tag:old.nabble.com,2006:forum-978Nabble - OpenSSL2009-11-27T06:05:54ZThe OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL home is <a href="http://www.openssl.org/" target="_top" rel="nofollow">here</a>.tag:old.nabble.com,2006:post-26542852RE: Adding a custom engine to OpenSSL2009-11-27T06:05:54Z2009-11-27T06:05:54ZLoke Jun Han<html>
<head>
</head>
<body class='hmmessage'>
Thanks, will try it out as soon as I can.<br><br>Regards,<br><br>Jun Han<br><div class='shrinkable-quote'><br>> Date: Thu, 26 Nov 2009 13:24:29 +0100<br>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542852&i=0" target="_top" rel="nofollow">steve@...</a><br>> To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542852&i=1" target="_top" rel="nofollow">openssl-users@...</a><br>> Subject: Re: Adding a custom engine to OpenSSL<br>> <br>> On Thu, Nov 26, 2009, Loke Jun Han wrote:<br>> <br>> > <br>> > Hi,<br>> > <br>> > Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?<br>> > <br>> <br>> Yes, you specify details in the configuration file openssl.cnf, for the syntax<br>> see:<br>> <br>> http://www.openssl.org/docs/apps/config.html<br>> <br>> Steve.<br>> --<br>> Dr Stephen N. Henson. OpenSSL project core developer.<br>> Commercial tech support now available see: http://www.openssl.org<br>> ______________________________________________________________________<br>> OpenSSL Project http
://www.openssl.org<br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542852&i=2" target="_top" rel="nofollow">openssl-users@...</a><br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542852&i=3" target="_top" rel="nofollow">majordomo@...</a></div> <br /><hr />New Windows 7: Find the right PC for you. <a href='http://windows.microsoft.com/shop' target='_new' rel="nofollow">Learn more.</a></body>
</html><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26542828[openssl.org #2113] 1.0.0-beta4 build with mingw-w64's 32-bit compiler fails2009-11-27T06:03:11Z2009-11-27T06:03:11ZMisha Aizatulin via RTHi,
<br><br>I have experienced the enclosed failure during building of
<br>openssl-1.0.0-beta4 by 32-bit native compiler from mingw-w64.sf.net project.
<br><br>At the beginning it might be good to summarize how many mingws we
<br>currently have:
<br>#1) 32-bit gcc-3.x toolchan from mingw.org project
<br>#2) 32-bit gcc-4.x toolchan from mingw.org project
<br>#3) 32-bit gcc-4.x toolchan from mingw-w64.sf.net project
<br>#4) 64-bit gcc-4.x toolchan from mingw-w64.sf.net project
<br><br>Yes, it might be slightly confusing but mingw-w64 project delivers not
<br>only 64-bit Windows toolchain but also 32-bit one.
<br><br>The main difference is that #1+#2 group uses completely different
<br>c-runtime than group #3+#4.
<br><br>Compiling openssl-1.0.0-beta4 works fine with compilers: #1 and #2
<br>Tested by: "perl ./Configure shared mingw" + "make")
<br><br>Compiling openssl-1.0.0-beta4 with #4 works with no-asm option
<br>Tested by: "perl ./Configure shared no-asm mingw64" + "make"
<br>I have used compiler binaries from:
<br><a href="http://download.sourceforge.net/mingw-w64/mingw-w64-bin_x86_64-mingw_20091101_sezero.zip" target="_top" rel="nofollow">http://download.sourceforge.net/mingw-w64/mingw-w64-bin_x86_64-mingw_20091101_sezero.zip</a><br><br>Compiling openssl-1.0.0-beta4 with #3 does not work - see enclosed error.
<br>Tested by: "perl ./Configure shared mingw" + "make"
<br>I have used compiler binaries from:
<br><a href="http://download.sourceforge.net/mingw-w64/mingw-w32-bin_i686-mingw_20091101_sezero.zip" target="_top" rel="nofollow">http://download.sourceforge.net/mingw-w64/mingw-w32-bin_i686-mingw_20091101_sezero.zip</a><br><br>In theory compiler #3 uses exactly the same c-runtime headers as
<br>compiler #4 so there is no obvious (at least obvious to me) reason why
<br>#4 works and #3 does not.
<br><br>My investigation led to some #define/#undef X509_NAME clash between
<br>c-runtime headers (wincrypt.h, ...) and openssl but I was not able to
<br>prepare a sane patch to fix it.
<br><br>I would appreciate any help with this issue.
<br><br>Thanks.
<br><br>--
<br>kmx
<br><br>#####
<br>gcc -I.. -I../.. -I../asn1 -I../evp -I../../include -D_WINDLL
<br>-DOPENSSL_USE_APP
<br>LINK -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_WIN32 -mno-cygwin -DL_ENDIAN
<br>-DOPENS
<br>SL_NO_CAPIENG -fomit-frame-pointer -O3 -march=i486 -Wall
<br>-DOPENSSL_BN_ASM_PART_W
<br>ORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM
<br>-DSHA512_
<br>ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o err_all.o
<br>err_all.c
<br><br>In file included from err_all.c:96:
<br>../../include/openssl/ocsp.h:206: error: expected
<br>specifier-qualifier-list befor
<br>e '(' token
<br>../../include/openssl/ocsp.h:350: error: expected
<br>specifier-qualifier-list befor
<br>e '(' token
<br>../../include/openssl/ocsp.h:416: error: expected declaration specifiers
<br>or '...
<br>' before '(' token
<br>../../include/openssl/ocsp.h:427: error: expected declaration specifiers
<br>or '...
<br>' before '(' token
<br>../../include/openssl/ocsp.h:487: error: expected declaration specifiers
<br>or '...
<br>' before '(' token
<br>make[2]: *** [err_all.o] Error 1
<br>make[2]: Leaving directory `/z/_tmp/openssl-1.0.0-beta4/crypto/err'
<br>make[1]: *** [subdirs] Error 1
<br>make[1]: Leaving directory `/z/_tmp/openssl-1.0.0-beta4/crypto'
<br>make: *** [build_crypto] Error 1
<br>#####
<br><br><br /><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">Hi,<br>
<br>
I have experienced the enclosed failure during building of
openssl-1.0.0-beta4 by 32-bit native compiler from mingw-w64.sf.net
project.<br>
<br>
At the beginning it might be good to summarize how many mingws we
currently have:<br>
#1) 32-bit gcc-3.x toolchan from mingw.org project<br>
#2) 32-bit gcc-4.x toolchan from mingw.org project<br>
#3) 32-bit gcc-4.x toolchan from mingw-w64.sf.net project<br>
#4) 64-bit gcc-4.x toolchan from mingw-w64.sf.net project<br>
<br>
Yes, it might be slightly confusing but mingw-w64 project delivers not
only 64-bit Windows toolchain but also 32-bit one.<br>
<br>
The main difference is that #1+#2 group uses completely different
c-runtime than group #3+#4.<br>
<br>
Compiling openssl-1.0.0-beta4 works fine with compilers: #1 and #2<br>
Tested by: "perl ./Configure shared mingw" + "make")<br>
<br>
Compiling openssl-1.0.0-beta4 with #4 works with no-asm option<br>
Tested by: "perl ./Configure shared no-asm mingw64" + "make"<br>
I have used compiler binaries from:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://download.sourceforge.net/mingw-w64/mingw-w64-bin_x86_64-mingw_20091101_sezero.zip" target="_top" rel="nofollow">http://download.sourceforge.net/mingw-w64/mingw-w64-bin_x86_64-mingw_20091101_sezero.zip</a><br>
<br>
Compiling openssl-1.0.0-beta4 with #3 does not work - see enclosed
error.<br>
Tested by: "perl ./Configure shared mingw" + "make"<br>
I have used compiler binaries from:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://download.sourceforge.net/mingw-w64/mingw-w32-bin_i686-mingw_20091101_sezero.zip" target="_top" rel="nofollow">http://download.sourceforge.net/mingw-w64/mingw-w32-bin_i686-mingw_20091101_sezero.zip</a><br>
<br>
In theory compiler #3 uses exactly the same c-runtime headers as
compiler #4 so there is no obvious (at least obvious to me) reason why
#4 works and #3 does not. <br>
<br>
My investigation led to some #define/#undef X509_NAME clash between
c-runtime headers (wincrypt.h, ...) and openssl but I was not able to
prepare a sane patch to fix it.<br>
<br>
I would appreciate any help with this issue.<br>
<br>
Thanks.<br>
<br>
--<br>
kmx<br>
<br>
#####<br>
gcc -I.. -I../.. -I../asn1 -I../evp -I../../include -D_WINDLL
-DOPENSSL_USE_APP<br>
LINK -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_WIN32 -mno-cygwin
-DL_ENDIAN -DOPENS<br>
SL_NO_CAPIENG -fomit-frame-pointer -O3 -march=i486 -Wall
-DOPENSSL_BN_ASM_PART_W<br>
ORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM
-DSHA512_<br>
ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o err_all.o
err_all.c<br>
<br>
In file included from err_all.c:96:<br>
../../include/openssl/ocsp.h:206: error: expected
specifier-qualifier-list befor<br>
e '(' token<br>
../../include/openssl/ocsp.h:350: error: expected
specifier-qualifier-list befor<br>
e '(' token<br>
../../include/openssl/ocsp.h:416: error: expected declaration
specifiers or '...<br>
' before '(' token<br>
../../include/openssl/ocsp.h:427: error: expected declaration
specifiers or '...<br>
' before '(' token<br>
../../include/openssl/ocsp.h:487: error: expected declaration
specifiers or '...<br>
' before '(' token<br>
make[2]: *** [err_all.o] Error 1<br>
make[2]: Leaving directory `/z/_tmp/openssl-1.0.0-beta4/crypto/err'<br>
make[1]: *** [subdirs] Error 1<br>
make[1]: Leaving directory `/z/_tmp/openssl-1.0.0-beta4/crypto'<br>
make: *** [build_crypto] Error 1<br>
#####</font>
</body>
</html>
<p>From forum: <a href="http://old.nabble.com/OpenSSL---Dev-f980.html" embed="fixTarget[980]" target="_top" >OpenSSL - Dev</a></p>tag:old.nabble.com,2006:post-26542819RE: Adding a custom engine to OpenSSL2009-11-27T06:02:10Z2009-11-27T06:02:10ZLoke Jun Han<html>
<head>
</head>
<body class='hmmessage'>
Yup.<br><br><div class='shrinkable-quote'><br>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542819&i=0" target="_top" rel="nofollow">openSSL@...</a><br>> To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542819&i=1" target="_top" rel="nofollow">openssl-users@...</a><br>> Subject: Re: Adding a custom engine to OpenSSL<br>> Date: Thu, 26 Nov 2009 05:21:35 -0600<br>> <br>> On Thu November 26 2009, Loke Jun Han wrote:<br>> > <br>> > Hi,<br>> > <br>> > Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?<br>> > <br>> <br>> Like one of the engines in the list from:<br>> openssl engine<br>> ?<br>> <br>> Mike<br>> > Thanks,<br>> > <br>> > Jun Han <br>> > <br>> > _________________________________________________________________<br>> > Windows 7: Find the right PC for you. Learn more.<br>> > http://windows.microsoft.com/shop<br>> <br>> <br>> ______________________________________________________________________<br>> OpenSSL Project http://ww
w.openssl.org<br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542819&i=2" target="_top" rel="nofollow">openssl-users@...</a><br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542819&i=3" target="_top" rel="nofollow">majordomo@...</a></div> <br /><hr />Windows 7: Find the right PC for you. <a href='http://windows.microsoft.com/shop' target='_new' rel="nofollow">Learn more.</a></body>
</html><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26542799[FWD] Question on SSL_shutdown timeout2009-11-27T06:01:26Z2009-11-27T06:01:26ZLutz Jaenicke-3Forwarded to openssl-users for public discussion.
<br><br>Best regards,
<br> Lutz
<br>----- Forwarded message from Xavier De Kepper <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542799&i=0" target="_top" rel="nofollow">xavier.dekepper@...</a>> -----
<br><br>From: Xavier De Kepper <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542799&i=1" target="_top" rel="nofollow">xavier.dekepper@...</a>>
<br>To: "<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542799&i=2" target="_top" rel="nofollow">rt@...</a>" <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542799&i=3" target="_top" rel="nofollow">rt@...</a>>
<br>Date: Fri, 27 Nov 2009 02:15:17 -0800
<br>Subject: Question on SSL_shutdown timeout
<br>Thread-Topic: Question on SSL_shutdown timeout
<br>Thread-Index: AcpvSoR93gXfC8xGT46vvjF0PlcdBQ==
<br>Accept-Language: fr-FR, en-US
<br>acceptlanguage: fr-FR, en-US
<br><br>Hello,
<br><br>I have a question concerning SSL_shutdown in case of SSLv3/TLSv1 connection.
<br>In my usecase, I send a request to a HTTPS server but got no response, therefore my application timeouts.
