Re: openssl 1.1.1k on solaris 2.6 sparc

2021-06-24 Thread Jeff Wieland
eems to ease up. -- Michael Wojcik You can build it on Solaris 10 SPARC, using Studio 12.2 for 32 bit, and Studio 12.4 for 64 bit.  Make sure that these are fully patched up. -- Jeff Wieland, UNIX Systems Administrator Purdue University IT Infrastructure Services UNIX Platforms

Re: building openssl 1.1.1 for Solaris 10

2020-04-08 Thread Jeff Wieland
matter of linking with an additional library. -- Michael Wojcik Distinguished Engineer, Micro Focus On Solaris 10, you need to link with -lrt to pick up the clock_gettime functions.  If you do something like "export LDFLAGS='-lrt'" before you invoke Configure, it should wo

[openssl-users] Which protocols should my client support?

2017-04-24 Thread Jeff Archer
and so will be updating my app at this time anyway. Also, since they are my company's servers, I will be notified ahead of time that change is coming. Thanks, Jeff -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How do I connect to this server

2017-04-24 Thread Jeff Archer
a demo server which does not require this additional username/password. I am able to connect to the user using a browser by putting the username/password into the url. This proves that I know the correct username/password but has no other relevance. Jeff Archer jeffarch...@gmail.com On Fri, A

[openssl-users] How do I connect to this server

2017-04-21 Thread Jeff Archer
I have a server that requires that username and password be used as https://username:passw...@server.com How do I specify this username and password when using SSL_connect()? Thanks, Jeff -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
plan on building for x86 and you configure for VC-WIN32, then be sure you open the x86 command prompt, and not the x64 one. If you want to build for x64, then be sure to configure with VC-WIN64A, and be sure to open a x64 developer command prompt. If you have the correct command prompt open, then p

Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
I installed ActivePerl and got a lot further I now get link errors. Please see below. The commands are the same: perl Configure VS-WIN64A and nmake: "C:\Perl64\bin\perl.exe" "util\mkdef.pl" "crypto" 32 > libcrypto-1_1-x64.def "C:\Perl64\bin\perl.exe" -i.tmp -pe "s|^LIBRARY\s+cr

Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
On 10/01/17 18:34, jeff saremi wrote: > D:\repos\openssl2\openssl-1.1.0c>perl -v > > This is perl 5, version 22, subversion 1 (v5.22.1) built for > x86_64-msys-thread-multi > Copyright 1987-2015, Larry Wall You are using msys perl but doing a VC build. See this extract

Re: [openssl-users] Build problems on Windows

2017-01-10 Thread jeff saremi
ssl-users@openssl.org Subject: Re: [openssl-users] Build problems on Windows On 10/01/2017 05:04, jeff saremi wrote: > > Hello > > I downloaded openssl-1.1.0c and i'm trying to build this on Windows 10 > using Visual Studio 2015. I'm following the INSTALL and NOTES.WIN > ins

[openssl-users] Build problems on Windows

2017-01-09 Thread jeff saremi
Hello I downloaded openssl-1.1.0c and i'm trying to build this on Windows 10 using Visual Studio 2015. I'm following the INSTALL and NOTES.WIN instructions however I get stopped rather quickly with file not found issues.. I have also installed nasm. The build fails for 32 or 64 with slightly d

Re: [openssl-users] OpenSSL 1.0.2h reports speed test results as 0 secs and Infk ops/sec

2016-11-29 Thread Jeff Wieland
ys times shouldn't be 0.0. -- Jeff Wieland, UNIX/Network Systems Administrator Purdue University IT Infrastructure Services UNIX Platforms -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL 1.0.2h reports speed test results as 0 secs and Infk ops/sec

2016-09-12 Thread Jeff Wieland
md2's in 0.00s ... They appear to work fine on the other SPARC machines that I can get test it on. -- Jeff Wieland, UNIX/Network Systems Administrator Purdue University IT Infrastructure Services UNIX Platforms -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL 1.0.2h reports speed test results as 0 secs and Infk ops/sec

