thanks a lot. I opened a "VS2015 x64 Native Tools" window as opposed to a
"VS2015 x64 x86 Cross Tools" and everything worked amazingly with no issues.
The names are super confusing.
but i'm ok now. thanks
From: openssl-users on behalf of Jeffrey
Walton
Sent:
I installed ActivePerl and got a lot further
I now get link errors. Please see below. The commands are the same: perl
Configure VS-WIN64A and nmake:
"C:\Perl64\bin\perl.exe" "util\mkdef.pl" "crypto" 32 >
libcrypto-1_1-x64.def
"C:\Perl64\bin\perl.exe" -i.tmp -pe "s|^LIBRARY\s+cr
On 10/01/17 18:34, jeff saremi wrote:
> D:\repos\openssl2\openssl-1.1.0c>perl -v
>
> This is perl 5, version 22, subversion 1 (v5.22.1) built for
> x86_64-msys-thread-multi
> Copyright 1987-2015, Larry Wall
You are using msys perl but doing a VC build.
See this extract
ssl-users@openssl.org
Subject: Re: [openssl-users] Build problems on Windows
On 10/01/2017 05:04, jeff saremi wrote:
>
> Hello
>
> I downloaded openssl-1.1.0c and i'm trying to build this on Windows 10
> using Visual Studio 2015. I'm following the INSTALL and NOTES.WIN
> ins
Hello
I downloaded openssl-1.1.0c and i'm trying to build this on Windows 10 using
Visual Studio 2015. I'm following the INSTALL and NOTES.WIN instructions
however I get stopped rather quickly with file not found issues..
I have also installed nasm. The build fails for 32 or 64 with slightly
d
My initial analysis of this was very misleading. I have to apologize for
that.
The problem was that during the first part of the handshake
(clienthello), the call failed without anything being written out.
Tracing ssl23_client_hello() in s23_clnt.c showed that the following
statement returned false
We've been running our SSL code for a while now with no issues. But
recently one of our developers started encountering this problem.
We did the best we could to troubleshoot to no avail. I know the
problem is not OpenSSL and it's something we're doing incorrectly,
probably at the start up.
The p
Yes it was as straightforward as you mentioned.
Thanks to those who responded.
jeff
On 11-06-02 05:47 AM, Neo Liu wrote:
>
>
> On Wed, Jun 1, 2011 at 10:22 PM, Victor Duchovni
> <mailto:victor.ducho...@morganstanley.com>> wrote:
>
> On Tue, May 31, 2011 at 09
I'd like to know the feasibility or complexity around using my own
socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
BIOs to read and write would that be sufficient? How tightly integrated
the code is with bio_connect and bio_socket? thanks
jeff
I'd like to eliminate this suppressed error in valgrind.
Does anyone have any idea? I have my cleanup code also pasted farther below
==3317== 20 bytes in 1 blocks are still reachable in loss record 1 of 1
==3317==    at 0x402425F: calloc (vg_replace_malloc.c:467)
==3317==    by 0x4063105: _dlerror_
read my post:
http://www.mail-archive.com/openssl-users@openssl.org/msg63740.html
On 11-05-02 06:50 AM, Viliam ġurina wrote:
> Hello,
>
> I'm doing my own CA with openssl and want to regularly generate CRLs.
> We plan limited use of the CA (say 1-2 certificates per year), so the
> CA private key
If I just try to describe the problem in a different way it would be:
According to the RFC, is it an error for a certificate and its chain not
to have any CRLs and CRL distribution points?
If the answer to the above is yes, then what OpenSSL does is OK because
the programmer would have to explici
I'm not sure how you read this. I read it like a programmer.
In programming primitives, the spec would be coded like this:
Here's the spec:
"This algorithm begins by assuming that the certificate is not revoked
For each distribution point (DP) in the certificate's CRL distribution
points exten
This was mentioned briefly in another thread by myself. I thought it
deserved its own discussion. The copies of how it went on are pasted below.