<br>Then the application is closing the connection with two calls to SSL_shutdown.
<br>Unfortunately the server doesn't respond to the "close notify" therefore the SSL_shutdown call timeout.
<br><br>My question is what is the value of this timeout and how can it be configured ?
<br>I noticed that this timeout doesn't have always the same value.
<br><br>I did a search on the web but didn't find anything on this topic.
<br><br>Thank you very much,
<br>Xavier
<br><br><br>----- End forwarded message -----
<br>--
<br>Lutz Jaenicke <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542799&i=4" target="_top" rel="nofollow">jaenicke@...</a>
<br>OpenSSL Project <a href="http://www.openssl.org/~jaenicke/" target="_top" rel="nofollow">http://www.openssl.org/~jaenicke/</a><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542799&i=5" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26542799&i=6" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26540710RE: General question about documentation2009-11-27T02:46:37Z2009-11-27T02:46:37ZMark-487Hi All,
<br><div class='shrinkable-quote'><br>> Rene Hollan wrote:
<br>> >
<br>> > Oh, you need to dig deeper, to understand the semantics and
<br>> not just
<br>> > the syntax of those APIs.
<br>> >
<br>> > I didn't say using the source as documentation was
<br>> convenient, but it
<br>> > is possible, to any degree of detail you want.
<br>> >
<br>> > To wit: given the source code, it is possible to create
<br>> documentation
<br>> > to any degree of convenience. But, given some instance of external
<br>> > documentation and no source, it is not possible to improve the
<br>> > convenience factor of that documentation to an arbitrary degree.
<br>> >
<br>> > Suggesting what people who donate their time DO is rather
<br>> like herding
<br>> > cats. Some like coding and others like documenting and some
<br>> like both.
<br>> > Perhaps instead of an admonition that the project needs better
<br>> > documentation, a question regarding who is willing to contribute to
<br>> > said better documentation is more in order.
<br>> >
<br>>
<br>> unluckily, those of us who most need the docs are least able to
<br>> contribute, as I haven't the foggiest notion how to properly
<br>> use any of
<br>> the APIs at present. I suppose I need to get the ORA book and start
<br>> reading, as eventually I"m going to be helping another
<br>> development team
<br>> at work with getting an SSL connection going that needs to
<br>> use a client
<br>> certificate stored on a PKCS#11 PKI token, so I'll be sorting
<br>> out how to
<br>> use libssl w/ opensc's engine-pkcs11 module, who's
<br>> documentation is just
<br>> about as non-existant as that of openssl. this task was very easy in
<br>> Java, as Java's SecureSocket hides all the complexity, up to and
<br>> including full support for PKCS#11 plugins.
</div><br>The O'Reilly book is essential reading IMHO but it is far from a
<br>complete
<br>guide to OpenSSL. There are many APIs that it does not mention at all.
<br>It is also quite old now (2002).
<br><br>I realize that in Open source projects it is hard to find the time to
<br>document
<br>the software but I believe that documentation is an essential part of
<br>any
<br>project, especially something as complex as OpenSSL.
<br><br>Even if a wiki turnout out to be a better FAQ then it would still be
<br>very useful IMHO.
<br><br>Is it possible to gain sponsorship for this project or charge for the
<br>documentation,
<br>or make a commercial variant of OpenSSL which can support the open
<br>source
<br>version?
<br><br>Mark.
<br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26540710&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26540710&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26540445Re: openssl and hardware tokens2009-11-27T02:17:29Z2009-11-27T02:17:29ZNicolas Pelloux-PrayerI'm currently working on a similar task during the development of a TLS client (with client-side authentication), using a PKCS#11 hardware token.<br><br>The main problem we encountered is that we cannot access the private key stored in the token; Therefore we made an engine which implements RSA signature methods, and used a fake private key file to make OpenSSL think the user cert & private key are present (state SSL3_ST_CW_CERT_B in d1_clnt.c) to be able to run to the CertificateVerify message signature state, which is performed by our engine using our user private key inside the token.<br>
<br>Actually it works, but this approach doesn't feel right as we basically fool the api... I wondered if someone had a better idea of how to do this properly, like a way to make OpenSSL know the engine will handle the private key itself and will not extract it, it would be very helpfull.<br>
<br>Best regards,<br>Nicolas<br><br><div class="gmail_quote">2009/11/16 Victor B. Wagner <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26540445&i=0" target="_top" rel="nofollow">vitus@...</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>On 2009.11.13 at 04:44:02 -0800, Mansour Dagher wrote:<br>
<br>
> Hi all,<br>
><br>
><br>
> if certificates and associated keys are stored on HW (Sun crypto card for example), is there a way in openssl to specify the card as the location of these certificates/kets?<br>
><br>
> It appears from the methods below, the openSSL only takes filesystem directory paths and file names as input for certificate/key locations:<br>
><br>
> X509_STORE_load_locations()<br>
> SSL_CTX_use_certificate_chain_file()<br>
> SSL_CTX_use_PrivateKey_file()<br>
><br>
> Any suggestions/thought?<br>
<br>
</div>There is SSL_CTX_use_PrivateKey which allows you to use private key<br>
already loaded into memory as EVP_PKEY structure.<br>
<br>
There is ENGINE_load_private_key function, which allows to create<br>
EVP_PKEY structure engine-specific way. Engine is a module, which<br>
handles interaction with some crypto hardware. Really this EVP_PKEY can<br>
contain just reference for key stored in the hardware.<br>
<br>
If engine-initialization code sets up an RSA/DSA/other PKEY method which<br>
knows how to hand of crypto operation to the hardware, you can use<br>
key stored on the token (and never actually leaves it) for all<br>
operations - either PKCS7/CMS/SMIME or SSL/TLS.<br>
<br>
If you store trusted CA certificates on the token as well, engine module<br>
can also provide X509_STORE method, which can be used for certificate<br>
verification. I don't remember in which version of OpenSSL support for<br>
engine-provided X509_STORE method is appeared.<br>
<br>
Things are somewhat worse for certificates for the your private key.<br>
<br>
There was no ENGINE api to load certificates from token in the 0.9.8<br>
version.<br>
<br>
In the 1.0.0 function ENGINE_load_ssl_client_cert appeared, which allows<br>
you to load certificate/private key pair given list of CA names<br>
acceptable by server. This function seems to be designed for use from<br>
SSL client certificate callback.<br>
<br>
But there still no API for loading SSL server certificate/key pair and<br>
for loading SMIME certificate/key pair, not to mention loading<br>
certificate with arbitrary extendedKeyUsage.<br>
<br>
But main problem is that when one want to use hardware token with<br>
OpenSSL, it typically means tha one want to use token with existing<br>
openssl applications, such as Apache, Lynx, OpenVPN etc.<br>
<br>
<br>
OpenVPN has some support for PKCS#11 modules, but I've never tried it.<br>
<br>
Other applications cannot make use of OpenSSL engine API without<br>
modifications.<br>
<br>
I'm not sure that they can work with X509_STORE method provided by<br>
engine, even this method is set as default. Some client applications<br>
such as lynx and wget are happy with X509_STORE_set_default_locations,<br>
but most server applications want greater control on trusted CA store.<br>
<br>
Few years ago I've submitted patch for PostgreSQL which allows to use<br>
keys loaded via ENGINE_load_private_keys to connect to PostgreSQL<br>
database and this patch got into PostgreSQL 8.3 version.<br>
But that time there was no API to load certificates. Now, when we have<br>
ENGINE_load_ssl_client_cert and PostgreSQL 8.4 have certificate<br>
authentication support may be it is time for new patch.<br>
<div><div></div><div><br>
<br>
<br>
<br>
<br>
<br>
<br>
> Thank you in advance.<br>
><br>
><br>
><br>
> ______________________________________________________________________<br>
> OpenSSL Project <a href="http://www.openssl.org" target="_blank" rel="nofollow">http://www.openssl.org</a><br>
> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26540445&i=1" target="_top" rel="nofollow">openssl-users@...</a><br>
> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26540445&i=2" target="_top" rel="nofollow">majordomo@...</a><br>
><br>
______________________________________________________________________<br>
OpenSSL Project <a href="http://www.openssl.org" target="_blank" rel="nofollow">http://www.openssl.org</a><br>
User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26540445&i=3" target="_top" rel="nofollow">openssl-users@...</a><br>
Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26540445&i=4" target="_top" rel="nofollow">majordomo@...</a><br>
</div></div></blockquote></div><br>
<p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26539862[openssl.org #2112] Build incorrect crypt/decrypt in Win32. x86. MSVC 2003. MinGW.2009-11-27T01:31:49Z2009-11-27T01:31:49ZMisha Aizatulin via RT Hello openssl Hackers.
<br> I try to explain thread started message and I hope to find any comments/ideas to solve related problems.
<br>There is more general problem than indicated earlier. You can find more unfounded results in more tests and different platforms. Executing crypt/decrypt cycle on FreeBSD and CentOS is not equivalent, although test completed successfully (accidentals?):
<br><br>Successful test; CentOS; openssl-0.9.8k; passw: `123'
<br>7f5d48574e5612219abef351bb14bda3 plaintext
<br>5c9231cbd339d228582ccf486b44aea1 encrypt
<br>7f5d48574e5612219abef351bb14bda3 plaintext.out
<br><br>Successful test; FreeBSD; openssl-0.9.8k; passw: `123'
<br>7f5d48574e5612219abef351bb14bda3 plaintext
<br>ad68a43241b2e660c9c2e6f9167995d4 encrypt
<br>7f5d48574e5612219abef351bb14bda3 plaintext.out
<br>What are you thinking about decryption message in FreeBSD encrypted in CentOS?
<br><br>And more `sexual' behavior under Win32/MinGW system; openssl-0.9.8k; passw: `123'.
<br>7f5d48574e5612219abef351bb14bda3 plaintext
<br>c1720d3a0e5e0948422248d015d1f956 encrypt
<br>dc2f8e8d1c40af27ffe6c5ea6c23b304 plaintext.out
<br>No comments.
<br><br>Uninterested completion of tests using password `0123456789ABCDEF':
<br><br>Win32/MinGW:
<br>7f5d48574e5612219abef351bb14bda3 plaintext
<br>b37945f24828d8e95e182a91f33b60ba encrypt
<br>7f5d48574e5612219abef351bb14bda3 plaintext.out
<br>FreeBSD:
<br>7f5d48574e5612219abef351bb14bda3 plaintext
<br>b37945f24828d8e95e182a91f33b60ba encrypt
<br>7f5d48574e5612219abef351bb14bda3 plaintext.out
<br>CentOS:
<br>7f5d48574e5612219abef351bb14bda3 plaintext
<br>b37945f24828d8e95e182a91f33b60ba encrypt
<br>7f5d48574e5612219abef351bb14bda3 plaintext.out
<br>All right. Now we have cross-platform code execution :-).
<br><br>As you understand now, troubles in key generation. It's time to dip into sources.
<br>Cipher context initialization (and simultaneous key definition) perform in call of EVP_EncryptInit() (in consideration code of crypto_test.cpp). Key-material and initialization vector defines in
<br>bf_skey.c, FIPS_NON_FIPS_VCIPHER_Init(BF) (unwrapped: BF_set_key() ):
<br><br>FIPS_NON_FIPS_VCIPHER_Init(BF)
<br> {
<br> int i;
<br> BF_LONG *p,ri,in[2];
<br> const unsigned char *d,*end;
<br><br><br> memcpy(key,&bf_init,sizeof(BF_KEY));
<br> p=key->P;
<br><br> if (len > ((BF_ROUNDS+2)*4)) len=(BF_ROUNDS+2)*4;
<br><br> d=data;
<br> end= &(data[len]);
<br> for (i=0; i<(BF_ROUNDS+2); i++)
<br> {
<br> ri= *(d++);
<br> if (d >= end) d=data;
<br><br> ri<<=8;
<br> ri|= *(d++);
<br> if (d >= end) d=data;
<br><br> ri<<=8;
<br> ri|= *(d++);
<br> if (d >= end) d=data;
<br><br> ri<<=8;
<br> ri|= *(d++);
<br> if (d >= end) d=data;
<br><br> p[i]^=ri;
<br> }
<br><br> in[0]=0L;
<br> in[1]=0L;
<br> for (i=0; i<(BF_ROUNDS+2); i+=2)
<br> {
<br> BF_encrypt(in,key);
<br> p[i ]=in[0];
<br> p[i+1]=in[1];
<br> }
<br><br> p=key->S;
<br> for (i=0; i<4*256; i+=2)
<br> {
<br> BF_encrypt(in,key);
<br> p[i ]=in[0];
<br> p[i+1]=in[1];
<br> }
<br> }
<br><br>We see initial initialization of `key' with predefined `bf_init' values and next computing over `data' (range: {0 - len}, len - cipher key length). Cipher key length set to 16 bytes (initialization vector length 8 bytes). `Human' key (asciiz-string password) is barely 3 byte length. Computing key material over next 12 bytes is wrong, because it contain undefined data (it was not zero-filled under win32).
