Re: Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

[pablo platt]

AES-GCM will be supported in WebRTC in the future.
It has great performance and I think better security.
The only downside is that packets will be 6 bytes larger and it'll take few
months/years most browsers support it.

Thanks

On Fri, Nov 1, 2019 at 2:01 PM Matt Caswell  wrote:

>
>
> On 01/11/2019 11:59, pablo platt wrote:
> > Thank you for the explanation.
> >
> > The use case is a WebRTC server (SFU) that encrypts and authenticate
> > SRTP packets.
> > Encryption is a major part of CPU load on SFU servers. Reducing it by
> > 50% will have a large impact.
> >
> > Is it planned to add aes-128-hmac-sha1 encrypt-then-mac?
>
> There are no current plans. You might investigate the impact of using
> AEAD ciphers instead.
>
> Matt
>
> >
> > On Fri, Nov 1, 2019 at 1:32 PM Matt Caswell  > <mailto:m...@openssl.org>> wrote:
> >
> >
> >
> > On 01/11/2019 07:56, pablo platt wrote:
> > > Hi,
> > >
> > > Stitching aes-cbc with sha1 can result with x2 performance [1].
> > > Is there support for stitched aes-128-hmac-sha1 encrypt-then-mac?
> This
> > > issue [2] says that only mac-then-encrypt is supported in OpenSSL.
> >
> > The issue is correct. Only mac-then-encrypt is supported. Furthermore
> > these stitched ciphers are specifically targeted at use by libssl and
> > are designed for use in SSL/TLS only. They are not general purpose
> > ciphers and should not be used directly unless you *really* know what
> > you are doing.
> >
> > Note that more modern TLS ciphersuites use AEAD modes such as GCM or
> CCM
> > so that mac-then-encrypt vs encrypt-then-mac and "stitched" ciphers
> are
> > irrelevant anyway.
> >
> > >
> > > Does this implement mac-then-encrypt and relevant [3]?
> >
> > [3] is the aesni assembler implementation used behind the
> > EVP_aes_128_cbc_hmac_sha1() and EVP_aes_256_cbc_hmac_sha1() ciphers,
> > i.e. all the same comments I made above apply here. It's
> > mac-then-encrypt, and specifically targeted for use in SSL/TLS by
> > libssl. It's not intended for general purpose use.
> >
> > The documentation says this about these ciphers:
> >
> > "EVP_aes_128_cbc_hmac_sha1(),
> > EVP_aes_256_cbc_hmac_sha1()
> >
> > Authenticated encryption with AES in CBC mode using SHA-1 as HMAC,
> with
> > keys of 128 and 256 bits length respectively. The authentication tag
> is
> > 160 bits long.
> >
> > WARNING: this is not intended for usage outside of TLS and requires
> > calling of some undocumented ctrl functions. These ciphers do not
> > conform to the EVP AEAD interface."
> >
> >
> https://www.openssl.org/docs/man1.1.1/man3/EVP_aes_128_cbc_hmac_sha1.html
> >
> >
> >
> > > Is it possible to use the same code with just changing the order to
> > > achieve encrypt-then-mac?
> >
> > No.
> >
> > > How can I compile the Perl file to be used from a C program?
> >
> > This is an internal file not intended for use outside of OpenSSL and
> not
> > intended to be compiled separately. You might be able to extract it -
> > but if so, you're on your own.
> >
> >
> > Matt
> >
>

Re: Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

[pablo platt]

Thank you for the explanation.

The use case is a WebRTC server (SFU) that encrypts and authenticate SRTP
packets.
Encryption is a major part of CPU load on SFU servers. Reducing it by 50%
will have a large impact.

Is it planned to add aes-128-hmac-sha1 encrypt-then-mac?

On Fri, Nov 1, 2019 at 1:32 PM Matt Caswell  wrote:

>
>
> On 01/11/2019 07:56, pablo platt wrote:
> > Hi,
> >
> > Stitching aes-cbc with sha1 can result with x2 performance [1].
> > Is there support for stitched aes-128-hmac-sha1 encrypt-then-mac? This
> > issue [2] says that only mac-then-encrypt is supported in OpenSSL.
>
> The issue is correct. Only mac-then-encrypt is supported. Furthermore
> these stitched ciphers are specifically targeted at use by libssl and
> are designed for use in SSL/TLS only. They are not general purpose
> ciphers and should not be used directly unless you *really* know what
> you are doing.
>
> Note that more modern TLS ciphersuites use AEAD modes such as GCM or CCM
> so that mac-then-encrypt vs encrypt-then-mac and "stitched" ciphers are
> irrelevant anyway.
>
> >
> > Does this implement mac-then-encrypt and relevant [3]?
>
> [3] is the aesni assembler implementation used behind the
> EVP_aes_128_cbc_hmac_sha1() and EVP_aes_256_cbc_hmac_sha1() ciphers,
> i.e. all the same comments I made above apply here. It's
> mac-then-encrypt, and specifically targeted for use in SSL/TLS by
> libssl. It's not intended for general purpose use.
>
> The documentation says this about these ciphers:
>
> "EVP_aes_128_cbc_hmac_sha1(),
> EVP_aes_256_cbc_hmac_sha1()
>
> Authenticated encryption with AES in CBC mode using SHA-1 as HMAC, with
> keys of 128 and 256 bits length respectively. The authentication tag is
> 160 bits long.
>
> WARNING: this is not intended for usage outside of TLS and requires
> calling of some undocumented ctrl functions. These ciphers do not
> conform to the EVP AEAD interface."
>
> https://www.openssl.org/docs/man1.1.1/man3/EVP_aes_128_cbc_hmac_sha1.html
>
>
>
> > Is it possible to use the same code with just changing the order to
> > achieve encrypt-then-mac?
>
> No.
>
> > How can I compile the Perl file to be used from a C program?
>
> This is an internal file not intended for use outside of OpenSSL and not
> intended to be compiled separately. You might be able to extract it -
> but if so, you're on your own.
>
>
> Matt
>

Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

[pablo platt]

Hi,

Stitching aes-cbc with sha1 can result with x2 performance [1].
Is there support for stitched aes-128-hmac-sha1 encrypt-then-mac? This
issue [2] says that only mac-then-encrypt is supported in OpenSSL.

Does this implement mac-then-encrypt and relevant [3]?
Is it possible to use the same code with just changing the order to achieve
encrypt-then-mac?
How can I compile the Perl file to be used from a C program?

[1] https://software.intel.com/en-us/articles/improving-openssl-performance
[2] https://github.com/openssl/openssl/issues/8785
[3]
https://github.com/openssl/openssl/blob/master/crypto/aes/asm/aesni-sha1-x86_64.pl

Thanks

Re: Settings to create Timestamping Authority certificate signing request

[Pablo Rogina]

Hey Brad, thank you for your response. It worked well. I've just had to
uncomment this line:

# This is required for TSA certificates.
extendedKeyUsage = critical,timeStamping

just for creating the TSA certificate in order to be used by mod_tsa under
Apache (www.opentsa.org)

Regards,

Pablo

Settings to create Timestamping Authority certificate signing request

[Pablo Rogina]

Hi!

I would need to know what arguments or settings in configuration file  to
use while create a certificate signing request for a Timestamping Authority
(TSA) (per RFC3161).

I guess that X509v3 Extended Key Usage must be timeStamp but don't know how
to set it.

Thanks in advance.

Pablo Rogina

[no subject]

[Pablo Ariel Soto]

Good morning. I need help to renew licences which are used for connections of 
OpenVPN servers using OpenSSL 
All are due. The question is: If ending this time of the certificate How do I 
create another certificate without losing the VPN connection? According to the 
manual to create a certificate for server must first revoke the previous one, 
but I as to copy the new certificates if I no longer have connection with the 
client?. Is there any time between the expiration of the certificate and the 
creation of a new one that will allow me to stay connected? Thank you for your 
help.
_
¡Lo mejor de MSN y Windows Live en tu móvil! Hotmail, Messenger, Spaces… 
Pruébalo ya  y disfruta de todas sus ventajas donde quieras
http://serviciosmoviles.es.msn.com/

Universisdad San Francisco de Quito Development

[Juan Pablo Albuja Riofrío]

Dear friends, I am a student and I am working in one investigation
university project. With this project I am going to get my engineer title. I
want to know if OpenSSl can create wap certificates and how Can I integrate
it in one wap simulator. Please help me. I am studying wap security


-- 
Saludos Cordiales,

Juan Pablo Albuja

Re: OpenSSL PocketPC 2003

[Pablo J Royo]

Look at:
 
http://marc.theaimsgroup.com/?l=openssl-dev&m=112092528123408&w=2
http://marc.theaimsgroup.com/?l=openssl-users&m=112352769609201&w=2

  - Original Message - 
  From: 
  OpenSSLGRT 
  To: openssl-users@openssl.org 
  Sent: Thursday, January 19, 2006 10:30 
  PM
  Subject: OpenSSL PocketPC 2003
  
  
  I downloaded OpenSSL and made a 
  simple SSL client for Windows. I used the binary distribution from http://www.slproweb.com/products/Win32OpenSSL.html 
  and it came with Windows libs. I now want that to work on Pocket PC 2003 
  application. I need to figure out how to get libs for PocketPC 2003 
  (libeay32.lib, ssleay32.lib, and Ws2_32.lib (winsock)). Has anyone built these 
  libs for PocketPC 2003 – is it possible?
   
  Thank 
you!

Re: A problem using a COM dll built with libeay32.dll

[Pablo J Royo]

If it works with VB, and if you have the private key stored in usual Windows
certificate store perhaps your COM has problems to access the private key to
decipher data, because a service has no GUI to access the private key
password.

Also, it could be any other kind of error that happens when your COM has
been called a lot of times, and does not happen when you use it only a few
times. Try to print in the log the parameters you are passing to
RSA_private_decrypt each time.

- Original Message -
From: "  " <[EMAIL PROTECTED]>
To: ; 
Sent: Wednesday, December 21, 2005 12:08 PM
Subject: A problem using a COM dll built with libeay32.dll


Hi, everyone:
I have a problem. The situation is like this--
I built a project with VC, and the project is a ATL COM project. I
built it with libeay32.lib which I added in the "project
settings->link" , and the "code generation" I chose "Multithreaded
DLL". The COM dll was sucessfully built.
When I use the dll in a VB project or asp, it is normal and have
no problem. Now I put the dll in a directory of a web server using
Windows2000 and added it to the "Component Services". The web server
got the data which was encrypted and posted by other clients , then
web server's asp program created an object of the COM dll and
decrypted the data and returned some messages to clients.
When I check the "Event Viewer's Application Log" of the web
server, I find there are some com error produced by the COM
application.The errors are like this--

The system has called a custom component and that component has failed
and generated an exception. This indicates a problem with the custom
component. Notify the developer of this component that a failure has
occurred and provide them with the information below.
Component Prog ID:
Server Application ID: {4FC68A3D-A240-4133-834A-2CF075B0C543}
Server Application Name: GnetDll
The serious nature of this error has caused the process to terminate.
Exception: C005
Address: 0x010A110D
Call Stack:
LIBEAY32!RSA_private_decrypt+0xD


We are sure the error was produced by the COM application because
there are no other program using the libeay32.dll except this.
I put libeay32.dll in the "system32" for that I used static
linking libeay32.lib within my project.