2016-09-12 Thread Jeff Wieland
Dennis Clarke wrote: On 09/11/2016 03:44 PM, Jeff Wieland wrote: I see the same thing on Sun Blade 150 (650Mhz), with OpenSSL 1.0.2h compiled with Studio 12.2 -- and with a Sun Fire V100 (550Mhz). It works correctly on a Sun Fire V240 (1.5Ghz), a Sun Ultra 10 (440Mhz), a Sun Fire T1000, and

Re: [openssl-users] OpenSSL 1.0.2h reports speed test results as 0 secs and Infk ops/sec

2016-09-11 Thread Jeff Wieland
bit builds. It looks like you're building and running this on an UltraSPARC 2e architecture system -- this is what the SB150 and the V100 are. -- Jeff Wieland, UNIX/Network Systems Administrator Purdue University IT Infrastructure Services UNIX Platforms Dennis Clarke wrote: Strange results

[openssl-users] libssl.so.1.0.0

2016-01-12 Thread Jeff Archer
I am building from source that came from openssl-1.0.2e.tar.gz but it appears to be producing output of libssl.so.1.0.0. Is this what I should expect? Jeff Archer jeffarch...@gmail.com ___ openssl-users mailing list To unsubscribe: https

Re: OpenSSL Security Advisory

2014-06-06 Thread Jeff Wieland
nnouncement Mailing List openssl-annou...@openssl.org Automated List Manager majord...@openssl.org -- Jeff Wieland| Purdue University Network Systems Administrator |ITIS UNIX Platforms Voice: (765)496-8234

Re: OpenSSL Security Advisory

2014-06-05 Thread Jeff Wieland
nnouncement Mailing List openssl-annou...@openssl.org Automated List Manager majord...@openssl.org -- Jeff Wieland| Purdue University Network Systems Administrator |ITIS UNIX Platforms Voice: (765)496-8234 |

Re: Is it possible that calling ssl_accept in multi-threading circumstance will result in app to crash?

2014-04-14 Thread 2234822 jeff
? Is there a possibility that some OpenSSL structures are being shared between the threads, right? 2014-03-26 17:37 GMT+08:00 Bodo Moeller : > jeff : > > I keep getting some application crash in openssl module, I checked the >> dumps and stacks and found that although the s

Is it possible that calling ssl_accept in multi-threading circumstance will result in app to crash?

2014-03-26 Thread 2234822 jeff
Dear users, I keep getting some application crash in openssl module, I checked the dumps and stacks and found that although the stacks vary, the ssl_accept function is found on all of them, below are some of examples. I google the related information about this, looks like there is some problem wh

Addition of TLS 1.2 client-side support causing failures to Windows servers

2014-01-17 Thread Jeff Franklin
the same server it will report that 'Secure Renegotiation IS supported'. Does anyone have any idea what's going on? Can someone recommend some next steps I can try? Thanks, -- Jeff Franklin Software Engineer, Identity and Access Management UW Informa

Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Jeff Trawick
1process 13262 "fing" 0x0086d1fc in read () > Ouch/I'll shut up now. (I think there's something very basic going wrong/getting corrupted if a segfault is reported in the syscall interface.) > On Thu, Oct 10, 2013 at 7:19 PM, Jeff Trawick wrote: > > On T

Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Jeff Trawick
On Thu, Oct 10, 2013 at 11:50 AM, Angelin Lalev wrote: > Greetings, > I could use some help. > > I'm getting segmentation fault from this code: > >/* Init the openssl library */ > SSL_load_error_strings(); > SSL_library_init(); > > ctx=SSL_CTX_new(SSLv3_client_metho

Re: redirected input to s_client on Windows: Any trick to avoid the keypress?

2013-10-06 Thread Jeff Trawick
On Thu, Oct 3, 2013 at 5:32 PM, Ben Laurie wrote: > > > > On 3 October 2013 22:14, Jeff Trawick wrote: > >> E.g., run >> >> echo GET / | openssl s_client -connect host:port >> >> It does the handshake then stalls until you press a key (which will

Re: redirected input to s_client on Windows: Any trick to avoid the keypress?

