[openssl.org #339] Apache + SSL
This doesn't belong in the bugs database, so I'm killing this ticket. Please resend that mail to [EMAIL PROTECTED]

[[EMAIL PROTECTED] - Wed Nov 13 09:17:09 2002]:
> Hi there. I am wondering if there is an Apache + SSL for win32 for Apache 1.3.27. I have searched almost everywhere and have not found it. I found a lot of SSL stuff for Apache 1.3.26, but not for 1.3.27. Can you please update me on this if you don't mind.
> Regards
> Gagan Walia ( http://www.walia.com )

--
Richard Levitte
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
On Tue, Nov 12, 2002 at 11:04:17PM +0100, Frédéric Giudicelli via RT wrote:
> Well IETF didn't answer... I'm guessing that M$ is wrong, that would not be the first time, however the real question now, is how do you contact M$, to report the bug, the guy I was in contact with, is:
> krish shenoy[MS] [EMAIL PROTECTED]
> He claims that M$ is right, I guess I'll let you big guys convince them !

I think it is the software author who should convince the customer to buy a product doing something the right way.

> Cheers !
>
> ----- Original Message -----
> From: Frédéric Giudicelli [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Friday, November 01, 2002 12:50 AM
> Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
>
> > Well Microsoft support tells me it's openssl's fault, and you tell me it's microsoft's ?
[openssl.org #340] EVP_PKEY_get0_*()
Hi *,

I've got a short question: Is it possible to include macros '#define EVP_PKEY_get0_EC_KEY(a) ((a)-pkey.eckey)' etc. in evp.h ?

Regards,
Nils

PS: In case there are no objections, here's a patch:

--- openssl-SNAP-2002/crypto/evp/evp.h Mon Aug 12 11:01:02 2002 +++ TC_OpenSSL_Neu/crypto/evp/evp.h Wed Nov 13 12:55:35 2002 @@ -774,21 +774,25 @@ struct rsa_st; int EVP_PKEY_set1_RSA(EVP_PKEY *pkey,struct rsa_st *key); struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey); +#define EVP_PKEY_get0_RSA(a) ((a)-pkey.rsa) #endif #ifndef OPENSSL_NO_DSA struct dsa_st; int EVP_PKEY_set1_DSA(EVP_PKEY *pkey,struct dsa_st *key); struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey); +#define EVP_PKEY_get0_DSA(a) ((a)-pkey.dsa) #endif #ifndef OPENSSL_NO_DH struct dh_st; int EVP_PKEY_set1_DH(EVP_PKEY *pkey,struct dh_st *key); struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey); +#define EVP_PKEY_get0_DH(a)((a)-pkey.dh) #endif #ifndef OPENSSL_NO_EC struct ec_key_st; int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey,struct ec_key_st *key); struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); +#define EVP_PKEY_get0_EC_KEY(a)((a)-pkey.eckey) #endif EVP_PKEY *EVP_PKEY_new(void);
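Review bot: the four get0 macros return the union member for whatever key type the EVP_PKEY actually holds, with no check of `pkey->type`, so EVP_PKEY_get0_DH() applied to an RSA key silently yields the RSA pointer reinterpreted as `struct dh_st *`; suggest either checking the type and evaluating to NULL on mismatch, or documenting that callers must check the key type first. The same comment should say that the pointer is borrowed (no reference taken, unlike the get1 functions declared beside them) and must not be freed by the caller. Also, as reproduced here every body reads `((a)-pkey.rsa)` and so on; member access is `->`, so make sure the patch as applied has `((a)->pkey.rsa)`.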
[openssl.org #337] bug report (OpenSSL 0.9.6g, RC2 cipher)
Steve answered with instructions on how to do this. This ticket is thereby resolved.

[[EMAIL PROTECTED] - Tue Nov 12 17:18:26 2002]:
> Hi,
>
> Situation:
> ==
> 1.) Call: pCipher=EVP_get_cipherbyname("RC2-CBC")
> 2.) Call: EVP_CIPHER_CTX_init(ec_ctx)
> 3.) Call: EVP_CipherInit(ec_ctx,pCipher,byKey,byIV,1)
>     byKey contains 16 octets (128bit RC2 key)
> 4.) Call: EVP_CIPHER_CTX_ctrl(ec_ctx,EVP_CTRL_SET_RC2_KEY_BITS,40,0L);
>     to set effective key length to 40bit
>
> Bug:
> Effective key length is updated in struct, but RC2 key data is NOT updated (bugfix seems to be impossible because EVP_CIPHER_CTX_ctrl does not have access to raw key material !?).
>
> Regards.

--
Richard Levitte
[openssl.org #172] 0.9.7-beta3: evp.h and compatibility defines break crypt()
This was resolved a while ago by disabling crypt() entirely. If you wish to use an OpenSSL function, use DES_crypt() instead. This ticket is now resolved.

--
Richard Levitte
[openssl.org #193] Bug: test failure on Solaris 8
Since we still haven't heard anything, I'm making this ticket stalled.

[jaenicke - Fri Oct 18 15:37:32 2002]:
> [[EMAIL PROTECTED] - Fri Aug 2 17:50:30 2002]:
> > While compiling openssl-engine-0.9.6e as 64bit on Solaris 8 using gcc3.1, I get the following error when performing 'make test'.
> ...
> Any news on this issue? Especially: does it still apply to 0.9.6g?
>
> Best regards,
> Lutz

--
Richard Levitte
Re: [openssl.org #339] Apache + SSL
FYI: I've built mod_ssl-2.8.12 with Apache 1.3.27 on my win2k box, go to http://www.modssl.org/source/ and have a look.

good luck

----- Original Message -----
From: Gagan Walia via RT [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 13, 2002 3:17 AM
Subject: [openssl.org #339] Apache + SSL

> Hi there. I am wondering if there is an Apache + SSL for win32 for Apache 1.3.27. I have searched almost everywhere and have not found it. I found a lot of SSL stuff for Apache 1.3.26, but not for 1.3.27. Can you please update me on this if you don't mind.
> Regards
> Gagan Walia ( http://www.walia.com )
Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
Well IETF didn't answer... I'm guessing that M$ is wrong, that would not be the first time, however the real question now, is how do you contact M$, to report the bug, the guy I was in contact with, is:
krish shenoy[MS] [EMAIL PROTECTED]
He claims that M$ is right, I guess I'll let you big guys convince them !

Cheers !

----- Original Message -----
From: Frédéric Giudicelli [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, November 01, 2002 12:50 AM
Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

> Well Microsoft support tells me it's openssl's fault, and you tell me it's microsoft's ? It's a dead end, what am I supposed to tell my clients ? Well... although PKIX recommends the use of the authorityKeyId, and the French Government says you must have this extension to be certified, I'll have to remove this extension ?
>
> To make everybody happy let's read the RFC http://www.ietf.org/rfc/rfc2459.txt
>
> 4.2.1.1 Authority Key Identifier
> ...The identification may be based on either the key identifier (the subject key identifier in the issuer's certificate) or on the issuer name and serial number.
>
> 4.2.1.2 Subject Key Identifier
> ...The value of the subject key identifier MUST be the value placed in the key identifier field of the Authority Key Identifier extension (see sec. 4.2.1.1) of certificates issued by the subject of this certificate.
>
> Well the least that we could say, it is crystal clear :). it's incomprehensible. I'm writing to the authors to see what they say about it, because MS has another comprehension than yours.
>
> ----- Original Message -----
> From: Richard Levitte - VMS Whacker via RT [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Friday, November 01, 2002 12:23 AM
> Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
>
> > In message [EMAIL PROTECTED] on Thu, 31 Oct 2002 23:19:17 +0100 (MET), Frédéric Giudicelli via RT [EMAIL PROTECTED] said:
> >
> > rt> All I know, is that MS Windows 2000 SP3 consider the chain broken,
> > rt> it links the EndUser Cert with the ROOT CERT, and since the issuer
> > rt> of the EndUser Cert is not ROOT CA, badaboum, unusable
> > rt> certificate.
> >
> > In that case, I think Windows has it wrong.
> >
> > rt> When authorityKeyId=keyid, it works, when authorityKeyId=keyid,
> > rt> issuer - doesn't work.
> >
> > OK, listen up: It's not the combination keyID+issuer that should be looked up, it's the combination issuer+serial (look at the certificate, there should be a serial number there as well). If Windows breaks on such values, it's broken.
> >
> > rt> I'm sorry but when we talk about the issuer of the EndUser Cert,
> > rt> we talk about INTERMEDIATE CA, not ROOT CA.
> >
> > Again, listen up: The intermediate CA certificate can be referred to by subject or by rootsubject+serial (that is, the serial number that you can see in the intermediate CA certificate). It's the latter lookup method that should be used when the authorityKeyIdentifier is used.
> >
> > rt> That's a nonsense.
> >
> > No, you just keep ignoring the serial number, and apparently, so does Windows.
> >
> > --
> > Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
> > Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
> > \ SWEDEN \ or +46-708-26 53 44
> > Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
> > Member of the OpenSSL development team: http://www.openssl.org/
> >
> > Unsolicited commercial email is subject to an archival fee of $400.
> > See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
In message 03f201c28a97$38a075d0$0200a8c0@station1 on Tue, 12 Nov 2002 23:02:41 +0100, Frédéric Giudicelli [EMAIL PROTECTED] said:

groups> I'm guessing that M$ is wrong, that would not be the first time, however
groups> the real question now, is how do you contact M$, to report the bug, the guy
groups> I was in contact with, is:
groups> krish shenoy[MS] [EMAIL PROTECTED]
groups> He claims that M$ is right, I guess I'll let you big guys convince them !

I was very close to saying "tough for them" and ignoring the whole thing. But then I changed my mind, and mailed that fellow. I was even polite :-).

In the mean time, I'll kill the ticket if it hasn't already been done.

--
Richard Levitte
[openssl.org #227] Building openssl 0.9.7 on sunos 4.1.3_U1
Applied and committed. This ticket is now resolved.

[[EMAIL PROTECTED] - Wed Aug 21 03:59:19 2002]:
> On Fri, 16 Aug 2002, Richard Levitte - VMS Whacker via RT wrote:
>
> > In message Pine.BSF.4.21.0208151853170.45263-[EMAIL PROTECTED] on Thu, 15 Aug 2002 19:17:27 -0700 (PDT), Doug Kaufman [EMAIL PROTECTED] said:
> >
> > dkaufman> I recently tried to build the August 9th snapshot of openssl 0.9.7 on
> > dkaufman> a sun sparc machine running sunos 4.1.3_U1. This failed in several
> > ...
> > dkaufman> I wasn't sure which define to use to identify this version of sunos.
> >
> > The best thing would probably be to insert an identifying name in the $sys_id field of the sunos-gcc target (I assume that's the one you got to use, right?).
>
> OK. Here is a redone patch. I have attached it because of the long lines.
>
> Doug
> __
> Doug Kaufman
> Internet: [EMAIL PROTECTED]

--
Richard Levitte
Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
Politeness is always better, especially in dead-end conversations, like those, you know, "you're wrong !" "no it's you who is wrong !" Although I'll be tempted to think that MS is particularly good at this. :)

Well I hope MS will be able to get into an adult argumentation, I think it's mostly about the comprehension of the RFC, since it's really not clear the way IETF expresses it. The best solution would be that one of you big people contact IETF about the RFC comprehension, at least that would quit any kind of linguistic argumentation.

Imagine, the headlines in every journal of the world: "Microsoft is proved, by the OpenSSL community, to be unable to understand English !" WARFWARFWARF ! Sorry, I had a stressful day.

----- Original Message -----
From: Richard Levitte - VMS Whacker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 13, 2002 5:09 PM
Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

> In message 03f201c28a97$38a075d0$0200a8c0@station1 on Tue, 12 Nov 2002 23:02:41 +0100, Frédéric Giudicelli [EMAIL PROTECTED] said:
>
> groups> I'm guessing that M$ is wrong, that would not be the first time, however
> groups> the real question now, is how do you contact M$, to report the bug, the guy
> groups> I was in contact with, is:
> groups> krish shenoy[MS] [EMAIL PROTECTED]
> groups> He claims that M$ is right, I guess I'll let you big guys convince them !
>
> I was very close to saying "tough for them" and ignoring the whole thing. But then I changed my mind, and mailed that fellow. I was even polite :-).
>
> In the mean time, I'll kill the ticket if it hasn't already been done.
>
> --
> Richard Levitte
Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
On Wed, 13 Nov 2002, Frédéric Giudicelli wrote:

> Well I hope MS will be able to get into an adult argumentation, I think it's mostly about the comprehension of the RFC, since it's really not clear the way IETF expresses it. The best solution would be that one of you big people contact IETF about the RFC comprehension, at least that would quit any kind of linguistic argumentation.

I personally don't think this would be useful. The corresponding paragraph of RFC 3280 is more or less a copy of the text of the X.509 standard. It is clearly stated at the beginning of this paragraph (the one of RFC 3280, as not everyone has a copy of X.509 right now) that:

  The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or on the issuer name and serial number.

So the purpose of this extension is to find 'the issuer of the present certificate', and the remaining text should be read in that context. More precisely, when it talks about 'the issuer name', one must understand 'the issuer name of the issuer of the present certificate', just as when it talks about the 'keyIdentifier', one must understand 'the keyIdentifier of the issuer of the present certificate', and when it talks about 'the serial number', one must understand 'the serial number of the issuer of the present certificate'.

RFC-reading is an art, just like Standards-reading ;)

So far, I think that only Microsoft made this mistake, I never found it in any other product I've seen. Based on that, I really don't think it might be necessary to rewrite the RFC, or the X.509 standard (which would involve *much* more work).

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-
Unspeakable error in module Cthulhu at address R'lyeh.
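As an added illustration of the reading given above (this is not code from the thread or from OpenSSL), a small Python model of a chain builder: the standard AKID match beside the misreading the thread attributes to Windows, run over a constructed Root CA / Intermediate CA / end-user hierarchy whose names, serial numbers and key identifiers are made up.

```python
"""Chain building with authorityKeyIdentifier (AKID): standard reading vs. the
misreading described in the thread.  Added example, not code from the thread
or from OpenSSL; all names, serials and key identifiers are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class AuthorityKeyId:
    # RFC 3280 4.2.1.1: names the issuer's *certificate* either by the issuer's
    # subjectKeyIdentifier, or by that certificate's own issuer DN + serial
    # number (the pair that uniquely identifies any certificate).
    key_id: Optional[bytes] = None
    authority_cert_issuer: Optional[str] = None
    authority_cert_serial: Optional[int] = None


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    subject_key_id: bytes
    akid: Optional[AuthorityKeyId] = None


def akid_matches(cert: Cert, cand: Cert) -> bool:
    """Standard reading: authorityCertIssuer/SerialNumber are compared with the
    candidate's *own* issuer DN and serial; keyIdentifier with its SKID."""
    a = cert.akid
    if a is None:
        return True
    if a.key_id is not None and a.key_id != cand.subject_key_id:
        return False
    if a.authority_cert_issuer is not None and a.authority_cert_issuer != cand.issuer:
        return False
    if a.authority_cert_serial is not None and a.authority_cert_serial != cand.serial:
        return False
    return True


def akid_matches_misread(cert: Cert, cand: Cert) -> bool:
    """Misreading from the thread: authorityCertIssuer is compared with the
    candidate's *subject* DN and the serial number is ignored, so an end-user
    certificate's AKID selects the root instead of the signing intermediate."""
    a = cert.akid
    if a is None:
        return True
    if a.key_id is not None and a.key_id != cand.subject_key_id:
        return False
    if a.authority_cert_issuer is not None and a.authority_cert_issuer != cand.subject:
        return False
    return True


def akid_candidates(cert: Cert, pool: List[Cert],
                    matcher: Callable[[Cert, Cert], bool]) -> List[Cert]:
    """Pool entries that the AKID extension selects as possible issuers."""
    return [c for c in pool if matcher(cert, c)]


def build_chain(leaf: Cert, pool: List[Cert],
                matcher: Callable[[Cert, Cert], bool]) -> Optional[List[str]]:
    """Walk from the leaf to a self-signed root, returning the subject DNs.
    Whatever AKID selects must also satisfy name chaining (issuer DN == the
    candidate's subject DN); if nothing does, the chain is unusable, which is
    exactly the 'unusable certificate' failure reported in the thread."""
    chain, cur = [leaf.subject], leaf
    while cur.subject != cur.issuer:
        cands = [c for c in akid_candidates(cur, pool, matcher) if c.subject == cur.issuer]
        if len(cands) != 1 or len(chain) > len(pool):
            return None  # missing or ambiguous issuer, or a looping pool
        cur = cands[0]
        chain.append(cur.subject)
    return chain


# Constructed three-level hierarchy: Root CA -> Intermediate CA -> end user.
ROOT = Cert("CN=Root CA", "CN=Root CA", 1, b"\x01" * 20)
INTER = Cert("CN=Intermediate CA", "CN=Root CA", 42, b"\x02" * 20,
             AuthorityKeyId(key_id=b"\x01" * 20))
# AKID by keyIdentifier only: both readings agree on this one.
LEAF_KEYID = Cert("CN=end user", "CN=Intermediate CA", 7, b"\x03" * 20,
                  AuthorityKeyId(key_id=b"\x02" * 20))
# AKID by issuer name + serial: points at the intermediate *through its own
# issuer* (the root DN) and *its own serial* (42), not through its subject.
LEAF_ISSUER_SERIAL = Cert("CN=end user", "CN=Intermediate CA", 8, b"\x03" * 20,
                          AuthorityKeyId(authority_cert_issuer="CN=Root CA",
                                         authority_cert_serial=42))
POOL = [ROOT, INTER]

if __name__ == "__main__":
    for leaf in (LEAF_KEYID, LEAF_ISSUER_SERIAL):
        print("standard:", build_chain(leaf, POOL, akid_matches))
        print("misread: ", build_chain(leaf, POOL, akid_matches_misread))
```

With the issuer+serial form the misreading selects the root as the leaf's issuer, the name-chaining check then fails, and no chain is found; the keyIdentifier form works under both readings, which matches what the thread reports.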
RE: [openssl.org #323] Bug in authorityKeyIdentifier extension ?
I've been very pleasantly surprised, in the last few months, at the responsiveness of MS support people and developers whom I have encountered by submitting support requests related to Kerberos and X.509. If someone would turn down the flame-meter a notch or two and construct a concise document explaining what's wrong with their implementation, you might get what you want.
Re: cvs commit: openssl/test Makefile.ssl
[EMAIL PROTECTED] wrote:
...
Index: t_x509.c === RCS file: /e/openssl/cvs/openssl/crypto/asn1/t_x509.c,v retrieving revision 1.31 retrieving revision 1.32 diff -u -r1.31 -r1.32 --- t_x509.c2002/08/07 10:49:22 1.31 +++ t_x509.c2002/11/13 15:42:14 1.32 @@ -444,15 +444,17 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) { - char *s,*c; + char *s,*c,*b; int ret=0,l,ll,i,first=1; - char buf[256]; ll=80-2-obase; - s=X509_NAME_oneline(name,buf,256); + b=s=X509_NAME_oneline(name,NULL,0); if (!*s) + { + free(b); ^^ Shouldn't it be OPENSSL_free() ? return 1; + } s++; /* skip the first slash */ l=ll; @@ -508,6 +510,7 @@ err: X509err(X509_F_X509_NAME_PRINT,ERR_R_BUF_LIB); } + free(b); ^^ dito return(ret); }

Regards,
Nils
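Review bot: both `free(b)` calls (the early-return path in the first hunk and the common exit in the second) release a buffer that `X509_NAME_oneline(name,NULL,0)` allocated on the caller's behalf, so they should be `OPENSSL_free(b)`, as the inline question already suggests; mixing allocators breaks builds where OPENSSL_malloc is not the libc malloc and bypasses the library's memory debugging. In the first hunk the returned pointer is also dereferenced at once (`if (!*s)`) with no NULL check, so an allocation failure inside X509_NAME_oneline() now crashes instead of reporting an error; add `if (s == NULL) return 0;` before the dereference.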
Re: cvs commit: openssl/test Makefile.ssl
Good catch, thanks! I just applied a change.

In message [EMAIL PROTECTED] on Wed, 13 Nov 2002 20:04:19 +0100, Nils Larsch [EMAIL PROTECTED] said:

nlarsch [EMAIL PROTECTED] wrote: nlarsch ... nlarschIndex: t_x509.c nlarsch=== nlarschRCS file: /e/openssl/cvs/openssl/crypto/asn1/t_x509.c,v nlarschretrieving revision 1.31 nlarschretrieving revision 1.32 nlarschdiff -u -r1.31 -r1.32 nlarsch--- t_x509.c 2002/08/07 10:49:22 1.31 nlarsch+++ t_x509.c 2002/11/13 15:42:14 1.32 nlarsch@@ -444,15 +444,17 @@ nlarsch nlarsch int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) nlarsch { nlarsch- char *s,*c; nlarsch+ char *s,*c,*b; nlarsch int ret=0,l,ll,i,first=1; nlarsch- char buf[256]; nlarsch nlarsch ll=80-2-obase; nlarsch nlarsch- s=X509_NAME_oneline(name,buf,256); nlarsch+ b=s=X509_NAME_oneline(name,NULL,0); nlarsch if (!*s) nlarsch+ { nlarsch+ free(b); nlarsch ^^ nlarsch Shouldn't it be OPENSSL_free() ? nlarsch nlarsch return 1; nlarsch+ } nlarsch s++; /* skip the first slash */ nlarsch nlarsch l=ll; nlarsch@@ -508,6 +510,7 @@ nlarsch err: nlarsch X509err(X509_F_X509_NAME_PRINT,ERR_R_BUF_LIB); nlarsch } nlarsch+ free(b); nlarsch ^^ nlarsch dito nlarsch nlarsch return(ret); nlarsch }

--
Richard Levitte
Please help: SSL_read() hang after read http 100 continue header
Hi,

I have a client program using OpenSSL to send a request to and receive a response from a web server. SSL_read hangs if the web server sends the following headers. The following is the header dump without SSL. I think the problem is the separator 0d 0a 0d 0a between the two blocks of headers.

0x0000 | 48 54 54 50 2f 31 2e 31 20 31 30 30 20 43 6f 6e |HTTP/1.1 100 Con
0x0010 | 74 69 6e 75 65 0d 0a 53 65 72 76 65 72 3a 20 4d |tinue..Server: M
0x0020 | 69 63 72 6f 73 6f 66 74 2d 49 49 53 2f 35 2e 30 |icrosoft-IIS/5.0
0x0030 | 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 33 30 20 |..Date: Wed, 30 
0x0040 | 4f 63 74 20 32 30 30 32 20 30 36 3a 33 34 3a 35 |Oct 2002 06:34:5
0x0050 | 36 20 47 4d 54 0d 0a 0d 0a                      |6 GMT....

0x0000 | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.
0x0010 | 0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f |.Server: Microso
0x0020 | 66 74 2d 49 49 53 2f 35 2e 30 0d 0a 44 61 74 65 |ft-IIS/5.0..Date
0x0030 | 3a 20 57 65 64 2c 20 33 30 20 4f 63 74 20 32 30 |: Wed, 30 Oct 20
0x0040 | 30 32 20 30 36 3a 33 35 3a 30 37 20 47 4d 54 0d |02 06:35:07 GMT.
0x0050 | 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a |.Content-Length:
0x0060 | 20 31 38 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 | 1863..Content-T
0x0070 | 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a |ype: text/html..
0x0080 | 45 78 70 69 72 65 73 3a 20 57 65 64 2c 20 33 30 |Expires: Wed, 30
0x0090 | 20 4f 63 74 20 32 30 30 32 20 30 36 3a 33 35 3a | Oct 2002 06:35:
0x00a0 | 30 37 20 47 4d 54 0d 0a 43 61 63 68 65 2d 63 6f |07 GMT..Cache-co
0x00b0 | 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 0d 0a |ntrol: private..

You can see, it is like

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Wed, 30 Oct 2002 06:34:56 GMT
0d 0a 0d 0a
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 30 Oct 2002 06:34:56 GMT
Content-Length: 1863
.

There is a separator 0d 0a 0d 0a between the two blocks of headers. My program just gets stuck at the separator and couldn't get the following HTTP/1.1 200 OK ...

If I change it to non-blocking, SSL_read() doesn't hang any more, but it keeps getting the SSL_ERROR_WANT_READ error; if I keep calling SSL_read, it keeps getting SSL_ERROR_WANT_READ and doesn't return valid data.

Can anyone help me on this? I tried to post messages on different sites in the last two weeks and didn't get much response.

Thanks
Lin
Re: Please help: SSL_read() hang after read http 100 continue header
On Wed, Nov 13, 2002 at 09:53:34AM -0800, Lin Ma wrote:
> I have a client program using OpenSSL to send a request to and receive a response from a web server. SSL_read hangs if the web server sends the following headers. The following is the header dump without SSL. I think the problem is the separator 0d 0a 0d 0a between the two blocks of headers.

No. The SSL layer does not care about the data transferred, whether it is line oriented or not.

> ...
> You can see, it is like
> HTTP/1.1 100 Continue
> Server: Microsoft-IIS/5.0
> Date: Wed, 30 Oct 2002 06:34:56 GMT
> 0d 0a 0d 0a
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Wed, 30 Oct 2002 06:34:56 GMT
> Content-Length: 1863
> .
> There is a separator 0d 0a 0d 0a between the two blocks of headers. My program just gets stuck at the separator and couldn't get the following HTTP/1.1 200 OK ...
>
> If I change it to non-blocking, SSL_read() doesn't hang any more, but it keeps getting the SSL_ERROR_WANT_READ error; if I keep calling SSL_read, it keeps getting SSL_ERROR_WANT_READ and doesn't return valid data.

This means that no data has been received, or at least not enough data to complete the TLS record. SSL_read() is waiting for (more) data. Use ssldump to analyze the traffic.

What platform are you working on? Windows or UNIX? Can you try your program on another platform? Microsoft IIS is not known to be free of errors, but it seems to work well enough that I don't think the problem is caused by the server side.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
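Since, as the reply notes, the TLS layer is indifferent to the bytes it carries, the place to look is how the client parses them. As an added example (not from the thread), a Python parser that treats the 100 Continue block as an interim response and only stops reading once the final response and its Content-Length body have arrived; the input is rebuilt from the dump above, with a constructed 11-byte body standing in for the 1863-byte document.

```python
"""Reading an HTTP/1.1 reply that carries an interim '100 Continue' before the
real response.  Added example, not code from the thread; the bytes below are
rebuilt from the hex dump in the post, with a short constructed body in place
of the 1863-byte document."""
from typing import Dict, Optional, Tuple

CAPTURE = (
    b"HTTP/1.1 100 Continue\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 30 Oct 2002 06:34:56 GMT\r\n"
    b"\r\n"                     # the 0d 0a 0d 0a the post asks about
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 30 Oct 2002 06:35:07 GMT\r\n"
    b"Content-Length: 11\r\n"   # dump says 1863; constructed body is 11 bytes
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Hello, TLS!"
)

Head = Tuple[int, Dict[str, str], bytes]


def parse_head(buf: bytes) -> Optional[Head]:
    """Split one status line plus headers off the front of buf.
    Returns (status, headers, remaining bytes), or None if the terminating
    blank line has not arrived yet (the caller must read more)."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = buf[:end].split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        raise ValueError("malformed status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return int(parts[1]), headers, buf[end + 4:]


def naive_status(buf: bytes) -> Optional[int]:
    """What a parser that stops at the first blank line sees: status 100.
    It then waits for a body that a 1xx response never carries, so a blocking
    SSL_read() hangs and a non-blocking one keeps returning WANT_READ."""
    head = parse_head(buf)
    return None if head is None else head[0]


def final_response(buf: bytes) -> Optional[Head]:
    """RFC 2616 10.1: a client must accept one or more 1xx responses before
    the regular response.  Skip interim responses, then return the final
    status, headers and Content-Length body; None means 'read more first'."""
    while True:
        head = parse_head(buf)
        if head is None:
            return None
        status, headers, buf = head
        if 100 <= status < 200:
            continue  # interim response: no body, not the answer to our request
        length = int(headers.get("content-length", "0"))
        if len(buf) < length:
            return None  # body still incomplete
        return status, headers, buf[:length]


def read_loop(stream: bytes, chunk: int) -> Optional[Tuple[int, int]]:
    """Drive final_response() the way a read loop would: append each chunk the
    transport hands back, retry the parse, stop once the reply is complete.
    Returns (status, number of reads) or None if the stream ended early."""
    buf, reads = b"", 0
    for i in range(0, len(stream), chunk):
        buf += stream[i:i + chunk]
        reads += 1
        done = final_response(buf)
        if done is not None:
            return done[0], reads
    return None


if __name__ == "__main__":
    print("first blank line only:", naive_status(CAPTURE))
    print("after skipping 1xx:   ", final_response(CAPTURE)[0])
    print("in 50-byte reads:     ", read_loop(CAPTURE, 50))
```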
IMPORTANT: Please try these specific snapshots
As we're starting up our release process again, we'd need to have as many as possible test the latest snapshots for us. I can personally cover Debian GNU/Linux on i386.

-- 0.9.6h:

One of the upcoming releases will be 0.9.6h (basically to fix all bugs that have been found in 0.9.6g and in the development branches), which will happen very soon (we haven't set a fixed date yet, but my personal guess is early next week). Therefore, the most urgent snapshots to test are:

openssl-0.9.6-stable-SNAP-200211xx.tar.gz      non-engine version
openssl-e-0.9.6-stable-SNAP-200211xx.tar.gz    engine version

where 'xx' really is the highest day number you can find. At the point of writing, it's '12', but tomorrow, it will be '13'. I'm trying to keep the engine version as tightly synchronised with the non-engine version as I possibly can.

-- 0.9.7:

OpenSSL version 0.9.7 is also on its way, starting Tuesday next week when we hope to get beta 4 rolling (it will depend on a certain patch that will hopefully be sent to us very soon). We expect that release to have problems, considering everything that has gone in since beta 3, so we will not call that a final beta. Instead, we're giving it about two weeks to get thoroughly tested, and will then release beta 5 December 3rd. That one will hopefully be a final beta, and we're giving it a week for tests, and have a full release on December 10th.

-- In summary:

Starting now: please try every snapshot you can, as often as you can. The current important snapshot names are:

openssl-0.9.6-stable-SNAP-2002mmdd.tar.gz
openssl-e-0.9.6-stable-SNAP-2002mmdd.tar.gz
openssl-0.9.7-stable-SNAP-2002mmdd.tar.gz

where 'mmdd' is the current month and day numbers.

Between now and November 19 (included):  Release of 0.9.6h
November 19:  Release of 0.9.7 beta 4
December 3:   Release of 0.9.7 beta 5 (hopefully beta)
December 10:  Release of 0.9.7

NOTE: during the beta testing periods, we may ask for targeted tests of snapshots.

It would be nice if people who're willing to help could make themselves known.

Updates will be available on the web: http://www.openssl.org/news/state.html

--
Richard Levitte
[openssl.org #230] [BUG 0.9.6] RAND_poll on Winnt is not thread safe with ODBC
I applied the required changes from 0.9.7-stable. This ticket is now resolved.

[[EMAIL PROTECTED] - Sun Aug 18 12:30:48 2002]:
> Here is some info on this subject
>
> In crypto/rand/rand_win.c
>   RegQueryValueEx(HKEY_PERFORMANCE_DATA, "Global", ...
> is called. This call locks registry access (_PredefinedHandleTableCriticalSection) and then loads the performance dll using LoadLibraryEx and GetProcAddress (requires _LoadCriticalSection). If another thread at this time is calling ODBC initialization, the process becomes deadlocked. This happens due to DllMain of ODBCCP32.DLL, which calls
>   RegQueryValueEx(HKEY_LOCAL_MACHINE, ...
>
> In the deadlock situation the DllMain of ODBCCP32.DLL has a lock on _LoadCriticalSection, and is waiting on _PredefinedHandleTableCriticalSection. But the call from rand_win.c has a lock on _PredefinedHandleTableCriticalSection and is waiting on critical section _LoadCriticalSection.
>
> _LoadCriticalSection is in this place (is probably the same object in all threads)
>   mov  eax,fs:[0018]
>   mov  eax,dword ptr [eax+30h]
>   push dword ptr [eax+0A0h]   <- ptr to CriticalSectionObject
>
> I don't know if this is a problem of calling RegQueryValueEx in DllMain or of RegQueryValueEx holding a lock on the registry during Performance Dll initialization. This must be solved by Microsoft.
>
> Here are some comments about this in crypto/rand/rand_win.c from the 0.9.7 snapshot
>
>   /* It appears like this can cause an exception deep within ADVAPI32.DLL
>    * at random times on Windows 2000.  Reported by Jeffrey Altman.
>    * Only use it on NT.
>    */
>   /* Wolfgang Marczy [EMAIL PROTECTED] reports that
>    * the RegQueryValueEx call below can hang on NT4.0 (SP6).
>    * So we don't use this at all for now.
>    */
>   #if 0
>   if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT
>
> This #if 0 must be used in 0.9.6 to use openssl in a multithreaded ODBC application. Without this my application becomes deadlocked every time I reboot the computer (every computer with NT4.0 SP6 MDAC2.6 I tried) and sometimes during heavy disk usage.
>
> Please make some FAQ of this (calls to RAND_poll must be serialized) or don't use RegQueryValueEx(HKEY_PERFORMANCE_DATA) at all.
>
> Milan Dadok
> e-mail: [EMAIL PROTECTED]

--
Richard Levitte
[openssl.org #233] build fails on Mac OS X Server 1.x (Rhapsody)
Please try an 0.9.6 snapshot, and tell us if that helped.

[[EMAIL PROTECTED] - Tue Aug 20 08:44:07 2002]:
> I'm attempting to build openSSL on a Mac OS X Server 1.2v3 system a/k/a Rhapsody. Apple's cc version cc-783.1, based on gcc version 2.7.2.1
>
> All goes well until the link step when I get an undefined symbol message from ld in building openssl itself:
>
> cc -o openssl -DMONOLITH -I../include -O3 -DB_ENDIAN openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.. -lssl -L.. -lcrypto
> /usr/bin/ld: Undefined symbols:
> _ftime
> make[1]: *** [openssl] Error 1
> make: *** [sub_all] Error 1
>
> Upon further investigation, it appears that Apple didn't include the compatibility library binary with the system, though they did ship a man page for ftime( ).
>
> Are there any work-arounds for this? It looks like you could roll your own ftime() using gettimeofday() easily enough. I'd need some guidance in adding it to the makefiles, though.
>
> TIA
> Regards,
> Milo
> --
> Milo Velimirovic [EMAIL PROTECTED]
> Unix Computer Network Administrator (608) 785-6618
> University of Wisconsin - La Crosse
> La Crosse, Wisconsin 54601 USA
> 43 48 05 N 91 14 22 W

--
Richard Levitte
[openssl.org #241] MacOS compilation bugs in OpenSSL 0.9.6g
[[EMAIL PROTECTED] - Thu Aug 22 08:48:58 2002]:
> I'm building OpenSSL 0.9.6g on MacOS 9, using the CodeWarrior 8 compiler. I've found three minor compilation problems.
>
> In MacSocket.cp and MacSocket.h, the buffer parameter for MacSocket_send is declared void * when it should be const void *.

Fixed and committed.

> In randfile.c, the macro NO_SYS_TYPES_H is used before openssl/e_os.h is included. For mac builds, NO_SYS_TYPES_H is defined in e_os.h. Perhaps it should be defined instead in the prefix files, or maybe the order of the inclusions in randfile.c is wrong.

Fixed and committed.

> And finally, idea_lcl.h has, according to the IDE, inconsistent line endings. Apparently this confuses the compiler as well, because when the macro E_IDEA is expanded, the compiler erroneously leaves in the last three backslashes. Normalizing the line endings allows i_cbc.c to compile.

I don't understand. Please show me what change is needed.

--
Richard Levitte
[openssl.org #243] OpenSSL 0.9.6g fail on IBM OS/390
Hi,

[[EMAIL PROTECTED] - Thu Oct 10 20:39:27 2002]:
> 2. Failure! Has to do with selftest.pl looking for a last line in maketest.log for platform name. May be related to other issues shown below.
>
> 3. make: Makefile.ssl: line 238: Warning -- FSUM9433 Duplicate entry [../include/openssl/e_os.h] in prerequisite list
>
> We are concerned about this.

Just a warning, meaning there is (was?) a double dependency on e_os.h. I believe that can safely be ignored... Which Makefile.ssl, BTW?

> 4. 2006 file=./engine_list.c, line=399, number=72, address=1C1E67C8
> 72 bytes leaked in 1 chunks
>
> We are concerned about this.

That was recently fixed, please try the latest 0.9.6 snapshot.

--
Richard Levitte
[openssl.org #257] openssl-0.9.7-beta3 on Irix
There have been some changes lately, so could you try the latest 0.9.7 snapshot and see if that works better?

[[EMAIL PROTECTED] - Wed Aug 28 21:40:37 2002]:

Hi, I have a problem with `make test' on Irix 6.5.15 (cc used):

NIST curve P-384 -- Generator:
x = 0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7
y = 0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F
verify group order ok
NIST curve P-521 -- Generator:
x = 0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
y = 0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
verify group order ...ectest.c:520: ABORT
make[2]: *** [test_ec] Error 1
make[2]: Leaving directory `/software/scratch/openssl-0.9.7-beta3/test'

Do you know what it means?

-- Richard Levitte
[openssl.org #277] COMP_zlib Problem
OK, it's been some time, I haven't heard anything about this. So, I'll assume all is well, and resolve this ticket. If there are any more problems with COMP_zlib, don't hesitate to send in a new bug report.

[levitte - Fri Oct 4 15:19:38 2002]:

[jaenicke - Tue Sep 10 10:15:16 2002]:

However: If COMP_zlib() fails, a pointer to the zlib_method_nozlib structure is returned. This is also a valid pointer (not a NULL pointer), but it does not provide any compression at all. Its type is NID_undef, which in turn is 0.

From the code, it seems that this would be the result with ZLIB_SHARED and COMP_zlib() being called more than once. zlib_loaded is true (successfully loaded the first time) and then meth is not set to zlib_method again...

Thanks for identifying the bug. I just committed a fix, please try it.

-- Richard Levitte
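To make the reported failure mode concrete, here is an added example that simulates the two shapes of COMP_zlib() described in this ticket with stand-in structures. It is my own code, not OpenSSL's: the sim_* names and the SIM_NID_zlib value are placeholders, and the only thing copied from the report is the logic. The buggy shape selects the real method only inside the load branch, so a second call after zlib_loaded has been set falls through and returns the do-nothing method; the fixed shape selects by the flag alone. The caller-side check shows why a non-NULL COMP method still has to be tested for NID_undef.

```c
#include <stddef.h>

/* Constructed stand-in for OpenSSL's COMP_METHOD: only the fields the bug
 * involves. NID_undef is 0 in OpenSSL; the zlib NID here is a placeholder. */
typedef struct {
    int type;
    const char *name;
} sim_comp_method;

#define SIM_NID_undef 0
#define SIM_NID_zlib  1   /* placeholder, not OpenSSL's real NID value */

static const sim_comp_method sim_method_nozlib = { SIM_NID_undef, "(undef)" };
static const sim_comp_method sim_method_zlib   = { SIM_NID_zlib,  "zlib" };

static int sim_zlib_loaded = 0;   /* mirrors zlib_loaded in the report */
static int sim_load_calls = 0;    /* how often the "shared library" was loaded */

/* Stand-in for dynamically loading the shared zlib; always succeeds here. */
static int sim_load_zlib(void)
{
    sim_load_calls++;
    return 1;
}

/* Shape of the bug described in the ticket: meth only becomes the real
 * method inside the load branch, so once the loaded flag is set, every
 * later call returns the no-op method. */
const sim_comp_method *sim_comp_zlib_buggy(void)
{
    const sim_comp_method *meth = &sim_method_nozlib;
    if (!sim_zlib_loaded) {
        if (sim_load_zlib()) {
            sim_zlib_loaded = 1;
            meth = &sim_method_zlib;
        }
    }
    return meth;
}

/* Fixed shape: which method is returned depends only on the loaded flag. */
const sim_comp_method *sim_comp_zlib_fixed(void)
{
    if (!sim_zlib_loaded && sim_load_zlib())
        sim_zlib_loaded = 1;
    return sim_zlib_loaded ? &sim_method_zlib : &sim_method_nozlib;
}

/* Caller-side check: a non-NULL method can still be the do-nothing one,
 * so test the type, not just the pointer. */
int sim_comp_method_usable(const sim_comp_method *m)
{
    return m != NULL && m->type != SIM_NID_undef;
}

/* Reset the simulated process state between scenarios. */
void sim_comp_reset(void)
{
    sim_zlib_loaded = 0;
    sim_load_calls = 0;
}

/* Returns 1 if the second call to fn still yields a usable method. */
int sim_second_call_usable(const sim_comp_method *(*fn)(void))
{
    sim_comp_reset();
    (void)fn();
    return sim_comp_method_usable(fn());
}

int sim_load_call_count(void)
{
    return sim_load_calls;
}
```

The second-call test is the one that matters: both shapes return a usable method on the first call, and both load the library exactly once, which is why the defect only shows up when COMP_zlib() is called more than once in a process.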
[openssl.org #306] EVP_xxx_{cfb,ofb} problems in openssl 0.9.7-beta3
The actual bug in this ticket has been fixed. However, it also contains a proposal on a generalised modes hack, which is a different matter. Therefore, instead of simply resolving this ticket, I'm changing the milestone keyword from 0.9.7 to 0.9.8.

-- Richard Levitte
[openssl.org #309] how to port openssl 0.9.6g onto VxWorks
Please try the latest 0.9.6 snapshot, there's been some work done on the VxWorks parts. I'll kill this ticket. If you find bugs in the snapshot, please file a new bug report.

[[EMAIL PROTECTED] - Mon Oct 21 09:02:54 2002]:

Hi All, I want to port openssl 0.9.6g onto VxWorks, but I don't know how to do it, could you tell me how to do it in detail? Thanks in advance!

-- Richard Levitte
Re: OpenSSL and compression using ZLIB
6.2.2. Record compression and decompression

[snip snip]

The compression algorithm translates a TLSPlaintext structure into a TLSCompressed structure. Compression functions are initialized with default state information whenever a connection state is made active.

The connection is active the whole time, isn't it? I don't see any language to suggest that the connection becomes inactive between blocks. IMO, the SSL engine should only force a sync from zlib when the input queue empties. I see no reason it should ever reset the dictionary for as long as a connection remains.

Oops, I meant 2246. And reading it more carefully, I agree with your interpretation. The dictionary need not be reset. Compression state can and should be maintained across records. Did anyone do an rfc-draft for deflate in tls?
Re: [openssl.org #241] MacOS compilation bugs in OpenSSL 0.9.6g
I don't understand. Please show me what change is needed.

Some of the lines in the file end with LF (or maybe it was CR; I've forgotten), others end with CRLF. And it appears that CodeWarrior gets used to the one-byte ending, so \CRLF in a macro is interpreted as an escaped CR followed by an unescaped LF, which terminates the macro. The fix is to change all the line endings to any of CR, LF, or CRLF.

Thanks for the other changes.

--Lisa
[openssl.org #241] MacOS compilation bugs in OpenSSL 0.9.6g
[[EMAIL PROTECTED] - Thu Nov 14 01:27:18 2002]:

The fix is to change all the line endings to any of CR, LF, or CRLF.

OK, this is weird. I've now looked pretty thoroughly at that file, including the change history. It hasn't changed since February 3rd 2000. There are no CRs, only LFs as line endings. I also checked for the other possibility, a backslash followed by a space or a tab. None of that. The only conclusion I can make is that something went wrong during transfer or unpacking of the OpenSSL distribution. I'd like to ask you to fetch the latest 0.9.6 snapshot and test it.

Thanks for the other changes.

You're welcome.

-- Richard Levitte
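Lisa's explanation and Richard's inspection of the file disagree about what the line endings were, so here is the check a practitioner would run on the unpacked file before answering such a report. It is an added example, my own code and not part of OpenSSL: a scanner that classifies every line terminator in a buffer as LF, CRLF or lone CR, and, when a file mixes styles, counts the backslash continuations that use a non-dominant terminator, which is exactly the "\CRLF read as escaped CR plus unescaped LF" situation Lisa describes. The sample macro text is constructed and merely resembles the E_IDEA case.

```c
#include <stddef.h>
#include <string.h>

typedef struct {
    size_t lf, crlf, cr;                /* line terminators seen, by kind */
    size_t cont_lf, cont_crlf, cont_cr; /* a backslash immediately before each kind */
} eol_stats;

/* Scan buf[0..len) and classify every line terminator. A backslash directly
 * before a terminator is a macro continuation; a compiler that expects a
 * one-byte terminator reads "\" CR LF as an escaped CR followed by a bare LF,
 * which ends the macro early. */
eol_stats scan_line_endings(const char *buf, size_t len)
{
    eol_stats s = {0, 0, 0, 0, 0, 0};
    size_t i;
    for (i = 0; i < len; i++) {
        int cont = (i > 0 && buf[i - 1] == '\\');
        if (buf[i] == '\r') {
            if (i + 1 < len && buf[i + 1] == '\n') {
                s.crlf++;
                if (cont) s.cont_crlf++;
                i++;                    /* consume the LF of the pair */
            } else {
                s.cr++;
                if (cont) s.cont_cr++;
            }
        } else if (buf[i] == '\n') {
            s.lf++;
            if (cont) s.cont_lf++;
        }
    }
    return s;
}

/* More than one terminator style in one file is the condition the IDE flagged. */
int eol_mixed(const eol_stats *s)
{
    return (s->lf > 0) + (s->crlf > 0) + (s->cr > 0) > 1;
}

/* Continuations that do not use the file's dominant terminator. Assumption:
 * the compiler settles on the dominant style, so only the others break. */
size_t eol_risky_continuations(const eol_stats *s)
{
    if (!eol_mixed(s))
        return 0;
    if (s->crlf >= s->lf && s->crlf >= s->cr)
        return s->cont_lf + s->cont_cr;
    if (s->lf >= s->cr)
        return s->cont_crlf + s->cont_cr;
    return s->cont_lf + s->cont_crlf;
}

/* Convenience wrappers for NUL-terminated text. */
int eol_mixed_str(const char *text)
{
    eol_stats s = scan_line_endings(text, strlen(text));
    return eol_mixed(&s);
}

size_t eol_risky_str(const char *text)
{
    eol_stats s = scan_line_endings(text, strlen(text));
    return eol_risky_continuations(&s);
}

/* Constructed sample: a multi-line macro whose second continuation uses CRLF
 * while the rest of the file uses LF. */
static const char sample_mixed_macro[] =
    "#define SAMPLE_ROUND(x1, x2) \\\n"
    "\t(x1) &= 0xffff; \\\r\n"
    "\t(x2) &= 0xffff;\n";

size_t eol_demo_risky(void)
{
    return eol_risky_str(sample_mixed_macro);
}
```

Run over a file read in binary mode (text mode on Windows or classic Mac OS would already have normalised the terminators and hidden the problem); a non-zero risky count on a header full of continuation macros is the signature of the report above, and a zero count with no mixing matches what Richard saw in the repository copy.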
[openssl.org #43] Double Free Error
Is this still an issue, even if testing the latest snapshot? If not, I will consider this ticket resolved.

[[EMAIL PROTECTED] - Thu May 30 19:28:13 2002]:

Hi, Just wanted you to know that I'm still having problems with DER format certificates. A more thorough inspection turned up additional double free errors in the same directory :(

Best Rgds, -H-

On Thu, 30 May 2002, Richard Levitte via RT wrote:

[[EMAIL PROTECTED] - Fri May 17 19:50:59 2002]:

Installed openssl-0.9.6d source and built it locally. Built a PEM certificate for testing U of W IMAP with SSL. SSL didn't work, wouldn't accept the certificate. Discovered that code still has a double free bug that was reported back in 2000? :((

Unfortunately, we didn't have a ticket system until just recently, so some reports got lost. Very sorry about that...

Fixed double free by hand by setting pointer to NULL after call to xxx_free in three locations. IMAP with SSL now appears to work.

I just committed the suggested change. Thanks for the report.

-- Richard Levitte
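The fix described in this thread, setting the pointer to NULL after xxx_free(), as an added example with a stand-in object. This is my own code, not OpenSSL's, and the sim_cert type and sim_* functions are constructed: a load routine with an early error path and a common cleanup label, where a free-and-clear macro turns the second free into a no-op because xxx_free()-style functions accept NULL. The buggy shape is shown only in a comment, since executing a double free is undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an OpenSSL object with its own xxx_free(). */
typedef struct {
    unsigned char *der;
    size_t len;
} sim_cert;

static int sim_free_calls = 0;   /* counts real (non-NULL) frees */

sim_cert *sim_cert_new(size_t len)
{
    sim_cert *c = malloc(sizeof *c);
    if (c == NULL)
        return NULL;
    c->der = malloc(len);
    if (c->der == NULL) {
        free(c);
        return NULL;
    }
    memset(c->der, 0x30, len);   /* constructed filler, not real DER */
    c->len = len;
    return c;
}

/* Like OpenSSL's xxx_free() functions: NULL is accepted and does nothing. */
void sim_cert_free(sim_cert *c)
{
    if (c == NULL)
        return;
    sim_free_calls++;
    free(c->der);
    free(c);
}

/* The pattern from the ticket: free and clear in one step, so a second
 * cleanup of the same variable is a harmless no-op instead of a double free. */
#define SIM_CERT_FREE_AND_NULL(p) do { sim_cert_free(p); (p) = NULL; } while (0)

/* Buggy shape (deliberately not executed; frees c twice when fail != 0):
 *     if (fail) { sim_cert_free(c); goto err; }
 *     ...
 * err:
 *     sim_cert_free(c);
 */

/* Load-and-validate routine with an early error path and common cleanup.
 * Returns 0 on success and -1 on the simulated failure; *frees_out receives
 * the number of real frees that happened, which must be exactly one. */
int sim_load_cert(int fail, int *frees_out)
{
    int ret = -1;
    sim_cert *c = sim_cert_new(32);
    sim_free_calls = 0;
    if (c == NULL)
        return -1;
    if (fail) {
        SIM_CERT_FREE_AND_NULL(c);   /* early release on the error path */
        goto err;
    }
    ret = (c->len == 32) ? 0 : -1;
err:
    SIM_CERT_FREE_AND_NULL(c);       /* common cleanup: no-op if already NULL */
    if (frees_out != NULL)
        *frees_out = sim_free_calls;
    return ret;
}

int sim_frees_on_failure(void)
{
    int f = -1;
    (void)sim_load_cert(1, &f);
    return f;
}

int sim_frees_on_success(void)
{
    int f = -1;
    (void)sim_load_cert(0, &f);
    return f;
}
```

The free counter is what a reviewer would look at: on both the success and the failure path the object is released exactly once, and the only thing standing between the error path and a second free is the assignment to NULL.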
[openssl.org #308] A bug when end-of line is not present in the conf file
I just committed a fix. Please test tomorrow's snapshot. This ticket is now resolved.

[[EMAIL PROTECTED] - Fri Oct 18 14:43:31 2002]:

Hi. I am using OpenSSL 0.9.6g under Windows NT. I would like to report that OpenSSL does NOT read the last line of the conf file if eol (cr) is not present. Hope that someone will get use of it.

-- Richard Levitte
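An added example of the defect this ticket describes and its fix, written as a small constructed "key = value" reader rather than OpenSSL's own conf parser (the names conf_parse_buggy, conf_parse_fixed and conf_entry are mine). The buggy loop only consumes text up to each '\n', so a final line without a terminator is never examined; the fixed variant parses whatever remains after the loop. Trailing CR is stripped as well, so CRLF files from Windows, where the report came from, parse cleanly.

```c
#include <stddef.h>
#include <string.h>

#define CONF_MAX_KEY 64
#define CONF_MAX_VAL 128

typedef struct {
    char key[CONF_MAX_KEY];
    char val[CONF_MAX_VAL];
} conf_entry;

/* Copy [b, e) into out with surrounding blanks (and a trailing CR) removed;
 * truncates silently to the capacity. */
static void copy_trimmed(const char *b, const char *e, char *out, size_t cap)
{
    size_t n;
    while (b < e && (*b == ' ' || *b == '\t'))
        b++;
    while (e > b && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\r'))
        e--;
    n = (size_t)(e - b);
    if (n >= cap)
        n = cap - 1;
    memcpy(out, b, n);
    out[n] = '\0';
}

/* Parse one "key = value" line in [b, e); returns 1 if an entry was produced.
 * Blank lines and '#' comments are skipped. */
static int parse_line(const char *b, const char *e, conf_entry *ent)
{
    const char *eq;
    while (b < e && (*b == ' ' || *b == '\t'))
        b++;
    if (b == e || *b == '#' || *b == '\r')
        return 0;
    eq = memchr(b, '=', (size_t)(e - b));
    if (eq == NULL)
        return 0;
    copy_trimmed(b, eq, ent->key, sizeof ent->key);
    copy_trimmed(eq + 1, e, ent->val, sizeof ent->val);
    return 1;
}

/* Constructed parser with the reported defect: it only ever consumes text up
 * to a '\n', so a final line with no terminator is never looked at. */
size_t conf_parse_buggy(const char *text, conf_entry *out, size_t max)
{
    size_t n = 0;
    const char *p = text, *nl;
    while (n < max && (nl = strchr(p, '\n')) != NULL) {
        n += parse_line(p, nl, &out[n]);
        p = nl + 1;
    }
    return n;
}

/* Fixed: whatever is left between the last '\n' and the NUL is the last line. */
size_t conf_parse_fixed(const char *text, conf_entry *out, size_t max)
{
    size_t n = 0;
    const char *p = text, *nl;
    while (n < max && (nl = strchr(p, '\n')) != NULL) {
        n += parse_line(p, nl, &out[n]);
        p = nl + 1;
    }
    if (n < max && *p != '\0')
        n += parse_line(p, p + strlen(p), &out[n]);
    return n;
}

/* Helpers: entry counts per parser, and a check on the last parsed value. */
size_t conf_count_buggy(const char *text)
{
    conf_entry e[16];
    return conf_parse_buggy(text, e, 16);
}

size_t conf_count_fixed(const char *text)
{
    conf_entry e[16];
    return conf_parse_fixed(text, e, 16);
}

int conf_fixed_last_val_is(const char *text, const char *expect)
{
    conf_entry e[16];
    size_t n = conf_parse_fixed(text, e, 16);
    return n > 0 && strcmp(e[n - 1].val, expect) == 0;
}
```

The same class of bug appears with fgets()-based readers: the final line comes back without a '\n', and a loop that treats "no newline yet" as "line incomplete, keep reading" drops it silently. A missing last line in a config file is worth treating as a security issue in its own right, since it is typically the most recently added directive that goes missing.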
[openssl.org #326] BUG: i2d_X509_fp() doesn't return number cert length
I believe your understanding is incorrect. i2d_X509() should, and does, return the length of the result. i2d_X509_fp() and i2d_X509_bio() are different in that respect. This ticket is now resolved.

[[EMAIL PROTECTED] - Fri Nov 1 08:53:47 2002]:

Hi, I'm running openssl-0.9.6g (on WinXP, compiled with VC6 and masm). As I understand it, the i2d_X509_fp function should return the cert length (in bytes) upon success. It doesn't, 1 is always returned. When I stepped into the code, I end up in a function called ASN1_i2d_bio (a_i2d_fp.c). This function always returns 1 upon success. I think it should return 'i', from the last BIO_write() call.

Thanks, Jonas Sundgren

PS. Please hide my email address if this message is published somewhere--I don't want spam mails!

-- Richard Levitte