Could anyone know why this happend and how could I solve this
problem? Thanks all.

lvjing
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]




__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: forwarding encrypted ssl data

[Pablo J Royo]

Look at :

http://spipe.sourceforge.net

The idea is to use in your Linux box a patch modified Apache / mod-ssl
server who deciphers all he receives in its 443 port, and if what he obtains
is not HTTP then it forwards the stream of bytes to a selected server. If it
is HTTP, it leaves Apache to manage as usual.
This thing only works for Apache 1.3.X servers, because patches to mod_ssl
hasn´t been updated for a time and Apache 2.0 has a different way of
working, so if you use it,  it´s recommended to get the Apache and mod-ssl
versions given in the URL
( 2.8.16 of mod_ssl with version 1.3.29 of Apache) althought it could work
with others.


- Original Message -
From: "Noel Sanchez" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, December 11, 2005 9:40 AM
Subject: forwarding encrypted ssl data


Hello list. I have ssl capable devices out in the field that need to send
encrypted data to my server in my office. The ssl capable device sends the
encrypted data out to my firewall in the office which in turn forwards the
ssl traffic into my lan to my linux box running openssl. The linux box
running ssl then has to forward the data, un-encrypted, to a Windows
server that knows how to handle and process the data. How can I do this?
Can this be done? Any help or suggestions would be great. I am not sure
how to do this.

---   -
|device| -- (ssl) --> | firewall | -- (ssl forwarded traffic) --> |linux|
---   -
|
|
--  < (non-ssl) 
| server |
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]




__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Detached envelope

[Pablo J Royo]

> With some effort you even can keep every bit temporary data in the core
> memory, avoiding writing of temporary files. BIO abstraction in OpenSSL
> is powerful enough to do this.

The reason I want to use detached data, is to avoid having all my data  in
memory. Now, OpenSSL handles all PKCS7 stuff in memory.
Using detached data is possible to cipher the stream of bytes, no matter how
big it is,  with the symmetric key, then dump the PKCS7 with this key
encrypted.
In fact, may be more correct to change i2d_PKCS7 and d2i_PKCS7 in some way,
so pointers to access the data are not used, but a BIO so you can
read/create big PKCS7 without loading them in memory.

> Can you point me to the standard document which describes usage of
> detached envelopes for ENCRYPTED data?
>
No, I can't...but I can't find some place where it said is prohibited. My
app must transport big amounts of data, so I can't load them in memory, so
if I want to keep on using OpenSSL to assure portability I must use detached
PKCS7.
Anyway, I think the use of detached or not is an app issue, more than a
standard issue.




__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Detached envelope

[Pablo J Royo]

> >Is there any way to create a detached PKCS7 envelope with openssl
> >utilities (smime) ?
>
> Create S/MIME message and extract signature part using any
> mime-capable tool or just some text processing utitity

This is not an option, because I need to do this inside my programs.

I've been searching Internet with no results. It seems nobody is using
detached envelopes.

In fact, I have used OpenSSL pkcs7 routines to create and read detached
envelopes, but I'm not sure if my envelopes are correct, because there is no
other application to check them.
All I know is that CryptoAPI correctly reads my PKCS7 headers, but gives an
ASN1 bad tag error when reading the (detached) ciphered data, or tries to
decipher more bytes than I put on my envelope, so I don't know what part is
failing, if encryption or decryption.
Thanks anyway.






__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Detached envelope

[Pablo J Royo]

Hi:
 
Is there any way to create a detached PKCS7 
envelope with openssl utilities (smime) ?
 
Thanks

From implicit envelope to detached envelope

[Pablo J Royo]

Hello all:
 
I´m tryng to generate a detached envelope from a 
received implicit (non-detached) envelope.
The idea is to load the old non-detached envelope, 
to copy it in a new PKCS7 envelope struct and then to delete the 
encrypted data from that struct and dump it with i2d_PKCS7_bio to a 
memory BIO. 
 
So, is this correct?:
 
 p7_new->d.enveloped->recipientinfo = 
p7_old->d.enveloped->recipientinfo; //get recipients info from old 
envelope and asing it to new
 
 p7_new->d.enveloped->enc_data = 
p7_old->d.enveloped->enc_data; //get PKCS7_ENC_CONTENT enc_data 
object  p7_new->d.enveloped->enc_data->enc_data = 
NULL; //put its data to 
NULL p7_new->d.enveloped->enc_data->content_type = 
NULL;  /
 
 i2d_PKCS7_bio( mem_bio,p7_new); //Dump to 
memory
 
My doubt is with the content_type. Should 
I put NULL ?
Also, What must be NULL: 
p7_new->d.enveloped->enc_data->enc_data  or 
p7_new->d.enveloped->enc_data ?
 
Thanks

Re: How to verify a pkcs7 detached signature?

[Pablo J Royo]

Try this

openssl smime -verify -in Assinador.tar.gz.pkcs7 -inform DER -content
Assinador.tar.gz -signer signer_certificate.pem -noverify


- Original Message -
From: "Andreas Hasenack" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, July 14, 2005 10:49 PM
Subject: How to verify a pkcs7 detached signature?


> 1.
http://www.iti.br/twiki/pub/Main/PressRelease2005Jun28A/Assinador.tar.gz
> 2.
http://www.iti.br/twiki/pub/Main/PressRelease2005Jun28A/Assinador.tar.gz.pkc
s7
>
> [2] is supposed to be a detached signature for [1], how can this be
> verified with an openssl command? I was able to extract the certificate
> from the .pkcs7 file, but I hit a wall there.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: 3rd time request... PLEASE help! Phone cert creation

[Pablo J Royo]

I suppose this is not the right forum to ask for Smartphone issues.

Anyway, here:

http://www.jacco2.dds.nl/networking/crtimprt.html

may be you could find a way to do what you need , a little idea or maybe
something more.
He explains how to import a *personal* certificate and a CA certificate on a
PocketPC, running Windows Mobile 2003.
I have tryed the same on a Windows 2002 Smartphone and it doesn't work, but
I think it could work on windows Mobile 2003, becuse it worked in my
PocketPC PDA.
You could also try to use a little CryptoAPI program for that. Again ,I
suspect this is not the right forum  ;-).

Hope this helps

- Original Message -
From: "David Templar" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 12, 2005 5:49 PM
Subject: 3rd time request... PLEASE help! Phone cert creation


> Hi all,
>
> I am really stuck and have tried all I can - I really need your help to
> generate a software publishing certificate and its root cert to install
> on motorola phones.
>
> I am enclosing a copy of an already existing cert on the phone. It
> appears to be a V4 x509 cert - I could be wrong though. The phone does
> not seem to accept any certificates I have currently generated. Someone
> said to delete the first 2 octets, using that I can read the file now,
> but how do I generate a certificate like it?? The certificate is called
> motman.crt, but I have attached it as motman.txt as the openssly posting
> does not allow .crt extensions.
>
> The certificate I have enclosed is new to me, and myself as well as
> others are having a problem working out what it is...
>
> Please tell me how to create my own certificates like it either using
> openssl or any other tool.
>
> Your help is really needed and appreciated - even if you cannot help,
> please tell me where I can get some help...
>
> Thanks in advance,
>
> David
>






> 0,©0,' 

0 *?H?÷

0y1 0 UUS10UIllinois10U
Libertyville10U
>  Motorola Inc1 0
> U PCS10UMotorola Java CA40003082107Z18082107Z01 0
UUS10UIllinois10U Libertyville10U
>  Motorola Inc1 0
> U PCS1!0UManufacturer Domain 40-10,
"0 *?H?÷


,
0,

> ,

©ºAJ>^<ÇòÑ-,øæ=>2
ѽv­¨#pË"¿T&9"×~.(Ø"[EMAIL 
PROTECTED](ãL¥_,<ì?á"7?=CÏ:¶Ø¦åv­ñ¨s?wìr';µ46wëȪq?³S
r[êe¡Þ± ­/¬>qyâÿEýBo«"ò?gçùsͺ§.o­f]iïÏ­Ð8O¤a,ÁâZ×ZMá¡YùÅTs\
1~71#¸æß?.éÃÕìÕ'+Éǝ .Ù-s :Ðfg¿h´ÙÛAP-²"¸§¼fý>zQmQ
båÆpA"¯?#&o»Sþã»Ïø¶fôêïfí®iqKlò«½¨*O5,>vÝhq?BZß¿O,ºmÓU~?fupþÏ0G¹-Àf
åJ4à,­æ/Îòú ¤è»f~1½TϧþÇQÜ,°m?
õ÷Z?°)ú ¡®9¢³H<µ®_ÎL9¯kãna¹W½ÚêGÛ Ù²»è
0¥K0ûñyl:¿Ã-_¿b0

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Odd handshake deadlock..

[Pablo J Royo]

I think you can try s_client program, in apps directory.

Using it, you can write "ssl on" after SSL negotiation and see what happens.
If it works, you can use it to build your program. It has all you need.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Multi process Server and openssl

[Pablo J Royo]

If you have control over the father process source code, I think it is
easier to accept( ) the incomming connection in the father process, then do
a fork( ) and let the child to stablish the SSL channel using the inherited
accepted socket returned by accept( ).
This way, you don´t need to share memory becuse all SSL operations are made
in the child process. You only need to "initialize" the OpenSSL library in
the father process (load certificates, keys, set up algorithms...) and use
the inherited structures in the child to create the SSL channel.

- Original Message -
From: <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 20, 2005 11:32 AM
Subject: Multi process Server and openssl


Folks,

We have come up against a problem while trying to integrate the openssl
library into our server.

The server architecture is multi process where child processes handle
requests. Each process attaches to a single shared memory segment which
holds common configuration data.

Our problem is:

During the TLS negotiation and after the secure channel is set up different
child processes will handle the request and will need access to the SSL
connection.  The SSL connections are allocated and freed using openssl
library calls therefore are in the address space of the process that
allocated.  There is no method of telling openssl to use our block of shared
memory for its needs.