2013-10-04 Thread Jeff Trawick
On Fri, Oct 4, 2013 at 9:17 AM, Salz, Rich wrote: > When you run it interactively, does it work right away or do you need to > hit TWO returns? > It works right away. The keypresses trigger the read of stdin (since the WaitForSingleObject(stdin) is bypassed due to the OPENSSL_SYS_MSDOS issue),

Re: redirected input to s_client on Windows: Any trick to avoid the keypress?

2013-10-03 Thread Jeff Trawick
On Thu, Oct 3, 2013 at 5:14 PM, Jeff Trawick wrote: > E.g., run > > echo GET / | openssl s_client -connect host:port > > It does the handshake then stalls until you press a key (which will be > left unused in the buffer when openssl exits), then it sends the input. I > gue

redirected input to s_client on Windows: Any trick to avoid the keypress?

2013-10-03 Thread Jeff Trawick
E.g., run echo GET / | openssl s_client -connect host:port It does the handshake then stalls until you press a key (which will be left unused in the buffer when openssl exits), then it sends the input. I guess the kbhit() in the s_client code is what is waking it up. I've played around with var

RE: openSSL 1.0.0g on hpux-11i

2012-03-05 Thread Jeff and Lita Pratt
is mentioned in its README, in the section about usage with GPG. JcP The larger the island of knowledge, the longer the shoreline of wonder. -- R. W. Sockman -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeff & Lita

openSSL 1.0.0g on hpux-11i

2012-03-02 Thread Jeff & Lita Pratt
I'm a newbie with openssl, trying to get it installed so I can build cURL libraries. My system does not have /dev/random, etc, so I downloaded, built, and installed the egd daemon. It appears to be running: $ ll $HOME/.rnd -rw--- 1 jeff lms 1024 Mar 2 12:30

Re: Help Needed: SSL Connect starting from a weird state

2011-10-22 Thread Jeff Saremi
ion, the call always failed on the same spot; the same call to RAND_pseudo_byes each time, not before or after. This was regardless of how many successful calls were made prior to. Jeff __ OpenSSL Project

Help Needed: SSL Connect starting from a weird state

2011-10-20 Thread Jeff Saremi
ear the beginning of ssl23_client_hello(): buf=(unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) How can my code start in this state? Any hints would be appreciated. thanks jeff

Re: Running SSL on own socket code

2011-06-03 Thread Jeff Saremi
Yes it was as straightforward as you mentioned. Thanks to those who responded. jeff On 11-06-02 05:47 AM, Neo Liu wrote: > > > On Wed, Jun 1, 2011 at 10:22 PM, Victor Duchovni > <mailto:victor.ducho...@morganstanley.com>> wrote: > > On Tue, May 31, 2011 at 09

Running SSL on own socket code

2011-06-01 Thread Jeff Saremi
I'd like to know the feasibility or complexity around using my own socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of BIOs to read and write would that be sufficient? How tightly integrated the code is with bio_connect and bio_socket? t

Valgrind Suppressed Leak on dlfcn_globallookup

2011-05-13 Thread Jeff Saremi
I'd like to eliminate this suppressed error in valgrind. Does anyone have any idea? I have my cleanup code also pasted farther below ==3317== 20 bytes in 1 blocks are still reachable in loss record 1 of 1 ==3317==at 0x402425F: calloc (vg_replace_malloc.c:467) ==3317==by 0x4063105: _dlerror_

Re: Possibility to create CRL without the CA key

2011-05-02 Thread Jeff Saremi
read my post: http://www.mail-archive.com/openssl-users@openssl.org/msg63740.html On 11-05-02 06:50 AM, Viliam Ďurina wrote: > Hello, > > I'm doing my own CA with openssl and want to regularly generate CRLs. > We plan limited use of the CA (say 1-2 certificates per year), so the > CA private key

Re: CRL validation must be skipped for certs with no CRLDPs

2011-03-21 Thread Jeff Saremi
If I just try to describe the problem in a different way it would be: According to the RFC, is it an error for a certificate and its chain not to have any CRLs and CRL distribution points? If the answer to the above is yes, then what OpenSSL does is OK because the programmer would have to explici

