SWIG and openssl-1.0.1f

Hi all,
I have been working on a C++ project that makes HTTP and HTTPS requests; the project uses boost::asio with OpenSSL, and currently works on OS X.
Now I am trying to build the project so that it can run on Adobe's AIR platform, and as such I am attempting to build libssl and libcrypto SWCs using the Crossbridge gcc. I have had some success (http://forums.adobe.com/message/6251335#6251335) and I've built libssl.a and libcrypto.a so far.
So I moved on to SWIG; my SWIG interface file has a few %ignore statements, and I am now able to produce ssl.as and as3api_wrap.cxx files (both of which are huge).
The problem I'm currently having is that I am unable to compile the SWIG-generated as3api_wrap.cxx to produce the SWC because of ASN1_ITEM, defined in asn1.h:
as3api_wrap.cxx:60559: error: aggregate ‘ASN1_ITEM result’ has incomplete type and cannot be defined
I am having a really hard time separating off just the OpenSSL interface that I am using; ASN1_ITEM isn't relevant at all to boost::asio (which is what will consume the lib). I know the exact interface I need from my list of about 50 resolved externals like these (which I get if I don't link OpenSSL in my working Darwin version):
src/main.o: error: undefined reference to '_ERR_reason_error_string'
src/main.o: error: undefined reference to '_SSL_library_init'
src/main.o: error: undefined reference to '_SSL_load_error_strings'
src/main.o: error: undefined reference to '_OPENSSL_add_all_algorithms_noconf'
src/main.o: error: undefined reference to '_CRYPTO_num_locks'
src/main.o: error: undefined reference to '_CRYPTO_set_locking_callback'
src/main.o: error: undefined reference to '_CRYPTO_set_id_callback'
src/main.o: error: undefined reference to '_ERR_free_strings'
src/main.o: error: undefined reference to '_ERR_remove_state'
I think I'm stuck now, and I get the feeling something's very wrong with my approach.
I need a simpler (SWIG-generated? manually generated?) interop interface to OpenSSL; I'm not interested in exposing its internals!
Am I using SWIG properly or have I made a daft mistake? How can I generate a simpler interface?
I need some SWIG wizard-level expert, I think. Can anyone help?
cheers,
Jon
Message was edited by: jonsl

Similar Messages

  • HTTP_POST and OpenSSL

    Morning all.
    I'm using the function module "HTTP_POST" to try to post to a particular page. However, there's a problem: I need to post to an HTTPS URI, and when I try to run it I get the message "OpenSSL not available". I can't find what that message actually means anywhere. Does anyone know? This is a proper blocker for me, so if anyone can help it would be much appreciated...

    I know what OpenSSL actually is, I just don't know why it's telling me that it isn't available. I've installed SAPCRYPTOLIB as per note 510007 (https://websmp203.sap-ag.de/~form/sapnet?_FRAME=CONTAINER&_OBJECT=012006153200000077842002), so I shouldn't be having any problems using SSL. I've been into STRUST and created the client certificates to get around the silly technical limitation, too. Maybe I should try using CL_HTTP_CLIENT; it looks a bit more robust. I still wouldn't mind using the function module if someone knows what that error message actually means, though. Does it mean there's some configuration I've screwed up, or does it mean that the function module fundamentally does not understand HTTPS and SSL?

  • Ruby on Rails and openssl issue

    After a system update, Ruby on Rails isn't working anymore. It seems that the problem is OpenSSL:
    at@at-book ~ $ ruby -ropenssl -rzlib -rreadline -e "puts :Hello"
    /opt/ruby1.8/lib/ruby/1.8/i686-linux/openssl.so: /opt/ruby1.8/lib/ruby/1.8/i686-linux/openssl.so: undefined symbol: each_conf_value_doall_arg - /opt/ruby1.8/lib/ruby/1.8/i686-linux/openssl.so (LoadError)
    from /opt/ruby1.8/lib/ruby/1.8/openssl.rb:17
    Building the patched version from ABS and downgrading OpenSSL (which just kills my system) didn't work.
    Any ideas or hints?
    thx

    ruby -ropenssl -rzlib -rreadline -e "puts :Hello"
    /usr/lib/ruby/1.9.1/openssl.rb:17:in `require': /usr/lib/ruby/1.9.1/i686-linux/openssl.so: undefined symbol: each_conf_value_doall_arg - /usr/lib/ruby/1.9.1/i686-linux/openssl.so (LoadError)
    from /usr/lib/ruby/1.9.1/openssl.rb:17:in `<top (required)>'
    from ruby:0:in `require'
    I also tried this, but it changed nothing.

  • LMS3.2 and OpenSSL

    Hello,
    Following the recent announcement of the OpenSSL Heartbleed vulnerability, I need to assess whether our CiscoWorks LMS 3.2 (Windows) is vulnerable.
    Is it possible to identify which (if any) OpenSSL is used?

    "openssl version -v" will tell you the version number. You definitely won't see the patched (1.0.1g) version, as it was just released on April 7 2014.
    So it comes down to how OpenSSL was implemented in LMS 3.2 (or any other older product). It may actually be such an old version (pre-1.0.1, ca. March 2012) that it didn't support the heartbeat function and thus does not have the vulnerability.
    The Cisco Security Advisory for the OpenSSL Heartbeat Extension vulnerability will be updated in coming days to further list the known affected (and unaffected) products. Right now, it's a pretty sparse list.
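    The version check in the reply above is the first triage step for a fleet. The following is an added example (not from the original thread) that turns "openssl version" output into a Heartbleed verdict for a list of hosts. It encodes the ranges the reply states (builds before 1.0.1 have no heartbeat code, 1.0.1 through 1.0.1f are affected, 1.0.1g is the fix) plus one fact the thread does not mention, that the 1.0.2-beta1 pre-release was also affected. The host inventory is constructed sample data. The verdict is only as good as the version string: a vendor that backports the fix without bumping the patch letter, as some Linux distributions did, still reports an affected-looking string, so "affected" here means "confirm against the vendor advisory", not "exploitable".

```python
import re

# Matches "OpenSSL 1.0.1f 6 Jan 2014" style output and captures the numeric
# parts plus the optional patch letter(s).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(output):
    """Return (major, minor, fix, letter) from `openssl version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def heartbleed_status(output):
    """Classify one `openssl version` line.

    Returns (status, detail) with status one of
    'not_affected', 'affected', 'fixed', 'unknown'.  Ranges: pre-1.0.1 builds
    predate the heartbeat extension, 1.0.1 .. 1.0.1f carry the bug, 1.0.1g
    (7 Apr 2014) is the first fixed 1.0.1 release, 1.0.2-beta1 was affected
    and later 1.0.2 releases were not.
    """
    parsed = parse_openssl_version(output)
    if parsed is None:
        return "unknown", "no OpenSSL version string found"
    major, minor, fix, letter = parsed
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return "not_affected", "pre-1.0.1 build, no heartbeat extension"
    if branch == (1, 0, 1):
        if letter < "g":
            return "affected", "1.0.1 through 1.0.1f ship the vulnerable heartbeat code"
        return "fixed", "1.0.1g or later"
    if branch == (1, 0, 2) and "beta1" in output:
        return "affected", "1.0.2-beta1 pre-release"
    return "not_affected", "branch released after the fix"


def triage_inventory(lines):
    """Apply heartbleed_status to 'host<TAB>version output' lines, grouped by status."""
    report = {}
    for line in lines:
        host, _, output = line.partition("\t")
        status, detail = heartbleed_status(output)
        report.setdefault(status, []).append((host, detail))
    return report


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    "lms-01\tOpenSSL 1.0.1e 11 Feb 2013",
    "lms-02\tOpenSSL 0.9.8y 5 Feb 2013",
    "build-01\tOpenSSL 1.0.1g 7 Apr 2014",
    "appliance-01\topenssl: command not found",
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(status)
        for host, detail in hosts:
            print(f"  {host}: {detail}")
```

    Feed it the output of "openssl version" collected per host (one tab-separated line each); hosts in the "unknown" bucket are the ones where the binary could not be found and the bundled library has to be identified another way, which is the LMS case the reply describes.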

  • OpenSSL and java interaction

    Hi
    I am working on a project which requires me to use the crypto library of OpenSSL. The calling program is Java. Does anyone have examples of OpenSSL interaction with Java?
    Thanks
    p

    In order of worst to best ideas for doing cryptography that is (or at least should be) compatible with
    OpenSSL:
    System.exec to call openssl binaries
    JNI to wrap calls to OpenSSL methods
    Not-Yet-Commons-SSL has some OpenSSL compatible stuff: http://juliusdavies.ca/commons-ssl/
    Just use the Java Cryptographic API using algorithms/params that are compatible with OpenSSL.
    It seems odd to have a requirement for a project that is written in Java to have to use a C library. If you want open source (free $$) and Java, go with BouncyCastle or Mozilla's JSS (which is FIPS approved, BTW).
    It's not too hard to find a common middle ground between such crypto toolkits as Microsoft CAPI, NSS, and OpenSSL.

  • Compatibility between Java crypto and open ssl

    Hello
    I have some questions about compatibility between Java crypto and the OpenSSL library.
    This is my case:
    1. I created a DESede key and stored it to a file:
    SecretKey key = KeyGenerator.getInstance("TripleDES").generateKey();
    File f = new File("c:\\key.dat");
    DataOutputStream dos = new DataOutputStream(new FileOutputStream(f));
    dos.write(key.getEncoded());
    dos.close();
    2. I encrypt some file "c:\\normal.dat" through:
    ecipher.init(Cipher.ENCRYPT_MODE, key2);
    byte[] enc = ecipher.doFinal(normalData);
    File f2 = new File("c:\\enc.dat");
    DataOutputStream dos = new DataOutputStream(new FileOutputStream(f2));
    dos.write(enc);
    dos.close();

    You have carefully left out some critical Java code, namely the Cipher.getInstance() method. You'll notice in the documentation for this method that there are 3 components to the "transform" argument of this method: the algorithm, the mode, and the padding. All of these must match exactly what openssl is using. Furthermore, if you are using one of the modes which require an IV, like CBC mode, then this must match exactly too. If you don't explicitly specify some of these parameters, you might get default values supplied. It is up to you to find out what these are.

  • Configuring httpd-ssl.conf on Leopard and Apache 2.2.6

    Hi everybody,
    I recently migrated to Leopard from Tiger 10.4.10. On my Tiger client I had installed my own web server using mod_ssl with the Apache 1.3 server. On Leopard, Apache 2.2.6 and OpenSSL 0.9.7 are now installed and the configuration files have changed.
    For two weeks I have been trying to install mod_ssl on my machine without success. Below I will show only what's relevant from two configuration files:
    First -> httpd.conf (which is in /etc/apache2/)
    #My port 80 is blocked by my isp
    Listen 8080
    <IfDefine SSL>
    LoadModule ssl_module libexec/apache2/mod_ssl.so
    </IfDefine SSL>
    LoadModule php5_module /usr/local/php5/libphp5.so
    User www
    Group www
    </IfModule>
    <IfModule mod_ssl.c>
    Listen 8080
    Listen 8083
    </IfModule>
    DocumentRoot "/Library/WebServer/Documents"
    <IfModule dir_module>
    DirectoryIndex index.htm lndex.php index.htm default.html
    </IfModule>
    ErrorLog /private/var/log/apache2/error_log
    # Virtual hosts
    #Include /private/etc/apache2/extra/httpd-vhosts.conf
    # Local access to the Apache HTTP Server Manual
    Include /private/etc/apache2/extra/httpd-manual.conf
    # Distributed authoring and versioning (WebDAV)
    #Include /private/etc/apache2/extra/httpd-dav.conf
    # Various default settings
    #Include /private/etc/apache2/extra/httpd-default.conf
    # Secure (SSL/TLS) connections
    #Include /private/etc/apache2/extra/httpd-ssl.conf
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
    DirectoryIndex index.html index.php
    </IfModule>
    #Include /private/etc/apache2/other/*.conf
    # end of httpd.conf
    Second -> httpd-ssl.conf (which is in /etc/apache2/extra/) (I elided personal information)
    <IfModule mod_ssl.c>
    listen 8080
    listen 8083
    </IfModule>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    #SSLSessionCache "dbm:/private/var/run/ssl_scache"
    SSLSessionCache "shmcb:/private/var/run/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    SSLMutex "file:/private/var/run/ssl_mutex"
    <VirtualHost default:8080>
    #Just to keep things sane...
    DocumentRoot "/Library/WebServer/Documents"
    ServerName myadress.com
    ServerAdmin [email protected]
    SSLEngine off
    </VirtualHost>
    <VirtualHost default:8083>
    # General setup for the virtual host
    DocumentRoot "/Library/WebServer/Documents"
    ServerName myadress.com
    ServerAdmin [email protected]
    ErrorLog "/private/var/log/apache2/error_log"
    TransferLog "/private/var/log/apache2/access_log"
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # SSL Cipher Suite:
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:eNULL
    # Server Certificate:
    SSLCertificateFile "/private/etc/apache2/ssl.key/server.crt"
    #SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
    # Server Private Key:
    SSLCertificateFile "/private/etc/apache2/ssl.key/server.key"
    #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
    # Server Certificate Chain:
    #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"
    # Certificate Authority (CA):
    #SSLCACertificatePath "/private/etc/apache2/ssl.crt"
    SSLCACertificatePath "/private/etc/apache2/ssl.key/"
    #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"
    # Certificate Revocation Lists (CRL):
    #SSLCARevocationPath "/private/etc/apache2/ssl.crl"
    #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
    # Client Authentication (Type):
    #SSLVerifyClient require
    #SSLVerifyDepth 10
    # Access Control:
    #<Location />
    #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    # and %{SSLCLIENT_S_DNO} eq "Snake Oil, Ltd." \
    # and %{SSLCLIENT_S_DNOU} in {"Staff", "CA", "Dev"} \
    # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
    # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>
    # SSL Engine Options:
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/Library/WebServer/CGI-Executables">
    SSLOptions +StdEnvVars
    </Directory>
    # SSL Protocol Adjustments:
    BrowserMatch ".MSIE." \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    # Per-Server Logging:
    CustomLog "/private/var/log/apache2/sslrequestlog" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    ### end of httpd-ssl.conf
    When I uncomment this line in httpd.conf:
    LoadModule ssl_module libexec/apache2/mod_ssl.so
    and send the 'apachectl start' command in Terminal, nothing happens. Apache seems to hang, and there is no "Apache/2.2.6 (Unix) DAV/2 PHP/5.2.5 configured -- resuming normal operations" in my console log. Of course, there is nothing in my error_log either.
    I've read somewhere else that there is a bug in the 9.7 version of mod_ssl and that we should install the 9.8 version. Could anybody confirm this?
    Is there anybody here who succeeded in installing SSL on Apache 2.2.6 and Leopard 10.5.1?
    Thanks for helping me
    Regards
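    As an added example (not part of the original thread), here is a small Python lint that reads an httpd-ssl.conf fragment like the one posted above and reports what a reviewer would flag before chasing a silent hang: a VirtualHost address of default (httpd looks that up as a hostname; the catch-all address is _default_), an SSLEngine on host whose SSLCertificateFile points at a .key file and which has no SSLCertificateKeyFile at all, a host port with no matching Listen, and SSLCipherSuite tokens such as eNULL, +LOW, +SSLv2 and +EXP that keep null, low-strength, export or SSLv2 suites enabled. The sample configuration is constructed from the two VirtualHost blocks above; the parser is deliberately minimal and ignores <IfModule> and <Directory> containers.

```python
import re

# SSLCipherSuite tokens that enable null, export, low-strength or SSLv2 suites.
WEAK_TOKENS = {"eNULL", "aNULL", "NULL", "LOW", "SSLv2", "EXP", "EXPORT",
               "EXPORT40", "EXPORT56", "DES", "RC4", "MD5"}


def weak_cipher_tokens(spec):
    """Return the tokens of an SSLCipherSuite string that enable weak suites.

    '!' and '-' prefixes remove suites, so those tokens are never flagged;
    a '+' prefix only moves suites to the end of the list, they stay enabled.
    """
    flagged = []
    for tok in spec.split(":"):
        if not tok or tok[0] in "!-":
            continue
        bare = tok.lstrip("+")
        if bare in WEAK_TOKENS or bare.startswith("EXP") or "RC4" in bare:
            flagged.append(tok)
    return flagged


def parse_config(conf):
    """Collect Listen ports and per-VirtualHost directives from an httpd fragment.

    Minimal on purpose: comments are skipped, containers other than
    <VirtualHost> are ignored, directive names are lower-cased and one layer
    of double quotes is stripped from values.
    """
    listens, vhosts, current = set(), [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = {"addr": m.group(1).strip(), "directives": []}
            continue
        if re.match(r"</VirtualHost\s*>", line, re.I):
            vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name == "listen":
            listens.add(value.rsplit(":", 1)[-1])
        elif current is not None:
            current["directives"].append((name, value))
    return listens, vhosts


def lint_ssl_vhosts(conf):
    """Return a list of human-readable findings for the fragment."""
    listens, vhosts = parse_config(conf)
    findings = []
    for vh in vhosts:
        tag = f"<VirtualHost {vh['addr']}>"
        host, sep, port = vh["addr"].rpartition(":")
        if not sep:
            host, port = vh["addr"], ""
        if host == "default":
            findings.append(f"{tag}: 'default' is looked up as a hostname; the catch-all address is '_default_'")
        if port and port not in listens:
            findings.append(f"{tag}: no Listen directive for port {port}")
        values = dict(vh["directives"])  # last occurrence wins for lookups
        if values.get("sslengine", "off").lower() != "on":
            continue
        names = [n for n, _ in vh["directives"]]
        if "sslcertificatekeyfile" not in names:
            findings.append(f"{tag}: SSLEngine on but no SSLCertificateKeyFile")
        for name, value in vh["directives"]:
            if name == "sslcertificatefile" and value.endswith(".key"):
                findings.append(f"{tag}: SSLCertificateFile points at a key file ({value}); use SSLCertificateKeyFile")
        weak = weak_cipher_tokens(values.get("sslciphersuite", ""))
        if weak:
            findings.append(f"{tag}: SSLCipherSuite enables weak suites via {', '.join(weak)}")
    return findings


# Constructed from the httpd-ssl.conf fragment posted above (trimmed).
SAMPLE_CONF = """
<IfModule mod_ssl.c>
listen 8080
listen 8083
</IfModule>
<VirtualHost default:8080>
DocumentRoot "/Library/WebServer/Documents"
ServerName myadress.com
SSLEngine off
</VirtualHost>
<VirtualHost default:8083>
DocumentRoot "/Library/WebServer/Documents"
ServerName myadress.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:eNULL
SSLCertificateFile "/private/etc/apache2/ssl.key/server.crt"
SSLCertificateFile "/private/etc/apache2/ssl.key/server.key"
SSLCACertificatePath "/private/etc/apache2/ssl.key/"
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint_ssl_vhosts(SAMPLE_CONF):
        print(finding)
```

    The lint is a pre-check, not a replacement for "apachectl configtest": it only sees the fragment it is given, so a LoadModule line living in httpd.conf is out of its view, and it treats a missing SSLCipherSuite as "mod_ssl default applies" rather than as a finding.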

    You need the latest plugin.
    Get it from at least 6.1 SP4.
    Eric
    "Michael Congdon" <[email protected]> wrote in message
    news:[email protected]...
    > I am having the exact same problem with Apache 2.0.40 on Solaris 2.7 and WebLogic
    > 6.1 SP 1.
    > Please let me know if you get any help. I don't know of anyone who has successfully
    > used Apache 2.0 w/WebLogic.
    > "Yanjing Liu" <[email protected]> wrote:
    >> I tried to use the Apache plug-in to forward requests to a wls6.1sp1 on
    >> Win2000.
    >> So I installed Apache 2.0.40 running on Solaris 8 and simply copied mod_wl.so
    >> from
    >> WL_HOME\lib\Solaris to APACHE_HOME/libexec. A few lines have been added
    >> to my httpd.conf,
    >> which are:
    >> LoadModule weblogic_module libexec/mod_wl.so
    >> <IfModule mod_weblogic.c>
    >> WebLogicHost myweblogicserver.com WebLogicPort 7001
    >> </IfModule>
    >> <Location /weblogic>
    >> SetHandler weblogic-handler
    >> </Location>
    >> When I verify the syntax of the httpd.conf file with the following command:
    >> /export/home/apache2/bin/apachectl configtest
    >> Here are the errors I got:
    >> Cannot load /export/home/apache2/libexec/mod_wl_20.so into server: ld.so.1:
    >> /export/home/apache2/bin/httpd: fatal: relocation error: file
    >> /export/home/apache2/libexec/mod_wl_20.so: symbol apr_pool_create: referenced
    >> symbol not found.
    >> Has anyone experienced a similar problem?
    >> Thanks,
    >> Yanjing

  • Apache Vhosts and SSL

    Hi all,
    I am having this problem with virtual hosts and SSL.
    The subdomains work fine, but the problem is when you try to connect to the one with SSL: then you get "ssl_error_rx_record_too_long".
    It's not a permission error, and the certificate is created with ssh.mydomain.com as the FQDN, if that is of any importance.
    Listen 443
    <VirtualHost 172.16.2.250:80>
    DocumentRoot /srv/http/www
    ServerName www.mydomain.com
    </VirtualHost>
    <VirtualHost 172.16.2.250:80>
    DocumentRoot /srv/http/glype
    ServerName proxy.mydomain.com
    </VirtualHost>
    <VirtualHost 172.16.2.250:80>
    DocumentRoot /srv/http/forum
    ServerName forum.mydomain.com
    </VirtualHost>
    <VirtualHost 172.16.2.250:443>
    DocumentRoot /srv/http/ssh
    ServerName ssh.mydomain.com
    SSLEngine ON
    SSLCertificateKeyFile "/etc/httpd/certs/server.key"
    SSLCertificateFile "/etc/httpd/certs/server.crt"
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    ProxyPass / http://localhost:8100/
    ProxyPassReverse / http://localhost:8100/
    </VirtualHost>
    I am grateful for all the help I can receive.

    neddie_seagoon wrote:
    > SSL needs to run on a dedicated IP (and responds to all https requests on that IP) so you can't have multiple vhosts with SSL on the same IP. You would need to bring up more IPs and then configure your other vhosts to use them.
    FYI: recent builds of Apache and OpenSSL can now do SNI.
    http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
    Also, if you use wildcard certificates, and your vhosts are all subdomains of the same top-level domain, then that would work too. I have done this a few times before. Apache squawks a little when it starts up, but it works fine.
    But in the general case, and when using older builds of Apache, you are correct regarding the IP requirements.
    Last edited by cactus (2009-08-29 18:44:16)

  • Can't import an OpenSSL signed cert into a JKS using keytool

    Hey everyone,
    [Update] When I do an "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR and it is coming up as issued by server1, doesn't that indicate a self-signed cert? How could the CA be producing a cert that has an issuer of another server?
    I hope this is the right place for this, but I'm having some difficulty using the Java keytool and the OpenSSL tool on a Solaris system. Any help would be greatly appreciated.
    I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.
    For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    Am I doing something wrong in this whole process?
    1) Generate the Private Key for the CA server
    openssl genrsa -out CA.key -des 2048
    2) Generate the CSR on the CA
    openssl req -new -key CA.key -out CA.csr
    3) Sign the new CSR so that it can be used as the root certificate
    openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf
    4) On server1, create Server Private Key KeyStore
    keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"
    5) On server1, create a CSR from the recently created Private Key
    keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr
    6) Transfer the CSR over to the CA (server1) so that it can be signed
    openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf
    7) Transfer CA Public Cert to server1 and Import into keytool
    keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks
    8) Import recently signed CSR to app server keystore (This is where I receive the error)
    keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks
    Thanks!
    Edited by: user13378168 on Feb 11, 2011 2:03 PM

    I got it! Here's how I resolved it.
    1) Going back to the CA server, I looked at the server1.pem that was produced. I tried to validate it against the CA's certificate:
    openssl verify -CAFile CA.pem server1.pem
    server1.pem: /C=REDACTED/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=server1.domain.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    This seemed to be a clear indication that the certificate was not properly signed by OpenSSL.
    2) I tried signing it using a different command I found here: http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
    openssl ca -policy policy_match -config openssl.cnf -extensions v3_ca -cert CA.pem -in server1.csr -keyfile CA.key -days 365 -out server1.pem
    I received a much different set of responses from OpenSSL, including:
    Sign the certificate? [y/n]
    1 out of 1 certificate requests certified, commit? [y/n]
    3) I tried my validate command again and got a plain "OK".
    4) I then tried to import this new server1.pem using the keytool command and actually got the following error:
    keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data
    5) When I looked at the file, it seems that OpenSSL had added quite a bit of extra certificate information to the file. I deleted everything up to (but not including) the -----BEGIN CERTIFICATE----- line and tried the import one more time, and it imported successfully!
    Sabre, thanks for helping me look into this one.
    Edited by: user13378168 on Feb 14, 2011 12:50 PM - Added correct signing command
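    Step 5 above (deleting the text dump that "openssl ca" writes in front of the PEM block) is easy to automate and easy to get wrong by hand. The following is an added example, not part of the original thread: a Python helper that keeps only the -----BEGIN CERTIFICATE----- blocks from such a file and decodes each one to confirm that what keytool will see is DER that at least starts as an ASN.1 SEQUENCE, which is the shape every X.509 certificate has. The sample input is constructed to look like "openssl ca" output; its PEM body is a tiny DER SEQUENCE, not a real certificate, and no certificate validation is done here.

```python
import base64
import re

# One PEM block: BEGIN/END lines with matching labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def extract_pem_blocks(text, label="CERTIFICATE"):
    """Return the PEM blocks with the given label, dropping anything outside them.

    `openssl ca` writes a human-readable dump of the certificate before the
    PEM block; keytool only accepts the block itself (or raw DER).
    """
    return [m.group(0) for m in PEM_BLOCK.finditer(text) if m.group(1) == label]


def pem_to_der(block):
    """Decode one PEM block to DER and check it at least starts as a SEQUENCE.

    A sanity check, not certificate validation: every X.509 certificate is an
    ASN.1 SEQUENCE, so a first byte other than 0x30 means the body is not
    certificate data at all.
    """
    m = PEM_BLOCK.match(block)
    if m is None:
        raise ValueError("not a PEM block")
    body = "".join(m.group(2).split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def clean_for_keytool(text):
    """Keep only the CERTIFICATE blocks, decoding each once to prove it is DER."""
    blocks = extract_pem_blocks(text, "CERTIFICATE")
    for block in blocks:
        pem_to_der(block)
    return "\n".join(blocks) + "\n"


# Constructed stand-in for `openssl ca` output: a text dump followed by a PEM
# block whose body is a tiny DER SEQUENCE (30 03 02 01 01), not a certificate.
SAMPLE_CA_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN=example-ca (constructed)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(clean_for_keytool(SAMPLE_CA_OUTPUT), end="")
```

    Running "clean_for_keytool" over the real server1.pem and writing the result to a new file gives keytool the same input the manual edit produced; if several blocks are present (a chain), they are all kept in order.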

  • WSMAN CredSSP TLS 1.2 support and cipher suites

    Hi all,
    The protocol document [MS-CSSP] explains that the first base64-encoded token sent in the authentication from the client to the server is a TLS ClientHello. The response is a ServerHello.
    The diagram in section 4 'Protocol Examples' of the document indicates the ServerHello has a cipher suite of TLS_RSA_WITH_RC_128_SHA. The TLS version and cipher suites are not mentioned anywhere else in the document.
    So let's take a look at a network packet capture of a CredSSP authentication between a winrm.exe client and a Windows 2008 R2 server. I have base64-decoded the contents of the CredSSP Authorization headers.
    The ClientHello bytes (without the extensions) sent by my client are:
    16 03 01 00 6B 01 00 00  67 03 01 54 DB 64 77 22 
    A2 1C A3 23 93 61 3B 00  1B DE 1C 6D 42 34 94 8D 
    1D 44 2C 64 8B 42 AC 41  B4 E2 DE 00 00 14 00 2F 
    00 35 00 0A C0 13 C0 14  C0 09 C0 0A 00 32 00 38 
    00 13 01 00 00 2A FF 01  00 01 00 00 00 00 11 00 
    0F 00 00 0C
    Decoding this we can see that this is TLS 1.0 {03, 01}; taking a look at the ciphers we have:
    TLS_RSA_WITH_AES_128_CBC_SHA 0x00,0x2F
    TLS_RSA_WITH_AES_256_CBC_SHA 0x00,0x35
    TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00,0x0A
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0,0x13
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0,0x14
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC0,0x09
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC0,0x0A
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x00,0x32
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x00,0x38
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x00,0x13
    Now let's look at the ServerHello (without the extensions):
    16 03 01 02 3C 02 00 00  4D 03 01 54 DB 64 78 73 
    92 C6 86 A3 F8 FF 3D D4  36 77 C0 FC 80 61 3F 4D 
    8C BC 60 CD BC 4D B1 1C  4A CF 0A 20 DA 14 00 00 
    38 11 DB C9 1C D0 8C 76  E7 A0 B9 F7 A5 D4 94 DF 
    8B 83 38 B3 FF EB AA 65  EB 23 03 0A 00 2F 00 00 
    05 FF 01 00 01 00 0B 00  01 E3 00 01 E0 00 01 DD 
    30 82 01 D9 30 82 01 42  A0 03 02 01 02 02 10 44 
    56 23 69 44 ED 93 85 43  DF B8 DF E3 75 DC A7 30 
    0D 06 09 2A 86 48 86 F7  0D 01 01 05 05 00 30 2B 
    31 29 30 27 06 03 55 04  03 13 20 
    The server responds with TLS 1.0 and the selected cipher (0x00,0x2F), TLS_RSA_WITH_AES_128_CBC_SHA.
    Based on this, I created a WSMan CredSSP client using Python and OpenSSL and configured it to use TLS 1.2. I found the Windows server always responded with TLS 1.0. So I configured my OpenSSL client for TLS 1.0 and set the cipher list to AES128-SHA (like winrs.exe).
    The CredSSP TLS handshake completes, but the first ASN.1-encoded TSRequest token (containing an NTLM negotiate token) is rejected. However, if my OpenSSL cipher list is set to RC4, the TSRequest token is accepted and authentication is successful.
    This raises several questions:
    1. Despite sending a TLS 1.2 ClientHello, the WSMan CredSSP server always responded with a TLS 1.0 ServerHello. A number of security experts consider this version effectively broken. Does CredSSP support TLS 1.2?
    2. I can authenticate with CredSSP using OpenSSL 'RC4' cipher suites, but not with AES128-SHA suites. Are suites besides RC4 supported (winrs.exe appears to use AES)?
    Thanks
    Ian
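    Decoding hex dumps like the two above by hand is error-prone, so here is an added example (not from the original post) that does it programmatically: a minimal TLS record and Hello-message decoder in Python. It takes the two dumps above verbatim as constructed input, reports the record and Hello versions, the offered or selected cipher suites and the extension types it can see, notes any further handshake message packed into the same record (the server's Certificate follows its ServerHello here), and stops cleanly when the truncated dump runs out, so it also shows what is and is not recoverable from a capture cut short like this one. Cipher suite names are the IANA registry names; only the code points present in the capture are mapped.

```python
# Cipher suite code points present in the capture (names per the IANA registry).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}
EXTENSIONS = {0x0000: "server_name", 0xFF01: "renegotiation_info"}

# Constructed input: the two hex dumps from the post, copied as given.
# Both end early, so the decoder must cope with truncation.
CLIENT_HELLO_HEX = """
16 03 01 00 6B 01 00 00 67 03 01 54 DB 64 77 22
A2 1C A3 23 93 61 3B 00 1B DE 1C 6D 42 34 94 8D
1D 44 2C 64 8B 42 AC 41 B4 E2 DE 00 00 14 00 2F
00 35 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38
00 13 01 00 00 2A FF 01 00 01 00 00 00 00 11 00
0F 00 00 0C
"""
SERVER_HELLO_HEX = """
16 03 01 02 3C 02 00 00 4D 03 01 54 DB 64 78 73
92 C6 86 A3 F8 FF 3D D4 36 77 C0 FC 80 61 3F 4D
8C BC 60 CD BC 4D B1 1C 4A CF 0A 20 DA 14 00 00
38 11 DB C9 1C D0 8C 76 E7 A0 B9 F7 A5 D4 94 DF
8B 83 38 B3 FF EB AA 65 EB 23 03 0A 00 2F 00 00
05 FF 01 00 01 00 0B 00 01 E3 00 01 E0 00 01 DD
30 82 01 D9 30 82 01 42 A0 03 02 01 02 02 10 44
56 23 69 44 ED 93 85 43 DF B8 DF E3 75 DC A7 30
0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 2B
31 29 30 27 06 03 55 04 03 13 20
"""


class Truncated(Exception):
    """Raised when the dump ends before the field being read."""


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise Truncated()
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, width):
        return int.from_bytes(self.take(width), "big")

    def remaining(self):
        return len(self.data) - self.pos


def suite_name(code):
    return CIPHER_SUITES.get(code, f"0x{code:04X}")


def parse_hello(hex_dump):
    """Decode one TLS record holding a ClientHello or ServerHello."""
    r = Reader(bytes.fromhex(hex_dump))
    info = {"extensions": [], "following": [], "truncated": False}
    try:
        r.uint(1)                                    # content type, 0x16 = handshake
        info["record_version"] = VERSIONS.get(r.uint(2))
        info["record_length"] = r.uint(2)
        hs_type = r.uint(1)
        info["handshake"] = HANDSHAKE_TYPES.get(hs_type, hs_type)
        r.uint(3)                                    # handshake body length
        info["version"] = VERSIONS.get(r.uint(2))    # the version actually offered/chosen
        r.take(32)                                   # random
        r.take(r.uint(1))                            # session id
        if hs_type == 1:
            count = r.uint(2) // 2                   # cipher_suites length in bytes
            info["cipher_suites"] = [suite_name(r.uint(2)) for _ in range(count)]
            r.take(r.uint(1))                        # compression methods
        else:
            info["cipher_suite"] = suite_name(r.uint(2))
            r.uint(1)                                # compression method
        end = r.pos + r.uint(2)                      # extensions block
        while r.pos < end:
            ext_type = r.uint(2)
            info["extensions"].append(EXTENSIONS.get(ext_type, hex(ext_type)))
            r.take(r.uint(2))                        # extension payload
        while r.remaining() >= 4:                    # more messages in the same record
            next_type = r.uint(1)
            info["following"].append(HANDSHAKE_TYPES.get(next_type, next_type))
            r.take(r.uint(3))
    except Truncated:
        info["truncated"] = True
    return info


if __name__ == "__main__":
    for label, dump in (("client", CLIENT_HELLO_HEX), ("server", SERVER_HELLO_HEX)):
        print(label, parse_hello(dump))
```

    On the dumps above the decoder reports TLS 1.0 on both sides, the ten offered suites in the order listed in the post, the server's choice of TLS_RSA_WITH_AES_128_CBC_SHA, and a renegotiation_info extension from both peers; the client's server_name extension is visible by type only because the dump stops inside it.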

    Forum Update:
    I can now answer my 2nd question. The reason CredSSP is rejecting my TSRequest token when using AES128-SHA is that this cipher suite uses CBC.
    Some years ago OpenSSL added empty fragments to SSLv3 and TLS 1.0 packets to address a potential security vulnerability. These empty fragments are not compatible with Microsoft's SChannel implementation, so Windows is unable to decrypt the data. OpenSSL added a compatibility flag, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (0x00000800L), that must be set in the OpenSSL client's context options to address this issue with Microsoft's implementation. Once I set this option, my Python OpenSSL client successfully authenticated with a Windows 2012 R2 server using ECDHE-RSA-AES256-SHA - much better.
    Question 1 is still unanswered. Is TLS 1.2 with CredSSP supported?

  • OFM 11gr1 and php 5.2.13 on a sun sparc platform

    Hello,
    I have a sun sparc 64 platform. Currently upgrading to 11g and have most things up and running.
    I need to upgrade my version of php to 5.x. Wanted to upgrade to 5.3 but apparently it is not available for my platform.
    But, php 5.2.13 for the sparc is available from the sunfree site. However, it requires mysql, openldap, and openssl and some other packages.
    Has anyone had any success installing, configuring and using this version of PHP in conjunction with the 11g OFM WebLogic server products?
    I'm concerned that installing them will result in port conflicts.
    We have no need to install these additional packages other than they appear to be "required".
    Thanks.
    So the sysadmin has installed all of the packages. Apparently the libphp5.so is in 32-bit mode. We are getting the following error when we try to start the OHS:
    /disk0/Oracle/Middleware/as_tools/ohs/bin/apachectl startssl: execing httpd
    httpd.worker: Syntax error on line 247 of /disk0/Oracle/Middleware/asinst_tools/config/OHS/ohs1/httpd.conf: Cannot load /usr/local/apache2/modules/libphp5.so into server: ld.so.1: httpd.worker: fatal: /usr/local/apache2/modules/libphp5.so: wrong ELF class: ELFCLASS32
    I want to pass on the steps in the "PHP instructions for OHS" article that was on otn but it is for linux not solaris sparc.
    Does anyone have any notes on installing php on a sparc platform with 11g?
    Edited by: emmett on Jun 8, 2010 11:46 AM

  • I have an iOS OpenSSL compile environment issue

    hi:
    I encountered a troublesome problem when compiling OpenSSL: with -arch i386 the compiler works, with -arch armv7 it goes wrong.
    I have had this problem for several days, and I suspect it is a difference between the simulator SDK and the iPhone SDK, or a file missing from my SDK.
    OS X 10.8.2, Xcode 4.6.1, iPhone SDK 6.1.
    openssl the makefile:
    VERSION=1.0.0e
    MAJOR=1
    MINOR=0.0
    SHLIB_VERSION_NUMBER=1.0.0
    SHLIB_VERSION_HISTORY=
    SHLIB_MAJOR=1
    SHLIB_MINOR=0.0
    SHLIB_EXT=.$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
    PLATFORM=darwin-armv7-cc
    OPTIONS= no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-shared no-store no-zlib no-zlib-dynamic static-engine
    CONFIGURE_ARGS=darwin-armv7-cc
    SHLIB_TARGET=darwin-shared
    HERE=.
    INSTALL_PREFIX=
    INSTALLTOP=/usr/local/ssl
    OPENSSLDIR=/usr/local/ssl
    CC= /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc
    CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch armv7 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk -O3 -fomit-frame-pointer -DL_ENDIAN
    DEPFLAG= -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE
    PEX_LIBS= -Wl,-search_paths_first
    EX_LIBS=
    EXE_EXT=
    ARFLAGS=
    AR= ar $(ARFLAGS) r
    RANLIB= /opt/local/bin/ranlib
    NM= nm
    PERL= /opt/local/bin/perl5
    TAR= tar
    TARFLAGS= --no-recursion
    MAKEDEPPROG=makedepend
    LIBDIR=lib
    The Log:
    Undefined symbols for architecture armv7:
      "_accept$UNIX2003", referenced from:
          _do_server in s_socket.o
          _BIO_accept in libcrypto.a(b_sock.o)
      "_bind$UNIX2003", referenced from:
          _do_server in s_socket.o
          _BIO_get_accept_socket in libcrypto.a(b_sock.o)
      "_chmod$UNIX2003", referenced from:
          _RAND_write_file in libcrypto.a(randfile.o)
      "_close$UNIX2003", referenced from:
          _sv_body in s_server.o
          _s_client_main in s_client.o
          _speed_main in speed.o
          _s_time_main in s_time.o
          _init_client in s_socket.o
          _do_server in s_socket.o
          _acpt_ctrl in libcrypto.a(bss_acpt.o)
      "_closedir$UNIX2003", referenced from:
          _OPENSSL_DIR_end in libcrypto.a(o_dir.o)
      "_connect$UNIX2003", referenced from:
          _init_client in s_socket.o
          _conn_state in libcrypto.a(bss_conn.o)
          _BIO_get_accept_socket in libcrypto.a(b_sock.o)
          _RAND_query_egd_bytes in libcrypto.a(rand_egd.o)
      "_fdopen$UNIX2003", referenced from:
          _speed_main in speed.o
      "_fopen$UNIX2003", referenced from:
          _enc_main in enc.o
          _BIO_new_file in libcrypto.a(bss_file.o)
          _file_ctrl in libcrypto.a(bss_file.o)
          _RAND_load_file in libcrypto.a(randfile.o)
          _RAND_write_file in libcrypto.a(randfile.o)
          _open_console in libcrypto.a(ui_openssl.o)
      "_fputs$UNIX2003", referenced from:
          _main in openssl.o
          _BIO_debug_callback in libcrypto.a(bio_cb.o)
          _write_string in libcrypto.a(ui_openssl.o)
          _read_string in libcrypto.a(ui_openssl.o)
      "_fstat$INODE64", referenced from:
          _RAND_poll in libcrypto.a(rand_unix.o)
      "_fwrite$UNIX2003", referenced from:
          _check in verify.o
          _req_main in req.o
          _dsa_main in dsa.o
          _speed_main in speed.o
          _s_time_main in s_time.o
          _load_index in apps.o
          _write_fp in libcrypto.a(b_dump.o)
    Can you help me solve it? Thank you very much~!
    Online waiting~~~

    You're looking for assistance with porting OpenSSL to iOS?  While it would be more typical to use iOS core frameworks such as CFNetwork or other higher-level frameworks such as AFNetwork, there are other OpenSSL-based alternatives and ports for iOS, if you really want or need your own copy.
    I just ended up writing a "framework" for OpenSSL for another platform.  That was "fun".  But I digress.
    Quoting from the Apple documentation: "Although OpenSSL is commonly used in the open source community, OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged."
    Accordingly, I'd generally recommend against having your own embedded SSL/TLS security code as that means full ownership of security updates and security fixes and API changes and the rest, but if you do really need to have OpenSSL around, then you're going to get to build your own dynamic library containing OpenSSL, as was described in the links above.
    For more information on what's happening with OpenSSL, SSL/TLS, CDSA and other such within iOS and OS X, there are some WWDC sessions that will definitely be of interest.  Given the (programming) choice here, I'd probably go with AFNetwork or CFNetwork, or with Common Crypto or such.  Not with OpenSSL.
    For the best and fastest answers to these sorts of questions, I'd also suggest posting to the Apple developer forums, rather than here in the consumer forums.  For instance, see this thread...

  • Openssl vulnerability -- Adobe Connect 8.2

    What is the supported patch / fix for Adobe Connect 8.2 and Openssl vulnerabilities discovered over the last few months?  I'm assuming it is due to an old stunnel implementation.
    The remote service accepted an SSL ChangeCipherSpec message at an incorrect point in the handshake, leading to weak keys being used, and then attempted to decrypt an SSL record using those weak keys.
    CVE-2010-5298
    CVE-2014-0076
    CVE-2014-0195
    CVE-2014-0198
    CVE-2014-0221
    CVE-2014-0224
    CVE-2014-3470

    You should go and download the Stunnel application and replace the version included with Connect 8.2. stunnel: Downloads
    So you are aware, Connect 9 and newer installers no longer come with Stunnel, so you will need to go to Stunnel's site to download the latest version when upgrading (unless you are already on the latest version).

  • Unable to monitor SLES 10 SP4,SLES 11 SP3 and SLES 11 SP2 via SCOM 2012 R2

    Hi ,
    I am unable to get SLES 10 SP4, SLES 11 SP3 and SLES 11 SP2 under SCOM 2012 R2 monitoring. The PAM, glibc and openssl are at the right versions.
    Per the documentation, the SCOM MP for UNIX/Linux provides monitoring of SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10 SP1, and SUSE Linux Enterprise Server 11 operating systems. Does this mean it cannot monitor SP2, SP3 and SP4 of the same operating systems?
    "Platform not supported" is the error which I get.
    Thank you much,

    There should not be any problems with monitoring SLES 10 SP4 or SLES 11 SP2/SP3. If you are getting a "platform not supported" error, it may be that the right management packs have not successfully imported. Can you give more details on when you get the error, and the management pack versions that you have installed?  And what Update Rollup (UR) for OpsMgr do you have installed?  The latest is UR4, and the Linux/UNIX management packs for UR4 are here: http://www.microsoft.com/en-hk/download/details.aspx?id=29696 (be sure to download the version for "R2").
    Michael Kelley, Lead Program Manager, Open Source Technology Center

  • Openssl 0.9.8 brings problems

    Yesterday I did pacman -Syu, openssl was upgraded, and ssh gives the following error:
    ssh: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory
    Now gdm doesn't work because it uses ssh; d4x and wget use libssl.so.0.9.7 and they don't work either.
    I have Debian on another partition, which has both 0.9.7 and 0.9.8; I copied 0.9.7 over and now everything is working.

    tomk wrote: If I understand you correctly, this is a bad solution. You copied individual 0.9.7 libs from Debian to Arch, but pacman still thinks you have 0.9.8 installed, and doesn't know anything about the copied files. The right thing to do is downgrade to 0.9.7 - using pacman, of course.
    The first thing I checked was whether I have openssl 0.9.7, but no luck (I recently deleted all cached packages).
    I know that is not a good solution, but I needed ssh running.
    I had removed openssh-CHROOT and installed openssh, and now everything is OK.
    Thanks for the help