We solved a similar problem with LDAP connections by putting a tag into
shared memory and each process has its own real LDAP connection to the
server in local memory which it found using the tag.  We don't think that
this approach can be applied to openssl.

Does anyone have any ideas how this problem can be solved without threading
the server.

thanks,
Martin.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Error to sign with OpenSSL

[Pablo J Royo]

There are a lot of ugly things in your code, but that strlen(firma) has no
sense. I think you are confusing the size of the private key RSA struct with
the size of the buffer you want to sign. Also, you are using strlen with a
buffer (firma) with any content and probaly not ended with 0, so it will
crash your application.

I suggest you to look at the OpenSSL apps directory to see some
examples.(the "rsa" example will help you).

- Original Message -
From: "Angel Martinez Gonzalez" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 13, 2005 1:54 PM
Subject: Error to sign with OpenSSL


> Hello:
>
> I want sign with OpenSSL, and I use the RSA_sign fuction:
>
>
> void Firmar(char *mdigest, int longmdigest, RSA *claveRSA)
> {
>  int error;
>  char *firma;
>
>  firma = malloc(RSA_size(claveRSA));
>
>  error = RSA_sign(NID_sha1, mdigest, longmdigest, firma, strlen(firma),
> claveRSA);
>
>  if (error == 1)
>   printf ("Firma realizada con exito\n");
>  else
>   printf ("Error en el firmado\n");
>
> }
>
> And I call to this funcion "Firmar" with this code:
>
> Firmar(messagedigest, longitudMensajeDigest, parClaves);
>
> Where:
> unsigned char messagedigest[EVP_MAX_MD_SIZE];
> int longitudMensajeDigest;
> RSA *parClaves;
>
> and this variables have a valid value.
>
> But I have an error in execution time. What is wrong?.
>
> Thanks.
>
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL Segmentation Fault

[Pablo J Royo]

Hi:
 
In our case, it was a client doing 
SSL communication and some PKCS7 handling, but the crash was at specific 
locations too, although very far away of the real error. Stressing the 
application made easier to reproduce the error, and then, by commenting our code 
(i.e, by putting /*...*/ on selected parts) in several places we discovered were 
the problem was.
 
It wasn´t easy: all I can say is that it 
worked to find the errors. 
 
Regards
Pablo J. Royo

  - Original Message - 
  From: 
  Nauman 
  Akbar 
  To: openssl-users@openssl.org 
  Sent: Wednesday, April 06, 2005 2:18 
  PM
  Subject: RE: OpenSSL Segmentation 
  Fault
  
  
  Hello 
  Again
   
  In my case, it is a 
  simple server, not too much complexity with respect to SSL usage or network 
  protocols. Basically just receives a string, parses it and passes the result 
  back, then do some server side processing. Additionally, in my case, the 
  crashing seems to occur at two specific locations; during ssl handshake and 
  while exiting a thread.
   
  Regards
  Nauman 
  Akbar
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Pablo J 
  RoyoSent: Wednesday, April 
  06, 2005 04:58 PMTo: 
  openssl-users@openssl.orgSubject: Re: OpenSSL Segmentation 
  Fault
   
  
  I can´t say what is exactly 
  causing your problem, but we had a very similar problem when stressing our 
  OpenSSL applications with 100 threads. We did exactly the same that you: to 
  use the callbacks you mention in mttest.c.
  
  Our problem was not to use certain 
  reentrant functions as books say (specially gethostbyname_r and other 
  "inet" functions). This was causing very extrange behaviour, 
  specially crashes in extrange places of our code. Also, the OpenSSL 
  OBJ_XXX functions and all that OBJ management gave us 
  problems, because we were dinamically adding some custom OIDs to the 
  internal OpenSSL OID object list and you need a mutex to handle that 
  list.
  
   
  
  We discovered this in a couple of 
  days building a little application to stress our code.This way, the 
  problem is produced in minutes, not days.Once we carefully 
  revised that functions, OpenSSL worked perfectly with the supplied callbacks. 
  

Re: OpenSSL Segmentation Fault

[Pablo J Royo]

I can´t say what is exactly causing your problem, 
but we had a very similar problem when stressing our OpenSSL applications with 
100 threads. We did exactly the same that you: to use the callbacks you mention 
in mttest.c.
Our problem was not to use certain reentrant 
functions as books say (specially gethostbyname_r and other "inet" 
functions). This was causing very extrange behaviour, specially crashes in 
extrange places of our code. Also, the OpenSSL OBJ_XXX functions and all that 
OBJ management gave us problems, because we were dinamically adding 
some custom OIDs to the internal OpenSSL OID object list and you need 
a mutex to handle that list.
 
We discovered this in a couple of days building a 
little application to stress our code.This way, the problem is 
produced in minutes, not days.Once we carefully revised that 
functions, OpenSSL worked perfectly with the supplied callbacks. 

  - Original Message - 
  From: 
  Nauman 
  Akbar 
  To: openssl-users@openssl.org 
  Sent: Wednesday, April 06, 2005 11:51 
  AM
  Subject: OpenSSL Segmentation Fault
  
  
  Dear 
  Users
   
  I have developed a custom OpenSSL 
  based multi-threaded server. It only uses ADH and is working fine except for 
  one problem. The server crashes randomly with segmentation fault. However, it 
  does not generate any core dump. I am developing this server on RH9 with 
  OpenSSL 0.9.7a. The fault occurs either during handshake or occasionally when 
  a thread is finishing up. I have two possible reasons in mind. One is the 
  “Security Advisory” issue 1 listed on main org page. Second is wrong 
  implementation of callback functions. The first reason seems like a remote 
  possibility but still may be causing this.
   
  The callback functions that 
  multi-threaded OpenSSL implementation requires are copied from mttest.c with 
  one change. The “lock_count” variable seemed unnecessary as it was not present 
  in implementations for other platforms and so it was removed. I am not sure if 
  that may be causing this random crash. Please advise if “lock_count” variable 
  is a must in POSIX based implementations. I am testing with this implemented 
  now but still need confirmation as the crash is pretty random. Once it crashed 
  after running for 3 days and handling 3000 
  requests.
   
  Apart from these two reasons, if 
  anyone has any other idea about what may be causing this crash, please let me 
  know. This server is waiting release due to this bug. Any help will be highly 
  appreciated.
   
  Dr. Henson you are quite expert on 
  OpenSSL. Your help has been quite useful in the past. Please suggest some 
  course of action.
   
  Regards,
  Nauman 
  Akbar
  Concise 
  Solutions
  Pakistan

Re: Re(2): RE(2): Re(2): Decryption Problem

[Pablo J Royo]

> There are some hooks for BER and streaming S/MIME in OpenSSL 0.9.8 but
that's
> only at an early stage and no one's really been that interested in it at
> present.

My program has to handle big PKCS7 files, so I´d be very interested in that
streaming.
I had to modify PKCS7_doit( ) routines to do that with *detached*
signatures/envelopes, so I can create/read the big content apart from
signature in a loop without using up my RAM, but I would prefer to leave
that work to OpenSSL internals.
But, in case a big *non-detached* PKCS7 is generated (maybe this is nowadays
more usual), I have no option but to load all big content in memory because
the internal d2i_XXX, i2d_XXX routines use only memory pointers. Something
as a "stream BIO " instead of pointers could be a solution.




__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL en VC1.52 16-bit

[Pablo J Royo]

>
> Depends on what you mean by "PKCS7 handling" if you just mean being able
to
> parse PKCS#7 structures then even SSLeay would handle it. If you mean
S/MIME
> then it first appeared in 0.9.5 but there have been *many* security and
> bugfixing changes since then.
>
> You might be able to use CryptoAPI if the necessary PKCS#7 support was
> present: not sure if it was.
>

I need to sign a buffer and produce a PKCS7 structure. I´ll try with 0.9.5a
Thanks for your answer


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL en VC1.52 16-bit

[Pablo J Royo]

> > ¿Do you know if actual OpenSSL versions do (still) compile with VC1.52
producing 16bit code?
> > I need PKCS7 support for an old 16bit application.
> >
>
> It has not been tested for a long time and I'd be surprised if it still
> worked.
>

In that case, does anybody know which version was the first implementing
PKCS7 handling?
Last 16bit version I used was SSLEay 0.8.1. It has a pkcs7.h include file,
so I think it could work, but I would prefer to use something
as recent as I can. (0.9.5, 0.9.6 ...)

thank you


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

OpenSSL en VC1.52 16-bit

[Pablo J Royo]

Hi
 
¿Do you know if actual OpenSSL versions do (still) 
compile with VC1.52 producing 16bit code?
I need PKCS7 support for an old 16bit 
application.
 
Thanks

Re: Smart cards and private keys

[Pablo J Royo]

Title: Smart cards and private keys



OpenSSL does not manage that directly, but 
it is possible: you will have to create a set of 
functions using your own software, let's say using Windows CryptoAPI to 
access smartcard , and then suply that callbacks to the RSA_METHOD 
structure.
 

  - Original Message - 
  From: 
  Milan Tomic 

  To: openssl-users@openssl.org 
  Sent: Thursday, January 20, 2005 11:45 
  AM
  Subject: Smart cards and private 
  keys
  
  Hi, 
      Is 
  it possible to extract private key from some (any) smart card? I'm using 
  ActivCard equipement and it seems that it is not possible?
  Thank you in advance, Milan 

Re: Request Setup error

[Pablo J Royo]

May be the '+' simbol of  "Telefonica 
I+D" is not an allowed character in the subject for the software or codification 
you are using?
It seems as if some part in it had 
problems building a DN with that string.
 