Re: CRL validation must be skipped for certs with no CRLDPs

2011-03-19 Thread Jeff Saremi
I'm not sure how you read this. I read it like a programmer. In programming primitives, the spec would be coded like this: Here's the spec: "This algorithm begins by assuming that the certificate is not revoked For each distribution point (DP) in the certificate's CRL distribution points exten

CRL validation must be skipped for certs with no CRLDPs

2011-03-18 Thread Jeff Saremi
alidation failure in validation callback) for the normal process of certificate/CRL validation to take its course. Is this a reasonable expectation? thanks Jeff * Original Problem Statement Re: Need Help with Programmatic Downloading+Checking of CRLs ... > So as per previo

Re: Handling Indirect CRL Issuer

2011-03-18 Thread Jeff Saremi
With great many thanks to Dr. Henson for not only responding to every post I have had so far but also for providing solid guidance on how to address the problem leading to the heading of this thread, I am adding some extra material and some verbatim quotes from Dr. Henson here so that they might be

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-18 Thread Jeff Saremi
> There are other "out of band" mechanisms where a CRL might be available but > not mentioned in a CRLDP. OpenSSL has no way of telling what those might be > and if the absence is really an error or not. > > The best you can do is trap the issuer error in the verify callback and ignore > it if app

How can I make CertificateIssuer extension show up in CRL Entries?

2011-03-17 Thread Jeff Saremi
command line option of config entry for that? thanks jeff __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager

Re: Handling Indirect CRL Issuer

2011-03-17 Thread Jeff Saremi
It looks like we need to support indirect CRL Issuers at least for CRL's issued for ourselves. I have done most of the work. It looks I don't quite know how to generate CRLs with the indirect CRL issuer or I don't know how to generate the CRL issuer's certificate using the root certificate. So I

Handling Indirect CRL Issuer

2011-03-17 Thread Jeff Saremi
the cert to the store? (using X509_STORE_add_cert()?) Any other steps? thanks jeff __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-17 Thread Jeff Saremi
CRL checking? Is that something I should be doing in lookup_crl? Or should the framework be smart enough not to even ask me for a CRL in this case? thanks jeff __ OpenSSL Project http

what does X509_STORE_get1_crls() return and how?

2011-03-17 Thread Jeff Saremi
If I call X509_STORE_get1_crls(ctx, nm) with nm being the issuer name, the method is supposed to return a list of CRL's with that issuer name. How does it do that when it comes to CRLs issued by a CRL issuer authorized by the original issuer? Does it use Authority Key Identifier? thanks,

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-16 Thread Jeff Saremi
> Try supplying your own lookup_crls() implementation instead. This can be much > simpler and just needs to return any CRLs which match the supplied X509_NAME > value. If there are multiple CRLs it will pick the most appropriate. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core develope

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-16 Thread Jeff Saremi
0 > > Hi Jeff: > > If you are looking for a solution that not only handles CRL but OCSP as well, > you might want to check out Pathfinder: > > http://www.carillon.ca/tools/pathfinder.php > > It allows you to easily add a custom callback to the _verify() routines that

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Jeff Saremi
o of the same calls to get_crl() with the same issuer. There is a possibility that one could check X509_STORE and fill the passed parameter X509_CRL** with that. - For certificates which do not have a CRL distribution point, what is one supposed to do? Return 0 or 1? What should the X509_CRL** be fil

Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Jeff Saremi
I seriously need help with this piece. I searched the forum and I could not find what i was looking for. During an SSL handshake, I need to be able to examine the CRL distribution points on a certificate (chain), download them, and pass them along to OpenSSL for further revocation checks. I thought

Cert Verification based on CRL when least expected

2011-03-12 Thread Jeff Saremi
at's the one stop that I think all errors are caught. Now i need guidance on the best way to troubleshoot this. Is there a debug flag or print flag I can turn on during the certificate validation to see all details? I ca

RE: SSL_VERIFY_PEER and the presence of client's X509 certificate after the handshake

2010-12-18 Thread Jeff Saremi
So this is some minor debugging I did to get to this problem. Modified the following methods to add two printf lines: ssl_lib.c: X509 *SSL_get_peer_certificate(const SSL *s) { X509 *r; if ((s == NULL) || (s->session == NULL)) { printf("SSL_get_p