<br>Zeroing memory is simplest way but it bring down cryptographic strength of password. I seems we need in unique data block (block length must be equal to cipher key length) that can be computed over password-string. We should use so message digest algorithm, output data length of that is equal to cipher key length. IV can be set in default behavior, for example, with digest data or part of them.
<br><br>I seems it is good idea to insert code of correct initialization key-material and iv-data into {ALG}_set_key functions, or describe this situation (and EVP_ - api) in user's FAQ minimum (man-pages?).
<br><br>Also, default initialization of iv should not be null-padding and we can compute it over password string (require message digest algorithm, output string length of that is equal to cipher iv-length).
<br><br>Thank you.
<br>Nick.
<br><br>P.S.: Sorry for my ugly english. It will fine.
<br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>Development Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26539862&i=0" target="_top" rel="nofollow">openssl-dev@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26539862&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---Dev-f980.html" embed="fixTarget[980]" target="_top" >OpenSSL - Dev</a></p>tag:old.nabble.com,2006:post-26538037Re: Add new crypto algorithm into Openssl2009-11-26T21:15:13Z2009-11-26T21:15:13ZGer Hobbelt-2step 0
<br><br>Well, first off a warning (and please read this despite the
<br>admonishing tone it might have; crypto work is playing with live guns
<br>and if a little up-front warning can prevent you from pointing it at
<br>your foot witthout notiing while you ask "is this the trigger, sir?" I
<br>opt for the sermon so survival rate will maybe be a bit higher this
<br>year ;-) ): writing crypto code, especially implementing cryptographic
<br>algorithms themselves, is not for the faint of heart and is definitely
<br>/not/ a good exercise to get to learn a programming language or
<br>development environment - it may sound wicked cool or whatever, but
<br>know that the experience is tough and exacting at several levels and
<br>only truly appealing to anal retentives, so trying this on for size
<br>too early will only cause utter devastation and deception to you.
<br>Crypto is 0% nice and 100% evil and 'Unforgiving' is it's middle name.
<br><br>This warning has to be given, because experience shows that's what
<br>happens from dabbling with these goods too early; though the
<br>government reasons were/are different, it still should be treated as
<br>live ammunitions (guns and stuff), locked and loaded to go and quite
<br>like the antique ones: no safety switch /anywhere/.
<br><br><br>So I'll assume you are fluent in 'C', don't mind a bit of perl on the
<br>side, breathe Makefiles like they're oxygen and are familiar with the
<br>UNIX development platform at console level - forget about the shiny
<br>IDEs for now. That means you can juggle with 'grep', 'sed', 'awk',
<br>'find' and other commandline friends and might be able to teach me a
<br>lesson or two about those.
<br>When you are working on a Windows platform (like I usually am), you
<br>have several years experience of porting UNIX / Windows apps back and
<br>forth and you know a linker from a librarian and don't break out a
<br>sweat when the debugger acts hairy today. You also already have
<br>acquired your own commandline awk/sed/perl/find/etc. equivalents or
<br>are completely confident that you can do the same with the native
<br>Windows commandline tools.
<br><br>If you are not perfectly comfortable with that list, or have not used
<br>some or all of the tools mentioned above yet, make yourself familiar
<br>with those. (Knowing either sed or awk is fine; all the others are
<br>each mandatory and non-interchangeable.) Take several months, because
<br>you don't want to fight this battle at both a tool, a code and a
<br>protocol level all at once.
<br><br>Therefore, the next few steps are described in somewhat terse language
<br>at times - they assume you know all this and are saying to me right
<br>now "no worries! now please get on with it!"
<br><br><br><br>step 1
<br><br>You have a full source distribution of OpenSSL. You have compiled and
<br>run the library itself and the test tools that come with it and you
<br>have made bloody darn sure those tools are actually the ones compiled
<br>by you yourself and are running the openssl library version you just
<br>compiled. They should /not/ by any coincidence whatsoever happen to
<br>work because you inadvertedly started their prebuilt and installed
<br>copies that come with almost all Linux/BSD distros these days.
<br><br>You know what to do when you are not sure whether you adhere to the
<br>above and you already know several ways to indeed verify this.
<br><br><br><br>step 2
<br><br>[There's a discussion going on here about documentation and use cases
<br>just appeared there, but we'll ignore that for now and use that corny
<br>line of developers of all ages: "Use the Source, Luke!"]
<br><br>You make sure you are familiar with the openssl, s_server and s_client
<br>tools and anything else in the kit that is needed to set up a sample
<br>environment where you can perform the cryptographic actions you wish
<br>to perform with your new algorithm. Of course you ensure these
<br>operations work as expected when you pick a few different options and
<br>algorithms.
<br><br>What I call checking out the neighbourhood.
<br><br>Here I would go a bit further even; there's several tutorials on the
<br>net how to generate a client and server certificate and how to apply
<br>it to s_server and s_client so you can play with both for a while,
<br>even when your final solution does not require certificates or SSL.
<br>Getting to know these tools helps you in testing your own work later
<br>on as you attained flexibility in testing approach; a good
<br>implementation should be able to handle these operations you are now
<br>playing with.
<br><br><br>step 3
<br><br>Time to dive into the code proper. First things first: the SSL
<br>protocol is in the ssl/ directory[*]; no need to touch that, because
<br>new crypto algorithms either go directly into libcrypto or are created
<br>as a new 'engine' -- the latter is highly preferred, but both are
<br>possible. The former is harder (= more costly) once your code enters
<br>the maintenance cycle as you'll have to remerge and review every point
<br>release to ensure you're up to par. Better take the road, which is a
<br>bit harder for starters, but has a far better potential play at later
<br>dev stages: a crypto engine plugin.
<br>Yes, that's right, just like the GOST one.
<br><br>Before you go there, realize this: all crypto actions, hashing,
<br>ciphering, etc., should travel through the EVP calls/layer. Rule of
<br>thumb.
<br>Not always true everywhere, but stick to this as a rule of thumb for
<br>99.99% of cases and you didn't ask the question you asked when you're
<br>in that .01% zone anyway, trust me. ;-)
<br><br>Try to see the flow for a basic 'enc'/'dec' encryption and decryption;
<br>you need this, because your code will be part of this flow. Do
<br>yourself a favour:
<br><br>- prep out your favorite debugger
<br>- test a commandline for 'enc' and 'dec' (which is 'enc -d') using
<br>AES128, some content and a key you randomly picked, and make sure it
<br>works.
<br>- do the same, now for GOST.
<br>- having those commandlines and testfiles at the ready, kickstart the
<br>debugger and rerun the buggers again while you trace the callstack and
<br>step through the functions.
<br><br>What you should see happen is 'enc' digging up some info about the
<br>AES128 cipher (EVP_get_cipherbyname()) -- which is lateron going to be
<br>able to deliver info about your own cipher when you did get everything
<br>right in the end! -- then travel further, into several EVP_xyz calls,
<br>which you now know are the wrapping layer around /all/ crypto
<br>activity, so we enter those, and for AES you'll end up at one in the
<br>code that can be found in the directory
<br> crypto/aes/*.[cs]
<br>and don't worry about all the lines, the call stack is a /big/ hint
<br>about what's going down, just by looking at the names, while you
<br>familiarize yourself with the EVP structures.
<br><br>Do this for AES first - notice that the whole engine party will be
<br>skipped completely, because AES is a core library crypto cipher - to
<br>see how it goes down 'old skool'. Know that 'engines' extend on this.
<br><br>When you run into the surprise of landing in assembly language or
<br>parts that are not accessible to sourceview in your debuger or some
<br>such, reconfigure your OpenSSL copy with the 'no-asm' config flag and
<br>rebuild the whole shebang. What this does is rip out all the highly
<br>optimized assembly code (the *.s files) and build a C-only library.
<br>It's slower but it's C, front to back all the way now. Try the
<br>debugger again and see whether you can go everywhere. Watch the
<br>callstack as it will tell you what is happening and after a while
<br>you'll get a sense of when to skip or enter calls. This is mandatory,
<br>because you will be debugging your own produce too -- I have yet to
<br>meet someone who could write non-trivial code blocks and not have a
<br>bug lurking in there at the end.
<br><br>Now you have a feel for how core ciphers travel the code: DES, AES,
<br>RC5, they're all the same that way. Different directories in ./crypto/
<br>but look at those interfaces: they're all the same for all the secret
<br>key ciphers.
<br><br><br><br>[*]Footnote: when you wish to use your own cipher over communication
<br>lines using SSL/TLS/DTLS, you will find that you'll need to edit a few
<br>bits in some definition arrays in the ssl/ directory, but that's
<br>specialist stuff for step6 or maybe it should be a step7. File this
<br>bit away for later and retrieve when you need it.
<br><br><br>step 4
<br><br>Side note: if you wish to implement a new hash, the story is similar,
<br>but hashes are different animals, so they travel a slightly different
<br>path. You both mentioned 'cipher' so I'll leave it at that - once
<br>you've looked at a few, the pattern will emerge, surely.
<br><br>So this time we're going to see how GOST is employed through the
<br>ENGINE interface -- which sits in both
<br> ./crypto/engine/*.[ch]
<br>and
<br> ./engines/*
<br>where the first constitutes the generic interface on the libcrypto
<br>side, while the latter, ./engines/ , carries the different hard- and
<br>software based engines. Several in there are smaller in implementation
<br>that GOST, but when you have a look you'll find that critical parts
<br>are 'missing': those are hardware-based crypto devices which expect
<br>the presence of a hardware/device lib on the backend side of things,
<br>so unless you have such 'dongles', they're useless. Hence we stick to
<br>GOST, as that's a 100% software based engine.
<br><br>You know what to do: enc/dec and maybe a few other things to wish to
<br>try, now with GOST instead of AES128 as the selected cipher and each
<br>of those commandlines executed in the debugger while having a look at
<br>the callstack, etc.
<br><br><br>By now you've a mental image of where OpenSSL will go when you execute
<br>the cipher code, so you have a good initial idea where to poke when
<br>you're going to test your own brand new engine.
<br><br><br>step 5
<br><br>there's several ways to create a new engine, starting from scratch or
<br>borrowing, and though I personally prefer doing such things from
<br>scratch, it is easier to borrow GOST for this, because we can do this
<br>thing in smaller steps. The first is
<br> faking it.
<br><br>That is: we're going to act like our stuff is already done, tested and
<br>all, and exactly the same quality of work as GOST. Which means we're
<br>going to copy /all/ engines/ccgost files into a new directory, say
<br> cp -R engines/ccgost/ engines/mycipher2009/
<br>after we checked where GOST references might be hiding, which is
<br>easily found by running
<br> grep -i gost `find . -type f -print` -l
<br>in the openSSL base directory. It should list a couple of
<br>makefiles,everything in the engines/ccgost/ and a few other files as
<br>well. Note those locations, because that's the places where we'll go
<br>to do the 'fake'.
<br><br>Having copied GOST, we now declare this cipher to be our own
<br>magnificent work called 'mycipher2009' so I'll refer to the
<br>requirements mentioned above and that should combine nicely with the
<br>hint of a little
<br>sed -e 's/GOST/MYCIPHER2009/g'
<br>sed -e 's/gost/mycipher2009/g'
<br>editing of everything in your new mycipher2009 directory.
<br>Plus opening each other file mentioned by that
<br> grep -i gost `find . -type f -print` -l
<br>to see whether we need to vi yy,p the GOST lines in there and edit
<br>gost into mycipher2009 in the copies.
<br>Some files may not need to be changed as they are not relevant to the
<br>build process, but you bet editing the Makefiles is mandatory: add you
<br>new one to the ENGDIRS, for instance, and otherwise inspect each of
<br>those files listed by grep to see and decide whether you should add
<br>you mycipher2009 stuff there.
<br><br>Now that you have made a mirror-copy of GOST under a new name, it's
<br>time to recompile/rebuild and see where you forgot something; expect
<br>the process to go belly up and dig around a bit to fix that. It isn't
<br>hard, it's just work.
<br>Once you have new builds of all the tools all that previous
<br>seemingly-nonsense walking about I had you pays off, because the only
<br>thing to worry about now is whether or not your mycipher2009 engine
<br>gets integrated correctly or not: you know the tools, so you know how
<br>to list the 'known ciphers' using the openssl tool, you know how to
<br>use GOST, so you can now pick your mycipher2009 instead and try with
<br>that and given the fact that you just ripped off a copy of GOST the
<br>encrypted data should even match up with the GOST runs: both
<br>mycipher2009 and GOST are identical twins now, after all.
<br><br><br>Which has you set up for a fresh new engine of your own.