  - Original Message - 
  From: 
  Angel Martinez 
  Gonzalez 
  To: [EMAIL PROTECTED] 
  Sent: Thursday, November 11, 2004 1:03 
  PM
  Subject: Request Setup error
  
  Hello:
   
  I´m trying to initializate OpenCA. In Request 
  Setup of Phase 1, I enter this DN:
   
  C=ES, ST=Valladolid, L=Boecillo, O=Telefonica 
  I+D, OU=Casa Domotica, CN=domolinux.hi.inet/[EMAIL PROTECTED]
   
  obtained from this OpenSSL 
  certificate:
   
  Certificate:    
  Data:    Version: 1 
  (0x0)    Serial Number: 0 
  (0x0)    Signature Algorithm: 
  md5WithRSAEncryption    Issuer: 
  C=ES, ST=Valladolid, L=Boecillo, O=Telefonica I+D, OU=Casa Domotica, 
  CN=domolinux.hi.inet/[EMAIL PROTECTED]    
  Validity    
  Not Before: Jun 28 11:30:55 2004 
  GMT    Not 
  After : Jun 28 11:30:55 2005 GMT    
  Subject: C=ES, ST=Valladolid, L=Boecillo, O=Telefonica I+D, OU=Casa Domotica, 
  CN=domolinux.hi.inet/[EMAIL PROTECTED]    
  Subject Public Key 
  Info:    
  Public Key Algorithm: 
  rsaEncryption    
  RSA Public Key: (1024 
  bit)    
  Modulus (1024 
  bit):    
  00:b0:31:94:3a:60:28:6a:04:65:25:74:43:e2:8a:    
  ae:92:50:a4:61:d3:4d:a3:5c:ca:20:63:8f:48:ac:    
  b2:c1:2d:e9:f3:72:cb:97:9d:3a:72:7b:ae:97:8d:    
  51:76:34:32:6c:39:ca:71:5e:09:83:b2:36:a8:9c:    
  e2:c6:77:78:a2:01:19:06:af:ed:cd:81:0e:96:b5:    
  ec:48:af:0b:c1:76:04:5e:7a:6a:7e:b4:f4:44:58:    
  a1:0f:b7:79:e1:a9:ef:7f:09:b4:67:00:9d:d4:7f:    
  42:32:0a:64:30:67:57:5d:8c:49:94:29:ef:8f:92:    
  02:7e:16:28:9f:5a:d9:c3:c3    
  Exponent: 65537 (0x10001)    Signature Algorithm: 
  md5WithRSAEncryption    
  20:f1:44:48:64:ae:b7:6b:9d:e9:e6:38:54:d6:f8:69:c8:c6:    
  59:63:c9:0a:61:23:99:a0:c4:13:65:e6:9b:8f:34:59:07:75:    
  13:de:a8:06:6e:9e:1f:06:d0:66:78:c6:e2:a9:58:cb:ea:21:    
  63:6a:95:64:5f:28:89:ba:32:dd:f5:36:29:6c:f8:0d:7b:f1:    
  d6:31:1d:63:b5:a8:e3:ac:34:74:be:46:0b:57:31:3f:cd:9b:    
  86:fe:55:4d:b0:c9:9e:ba:66:e7:20:ec:b7:d9:b3:32:35:fc:    
  11:fd:df:cb:a4:a6:71:b3:63:1b:cd:6b:41:10:67:95:e9:e7:    
  20:6f
  But I have this error:
   
  
  
Error 7712013
General Error. OpenCA::OpenSSL 
  failed.OpenCA::OpenSSL->genReq: Cannot build X500::DN-object from 
  subject C=ES, ST=Valladolid, L=Boecillo, O=Telefonica I+D, OU=Casa 
  Domotica, 
  CN=domolinux.hi.inet/[EMAIL PROTECTED]
  Somebody can help me?
   
  Thanks.

Subject string to X509_NAME

[Pablo J Royo]

Hello:

I have a subject string in its common format:

C=XX /O=xxx /OU=yy /CN=z...etc

and I´d like to create a X509_NAME object with it, in order to handle its
different fields (X509_NAME_ENTRY) correctly.
Is there any function in OpenSSL X509 interface to do this (as easy as
possible)?

Thanks

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: PKCS7_sign error

[Pablo J Royo]

> error:2106906D:lib(33):func(105):reason(109)
> error:21074041:lib(33):func(116):reason(65)

>From crypto/err/err.h you se the 33 sub-library is PKCS7.
>From pkcs7/pkcs7.h you see the 105 function is PKCS7_dataInit, and from that
file you see the reason 109 is "unknown digest type".

116 is the PKCS7_Sign function, but I don´t know what error reason 65 means,
but errors below 99 are not specific sub-library errors. Malloc or fatal
error, perhaps?.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL session hangs

[Pablo J Royo]

Hi

May be this problem could nothing to do with OpenSSL?

I experienced this problem under a , non SSL, private protocol for sending
files to a server.
The symptons were VERY similar: a hang after sending a file to a server,
then exchanging little packets betwen client and server.
I made experiments with the "low watermark" socket option, used by select( )
to detect when a packet has come to a socket.
I remember that lowering that parameter could improve the situation but then
I discovered the same effects in a LAN with fragmented packets incorrectly
handled by broken routers and forget that tests. I suppose this is not your
problem , unless something very ugly is happening on your OS.

Not sure if this can help, or distract you. Anyway, hope it can help.



- Original Message -
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: "Paul L. Allen" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 2:50 PM
Subject: Re: OpenSSL session hangs


> 
>
> On Mon, Feb 23, 2004, Paul L. Allen wrote:
>
> >
> > OK, here's where it took me:
> >
> > The setup is a stack consisting of a buffered BIO, an SSL BIO, and
> > a socket BIO.  In a typical test run, client and server have had a
> > conversation of a hundred or so messages.  The most recent exchange
> > involved a message from the client of about 4500 bytes.  Messages are
> > newline-delimited ASCII lines exchanged via BIO_puts()/BIO_gets(),
> > with a BIO_flush() after each BIO_puts().
> >
> > The client sends a 4-byte message using BIO_puts().
> > buffer_write() stashes the bytes in the buffer and returns.
> > The client calls BIO_flush() on the buffered BIO.
> > In buffer_ctl(), BIO_write() gets called to get the SSL BIO to write the
> > bytes.
> > BIO_write() calls the bwrite method on the SSL BIO, which resolves to
> > ssl_write().
> > ssl_write() calls SSL_write().
> > SSL_write() calls ssl->method->ssl_write, which resolves to
ssl3_write().
> > ssl3_write() calls ssl3_write_bytes().
> > ssl3_write_bytes() calls do_ssl3_write().
> > do_ssl3_write() calls s->method->ssl3_enc->mac(), which hangs until a
> > SIGALRM gets delivered in about 60 seconds.
> >
> > On all prior runs down this pathway, s->method->ssl3_enc->mac()
> > returns OK, s->method->ssl3_enc->enc() is called, followed by s2n(),
> > ssl3_write_pending() gets called to ask the socket BIO to write the
> > data, and we return back up the stack to where BIO_flush() returns to
> > my code.  The above experiment is with the 2/19 snapshot of the OpenSSL
> > code, liberally sprinkled with fprintf's.  It's possible that I've
> > missed some links in the chain, although I've tried pretty hard not to.
> >
> > The hang always involves a short message from the client following
> > an interchange involving a long message from the client.  If I move
> > the transaction containing the long line around in the sequence of
> > test transactions, the client sometimes does not hang.  But when it
> > does hang, it is always right after a long transaction.  Interestingly,
> > the "long" transactions consist of a 4500 byte message from the client,
> > a short (100 bytes) message from the server, another short message from
> > the client (which always succeeds), and another short message from the
> > server.  When the hang happens, it is on the next message from the
> > client (the second short client message after a long one).
> >
> > I'm stumped!
> >
>
> I'm not immediately sure what the problem is either. It might be stack
> corruption somewhere or something confusing the malloc library. Have you
tried
> it under a debugging malloc library that can detect and out of bounds
> accesses?
>
> Have you tried this under a different OS to see if you get the same
behaviour?
>
> I could look into this as part of my commercial consultancy services if
you
> can't get anywhere. Maybe with a discount if it turned out to be an
OpenSSL
> bug :-)
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Purify problems

[Pablo J Royo]

 
I'm compiling openssl with "Configure purify" 
and I get the following "unresolved" errors:
 
des_options 
/u0/common/sec/openssl-0.9.6l/apps/speed_pure_p9_c0_111202132_32.odes_crypt   
/u0/common/sec/openssl-0.9.6l/apps/passwd_pure_p9_c0_111202132_32.oOpenSSL_add_all_algorithms  
/u0/common/sec/openssl-0.9.6l/apps/openssl_pure_p9_c0_111202132_32.oPKCS12_pack_safebag 
/u0/common/sec/openssl-0.9.6l/apps/pkcs12_pure_p9_c0_111202132_32.oPKCS12_decrypt_d2i  
/u0/common/sec/openssl-0.9.6l/apps/pkcs12_pure_p9_c0_111202132_32.odes_ncbc_encrypt    
/u0/common/sec/openssl-0.9.6l/apps/speed_pure_p9_c0_111202132_32.odes_ede3_cbc_encrypt    
/u0/common/sec/openssl-0.9.6l/apps/speed_pure_p9_c0_111202132_32.odes_set_key_unchecked   
/u0/common/sec/openssl-0.9.6l/apps/speed_pure_p9_c0_111202132_32.o
This are linkage errors building the apps 
binaries in apps directory. Althought libcrypto and libssl libraries are 
created,  when I use this libraries in my application I get very similar 
errors.
 
My enviroment is:
 
Library OpenSSL 
0.9.6l 
System Sparc Solaris 9
Compiler gcc 2.95.3
make  
gmake
Purify 2003.06.00
 
When I try "Configure purify" in Solaris7 
with purify-5.3, everything goes OK. If I compile without "purify" option in 
Solaris9 libraries and programs are generated correctly. 
Do you know what happens? I know this seems a 
problem with my enviroment or Purify, but I have tested everything and don't 
know what is happening here. 
 
Thanks
 
 

CSP source code

[Pablo Cortijo]

Hello. I've been unsuccessfully trying to get 
in touch with Sergio Tabanelli. I wanted to ask him to send me the source 
code of the Cryptographic Service Provider he implemented 3 years ago. See 
http://linux.dp.ua/maillists/lug/27/msg00028.html for more info. I was wondering if his CSP source code has been made 
available somewhere. If anybody knows of any other downloadable CSP source code 
I will be pleased to hear about it. Excuse me if this mail is a bit out of the 
scope of the mailing list. Thanks in 
advance,
        Pablo 
Cortijo.

Re: Reissue CA certificate

[pablo neira]

Hi David,

I found your question quite interesting, I thought it wasn't possible in 
the beginning but I found some documentation related to this stuff after 
some time.

http://www.qxmail.com/bio/structuredarts/docs/edu/reissue.htm

This link is documentation related to how to reissue the Root CA 
certificate by using Netscape Certificate Server (propietary software), 
anyway I think it's nice to reissue your Root CA by using OpenSSL, it 
makes sense what it says.

Here comes the magical recipe:

1) You must generate a request (pkcs#10) with the same Distinguish Name 
and NotBefore (beginning date) fields (I would also use the same 
EmailAddress...).  The NotAfter must be older than the first one. The 
extensions must be also the same (nsCertType, nsX...).
2) Use the same Private Key to self-sign the Root CA cert.
3) Load the new Root CA cert to all server and clients.

I didn't try this and I cannot do it at this moment, so let me know how 
everything goes.

Pablo

David wrote:

Hello list,

I've a some questions about reissuing of CA certificates. Imagine I've 
got
the following hierarchy within my PKI.