SSL_VERIFY_PEER and the presence of client's X509 certificate after the handshake

2010-12-15 Thread Jeff Saremi
ll to SSL_get_peer_certificate() returns null after a successful SSL accept is done on the server. My question is if there are conditions under which one cannot rely on the presence of the peer certificate even if SSL_VERIFY_PEER is set? thanks

Enhancement Request: 64bit BIO API

2010-10-12 Thread Jeff Saremi
ve and beyond what is there now -acts like 32 under 32bits (add 'l' or '64' prefixes or suffixes at will) - as a transparent approach: in 64bit compilations you get 64bit versions otherwise 32 - as a complementary set always available regardless of the underlying addressin

RE: Getting detailed ssl-handshake debug output

2010-10-11 Thread Jeff Saremi
I received the answer in a direct email and just wanted to share it here too: - command line: openssl s_client -state -debug -connect host:port - programmatic: One can look in the callback mechanism used in the above, specifically in apps/s_cb.c ___

Getting detailed ssl-handshake debug output

2010-10-08 Thread Jeff Saremi
I'd like to know if there's a way -- programmatic, config, environment -- that I can get detailed print of what goes on during a handshake at the client or the server? Below is the output from Apache Tomcat as an example of the level of details i'm looking for: http-442-1, READ: TLSv1 Handshake,

Re: 64bit BIOs and support in OpenSSL

2010-10-06 Thread Jeff Saremi
Are there any plans to change this? Getting streams larger than 4GB is not very unusual these days anymore. > On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote: > > > Does BIO support 64 bit IO (large files)? If so would the rest of > > OpenSSL (such as the s

64bit BIOs and support in OpenSSL

2010-10-04 Thread Jeff Saremi
Does BIO support 64 bit IO (large files)? If so would the rest of OpenSSL (such as the ssl itself) support those BIOs? I configured the build with 64bit support and didn't see any noticeable changes. Specifically, I'd like to know if BIO_tell() is able to return a 64bit value?

Is there a function to invoke ad-hoc to report an error without having to load/unload strings?

2010-08-25 Thread Jeff Saremi
uncts[]= { {ERR_FUNC(BIO_F_ACPT_STATE),"ACPT_STATE"}, {ERR_FUNC(BIO_F_BIO_ACCEPT),"BIO_accept"}, ... } static ERR_STRING_DATA BIO_str_reasons[]= { {ERR_REASON(BIO_R_ACCEPT_ERROR) ,"accept error"}, {ERR_REASON(BIO_R_BAD_FOPEN_MODE) ,&q

Re: dynamic locks don't get cleaned up

2010-08-20 Thread Jeff Saremi
4,496 allocs, 4,496 frees, 137,484 bytes allocated ==3959== >>> ==3959== All heap blocks were freed -- no leaks are possible On 10-08-18 04:28 PM, Jeff Saremi wrote: > any takers from the openssl team? true, false? known issue, user error? > anything? > > On 10-08-17 04:23 PM,

Re: dynamic locks don't get cleaned up

2010-08-18 Thread Jeff Saremi
any takers from the openssl team? true, false? known issue, user error? anything? On 10-08-17 04:23 PM, Jeff Saremi wrote: > I apologize if this shows up more than once. I've been having problems > sending emails out, all day. > > First I encountered this with valgrind but

dynamic locks don't get cleaned up

2010-08-17 Thread Jeff Saremi
I apologize if this shows up more than once. I've been having problems sending emails out, all day. First I encountered this with valgrind but then I decided to have openssl print the leaks and it was also confirmed. I have reduced my code to the following two lines. Prior to this of course init

Re: My custom engine_finish method does not get called through ENGINE_finish

2010-08-13 Thread Jeff Saremi
/* Release the functional reference from ENGINE_init() */ ENGINE_finish(e); /* Release the structural reference from ENGINE_by_id() */ ENGINE_free(e); } On 10-08-13 09:23 AM, Jeff Saremi wrote: > I'm trying to use my custom engine however I cannot get it to clean up &

My custom engine_finish method does not get called through ENGINE_finish

2010-08-13 Thread Jeff Saremi
I'm trying to use my custom engine however I cannot get it to clean up nicely. For the initialization i used the sample in openssl ENGINE(3) documentation. Here's how it goes: ENGINE *loadEngine() { ENGINE *e; e = ENGINE_by_id(MY_ENGINE_ID); if(!e) ENG

Re: Procedure to define and add new lock types?

