From owner-openssl-users@openssl.org  Tue Jan  1 00:41:14 2002
Message-ID: <3C30F66B.7BCB930C@att.net>
Date: Mon, 31 Dec 2001 18:36:11 -0500
From: Frank Geck <fgeck@att.net>
Organization: KeyWay Security
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: openssl-users@openssl.org
Subject: Re: Problem with PKCS7 verify
References: <3C307BF3.32ED7139@att.net> <3C30917E.8B940DAE@gemplus.com> <3C3097A5.B7E06FA3@att.net> <3C30B062.CBD5D54F@gemplus.com>

Thanks.  Well did not use PKCS7_verify() because I could not find examples using
it.  Since you wrote it I guess you might have some examples?

As you know lots of this is undocumented and it's hard to figure out what to use.

Thanks,

Frank

Dr S N Henson wrote:

> Frank Geck wrote:
> >
> > Steve,
> >     Thanks.  How did I " tells it to ignore verify errors.."?   Did not do
> > that on purpose to my understanding.
> >
>
> Well there's a tendency to copy some of the verify callback examples in
> various files from OpenSSL. These are largely there for debugging
> purposes and to give more information about errors. These will typically
> return 1 in some or all circumstances when the supplied 'ok' parameter
> is zero. From your example:
>
>         if (!ok)
>         {
>                 BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
>                         X509_verify_cert_error_string(err));
>                 if (depth < 6)
>                 {
>                         ok=1;
>                         X509_STORE_CTX_set_error(ctx,X509_V_OK);
>                 }
>         ...
>
> This is actually rather dangerous for real purposes in that it's telling
> the verify code to ignore all errors below a certain depth. Effectively
> allowing any certificate (or chain) to be considered valid.
>
> Unless you want to customize certificate verification in some way you
> rarely need a verify callback at all.
>
> >     Well I put the CA cert in the store with a link to the hashed name also
> > with a .0 after it.  This worked on another program that I did but I seem to
> > be having a problem now.  If you don't mind could you look at the piece of
> > code that I have doing this and see if you see any problems (attached)?
> >
>
> Is there some reason you can't use PKCS7_verify()? It's somewhat simpler
> to use than the low level stuff.
>
> Also try verifying the structure using the 'smime' application. If you
> can get it working with that it should be OK. Also you can use the
> openssl utilities 'pkcs7' (to extract certificates) and 'verify' to see
> if you can get the certificate to verify.
>
> Usually the cause of such errors is that the root CA isn't included or
> can't be found in the trusted certificate store.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: shenson@drh-consultancy.demon.co.uk
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: drh@celocom.com PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majordomo@openssl.org


From owner-openssl-users@openssl.org  Tue Jan  1 01:13:07 2002
Message-ID: <3C30FF40.8A865E40@gemplus.com>
Date: Tue, 01 Jan 2002 00:13:52 +0000
From: Dr S N Henson <stephen.henson@gemplus.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: openssl-users@openssl.org
Subject: Re: Problem with PKCS7 verify
References: <3C307BF3.32ED7139@att.net> <3C30917E.8B940DAE@gemplus.com> <3C3097A5.B7E06FA3@att.net> <3C30B062.CBD5D54F@gemplus.com> <3C30F66B.7BCB930C@att.net>

Frank Geck wrote:
> 
> Thanks.  Well did not use PKCS7_verify() because I could not find examples using
> it.  Since you wrote it I guess you might have some examples?
> 
> As you know lots of this is undocumented and it's hard to figure out what to use.
> 

Well currently there's the stuff in apps/smime.c. The function is pretty
simple to use:

int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                                    BIO *indata, BIO *out, int flags);

p7 is the PKCS#7 structure to verify

certs is some optional additional certificates which will be searched to
find the signers certificate, normally NULL.

store is a trusted certificate store.

indata is the signed data (if not included in the PKCS#7 structure) 

out is a BIO to write the data to.

flags is various flags, normally set to 0.

I'll look into adding some docs for this stuff.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: shenson@drh-consultancy.demon.co.uk 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: drh@celocom.com PGP key: via homepage.

From owner-openssl-users@openssl.org  Tue Jan  1 01:23:08 2002
Date: Mon, 31 Dec 2001 19:21:29 -0500 (EST)
From: Sankaran Narayanan <sankaran@cs.columbia.edu>
To: <openssl-users@openssl.org>
Subject: openssl on ipv6
Message-ID: <Pine.GSO.4.31.0112311919560.2228-100000@metro.cs.columbia.edu>

...i suppose right now openssl does not natively provide support
for IPv6...is there a plan to add one? or, if i want to enable IPv6
support - is writing a BIO the correct thing to do?

comments appreciated.
-------------------------------------------------------------------
Sankaran Narayanan		http://www.cs.columbia.edu/~sankaran


From owner-openssl-users@openssl.org  Tue Jan  1 04:22:07 2002
Date: Tue, 01 Jan 2002 04:20:28 +0100 (MET)
Message-Id: <20020101.042028.125120844.levitte@stacken.kth.se>
To: openssl-users@openssl.org, sankaran@cs.columbia.edu
Subject: Re: openssl on ipv6
From: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
In-Reply-To: <Pine.GSO.4.31.0112311919560.2228-100000@metro.cs.columbia.edu>
References: <Pine.GSO.4.31.0112311919560.2228-100000@metro.cs.columbia.edu>

From: Sankaran Narayanan <sankaran@cs.columbia.edu>

sankaran> ...i suppose right now openssl does not natively provide support
sankaran> for IPv6...is there a plan to add one? or, if i want to enable IPv6
sankaran> support - is writing a BIO the correct thing to do?

Either change the appropriate BIOs or make your own similar that's
specific to IPv6.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus:             http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

From owner-openssl-users@openssl.org  Tue Jan  1 15:25:10 2002
From: "Scott Frazor" <frazors@wtama.net>
To: <openssl-users@openssl.org>
Subject: RE: Memory Leak??  I can't find it.
Date: Mon, 31 Dec 2001 12:11:02 -0600
Message-ID: <000c01c19226$81f25740$83e2a741@plainsdev>
In-Reply-To: <4c3a94819e.4819e4c3a9@lgsi.co.in>

Dr H.  If you get a chance could you look at this.

Thanks Bharath,

I gave it a try and it didn't make any difference, although it certainly
didn't hurt.  It was worth a shot.

The memory leak seems to happen every 3 or 4 connections/transfers.  It
increases by 4K or 8K and never releases the memory back.  For 2 or 3
connections/transfers there is no indication of a leak, then on the 3rd or
4th transfer memory will jump usually by 4K, sometimes by 8K.  I'm trying to
find a pattern, but so far, no luck.

Remember, I am making/breaking connection and sending a packet of
approximately 360 bytes, once each second (or so).  Am I cycling too fast
for SSL to release resources maybe?

Pulling out hair on this one,
Scott

-----Original Message-----
From: owner-openssl-users@openssl.org
[mailto:owner-openssl-users@openssl.org]On Behalf Of T Bharath
Sent: Friday, December 28, 2001 1:46 AM
To: openssl-users@openssl.org
Cc: openssl-users@openssl.org
Subject: Re: Memory Leak?? I can't find it.


Make sure to call
ERR_remove_state(0);
in all threads after the transfer
      ERR_remove_state() frees the error queue associated with
      thread pid.  If pid == 0, the current thread will have its
      error queue removed.

      Since error queue data structures are allocated
      automatically for new threads, they must be freed when
      threads are terminated in order to avoid memory leaks.

Regards
Bharath


----- Original Message -----
From: "Scott Frazor" <frazors@wtama.net>
Date: Thursday, December 27, 2001 1:58 pm
Subject: Memory Leak??  I can't find it.

> Any input would be most helpful.  I'm new at this and not sure I'm doing
> everything in order or everything that is necessary.
>
> I have written a client that processes data at about 1 packet per second.
> The requirements are that I create a new SSL connection and socket
> connection for each transaction and then close the SSL connection and close
> the socket.
>
> As I process the transactions I notice that I use up approximately 8K and it
> is never released back to the application.  Before long the system runs out
> of resources/memory.
>
> Here are the calls I am making to open the socket, SSL and write and read
> data, shut them down and free them.  Everything runs fine except the leak.
>
>
>    SSL_METHOD:= SSLv3_client_method();
>    SSLeay_add_ssl_algorithms()
>    SSL_CTX:=SSL_CTX_new(SSL_METHOD)
>    SSL_CTX_set_cipher_list(SSL_CTX,'ALL')
>    SSL_CTX_set_options(SSL_CTX,SSL_OP_ALL)
>    SSL_CTX_set_info_callback(SSL_CTX, @ssl_InfoCallback);
>    SSL_CONNECTION:=SSL_new(SSL_CTX);
>    SSL_clear(SSL_CONNECTION);
>    SSL_BIO:= f_BIO_new_socket(sd,BIO_NOCLOSE);
>    SSL_set_bio(SSL_CONNECTION,SSL_BIO,SSL_BIO);
>    SSL_set_connect_state(SSL_CONNECTION);
>    SSL_connect(SSL_CONNECTION) > 0 then ......
>    SSL_do_handshake(SSL_CONNECTION);
>    SSL_get_error(SSL_CONNECTION,i);
>    ........
>    SSL_write
>   .........
>    SSL_read
>   .........
>   ssl_shutdown(SSL_CONNECTION);
>    if SSL_CONNECTION <> nil then ssl_free(SSL_CONNECTION);
>
>    err:=winsock.closesocket(sd);
>
>    if err=WSAEWOULDBLOCK then
>       winsock.closesocket(sd);
>
> Thanks for looking this over,
> Scott
>
>


From owner-openssl-users@openssl.org  Wed Jan  2 00:42:22 2002
Date: Wed, 2 Jan 2002 10:40:31 +1100 (EST)
Message-Id: <200201012340.g01NeVF04354@name-ext.deetya.gov.au>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Subject: RE: HELP: making under Win32
From: "PARKER,Myles" <myles.parker@dewr.gov.au>
To: <openssl-users@openssl.org>

Noel,

I haven't compiled 0.9.6c, but I just finished compiling 0.9.6b - I didn't
get any macro errors but I ran into the final problem with cryptlib.h!!

Here are the instructions (as sent to me by my new pal Pascal Janse van
Vuuren in NZ who helped so much with this problem a week or so ago):-

Right, I'm going to go through all the steps EXACTLY as I'm doing them now
- to get you a good build of OpenSSL. The first thing, I'm using Winzip 8.0,
Visual C++ 6.0 Enterprise edition and ActiveState Perl, as suggested by
OpenSSL.

The first step I did was to extract "openssl-0.9.6b.tar.gz" to the root
directory, specifying that it should use Folder Names. (So it creates a
folder called "openssl-0.9.6b".) I'm using my D:\ drive, so it ends up as

D:\openssl-0.9.6b

The drive is completely irrelevant, you can put it on anything from C:\ to
Z:\. The path is also irrelevant, I normally use
D:\Programming\@wgdev\openssl - so anything should work. I've attached a
listing with a copy of the directory tree in it. You can compare yours to it.

Then, I opened a command prompt and typed the following commands:

1. D:
2. cd\openssl-0.9.6b
3. "d:\program files\microsoft visual studio\vc98\bin\vcvars32.bat"
4. perl Configure VC-WIN32
5. ms\do_ms
6. nmake -f ms\ntdll.mak

The important bit here is the vcvars32.bat which ISN'T mentioned in the
install.w32

	Good Luck!
		Myles Parker
	IT Security Team,
	Communications & IT Security Section


-----Original Message-----
From: Noel Burton-Krahn [mailto:noel@burton-krahn.com]
Sent: Saturday, 29 December 2001 11:08
To: openssl-users@openssl.org
Subject: HELP: making under Win32


I'm trying to compile openssl-0.9.6c under win32 without much success. I
follow the instructions in INSTALL.WIN32.  Here's how it goes:

(1) perl Configure VC-WIN32
...
Configured for VC-WIN32.

(2) ms\do_nasm.bat

(3) nmake -f ms/ntdll.mak

ms/ntdll.mak(239) : fatal error U1001: syntax error : illegal character
'^M' in macro

The ntdll.mak file is totally screwed up.  It has references for files
like ./..h, paths like '.\\cryptlib.h' and even \r chars in its macros!

(4) ok, strip all \r chars and \\

perl -i.bak -pne 's/\r//g; s/\\\\/\\/g' ms/ntdll.mak
nmake -f ms/ntdll.mak

NMAKE : fatal error U1073: don't know how to make '.\cryptlib.h'

This just isn't working at all.  Has anyone built openssl under Win32?
(not cygwin!)

-----------------------------------------------------
Noel Burton-Krahn       CTO, Mercurial Communications
noel@burton-krahn.com   200B-1630 Store St.
phone: 250-380-2006     Victoria, BC 
cell:  250-888-0864     V8W 1V3
fax:   250-380-2008


From owner-openssl-users@openssl.org  Wed Jan  2 01:02:08 2002
Subject: EVP_* Routines
From: Chris Plant <chris@monkeyircd.org>
To: openssl-users@openssl.org
Content-Type: multipart/mixed; boundary="=-tTL3bh49jASmpuDoTskp"
X-Mailer: Evolution/1.0 (Preview Release)
Date: 02 Jan 2002 00:00:19 +0000
Message-Id: <1009929619.9747.2.camel@fry.111balmoral.co.uk>
Mime-Version: 1.0


--=-tTL3bh49jASmpuDoTskp
Content-Type: text/plain
Content-Transfer-Encoding: 7bit



I've compiled the attached code, and it doesn't decrypt the text
correctly.  If anyone could explain why to me, or point out a nice
tutorial about using these routines, it would be much appreciated.

ircd_malloc() is basically malloc() with memset().


Chris Plant

<chris@monkeyircd.org>

--=-tTL3bh49jASmpuDoTskp
Content-Disposition: attachment; filename=enpress.h
Content-Type: text/x-c; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

#ifndef _ENPRESS_H_

#define _ENPRESS_H_

#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>

struct _encryption_contexts {
	EVP_CIPHER_CTX decrypt;
	EVP_CIPHER_CTX encrypt;
};

typedef struct _encryption_contexts * EncryptInfo;


int encrypt_buffer(EncryptInfo,unsigned char *,unsigned char *,int *);
int decrypt_buffer(EncryptInfo,unsigned char *,unsigned char *,int);
EncryptInfo generate_key(unsigned char *);

#endif

--=-tTL3bh49jASmpuDoTskp
Content-Disposition: attachment; filename=test.c
Content-Type: text/x-c; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include "enpress.h"

int main(int argc,char **argv)
{
	int sockets[2];
	char *key="somekeys";
	EncryptInfo e_info=NULL;

	e_info=generate_key(key);
	socketpair(AF_UNIX,SOCK_STREAM,0,sockets);

	if(!fork()) {
		/* Sending process */
		char buffer[512]="NICK Chunky\n\r\0";
		char enc_buffer[512];
		char out_buffer[512];
		int length,enc_length;

		encrypt_buffer(e_info,buffer,enc_buffer,&enc_length);

		ircd_sprintf(out_buffer,5,"%04d",enc_length);
		send(sockets[0],out_buffer,4,0);
		send(sockets[0],enc_buffer,enc_length,0);

	} else {
		/* Receiving process */
		char in_buffer[512];
		char clean_buffer[512];
		char length_buffer[5];
		int length,clean_len;

		recv(sockets[1],length_buffer,4,0);
		length_buffer[4]='\0';
		printf("String is %s\n",length_buffer);
		length=atoi(length_buffer);
		printf("Number is %d\n",length);

		recv(sockets[1],in_buffer,length,0);

		clean_len=decrypt_buffer(e_info,in_buffer,clean_buffer,length);
		clean_buffer[clean_len]='\0';

		printf("Cleaned buffer, it is %s\n",clean_buffer);

	}
}

--=-tTL3bh49jASmpuDoTskp
Content-Disposition: attachment; filename=enpress.c
Content-Type: text/x-c; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

/* This file is part of Chunky Monkey IRCD
 *
 * Chunky Monkey IRCD is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Chunky Monkey IRCD is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Chunky Monkey IRCD; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * $Id: enpress.c,v 1.1 2001/12/31 22:05:14 lloydy Exp $
 *
 */
#include "enpress.h"
#include "utility.h"
#include "logger.h"

/*
 * Lots of casting in here, until I sus out a better way of dealing with things
 */

/*
 * Encrypt buffer using key
 */
int encrypt_buffer(EncryptInfo info,unsigned char *buffer,unsigned char *enc_buffer,int *enc_len)
{
	unsigned char enc_tmp_buffer[512];
	int enc_tmp_len=0;

	*enc_len=0;

	EVP_EncryptUpdate(&(info->encrypt),enc_tmp_buffer,&enc_tmp_len,buffer,strlen( (const char *)buffer));
	*enc_len+=enc_tmp_len;
	strncpy(enc_buffer,enc_tmp_buffer,enc_tmp_len);

	EVP_EncryptFinal(&(info->encrypt),enc_tmp_buffer,&enc_tmp_len);
	*enc_len+=enc_tmp_len;
	strncat(enc_buffer,enc_tmp_buffer,enc_tmp_len);

	return (*enc_len);
}

/*
 * Decrypt buffer using key
 * Assume the buffer is > 512 bytes long
 */
int decrypt_buffer(EncryptInfo info,unsigned char *buffer,unsigned char *clean,int len)
{
	char denc_tmp_buffer[512];
	int tmp_len=0,out_len=0;


	EVP_DecryptUpdate(&(info->decrypt),denc_tmp_buffer,&tmp_len,buffer,len);
	out_len+=tmp_len;
	strncpy(clean,denc_tmp_buffer,tmp_len);

	if(!EVP_DecryptFinal(&(info->decrypt),denc_tmp_buffer,&tmp_len)) {
		printf("Failed to decrypt correctly\n");
	}
	out_len+=tmp_len;
	strncat(clean,denc_tmp_buffer,tmp_len);


	return out_len;

}

/*
 * Generate a blowfish key using the text
 */
EncryptInfo generate_key(unsigned char *key_text)
{
	EncryptInfo new=NULL;
	unsigned char key[EVP_MAX_KEY_LENGTH];
	unsigned char iv[EVP_MAX_IV_LENGTH];

	if(!lc_strncmp(key_text,"*",-1)) {
		return NULL;
	}

	new = ircd_malloc(sizeof(struct _encryption_contexts));

	EVP_BytesToKey(EVP_bf_cbc(),EVP_md5(),NULL,key_text,strlen(key_text),1,key,iv);
	EVP_EncryptInit(&(new->encrypt),EVP_bf_cbc(),key,iv);
	EVP_DecryptInit(&(new->decrypt),EVP_bf_cbc(),key,iv);

	return new;
}


--=-tTL3bh49jASmpuDoTskp--


From owner-openssl-users@openssl.org  Wed Jan  2 01:21:05 2002
Message-ID: <3C3252B3.481D6714@gemplus.com>
Date: Wed, 02 Jan 2002 00:22:11 +0000
From: Dr S N Henson <stephen.henson@gemplus.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: openssl-users@openssl.org
Subject: Re: EVP_* Routines
References: <1009929619.9747.2.camel@fry.111balmoral.co.uk>

Chris Plant wrote:
> 
> I've compiled the attached code, and it doesn't decrypt the text
> correctly.  If anyone could explain why to me, or point out a nice
> tutorial about using these routines, it would be much appreciated.
> 
> ircd_malloc() is basically malloc() with memset().
> 

There's an example in the EVP_EncryptInit manual page. It also includes
the comment:

>         /* Need binary mode for fopen because encrypted data is
>          * binary data. Also cannot use strlen() on it because
>          * it wont be null terminated and may contain embedded
>          * nulls.
>          */

This is one problem with your code: you are using strncpy and strncat.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: shenson@drh-consultancy.demon.co.uk 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: drh@celocom.com PGP key: via homepage.
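
Added example (not part of the thread): what joining the EVP_EncryptUpdate() and EVP_EncryptFinal() outputs with strncpy/strncat does to binary data, as in the posted encrypt_buffer(), next to a length-tracked memcpy join. The two 8-byte chunks are constructed sample bytes, not real Blowfish output; bytebuf and the function names are chosen here.

```c
/* Added example, not code from the thread. Plain C, no OpenSSL needed. */
#include <stdio.h>
#include <string.h>

#define OUT_CAP 512

/* Constructed stand-ins for the outputs of EVP_EncryptUpdate() and
 * EVP_EncryptFinal(): 8-byte blocks containing 0x00, as ciphertext may. */
static const unsigned char UPDATE_OUT[8] = {0x9c, 0x00, 0x41, 0xe7, 0x00, 0x13, 0xb2, 0x5d};
static const unsigned char FINAL_OUT[8]  = {0x00, 0x7a, 0xf1, 0x00, 0x00, 0x88, 0x3c, 0xd4};

/* Join the two chunks the way the posted encrypt_buffer() does. */
static size_t join_with_str(unsigned char *out, const unsigned char *a, size_t alen,
                            const unsigned char *b, size_t blen)
{
    memset(out, 0, OUT_CAP);                      /* deterministic contents for the comparison */
    strncpy((char *)out, (const char *)a, alen);  /* stops copying at the first 0x00 in a */
    strncat((char *)out, (const char *)b, blen);  /* appends at the first 0x00 already in out */
    return alen + blen;                           /* the length the caller believes it has */
}

/* Binary-safe buffer: the byte count is carried explicitly, never inferred. */
typedef struct {
    unsigned char data[OUT_CAP];
    size_t len;
} bytebuf;

/* Append n bytes; refuse (return 0) instead of writing past the buffer. */
static int bytebuf_append(bytebuf *bb, const unsigned char *src, size_t n)
{
    if (n > sizeof bb->data - bb->len)
        return 0;
    memcpy(bb->data + bb->len, src, n);
    bb->len += n;
    return 1;
}

/* Number of positions at which two n-byte buffers differ. */
static size_t count_mismatches(const unsigned char *want, const unsigned char *got, size_t n)
{
    size_t i, bad = 0;
    for (i = 0; i < n; i++)
        if (want[i] != got[i])
            bad++;
    return bad;
}

/* Expected ciphertext is simply UPDATE_OUT followed by FINAL_OUT. */
static void expected_join(unsigned char want[16])
{
    memcpy(want, UPDATE_OUT, sizeof UPDATE_OUT);
    memcpy(want + sizeof UPDATE_OUT, FINAL_OUT, sizeof FINAL_OUT);
}

/* Corrupted bytes produced by the strncpy/strncat join. */
static size_t str_join_mismatches(void)
{
    unsigned char want[16], got[OUT_CAP];
    size_t n;
    expected_join(want);
    n = join_with_str(got, UPDATE_OUT, sizeof UPDATE_OUT, FINAL_OUT, sizeof FINAL_OUT);
    return count_mismatches(want, got, n);
}

/* Corrupted bytes produced by the length-tracked join (should be none). */
static size_t safe_join_mismatches(void)
{
    unsigned char want[16];
    bytebuf bb;
    bb.len = 0;
    expected_join(want);
    if (!bytebuf_append(&bb, UPDATE_OUT, sizeof UPDATE_OUT) ||
        !bytebuf_append(&bb, FINAL_OUT, sizeof FINAL_OUT) || bb.len != sizeof want)
        return sizeof want;
    return count_mismatches(want, bb.data, bb.len);
}

int main(void)
{
    printf("strncpy/strncat join: %lu of 16 bytes wrong\n",
           (unsigned long)str_join_mismatches());
    printf("memcpy join:          %lu of 16 bytes wrong\n",
           (unsigned long)safe_join_mismatches());
    return 0;
}
```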

From owner-openssl-users@openssl.org  Wed Jan  2 02:07:09 2002
Message-ID: <20020102010515.32170.qmail@web20205.mail.yahoo.com>
Date: Tue, 1 Jan 2002 17:05:15 -0800 (PST)
From: Kurt <skurtn@yahoo.com>
Subject: alpha, mod_ssl, apache, _OtsRemainder32Unsigned undefined symbol
To: openssl-users@openssl.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Kurt <skurtn@yahoo.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Hi there,

I've been trying to run apache (1.3.12) and mod_ssl
(2.6.6-1.3.12).  I've also tried using both OpenSSL
0.9.5a and 0.9.6c (for my purposes, both perform
identically).  Everything compiles fine, however
when I attempt to run 'apachectl startssl' it says the
following:

[root@tokyo bin]# ./apachectl startssl
Syntax error on line 208 of
/usr/local/apache/conf/httpd.conf:
Cannot load /usr/local/apache/libexec/libssl.so into
server: /usr/local/apache/libexec/libssl.so: undefined
symbol: _OtsRemainder32Unsigned
./apachectl startssl: httpd could not be started

However, 'apachectl start' works just fine. 
'apachectl configtest' says "Syntax OK".
Line 207, 208, and 209 are as follows:
   <IfDefine SSL>
   LoadModule ssl_module         libexec/libssl.so
   </IfDefine>

I've compiled mod_ssl and apache more ways than you
can shake a stick at.  One of the many ways I've
compiled each was the following:

mod_ssl:
  ./configure \
     --with-apache=../apache_1.3.12 \
     --with-ssl=../openssl-0.9.5a \
     --prefix=/usr/local/apache \
     --enable-module=ssl \
     --enable-module=all \
     --enable-shared=max \
     --enable-rule=EAPI

apache:
   make
   make certificate TYPE=custom
   make install

I am compiling and running this on an alpha 600
running the 2.2.16 Linux kernel.  When I compile
OpenSSL it uses the platform version of
'linux-alpha+bwx-ccc'.  Lastly, I sent mail to the
mod_ssl user list and someone commented about it
looking like an openssl build issue.  Any ideas?

Thanks a bunch,
Kurt



From owner-openssl-users@openssl.org  Wed Jan  2 10:37:09 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id KAA16498; Wed, 2 Jan 2002 10:36:12 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from novou13.novogroup.com id KAA16453; Wed, 2 Jan 2002 10:35:24 +0100 (MET)
Received: from helexc04.novogroup.com ([62.236.77.30])
          by novou13.novogroup.com (Netscape Messaging Server 3.6)
           with ESMTP id AAA429D for <openssl-users@openssl.org>;
          Wed, 2 Jan 2002 11:35:12 +0200
Received: by helexc04.novogroup.com with Internet Mail Service (5.5.2653.19)
	id <C1RV0S9T>; Wed, 2 Jan 2002 11:28:22 +0200
Message-ID: <3785FE3BF539D411A49D00508B956A1802D4461B@helexc04.novogroup.com>
From: Wirta Ville <Ville.Wirta@novogroup.com>
To: openssl-users@openssl.org
Subject: Static OpenSSL lib in NT with VC++
Date: Wed, 2 Jan 2002 11:28:21 +0200 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Wirta Ville <Ville.Wirta@novogroup.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Hi!

Has anyone tried building (and using) static OpenSSL (0.9.6c) libraries on
Win NT? I'm building with VC++ and get the following error: (I don't suffer
from these with dynamic libs)

Linking...
MSVCRT.lib(MSVCRT.dll) : error LNK2005: _time already defined in
LIBCMT.lib(time.obj)

there are about 25 more of those all dealing with common functions like
memmove, strncpy etc. I told the linker to ignore LIBCMT.lib ...with no
better success. I know this is an environment question and probably has
nothing to do with OpenSSL but just with my project files, but I'd
appreciate a helping hand if there's one available :-)

Thanks!       VW


From owner-openssl-users@openssl.org  Wed Jan  2 10:49:11 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id KAA16985; Wed, 2 Jan 2002 10:48:15 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from shell.webmaster.com id KAA16969; Wed, 2 Jan 2002 10:47:30 +0100 (MET)
Received: from whenever ([206.171.168.130]) by shell.webmaster.com
          (Post.Office MTA v3.5.3 release 223 ID# 0-12345L500S10000V35)
          with SMTP id com for <openssl-users@openssl.org>;
          Wed, 2 Jan 2002 01:47:24 -0800
From: David Schwartz <davids@webmaster.com>
To: <openssl-users@openssl.org>
X-Mailer: PocoMail 2.51 (995) - Registered Version
Date: Wed, 2 Jan 2002 01:47:23 -0800
In-Reply-To: <3785FE3BF539D411A49D00508B956A1802D4461B@helexc04.novogroup.com>
Subject: Re: Static OpenSSL lib in NT with VC++
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <20020102094724.AAA72@shell.webmaster.com@whenever>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by opensource.ee.ethz.ch id KAA16976
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: David Schwartz <davids@webmaster.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users


	Sounds like a classic case of mixing use of the multithreaded run-time 
library with use of the single-threaded run-time library. You should compile 
both OpenSSL and all your appls with the multi-threaded run-time library. 
(Who writes single-threaded apps on WIN32 anyway?!)

	DS

On Wed, 2 Jan 2002 11:28:21 +0200, Wirta Ville wrote:
>Hi!
>
>Has anyone tried building (and using) static OpenSSL (0.9.6c) libraries on
>Win NT? I'm building with VC++ and get the following error: (I don't suffer
>from these with dynamic libs)
>
>Linking...
>MSVCRT.lib(MSVCRT.dll) : error LNK2005: _time already defined in
>LIBCMT.lib(time.obj)
>
>there are about 25 more of those all dealing with common functions like
>memmove, strncpy etc. I told the linker to ignore LIBCMT.lib ...with no
>better success. I know this is an environment question and probably has
>nothing to do with OpenSSL but just with my project files, but I'd
>appreciate a helping hand if there's one available :-)
>
>Thanks!       VW
>




From owner-openssl-users@openssl.org  Wed Jan  2 12:16:13 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id MAA22148; Wed, 2 Jan 2002 12:15:18 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from zoidberg.111balmoral.co.uk id MAA22124; Wed, 2 Jan 2002 12:14:47 +0100 (MET)
Received: from fry.111balmoral.co.uk (fry.111balmoral.co.uk [192.168.0.10])
	by zoidberg.111balmoral.co.uk (8.12.1/8.12.1) with ESMTP id g02BEhSQ017613
	for <openssl-users@openssl.org>; Wed, 2 Jan 2002 11:14:44 GMT
Subject: Re: EVP_* Routines
From: Chris Plant <chris@monkeyircd.org>
To: openssl-users@openssl.org
In-Reply-To: <3C3252B3.481D6714@gemplus.com>
References: <1009929619.9747.2.camel@fry.111balmoral.co.uk> 
	<3C3252B3.481D6714@gemplus.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution/1.0 (Preview Release)
Date: 02 Jan 2002 11:14:52 +0000
Message-Id: <1009970093.1432.0.camel@fry.111balmoral.co.uk>
Mime-Version: 1.0
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Chris Plant <chris@monkeyircd.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

ok, thanks.

I did look at the EVP_EncryptInit man page, but the code I had there
was loosely based on some code I found on the net; they probably had the
same problem.


Chris

<chris@monkeyircd.org>


From owner-openssl-users@openssl.org  Wed Jan  2 12:46:15 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id MAA23017; Wed, 2 Jan 2002 12:45:18 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from novou13.novogroup.com id MAA22998; Wed, 2 Jan 2002 12:44:48 +0100 (MET)
Received: from helexc04.novogroup.com ([62.236.77.30])
          by novou13.novogroup.com (Netscape Messaging Server 3.6)
           with ESMTP id AAA130D for <openssl-users@openssl.org>;
          Wed, 2 Jan 2002 13:44:39 +0200
Received: by helexc04.novogroup.com with Internet Mail Service (5.5.2653.19)
	id <C1RV0TKN>; Wed, 2 Jan 2002 13:37:49 +0200
Message-ID: <3785FE3BF539D411A49D00508B956A1802D4461D@helexc04.novogroup.com>
From: Wirta Ville <Ville.Wirta@novogroup.com>
To: "'openssl-users@openssl.org'" <openssl-users@openssl.org>
Subject: RE: Static OpenSSL lib in NT with VC++
Date: Wed, 2 Jan 2002 13:37:48 +0200 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Wirta Ville <Ville.Wirta@novogroup.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Okay, I'll bet you're right :-) How do I build OpenSSL with multithread
option on? The option is on in my project so I'm guessing it must be off in
OpenSSL's nt.mak? At least there's "/MD"-option which is the same as in the
ntdll.mak... Should it be /MT? I tried that but still keep getting the very
same errors :-( Could there be other options also upside down?

	yours  VW


-----Original Message-----
From: David Schwartz [mailto:davids@webmaster.com]
Sent: Wednesday, January 02, 2002 11:47 AM
To: openssl-users@openssl.org
Subject: Re: Static OpenSSL lib in NT with VC++



	Sounds like a classic case of mixing use of the multithreaded run-time
library with use of the single-threaded run-time library. You should compile
both OpenSSL and all your appls with the multi-threaded run-time library.
(Who writes single-threaded apps on WIN32 anyway?!)

	DS

On Wed, 2 Jan 2002 11:28:21 +0200, Wirta Ville wrote:
>Hi!
>
>Has anyone tried building (and using) static OpenSSL (0.9.6c) libraries on
>Win NT? I'm building with VC++ and get the following error: (I don't suffer
>from these with dynamic libs)
>
>Linking...
>MSVCRT.lib(MSVCRT.dll) : error LNK2005: _time already defined in
>LIBCMT.lib(time.obj)
>
>there are about 25 more of those all dealing with common functions like
>memmove, strncpy etc. I told the linker to ignore LIBCMT.lib ...with no
>better success. I know this is an environment question and probably has
>nothing to do with OpenSSL but just with my project files, but I'd
>appreciate a helping hand if there's one available :-)
>
>Thanks!       VW
>

From owner-openssl-users@openssl.org  Wed Jan  2 13:22:06 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id NAA24293; Wed, 2 Jan 2002 13:21:06 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from smtp01.mrf.mail.rcn.net id NAA24279; Wed, 2 Jan 2002 13:20:28 +0100 (MET)
Received: from r9yg033687aa.hlb.cable.rcn.com ([209.122.65.31] helo=remington.iconsinc.net.iconsinc.com)
	by smtp01.mrf.mail.rcn.net with esmtp (Exim 3.33 #10)
	id 16LkNe-0005SG-00
	for openssl-users@openssl.org; Wed, 02 Jan 2002 07:20:26 -0500
From: "Andrew W. Gray" <agray@iconsinc.com>
To: openssl-users@openssl.org
In-reply-to: <3785FE3BF539D411A49D00508B956A1802D4461D@helexc04.novogroup.com>
	(Ville.Wirta@novogroup.com)
Subject: Re: Static OpenSSL lib in NT with VC++
References:  <3785FE3BF539D411A49D00508B956A1802D4461D@helexc04.novogroup.com>
Message-Id: <E16LkNe-0005SG-00@smtp01.mrf.mail.rcn.net>
Date: Wed, 02 Jan 2002 07:20:26 -0500
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: "Andrew W. Gray" <agray@iconsinc.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

http://www.openssl.org/support/faq.html#PROG2


From owner-openssl-users@openssl.org  Wed Jan  2 15:47:12 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id PAA28800; Wed, 2 Jan 2002 15:46:12 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via SMTP for <openssl-users@openssl.org>
	from mail.crown.de id PAA28776; Wed, 2 Jan 2002 15:45:22 +0100 (MET)
Received: from [212.6.157.9] by mail.crown.de (NTMail 3.03.0018/1.bnzv) with ESMTP id va184413 for <openssl-users@openssl.org>; Wed, 2 Jan 2002 15:41:38 +0100
Message-Id: <5.1.0.14.2.20020102151904.0249d008@mail.crown.de>
X-Sender: js@mail.crown.de
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 02 Jan 2002 15:43:54 +0100
To: openssl-users@openssl.org
From: "J. Schroeder" <js@crown.de>
Subject: Problems with Virtual Hosts (Apache) and OpenSSL
In-Reply-To: <E16LkNe-0005SG-00@smtp01.mrf.mail.rcn.net>
References: <3785FE3BF539D411A49D00508B956A1802D4461D@helexc04.novogroup.com>
 <3785FE3BF539D411A49D00508B956A1802D4461D@helexc04.novogroup.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: "J. Schroeder" <js@crown.de>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Hi there,

I use Apache 1.3.20 with OpenSSL on Windows NT 4. I also use Virtual Hosts 
with Apache.
So my problem is the following: I defined a lot of Virtual Hosts (see 
below). I use a lot of hosts
only on port 80, but some other hosts on port 443 for SSL. For the hosts 
with SSL, I use different
IP addresses, so that each host with SSL has its own IP.
When I try to start Apache, I get the message:
"Mixing * ports and non-* ports with a NameVirtualHost address is not 
supported, proceeding with
undefined results." So what can I do? I tell you shortly what I want to have...

1. I want to run a lot of hosts on port 80 on this machine (most hosts have 
the same IP)
2. I want to run also some hosts with SSL (443), where each host (SSL) has 
its own IP.

Maybe, I only have to put a ":80" behind every "normal" host and a ":443" 
behind every SSL-host?!
I hope, someone can help me... Thank you!

Here is my definition of the virtual hosts:

NameVirtualHost xxx.xxx.xxx.xxx (for a lot of hosts only on port 80)
NameVirtualHost yyy.yyy.yyy.yyy (for only one SSL host)


<VirtualHost xxx.xxx.xxx.xxx>
...
ServerName host1.domain.com
...
</VirtualHost>


<VirtualHost xxx.xxx.xxx.xxx>
...
ServerName host2.domain.com
...
</VirtualHost>


<VirtualHost yyy.yyy.yyy.yyy:443>
...
ServerName ssl_host.domain.com
...
</VirtualHost>


Best regards, J. Schroeder



From owner-openssl-users@openssl.org  Wed Jan  2 16:37:10 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA00426; Wed, 2 Jan 2002 16:36:15 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from vic.cc.purdue.edu id QAA00382; Wed, 2 Jan 2002 16:35:16 +0100 (MET)
Received: from VIC3 (vic3.cc.purdue.edu [128.210.135.172])
	by vic.cc.purdue.edu (8.11.6/8.11.6) with SMTP id g02FXVt27994;
	Wed, 2 Jan 2002 10:33:31 -0500 (EST)
From: "Vic Abell" <abe@purdue.edu>
To: <openssl-users@openssl.org>
Cc: "vicabell" <abe@purdue.edu>
Subject: broken memcmp() in NeXTSTEP libc banjaxes OpenSSL 0.9.6c
Date: Wed, 2 Jan 2002 10:37:26 -0500
Message-ID: <PPEMKKOHIPKEHGBJHGOBEEDDCFAA.abe@purdue.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Importance: Normal
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: "Vic Abell" <abe@purdue.edu>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

When I upgraded from OpenSSL 0.9.6b to 0.9.6c on my (very) old
NeXT cube, running NEXTSTEP 3.1, an existing application started
failing.

I tracked the failure first to the X509_NAME_oneline() function,
which was no longer returning object names (e.g., "C") but was
instead returning OIDs (e.g., 2.5.4.6).

Deeper debugging showed that OBJ_obj2nid() wasn't returning names.
The eventual problem turned out to be that the NEXTSTEP 3.1 memcmp()
C library function returns an erroneous value to obj_cmp().

Since I have no way to change the C library I hacked a change into
crypto/objects that substitutes a working memcmp().  That hack
confirmed the memcmp() bug failure.

However, the hack is just a hack.  My question is how to do a proper
substitute of the correct memcmp() function for the incorrect one in
the C library.

What config options might be appropriate?  (I used -Dmemcmp=my_memcmp
for the hack and put a my_memcmp() function in crypto/objects/obj_lib.c.)

Where should the correct memcmp() function be located?

How should the remainder of the OpenSSL source code be told to use
the correct function?

I would really appreciate some advice from the OpenSSL developers on
the best way to work around the failing C library's memcmp() function.

Vic Abell <abe@purdue.edu>
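
A build-time check of the kind the post above asks about, as an added example that is not from the thread or from OpenSSL: it compares the sign returned by a candidate memcmp() against a byte-wise reference, so a build script can decide whether a substitute is needed. Only the name my_memcmp comes from the post; its body, memcmp_probe, signed_char_memcmp and the test inputs are assumptions, and since the post does not say how the NEXTSTEP function misbehaves, the cases cover high-bit bytes and longer buffers at varying start offsets.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*memcmp_fn)(const void *, const void *, size_t);

/* Reference with ISO C semantics: bytes are compared as unsigned char.
 * The name is taken from the post; this body is an assumption. */
int my_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *p = a, *q = b;
    size_t i;
    for (i = 0; i < n; i++)
        if (p[i] != q[i])
            return p[i] < q[i] ? -1 : 1;
    return 0;
}

/* Deliberately wrong variant (compares as signed char). It exists only to
 * show that the probe notices a bad implementation. */
int signed_char_memcmp(const void *a, const void *b, size_t n)
{
    const signed char *p = a, *q = b;
    size_t i;
    for (i = 0; i < n; i++)
        if (p[i] != q[i])
            return p[i] < q[i] ? -1 : 1;
    return 0;
}

static int sign(int v) { return (v > 0) - (v < 0); }

/* Number of constructed cases in which the candidate's result differs in
 * sign from the reference. 0 means the candidate passed every case. */
int memcmp_probe(memcmp_fn candidate)
{
    static const unsigned char lo[3] = { 0x55, 0x04, 0x06 };  /* constructed */
    static const unsigned char hi[3] = { 0x55, 0x04, 0x86 };  /* constructed */
    unsigned char x[40], y[40];
    size_t off, i;
    int bad = 0;

    /* A byte with the high bit set must sort above one without it. */
    bad += sign(candidate(lo, hi, 3)) != sign(my_memcmp(lo, hi, 3));
    bad += sign(candidate(hi, lo, 3)) != sign(my_memcmp(hi, lo, 3));

    /* Equal buffers and zero-length comparisons must return 0. */
    bad += candidate(lo, lo, 3) != 0;
    bad += candidate(lo, hi, 0) != 0;

    /* 20-byte buffers that differ only in their last byte, tried at
     * start offsets 0..7 so differently aligned pointers are exercised. */
    for (off = 0; off < 8; off++) {
        for (i = 0; i < sizeof(x); i++)
            x[i] = y[i] = (unsigned char)(i * 7 + 1);
        y[off + 19] ^= 0x80;
        bad += sign(candidate(x + off, y + off, 20))
               != sign(my_memcmp(x + off, y + off, 20));
        bad += candidate(x + off, y + off, 19) != 0;  /* prefix is equal */
    }
    return bad;
}

int main(void)
{
    int libc_bad = memcmp_probe(memcmp);

    printf("libc memcmp: %d failing case(s)\n", libc_bad);
    printf("signed-char variant: %d failing case(s)\n",
           memcmp_probe(signed_char_memcmp));
    /* Non-zero exit tells a build script to add -Dmemcmp=my_memcmp. */
    return libc_bad != 0;
}
```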

From owner-openssl-users@openssl.org  Wed Jan  2 19:00:13 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id SAA05802; Wed, 2 Jan 2002 18:59:12 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from spisa.act.uji.es id SAA05798; Wed, 2 Jan 2002 18:58:45 +0100 (MET)
Received: from localhost (juan@localhost)
	by spisa.act.uji.es (8.11.6/8.11.4) with ESMTP id g02I02N08306
	for <openssl-users@openssl.org>; Wed, 2 Jan 2002 19:00:03 +0100
Date: Wed, 2 Jan 2002 19:00:02 +0100 (CET)
From: Juan Segarra <juan@spisa.act.uji.es>
To: <openssl-users@openssl.org>
Subject: Re: EVP_* Routines
In-Reply-To: <1009929619.9747.2.camel@fry.111balmoral.co.uk>
Message-ID: <Pine.LNX.4.33.0201021850150.8142-100000@spisa.act.uji.es>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Juan Segarra <juan@spisa.act.uji.es>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

On 2 Jan 2002, Chris Plant wrote:

> I've compiled the attached code, and it doesn't decrypt the text
> correctly.  If anyone could explain why to me, or point out a nice
> tutorial about using these routines, it would be much appreciated.


I've been writing a tutorial about EVP routines in Spanish (I'll write an
English version after my exams :-P)... perhaps you'll find it useful (or
useless :-P).

	http://spisa.act.uji.es/~juan/tutoriales/openssl/evp/

je,je,je... use at your own risk ;-P



From owner-openssl-users@openssl.org  Wed Jan  2 19:59:10 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id TAA07734; Wed, 2 Jan 2002 19:58:11 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from zoidberg.111balmoral.co.uk id TAA07729; Wed, 2 Jan 2002 19:57:59 +0100 (MET)
Received: from fry.111balmoral.co.uk (fry.111balmoral.co.uk [192.168.0.10])
	by zoidberg.111balmoral.co.uk (8.12.1/8.12.1) with ESMTP id g02IvtSQ017776
	for <openssl-users@openssl.org>; Wed, 2 Jan 2002 18:57:56 GMT
Subject: Re: EVP_* Routines
From: Chris Plant <chris@monkeyircd.org>
To: openssl-users@openssl.org
In-Reply-To: <Pine.LNX.4.33.0201021850150.8142-100000@spisa.act.uji.es>
References: <Pine.LNX.4.33.0201021850150.8142-100000@spisa.act.uji.es>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution/1.0 (Preview Release)
Date: 02 Jan 2002 18:58:05 +0000
Message-Id: <1009997886.1409.0.camel@fry.111balmoral.co.uk>
Mime-Version: 1.0
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Chris Plant <chris@monkeyircd.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

On Wed, 2002-01-02 at 18:00, Juan Segarra wrote:
> On 2 Jan 2002, Chris Plant wrote:
> 
> > I've compiled the attached code, and it doesn't decrypt the text
> > correctly.  If anyone could explain why to me, or point out a nice
> > tutorial about using these routines, it would be much appreciated.
> 
> 
> I've been writing a tutorial about EVP routines in Spanish (I'll write an
> English version after my exams :-P)... perhaps you'll find it useful (or
> useless :-P).
> 
> 	http://spisa.act.uji.es/~juan/tutoriales/openssl/evp/
> 
> je,je,je... use at your own risk ;-P
> 
> 

Thanks, I managed to make some sense of it, and I'm getting somewhere
with my software now.

Chris Plant



From owner-openssl-users@openssl.org  Thu Jan  3 04:33:05 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id EAA23286; Thu, 3 Jan 2002 04:32:09 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from cobalt.sopac.org.fj id EAA23267; Thu, 3 Jan 2002 04:31:11 +0100 (MET)
Received: from bigiron.sopac.org.fj (unknown [10.0.0.180])
	by cobalt.sopac.org.fj (Postfix) with ESMTP
	id DB49D17C7D; Thu,  3 Jan 2002 15:30:42 +1200 (FJT)
Received: by BIGIRON with Internet Mail Service (5.5.2650.21)
	id <Y9HMXAXH>; Thu, 3 Jan 2002 15:42:22 +1200
Message-ID: <F12ECEA0435AD211B5280008C7ACBC85016B3DD7@BIGIRON>
From: Franck Martin <Franck@sopac.org>
To: "'openssl-users@openssl.org'" <openssl-users@openssl.org>
Cc: "'esriram_in@yahoo.com'" <esriram_in@yahoo.com>
Subject: RE: How to create a certificate 
Date: Thu, 3 Jan 2002 15:42:15 +1200 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Franck Martin <Franck@sopac.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Read the HOWTO at www.linuxdoc.org

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: franck@sopac.org
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

This e-mail is intended for its addressees only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-----Original Message-----
From: sriram eswaran [mailto:esriram_in@yahoo.com]
Sent: Saturday, 29 December 2001 4:32 
To: openssl-users@openssl.org
Subject: How to create a certificate 


Dear team

I have Apache1.3.22, mod_jk and open-ssl-0.9.6 
compiled in my machine(Redhat linux 6.2). Followed the
documentation of mod_ssl (INSTALL)
Now each time I want to create a certificate I need to
go to the directory where I had compiled apache and
type "make certificate".
Now if I need to test my product with SSL in some other
person's PC I either have to do the full
apache-openssl-mod_ssl compilation or create a
certificate from my PC.

Is there a way where I can create a certificate using
openssl. (ie) If a person has openssl in his machine
he should be able to create a certificate.

This question may sound silly but I am (very)new to
SSL.

Expecting a quick reply,
Thanks & Regards
E.Sriram


From owner-openssl-users@openssl.org  Thu Jan  3 05:56:07 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id FAA25331; Thu, 3 Jan 2002 05:55:09 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from aenima.basementresearch.net id FAA25327; Thu, 3 Jan 2002 05:55:00 +0100 (MET)
Received: from aenima.basementresearch.net (th1nk3r@localhost [127.0.0.1])
	by aenima.basementresearch.net (8.12.1/8.10.1) with ESMTP id g034rowJ010239
	for <openssl-users@openssl.org>; Wed, 2 Jan 2002 22:53:50 -0600 (CST)
Received: (from th1nk3r@localhost)
	by aenima.basementresearch.net (8.12.1/8.12.0/Submit) id g034roFD031089
	for openssl-users@openssl.org; Wed, 2 Jan 2002 22:53:50 -0600 (CST)
Date: Wed, 2 Jan 2002 22:53:50 -0600
From: Vincent Toms <vtoms@v-quest.org>
To: openssl-users@openssl.org
Subject: Cipher questions...
Message-ID: <20020102225350.A3000@aenima.basementresearch.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Vincent Toms <vtoms@v-quest.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Hello All, 
I have a question about what ciphers to use in an export ready app.

In my client I am doing the following:
char* sipher_list = "EXP1024-DHE-DSS-RC4-SHA+EXP1024-RC4-SHA+EXP1024-DHE-DSS-DES-CBC-SHA+EXP1024-DES-CBC-SHA+EXP1024-RC2-CBC-MD5+EXP1024-RC4-MD5+EXP-EDH-RSA-DES-CBC-SHA+EXP-EDH-DSS-DES-CBC-SHA+EXP-DES-CBC-SHA+EXP-RC2-CBC-MD5+EXP-RC4-MD5+EXP-RC2-CBC-MD5+EXP-RC4-MD5";
SSL_CTX_set_cipher_list(ctx,sipher_list);

I then watch the connection and it picks one of these ciphers and
conducts the interaction successfully.  My question is do I need to
do any more than use one of these ciphers?  I was also thinking of 
doing some stuff on the server, but for now I'll let the client 
pick until I figure a better way to check client location from the server.
Does anyone have suggestions as to what I should do?

Thank you 
Vincent Toms



From owner-openssl-users@openssl.org  Thu Jan  3 10:00:21 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id JAA04830; Thu, 3 Jan 2002 09:59:11 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from shell.webmaster.com id JAA04788; Thu, 3 Jan 2002 09:58:32 +0100 (MET)
Received: from whenever ([206.171.168.130]) by shell.webmaster.com
          (Post.Office MTA v3.5.3 release 223 ID# 0-12345L500S10000V35)
          with SMTP id com for <openssl-users@openssl.org>;
          Thu, 3 Jan 2002 00:58:26 -0800
From: David Schwartz <davids@webmaster.com>
To: <openssl-users@openssl.org>
X-Mailer: PocoMail 2.51 (995) - Registered Version
Date: Thu, 3 Jan 2002 00:58:25 -0800
In-Reply-To: <20020102225350.A3000@aenima.basementresearch.net>
Subject: Re: Cipher questions...
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <20020103085826.AAA3708@shell.webmaster.com@whenever>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by opensource.ee.ethz.ch id JAA04826
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: David Schwartz <davids@webmaster.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users


On Wed, 2 Jan 2002 22:53:50 -0600, Vincent Toms wrote:
>Hello All, I have a question about what ciphers to use in an export ready
>app.

>I then watch the connection and it picks one of these ciphers and conducts
>the interaction successfully.  My question is do I need to do any more than
>use one of these ciphers?  I was also thinking of doing some stuff on the
>server, but for now I'll let the client pick until I figure a better way to
>check client location from the server.
>Does any one have suggestions as to what I should do?

	How do you link to the OpenSSL library? And is this an open-source app? 
Which license exemption were you aiming for or were you planning to seek a 
license?

	DS



From owner-openssl-users@openssl.org  Thu Jan  3 13:09:07 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id NAA14798; Thu, 3 Jan 2002 13:08:13 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from mutha.scytl.net id NAA14791; Thu, 3 Jan 2002 13:07:59 +0100 (MET)
Received: from localhost.localdomain (unknown [192.168.0.52])
	by mutha.scytl.net (Postfix) with ESMTP id C57274FF45
	for <openssl-users@openssl.org>; Thu,  3 Jan 2002 13:05:05 +0100 (CET)
Subject: PKCS7 Signed and Enveloped
From: Aleix Conchillo <aleix.conchillo@scytl.com>
To: openssl-users@openssl.org
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution/1.0 (Preview Release)
Date: 03 Jan 2002 13:07:08 +0100
Message-Id: <1010059628.771.65.camel@klauz>
Mime-Version: 1.0
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Aleix Conchillo <aleix.conchillo@scytl.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Hi,

	I have a few questions about the usage of the PKCS7 functions in
OpenSSL.

	My code works: it creates a PKCS7 SignedAndEnveloped. I got the idea
from the enc.c and dec.c files in the crypto/pkcs7 directory.

	Before my code worked, I wrote other code that seemed to be OK but
didn't work. Let me explain: the PKCS7 standard says that a SignerInfo is
needed to create the PKCS7, so I called the following functions:

	X509 *cert = ...
	EVP_PKEY *pkey = ...
	PKCS7_SIGNER_INFO* signer = PKCS7_SIGNER_INFO_new();
	PKCS7_SIGNER_INFO_set(signer, cert, pkey, EVP_sha1());
	PKCS7_add_signer(p7, signer);

	PKCS7_add_recipient(p7, rec_cert);

	PKCS7_dataFinal(p7, bio);

This seemed to be the most reasonable way to do it, but it didn't work.
The code I have now (the one that works) is:

	PKCS7_add_signature(p7, cert, pkey, EVP_sha1());
	PKCS7_add_certificate(p7, cert);

	PKCS7_add_recipient(p7, rec_cert);

	PKCS7_dataFinal(p7, bio);

	Can anyone explain what those PKCS7_add_signature and
PKCS7_add_certificate calls are? Do they set a PKCS_SignerInfo
automatically? I do not really understand why my initial code didn't
work.

	Any help would be really appreciated.

Regards,


Aleix


From owner-openssl-users@openssl.org  Thu Jan  3 14:45:08 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id OAA19040; Thu, 3 Jan 2002 14:44:13 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from ezclan.propagation.net id OAA19035; Thu, 3 Jan 2002 14:43:40 +0100 (MET)
Received: from dev006 ([63.120.170.66])
	by ezclan.propagation.net (8.8.5/8.8.5) with ESMTP id HAA18458
	for <openssl-users@openssl.org>; Thu, 3 Jan 2002 07:41:55 -0600
Message-ID: <002301c1945c$ba8cdb60$f500a8c0@esecurity>
From: "Andrew T. Finnell" <andrew@activesol.net>
To: <openssl-users@openssl.org>
References: <20020103085826.AAA3708@shell.webmaster.com@whenever>
Subject: Re: Cipher questions...
Date: Thu, 3 Jan 2002 08:44:12 -0500
Organization: ActiveSol
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: "Andrew T. Finnell" <andrew@activesol.net>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

    I was under the impression that we didn't need to use export ciphers
anymore? Could someone just glaze over this fact?

- Andrew

----- Original Message -----
From: "David Schwartz" <davids@webmaster.com>
To: <openssl-users@openssl.org>
Sent: Thursday, January 03, 2002 3:58 AM
Subject: Re: Cipher questions...


>
> On Wed, 2 Jan 2002 22:53:50 -0600, Vincent Toms wrote:
> >Hello All, I have a question about what ciphers to use in an export ready
> >app.
>
> >I then watch the connection and it picks one of these ciphers and conducts
> >the interaction successfully.  My question is do I need to do any more than
> >use one of these ciphers?  I was also thinking of doing some stuff on the
> >server, but for now I'll let the client pick until I figure a better way to
> >check client location from the server.
> >Does any one have suggestions as to what I should do?
>
> How do you link to the OpenSSL library? And is this an open-source app?
> Which license exemption were you aiming for or were you planning to seek a
> license?
>
> DS
>
>

From owner-openssl-users@openssl.org  Thu Jan  3 14:49:06 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id OAA19272; Thu, 3 Jan 2002 14:48:13 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from aenima.basementresearch.net id OAA19184; Thu, 3 Jan 2002 14:47:10 +0100 (MET)
Received: from aenima.basementresearch.net (th1nk3r@localhost [127.0.0.1])
	by aenima.basementresearch.net (8.12.1/8.10.1) with ESMTP id g03Dk1wJ005482
	for <openssl-users@openssl.org>; Thu, 3 Jan 2002 07:46:01 -0600 (CST)
Received: (from th1nk3r@localhost)
	by aenima.basementresearch.net (8.12.1/8.12.0/Submit) id g03Dk1c3027619
	for openssl-users@openssl.org; Thu, 3 Jan 2002 07:46:01 -0600 (CST)
Date: Thu, 3 Jan 2002 07:46:01 -0600
From: Vincent Toms <vtoms@v-quest.org>
To: openssl-users@openssl.org
Subject: Re: Cipher questions...
Message-ID: <20020103074601.A19938@aenima.basementresearch.net>
References: <20020102225350.A3000@aenima.basementresearch.net> <20020103085826.AAA3708@shell.webmaster.com@whenever>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020103085826.AAA3708@shell.webmaster.com@whenever>; from davids@webmaster.com on Thu, Jan 03, 2002 at 12:58:25AM -0800
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Vincent Toms <vtoms@v-quest.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

The app itself is closed source, but I use open-source libs, namely
OpenSSL and a popular image manipulation library.  The client is
win32 and I am linking dynamically.  I just want it so that I can
release the app both here and abroad without fear of encryption law
violations.

Thanks again.

Vincent T.

On Thu, Jan 03, 2002 at 12:58:25AM -0800, David Schwartz wrote:
> 
> On Wed, 2 Jan 2002 22:53:50 -0600, Vincent Toms wrote:
> >Hello All, I have a question about what ciphers to use in an export ready
> >app.
> 
> >I then watch the connection and it picks one of these ciphers and conducts
> >the interaction successfully.  My question is do I need to do any more than
> >use one of these ciphers?  I was also thinking of doing some stuff on the
> >server, but for now I'll let the client pick until I figure a better way to
> >check client location from the server.
> >Does any one have suggestions as to what I should do?
> 
> 	How do you link to the OpenSSL library? And is this an open-source app? 
> Which license exemption were you aiming for or were you planning to seek a 
> license?
> 
> 	DS
> 
> 

From owner-openssl-users@openssl.org  Thu Jan  3 15:34:06 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id PAA21244; Thu, 3 Jan 2002 15:33:12 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from zolera.com id PAA21239; Thu, 3 Jan 2002 15:32:58 +0100 (MET)
Received: from zolera.com (os390.zolera.com [10.0.1.9])
	by zolera.com (8.11.6/8.11.6) with ESMTP id g03EZTK15328;
	Thu, 3 Jan 2002 09:35:30 -0500
Message-ID: <3C346C31.5000407@zolera.com>
Date: Thu, 03 Jan 2002 09:35:29 -0500
From: Rich Salz <rsalz@zolera.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6) Gecko/20011120
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Andrew T. Finnell" <andrew@activesol.net>
CC: openssl-users@openssl.org
Subject: Re: Cipher questions...
References: <20020103085826.AAA3708@shell.webmaster.com@whenever> <002301c1945c$ba8cdb60$f500a8c0@esecurity>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Rich Salz <rsalz@zolera.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Andrew T. Finnell wrote:

>     I was under the impression that we didn't need to use export ciphers
> anymore? Could someone just glaze over this fact?
> 

There is no legal reason for US software to use export ciphers.
You might have to support old browsers or apps, however.

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com


From owner-openssl-users@openssl.org  Thu Jan  3 16:14:46 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23067; Thu, 3 Jan 2002 16:13:20 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23040; Thu, 3 Jan 2002 16:12:39 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP
	from yellow.rahul.net id TAA14647; Tue, 1 Jan 2002 19:35:44 +0100 (MET)
Received: by yellow.rahul.net (Postfix, from userid 2717)
	id DE1537F22; Tue,  1 Jan 2002 10:35:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by yellow.rahul.net (Postfix) with ESMTP
	id C48147D24; Tue,  1 Jan 2002 10:35:42 -0800 (PST)
Date: Tue, 1 Jan 2002 10:35:42 -0800 (PST)
From: Doug Kaufman <dkaufman@rahul.net>
To: "John E. Lopez" <JohnELopez@usa.net>
Cc: openssl-dev@openssl.org, openssl-users@openssl.org
Subject: Re: MS-Dos support.
In-Reply-To: <000601c19244$20095b00$0a01a8c0@jelopez.adasoftware.net>
Message-ID: <Pine.BSF.4.21.0201011029290.39558-100000@yellow.rahul.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Doug Kaufman <dkaufman@rahul.net>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

On Mon, 31 Dec 2001, John E. Lopez wrote:

> I want to write a TCP(Watt-32 tcp/ip http://www.bgnett.no/~giva/) msdos
> application that uses openssl. 

Openssl compiles with DJGPP just fine. It doesn't support the entropy
gathering daemon, so you have to make sure that your program supplies
a source of "random" data. To compile with DJGPP apply the patch I
posted to openssl-dev and read the generated file "install.djgpp". The
patch for the latest stable release (0.9.6c) can be found at:
"http://www.mail-archive.com/openssl-dev@openssl.org/msg10318.html"
A patch for the development branch can be found at:
"http://www.mail-archive.com/openssl-dev@openssl.org/msg10317.html"

After applying the patch, pick your configuration options, and run
(from the bash shell) Configure, then make.

I haven't heard of openssl being ported to the other DOS compilers.
                             Doug
__ 
Doug Kaufman
Internet: dkaufman@rahul.net

From owner-openssl-users@openssl.org  Thu Jan  3 16:14:48 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23071; Thu, 3 Jan 2002 16:13:25 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23046; Thu, 3 Jan 2002 16:12:50 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from dns1.dnsmagical.com id XAA21554; Tue, 1 Jan 2002 23:12:06 +0100 (MET)
Received: from NETGENERAL ([64.232.241.50]) by dns1.dnsmagical.com
          (Netscape Mail Server v2.01) with SMTP id AAA78;
          Tue, 1 Jan 2002 16:24:35 -0600
Message-ID: <01bc01c192b5$1c4786b0$32f1e840@NETGENERAL>
From: robert@netgeneral.com (robert)
To: <openssl-users@openssl.org>
Cc: "Robert Lambert" <robert@netgeneral.com>
Subject:  NT with msvc 5/6 non MFC Wrapper Class
Date: Tue, 1 Jan 2002 05:11:49 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_01B9_01C19282.D166BEE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: robert@netgeneral.com (robert)
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Hi All

About 15 months ago I asked if there were any developers interested in
creating a C++ wrapper class library using openssl for NT non MFC and
coexisting with IIS, STL and Sql Server.  If interested please drop me a
line
robert


From owner-openssl-users@openssl.org  Thu Jan  3 16:16:48 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23161; Thu, 3 Jan 2002 16:14:37 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23055; Thu, 3 Jan 2002 16:13:03 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from scn4.scn.org id DAA00457; Wed, 2 Jan 2002 03:10:27 +0100 (MET)
Received: from scn.org (jj@scn [209.63.95.146])
	by scn4.scn.org (8.9.1/8.9.1) with ESMTP id SAA19969
	for <openssl-users@openssl.org>; Tue, 1 Jan 2002 18:05:46 -0800 (PST)
Received: from localhost (jj@localhost)
	by scn.org (8.9.1/8.9.1) with SMTP id SAA02417
	for <openssl-users@openssl.org>; Tue, 1 Jan 2002 18:12:29 -0800 (PST)
Date: Tue, 1 Jan 2002 18:12:28 -0800 (PST)
From: "J. Johnson" <jj@scn.org>
X-Sender: jj@scn
To: openssl-users@openssl.org
Subject: Wrong "CC" in Makefiles.
Message-ID: <Pine.SUN.3.96.1020101180145.1391A-100000@scn>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: "J. Johnson" <jj@scn.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

In OpenSSL 0.9.6b, for both SunOS 4 and Solaris 2.6, I have noticed that
specifying gcc as the compiler is reflected in some of the Makefiles, but
not all:  in some of the subdirectories "CC" is left set to the default "cc".

I suspect this is really a problem with either the Configure script, or
with the provided parameters, but I'm not sufficiently well-versed in
either to see what's happening (or not).  Any ideas? 

On our Solaris machine there isn't a problem because cc is linked to gcc,
so it's all the same.  And while I haven't seen any problems on our SunOS
machine, I wonder if there is a prospect of incompatibilities.

(Please respond directly, as I'm not on the openssl-users list.)

=== JJ =============================================================

From owner-openssl-users@openssl.org  Thu Jan  3 16:17:03 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23170; Thu, 3 Jan 2002 16:14:43 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23082; Thu, 3 Jan 2002 16:13:28 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from mail.learningsoft.net id QAA29966; Wed, 2 Jan 2002 16:15:20 +0100 (MET)
Received: from there (raclark.learningsoft.net [192.168.0.53])
	by mail.learningsoft.net with SMTP for ``<openssl-users@openssl.org>''
	id g02FF3w01574; Wed, 2 Jan 2002 10:15:03 -0500
	config 	@(#)ls-send-x1.cf	1.0.7	01-Jul-2001	[deland!tanner]
Message-Id: <200201021515.g02FF3w01574@mail.learningsoft.net>
Content-Type: text/plain;
  charset="iso-8859-1"
From: Rick Clark <raclark@learningsoft.net>
Organization: LearningSoft
To: openssl-users@openssl.org
Subject: Re: Problems with Virtual Hosts (Apache) and OpenSSL
Date: Wed, 2 Jan 2002 10:14:52 -0500
X-Mailer: KMail [version 1.3]
References: <3785FE3BF539D411A49D00508B956A1802D4461D@helexc04.novogroup.com> <5.1.0.14.2.20020102151904.0249d008@mail.crown.de>
In-Reply-To: <5.1.0.14.2.20020102151904.0249d008@mail.crown.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by opensource.ee.ethz.ch id QAA29986
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Rick Clark <raclark@learningsoft.net>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Name-based virtual hosts are not supported in SSL.  The server has to start
the encryption before it has the name information.  Just remove the
'NameVirtualHost yyy.yyy.yyy.yyy' and all should work.

Rick Clark
Sr. System Admin.
Learningsoft corp.


On Wednesday 02 January 2002 09:43, you wrote:
> Hi there,
>
> I use Apache 1.3.20 with OpenSSL on Windows NT 4. I also use Virtual Hosts
> with Apache.
> So my problem is the following: I defined a lot of Virtual Hosts (see
> below). I use a lot of hosts
> only on port 80, but some other hosts on port 443 for SSL. For the hosts
> with SSL, I use different
> IP addresses, so that each host with SSL has its own IP.
> When I try to start Apache, I get the message:
> "Mixing * ports and non-* ports with a NameVirtualHost address is not
> supported, proceeding with
> undefined results." So what can I do? I tell you shortly what I want to
> have...
>
> 1. I want to run a lot of hosts on port 80 on this machine (most hosts have
> the same IP)
> 2. I want to run also some hosts with SSL (443), where each host (SSL) has
> its own IP.
>
> Maybe, I only have to put a ":80" behind every "normal" host and a ":443"
> behind every SSL-host?!
> I hope, someone can help me... Thank you!
>
> Here is my definition of the virtual hosts:
>
> NameVirtualHost xxx.xxx.xxx.xxx (for a lot of hosts only on port 80)
> NameVirtualHost yyy.yyy.yyy.yyy (for only one SSL host)
>
>
> <VirtualHost xxx.xxx.xxx.xxx>
> ...
> ServerName host1.domain.com
> ...
> </VirtualHost>
>
>
> <VirtualHost xxx.xxx.xxx.xxx>
> ...
> ServerName host2.domain.com
> ...
> </VirtualHost>
>
>
> <VirtualHost yyy.yyy.yyy.yyy:443>
> ...
> ServerName ssl_host.domain.com
> ...
> </VirtualHost>
>
>
> Best regards, J. Schroeder
>
>

From owner-openssl-users@openssl.org  Thu Jan  3 16:17:04 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23174; Thu, 3 Jan 2002 16:14:46 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23106; Thu, 3 Jan 2002 16:14:03 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from mail.coyotesong.com id TAA06602; Wed, 2 Jan 2002 19:09:52 +0100 (MET)
Received: (qmail 1261 invoked from network); 2 Jan 2002 18:06:46 -0000
Received: from eris.coyotesong.com (root@192.168.1.3)
  by chaos.coyotesong.com with SMTP; 2 Jan 2002 18:06:46 -0000
Received: (from bear@localhost)
	by eris.coyotesong.com (8.9.3/8.9.3/Debian 8.9.3-21) id LAA00362
	for openssl-users@openssl.org; Wed, 2 Jan 2002 11:06:46 -0700
From: Bear Giles <bear@coyotesong.com>
Message-Id: <200201021806.LAA00362@eris.coyotesong.com>
Subject: Root cert questions
To: openssl-users@openssl.org
Date: Wed, 2 Jan 2002 11:06:46 -0700 (MST)
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Bear Giles <bear@coyotesong.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

I have two quick questions about root certs:

1) can they have a serial number?

2) should they have different subject and issuer?

The rationale behind the second question is vague memories
of people reporting problems with MS (of course) products
accepting certs with identical subject and issuer fields.
The reported workaround was changing the issuer field.

The rationale behind the first question is more complex.
I wish to store the certs issued by the CA in a relational
database with strict integrity checking.  (For an explanation
of *why* this is so important, see the bottom of the message.)

The table of issued certs should look something like this when 
using my current libpkixpq library:

  create table certs (
     cert     x509 not null,
     status   varchar(10) not null,  -- 'valid', 'revoked', 'expired'
     revdate  datetime,    -- date revoked
     revcause varchar(10), -- reason revoked

     --
     -- cache basic fields
     --
     serial    hugeint not null
        constraint c1 check (serial = x509_serial(cert)),
     subject   principal not null
        constraint c2 check (subject = x509_subject(cert)),
     issuer    principal not null
        constraint c3 check (issuer = x509_issuer(cert)),
     notbefore datetime not null
        constraint c4 check (notbefore = x509_notbefore(cert)),
     notafter  datetime not null
        constraint c5 check (notafter = x509_notafter(cert)),

     --
     -- cache PKIX recommended extensions
     --
     subject_keyid varchar(60) not null
        constraint c6 check (subject_keyid = x509_subject_keyid(cert)),
     authority_keyid varchar(60) not null
        constraint c7 check (authority_keyid = x509_authority_keyid(cert)),
     authority_serial hugeint not null
        constraint c8 check (
            authority_serial = x509_authority_keyid_serial(cert)),

     -- is this a self-signed cert?  (not sure on constraint syntax...)
     selfsigned boolean not null
        constraint c9 check (selfsigned = (subject_keyid = authority_keyid)),

     --
     -- primary key
     --
     primary key (serial),

     --
     -- referential integrity checks
     --
     foreign key (authority_keyid) references certs(subject_keyid) deferrable,
     foreign key (authority_serial) references certs(serial) deferrable
  );

  create index certs_idx1 on certs(subject_keyid);

(The main differences between this version and the latest published
version are renaming "x509_name" to "principal" and "asn1_integer"
to "hugeint", and defining relational operators for each of them.  It
should hit my website by this weekend.)

The cache/constraint combination is used to cache the results of the
PKIX functions, while ensuring that these fields aren't subsequently 
modified by some ne'er-do-well.  The fields can then be used in other
queries without the performance hit that we would get if calling the
stored procedure every time.

What's much more interesting are the referential integrity checks -
they only allow certs to be inserted if the signer is already in the
table.  Without the "deferrable" option even self-signed certs could
not be added to the database.

Since this is a CA table, it can ensure that the subject and authority
keyids are always valid, but they aren't unique identifiers.  Serial
numbers are unique, but with null values there would still be problems
in using them as a primary key / foreign key.

----

Why is storage in a relational database with referential integrity
so important?  Because it makes some tasks trivial:

1) revoke a CA cert, e.g., because it was obtained fraudulently?
A database 'rule' can automatically revoke all certs signed by this
one - it's a modification of the standard rule for cascading deletions.

2) if there's a question about a cert, you can always obtain all
of the other certs in the chain.

3) you can trivially identify all root certs.

As an aside, the PostgreSQL rule system makes it easy to maintain
this table.  You first create a new view that handles insertions:

   create view certs_insert as select cert,status from certs;

   create rule certi as on insert to certs_insert do instead
      insert into certs (cert,status,serial,subject,issuer,...)
         values(new.cert,new.status,
            x509_serial(new.cert), x509_subject(new.cert),
            x509_issuer(new.cert),...);

and similar rules for updates and deletes (e.g., deletion actually
marks the cert 'revoked').  Then you can lock down access to the
table and do all access via the views.
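
The referential-integrity check and cascading revocation described in the message above, as an added sketch that is not part of the original post or of libpkixpq. It assumes SQLite (via Python's sqlite3) in place of PostgreSQL, plain columns in place of the x509 type and x509_*() functions, a trigger in place of a PostgreSQL rule, and constructed certificate rows; the trigger, index and helper names are hypothetical.

```python
import sqlite3

# SQLite stand-in for the posted table: plain columns replace the x509 type
# and the x509_*() accessors; only the serial-number foreign key is kept.
SCHEMA = """
CREATE TABLE certs (
    serial           INTEGER PRIMARY KEY,
    subject          TEXT NOT NULL,
    issuer           TEXT NOT NULL,
    status           TEXT NOT NULL DEFAULT 'valid'
                     CHECK (status IN ('valid', 'revoked', 'expired')),
    authority_serial INTEGER NOT NULL
                     REFERENCES certs(serial) DEFERRABLE INITIALLY DEFERRED
);
CREATE INDEX certs_by_issuer ON certs(authority_serial);

-- Revoking a cert revokes everything it signed. With recursive triggers
-- enabled, each revoked child fires the trigger again for its own children.
CREATE TRIGGER revoke_issued AFTER UPDATE OF status ON certs
WHEN NEW.status = 'revoked' AND OLD.status <> 'revoked'
BEGIN
    UPDATE certs SET status = 'revoked'
     WHERE authority_serial = NEW.serial
       AND serial <> NEW.serial
       AND status <> 'revoked';
END;
"""

# Constructed sample rows: (serial, subject, issuer, authority_serial).
# The leaf is listed before its issuers on purpose.
SAMPLE = [
    (3, "CN=www.example.test", "CN=Example Issuing CA", 2),
    (2, "CN=Example Issuing CA", "CN=Example Root CA", 1),
    (1, "CN=Example Root CA", "CN=Example Root CA", 1),   # self-signed
    (4, "CN=Example Second CA", "CN=Example Root CA", 1),
    (5, "CN=mail.example.test", "CN=Example Second CA", 4),
]


def open_ca_db():
    # isolation_level=None: no implicit transactions, BEGIN/COMMIT are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("PRAGMA foreign_keys = ON")        # off by default in SQLite
    db.execute("PRAGMA recursive_triggers = ON")  # needed for multi-level cascade
    db.executescript(SCHEMA)
    return db


def add_certs(db, rows):
    """Insert rows in one transaction. The deferred foreign key is checked at
    COMMIT, so order within the batch is free, but a cert whose issuer is not
    in the table makes the whole batch fail. Returns True on success."""
    db.execute("BEGIN")
    try:
        db.executemany(
            "INSERT INTO certs (serial, subject, issuer, authority_serial)"
            " VALUES (?, ?, ?, ?)", rows)
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        return False


def revoke(db, serial):
    db.execute("UPDATE certs SET status = 'revoked' WHERE serial = ?", (serial,))


def chain(db, serial):
    """Subjects from the given cert up to its self-signed root."""
    rows = db.execute("""
        WITH RECURSIVE up(serial, subject, authority_serial, depth) AS (
            SELECT serial, subject, authority_serial, 0
              FROM certs WHERE serial = ?
            UNION ALL
            SELECT c.serial, c.subject, c.authority_serial, up.depth + 1
              FROM certs c JOIN up ON c.serial = up.authority_serial
             WHERE up.serial <> up.authority_serial
        )
        SELECT subject FROM up ORDER BY depth""", (serial,))
    return [r[0] for r in rows]


def roots(db):
    """Root certs are the rows that name themselves as their authority."""
    return [r[0] for r in db.execute(
        "SELECT subject FROM certs WHERE serial = authority_serial ORDER BY serial")]


def statuses(db):
    return dict(db.execute("SELECT subject, status FROM certs"))


if __name__ == "__main__":
    db = open_ca_db()
    print("batch accepted:", add_certs(db, SAMPLE))
    print("orphan accepted:", add_certs(db, [(9, "CN=orphan", "CN=Unknown CA", 42)]))
    print("chain of 3:", chain(db, 3))
    print("roots:", roots(db))
    revoke(db, 2)
    print("after revoking the issuing CA:", statuses(db))
```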

From owner-openssl-users@openssl.org  Thu Jan  3 16:17:26 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23332; Thu, 3 Jan 2002 16:16:38 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23226; Thu, 3 Jan 2002 16:15:23 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via SMTP for <openssl-users@openssl.org>
	from hk.sina.com.hk id PAA20748; Thu, 3 Jan 2002 15:17:20 +0100 (MET)
Received: (qmail 19267 invoked by uid 99); 3 Jan 2002 22:17:00 -0000
Message-ID: <20020103221700.19266.qmail@hk.sina.com.hk>
From: "=?big5?B?Y19wdWl5ZWU=?=" <c_puiyee@sinagirl.com>
Subject: =?big5?B?UmFuZG9tIG51bWJlciBnZW5lcmF0b3I=?=
To: "=?big5?B?b3BlbnNzbC11c2Vyc0BvcGVuc3NsLm9yZyAg?=" <openssl-users@openssl.org>
Date:  Thu, 3 Jan 2002 22:17:00 +0800
Content-Type: text/plain;charset="big5"
Content-Disposition: inline
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: "=?big5?B?Y19wdWl5ZWU=?=" <c_puiyee@sinagirl.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users


Dear Sir/Madam,
       I am searching for a PRNG for an application. How can I extract only
the random number generator of OpenSSL?


From owner-openssl-users@openssl.org  Thu Jan  3 16:17:28 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23280; Thu, 3 Jan 2002 16:16:20 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23125; Thu, 3 Jan 2002 16:14:15 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via SMTP for <openssl-users@openssl.org>
	from mailweb33.rediffmail.com id UAA07823; Wed, 2 Jan 2002 20:00:42 +0100 (MET)
Received: (qmail 30088 invoked by uid 510); 2 Jan 2002 19:01:14 -0000
Date: 2 Jan 2002 19:01:14 -0000
Message-ID: <20020102190114.30087.qmail@mailweb33.rediffmail.com>
Received: from unknown (128.198.60.23) by rediffmail.com via HTTP; 02 Jan 2002 19:01:14 -0000
MIME-Version: 1.0
From: "ganesh kumar godavari" <ganesh_kumarg@rediffmail.com>
To: "Lucas Armendares" <armendares@hotmail.com>
Cc: chow@cs.uccs.edu, openssl-users@openssl.org
Subject: Re SSL_ERROR_SYSCALLon write
Content-type: text/plain;
	charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by opensource.ee.ethz.ch id UAA07840
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: "ganesh kumar godavari" <ganesh_kumarg@rediffmail.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users


Hi,
can u tell me are u getting SSL_ERROR_SYSCALL on reading or writing?

in my case
i found that SSL_ERROR_SYSCALL occurred during SSL_write.
using SSL_dump i found the connection was closed accidentally by me. so it was causing this error.

can u send me a copy of your ssl dump?

cheers,
ganesh

On Tue, 01 Jan 2002 Lucas Armendares wrote :
>
> Hi,
>
> I was looking for a solution for the same problem
> (SSL_ERROR_SYSCALL was occurring when using netscape, I am not getting this
> error on I.E. i used Error_get_error and found that the return value is 0.)
> and I was wondering if you have found the solution.
> 
> Please help.
> Thanks.
> Aremndares
> 

From owner-openssl-users@openssl.org  Thu Jan  3 16:17:30 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23339; Thu, 3 Jan 2002 16:16:44 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23236; Thu, 3 Jan 2002 16:15:28 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from ns.potsdam.de id PAA20869; Thu, 3 Jan 2002 15:22:13 +0100 (MET)
Received: from i200057 (c-217.27.193.218.host.tnp-potsdam.de [217.27.193.218] (may be forged))
	by ns.potsdam.de (8.9.3/8.9.3) with SMTP id PAA08362
	for <openssl-users@openssl.org>; Thu, 3 Jan 2002 15:21:41 +0100
From: =?iso-8859-1?Q?Ren=E9_Gebauer?= <gebauer@terratools.de>
To: <openssl-users@openssl.org>
Subject: ssl handshake - what happens?
Date: Thu, 3 Jan 2002 15:31:01 +0100
Message-ID: <000001c19462$e92fbbd0$e600a8c0@i200057>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: =?iso-8859-1?Q?Ren=E9_Gebauer?= <gebauer@terratools.de>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

hi,
i use openssl in my own application under win2000 and win98. all openssl
function calls run in one thread (to avoid blocking) and there are some other
threads of my application.
under win2000 the handshake takes more than 30 seconds, but under win98 it
will be ready after 5 seconds. i tried to find out more about this problem
and used a sniffer to see the traffic from client to server and back. these
are the results:
1) client sends data to server --> i think this is the 'hello'
2) server responds --> should be the 'server hello'
3) client sends data to server --> should be the 'use this pre-master
secret'
4) NOW NOTHING HAPPENS FOR 30 SECONDS --> my problem !!!
5) client sends message to server --> should be the 'client will encrypt
future data with the session key'
6) ... and so on ...

NOW MY QUESTION: what happens at step 4 ? why does it take so long under
win2000 ? is a key created at this time? if so, can i create this key
somehow else (without connecting to the server)??
i tried to set my own thread (which calls the openssl functions) to a higher
priority. now the handshake takes just 25 seconds, but my whole system slows
down. ... and this should be not the solution for my problem ;)

... any suggestion ??

rené

From owner-openssl-users@openssl.org  Thu Jan  3 16:17:33 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23347; Thu, 3 Jan 2002 16:16:47 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23194; Thu, 3 Jan 2002 16:15:00 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from mail.coyotesong.com id JAA03823; Thu, 3 Jan 2002 09:27:46 +0100 (MET)
Received: (qmail 2791 invoked from network); 3 Jan 2002 08:24:39 -0000
Received: from eris.coyotesong.com (root@192.168.1.3)
  by chaos.coyotesong.com with SMTP; 3 Jan 2002 08:24:39 -0000
Received: (from bear@localhost)
	by eris.coyotesong.com (8.9.3/8.9.3/Debian 8.9.3-21) id BAA28758;
	Thu, 3 Jan 2002 01:24:39 -0700
From: Bear Giles <bear@coyotesong.com>
Message-Id: <200201030824.BAA28758@eris.coyotesong.com>
Subject: silly Netscape plugin announcement (plus libpkixpq 0.2)
Date: Thu, 3 Jan 2002 01:24:39 -0700 (MST)
CC: openssl-dev@openssl.org, openssl-users@openssl.org, crypt@bxa.doc.gov
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Bear Giles <bear@coyotesong.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

First, the serious stuff.  Version 0.2 of my libpkixpq library is up at 
http://www.dimensional.com/~bgiles.  It mostly renames asn1_integer to 
hugeint and x509_name to principal, and adds a slew of operators to each 
type.  This should make it possible to create indices on either type, 
although I haven't actually verified this yet.

Now the silly stuff.  I am perplexed to announce the first (and probably
final) release of a Netscape 4.x plugin that uses the OpenSSL library
to display the contents of an X.509 cert.  You can embed a cert into
another document with the EMBED tag:

  <embed type="application/x-dump-x509" width=700 height=500
		 src="file:/tmp/test.pem">

The plugin should also catch any content with this MIME type, but
I haven't actually verified this.

Since I'm lazy, this plugin requires the Motif (or Lesstif) library.
It should be trivial to convert to another toolkit; it would be a lot
more work to implement a scrolling text window in Xlib.

This plugin is not intended for serious use, nor as a tongue-in-cheek
suggestion for people who can't figure out "openssl x509 -noout -text".
It's purely proof-of-concept - can you create a plugin that links in
both Motif (or Qt/Gnome/whatever) and OpenSSL and have it actually
do something?

What's a serious use for this type of plugin?  Perhaps something that
establishes a secure connection to a streaming media server with 
sensitive information, e.g., a "real media player" that has realtime
stock quotes instead of the time-delayed quotes available to the
public.  Or perhaps a plugin that only displays content with a valid
S/MIME signature.

I've posted this announcement to -users in case people have ideas about
possible applications, and to -dev so it can be added to the contrib
directory.

This package is available at the same URL.

A copy of this announcement has been sent to crypt@bxa.doc.gov.

From owner-openssl-users@openssl.org  Thu Jan  3 16:17:51 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA23419; Thu, 3 Jan 2002 16:17:04 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users@openssl.org
	id QAA23212; Thu, 3 Jan 2002 16:15:06 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via SMTP for <openssl-users@openssl.org>
	from web20401.mail.yahoo.com id KAA06883; Thu, 3 Jan 2002 10:46:15 +0100 (MET)
Message-ID: <20020103094613.43034.qmail@web20401.mail.yahoo.com>
Received: from [202.138.163.51] by web20401.mail.yahoo.com via HTTP; Thu, 03 Jan 2002 01:46:13 PST
Date: Thu, 3 Jan 2002 01:46:13 -0800 (PST)
From: Alvin Ian Paule <alvin_ian_paule@yahoo.com>
Subject: throw problem
To: gnu@gnu.org, openssl-users@openssl.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Alvin Ian Paule <alvin_ian_paule@yahoo.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

i have a weird problem here concerning the throw
function and the -lcrypto lib. whenever a program was
linked with -lcrypto and a throw is executed, the
program does not catch it with the catch() handler.
instead, the program terminates and produces a core
dump. i was wondering why it happens.  the following
is the source code i used (i made it as simple as
possible and it was written in a file named
program.cc):

--------------------------------------------------------
#include <iostream>
#include <string>

using namespace std;

class Program {
public:    
    Program();    
};

Program::Program() {
    throw string("error\n");
}

int main(void)
{   
    try {
        Program p;
    }

    catch (string s) {
        cout << s ;
    }

    return 0;
}
--------------------------------------------------------

here is the makefile i used to compile and link the
program:

--------------------------------------------------------
# COMPILER OPTIONS
CC      = g++
FLG     = -c 
LIB     = -L/usr/local/ssl/lib -lcrypto
COM     = 

# FILE GROUPS
SRC   = program.cc
EXE   = program
OBJ   = program.o

# MAKE OPTIONS
all  : $(OBJ) $(EXE) 
clean: 
	rm -f *.o $(EXE)

# LM OBJECT FILES
program.o    : $(SRC)
	$(CC) $(COM) $(FLG) $(SRC) -o $(OBJ)

# EXECUTABLE FILES
program      : $(OBJ)  
	$(CC) $(OBJ) $(LIB) -o $(EXE)
--------------------------------------------------------

as additional info, my compiler is a gcc 3.0.2, the
libcrypto i used is libcrypto.0.9.6, my operating
system is a Solaris 8, and my machine is a Sun Ultra
10.  i hope you could solve the problem or at least
have an idea i could use to solve it. thanks!

alvin


From owner-openssl-users@openssl.org  Thu Jan  3 16:41:33 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA24716; Thu, 3 Jan 2002 16:40:13 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from xenau105.zenez.com id QAA24678; Thu, 3 Jan 2002 16:39:27 +0100 (MET)
Received: from xenau105.zenez.com (xenau105.zenez.com [198.60.105.2]) by xenau105.zenez.com (8.11.0/SCO5) with ESMTP id g03FdPL05460 for <openssl-users@openssl.org>; Thu, 3 Jan 2002 08:39:25 -0700 (MST)
Date: Thu, 3 Jan 2002 08:39:25 -0700 (MST)
From: Boyd Lynn Gerber <gerberb@zenez.com>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Subject: Re: Random number generator
In-Reply-To: <20020103221700.19266.qmail@hk.sina.com.hk>
Message-ID: <Pine.SC5.4.43.0201030839080.5436-100000@xenau105.zenez.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Boyd Lynn Gerber <gerberb@zenez.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

On Thu, 3 Jan 2002, [big5] c_puiyee wrote:
> Date: Thu, 3 Jan 2002 22:17:00 +0800
> From: "[big5] c_puiyee" <c_puiyee@sinagirl.com>
> Reply-To: openssl-users@openssl.org
> To: "[big5] openssl-users@openssl.org  " <openssl-users@openssl.org>
> Subject: [big5] Random number generator
>
>
> Dear Sir/Madam,
>        I am searching for a PRNG for an application. How can I extract only the random number generator of OpenSSL?

Author:
=======
- Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>

Download:
=========
- The latest version of PRNGD can be accessed via
  http://ftp.aet.TU-Cottbus.DE/personen/jaenicke/postfix_tls/prngd.html



--
Boyd Gerber <gerberb@zenez.com>
ZENEZ	3748 Valley Forge Road, Magna Utah  84044


From owner-openssl-users@openssl.org  Thu Jan  3 16:51:16 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA25609; Thu, 3 Jan 2002 16:50:15 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from zolera.com id QAA25580; Thu, 3 Jan 2002 16:49:41 +0100 (MET)
Received: from zolera.com (os390.zolera.com [10.0.1.9])
	by zolera.com (8.11.6/8.11.6) with ESMTP id g03FqBK15921;
	Thu, 3 Jan 2002 10:52:11 -0500
Message-ID: <3C347E2B.8050107@zolera.com>
Date: Thu, 03 Jan 2002 10:52:11 -0500
From: Rich Salz <rsalz@zolera.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6) Gecko/20011120
X-Accept-Language: en-us
MIME-Version: 1.0
To: Bear Giles <bear@coyotesong.com>
CC: openssl-users@openssl.org
Subject: Re: Root cert questions
References: <200201021806.LAA00362@eris.coyotesong.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Rich Salz <rsalz@zolera.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

By definition, a "root cert" is one where the issuer is also the signer.
How you determine issuer===signer can be problematic (insert various 
Gutmann data here :), but most software probably compares DN's. If your 
libpkixpq functions generate the keyid if not present, then your schema 
looks correct.  A more correct term, although not as impressive, is 
probably "self-signed cert."

	/r$
-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com


From owner-openssl-users@openssl.org  Thu Jan  3 16:53:16 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id QAA25696; Thu, 3 Jan 2002 16:52:09 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from brev.stacken.kth.se id QAA25676; Thu, 3 Jan 2002 16:51:56 +0100 (MET)
Received: from localhost (chicken.stacken.kth.se [130.237.234.71])
	by brev.stacken.kth.se (8.9.3/8.9.3) with ESMTP id QAA19816;
	Thu, 3 Jan 2002 16:51:55 +0100 (MET)
Date: Thu, 03 Jan 2002 16:51:49 +0100 (MET)
Message-Id: <20020103.165149.82047530.levitte@stacken.kth.se>
To: openssl-users@openssl.org, jj@scn.org
Subject: Re: Wrong "CC" in Makefiles.
From: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
In-Reply-To: <Pine.SUN.3.96.1020101180145.1391A-100000@scn>
References: <Pine.SUN.3.96.1020101180145.1391A-100000@scn>
X-Mailer: Mew version 2.0 pre4 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-URL: http://www.stacken.kth.se/~levitte/
X-mailhacking1: I do not send mail using QP.  I use 8bit instead.  However,
 some
X-mailhacking2: mail servers on the way might find pleasure in converting my
X-Mailhacking3: messages to QP anyway.  I will not be responsible for that.
X-mailhacking4: See
 =?iso-8859-1?Q?http://www.lysator.liu.se/=E5ttabitars/?= to see the
 reasons.
X-Waved: dead chicken, GNU Emacs 20.6.1, Mew version 2.0 pre4
X-Mew: See http://www.mew.org/
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

From: "J. Johnson" <jj@scn.org>

jj> In OpenSSL 0.9.6b, for both SunOS 4 and Solaris 2.6, I have noticed that
jj> specifying gcc as the compiler is reflected in some of the Makefiles, but
jj> not all:  in some of subdirectories "CC" is left set to the default "cc".

If you take a closer look, you will see that any normal (i.e. "make" in
any directory) build will go back to the top-most makefile, which in
turn calls submakes with a lot of variables set on the command line.
CC is one of them.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus:             http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

From owner-openssl-users@openssl.org  Thu Jan  3 17:03:08 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id RAA26249; Thu, 3 Jan 2002 17:02:21 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from brev.stacken.kth.se id RAA26225; Thu, 3 Jan 2002 17:01:49 +0100 (MET)
Received: from localhost (chicken.stacken.kth.se [130.237.234.71])
	by brev.stacken.kth.se (8.9.3/8.9.3) with ESMTP id RAA20009;
	Thu, 3 Jan 2002 17:01:48 +0100 (MET)
Date: Thu, 03 Jan 2002 17:01:42 +0100 (MET)
Message-Id: <20020103.170142.36853196.levitte@stacken.kth.se>
To: openssl-users@openssl.org, bear@coyotesong.com
Subject: Re: Root cert questions
From: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
In-Reply-To: <200201021806.LAA00362@eris.coyotesong.com>
References: <200201021806.LAA00362@eris.coyotesong.com>
X-Mailer: Mew version 2.0 pre4 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-URL: http://www.stacken.kth.se/~levitte/
X-mailhacking1: I do not send mail using QP.  I use 8bit instead.  However,
 some
X-mailhacking2: mail servers on the way might find pleasure in converting my
X-Mailhacking3: messages to QP anyway.  I will not be responsible for that.
X-mailhacking4: See
 =?iso-8859-1?Q?http://www.lysator.liu.se/=E5ttabitars/?= to see the
 reasons.
X-Waved: dead chicken, GNU Emacs 20.6.1, Mew version 2.0 pre4
X-Mew: See http://www.mew.org/
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

From: Bear Giles <bear@coyotesong.com>

bear> I have two quick questions about root certs:
bear> 
bear> 1) can they have a serial number?

Yes.  When created with OpenSSL, it's often set to 0.

bear> 2) should they have different subject and issuer?

Nope.  A root cert has by definition subject and issuer being the
same.  Otherwise, that wouldn't be the root, would it.

bear> The rationale behind the second question is vague memories
bear> of people reporting problems with MS (of course) products
bear> accepting certs with an identical subject and issuer fields.
bear> The reported workaround was changing the issuer field.

I haven't had any problems, but it may depend on the use.  A root cert
should be a CA cert, not an end cert.

bear> Since this is CA table, it can ensure that the subject and authority
bear> keyids are always valid, but they aren't unique identifiers.  Serial
bear> numbers are unique, but with null values there would still be problems
bear> in using them as a primary key / foreign key.

Note that serial numbers are (or at least should be) unique *per issuer*!
This means that if you have a flat space of serial numbers with no
regard to the issuer (as it appears according to your primary key),
you lose.  If you want to use the serial number as part of a key, the
key should be the tuple <issuer, serial>.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus:             http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

From owner-openssl-users@openssl.org  Thu Jan  3 21:42:17 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id VAA09585; Thu, 3 Jan 2002 21:41:34 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from mtiwmhc26.worldnet.att.net id VAA09559; Thu, 3 Jan 2002 21:40:51 +0100 (MET)
Received: from att.net ([12.89.77.156]) by mtiwmhc26.worldnet.att.net
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020103204040.OBJX13869.mtiwmhc26.worldnet.att.net@att.net>
          for <openssl-users@openssl.org>; Thu, 3 Jan 2002 20:40:40 +0000
Message-ID: <3C34C109.5556AA0F@att.net>
Date: Thu, 03 Jan 2002 15:37:29 -0500
From: Frank Geck <fgeck@att.net>
Organization: KeyWay Security
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: openssl-users@openssl.org
Subject: Re: Problem with PKCS7 verify
References: <3C307BF3.32ED7139@att.net> <3C30917E.8B940DAE@gemplus.com> <3C3097A5.B7E06FA3@att.net> <3C30B062.CBD5D54F@gemplus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Frank Geck <fgeck@att.net>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Steve,
    I seem to have narrowed the problem down to a platform issue I think.  On
Solaris 2.8 it is not working but when I move it to Linux RH7.0 it works fine.
I'm using 0.9.6b.  Any Solaris issues other than the random number generator
problem?

Thanks,

Frank

Dr S N Henson wrote:

> Frank Geck wrote:
> >
> > Steve,
> >     Thanks.  How did I " tells it to ignore verify errors.."?   Did not do
> > that on purpose to my understanding.
> >
>
> Well there's a tendency to copy some of the verify callback examples in
> various files from OpenSSL. These are largely there for debugging
> purposes and to give more information about errors. These will typically
> return 1 in some or all circumstances when the supplied 'ok' parameter
> is zero. From your example:
>
>         if (!ok)
>         {
>                 BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
>                         X509_verify_cert_error_string(err));
>                 if (depth < 6)
>                 {
>                         ok=1;
>                         X509_STORE_CTX_set_error(ctx,X509_V_OK);
>                 }
>         ...
>
> This is actually rather dangerous for real purposes in that it's telling
> the verify code to ignore all errors below a certain depth. Effectively
> allowing any certificate (or chain) to be considered valid.
>
> Unless you want to customize certificate verification in some way you
> rarely need a verify callback at all.
>
> >     Well I put the CA cert in the store with a link to the hashed name also
> > with a .0 after it.  This worked on another program that I did but I seem to
> > be having a problem now.  If you don't mind could you look at the piece of
> > code that I have going this and see if you see any problems (attached)?
> >
>
> Is there some reason you can't use PKCS7_verify()? It's somewhat simpler
> to use than the low level stuff.
>
> Also try verifying the structure using the 'smime' application. If you
> can get it working with that it should be OK. Also you can use the
> openssl utilities 'pkcs7' (to extract certificates) and 'verify' to see
> if you can get the certificate to verify.
>
> Usually the cause of such errors is that the root CA isn't included or
> can't be found in the trusted certificate store.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: shenson@drh-consultancy.demon.co.uk
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: drh@celocom.com PGP key: via homepage.

From owner-openssl-users@openssl.org  Fri Jan  4 00:38:21 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id AAA19604; Fri, 4 Jan 2002 00:36:29 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from finch-post-10.mail.demon.net id AAA19564; Fri, 4 Jan 2002 00:35:45 +0100 (MET)
Received: from drh-consultancy.demon.co.uk ([193.237.150.98] helo=gemplus.com)
	by finch-post-10.mail.demon.net with esmtp (Exim 2.12 #1)
	id 16MHOi-000ECi-0A
	for openssl-users@openssl.org; Thu, 3 Jan 2002 23:35:44 +0000
Message-ID: <3C34EB75.CC810770@gemplus.com>
Date: Thu, 03 Jan 2002 23:38:29 +0000
From: Dr S N Henson <stephen.henson@gemplus.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: openssl-users@openssl.org
Subject: Re: Problem with PKCS7 verify
References: <3C307BF3.32ED7139@att.net> <3C30917E.8B940DAE@gemplus.com> <3C3097A5.B7E06FA3@att.net> <3C30B062.CBD5D54F@gemplus.com> <3C34C109.5556AA0F@att.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Dr S N Henson <stephen.henson@gemplus.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Frank Geck wrote:
> 
> Steve,
>     I seem to have narrowed the problem down to a platform issue I think.  On
> Solaris 2.8 it is not working but when I move it to Linux RH7.0 it works fine.
> I'm using 0.9.6b.  Any Solaris issues other than the random number generator
> problem?
> 

Try extracting the signer's certificate and verifying manually with the
openssl verify utility. Try both the -CAfile and -CApath options for the
root CA.

If both work then there's some problem with the program or its setup. If
one or both options fail then it may be something else.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: shenson@drh-consultancy.demon.co.uk 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: drh@celocom.com PGP key: via homepage.
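
The manual check suggested in the reply above, as an added example that is not part of the original message or of OpenSSL: it extracts the certificate from a PKCS#7 signature and runs `openssl verify` with -CAfile, with a hashed -CApath directory, and with a directory that holds the CA but not under its `<hash>.0` name. The CA, signer, message and all file names are constructed throw-away fixtures (assumptions).

```sh
#!/bin/sh
# Added illustration: every file below is a constructed throw-away fixture.

# Build a scratch root CA, a signer certificate and a PEM PKCS#7 signature in $1.
make_fixture() {
    d=$1
    mkdir -p "$d/capath" "$d/unhashed" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example Test/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Test/CN=Example Signer" \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -out "$d/signer.pem" 2>/dev/null &&
    printf 'constructed test message\n' > "$d/msg.txt" &&
    openssl smime -sign -in "$d/msg.txt" -signer "$d/signer.pem" \
        -inkey "$d/signer.key" -outform PEM -out "$d/msg.p7" 2>/dev/null
}

# Step 1: pull the certificates out of the PKCS#7 structure.
extract_certs() {   # $1 = PKCS#7 PEM file, $2 = output file
    openssl pkcs7 -in "$1" -print_certs -out "$2"
}

# Step 2: a -CApath directory only works if the CA is reachable under the
# name <subject-hash>.0 (a symlink to the CA file works as well as a copy).
install_hashed() {  # $1 = CA certificate, $2 = directory
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    cp "$1" "$2/$h.0"
}

# True only when `openssl verify` prints "<file>: OK". The output is checked
# rather than the exit status alone (assumption: old releases may exit 0 on failure).
verify_ok() {       # $1 = -CAfile or -CApath, $2 = trust source, $3 = certificate
    openssl verify "$1" "$2" "$3" 2>&1 | grep -q ': OK$'
}

# Run the whole procedure in scratch directory $1 and print one summary line.
diagnose() {
    d=$1
    make_fixture "$d" && extract_certs "$d/msg.p7" "$d/extracted.pem" &&
        install_hashed "$d/ca.pem" "$d/capath" || { echo "setup failed"; return 1; }
    cp "$d/ca.pem" "$d/unhashed/ca.pem"   # CA present, but not under its hash name
    r_file=FAIL; r_path=FAIL; r_bad=FAIL
    verify_ok -CAfile "$d/ca.pem"   "$d/extracted.pem" && r_file=OK
    verify_ok -CApath "$d/capath"   "$d/extracted.pem" && r_path=OK
    verify_ok -CApath "$d/unhashed" "$d/extracted.pem" && r_bad=OK
    echo "CAfile=$r_file CApath=$r_path unhashed=$r_bad"
}

tmp=$(mktemp -d) && diagnose "$tmp"
rm -rf "$tmp"
```

If -CAfile succeeds while -CApath fails, the hashed directory is the first thing to inspect. The `<hash>.0` name should be generated by the same OpenSSL that will read the directory, because the subject-hash algorithm changed in OpenSSL 1.0.0.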

From owner-openssl-users@openssl.org  Fri Jan  4 02:18:12 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id CAA24684; Fri, 4 Jan 2002 02:17:22 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from www.nsfocus.com id CAA24663; Fri, 4 Jan 2002 02:16:39 +0100 (MET)
Received: from magpie (intra.nsfocus.com [211.167.65.123])
	by NSFOCUS (1.1.1) with SMTP id g0417bg77291
	for <openssl-users@openssl.org>; Fri, 4 Jan 2002 09:07:40 +0800 (CST)
Message-Id: <200201040107.g0417bg77291@www.nsfocus.com>
Date: Fri, 4 Jan 2002 9:17:58 +0800
From: liqun <liqun@nsfocus.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Subject: Re: ssl handshake - what happens?
X-mailer: FoxMail 4.0 beta 2 [cn]
Mime-Version: 1.0
Content-Type: text/plain;
      charset="GB2312"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by opensource.ee.ethz.ch id CAA24670
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: liqun <liqun@nsfocus.com>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

Hi, René Gebauer!

You can use ssldump to see what on earth they say. You can get ssldump from http://www.rtfm.com/ssldump/


======= 2002-01-03 15:31:00 your mail said: =======

>hi,
>i use openssl in my own application under win2000 and win98. all openssl
>function calls run in one thread (to avoid blocking) and there are some other
>threads of my application.
>under win2000 the handshake takes more than 30 seconds, but under win98 it
>will be ready after 5 seconds. i tried to find out more about this problem
>and used a sniffer to see the traffic from client to server and back. these
>are the results:
>1) client sends data to server --> i think this is the 'hello'
>2) server responds --> should be the 'server hello'
>3) client sends data to server --> should be the 'use this pre-master
>secret'
>4) NOW NOTHING HAPPENS FOR 30 SECONDS --> my problem !!!
>5) client sends message to server --> should be the 'client will encrypt
>future data with the session key'
>6) ... and so on ...
>
>NOW MY QUESTION: what happens at step 4 ? why does it take so long under
>win2000 ? is a key created at this time? if so, can i create this key
>somehow else (without connecting to the server)??
>i tried to set my own thread (which calls the openssl functions) to a higher
>priority. now the handshake takes just 25 seconds, but my whole system slows
>down. ... and this should be not the solution for my problem ;)
>
>.... any suggestion ??
>
>rené

= = = = = = = = = = = = = = = = = = = =

liqun
liqun@nsfocus.com
2002-01-04
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
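
One way to locate the stall described in step 4 from an ssldump trace, as an added example that is not part of the original thread. The trace is constructed, modelled on ssldump's record lines (connection, record number, time since connection start, time since the previous record in parentheses, direction, record type), and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of ssldump output, not a real capture.
SAMPLE_TRACE = """\
New TCP connection #1: client(1045) <-> server(443)
1 1  0.0102 (0.0102)  C>S  Handshake
      ClientHello
1 2  0.0350 (0.0248)  S>C  Handshake
      ServerHello
1 3  0.0351 (0.0001)  S>C  Handshake
      Certificate
1 4  0.0352 (0.0001)  S>C  Handshake
      ServerHelloDone
1 5  0.0910 (0.0558)  C>S  Handshake
      ClientKeyExchange
1 6  30.4125 (30.3215)  C>S  ChangeCipherSpec
1 7  30.4130 (0.0005)  C>S  Handshake
1 8  30.4500 (0.0370)  S>C  ChangeCipherSpec
1 9  30.4502 (0.0002)  S>C  Handshake
"""

RECORD = re.compile(
    r"^(?P<conn>\d+)\s+(?P<seq>\d+)\s+(?P<t>\d+\.\d+)\s+\((?P<delta>\d+\.\d+)\)"
    r"\s+(?P<dir>C>S|S>C)\s+(?P<type>\S.*?)\s*$")

def parse_records(trace):
    """Parse record lines; attach the first indented line as the message name."""
    records = []
    for line in trace.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"conn": int(m["conn"]), "seq": int(m["seq"]),
                            "delta": float(m["delta"]), "dir": m["dir"],
                            "type": m["type"], "msg": None})
        elif records and line.startswith(" ") and line.strip() \
                and records[-1]["msg"] is None:
            records[-1]["msg"] = line.strip()
    return records

def find_stalls(records, threshold=1.0):
    """Return gaps of at least `threshold` seconds inside one connection."""
    stalls = []
    for prev, cur in zip(records, records[1:]):
        if cur["conn"] == prev["conn"] and cur["delta"] >= threshold:
            stalls.append({
                "seconds": cur["delta"],
                "after": prev["msg"] or prev["type"],
                "before": cur["msg"] or cur["type"],
                # The record that ends the gap came from this side, so the
                # time was spent there or on the path from it.
                "next_sender": "client" if cur["dir"] == "C>S" else "server",
            })
    return stalls
```

In the constructed trace the only gap above the threshold sits between ClientKeyExchange and the client's own ChangeCipherSpec, which is the pattern the question describes in steps 3 to 5.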

From owner-openssl-users@openssl.org  Fri Jan  4 15:06:11 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-users-L
	id PAA02300; Fri, 4 Jan 2002 15:05:17 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-users@openssl.org>
	from mtiwmhc22.worldnet.att.net id PAA02295; Fri, 4 Jan 2002 15:05:00 +0100 (MET)
Received: from att.net ([12.89.131.155]) by mtiwmhc22.worldnet.att.net
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020104140452.XFAM941.mtiwmhc22.worldnet.att.net@att.net>
          for <openssl-users@openssl.org>; Fri, 4 Jan 2002 14:04:52 +0000
Message-ID: <3C35B5CE.7E0BAFDA@att.net>
Date: Fri, 04 Jan 2002 09:01:51 -0500
From: Frank Geck <fgeck@att.net>
Organization: KeyWay Security
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: openssl-users@openssl.org
Subject: Re: Problem with PKCS7 verify
References: <3C307BF3.32ED7139@att.net> <3C30917E.8B940DAE@gemplus.com> <3C3097A5.B7E06FA3@att.net> <3C30B062.CBD5D54F@gemplus.com> <3C34C109.5556AA0F@att.net> <3C34EB75.CC810770@gemplus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-users@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Frank Geck <fgeck@att.net>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-users

I've done that and in both cases it verified the cert just fine.  Please let me just
check with you what I did to make sure I did it correctly.

First take the PKCS7 file and get certs out
openssl pkcs7 -in data.signed -print_certs -out certs.pem

Then verify cert(s)
openssl verify -CApath <path to ca cert> certs.pem
openssl verify -CAfile <full qualified path to  ca cert> certs.pem

So this tells me 