  TLCA
|
   CA
|
end-entities
If the CA-certificate is about to expire before the certificates
of the end-entities do, can i reissue the CA certificate with an extended
validity period to work around this ?
If yes,
Can I do this by issuing a certificate with the same public-key, CN and
subjectKeyIdentifier from the current CA-certificate? Cause that are the
only "fields" which are used within the verifying process, if I'm right.
I hope someone can shine some light on this situation,

Thanks in advange,

David


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Problem building openssl-0.97b on alpha-dec-osf1

[LDC - Pablo Endres Lozada]

  Hi, I've been trying to build openssl-0.97b on an alpha with
Tru64g and gcc-3.2.3 for a couple of days now with no luck.

I'm doing the config with the following line:
./Configure --openssldir=%{openssldir} alpha-gcc zlib \
threads shared no-bio

This is the erro that I'm getting:
make[2]: Entering directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/err'gcc -I.. -I../..
-I../../include -DZLIB -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H
-DOPENSSL_NO_KRB5 -DSSL_ALLOW_ADH -D_REENTRANT -DOPENSSL_NO_BIO
-DOPENSSL_NO_ERR -O3   -c -o err.o err.c
err.c: In function `ERR_add_error_data':
err.c:1007: incompatible type for argument 1 of `__builtin_stdarg_start'
err.c:1034: incompatible type for argument 1 of `__builtin_va_end'
err.c:1011: first argument to `va_arg' not of type `va_list'
make[2]: *** [err.o] Error 1
make[2]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/err'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto'
make: *** [sub_all] Error 1

If I use
./Configure --openssldir=%{openssldir} alpha-gcc zlib \
threads shared
I get the following:
gcc -I.. -I../.. -I../../include -DZLIB -DOPENSSL_THREADS -DDSO_DLFCN
-DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DSSL_ALLOW_ADH -D_REENTRANT
-DOPENSSL_NO_ERR -O3   -c -o b_print.o b_print.c
b_print.c: In function `_dopr':
b_print.c:238: first argument to `va_arg' not of type `va_list'
b_print.c:258: first argument to `va_arg' not of type `va_list'
b_print.c:297: first argument to `va_arg' not of type `va_list'
b_print.c:300: first argument to `va_arg' not of type `va_list'
b_print.c:303: first argument to `va_arg' not of type `va_list'
b_print.c:306: first argument to `va_arg' not of type `va_list'
b_print.c: In function `BIO_printf':
b_print.c:771: incompatible type for argument 1 of
`__builtin_stdarg_start'
b_print.c:775: incompatible type for argument 1 of `__builtin_va_end'
b_print.c: In function `BIO_snprintf':
b_print.c:817: incompatible type for argument 1 of
`__builtin_stdarg_start'
b_print.c:821: incompatible type for argument 1 of `__builtin_va_end'
make[2]: *** [b_print.o] Error 1
make[2]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/bio'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto'


I'm working on Tru64 4.0g with gcc-3.2.3

Any Ideas on whats going on?

-- 
Democracy is two wolves and a sheep voting on what to have for dinner.
Liberty is two wolves attempting to have a sheep for dinner and
finding a well-informed, well-armed sheep.


   .-.
  /  .-.   Pablo Endres Lozada.-.  \
 |  /   \   Laboratorio Docente de Computacion  /   \  |
 | |\_.  |USB - Venezuela  |/| |
 |\|  | /| |\  | |/|
 | `---' |   [EMAIL PROTECTED] | `---' |
 |   | |   | 
 |   |-|   |
 \   | |   /
  \ /   \ /
   `---' `---'

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Automating Openssl commands

[pablo neira]

Dr. Stephen Henson wrote:

On Fri, Jun 06, 2003, Kwan Hon Luen wrote:

 

Hi,

How do I automate the signing of server certificate by a CA ?
without the following prompt:
(1) "Enter PEM pass phrase:"
(2) "Sign the certificate?"
(3) "commit?"
   

Use the 'x509' utility instead, passphrase can be entered via -passin there
are no other prompts.
but this way you don't keep the index.txt file the all valid 
certificates generated, so it seems there's no way to automate the 
process by using the 'ca' utility, am I right?

Thanks
Pablo
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Startup error

[pablo neira]

Swenson, Chris wrote:

I have install apache 1.3.27 with openssl-0.9.7b and mod-ssl2.8.13-1.3.27
This is all running on RH 8.0.
I installed the default certificate to play with and all was good.
I purchased a certificate from VeriSign and things are so so.
When the server starts in the ssl_engine_log I get the following error
[warn] Init: (ragnarock.domain.tld:443) RSA server certificate CommonName
'RAGNAROCK' does not match server name!?
I have messed with the server name ad nauseum.  Any ideas out there?
 

the Common Name of your server certificate should be the FDQN, so it 
should be "ragnarock.domain.tld" and not "ragnarock", that's why you got 
that warning message.

Also since this service runs on a virtual server, should I have the virtual
server under a different name then the actual server name?  This is a single
purpose server only.
 

Cheers,
Pablo
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

revoking the OCSP responder certificate

[pablo]

Hi everyone,

I just revoked the OCSP responder certificate as you can see:

 file index.txt --
R   040530223109Z   030605151409Z   03  unknown 
/C=ES/ST=Andalusia/L=Seville/O=Mazinger Z inc./OU=pepe/CN=OCSP responder 
prueba 2/emailAddress=ocsp
- end of index.txt -

openssl ocsp -index private/index.txt -port 8890 -CA private/cacert.crt 
-rsigner certs/3.crt -rkey key/3.key -text -out log.txt

certs/3.crt is the file which contents the certificate and key/3.key 
contents the private key.

It still works as OCSP responder whether it even returned info about its 
status (revoked).

What shall I do if I want to revoke the OCSP responder certificate? by 
using a CRL?

Thank you,
Pablo
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Automating Openssl commands

[pablo]

Hi,

I'm developing a CA which automates this stuff that you need, maybe it 
could help you (http://cultura.eii.us.es/~pablo/elyca/), it's free 
software and still an early release but if you only need to do generate 
certs for your servers I suppose it's enough for you. There's also 
similar free-software outthere (have a look at freshmeat).

Pablo

Kwan Hon Luen wrote:

Hi ,

I am currently using Openssl to generate CA and server/client key certs.

Right now, the Openssl prompt me for password when generating CA key/cert:

openssl req -new -x509 -days 3650 -keyout cakey.pem -out
trusted_ca_cert.pem -config openssl.cnf
(1) Is there a way to use the password as a parameter so that I can create
the CA key/cert with just one command, without any password prompting?
The command below is for generating client/server key/cert. It prompt me for
password, the CN, etc.
openssl req -new -keyout test_key.pem -out test_request.pem -config
openssl.cnf
(2) Is there a way to use the password, CN,etc as parameters so that I can
create the CA key/cert with just one command, without any password, CN, etc
prompting?
The command below is for certifying the client/server cert using the CA. It
prompt me to approve the certifying.
openssl ca -policy policy_anything -out test_cert.pem -config
openssl.cnf -infiles test_new.pem
(3) Is there a way to use parameter such that the command will not prompt me
to confirm certifying the certificate?
Thanks.

Hon Luen

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
 



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: problems with ocsp

[pablo]

Hi again,

first of all, thank you Stephen.

Dr. Stephen Henson wrote:

On Sat, May 31, 2003, pablo wrote:

 

Hi everyone,

this is the first time I post something, so sorry if any mistake is done.

I've been playing with the ocsp implementation of openssl and I got some 
errors, I've been looking for stuff about the matter but there's no so 
much info about openssl ocsp, I suppose because of it's a new feature 
included not so long. I know the implementation is not full and it's not 
mature at all, I also read http://www.openssl.org/docs/apps/ocsp.html 
from corner to corner. Well, I won't talk anymore, this is my problem:

I ran the ocsp responder:

$ openssl ocsp -index private/index.txt -port 8890 -CA 
private/cacert.crt -rkey key/2.key -rsigner certs/2.crt -text -out log.txt

- cacert.crt file is a simple self-signed certificate using the default 
openssl.cnf config.
- 2.key and 2.crt files are the private key and the certificate for the 
responder

the netscape certType of the responder certificate is Object signing, as 
you can see:

$ openssl x509 -inform PEM -in certs/2.crt -text -noout

Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 2 (0x2)
  Signature Algorithm: sha1WithRSAEncryption
  ... blah
  Netscape Cert Type:
  Object Signing
  ... blah

the 2.key file is a simple 1024 bit RSA key.

   

An OCSP responder needs an extended key usage of OCSPSigning with the line:

extendedKeyUsage=OCSPSigning

to work as a delegated OCSP responder.

I've got no errors since I generated a new certificate for the OCSP 
responder with that extendedKeyUsage, so that was the problem.

...
-END CERTIFICATE-
Response verify OK
0x1: revoked
   This Update: May 31 22:34:47 2003 GMT
   Revocation Time: May 30 18:27:04 2003 GMT
 

time to make a resquest to the ocsp responder, well, I'll ask for the 
status of the certificate 0x1:

$ openssl ocsp -issuer private/cacert.crt -serial 0x1 -text -CAfile 
private/cacert.crt -url http://localhost:8890/

 blah
  OCSP Response Status: successful (0x0)
  Response Type: Basic OCSP Response
  Version: 1 (0x0)
  Responder Id: C = ES, ST = Andalusia, L = Seville, O = rammataz, OU 
= computers, CN = responder OCSP prueba, emailAddress = prueba

... blah
 Cert Status: revoked<--- (cert 0x1 is revoked, it's ok, this is true)
and something else, when I ask for the status of a non-revoked cert I 
got this:

CertStatus: unknown

I had a look at the index.txt and it seems there's only info about 
revoked certs so, is that why the reponder said "unknown" when I ask for 
a-still-valid cert?

   

It responds unknown because it has no information about the certificate you
requested.
How did you create index.txt? It will normally come from a CA which has been
maintained using the 'ca' utility. This will then contain information about
all certificates issued.
No, I've been using the 'x509' utility to issue certs and the 'ca' 
utility to revoke, so I'll start using this 'ca' utility right now.

By the way, a line of the index.txt looks like:

R   040524223048Z   030530182704Z   01  unknown 
/C=ES/ST=Andalusia/L=Seville/O=acme/OU=devel/CN=pablo/[EMAIL PROTECTED]

what's the meaning of the columns number two and three?

Thank you,
Pablo
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

problems with ocsp

[pablo]

Hi everyone,

this is the first time I post something, so sorry if any mistake is done.