<br><br>The hard part is 'step 6' which will depend on what you want to do:
<br>here the work on your own cipher starts, as those debugger-assisted
<br>walks have given you a clear idea where goes what inside the GOST
<br>engine and with a bit of source-inspection you can start ripping out
<br>parts and replace them by your own. Easy as pie. ;-) <yes, that was an
<br>evil grin, right there>
<br><br>Before you go, do yourself a favor and make a backup - so in case of
<br>panic you don't have to return to step1 but can backpedal to
<br>mycipher2009 and GOST being identical twins, which spares a bit of
<br>work when the faeces hit the propellors.
<br><br>So far the story of building engines. You've got a lot of ground to
<br>cover getting to step6, so I'll assume for now that this is enough to
<br>get you occupied for a while and that last bit of integrating your own
<br>cipher, well, by hen you've seen enough code flows to have a pretty
<br>good idea where you're going.
<br><br>Take care,
<br><br>Ger
<br><br><br><br>PS: forgot to mention this: pick a OpenSSL tree distribution you feel
<br>safe about; I myself like to ride bleeding edge from CVS HEAD, but
<br>that may get you a few surprises at times where you don't want any, so
<br>my advice would be to take the latest bundled tar.gz release and go
<br>from there.
<br><br>[When you go with latest as of the date of this writing, be aware
<br>there's an issue lurking in the SSL renegotiation code that is under
<br>scrutiny right now, so check up on that again once it becomes
<br>important to you: you might need to download the next distrib package
<br>then for this particular communication feature fix-of-a-fix, which is
<br>a nice exercise in merging your code with an updated OpenSSL source
<br>tree -- there's code merge tools for that; I use a semi-manual process
<br>through a windows app called 'Beyond Compare' but that's because I'm
<br>very comfortable with that one and I like to be in total control over
<br>which lines enter my repositories where and when. Pick your own
<br>favorite here. This little blurb is only important when you employ
<br>OpenSSL for its secure /comminucation/ abilities, i.e. when you use it
<br>to provide SSL/TLS/DTLS or anything that's riding on top of that.]
<br><br><br><br>On Wed, Nov 25, 2009 at 12:05 PM, Mystic Boy <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26538037&i=0" target="_top" rel="nofollow">sbprabhakar@...</a>> wrote:
<div class='shrinkable-quote'><br>>
<br>>
<br>>
<br>> Gloria Lee wrote:
<br>>>
<br>>> Hi,
<br>>> I wanna ask something...
<br>>> Im trying to add crypto algorithm into Openssl,
<br>>> I heard about the engine(ccgost), and read the README.txt file, but I
<br>>> don't understand
<br>>> how to do it..
<br>>> I wonder If I add my own algorithm, Do I just copy ccgost pattern? or have
<br>>> to change
<br>>> entire openssl core source??..
<br>>> Besides that, I want to know how to use ccgost engine, It's very hard for
<br>>> me.
<br>>> Thanks,... :)
<br>>>
<br>>
<br>> Hi,
<br>> I am also trying to add new crypto algo. to the crypto library. But didn't
<br>> succeed. I explored OpenSSL/crypto library, it's different algo. has
<br>> dependencies on different files.
<br>> I am looking forward for help
<br>>
<br>> Thanks:
<br>> --
<br>> View this message in context: <a href="http://old.nabble.com/Add-new-crypto-algorithm-into-Openssl-tp26488823p26510888.html" target="_top" rel="nofollow">http://old.nabble.com/Add-new-crypto-algorithm-into-Openssl-tp26488823p26510888.html</a><br>> Sent from the OpenSSL - User mailing list archive at Nabble.com.
<br>> ______________________________________________________________________
<br>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26538037&i=1" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26538037&i=2" target="_top" rel="nofollow">majordomo@...</a>
<br>>
</div><br><br><br>--
<br>Met vriendelijke groeten / Best regards,
<br><br>Ger Hobbelt
<br><br>--------------------------------------------------
<br>web: <a href="http://www.hobbelt.com/" target="_top" rel="nofollow">http://www.hobbelt.com/</a><br> <a href="http://www.hebbut.net/" target="_top" rel="nofollow">http://www.hebbut.net/</a><br>mail: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26538037&i=3" target="_top" rel="nofollow">ger@...</a>
<br>mobile: +31-6-11 120 978
<br>--------------------------------------------------
<br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26538037&i=4" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26538037&i=5" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536646Re: General question about documentation2009-11-26T16:42:56Z2009-11-26T16:42:56ZRandy Turner-2<br>This is an example of a relatively common use-case that I was alluding to in a previous email...it would be nice to not have to figure this out either by guessing, reverse-engineering something, or other sub-optimal form of development strategy....
<br><br>Randy
<br><br><br>On Nov 26, 2009, at 4:03 PM, John R Pierce wrote:
<br><div class='shrinkable-quote'><br>> Rene Hollan wrote:
<br>>>
<br>>> Oh, you need to dig deeper, to understand the semantics and not just the syntax of those APIs.
<br>>>
<br>>> I didn't say using the source as documentation was convenient, but it is possible, to any degree of detail you want.
<br>>>
<br>>> To wit: given the source code, it is possible to create documentation to any degree of convenience. But, given some instance of external documentation and no source, it is not possible to improve the convenience factor of that documentation to an arbitrary degree.
<br>>>
<br>>> Suggesting what people who donate their time DO is rather like herding cats. Some like coding and others like documenting and some like both. Perhaps instead of an admonition that the project needs better documentation, a question regarding who is willing to contribute to said better documentation is more in order.
<br>>>
<br>>
<br>> unluckily, those of us who most need the docs are least able to contribute, as I haven't the foggiest notion how to properly use any of the APIs at present. I suppose I need to get the ORA book and start reading, as eventually I"m going to be helping another development team at work with getting an SSL connection going that needs to use a client certificate stored on a PKCS#11 PKI token, so I'll be sorting out how to use libssl w/ opensc's engine-pkcs11 module, who's documentation is just about as non-existant as that of openssl. this task was very easy in Java, as Java's SecureSocket hides all the complexity, up to and including full support for PKCS#11 plugins.
<br>>
<br>>
<br>>
<br>> .
<br>>
<br>>
<br>>
<br>>
<br>> ______________________________________________________________________
<br>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536646&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536646&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br>>
</div><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536646&i=2" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536646&i=3" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536636Re: General question about documentation2009-11-26T16:40:41Z2009-11-26T16:40:41ZRandy Turner-2<br>Yes, I noted that usage of the APIs in combination with common use-cases is more appropriate, but this doesn't obviate the need for per-API documentation, as has occurred so far on the openssl website.
<br><br>And I agree with the previous point that we should be trying to collectively figure out how to update the documentation in sync with the available features and functionality of the 1.0 release.
<br><br>Randy
<br><br><br><br>On Nov 26, 2009, at 3:35 PM, John R Pierce wrote:
<br><div class='shrinkable-quote'><br>>
<br>>> Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.
<br>>>
<br>>
<br>> the implementation details of the 250-odd API entry points in libssl.so would tell me very little about how to properly USE those APIs, and in fact, designing an application around my interpretation of the library developers intent would likely lead me down some rabbit holes I'd rather not explore.
<br>>
<br>> This is my idea of how open source documentation should be organized and written.
<br>> <a href="http://www.postgresql.org/docs/current/static/index.html" target="_top" rel="nofollow">http://www.postgresql.org/docs/current/static/index.html</a><br>>
<br>>
<br>> ______________________________________________________________________
<br>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536636&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536636&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br>>
</div><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536636&i=2" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536636&i=3" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536479Re: General question about documentation2009-11-26T16:16:33Z2009-11-26T16:16:33ZTim Ward-3From: "John R Pierce" <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536479&i=0" target="_top" rel="nofollow">pierce@...</a>>
<br>>
<br>> this task was very easy in Java, as Java's SecureSocket hides all the
<br>> complexity, up to and including full support for PKCS#11 plugins.
<br><br>Weren't you lucky.
<br><br>I gave up trying to do that sort of thing in Java when I ran across its
<br>habit of doing reverse DNS lookups on every IP address it came across, just
<br>in case it needed the FQDN for anything (I think it was stuck in the mindset
<br>of "people only use SSL to talk to web servers, don't they, and the only way
<br>of validating a web server is a certificate containing an FDQN, isn't it, so
<br>whenever I see an IP address I'd better get the FQDN, hadn't I, because I'm
<br>bound to need it soon, aren't I").
<br><br>Well, no, actually. Guess what: sometimes people use SSL for purposes other
<br>than talking to web severs, and in the cases of embedded devices with no DNS
<br>records talking to each other by explicitly configured IP address the DNS
<br>lookup took minutes to time out before Java would deign to get on with doing
<br>what it was told. With no way of switching this nonsense off. Hence I used a
<br>C++ DLL to do the crypto stuff.
<br><br>Tim Ward - Brett Ward Limited - 07801 703 600
<br>www.brettward.co.uk
<br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536479&i=1" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536479&i=2" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536458Secure command line "enc -K"2009-11-26T16:10:39Z2009-11-26T16:10:39ZMichael D. AdamsIs there a way to securely pass an exact key to "openssl enc"? The
<br>"-pass" option is looking for a password that it will pass though a
<br>key derivation function (IIUC), but I want to specify the exact binary
<br>key to use without it being passed though a key derivation function.
<br>The "-K" option would fit my needs, except that since it requires the
<br>key to be put on the literal command line, it exposes the key to other
<br>users on the same system (they can run "ps -f").
<br><br>I'm looking for something like "-pass file:<keyfile>" (to keep the key
<br>off the command line) except I want to bypass the key derivation
<br>function. (If I were hashing instead of encoding I would just use
<br>"openssl sha1 -sign hmac.pem".)
<br><br>Michael D. Adams
<br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536458&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536458&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536407Re: General question about documentation2009-11-26T16:03:03Z2009-11-26T16:03:03ZJohn R PierceRene Hollan wrote:
<div class='shrinkable-quote'><br>>
<br>> Oh, you need to dig deeper, to understand the semantics and not just
<br>> the syntax of those APIs.
<br>>
<br>> I didn't say using the source as documentation was convenient, but it
<br>> is possible, to any degree of detail you want.
<br>>
<br>> To wit: given the source code, it is possible to create documentation
<br>> to any degree of convenience. But, given some instance of external
<br>> documentation and no source, it is not possible to improve the
<br>> convenience factor of that documentation to an arbitrary degree.
<br>>
<br>> Suggesting what people who donate their time DO is rather like herding
<br>> cats. Some like coding and others like documenting and some like both.
<br>> Perhaps instead of an admonition that the project needs better
<br>> documentation, a question regarding who is willing to contribute to
<br>> said better documentation is more in order.
<br>>
</div><br>unluckily, those of us who most need the docs are least able to
<br>contribute, as I haven't the foggiest notion how to properly use any of
<br>the APIs at present. I suppose I need to get the ORA book and start
<br>reading, as eventually I"m going to be helping another development team
<br>at work with getting an SSL connection going that needs to use a client
<br>certificate stored on a PKCS#11 PKI token, so I'll be sorting out how to
<br>use libssl w/ opensc's engine-pkcs11 module, who's documentation is just
<br>about as non-existant as that of openssl. this task was very easy in
<br>Java, as Java's SecureSocket hides all the complexity, up to and
<br>including full support for PKCS#11 plugins.
<br><br><br><br>.
<br><br><br><br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536407&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536407&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536304RE: General question about documentation2009-11-26T15:40:14Z2009-11-26T15:40:14ZRene Hollan-2<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7655.3">
<TITLE>RE: General question about documentation</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Oh, you need to dig deeper, to understand the semantics and not just the syntax of those APIs.<BR>
<BR>
I didn't say using the source as documentation was convenient, but it is possible, to any degree of detail you want.<BR>
<BR>
To wit: given the source code, it is possible to create documentation to any degree of convenience. But, given some instance of external documentation and no source, it is not possible to improve the convenience factor of that documentation to an arbitrary degree.<BR>
<BR>
Suggesting what people who donate their time DO is rather like herding cats. Some like coding and others like documenting and some like both. Perhaps instead of an admonition that the project needs better documentation, a question regarding who is willing to contribute to said better documentation is more in order.<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536304&i=0" target="_top" rel="nofollow">owner-openssl-users@...</a> on behalf of John R Pierce<BR>
Sent: Thu 11/26/2009 3:35 PM<BR>
To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536304&i=1" target="_top" rel="nofollow">openssl-users@...</a><BR>
Subject: Re: General question about documentation<BR>
<BR>
<BR>
> Finally, the source code IS the only reliable source of documentation<BR>
> (assuming you can trust your compiler, OS, and hardware to do "the<BR>
> right thing"). It isn't the most CONVENIENT, which is why we desire<BR>
> other forms.<BR>
><BR>
<BR>
the implementation details of the 250-odd API entry points in libssl.so<BR>
would tell me very little about how to properly USE those APIs, and in<BR>
fact, designing an application around my interpretation of the library<BR>
developers intent would likely lead me down some rabbit holes I'd rather<BR>
not explore.<BR>
<BR>
This is my idea of how open source documentation should be organized and<BR>
written.<BR>
<A HREF="http://www.postgresql.org/docs/current/static/index.html" target="_top" rel="nofollow">http://www.postgresql.org/docs/current/static/index.html</A><BR>
<BR>
<BR>
______________________________________________________________________<BR>
OpenSSL Project <A HREF="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</A><BR>
User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536304&i=2" target="_top" rel="nofollow">openssl-users@...</a><BR>
Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536304&i=3" target="_top" rel="nofollow">majordomo@...</a><BR>
<BR>
</FONT>
</P>
</BODY>
</HTML><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536237Re: General question about documentation2009-11-26T15:35:42Z2009-11-26T15:35:42ZJohn R Pierce<br>> Finally, the source code IS the only reliable source of documentation
<br>> (assuming you can trust your compiler, OS, and hardware to do "the
<br>> right thing"). It isn't the most CONVENIENT, which is why we desire
<br>> other forms.
