Re: Windows 10 run-time issue

2019-10-03 Thread Andy Kennedy
Please excuse the top post, replying from my cell phone. And so it is. My bad! Andy On Thu, Oct 3, 2019, 8:25 AM Matt Caswell wrote: > > > On 03/10/2019 00:50, Andy Kennedy wrote: > > > So, I connect to the app with the VS debugger and find: > >

Windows 10 run-time issue

2019-10-02 Thread Andy Kennedy
bove description, can anyone tell me what I have done wrong in the build? Or, have I stumbled upon a bug? Thanks in advance for any assistance you can provide. Andy

Re: [openssl-users] RFC 7919 DH parameters and OpenSSL DH_check()

2019-01-03 Thread Andy Schmidt
Thank you Victor and Kurt for your quick replies! They were very helpful Best, Andy Schmidt On Thu, Jan 3, 2019 at 2:00 PM Kurt Roeckx wrote: > On Thu, Jan 03, 2019 at 12:18:05PM -0800, Andy Schmidt wrote: > > I am adding the RFC 7919 Diffie-Hellman parameters to our TLS serve

[openssl-users] RFC 7919 DH parameters and OpenSSL DH_check()

2019-01-03 Thread Andy Schmidt
e full group and the subgroup of the squares? I would like to use DH_check() to attempt to ensure that Diffie Hellman parameters haven't been tampered on operating systems that don't have digital signatures for executable binaries. The OpenSSL version in use is 1.0.2q. Any help is gre

Re: [openssl-users] Building OpenSSL 1.1.0h on HPUX 11 PARISC2 64bit

2018-06-08 Thread Andy Polyakov
Hi, > Since I can’t find any current pre-build versions of OpenSSL for this > platform, I am trying to build OpenSSL 1.1.0h with GCC 4.6.1 on HPUX 11.0. > > I’ve tried a basic ./config approach but that appears to select > hpux-parisc1_1-gcc when I want PARISC2. > > I tried building it, but h

Re: [openssl-users] OpenSSL 1.1.1pre2 alpha build error: MS Windows 32 bit

2018-03-01 Thread Andy Polyakov
On 03/01/18 01:46, Norm Green wrote: > It looks like 32 bit builds set the -WX flag (treat warnings as errors) > while the 64 bit builds don't. > > >     cl  -W3 -wd4090 -Gs0 -GF -Gy -nologo /MDd /Od -WX /Zi > /Fdossl_static /I "." /I "crypto\include" /I "include" /I > "crypto\ec\curve448\arc

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-24 Thread Andy Polyakov
> As for -lm, which symbol was undefined? > Undefined   first referenced   symbol in file fabs    test/ct_test.o >>> >>> ??? One can only wonder where does it come from. I see no fabs >>> anywher

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-24 Thread Andy Polyakov
As for -lm, which symbol was undefined? >>> >>> Undefined   first referenced >>>   symbol in file >>> fabs    test/ct_test.o >> >> ??? One can only wonder where does it come from. I see no fabs >> anywhere... Ah!

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-24 Thread Andy Polyakov
>> As for -lm, which symbol was undefined? >> > > Undefined   first referenced >  symbol in file > fabs    test/ct_test.o ??? One can only wonder where does it come from. I see no fabs anywhere... There also was remark a

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-24 Thread Andy Polyakov
> So testsuite is running but this is a non-optimal debug build and only > on the Fujitsu sparc and not on a baseline v9 yet. See "e_flags" in the > ELF header below which is somewhat restrictive. > >   e_flags:    [ EF_SPARCV9_TSO EF_SPARC_SUN_US1 EF_SPARC_SUN_US3 ] If "somewhat restrictive" ref

Re: [openssl-users] OpenSSL 1.1.1pre1 fails to build on AIX 7.1

2018-02-24 Thread Andy Polyakov
> Looks like no target .a file is passed to ar ? > > Note: OpenSSL 1.1.0 succeeds on this platform. > > > /export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl -i -pe 's/^.*\|//; s/ > \/(\\.|[^ ])*//; $_ = undef if (/: *$/ || /^(#.*| *)$/); $_.="\n" unless > !defined($_) or /\R$/g;' apps/s_socket.d

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-21 Thread Andy Polyakov
>> And "the default for all v9 architectures is -xmemalign=8s". > I'm getting confused.  Since I did not specify -xmemalign at all, And not specifying -xmemalign is equivalent of specifying 8s in 64-bit build such as one in question. > why > did the test fail with SIGBUS in the first place?  Seem

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-21 Thread Andy Polyakov
> So really we could do all manner of nasty things here and watch all > manner of performance results and cool coredumps and it would be fun to > try.  However the option -xmemalign=8s will enforce "There should be no > misaligned accesses in the program". And "the default for all v9 architectures

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-21 Thread Andy Polyakov
> https://github.com/openssl/openssl/pull/5423 I wonder how come the problem with asn1_encode_test.c went unnoticed so far. Objects on stack are customarily aligned at pointer size, even if their declaration doesn't imply corresponding guarantee. So there are two options here: a) it's first time i

Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC

2018-02-21 Thread Andy Polyakov
> Interesting comment : > > > Solaris x86 with Sun C setups >     # There used to be solaris-x86-cc target, but it was removed, >     # primarily because vendor assembler can't assemble our modules >     # with -KPIC flag. As result it, assembly support, was not even >     # available as opt

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-07 Thread Andy Polyakov
> A72 is running 1GHz compared to x86 at 2.1Ghz. So that should hopefully > get down to -1:5. And Mongoose will take you to ~1:2.5 (scaled to same frequency that is). Which I'd say is a fair result. Well, still could have been a bit better, but it's not unreasonable given ISA differences. Keep in

Re: [openssl-users] FW: problem with missing STDINT.H file

2017-02-07 Thread Andy Polyakov
>> The attached text file is a snippet from attempting to install >> openssl-1.1.0c on a Solaris 8 machine. As can be seen, failed when >> could not be found. > > Do you have inttypes.h instead? > > As Jeff pointed out in another email this is for uint32_t and similar > types. These get included

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-07 Thread Andy Polyakov
> Is big number Montgomery multiplication as optimized as it can be for > ARM64 as compared to X86-64 from the latest openssl github ? > We are not seeing vmull ( or pmull/pmull2) instructions in > armv8-mont.pl . > >On an ARM cortex-A72 (1GHz) and E5-2620 (

Re: [openssl-users] General approach for keeping a client cert from openssl

2016-12-19 Thread Andy Green
. Yes, it seems it's basically overloading one or more crypto action, so we need to match the action to what it wants to do with the cert key. But I guess to get started, we can do what we have code for. Thanks again I will study it. -Andy > -Kyle H > > On Mon, Dec 19, 2016

[openssl-users] General approach for keeping a client cert from openssl

2016-12-19 Thread Andy Green
" is smart, and we can run code there, and communicate with it. So we need to basically proxy OpenSSL operations on the "other side". I guess this is nothing new under the sun... what's the general approach to integrating this to OpenSSL? Thanks for any advice. -Andy

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-15 Thread Andy Polyakov
> 1. With compiler optimization disabled, OpenSSL 1.0.2d function worked > as it is. Another indication in favour of compiler bug is that it worked when you added printf. It's similar to quantum physics when by measuring you force particle to specific state. But understand me correctly. I'm not sa

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
On 12/11/15 17:41, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf >> Of Andy Polyakov >> Sent: Friday, December 11, 2015 10:07 >> To: openssl-users@openssl.org >> Subject: Re: [openssl-users] CBC ciphers + TLS

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
>>> static inline unsigned int constant_time_msb(unsigned int a) { >>> -*return 0 - (a >> (sizeof(a) * 8 - 1));* >>> + return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1; >>> } >> >> >> ... Both versions >> look reasonable to me (ignoring the hardcoded 8 - implying a char is 8 >> bits). >

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
>> static inline unsigned int constant_time_msb(unsigned int a) { >> -*return 0 - (a >> (sizeof(a) * 8 - 1));* >> + return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1; >> } > > > ... Both versions > look reasonable to me (ignoring the hardcoded 8 - implying a char is 8 > bits). Hardcod
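Review bot: the `+` line in constant_time_msb casts `a` to `int` before the right shift, and in C the result of right-shifting a negative signed value is implementation-defined, so the replacement only yields an all-ones mask where the compiler performs an arithmetic shift. The `-` line stays in unsigned arithmetic throughout, where `0 - (a >> (sizeof(a) * 8 - 1))` is fully defined. If the change is kept, it needs a comment saying which compiler it works around and why the signed shift is acceptable there. The `+` line as quoted also has unbalanced parentheses and would not compile as shown.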

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
>>> C does not make such a guarantee, though recent-ish POSIX does. (This >>> system is a windows one, though, right?) >> There are DSPs that only support 32 bit, they don't have a concept >> of 8 bit. But I think there is various code that assumes that >> char is 8 bit, and I doubt you can get

Re: [openssl-users] [openssl-dev] [openssl.org #3804] BUG: OpenSSL 1.0.2 Solaris 32 bit build is broken

2015-05-25 Thread Andy Polyakov via RT
Hi, > I have an application that runs quite happily using OpenSSL 1.0.1h on Solaris > 32 bit. I want to upgrade but neither 1.0.2 nor 1.0.2a work. > > Solaris 10 > Solaris Studio 12.4 > > Make test log attached. > > 1 When building 1.0.2 using > > ./Configure solaris-sparcv9-cc no-shared -m32

Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
Hi Jakob, Thanks for the feedback, what you say makes sense, so I'll try and avoid the non-standard Microsoft thing. Apologies for the top-posting, I get so used to pressing reply. Kind regards, Andy

Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
so far. Thanks again. Andy -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: 28 April 2015 04:17 To: openssl-users@openssl.org Subject: Re: [openssl-users] Certificate template information On 28/04/2015 02:59, Salz, Rich wrote: >

[openssl-users] Certificate template information

2015-04-27 Thread Franks Andy (IT Technical Architecture Manager)
ght on how to do this with openssl? Thanks Andy

Re: constant_time_test.c fails to compile on SuSE Enterprise Server 10 32-bit

2014-10-24 Thread Andy Schmidt
able to read the information in that link, so I apologize for any obvious RTFM user errors. Andy On Fri, Oct 24, 2014 at 8:45 AM, Emilia Käsper wrote: > The 'inline' keyword is known issue with the latest releases, please see > > https://rt.openssl.org/Ticket/Display.html?

constant_time_test.c fails to compile on SuSE Enterprise Server 10 32-bit

2014-10-23 Thread Andy Schmidt
ucceeds, both debug and release. It's a little strange that the inline functions references above fail, while the references to constant_time_eq and constant_time_eq_8 appear to be OK. The full testlog output of make 'report' is attached. Thanks, Andy Schmidt

Re: Platform removal

2014-09-26 Thread Andy Polyakov
> Starting with the next release after 1.0.2, we're planning on removing the > following platforms from the codebase. > NeXT NEWS SUNOS I think it's appropriate to extend the list with MPE/iX, ReliantUNIX, SINIX, DGUX, NCR, Tandem, Cray. > It looks like SUNOS can be handled by adding -Dssi

Change in default behavior from 1.0.1g to 1.0.1h

2014-09-17 Thread Andy Schmidt
settings? This would be extremely helpful to incorporating newly released 1.0.1 subversions. The file CHANGES appears to only list security vulnerabilities. Any help is greatly appreciated. Andy Schmidt

Re: Linking error on Soalris x86 and sparc using fips capable openssl 1.0.1h

2014-09-14 Thread Andy Polyakov
> While fips build on Solaris, I am getting various errors: > > Sun-Intel: > > FIPSLD_CC=gcc FIPSLD_LINK=g++ > /unixhome/upg/Unix/SunOS/i386/OpenSource/ssl-1.0.1h/bin/fipsld -fPIC > -shared -g -O2 -o libImpl.so.10.0.0 -lcrypto > Text relocation remains referenced > a

Re: Behavior change in 1.0.1i crypto (?)

2014-09-04 Thread Andy Schmidt
to learn enough OpenSSL to find and make the fix. On Thu, Sep 4, 2014 at 9:58 AM, Dr. Stephen Henson wrote: > On Wed, Sep 03, 2014, Andy Schmidt wrote: > >> Great, thank you! >> >> The problem is that the API call sequence generates different S/MIME >> and/or PKCS7 o

Re: Behavior change in 1.0.1i crypto (?)

2014-09-03 Thread Andy Schmidt
not have the BAD OBJECTs (or with my openssl executable), parsed with "openssl smime -in JohnHancock.smime.h -pk7out | openssl asn1parse | grep INVALID" On Wed, Sep 3, 2014 at 2:40 PM, Viktor Dukhovni wrote: > On Wed, Sep 03, 2014 at 02:01:35PM -0700, Andy Schmidt wrote: > >>

Behavior change in 1.0.1i crypto (?)

2014-09-03 Thread Andy Schmidt
ation code did work with 1.0.1h (and also e and g) but no longer works with 1.0.1i ... and I would like to emphasize that I am not reporting a bug, just an unexpected change in behavior. Andy

Re: Platform query

2014-08-20 Thread Andy Polyakov
> Does anyone want to speak up for the requirement that we continue to > support BEOS (apparently B/1 and R5?), OS/2, or pre-Windows MSDOS? Minor clarification is appropriate. MSDOS is supported in single "stance", namely DJGPP, which is 32-bit environment. 16-bit code was never supported by OpenS

Re: Undefined reference to 'FIPS_text_start()'

2012-11-25 Thread Andy Polyakov
Santhosh Kokala wrote: I would really appreciate, if someone helps me with this issue. Why not just think for a second? export FIPSLD_CC=g++ export CC=gcc means that it's using g++ to compile fips_premain.c. FIPSLD_CC takes precedence over CC in fipsld: CC=${FIPSLD_CC:-${CC}} export CXX

Re: SubjectAltName in a wildcard certificate - is this possible?

2012-05-15 Thread Andy GOKTAS
I was just trying to find out where it may be documented with why wildcards are not allowed in SubjectAltNames for certificates - if this is the case of course. Thanks, Andy Goktas >>> Hanno Böck 5/12/2012 5:26 AM >>> On Fri, 11 May 2012 12:21:10 -0700 "Andy GOKTAS"

SubjectAltName in a wildcard certificate - is this possible?

2012-05-12 Thread Andy GOKTAS
m able to read about this? Thanks, Andy Goktas

subjectAltName requirements

2012-04-04 Thread Andy GOKTAS
will experience issues. Is this true? If so, why? Thanks, Andy Goktas

Re: FIPS fingerprint in .data not .rodata

2012-02-21 Thread Andy Polyakov
> Another option (but shoot it down if its bogus :-): I noticed that if I > compile > fipscanister.o without "-fPIC", then the const variables do get placed in > the (really readonly) .rodata section as desired. I thought maybe if I did > that and went the static route - build libcrypto with no-sh

Re: FIPS fingerprint in .data not .rodata

2012-02-21 Thread Andy Polyakov
> Though in FIPS 2.0 there is new option that might work in this case. > Besides switching to another compiler that is. Introduced to rectify > situation with rodata segments not being position-independent on Win64, > defining __fips_constseg might prove useful even in this situatio

Re: FIPS fingerprint in .data not .rodata

2012-02-20 Thread Andy Polyakov
>>> Though in FIPS 2.0 there is new option that might work in this case. >>> Besides switching to another compiler that is. Introduced to rectify >>> situation with rodata segments not being position-independent on Win64, >>> defining __fips_constseg might prove useful even in this situation. See >

Re: FIPS fingerprint in .data not .rodata

2012-02-19 Thread Andy Polyakov
>>> After I had gotten the extra "-f" options from Harvey for this platform >>> (BSD-powerpc), >> Using -f[data|function]-sections options is inappropriate as they >> undermine the idea of "capturing" fipscanister code and rodata between >> start/end symbols. It was bad advice/idea, do *not* use th

Re: FIPS fingerprint in .data not .rodata

2012-02-18 Thread Andy Polyakov
> The key thing I realized is that the incore script that comes with the FIPS > Object Module v2.0 tarball > handles both native AND cross-compile scenarios. Even though FIPS 2.0 util/incore is capable of handling arbitrary ELF binary (native or not), it's not used in non-cross-compile/native cas

Re: AES-Assembler for Powerpc

2012-01-13 Thread Andy Polyakov
>> The first problem was the usage of r13. On Page 3 of the PowerPC EABI >> spec [1], the r13 register is described as a dedicated register. So >> the usage of such a register is delicate. > > Other ABI specs are not as categorical about r2 and r13. I was told by > IBM that r2 is used as TLS poi

Re: AES-Assembler for Powerpc

2012-01-12 Thread Andy Polyakov
I'd suggest to move the discussion to openssl-dev, as I unfortunately don't have time to follow openssl-users. > I tried using the AES-assembler code for my PowerPC EABI, but > every time I start "speed aes" my OS crashes. The 32Bit OS is a custom > one. OS crashes? Not application, but OS? > The

Re: 64 bit OpenSSL FIPS 1.2.3 with asm slow performance problems on AES

2011-11-04 Thread Andy Polyakov
> I've been having consistent performance problems with the 64 bit > openssl FIPS 1.2.3 with asm on AES. The assembly code on 64 bit > architectures is much slower than without assembly. Running the same > tests on a 32 bit machine results with ASM being faster than no-asm, > which is expected. >

RE: Re:SSL_connect is indicating the www.google.com certificate is expired

2011-10-11 Thread Shaw Andy
depth was 2 if that helps with any pointing in the right direction too. Regards, Andy From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ziyu Liu Sent: 11. oktober 2011 11:40 To: openssl-users@openssl.org Subject: Re:SSL_connect is indicating the

SSL_connect is indicating the www.google.com certificate is expired

2011-10-11 Thread Shaw Andy
:) Regards, Andy PS: To give more of a context, I am working with Qt directly here (as a developer to some extent on Qt) and thus I have not written the code that is failing myself so if it is likely to be a problem with how the code is implemented I can try and reproduce it standalone.

Retrieve basic information from an existing certificate already in place

2010-12-22 Thread Andy GOKTAS
n't matter). Such as issuer, cn, expiration, encryption strength, etc. I don't need to export it to text or anything like that. Just want to use it as a quick tool to pull a certs info via https, ldap over ssl, etc

Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
log to the serial.srl file that's updated each time it's used? In short, a list of cert name (=CN perhaps) and serial number associated with it. ?? Thanks, Andy Goktas >>> 9/19/2010 1:53 PM >>> If you generate multiple certs with the same serial number, Firefox (and an

Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
Great! Thanks for that information Patrick. :) Thanks, Andy Goktas >>> Patrick Patterson 9/17/2010 6:11 AM >>> Hi Andy: Well, aside from violating most of the standards around PKI, the main problem you will have is revocation - the way you revoke a certificate is to put i

Duplicate serial number

2010-09-17 Thread Andy GOKTAS
Is it merely a method of basic tracking on how many certificates a CA signs? Thanks, Andy Goktas

Re: Fwd: Microsoft RSA SChannel Cryptographic Provider - DoesopenSSL support?

2010-09-08 Thread Andy GOKTAS
r.p12 -CSP 'Microsoft RSA SChannel Cryptographic Provider' And is this particular arg used when generating a pkcs12 only? ?? Thanks! >>> "Dr. Stephen Henson" 9/5/2010 9:48 AM >>> On Fri, Sep 03, 2010, Andy GOKTAS wrote: > Hello, > > I'm using ope

Fwd: Microsoft RSA SChannel Cryptographic Provider - Does openSSL support?

2010-09-08 Thread Andy GOKTAS
Hello, I'm using openSSL 1.0.0a to generate certificates for our Microsoft Windows environment - LDAP over SSL required on Domain Controllers. You'll notice here: http://support.microsoft.com/kb/321051 that the following is required: "You must use the Schannel cryptographic service provide

Fwd: Microsoft RSA SChannel Cryptographic Provider - Does openSSL support?

2010-09-05 Thread Andy GOKTAS
Hello, I'm using openSSL 1.0.0a to generate certificates for our Microsoft Windows environment - LDAP over SSL required on Domain Controllers. You'll notice here: http://support.microsoft.com/kb/321051 that the following is required: "You must use the Schannel cryptographic service provide

Need help with signing a csr with a openssl generated CA.

2010-08-29 Thread Andy GOKTAS
Hello, We're trying to generate self signed certs and don't seem to keep the attributes after a csr is signed by a self generated CA via openssl (i.e.: OIDs specified in openssl.cfg drop off the server cert after signed, thus creating a V1 cert). Here is an example of the syntax I'm using:

Need help with signing a csr with a openssl generated CA.

2010-08-29 Thread Andy GOKTAS
We're trying to generate self signed certs and don't seem to keep the attributes after a csr is signed by a self generated CA via openssl (i.e.: OIDs specified in openssl.cfg drop off the server cert after signed, thus creating a V1 cert). Here is an example of the syntax I'm using: Generat

Problem with self-signed certificate on HP JetDirect Card...

2010-05-01 Thread Andy Barnett
nd be sure to include the entire certificate correctly." Is there some kind soul out there who can enlighten me as to what I'm missing? TIA! Andy B.

Re: Win32 OPENSSL_USE_APPLINK usage

2010-04-22 Thread Andy Polyakov
> I actually ended up solving it by removing all uses of BIO_new_fp() in > favor of my own custom BIO that I just finished writing earlier this > week. Why not BIO_new_file? >>> Yeah, I discovered while analyzing the code that using BIO_new_file() >>> rather than BIO_new_fp() woul

Re: OpenSSL 0.9.8n released - it doesn't compile

2010-04-10 Thread Andy Polyakov
This version also doesn't compile on both Suse and RedHat on the s390 z-series platform: gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -mbackchain -DB_ENDIAN -DTERMIO -O1 -Wall -c -o md4_dgst.o md4_dgst.c md4_dgst.c: In function 'md4_block_data_order': md4_dgst.c:115: error:

Re: Crash in BIO_set_fp(): Windows esp SL VC9?

2010-03-15 Thread Andy Polyakov
Aside: all 4 pairs of .lib's in lib\VC (and one in lib) are exportlibs for the one pair of DLL's, which are actually /MD but use the applink mechanism, as mentioned in the FAQ, to get the right CRT -- assuming the EXE correctly compiles applink.c, and the code you referenced does. So this "sh

wpa_supplicant problem w/CA

2009-11-30 Thread Andy Lee
about not getting a crl (if I try to verify the certificate chain). --Andy

RE: (SCL: 1) Re: SSL_CTX_load_verify_locations was SSL_shutdown never returns 1

2009-05-19 Thread Andy Murphy
the object should be constructed once per application. Is this a showstopper or was the original developer correct to use it in this way? Andy > -Original Message- > From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Kyle Hamilton > S

RE: SSL_shutdown never returns 1

2009-05-19 Thread Andy Murphy
as 0, so it'll > stick around forever. (Unless you're saying that you check the > refcount after the SSL_CTX_free and SSL_free, and they are 0 at that > time?) > > -Kyle H > > On Tue, May 19, 2009 at 2:14 AM, Andy Murphy > wrote: > > Hi Kyle, thanks for the

SSL_CTX_load_verify_locations was SSL_shutdown never returns 1

2009-05-19 Thread Andy Murphy
mory after I've done with a ping? I can't see anything in the documentation. Thanks Andy > -Original Message- > From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Andy Murphy > Sent: 19 May 2009 10:15 > To: openssl-u

RE: SSL_shutdown never returns 1

2009-05-19 Thread Andy Murphy
* We get a steady 200k "leak" for each call. I read somewhere that OpenSSL keeps an internal cache and am wondering if this could be the cause. A bit more history is that as always the original developer has long flown the nest so I'm learning the library here. Thanks for a

SSL_shutdown never returns 1

2009-05-14 Thread Andy Murphy
Hi, we are trying to track down a memory leak that occurs when we run secure comms using the OpenSSL library. Now we've had this before where we thought it was the library but I tracked it down to us not using the word virtual on our base class' destructor, so I'm not about to start blaming OpenSS

Re: exception with purify in bn_mont.c:402 (v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);)

2008-10-02 Thread Andy Polyakov
I am getting exception in crypto\bn\bn_mont.c:402 (v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);) while executing with Rational purify. Does it mean that you can confirm that the program works if not executed with purify? I think bn_mul_add_words called as assembly code from crypto\bn\a

Re: openssl 0.9.8h on Solaris 10.3 amd64 blues

2008-09-09 Thread Andy Polyakov
> I compile using gcc32 with the following options: > > Configure solaris-x86-gcc threads no-krb5 > > I definitely need threads. Compilation goes through without problems but > when I do a make test I get: > > Doing certs > touch rehash.time > testing... > ../util/shlib_wrap.sh ./destest > make[

OpenSSL on WM5 (V2)

2008-03-17 Thread Andy Murphy
nd am still at the stupid question stage. Thanks Andy Andy Murphy Senior Software Developer <http://www.tbsmobility.com/> Office Reception: +44 1773 596900 Fax: +44 1773 596901 Skype: andyleemurphy Web: www.tbsmobility.com <http://www.tbsmobility.com/> Email: [EMAIL PROTECTED] <>

RE: Direct trust in server certificate?

2008-02-14 Thread Cooper, Andy
@openssl.org Subject: Re: Direct trust in server certificate? On Wed, Feb 13, 2008 at 05:06:35PM -0500, Cooper, Andy wrote: > Thank you. I've managed to write code that does fingerprint > verification like you suggested, and it seems to work. Cool. If you are concerned about "second pr

RE: Direct trust in server certificate?

2008-02-14 Thread Cooper, Andy
users@openssl.org Subject: Re: Direct trust in server certificate? On Tue, Feb 12, 2008 at 04:33:49PM -0500, Cooper, Andy wrote: > Now, on the client I'm trying to make sure that only the certificate > I've created is valid and that any other certificate is not valid. > What I

Direct trust in server certificate?

2008-02-13 Thread Cooper, Andy
I'm a relative newcomer to OpenSSL so I apologize in advance if this has been asked before. I'm trying to get an OpenSSL client to accept only a *specific* server certificate as opposed to it accepting any certificate that is issued by a given CA. I need to skip the hostname check - the client

Re: DTLS non-compliant list (based on snapshot 20070801)

2007-09-26 Thread Andy Polyakov
4) Handshake "headers" are omitted in the signature computation in both CertificateVerify and Finished messages. (RFC 4347 does not clearly state what is to be included. However, according to the TLS v1.1 (RFC 4346), it shall be the complete handshake message, starting from Handshake.msg_type. H

RE: SSL verify options

2007-07-25 Thread Andy Chan
Thanks for the response. I can get #1 to work fine now. As for #2, does anyone have code sample for verifying the common name in the server cert against the expected name? - Andy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke Sent

SSL verify options

2007-07-24 Thread Andy Chan
seem to have an error code for this. I think I can just get the server certificate and verify it myself, but I wonder is there a better way to do it using OpenSSL primitives. I would appreciate any assistance I can get on this. Thank you very much. Best regards, Andy

Re: configuring openSSL in Solaris

2007-05-30 Thread Andy Harrison
\ --install_prefix=/usr/src/OPENSSL \ --prefix=/usr/local/ssl\ --openssldir=/usr/local/ssl\ --shared \ no-asm \ ${TARGET} -- Andy Harrison

solaris x86 32-bit compile problem

2007-04-25 Thread Andy Harrison
c /usr/local/bin/gcc # gcc --version gcc (GCC) 3.4.5 -- Andy Harrison

Re: Source for entropy on Windows platforms with CryptoAPI installed

2006-10-20 Thread Andy Polyakov
It just occurred to me that the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed (type REG_BINARY) contains the latest seeded value from everything that CryptoAPI takes into account when generating its random seed. CryptoAPI permutes it with RC4 to come up with a pseudo-ran

PHP, SoapClient, Apache, Windows, SSL

2006-05-30 Thread Andy Glass
I'm brand new to Soap and SSL. I have used SoapClient functionality built within PHP to successfully call a web service using its WSDL. So, I feel fairly comfortable about that. However, I am now working on a project that calls for me to call a web service and authenticate myself using a digital

Re: Kx=RSA vs Kx=RSA(1024)

2006-05-10 Thread Andy Bontoft
Thanks very much, now I understand :) Dr. Stephen Henson wrote: On Wed, May 10, 2006, Andy Bontoft wrote: Hello Victor, Yes agreed, but I didn't think that the 'export' masking of the encryption algorithms key bits had anything to do with the key exchange algorithms. W

Re: Kx=RSA vs Kx=RSA(1024)

2006-05-10 Thread Andy Bontoft
Hello Victor, Yes agreed, but I didn't think that the 'export' masking of the encryption algorithms key bits had anything to do with the key exchange algorithms. Was this view in error? If so, do you have an idea what key size the 'normal' key exchange RSA is usin

Kx=RSA vs Kx=RSA(1024)

2006-05-10 Thread Andy Bontoft
Hello, Could someone please explain what the Kx=RSA denotes (By this I mean the RSA by itself)? It seems straight forward what Kx=RSA(512) and Kx=RSA(1024) mean but I don't understand what RSA without a bit specification would represent, and how it differs. Thanks for your time andy smim

Re: having both release and debug version of openssl on win32?

2005-11-08 Thread Andy Polyakov
Actually, I have an application and a DLL. The DLL depends on the previous libraries. And I just saw the applink.c tip in the FAQ. As I don't really want to debug OpenSSL, but rather my application and my DLL, I have included applink.c in my DLL project, compiled it in Debug mode (/MDd) against

Re: 0.9.8a Build Error

2005-10-19 Thread Andy Polyakov
gcc -I.. -I../.. -I../../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DMD5_ASM -c -c -o des_enc-sparc.o des_enc-sparc.S des_enc-sparc.S: Assembler messages: des_enc-sparc.S:205

Re: Problem with OpenSSL on Solaris x86 *

2005-10-13 Thread Andy Polyakov
Freshly installed and patched Solaris 8 x86 system # gcc -v Reading specs from /usr/local/lib/gcc/i386-pc-solaris2.8/3.4.2/specs Configured with: ... Doing certs Segmentation Fault - core dumped argena.pem => .0 Segmentation Fault - core dumped Any suggestions? ./PROBLEMS, "triggered gcc bugs.

Re: Binary compatibility between 0.9.7g and 0.9.7h?

2005-10-11 Thread Andy Polyakov
Do I have to apply this to 0.9.8a too? NO. A.

Re: Binary compatibility between 0.9.7g and 0.9.7h?

2005-10-11 Thread Andy Polyakov
I just tried to upgrade from openssl-0.9.7g to 0.9.7h and noticed that my openssh-4.2p1 server and clients now crash with segfault with the new openssl shared library! I tested this on two installations and both had this problem. We discovered similar problems caused by a change in the s

Re: Windows BIO operation glitch

2005-09-29 Thread Andy Polyakov
The Win32 OpenSSL Installation Project is built as follows: Visual C++ 6 SP6 w/ MASM is used to build the core DLLs and the Visual C++ libraries. Borland's IMPLIB tool is used to create libraries from the DLLs for Builder 4/5/6. As to your specific problem, I haven't been following it up to

Re: Building the libraries with Borland Builder.

2005-09-29 Thread Andy Polyakov
I've downloaded the latest windows libs. They crash with this stdio linking thing. I've tried using the applink stuff to fix it and it fixes some, but not all of the places things crash. It looks like it's BIOs which are newed and then have "set_fd" called on them. Earlier you mentioned that you

Re: Building the libraries with Borland Builder.

2005-09-29 Thread Andy Polyakov
I'm a long time UNIX developer desperately trying to get OpenSSL to work on Windows with Borland Builder 6. I can't change compiler. The rest of the project needs builder, so switching to VC++ is out of the question. Keep in mind that some OpenSSL targets are 100% community supported and suppor

Re: s_server doesn't work with IE 6.0

2005-09-29 Thread Andy Polyakov
I use IE 6.0 from Windows XP and Mozilla 1.7 from linux. I use openssl 0.9.8. When I start openssl s_server -key keydsa2.pem -cert certdsa2.pem -www -cipher EDH-DSS-DES-CBC3-SHA Mozilla successfully shows debug page, but IE doesn't. You should add -bugs argument to allow IE talk. In this cont

Re: Windows BIO operation glitch

2005-09-29 Thread Andy Polyakov
We're using the binary distributions from Shining Light for Windows compiling with Borland C++ Builder 6.0 , the source version from OpenSSL.org for Linux. Linux works peachy. ... the applink bit (which is a pain) but eventually that all seems sorted. PEM_read_X509 still crashes. ... So I have

Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

2005-08-11 Thread Andy Polyakov
5. I still needed to change the MLFLAGS and LFLAGS in cedll.mak and ce.mak from machine:ARM to machine:thumb. Otherwise, the compiler compains about an incompatibility with winsock.lib (winsock.dll), which was linked with machine:thumb. http://cvs.openssl.org/chngview?cn=14356. a. _

Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

2005-08-09 Thread Andy Polyakov
3. In bf_skey, memcpy was undefined, Will look into it... Looked into it and it didn't make any sense. Required header file is included so it shouldn't be a problem... Strangely enough there're a number of files calling memcpy, which are compiled prior bf_skey.c, so how come it gets "angry"

Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

2005-08-09 Thread Andy Polyakov
Steven, I've put a new wcecompat.zip up at essemer.com.au which includes ENOMEM and EAGAIN. The remainder of the problems need to be corrected in OpenSSL. Do you number wcecompat releases? I mean I'd like to mention some reference point in INSTALL.WCE, e.g. "at least version x.y" or "downlo
