Re: Errors building 1.1.1 on RHEL 7

2019-07-18 Thread Viktor Dukhovni
> On Jul 18, 2019, at 3:13 PM, Mark Richter  wrote:
> 
> 2. Not at all clear on what the "_OPT" part means - do I need to change my 
> source code to use this for accessors or ???

Just try it and see.  The "_OPT" in the symbol version is internally
generated from "-opt" in the shlib_variant SONAME.  To support multiple
shlib_variants now or in the future, add the major.minor (ABI version)
to the variant tag:

shlib_variant => "-opt1.1"
shlib_variant => "-opt1.2"
shlib_variant => "-somevendor-3.0"
...

The non-alnum characters in the shlib_variant map to "_" in
the symbol version, and the letters are mapped to upper case
(IIRC).

-- 
Viktor.



Re: Errors building 1.1.1 on RHEL 7

2019-07-18 Thread Viktor Dukhovni
> On Jul 18, 2019, at 2:57 PM, Mark Richter  wrote:
> 
> Also, once I figure out the build issues, how can I statically link the ssl 
> libraries into my app?  (That way we don't require our customers to build and 
> install OpenSSL 1.1.1 on their RHEL 7 hosts.)  Are there any gotchas to 
> doing this? E.g., our app also uses the curl library, which I believe uses 
> the default openssl on the host.

Static linking has much worse library version conflicts than
dynamic linking if you're delivering a library, or if your
application will run on systems where the C-library (perhaps
through nsswitch modules) also loads the default OpenSSL.

You lose the isolation made possible by symbol versioning
with dynamic libraries.

If you want to ship code to users to deploy on their own
systems you should generally use whichever OpenSSL is
in the base platform.  To deliver a custom OpenSSL,
for your application only, you'll need to build a
shlib_variant shared library and perhaps make its
location flexible using $ORIGIN in the dependent's
run path.

-- 
Viktor.



RE: Errors building 1.1.1 on RHEL 7

2019-07-18 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Mark Richter
> Sent: Thursday, July 18, 2019 12:57
>
> Is Linux considered to be the same as (or similar enough to) Unix w.r.t. the
> building instructions?  I'm reading the INSTALL file and it doesn't mention
> Linux (nor are there templates for, etc.).

Yes. Note there are a couple of references to Linux in NOTES.UNIX (and in 
NOTES.PERL). There are Linux-relevant stanzas in config, and so on.

We build on a number of Linux platforms and distributions, including some 
obscure ones, generally without issues.

> Also, once I figure out the build issues, how can I statically link the ssl
> libraries into my app?

You can Configure it for static linkage before building it, but per NOTES.UNIX 
you should get a set of static (archive) libraries as well as the dynamic ones 
even if you don't.

I recommend building OpenSSL as loadable - e.g. as PIC (position-independent 
code) on ELF platforms such as Linux - even if you intend to link it 
statically. Then you have the option of statically linking it into a shared 
object. That's what we do: build OpenSSL as loadable, and link it statically 
into our own wrapper library, which is a shared object (or DLL on Windows).

> Are there any gotchas to
> doing this?  E.g., our app also uses the curl library, which I believe uses
> the default openssl on the host.

As Viktor explained in some recent messages to the list, you may need to build 
OpenSSL with munged symbol names, to ensure each OpenSSL library resolves 
symbols to itself. However, if you're linking it statically that probably won't 
be an issue. Aside from that it shouldn't be a problem, as long as you don't 
try to share OpenSSL objects between the OpenSSL binaries.

--
Michael Wojcik
Distinguished Engineer, Micro Focus





RE: Errors building 1.1.1 on RHEL 7

2019-07-18 Thread Mark Richter
> -Original Message-
> From: openssl-users  On Behalf Of Viktor 
> Dukhovni
> Sent: Wednesday, July 17, 2019 12:42 PM
> To: openssl-users@openssl.org
> Subject: Re: Errors building 1.1.1 on RHEL 7
>:
>   4. Build and install OpenSSL 1.1.1c with "--prefix=/opt/openssl/1.1"
>  or similar for the custom target platform.  Make sure that the
>  SONAME and symbol versions contain the "-opt" or "_OPT" tweak.

In reading the various README and INSTALL files, I'm not entirely clear on what 
this means.  I'm guessing:

1. During the build, the makefile ld flags have to include the variant -opt to 
get the right libraries to link.

2. Not at all clear on what the "_OPT" part means - do I need to change my 
source code to use this for accessors or ???

Thanks.

The information contained in this message is confidential and is intended for 
the addressee(s) only. If you have received this message in error, please 
notify the sender immediately and delete the message. Unless you are an 
addressee (or authorized to receive for an addressee), you may not use, copy or 
disclose to anyone this message or any information contained in this message. 
The unauthorized use, disclosure, copying or alteration of this message is 
strictly prohibited.


RE: Errors building 1.1.1 on RHEL 7

2019-07-18 Thread Mark Richter
-Original Message- [edited]
From: openssl-users  On Behalf Of Viktor 
Dukhovni
Sent: Wednesday, July 17, 2019 6:17 PM
To: openssl-users@openssl.org
Subject: Re: Errors building 1.1.1 on RHEL 7

>>>   2. Configure your OpenSSL build to use the corresponding "rpath":
>>>  -Wl,-rpath,/opt/openssl/1.1/lib
>>>
> > Again, how do I specify that?
>
>Command-line argument to "Configure" or custom platform template.

Is Linux considered to be the same as (or similar enough to) Unix w.r.t. the 
building instructions?  I'm reading the INSTALL file and it doesn't mention 
Linux (nor are there templates for, etc.).

Also, once I figure out the build issues, how can I statically link the ssl 
libraries into my app?  (That way we don't require our customers to build and 
install OpenSSL 1.1.1 on their RHEL 7 hosts.)  Are there any gotchas to doing 
this?  E.g., our app also uses the curl library, which I believe uses the 
default openssl on the host.

Thanks.

Mark



Re: Errors building 1.1.1 on RHEL 7

2019-07-18 Thread Blumenthal, Uri - 0553 - MITLL
Probably, disregard: the problem seems to be related to the incomplete support 
for ISO C11 in GCC on CentOS (and I'm willing to bet - on RHEL). 

Changing the standard to "-std=gnu99" led to a successful build with all the 
tests passing.



Re: Errors building 1.1.1 on RHEL 7

2019-07-18 Thread Blumenthal, Uri - 0553 - MITLL
I'm getting a somewhat different error trying to build OpenSSL_1_1_1-stable on 
CentOS 7 (similar to RHEL 7).

Configuration:

./config --prefix=$HOME/openssl-1.1 --debug --openssldir=$HOME/openssl-1.1/etc 
--with-rand-seed=rdcpu enable-aria enable-ec_nistp_64_gcc_128 enable-md2 
enable-rc5 enable-weak-ssl-ciphers enable-zlib-dynamic shared threads 
enable-rfc3779 enable-ssl-trace

Followed by 

  make depend && make clean && make -j 2 all && make test && make install

I'm appending the output of "perl configdata.pm -d" at the end.

Here's the problem:

. . . . .
gcc  -I. -Icrypto/include -Iinclude -fPIC -pthread -m64 -Wa,--noexecstack 
-std=gnu11 -O3 -march=native -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC 
-DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM 
-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM 
-DOPENSSLDIR="\"/home/ur20980/openssl-1.1/etc\"" 
-DENGINESDIR="\"/home/ur20980/openssl-1.1/lib/engines-1.1\"" -DZLIB 
-DZLIB_SHARED  -MMD -MF crypto/asn1/a_strex.d.tmp -MT crypto/asn1/a_strex.o -c 
-o crypto/asn1/a_strex.o crypto/asn1/a_strex.c
In file included from crypto/include/internal/evp_int.h:11:0,
 from crypto/asn1/a_sign.c:22:
include/internal/refcount.h:21:25: fatal error: stdatomic.h: No such file or 
directory
 #  include <stdatomic.h>
 ^
compilation terminated.
make[1]: *** [crypto/asn1/a_sign.o] Error 1
make[1]: *** Waiting for unfinished jobs

This is the compiler used:
$ gcc -v
Using built-in specs.
COLLECT_GCC=/usr/bin/gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man 
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla 
--enable-bootstrap --enable-shared --enable-threads=posix 
--enable-checking=release --with-system-zlib --enable-__cxa_atexit 
--disable-libunwind-exceptions --enable-gnu-unique-object 
--enable-linker-build-id --with-linker-hash-style=gnu 
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin 
--enable-initfini-array --disable-libgcj 
--with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install
 
--with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install
 --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 
--build=x86_64-redhat-linux
Thread model: posix
gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) 
$

External flags:
$ env | grep FLAGS
CXXFLAGS=-std=gnu++11 -O3 -march=native
CFLAGS=-std=gnu11 -O3 -march=native
$

Finally, output of "perl configdata.pm -d":

Command line (with current working directory = .):

/usr/bin/perl ./Configure linux-x86_64 --prefix=/home/ur20980/openssl-1.1 
--debug --openssldir=/home/ur20980/openssl-1.1/etc --with-rand-seed=rdcpu 
enable-aria enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 
enable-weak-ssl-ciphers enable-zlib-dynamic shared threads enable-rfc3779 
enable-ssl-trace

Perl information:

/usr/bin/perl
5.16.3 for x86_64-linux-thread-multi

Enabled features:

aria
asm
async
autoalginit
autoerrinit
autoload-config
bf
blake2
buildtest-c\+\+
camellia
capieng
cast
chacha
cmac
cms
comp
ct
deprecated
des
dgram
dh
dsa
dtls
dynamic-engine
ec
ec2m
ecdh
ecdsa
ec_nistp_64_gcc_128
engine
err
filenames
gost
hw(-.+)?
idea
makedepend
md2
md4
mdc2
multiblock
nextprotoneg
pinshared
ocb
ocsp
pic
poly1305
posix-io
psk
rc2
rc4
rc5
rdrand
rfc3779
rmd160
scrypt
seed
shared
siphash
sm2
sm3
sm4
sock
srp
srtp
sse2
ssl
ssl-trace
static-engine
stdio
tests
threads
tls
ts
ui-console
whirlpool
weak-ssl-ciphers
zlib
zlib-dynamic
tls1
tls1-method
tls1_1
tls1_1-method
tls1_2
tls1_2-method
tls1_3
dtls1
dtls1-method
dtls1_2
dtls1_2-method

Disabled features:

afalgeng[too-old-kernel] 
asan[default]OPENSSL_NO_ASAN
crypto-mdebug   [default]OPENSSL_NO_CRYPTO_MDEBUG
crypto-mdebug-backtrace [default]OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
devcryptoeng[default]OPENSSL_NO_DEVCRYPTOENG
egd [default]OPENSSL_NO_EGD
external-tests  [default]OPENSSL_NO_EXTERNAL_TESTS
fuzz-libfuzzer  [default]OPENSSL_NO_FUZZ_LIBFUZZER
fuzz-afl[default]OPENSSL_NO_FUZZ_AFL
heartbeats  [default]OPENSSL_NO_HEARTBEATS
msan

Re: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Viktor Dukhovni
On Thu, Jul 18, 2019 at 12:54:51AM +, Mark Richter wrote:

> I'm still really new at this - a few questions:

Understood.

>   1. Choose some location that is not on the default library search path
>  to install the 1.1.1 custom libraries.  I use /opt/openssl/1.1/lib
>
> > How do I specify that?  A config parameter (and which one)?

--prefix=/opt/openssl/1.1

>   2. Configure your OpenSSL build to use the corresponding "rpath":
>  -Wl,-rpath,/opt/openssl/1.1/lib
>
> > Again, how do I specify that?

Command-line argument to "Configure" or custom platform template.

>   3. Add a custom target platform to the "targets" array in
>  Configurations/.conf.  This can inherit from
>  the configuration you're using now, but add a setting
>  for "shlib_variant" as described in Configurations/README
> 
> ...
> inherit_from => "",
> shlib_variant => "-opt",
> ...
> > I can find that...

You'll need to read the existing files in the "Configurations" directory,
and cargo-cult a new target definition that meets your needs and
also adds "shlib_variant".

>   4. Build and install OpenSSL 1.1.1c with "--prefix=/opt/openssl/1.1"
>  or similar for the custom target platform.  Make sure that the
>  SONAME and symbol versions contain the "-opt" or "_OPT" tweak.
>
> > Not familiar with that tweak.

Setting "shlib_variant" correctly is all it takes.  The results
can be verified via "readelf -d".

I've not had the opportunity to write up the process in more
step-by-step detail, perhaps if you get this working, you
can write it as a contribution to the Wiki, or blog it, ...

-- 
Viktor.


RE: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Mark Richter
I'm still really new at this - a few questions:

-Original Message-
From: openssl-users  On Behalf Of Viktor 
Dukhovni
Sent: Wednesday, July 17, 2019 12:42 PM
To: openssl-users@openssl.org
Subject: Re: Errors building 1.1.1 on RHEL 7

On a system with OpenSSL 1.0.2 or OpenSSL 1.1.0 in /usr/lib (on the default 
search path), and especially when you're linking with other libraries that in 
turn were linked against the OpenSSL version in /usr/lib, using OpenSSL
1.1.1 in your application requires care...

Specifically:

  1. Choose some location that is not on the default library search path
 to install the 1.1.1 custom libraries.  I use /opt/openssl/1.1/lib
> How do I specify that?  A config parameter (and which one)?

  2. Configure your OpenSSL build to use the corresponding "rpath":
 -Wl,-rpath,/opt/openssl/1.1/lib
> Again, how do I specify that?

  3. Add a custom target platform to the "targets" array in
 Configurations/.conf.  This can inherit from
 the configuration you're using now, but add a setting
 for "shlib_variant" as described in Configurations/README

...
inherit_from => "",
shlib_variant => "-opt",
...
> I can find that...

  4. Build and install OpenSSL 1.1.1c with "--prefix=/opt/openssl/1.1"
 or similar for the custom target platform.  Make sure that the
 SONAME and symbol versions contain the "-opt" or "_OPT" tweak.
> Not familiar with that tweak.

  5. Link your application against this library:

-I/opt/openssl/1.1/include -L/opt/openssl/1.1/lib 
-Wl,-rpath,/opt/openssl/1.1/lib
> Can do.

  6.  Check with "readelf -d" that the application records the expected SONAME
  for the OpenSSL library (libcrypto and/or libssl) dependencies.
> Can do.

You can now have your code using OpenSSL 1.1.1 and other libraries you use, 
using whichever OpenSSL they were compiled with.  However, you cannot pass 
OpenSSL objects you create into such libraries, their use of OpenSSL must be 
self-contained.

--
Viktor.



Re: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Viktor Dukhovni
> On Jul 17, 2019, at 3:41 PM, Viktor Dukhovni  
> wrote:
> 
> On a system with OpenSSL 1.0.2 or OpenSSL 1.1.0 in /usr/lib (on the default
> search path), and especially when you're linking with other libraries that
> in turn were linked against the OpenSSL version in /usr/lib, using OpenSSL
> 1.1.1 in your application requires care...

By the way, today I'm uneventfully running an SSH server and client
that are linked against OpenSSL 1.0.2 for crypto in OpenSSH, but
also Heimdal Kerberos for GSSAPI, which in turn is linked against
OpenSSL 1.1.1 for its crypto.  The two libraries coëxist (ships
in the night) in the same process with no conflict.  They are
built with version-specific "shlib_variant" values, so that
the symbol versions and SONAMEs are distinct.

It all works.  Perhaps there should be a blog-post or other
document somewhere that explains this with a more detailed
walk-through of the required steps.  Anyone care to contribute?

-- 
Viktor.



Re: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Viktor Dukhovni
On a system with OpenSSL 1.0.2 or OpenSSL 1.1.0 in /usr/lib (on the default
search path), and especially when you're linking with other libraries that
in turn were linked against the OpenSSL version in /usr/lib, using OpenSSL
1.1.1 in your application requires care...

> On Jul 17, 2019, at 2:22 PM, Mark Richter  wrote:
> 
> However, although I modified our make file to use 
> '-I/usr/local/openssl/include' and '-L/usr/local/openssl/lib', I now see this 
> warning:
> 
> cc -DLOG_LEVEL=LOG_INFO -Wall -Werror -D__ci_driver__ -D__ci_ul_driver__ 
> -D_GNU_SOURCE -DWITH_MCDI_V2 -DWITH_TLS12=0 
> -DSOLAR_SECURE_VERSION="1.0.3.1020 (3bf2875895d5+ Wed Jul 17 11:14:55 PDT 
> 2019)" -Isrc/include -I/usr/local/openssl/include -Isrc/tools/mc-comms 
> -Isrc/tools/mc-comms/include -Isrc/emulators/mbedtls/include 
> -I/usr/include/json-c   -g3 -fno-omit-frame-pointer build/src/tools/sfslc.o 
> -o build/bin/sfslc -Lbuild/lib -L/usr/local/openssl/lib  -lsfsl_api -lsf_core 
> -lcm -lss -lcrypto  -lpci -lcurl -lpthread -lrt -lssl -luuid -ljson-c
> /usr/bin/ld: warning: libssl.so.10, needed by /usr/lib64/libssh2.so.1, may 
> conflict with libssl.so.1.1
> /usr/bin/ld: warning: libcrypto.so.10, needed by /usr/lib64/libssh2.so.1, may 
> conflict with libcrypto.so.1.1

Specifically:

  1. Choose some location that is not on the default library search path
 to install the 1.1.1 custom libraries.  I use /opt/openssl/1.1/lib

  2. Configure your OpenSSL build to use the corresponding "rpath":
 -Wl,-rpath,/opt/openssl/1.1/lib

  3. Add a custom target platform to the "targets" array in
 Configurations/.conf.  This can inherit from
 the configuration you're using now, but add a setting
 for "shlib_variant" as described in Configurations/README

...
inherit_from => "",
shlib_variant => "-opt",
...

  4. Build and install OpenSSL 1.1.1c with "--prefix=/opt/openssl/1.1"
 or similar for the custom target platform.  Make sure that the
 SONAME and symbol versions contain the "-opt" or "_OPT" tweak.

  5. Link your application against this library:

-I/opt/openssl/1.1/include -L/opt/openssl/1.1/lib 
-Wl,-rpath,/opt/openssl/1.1/lib

  6.  Check with "readelf -d" that the application records the expected SONAME
  for the OpenSSL library (libcrypto and/or libssl) dependencies.

You can now have your code using OpenSSL 1.1.1 and other libraries you use,
using whichever OpenSSL they were compiled with.  However, you cannot pass
OpenSSL objects you create into such libraries, their use of OpenSSL must
be self-contained.

-- 
Viktor.
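
One way to script the "readelf -d" checks from steps 4 and 6 above, together with the shlib_variant to symbol-version mapping described elsewhere in this thread (an added example, not code from the thread or from OpenSSL). The function names are hypothetical, and the library names libssl-opt.so.1.1 / libcrypto-opt.so.1.1, the version name OPENSSL_OPT_1_1_0 and all sample readelf output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check "readelf" output for a
# shlib_variant build. All sample output below is constructed, not captured.

# Symbol-version tag for a shlib_variant, per the rule quoted in the thread:
# non-alphanumeric characters become "_", letters are upper-cased.
variant_tag() {
    printf '%s' "$1" | tr -c '[:alnum:]' '_' | tr '[:lower:]' '[:upper:]'
}

# Print every value of one dynamic-section tag (SONAME, NEEDED, RPATH,
# RUNPATH) found in `readelf -d` output on stdin.
dyn_field() {
    sed -n "s/.*($1).*\[\(.*\)\][[:space:]]*\$/\1/p"
}

# Step 4: the custom library's SONAME must carry the variant.
check_lib() {   # usage: readelf -d LIB | check_lib VARIANT
    soname=$(dyn_field SONAME)
    case $soname in
        *"$1"*) return 0 ;;
    esac
    echo "SONAME '$soname' lacks variant '$1'"
    return 1
}

# Step 4: at least one symbol version must carry the mapped tag.
check_versions() {   # usage: readelf -V LIB | check_versions VARIANT
    tag=$(variant_tag "$1")
    grep -q "Name: .*$tag" && return 0
    echo "no symbol version contains '$tag'"
    return 1
}

# Step 6: every libssl/libcrypto dependency the application records must be
# the variant build, and the run path must point at the custom lib directory.
check_app() {   # usage: readelf -d APP | check_app VARIANT LIBDIR
    variant=$1; libdir=$2; rc=0
    dyn=$(cat)
    deps=$(printf '%s\n' "$dyn" | dyn_field NEEDED | grep -E '^lib(ssl|crypto)' || true)
    if [ -z "$deps" ]; then
        echo "no libssl/libcrypto dependency recorded"
        return 2
    fi
    for dep in $deps; do
        case $dep in
            *"$variant"*) ;;
            *) echo "dependency $dep is not the '$variant' build"; rc=1 ;;
        esac
    done
    paths=$(printf '%s\n' "$dyn" | dyn_field RUNPATH; printf '%s\n' "$dyn" | dyn_field RPATH)
    case ":$(printf '%s' "$paths" | tr '\n' ':'):" in
        *":$libdir:"*) ;;
        *) echo "run path does not include $libdir"; rc=1 ;;
    esac
    return $rc
}

# --- constructed sample input -------------------------------------------
sample_app_good() { cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libssl-opt.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto-opt.so.1.1]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/openssl/1.1/lib]
EOF
}
# Application linked against an unmodified 1.1.1 build, as in the ld warning.
sample_app_bad() { cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
EOF
}
sample_lib() { cat <<'EOF'
 0x000000000000000e (SONAME)             Library soname: [libcrypto-opt.so.1.1]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/openssl/1.1/lib]
EOF
}
sample_lib_versions() { cat <<'EOF'
Version definition section '.gnu.version_d' contains 2 entries:
  000000: Rev: 1  Flags: BASE  Index: 1  Cnt: 1  Name: libcrypto-opt.so.1.1
  0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: OPENSSL_OPT_1_1_0
EOF
}

# Demo on the constructed samples: one line per sample, findings after "bad:".
for s in good bad; do
    printf '%s: ' "$s"
    if "sample_app_$s" | check_app -opt /opt/openssl/1.1/lib; then echo ok; fi
done
```

Against real binaries, pipe the tool output in directly, for example `readelf -d build/bin/sfslc | check_app -opt /opt/openssl/1.1/lib`.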



RE: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Mark Richter
It works better with 1.1.1c.

Thank you.

-Original Message-
From: Matt Caswell 
Sent: Wednesday, July 17, 2019 1:16 AM
To: Mark Richter ; openssl-users@openssl.org
Subject: Re: Errors building 1.1.1 on RHEL 7



On 16/07/2019 23:27, Mark Richter wrote:
> Result: PASS

Well that's quite odd because this test was failing for you before. I assume 
that after you had done the "make clean" that "make test" is still failing? Is 
it failing with the same set of tests that were failing before or different 
ones?

Matt


> make[1]: Leaving directory `/tmp/openssl-1.1.1'
> [root@sfsdr220d openssl-1.1.1]# perl -v
>
> This is perl 5, version 16, subversion 3 (v5.16.3) built for
> x86_64-linux-thread-multi (with 33 registered patches, see perl -V for
> more detail)
>
> Copyright 1987-2012, Larry Wall
>
> Perl may be copied only under the terms of either the Artistic License
> or the GNU General Public License, which may be found in the Perl 5 source 
> kit.
>
> Complete documentation for Perl, including FAQ lists, should be found
> on this system using "man perl" or "perldoc perl".  If you have access
> to the Internet, point your browser at http://www.perl.org/, the Perl Home 
> Page.
>
>
> Mark Richter | Senior Staff Engineer
> SolarFlare Communications, Inc. | www.Solarflare.com
> 9444 Waples Street, #170, San Diego, CA  92121
> Mobile: +1 949-632-8403
>
>
> 
> From: openssl-users  on behalf of
> Matt Caswell 
> Sent: Tuesday, July 16, 2019 3:20 PM
> To: openssl-users@openssl.org
> Subject: Re: Errors building 1.1.1 on RHEL 7
>
> On 16/07/2019 22:23, Mark Richter wrote:
>> After I built version 1.1.1 on RHEL 7, I got these errors at the end of the 
>> 'make test.'  What do they mean?
>>
>>
>> Test Summary Report
>> ---
>> ../test/recipes/15-test_dsa.t(Wstat: 768 Tests: 6 
>> Failed: 3)
>>   Failed tests:  4-6
>>   Non-zero exit status: 3
>
> Looks like something fundamentally wrong to get this many errors
> (guess: perl version is too low?)
>
> Please run:
>
> make TESTS=test_dsa V=1 test
>
> Also let's see the output from:
>
> perl -v
>
> Matt
>
>
>> ../test/recipes/15-test_ec.t (Wstat: 768 Tests: 5 
>> Failed: 3)
>>   Failed tests:  3-5
>>   Non-zero exit status: 3
>> ../test/recipes/15-test_genrsa.t (Wstat: 1024 Tests: 5 
>> Failed: 4)
>>   Failed tests:  2-5
>>   Non-zero exit status: 4
>> ../test/recipes/15-test_mp_rsa.t (Wstat: 7680 Tests: 31 
>> Failed: 30)
>>   Failed tests:  2-31
>>   Non-zero exit status: 30
>> ../test/recipes/15-test_out_option.t (Wstat: 256 Tests: 4 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>> ../test/recipes/15-test_rsa.t(Wstat: 768 Tests: 6 
>> Failed: 3)
>>   Failed tests:  4-6
>>   Non-zero exit status: 3
>> ../test/recipes/15-test_rsapss.t (Wstat: 512 Tests: 5 
>> Failed: 2)
>>   Failed tests:  1, 5
>>   Non-zero exit status: 2
>> ../test/recipes/20-test_enc.t(Wstat: 256 Tests: 87 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>>   Parse errors: Bad plan.  You planned 172 tests but ran 87.
>> ../test/recipes/20-test_enc_more.t   (Wstat: 256 Tests: 137 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>> ../test/recipes/25-test_crl.t(Wstat: 768 Tests: 7 
>> Failed: 3)
>>   Failed tests:  2, 6-7
>>   Non-zero exit status: 3
>> ../test/recipes/25-test_pkcs7.t  (Wstat: 512 Tests: 3 
>> Failed: 2)
>>   Failed tests:  2-3
>>   Non-zero exit status: 2
>> ../test/recipes/25-test_req.t(Wstat: 1024 Tests: 9 
>> Failed: 4)
>>   Failed tests:  2, 7-9
>>   Non-zero exit status: 4
>> ../test/recipes/25-test_sid.t(Wstat: 256 Tests: 2 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>> ../test/recipes/25-test_x509.t   (Wstat: 1792 Tests: 9 
>> Failed: 7)
>>   Failed tests:  2-8
>>   Non-zero exit status: 7
>> ../test/recipes/40-test_rehash.t (Wstat: 65280 Tests: 0 
>> Failed: 0)
>>   Non-zero exit status: 255
>>   Parse errors: Bad plan.  You planned 4 tests but ran 0.
>> ../test/recipes/60-test_x509_store.t (Wstat: 65280 Tests: 0 
>> Failed: 0)
>>   Non-zero exit status: 255
>>   Parse errors

RE: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Mark Richter
Hi Jan,

Thanks for that.  I got 1.1.1c and it built properly.

I configured it to use /usr/local/openssl for the target per the instructions 
on https://blacksaildivision.com/how-to-install-openssl-on-centos, and 
everything seemed to go well.  I get this:

11:02 [mrichter@sfsdr220d:~] $ openssl version
OpenSSL 1.1.1c  28 May 2019

After I log out and back in.

However, although I modified our make file to use 
'-I/usr/local/openssl/include' and '-L/usr/local/openssl/lib', I now see this 
warning:

cc -DLOG_LEVEL=LOG_INFO -Wall -Werror -D__ci_driver__ -D__ci_ul_driver__ 
-D_GNU_SOURCE -DWITH_MCDI_V2 -DWITH_TLS12=0 -DSOLAR_SECURE_VERSION="1.0.3.1020 
(3bf2875895d5+ Wed Jul 17 11:14:55 PDT 2019)" -Isrc/include 
-I/usr/local/openssl/include -Isrc/tools/mc-comms -Isrc/tools/mc-comms/include 
-Isrc/emulators/mbedtls/include -I/usr/include/json-c   -g3 
-fno-omit-frame-pointer build/src/tools/sfslc.o -o build/bin/sfslc -Lbuild/lib 
-L/usr/local/openssl/lib  -lsfsl_api -lsf_core -lcm -lss -lcrypto  -lpci -lcurl 
-lpthread -lrt -lssl -luuid -ljson-c
/usr/bin/ld: warning: libssl.so.10, needed by /usr/lib64/libssh2.so.1, may 
conflict with libssl.so.1.1
/usr/bin/ld: warning: libcrypto.so.10, needed by /usr/lib64/libssh2.so.1, may 
conflict with libcrypto.so.1.1

I tried googling this and get lots of suggestion for similar errors with 
libcurl, but not this one.

What am I missing?

-Original Message-
From: Jan Just Keijser 
Sent: Wednesday, July 17, 2019 2:53 AM
To: Mark Richter ; Matt Caswell ; 
openssl-users@openssl.org
Subject: Re: Errors building 1.1.1 on RHEL 7

FWIW:

I just downloaded openssl 1.1.1c, untarred it on my CentOS 7 box, then ran
   ./config
   make
   make test

The tests passed with the following output (the "ok" tests stripped out):

...
../test/recipes/05-test_md2.t .. skipped: md2 is not 
supported by this OpenSSL build ...
../test/recipes/05-test_rc5.t .. skipped: rc5 is not 
supported by this OpenSSL build ...
../test/recipes/30-test_afalg.t  skipped: test_afalg not 
supported for this build ...
../test/recipes/90-test_gost.t . skipped: No test GOST 
engine found ...
../test/recipes/90-test_overhead.t . skipped: Only supported in 
no-shared builds ...
../test/recipes/95-test_external_boringssl.t ... skipped: No external tests in this configuration
../test/recipes/95-test_external_krb5.t  skipped: No external tests in this configuration
../test/recipes/95-test_external_pyca.t  skipped: No external tests in this configuration
...
All tests successful.
Files=155, Tests=1452, 66 wallclock secs ( 1.44 usr  0.11 sys + 62.90 cusr 
13.51 csys = 77.96 CPU)
Result: PASS
make[1]: Leaving directory `/home/janjust/src/openssl-1.1.1c'


Share and enjoy,

JJK

On 17/07/19 00:27, Mark Richter wrote:
> I removed the directory, re-untarred the source, ran 'make clean', then 
> 'make', then 'make TESTS=test_dsa V=1 test':
>
> [root@sfsdr220d openssl-1.1.1]# make TESTS=test_dsa V=1 test make
> depend && make _tests
> make[1]: Entering directory `/tmp/openssl-1.1.1'
> make[1]: Leaving directory `/tmp/openssl-1.1.1'
> make[1]: Entering directory `/tmp/openssl-1.1.1'
> ( cd test; \
>mkdir -p test-runs; \
>SRCTOP=../. \
>BLDTOP=../. \
>RESULT_D=test-runs \
>PERL="/usr/bin/perl" \
>EXE_EXT= \
>OPENSSL_ENGINES=`cd .././engines 2>/dev/null && pwd` \
>OPENSSL_DEBUG_MEMORY=on \
>  /usr/bin/perl .././test/run_tests.pl test_dsa )
> /tmp/openssl-1.1.1/test ../test/recipes/15-test_dsa.t ..
> 1..6
> ok 1 - require '../../test/recipes/tconversion.pl';
>  # Subtest: ../../test/dsatest
>  1..1
>  ok 1 - dsa_test
> ../../util/shlib_wrap.sh ../../test/dsatest => 0 ok 2 - running
> dsatest
>  # Subtest: ../../test/dsa_no_digest_size_test
>  1..3
>  ok 1 - dsa_exact_size_test
>  ok 2 - dsa_small_digest_test
>  ok 3 - dsa_large_digest_test
> ../../util/shlib_wrap.sh ../../test/dsa_no_digest_size_test => 0 ok 3
> - running dsa_no_digest_size_test
>  1..10
>  ok 1 - initializing
> read DSA key
> writing DSA key
> ../../util/shlib_wrap.sh ../../apps/openssl dsa -in dsa-fff.p -inform p -out 
> dsa-f.d -outform d => 0
>  ok 2 - p -> d
> read DSA key
> writing DSA key
> ../../util/shlib_wrap.sh ../../apps/openssl dsa -in dsa-fff.p -inform p -out 
> dsa-f.p -outform p => 0
>  ok 3 - p -> p
> read DSA key
> writing DSA key
> ../../util/shlib_wrap.sh ../../apps/openssl dsa -in dsa-f.d -inform d -out 
> dsa-ff.dd -outform d => 0
>  ok 4 - d -> d
> read DSA key
> writing DSA key
> ../../util/shlib_wrap.sh ../../apps/openssl dsa -in dsa-f.p -inform p -out 
> dsa-ff.pd -outform d => 0

Re: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Jan Just Keijser
k 3 - p -> p
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-fff.p 
-inform p -out msb-f.msblob -outform msblob => 0
 ok 4 - p -> msblob
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.d -inform 
d -out msb-ff.dd -outform d => 0
 ok 5 - d -> d
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.p -inform 
p -out msb-ff.pd -outform d => 0
 ok 6 - p -> d
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.msblob 
-inform msblob -out msb-ff.msblobd -outform d => 0
 ok 7 - msblob -> d
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.d -inform 
d -out msb-ff.dp -outform p => 0
 ok 8 - d -> p
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.p -inform 
p -out msb-ff.pp -outform p => 0
 ok 9 - p -> p
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.msblob 
-inform msblob -out msb-ff.msblobp -outform p => 0
 ok 10 - msblob -> p
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.d -inform 
d -out msb-ff.dmsblob -outform msblob => 0
 ok 11 - d -> msblob
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.p -inform 
p -out msb-ff.pmsblob -outform msblob => 0
 ok 12 - p -> msblob
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.msblob 
-inform msblob -out msb-ff.msblobmsblob -outform msblob => 0
 ok 13 - msblob -> msblob
 ok 14 - comparing orig to p
 ok 15 - comparing p to dp
 ok 16 - comparing p to pp
 ok 17 - comparing p to msblobp
 ok 18 - comparing msblob to dmsblob
 ok 19 - comparing msblob to pmsblob
 ok 20 - comparing msblob to msblobmsblob
ok 6 - dsa conversions -- public key
ok
All tests successful.
Files=1, Tests=6,  1 wallclock secs ( 0.02 usr  0.00 sys +  0.23 cusr  0.08 
csys =  0.33 CPU)
Result: PASS
make[1]: Leaving directory `/tmp/openssl-1.1.1'
[root@sfsdr220d openssl-1.1.1]# perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for 
x86_64-linux-thread-multi
(with 33 registered patches, see perl -V for more detail)

Copyright 1987-2012, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.


Mark Richter | Senior Staff Engineer
SolarFlare Communications, Inc. | www.Solarflare.com
9444 Waples Street, #170, San Diego, CA  92121
Mobile: +1 949-632-8403



From: openssl-users  on behalf of Matt Caswell 

Sent: Tuesday, July 16, 2019 3:20 PM
To: openssl-users@openssl.org
Subject: Re: Errors building 1.1.1 on RHEL 7

On 16/07/2019 22:23, Mark Richter wrote:

After I built version 1.1.1 on RHEL 7, I got these errors at the end of the 
'make test.'  What do they mean?


Test Summary Report
---
../test/recipes/15-test_dsa.t(Wstat: 768 Tests: 6 Failed: 3)
   Failed tests:  4-6
   Non-zero exit status: 3

Looks like something fundamentally wrong to get this many errors (guess: perl
version is too low?)

Please run:

make TESTS=test_dsa V=1 test

Also let's see the output from:

perl -v

Matt



../test/recipes/15-test_ec.t (Wstat: 768 Tests: 5 Failed: 3)
   Failed tests:  3-5
   Non-zero exit status: 3
../test/recipes/15-test_genrsa.t (Wstat: 1024 Tests: 5 Failed: 
4)
   Failed tests:  2-5
   Non-zero exit status: 4
../test/recipes/15-test_mp_rsa.t (Wstat: 7680 Tests: 31 Failed: 
30)
   Failed tests:  2-31
   Non-zero exit status: 30
../test/recipes/15-test_out_option.t (Wstat: 256 Tests: 4 Failed: 1)
   Failed test:  2
   Non-zero exit status: 1
../test/recipes/15-test_rsa.t(Wstat: 768 Tests: 6 Failed: 3)
   Failed tests:  4-6
   Non-zero exit status: 3
../test/recipes/15-test_rsapss.t (Wstat: 512 Tests: 5 Failed: 2)
   Failed tests:  1, 5
   Non-zero exit status: 2
../test/recipes/20-test_enc.t(Wstat: 256 Tests: 87 Failed: 
1)
   Failed test:  2
   Non-zero exit status: 1
   Parse errors: Bad plan.  You planned 172 tests but ran 87.
../test/recipes/20-test_enc_more.t   (Wstat: 256 Tests: 137 Failed: 
1)
   Failed test:  2
   Non-zero exit status: 1
../test/recipes/25-test_crl.t(Wstat: 768 Tests

Re: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Matt Caswell



On 16/07/2019 23:27, Mark Richter wrote:
> Result: PASS

Well that's quite odd because this test was failing for you before. I assume
that after you had done the "make clean" that "make test" is still failing? Is
it failing with the same set of tests that were failing before or different 
ones?

Matt


> make[1]: Leaving directory `/tmp/openssl-1.1.1'
> [root@sfsdr220d openssl-1.1.1]# perl -v
> 
> This is perl 5, version 16, subversion 3 (v5.16.3) built for 
> x86_64-linux-thread-multi
> (with 33 registered patches, see perl -V for more detail)
> 
> Copyright 1987-2012, Larry Wall
> 
> Perl may be copied only under the terms of either the Artistic License or the
> GNU General Public License, which may be found in the Perl 5 source kit.
> 
> Complete documentation for Perl, including FAQ lists, should be found on
> this system using "man perl" or "perldoc perl".  If you have access to the
> Internet, point your browser at http://www.perl.org/, the Perl Home Page.
> 
> 
> Mark Richter | Senior Staff Engineer
> SolarFlare Communications, Inc. | www.Solarflare.com
> 9444 Waples Street, #170, San Diego, CA  92121
> Mobile: +1 949-632-8403
> 
> 
> 
> From: openssl-users  on behalf of Matt 
> Caswell 
> Sent: Tuesday, July 16, 2019 3:20 PM
> To: openssl-users@openssl.org
> Subject: Re: Errors building 1.1.1 on RHEL 7
> 
> On 16/07/2019 22:23, Mark Richter wrote:
>> After I built version 1.1.1 on RHEL 7, I got these errors at the end of the 
>> 'make test.'  What do they mean?
>>
>>
>> Test Summary Report
>> ---
>> ../test/recipes/15-test_dsa.t(Wstat: 768 Tests: 6 
>> Failed: 3)
>>   Failed tests:  4-6
>>   Non-zero exit status: 3
> 
> Looks like something fundamentally wrong to get this many errors (guess: perl
> version is too low?)
> 
> Please run:
> 
> make TESTS=test_dsa V=1 test
> 
> Also let's see the output from:
> 
> perl -v
> 
> Matt
> 
> 
>> ../test/recipes/15-test_ec.t (Wstat: 768 Tests: 5 
>> Failed: 3)
>>   Failed tests:  3-5
>>   Non-zero exit status: 3
>> ../test/recipes/15-test_genrsa.t (Wstat: 1024 Tests: 5 
>> Failed: 4)
>>   Failed tests:  2-5
>>   Non-zero exit status: 4
>> ../test/recipes/15-test_mp_rsa.t (Wstat: 7680 Tests: 31 
>> Failed: 30)
>>   Failed tests:  2-31
>>   Non-zero exit status: 30
>> ../test/recipes/15-test_out_option.t (Wstat: 256 Tests: 4 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>> ../test/recipes/15-test_rsa.t(Wstat: 768 Tests: 6 
>> Failed: 3)
>>   Failed tests:  4-6
>>   Non-zero exit status: 3
>> ../test/recipes/15-test_rsapss.t (Wstat: 512 Tests: 5 
>> Failed: 2)
>>   Failed tests:  1, 5
>>   Non-zero exit status: 2
>> ../test/recipes/20-test_enc.t(Wstat: 256 Tests: 87 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>>   Parse errors: Bad plan.  You planned 172 tests but ran 87.
>> ../test/recipes/20-test_enc_more.t   (Wstat: 256 Tests: 137 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>> ../test/recipes/25-test_crl.t(Wstat: 768 Tests: 7 
>> Failed: 3)
>>   Failed tests:  2, 6-7
>>   Non-zero exit status: 3
>> ../test/recipes/25-test_pkcs7.t  (Wstat: 512 Tests: 3 
>> Failed: 2)
>>   Failed tests:  2-3
>>   Non-zero exit status: 2
>> ../test/recipes/25-test_req.t(Wstat: 1024 Tests: 9 
>> Failed: 4)
>>   Failed tests:  2, 7-9
>>   Non-zero exit status: 4
>> ../test/recipes/25-test_sid.t(Wstat: 256 Tests: 2 
>> Failed: 1)
>>   Failed test:  2
>>   Non-zero exit status: 1
>> ../test/recipes/25-test_x509.t   (Wstat: 1792 Tests: 9 
>> Failed: 7)
>>   Failed tests:  2-8
>>   Non-zero exit status: 7
>> ../test/recipes/40-test_rehash.t (Wstat: 65280 Tests: 0 
>> Failed: 0)
>>   Non-zero exit status: 255
>>   Parse errors: Bad plan.  You planned 4 tests but ran 0.
>> ../test/recipes/60-test_x509_store.t (Wstat: 65280 Tests: 0 
>> Failed: 0)
>>   Non-zero exit status: 255
>>   Parse errors: Bad plan.  You planned 3 tests but ran 0.
>> ../test/recipes/80-test_ca.t (Wstat: 256 Tests: 5 
>> Failed: 1)
>>   Failed test:  1
>>   Non-zero exit status: 1
>>

Re: Errors building 1.1.1 on RHEL 7

2019-07-16 Thread Mark Richter
out -in msb-f.d 
-inform d -out msb-ff.dmsblob -outform msblob => 0
ok 11 - d -> msblob
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.p 
-inform p -out msb-ff.pmsblob -outform msblob => 0
ok 12 - p -> msblob
read DSA key
writing DSA key
../../util/shlib_wrap.sh ../../apps/openssl dsa -pubin -pubout -in msb-f.msblob 
-inform msblob -out msb-ff.msblobmsblob -outform msblob => 0
ok 13 - msblob -> msblob
ok 14 - comparing orig to p
ok 15 - comparing p to dp
ok 16 - comparing p to pp
ok 17 - comparing p to msblobp
ok 18 - comparing msblob to dmsblob
ok 19 - comparing msblob to pmsblob
ok 20 - comparing msblob to msblobmsblob
ok 6 - dsa conversions -- public key
ok
All tests successful.
Files=1, Tests=6,  1 wallclock secs ( 0.02 usr  0.00 sys +  0.23 cusr  0.08 
csys =  0.33 CPU)
Result: PASS
make[1]: Leaving directory `/tmp/openssl-1.1.1'
[root@sfsdr220d openssl-1.1.1]# perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for 
x86_64-linux-thread-multi
(with 33 registered patches, see perl -V for more detail)

Copyright 1987-2012, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.


Mark Richter | Senior Staff Engineer
SolarFlare Communications, Inc. | www.Solarflare.com
9444 Waples Street, #170, San Diego, CA  92121
Mobile: +1 949-632-8403



From: openssl-users  on behalf of Matt 
Caswell 
Sent: Tuesday, July 16, 2019 3:20 PM
To: openssl-users@openssl.org
Subject: Re: Errors building 1.1.1 on RHEL 7

On 16/07/2019 22:23, Mark Richter wrote:
> After I built version 1.1.1 on RHEL 7, I got these errors at the end of the 
> 'make test.'  What do they mean?
>
>
> Test Summary Report
> ---
> ../test/recipes/15-test_dsa.t(Wstat: 768 Tests: 6 Failed: 
> 3)
>   Failed tests:  4-6
>   Non-zero exit status: 3

Looks like something fundamentally wrong to get this many errors (guess: perl
version is too low?)

Please run:

make TESTS=test_dsa V=1 test

Also let's see the output from:

perl -v

Matt


> ../test/recipes/15-test_ec.t (Wstat: 768 Tests: 5 Failed: 
> 3)
>   Failed tests:  3-5
>   Non-zero exit status: 3
> ../test/recipes/15-test_genrsa.t (Wstat: 1024 Tests: 5 
> Failed: 4)
>   Failed tests:  2-5
>   Non-zero exit status: 4
> ../test/recipes/15-test_mp_rsa.t (Wstat: 7680 Tests: 31 
> Failed: 30)
>   Failed tests:  2-31
>   Non-zero exit status: 30
> ../test/recipes/15-test_out_option.t (Wstat: 256 Tests: 4 Failed: 
> 1)
>   Failed test:  2
>   Non-zero exit status: 1
> ../test/recipes/15-test_rsa.t(Wstat: 768 Tests: 6 Failed: 
> 3)
>   Failed tests:  4-6
>   Non-zero exit status: 3
> ../test/recipes/15-test_rsapss.t (Wstat: 512 Tests: 5 Failed: 
> 2)
>   Failed tests:  1, 5
>   Non-zero exit status: 2
> ../test/recipes/20-test_enc.t(Wstat: 256 Tests: 87 
> Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 1
>   Parse errors: Bad plan.  You planned 172 tests but ran 87.
> ../test/recipes/20-test_enc_more.t   (Wstat: 256 Tests: 137 
> Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 1
> ../test/recipes/25-test_crl.t(Wstat: 768 Tests: 7 Failed: 
> 3)
>   Failed tests:  2, 6-7
>   Non-zero exit status: 3
> ../test/recipes/25-test_pkcs7.t  (Wstat: 512 Tests: 3 Failed: 
> 2)
>   Failed tests:  2-3
>   Non-zero exit status: 2
> ../test/recipes/25-test_req.t(Wstat: 1024 Tests: 9 
> Failed: 4)
>   Failed tests:  2, 7-9
>   Non-zero exit status: 4
> ../test/recipes/25-test_sid.t(Wstat: 256 Tests: 2 Failed: 
> 1)
>   Failed test:  2
>   Non-zero exit status: 1
> ../test/recipes/25-test_x509.t   (Wstat: 1792 Tests: 9 
> Failed: 7)
>   Failed tests:  2-8
>   Non-zero exit status: 7
> ../test/recipes/40-test_rehash.t (Wstat: 65280 Tests: 0 
> Failed: 0)
>   Non-zero exit status: 255
>   Parse errors: Bad plan.  You planned 4 tests but ran 0.
> ../test/recipes/60-test_x509_store.t (Wstat: 65280 Tests: 0 
> Failed: 0)
>   Non-zero exit status: 255
>   Parse errors: Bad plan.  You planned 3 tests but ran 0.
> ../test/recipes/80-test_ca.t (Wstat: 256 Tests: 5 Failed: 
> 1)
>   Failed 

Re: Errors building 1.1.1 on RHEL 7

2019-07-16 Thread Matt Caswell



On 16/07/2019 22:23, Mark Richter wrote:
> After I built version 1.1.1 on RHEL 7, I got these errors at the end of the 
> 'make test.'  What do they mean?
> 
> 
> Test Summary Report
> ---
> ../test/recipes/15-test_dsa.t(Wstat: 768 Tests: 6 Failed: 
> 3)
>   Failed tests:  4-6
>   Non-zero exit status: 3

Looks like something fundamentally wrong to get this many errors (guess: perl
version is too low?)

Please run:

make TESTS=test_dsa V=1 test

Also let's see the output from:

perl -v

Matt


> ../test/recipes/15-test_ec.t (Wstat: 768 Tests: 5 Failed: 
> 3)
>   Failed tests:  3-5
>   Non-zero exit status: 3
> ../test/recipes/15-test_genrsa.t (Wstat: 1024 Tests: 5 
> Failed: 4)
>   Failed tests:  2-5
>   Non-zero exit status: 4
> ../test/recipes/15-test_mp_rsa.t (Wstat: 7680 Tests: 31 
> Failed: 30)
>   Failed tests:  2-31
>   Non-zero exit status: 30
> ../test/recipes/15-test_out_option.t (Wstat: 256 Tests: 4 Failed: 
> 1)
>   Failed test:  2
>   Non-zero exit status: 1
> ../test/recipes/15-test_rsa.t(Wstat: 768 Tests: 6 Failed: 
> 3)
>   Failed tests:  4-6
>   Non-zero exit status: 3
> ../test/recipes/15-test_rsapss.t (Wstat: 512 Tests: 5 Failed: 
> 2)
>   Failed tests:  1, 5
>   Non-zero exit status: 2
> ../test/recipes/20-test_enc.t(Wstat: 256 Tests: 87 
> Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 1
>   Parse errors: Bad plan.  You planned 172 tests but ran 87.
> ../test/recipes/20-test_enc_more.t   (Wstat: 256 Tests: 137 
> Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 1
> ../test/recipes/25-test_crl.t(Wstat: 768 Tests: 7 Failed: 
> 3)
>   Failed tests:  2, 6-7
>   Non-zero exit status: 3
> ../test/recipes/25-test_pkcs7.t  (Wstat: 512 Tests: 3 Failed: 
> 2)
>   Failed tests:  2-3
>   Non-zero exit status: 2
> ../test/recipes/25-test_req.t(Wstat: 1024 Tests: 9 
> Failed: 4)
>   Failed tests:  2, 7-9
>   Non-zero exit status: 4
> ../test/recipes/25-test_sid.t(Wstat: 256 Tests: 2 Failed: 
> 1)
>   Failed test:  2
>   Non-zero exit status: 1
> ../test/recipes/25-test_x509.t   (Wstat: 1792 Tests: 9 
> Failed: 7)
>   Failed tests:  2-8
>   Non-zero exit status: 7
> ../test/recipes/40-test_rehash.t (Wstat: 65280 Tests: 0 
> Failed: 0)
>   Non-zero exit status: 255
>   Parse errors: Bad plan.  You planned 4 tests but ran 0.
> ../test/recipes/60-test_x509_store.t (Wstat: 65280 Tests: 0 
> Failed: 0)
>   Non-zero exit status: 255
>   Parse errors: Bad plan.  You planned 3 tests but ran 0.
> ../test/recipes/80-test_ca.t (Wstat: 256 Tests: 5 Failed: 
> 1)
>   Failed test:  1
>   Non-zero exit status: 1
> ../test/recipes/80-test_cms.t(Wstat: 1024 Tests: 4 
> Failed: 4)
>   Failed tests:  1-4
>   Non-zero exit status: 4
> ../test/recipes/80-test_ocsp.t   (Wstat: 512 Tests: 11 
> Failed: 2)
>   Failed tests:  1, 10
>   Non-zero exit status: 2
> ../test/recipes/80-test_ssl_new.t(Wstat: 6912 Tests: 27 
> Failed: 27)
>   Failed tests:  1-27
>   Non-zero exit status: 27
> ../test/recipes/80-test_ssl_old.t(Wstat: 1536 Tests: 6 
> Failed: 6)
>   Failed tests:  1-6
>   Non-zero exit status: 6
> ../test/recipes/80-test_tsa.t(Wstat: 3328 Tests: 0 
> Failed: 0)
>   Non-zero exit status: 13
>   Parse errors: Bad plan.  You planned 20 tests but ran 0.
> ../test/recipes/90-test_store.t  (Wstat: 3328 Tests: 0 
> Failed: 0)
>   Non-zero exit status: 13
>   Parse errors: Bad plan.  You planned 209 tests but ran 0.
> Files=152, Tests=850, 30 wallclock secs ( 0.38 usr  0.10 sys + 31.02 cusr  
> 4.55 csys = 36.05 CPU)
> Result: FAIL
> make[1]: *** [_tests] Error 1
> make[1]: Leaving directory `/home/mrichter/bin/openssl-1.1.1'
> make: *** [tests] Error 2
> 
> ?
> 
> 
> Mark Richter | Senior Staff Engineer
> SolarFlare Communications, Inc. | 
> www.Solarflare.com
> 9444 Waples Street, #170, San Diego, CA  92121
> Mobile: +1 949-632-8403
> 


Re: Errors building 1.1.1 on RHEL 7

2019-07-16 Thread Viktor Dukhovni
On Tue, Jul 16, 2019 at 09:23:32PM +, Mark Richter wrote:

> After I built version 1.1.1 on RHEL 7, I got these errors at the end of the 
> 'make test.'  What do they mean?

The test scripts exited with non-zero exit codes.

> Test Summary Report
> ---
> ../test/recipes/15-test_dsa.t(Wstat: 768 Tests: 6 Failed: 
> 3)
>   Failed tests:  4-6
>   Non-zero exit status: 3

> ../test/recipes/20-test_enc.t(Wstat: 256 Tests: 87 
> Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 1
>   Parse errors: Bad plan.  You planned 172 tests but ran 87.

Something looks wrong with your build.

> Files=152, Tests=850, 30 wallclock secs ( 0.38 usr  0.10 sys + 31.02 cusr  
> 4.55 csys = 36.05 CPU)
> Result: FAIL

Insufficient detail, but make sure the directory is "clean" before
you do the build. And post the build options in future problem
reports.  IIRC, you can use "make V=1 ..." to get more verbose test
output.

-- 
Viktor.
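
The `Wstat` field in the summary quoted above is the raw wait status of each test script, which is where the "non-zero exit codes" come from. The following is an added example, not part of the thread or of OpenSSL's test harness: it parses entries copied from the quoted report, decodes `Wstat`, and separates scripts that died before testing anything from scripts that ran and failed. The verdict labels and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four entries copied from the "Test Summary Report"
# quoted in this thread, keeping the mail client's wrapped "Failed:" fields.
SAMPLE_REPORT = """\
../test/recipes/15-test_dsa.t(Wstat: 768 Tests: 6 Failed:
3)
  Failed tests:  4-6
  Non-zero exit status: 3
../test/recipes/20-test_enc.t(Wstat: 256 Tests: 87
Failed: 1)
  Failed test:  2
  Non-zero exit status: 1
  Parse errors: Bad plan.  You planned 172 tests but ran 87.
../test/recipes/40-test_rehash.t (Wstat: 65280 Tests: 0
Failed: 0)
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 4 tests but ran 0.
../test/recipes/80-test_tsa.t(Wstat: 3328 Tests: 0
Failed: 0)
  Non-zero exit status: 13
  Parse errors: Bad plan.  You planned 20 tests but ran 0.
"""

QUOTE = re.compile(r"^(?:>[ \t]?)+", re.M)   # mail quote markers ("> ", ">> ")
HEADER = re.compile(                         # \s also spans the wrapped lines
    r"(?P<script>\S+?\.t)\s*\(Wstat:\s*(?P<wstat>\d+)"
    r"\s+Tests:\s*(?P<tests>\d+)\s+Failed:\s*(?P<failed>\d+)\)"
)
PLAN = re.compile(r"You planned (\d+) tests? but ran (\d+)")


@dataclass
class Entry:
    script: str
    wstat: int               # raw wait status of the test script process
    tests_run: int
    failed: int
    planned: Optional[int]   # only present when the harness reported a bad plan

    @property
    def exit_code(self) -> int:
        return self.wstat >> 8      # high byte: value passed to exit()

    @property
    def signal(self) -> int:
        return self.wstat & 0x7F    # low 7 bits: terminating signal, if any

    def verdict(self) -> str:
        """Triage label (names are this example's own, not the harness's)."""
        if self.signal:
            return "killed-by-signal"
        if self.exit_code and self.tests_run == 0:
            return "died-before-first-test"   # setup failed, nothing was tested
        if self.planned is not None and self.tests_run < self.planned:
            return "stopped-early"            # quit partway through its plan
        if self.failed and self.exit_code == self.failed:
            return "assertions-failed"        # exit code equals failure count
        return "unclassified"


def parse_summary(text: str) -> List[Entry]:
    """Parse a prove-style summary, tolerating mail quoting and line wraps."""
    text = QUOTE.sub("", text)
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        # Detail lines for this script run up to the next script's header.
        body_end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        plan = PLAN.search(text, m.end(), body_end)
        entries.append(Entry(
            script=m["script"].rsplit("/", 1)[-1],
            wstat=int(m["wstat"]),
            tests_run=int(m["tests"]),
            failed=int(m["failed"]),
            planned=int(plan.group(1)) if plan else None,
        ))
    return entries


if __name__ == "__main__":
    for e in parse_summary(SAMPLE_REPORT):
        print(f"{e.script:20} exit={e.exit_code:<3} signal={e.signal} "
              f"ran={e.tests_run} -> {e.verdict()}")
```

Entries labelled `died-before-first-test` ran no assertions at all, so their verbose output (the `make V=1 ...` form mentioned above) is where the underlying error will appear.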


Re: Errors with certificate signing x509v1 when making test. Test failed

2011-06-01 Thread Michael S. Zick
On Tue May 31 2011, gvfb wrote:
 
 From: owner-openssl-us...@openssl.org
 To: openssl-users@openssl.org
 Cc: 
 Date: Tue, 31 May 2011 23:08:18 -0400
 Subject: RE: Errors with certificate signing x509v1 when making test. Test 
 failed
 
 From: owner-openssl-us...@openssl.org On Behalf Of gvfb
 Sent: Tuesday, 31 May, 2011 18:17
  
 
   Now I'm trying to walk the steps over again, so I will reinstall OpenSSL, 
   which is needed for the IMAP toolkit. However, when making OpenSSL 
  
  Aside: the people here probably can't help with the IMAP and PHP 
  parts. But we can try to help you get OpenSSL right.
  
   it did not pass the tests, and throws an error when trying to test 
   the x509v1 signing utility. 
  
  For info: the x509 utility, which covers v1 and v3 and 
  multiple functions not just signing. The first test cases 
  are of *reformatting* v1 certificate files.
  
I have some hints that point to the problem being with the 
   certificates, since the make of the OpenSSL threw numerous warnings 
   about pem_all.c, pem_xaux.c and pem_x509.c being called through a 
   non-compatible type, and the making of PHP and OpenSSL throwing the errors
  
   I mentioned make me think the matter are the certificates. 
  
  See below.
  
 The error that make test of OpenSSL throws is: 
 echo test normal x509v1 certificate 
 test normal x509v1 certificate 
 sh ./tx509 2>/dev/null 
 testing x509 conversions 
 p -> d
 make [1]: 
  
 ***[test_x509] Error 1 
 make[1] : se sale del directorio
  /home/gerardo/Descargas/openssl-0.9.8e/test 
 make:***[tests] Error 
  
  1. OpenSSL 0.9.8e is over 4 years old. I don't know about Ubuntu 
  schedule, but I would hope they would have a newer version.
  Poking around a little, I find packages.ubuntu.com/natty 
  has openssl-0.9.8o listed. But in case it matters, there was 
  a visible change in 0.9.8j Jan2009 in use of extensions, and 
  0.9.8m Feb2010 and later specifically the renegotiation extension -- 
  which was added partly to fix a serious Apache vulnerability!
  
  2. Is the source you are building from a Ubuntu/Debian package 
  (copied to your homedir?) or base release from www.openssl.org? 
  If the former, are there any indications that it has been changed 
  from base, and if so how, for example a patches list? 
  
  3. Did you do 'config' and with what result, or 'Configure' and with 
  what option(s)? What do you have in the first noncomment block of the 
  toplevel Makefile (and is it recent)? 
  
  4. Exactly what warnings did you get on 'make'? If they're too many, 
  maybe the first 10 or so? For comparison, when I did 0.9.8e in 2007 
  on RedHat (config'ed as plain linux-elf with shared) with gcc 3.4.4, 
  I got no such warnings on the sourcefiles you name, and all tests worked.
  
  5. Try running a single simple test with output visible:
cd $BUILDDIR/test
../util/shlib_wrap.sh ../apps/openssl x509 -in testx509.pem -text 
  Do you get better error message(s)? Or even normal output? 
  
 Thanks, I've got the package for shared libraries libssl0.9.8 as well as the 
 -dev packages which I need to compile IMAP toolkit, I'll probably use those, 
 unless I manage to install from source and then I will enable mod_ssl on 
 apache, with a simple a2enmod. I did config without changing anything on 
 Configure, I simply did config and apparently successfully, it only informed 
 it was configured for linux - elf. The warnings I got had to do with the pem 
 signatures, I believe, they were sort of: 
  
 pem_all.c: In function ‘PEM_read_bio_X509_REQ’:
 pem_all.c:141:1: warning: function called through a non-compatible type
 pem_all.c:141:1: note: if this code is reached, the program will abort
  

What compiler and compiler version are you using?
If gcc, gcc has changed a lot in the past 4 years.

Mike
 (...compiling)
 pem_all.c:147:1: warning: function called through a non-compatible type
 pem_all.c:147:1: note: if this code is reached, the program will abort
  
 (...compiling)
 pem_x509.c: In function ‘PEM_read_bio_X509’:
 pem_x509.c:68:1: warning: function called through a non-compatible type
 pem_x509.c:68:1: note: if this code is reached, the program will abort
 pem_x509.c: In function ‘PEM_read_X509’: (same result) // this was certainly 
 not the output of the machine, its a comment of mine :)
  
 (...compiling)
 pem_x509.c: In function ‘PEM_read_bio_X509’:
 pem_x509.c:68:1: warning: function called through a non-compatible type
 pem_x509.c:68:1: note: if this code is reached, the program will abort
 pem_x509.c: In function ‘PEM_read_X509’: (same result)
  
 pem_xaux.c: In function ‘PEM_read_bio_X509_AUX’:
 pem_xaux.c:68:1: warning: function called through a non-compatible type
 pem_xaux.c:68:1: note: if this code is reached, the program will abort
  
 (...compiling)
 pem_pk8.c: In function ‘PEM_read_bio_PKCS8’:
 pem_pk8.c:240:1: warning: function called through a non-compatible type
 pem_pk8.c:240:1

Re: Errors with certificate signing x509v1 when making test. Test failed

2011-06-01 Thread Dr. Stephen Henson
On Tue, May 31, 2011, gvfb wrote:

 
 Thanks, I've got the package for shared libraries libssl0.9.8 as well as the 
 -dev packages which I need to compile IMAP toolkit, I'll probably use those, 
 unless I manage to install from source and then I will enable mod_ssl on 
 apache, with a simple a2enmod. I did config without changing anything on 
 Configure, I simply did config and apparently successfully, it only informed 
 it was configured for linux - elf. The warnings I got had to do with the pem 
 signatures, I believe, they were sort of: 
  
 pem_all.c: In function ‘PEM_read_bio_X509_REQ’:
 pem_all.c:141:1: warning: function called through a non-compatible type
 pem_all.c:141:1: note: if this code is reached, the program will abort
  
 (...compiling)
 pem_all.c:147:1: warning: function called through a non-compatible type
 pem_all.c:147:1: note: if this code is reached, the program will abort
  
 (...compiling)
 pem_x509.c: In function ‘PEM_read_bio_X509’:
 pem_x509.c:68:1: warning: function called through a non-compatible type
 pem_x509.c:68:1: note: if this code is reached, the program will abort
 pem_x509.c: In function ‘PEM_read_X509’: (same result) // this was certainly 
 not the output of the machine, its a comment of mine :)
  
 (...compiling)
 pem_x509.c: In function ‘PEM_read_bio_X509’:
 pem_x509.c:68:1: warning: function called through a non-compatible type
 pem_x509.c:68:1: note: if this code is reached, the program will abort
 pem_x509.c: In function ‘PEM_read_X509’: (same result)
  
 pem_xaux.c: In function ‘PEM_read_bio_X509_AUX’:
 pem_xaux.c:68:1: warning: function called through a non-compatible type
 pem_xaux.c:68:1: note: if this code is reached, the program will abort
  
 (...compiling)
 pem_pk8.c: In function ‘PEM_read_bio_PKCS8’:
 pem_pk8.c:240:1: warning: function called through a non-compatible type
 pem_pk8.c:240:1: note: if this code is reached, the program will abort
  
 (...compiling)
 x_all.c: In function ‘d2i_RSA_PUBKEY_bio’:
 x_all.c:266:9: warning: function called through a non-compatible type
 x_all.c:266:9: note: if this code is reached, the program will abort
  
 (Those are not the first 10, but a collection of the warnings of which I made 
 a text grouping them by order of appearance and by what I could understand 
 they meant, I obviously didn't do a good work there :) 
  
 As for the output test (should I do the commands inside those directories or 
 is it supposed to be a sort of bash script) Anyway, I'm sorry to say I have 
 deleted the directory that I used to build, so I would have to run the config 
 and making again. I will let you know if I can manage to do the test.  
  

Those relate to the old way OpenSSL (ab)used function pointers which more
recent versions of gcc object to. Although they are warnings they will cause
OpenSSL to abort in many places rendering it unusable. You must use a newer
version of OpenSSL sources where this was addressed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Errors with certificate signing x509v1 when making test. Test failed

2011-06-01 Thread Michael S. Zick
On Wed June 1 2011, Dr. Stephen Henson wrote:
 On Tue, May 31, 2011, gvfb wrote:
 
  
  Thanks, I've got the package for shared libraries libssl0.9.8 as well as 
  the -dev packages which I need to compile IMAP toolkit, I'll probably use 
  those, unless I manage to install from source and then I will enable 
  mod_ssl on apache, with a simple a2enmod. I did config without changing 
  anything on Configure, I simply did config and apparently successfully, it 
  only informed it was configured for linux - elf. The warnings I got had to 
  do with the pem signatures, I believe, they were sort of: 
   
  pem_all.c: In function ‘PEM_read_bio_X509_REQ’:
  pem_all.c:141:1: warning: function called through a non-compatible type
  pem_all.c:141:1: note: if this code is reached, the program will abort
   
  (...compiling)
  pem_all.c:147:1: warning: function called through a non-compatible type
  pem_all.c:147:1: note: if this code is reached, the program will abort
   
  (...compiling)
  pem_x509.c: In function ‘PEM_read_bio_X509’:
  pem_x509.c:68:1: warning: function called through a non-compatible type
  pem_x509.c:68:1: note: if this code is reached, the program will abort
  pem_x509.c: In function ‘PEM_read_X509’: (same result) // this was certainly 
  not the output of the machine, its a comment of mine :)
   
  (...compiling)
  pem_x509.c: In function ‘PEM_read_bio_X509’:
  pem_x509.c:68:1: warning: function called through a non-compatible type
  pem_x509.c:68:1: note: if this code is reached, the program will abort
  pem_x509.c: In function ‘PEM_read_X509’: (same result)
   
  pem_xaux.c: In function ‘PEM_read_bio_X509_AUX’:
  pem_xaux.c:68:1: warning: function called through a non-compatible type
  pem_xaux.c:68:1: note: if this code is reached, the program will abort
   
  (...compiling)
  pem_pk8.c: In function ‘PEM_read_bio_PKCS8’:
  pem_pk8.c:240:1: warning: function called through a non-compatible type
  pem_pk8.c:240:1: note: if this code is reached, the program will abort
   
  (...compiling)
  x_all.c: In function ‘d2i_RSA_PUBKEY_bio’:
  x_all.c:266:9: warning: function called through a non-compatible type
  x_all.c:266:9: note: if this code is reached, the program will abort
   
  (Those are not the first 10, but a collection of the warnings of which I 
  made a text grouping them by order of appearance and by what I could 
  understand they meant, I obviously didn't do a good work there :) 
   
  As for the output test (should I do the commands inside those directories 
  or is it supposed to be a sort of bash script) Anyway, I'm sorry to say I 
  have deleted the directory that I used to build, so I would have to run the 
  config and making again. I will let you know if I can manage to do the 
  test.  
   
 
 Those relate to the old way OpenSSL (ab)used function pointers which more
 recent versions of gcc object to. Although they are warnings they will cause
 OpenSSL to abort in many places rendering it unusable. You must use a newer
 version of OpenSSL sources where this was addressed.


If for some reason you must stay with the older version of OpenSSL -
Your Debian/Ubuntu system supports multiple versions of gcc -
You can select v-3.4.? as the default and compile the older OpenSSL
with the older version of gcc.

Mike 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 
 




RE: Errors with certificate signing x509v1 when making test. Test failed

2011-05-31 Thread Dave Thompson
   From: owner-openssl-us...@openssl.org On Behalf Of gvfb
   Sent: Tuesday, 31 May, 2011 18:17

   snip: trouble installing IMAP(?) and PHP on Ubuntu 11
 Now I'm trying to walk the steps over again, so I will reinstall OpenSSL, 
 which is needed for the IMAP toolkit. However, when making OpenSSL 

Aside: the people here probably can't help with the IMAP and PHP 
parts. But we can try to help you get OpenSSL right.

 it did not pass the tests, and throws an error when trying to test 
 the x509v1 signing utility. 

For info: the x509 utility, which covers v1 and v3 and 
multiple functions not just signing. The first test cases 
are of *reformatting* v1 certificate files.

 snip I have some hints that point to the problem being with the 
 certificates, since the make of the OpenSSL threw numerous warnings 
 about pem_all.c, pem_xaux.c and pem_x509.c being called through a 
 non-compatible type, and the making of PHP and OpenSSL throwing the errors

 I mentioned make me think the matter are the certificates. snip

See below.

   The error that make test of OpenSSL throws is: 
   echo test normal x509v1 certificate 
   test normal x509v1 certificate 
   sh ./tx509 2>/dev/null 
   testing x509 conversions 
   p -> d
   make [1]: 

   ***[test_x509] Error 1 
   make[1] : se sale del directorio
/home/gerardo/Descargas/openssl-0.9.8e/test 
   make:***[tests] Error 

1. OpenSSL 0.9.8e is over 4 years old. I don't know about Ubuntu 
schedule, but I would hope they would have a newer version.
Poking around a little, I find packages.ubuntu.com/natty 
has openssl-0.9.8o listed. But in case it matters, there was 
a visible change in 0.9.8j Jan2009 in use of extensions, and 
0.9.8m Feb2010 and later specifically the renegotiation extension -- 
which was added partly to fix a serious Apache vulnerability!

2. Is the source you are building from a Ubuntu/Debian package 
(copied to your homedir?) or base release from www.openssl.org? 
If the former, are there any indications that it has been changed 
from base, and if so how, for example a patches list? 

3. Did you do 'config' and with what result, or 'Configure' and with 
what option(s)? What do you have in the first noncomment block of the 
toplevel Makefile (and is it recent)? 

4. Exactly what warnings did you get on 'make'? If they're too many, 
maybe the first 10 or so? For comparison, when I did 0.9.8e in 2007 
on RedHat (config'ed as plain linux-elf with shared) with gcc 3.4.4, 
I got no such warnings on the sourcefiles you name, and all tests worked.

5. Try running a single simple test with output visible:
  cd $BUILDDIR/test
  ../util/shlib_wrap.sh ../apps/openssl x509 -in testx509.pem -text 
Do you get better error message(s)? Or even normal output? 





RE: Errors with certificate signing x509v1 when making test. Test failed

2011-05-31 Thread gvfb

From: owner-openssl-us...@openssl.org
To: openssl-users@openssl.org
Cc: 
Date: Tue, 31 May 2011 23:08:18 -0400
Subject: RE: Errors with certificate signing x509v1 when making test. Test failed

  From: owner-openssl-us...@openssl.org On Behalf Of gvfb
  Sent: Tuesday, 31 May, 2011 18:17
 
  
  Now I'm trying to walk the steps over again, so I will reinstall OpenSSL, 
  which is needed for the IMAP toolkit. However, when making OpenSSL 
 
 Aside: the people here probably can't help with the IMAP and PHP 
 parts. But we can try to help you get OpenSSL right.
 
  it did not pass the tests, and throws an error when trying to test 
  the x509v1 signing utility. 
 
 For info: the x509 utility, which covers v1 and v3 and 
 multiple functions not just signing. The first test cases 
 are of *reformatting* v1 certificate files.
 
   I have some hints that point to the problem being with the 
  certificates, since the make of the OpenSSL threw numerous warnings 
  about pem_all.c, pem_xaux.c and pem_x509.c being called through a 
  non-compatible type, and the making of PHP and OpenSSL throwing the errors
 
  I mentioned make me think the matter are the certificates. 
 
 See below.
 
  The error that make test of OpenSSL throws is: 
  echo test normal x509v1 certificate 
  test normal x509v1 certificate 
  sh ./tx509 2/dev/null 
  testing x509 conversions 
  p - d
  make [1]: 
   
  ***[test_x509] Error 1 
  make[1] : se sale del directorio
 /home/gerardo/Descargas/openssl-0.9.8e/test 
  make:***[tests] Error 
 
 1. OpenSSL 0.9.8e is over 4 years old. I don't know about Ubuntu 
 schedule, but I would hope they would have a newer version.
 Poking around a little, I find packages.ubuntu.com/natty 
 has openssl-0.9.8o listed. But in case it matters, there was 
 a visible change in 0.9.8j Jan2009 in use of extensions, and 
 0.9.8m Feb2010 and later specifically the renegotiation extension -- 
 which was added partly to fix a serious Apache vulnerability!
 
 2. Is the source you are building from a Ubuntu/Debian package 
 (copied to your homedir?) or base release from www.openssl.org? 
 If the former, are there any indications that it has been changed 
 from base, and if so how, for example a patches list? 
 
 3. Did you do 'config' and with what result, or 'Configure' and with 
 what option(s)? What do you have in the first noncomment block of the 
 toplevel Makefile (and is it recent)? 
 
 4. Exactly what warnings did you get on 'make'? If they're too many, 
 maybe the first 10 or so? For comparison, when I did 0.9.8e in 2007 
 on RedHat (config'ed as plain linux-elf with shared) with gcc 3.4.4, 
 I got no such warnings on the sourcefiles you name, and all tests worked.
 
 5. Try running a single simple test with output visible:
   cd $BUILDDIR/test
   ../util/shlib_wrap.sh ../apps/openssl x509 -in testx509.pem -text 
 Do you get better error message(s)? Or even normal output? 
 
Thanks, I've got the package for shared libraries libssl0.9.8 as well as the 
-dev packages which I need to compile IMAP toolkit, I'll probably use those, 
unless I manage to install from source and then I will enable mod_ssl on 
apache, with a simple a2enmod. I did config without changing anything on 
Configure, I simply did config and apparently successfully, it only informed it 
was configured for linux - elf. The warnings I got had to do with the pem 
signatures, I believe, they were sort of: 
 
pem_all.c: In function ‘PEM_read_bio_X509_REQ’:
pem_all.c:141:1: warning: function called through a non-compatible type
pem_all.c:141:1: note: if this code is reached, the program will abort

(...compiling)
pem_all.c:147:1: warning: function called through a non-compatible type
pem_all.c:147:1: note: if this code is reached, the program will abort

(...compiling)
pem_x509.c: In function ‘PEM_read_bio_X509’:
pem_x509.c:68:1: warning: function called through a non-compatible type
pem_x509.c:68:1: note: if this code is reached, the program will abort
pem_x509.c: In function ‘PEM_read_X509’: (same result) // this was certainly not the output of the machine, it's a comment of mine :)

(...compiling)
pem_x509.c: In function ‘PEM_read_bio_X509’:
pem_x509.c:68:1: warning: function called through a non-compatible type
pem_x509.c:68:1: note: if this code is reached, the program will abort
pem_x509.c: In function ‘PEM_read_X509’: (same result)

pem_xaux.c: In function ‘PEM_read_bio_X509_AUX’:
pem_xaux.c:68:1: warning: function called through a non-compatible type
pem_xaux.c:68:1: note: if this code is reached, the program will abort

(...compiling)
pem_pk8.c: In function ‘PEM_read_bio_PKCS8’:
pem_pk8.c:240:1: warning: function called through a non-compatible type
pem_pk8.c:240:1: note: if this code is reached, the program will abort

(...compiling)
x_all.c: In function ‘d2i_RSA_PUBKEY_bio’:
x_all.c:266:9: warning: function called through a non-compatible type
x_all.c:266:9: note: if this code

Re: Errors in openssl-SNAP-20090130

2009-01-30 Thread Michael S. Zick
On Fri January 30 2009, The Doctor wrote:
 
 From this morning's compile:
 

- - - 380KB snipped - - -

*) You have read the first paragraph of:
http://www.openssl.org/source/repos.html
Correct?

*) Please keep these posts off of the users list;
The developers can speak for themselves, but they
have probably read the above paragraph.

*) When posting, please trim the content down to
the relevant portion - if you don't know the relevant
portion - don't post.

Example follows:

 making all in ssl...
 gcc -I../crypto -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB 
 -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN 
 -DHAVE_DLFCN_H -g -O3 -Wall -mcpu=pentium3  -DPERL5 -DL_ENDIAN -DTERMIOS 
 -fomit-frame-pointer -O9 -march=pentium3 -Wall -g -DOPENSSL_BN_ASM_PART_WORDS 
 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM 
 -DRMD160_ASM -DAES_ASM -c s2_pkt.c
 s2_pkt.c: In function `n_do_ssl_write':
 s2_pkt.c:546: `p' undeclared (first use in this function)
 s2_pkt.c:546: (Each undeclared identifier is reported only once
 s2_pkt.c:546: for each function it appears in.)
 s2_pkt.c:518: warning: unused variable `size'
 *** Error code 1
 
 Stop.
 *** Error code 1
 
 Stop.
 doctor.nl2k.ab.ca//usr/source/openssl-SNAP-20090130$ exit
 exit

Mike


Re: errors while installing openssl-SNAP-20080915

2008-09-19 Thread Ger Hobbelt
Ajay,

I did not mean the commandline options for nmake, but for the compiler
itself (cl.exe).

Quick check in documentation -- /WX option must be removed (in your
cl.exe commandline, that is the '-WX' option).

Checked the repository -- you should remove the '-WX' from the
Configure script (and probably the TABLE file as well, but I'm not
sure there; as I said, I don't use this part for my Win32/64 builds
myself)


(-WX = Treat warnings as errors)


On Thu, Sep 18, 2008 at 6:32 AM, DHARNA, AJAY [AG/1000]
[EMAIL PROTECTED] wrote:
 Thanks for your help Ger, I looked up nmake options
 (http://msdn.microsoft.com/en-us/library/afyyse50(VS.80).aspx) and there
 was the -c option:

-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web: http://www.hobbelt.com/
 http://www.hebbut.net/
mail: [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--


RE: errors while installing openssl-SNAP-20080915

2008-09-18 Thread DHARNA, AJAY [AG/1000]
\ssleay32.dll' : build failed; /K specified, continuing ...
NMAKE : warning U4011: 'out32dll\evp_test.exe' : not all dependents available; target not built
NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
NMAKE : warning U4011: 'out32dll\enginetest.exe' : not all dependents available; target not built
NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
NMAKE : warning U4011: 'out32dll\wp_test.exe' : not all dependents available; target not built
NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
NMAKE : warning U4011: 'out32dll\ssltest.exe' : not all dependents available; target not built
NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
NMAKE : warning U4011: 'out32dll\openssl.exe' : not all dependents available; target not built
NMAKE : warning U4011: 'exe' : not all dependents available; target not built
NMAKE : warning U4011: 'all' : not all dependents available; target not built

---



Thank you 
Aj


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ger Hobbelt
Sent: Wednesday, September 17, 2008 2:08 AM
To: openssl-users@openssl.org
Subject: Re: errors while installing openssl-SNAP-20080915

On Wed, Sep 17, 2008 at 6:10 AM, DHARNA, AJAY [AG/1000]
[EMAIL PROTECTED] wrote:
[...]
 cl /Fotmp32dll\bn_nist.obj  -Iinc32 -Itmp32dll /MD /Ox /O2
/Ob2
[...]
 crypto\bn\bn_nist.c(718) : error C2220: warning treated as error - no
object
[...]
 Please let me know how I can get past this error message.

Turn off the commandline switch which forces warnings to be treated as
errors (sorry, don't know that one off the top of my head, but it's in
the MSVC documentation anyway) and you'd be good to go.

I do not use the Win/VC makefiles or Windows configure script (I use
MSVC project files for that platform) so the relevant cl.exe
commandline switch may be introduced by the configure script, but I
expect it's more probably coming from an environment variable; anyhow
3 places to look for the switch: the makefiles themselves, the Windows
config script and your environment variables.


-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web: http://www.hobbelt.com/
 http://www.hebbut.net/
mail: [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--


Re: errors while installing openssl-SNAP-20080915

2008-09-18 Thread Kyle Hamilton
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\ecdhtest.exe' : not all dependents available; target not built
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\ecdsatest.exe' : not all dependents available; target not built
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\randtest.exe' : not all dependents available; target not built
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\evp_test.exe' : not all dependents available; target not built
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\enginetest.exe' : not all dependents available; target not built
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\wp_test.exe' : not all dependents available; target not built
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\ssltest.exe' : not all dependents available; target not built
 NMAKE : warning U4010: 'out32dll\ssleay32.dll' : build failed; /K specified, continuing ...
 NMAKE : warning U4011: 'out32dll\openssl.exe' : not all dependents available; target not built
 NMAKE : warning U4011: 'exe' : not all dependents available; target not built
 NMAKE : warning U4011: 'all' : not all dependents available; target not built
 
 ---



 Thank you
 Aj


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ger Hobbelt
 Sent: Wednesday, September 17, 2008 2:08 AM
 To: openssl-users@openssl.org
 Subject: Re: errors while installing openssl-SNAP-20080915

 On Wed, Sep 17, 2008 at 6:10 AM, DHARNA, AJAY [AG/1000]
 [EMAIL PROTECTED] wrote:
 [...]
 cl /Fotmp32dll\bn_nist.obj  -Iinc32 -Itmp32dll /MD /Ox /O2
 /Ob2
 [...]
 crypto\bn\bn_nist.c(718) : error C2220: warning treated as error - no
 object
 [...]
 Please let me know how I can get past this error message.

 Turn off the commandline switch which forces warnings to be treated as
 errors (sorry, don't know that one off the top of my head, but it's in
 the MSVC documentation anyway) and you'd be good to go.

 I do not use the Win/VC makefiles or Windows configure script (I use
 MSVC project files for that platform) so the relevant cl.exe
 commandline switch may be introduced by the configure script, but I
 expect it's more probably coming from an environment variable; anyhow
 3 places to look for the switch: the makefiles themselves, the Windows
 config script and your environment variables.


 --
 Met vriendelijke groeten / Best regards,

 Ger Hobbelt

 --
 web: http://www.hobbelt.com/
  http://www.hebbut.net/
 mail: [EMAIL PROTECTED]
 mobile: +31-6-11 120 978
 --

Re: errors while installing openssl-SNAP-20080915

2008-09-17 Thread Ger Hobbelt
On Wed, Sep 17, 2008 at 6:10 AM, DHARNA, AJAY [AG/1000]
[EMAIL PROTECTED] wrote:
[...]
 cl /Fotmp32dll\bn_nist.obj  -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2
[...]
 crypto\bn\bn_nist.c(718) : error C2220: warning treated as error - no object
[...]
 Please let me know how I can get past this error message.

Turn off the commandline switch which forces warnings to be treated as
errors (sorry, don't know that one off the top of my head, but it's in
the MSVC documentation anyway) and you'd be good to go.

I do not use the Win/VC makefiles or Windows configure script (I use
MSVC project files for that platform) so the relevant cl.exe
commandline switch may be introduced by the configure script, but I
expect it's more probably coming from an environment variable; anyhow
3 places to look for the switch: the makefiles themselves, the Windows
config script and your environment variables.


-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web: http://www.hobbelt.com/
 http://www.hebbut.net/
mail: [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--


Re: Errors while building OpenSSL in Windows

2008-07-11 Thread Geoff Thorpe
Did you try building with an up-to-date CVS snapshot?
  ftp://ftp.openssl.org/snapshot/
I don't know if you were using some already-released package version, but if 
so, then you would miss any fixes since then. (Ie. we don't rerelease 0.9.8x 
when bugs are found, we release 0.9.8y instead...)

And FWIW, there's a number of windows issues[1] a contributor is helping me to 
fix right now, I hope that we'll be done with that soon. So it may be that 
things will get a little smoother at that point.

[1] And when I say windows issues, I of course mean issues with OpenSSL 
compilation ... Vista is beyond anyone's handyman mojo ... grumble

Cheers,
Geoff

On Thursday 10 July 2008 16:50:20 Panthers Rock wrote:
  I am trying to do a default build of OpenSSL on Windows.  The compiler
 does not like building with ASM files and complains the following:

   ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj
 .\crypto\sha\asm\s1_win32.asm

Assembling: .\crypto\sha\asm\s1_win32.asm

   Microsoft (R) Macro Assembler Version 8.00.50727.762

   Copyright (C) Microsoft Corporation.  All rights reserved.

   .\crypto\sha\asm\s1_win32.asm(13) : error A2008: syntax error :
 integer



   NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
 Studio 8\VC\bin\ml.EXE' : return code '0x1'

   Stop.


 This problem seems to be a known issue.
 http://marc.info/?l=openssl-dev&m=121204499318732&w=1

 I tried both the solutions mentioned but to no avail.

 Any other suggestions?

 Cheers,
 Simon M


-- 
Un terrien, c'est un singe avec des clefs de char...


Re: Errors while building OpenSSL in Windows

2008-07-11 Thread Panthers Rock
Thanks for your responses.  I downloaded the latest snapshot
ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-20080711.tar.gz and
ran the perl configure.  Then I executed the ms\do_masm batch file.   I
called nmake on the ms\ntdll.mak.  The compile  still fails :

 Assembling: .\crypto\sha\asm\s1_win32.asm
.\crypto\sha\asm\s1_win32.asm(13) : error A2008: syntax error : integer
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio
8\VC\BIN\m
l.EXE' : return code '0x1'
Stop.

I check the s1_win32.asm and see the 16 still there on line 13.  Not
wanting to mess with the perl files , I remove line 13 and do a rebuild.  It
builds great.


Cheers,
Simon M


.

On Fri, Jul 11, 2008 at 10:37 AM, Geoff Thorpe [EMAIL PROTECTED]
wrote:

 Did you try building with an up-to-date CVS snapshot?
  ftp://ftp.openssl.org/snapshot/
 I don't know if you were using some already-released package version, but
 if
 so, then you would miss any fixes since then. (Ie. we don't rerelease
 0.9.8x
 when bugs are found, we release 0.9.8y instead...)

 And FWIW, there's a number of windows issues[1] a contributor is helping me
 to
 fix right now, I hope that we'll be done with that soon. So it may be that
 things will get a little smoother at that point.

 [1] And when I say windows issues, I of course mean issues with OpenSSL
 compilation ... Vista is beyond anyone's handyman mojo ... grumble

 Cheers,
 Geoff

 On Thursday 10 July 2008 16:50:20 Panthers Rock wrote:
   I am trying to do a default build of OpenSSL on Windows.  The compiler
  does not like building with ASM files and complains the following:
 
ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj
  .\crypto\sha\asm\s1_win32.asm
 
 Assembling: .\crypto\sha\asm\s1_win32.asm
 
Microsoft (R) Macro Assembler Version 8.00.50727.762
 
Copyright (C) Microsoft Corporation.  All rights reserved.
 
.\crypto\sha\asm\s1_win32.asm(13) : error A2008: syntax error :
  integer
 
 
 
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
  Studio 8\VC\bin\ml.EXE' : return code '0x1'
 
Stop.
 
 
  This problem seems to be a known issue.
  http://marc.info/?l=openssl-dev&m=121204499318732&w=1
 
  I tried both the solutions mentioned but to no avail.
 
  Any other suggestions?
 
  Cheers,
  Simon M


 --
 Un terrien, c'est un singe avec des clefs de char...



Re: Errors while building OpenSSL in Windows

2008-07-10 Thread Mounir IDRASSI
Hi,

This error has already been reported. Check the following link:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg24173.html

I'm not sure if my fix has been put into cvs.

Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On Thu, July 10, 2008 10:50 pm, Panthers Rock wrote:
  I am trying to do a default build of OpenSSL on Windows.  The compiler
 does
 not like building with ASM files and complains the following:

   ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj
 .\crypto\sha\asm\s1_win32.asm

Assembling: .\crypto\sha\asm\s1_win32.asm

   Microsoft (R) Macro Assembler Version 8.00.50727.762

   Copyright (C) Microsoft Corporation.  All rights reserved.

   .\crypto\sha\asm\s1_win32.asm(13) : error A2008: syntax error :
 integer



   NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual
 Studio 8\VC\bin\ml.EXE' : return code '0x1'

   Stop.


 This problem seems to be a known issue.
 http://marc.info/?l=openssl-dev&m=121204499318732&w=1

 I tried both the solutions mentioned but to no avail.

 Any other suggestions?

 Cheers,
 Simon M




Re: Errors reading public key from BIO

2007-08-15 Thread Dr. Stephen Henson
On Wed, Aug 15, 2007, Dan Spirlock wrote:

 Hello,
 
 I'm working on an application where I'd like to have the public key  
 stored in a local variable and compiled with the app, but I'm getting  
 a runtime error when I try to read the public key after it has been  
 stored in a BIO_mem_buf.  I've tried two different ways, but I get  
 the same error each time.  If I read the same public key from a file  
 using PEM_read_RSA_PUBKEY(), it works fine.  I generated a private/ 
 public key pair to test with.  Here is an example I've tried:
 
 static char *pubKey = "-----BEGIN PUBLIC KEY-----"
 "\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvbB1yh71tGgX5wQ5PbYR+2V9K"
 "\nbmCqcVjbKdcsR9u91dfsXEeH+17kr6TPy2HQcAn1wk5jos8B78bSRLV8STs54Teq"
 "\nPa6Z4JrLim89+zgaxbS5k9W87oP06BZ2suf6fBB2M296UJbzBqSYCVTsxbEHQDbP"
 "\n/hSGRtueV5668F8qzwIDAQAB\n-----END PUBLIC KEY-----\n";
 
 BIO *pub_bio = BIO_new_mem_buf(pubKey, sizeof(pubKey));
 if(pub_bio == NULL)
 {
   ERR_print_errors_fp(stdout);
   return -1;
 }
 
 // rsaPubKey was previously initialized with RSA_new()
 rsaPubKey = PEM_read_bio_RSAPublicKey(pub_bio, rsaPubKey, NULL, NULL);
 if(rsaPubKey == NULL) // always fails here
 {
   ERR_print_errors_fp(stdout);
   return -1;
 }
 
 The error is always:  PEM_read_bio:no start line:pem_lib.c: 
 642:Expecting: RSA PUBLIC KEY
 I've added the \n newline characters to the pubKey variable, but I  
 always get the same error.  Is there something I'm missing in this  
 process? I'm sure there is otherwise I wouldn't need to be posting to  
 the list. :-)
 
 Thanks for any help that anyone can provide,

Two problems, the sizeof is wrong: you'll end up passing the size of a pointer
which isn't what you want. Pass -1 instead and it automatically does a
strlen() on the buffer.

Second problem, wrong public key format. Use PEM_read_bio_RSA_PUBKEY()
instead.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
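
Added example, not from the original posts and not OpenSSL's own parser: a simplified stand-in for the PEM start-line scan that reproduces both failures named in the reply above, the pointer-sized length and the "PUBLIC KEY" versus "RSA PUBLIC KEY" label mismatch. The names pem_find_label and pem_reader_for and the sample key body are assumptions constructed for this example.

```c
/* Added example: why the posted code reports "no start line".
 * pem_find_label() is a simplified stand-in for a PEM start-line scan,
 * not OpenSSL's parser; every name except the two OpenSSL reader
 * functions mentioned in the thread is made up for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: PEM armour around a placeholder body, not a real key. */
static const char *pubKey =
    "-----BEGIN PUBLIC KEY-----\n"
    "UExBQ0VIT0xERVI=\n"
    "-----END PUBLIC KEY-----\n";

/* Look for "-----BEGIN <label>-----" inside the first len bytes of buf.
 * len == -1 means "use strlen(buf)", the convention the reply describes
 * for BIO_new_mem_buf(). Returns 1 and fills label on success, else 0. */
int pem_find_label(const char *buf, long len, char *label, size_t cap)
{
    static const char pre[] = "-----BEGIN ";
    static const char post[] = "-----";
    const size_t plen = sizeof(pre) - 1, tlen = sizeof(post) - 1;
    size_t n, i, j, start, l;

    if (buf == NULL || label == NULL || cap == 0)
        return 0;
    n = (len < 0) ? strlen(buf) : (size_t)len;

    for (i = 0; i + plen <= n; i++) {
        if (memcmp(buf + i, pre, plen) != 0)
            continue;
        start = i + plen;
        for (j = start; j + tlen <= n && buf[j] != '\n'; j++) {
            if (memcmp(buf + j, post, tlen) == 0) {
                l = j - start;
                if (l == 0 || l >= cap)
                    return 0;
                memcpy(label, buf + start, l);
                label[l] = '\0';
                return 1;
            }
        }
        return 0; /* start line begins but is cut off by the length */
    }
    return 0;     /* length too small to hold a start line at all */
}

/* Map a PEM label to the OpenSSL reader that accepts it.
 * "PUBLIC KEY" is the SubjectPublicKeyInfo form, "RSA PUBLIC KEY" the
 * bare RSA form that PEM_read_bio_RSAPublicKey() expects. */
const char *pem_reader_for(const char *label)
{
    if (strcmp(label, "PUBLIC KEY") == 0)
        return "PEM_read_bio_RSA_PUBKEY";
    if (strcmp(label, "RSA PUBLIC KEY") == 0)
        return "PEM_read_bio_RSAPublicKey";
    return NULL;
}

int main(void)
{
    char label[32];
    long lens[2];
    int i;

    lens[0] = (long)sizeof(pubKey); /* the bug: size of a pointer, 4 or 8 */
    lens[1] = -1;                   /* the fix: let the length be strlen() */
    for (i = 0; i < 2; i++) {
        if (!pem_find_label(pubKey, lens[i], label, sizeof label)) {
            printf("len=%ld: no start line\n", lens[i]);
        } else {
            const char *reader = pem_reader_for(label);
            printf("len=%ld: label \"%s\" -> %s\n", lens[i], label,
                   reader ? reader : "(no matching reader)");
        }
    }
    return 0;
}
```

Declaring the key as an array (`static const char pubKey[] = ...`) would make `sizeof` return the full size including the terminating NUL, which is why the same expression behaves differently for a pointer and for an array.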


Re: Errors reading public key from BIO

2007-08-15 Thread Dan Spirlock

Hello Steve,

Thank you very much for your help. It worked like a charm.

Regards,
Dan

On Aug 15, 2007, at 2:22 PM, Dr. Stephen Henson wrote:


On Wed, Aug 15, 2007, Dan Spirlock wrote:


Hello,

I'm working on an application where I'd like to have the public key
stored in a local variable and compiled with the app, but I'm getting
a runtime error when I try to read the public key after it has been
stored in a BIO_mem_buf.  I've tried two different ways, but I get
the same error each time.  If I read the same public key from a file
using PEM_read_RSA_PUBKEY(), it works fine.  I generated a private/
public key pair to test with.  Here is an example I've tried:

static char *pubKey = "-----BEGIN PUBLIC KEY-----"
"\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvbB1yh71tGgX5wQ5PbYR+2V9K"
"\nbmCqcVjbKdcsR9u91dfsXEeH+17kr6TPy2HQcAn1wk5jos8B78bSRLV8STs54Teq"
"\nPa6Z4JrLim89+zgaxbS5k9W87oP06BZ2suf6fBB2M296UJbzBqSYCVTsxbEHQDbP"
"\n/hSGRtueV5668F8qzwIDAQAB\n-----END PUBLIC KEY-----\n";

BIO *pub_bio = BIO_new_mem_buf(pubKey, sizeof(pubKey));
if(pub_bio == NULL)
{
ERR_print_errors_fp(stdout);
return -1;
}

// rsaPubKey was previously initialized with RSA_new()
rsaPubKey = PEM_read_bio_RSAPublicKey(pub_bio, rsaPubKey, NULL,  
NULL);

if(rsaPubKey == NULL)   // always fails here
{
ERR_print_errors_fp(stdout);
return -1;
}

The error is always:  PEM_read_bio:no start line:pem_lib.c:
642:Expecting: RSA PUBLIC KEY
I've added the \n newline characters to the pubKey variable, but I
always get the same error.  Is there something I'm missing in this
process? I'm sure there is otherwise I wouldn't need to be posting to
the list. :-)

Thanks for any help that anyone can provide,


Two problems, the sizeof is wrong: you'll end up passing the size  
of a pointer

which isn't what you want. Pass -1 instead and it automatically does a
strlen() on the buffer.

Second problem, wrong public key format. Use PEM_read_bio_RSA_PUBKEY()
instead.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: errors in DTLS implementation in openssl0.9.8a

2006-09-14 Thread Rob Dugal

There seems to be some confusion on the version number for DTLS.
Here is what RFC4347 says:

version
   The version of the protocol being employed. This document
   describes DTLS Version 1.0, which uses the version { 254, 255
   }. The version value of 254.255 is the 1's complement of DTLS
   Version 1.0. This maximal spacing between TLS and DTLS version
   numbers ensures that records from the two protocols can be
   easily distinguished. It should be noted that future on-the-wire
   version numbers of DTLS are decreasing in value (while the true
   version number is increasing in value.)


This paragraph is confusing. It first says "This document describes
DTLS Version 1.0, which uses the version { 254, 255 }."
Then it says "The version value of 254.255 is the 1's complement of
DTLS Version 1.0."

My interpretation of this is that the version number is { 254,255 }.
However, openssl 0.9.8 appears to interpret this as saying the version
is { 01, 00 }

Can the authors please clarify?

thanks,
Rob

 List: openssl-users
 Subject: Re: errors in DTLS implementation in openssl0.9.8a
 From: Prashant Kumar pkix2005 () yahoo ! com
 Date: 2005-12-13 14:52:05
 Message-ID: 20051213145205.74076.qmail () web52008 ! mail ! yahoo ! com
 
 16 01 00 for a DTLS handshake is the right code
  
  16, Content type, and it is a handshake
  
  DTLS version is 01 00
  
  Thanks,
  Prashant.
 
 Eduardo Pérez Ureta [EMAIL PROTECTED] wrote:
  Maybe you can try:
 http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1245
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335703
 This patch may fix the segmentation fault that I also confirm on
 openssl-0.9.8a running on linux-2.6.14/686
 Some developer should review that patch.
 (I'll try it later if nobody has)
 
 On 2005-12-10 16:38:16 +, robert dugal wrote:
  Openssl 0.9.8a is incorrectly encoding the DTLS version as 0x01,0x00
  instead of 0xfe,0xff
  $ ./openssl s_client -dtls1 -debug
  CONNECTED(0003)
  write to 0x5d3640 [0x5dd3f8] (119 bytes = 119 (0x77))
   - 16 01 00 00 00 00 00 00-00 00 00 00 6a 01 00 00 j...
  
  
  
  Openssl 0.9.8a is incorrectly encoding the ChangeCipherSpec message as 3
  bytes instead of 1 byte, including a 2 byte message sequence number.
  $ ./openssl s_client -dtls1 -debug
  
  write to 0x5d3640 [0x5e2d80] (16 bytes = 16 (0x10))
   - 14 01 00 00 00 00 00 00-00 00 03 00 03 01 00 03
  The first 13 bytes are the record header followed by the CCS which is 3
  bytes: 01 00 03
  
  There is no MSN in the CCS. I had a lengthy discussion with Eric on this
  topic and he was very clear that the CCS has no MSN and he did not want to
  add it to the CCS.
  
  
  I also discovered it is very easy to crash openssl or make the handshake
  fail using the -mtu argument (testing on windows xp).
  
  ./openssl s_server -dtls1 -debug -mtu 100
  ./openssl s_client -dtls1 -debug -mtu 100
  - server Segmentation fault (core dumped)
  
  ./openssl s_server -dtls1 -debug -mtu 128
  ./openssl s_client -dtls1 -debug -mtu 128
  - server 888:error:143F8412:SSL routines:DTLS1_READ_BYTES:sslv3 alert bad certificate
  - client 4052:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c
  
  ./openssl s_server -dtls1 -debug -mtu 256
  ./openssl s_client -dtls1 -debug -mtu 256
  - server DTLS1_READ_BYTES:sslv3 alert bad certificate
  - client 3080:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c
  
  ./openssl s_server -dtls1 -debug -mtu 512
  ./openssl s_client -dtls1 -debug -mtu 512
  - server SSL3_GET_FINISHED:digest check failed
  - client handshake failure

Re: Errors compiling snapshot under Win32

2006-04-17 Thread Dae-Oh Bae

Try to run ms\do_ms instead of running ms\do_masm
-Daeoh


2006/4/17, Chris Clark [EMAIL PROTECTED]:
I'm having trouble compiling the current snapshot of OpenSSL under VC++.

Configure and domasm are both successful, but when I run nmake I get
the following result:

 nmake -f ms\ntdll.mak
Microsoft (R) Program Maintenance Utility Version 6.00.9782.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
Building OpenSSL
 perl util/copy.pl .\crypto\buildinf.h tmp32dll\buildinf.h
Copying: ./crypto/buildinf.h to tmp32dll/buildinf.h
 ml /Cp /coff /c /Cx /Focrypto\md5\asm\m5_win32.obj .\crypto\md5\asm\m5_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\md5\asm\m5_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj .\crypto\sha\asm\s1_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\sha\asm\s1_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\ripemd\asm\rm_win32.obj .\crypto\ripemd\asm\rm_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\ripemd\asm\rm_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\des\asm\d_win32.obj .\crypto\des\asm\d_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\des\asm\d_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\des\asm\y_win32.obj .\crypto\des\asm\y_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\des\asm\y_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\rc4\asm\r4_win32.obj .\crypto\rc4\asm\r4_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\rc4\asm\r4_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\bf\asm\b_win32.obj .\crypto\bf\asm\b_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\bf\asm\b_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\cast\asm\c_win32.obj .\crypto\cast\asm\c_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\cast\asm\c_win32.asm
 ml /Cp /coff /c /Cx /Focrypto\bn\asm\bn_win32.obj .\crypto\bn\asm\bn_win32.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.
Assembling: .\crypto\bn\asm\bn_win32.asm
 cl /Fotmp32dll\t_pkey.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\asn1\t_pkey.c
t_pkey.c
.\crypto\asn1\t_pkey.c(161) : error C2220: warning treated as error - no object file generated
.\crypto\asn1\t_pkey.c(161) : warning C4013: 'ASN1_bn_print' undefined; assuming extern returning int
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.

Could anyone point me in the right direction?

-Chris


Re: Errors compiling snapshot under Win32

2006-04-17 Thread Dr. Stephen Henson
On Sun, Apr 16, 2006, Chris Clark wrote:

 I'm having trouble compiling the current snapshot of OpenSSL under VC++.
 
 Configure and domasm are both successful, but when I run nmake I get
 the following result:
 
 Could anyone point me in the right direction?
 

It would help if you said which snapshot version. There was a problem with one
0.9.8 snapshot yesterday which should be fixed now.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Errors when coding X509 attributes - help needed

2006-03-29 Thread Daniel Díaz Sánchez
Hello,

I am still developing an attribute certificates module for OpenSSL, I solved
the problem of the attribute policyAuthority: everything solved using
GENERAL_NAME instead of GENERAL_NAMES.

Now I have a couple of questions concerning clearance attributes and
enumerated. 

1.- The definition of this attribute is the one that follows:

   Clearance  ::=  SEQUENCE {
        policyId  [0] OBJECT IDENTIFIER,
        classList [1] ClassList DEFAULT {unclassified},
        securityCategories
                  [2] SET OF SecurityCategory OPTIONAL
   }

   ClassList  ::=  BIT STRING {
        unmarked       (0),
        unclassified   (1),
        restricted     (2),
        confidential   (3),
        secret         (4),
        topSecret      (5)
   }

   SecurityCategory ::= SEQUENCE {
        type      [0]  IMPLICIT OBJECT IDENTIFIER,
        value     [1]  ANY DEFINED BY type
   }

I have been having a look at the OpenSSL code and I didn't find how to declare
the field ClassList (maybe I did not search in the correct places). How can
I limit the BIT STRING to 5 elements? 

2.- What about ENUMERATED
anyCode :: 
name ENUMERATED{
item1  (1),
item2  (2),
item3  (3),..
}

Thanks a lot

Daniel

--
Daniel Diaz Sanchez
Telecommunication Engineer
Researcher / Teaching Assistant
 

Dep. Ing. Telemática
Universidad Carlos III de Madrid
Av. Universidad, 30
28911 Leganés (Madrid/Spain)
Tel: (+34) 91-624-8817, Fax: -8749
Web: http://www.it.uc3m.es/dds
web: http://www.it.uc3m.es/pervasive
Mail: [EMAIL PROTECTED]
[--Remove nospam to contact--]


 -----Original Message-----
 From: Daniel Díaz Sánchez [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 16 March 2006 17:41
 To: 'openssl-users@openssl.org'
 Subject: RE: Errors when coding X509 attributes - help needed
 
 Dr. Henson,
 
 I am using your ASN1 module, with some modifications to adapt it to the
 RFC3281. I have been busy, but now I have some time, let me try your
 recommendations in order to correct the ASN1 syntax of the attributes.
 I will provide feedback ASAP.
 
 Thank you for your help,
 
 --
 Daniel Diaz Sanchez
 Telecommunication Engineer
 Researcher / Teaching Assistant
 
 
 Dep. Ing. Telemática
 Universidad Carlos III de Madrid
 Av. Universidad, 30
 28911 Leganés (Madrid/Spain)
 Tel: (+34) 91-624-8817, Fax: -8749
 Web: www.it.uc3m.es/dds
 web: http://www.it.uc3m.es/pervasive
 Mail: [EMAIL PROTECTED]
 [--Remove nospam to contact--]
 
  There is an attribute certificate ASN1 module in my play area on
  openssl.org.
 
  At least one problem is the policyAuthority syntax. The GENERAL_NAMES type is
  what is known as an item template and you can't apply modifiers to that so the
  ASN1_OPT line won't work.
 
  Instead you use the GENERAL_NAME type and declare that as a SEQUENCE OF
  IMPLICIT, OPT.
 
  Steve.
  --
  Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
  OpenSSL project core developer and freelance consultant.
  Funding needed! Details on homepage.
  Homepage: http://www.drh-consultancy.demon.co.uk
 
 
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:owner-openssl-[EMAIL PROTECTED] On behalf of Dr. Stephen Henson
  Sent: Monday, 20 February 2006 13:32
  To: openssl-users@openssl.org
  Subject: Re: Errors when coding X509 attributes - help needed
 
  On Mon, Feb 20, 2006, Daniel Díaz Sánchez wrote:
 
   [Sorry for the prior empty mails I am experiencing some problems with mail]
  
   Hello,
  
   I’m implementing some X509 attributes for an Openssl based X509 attribute
   certificates API (will be available when finished). I have some problems
   with one attribute, I don't know if I am implementing it correctly or not so
   I need help. Let me present the problem: first the definition (by the IETF)
   of the attribute, then the implementation details (declaration and
   implementation) and the piece of code that does not work. Any help would be
   indeed very much grateful.
  
   -Definition (IETF)
  
   IetfAttrSyntax ::= SEQUENCE {
     policyAuthority [0] GeneralNames OPTIONAL,
     values          SEQUENCE OF CHOICE {
                       octets    OCTET STRING,
                       oid       OBJECT IDENTIFIER,
                       string    UTF8String
                     }
   }
  
   -Declaration (.h)
  
   typedef struct IetfAttrSyntax_st {
 GENERAL_NAMES *policyAuthority;
 int type;
 union{
 ASN1_OCTET_STRING *octets;
 ASN1_OBJECT *oid;
 ASN1_UTF8STRING *string;
 }values;
   } IetfAttrSyntax;
  
   DECLARE_ASN1_ITEM(IetfAttrSyntax)
   DECLARE_ASN1_FUNCTIONS(IetfAttrSyntax)
  
   -Implementation (.c)
  
   ASN1_CHOICE(IetfAttrValues)= {
 ASN1_SIMPLE(IetfAttrSyntax ,values.octets , ASN1_OCTET_STRING ),
 ASN1_SIMPLE(IetfAttrSyntax ,values.oid , ASN1_OBJECT ),
 ASN1_SIMPLE(IetfAttrSyntax ,values.string , ASN1_UTF8STRING

RE: Errors when coding X509 attributes - help needed

2006-03-16 Thread Daniel Díaz Sánchez
Dr. Henson,

I am using your ASN1 module, with some modifications to adapt it to the
RFC3281. I have been busy, but now I have some time, let me try your
recommendations in order to correct the ASN1 syntax of the attributes.
I will provide feedback ASAP.

Thank you for your help,

--
Daniel Diaz Sanchez
Telecommunication Engineer
Researcher / Teaching Assistant
 

Dep. Ing. Telemática
Universidad Carlos III de Madrid
Av. Universidad, 30
28911 Leganés (Madrid/Spain)
Tel: (+34) 91-624-8817, Fax: -8749
Web: www.it.uc3m.es/dds
web: http://www.it.uc3m.es/pervasive
Mail: [EMAIL PROTECTED]
[--Remove nospam to contact--]

 There is an attribute certificate ASN1 module in my play area on
 openssl.org.
 
 At least one problem is the policyAuthority syntax. The GENERAL_NAMES type is
 what is known as an item template and you can't apply modifiers to that so the
 ASN1_OPT line won't work.
 
 Instead you use the GENERAL_NAME type and declare that as a SEQUENCE OF
 IMPLICIT, OPT.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:owner-openssl-[EMAIL PROTECTED] On behalf of Dr. Stephen Henson
 Sent: Monday, 20 February 2006 13:32
 To: openssl-users@openssl.org
 Subject: Re: Errors when coding X509 attributes - help needed
 
 On Mon, Feb 20, 2006, Daniel Díaz Sánchez wrote:
 
  [Sorry for the prior empty mails I am experiencing some problems with mail]
 
  Hello,
 
  I’m implementing some X509 attributes for an Openssl based X509 attribute
  certificates API (will be available when finished). I have some problems
  with one attribute, I don't know if I am implementing it correctly or not so
  I need help. Let me present the problem: first the definition (by the IETF)
  of the attribute, then the implementation details (declaration and
  implementation) and the piece of code that does not work. Any help would be
  indeed very much grateful.
 
  -Definition (IETF)
 
  IetfAttrSyntax ::= SEQUENCE {
    policyAuthority [0] GeneralNames OPTIONAL,
    values          SEQUENCE OF CHOICE {
                      octets    OCTET STRING,
                      oid       OBJECT IDENTIFIER,
                      string    UTF8String
                    }
  }
 
  -Declaration (.h)
 
  typedef struct IetfAttrSyntax_st {
  GENERAL_NAMES *policyAuthority;
  int type;
  union{
  ASN1_OCTET_STRING *octets;
  ASN1_OBJECT *oid;
  ASN1_UTF8STRING *string;
  }values;
  } IetfAttrSyntax;
 
  DECLARE_ASN1_ITEM(IetfAttrSyntax)
  DECLARE_ASN1_FUNCTIONS(IetfAttrSyntax)
 
  -Implementation (.c)
 
  ASN1_CHOICE(IetfAttrValues)= {
  ASN1_SIMPLE(IetfAttrSyntax ,values.octets , ASN1_OCTET_STRING ),
  ASN1_SIMPLE(IetfAttrSyntax ,values.oid , ASN1_OBJECT ),
  ASN1_SIMPLE(IetfAttrSyntax ,values.string , ASN1_UTF8STRING )
  }ASN1_CHOICE_END_selector(IetfAttrSyntax, IetfAttrValues, type);
 
  ASN1_SEQUENCE(IetfAttrSyntax) = {
  ASN1_OPT(IetfAttrSyntax, policyAuthority, GENERAL_NAMES, 0),
  ASN1_EX_COMBINE(0, 0, IetfAttrValues)
  }ASN1_SEQUENCE_END(IetfAttrSyntax);
 
  IMPLEMENT_ASN1_FUNCTIONS(IetfAttrSyntax)
  IMPLEMENT_ASN1_DUP_FUNCTION(IetfAttrSyntax)
 
 
 
 There is an attribute certificate ASN1 module in my play area on
 openssl.org.
 
 At least one problem is the policyAuthority syntax. The GENERAL_NAMES type is
 what is known as an item template and you can't apply modifiers to that so the
 ASN1_OPT line won't work.
 
 Instead you use the GENERAL_NAME type and declare that as a SEQUENCE OF
 IMPLICIT, OPT.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


Re: Errors when coding X509 attributes - help needed

2006-02-20 Thread Dr. Stephen Henson
On Mon, Feb 20, 2006, Daniel Díaz Sánchez wrote:

 [Sorry for the prior empty mails I am experiencing some problems with mail]
 
 Hello,
 
 I’m implementing some X509 attributes for an Openssl based X509 attribute
 certificates API (will be available when finished). I have some problems
 with one attribute, I don't know if I am implementing it correctly or not so
 I need help. Let me present the problem: first the definition (by the IETF)
 of the attribute, then the implementation details (declaration and
 implementation) and the piece of code that does not work. Any help would be
 indeed very much grateful.
 
 -Definition (IETF)
 
 IetfAttrSyntax ::= SEQUENCE {
   policyAuthority [0] GeneralNames OPTIONAL,
   values          SEQUENCE OF CHOICE {
                     octets    OCTET STRING,
                     oid       OBJECT IDENTIFIER,
                     string    UTF8String
                   }
 }
 
 -Declaration (.h)
 
 typedef struct IetfAttrSyntax_st {
   GENERAL_NAMES *policyAuthority;
   int type; 
   union{ 
   ASN1_OCTET_STRING *octets;
   ASN1_OBJECT *oid;
   ASN1_UTF8STRING *string;
   }values;
 } IetfAttrSyntax;
 
 DECLARE_ASN1_ITEM(IetfAttrSyntax)
 DECLARE_ASN1_FUNCTIONS(IetfAttrSyntax)
 
 -Implementation (.c)
 
 ASN1_CHOICE(IetfAttrValues)= {
   ASN1_SIMPLE(IetfAttrSyntax ,values.octets , ASN1_OCTET_STRING ),
   ASN1_SIMPLE(IetfAttrSyntax ,values.oid , ASN1_OBJECT ),
   ASN1_SIMPLE(IetfAttrSyntax ,values.string , ASN1_UTF8STRING )
 }ASN1_CHOICE_END_selector(IetfAttrSyntax, IetfAttrValues, type);
 
 ASN1_SEQUENCE(IetfAttrSyntax) = {
   ASN1_OPT(IetfAttrSyntax, policyAuthority, GENERAL_NAMES, 0),
   ASN1_EX_COMBINE(0, 0, IetfAttrValues)
 }ASN1_SEQUENCE_END(IetfAttrSyntax);
 
 IMPLEMENT_ASN1_FUNCTIONS(IetfAttrSyntax)
 IMPLEMENT_ASN1_DUP_FUNCTION(IetfAttrSyntax)
 
 

There is an attribute certificate ASN1 module in my play area on
openssl.org.

At least one problem is the policyAuthority syntax. The GENERAL_NAMES type is
what is known as an item template and you can't apply modifiers to that so the
ASN1_OPT line won't work.

Instead you use the GENERAL_NAME type and declare that as a SEQUENCE OF
IMPLICIT, OPT.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Errors with firefox

2006-02-07 Thread Michael Smith
OK I have been able to 'fix' this by adding the following directive:

SSLProtocol SSLv2

Does this suggest a buggy SSL v3 implementation in openssl on my platform? Odd that nobody else is experiencing it.

Michael

On 1/31/06, Michael Smith [EMAIL PROTECTED] wrote:
Hello there

I've previously sent this to the mod_ssl list with no success. Sorry if you've seen it before:

I have apache compiled on solaris with sun cc with mod_ssl- 2.8.25-1.3.34 and openssl-0.9.8a (I've also tried 0.9.7i and the nightly build).

When accessing the site using Internet Explorer I have no problems. With Firefox the browser reports an 'incorrect Message Authentication Code' and the server logs report:

[Mon Jan 23 13:13:54 2006] [error] mod_ssl: SSL handshake failed (server xxx:443, client xxx) (OpenSSL library error follows)
[Mon Jan 23 13:13:54 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

I do have previous builds that 'work' ... but have been unable to determine precisely what change initiated this problem. It might be the release of openssl, it might also be the Sun compiler, which was now from studio 11 and was previously from an earlier version which I don't have access to any more.

Any suggestions much appreciated

Thanks

Michael Smith


Re: Errors with firefox

2006-02-07 Thread Samy Thiyagarajan

Hi Michael,

SSLv2 is obsolete and vulnerable to several attacks. It is always better not to use v2.

Did you try with SSLv23?

Samy

Michael Smith [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07.02.2006 14:47
Please respond to: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Errors with firefox

OK I have been able to 'fix' this by adding the following
directive:

SSLProtocol SSLv2
 
Does this suggest a buggy SSL v3 implementation in openssl
on my platform? Odd that nobody else is experiencing it.

Michael

 
On 1/31/06, Michael Smith [EMAIL PROTECTED] wrote:
Hello there

I've previously sent this to the mod_ssl list with no success. Sorry
if you've seen it before: 

I have apache compiled on solaris with sun cc with mod_ssl- 2.8.25-1.3.34
and openssl-0.9.8a (I've also tried 0.9.7i and the nightly build).

When accessing the site using Internet Explorer I have no problems. With
Firefox the browser reports an 'incorrect Message Authentication Code'
and the server logs report: 

[Mon Jan 23 13:13:54 2006] [error] mod_ssl: SSL handshake failed (server
xxx:443, client xxx) ( OpenSSL library error follows)
[Mon Jan 23 13:13:54 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption
failed or bad record mac 

I do have previous builds that 'work' ... but have been unable to determine
precisely what change initiated this problem. It might be the release
of openssl, it might also be the Sun compiler, which was now from studio
11 and was previously from an earlier version which I don't have access
to any more. 


Any suggestions much appreciated

Thanks

Michael Smith






Re: Errors with firefox

2006-02-07 Thread Michael Smith
Thanks for the response.

Yes I'd rather use SSLv3 if I can get it to work! How do I try with SSLv23? It doesn't seem to be an option in mod_ssl.

Michael

On 2/7/06, Samy Thiyagarajan [EMAIL PROTECTED] wrote:

Hi Michael,

SSLv2 is obsolete and vulnerable to several attacks. It is always better not to use v2.

Did you try with SSLv23?

Samy

Michael Smith [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07.02.2006 14:47
Please respond to: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Errors with firefox

OK I have been able to 'fix' this by adding the following
directive:

SSLProtocol SSLv2
 
Does this suggest a buggy SSL v3 implementation in openssl
on my platform? Odd that nobody else is experiencing it.

Michael

 
On 1/31/06, Michael Smith [EMAIL PROTECTED] wrote:
Hello there

I've previously sent this to the mod_ssl list with no success. Sorry
if you've seen it before: 

I have apache compiled on solaris with sun cc with mod_ssl- 2.8.25-1.3.34
and openssl-0.9.8a (I've also tried 0.9.7i and the nightly build).

When accessing the site using Internet Explorer I have no problems. With
Firefox the browser reports an 'incorrect Message Authentication Code'
and the server logs report: 

[Mon Jan 23 13:13:54 2006] [error] mod_ssl: SSL handshake failed (server
xxx:443, client xxx) ( OpenSSL library error follows)
[Mon Jan 23 13:13:54 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption
failed or bad record mac 

I do have previous builds that 'work' ... but have been unable to determine
precisely what change initiated this problem. It might be the release
of openssl, it might also be the Sun compiler, which was now from studio
11 and was previously from an earlier version which I don't have access
to any more. 


Any suggestions much appreciated

Thanks

Michael Smith








Re: errors in DTLS implementation in openssl0.9.8a

2005-12-13 Thread Prashant Kumar
16 01 00 for a DTLS handshake is the right code

16, Content type, and it is a handshake

DTLS version is 01 00

Thanks,
Prashant.

Eduardo Pérez Ureta [EMAIL PROTECTED] wrote:
 Maybe you can try:
 http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1245
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335703
 This patch may fix the segmentation fault that I also confirm on
 openssl-0.9.8a running on linux-2.6.14/686
 Some developer should review that patch.
 (I'll try it later if nobody has)

 On 2005-12-10 16:38:16 +, robert dugal wrote:
  Openssl 0.9.8a is incorrectly encoding the DTLS version as 0x01,0x00 
  instead of 0xfe,0xff
  $ ./openssl s_client -dtls1 -debug
  CONNECTED(0003)
  write to 0x5d3640 [0x5dd3f8] (119 bytes = 119 (0x77))
   - 16 01 00 00 00 00 00 00-00 00 00 00 6a 01 00 00   j...

  Openssl 0.9.8a is incorrectly encoding the ChangeCipherSpec message as 3 
  bytes instead of 1 byte, including a 2 byte message sequence number.
  $ ./openssl s_client -dtls1 -debug
  write to 0x5d3640 [0x5e2d80] (16 bytes = 16 (0x10))
   - 14 01 00 00 00 00 00 00-00 00 03 00 03 01 00 03 
  The first 13 bytes are the record header followed by the CCS which is 3 
  bytes: 01 00 03

  There is no MSN in the CCS. I had a lengthy discussion with Eric on this 
  topic and he was very clear that the CCS has no MSN and he did not want to 
  add it to the CCS.

  I also discovered it is very easy to crash openssl or make the handshake 
  fail using the -mtu argument (testing on windows xp).

  ./openssl s_server -dtls1 -debug -mtu 100
  ./openssl s_client -dtls1 -debug -mtu 100
  - server Segmentation fault (core dumped)

  ./openssl s_server -dtls1 -debug -mtu 128
  ./openssl s_client -dtls1 -debug -mtu 128
  - server 888:error:143F8412:SSL routines:DTLS1_READ_BYTES:sslv3 alert bad 
  certificate
  - client 4052:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 
  lib:s3_clnt.c

  ./openssl s_server -dtls1 -debug -mtu 256
  ./openssl s_client -dtls1 -debug -mtu 256
  - server DTLS1_READ_BYTES:sslv3 alert bad certificate
  - client 3080:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 
  lib:s3_clnt.c

  ./openssl s_server -dtls1 -debug -mtu 512
  ./openssl s_client -dtls1 -debug -mtu 512
  - server SSL3_GET_FINISHED:digest check failed
  - client handshake failure

Re: errors in DTLS implementation in openssl0.9.8a

2005-12-12 Thread Eduardo Pérez Ureta
Maybe you can try:
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1245
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335703
This patch may fix the segmentation fault that I also confirm on
openssl-0.9.8a running on linux-2.6.14/686
Some developer should review that patch.
(I'll try it later if nobody has)

On 2005-12-10 16:38:16 +, robert dugal wrote:
 Openssl 0.9.8a is incorrectly encoding the DTLS version as 0x01,0x00 
 instead of 0xfe,0xff
 $ ./openssl s_client -dtls1 -debug
 CONNECTED(0003)
 write to 0x5d3640 [0x5dd3f8] (119 bytes = 119 (0x77))
  - 16 01 00 00 00 00 00 00-00 00 00 00 6a 01 00 00   j...
 
 
 
 Openssl 0.9.8a is incorrectly encoding the ChangeCipherSpec message as 3 
 bytes instead of 1 byte, including a 2 byte message sequence number.
 $ ./openssl s_client -dtls1 -debug
 snipped
 write to 0x5d3640 [0x5e2d80] (16 bytes = 16 (0x10))
  - 14 01 00 00 00 00 00 00-00 00 03 00 03 01 00 03   
 The first 13 bytes are the record header followed by the CCS which is 3 
 bytes: 01 00 03
 
 There is no MSN in the CCS. I had a lengthy discussion with Eric on this 
 topic and he was very clear that the CCS has no MSN and he did not want to 
 add it to the CCS.
 
 
 I also discovered it is very easy to crash openssl or make the handshake 
 fail using the -mtu argument (testing on windows xp).
 
 ./openssl s_server -dtls1 -debug -mtu 100
 ./openssl s_client -dtls1 -debug -mtu 100
 - server Segmentation fault (core dumped)
 
 ./openssl s_server -dtls1 -debug -mtu 128
 ./openssl s_client -dtls1 -debug -mtu 128
 - server 888:error:143F8412:SSL routines:DTLS1_READ_BYTES:sslv3 alert bad 
 certificate
 - client 4052:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 
 lib:s3_clnt.c
 
 ./openssl s_server -dtls1 -debug -mtu 256
 ./openssl s_client -dtls1 -debug -mtu 256
 - server DTLS1_READ_BYTES:sslv3 alert bad certificate
 - client 3080:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 
 lib:s3_clnt.c
 
 ./openssl s_server -dtls1 -debug -mtu 512
 ./openssl s_client -dtls1 -debug -mtu 512
 - server SSL3_GET_FINISHED:digest check failed
 - client handshake failure
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
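
The two `-debug` dumps quoted in this thread can be decoded field by field against the 13-byte DTLS record header. The C program below is an added example, not code from OpenSSL or from any poster; its function and flag names are hypothetical, the third sample record is constructed, and the expected values (version bytes {254, 255} and a one-byte ChangeCipherSpec) are those RFC 4347 gives for DTLS 1.0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DTLS_HDR_LEN    13      /* type(1) version(2) epoch(2) seq(6) length(2) */
#define CT_CCS          0x14    /* change_cipher_spec */
#define CT_HANDSHAKE    0x16
#define DTLS1_0_VERSION 0xFEFF  /* RFC 4347 wire value {254, 255} */

/* Findings, returned as a bit mask (hypothetical names). */
enum {
    F_SHORT_HEADER = 1 << 0,  /* fewer than 13 bytes available */
    F_VERSION      = 1 << 1,  /* version field is not {254, 255} */
    F_OVERRUN      = 1 << 2,  /* length field runs past the datagram */
    F_CCS_BODY     = 1 << 3   /* plaintext CCS is not the single byte 0x01 */
};

struct dtls_record {
    uint8_t  type;
    uint16_t version;
    uint16_t epoch;
    uint64_t seq;      /* 48-bit record sequence number */
    uint16_t length;   /* fragment length taken from the header */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/*
 * buf/captured: the bytes actually available (a debug dump may show only its
 * first line). datagram_len: size of the whole write as reported by -debug.
 */
int dtls_check_record(const uint8_t *buf, size_t captured, size_t datagram_len,
                      struct dtls_record *rec)
{
    int flags = 0;
    size_t i;

    if (captured < DTLS_HDR_LEN || datagram_len < DTLS_HDR_LEN)
        return F_SHORT_HEADER;

    rec->type    = buf[0];
    rec->version = be16(buf + 1);
    rec->epoch   = be16(buf + 3);
    rec->seq     = 0;
    for (i = 0; i < 6; i++)
        rec->seq = (rec->seq << 8) | buf[5 + i];
    rec->length  = be16(buf + 11);

    if (rec->version != DTLS1_0_VERSION)
        flags |= F_VERSION;
    if ((size_t)rec->length > datagram_len - DTLS_HDR_LEN)
        flags |= F_OVERRUN;

    /* Epoch 0 records are unencrypted, so the CCS body can be inspected. */
    if (rec->type == CT_CCS && rec->epoch == 0) {
        if (rec->length != 1)
            flags |= F_CCS_BODY;
        else if (captured > DTLS_HDR_LEN && buf[DTLS_HDR_LEN] != 0x01)
            flags |= F_CCS_BODY;
    }
    return flags;
}

/* First 16 bytes of the 119-byte handshake write quoted in the thread. */
static const uint8_t DUMP_HANDSHAKE[16] = {
    0x16, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x6a, 0x01, 0x00, 0x00 };
/* The 16-byte ChangeCipherSpec write quoted in the thread. */
static const uint8_t DUMP_CCS[16] = {
    0x14, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x03, 0x00, 0x03, 0x01, 0x00, 0x03 };
/* Constructed sample: the same CCS record in the RFC 4347 encoding. */
static const uint8_t GOOD_CCS[14] = {
    0x14, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x03, 0x00, 0x01, 0x01 };

static void report(const char *name, const uint8_t *b, size_t cap, size_t dgram)
{
    struct dtls_record r;
    int f = dtls_check_record(b, cap, dgram, &r);

    if (f & F_SHORT_HEADER) {
        printf("%-10s header truncated\n", name);
        return;
    }
    printf("%-10s type=0x%02x version=0x%04x epoch=%u seq=%llu length=%u%s%s%s\n",
           name, (unsigned)r.type, (unsigned)r.version, (unsigned)r.epoch,
           (unsigned long long)r.seq, (unsigned)r.length,
           (f & F_VERSION)  ? " [version]" : "",
           (f & F_OVERRUN)  ? " [overrun]" : "",
           (f & F_CCS_BODY) ? " [ccs-body]" : "");
}

int main(void)
{
    report("handshake", DUMP_HANDSHAKE, sizeof DUMP_HANDSHAKE, 119);
    report("ccs", DUMP_CCS, sizeof DUMP_CCS, 16);
    report("good-ccs", GOOD_CCS, sizeof GOOD_CCS, sizeof GOOD_CCS);
    return 0;
}
```

The header length field of the first dump (0x006a = 106) plus the 13-byte header accounts for the full 119-byte write, and the second dump's sequence number field reads 3 with a 3-byte body, matching the byte counts given in the report.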


Re: errors processing PKCS12 file

2003-06-20 Thread Todd A. Oberly
On 06/19/2003, Todd A. Oberly wrote:

 I wanted to try processing a binary PKCS12 file (ie.
 split apart the 3 certificates inside) as downloaded from Thawte's
 FreeMail service, but keep getting the same errors no matter what I try.
 For example
[...]

FYI, I finally figured it out myself.  Well, sort of.  I was having
trouble because the certificate sequence isn't a PKCS12 (no private key
;-) or a PKCS7, but a Netscape Certificate Sequence.  Unfortunately,
OpenSSL's NSEQ tools are still primitive, and processing it with

./openssl nseq -in ~/deliver.exe

still generates an error. :-(  So I'm off to report a bug and perhaps
write a little tool of my own.  (I'd offer a fix, but I'm not that good
with C...)

Cheers,

Todd

-- 
Todd Oberly  My joke has a beautiful voice...
[EMAIL PROTECTED] Poor Rich Ones, Special Angle
ICQ: 34926408



Re: errors processing PKCS12 file

2003-06-20 Thread Dr. Stephen Henson
On Fri, Jun 20, 2003, Todd A. Oberly wrote:

 On 06/19/2003, Todd A. Oberly wrote:
 
  I wanted to try processing a binary PKCS12 file (ie.
  split apart the 3 certificates inside) as downloaded from Thawte's
  FreeMail service, but keep getting the same errors no matter what I try.
  For example
 [...]
 
 FYI, I finally figured it out myself.  Well, sort of.  I was having
 trouble because the certificate sequence isn't a PKCS12 (no private key
 ;-) or a PKCS7, but a Netscape Certificate Sequence.  Unfortunately,
 OpenSSL's NSEQ tools are still primitive, and processing it with
 
 ./openssl nseq -in ~/deliver.exe
 
 still generates an error. :-(  So I'm off to report a bug and perhaps
 write a little tool of my own.  (I'd offer a fix, but I'm not that good
 with C...)
 

What does the file look like? Does it appear binary or base64 encoded with
headers?

If you can post or send me a copy I'll have a look at it. 

The last time I looked Thawte had several options for downloading certificates
including PKCS#7, raw and nseq, you may have more luck with another form.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: errors processing PKCS12 file

2003-06-20 Thread Todd A. Oberly
On 06/20/2003, Dr. Stephen Henson wrote:
 On Fri, Jun 20, 2003, Todd A. Oberly wrote:

[...]
 OpenSSL's NSEQ tools are still primitive, and processing it with
 
 ./openssl nseq -in ~/deliver.exe
 
 still generates an error. :-(  So I'm off to report a bug and perhaps
 write a little tool of my own.  (I'd offer a fix, but I'm not that good
 with C...)

 What does the file look like? Does it appear binary or base64 encoded
 with headers?
 
 If you can post or send me a copy I'll have a look at it. 

It's a binary file containing 3 certificates...my email certificate, an
intermediate Thawte CA certificate, and Thawte's FreeMail root
certificate.  So far, asn1parse is the only openssl command that will
touch it.  Thanks for the offer! :-)  I'm forwarding you a copy
privately.

 The last time I looked Thawte had several options for downloading
 certificates including PKCS#7, raw and nseq, you may have more luck with
 another form.

Not for their Freemail service, AFAIK.  Being free, I suspect they want as
few variables as possible, to minimize support requests.  The only format
option involves choosing a browser type, which they enforce by checking
the User-Agent string.  Without a bit of local hacking, a Netscape
Certificate Sequence is my only choice. :-(

Cheers,

Todd

-- 
Todd Oberly  I'm just passing through here, on my way to
[EMAIL PROTECTED]   somewhere civilised...and maybe I'll even
ICQ: 34926408 arriveMorrissey, Asian Rut



Re: Errors by compiling Apapache with mod_ssl

2002-06-21 Thread Lutz Jaenicke

On Fri, Jun 21, 2002 at 03:02:46PM +0200, ?ernoevi? Michal wrote:
 I can't compile Apache 1.3.24 with openssl-beta2, mod_ssl and mod_perl, but there is 
no error with 0.96d version. Can anybody see some problems? 

Update to mod_ssl-2.8.9, which is adapted for OpenSSL 0.9.7 use.
You will need it anyway due to the recommended upgrade to Apache 1.3.26.
http://www.openssl.org/support/faq.html#PROG11

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



RE: Errors

2002-06-04 Thread Sharon Hezy

See answers below.
I hope it helps.

Best Regards,
Sharon Hezy.

---Original Message-
--From: Shalendra Chhabra [mailto:[EMAIL PROTECTED]]
--Sent: Tue, June 04, 2002 3:01 PM
--To: [EMAIL PROTECTED]
--Subject: Errors
--
--
--I need some help
--
--1. I am able to generate Certificate and Private Key
--using command line options in Openssl.
--can someone tell me are they considered good? and if they are good 
--why do we need Certificates from companies like
--Microsoft, Verisign???
--
You're right that you can generate private key and certificate *request*
using openssl command line tool. As well you can use browsers/servers U/I
for certificate request and private key generation.
But, creation of certificate - it's already another thing. When you're signing
certificate request - you should be a *valid* certificate authority. The regular
ca tool of openssl signs your request using test certificate authority (which is
inside OpenSSL by courtesy of OpenSSL developers). If you choose to trust it - you
should add it to your browsers' trusted certificates list (or to your servers' trusted
certificates list). Anyway, if you will send this certificate signed by test CA
to anybody else (not your server/browser) - your certificate will not be trusted by
anybody because nobody else except you knows who's test CA is. But, known
companies as Verisign, Thawte, etc. - are known worldwide and if they sign
your certificate you will not have verification problems (at least not CA
verification problems...:-) ). For example, their certificates are part of default trusted CA
list which you get when you're installing IE or Netscape browsers.
Simply, it's all a matter of trust: are other people trust person who signs
your personal certificate. ;-)
--
--
--2. I have downloaded the OpenSSL 0.9.6 24 Sep 2000
--version. In
--openssl-0.9.6d/openssl-0.9.6d/demos/maurice
--when I write make
--I get the following errors
--cc -g -I../../include -Wall   -c -o loadkeys.o loadkeys.c
--loadkeys.c: In function `ReadPublicKey':
--loadkeys.c:36: too few arguments to function `PEM_ASN1_read'
--loadkeys.c: In function `ReadPrivateKey':
--loadkeys.c:67: too few arguments to function `PEM_ASN1_read'
--make: *** [loadkeys.o] Error 1
--
--when I open loadkeys.c, line 36 is
--
--x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509,
--PEM_STRING_X509,
--fp, NULL, NULL);
--
--
--and line 67 is
--
-- pkey = (EVP_PKEY*)PEM_ASN1_read ((char 
--*(*)())d2i_PrivateKey,
--   PEM_STRING_EVP_PKEY,
--   fp,
--   NULL, NULL);
--
--But when I went to openssl.org I could not find whats the syntax 
--of the
--PEM_ASN1_read function. Please help what the arguments should 
--be???

How about checking the appropriate .h file? You can find the function 
with grep in Unix or find on Windows.

--Thanks
--Shalendra



RE: Errors

2002-06-04 Thread Jacobson Erik P Civ AFRL/IFGC

Whether the certificates are good or not depends on your usage of them.
As far as securing your own communications, yes they are good (if properly
created with a decent key etc.).  The Microsoft, Verisign, Thawte, etc...
certificates are for the general public's peace of mind.  They are normally
used on commercial websites or publicly distributed software.  The reason
these commercial certificate companies are important although their
certificates are functionally the same as yours, is they are established as
trusted companies by the software community at large.  They are known to
verify the people that they distribute signed certificates to as being who
they say they are.

If you have a certificate from some no name certificate authority (
http://www.theregister.co.uk/content/30/25547.html :) ) instead of a well
known one like Verisign that says it is for Microsoft corporation, it will
work for securing your code.  But it does not mean that the company is
actually Microsoft.  But if you have a certificate from Verisign saying it
was signed for Microsoft, then you can feel fairly confident that you aren't
being misled by whoever is using the certificate.

The issue is Trust.  You have to believe that whoever is issuing the
certificate is verifying who they sign it for.  And they charge enough money
for their seal of approval also. :/

-----Original Message-----
From: Shalendra Chhabra [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: Errors


I need some help

1. I am able to generate Certificate and Private Key
using command line options in Openssl.
can someone tell me are they considered good? and if they are good 
why do we need Certificates from companies like
Microsoft, Verisign???



Re: Errors

2002-06-04 Thread Mark H. Wood

On 4 Jun 2002, Shalendra Chhabra wrote:
> 1. I am able to generate Certificate and Private Key
> using command line options in Openssl.
> can someone tell me are they considered good? and if they are good
> why do we need Certificates from companies like
> Microsoft, Verisign???

Considered good by whom, and what does good mean?  Certificates produced
using OpenSSL ought to be just as good in the mathematical sense as anyone
else's.  What those certificates *mean* depends on just how hard the
issuer works to prove that the entity requesting the certificate is
providing a valid identity to be bound to the requested certificate.

Certificates from recognized commercial CAs have considerable value
because we believe that those CAs do a reasonable job of verifying
identity.  Certificates issued by the experimental OpenSSL-based CA I have
on my office workstation have no particular value, and in fact my CPS says
so.  Certificates issued by random CAs set up with Microsoft's cert.
management tools have value in proportion to the trust you place in the
person running the CA and the security of the CA host machine.

Commercial certificates for e.g. web servers have other value as well, in
that most Web browsers will already be set up to trust those CAs.  If you
mint your own cert.s using OpenSSL or the Windows gadget, nobody will have
heard of your CA so you have to convince them that you're trustworthy
before they'll add your CA's self-signed cert. to their store of trusted
authorities.  (Of course, some people don't require much convincing.)  A
private CA is probably best used for internal projects only, since it's a
lot easier to develop the necessary trust within a small, closed
community.

The MS gadget has one other thing going for it:  it's all wrapped up in a
pretty package so that you can just push a few buttons and have a private
CA ready for use.  OTOH OpenSSL lets you see what it is doing, and it's
flexible enough to do a lot more than just issue magic numbers.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.




Re: Errors

2002-06-04 Thread terr

I sort of agree with the sentiments expressed by Shalendra Chhabra.  The value added 
by M$ or verisign is questionable.  I would rather I could pop over to my local bank 
and get a cert.  They know me and I trust them.  I do not trust Verisign.

I have said this before in this group and I will repeat it.  I see nothing that would 
stop a felon in prison from incorporating a company and getting a cert.  The bottom 
line is that the theory is fine... but in practice I feel commercial CA's should be 
institutions that we already trust - like the local bank or law office.  Trusting 
verisign or Microsoft is questionable.  I also feel it is somewhat ludicrous that my 
local bank should be expected to shell out $1000's so they can get a cert that allows 
them to re-issue certs.  IMHO this is just a racket.

In practice I think good works like this.  Any cert that does not fire up a warning 
message from the windows machine running the browser would be considered good.  This 
means that one can use any of many ways to load a good cert into the machine.  
Windows has a LOT of exploits.  Security is only as strong as the weakest link.  This 
means the end user is probably the biggest security weakness in most cases.  Simply 
pop up a dialog that asks the user to download the cert you want as a prior step.  
Perhaps write a signed active-x control and use it to install your own cert.  If the 
machine is vulnerable to a virus then one can use that hole to install a cert.  

Am I wrong?


On Tue, Jun 04, 2002 at 10:27:34AM -0500, Mark H. Wood wrote:
> On 4 Jun 2002, Shalendra Chhabra wrote:
> > 1. I am able to generate Certificate and Private Key
> > using command line options in Openssl.
> > can someone tell me are they considered good? and if they are good
> > why do we need Certificates from companies like
> > Microsoft, Verisign???
>
> Considered good by whom, and what does good mean?  Certificates produced
> using OpenSSL ought to be just as good in the mathematical sense as anyone
> else's.  What those certificates *mean* depends on just how hard the
> issuer works to prove that the entity requesting the certificate is
> providing a valid identity to be bound to the requested certificate.
>
> Certificates from recognized commercial CAs have considerable value
> because we believe that those CAs do a reasonable job of verifying
> identity.  Certificates issued by the experimental OpenSSL-based CA I have
> on my office workstation have no particular value, and in fact my CPS says
> so.  Certificates issued by random CAs set up with Microsoft's cert.
> management tools have value in proportion to the trust you place in the
> person running the CA and the security of the CA host machine.
>
> Commercial certificates for e.g. web servers have other value as well, in
> that most Web browsers will already be set up to trust those CAs.  If you
> mint your own cert.s using OpenSSL or the Windows gadget, nobody will have
> heard of your CA so you have to convince them that you're trustworthy
> before they'll add your CA's self-signed cert. to their store of trusted
> authorities.  (Of course, some people don't require much convincing.)  A
> private CA is probably best used for internal projects only, since it's a
> lot easier to develop the necessary trust within a small, closed
> community.
>
> The MS gadget has one other thing going for it:  it's all wrapped up in a
> pretty package so that you can just push a few buttons and have a private
> CA ready for use.  OTOH OpenSSL lets you see what it is doing, and it's
> flexible enough to do a lot more than just issue magic numbers.
>
> -- 
> Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
> MS Windows *is* user-friendly, but only for certain values of user.



Re: Errors

2002-06-04 Thread Martin Kochanski

At 09:16 04/06/02 -0600, you wrote:
> I have said this before in this group and I will repeat it.  I see nothing that would
> stop a felon in prison from incorporating a company and getting a cert.

And she should be allowed to. The certificate will say that it was issued to that 
company. The certificate is entirely legitimate and should be trusted, because what it 
says is true: company X exists, and this certificate was issued to company X.

> The bottom line is that the theory is fine... but in practice I feel commercial CA's
> should be institutions that we already trust - like the local bank or law office.

I don't trust your local bank or law office. I don't even know who or where they are.

> In practice I think good works like this.  Any cert that does not fire up a warning
> message from the windows machine running the browser would be considered good.  This
> means that one can use any of many ways to load a good cert into the machine.
> Windows has a LOT of exploits.  Security is only as strong as the weakest link.  This
> means the end user is probably the biggest security weakness in most cases.  Simply
> pop up a dialog that asks the user to download the cert you want as a prior step.
> Perhaps write a signed active-x control and use it to install your own cert.  If the
> machine is vulnerable to a virus then one can use that hole to install a cert.

This is entirely true. The only browser that can really be trusted is one into which 
new certificates can never be installed and which refuses to connect to a site if the 
certificate can't be verified.

Whether such a browser would be useful in the real world is another matter.



Re: Re: Errors

2002-06-04 Thread Shalendra Chhabra

Greetings, I did not get this piece of line..

This is entirely true. The only browser that can really be 
trusted is one into which new certificates can never be installed 
and which refuses to connect to a site if the certificate can't 
be verified.??

What does this mean?? Then how will the certificates be 
installed?
(Please don't mind, I am new and weak in concepts)


Whether such a browser would be useful in the real world is 
another matter.




Re: Errors in Apache

2001-11-21 Thread Laurent Jouannic

Hi Mark

Nazzaro, Mark (Mark) wrote:

> We are getting the following error messages in our Apache error_log:
> [Wed Nov 21 08:43:40 2001] [error] mod_ssl: SSL handshake failed (server
> mylucent.web.lucent.com:443, client 135.103.93.70) (OpenSSL library error
> follows)
> [Wed Nov 21 08:43:40 2001] [error] OpenSSL: error:27066221::lib(39)
> :func(102) :reason(545)
> [Wed Nov 21 08:43:40 2001] [error] OpenSSL: error:1409B004::lib(20)
> :func(155) :reason(4)
>
> Any help would be greatly appreciated.

Was your server running OK before, or is it a new error?
Which service: apache with mod_ssl or apache_ssl?
Which version?


Laurent Jouannic
http:/www.d2i.fr (in french)
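
The lib, func and reason numbers in the quoted log lines are the three fields of the packed hexadecimal code. This added example (not part of the original thread) decodes them in Python, assuming the pre-3.0 OpenSSL layout of 8-bit library, 12-bit function and 12-bit reason; the sample lines are copied from messages on this page, and the two small name tables are subsets of the `ERR_LIB_*` and `ERR_R_*` values in OpenSSL's `err.h`.

```python
import re

# Packed layout used by OpenSSL before 3.0 (ERR_GET_LIB / ERR_GET_FUNC /
# ERR_GET_REASON in err.h): 8-bit library, 12-bit function, 12-bit reason.
LIB_NAMES = {4: "RSA", 9: "PEM", 20: "SSL", 36: "RAND"}  # subset of ERR_LIB_*

# Reasons below 100 are shared by all libraries (ERR_R_*). These three name
# the lower-level library whose failure was passed up the call chain.
SHARED_REASONS = {3: "BN lib", 4: "RSA lib", 9: "PEM lib"}

CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")
PRINTED_RE = re.compile(r"\b(lib|func|reason)\((\d+)\)")

# Error lines as they appear in messages on this page (log prefixes trimmed,
# wrapped lines joined).
SAMPLE_LINES = [
    "[error] OpenSSL: error:27066221::lib(39) :func(102) :reason(545)",
    "[error] OpenSSL: error:1409B004::lib(20) :func(155) :reason(4)",
    "1340:error:0906D06C:PEM routines:PEM_read_bio:no start line:",
    "11691:error:24064064:random number generator:SSLEAY_RAND_BYTES:"
    "PRNG not seeded:md_rand.c:474:",
]


def unpack(code):
    """Split a packed pre-3.0 OpenSSL error code into its three fields."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def decode_line(line):
    """Decode the first 'error:XXXXXXXX' in a log line, or return None."""
    match = CODE_RE.search(line)
    if match is None:
        return None
    fields = unpack(int(match.group(1), 16))
    fields["code"] = match.group(1).upper()
    fields["lib_name"] = LIB_NAMES.get(fields["lib"], "unknown")
    fields["shared_reason"] = (
        SHARED_REASONS.get(fields["reason"]) if fields["reason"] < 100 else None
    )
    # When the library's error strings were not loaded, OpenSSL prints the raw
    # numbers as lib(N), func(N), reason(N); check they agree with the hex code.
    printed = {name: int(value) for name, value in PRINTED_RE.findall(line)}
    fields["consistent"] = all(fields[k] == v for k, v in printed.items())
    return fields


def decode_all(lines):
    """Decode every line that carries an OpenSSL error code."""
    decoded = (decode_line(line) for line in lines)
    return [d for d in decoded if d is not None]


if __name__ == "__main__":
    for d in decode_all(SAMPLE_LINES):
        print("{code}: lib={lib} ({lib_name}) func={func} reason={reason} "
              "shared_reason={shared_reason} consistent={consistent}".format(**d))
```

For the second Apache line this reports library 20 (SSL) with shared reason "RSA lib", meaning the SSL code is passing up a failure from an RSA operation; library 39 is not in the table and is reported as unknown.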






Re: Errors in compiling Net_SSLeay

2001-10-31 Thread Lutz Jaenicke

On Tue, Oct 30, 2001 at 08:22:59PM -0500, DING,SCOTT (HP-PaloAlto,ex1) wrote:
> I tried to install Net_SSLeay as part of process to set perl-ldap up. When I
> compile the Net_SSLeay, I got the errors:
>
> ld: Invalid loader fixup in text space needed in output file for symbol
> $0058 in input file /usr/local/ssl/lib/libssl.a(ssl_lib.o)

You must have either libssl (and libcrypto) as shared libraries or at
least you need relocatable object files.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



RE: Errors with CRL.

2001-09-04 Thread Ryan Hurst

What CA generated the CRL? Are you sure it is in PEM? Does it have the PEM
armor (-----BEGIN..., -----END)?

Ryan

-----Original Message-----
From: Eldi Espinosa (InfoSpace Inc) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 04, 2001 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: Errors with CRL.

I just installed openssl and I created a RSA cert.
I'm trying to use CRL to check issuer info, last update etc as this information
is going to be important for audit but when I try to use it it just gives me an
error.

This is my command line:
openssl crl -in test.pem -text

And this is the error message:
unable to load CRL
1340:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:662:Expecting: X509 CRL

Please help

Thanks

Eldi
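
Ryan's questions (is it PEM, does it carry the armor) can be checked mechanically before running `openssl crl`. The following Python sketch is an added example, not part of the original thread; the poster's test.pem is not shown on the page, so the sample inputs are constructed, and the function name and status strings are hypothetical.

```python
import base64
import binascii
import re

# A PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def check_pem_input(data, expected=b"X509 CRL"):
    """Classify a file the way a PEM reader looking for `expected` sees it.

    Returns (status, hint). Only the armor and the outer DER tag are checked;
    the content is not parsed as a CRL.
    """
    blocks = PEM_BLOCK_RE.findall(data)
    for label, body in blocks:
        if label != expected:
            continue
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            return "bad-base64", "armor found but the body is not valid base64"
        if der[:1] != b"\x30":
            return "bad-der", "decoded body does not start with a DER SEQUENCE"
        return "ok", "found a %s block" % expected.decode()
    if blocks:
        # This is the "no start line ... Expecting: X509 CRL" case: the file
        # is PEM, but it holds some other object (for example a certificate).
        found = ", ".join(sorted({label.decode() for label, _ in blocks}))
        return "wrong-label", "PEM armor present, but for: " + found
    if data[:1] == b"\x30":
        # Heuristic: DER objects of this kind start with a SEQUENCE tag (0x30).
        return "der", "looks like raw DER; try: openssl crl -inform DER -in FILE -text"
    return "no-armor", "no -----BEGIN line and not DER"


def armor(label, der):
    """Wrap DER bytes in PEM armor with the given label."""
    return (b"-----BEGIN " + label + b"-----\n"
            + base64.encodebytes(der)
            + b"-----END " + label + b"-----\n")


# Constructed inputs: a minimal DER SEQUENCE { INTEGER 0 }, not a real CRL.
DUMMY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLES = {
    "cert.pem": armor(b"CERTIFICATE", DUMMY_DER),
    "crl.pem": armor(b"X509 CRL", DUMMY_DER),
    "crl.der": DUMMY_DER,
    "notes.txt": b"Certificate Revocation List (CRL):\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_pem_input(data))
```

A file that reports `wrong-label` with CERTIFICATE is a certificate rather than a CRL, which `openssl x509 -in FILE -text` will display.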








RE: errors building openssl 0.9.6b on Solaris 8

2001-07-25 Thread Tony Vo



Are you logged in as root (in order to have write permission)?

-----Original Message-----
From: Faine, Mark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 10:44 AM
To: '[EMAIL PROTECTED]'
Subject: errors building openssl 0.9.6b on Solaris 8

I get this error message:

make[1]: Entering directory `/export/home6/temp/openssl-0.9.6b/apps'
rm -f openssl
gcc -o openssl -DMONOLITH -I../include -fPIC -DTHREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-DBN_DIV2W openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o
passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o
dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o
apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o
pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.. -lssl -L.. -lcrypto -lsocket
-lnsl -ldl
/var/ld: installation problem, cannot exec `/var/ld': Permission denied
collect2: ld returned 255 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory `/export/home6/temp/openssl-0.9.6b/apps'
make: *** [sub_all] Error 1

Any help would be appreciated.

-Mark

Re: errors building openssl 0.9.6b on Solaris 8

2001-07-25 Thread Paul Allen

Mark,

You wrote:

> I get this error message:
>
> make[1]: Entering directory `/export/home6/temp/openssl-0.9.6b/apps'
> rm -f openssl
> gcc -o openssl -DMONOLITH -I../include -fPIC -DTHREADS -D_REENTRANT
> -DDSO_DLFCN -DHAVE_DLFCN_H -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
> -DBN_DIV2W openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o
> passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o
> dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o
> apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o
> pkcs12.o pkcs8.o spkac.o smime.o rand.o  -L.. -lssl -L.. -lcrypto -lsocket
> -lnsl -ldl
> /var/ld: installation problem, cannot exec `/var/ld': Permission denied
> collect2: ld returned 255 exit status
> make[1]: *** [openssl] Error 1
> make[1]: Leaving directory `/export/home6/temp/openssl-0.9.6b/apps'
> make: *** [sub_all] Error 1
>
> Any help would be appreciated.

Oh, come on.  If you did know what the problem was, what would it be?
(Sorry.  Patience wears thin at the end of the day.)

Your compiler is getting a permission denied error when it tries to exec
the linker.  Either your compiler, your linker, or both are incorrectly
installed.

Good luck!

Paul Allen
-- 
Boeing Phantom Works   \ Paul L. Allen, (425) 865-3297
Math & Computing Technology  \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group



Re: Errors in Demo serv and cli

2000-11-27 Thread Tom Biggs

At 11:16 AM 11/27/00 -0500, Antai wrote:

> Client side:
> 11691:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
> seeded:md_rand.c:474:You need to read the OpenSSL FAQ,
> http://www.openssl.org/support/faq.html
> ...
> How to avoid the error?

The error message told you what you needed to know:
"PRNG not seeded"
and
"You need to read the OpenSSL FAQ"

Did you read the OpenSSL FAQ?


If I were a psychic, I'd guess that you are
doing this on a Solaris system.  But I'm not.



Tom Biggs
'89 FJ1200 DoD #1146

"The whole aim of practical politics is to keep the populace alarmed -
and hence clamorous to be led to safety - by menacing it with an endless
series of hobgoblins, all of them imaginary."  -- H.L. Mencken





RE: errors in SSL_connect() session caching overload

2000-10-19 Thread p . wagemans

Louis LeBlanc wrote:

> Just in case anyone is interested, I have come across a problem with
> the SSL session caching.  Under heavy load, my app would dump core,
> sometimes the core exceeded 300MB (though a good part of this was
> memory allocated for application functionality).  The problem
> disappeared when I turned off client side session caching.
>
> If anyone has experience with this, a quick rundown would be greatly
> appreciated.

I've seen this with an old stunnel client too. It did not attempt to
re-use client side sessions (this is not automatic), so every connect
resulted in a new session, and they were all put into the cache. This
cache can get pretty big under heavy load (if I remember correctly
only timed-out sessions are purged). All these new sessions also put
an extra crypto load on the server.

The current stunnel code (3.8p4) tries to re-use sessions, using
SSL_set_session (see ssl.c). It doesn't show the same problem, so you
might want to look at it to see if your application can use the same
technique.

Hope this helps.

Peter Wagemans




Re: Errors after upgrading to OpenSSL 0.9.5

2000-02-29 Thread Bennett Samowich

This post is just for the error tracking...

I am running (Apache/1.3.11 Ben-SSL/1.38) and the change from OpenSSL-0.9.4 
to OpenSSL-0.9.5 was uneventful.  I'm not sure if I needed to recompile 
Apache or not in order to fully use the new OpenSSL package.

Cheers,
- Bennett




Re: Errors after upgrading to OpenSSL 0.9.5

2000-02-29 Thread Lutz Jaenicke

On Tue, Feb 29, 2000 at 01:08:39AM -0500, Peter Avalos wrote:
> After upgrading from OpenSSL 0.9.4 to 0.9.5, I get this error when trying to
> start apache:
> [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
>
> I can't find any information about this error.
>
> Here's some info about my webserver:
> [notice] Apache/1.3.12 (Unix) PHP/3.0.15 mod_ssl/2.6.0 OpenSSL/0.9.4
>
> BSD/OS xenon 4.0.1 BSDI BSD/OS 4.0.1 Kernel #2: Tue Feb 22 22:50:55 PST 2000
> pavalos@xenon:/usr/src/sys/compile/XENON  i386

Hi,

I just experienced the same problem (but I have been prepared :-)
OpenSSL 0.9.5 is more picky about the correct seeding of the PRNG
(pseudo random number generator). It seems (did not check this out *) that the
internal seed generation
 SSLRandomSeed startup builtin
is not good enough anymore (not enough entropy bits).
You must now explicitly seed the PRNG as described. Since you have a BSD
derivative you might have a /dev/urandom device. Use
 SSLRandomSeed startup file:/dev/urandom 512
If you don't have one, you must load entropy bits from another source.
Specify a file containing random bits as in
 SSLRandomSeed startup file:/etc/postfix/random_file 1024
I recommend obtaining EGD (described in the OpenSSL 0.9.5 docs) in this case.
It includes a sample script egc.pl, so that you can
 perl5 egc.pl /var/run/egd-pool read 255 > /etc/postfix/random_file
before starting apache.
Of course, your filenames will be different :-)

Since 0.9.5 includes support for EGD, Ralf should consider including a
 SSLRandomSeed startup egd:/path/to/egd-socket
feature into mod_ssl.

Best regards,
Lutz

(*) I did not trace the mod_ssl startup, but after seeding the PRNG as
described, Apache/mod_ssl started up fine. Hence I am quite confident that
my guess is not too far off.
(Note) When /dev/urandom is available, the OpenSSL-library might use it
for additional seeding directly without asking anybody about it. So probably
you don't have /dev/urandom and users of Linux (and some other OS) will not
be able to reproduce this effect.
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: ERRORS

1999-12-09 Thread Bodo Moeller

hari krishna [EMAIL PROTECTED]:

> I am trying to install on PC-SOLARIS ver2.7 with gcc
> ver 2.7.2.3 and perl ver 5.004_03.
>
> Any body knows what is it and the resolution.

See INSTALL, lines 122-124.



Re: ERRORS Compiling Latest openssl-SNAP-19990802

1999-08-03 Thread Bodo Moeller

Howard Uman [EMAIL PROTECTED]:

> When I issue my usual request to ./Configure the openssl-SNAP-19990802, I
> have been using "solaris-usparc-cc" as my compiler, but that option appears
> to be gone  This worked as recently as the openssl-SNAP19990725 file.
> What to do?

Simply trying "./config", which guesses the platform and runs
Configure, is one possibility; or run ./Configure without options to
see which platforms are available; or look at the actual definitions
in Configure.