<br>>
<br><br>the implementation details of the 250-odd API entry points in libssl.so
<br>would tell me very little about how to properly USE those APIs, and in
<br>fact, designing an application around my interpretation of the library
<br>developers intent would likely lead me down some rabbit holes I'd rather
<br>not explore.
<br><br>This is my idea of how open source documentation should be organized and
<br>written.
<br><a href="http://www.postgresql.org/docs/current/static/index.html" target="_top" rel="nofollow">http://www.postgresql.org/docs/current/static/index.html</a><br><br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536237&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536237&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26536194Re: General question about documentation2009-11-26T14:53:42Z2009-11-26T14:53:42ZRandy Turner-2<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div><blockquote type="cite"><div><p><font size="2">Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.<br></font></p></div></blockquote><div>Just to clarify...</div><div><br></div>There isn't a debate about whether "source code" is documentation - documentation is something altogether different from source code, and it this altogether different form that is open to debate.<div><br></div><div>I think the layout, and organization of the existing OpenSSL website is evidence enough that the group intended to provide an organized documentation tree - that much is certain, so</div><div>we can defer the goals/desires semantic discussion. My only point is, I think documentation has taken a back seat "priority-wise" due to other apparently higher-priority development tasks (including possibly paid consulting time). My suggestion is, that we try to find some way to update the documentation on the website to reflect the features and functionality of the 1.0 release. The 1.0 release seems like a natural point at which to revisit how we (the community) or the core developers, or both, can re-sync the documentation sufficient to cover the common use-cases</div><div>envisioned for the feature-set. Including the basic API docs which make up the bulk of the existing documentation at the site today.</div><div><br></div><div>I wouldn't necessarily damn the wiki out of the gate, but I agree it will need some organization and possibly editorial support from the core development team, to be sufficiently usable to keep</div><div>users of the toolkit productive. And I reiterate, as a user of the toolkit, I would be happy to contribute to such a Wiki.</div><div><br></div><div>Randy</div><div><br></div><div><br><div><div>On Nov 26, 2009, at 1:15 PM, Rene Hollan wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div>
<!-- Converted from text/plain format --><p><font size="2">You are confusing goals and desires.<br>
<br>
Someone who wants documentation beyond what they have can either (a) write it themselves, (b) wait, (c) offer a bounty. (c) is the only practical choice, if they have money but neither time, nor expertise.<br>
<br>
Someone who wants to produce open source code to solve a problem and share the solution will do the least to get the job done. Someone who wants to produce open source software to INFLUENCE others to use it will try to produce the most usable software they can. I submit most open source projects fall somewhere in the middle.<br>
<br>
Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.<br>
<br>
Should the O'Reilly book be rewritten? Not unless it's truly awful. But, a wiki shouldn't start from scratch. It should draw upon existing documentation and fill in the gaps. Sucks if you don't have those docs (or can't afford the book), but it is the fastest way to "get there from here" because you don't have to start from nothing.<br>
<br>
The problem with wikis is that they tend to be a large forest of information with little organization. Unless there is some editing effort, it will be little more useful than a FAQ and mailing list archive.<br>
<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=0" target="_top" rel="nofollow">owner-openssl-users@...</a> on behalf of Randy Turner<br>
Sent: Thu 11/26/2009 11:38 AM<br>
To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=1" target="_top" rel="nofollow">openssl-users@...</a><br>
Subject: Re: General question about documentation<br>
<br>
<br>
That's a great idea Mark and Will, I would be happy to contribute anything that I learn about the toolkit.<br>
<br>
There have been a wide range of comments from people saying "look at the code" all the way to basically suggesting an attempt<br>
at a new version of the O'Reilly book.<br>
<br>
I can't imagine anyone with any experience at all in software development suggesting that the only source of documentation be the source code.<br>
<br>
And I don't think I was suggesting that the OpenSSL team necessarily write a new version of the O'Reilly book.<br>
<br>
Someone also said that if we wanted documentation we should pay for it - which seems counter to the whole open source effort. I'm assuming that the OpenSSL developers<br>
are not spending all this time working on the toolkit for the hell of it - I would think they would like as many people to use it as possible, and with that goal in mind, I think the 1.0 release (when it comes out of beta) would be a good stopping point to re-visit the documentation set and providing examples that reflect the most common use-cases. The mailing list is always here for unusual use-cases.<br>
<br>
That being said, I think a Wiki is also a great idea, but would not obviate the need for the developers of the toolkit to complete the documentation set. I've spent a quite a bit of time with OpenSSL and would be happy to contribute to a Wiki.<br>
<br>
Thanks!!<br>
Randy<br>
<br>
<br>
On Nov 25, 2009, at 3:13 PM, Will Bickford wrote:<br>
<br>
> IMO a wiki would be a great resource for both developers and users of<br>
> OpenSSL.<br>
><br>
> Something along the lines of the Subversion Book - an online reference<br>
> "book" for OpenSSL.<br>
><br>
> --Will<br>
><br>
>> -----Original Message-----<br>
>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=2" target="_top" rel="nofollow">owner-openssl-users@...</a><br>
>> [<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=3" target="_top" rel="nofollow">owner-openssl-users@...</a>] On Behalf Of Mark<br>
>> Sent: Wednesday, November 25, 2009 3:27 AM<br>
>> To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=4" target="_top" rel="nofollow">openssl-users@...</a><br>
>> Subject: RE: General question about documentation<br>
>><br>
>>> I would like to post a general observation regarding users of the<br>
>>> OpenSSL toolkit.<br>
>><br>
>> [snip stuff about documentation]]<br>
>><br>
>> A long time ago it was suggested to use a wiki for this<br>
>> purpose. Can this idea be resurrected?<br>
>><br>
>> Mark.<br>
>><br>
>> ______________________________________________________________________<br>
>> OpenSSL Project <a href="http://www.openssl.org/" target="_top" rel="nofollow">http://www.openssl.org</a><br>
>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=5" target="_top" rel="nofollow">openssl-users@...</a><br>
>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=6" target="_top" rel="nofollow">majordomo@...</a><br>
>><br>
>><br>
> ______________________________________________________________________<br>
> OpenSSL Project <a href="http://www.openssl.org/" target="_top" rel="nofollow">http://www.openssl.org</a><br>
> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=7" target="_top" rel="nofollow">openssl-users@...</a><br>
> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=8" target="_top" rel="nofollow">majordomo@...</a><br>
><br>
<br>
______________________________________________________________________<br>
OpenSSL Project <a href="http://www.openssl.org/" target="_top" rel="nofollow">http://www.openssl.org</a><br>
User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=9" target="_top" rel="nofollow">openssl-users@...</a><br>
Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26536194&i=10" target="_top" rel="nofollow">majordomo@...</a><br>
<br>
</font>
</p>
</div>
</blockquote></div><br></div></body></html><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26535592RE: Help with error - hardware capability unsupported SSE22009-11-26T14:14:33Z2009-11-26T14:14:33ZJ. J. Farrell<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16915" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Verdana color=#000080 size=2></FONT> </DIV><BR>
<BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Jeremy Farrell</FONT></DIV><BR>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Chris Copeland<BR></FONT></DIV>
<DIV class=gmail_quote><FONT face=Verdana color=#000080 size=2></FONT>
<DIV><BR>I am building and packaging the following on one machine (the
"build"<BR>machine) and attempting to install and use on other machines
("target"<BR>machines) some of which have different processors.<BR><BR>*
OpenSSL 0.9.8l<BR>* Apache 2.2.14<BR>* Tomcat Connectors 1.2.28<BR><BR>The
problem, as far as I can tell, is that the build machine has more<BR>CPU
capabilities than the target machine resulting in binaries that<BR>are not
executable on the target machine. I have attempted to use<BR>configure
and compiler flags to disable use of the offending<BR>instructions without
luck.<BR><BR>Ultimately I get this error:<BR><BR>$ ./apachectl start httpd:
Syntax error on line 58 of<BR>/usr/local/apache-2.2.14/conf/httpd.conf:
Cannot load<BR>/usr/local/apache2/modules/mod_ssl.so into server: ld.so.1:
httpd:<BR>fatal: /usr/local/openssl/lib/libssl.so.0.9.8: hardware
capability<BR>unsupported: 0x1000 [ SSE2 ]<BR><BR><SPAN class=053180722-26112009><FONT face=Verdana color=#000080 size=2> ...</FONT></SPAN></DIV></DIV></BLOCKQUOTE>
<DIV class=gmail_quote><SPAN class=053180722-26112009><FONT face=Verdana color=#000080 size=2>According to the message, your problem is that mod_ssl.so
requires SSE2. You'd be best to ask the community responsible for that library
how to build a version of it which doesn't require SSE2. I don't know for
sure, but I think I recall mention that it's part of
Apache.</FONT></SPAN></DIV>
<DIV class=gmail_quote><SPAN class=053180722-26112009></SPAN> </DIV>
<DIV class=gmail_quote><SPAN class=053180722-26112009><FONT face=Verdana color=#000080 size=2>On the surface your OpenSSL build looks fit for
purpose.</FONT> <SPAN class=476221222-26112009><FONT face=Verdana color=#000080 size=2> </FONT></SPAN></SPAN></DIV></BLOCKQUOTE>
<DIV class=gmail_quote dir=ltr style="MARGIN-RIGHT: 0px"><SPAN class=053180722-26112009><SPAN class=476221222-26112009><FONT face=Verdana color=#000080 size=2>Grrr ... Apologies, that's nonsense. It always pays to read
all the message before commenting.</FONT> <FONT face=Verdana color=#000080 size=2>I've no idea what's going on here; I'll leave it to someone who actually
has a clue to say something useful.</FONT></SPAN></SPAN></DIV></BODY></HTML>
<p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26535550RE: Help with error - hardware capability unsupported SSE22009-11-26T14:10:39Z2009-11-26T14:10:39ZJ. J. Farrell<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16915" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Verdana color=#000080 size=2></FONT> </DIV><BR>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Chris Copeland<BR></FONT></DIV>
<DIV class=gmail_quote><FONT face=Verdana color=#000080 size=2></FONT>
<DIV><BR>I am building and packaging the following on one machine (the
"build"<BR>machine) and attempting to install and use on other machines
("target"<BR>machines) some of which have different processors.<BR><BR>*
OpenSSL 0.9.8l<BR>* Apache 2.2.14<BR>* Tomcat Connectors 1.2.28<BR><BR>The
problem, as far as I can tell, is that the build machine has more<BR>CPU
capabilities than the target machine resulting in binaries that<BR>are not
executable on the target machine. I have attempted to use<BR>configure
and compiler flags to disable use of the offending<BR>instructions without
luck.<BR><BR>Ultimately I get this error:<BR><BR>$ ./apachectl start httpd:
Syntax error on line 58 of<BR>/usr/local/apache-2.2.14/conf/httpd.conf: Cannot
load<BR>/usr/local/apache2/modules/mod_ssl.so into server: ld.so.1:
httpd:<BR>fatal: /usr/local/openssl/lib/libssl.so.0.9.8: hardware
capability<BR>unsupported: 0x1000 [ SSE2 ]<BR><BR><SPAN class=053180722-26112009><FONT face=Verdana color=#000080 size=2> ...</FONT></SPAN></DIV></DIV></BLOCKQUOTE>
<DIV class=gmail_quote><SPAN class=053180722-26112009><FONT face=Verdana color=#000080 size=2>According to the message, your problem is that mod_ssl.so
requires SSE2. You'd be best to ask the community responsible for that library
how to build a version of it which doesn't require SSE2. I don't know for sure,
but I think I recall mention that it's part of Apache.</FONT></SPAN></DIV>
<DIV class=gmail_quote><SPAN class=053180722-26112009></SPAN> </DIV>
<DIV class=gmail_quote><SPAN class=053180722-26112009><FONT face=Verdana color=#000080 size=2>On the surface your OpenSSL build looks fit for
purpose.</FONT> </SPAN></DIV></BODY></HTML>
<p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26534998[openssl.org #2111] [PATCH] Handle OOM for bn_wexpand2009-11-26T13:18:39Z2009-11-26T13:18:39ZMisha Aizatulin via RTThis patch makes OOM handling consistent with the rest of the file.
