Re: This is one for the Pros: cert is not privkey
Peter Parker wrote:

Dave,

Thank you for the quick and thorough response. This is good stuff.

Yes, so the files I will be encrypting will be over 100 bytes. I am aware of the key size requirements - 1028 was only used as a placeholder for the example commands I provided. Does this mean that I will be able to use RSA or not?

You lost me with the chaining and AKI stuff. I have no idea what either of those mean. Does the CMS approach that you suggested address this issue? In either case, I like the idea of using CMS.

The major reason that I am using the x509 (or originally the ca) utility is that I want to be able to set begin and end valid dates (-startdate, -enddate) for the public and private keys and create certificates as well. I also want to associate some metadata with them like organization and locality; for that I am currently using the -subj command.

Am I correct that the large PEM file includes both a public and private key? If so I should be able to extract them from the PEM and then use something (rsautl, enc or ...) to encrypt and decrypt the files. After successfully extracting what I understand to be a public key from the PEM, I receive this error from the rsautl utility:

    "unable to load Public Key. Error in rsautl"

Without going into the ins and outs of using the openssl utility, you can actually infer a lot from the output PEM files themselves. They are text files with the certificate parts and key parts base64 encoded and bookended by

    -BEGIN CERTIFICATE- ... -END CERTIFICATE-

for certificates, in which case you can use 'openssl x509 arguments' to inspect them; run "openssl x509 -help" for the options in this case. AND

    -BEGIN RSA PRIVATE KEY- ... -END RSA PRIVATE KEY-

for a key (but notice this key is actually an RSA key; you can have other types of keys, so this text may be something like 'BEGIN other type PRIVATE KEY'). The RSA keyword gives you the clue to use 'openssl rsa args' to inspect this one; try 'openssl rsa -help' to see what is available.

You should also know the password for the private key or you will be told zip by 'openssl rsa'. The private key should be passworded, but you can strip the password from them, which is not recommended but procedurally easier in some circumstances beyond this discussion. Also note that some certificates may or may not include a key in the output file; if they don't, you will have a separate key file. But just looking at the certificate or key file and the bookends of the base64 encoded part will tell you which file contains what.

Could you give me some examples of how you would use CMS or, just use these utilities properly, to achieve what I'm trying to do.

I really appreciate your help.

Thanks,
Peter

On Tue, Nov 20, 2012 at 10:17 PM, Dave Thompson dthomp...@prinpay.com wrote:

From: owner-openssl-us...@openssl.org On Behalf Of Peter Parker
Sent: Tuesday, 20 November, 2012 20:59
Subject: This is one for the Pros

Not really. This is pretty basic.

I've been trying to generate a public/private key pair after generating the certificates, but OpenSSL keeps giving me an error. The commands and the error are below. Thanks.

No you're not; you're generating a CA keypair and cert (directly), then an application keypair, then an application cert (via CSR). Which is the (well, a) correct sequence, for one entity.

Commands

    #openssl req -new -x509 -extensions v3_ca -days 365 -keyout caKey.pem -passout pass:test -out caCert.crt -batch

    #openssl genrsa -out application.pem -passout pass:test -des3 1028

1028 is an unusual size for an RSA key; most folks use power-of-2 based values like 1024 1536 2048. 1024 is presently rather marginal for security; for example, NIST has it deprecated since the end of 2010, and prohibited after the end of 2013, for US government use.

    #openssl req -new -key application.pem -passin pass:test -out application.csr -batch

A second req -new -batch generates a CSR with the same DN ...

    #openssl x509 -req -days 365 -in application.csr -CA caCert.crt -CAcreateserial -CAkey caKey.pem -passin:test -out test-key.pem -extensions ssl_cert

... thus this
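As an added example (not part of this thread, and not the openssl tool itself): a small shell helper that does what the reply above describes by hand, reads the -----BEGIN ...----- bookends of a PEM file, reports whether one file bundles a certificate and a private key, notes whether a traditional RSA key is password protected, and names the openssl subcommand that can inspect each block. The sample files are constructed and their base64 bodies are placeholders, not real key or certificate material; the subcommand mapping is my choice.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM file by its bookends and
# pick the matching openssl subcommand. Sample files below are constructed;
# the base64 bodies are placeholders, not real keys or certificates.

# pem_labels FILE -> the label of every "-----BEGIN <label>-----" line
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pem_is_encrypted FILE -> true when a traditional-format key carries the
# "Proc-Type: 4,ENCRYPTED" header, i.e. 'openssl rsa' will ask for a password
pem_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# pem_inspect_cmd LABEL FILE -> the openssl command that can read that block
pem_inspect_cmd() {
    case "$1" in
        CERTIFICATE)            echo "openssl x509 -in $2 -noout -text" ;;
        'RSA PRIVATE KEY')      echo "openssl rsa -in $2 -noout -text" ;;
        'PRIVATE KEY'|'ENCRYPTED PRIVATE KEY')
                                echo "openssl pkey -in $2 -noout -text" ;;
        'PUBLIC KEY')           echo "openssl pkey -pubin -in $2 -noout -text" ;;
        'CERTIFICATE REQUEST'|'NEW CERTIFICATE REQUEST')
                                echo "openssl req -in $2 -noout -text" ;;
        *)                      echo "unknown PEM label: $1" ;;
    esac
}

# pem_has_cert_and_key FILE -> true when one file bundles both a certificate
# and a private key (the question asked about the "large PEM file" above)
pem_has_cert_and_key() {
    labels=$(pem_labels "$1")
    echo "$labels" | grep -qx 'CERTIFICATE' &&
    echo "$labels" | grep -q 'PRIVATE KEY$'
}

# pem_report FILE -> one line per block: label, password note, inspect command
pem_report() {
    pem_labels "$1" | while IFS= read -r label; do
        note=""
        case "$label" in
            'ENCRYPTED PRIVATE KEY') note=" (password protected)" ;;
            *'PRIVATE KEY')
                if pem_is_encrypted "$1"; then note=" (password protected)"; fi ;;
        esac
        printf '%s%s -> %s\n' "$label" "$note" "$(pem_inspect_cmd "$label" "$1")"
    done
}

tmpdir=$(mktemp -d)

# Constructed: the shape 'openssl genrsa -des3' leaves behind (placeholder body).
cat > "$tmpdir/caKey.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE6
-----END RSA PRIVATE KEY-----
EOF

# Constructed: a file that bundles a certificate and an unencrypted key.
cat > "$tmpdir/bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE6
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE6
-----END RSA PRIVATE KEY-----
EOF

pem_report "$tmpdir/caKey.pem"
pem_report "$tmpdir/bundle.pem"
```

Note that rsautl loads a private key unless told otherwise: -pubin selects a public-key file and -certin a certificate, so the label the helper prints also tells you which of those options a given file needs.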
Re: 9GB libcrypto.a in openssl-1.0.1c
We saw this earlier with another build product. I think the 'ar' program in some of these build environments (oh all right, IDEs) is just adding entries to an existing libcrypto.a. I suspect that the build environment extracts 'libcrypto.a' plus some other binaries out of some source control system. Over time such 'libraries' get a little large (is there an emoticon for irony?).

I suggest one of at least three options to remedy this:

EITHER
1. Removing the libcrypto.a file from the source control system altogether.
OR
2. Modifying the source control system so it knows to only check out source files (rather than binaries) prior to a build.
OR
3. Adding 'make clean' and 'rm Makefile' before running Configure in the build environment.

2 and 3 are preferable as there may be other files getting large as a result of the build adding object files to existing (that is, checked out) binaries.

Good luck Dennis and others.

Jeremy Hunt

Zack Weinberg wrote:

On Sun, Jul 29, 2012 at 11:00 AM, Dennis Clarke dcla...@blastwave.org wrote:

After a build of openssl-1.0.1c on Solaris 10 with the Sun Studio 12 compilers I was very surprised to see this :

    # ls -l libcrypto.a
    -rw-r--r-- 1 root root 9908820968 Jul 17 19:47 libcrypto.a

It's not supposed to be that large. I've never built on Solaris, but this OSX build is typical as far as I can tell:

    -rw-r--r-- 1 root admin 3136968 May 10 09:28 /opt/local/lib/libcrypto.a

I'm inclined to suspect something funny with the Sun Studio compilers. I would be interested to know what size libcrypto.a prints for you. That will indicate which of the object files in the library is/are responsible for its overall size.

zw

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Make issue with openssl-1.0.0f and openssl-1.0.0j
The error message is all important.

    ar: ../../libcrypto.a: cannot write: Bad address

Bad address is an invalid pointer; cannot write means some access or system error, which an invalid pointer can be an instance of. Seeing as you can use ar to read this file, I assume it is there, even though it is truncated (which is a clue in itself).

Check that the address used (../../libcrypto.a) points to it from /vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha, though it looks right and I would expect the ar command would create a new one if it didn't find it.

Make sure that the components sha_dgst.o sha1dgst.o sha_one.o sha1_one.o sha256.o sha512.o sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o have all been created, though I would expect the make would have failed earlier if any didn't exist.

Make sure that you have read access to the components and that you have write access to /vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j, though I expect you will, unless you use two user ids to build software with and an earlier make was interrupted, in which case user id 1 may have write access to libcrypto.a and you don't.

Make sure you have no disk write errors in your system logs.

There was some talk of the file system being full; if this was an issue, how much space do you have left? Under Solaris some percentage (I think it is 10%) is left as only writeable by root user to try and stop system crashes due to full file systems.

Is this disk a virtual or remotely mounted file system? There may be an issue due to that.

You might also like to try writing to libcrypto.a with ar too to see if there is an error. The build has been interrupted, so the file has to be removed anyway, so nothing lost if you corrupt it further. If you can, try writing to it (with ar) from the directory you had problems with, /vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha.

If you can find nothing wrong, then try unpacking openssl-1.0.0j somewhere else (with lots of room) and rebuilding, see if that works.

Good luck, I hope that little task list helps you find your problem.

Jeremy

Barone, Philip wrote:

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Tuesday, July 17, 2012 1:03 PM
To: openssl-users@openssl.org
Subject: Re: Make issue with openssl-1.0.0f and openssl-1.0.0j

On 7/17/2012 6:22 PM, Barone, Philip wrote:

Hi,

I am having issues make'ing openssl-1.0.0j (f fails as well) on Solaris patch level 5.10 Generic_147440-13 sparc. It works fine at OS patch level 5.10 Generic_125100-10 sparc. I am compiling this using solaris64-sparcv9-cc like I have always done. It fails trying to create libcrypto.a; I notice that libcrypto.a is over 11GB when the make finally quits. This is what it looks like when it quits:

    ...
    /apps/sun_studio_10_p2/SUNWspro/bin/cc -I.. -I../.. -I../asn1 -I../evp -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o sha512-sparcv9.o sha512-sparcv9.s
    ar r ../../libcrypto.a sha_dgst.o sha1dgst.o sha_one.o sha1_one.o sha256.o sha512.o sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o
    ar: ../../libcrypto.a: cannot write: Bad address
    make[2]: *** [lib] Error 2
    make[2]: Leaving directory `/vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto/sha'
    make[1]: *** [subdirs] Error 1
    make[1]: Leaving directory `/vobs/IAS_Software_3/COTS/openssl/openssl-1.0.0j/crypto'
    make: *** [build_crypto] Error 1

I was wondering if there are any other Solaris guys out there that may have input on this?

[Barone, Philip] Jakob, Thanks for the quick reply, see my responses below.

Not a Solaris guy, but here are two things to check with this set of error messages:

1. Is the disk full due to this unreasonably large .a file?

[Barone, Philip] I did have disk space issues at first, because of the size, but was able to free up more than enough space to get this to run to completion.

2. Does the 11GB .a file contain multiple copies of each .o file, perhaps every version you ever compiled? (You can test this with the command $ ar -t libcrypto.a)

[Barone, Philip] This does not appear to be the issue either:

    Server1 ar -t libcrypto.a
    cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o sparcv9cap.o sparccpuid.o o_names.o obj_dat.o obj_lib.o obj_err.o obj_xref.o md4_dgst.o md4_one.o md5_dgst.o md5_one.o

If the second is true, then there is a bug in how make invokes ar when an .o file has been recompiled. The workaround would then be to do a clean build every time.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote
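As an added example serving both the 9GB libcrypto.a thread and this one (not code from either thread): the question in both is whether the archive holds repeated copies of the same .o members and which members account for the size. This helper answers that from 'ar -tv' output; it reads the listing on stdin, so the constructed sample below stands in for 'ar -tv libcrypto.a' on the affected machine.

```shell
#!/bin/sh
# Added example, not from the threads: find duplicated members and the biggest
# contributors in an 'ar -tv' listing. Field 3 of 'ar -tv' is the member size
# and the last field is the member name, on GNU and Solaris ar alike.

# ar_member_stats < listing -> "name copies total_bytes", largest total first
ar_member_stats() {
    awk '{ n = $NF; copies[n]++; bytes[n] += $3 }
         END { for (n in copies) printf "%s %d %d\n", n, copies[n], bytes[n] }' |
    sort -k3,3nr -k1,1
}

# ar_duplicates < listing -> names that appear more than once (empty if none),
# which is what 'ar -t | sort | uniq -d' would show
ar_duplicates() {
    ar_member_stats | awk '$2 > 1 { print $1 }'
}

# ar_total_bytes < listing -> sum of member sizes, to compare against ls -l
ar_total_bytes() {
    awk '{ s += $3 } END { printf "%d\n", s }'
}

# Constructed sample: a library that repeated 'ar r' runs have bloated with
# duplicate members, the situation the threads suspect.
sample_listing='rw-r--r-- 0/0  12345 Jul 17 19:47 2012 cryptlib.o
rw-r--r-- 0/0   4321 Jul 17 19:47 2012 mem.o
rw-r--r-- 0/0  12345 Jul 17 19:47 2012 cryptlib.o
rw-r--r-- 0/0  98765 Jul 17 19:47 2012 sha512-sparcv9.o
rw-r--r-- 0/0  12345 Jul 17 19:47 2012 cryptlib.o
rw-r--r-- 0/0  98765 Jul 17 19:47 2012 sha512-sparcv9.o'

ar_demo_stats()      { printf '%s\n' "$sample_listing" | ar_member_stats; }
ar_demo_duplicates() { printf '%s\n' "$sample_listing" | ar_duplicates; }
ar_demo_total()      { printf '%s\n' "$sample_listing" | ar_total_bytes; }

ar_demo_stats
```

If the total from ar_total_bytes is far below what ls -l reports, the archive has been truncated or padded rather than filled with members, which points at the ar write error rather than at duplicate objects.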
Re: Apache 2.2.22 and OpenSSL
The Doctor wrote:

On Wed, May 30, 2012 at 08:45:46AM -0400, bhorow...@vai.net wrote:

Quick question for the group. I am running Apache 2.2.22 with OpenSSL 1.0.1c installed. This machine formerly had 1.0.0d and I am noticing that the apache logs are stating that OpenSSL is still at the earlier version. However when I do an openSSL version command it responds saying I am at the later release. How do I gracefully correct this situation (Linux Suse Enterprise server 11)? I thought that if I go through the Apache install again and point to the OpenSSL version that is installed that this problem would be solved but I was wrong. Any help would be appreciated.

Commands used to install openSSL:

    ./config --prefix=/usr/local/lib/openssl
    make
    make test
    make install

Commands to install apache:

    ./configure --enable-proxy --enable-so --enable-ssl --with-ssl=/usr/local/lib/openssl   (location of openssl 1.0.1c)
    make
    make install

Did you recompile your apache with the new openssl?

Hi Bernard,

Perhaps the Doctor is suggesting you may need to do a make of apache in a totally clean directory. If you have built apache before you installed the new OpenSSL in that directory, then running make in it again will not rebuild and relink your code. So you may need to unpack a totally new apache directory, which is possibly safer than using 'make clean'. I say this because if you ran 'configure' in that directory previously it will have done things like create your Makefiles, which will probably set the library paths.

Three other things to try:

1. Assuming you are using dynamic libraries, then run strace to see where apache is getting its SSL libraries. You may need to change your library path in the apache startup script.

2. This is probably related to 1: investigate how SELinux sets the user environment, check to see what your system is doing and how this affects library searches for dynamic libraries.

3. If apache uses static libraries (unlikely) and you have built from a clean directory, I suggest you look to see if the old libraries still exist on your system; you may find the build is finding them before your new libraries. You will find this from the make output. If this is the case you need to modify your library path for the build, or move (or remove) the other version of OpenSSL before the build. Be careful of the latter case: other code on your system will almost certainly be using the other libraries, so removing or even moving them may not be a good idea.

Good Luck,

Jeremy
Re: openssl/crypto cleanup
Hi Nou,

In that case my third point seems most relevant to you. There are a whole bunch of structures that are set up to hold and retain the various pieces of network data, file data, crypto data, certificates and keys required for SSL. If you are doing a thorough test then you are probably using a lot of them; have a look in apps/x509.c, which is probably able to do a lot of the stuff you are doing to test certificates, and look at the structures created and released.

To be more helpful, try and isolate the section in your code that is failing to identify the structure with the bad data. You might be able to do this by progressively pulling out crypto tests until you find the test(s) that are dirtying the offending structure.

Good luck

Jeremy

Nou Dadoun wrote:

Thanks for the note, seems like it's even more fundamental than that because the unit test not only doesn't establish an ssl connection, it doesn't even use an ssl context! As a certificate unit test, it's *only* testing our various certificate deployment scenarios to make sure that we retrieve the right CA certificate and do a verification correctly (we also do a test encrypt/decrypt on the keys to make sure they're usable). The spoiler crypto tests don't use an ssl context either (they're really just using test encrypt/decrypts for the various algorithm deployment scenarios) so it's still a little mysterious why the two would interfere with each other! It would seem to be right down in the crypto algorithm code because that seems to be all that they have in common. That's why a total scrub cleanup function would be useful ...

N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-Original Message-
From: jeremy hunt [mailto:jere...@optimation.com.au]
Sent: April 10, 2012 6:11 PM
To: openssl-users@openssl.org
Cc: Nou Dadoun
Subject: Re: openssl/crypto cleanup

On a disconnect check the state of the SSL data structure and call SSL_free if it is not null.

    if (*sslptr != NULL) {
        SSL_free(*sslptr);
        *sslptr = NULL;
    }

Though as you say it is a certificate issue, then perhaps you need to look at SSL_CTX_free(*sslctxptr). Look at the man page for this. Perhaps you are reusing an SSL context structure. We don't need to call this in our disconnect code, but testing code may reuse a structure that running code doesn't.

If these don't work for you, then maybe you should look at putting in some diagnostic printfs to look for where the dirty data is being kept; you might be reusing something like a DH or X509 structure and you may need to call a free or cleanup function for that particular structure.

I don't know about the callback function, but I like your guess.

Good Luck,

Jeremy

Nou Dadoun wrote:

Hi, I've looked at the archives and didn't see any apropos discussions so I thought I'd go straight to the list:

We use the openssl crypto libraries in several places in our product both in fips and non-fips modes. We have a set of unit tests to exercise various portions of our code to ensure that our implementations using these tools work the way that they're supposed to.

I've run into an unusual problem: we have a set of crypto (encrypt/decrypt) tests and a separate set of certificate tests (e.g. retrieve a certificate and its CA and do a certificate verification). If I run the certificate tests first and then the crypto tests, all the tests pass and everything works great. If I run the crypto tests first and then the certificate test, the verification fails due to a "signature" failure. This implies to me that the crypto tests are leaving something in the openssl/crypto machinery in a funky state which breaks the subsequent certificate signature computation.

A couple of questions:

What can I do to completely clean the openssl/crypto state to ensure that this doesn't happen? I've added:

    CRYPTO_cleanup_all_ex_data();
    ENGINE_cleanup();

But this appears to be inadequate (I suspect necessary but insufficient), any suggestions? (I've reordered the tests so that they're passing now but I'd like to avoid this hack if I can.)

Second question, I added a verification callback routine, e.g.

    #include <stdio.h>
    #include <openssl/x509_vfy.h>

    static int verify_callback(int ok, X509_STORE_CTX *stor)
    {
        if (!ok) {
            /* X509_STORE_CTX_get_error() is the accessor for stor->error */
            printf("verify_callback Certificate Verification Error: %s\n",
                   X509_verify_cert_error_string(X509_STORE_CTX_get_error(stor)));
        } else {
            printf("verify_callback Certificate Verification Success\n");
        }
        return ok;
    }

I've put a breakpoint in it and noticed that when verifying a certificate, this callback is called twice. In the successful order above (cert then crypto tests) both calls have ok == 1; in the unsuccessful order (crypto then cert), the first call is 1 and the second is 0 with a "signature error" reported. Why is it called twice and what's the difference? (I suspect the second is signature checking and the first is everything else but I'm curious).

Thanks in advance ...

N

---
Nou Dadoun
ndadoun@teradici.com
604-628-1215
Re: OS390 UNIX - openssl install questions
Hi Terri et al,

I think Jaaron has probably answered the wrong question; let it pass.

Now Terri, you say you attempted to install OpenSSL; perhaps you could give us some more information and we could help you:

1. Did you build OpenSSL on or for the OS390? Or did you get a copy or package from somewhere else?
2. How did you attempt to install OpenSSL on your OS390?
3. What errors did you get when attempting to use or install it?
4. If the errors you got were when attempting to use it, how or what did you invoke to get these errors?
5. Were the errors on your screen, or from a log?

At a guess, you say you had errors when attempting to configure it, so I would guess that you have installed an OS390 package. You don't really give us a lot to go on.

Regards,

Jeremy

Jeremy Farrell wrote:

I suppose that might be useful for someone who's interested in installing OpenSSL on a Mac, though I can't imagine how they'd be supposed to guess to search that particular site. What's it got to do with your subject line or the question you replied to though? And why is it of high importance?

-Original Message-
From: Jaaron Anderson [mailto:janders...@widener.edu]
Sent: Thursday, April 05, 2012 2:28 PM
To: openssl-users@openssl.org
Cc: terri.e.shaf...@jpmchase.com
Subject: RE: OS390 UNIX - openssl install questions
Importance: High

install openssl on mac
http://lmgtfy.com/?q=install+openssl+on+mac+site%3Aexperts-exchange.com

hth

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Shaffer, Terri E
Sent: Wednesday, April 04, 2012 3:15 PM
To: openssl-users@openssl.org
Subject: OS390 UNIX - openssl install questions

Hi,

I was wondering if anyone had any information on how to install openssl on z/OS UNIX? I have been getting numerous errors with the config and/or Configure files and am sort of at a loss.

Thanks

Ms. Terri E. Shaffer
terri.e.shaf...@jpmchase.com
Engineer
J.P.Morgan Chase Co.
GTI DCT ECS Core Services
zSoftware Group / Emerging Technologies
Office: # 614-213-3467
Cell: # 412-519-2592
Re: Successfully building openssl-1.0.1 with Microsoft Visual Studio.
Thomas J. Hruska wrote:

On 3/23/2012 12:53 AM, jeremy hunt wrote:

This posting is to help people to build OpenSSL 1.0.1 with Microsoft Visual Studio. It may also indicate a required change to the build instructions for Microsoft Visual Studio.

Summary:
I found I needed to install the Windows SDK and manually configure my build environment to successfully build OpenSSL 1.0.1

Details:
(cut out for this reply, refer to my original posting if you need help)

Regards,

Jeremy

If you had to do that, then your command line build environment on your new machine was not set up correctly to begin with. Most modern projects would probably not have built (not just OpenSSL). As a Windows developer, the Windows SDK is an implied requirement for any project.

Thanks for that Thomas.

Generally what you say in this list is good, but in this case I do not think your statement is very helpful. It would be more collaborative to suggest a way to do that just for those people who have missed it, ... as I attempted to do in my original posting. I was pointing out that the standard tools did not do that for you. Perhaps you do not use the Microsoft Visual Studio Command Prompt Window for builds as I do. If there is a previous requirement for a build, the documentation generally states it. I am trying to help by suggesting a small change in the documentation which might cut down questions in this list.

If you think things that you take for granted are too trivial to tell the list, that is fine. I prefer to let people know problems I have had in the past in the hope it will help some of them and make them and this list more productive.

By the way, I had built a number of other Windows products on the new build environment before building OpenSSL, ... successfully and without the Windows SDK. As I stated it was a new build environment. OpenSSL was the fifth product I had built on the new environment and the first that required the Windows SDK, so I am unsure if I agree with your statement. Wouldn't it be better to explicitly state the requirement, rather than rely on previous knowledge?

Personally I am surprised that OpenSSL uses a native crypto lib, not that I have investigated why.
Successfully building openssl-1.0.1 with Microsoft Visual Studio.
This posting is to help people to build OpenSSL 1.0.1 with Microsoft Visual Studio. It may also indicate a required change to the build instructions for Microsoft Visual Studio.

Summary:
I found I needed to install the Windows SDK and manually configure my build environment to successfully build OpenSSL 1.0.1

Details:
I recently had to move my build machine to another PC, and I needed to build OpenSSL 1.0.1. I had installed MS Visual Studio 2005 on a Win XP system. I followed the excellent build instructions in the INSTALL.W32 file. I built from a Visual Studio 2005 Command Prompt window as I always do.

Unfortunately my first build failed in the link phase because it couldn't find crypt32.lib. On further investigation I found that crypt32.lib was in the Microsoft SDK which I had to download and install on my build machine.

I trashed my build directory and unpacked a new one, so I could go through the configure script with the installed SDK. I started a new Visual Studio 2005 Command Prompt Window for the build. Unfortunately the configure script did not find the SDK libraries and my build failed in the same place.

So I manually modified the vsvars32.bat file that the Visual Studio Command Prompt uses to load its environment variables. I added:

    %Program Files%\Microsoft SDKs\Windows\7.0\Bin       to PATH
    %Program Files%\Microsoft SDKs\Windows\7.0\Include   to INCLUDE
    %Program Files%\Microsoft SDKs\Windows\7.0\Lib       to LIB

(On my system this file can be found in %Program Files%\Microsoft Visual Studio 8\Common7\Tools)

Again I trashed the build directory and unpacked a new one. I started a new Visual Studio 2005 Command Prompt Window and went from the configure phase right through to build and test. Everything worked beautifully. All modules were built and all the tests passed successfully.

As I said, I hope this helps others and, if appropriate, the developers might want to state the Microsoft SDK is a requirement for Visual Studio builds.

Regards,

Jeremy
Re: VMS client ASN1 decoding error, was RE: Hello!
Dave may be right about there being no direct evidence for a read. However I have since looked at the code the error is coming from, and the error is being reported at the time the SSL context is being interpreted, which doesn't mean the initial loading of the SSL context wasn't error free, as it appears the context can be loaded erroneously without a complaint. If that is true and the error occurs at context parse time, then any conjecture we make about the actual cause of the error is purely conjecture. I apologize to irivas for jumping to conclusions initially and suggested offline to him that he get more information from tools like snoop/tcpdump and truss/strace that may or may not be available in openvms.

The relevant information I gave to Irivas is this:

The error he was getting comes from ssl/s3_clnt.c in the ssl3_get_server_certificate() function. When this function parses a message buffer it decides is a certificate chain and cannot decode the DER format of one of the certificate elements in the chain via the function d2i_X509(), then it emits the error Irivas sees. If you look at http://www.openssl.org/docs/crypto/d2i_X509.html you will see that it says that the reverse function i2d_X509() has bad error handling in some versions of openssl and can result in the creation of a bad structure for d2i_X509() to process later. By way of explanation, openssl loads stuff into buffers first and processes it later.

One last thing: I hope the metadata of the openvms file structure doesn't get in the way of flat text processing. If a file is a different format to flat text, then you process it differently. The Windows/Unix text file nonsense is purely a disagreement about the end of line token and nothing to do with the file structure.

On 6/10/2010 7:34 AM, Dave Thompson wrote:

[snip much and fix formatting]

    545318540:error:0D07809F:asn1 encoding routines:ASN1_ITEM_EX_D2I:unexpected eoc:TASN_DEC:337:Type=X509_ALGOR
    545318540:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:TASN_DEC:566:Field=sig_alg, Type=X509
    545318540:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:S3_CLNT:816:$! NOTE: SSL3_GET_SERVER_CERTIFICATE

1409000D F_SSL3_GET_SERVER_CERTIFICATE R_ASN1_LIB sure looks to me like parsing the wire message. If verification failed because it couldn't parse the store, that's 14090086 F_SSL3_GET_SERVER_CERTIFICATE R_CERTIFICATE_VERIFY_FAILURE with an error stack including at least 0B06F009.

--
The whole modern world has divided itself into Conservatives and Progressives. The business of Progressives is to go on making mistakes. The business of the Conservatives is to prevent the mistakes from being corrected.
-- G. K. Chesterton

I must be a Progressive then :)
-- J. T. Hunt
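As an added example, not code from this thread: Dave's reading of 1409000D versus 14090086 rests on how OpenSSL packs an error code, so the helper below unpacks the library, function and reason fields of a code the way the 1.0.x ERR_PACK layout defines them and says where the failure originated. The library numbers and reason strings in its tables are only the ones quoted in this thread; everything else is reported numerically.

```shell
#!/bin/sh
# Added example, not from the thread: decode the packed code in a line written
# by ERR_print_errors(), so the "wire message or file?" question can be read off
# the code itself. Assumes the OpenSSL 1.0.x ERR_PACK layout: bits 31..24 are
# the library number, bits 23..12 the function number, bits 11..0 the reason.

# ERR_LIB_* numbers for the libraries that appear in the quoted error lines.
ossl_lib_name() {
    case "$1" in
        9)  echo PEM ;;
        11) echo X509 ;;
        13) echo ASN1 ;;
        20) echo SSL ;;
        *)  echo "lib$1" ;;
    esac
}

# Library-specific reason strings quoted in the thread (lib:reason -> text).
ossl_lib_reason() {
    case "$1:$2" in
        13:58)  echo "nested asn1 error" ;;
        13:159) echo "unexpected eoc" ;;
        20:134) echo "certificate verify failed" ;;
    esac
}

# ossl_err_fields HEXCODE -> "lib=L func=F reason=R"
ossl_err_fields() {
    code=$(( 0x$1 ))
    printf 'lib=%d func=%d reason=%d\n' \
        $(( (code >> 24) & 0xff )) $(( (code >> 12) & 0xfff )) $(( code & 0xfff ))
}

# ossl_err_explain HEXCODE -> one line saying where the failure originated.
# ERR_reason_error_string() tries the library's own reason table first and
# then the generic ERR_R_* table, where ERR_R_<X>_LIB has the same number as
# ERR_LIB_<X>: the function failed because a call into library X failed.
# So 1409000D is an SSL function failing inside ASN1 decoding of the message,
# while 0B06F009 is an X509 function failing inside the PEM file reader.
ossl_err_explain() {
    code=$(( 0x$1 ))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    own=$(ossl_lib_reason "$lib" "$reason")
    if [ -n "$own" ]; then
        printf '%s func %d: %s\n' "$(ossl_lib_name "$lib")" "$func" "$own"
    elif [ "$reason" -lt 64 ] && [ "$(ossl_lib_name "$reason")" != "lib$reason" ]; then
        printf '%s func %d: failed inside the %s library\n' \
            "$(ossl_lib_name "$lib")" "$func" "$(ossl_lib_name "$reason")"
    else
        printf '%s func %d: reason %d (not in this table)\n' \
            "$(ossl_lib_name "$lib")" "$func" "$reason"
    fi
}

# ossl_err_line "THREAD:error:HEX:lib:func:reason:file:line:data"
#   -> "HEX file:line explanation"   (the leading number is the thread id)
ossl_err_line() {
    printf '%s\n' "$1" | {
        IFS=: read -r thread kw code libname fname reasontxt file lineno data
        printf '%s %s:%s %s\n' "$code" "$file" "$lineno" "$(ossl_err_explain "$code")"
    }
}

# Constructed sample: the first and last lines of the stack quoted above.
sample_stack='545318540:error:0D07809F:asn1 encoding routines:ASN1_ITEM_EX_D2I:unexpected eoc:TASN_DEC:337:Type=X509_ALGOR
545318540:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:S3_CLNT:816:'

ossl_err_stack() {
    printf '%s\n' "$sample_stack" | while IFS= read -r l; do ossl_err_line "$l"; done
}

ossl_err_stack
```
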
Re: Hello!
You are reading files, see inline for discussion. On 5/10/2010 7:36 AM, irivas wrote: I don't even know where those errors come from. As I said before, the same code under Solaris runs alright. I'm only connecting to a regular webserver with ssl, nothing more, nothing less. I'm not consciously using anything other than plain http-- none of which is used up to that point. Calls made beforehand are: SSL_load_error_strings(); ERR_load_BIO_strings(); OpenSSL_add_all_algorithms(); ctx = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_load_verify_locations(ctx,NULL,foldername);//ctx is a SSL_CTX* See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html If *CApath* is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the *c_rehash* utility to create the necessary links. The certificates in *CApath* are only looked up when required, e.g. when building the certificate chain or when actually performing the verification of a peer certificate. If you look at the error below it is reading the certificate file. Try running a filter like unix2dos on your certificate files, and probably your configuration files on your OpenVMS system. Your certificate files are flat ascii files. bio = BIO_new_ssl_connect(ctx);//bio is a BIO* BIO_get_ssl(bio,ssl); //ssl is a SSL* SSL_set_mode(ssl,SSL_MODE_AUTO_RETRY); BIO_set_conn_hostname(bio,buffer);//buffer is a string of the form host:portnumber Anything I should be doing? The error occurs immediately afterwards. 
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Pierre DELAAGE
Sent: Monday, October 04, 2010 4:15 PM
To: openssl-users@openssl.org
Subject: Re: Hello!

ASN.1 encoding will require much more than a simple sprintf. If your resulting string is expected to be encoded in ASN.1, then there may be a problem there.

Pierre

On 04/10/2010 22:02, irivas wrote:

To further clarify: the error is a result of a call to BIO_do_connect(); prior to that call, I make a call to sprintf(%s:%d); (no newlines involved). I'll try substituting the sprintf for a more ubiquitous process and let you know. Any further ideas on the matter?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Pierre DELAAGE
Sent: Monday, October 04, 2010 3:25 PM
To: openssl-users@openssl.org
Subject: Re: Hello!

I do not know anything about OpenVMS and Solaris, BUT big endian / little endian and improper use of htons in YOUR software could explain many things. You should check also the \r and \r\n issue, even if not reading any file, because it may be in cause in fprintf(fd, "\n"); "\n" being expanded differently on some platforms.

Hope this may help,
Pierre

On 04/10/2010 21:09, irivas wrote:

I have a tiny software written to communicate with an http server; on a Solaris system it works alright, but on an OpenVMS system I'm getting these errors:

545318540:error:0D07809F:asn1 encoding routines:ASN1_ITEM_EX_D2I:unexpected eoc:TASN_DEC:337:Type=X509_ALGOR
545318540:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:TASN_DEC:566:Field=sig_alg, Type=X509
545318540:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:S3_CLNT:816:$!

NOTE: SSL3_GET_SERVER_CERTIFICATE

Any ideas? Where and what should I look for to fix this?

First thought - line endings. At least with local text file storage, OpenVMS provides cr-lf on reads. Solaris uses lf. Could this somehow be related to your problem over-the-wire?

I don't really think so -- I'm not reading from any files at the point this error occurs.
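The replies above reason from the parts of the error code (library, function, reason) and suspect line endings in files the CA store reads. As an added example, not code from the thread or from OpenSSL, the bash script below unpacks an OpenSSL 0.9.x/1.x error code the way ERR_PACK() lays it out (library in the top byte, function in the next 12 bits, reason in the low 12 bits), classifies the two SSL3_GET_SERVER_CERTIFICATE cases Dave distinguishes, and checks a PEM file for carriage returns. The function names, the labels wire-parse/verify and the sample stack (the thread's lines minus the DCL `$!` prompt) are this example's own.

```shell
#!/usr/bin/env bash
# Added example for the thread above; not code from the list or from OpenSSL.
# Decodes OpenSSL 0.9.x/1.x error codes (ERR_PACK: lib<<24 | func<<12 | reason)
# and tells a wire-parse failure apart from a verify failure, then checks
# PEM files for the CR characters the replies suspect.
set -eu

# Constructed sample: the error stack quoted in the thread.
SAMPLE_STACK='545318540:error:0D07809F:asn1 encoding routines:ASN1_ITEM_EX_D2I:unexpected eoc:TASN_DEC:337:Type=X509_ALGOR
545318540:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:TASN_DEC:566:Field=sig_alg, Type=X509
545318540:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:S3_CLNT:816:'

# err_fields HEXCODE -> "lib func reason" as decimal numbers
err_fields() {
    local code=$((0x$1))
    echo "$(( code >> 24 )) $(( (code >> 12) & 0xFFF )) $(( code & 0xFFF ))"
}

# classify_stack < error-stack-text -> wire-parse | verify | other
# Library 20 (0x14) is the SSL library; function 144 (0x090) is
# SSL3_GET_SERVER_CERTIFICATE, as the thread's 1409000D / 14090086 show.
classify_stack() {
    local line code lib func reason
    while IFS= read -r line; do
        case $line in *:error:*) ;; *) continue ;; esac
        code=${line#*:error:}
        code=${code%%:*}
        set -- $(err_fields "$code")
        lib=$1 func=$2 reason=$3
        if [ "$lib" -eq 20 ] && [ "$func" -eq 144 ]; then
            case $reason in
                13)  echo wire-parse; return 0 ;;   # 0x00D: ASN1 lib, the peer's certificate did not parse
                134) echo verify;     return 0 ;;   # 0x086: certificate verify failure against the store
            esac
        fi
    done
    echo other
}

# pem_has_cr FILE -> true when the file contains carriage returns (CR-LF line endings)
pem_has_cr() {
    LC_ALL=C grep -q "$(printf '\r')" -- "$1"
}

# Demo on the constructed stack: prints "wire-parse".
printf '%s\n' "$SAMPLE_STACK" | classify_stack
```

When `classify_stack` reports `wire-parse`, the bytes the server sent are what to inspect (a packet capture, or `openssl s_client` against the same host from a machine that works); when it reports `verify`, the CA store is the suspect, and `pem_has_cr` over each file in the CApath directory is the quick check for the CR-LF problem the replies raise.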
Re: memory growing when using SSL connections
David wrote:

After running my app for a couple of iterations for over an hour, I get the following:

[11:45:42]10 file=stack.c, line=125, thread=15418, number=20, address=20077768
...
868 bytes leaked in 24 chunks

However, I get the same info over and over again (same time stamps), no matter the amount of iterations. I believe this shows that there is no continuous memory leak in SSL. The 868 bytes reported as a leak by CRYPTO_mem_leaks_fp() appears to be some initial memory that has been allocated for the life of the application.

Thanks,
David

David,

I am a bit confused by what you say. Initially you said the application was growing intermittently in 4KB multiples. Do you see this behaviour when you add Dr Henson's calls? If so then where have you added the calls? I presume inside the loop after SSL_new() and SSL_free(), if all you did previously was remove CRYPTO_cleanup_all_ex_data(). If both of these statements are correct then either CRYPTO_mem_leaks_fp() missed the leak or it really isn't in your SSL code. Yet you say that without the SSL code you get no memory leaks, ... and you get no memory leaks on the Solaris platform. Looks like you may need a more general tool. Valgrind 3.3 does work on some versions of AIX on some hardware (experimentally, apparently); you could try to find a copy of the source, approach the developers or try to build the latest version on AIX. And there is Purify or Insure++.

Some other thoughts that you may have already considered: How large does the memory leak manifest itself? Are there any broken connections hanging around that might keep memory until they time out? There isn't some AIX kernel tuning parameter that keeps memory that has been freed reported as allocated until another process needs it, is there? In other words, tuning for a delayed memory cleanup algorithm?
Re: memory growing when using SSL connections
Hi David et al,

On reading the responses so far two new thoughts occur to me:

1. In view of Dr Henson's response, I wonder if removing the CRYPTO_cleanup_all_ex_data() call in your loop will fix the problem. Perhaps reusing the context structure after calling it may have the reverse effect.

2. It may not be an SSL problem at all. Can you remove the SSL calls from your application and see if you still get the memory leak? Your underlying telnet application may be the cause.

Good Luck,
Jeremy

Dr. Stephen Henson wrote:

On Thu, Jan 07, 2010, David wrote:

Hi,

I'm using tn3270 sessions running over SSL. I may have up to 124 sessions activated concurrently, although I plan to get up to 250 sessions at some point. Whenever the sessions are stopped and restarted, I notice intermittently that memory grows in multiples of 4K bytes. I'm running on AIX 5.1, 5.2 and 5.3 and using openssl-0.9.8l. There doesn't appear to be an obvious memory leak in either my application or the OpenSSL stuff (all memory allocated when the sessions are started is freed when the sessions are stopped). Here's a summary of the code structure:

SSL_library_init();
meth = TLSv1_client_method();
RAND_seed();
ctx = SSL_CTX_new(meth);
while ([some telnet connection wants to do SSL]) {
    ssl = SSL_new(ctx);
    SSL_set_fd();
    SSL_set_cipher_list();
    SSL_set_connect_state();
    SSL_connect();
    do SSL_read(), SSL_write()
    SSL_shutdown();
    close FD;
    SSL_free();
    CRYPTO_cleanup_all_ex_data();
}

Any ideas would be appreciated.

Thanks,
David

Some cleanups occur on each connection and others only when the application shuts down. You should *not* call CRYPTO_cleanup_all_ex_data() on every SSL connection because later SSL connections may use it and end up not freeing data correctly. This is especially an issue if connections use compression (OpenSSL compiled against zlib) as it is by default in some linux distributions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

--
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. -- Nathaniel Borenstein, co-creator of MIME
Re: OpenSSL and distributed embedded systems
Thomas Taranowski wrote:

I think this question may be more general than OpenSSL, and will expose my SSL n00biness, but I'm not sure where to turn. I'm working on integrating the use of openssl on an embedded target which I have widely distributed in the field. The issue I have is that each target is nestled within someone else's private network, and I have no control over the IP address, nor domain name assignment, yet I still want to be able to set up secure web communications between the target and client. What I want is to use a single certificate request file, and have a single private key for each of my deployed servers, each of which will have a different domain name and IP address. From what I understand, using the same certificate and server private key is not possible, so I have to generate and get signed a certificate for each and every one of the thousand units I have deployed. To compound the difficulty, since these are small embedded targets, the certificate and key need to be compiled into the target code at build time, so I have to make 1000 different builds, one for each target. This just seems wrong. Can someone help me get my learn on?

Thomas Taranowski
Certified netburner consultant
baringforge.com http://baringforge.com

Hi Thomas,

You do not have to compile anything unique if you have some reliable persistent storage and a unique id for each device, that is unique to the device and not derived from its location. If these requirements are satisfied then a solution to this problem, as stated, is to have a certificate authority ready to sign certificate requests. Each device could have a canned library to pick up the unique identifier, add any other relevant information which may be derived from its location, and use this to create a certificate request to submit to the certificate authority to sign. The certificate authority can be one specified location that is independent from the location of the devices. The signed certificate can then be stored locally and used for later SSL communications for the lifetime of the certificate.

Some issues to be aware of:

1. Secure storage. I assume that you want authentication of the device to prove it is that device.
2. Certificate revocation lists. Ask yourself if you want to be able to mark some certificates as invalid in the future.
3. Uptime of and access to the certificate authority.
4. Are you concerned about some devices impersonating others? How important is authentication in your scheme? From your comments about reusing a certificate and private key, it seems like this is not important to you.

Lastly, is it SSL you want, or something like Kerberos or IPsec? What are your requirements? SSL or the others I mentioned may be too heavy duty or too high level for your application.

Regards,
Jeremy
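The enrolment flow Jeremy sketches, as an added example and not code from the thread or from any project: one firmware image for every unit, a key pair and CSR generated on the device from its unique id, and a CA on a separate host that checks the id against its inventory before signing. Everything in it is this example's own (the function names, the `inventory.txt` allow-list, the Example Devices subject, the scratch-directory layout); it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example for the embedded-device enrolment Jeremy describes; it is not
# code from the thread or from any project. One firmware image for every
# unit: each device derives its own key pair and CSR from its unique id, a
# CA off the devices checks the id against its inventory and signs.
# Names (make_ca, device_enroll, ca_sign, inventory.txt) are this example's own.
set -eu

# make_ca DIR : self-signed CA kept on the CA host, never on the devices (demo only)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/O=Example Devices/CN=Example Device CA" >/dev/null 2>&1
}

# device_enroll DIR DEVICE_ID LOCATION : run on the device at first boot.
# The id goes in serialNumber and CN; the location is metadata only.
device_enroll() {
    local dir=$1 id=$2 loc=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/device.key" -out "$dir/device.csr" \
        -subj "/O=Example Devices/serialNumber=$id/L=$loc/CN=device-$id" >/dev/null 2>&1
}

# csr_device_id CSR -> serialNumber attribute of the request's subject
# (handles both the "/a=b" and the "a = b, c = d" subject formats openssl prints)
csr_device_id() {
    openssl req -in "$1" -noout -subject \
        | sed -n 's/.*serialNumber *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# ca_sign CADIR DEVDIR DAYS : refuse ids the CA has no record of, sign the rest.
# The inventory check is what stops an arbitrary requester from obtaining a
# certificate that names a real device.
ca_sign() {
    local cadir=$1 devdir=$2 days=$3 id
    id=$(csr_device_id "$devdir/device.csr")
    if ! grep -qx -- "$id" "$cadir/inventory.txt"; then
        echo "refusing CSR for unknown device id '$id'" >&2
        return 1
    fi
    openssl x509 -req -in "$devdir/device.csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca.key" \
        -CAcreateserial -days "$days" -out "$devdir/device.pem" >/dev/null 2>&1
}

# verify_device CADIR DEVDIR : what a peer does later with the CA cert it trusts
verify_device() {
    openssl verify -CAfile "$1/ca.pem" "$2/device.pem" >/dev/null 2>&1
}

# enroll_demo : the whole flow in a scratch directory; returns 0 when the
# issued certificate verifies against the CA.
enroll_demo() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/ca" "$work/dev"
    printf '%s\n' DEV-0001 DEV-0002 > "$work/ca/inventory.txt"   # constructed inventory
    make_ca "$work/ca"
    device_enroll "$work/dev" DEV-0001 "Site A"
    ca_sign "$work/ca" "$work/dev" 365
    verify_device "$work/ca" "$work/dev"
    rm -rf "$work"
}

enroll_demo && echo "device certificate issued and verified"
```

The device side needs only `device_enroll` plus persistent storage for `device.key` and the returned `device.pem`; the private key never leaves the unit. The lifetime passed to `ca_sign` and an inventory entry per unit give the CA the two handles Jeremy's list asks for: a bounded validity period and a record against which a certificate can later be revoked.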
Re: memory growing when using SSL connections
Hi David,

Off the top of my head I notice that you do not call this as part of the cleanup: SSL_CTX_free() [ http://www.openssl.org/docs/ssl/SSL_CTX_free.html# ]

There is also this: [ http://www.openssl.org/support/faq.html#PROG13 ]

Regards,
Jeremy

David wrote:

[David's original message, quoted in full above]

--
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. -- Nathaniel Borenstein, co-creator of MIME
Re: memory growing when using SSL connections
Hi David,

After reading this [http://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node21.html], it occurs to me that you might need EVP_cleanup() too. You might consider his clean_up() routine in general, or at least consider his comments on it. I think it is true to say that for every function in openSSL that sets up structures etc there is a corresponding free function.

Regards,
Jeremy

David wrote:

[David's original message, quoted in full above]
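David's later argument in this thread is that the CRYPTO_mem_leaks_fp() report is identical however many iterations run, so the 868 bytes are one-time setup memory rather than a per-connection leak. As an added example, not code from the list or from OpenSSL, the bash script below makes that comparison mechanical: it parses two reports taken at different iteration counts, sums the bytes per report and lists chunks present in the later report but not the earlier one. The report lines are constructed in the shape of the one David quotes; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example for the memory-growth thread; not code from the list or from
# OpenSSL. It compares two CRYPTO_mem_leaks_fp() reports taken at different
# iteration counts: a steady total and no new chunks means one-time setup
# memory (David's conclusion), while new chunks point at a per-connection leak.
set -eu

# Constructed reports in the shape of the lines quoted in the thread.
REPORT_ITER1='[11:45:42]    10 file=stack.c, line=125, thread=15418, number=20, address=20077768
[11:45:42]    64 file=ex_data.c, line=401, thread=15418, number=21, address=20077820
[11:45:42]   128 file=lhash.c, line=127, thread=15418, number=22, address=200778A8
202 bytes leaked in 3 chunks'
REPORT_ITER2='[11:45:42]    10 file=stack.c, line=125, thread=15418, number=20, address=20077768
[11:45:42]    64 file=ex_data.c, line=401, thread=15418, number=21, address=20077820
[11:45:42]   128 file=lhash.c, line=127, thread=15418, number=22, address=200778A8
[12:02:07]  4096 file=buffer.c, line=109, thread=15418, number=57, address=20089F10
4298 bytes leaked in 4 chunks'

# leak_chunks < report -> "bytes file line number address" per leaked chunk
# (the summary line does not match the pattern and is dropped)
leak_chunks() {
    sed -n 's/^\[[0-9:]*] *\([0-9]*\) file=\([^,]*\), line=\([0-9]*\), thread=[0-9]*, number=\([0-9]*\), address=\([0-9A-Fa-f]*\).*/\1 \2 \3 \4 \5/p'
}

# leak_total < report -> bytes summed over the chunk lines (cross-check of the summary line)
leak_total() {
    leak_chunks | awk '{ s += $1 } END { print s + 0 }'
}

# leak_growth OLD NEW -> chunks (file:line:number) in NEW that OLD did not have.
# Within one process run the allocation number identifies a chunk, so a
# number that was not in the earlier report is a genuinely new allocation.
leak_growth() {
    local oldf
    oldf=$(mktemp)
    printf '%s\n' "$1" | leak_chunks | awk '{ print $2 ":" $3 ":" $4 }' | sort -u > "$oldf"
    printf '%s\n' "$2" | leak_chunks | awk '{ print $2 ":" $3 ":" $4 }' | sort -u | comm -13 "$oldf" -
    rm -f "$oldf"
}

echo "iteration 1 total: $(printf '%s\n' "$REPORT_ITER1" | leak_total) bytes"
echo "iteration 2 total: $(printf '%s\n' "$REPORT_ITER2" | leak_total) bytes"
echo "new chunks since iteration 1:"
leak_growth "$REPORT_ITER1" "$REPORT_ITER2"
```

Run against real reports, an empty `leak_growth` output across many iterations supports David's reading; a growing list, especially one whose file and line repeat with fresh allocation numbers, gives the `file=`/`line=` location inside OpenSSL (or the application's own allocator hooks) to look at next.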
Re: Not so Ancient History
(./Configure --prefix=/usr --openssldir=/etc/ssl shared os/compiler:gcc -march=i386 -lnsl -lsocket \
  2>&1 | tee log.conf; exit $PIPESTATUS)

I have found the best way to pass non-std gcc flags is to set the os/compiler to "gcc -flags". In this case -lnsl and -lsocket are not set by default and are needed for the openssl sample application and for some test builds. Configure and config have a mechanism to pass -D, -l and -L flags, and so I do not include them as part of my os/compiler parameter. If it helps I also have some old linux builds for openssl-0.9.8a and 0.9.6j.

Paul Rogers wrote:

On Tue, 9 Jun 2009 22:54:41 -0700, Kyle Hamilton aerow...@gmail.com said:

Did you run './config 386'?

Mostly I was following a LFS page:

# linux-elf is close, but we need -march=i386 instead of -m486
cp Configure{,.backup}
sed '/^linux-elf/s/486/386/' Configure.backup > Configure
rm -f Configure.backup
(./Configure 386 linux-elf --prefix=/usr --openssldir=/etc/ssl shared \
  2>&1 | tee log.conf; exit $PIPESTATUS)

That's to eliminate any confusion I thought might exist with linux-elf's m486. I've tried half a dozen things I thought might help, what the hey, what's one more? I can try config, it just ends up running configure anyhow.

--
Retirement at sixty-five is ridiculous. When I was sixty-five I still had pimples. George Burns.
Re: Re: How to install 2 instances of openssl on the same machine
Hi Srinivas,

Why is this an issue? Is it for an application? From a library point of view, the version installed on the system should make no difference unless you are using deprecated (old) or brand new routines in the library. This should not be an issue, especially as you are talking about point revisions. If you are using dynamic libraries, the entry points for the old product should be the same in version i, j, k as in version a. There may be possible exceptions like the 'des' entry points (ouch!). If you are using statically linked libraries then this should not be an issue at all.

Have you tried the old application on a system with just openssl 0.9.8i installed? If so, then what errors do you get? Post them to the list and see what solutions are proposed.

If you really do need two separate versions of openSSL on the same machine, then you can install them and name them differently as Kyle has suggested. Say you had:

/opt/openssl.0.9.8b and /opt/openssl.0.9.8i

(and you could just as easily have these in /usr/local as in /opt). You would just manipulate your PATH and LD_LIBRARY_PATH appropriately for each application. If this failed, in a unix environment you could set up two chroot'd environments for each application to run in. In each chroot'd environment the correct version of openssl for each application could be installed.

I hope these ideas help,
Jeremy

Srinivas Jonnalagadda wrote:

Hi Kyle,

Thank you very much for the information. I don't have any problem upgrading to 0.9.8k. The problem for us is we have a separate product which is dependent on openssl. There are 2 versions of this product installed on 2 different unix machines. One version is dependent on 0.9.8b and the other is dependent on 0.9.8i. Now we are trying to migrate the version which is dependent on 0.9.8b to the machine which is dependent on 0.9.8i. Confusing and really tricky task for me, but my bosses' instructions are that the original configurations or installation structures should not be disturbed. Now if I solve this openssl problem the next is that I have 2 different versions of apache http servers.

Regards,
Srinivas J

-----Original Message-----
From: Kyle Hamilton aerow...@gmail.com
Sent: Mar 26, 2009 10:59 PM
To: openssl-users@openssl.org
Subject: Re: Re: How to install 2 instances of openssl on the same machine

Er... no. If you want to install two separate versions on the same machine, you MUST put them in separate --prefixes. You also need to make sure that each compilation of Apache refers to the correct prefix. (You cannot rely on the system Doing The Right Thing, here, you must compile your own.) Especially if you're using the 'shared' option -- that creates shared libraries, which must be properly referred to by their own path.

(And why are you not using 0.9.8k?)

-Kyle H

On Thu, Mar 26, 2009 at 7:43 PM, shawnlau net17shawn...@gmail.com wrote:

Just download openssl-0.9.8i.tar.gz, and install it in a folder that you define yourself, like /usr/local/openssl, then use the following commands:

tar -zxvf openssl-0.9.8i.tar.gz
cd openssl-0.9.8i
./config --prefix=/usr/local/openssl shared threads
make
make test (if no error information occurred)
make install

OK!

--
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Srinivas Jonnalagadda
Sent: 26 March 2009 21:04
To: openssl-users@openssl.org
Cc: suneelk.m...@gmail.com
Subject: How to install 2 instances of openssl on the same machine

Hi,

I need to have 2 separate installations of apache2 http server referring to 2 different versions of openssl. One is using 0.9.8b and the other uses 0.9.8i. How do I install openssl in such a scenario? Help is urgently needed.

Thanks in advance,
Regards,
Srinivas Jonnalagadda
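Jeremy's and Kyle's advice comes down to two things: run each application with PATH and LD_LIBRARY_PATH pointing at its own --prefix install, and confirm that each build really resolves the libraries it was compiled against. As an added example, not code from the thread, the bash script below wraps the first in a function and gives a one-line check for the second. The prefix layout (PREFIX/bin, PREFIX/lib) is the one OpenSSL's --prefix produces; `fake_install` builds a constructed stand-in so the wrapper can be exercised without compiling two copies of OpenSSL, and all the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example for the two-installation thread; not code from the list.
# with_openssl PREFIX CMD... runs CMD with PATH and LD_LIBRARY_PATH pointing
# at one --prefix install, and ssl_libs_of BINARY shows which libssl/libcrypto
# a program actually resolves, which is the check to run on each Apache build.
set -eu

# with_openssl PREFIX CMD... : run CMD against the install under PREFIX
with_openssl() {
    local prefix=$1
    shift
    [ -d "$prefix/bin" ] || { echo "no such install: $prefix" >&2; return 1; }
    # env performs the lookup of CMD with the modified PATH, so the binary
    # and the libraries come from the same prefix.
    env PATH="$prefix/bin:$PATH" \
        LD_LIBRARY_PATH="$prefix/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" "$@"
}

# ssl_libs_of BINARY -> the libssl/libcrypto lines from the dynamic loader's view
# (empty for a statically linked binary or one with no OpenSSL dependency)
ssl_libs_of() {
    ldd "$1" 2>/dev/null | grep -E 'libssl|libcrypto' || true
}

# fake_install DIR VERSION : constructed stand-in for a --prefix install tree
fake_install() {
    mkdir -p "$1/bin" "$1/lib"
    printf '#!/bin/sh\necho "OpenSSL %s (fake, from %s)"\n' "$2" "$1" > "$1/bin/openssl"
    chmod +x "$1/bin/openssl"
}

# Demo: two side-by-side installs, each answering with its own version.
root=$(mktemp -d)
fake_install "$root/openssl.0.9.8b" 0.9.8b
fake_install "$root/openssl.0.9.8i" 0.9.8i
with_openssl "$root/openssl.0.9.8b" openssl version
with_openssl "$root/openssl.0.9.8i" openssl version
rm -rf "$root"
```

For the Apache case the useful call is `ssl_libs_of /path/to/httpd` (or of `mod_ssl.so`) for each build: if both print the same `libssl` path, one of them was not compiled against the prefix it was meant to use, which is the situation Kyle warns about with the `shared` option.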
Re: openssl performance
Try typing "openssl s_time ?"

raj H wrote:

Thanks Jimmy! This command looks to help me with the performance! Only thing is I have to get it working. I keep on getting errors. Anyway, thanks! I will go through and get it running. Any inputs on session reuse?

On Thu, Apr 3, 2008 at 12:39 PM, jimmy bahuleyan [EMAIL PROTECTED] wrote:

raj H wrote:

Thanks Marek for your comments!

[snip]

I am sorry these questions are really vague and not of challenge for the technical personnel. But I believe these are the questions any solution developer or openssl user would have. Doesn't OpenSSL publish any numbers?

Have you tried the command

$ openssl s_time

-jb

--
Real computer scientists don't comment their code. The identifiers are so long they can't afford the disk space.
Re: Prematurely terminated packets?
Dear General,

Before starting your putty session:

1. go to the Session Logging category
2. select Log SSH packet data
3. make a note of where your putty log is; it is probably best to start with a new one.

Now attempt a connection to your server. On rejection, peruse your putty.log file. The complete negotiation from the client's perspective will be logged and you should be told why the server is rejecting you. Alternatively, you may see no negotiation with the server at all. If this is the case the server is not running or is blocked for you. However, from your description I would guess that your server is negotiating with you. Perhaps it is configured to reject you, perhaps because of a restriction at the server end that you are not following. You might be able to work this out or you might need to talk to your IT administrator with this information.

The other (remote) possibility that occurs to me is that you are falling foul of some fancy all-in-one security product. Occasionally these products decide that perfectly acceptable networking products like VNC, putty, banking applications, email, etcetera are viruses or trojans and cut them off after a successful protocol negotiation. You could check the web site of, or google for, the security products you are running and see if there is a (recent) clash with putty. If this happens, the all-in-one security products eventually get an update which solves the problem.

In any case good luck,
Jeremy

GeneralNMX wrote:

I'm trying to figure out why I can't ssh from work. Our IT admin is always busy, so I can't ask him. PuTTY (yes, Windows-only office, unfortunately) returns "Server unexpectedly closed connection" when connecting to the ports I set up for SSH. Originally I set it up for the IP range my office uses, but now the ports are open willy-nilly and it still returns the same thing. My router, running Debian, shows rejected packets when I use the wrong port, but nothing when I use the right port, so the packet isn't being rejected. Shields Up! shows the port open, and I can login locally using that port, so I know sshd is configured correctly. Considering that the corporate firewall may be blocking 22 for security reasons, I've tried different ports, like 465, etc. Where would I start debugging a situation like this?

I just added a log statement to the forwarded packet to make sure I am receiving the packet and forwarding it properly. Shields Up! confirms this. For my workstation, it runs Windows XP with just the basic firewall turned on. I have administrator-level access to the machine (the real administrator account), so it has to be something in between.

Matt
Re: A BEG / PLEA For Help. Solaris 8 Will not compile, MUST be someth ing I am doing.
Further to the earlier missive suggesting an OpenSSL library clash, as it was destest that crashed, it is likely there is another DES library in your path, which may not be from OpenSSL. Try running destest manually and finding out a little more information, like where exactly it crashed.

DARCY,MATTHEW (HP-UnitedKingdom,ex2) wrote:

hi,

I am trying to compile openssl-9.6g with shared libraries on solaris 8 on a Netra T1. I have mailed this group with this problem before and got some input on how to fix it, I have tried the input and I am still lost.

I run a

./config --openssldir=/usr/local/ssl -prefix=/usr -shared

this works

I then do a

make

this works

make test fails and core dumps.

make test
Doing certs
ca-cert.pem = .0
WARNING: Skipping duplicate certificate dsa-ca.pem
WARNING: Skipping duplicate certificate dsa-pca.pem
WARNING: Skipping duplicate certificate factory.pem
WARNING: Skipping duplicate certificate ICE-CA.pem
WARNING: Skipping duplicate certificate ICE-root.pem
WARNING: Skipping duplicate certificate ICE-user.pem
WARNING: Skipping duplicate certificate nortelCA.pem
WARNING: Skipping duplicate certificate pca-cert.pem
WARNING: Skipping duplicate certificate rsa-cca.pem
WARNING: Skipping duplicate certificate thawteCb.pem
WARNING: Skipping duplicate certificate thawteCp.pem
WARNING: Skipping duplicate certificate timCA.pem
WARNING: Skipping duplicate certificate tjhCA.pem
WARNING: Skipping duplicate certificate vsign1.pem
WARNING: Skipping duplicate certificate vsign2.pem
WARNING: Skipping duplicate certificate vsign3.pem
WARNING: Skipping duplicate certificate vsignss.pem
WARNING: Skipping duplicate certificate vsigntca.pem
touch rehash.time
testing...
make[1]: Entering directory `/usr/local/src/openssl-0.9.6g/test'
make[2]: Entering directory `/usr/local/src/openssl-0.9.6g/apps'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/usr/local/src/openssl-0.9.6g/apps'
./destest
make[1]: *** [test_des] Illegal Instruction (core dumped)
make[1]: Leaving directory `/usr/local/src/openssl-0.9.6g/test'
make: *** [tests] Error 2

Now initially I was using gcc 2.9.5 from sunfreeware.com. I was told to use a more supported/recommended gcc version, so I tried gcc 3.1 (with 3.1 libs) and now gcc 3.2 with 3.2 libs and I am getting the same result every time.

I really need to understand why openssl is failing, and also get my finger out and get it working as I then need to re-compile apache / ftp etc etc.

Any help appreciated.

Matt.

Matt Darcy
GBIT - EMEA, Bristol, UK
Hewlett-Packard
Telnet 312 8859
Telephone +44 (0) 117 312 8859
Mobile +44 (0) 776 766 0991
Email: [EMAIL PROTECTED]
Re: Apache-style licence for openssl
See the license in the Distrib:

bash-2.05$ more LICENSE

LICENSE ISSUES
==============

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [EMAIL PROTECTED]
...

Erik Christiansen wrote:

Chasing down the licencing requirements for openssl, on the site, in the FAQ, and in the list archive, I've so far only found my way to the generic Apache-style licence at: http://www.opensource.org/licenses/index.php It seems odd giving credit to Apache for OpenSSL, unless they are the same guys. Does anyone have knowledge of this?

Regards,
Erik

So it is actually a BSD-style license, which Eric originally thought had a more relaxed attitude to freeware licensing than the more popular GNU style license.
Re: Certificate management tools
From: Bennett Samowich [EMAIL PROTECTED]
Subject: Certificate management tools

Greetings,

This may or may not be the right place to ask this, but does anyone know of "canned" utilities for certificate management? A client of ours may want to start using proprietary certs and I don't want to reinvent the wheel.

Thanks in advance,
- Bennett

iPlanet has a product called CMS (Certificate Management Server), see http://www.iplanet.com/products/infrastructure/dir_security/cert_sys/index.html#platform It runs on NT or Solaris; it may need their Directory Server product or some other LDAP implementation. It will not be cheap. There is also openCA at www.openca.org for free. I have used neither.