I've been playing with the ocsp implementation of openssl and I got some 
errors, I've been looking for stuff about the matter but there's no so 
much info about openssl ocsp, I suppose because of it's a new feature 
included not so long. I know the implementation is not full and it's not 
mature at all, I also read http://www.openssl.org/docs/apps/ocsp.html 
from corner to corner. Well, I won't talk anymore, this is my problem:

I ran the ocsp responder:

$ openssl ocsp -index private/index.txt -port 8890 -CA 
private/cacert.crt -rkey key/2.key -rsigner certs/2.crt -text -out log.txt

- cacert.crt file is a simple self-signed certificate using the default 
openssl.cnf config.
- 2.key and 2.crt files are the private key and the certificate for the 
responder

the netscape certType of the responder certificate is Object signing, as 
you can see:

$ openssl x509 -inform PEM -in certs/2.crt -text -noout

Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 2 (0x2)
   Signature Algorithm: sha1WithRSAEncryption
   ... blah
   Netscape Cert Type:
   Object Signing
   ... blah

the 2.key file is a simple 1024 bit RSA key.

time to make a resquest to the ocsp responder, well, I'll ask for the 
status of the certificate 0x1:

$ openssl ocsp -issuer private/cacert.crt -serial 0x1 -text -CAfile 
private/cacert.crt -url http://localhost:8890/

 blah
   OCSP Response Status: successful (0x0)
   Response Type: Basic OCSP Response
   Version: 1 (0x0)
   Responder Id: C = ES, ST = Andalusia, L = Seville, O = rammataz, OU 
= computers, CN = responder OCSP prueba, emailAddress = prueba

... blah
  Cert Status: revoked<--- (cert 0x1 is revoked, it's ok, this is true)
(it seems the reply is ok, but I got these errors)

-END CERTIFICATE-
Response Verify Failure
1214:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing 
ocspsigning usage:ocsp_vfy.c:348:
1214:error:27069070:OCSP routines:OCSP_basic_verify:root ca not 
trusted:ocsp_vfy.c:148:
0x1: revoked

what's wrong? is anything missing?

and something else, when I ask for the status of a non-revoked cert I 
got this:

CertStatus: unknown

I had a look at the index.txt and it seems there's only info about 
revoked certs so, is that why the reponder said "unknown" when I ask for 
a-still-valid cert?

Thank you very much,

Pablo

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Seeding the OpenSSL PRNG on Windows

[Pablo J Royo]

Check this:

http://www.counterpane.com/yarrow.html

It's a "try icon" application for Windows, but you can change it to be a
service.


- Original Message -
From: "Edward Chan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 03, 2002 1:47 AM
Subject: Seeding the OpenSSL PRNG on Windows


> Can anyone suggest how I would seed the OpenSSL PRNG
> on Windows? I guess on Unix systems, I can use
> /dev/random.  But is there an equivalent on Windows?
> Note, that the OpenSSL application I'm writing is a
> server application.  So it is likely that it will run
> on a box with little or no UI interaction.  So I don't
> want to use something that depends on user clicks or
> whatever, to build entropy.  Can anybody suggest a
> good src of entropy on Windows, and how to use it from
> a C/C++ program?
>
> Thanks,
> Ed
>
> __
> Do you Yahoo!?
> New DSL Internet Access from SBC & Yahoo!
> http://sbc.yahoo.com
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Problems with ssl and apache 1.3.26

[Pablo Rodriguez]

Title: Problems with ssl and apache 1.3.26







I'm having a problem for starting apache 1.3.26 web server that was compiled using openssl-0.9.6.

The error is the following: 


# /usr/local/apache/bin/apachectl startssl
Syntax error on line 206 of /usr/local/apache/conf/httpd.conf:
Cannot load /usr/local/apache/libexec/libssl.so into server: ld.so.1: /usr/local/apache/bin/httpd: fatal: relocation error: file /usr/local/apache/libexec/libssl.so: symbol ap_user_id: referenced symbol not found

/usr/local/apache/bin/apachectl startssl: httpd could not be started



OS is Solaris 8 (64 bits)


I had no problem or warning at compiling... is that version of apache not compatible with that version of openssl?
Are you familiar whit this problem?


Thanks a lot 


Pablo



Este mensaje se dirige exclusivamente a su destinatario y puede contener
información CONFIDENCIAL sometida a secreto profesional o cuya divulgación
esté prohibida en virtud de la legislación vigente. Si ha recibido este
mensaje por error, le rogamos que nos lo comunique inmediatamente por esta
misma vía o por teléfono (54.11 5776-5000) y proceda a su destrucción.
Nótese que el correo electrónico vía Internet no permite asegurar ni la
confidencialidad de los mensajes que se transmiten ni la correcta recepción
de los mismos. En caso de que el destinatario de este mensaje no
consintiera la utilización de correo electrónico vía Internet rogamos lo
ponga en nuestro conocimiento de manera inmediata.

Re: Large files with smime

[Pablo J Royo]

Althougth no such a big files, we also create big 
PKCS7 files (tens of Mbytes) using detached PKCS7.I don´t know exactly if this 
is supported by OpenSSL now, but there is a "detached" attribute for files in 
PKCS7 routines, and working in PKCS7_verify(),PKCS7_init(),PKCS7_data() you can 
do it.You have to change memory BIOs (yes,all the data is handled in memory) by 
file BIOs.
 
Pablo J. Royo
 
- Original Message - 

  From: 
  Girish 
  Venkatachalam 
  To: [EMAIL PROTECTED] 
  Sent: Tuesday, May 14, 2002 3:28 PM
  Subject: Large files with smime
  
  Hi everyone, 
  Openssl smime is not able to handle big files ( 
  We tried with a 500MB file). It doesn't report any error message. 

   
  On stepping through the source, we found that 
  it's failing in OPENSSL_malloc.
   
  However openssl enc works fine with files larger 
  than 2 GB. 
   
  There is a bug in one of those pkcs7_ routines. 
  Is there a workaround for this problem? 
   
  We are using Openssl 0.9.6c 21 Dec 2001 version. 
  
   
  Any help is greatly appreciated. 
   
  Thanks and regards,
  Girish

Re: Csslsocket

[Pablo J Royo]

Hi :

I did exactly the same and it gave me the same error.
I have read you have to install Windows SDK to get the right libs and
headers (schannel.dll) installed in your machine in order to compile, but I
did that and errors were the same.

I  hope you'll share the solution if you solve this.


- Original Message -
From: "M.Srikanth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 27, 2002 7:00 PM
Subject: Csslsocket


>
> Has ne one used the Csslsocket . I found the links in
> www.codeproject.com and downloaded the demos. but i cud not compile them.
> in case ne one has done this kindly help me.
>
> srikanth
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: SSL and proxy server

[Pablo J Royo]

Hi:

I´ve faced the same problem.The true problem comes up when you want to
authenticate the remote server and in the process you resolve the IP of the
CN field of the certificate that he(the server) sends you during handshake
to see if its the same you are connected to.If this is the case (which
depends on how you program your verify_callback() function,or how your
client works) then that IPs are different, so full authentication can´t take
place.
If your client doesn´t resolve the certificate CN IP, there is no problem.I
have used methods as CONNECT, port mappings or SOCKS to go out trough proxy
servers with no problems.

Hope this helps.


- Original Message -
From: "M.Srikanth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 27, 2002 7:38 PM
Subject: SSL and proxy server


> guys,
> i am faced with a small problem. I am developing an ssl based
> application based on client - server model but one constraint i have is
> that the application shud work even if the client is behind a proxy.
> so i have to implement ssl and this needs to work even in the presence
> of a proxy. In the normal case there is no problem but i dont have an
> idea of how to proceed in this case.
>
> If ne one of u ppl out there has ne idea bout it... please gimme a piece
> of ur mind.
>
> srikanth
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Using a proxy to my advantage

[Pablo J. Royo]

To use the CONNECT method you will have to enable what ports will be allowed
by the proxy.This is done in a different way in each proxy server so if you
want something that is the same on all servers you can also use
SOCKS,described in RFC 1928,1929.The code to do it is at

http://www.codeguru.com/internet/CSocksifiedSocket.htm

Hope this helps

Pablo J. Royo


-Original Message-
From: Vincent Toms <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: sábado 15 de septiembre de 2001 1:59
Subject: Using a proxy to my advantage


>Hello all,
> I have a question I need some guidance on.
> I have built this app using OpenSSL for transport and a protocol of my
>design to transfer the data it is similar to HTTP.  Any way at the moment I
>am running it over port 1977.  However, in most networks this port is going
>to be locked; however from experience 99% of companies will at a minimum
>have either 443 and 80 open or they will be proxied.  I want to verify if
my
>understanding of using SSL over a proxy is correct.  This is what I have
>gathered from doing some packet sniffing:
>
>client:
>CONNECT SERVER:PORT HTTP/1.0
>Proxy-authorization: Basic Base_64(USER:PASS)
>\n\n
>
>server:
>connection OK
>
>client then does all SSL sends and Recv's to the proxy.
>
>is this about all there is to it.  I have looked on google and no one can
>give me a clear definition of proxy auth at least not at a protocol level.
>I basically want to make my program so that pretty much no matter what I
can
>connect out to the net, and this seems like it would be a good step in that
>direction.
>
>Thank you in advance.
>
>V->T
>
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

validity time

[Pablo Millet]

Hi.
 
How do i set the "Valid from" and/or 
"Valid to" parameters in the certificate?
 