<br><br><br />diff -rup openssl-1.0.0-beta4/crypto/bn/bn_mul.c openssl-1.0.0-beta4_fixed/crypto/bn/bn_mul.c
<br>--- openssl-1.0.0-beta4/crypto/bn/bn_mul.c 2009-06-17 13:47:54.000000000 +0200
<br>+++ openssl-1.0.0-beta4_fixed/crypto/bn/bn_mul.c 2009-11-24 16:12:35.000000000 +0100
<br>@@ -1032,15 +1032,15 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, c
<br> goto err;
<br> if (al > j || bl > j)
<br> {
<br>- bn_wexpand(t,k*4);
<br>- bn_wexpand(rr,k*4);
<br>+ if (bn_wexpand(t,k*4) == NULL) goto err;
<br>+ if (bn_wexpand(rr,k*4) == NULL) goto err;
<br> bn_mul_part_recursive(rr->d,a->d,b->d,
<br> j,al-j,bl-j,t->d);
<br> }
<br> else /* al <= j || bl <= j */
<br> {
<br>- bn_wexpand(t,k*2);
<br>- bn_wexpand(rr,k*2);
<br>+ if (bn_wexpand(t,k*2) == NULL) goto err;
<br>+ if (bn_wexpand(rr,k*2) == NULL) goto err;
<br> bn_mul_recursive(rr->d,a->d,b->d,
<br> j,al-j,bl-j,t->d);
<br> }
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---Dev-f980.html" embed="fixTarget[980]" target="_top" >OpenSSL - Dev</a></p>tag:old.nabble.com,2006:post-26534971RE: General question about documentation2009-11-26T13:15:17Z2009-11-26T13:15:17ZRene Hollan-2<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7655.3">
<TITLE>RE: General question about documentation</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>You are confusing goals and desires.<BR>
<BR>
Someone who wants documentation beyond what they have can either (a) write it themselves, (b) wait, (c) offer a bounty. (c) is the only practical choice, if they have money but neither time, nor expertise.<BR>
<BR>
Someone who wants to produce open source code to solve a problem and share the solution will do the least to get the job done. Someone who wants to produce open source software to INFLUENCE others to use it will try to produce the most usable software they can. I submit most open source projects fall somewhere in the middle.<BR>
<BR>
Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.<BR>
<BR>
Should the O'Reilly book be rewritten? Not unless it's truly awful. But, a wiki shouldn't start from scratch. It should draw upon existing documentation and fill in the gaps. Sucks if you don't have those docs (or can't afford the book), but it is the fastest way to "get there from here" because you don't have to start from nothing.<BR>
<BR>
The problem with wikis is that they tend to be a large forest of information with little organization. Unless there is some editing effort, it will be little more useful than a FAQ and mailing list archive.<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=0" target="_top" rel="nofollow">owner-openssl-users@...</a> on behalf of Randy Turner<BR>
Sent: Thu 11/26/2009 11:38 AM<BR>
To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=1" target="_top" rel="nofollow">openssl-users@...</a><BR>
Subject: Re: General question about documentation<BR>
<BR>
<BR>
That's a great idea Mark and Will, I would be happy to contribute anything that I learn about the toolkit.<BR>
<BR>
There have been a wide range of comments from people saying "look at the code" all the way to basically suggesting an attempt<BR>
at a new version of the O'Reilly book.<BR>
<BR>
I can't imagine anyone with any experience at all in software development suggesting that the only source of documentation be the source code.<BR>
<BR>
And I don't think I was suggesting that the OpenSSL team necessarily write a new version of the O'Reilly book.<BR>
<BR>
Someone also said that if we wanted documentation we should pay for it - which seems counter to the whole open source effort. I'm assuming that the OpenSSL developers<BR>
are not spending all this time working on the toolkit for the hell of it - I would think they would like as many people to use it as possible, and with that goal in mind, I think the 1.0 release (when it comes out of beta) would be a good stopping point to re-visit the documentation set and providing examples that reflect the most common use-cases. The mailing list is always here for unusual use-cases.<BR>
<BR>
That being said, I think a Wiki is also a great idea, but would not obviate the need for the developers of the toolkit to complete the documentation set. I've spent a quite a bit of time with OpenSSL and would be happy to contribute to a Wiki.<BR>
<BR>
Thanks!!<BR>
Randy<BR>
<BR>
<BR>
On Nov 25, 2009, at 3:13 PM, Will Bickford wrote:<BR>
<BR>
> IMO a wiki would be a great resource for both developers and users of<BR>
> OpenSSL.<BR>
><BR>
> Something along the lines of the Subversion Book - an online reference<BR>
> "book" for OpenSSL.<BR>
><BR>
> --Will<BR>
><BR>
>> -----Original Message-----<BR>
>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=2" target="_top" rel="nofollow">owner-openssl-users@...</a><BR>
>> [<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=3" target="_top" rel="nofollow">owner-openssl-users@...</a>] On Behalf Of Mark<BR>
>> Sent: Wednesday, November 25, 2009 3:27 AM<BR>
>> To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=4" target="_top" rel="nofollow">openssl-users@...</a><BR>
>> Subject: RE: General question about documentation<BR>
>><BR>
>>> I would like to post a general observation regarding users of the<BR>
>>> OpenSSL toolkit.<BR>
>><BR>
>> [snip stuff about documentation]]<BR>
>><BR>
>> A long time ago it was suggested to use a wiki for this<BR>
>> purpose. Can this idea be resurrected?<BR>
>><BR>
>> Mark.<BR>
>><BR>
>> ______________________________________________________________________<BR>
>> OpenSSL Project <A HREF="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</A><BR>
>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=5" target="_top" rel="nofollow">openssl-users@...</a><BR>
>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=6" target="_top" rel="nofollow">majordomo@...</a><BR>
>><BR>
>><BR>
> ______________________________________________________________________<BR>
> OpenSSL Project <A HREF="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</A><BR>
> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=7" target="_top" rel="nofollow">openssl-users@...</a><BR>
> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=8" target="_top" rel="nofollow">majordomo@...</a><BR>
><BR>
<BR>
______________________________________________________________________<BR>
OpenSSL Project <A HREF="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</A><BR>
User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=9" target="_top" rel="nofollow">openssl-users@...</a><BR>
Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534971&i=10" target="_top" rel="nofollow">majordomo@...</a><BR>
<BR>
</FONT>
</P>
</BODY>
</HTML><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26534841Re: [openssl.org #2110] [PATCH] Changed behavior of BIO_CTRL_DGRAM_GET_PEER breaks DTLS apps2009-11-26T13:01:57Z2009-11-26T13:01:57ZMisha Aizatulin via RT> The latest changes of bss_dgram.c affected the behavior of
<br>> BIO_CTRL_DGRAM_GET_PEER, which now requires to preset the expected IP
<br>> type before requesting the current peer.
<br><br>Which was just wrong to assume, my bad. Thanks for report and
<br>suggestion. Slightly modified version is committed as per
<br><a href="http://cvs.openssl.org/chngview?cn=18912" target="_top" rel="nofollow">http://cvs.openssl.org/chngview?cn=18912</a>. A.
<br><br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>Development Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534841&i=0" target="_top" rel="nofollow">openssl-dev@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534841&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---Dev-f980.html" embed="fixTarget[980]" target="_top" >OpenSSL - Dev</a></p>tag:old.nabble.com,2006:post-26534824Re: DES3 Encryption & Decryption2009-11-26T12:59:36Z2009-11-26T12:59:36ZMichael S. Zick-4On Wed November 25 2009, Krishna, Bharath wrote:
<div class='shrinkable-quote'><br>> Hi All,
<br>>
<br>> I am new for Unix development work.
<br>>
<br>> Can you please enlighten me clearly about the OPENSSL tool kit and
<br>> how we could achieve the below requirement.
<br>>
<br>> Requirement:
<br>>
<br>> As per customer requirements we should use DES3 algorithm to store
<br>> password in a file. For this, we have installed OPENSSL toolkit in our
<br>> server.
<br>>
</div><br>Any particular operating system?
<br>In linux, you can already choose to use DES3 for shadow passwords.
<br><br>Nothing more required than a current passwd utility.
<br><br>Mike
<div class='shrinkable-quote'><br>> Issue:
<br>>
<br>> I don't know, how to use the OPENSSL toolkit to achieve the above
<br>> requirement.
<br>>
<br>>
<br>> Can you please anybody help on this.
<br>>
<br>> ______________________________________________________________________
<br>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534824&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534824&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br>>
<br>>
</div><br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534824&i=2" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534824&i=3" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26534363Re: DES3 Encryption & Decryption2009-11-26T12:07:44Z2009-11-26T12:07:44ZPatrick Patterson-3Hey there;
<br><br>When asking for advice, please at least say whether you are trying to do
<br>something programatically (i.e.: using the OpenSSL API), or just need to
<br>do it from the command line.
<br><br>If it is the command line, then please include what you have tried, and
<br>the results that you got.
<br><br>To this current issue, if you are trying to do it via the command line,
<br>the man page ('man enc') has several really good examples of how to do
<br>3DES encryption.
<br><br>If you need to do it programatically, take a look at the WvStreams
<br>'wvtripledes' class code at <a href="http://code.google.com/p/wvstreams/" target="_top" rel="nofollow">http://code.google.com/p/wvstreams/</a> .
<br><br>Have fun.
<br><br>Patrick.
<br><br><br><br><br>Krishna, Bharath wrote:
<div class='shrinkable-quote'><br>> Hi All,
<br>>
<br>> I am new for Unix development work.
<br>>
<br>> Can you please enlighten me clearly about the OPENSSL tool kit and
<br>> how we could achieve the below requirement.
<br>>
<br>> Requirement:
<br>>
<br>> As per customer requirements we should use DES3 algorithm to store
<br>> password in a file. For this, we have installed OPENSSL toolkit in our
<br>> server.
<br>>
<br>> Issue:
<br>>
<br>> I don't know, how to use the OPENSSL toolkit to achieve the above
<br>> requirement.
<br>>
<br>>
<br>> Can you please anybody help on this.
<br>>
<br>> ______________________________________________________________________
<br>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534363&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534363&i=1" target="_top" rel="nofollow">majordomo@...</a>
</div><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534363&i=2" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534363&i=3" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26534388Re: New blackout2009-11-26T11:39:25Z2009-11-26T11:39:25ZLutz JaenickeChris Wilson wrote:
<br>> On Wed, 25 Nov 2009, The Doctor wrote:
<br>>
<br>>> I was able to see openssl.org last night MST but not at this current
<br>>> time.
<br>>
<br>> Works fine for me.
<br><br>We did have "filesystem full" problems in the last days which led to
<br>system panics. These issues should be sorted out now (thanks to Ralf S.
<br>Engelschall who is technically operating the server hardware).
<br>Please excuse any inconvenience.
<br><br>Best regards,
<br> Lutz
<br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534388&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534388&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26534088Re: General question about documentation2009-11-26T11:38:28Z2009-11-26T11:38:28ZRandy Turner-2<br>That's a great idea Mark and Will, I would be happy to contribute anything that I learn about the toolkit.
<br><br>There have been a wide range of comments from people saying "look at the code" all the way to basically suggesting an attempt
<br>at a new version of the O'Reilly book.
<br><br>I can't imagine anyone with any experience at all in software development suggesting that the only source of documentation be the source code.
<br><br>And I don't think I was suggesting that the OpenSSL team necessarily write a new version of the O'Reilly book.
<br><br>Someone also said that if we wanted documentation we should pay for it - which seems counter to the whole open source effort. I'm assuming that the OpenSSL developers
<br>are not spending all this time working on the toolkit for the hell of it - I would think they would like as many people to use it as possible, and with that goal in mind, I think the 1.0 release (when it comes out of beta) would be a good stopping point to re-visit the documentation set and providing examples that reflect the most common use-cases. The mailing list is always here for unusual use-cases.
<br><br>That being said, I think a Wiki is also a great idea, but would not obviate the need for the developers of the toolkit to complete the documentation set. I've spent a quite a bit of time with OpenSSL and would be happy to contribute to a Wiki.
<br><br>Thanks!!
<br>Randy
<br><br><br>On Nov 25, 2009, at 3:13 PM, Will Bickford wrote:
<br><div class='shrinkable-quote'><br>> IMO a wiki would be a great resource for both developers and users of
<br>> OpenSSL.
<br>>
<br>> Something along the lines of the Subversion Book - an online reference
<br>> "book" for OpenSSL.
<br>>
<br>> --Will
<br>>
<br>>> -----Original Message-----
<br>>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=0" target="_top" rel="nofollow">owner-openssl-users@...</a>
<br>>> [mailto:<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=1" target="_top" rel="nofollow">owner-openssl-users@...</a>] On Behalf Of Mark
<br>>> Sent: Wednesday, November 25, 2009 3:27 AM
<br>>> To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=2" target="_top" rel="nofollow">openssl-users@...</a>
<br>>> Subject: RE: General question about documentation
<br>>>
<br>>>> I would like to post a general observation regarding users of the
<br>>>> OpenSSL toolkit.
