Re: how to generate PRNG in Solaris 8 ?

2003-01-11 Thread Marek . Dolezal


you can use the ANDIrand package from
http://anders.fix.no/solaris/pkg/sol8/random/.
works fine.

regards

**
Marek Dolezal, SE
COMPAREX Informační systémy spol. s r.o.
Zavadilova 5/1296
160 00 Praha 6, Czech republic
Tel: +420 2 2431 8781
Fax: +420 2 2432 2292
Mobile: +420 724 035 531
[EMAIL PROTECTED]
http://www.comparex.cz
**

"Leonardo Lagos" <[EMAIL PROTECTED]>
Sent by: owner-openssl-users@openssl.org
03.01.2003 16:57
Please respond to openssl-users

To: <[EMAIL PROTECTED]>
cc:
Subject: how to generate PRNG in Solaris 8 ?




Hi People,

After downloading openssl and openssh from sunfreeware.com, for my sparc/8, I'm
getting the error "PRNG not seed" whenever I try to use ssh.

Reading the FAQ, this error is there, but I still am unable to fix it.

I've run, as root:

# /usr/local/ssl/bin/openssl
OpenSSL> rand 128
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in (the file will be overwritten).
563:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
seeded:md_rand.c:501:You need to read the OpenSSL FAQ,
http://www.openssl.org/support/faq.html
error in rand
OpenSSL>

So, what am I doing wrong??

I've also installed patch 112438-01, to enable random support, but the file
/dev/random is not in my system (I even rebooted the machine after installing
the patch).

Thanks a lot,

Leo

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]






What do RSA functions use?

2003-01-11 Thread Ramon Martinez Pena
Hello,
I'm doing a C program using RSA functions and I also have files that
contain digital signatures and digital certificates that I have created
with the commands of openssl (openssl genrsa, openssl rsautl and
openssl req). These files are .key and .crt and I don't know what
functions are available in C to let me work with these files.
Can you help me?
Thanks in advance.
PS: I have read something about PKCS#12 files (.p12 and .pem) that
maybe let me work in C but it isn't very clear what functions I
can use for this.


Proxy'ing client certs

2003-01-11 Thread Chandrasekhar R S
I have the following scenario -

client-Proxy  - server.
SSLClient -   SSLServer | SSLClient   - SSL Server.

It is my intent to pass on the client's certificate to the server for
verification and acceptance.

Since the connection is via a proxy, the client's certificate could reach
up to the proxy only and not beyond, to the server.  I believe that the
proxy should not be able to use the client's cert in its connection with the
server, as the client certificate is tightly coupled with its public key.

I have visited the redhat's Stronghold webpage and their proxy server seems
to be capable of doing just this.

Is anyone aware of the technique employed?

Namaste,
R S Chandrasekhar
[EMAIL PROTECTED]
ISD : 091-080-2051166
Telnet : 847-1166
Phone : 2052427



obtaining expiry dates

2003-01-11 Thread Dicks, Gareth M
Hi,

I'm trying to write an automated script to check for pending expiry dates in
SSL certs. I know how to get this info from a standard cert file in X509
format:-

openssl x509 -in cert.cer -enddate

The problem is I have inherited a set of iPlanet web servers with the certs
already loaded with no sign of the original certificates. Does anyone know
any method of extracting the certs from the iPlanet database into a format
that can be used with openssl?

Thanks,
Gareth



trouble compiling

2003-01-11 Thread Wayne Thomas
I am attempting to compile openssl-0.9.7 on my Solaris 8 Sun Blade 100
with simply ./config and make. The following error occurs:

"/usr/ucbinclude/signal.h", line 49: syntax error before or at: int
"/usr/ucbinclude/signal.h", line 49: warning: undefined or missing type
for: int
*** Error code 2
make: Fatal error: Command failed for target `speed.o'
Current working directory /usr/local/src/openssl-0.9.7/apps
*** Error code 1
make: Fatal error: Command failed for target `sub_all'

Any suggestions on how to get past this?

thanks,
Wayne Thomas



problem running tests on Windows CE

2003-01-11 Thread b l
hi,
i'm having difficulty running all the tests on Windows
CE.
the PRNG hasn't been seeded so key gen tests won't
work.
how can i seed the PRNG on the Pocket PC ?
i have read the faq but i don't quite understand.
do i have to create a RANDFILE environment variable on
the Pocket Pc (how is this done?)
and copy a corresponding random file onto the WCE
device or how do i do it.

thanks

this is the error i get when testss.bat is run

testss
make a certificate request using 'req'
Loading 'screen' into random state - done
unable to load 'random state'
This means that the random number generator has not
been seeded
with much random data.
Generating a 512 bit RSA private key
252953866:error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seed
ed:.\crypto\rand\md_rand.c:503:You need to read the
OpenSSL FAQ, http://www.open
ssl.org/support/faq.html
252953866:error:04069003:rsa
routines:RSA_generate_key:BN lib:.\crypto\rsa\rsa_g
en.c:182:




Some functions are just plain slow... [Re-Sent]

2003-01-11 Thread Raymond C . Rodgers
I've managed to get OpenSSL 0.9.7 compiled and installed on a BeOS R5.0.x 
system with BONE (a networking stack), but I'm not able to use OpenSSL for 
reasons I've yet to determine. When I start up a freshly compiled app that 
uses OpenSSL, and has worked fine under previous versions, I'm seeing that 
RAND_egd(), RAND_status(), and other functions (including SSL_connect()) are 
taking minutes to finish executing. I believe these functions are actually 
failing, but I haven't been able to get any details on exactly what's 
happening.

Even "make test" for OpenSSL takes an extremely long time (over 12 hours in 
fact), especially in exptest and randtest. I'm going to attach the 
maketest.log file to this message so anyone that might have a clue what's 
happening might be able to help. According to the maketest.log, the tests 
passed but when in use my application's connection is timing out long before 
it establishes a SSL connection. I hardly think that's successful.

So, what configure options might cause such pitiful performance? I compiled 
OpenSSL with the following options:
-DOPENSSL_THREADS  -DOPENSSL_NO_KRB5 -DTERMIO -m486 l -D_REENTRANT -DSHA1_ASM 
-DMD5_ASM -DELF -DNO_SYSLOG -DNO_SYS_UN_H -DTERMIOS -DL_ENDIAN -fomit-frame-
pointer -O3 -m486  -DSHA1_ASM -DMD5_ASM -DRMD160_ASM


Any and all help is appreciated.
Raymond


make[1]: Entering directory `/zanos/openssl/openssl-0.9.7_bone'
testing...
make[2]: Entering directory `/zanos/openssl/openssl-0.9.7_bone/test'
make[3]: Entering directory `/zanos/openssl/openssl-0.9.7_bone'
making all in apps...
make[4]: Entering directory `/zanos/openssl/openssl-0.9.7_bone/apps'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/zanos/openssl/openssl-0.9.7_bone/apps'
make[3]: Leaving directory `/zanos/openssl/openssl-0.9.7_bone'
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./destest
Doing cbcm
Doing ecb
Doing ede ecb
Doing cbc
Doing desx cbc
Doing ede cbc
Doing pcbc
Doing cfb8 cfb16 cfb32 cfb48 cfb64 cfb64() ede_cfb64() done
Doing ofb
Doing ofb64
Doing ede_ofb64
Doing cbc_cksum
Doing quad_cksum
input word alignment test 0 1 2 3
output word alignment test 0 1 2 3
fast crypt test 
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ideatest
ecb idea ok
cbc idea ok
cfb64 idea ok
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./shatest
test 1 ok
test 2 ok
test 3 ok
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./sha1test
test 1 ok
test 2 ok
test 3 ok
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./md4test
test 1 ok
test 2 ok
test 3 ok
test 4 ok
test 5 ok
test 6 ok
test 7 ok
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./md5test
test 1 ok
test 2 ok
test 3 ok
test 4 ok
test 5 ok
test 6 ok
test 7 ok
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./hmactest
test 0 ok
test 1 ok
test 2 ok
test 3 ok
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_PATH="$LIBPATH"; 
SHLIB_PATH="$LIBPATH"; if [ "beos-elf" = "DJGPP" ]; then PATH="$LIBPATH\;$PATH"; elif 
[ "beos-elf" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH 
DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./md2test
test 1 ok
test 2 ok
test 3 ok
test 4 ok
test 5 ok
test 6 ok
test 7 ok
LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$LIBPATH"; DYLD_LIBRARY_

Re: shared library not built on linux

2003-01-11 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Fri, 10 
Jan 2003 15:43:42 +, Andrew Marlow <[EMAIL PROTECTED]> said:

apm35> Hello, an earlier msg in this archive indicated that there are
apm35> problems building libssl.so on linux-sparc but I have the same
apm35> problem just building the shared library on a linux PC.
apm35> Has the issue of silently not building a shared library
apm35> even when it has been explicitly asked for been addressed yet please?

I've just added some text in Configure that warns the user about that.

Please test tomorrow's snapshot.

Note, this is for the 0.9.7 and 0.9.8-dev branches only.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: Proxy'ing client certs

2003-01-11 Thread Vadim Fedukovich
On Fri, Jan 10, 2003 at 02:57:12PM +0530, Chandrasekhar R S wrote:
> I have the following scenario -
> 
>   client-Proxy  - server.
> SSLClient -   SSLServer | SSLClient   - SSL Server.
> 
> It is my intent to pass on the clients certificate to the server for
> verification and acceptance.
> 
> Since, the connection is via a proxy, the clients certificate could reach
> upto the proxy only and not beyond, to the server.  I believe, that the
> proxy should not be able to use the clients cert in its connection with the
> server, as the client certificate is tightly coupled with its public key.
> 
> I have visited the redhat's Stronghold webpage and their proxy server seems
> to be capable of doing just this.
> 
> Is anyone aware of the technique employed.

CONNECT method of HTTP can be used to setup TCP connections first
and run SSL next. Proxy could forward SSL traffic

> 
> Namaste,
> R S Chandrasekhar
> [EMAIL PROTECTED]
> ISD : 091-080-2051166
> Telnet : 847-1166
> Phone : 2052427
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
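
The CONNECT approach suggested in this reply, as an added Python example that is not part of the original thread: the client asks the proxy for a raw tunnel and only then starts TLS, so the handshake (including the client certificate) runs end to end with the server. The proxy address, host names and certificate file paths passed in are assumptions supplied by the caller.

```python
import socket
import ssl


def connect_request(host, port):
    """Build the HTTP CONNECT request that asks the proxy for a raw tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def tunnel_established(reply):
    """True only for a complete header block whose status code is 2xx."""
    if b"\r\n\r\n" not in reply:
        return False
    parts = reply.split(b"\r\n", 1)[0].split(None, 2)
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and len(parts[1]) == 3 and parts[1].isdigit()
            and parts[1].startswith(b"2"))


def open_tls_via_proxy(proxy, host, port, certfile, keyfile, timeout=10.0):
    """Tunnel through proxy=(addr, port), then run TLS end to end.

    After CONNECT the proxy only relays bytes, so the origin server sees the
    client's own certificate and the proxy never needs the private key.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(connect_request(host, port))
        reply = b""
        while b"\r\n\r\n" not in reply and len(reply) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        if not tunnel_established(reply):
            raise ConnectionError(f"proxy refused CONNECT: {reply[:60]!r}")
        ctx = ssl.create_default_context()      # still verifies the origin server
        ctx.load_cert_chain(certfile, keyfile)  # client cert presented to the server
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```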



Re: obtaining expiry dates

2003-01-11 Thread Vadim Fedukovich
On Fri, Jan 10, 2003 at 04:52:07PM -, Dicks, Gareth M wrote:
> Hi,
> 
> I'm trying to write an automated script to check for pending expiry dates in
> SSL certs. I know how to get this info from a standard cert file in X509
> format:-
> 
> openssl x509 -in cert.cer -enddate
> 
> The problem is I have inherited a set of iPlanet web servers with the certs
> already loaded with no sign of the original certificates. Does anyone know
> any method of extracting the certs from the iPlanet database into a format
> that can be used with openssl?

could you run s_client to talk to your servers?

> 
> Thanks,
> Gareth
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
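
One way to script the idea in this reply, as an added Python example that is not part of the original thread: it reads each certificate from a live handshake with the server, using Python's ssl module in place of the s_client command, and classifies the expiry date. The host list, the 30-day warning window and the sample date are assumptions.

```python
import socket
import ssl
import time

# Constructed sample in the format getpeercert() returns for notAfter.
SAMPLE_NOT_AFTER = "Jan 11 12:00:00 2004 GMT"


def fetch_not_after(host, port=443, timeout=10.0):
    """Handshake with the server and return its certificate's notAfter field."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, warn_days=30, now=None):
    """Map an expiry date to EXPIRED, WARN (inside the window) or OK."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "WARN" if remaining < warn_days else "OK"


def check_hosts(hosts, warn_days=30):
    """Return {host: status} for every server name in hosts."""
    report = {}
    for host in hosts:
        try:
            report[host] = classify(fetch_not_after(host), warn_days)
        except ssl.SSLCertVerificationError as exc:
            # A verifying handshake rejects certificates that are already
            # expired or untrusted, so report that instead of a date.
            report[host] = f"VERIFY_FAILED: {exc.verify_message}"
        except OSError as exc:
            report[host] = f"UNREACHABLE: {exc}"
    return report
```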



Re: how to generate PRNG in Solaris 8 ?

2003-01-11 Thread [EMAIL PROTECTED]
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Best Regards,
[EMAIL PROTECTED]

-- 
/*  Security is a work in progress - dreamwvr */
# 
# Note: To begin Journey type man afterboot,man help,man hier[.]  
# 
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]