2010-08-09 Thread Jeff Saremi
CRYPTO_set_dynlock_create_callback CRYPTO_set_dynlock_lock_callback CRYPTO_set_dynlock_destroy_callback The desired lock type is passed in the struct CRYPTO_dynlock_value * parameter to the cusom dynlock_lock_callback. On 10-08-09 09:18 AM, Jeff Saremi wrote: > In my engine, i'd like to use a new

Procedure to define and add new lock types?

2010-08-09 Thread Jeff Saremi
y way of defining and adding this lock? thanks jeff This email contains Morega Systems Inc. Privileged and Confidential information. __ OpenSSL Project http://www.openssl.org User Support Mailing

Re: Frustration with method based on EVP_PKEY_METHOD

2010-07-08 Thread Jeff Saremi
OK. Thanks for replying. On Thu, 2010-07-08 at 18:59 +0200, Dr. Stephen Henson wrote: > The only current example of an external EVP_PKEY_METHOD (in the gost ENGINE) > implements everything from scratch. > > It is perfectly reasonable for another implementation to copy existing methods > or inter

Frustration with method based on EVP_PKEY_METHOD

2010-07-08 Thread Jeff Saremi
There are no "get" methods. If there's any rationale behind this, I'd love to know that. thanks jeff This email contains Morega Systems Inc. Privileged and Confidential information. __ OpenSSL Project

ENGINE: RSA_METHOD->rsa_keygen does not behave like other function pointers

2010-07-04 Thread Jeff Saremi
To avoid having to override every RSA function, I could fill my engine's custom RSA_METHOD with methods from RSA_PKCS1_SSLeay. Alternatively I could have my functions wrap the internal OpenSSL functions. For instance: int myEngineRsaModExp(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx) { int rc

ENGINE: where are corresponding 'save' methods for ENGINE_set_load_pub/privatekey_function?

2010-07-04 Thread Jeff Saremi
How does one provide own engine functions for saving public and private keys? thanks jeff This email contains Morega Systems Inc. Privileged and Confidential information. __ OpenSSL Project http

Re: How to free SSL_METHOD structure

2010-06-21 Thread jeff
here any way to create unique instances of this struct to possibly achieve some of the goals above? thanks jeff > > There isn't one. It is a static structure. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. This email contains Morega Systems Inc. P

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-05 Thread jeff
[ permitted_trust_ca_DN ] O=good CN=Good The problem went away. I revised my script to have a good test case and a failed one. The latest are attached for those who may benefit from this. Thanks to Victor Duchovni and Dr. Stephen Henson for providing guidance and help. jeff On Sat,

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-05 Thread jeff
I tested this openssl 1.0.0. Error 34 is gone now but now error 47 shows up which shows the name constraint is being applied. However, it's being applied or verified in a way that I don't understand. To show you I have simplified the test. Generating only one end certificate and specifying one very

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-04 Thread jeff
yes it's 0.98 I'll do a test with 1.0 before Monday and i'll let everyone know This email contains Morega Systems Inc. Privileged and Confidential information. __ OpenSSL Project http://www.openss

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-04 Thread jeff
e updated script and config file are enclosed. jeff On Fri, 2010-06-04 at 11:20 +0200, Dr. Stephen Henson wrote: > Try this instead: > > openssl verify -CAfile root.pem -untrusted cas.pem badcert.pem > > Where "root.pem" contains the root CA only and "cas.pem" i

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-04 Thread jeff
I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates. Yes I later tried to "verify" and I still got no

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-04 Thread jeff
I will try to include complete attachments with examples. In the mean time I had to say that I was also told (aside from the one of the replies on this thread) that the enforcement of the constraints would be at the time of verification. Therefore I took the following steps to "verify" the produce

NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread jeff
I miss something when creating the sub-CA certificate or issuing the user certificate? thanks/jeff "openssl.cnf" lines for Root CA when issued the sub-CA's certificate: ... nameConstraints = critical,@name_const_section [ name_const_section ] e

Q: Ramifications of creating new X509-Store and setting it in SSL_CTX while SSL_accept's being done

2010-05-14 Thread Jeff Saremi
In order to update the CRLs in our server socket and due to seemingly lack of any CRL update methods, I decided to create new X509_STOREs and set them in the SSL_CTX every time there's a change in the CRL list. I'd like to know the effects of that if at the same time new SSLs being created, setup

validating signature against cert

2009-10-01 Thread Jeff Strope
he signing certificate via openssl? Any help would be appreciated. Best, Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated Li

SSL_get_peer_certificate fails with 0.9.8k, works with 0.9.8j

2009-05-01 Thread Jeff Davey
p using gcc 4.3.3 I tried doing a quick diff between 0.9.8j, and 0.9.8k, but didn't see anything obvious. Any ideas? Thanks, Jeff

OpenSSL 0.9.8h and Win64A

2008-06-05 Thread Melnick, Jeff
r the help. Jeff Melnick Sr Engineer <http://www.securecomputing.com/> Your trusted source for enterprise security(tm) www.securecomputing.com <http://www.securecomputing.com/> NASDAQ: SCUR +1 (925) 288-4154 (Direct Phone) +1 (651) 307-1471 (Mobile Phone) +1 (925)

Re: sk_value causes seg fault

2008-04-08 Thread Jeff Amiel
--- <[EMAIL PROTECTED]> wrote: > > #0 0xfee8ec23 in sk_value () from /usr/local/ssl/lib/libcrypto.so.0.9.8 > #1 0xfef5b05b in ssl3_output_cert_chain () from > /usr/local/ssl/lib/libssl.so.0.9.8 > #2 0x in ?? () > > This appears to be version 0.9.8e Sorry for wasting your time

sk_value causes seg fault

2008-04-08 Thread Jeff Amiel
Openssl team, I've had a recurring problem utilizing postgresql over SSL on our Solaris platform (had a similar problem on FreeBSD but one thing at a time). Essentially, when clients connect and read/write using SSL to our database, the result is a segfault. It was happening predominantly wit

How to enable ssl?

2008-03-25 Thread Jeff Andrews
Hey I was wondering how I enable ssl to cover all my ports and such. I downloaded and installed but I want to cover all my ports with it and I don't know how to enable it. Is there a GUI I can use? Thanks, Jeff - Be a better friend, newshound, and know

RE: newer versions of openssl via yum

2008-02-13 Thread Jeff
Victor, Thanks for the reply. "openssl version" reports: OpenSSL 0.9.8a 11 Oct 2005 Looks like I should take this up with the folks at Fedora... Best, -Jeff -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni Sent: Wednesday, F

newer versions of openssl via yum

2008-02-12 Thread Jeff
I have some Fedora 5 systems on which I'd like to upgrade openssl. I'm currently running 0.9.8a-5.4, which is reported by yum as the latest version: > yum list openssl Installed Packages openssl.i686 0.9.8a-5.4 installed Available Packages openssl.i386

Re: CryptoSwift 200 PCI Card Errors

2007-08-25 Thread Jeff
somewhere. Richard Levitte wrote: In message <[EMAIL PROTECTED]> on Sat, 25 Aug 2007 16:51:42 -0700 (PDT), Jeff said: dvdrom_box> Ok, so I guess no-shared is the option I should be using. dvdrom_box> dvdrom_box> And I'm entering -engine cswift, the error message says it dvdr

Re: CryptoSwift 200 PCI Card Errors

2007-08-25 Thread Jeff
t the errors I get from that make me think that they're not interchangeable. Richard Levitte wrote: In message <[EMAIL PROTECTED]> on Sat, 25 Aug 2007 16:17:38 -0700 (PDT), Jeff said: dvdrom_box> Thanks... dvdrom_box> My libcswift.so is in /usr/local/ssl/lib/engines d