<br>>>
<br>>> [snip stuff about documentation]]
<br>>>
<br>>> A long time ago it was suggested to use a wiki for this
<br>>> purpose. Can this idea be resurrected?
<br>>>
<br>>> Mark.
<br>>>
<br>>> ______________________________________________________________________
<br>>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=3" target="_top" rel="nofollow">openssl-users@...</a>
<br>>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=4" target="_top" rel="nofollow">majordomo@...</a>
<br>>>
<br>>>
<br>> ______________________________________________________________________
<br>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=5" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=6" target="_top" rel="nofollow">majordomo@...</a>
<br>>
</div><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=7" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26534088&i=8" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26533954[openssl.org #2110] [PATCH] Changed behavior of BIO_CTRL_DGRAM_GET_PEER breaks DTLS apps2009-11-26T11:24:16Z2009-11-26T11:24:16ZMisha Aizatulin via RTThe latest changes of bss_dgram.c affected the behavior of BIO_CTRL_DGRAM_GET_PEER, which now requires to preset the expected IP type before requesting the current peer. This was done to prevent that the user always has to use sockaddr_storage, even if he doesn't use IPv6 at all. The default is to return the length of a sockaddr structure which is always wrong, therefore existing DTLS applications which rely on this function for cookie generation, such as s_server/s_client, don't work anymore. Additionally, this requires that the user has to guess which IP type the peer has. This can be difficult, e.g. if the client uses IPv4 to connect to an IPv6 socket and a system returns AF_INET then.
<br><br>A better solution is to use the num parameter of BIO_ctrl() to limit the length if desired. When num is 0, the function returns either sockaddr_in or sockaddr_in6, depending on what's necessary, so the user should use sockaddr_storage. If the user knows that he only uses IPv4 and doesn't want to use sockaddr_storage, he can limit the copied length by setting the num parameter to sizeof(struct sockaddr_in). He can then check if the family variable of the passed structure is really AF_INET and try again with sockaddr_storage or handle it as an error in case it's not.
<br><br><br><br>Index: crypto/bio/bss_dgram.c
<br>===================================================================
<br>RCS file: /v/openssl/cvs/openssl/crypto/bio/bss_dgram.c,v
<br>retrieving revision 1.7.2.20
<br>diff -u -r1.7.2.20 bss_dgram.c
<br>--- crypto/bio/bss_dgram.c 22 Nov 2009 12:24:43 -0000 1.7.2.20
<br>+++ crypto/bio/bss_dgram.c 26 Nov 2009 10:20:24 -0000
<br>@@ -566,18 +970,24 @@
<br> break;
<br> case BIO_CTRL_DGRAM_GET_PEER:
<br> to = (struct sockaddr *) ptr;
<br>- switch (to->sa_family)
<br>+ switch (data->peer.sa.sa_family)
<br> {
<br> case AF_INET:
<br>- memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
<br>+ if (num == 0 || num > sizeof(data->peer.sa_in))
<br>+ num = sizeof(data->peer.sa_in);
<br>+ memcpy(to,&data->peer,(ret=num));
<br> break;
<br> #if OPENSSL_USE_IPV6
<br> case AF_INET6:
<br>- memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
<br>+ if (num == 0 || num > sizeof(data->peer.sa_in6))
<br>+ num = sizeof(data->peer.sa_in6);
<br>+ memcpy(to,&data->peer,(ret=num));
<br> break;
<br> #endif
<br> default:
<br>- memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
<br>+ if (num == 0 || num > sizeof(data->peer.sa))
<br>+ num = sizeof(data->peer.sa);
<br>+ memcpy(to,&data->peer,(ret=num));
<br> break;
<br> }
<br> break;
<br><br><br><br><br /> <div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>get_peer.patch</strong> (1K) <a href="http://old.nabble.com/attachment/26533954/0/get_peer.patch" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/OpenSSL---Dev-f980.html" embed="fixTarget[980]" target="_top" >OpenSSL - Dev</a></p>tag:old.nabble.com,2006:post-26533682Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData)2009-11-26T10:59:50Z2009-11-26T10:59:50ZDr. Stephen HensonOn Mon, Nov 23, 2009, Mathieu Malaterre wrote:
<br><div class='shrinkable-quote'><br>> Steve,
<br>>
<br>> >> Do you have a sample PBE blob you want to decrypt?
<br>> >
<br>> > Here is one:
<br>> >
<br>> > $ wget <a href="http://idisk.mac.com/dclunie-Public/securedicomfileset.tar.bz2" target="_top" rel="nofollow">http://idisk.mac.com/dclunie-Public/securedicomfileset.tar.bz2</a><br>> > $ openssl asn1parse -in DICOMDIR -inform DER
<br>> >
<br>> > It was generated using Bouncy Castle
<br>>
<br>> I forgot to mention, if you need help from me, do not hesitate !
<br>>
</div><br>I've added experimental support to HEAD. This seems to decrypt the example OK
<br>and can decrypt its own output. It adds a new option -pwri_password to the
<br>cms utility (will need something better at some point).
<br><br>Steve.
<br>--
<br>Dr Stephen N. Henson. OpenSSL project core developer.
<br>Commercial tech support now available see: <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533682&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533682&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26528693Re: Adding a custom engine to OpenSSL2009-11-26T04:24:29Z2009-11-26T04:24:29ZDr. Stephen HensonOn Thu, Nov 26, 2009, Loke Jun Han wrote:
<br><br>>
<br>> Hi,
<br>>
<br>> Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?
<br>>
<br><br>Yes, you specify details in the configuration file openssl.cnf, for the syntax
<br>see:
<br><br><a href="http://www.openssl.org/docs/apps/config.html" target="_top" rel="nofollow">http://www.openssl.org/docs/apps/config.html</a><br><br>Steve.
<br>--
<br>Dr Stephen N. Henson. OpenSSL project core developer.
<br>Commercial tech support now available see: <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26528693&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26528693&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26533948[PATCH] Fixup compilation for gcc-aix target2009-11-26T03:37:52Z2009-11-26T03:37:52ZAlon Bar-LevVersion 1.0.0-beta4 and latest 1.0.0.0 snapshot.
<br>Tested to work in Linux-2.4, Linux-2.6, Solaris-8, Solaris-10, AIX-3.5
<br><br>"""
<br>sltest.c:157:1: error: "_XOPEN_SOURCE" redefined
<br>In file included from /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/include/assert.h:64,
<br>from ssltest.c:146:
<br>/usr/include/standards.h:114:1: error: this is the location of the previous definition
<br>make: 1254-004 The error code from the last command is 1.
<br><br><br>Stop.
<br>make: 1254-004 The error code from the last command is 1.
<br>"""
<br><br>diff -urNp openssl-1.0.0-beta4.org/ssl/ssltest.c openssl-1.0.0-beta4/ssl/ssltest.c
<br>--- openssl-1.0.0-beta4.org/ssl/ssltest.c 2009-01-08 01:44:27.000000000 +0200
<br>+++ openssl-1.0.0-beta4/ssl/ssltest.c 2009-11-21 09:24:46.001175088 +0200
<br>@@ -143,6 +143,9 @@
<br> #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
<br> on Linux and GNU platforms. */
<br>
<br>+#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
<br>+ VMS (at least with DECompHP C). */
<br>+
<br> #include <assert.h>
<br> #include <errno.h>
<br> #include <limits.h>
<br>@@ -154,8 +157,6 @@
<br> #define USE_SOCKETS
<br> #include "e_os.h"
<br>
<br>-#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
<br>- VMS (at least with DECompHP C). */
<br> #include <ctype.h>
<br>
<br> #include <openssl/bio.h>
<br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>Development Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533948&i=0" target="_top" rel="nofollow">openssl-dev@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533948&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---Dev-f980.html" embed="fixTarget[980]" target="_top" >OpenSSL - Dev</a></p>tag:old.nabble.com,2006:post-26527952Re: Adding a custom engine to OpenSSL2009-11-26T03:21:35Z2009-11-26T03:21:35ZMichael S. Zick-4On Thu November 26 2009, Loke Jun Han wrote:
<br>>
<br>> Hi,
<br>>
<br>> Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?
<br>>
<br><br>Like one of the engines in the list from:
<br>openssl engine
<br>?
<br><br>Mike
<br>> Thanks,
<br>>
<br>> Jun Han
<br>>
<br>> _________________________________________________________________
<br>> Windows 7: Find the right PC for you. Learn more.
<br>> <a href="http://windows.microsoft.com/shop" target="_top" rel="nofollow">http://windows.microsoft.com/shop</a><br><br><br>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26527952&i=0" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26527952&i=1" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26526324Adding a custom engine to OpenSSL2009-11-26T00:52:09Z2009-11-26T00:52:09ZLoke Jun Han<html>
<head>
</head>
<body class='hmmessage'>
Hi,<br><br> Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?<br><br>Thanks,<br><br>Jun Han <br> <br /><hr />Windows 7: Find the right PC for you. <a href='http://windows.microsoft.com/shop' target='_new' rel="nofollow">Learn more.</a></body>
</html><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26524394Re: Application crashes when trying to access X509 Certificate Extension returned by X509_get_ext method2009-11-25T19:14:00Z2009-11-25T19:14:00ZSanjay Bhat<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18702"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>Hi Kyle,</DIV>
<DIV> </DIV>
<DIV>Thanks a ton for the quick reply buddy :)</DIV>
<DIV> </DIV>
<DIV>When we debug our application in visual studio, we see that both "Extension" and "Extension->value" are not NULL. But "Extension->value->data" seems to be NULL or corrupted, causing our application to crash.</DIV>
<DIV> </DIV>
<DIV>I am trying these options for debugging the problem :</DIV>
<DIV>> make sure the X509 certificate we are using is a valid one, containing the extension we are looking for, because "Certificate->valid" is set to 0 for our certificate.</DIV>
<DIV>> debug through the openssl function X509_get_ext( ) in visual studio by attaching the openssl source, to see why "Extension->value->data" is not being set correctly.</DIV>
<DIV>> also try using some older openssl version instead of the current 0.9.8 d we are currently using. </DIV>
<DIV> </DIV>
<DIV>I will update again after trying these options.</DIV>
<DIV> </DIV>
<DIV>I suspect something being wrong in this certificate itself, may be it does not comply to the X509 certificate format. Can you please confirm that the certificate we are using is a valid x509 certificate ? <BR></DIV>
<DIV> </DIV>
<DIV>This is the certificate we are using :</DIV>
<DIV> </DIV>
<DIV>static unsigned char *LETestDefaultKey = {<BR> "-----BEGIN RSA PRIVATE KEY-----\r\n"<BR> "MIIBPAIBAAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp89YO/2rG0K8iAJW5AY399hh/s\r\n"<BR> "VjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEAAQJATBeXv0P1a77mXYAdM4LT\r\n"<BR> "SpNRrbfOKOi9GworyJEtts5Cn153ROK3750NHrOeaXbkFl89/UD0oMsO22TnF+Ol\r\n"<BR> "lQIhAO0gkTZggugyZ7HDQihy/7EVAgK9rg7SPc5JnyZITW5bAiEA3x+q4AZDXUHW\r\n"<BR> "26W7BlZoedPy6Mo5wWNb/gN9x/T987MCIQCt8TfUFZOxVFgwU7USCtl5QpnI/O7T\r\n"<BR> "PHHOAr9Vy6/RBQIhAJPO76y+mWuzDPmu/YmCPm3OWZGbPc1929gXSgDnrD//AiEA\r\n"<BR> "vwlwVtb26OSBJX47M+MZeWsiD3GVydtRdcL9+Xy0XEw=\r\n"<BR> "-----END RSA PRIVATE KEY-----\r\n"<BR> };<BR>static unsigned char *LETestDefaultCert = {<BR> "-----BEGIN CERTIFICATE-----\r\n"<BR> "MIIBojCCAUygAwIBAgIBMzANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJVUzEb\r\n"<BR> "MBkGA1UEAxMSTm92ZWxsIE5TdXJlIEF1ZGl0MB4XDTA1MTAxMTE3NDEyOFoXDTE1\r\n"<BR> "MTAwOTE3NDEyOFowJjELMAkGA1UEBhMCVVMxFzAVBgNVBAMTDlNlY3VyZUxvZ2lu\r\n"<BR> "U1NPMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp8\r\n"<BR> "9YO/2rG0K8iAJW5AY399hh/sVjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEA\r\n"<BR> "AaNhMF8wDgYDVR0PAQH/BAQDAgWgMBgGA1UdEQQRMA+BDWFyZ2xAYmxhaC5jb20w\r\n"<BR> "EQYJYIZIAYb4QgEBBAQDAgWgMCAGDGCGSAGG+DcBglsKAQQQFg5TZWN1cmVMb2dp\r\n"<BR> "blNTTzANBgkqhkiG9w0BAQQFAANBABaOsowc+4encEksW5w1v1dHg7DNdBbQJHct\r\n"<BR> "JSNfzPfE8igm617Ggsfrb0nkc50mdlyugkfZC/dX+sx4vtQk1Ok=\r\n"<BR> "-----END CERTIFICATE-----\r\n"<BR> };<BR></DIV>
