaking, for
> 32-bit processes. (A 64-bit address space gives you a much better chance of
> finding a base address with a very low probability of conflicts.)
>
> This is simply one of the many problems with FIPS 140-2, particularly for
> software implementations. Those problems have been discussed extensively on
> this list; you can find many others weighing in on them, such as:
>
> https://blogs.oracle.com/darren/entry/fips_140_2_actively_harmful
>
> For OpenSSL specifically, this specific question has also been discussed
> elsewhere, for example:
>
> http://stackoverflow.com/questions/36268301/consequences-for-adding-relocation-information-in-fips-validated-libeay32-dll/36271778
>
> I'm aware of a few solutions, which probably won't help you at all:
> - Switch to 64-bit.
> - Switch to Linux or UNIX. This is primarily (exclusively?) a Windows
> problem, because of how the PE loader handles relocations; I'm not aware of
> another OpenSSL platform that has it. Though without looking I don't know
> which platforms have a recent OpenSSL FIPS validation, either.
> - Switch to a FIPS-validated hardware crypto implementation, and either wire
> OpenSSL to it using the ENGINE mechanism, or use a different TLS
> implementation.
> - Put more constraints on the loader, for example by statically linking what
> you can, and forcing other DLLs to load at other addresses (e.g. by setting
> preferred bases, etc). In specific cases this may give you sufficient
> control; in the general case it's a losing battle. Load libeay as early as
> possible.
> - Put all your TLS processing in a separate service process that includes the
> bare minimum of code and no DLLs other than OpenSSL; you might even link
> OpenSSL statically. Use IPC to communicate between this TLS service process
> and your application. Obviously there are performance and security issues,
> though they're acceptable for some applications. You can control how the
> stripped-down service process lays out its memory.
>
> All that said, I've never looked into this problem closely (I avoid the
> FIPS-validated build as much as I possibly can), so someone else may well
> have better suggestions.

Note you may not modify the openssl-FIPS build files or process. However, building the openssl host container of the FIPS library build, you may pin the DLL file with link flags and dodge this relocation.
Re: [openssl-users] Removing some systems
Just FTR... http://www.osnews.com/story/28933/Blue_Lion_new_OS_2_distribution_due_2016

Not that I'd take that as a mandate to preserve support... We are having the same internal dialog at the ASF httpd project and coming to the same conclusions.

On Mar 17, 2016 1:36 PM, "Salz, Rich" wrote:
> We are planning on removing the following systems from OpenSSL 1.1:
>
> Netware
>
> OS/2
>
> There are a few reasons for this. In no particular order they include:
> these platforms are no longer supported by the vendor; the configurations
> and builds have not been testable by the team for years and might not even
> work; nobody on the team has access to any of these.
>
> As a hopefully mediating factor, please note that they are still part of
> 1.0.2, which we have said is an LTS release with support until 2019.
>
> People interested in supporting any of these systems should look at
> building their own configuration with the template system; post on the
> openssl-dev list for help. Reducing the footprint and tangle of #ifdef's
> is also very important.
>
> We are also looking at others that are in a similar (although perhaps not
> identical) reason and will post here about them.
>
> --
> Senior Architect, Akamai Technologies
> IM: richs...@jabber.at Twitter: RichSalz
Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6
On Tue, 21 May 2013 16:12:45 +0530 Abhijit Ray Chaudhury <abhijit.ray.chaudh...@gmail.com> wrote:
> Hi,
> I have compiled openssl-fips and openssl in Windows CE 6. But when I run fips_premain_dso.exe libeay32.dll in target environment I get following error:
> =
> 217450134:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to the requested symbol name:.\crypto\dso\dso_win32.c:296:symname(FINGERPRINT_premain)
> 217450134:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:.\crypto\dso\dso_lib.c:294:
> =
> Which means GetProcAddress is failing for symbol name FINGERPRINT_premain. But if I do dumpbin /exports libeay32.dll, I can see the symbol FINGERPRINT_premain exported.

You are correct (from dumpbin), which leads me to question whether you hadn't run the fips_premain_dso.exe binary in the CE 6 emulation environment, but perhaps ran a win32 flavor of fips_premain_dso.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6
On Tue, 21 May 2013 16:12:45 +0530 Abhijit Ray Chaudhury <abhijit.ray.chaudh...@gmail.com> wrote:
> Which means GetProcAddress is failing for symbol name FINGERPRINT_premain. But if I do dumpbin /exports libeay32.dll, I can see the symbol FINGERPRINT_premain exported.

Quote that output line from dumpbin, exactly. Namespace decoration gets messy.
Re: Can't start Apache when ssl is enabled on RHEL v5.7
/dev/random is your culprit... your config isn't 100% transportable between Solaris and linux.

Sent from my Verizon Wireless 4G LTE Phone

-----Original message-----
From: Ruiyuan Jiang <ruiyuan_ji...@liz.com>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Mon, Jan 23, 2012 23:23:51 GMT+00:00
Subject: Can't start Apache when ssl is enabled on RHEL v5.7

Hi,

I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) with OpenSSL (v1.0.0x) enabled. They are running fine so far. Now we want to migrate Apache to Redhat Enterprise server v5.7 (64 bit). I compiled openssl with 64 bit option specified on RHEL and then compiled Apache the same way and same option as on the Solaris through a script that I saved. I copied all the modified necessary configuration files from Solaris and certificates from Solaris to Redhat and made necessary changes such as IP addresses for Apache. When I start Apache on the Redhat, Apache just sits there without giving back the shell prompt. The Apache access log and error log are empty so I don't know the reason. If I disable Apache's https and start only http, Apache starts fine. Does anyone know what could be the ssl problem on Redhat?

Thanks.

Ryan Jiang
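Added example, not from the thread and not Apache or OpenSSL code: a small probe that asks an entropy device for the same amount of seed material an httpd startup would, without letting the probe itself block. It shows the failure mode behind the reply above: a read from /dev/random can stall on a Linux host whose pool is still filling, while /dev/urandom never waits. The device paths are Linux-specific, the function and enum names are mine, and the 512-byte request size mirrors the form of the mod_ssl SSLRandomSeed directive (for example "SSLRandomSeed startup file:/dev/urandom 512").

```c
/* Added example (not from the thread): probe whether an entropy device would
 * block a reader. A blocking read is what stalls httpd at startup when its
 * SSLRandomSeed directive points at /dev/random on a Linux host whose pool
 * has not filled yet; /dev/urandom never blocks. Linux device paths; no
 * OpenSSL calls are made. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum seed_probe {
    SEED_OK = 0,           /* full amount delivered without waiting */
    SEED_WOULD_BLOCK = 1,  /* nothing ready: a blocking read would hang */
    SEED_SHORT = 2,        /* some data, then the device ran dry */
    SEED_ERROR = -1        /* device could not be opened */
};

/* Read up to 'want' bytes from 'path' with O_NONBLOCK so the probe itself
 * can never hang, and classify what a blocking consumer would have seen. */
enum seed_probe probe_seed_source(const char *path, size_t want)
{
    unsigned char buf[4096];
    size_t got = 0;
    enum seed_probe rc = SEED_OK;

    if (want > sizeof buf)
        want = sizeof buf;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return SEED_ERROR;

    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0) {
            got += (size_t)n;
        } else if (n < 0 && errno == EINTR) {
            continue;
        } else if (n < 0 && errno == EAGAIN && got == 0) {
            /* The pool is empty right now; a blocking open() would be
             * parked here until more entropy arrived. */
            rc = SEED_WOULD_BLOCK;
            break;
        } else {
            rc = SEED_SHORT;
            break;
        }
    }
    close(fd);
    return rc;
}

/* Turn a probe result into the one-line verdict an operator needs. */
const char *seed_verdict(enum seed_probe rc)
{
    switch (rc) {
    case SEED_OK:          return "non-blocking: safe for SSLRandomSeed startup";
    case SEED_WOULD_BLOCK: return "would block: httpd startup can hang here";
    case SEED_SHORT:       return "partial read: device may stall under load";
    default:               return "unavailable: check the path on this host";
    }
}

int main(void)
{
    const char *sources[] = { "/dev/random", "/dev/urandom" };
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++)
        printf("%-13s %s\n", sources[i],
               seed_verdict(probe_seed_source(sources[i], 512)));
    return 0;
}
```

Run it on the Linux host before starting httpd: a "would block" verdict for the device named in SSLRandomSeed explains a server that sits there with empty logs, and switching that directive to /dev/urandom removes the stall. On kernels from 5.6 onward /dev/random no longer blocks once the pool is initialised, so the probe will often report both devices as non-blocking there.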
Re: Failing to build OpenSSL 1.0.0f on obsolete Debian box (i386, kernel 2.0.36)
On 1/18/2012 9:57 AM, Brooke, Simon wrote:
> Sadly, removing -fomit-frame-pointer does not work.

Isn't that the default behavior for -O3?
Re: FW: FIPS validation and TLS 1.2
On 11/1/2011 8:35 PM, Bin Lu wrote:
> Do you have an answer for my question below? Is the fips-2.0-test code branched off from a FIPS-capable version? Which version is it based on if yes?

AIUI, fipscanister doesn't include TLS 1.2. Nor 1.0, nor SSLv3 or v2. That's the beauty of proper delineation.
Re: FIPS-capable OpenSSL that works on Windows NT
On 10/5/2011 10:08 AM, Dr. Stephen Henson wrote:
> On Tue, Oct 04, 2011, William A. Rowe Jr. wrote:
> > On 10/4/2011 10:45 PM, Bill Durant wrote:
> > > But when I run it under Windows NT, I get the following run-time error:
> > > The procedure entry point Module32NextW could not be located in the dynamic link library KERNEL32.dll
> >
> > If you use the equivalent of nm against the fipscanister.lib, I'd expect you'll find the binding there.
>
> I'd suggest the OP try to build the 2.0 test module and run fips_test_suite on NT as it may work. A lot of the platform specific code has been removed from the 2.0 module design.

I'd forgotten how significantly the whole POST code has been refactored, thanks for the reminder Steve!
Re: FIPS-capable OpenSSL that works on Windows NT
On 10/4/2011 10:45 PM, Bill Durant wrote:
> Does anyone know how to produce a FIPS-capable OpenSSL that works on Windows NT?

It's likely not possible...

> But when I run it under Windows NT, I get the following run-time error:
> The procedure entry point Module32NextW could not be located in the dynamic link library KERNEL32.dll

If you use the equivalent of nm against the fipscanister.lib, I'd expect you'll find the binding there.

I see no reason the team would accommodate this in OpenSSL/FIPS 2.0, though. Support for Windows NT 4.xx ended on December 31, 2004. Support for Windows 2000 ended on July 13, 2010. So updating security or cryptographic software validation for such systems is something of an oxymoron.
Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?
On 5/7/2011 7:16 AM, Justin Schoeman wrote:
> It does not matter which of these I try, openssl always binds to '::1:8008', which does not accept IPV4. I have tried various combinations of:
> BIO_new_accept("0.0.0.0:8008")

This syntax should have bound to all IPv4 interfaces alone, so as Michael suggests, it's certainly a bug.
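Added example, not from the thread and not OpenSSL code: a check a server operator can run to see which address family a "host:port" listener string really ends up bound to, and whether an IPv6 socket would still accept IPv4 peers. It uses plain POSIX getaddrinfo()/bind() rather than BIO_new_accept(), whose parsing the thread is about, so it shows what the intended result of "0.0.0.0:8008" looks like and how to tell when a listener has silently become IPv6-only. The parsing accepts the bracketed "[::1]:8008" form as well as the unbracketed "::1:8008" spelling seen above. Function names are mine; the demonstration binds port 0 so it never collides with a running service.

```c
/* Added example (not from the thread): report the family and IPv4
 * reachability of a listener spec after a real bind(), using POSIX
 * sockets only. The helper names are this example's own. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Split "host:port", "[v6literal]:port" or the unbracketed "::1:8008" form.
 * The last ':' separates the port, so a bare IPv6 literal still parses.
 * Returns 0 on success, -1 on a malformed spec. */
int split_hostport(const char *spec, char *host, size_t hostlen,
                   char *port, size_t portlen)
{
    const char *sep;
    size_t n;
    if (spec[0] == '[') {
        const char *close = strchr(spec, ']');
        if (close == NULL || close[1] != ':') return -1;
        n = (size_t)(close - spec - 1);
        if (n == 0 || n >= hostlen) return -1;
        memcpy(host, spec + 1, n);
        sep = close + 1;
    } else {
        sep = strrchr(spec, ':');
        if (sep == NULL) return -1;
        n = (size_t)(sep - spec);
        if (n == 0 || n >= hostlen) return -1;
        memcpy(host, spec, n);
    }
    host[n] = '\0';
    if (sep[1] == '\0' || strlen(sep + 1) >= portlen) return -1;
    strcpy(port, sep + 1);
    return 0;
}

/* Numeric port of a spec, or -1 if it does not parse. */
int spec_port(const char *spec)
{
    char host[64], port[8], *end;
    if (split_hostport(spec, host, sizeof host, port, sizeof port) != 0) return -1;
    long p = strtol(port, &end, 10);
    if (*end != '\0' || p < 0 || p > 65535) return -1;
    return (int)p;
}

/* Bind a passive TCP socket for 'spec' and report the family it landed in.
 * Returns AF_INET or AF_INET6, or 0 when the spec cannot be parsed, resolved
 * or bound. *accepts_ipv4 becomes 1 for an IPv4 socket or for a dual-stack
 * IPv6 wildcard (in6addr_any without IPV6_V6ONLY), otherwise 0. */
int bind_probe(const char *spec, int *accepts_ipv4)
{
    char host[64], port[8];
    struct addrinfo hints, *res, *ai;
    int family = 0;

    *accepts_ipv4 = 0;
    if (split_hostport(spec, host, sizeof host, port, sizeof port) != 0)
        return 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return 0;

    for (ai = res; ai != NULL && family == 0; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) continue;
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
            struct sockaddr_storage ss;
            socklen_t sl = sizeof ss;
            if (getsockname(fd, (struct sockaddr *)&ss, &sl) == 0)
                family = ss.ss_family;
            if (family == AF_INET) {
                *accepts_ipv4 = 1;
            } else if (family == AF_INET6) {
                int v6only = 1;
                socklen_t vl = sizeof v6only;
                struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
                getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, &vl);
                *accepts_ipv4 = IN6_IS_ADDR_UNSPECIFIED(&s6->sin6_addr) && !v6only;
            }
        }
        close(fd);
    }
    freeaddrinfo(res);
    return family;
}

int listener_family(const char *spec) { int v; return bind_probe(spec, &v); }

/* 1 if the listener would refuse IPv4 peers, 0 if it accepts them,
 * -1 if nothing could be bound at all. */
int listener_refuses_ipv4(const char *spec)
{
    int accepts;
    if (bind_probe(spec, &accepts) == 0) return -1;
    return accepts ? 0 : 1;
}

int main(void)
{
    /* Port 0 lets the kernel pick a free port, so the probe is side-effect free. */
    const char *specs[] = { "0.0.0.0:0", "[::]:0", "[::1]:0" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        int fam = listener_family(specs[i]);
        printf("%-12s family=%s ipv4-reachable=%s\n", specs[i],
               fam == AF_INET ? "AF_INET" : fam == AF_INET6 ? "AF_INET6" : "none",
               listener_refuses_ipv4(specs[i]) == 0 ? "yes" : "no");
    }
    return 0;
}
```

The interesting output is the second line: on hosts where the IPv6 wildcard is bound with IPV6_V6ONLY off, "[::]:0" still reaches IPv4 clients, while "[::1]:0" (the loopback address the original poster saw) never does, whatever the option says. Comparing what a service claims to listen on with what getsockname() reports is the same check the thread's poster did by observation.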
Re: FIPS compliance question regarding openssl distributions
On 3/6/2011 3:48 PM, Tim Hudson wrote:
> > In the example of building the openssl FIPS *capable* distribution, it seems one should take the distribution from the official openssl.org/source website and validate it using PGP. However, FreeBSD ships openssl distribution within its source tree.
>
> You must follow the instructions contained in the Security Policy document with no deviations. It's that simple. So the answer to the question of can you start with a different distribution is a simple 'no' - even if the files are almost identical (or in fact even identical) you don't get that choice - you must follow the documented procedure.

...for building the fipscanister. Once you have that, that binary artifact (which you affirm as validated) can be used as the basis for building an openssl 0.9.8 package in a usual manner.
Re: OpenSSL with Managed C++
On 1/31/2011 1:07 PM, John R Pierce wrote:
> On 01/31/11 10:55 AM, Harshvir Sidhu wrote:
> > Hi,
> > Can we use OpenSSL lib with Managed C++?
> > Thanks.
>
> can you call native C style DLL's from this 'Managed C++' (whatever that is) ? my initial google of 'Managed C++' indicates it's a Microsoft .NET thing that was deprecated circa 2005.

The concepts of boxing and unboxing native calls from any .NET language into a C library have never changed. The syntax of C++.NET underwent all sorts of convolutions after 1.0, but the concepts are the same.

To answer Harshvir, I haven't heard of anyone who coordinated all of the pinvoke stubs/headers you might need. Of course it's possible. Best of luck in your efforts, certainly google around for anyone who might have already tried, and document your efforts for the next one to attempt it :)
Re: OpenSSL 0.9.7
On 1/6/2011 12:23 PM, Garry S Ditzler wrote:
> Can you tell me if OpenSSL 0.9.7 is still supported?

Yes, the answer is no, it is not.
Re: OpenSSL 1.0.0b testssl fails
On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
> A 1.0.0c release is planned in the next few days. We're just seeing if any other issues arise before the release: a couple have been fixed already.

Have any observed issues affected 0.9.8p? If so, is there a planned .8q?
Re: OpenSSL 1.0.0b testssl fails
On 11/18/2010 12:05 PM, Victor Duchovni wrote:
> None that are publicly visible. You can check for yourself: No commits to the 0.9.8 branch after the release of 0.9.8p.
> http://cvs.openssl.org/chngview?cn=19996

I was aware of this. It's why I raised the question, if any of these were slated for backport, but simply not applied yet. The answer is no, so that resolves my questions.
Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X
On 10/13/2010 3:31 PM, Bill Durant wrote:
> I am interested in building the static version of the FIPS-capable OpenSSL as a universal binary.

Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to the security policy. Then it's possible but non-trivial to integrate these three components into any OpenSSL you would like to invent.
Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X
On 10/13/2010 7:22 PM, Bill Durant wrote:
> On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote:
> > On 10/13/2010 3:31 PM, Bill Durant wrote:
> > > I am interested in building the static version of the FIPS-capable OpenSSL as a universal binary.
> >
> > Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to the security policy. Then it's possible but non-trivial to integrate these three components into any OpenSSL you would like to invent.
>
> Thanks. That is exactly the approach that I am currently taking (will use lipo(1) to aggregate the FIPS-capable OpenSSL static libs to see if that works)...

That may not be sufficient, can ldfips be modified(?), it's certainly needed to link static to the fips canister. I'd put your energies into building a dylib which would give you a smidge more flexibility.
Re: DLL issues with Windows
On 9/30/2010 11:42 AM, Jakob Bohm wrote:
> In Windows XP, Microsoft introduced their own badly designed idea of versioned so-names in the form of so-called Assemblies. Unless you are writing .NET code, you should really avoid that nonsense.

I expect SxS packages for openssl (and several other common libraries) will all be released and revisioned by the CoApp project in the coming months. Think of this similarly to any other linux vendor's packaging and distribution strategy, not replacing source code projects roles. But as you warn, it is a non trivial problem with several bright people working to solve the SxS aspects of the build and installer toolchains.
Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz
On 8/3/2010 1:17 PM, William A. Rowe Jr. wrote:
> On 8/3/2010 10:05 AM, Bryan wrote:
> > I see a fips directory in 0.9.8o. If I'm building OpenSSL with FIPS on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile?
>
> This is well documented in the FIPS user guide and security policy, and if you haven't read them in detail, what you are compiling undoubtedly does not conform to the mandatory FIPS policy.

Sorry, left off the link; http://openssl.org/docs/fips/fipsnotes.html
Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz
On 8/3/2010 10:05 AM, Bryan wrote:
> I see a fips directory in 0.9.8o. If I'm building OpenSSL with FIPS on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile?

This is well documented in the FIPS user guide and security policy, and if you haven't read them in detail, what you are compiling undoubtedly does not conform to the mandatory FIPS policy.
Re: RPMBuild for FIPS OpenSSL
On 7/9/2010 9:05 AM, Steve Marquess wrote:
> Mark Parr wrote:
> > Use of the FIPS OpenSSL is a mandated thing and not just something that we are looking to do for the fun of it. In fact, the base OpenSSL was working fine using the FIPS AES 256 encryption in a non FIPS Certified mode.
> > ...
>
> Yes, that was my assumption and the point I was trying to make: if you want to build your product from source in a clean and logical way then just leave the FIPS module creation out of it. You will suffer less hair-pulling and tooth gnashing.
>
> If you must use the FIPS validated module then IMHO your best approach is to build the validated module *once*, by hand with careful documentation, and henceforth just use that resulting validated binary. Otherwise you're trying to perform what is effectively a ritual ceremony in an inappropriate secular context: from the CMVP perspective the source code itself isn't validated, only the resulting binary when the specific peculiar build process has been followed, i.e. the ritual. Perform that ritual once and you have one validated module that you can use many times -- perform it multiple times and you have multiple different validated modules.
>
> Or, here's another way to look at it. I can take the same source code and generate binaries two different ways, one by following the ritual and one by deviating from the ritual in some technically trivial way (by, say, adding a superfluous --prefix config option). The resulting binaries are functionally identical by any technical test that could be devised, yet one module is FIPS 140-2 validated and one isn't.

That isn't to say that it can't be rpm'ed, and the infrequently updated fips canister (currently v1.2) can't be 'the dependency' for building openssl-fips.
Re: error from generated code in ntdll.mak
On 6/24/2010 4:04 AM, Deckers, Rob wrote:
> Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
> IF EXIST out32dll\libeay32.dll.manifest mt -nologo -manifest out32dll\libeay32.dll.manifest -outputresource:out32dll\libeay32.dll;2
> mt: Unknown option -n
> Usage: mt [-vV] [-[t|f] tapename] command [count]

Your mt commands in your path are conflicted. I don't think we are writing a 9 tape in order to compile programs.
Re: How to attach source code in a debug build(Win32 Visual C++)?
On 6/17/2010 10:10 PM, Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of JC Yang
> > Sent: Wednesday, 16 June, 2010 23:53
> >
> > Hi, I'm new to openssl. I've just compiled openssl with Visual C++ 2008, I've read the installation guide and added the debug command in the mk1mf.pl line in do_masm.bat, but I found that there's no source code information included in the build. I'd like to know how can I attach the source code in the debug build for debug's sake?
>
> Does it say something like 'no debug symbols' or like 'source not found'?
>
> 1. For at least most of 0.9.8, mk1mf.pl had a flaw and didn't actually put /Zi in the CFLAG setting as intended. If it didn't, do so manually. My notes say I also put /Yd; I'm not sure if that's (still?) needed. It appears to me 0.9.8o and 1.0.0a have (different!) fixes for this, but I haven't had time yet to actually try either of them.
>
> 2. Even if you have symbols, I believe they use relative pathnames, and the IDE has to be told where to find them. In the old VS/VC++6 I have, this is in Tools / Options / Directories / SourceFiles. In newer versions it's probably different but should be similar.

More to the point, sources are never embedded into the obj/dll/exe. They must be distributed/available alongside a binary distribution (not really a problem for open 'source' - heh). So 'no source' means what Dave has said, you didn't point to the source.

If you are trying to do something more expansive than work with your own build, allowing others to, you have a huge education ahead of you to fully grok the mechanics of a ms dbg compatible source server.
Re: Up-to-date Tutorial
On 6/16/2010 12:10 PM, Dr. Stephen Henson wrote:
> Those for the bleeding edge development version are also available online too, see:
> http://www.openssl.org/docs/
> the API doesn't change that much so those will be largely accurate for older versions of OpenSSL.

The examples at the bottom of some pages can help and sometimes include code snippets. There are also some very basic sample programs under demos/ in each distribution. The sources under apps/ (which comprise the tool 'openssl') are also quite useful.
Re: unable to build dynamic library on HP-UX RISC and Itanium
On 6/2/2010 11:08 AM, Alona Rossen wrote:
> Building dynamic library on HP-UX fails even though I explicitly specify 'shared' as Configure argument:
> ./Configure hpux64-ia64-cc -D_REENTRANT shared

Why are you adding -D for _REENTRANT? I did a very similar build last week, no such problems, would you care to be more specific about which OpenSSL package you are configuring?
Re: unable to build dynamic library on HP-UX RISC and Itanium
On 6/2/2010 4:04 PM, Alona Rossen wrote:
> This is a suggested configuration. -D stands for preprocessor define.

The reason I ask is that the entries in Configure should provide the necessary defines, and if not, that is a bug. As it was 'suggested', we'll just presume things are fine w/w-o it.

You still failed to identify the openssl package you were configuring, which doesn't give anyone much to go on, especially those who are in some position to look at the problem.
Re: server side renegotiation
On 4/15/2010 12:42 PM, Adam Grossman wrote:
> hello, i had my code running on 0.9.8e without any issues. i upgraded to 0.9.8n, and now when my server initiates a renegotiation with the client (which is either IE or Firefox), SSL_renegotiation returns a 0. i understand from the CHANGELOG that it was not allowed until 0.9.8m, but this line confuses me:
> Re-enable renegotiation but require the extension as needed.
> i do not know what it means require extensions. Short of setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, what do i need to do to have renegotiations work again?

Upgrade the client to support the new negotiation API. As usual, clients were lagging for some server implementations to validate against.
Re: ERROR LINK2019
On 4/13/2010 4:49 PM, 芦翔 wrote:
> Dear all,
> I am trying to add the security flavor to an application. To achieve this objective, I wrote the code to establish a security tunnel between the server and the client with VC2008. When I build the whole project, there are tens of similar errors. All of them are as follows:
> SSLServer.obj : error LNK2019: unresolved external symbol _BIO_free referenced in function "int __cdecl SSL_CTX_use_PrivateKey_file_pass(struct ssl_ctx_st *,char *,char *)" (?SSL_CTX_use_PrivateKey_file_pass@@YAHPAUssl_ctx_st@@p...@z)

That signature is consistent with C++ argument folding. The openssl headers you've used probably were missing this decoration:

  #ifdef __cplusplus
  extern "C" {
  #endif
  ...
  #ifdef __cplusplus
  }
  #endif

So you should put your #include references in between the snippets above (in place of the ... ellipses).
Re: does bio_get_mem_data handle unicode?
On 4/7/2010 12:33 PM, Ryan Pfeifle wrote:
> While we are on the subject of Unicode, there are other areas of OpenSSL that need Unicode support added, in particular handling of paths and filenames on UTF16-based filesystems that require wchar_t* parameters. For instance, on Windows, OpenSSL cannot load certificate files/directories that have Unicode characters in them. On 'nix, this is not a problem for systems that use UTF8-based filesystems, which can be passed via char* parameters. The Indy library (http://www.indyproject.org) had to work around this issue recently by implementing its own versions of SSL_load_client_CA_file(), SSL_CTX_use_certificate_file(), SSL_CTX_use_PrivateKey_file(), and SSL_CTX_load_verify_locations() from scratch using a custom X509_LOOKUP_METHOD structure and support routines.

That's one approach. Another is to use UTF-8 filenames as the local code page, this is the solution the APR library opted for. Either way, the OpenSSL API needs customization to pass wchar args for path names, etc. Starting as utf-8, or handled entirely by unicode.
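Added example, not from the thread and not APR or OpenSSL code: the conversion step that the "UTF-8 as the local code page" approach needs on Windows, where a wrapper takes the char* path a caller hands to the OpenSSL file-loading APIs and turns it into the UTF-16 string a wide-character file function expects. The decoder is deliberately strict: overlong forms, encoded surrogates, truncated sequences and code points above U+10FFFF are rejected instead of being normalised, because a lenient decoder lets two different byte strings name the same file. It is portable C so it runs anywhere; no Windows API is called, and the function names and the 260-unit scratch buffer are this example's own choices.

```c
/* Added example (not from the thread): strict UTF-8 to UTF-16 conversion of
 * a path, the step a wrapper around OpenSSL's char* file APIs would perform
 * before calling a Windows wide-character function. Portable C. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8 sequence from s[0..n). Returns its byte length (1..4)
 * and stores the code point, or 0 on malformed input. */
static size_t utf8_decode_one(const unsigned char *s, size_t n, uint32_t *cp)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    size_t len; uint32_t min;
    if (c < 0x80)                { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; *cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; *cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; *cp = c & 0x07; min = 0x10000; }
    else return 0;                            /* stray continuation byte or 0xF8+ */
    if (n < len) return 0;                    /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;  /* not a continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min) return 0;                  /* overlong encoding, e.g. C0 AF for '/' */
    if (*cp > 0x10FFFF) return 0;             /* beyond Unicode */
    if (*cp >= 0xD800 && *cp <= 0xDFFF) return 0;  /* UTF-8-encoded surrogate */
    return len;
}

/* Convert NUL-terminated UTF-8 to UTF-16 code units in host byte order (the
 * form wchar_t takes on Windows). Returns the number of units written, not
 * counting the terminator, or -1 on malformed input or a too-small buffer. */
int utf8_to_utf16(const char *in, uint16_t *out, size_t outlen)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), i = 0, w = 0;
    while (i < n) {
        uint32_t cp;
        size_t len = utf8_decode_one(s + i, n - i, &cp);
        if (len == 0) return -1;
        i += len;
        if (cp >= 0x10000) {                  /* needs a surrogate pair */
            if (w + 2 >= outlen) return -1;
            cp -= 0x10000;
            out[w++] = (uint16_t)(0xD800 | (cp >> 10));
            out[w++] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        } else {
            if (w + 1 >= outlen) return -1;
            out[w++] = (uint16_t)cp;
        }
    }
    out[w] = 0;
    return (int)w;
}

/* Length in UTF-16 units of a UTF-8 path, or -1 if it is rejected. */
int utf16_length_of(const char *utf8)
{
    uint16_t buf[260];                        /* MAX_PATH-sized scratch, chosen here */
    return utf8_to_utf16(utf8, buf, sizeof buf / sizeof buf[0]);
}

/* UTF-16 unit at position idx of the converted path, or -1 if the path is
 * rejected or idx is out of range. */
int utf16_unit_at(const char *utf8, size_t idx)
{
    uint16_t buf[260];
    int n = utf8_to_utf16(utf8, buf, sizeof buf / sizeof buf[0]);
    if (n < 0 || idx >= (size_t)n) return -1;
    return buf[idx];
}

int main(void)
{
    /* Constructed sample paths: ASCII, a Latin-1 letter, an astral character,
     * and the classic overlong encoding of '/' that a strict decoder rejects. */
    const char *paths[] = { "certs/ca.pem",
                            "C:\\Zertifikate\\\xC3\xBC" "ber.pem",
                            "\xF0\x9F\x94\x92" "keys",
                            "\xC0\xAF" "etc/passwd" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int n = utf16_length_of(paths[i]);
        if (n < 0) printf("%-32s rejected (malformed UTF-8)\n", paths[i]);
        else       printf("%-32s %d UTF-16 units\n", paths[i], n);
    }
    return 0;
}
```

In a real wrapper the converted buffer would be handed to the wide-character open call and the resulting handle fed to OpenSSL through a BIO, which is the shape of the X509_LOOKUP_METHOD workaround Ryan describes; the conversion shown here is the part both approaches share.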
Re: OpenSSL 1.0.0 and FIPS
On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote:
> I assume the 2010 limit on new validations is the impending finalization of 140-3.

What you are thinking of won't be designated 140-3, it's not sequential, there is such a FIPS level already. Probably FIPS-{new}-2 or FIPS-140-2 2010 or something like that. FIPS 140-3 implies a level of physical validation that an open source project isn't able to consider validating to. If you were to bundle OpenSSL-FIPS into a sealed card, and add the appropriate cert/key mgmt, then you could consider applying for FIPS 140-3 validation for such a physical device.
Re: OpenSSL 1.0.0 and FIPS
On 3/31/2010 4:21 PM, Gatewood (Woody) Green wrote:
> Actually, no 140-3 will be successor to 140-2 which is successor to 140-1. The hyphenated number is a release version.

Woody, thanks for this clarification...

> You are trying to talk about FIPS 140-2, Level 3 certification in your example. (bottom of page two in the gov't 140-2 PDF; see link below) The levels are *within* the particular 140-x standard. Case in point, the original draft of 140-3 contained five levels but has since been reduced back to four as is in the 140-2 version. Second example, we have 140-2, Level 2 certification on a subset of our products (version, model and product specific).

and these additional details! Yes, I had confused the rev level with the FIPS certification level.
Re: FIPS linked as a shared library
On 1/18/2010 2:42 PM, Kyle Hamilton wrote:
> The way that the FIPS module verifies its signature is that it forces itself to load (via a pre-main() section) and then calculate the checksum of the image in-core. Probably the reason why you're running into issues is because of the fixup step of the dynamic linker.
>
> If you expect to use FIPS, you should link it as a hard dependency (also known as 'strict binding', as opposed to 'lazy binding') so that it can be loaded as early as possible, to minimize the chances of the linker needing to run fixups after application-code memory allocation. As you've found, the image in-core *must* match the original image in-core when the signature was generated, and the linker changes the pointers of where things are located when it has to.

Wouldn't applying the PIC compiler flag across all .o's accomplish the same thing?
Re: CryptoAPI calls failing in rand_win on Windows 7
James Baker wrote:
The problem does occur with full admin privileges.

To be 100% clear, this is full admin with no UAC? UAC will drop privilege of an app seemingly running as 'administrator'.
Re: FIPS OpenSSL compilation error
Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Pankaj Aggarwal
Sent: Tuesday, 25 August, 2009 05:06
I am using cygwin on windows xp to compile FIPS Openssl 1.2 using Visual studio 2005.

Apparently you mean cygwin _perl_. The MS compiler and linker (which are the only ones permitted under the validated policy) run in the normal Windows environment not the Unixoid cygwin one.

Dave, I'm pretty sure you are the one confused. The last I looked, which was a while ago, MinGW was the only option for building openssl in FIPS mode. But they have introduced a CC flag, so all bets are off.
Re: FIPS OpenSSL compilation error
William A. Rowe, Jr. wrote:
Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Pankaj Aggarwal
Sent: Tuesday, 25 August, 2009 05:06
I am using cygwin on windows xp to compile FIPS Openssl 1.2 using Visual studio 2005.

Apparently you mean cygwin _perl_. The MS compiler and linker (which are the only ones permitted under the validated policy) run in the normal Windows environment not the Unixoid cygwin one.

Dave, I'm pretty sure you are the one confused. The last I looked, which was a while ago, MinGW was the only option for building openssl in FIPS mode. But they have introduced a CC flag, so all bets are off.

I reread this this morning and Dave is right, he just confused me :)

You need to set up the MSYS/MinGW toolchain instead of Microsoft C to build at least the FIPS canister. The fact that you installed cygwin already is a good start, but you need to point your path to reference the MSYS/MinGW tools first.
Re: openssl 0.9.8D, Solaris 10 difficulties
[EMAIL PROTECTED] wrote:
In the previous post, another subscriber suggested patching SunStudio 11. I applied all the patches I could find on SunSolve (namely, 120761-03, 121023-04, and 122142-03.) I'm getting the same result, so I'm really baffled at this point. Any suggestions would be very much appreciated!

You must have missed one... otherwise crank down your optimizations with the notes suggested in the RT ticket 1281.
Re: 0.9.8d compile and/or test problems with Solaris 10 compiler on sparc v9
Michael Durket wrote:
There seem to be a few problems successfully building OpenSSL on a Sun T2000 running Solaris 10 using the Sun Studio 11 compiler suite. I ignored those warnings and ran make which appeared to work. However, after doing a 'make test' I received this error: Testing cipher AES-128-ECB(encrypt)

That's the loop unroll bug 1281. You didn't bother to patch your installed sunstudio, eh?
Re: SSLv3 handshaking fails on solaris
Because Solaris has a loop unroll optimization bug. Apply all the latest patches to SunStudio 11 and it should work. Please check back in to let us know. It's a really high level bug - because it hit both sparc and x86 :)

Donny Dinh wrote:
I managed to get the solaris build to work properly by changing the compiler flags i.e. using config rule debug-solaris-sparcv8-cc instead of solaris-sparcv8-cc. Why exactly does it work now...? I'm not too sure, but I reckon it's some kind of timing issue (considering that Michael Stroder suggested using the -pause option - which btw didn't work for me)

Michael Ströder [EMAIL PROTECTED], 12/12/2006 09:06 PM, Subject: Re: SSLv3 handshaking fails on solaris, wrote:
Donny Dinh wrote:
./openssl s_client -connect www.google.com:443 -state
[..]
6709:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20
6709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
If I force it to use SSLv2 only, it works correctly.

Also try the option -pause together with SSLv3.

I think this is a solaris problem because I have tested this on other platforms (linux, hpux, aix) and it works correctly.

I have seen similar problems on other platforms (client and server). I was not able to track it down to a deterministic failure though. Ciao, Michael.
Re: WIN32 winsock vs winsock2 coexistence?
Michael - just to rest your mind - you might want to examine both wsock32.dll and winsock2.dll using DEPENDS.EXE. You'll find the results are interesting :)
Re: WIN32 winsock vs winsock2 coexistence?
Brown, Michael A wrote:
I'm looking at an app where the app and all libs/DLLs it uses EXCEPT openssl use ws2_32, and openssl uses wsock32. Is this a problem or can the two coexist peacefully? It makes me somewhat uneasy.

Well, using winsock period makes me uneasy ;-)

Seriously - no - there's no issue. You are coming from a unix perspective where an exported function such as 'connect()' exists once in the global symbol table. Not so on win32 - it's more akin to the OSX two-level namespace schema. When you bind a symbol on windows, you bind the PE Binary to the specific function -within- a specific DLL. Because they all become system handles, there are really no other differences. Bigger issues include using nonblocking sockets on winsock functions that really expected a blocking socket, etc.
Re: Question reagrding OpenSSL recent security advisory
Marek Marcola wrote:
Hello, I have read the advisory and I am a bit puzzled regarding the "there are CAs using exponent 3 in wide use" comment, I have tried to check and could not find any CA using this exponent, all the CAs I have seen are using 0x10001 (CAs I have generated by OpenSSL using default values, world wide trusted CAs such as VeriSign and Thawte etc..) are only old CAs using exponent 3 ? Could anyone elaborate some on this?

Look at: http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

That's a rather worthless answer Marek, the question isn't what is the flaw (mishandled exponent 3-signed certificates), but the prevalence. My cursory examination shows most keygen tools have been using F4 style exponents most of this century.

Two cases came to mind...

Private CAs generated with very old tools (such tools fester a long time)

Old signing keys reused for fresh signing request keys (anathema of best practices)

but most importantly, public signing keys. Hagai asks how prevalent such exponent 3 public or commercial signing keys still are? Someone stated they are in wide use. This is not 'private' information, and Hagai just asked if someone has done the actual research of affected public/commercial signing authorities?
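For readers who want to see why an exponent-3 signing key is the problem the advisory describes, here is an added example (not code from the list or from OpenSSL) of the forgery against a PKCS#1 v1.5 verifier that parses the DigestInfo and ignores the bytes after it, next to a verifier that compares the entire encoded block. The modulus is a constructed 2048-bit odd number, not a real key, and no private key is involved: the forged value s is chosen so that s^3 is already smaller than N, so the public operation never reduces and any modulus above 2^2040 behaves the same way.

```python
import hashlib
import hmac

# Added example, not the project's code.  Constructed public key with e = 3:
# N is a made-up 2048-bit odd number; the forgery below never reduces mod N.
E = 3
N = (1 << 2047) | 1
K = (N.bit_length() + 7) // 8          # 256-byte encoded message block

# DER prefix of DigestInfo for SHA-1 (AlgorithmIdentifier + OCTET STRING header)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def icbrt(x: int) -> int:
    """Floor of the integer cube root by binary search (exact for big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge_signature(message: bytes) -> int:
    """Return s with s^3 == 00 01 FF*8 00 DigestInfo(SHA-1(message)) || garbage.
    The fixed prefix is 46 bytes, leaving 210 bytes (1680 bits) of free garbage;
    consecutive cubes near 2^678 are only about 2^1357 apart, so some cube
    always falls inside [low, high]."""
    prefix = (b"\x00\x01" + b"\xff" * 8 + b"\x00"
              + SHA1_DIGESTINFO + hashlib.sha1(message).digest())
    free = K - len(prefix)
    low = int.from_bytes(prefix + b"\x00" * free, "big")
    high = int.from_bytes(prefix + b"\xff" * free, "big")
    s = icbrt(high)
    assert low <= s ** 3 <= high
    return s


def naive_verify(message: bytes, s: int) -> bool:
    """The flawed check: walk the padding, parse the DigestInfo, compare the
    hash, and never look at what follows the hash."""
    em = pow(s, E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i < 2 + 8 or i >= K or em[i] != 0x00:   # at least 8 bytes of FF, then 00
        return False
    i += 1
    expected = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return em[i:i + len(expected)] == expected  # trailing bytes ignored: the bug


def strict_verify(message: bytes, s: int) -> bool:
    """The fix: rebuild the whole EMSA-PKCS1-v1_5 block and compare all K bytes."""
    em = pow(s, E, N).to_bytes(K, "big")
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)
```

With e = 65537 the same trick fails because s^65537 cannot be kept below N, which is why the prevalence of e = 3 signing keys, rather than the mechanics, was the question in this thread.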
Re: license question
Ryan Shon wrote:
I work for nFocal, a company in Rochester, New York. We want to develop a variant of OpenSSL in which we optimize the cryptography library to run on a particular DSP. The other components of OpenSSL would remain unchanged except where needed to utilize our custom library. We might modify OpenSSL's cryptography library, or we may write our own from scratch. Could you please explain our licensing restrictions for these two scenarios?

Just an observation, but if you left the OpenSSL core alone, and created your optimized module as a loadable engine for OpenSSL - I suspect you would have a win-win from licensing, distribution and code design views.
Re: Hiding headers for OpenSSL
Thomas J. Hruska wrote:
Now compare that number to how many hackers know and care about the same information. None.

If an exploit exists, it will be exploited. You are a fool if you expect that a hacker would rely on the reported version number to elect one of the dozens of past exploits. They simply pound all of them at the server until they discover one works.

Legitimate users are the actual browsers and other non-interactive clients which make deterministic decisions about process flow and exploit *features* based on if they know the server is capable of using the optimization or bandwidth saving feature reliably.

Close any vulnerabilities by applying the current/corrected code, if you actually want to prevent your server from being exploited. Hiding your head in the sand by attempting to hide the software you are running is foolish and silly.
Re: CHecking the version of OpenSSL
Randy Turner wrote:
I would probably consider the publishing of the openssl version on the web server announcment message as a security issue.

And some of us would laugh in your general direction ;-) Exploiters don't need to know, they can just persist till they find a known exploit.
Re: Last call to BIO_read in loop freezes
David Schwartz wrote:
Notice the two persistent connection headers returned? And, in practice, the connection is in fact persistent. If you were correct, the server would ignore the Connection header since it has no meaning. Try it without a connection header and you will see the difference.

Exactly. In HTTP/1.1, keepalive is implicit. In HTTP/1.0, on servers which support it, a Connection: keep-alive header achieves the same.
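The rule stated above is what decides whether a client read loop may wait for the peer to close. As an added example (not code from the thread), the following decodes a response head, applies the HTTP/1.1 versus HTTP/1.0 persistence rule, and reports how the body is delimited; a persistent connection with no Content-Length or chunked encoding is flagged as "undelimited", which is exactly the case where a loop that keeps calling BIO_read until EOF blocks. The sample responses are constructed.

```python
import re

# Added example, not code from the list.  Persistence rule from RFC 2616 8.1:
# HTTP/1.1 is persistent unless the server says "Connection: close";
# HTTP/1.0 is not, unless the server answered "Connection: keep-alive".

STATUS_RE = re.compile(r"(HTTP/\d\.\d) (\d{3})")


def parse_head(raw: bytes):
    """Return (version, status, headers) from a raw response; header names are lowercased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), int(m.group(2)), headers


def connection_tokens(headers) -> set:
    """Connection is a comma-separated token list; compare case-insensitively."""
    return {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}


def is_persistent(version: str, headers) -> bool:
    tokens = connection_tokens(headers)
    if version == "HTTP/1.1":
        return "close" not in tokens
    if version == "HTTP/1.0":
        return "keep-alive" in tokens
    return False


def body_framing(version: str, status: int, headers):
    """How a client must find the end of the body (responses to HEAD, which have
    no body regardless of headers, are not modelled here).  "until-close" is only
    safe when the connection is not persistent; "undelimited" means the server
    will keep the socket open and the client has no way to know the body ended."""
    if status in (204, 304) or 100 <= status < 200:
        return ("none", 0)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return ("chunked", None)
    if "content-length" in headers:
        return ("content-length", int(headers["content-length"]))
    if is_persistent(version, headers):
        return ("undelimited", None)
    return ("until-close", None)


# Constructed sample responses (not captured traffic).
RESPONSE_11_KEEPALIVE = (b"HTTP/1.1 200 OK\r\nConnection: Keep-Alive\r\n"
                         b"Keep-Alive: timeout=15, max=100\r\nContent-Length: 5\r\n\r\nhello")
RESPONSE_10_PLAIN = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"
RESPONSE_11_CLOSE = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello"
RESPONSE_11_NOLENGTH = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"
```

The last sample is the trap: an HTTP/1.1 server that neither closes nor delimits the body has produced a response the client cannot finish reading, so a robust client treats "undelimited" as a protocol error rather than waiting.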
Re: How to verify OpenSSL lib version from autoconf?
httpd's scripts are known to the autoconf community as gross bastardizations of intent of autoconf, so forewarned ;-) But they do illustrate verifying the version of openssl, take a look at APACHE_CHECK_SSL_TOOLKIT in;

http://svn.apache.org/repos/asf/httpd/httpd/trunk/acinclude.m4

Matt England wrote:
My project's code is apparently compatible with OpenSSL 0.9.7g (and possibly higher) but not 0.9.8 (because the header file changed from 0.9.7 and 0.9.8...which seems rather undesirable). In any case, I'd like our autoconf macros to be able to automatically check to see if 0.9.7g and higher is installed (but 0.9.8 or higher). Does anyone have a recommendation for how to do this? -Matt
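Whatever the macro, the check comes down to reading OPENSSL_VERSION_NUMBER from opensslv.h and comparing it against the endpoints of the wanted range. The following is an added example (not httpd's macro or OpenSSL code) that decodes the 0xMNNFFPPS layout used by the 0.9.x and 1.x series (major, minor, fix, patch letter, status nibble; OpenSSL 3.0 changed the layout, so this is not a decoder for those builds) and applies the "at least 0.9.7g but below 0.9.8" test from the question. The header text is constructed inline rather than read from an installed tree.

```python
import re

# Added example, not OpenSSL's or httpd's code.  Layout of OPENSSL_VERSION_NUMBER
# for 0.9.x / 1.x:  0xMNNFFPPS  = major(4 bits) minor(8) fix(8) patch(8) status(4),
# patch 1 == 'a', status 0 == dev, 1..14 == beta, 0xf == release.
VERSION_RE = re.compile(r"#\s*define\s+OPENSSL_VERSION_NUMBER\s+0x([0-9a-fA-F]+)L?")


def read_version_number(opensslv_h_text: str) -> int:
    """Pull the numeric version out of the text of opensslv.h."""
    m = VERSION_RE.search(opensslv_h_text)
    if not m:
        raise ValueError("OPENSSL_VERSION_NUMBER not found")
    return int(m.group(1), 16)


def encode_version(major: int, minor: int, fix: int, patch: int = 0, status: int = 0xF) -> int:
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | status


def decode_version(num: int) -> str:
    """Render the packed number the way the openssl binary prints it, e.g. 0.9.7g."""
    major, minor, fix = num >> 28, (num >> 20) & 0xFF, (num >> 12) & 0xFF
    patch, status = (num >> 4) & 0xFF, num & 0xF
    text = "%d.%d.%d" % (major, minor, fix)
    if patch:
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += "-beta%d" % status
    return text


def version_acceptable(num: int, lo: int, hi: int) -> bool:
    """True when lo <= num < hi, the shape of the question's 0.9.7g-but-not-0.9.8 check."""
    return lo <= num < hi


# The question's bounds: at least 0.9.7g, anything from 0.9.8 (including its dev
# snapshots, hence status 0) rejected.
WANT_LO = encode_version(0, 9, 7, patch=7)          # 0x0090707f
WANT_HI = encode_version(0, 9, 8, patch=0, status=0)  # 0x00908000

# Constructed header fragment, standing in for $prefix/include/openssl/opensslv.h.
SAMPLE_OPENSSLV_H = """
#define OPENSSL_VERSION_NUMBER 0x0090707fL
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g 11 Apr 2005"
"""
```

In a configure script the same comparison is usually done by compiling a one-line test program with `#if OPENSSL_VERSION_NUMBER < 0x0090707fL` and `#error`, which avoids parsing the header with a regex; the decoder above is useful for printing a readable version in the configure output.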
Re: Reading/Writing to disk files on Windows...
Kendall, Jerry wrote:
Now, I have a Unix Project that runs wonderfully on Linux/Aix/Solaris..... There are two lines of code that cause a windows exception.
PEM_write_PrivateKey(fp, NewKeyReq, Cipher, GetCode(0),strlen(GetCode(0)), NULL, NULL);
PEM_write_X509(fp, x509_Cert);

Did you call CRYPTO_malloc_init(); ?
Re: FIPS 1.1 module availability
I heard 'very soon now' :)

Tinnerello, Richard wrote:
Can anyone say when the openssl-fips-1.1.tar.gz distribution announced on Saturday will be available for download? Thanks! Richard
Re: Is FIPS 140-2 Validation violated
Kyle Hamilton wrote:
It will violate the FIPS security policy. That much has been stated, but there's been no workaround that I'm aware of to select alternate options like that.

Right, not with openssl ./config. However, some folks might want to consider if their compiler environment can be adjusted to correctly default to their preferred flavor, in such a way that openssl respects and defaults to the sys configuration? /pondering an alternate implementation of 'uname', too. (yay lack of foresight and a required-to-be-closed validation process.) The best laid plans of mice.
Re: 0.9.8b windows binaries
hunter wrote:
On 5/7/06, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
Typically one links to the static library then, which of course will only link in .obj files that are consumed. One bit of OpenSSL magic are the separate objects which create a (relatively) quite small binary. That is, if you use explicit methods, e.g. use TLSV1_server_init if you will only respond with TLS, instead of SSLV23_server_init where you draw in much more conditional code.

Are you saying that if I build and provide a package with static libs and headers that an application could use this to compile smaller binaries?

Yes.

I will look for instructions on how to do this...

You should find ms/ntdll.mak as well as ms/nt.mak, one spits out dynamic libs into out32dll/, the other static libs into out32/.
Re: 0.9.8b windows binaries
Mike Ehlert wrote:
but what I'm after now is some information on any tricks to compiling the DLL's with only the features needed for my application to reduce their size.

Typically one links to the static library then, which of course will only link in .obj files that are consumed. One bit of OpenSSL magic are the separate objects which create a (relatively) quite small binary. That is, if you use explicit methods, e.g. use TLSV1_server_init if you will only respond with TLS, instead of SSLV23_server_init where you draw in much more conditional code.

Bill
Re: setup question
Bill Angus wrote:
I'm having a little trouble with setting up a secure server on windows with openssl and Apache2 + Mod_SSL.

Well, you are in the wrong place, this should be on [EMAIL PROTECTED]

Neverminding that blunder, and possibly aggravating your good openssl user supporters by entertaining your question...

The config I am attempting to use for the secure directory is as below.
listen 443
...
<VirtualHost *:443>

Why *:443? stop and consider - them's named virtual host fighting words, and you aren't (shouldn't be using) named ssl hosts (unless you have a couple weeks to spare to understand exactly what you are doing). You meant to say...

<VirtualHost _default_:443>

or

<VirtualHost 0.0.0.0:443>

or when you know exactly which IP (you should!) then spit it out boy...

<VirtualHost 192.168.1.27:443>

ServerName www.psychtest.com http://www.psychtest.com:443

I hope this is a quirk in your mailer. You should simply have...

ServerName www.psychtest.com

DocumentRoot C:/Homepage/secure
<Directory C:/Homepage/secure>

I'm thinking you wanted to add to this Dir section...

SSLRequireSSL

if you want to be sure nothing can access that directory except through ssl.

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

That's good, the rest looks good, I hope you had a trailing </VirtualHost> you just forgot to mention.
Re: setup question
William A. Rowe, Jr. wrote:
Bill Angus wrote:
I'm having a little trouble with setting up a secure server on windows with openssl and Apache2 + Mod_SSL. The config I am attempting to use for the secure directory is as below.
listen 443
...
<VirtualHost *:443>

Why *:443? stop and consider - them's named virtual host fighting words, and you aren't (shouldn't be using) named ssl hosts (unless you have a couple weeks to spare to understand exactly what you are doing).

Actually if you attempted this, you would need a corresponding NameVirtualHost directive for port 443, and you want to review this page;

http://wiki.cacert.org/wiki/VhostTaskForce

Sorry I forgot to throw in the link in my earlier reply.

Bill
Re: OpenSSL fips 1.0 Borland Builder 5
Rovan, Jim (IMS) wrote:
When I attempt to follow the instructions from the Compilation of OpenSSL-fips-1.0 under Windows thread (2006-03-31) to build fips OpenSSL for Borland Builder 5, I can make it through the point where I run ms\do_nasm fips to create bcb.mak for the 0.9.7 snapshot. But when I attempt to run the make file with make -f bcb.mak, I get unresolved external errors. The non-fips version builds correctly, so my guess is that the make file is not being constructed correctly when the fips option is applied to do_nasm. Any ideas? I've included the actual error messages below.

The same answer applies to Borland, Jim, as the recent posts for Visual C compiler users. You must use the MSYS toolchain to do your initial build and create the fips bundle module. Once that is done, you can rebuild the rest of the window dressing however you like, but the fips object module can never again vary.
Re: Addendum, make report included
[EMAIL PROTECTED] wrote:
I am unable to install openssl 0.9.8a as I sent earlier. Here is make report:
Compiler: gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)

EEEK! 2.91? Really? Try a more modern compiler that understands modern assembly syntax.
Re: How to debug into the OpenSSL(openssl-0.9.8a) source code
Jie Zhang wrote:
Hello everybody, I am not able to debug into the OpenSSL library(openssl-0.9.8a) with my Microsoft Visual C++ .net IDE. But during my application execution, I got:
'alfssl2_server.exe': Loaded 'C:\Jie\vscode\alfssl2_work_client\Debug\ssleay32.dll', Symbols loaded.
'alfssl2_server.exe': Loaded 'C:\Jie\vscode\alfssl2_work_client\Debug\libeay32.dll', Symbols loaded.
My application is running in debug mode, in my application's project properties, Debug Information Format is: Program Database(/Zi) Runtime Library: Multi-threaded Debug DLL(/MDd)

I don't use the 'debug' flavor, I make sure my compile includes /Zi /Oy- and my link includes /debug /opt:ref

This usually works for me (although it optimizes out a lot of locals, I usually only need to see the arguments passed down the call stack.)

Bill
Re: How to debug into the OpenSSL(openssl-0.9.8a) source code
Venkata Sairam wrote:
I am also encountering the same problem. I tried adding in options as suggested. I had modified the CFLAG and LFLAG as below.
CFLAG= /MD /Ox /O2 /Zi /Oy /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_SYSNAME_WINNT -DUNICODE -D_UNICODE -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5
LFLAGS=/nologo /subsystem:console /machine:I386 /debug /opt:ref

NOT /Oy !!! That's a BS optimization, sure it reduces processing time at the cost of making your stack worthless.

/Oy-

The minus sign is NOT a typo. Turn off the option, then report back.

Bill
Re: Updating OPENSSL
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Sat, 18 Mar 2006 02:27:18 -0500, Hector Santos [EMAIL PROTECTED] said:

ssluser> I have multiple applications using OPENSSL 0.9.7c and I'm finally getting
ssluser> around to updating it.
ssluser>
ssluser> Can I just use the new DLLs for 0.9.8a or do I need to
ssluser> recompile my applications? I take it I will be fine with
ssluser> 0.9.7i dlls.

The 0.9.8 are likely to be binary-incompatible with your modssl compiled for 0.9.7. Stay with 0.9.7 until you update your mod_ssl.so module! They must stay in-sync.

It really depends on what your application uses the libraries for. There are some fundamental changes in some parts of the libraries between the 0.9.7 and the 0.9.8 series, so to be on the safe side, I'd recommend you to recompile your applications for 0.9.8a.

Also keep in mind when building httpd that if you are compiling in with php, perl, or openldap, they must all be binding to the same openssl binary. If you load mod_php, mod_perl, and mod_authnz_ldap built against openldap (ssl-enabled) you are loading these bindings on the fly, and if one has been built against a different openssl, things will come crashing down around you (if they load at all.)

Bill
Re: GNU C (MinGW) - Error 2
Doug Frippon wrote:
I mean instead of just writting tmp\e_os.h in your config file ( there one probably) write down c:\openssl-0.9.8a\tmp\e_os.h maybe mingw32 couldn't find tmp\e_os.h and need the full path to that file

Certain that \o isn't a quoted o in this context? Forward or doubled-back slashes?
Re: Compiled on windows but lacking symbols
Chandi Bernier wrote:
My point was... why on Linux did I need only libssl and to compile the same client on Windows/MinGW requires libssl and libeay32.

Something's wrong. You either want libssl + libcrypto, or libssl32 + libeay32.

On Linux the reason it -probably- worked is that
1. linux doesn't care that symbols aren't resolved, and
2. libssl.so might have had an internal linkage to libcrypto.so, causing it to be loaded on the fly.
3. libtool may have picked up the libcrypto.so dependency from the pkgconfig file for the library.
Re: Compiled on windows but lacking symbols
William A. Rowe, Jr. wrote:
Chandi Bernier wrote:
My point was... why on Linux did I need only libssl and to compile the same client on Windows/MinGW requires libssl and libeay32.

Something's wrong. You either want libssl + libcrypto, or libssl32 + libeay32.

Whoops - you either want libssl + libcrypto, or ssleay32 + libeay32. Sorry for the confusion and thanks to the good Dr. for pointing this out.
Re: compile error in randfile.c on Solaris 10 Opteron
Tinnerello, Richard wrote:
Hello, I'm having trouble building 0.9.7i on a Solaris 10 on x86 (Opteron) machine. I configured manually with:
./Configure solaris-x86-gcc --prefix=/sci/openssl-0.9.7i no-idea no-rc5 no-mdc2 fiips
make depend is OK, but make gets this compile error:
/usr/include/sys/siginfo.h:259: error: parse error before ctid_t

Yes, that's a failure to run ./mkheaders from the gcc package, instructions are clearly shown in red font on sunfreeware.com's site among others. Glad your admin worked that out.

Bill
Re: Trying to build OpenSSL 0.9.8a from source
Fabro, Loic wrote:
Hum... I remove support for IDEA (and no fPIC) and now the test is segfaulting..

make clean
make depends
?
Re: function PEM_read_RSAPrivateKey not returning
Matthias wrote:
Kyle Hamilton wrote:
Did you make sure to remove %SYSTEMROOT%\system32\ssleay32.dll and libeay32.dll? Just running the uninstaller doesn't get rid of them.

No, I forgot that. Sorry, my fault. I now replaced those two DLLs with the ones I compiled myself. Good news: in Release mode my program works as expected. Bad news: in Debug mode it crashes.

This is very typical of applications compiled under Microsoft compilers where the library is built one way and the application is built another. Please make certain your debug build of your consuming app and the library match in cl.exe/link.exe flags, both debug, or both release.

Bill
Re: function PEM_read_RSAPrivateKey not returning
Matthias wrote:
I deleted all ssl-related DLLs on my system now. When I compile OpenSSL as described in INSTALL.W32, point the include library directory of my example program on openssl\out32dll, recompile my example program, copy the 2 DLLs from openssl\out32dll to my example project directory... ...then my example program will succeed when I run it in Release Mode but will crash when I run it in Debug Mode. When I compile OpenSSL as described in INSTALLW32 with that tweak (*), point the library include directory on openssl\out32dll.dbg, recompile my example program, copy the 2 DLLs from openssl\out32.dbg to my example project directory... ...then my example program will crash when I run it in Release Mode but will succeed when I run it in Debug Mode (so just vice versa).

(*) tweak in file ms\do_masm.bat:
perl util\mk1mf.pl debug VC-WIN32 ms\nt.mak
perl util\mk1mf.pl debug dll VC-WIN32 ms\ntdll.mak

Surprisingly the DLLs have exactly the same size, no matter whether compiled with that tweak or not. They are binary different though.

This is not a surprise. Debug symbols land in a separate file, but the segment alignment means that minor changes to the compile process generally create identically sized files.

libeay32.dll: 1.220.608 Bytes
ssleay32.dll: 249.856 Bytes
Despite many *.pdb files in the openssl\out32dll.dbg directory I am unfortunately not able to produce a more nice call stack :(

You are looking for the result from the linker, probably libssl32.pdb and libeay32.pdb, which you should move *WITH* the actual .dll files to their final location.

So, result is that I have to use the LIBs and DLLs from out32dll when compiling and running in Release mode and the LIBs and DLLs from out32dll.dbg when compiling and running in Debug Mode. In any other mixture it simply crashes. But at least it doesn't just halt/loop anymore.

One most confusing thing is that MS actually has two -different- pdb files. One is a source program database, one is an executable program database. You want to locate the one with a name matching your .dll files into the same location as the .dll that your application loads.

You also want to ensure that /ZI or /Zi is used to compile your app, and /debug given to linking your app, so that you can unwind the stack from the library into your app.

Finally, it also helps to turn off optimization (/Od to the compiler) to make stacks more readable, and I personally throw out the /Oy flag (/Oy- to force this) no matter what. That flag causes the compiler not to build neat stack frames out of some twisted desire for efficiency. Even my release builds are /Zi /O2 /Oy- to get all the optimizations but with stack frames and .pdb results, and then linked with /debug /opt:ref.

Bill
Re: Problems with deprecated kbhit() under MS VC/C++ V8.0 (Visual Studio 2005)
Daniel Maag wrote:
Hi, I am trying to compile OpenSSL V0.9.8a. Visual Studio 2005 has several functions deprecated (read,write,fileno).

Honestly, I don't believe that OpenSSL should waste cycles to support any compiler that deliberately moves away from posix. Fairly certain it's MS's goal to move as far away from building open source as they can without pissing off commercial developer/users enough to move to alternate compilers (which don't necessarily keep up with every latest and greatest hooks into the MS API). Just my 2c.

[FYI I understand the behavior varied in multiple versions of the beta into the final release.]

You might refer to the cl flags to enable the 'deprecated' posix standard for C; the ISO C++ standard doesn't apply to C language code, in spite of all the dreamy //thoughts Microsoft has on C language parsing.

Bill
Re: SSL v2/3 and TLS.. How to be flexible?
TLSv1_server_methods() do not speak the crufty old SSLv2 garbage, you can't connect to it using a multi-protocol handshake. For maximum portability use SSLv23_server_methods()

On the client side it doesn't matter, if you want a TLSv1 connection only, then by all means use TLSv1_client_methods().

Lee Dilkie wrote:
Hey Folks, I've hit a bit of a wall here. I want to build a simple client and server that can handle SSL and TLS connections. It's not turning out as simple as it looks and googling hasn't yielded a solution either. Put simply. If I create a client-server where one end uses TLSv1_method() and the other uses SSLv23_method(), they refuse to negotiate. If both ends are set to SSLv23_method() then I see (from SSL_get_current_cipher) that an SSLv3 connection is negotiated (wish it was TLS, then i'd be happy). Is there some (hopefully easy) method to create a server that can handle either SSL or TLS incoming connections? Or, if both ends support it, negotiate to TLS? TIA, -lee
Re: servername extension and apache 2.2.0
If you want to submit and have considered by the httpd project, perhaps you meant to submit it there? Nice work b.t.w.

Bill

Peter Sylvester wrote:
Hello, I just have put together the small patch for apache 2.2.0 which allows to use the servername extension logic in the development snapshot in order to select a different ssl context, and also to renegotiate if the vhost indicated by Host: has a different SSL_ctx (e.g. certificate). The patch also includes a little const fix due the SSL_method change. See http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch and http://www.edelweb.fr/EdelKey/ for the background story. Have fun, Peter
Re: how to install MOD_SSL on Windows2003 server .. plz help!
kadir iscmng wrote:
> I downloaded and installed SFU35SEL_EN.exe (Windows Services for UNIX) software

I'll just warn you that you've wandered deep, deep into uncharted waters :) The native win32 build is the only one most folks support. Some have invested effort and energy into getting 1.3 cygwin running, afaik without major issues. The 2.x versions definitely aren't completely cygwin ready, but some folks are working on cygwin and mingw builds. Never read about anyone successfully deploying under SFU.

Good luck.

Bill
Re: How to build openssl for Mac-Intel computers
Jörg Eyring wrote:
> Hi everybody,
>
> we have a new platform - Macs with Intel processors. Is there a chance to build a static library (i386 code) for linking in Xcode 2.2? A static library with ppc code has been done already. I'd like to end up with a Universal Binary of my code.

For fun; doesn't configuring to build bsd x86 work for you? Provided your toolchain looks even remotely like a bsd box, which darwin is derived from, the assembly code will be x86.
Re: OpenSA patching
Bernhard Froehlich wrote:
> Dan Peacock wrote:
>> I've got a production site running OpenSA 1.0.4 (which uses OpenSSL 0.9.6c, Apache 1.3.27, and mod_ssl 2.8.11) and we need to upgrade it to plug the security holes that this version has. Is there anything that I can do to upgrade this install? Can I drop in the latest version of Apache 1.3 and mod_ssl?
>
> As far as I am concerned I didn't have any troubles with Apache while upgrading OpenSSL (the two times I did it). But I don't have any idea about OpenSA.

Nor I. But in general, unless your source tarball is within the last 60 days, you might want to upgrade with 0.9.7-latest, since 0.9.8 introduces some changed declarations that older versions of Apache (e.g. 1.3.33+mod_ssl and 2.0.54) will choke on. The bleeding edge 1.3.34+mod_ssl-latest and 2.0.55 both support 0.9.8a, I do believe.
Re: (export control) AES 128 bit
Dudue Doo wrote:
> I would like to implement a C++ program that will use openssl to encrypt packets using an AES 128 bit key. However, the problem is that I live in the US. Does this mean that I will be breaking the export control law if I put the program on a server for others to download? I have looked at various sources but could not find the answer to my question.

You *really* should have a lawyer guide you, but if you look on the BIS website with respect to open source code, there are certain TSU exemptions for open source software, and alternate policies w.r.t. commercial applications that rely on open source cryptography modules, relying on some basic notifications to the BIS at time of publication. Not saying it's not an issue, just that it's one you can probably address without too much hand wringing or cost.

Bill