Section 6.3.3. of RFC 5280 - CRL Processing
"This algorithm begins by assuming that the certificate is not revoked
For each distribution point (DP)
With great many thanks to Dr. Henson for not only responding to every
post I have had so far but also for providing solid guidance on how to
address the problem leading to the heading of this thread, I am adding
some extra material and some verbatim quotes from Dr. Henson here so
that they might be
> There are other "out of band" mechanisms where a CRL might be available but
> not mentioned in a CRLDP. OpenSSL has no way of telling what those might be
> and if the absence is really an error or not.
>
> The best you can do is trap the issuer error in the verify callback and ignore
> it if app
I'm generating my CRLs using "openssl ca" command. In the CRL entry
extension list, I can see "X509v3 CRL Reason Code" but I'd like to also
include the certificate issuer. (I think this is needed if an issuer
does the issuing indirectly for another CA).
Is there a command line option of config en
It looks like we need to support indirect CRL Issuers at least for CRL's
issued for ourselves.
I have done most of the work. It looks like I don't quite know how to
generate CRLs with the indirect CRL issuer or I don't know how to
generate the CRL issuer's certificate using the root certificate.
So I
Does anyone have an example of how an indirect CRL issuer is handled?
This is my understanding of what needs to be done.
If at least someone could verify that, I'd be really appreciative:
1. download the CRL
2. If not indirect, handle as usual (let's pretend for now that we know
how to handle these in
So as per previous posts, I implemented lookup_crl().
Now one of the major problems is what do I return from this method, if
the certificate has no CRL distribution points!
Returning an empty stack causes get_crl_delta() to fail.
Is there a flag that I can setup to let this cert be excluded from CR
If I call X509_STORE_get1_crls(ctx, nm) with nm being the issuer name,
the method is supposed to return a list of CRL's with that issuer name.
How does it do that when it comes to CRLs issued by a CRL issuer
authorized by the original issuer?
Does it use Authority Key Identifier?
thanks,
jeff
> Try supplying your own lookup_crls() implementation instead. This can be much
> simpler and just needs to return any CRLs which match the supplied X509_NAME
> value. If there are multiple CRLs it will pick the most appropriate.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core develope
Thanks Patrick. Unfortunately this has to be a part of our code to run on
various platforms. If you know of any openssl-based implementation that
does this and is opensource please let me know so at least I could use
that as an example.
>
> Patrick Patterson
> Tue, 15 Mar 2011 13:11:11 -0700
>
> Hi
Here are some more interesting points that I'm banging my head against
the wall until I find the answer:
- Overwriting get_crl forces you to provide your own CRL checking logic
as well. Specifically two things need to be set during this check which
are required within check_cert():
a) score of this
I seriously need help with this piece. I searched the forum and I could
not find what i was looking for.
During an SSL handshake, I need to be able to examine the CRL
distribution points on a certificate (chain), download them, and pass
them along to OpenSSL for further revocation checks.
I thought
We're trying to enable CRL checking on our client-side application. When
doing limited unit tests, everything is OK. But when we extend the tests
to real server we see errors from places where least expected.
The error is "unable to get certificate CRL depth:0". The scenario is a
mutually authenti
So this is some minor debugging I did to get to this problem.
Modified the following methods to add two printf lines:
ssl_lib.c:
X509 *SSL_get_peer_certificate(const SSL *s)
{
X509 *r;
if ((s == NULL) || (s->session == NULL))
{
printf("SSL_get_p
We have some intermittent problems which seem to go away after
restarting our server.
The problem is that the client's certificate disappears on the server,
even though SSL_VERIFY_PEER is set in the context using
SSL_CTX_set_verify().
So under situations that are not entirely clear, a call to
SSL_
ve and beyond what is there now -acts like
32 under 32bits (add 'l' or '64' prefixes or suffixes at will)
- as a transparent approach: in 64bit compilations you get 64bit
versions otherwise 32
- as a complementary set always available regardless of the underlying
addressin
I received the answer in a direct email and just wanted to share it
here too:
- command line:
openssl s_client -state -debug -connect host:port
- programmatic:
One can look in the callback mechanism used in the above, specifically in
apps/s_cb.c
I'd like to know if there's a way -- programmatic, config, environment
-- that I can get detailed print of what goes on during a handshake at
the client or the server? Below is the output from Apache Tomcat as an
example of the level of details i'm looking for:
http-442-1, READ: TLSv1 Handshake,
Are there any plans to change this? Getting streams larger than 4GB is not very
unusual these days anymore.