<DIV>Looking forward for your reply... have a wonderful day ahead !!!</DIV>
<DIV> </DIV>
<DIV>Regards,</DIV>
<DIV>Sanjay </DIV>
<DIV><BR>>>> Kyle Hamilton <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26524394&i=0" target="_top" rel="nofollow">aerowolf@...</a>> 11/24/2009 4:56 AM >>><BR>Are you checking to make sure that there *is* data in that extension?<BR>Or that the extension value even exists?<BR><BR>if (NULL == Extension->value) assert("Extension->value NULL");<BR>if (NULL == Extension->value->data) assert ("Extension->value->data NULL");<BR>OrgPtr=Extension->value->data;<BR><BR>-Kyle H<BR><BR>On Fri, Nov 20, 2009 at 3:50 AM, Sanjay Bhat <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26524394&i=1" target="_top" rel="nofollow">bsanjay@...</a>> wrote:<div class='shrinkable-quote'><BR>><BR>> Hi,<BR>><BR>> Our application running in windows 2008 64-bit platform crashes when we try<BR>> to access the data member of X509_EXTENSION returned by X509_get_ext().<BR>><BR>> We are using 0.9.8d version of openssl compiled for windows 64 bit<BR>> platform.<BR>><BR>> We are clueless why this is happening and are badly stuck with this. Please<BR>> help us.<BR>><BR>> Here is the code snippet of our application with the point of crash in bold<BR>> :<BR>><BR>> BOOL GetX509ObjectString(X509 *Certificate, unsigned char *ASN1, unsigned<BR>> char *Short, unsigned char *Description, unsigned char *Buffer, unsigned<BR>> long BufSize)<BR>> {<BR>> X509_EXTENSION *Extension;<BR>> int nid;<BR>> int Position;<BR>> ASN1_STRING *Value;<BR>> unsigned char *OrgPtr;<BR>><BR>> if (!Buffer) {<BR>> return(FALSE);<BR>> }<BR>> Buffer[0]='\0';<BR>><BR>> nid = OBJ_create(ASN1, Short, Description);<BR>> Position=X509_get_ext_by_NID(Certificate, nid, -1);<BR>> if (Position==-1) {<BR>> return(FALSE);<BR>> }<BR>><BR>> Extension=X509_get_ext(Certificate, Position);<BR>> if (!Extension) {<BR>> return(FALSE);<BR>> }<BR>><BR>> /* The M_d2i function alters the pointer, so keep a copy */<BR>> OrgPtr=Extension->value->data; //This is the point of crash. Referencing<BR>> data member seems to be causing the crash<BR>> Value=M_d2i_ASN1_IA5STRING(NULL, &(Extension->value->data),<BR>> Extension->value->length);<BR>> Extension->value->data=OrgPtr;<BR>> strncpy(Buffer, Value->data, min(Value->length+1, BufSize));<BR>> Buffer[min(Value->length+1, BufSize)-1]='\0';<BR>> ASN1_STRING_free(Value);<BR>> return(TRUE);<BR>> }<BR>><BR>> Appreciate any kind of help on this is greatly appreciated.<BR>><BR>> Thanks & Regards,<BR>> Sanjay.</div>______________________________________________________________________<BR>OpenSSL Project <A href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</A><BR>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26524394&i=2" target="_top" rel="nofollow">openssl-users@...</a><BR>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26524394&i=3" target="_top" rel="nofollow">majordomo@...</a><BR></DIV></BODY></HTML>
<p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26522760Re: Add new crypto algorithm into Openssl2009-11-25T16:38:05Z2009-11-25T16:38:05ZGloria LeeThanks for reply....
<br>Now I'm adding it by myself ,
<br>I'm just coping AES mechanism, and
<br>Now It's very hard to register NID of new algorithm... (crypto/objects/obj_dat.h, obj_mac.h files)
<br>Is there anyone who knows about this??!!!
<br><br><blockquote class="quote light-black dark-border-color"><div class="quote light-border-color">
<div class="quote-author" style="font-weight: bold;">Mystic Boy wrote:</div>
<div class="quote-message shrinkable-quote"><blockquote class="quote light-black dark-border-color"><div class="quote light-border-color">
<div class="quote-author" style="font-weight: bold;">Gloria Lee wrote:</div>
<div class="quote-message shrinkable-quote">Hi,
<br>I wanna ask something...
<br>Im trying to add crypto algorithm into Openssl,
<br>I heard about the engine(ccgost), and read the README.txt file, but I don't understand
<br>how to do it..
<br>I wonder If I add my own algorithm, Do I just copy ccgost pattern? or have to change
<br>entire openssl core source??..
<br>Besides that, I want to know how to use ccgost engine, It's very hard for me.
<br>Thanks,... :)
</div>
</div></blockquote>
Hi,
<br>I am also trying to add new crypto algo. to the crypto library. But didn't succeed. I explored OpenSSL/crypto library, it's different algo. has dependencies on different files.
<br>I am looking forward for help
<br><br>Thanks:
</div>
</div></blockquote>
<p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26533934Help with error - hardware capability unsupported SSE22009-11-25T15:31:30Z2009-11-25T15:31:30ZChris Copeland-3<div class="gmail_quote"><div><div></div><div>Hello All,<br>
<br>
I am building and packaging the following on one machine (the "build"<br>
machine) and attempting to install and use on other machines ("target"<br>
machines) some of which have different processors.<br>
<br>
* OpenSSL 0.9.8l<br>
* Apache 2.2.14<br>
* Tomcat Connectors 1.2.28<br>
<br>
The problem, as far as I can tell, is that the build machine has more<br>
CPU capabilities than the target machine resulting in binaries that<br>
are not executable on the target machine. I have attempted to use<br>
configure and compiler flags to disable use of the offending<br>
instructions without luck.<br>
<br>
Ultimately I get this error:<br>
<br>
$ ./apachectl start httpd: Syntax error on line 58 of<br>
/usr/local/apache-2.2.14/conf/httpd.conf: Cannot load<br>
/usr/local/apache2/modules/mod_ssl.so into server: ld.so.1: httpd:<br>
fatal: /usr/local/openssl/lib/libssl.so.0.9.8: hardware capability<br>
unsupported: 0x1000 [ SSE2 ]<br>
<br>
Here is my complete build process with links to the full output<br>
generated by each command.<br>
<br>
**The Build Machine**<br>
<br>
$ echo $PATH<br>
/usr/bin:/usr/ccs/bin:/usr/sfw/bin:/opt/sfw/bin:/usr/sbin<br>
<br>
$ isainfo -v<br>
32-bit i386 applications<br>
pause sse2 sse fxsr mmx cmov sep cx8 tsc fpu<br>
<br>
$ uname -a<br>
SunOS bsiausstgdb02 5.10 Generic_120012-14 i86pc i386 i86pc<br>
<br>
**The Target Machine**<br>
<br>
$ isainfo -v<br>
32-bit i386 applications<br>
sse fxsr mmx cmov sep cx8 tsc fpu<br>
<br>
$ uname -a<br>
SunOS bsiausdevweb01 5.10 Generic_120012-14 i86pc i386 i86pc<br>
<br>
**Compile OpenSSL 0.9.8l**<br>
<br>
$ CC=/usr/bin/cc<br>
$ export CC<br>
<br>
$ CFLAGS="-xarch=sse"<br>
$ export CFLAGS<br>
<br>
$ ./Configure \<br>
solaris-x86-cc \<br>
shared \<br>
no-asm \<br>
no-sse2 \<br>
-xarch=sse \<br>
--openssldir=/usr/local/openssl-0.9.8l<br>
<br>
view full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/openssl-configure.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/openssl-configure.txt</a><br>
<br>
<br>
$ make && make test<br>
<br>
view full output<br>
<a href="http://sites.google.com/site/gchris/home/a/openssl-make-and-test.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/openssl-make-and-test.txt</a><br>
<br>
$ sudo make install<br>
<br>
view full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/openssl-make-install.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/openssl-make-install.txt</a><br>
<br>
**Compile Apache 2.2.14**<br>
<br>
$ CC=/usr/bin/cc<br>
$ export CC<br>
<br>
$ CFLAGS="-xarch=sse"<br>
$ export CFLAGS<br>
<br>
$ ./configure \<br>
--prefix=/usr/local/apache-2.2.14 \<br>
--with-mpm=prefork \<br>
--enable-so \<br>
--enable-unique-id=shared \<br>
--enable-rewrite=shared \<br>
--enable-spelling=shared \<br>
--enable-info=shared \<br>
--enable-headers=shared \<br>
--enable-deflate=shared \<br>
--enable-expires=shared \<br>
--enable-unique-id=shared \<br>
--enable-speling=shared \<br>
--enable-ssl=shared \<br>
--with-ssl=/usr/local/openssl<br>
<br>
full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/apache-configure.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/apache-configure.txt</a><br>
<br>
$ make<br>
<br>
full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/apache-make.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/apache-make.txt</a><br>
<br>
$ sudo make install<br>
<br>
full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/apache-make-install.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/apache-make-install.txt</a><br>
<br>
**Compile Tomcat Connectors 1.2.28**<br>
<br>
$ CC=/usr/bin/cc<br>
$ export CC<br>
<br>
$ CFLAGS="-xarch=sse"<br>
$ export CFLAGS<br>
<br>
$ cd native<br>
$ ./configure \<br>
--with-apxs=/usr/local/apache2/bin/apxs<br>
<br>
full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/tomcat-connector-configure.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/tomcat-connector-configure.txt</a><br>
<br>
$ make<br>
<br>
full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/tomcat-connector-make.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/tomcat-connector-make.txt</a><br>
<br>
$ sudo make install<br>
<br>
full output:<br>
<a href="http://sites.google.com/site/gchris/home/a/tomcat-connector-make-install.txt" target="_blank" rel="nofollow">http://sites.google.com/site/gchris/home/a/tomcat-connector-make-install.txt</a><br>
<br>
**Testing**<br>
<br>
At this point everything will work on the build machine. Once I<br>
package these files and install them on the target machine, I get this<br>
error when Apache is started with mod_ssl enabled.<br>
<br>
$ ./apachectl start<br>
httpd: Syntax error on line 58 of<br>
/usr/local/apache-2.2.14/conf/httpd.conf: Cannot load<br>
/usr/local/apache2/modules/mod_ssl.so into server: ld.so.1: httpd:<br>
fatal: /usr/local/openssl/lib/libssl.so.0.9.8: hardware capability<br>
unsupported: 0x1000 [ SSE2 ]<br>
<br>
-Chris<br>
</div></div></div><br>
<p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>tag:old.nabble.com,2006:post-26533920RE: General question about documentation2009-11-25T15:13:38Z2009-11-25T15:13:38ZWill BickfordIMO a wiki would be a great resource for both developers and users of
<br>OpenSSL.
<br><br>Something along the lines of the Subversion Book - an online reference
<br>"book" for OpenSSL.
<br><br>--Will
<br><div class='shrinkable-quote'><br>> -----Original Message-----
<br>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533920&i=0" target="_top" rel="nofollow">owner-openssl-users@...</a>
<br>> [mailto:<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533920&i=1" target="_top" rel="nofollow">owner-openssl-users@...</a>] On Behalf Of Mark
<br>> Sent: Wednesday, November 25, 2009 3:27 AM
<br>> To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533920&i=2" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Subject: RE: General question about documentation
<br>>
<br>> > I would like to post a general observation regarding users of the
<br>> > OpenSSL toolkit.
<br>>
<br>> [snip stuff about documentation]]
<br>>
<br>> A long time ago it was suggested to use a wiki for this
<br>> purpose. Can this idea be resurrected?
<br>>
<br>> Mark.
<br>>
<br>> ______________________________________________________________________
<br>> OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>> User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533920&i=3" target="_top" rel="nofollow">openssl-users@...</a>
<br>> Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533920&i=4" target="_top" rel="nofollow">majordomo@...</a>
<br>>
<br>>
</div>______________________________________________________________________
<br>OpenSSL Project <a href="http://www.openssl.org" target="_top" rel="nofollow">http://www.openssl.org</a><br>User Support Mailing List <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533920&i=5" target="_top" rel="nofollow">openssl-users@...</a>
<br>Automated List Manager <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26533920&i=6" target="_top" rel="nofollow">majordomo@...</a>
<br><p>From forum: <a href="http://old.nabble.com/OpenSSL---User-f981.html" embed="fixTarget[981]" target="_top" >OpenSSL - User</a></p>