Re: CryptoSwift 200 PCI Card Errors

2007-08-25 Thread Jeff
Thanks... My libcswift.so is in /usr/local/ssl/lib/engines I set LD_LIBRARY_PATH, OPENSSL_ENGINES, and SHLIB_PATH to that path directory and still get the same error. One more thing, I've tried several running the openssl config script with different options to get it to work. Using "shared" bu

CryptoSwift 200 PCI Card Errors

2007-08-25 Thread Jeff
Hello, I've been trying to get this card, Rainbow CryptoSwift 200, to work with openssl without any success. When I do "openssl speed -engine cswift" I get: DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:100:filename(libswift.so): libswift.so: cannot open shared

ip changes prevent ssl

2006-09-02 Thread jeff sacksteder
I have a server on a dynamic ip address. If the ip address changes I can no longer establish connections. Although my certs refer to a dns name rather than an ip, if the dns is updated to reflect the new address, ssl fails. If the application is restarted, everything works with no changes. It appea

RE: Question on error creating server key

2006-03-24 Thread Jeff Gross
er file x509_extensions = usr_cert # The extentions to add to the cert == == Somehow the KEY_DIR is not getting the backslash inserted or the where the name of the key to use, the backslash is missing. I'm really not sur

RE: Question on error creating server key

2006-03-24 Thread Jeff Gross
s are going much smoother. The other issue is definitely my lack of understanding of the openssl.cnf file. That too I'm starting to catch onto. Everyone's suggestions have helped tremendously. Thanks. */Jeff/* -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROT

Question on error creating server key

2006-03-24 Thread Jeff Gross
Hi, I'm new to all this, thank God I found this forum When I build the server key using command : build-key-server server I keep getting the following error: Error opening CA private key "C:\Program Files\OpenVPN\easy-rsa\keys"/ca.key 2648:error:0200107B:system library:fopen:Unknown

Re: Silly CA/certs questions...

2006-02-22 Thread Jeff Wiegley
up the main/earlier pages geared towards the true newbs such as myself. I haven't set up a wiki before. I'll look into later today or tomorrow afternoon. If anybody has suggestions for what wiki software to use I'd like to hear them. (My publication expertise is in the TeX/LaTe

Silly CA/certs questions...

2006-02-21 Thread Jeff Wiegley
ative certificate so that clients automatically accept certificates signed by the result. The only thing I can offer is that if you help me then I will attempt to write a very detailed and accurate description of the process so that newbs like me don't have su

Re: HPUX compile woes

2006-01-26 Thread Jeff Fulmer
On Thu, Jan 26, 2006 at 12:58:21PM -0800, Rick Jones wrote: > >>Second, _which_ gcc version? > > > > > >Reading specs from > >/opt/gcc/lib/gcc-lib/hppa2.0n-hp-hpux11.00/2.95.2/specs > >gcc version 2.95.2 19991024 (release) > > Are you still running 11.0? > Yeah, B.11.00 -- #include int main(

Re: HPUX compile woes

2006-01-26 Thread Jeff Fulmer
On Thu, Jan 26, 2006 at 12:08:36PM -0800, Rick Jones wrote: > Jeff Fulmer wrote: > >I'm trying to compile openssl-0.9.8a on HPUX with the following > >configuration: > > > >#!/bin/sh > > > >./config \ > > --prefix=/usr/local/ssl \ > >

HPUX compile woes

2006-01-26 Thread Jeff Fulmer
irectory `/home/jdfulmer/src/openssl-0.9.8a/crypto/bio' make[1]: *** [subdirs] Error 1 make[1]: Leaving directory `/home/jdfulmer/src/openssl-0.9.8a/crypto' make: *** [build_crypto] Error 1 Any thoughts? Cheers, Jeff -- #include int main(){int a[]={74,117,115,116,32,97,1

Seeking Merge Module

2005-12-13 Thread Jeff Bowman
Hello   Does anyone know whether a Windows Installer Merge Module is available for OpenSSL?   Thanks, Jeff Bowman  

Seeking Merge Module

2005-12-12 Thread Jeff Bowman
Hello   Does anyone know whether a Windows Installer Merge Module is available for OpenSSL?   Thanks, Jeff Bowman  