 
~~~~~~Pablo MilletRed  
MessageWeb Developer & DesignerMob.: 0706 - 762 556
 
www.redmessage.com~~

Re: error:wrong version number

[Pablo J. Royo]

Hola Jorge:

Althougth I dont know how this could happen with stunnel or your server I´ve
had similar errors when a client which doesn´t speak SSL talks with a SSL
server who expects  SSL.
This can also happen, I think, when there is a SSLv23/v3 mismatch between
client and server, so perhaps you should try -ssl3/23 options in s_server
command.

Hope this helps

Pablo J. Royo

-Original Message-
From: Jorge Olmos <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: lunes 5 de febrero de 2001 12:18
Subject: error:wrong version number


>Hello,
>I want to commmunicate a server I´ve developed over openssl, with a
>non-ssl client through a stunnel.
>
>First, I have tried to comunicate using:s_server <-secure->
>stunnel <-plain-text-> telnet
>$ openssl s_server -accept 4567 -cert my_cert.pem -key my_key.pem
>as server, and
>>telnet myhost 5000
>as a client through stunnel 3.11 (I´ve tried over openssl 0.9.6/win and
>0.9.5a/solaris). command line is
>$ stunnel -f -r myhost:4567 -d 5000 -p my_certANDkey.pem
>
>It works fine most of time, but sometimes I get errors like this from
>stunnel:
>LOG5[727:4]: myhost.4567 connected from 127.0.0.1:32862
>LOG3[727:4]: SSL_read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
>version number
>LOG5[727:4]: Connection reset: 13 bytes sent to SSL, 0 bytes sent to
>socket
>
>which closes the connection.
>What does this error means? How can I help it?
>
>--
>
>Jorge Olmos Forés
>SGI Soluciones Globales Internet [http://www.sgi.es] GMV Sistemas S.A.
>Sector Foresta 1, 2ª planta
>28760 Tres Cantos, Madrid, España.
>E-mail: [EMAIL PROTECTED]
>
>PGP keyId: 0xCB290369 Searchable at certserver.pgp.com
>
>
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: mod_ssl / openssl for win32 trouble

[Pablo J. Royo]

I dont want to confuse you, so please disregard this if it sounds too
extrange.
I have seen similar problems when the proxy configuration wasnt correct
because the ports were wrongly mapped.Also, when a router in the path
between client and server had a broken router wich set the "DF" bit in
TCP/IP packets.
Symtoms are that comunication with some clients "freezes" after the
conection is made and other not.And it depends on the size of the
packet.(becuse of the dont fragment bit)


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: SSL_read, non-blocking sockets, and Windows.

[Pablo J. Royo]

I think you should change the line

int tNumSocketsReady = select(1, &tSet, NULL, NULL, &tTimeout);

 by

int tNumSocketsReady = select( tSocketFD+1, &tSet, NULL, NULL,
&tTimeout);

If not, the descriptor you are selecting on may be totally wrong, so your
select() doesn´t works.


-Original Message-
From: James Gaskell <[EMAIL PROTECTED]>
To: 'SSLU' <[EMAIL PROTECTED]>
Date: lunes 9 de octubre de 2000 10:33
Subject: SSL_read, non-blocking sockets, and Windows.


>Hi.
>
>I'm just starting out with the OpenSSL library, and I've got a problem that
>I don't know how to fix.
>
>I'm trying to read data using SSL_read() from a non-blocking socket on a
>Windows machine.
>
>The problem is that when the SSL_read returns SSL_ERROR_WANT_READ, I don't
>know how to wait for data to become available.
>
>My code is something like:
>
>fd_set tSet;
>FD_ZERO(&tSet);
>
>SOCKET tSocketFD = SSL_get_fd(pSSL); // Get the underlying socket.
>FD_SET(tSocketFD, &tSet);
>
>int tNumSocketsReady = select(1, &tSet, NULL, NULL, &tTimeout);
>
>if (tNumSocketsReady)
>{
>tRetVal = SSL_read(pSSL, buf, num);
>}
>else
>{
>tRetVal = SOCKET_ERROR;
>}
>
>However, this doesn't work -- the select() call always returns immediately.
>
>I've been banging my head against
>http://www.openssl.org/docs/ssl/SSL_read.html but it just says:
>
>The calling process then must repeat the call after taking
>appropriate action to satisfy the needs of SSL_read().
>The action depends on the underlying BIO.
>
>What SSL function acts like select() on ordinary sockets? Is there some
kind
>of event I can wait on?
>
>Thanks for listening!
>
>James Gaskell.
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: SOLARIS 8 GCC 2.95.2 ld: fatal: file values-Xa.o

[Pablo J. Royo]

Sorry.The true page is

http://www.sunfreeware.com/faq.html

Question is Q5.

-Original Message-
From: Pablo J. Royo <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: martes 19 de septiembre de 2000 17:30
Subject: Re: SOLARIS 8 GCC 2.95.2 ld: fatal: file values-Xa.o


>See the Solaris2 FAQ, question five Q5 at
>
>http://www.wins.uva.nl/pub/solaris/solaris2/
>
>
>-Original Message-
>From: Castellanos, Leon <[EMAIL PROTECTED]>
>To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
>Date: martes 19 de septiembre de 2000 17:15
>Subject: SOLARIS 8 GCC 2.95.2 ld: fatal: file values-Xa.o
>
>
>>Anyone know how to fix this? The file exists but it doesn't seem to like
it
>>
>>making all in apps...
>>rm -f openssl
>>gcc -o openssl -DMONOLITH -I../include -DTHREADS -D_REENTRANT
>>-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
>>-DULTRASPARC -DMD5_ASM openssl.o verify.o asn1pars.o req.o dgst.o dh.o
>>dhparam.o enc.o passwd.o gendh.o errstr.o  ca.o pkcs7.o crl2p7.o crl.o
>>rsa.o dsa.o dsaparam.o  x509.o genrsa.o gendsa.o s_server.o s_client.o
>>speed.o  s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o
>>ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L. -L.. -L../..
>>-L../../.. -L.. -lssl -L.. -lcrypto -lsocket -lnsl
>>ld: fatal: file values-Xa.o: cannot open file: No such file or directory
>>ld: fatal: File processing errors. No output written to openssl
>>collect2: ld returned 1 exit status
>>*** Error code 1
>>__
>>OpenSSL Project http://www.openssl.org
>>User Support Mailing List[EMAIL PROTECTED]
>>Automated List Manager   [EMAIL PROTECTED]
>>
>
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: SOLARIS 8 GCC 2.95.2 ld: fatal: file values-Xa.o

[Pablo J. Royo]

See the Solaris2 FAQ, question five Q5 at

http://www.wins.uva.nl/pub/solaris/solaris2/


-Original Message-
From: Castellanos, Leon <[EMAIL PROTECTED]>
To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
Date: martes 19 de septiembre de 2000 17:15
Subject: SOLARIS 8 GCC 2.95.2 ld: fatal: file values-Xa.o


>Anyone know how to fix this? The file exists but it doesn't seem to like it
>
>making all in apps...
>rm -f openssl
>gcc -o openssl -DMONOLITH -I../include -DTHREADS -D_REENTRANT
>-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
>-DULTRASPARC -DMD5_ASM openssl.o verify.o asn1pars.o req.o dgst.o dh.o
>dhparam.o enc.o passwd.o gendh.o errstr.o  ca.o pkcs7.o crl2p7.o crl.o
>rsa.o dsa.o dsaparam.o  x509.o genrsa.o gendsa.o s_server.o s_client.o
>speed.o  s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o
>ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L. -L.. -L../..
>-L../../.. -L.. -lssl -L.. -lcrypto -lsocket -lnsl
>ld: fatal: file values-Xa.o: cannot open file: No such file or directory
>ld: fatal: File processing errors. No output written to openssl
>collect2: ld returned 1 exit status
>*** Error code 1
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How can I change "libssl.a" into "libssl.so"?

[Pablo J. Royo]

I think you could try this:

Extract *.o files in the static library with

ar -x libssl.a

Then link them again with:

ld -rpath "/usr/local/ssl" -shared -o libssl.so *.o

The command "file libssl.so" reports then:

libssl.so: ELF 32-bit LSB shared object, Intel 80386, version 1, not
stripped

so I think this is correct.

But ther is a compiler option in the makefiles to compile as shared libs
directly.

-Original Message-
From: Ricardo Stella <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: lunes 28 de agosto de 2000 14:57
Subject: Re: How can I change "libssl.a" into "libssl.so"?


>
>You need to do a little more reading...
>
>Sure you can 'rename' it, but that won't do you any good...
>
>Anything with a '.so' extension is a shared library, and must be
>compiled as such.
>
>My .02...
>
>Howard wrote:
>>
>> ÄãºÃ£¡
>>
>> I find "libssl.a" and "libcrypto.a" in the path "/usr/local/ssl/lib/".
>>
>> I cannot find "libssl.so" ,there is only "libcrypto.so" in "/usr/lib/"?
>>
>> Oh... what shall I do?
>>
>> PS: My OS is "RedHat Linux 6.2".
>>
>> ÖÂ
>> Àñ£¡
>>
>> Howard
>> [EMAIL PROTECTED]
>>
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List[EMAIL PROTECTED]
>> Automated List Manager   [EMAIL PROTECTED]
>
>--
>--
> Ricardo Stella  O.I.T.
> (609)896-5000 x7436   _suAve_   Rider University
>  *** Remove 'no-spam' from e-mail address before replying.  ***

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

PEM certs formatted at 76 chars per line

[Pablo J. Royo]

Hi

I´m using this cert from Baltimore with openssl0.9.5a.
I don´t know why they generate PEM certs with 76 chars in each line, instead
of 64 as everybody does.If you take the cert and manually put it with 64
chars per line and the "BEGIN/END CERTIFICATE" stuff all goes well, but if
not x509 command says:

unable to load certificate
12482:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:761:

So I´d like to know if there is a way to use the same b64 functions to
handle it, or what kind of modification should I do to bio64 or PEM
routines.It would be easy?

Thanks



 baltimore.pem

Re: PKCS12 unpack error

[Pablo J. Royo]

Hi

I had the same problem, and I didn't find how to solve it except #undefining
that M_XXX macros in my source file,then #defining it correctly.After using
them in my file, you can letf then unchanged again if you like.
I´d like to know if there is a better (and elegant) way to do it.

Here it is what I did(just a cast).Hope this helps.


#ifdef M_PKCS12_unpack_authsafes
#undef M_PKCS12_unpack_authsafes
#define M_PKCS12_unpack_authsafes(p12)
ASN1_seq_unpack(p12->authsafes->d.data->data, \
  p12->authsafes->d.data->length, (char *(*)())d2i_PKCS7,(void
(*)())PKCS7_free)
#endif

#ifdef M_PKCS12_unpack_p7encdata
#undef M_PKCS12_unpack_p7encdata
#define M_PKCS12_unpack_p7encdata(p7, pass, passlen) \
(STACK *) PKCS12_decrypt_d2i ((p7)->d.encrypted->enc_data->algorithm,\
(char *(*)())d2i_PKCS12_SAFEBAG,(void (*)()) PKCS12_SAFEBAG_free, \
   (pass), (passlen), \
   (p7)->d.encrypted->enc_data->enc_data, 3)
#endif

#ifdef M_PKCS12_unpack_p7data
#undef M_PKCS12_unpack_p7data
#define M_PKCS12_unpack_p7data(p7) \
ASN1_seq_unpack ((p7)->d.data->data, p7->d.data->length, \