> On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
>
> > Does BIO support 64 bit IO (large files)? If so would the rest of
> > OpenSSL (such as the s
Does BIO support 64 bit IO (large files)? If so would the rest of
OpenSSL (such as the ssl itself) support those BIOs?
I configured the build with 64bit support and didn't see any noticeable
changes.
Specifically, I'd like to know if BIO_tell() is able to return a 64bit
value?
I'm looking for something like:
ERR_report_oneoff_error(const char *func, const char *reason, int line,
const char *file)
that I could use without having to define structures like the following
or calling Err_load_strings and Err_unload_strings:
static ERR_STRING_DATA BIO_str_functs[]=
{
{ER
4,496 allocs, 4,496 frees, 137,484 bytes
allocated
==3959==
>>> ==3959== All heap blocks were freed -- no leaks are possible
On 10-08-18 04:28 PM, Jeff Saremi wrote:
> any takers from the openssl team? true, false? known issue, user error?
> anything?
>
> On 10-08-17 04:23 PM,
any takers from the openssl team? true, false? known issue, user error?
anything?
On 10-08-17 04:23 PM, Jeff Saremi wrote:
> I apologize if this shows up more than once. I've been having problems
> sending emails out, all day.
>
> First I encountered this with valgrind but
I apologize if this shows up more than once. I've been having problems
sending emails out, all day.
First I encountered this with valgrind but then I decided to have
openssl print the leaks and it was also confirmed.
I have reduced my code to the following two lines. Prior to this of
course init
/* Release the functional reference from ENGINE_init() */
ENGINE_finish(e);
/* Release the structural reference from ENGINE_by_id() */
ENGINE_free(e);
}
On 10-08-13 09:23 AM, Jeff Saremi wrote:
> I'm trying to use my custom engine however I cannot get it to clean up
>
I'm trying to use my custom engine however I cannot get it to clean up
nicely.
For the initialization i used the sample in openssl ENGINE(3) documentation.
Here's how it goes:
ENGINE *loadEngine()
{
ENGINE *e;
e = ENGINE_by_id(MY_ENGINE_ID);
if(!e)
ENG
CRYPTO_set_dynlock_create_callback
CRYPTO_set_dynlock_lock_callback
CRYPTO_set_dynlock_destroy_callback
The desired lock type is passed in the struct CRYPTO_dynlock_value *
parameter to the custom dynlock_lock_callback.
On 10-08-09 09:18 AM, Jeff Saremi wrote:
> In my engine, i'd like to use a new
In my engine, i'd like to use a new lock for a set of operations. This
lock is not CRYPTO_LOCK_ENGINE or any other defined ones.
Is there any way in OpenSSL to define a say user lock (type) and then
use CRYPTO_Lock function on it?
What would happen to CRYPTO_NUM_LOCKS? would that increase by way o
OK. Thanks for replying.
On Thu, 2010-07-08 at 18:59 +0200, Dr. Stephen Henson wrote:
> The only current example of an external EVP_PKEY_METHOD (in the gost ENGINE)
> implements everything from scratch.
>
> It is perfectly reasonable for another implementation to copy existing methods
> or inter
The structure itself is only forward-declared meaning that a programmer
has no way of getting into the actual evp_pkey_method_st and its fields.
Now that would be fine if there were a complete set of methods
EVP_PKEY_meth_* to manipulate the pointers to EVP_PKEY_METHOD. But alas
there's only a few.
To avoid having to override every RSA function, I could fill my engine's
custom RSA_METHOD with methods from RSA_PKCS1_SSLeay. Alternatively I
could have my functions wrap the internal OpenSSL functions. For
instance:
int myEngineRsaModExp(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx)
{
int rc
How does one provide own engine functions for saving public and private
keys?
thanks
jeff
In order to update the CRLs in our server socket and due to the seeming
lack of any CRL update methods, I decided to create new X509_STOREs and
set them in the SSL_CTX every time there's a change in the CRL list.
I'd like to know the effects of that if at the same time new SSLs being
created, setup
46 matches