(char *(*)())d2i_PKCS12_SAFEBAG, (void (*)())PKCS12_SAFEBAG_free)
#endif

#ifdef M_PKCS12_decrypt_skey
#undef M_PKCS12_decrypt_skey
#define M_PKCS12_decrypt_skey(bag, pass, passlen) \
(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((bag)->value.shkeybag->algor, \
(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (void (*)())PKCS8_PRIV_KEY_INFO_free,
\
  (pass), (passlen), \
(bag)->value.shkeybag->digest, 2)
#endif



>Hi,
>
>VC6 reported that there're error with the following line:
>if (!(asafes = M_PKCS12_unpack_authsafes(p12))) return 0;
>
>The error was:
>error C2664: 'ASN1_seq_unpack' : cannot convert parameter 4 from 'void
(struct
>pkcs7_st *)' to 'void (__cdecl *)(void)'
>None of the functions with this name in scope match the target type
>
>I use OpenSSL 0.9.5a compiled using VC6 on Win98SE. What's wrong? Thank
you.
>
>Angus Lee


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Signing objects and signtool

[Pablo Rodriguez]

Can anybody setup openssl to generata a certificate for the netscape signtool utility?

ha get this message:
signtool: the cert "omeguita CA" does not exist in the database: Certificate extension 
was not found

when I compare the output from the certificate y one (self-signed) created with the 
signtool itself (openssl x509 -in -text -noout) I can't see any difference.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Problems creating a certificate request..

[Arisi Pablo]

Title: Problems creating a certificate request..





Hi,


I have some problems creating a new certificate request.., 
Actually I have the last OpenSSL version , its 0.9.5a running on OpenBSD 2.7.


I follow these steps, first I run this line : " openssl req -new -key my.key -out my.csr "
Then I write the PEM Pass phrase, and complete all the questions...
And finally I receive this error message :
"10161:error:0D072006::lib(13) :func(114) :reason(6):NA:0:
error in req"
 
Can you help me?
Where Is my error?


Thanks very much!


Pablo Arisi
Gcia. Tecnología
VISA Argentina

Re: Error after converting C++

[Pablo J. Royo]

Check if declarations for that functions are 
enclosed in an #ifdef __cplusplus statement.
 

-Original Message-From: 
Tugrul Bingol <[EMAIL PROTECTED]>To: 
[EMAIL PROTECTED] 
<[EMAIL PROTECTED]>Date: 
lunes 17 de abril de 2000 18:17Subject: Error after 
converting C++Hi, 
I wrote a C++ class using openssl, however I am getting a linking error 
message although I tried to solve it for hours. I have no problem with the C 
code, I can compile&link successfully. The followings are my command 
line and error message.   
--- 
% gcc -o MnSecure MnSecure.cxx -Iinclude -Ixlib -Lbin -lssl -Lbin 
-lcrypto -Lbin -ltb 
ld32: ERROR 33: Unresolved text symbol "set_cert_stuff(ssl_ctx_st *, 
char *, char *)" -- 1st referenced by /var/tmp/cc8r0YDy.o. 
 Use linker option -v to see when and which objects, archives and 
dsos are loaded. ld32: ERROR 33: Unresolved text symbol 
"verify_callback(int, x509_store_state_st *)" -- 1st referenced by 
/var/tmp/cc8r0YDy.o.  Use linker option -v to see when and which 
objects, archives and dsos are loaded. ld32: INFO 152: Output file 
removed because of error. collect2: ld returned 2 exit status 
-- 

set_cert_stuff(...) and verify_callback(...) functions are in s_cb.o and 
I included this object file in libtb.so which is one of the libraries I used 
for linking. As I said before I have no problem with any of these 
libraries and functions when I write in C, so I suspect I do something wrong 
or I should do something more for C++. Can anyone tell me about this error?Thanks...Tugrul  

Re: About SSL_SERVER_CERT and SSL_CLIENT_CERT

[Juan Pablo Rojas Jimenez]

Raul Gutierrez wrote:

> Hi:
>
> How can i see the field of Server and Client's Certificated in apache +
> mod_ssl, i read in the http.conf that exist two environment variables
> SSL_SERVER_CERT and SSL_CLIENT_CERT , but i dont kow to work with it. Exist
> some CGI that show all field of the CERTIFICATE? if exist please send me.
>

They're all in as enviroment variables of the CGI , take a look at
http://www.apache-ssl.org/docs.html#CGI

>
> Thanks in advance.
> Raul Gutierrez
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]


begin:vcard 
n:Rojas Jimenez;Juan Pablo
x-mozilla-html:FALSE
org:Faculad de Informática;DDpto. de Lenguajes y Sistemas Infotmáticos.
adr:;;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Laboratorio de Teleinformática
x-mozilla-cpt:;-31968
fn:Juan Pablo Rojas Jimenez
end:vcard

Re: doc for openssl ?

[Juan Pablo Rojas Jimenez]

"Herve R.-P." wrote:

> Hi all !
>
> I'm currently developping a client/server app with openssl.
>
> As the only doc I have is the prototypes of the functions, it's
> a bit difficult to make something solid (ie test return codes,
> for example, SSL_accept() return -1, what does it mean ???).
>
> Does someone know of a good doc on the API ?
>

I'm sorry but i'm trying to do the same as you and the only thing
i've found interesting in order to know what functions to use and how have
been
compiling s_client s_server and debugging them with the options I was
interested in.

I don't think you'll need much more.


>
> Thanks
>

;-)

>
>  Herve Regad-Pellagru
> (E-mail address: replace what is before '@' by 'regad' in the FROM line)
>
> benchmark: [techspeak] n. An inaccurate measure of computer
> performance.  "In the computer industry, there are three kinds of
> lies: lies, damn lies, and benchmarks."
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]


begin:vcard 
n:Rojas Jimenez;Juan Pablo
x-mozilla-html:FALSE
org:Faculad de Informática;DDpto. de Lenguajes y Sistemas Infotmáticos.
adr:;;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Laboratorio de Teleinformática
x-mozilla-cpt:;-31968
fn:Juan Pablo Rojas Jimenez
end:vcard

Certificate Chain

[Juan Pablo Rojas Jimenez]

Does anyone know the way of creating the certificate chain for a
signed certificate.

The thing is that i'm trying to sign a java applet with keytool ,
but i don't wont to use the selfsigned cert generated by this one. But ,
after signing the certificate request generated by keytool and trying to
add it to java's cert store , it tells me that it cannot find the
certificate chain for that key.

Does anyone know what i'm doing wrong.




begin:vcard 
n:Rojas Jimenez;Juan Pablo
x-mozilla-html:FALSE
org:Faculad de Informática;DDpto. de Lenguajes y Sistemas Infotmáticos.
adr:;;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Laboratorio de Teleinformática
x-mozilla-cpt:;-31968
fn:Juan Pablo Rojas Jimenez
end:vcard

Re: How to use Netscape-generated keys?

[Juan Pablo Rojas Jimenez]

Phil Tracy wrote:

> For test purposes, I'd like to create my own CA.  I've already used openssl
> to set up the CA.  I can generate a CSR, then use pkcs12 to export the keys
> and certificate.  So far, so good.
>
> What'd I'd rather do is use the  tag inside an HTML form for my
> Netscape browser, then create a certificate signing request based on that
> (and other) info to feed into the CA.
>

   try with "ca -spkac" option once yoy have the information about the
"requester"
of the certificate,  it should be something like that:

 ca -spkac data_of_the_requester -key  your CA key  -batch   >
certificate_file

where the file data_of_the_requester is somthing like  this:



countryName = ES
stateOrProvinceName = MADRID
localityName = BOADILLA DEL MONTE
organizationName = UNIVERSIDAD POLITECNICA DE MADRID
organizationalUnitName = DLSIIS
commonName = Juan Pablo Rojas Jimenez
Email = [EMAIL PROTECTED]
SPKAC= THE PUBLIC KEY GENERATED BY NETSCAPE ( OR IE ) WITH KEYGEN

I hope this will help you.

Bye.




>
> I've accomplished the 1st half of this -- I can read the contents of the
> submitted form and base64-decode what Netscape calls the
> SignedPublicKeyAndChallenge, but I don't know what to do with it after that.
>
> This chunk of DER-encoded data is apparently not (just) an RSA key, nor is
> it obviously a full CSR.  What is it, exactly?  And is there any way I can
> use openssl (or some other utility) to massage it into a CSR which I can
> sign and return to the browser?  How do the folks at Verisign, Thawte, et
> al. do it?
>
> Thanks.
> --
> Phil Tracy
> Northwestern University, Evanston, IL   USA
> mailto:[EMAIL PROTECTED]http://dopey.at.nwu.edu/tracy/
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List    [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]


begin:vcard 
n:Rojas Jimenez;Juan Pablo
x-mozilla-html:FALSE
org:Faculad de Informática;DDpto. de Lenguajes y Sistemas Infotmáticos.
adr:;;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Laboratorio de Teleinformática
x-mozilla-cpt:;-31968
fn:Juan Pablo Rojas Jimenez
end:vcard

Re: Multiple OU in personal certificate

[Juan Pablo Rojas Jimenez]

Mario Fabiano wrote:

>Part 1.1Type: Plain Text (text/plain)
>Encoding: 7bit

Does anyone know how to do the same with ca -spkac option.


Tanks in advance.



begin:vcard 
n:Rojas Jimenez;Juan Pablo
x-mozilla-html:FALSE
org:Faculad de Informática;DDpto. de Lenguajes y Sistemas Infotmáticos.
adr:;;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Laboratorio de Teleinformática
x-mozilla-cpt:;-31968
fn:Juan Pablo Rojas Jimenez
end:vcard

Re: Form to generate certs

[Juan Pablo Rojas Jimenez]

GOMEZ Henri wrote:

> Hi !!!
>
> Where can I found HTML/CGI script to generate client certs (pem/p12)
> with openssl.
> At least can I pass parameters to ssleay/openssl (like cert password and
> so one) on
> command line ???

try with "ca -spkac" option once yoy have the information about the
"requester"
of the certificate,  it should be something like that:

 ca -spkac data_of_the_requester -key  your CA key  -batch   >
certificate_file

where the file data_of_the_requester is somthing like  this:



countryName = ES
stateOrProvinceName = MADRID
localityName = BOADILLA DEL MONTE
organizationName = UNIVERSIDAD POLITECNICA DE MADRID
organizationalUnitName = DLSIIS
commonName = Juan Pablo Rojas Jimenez
Email = [EMAIL PROTECTED]
SPKAC= THE PUBLIC KEY GENERATED BY NETSCAPE ( OR IE )

I hope this will help you.

Bye.

>
>
> Thanks
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]


begin:vcard 
n:Rojas Jimenez;Juan Pablo
x-mozilla-html:FALSE
org:Faculad de Informática;DDpto. de Lenguajes y Sistemas Infotmáticos.
adr:;;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Laboratorio de Teleinformática
x-mozilla-cpt:;-31968
fn:Juan Pablo Rojas Jimenez
end:vcard