SSLeay_add_all_algorithms usage problem?
Hi All,

I am writing a function in which I am calling these lines:

    void Func()
    {
        SSLeay_add_all_algorithms();
        ERR_load_crypto_strings();

        // Now just free this.
        ERR_free_strings();
        CRYPTO_cleanup_all_ex_data(); // I don't know if it can do the thing.
    }

At the end of execution I am informed from compiler about a long list of memory leaks. I want to know what is to be done to free SSLeay_add_all_algorithms();

Regards,
Muhammad Aftab Alam

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: SSLeay_add_all_algorithms usage problem?
Hi Again,

I just went through FAQ and found out that if I call EVP_cleanup() then the identified leaks go away, but now when I call

    int nVal = PKCS12_parse(pPKCS12, password, &pPrivateKey, &pSignerCert, &pskSignerCertChain);
    if (nVal == PKCS12_ERROR)
    {
        cout << "Error Parsing PKCS12" << endl;
    }
    if (buffer) delete[] buffer;
    if (pPrivateKey) EVP_PKEY_free(pPrivateKey);
    if (pSignerCert) X509_free(pSignerCert);
    if (pPKCS12) PKCS12_free(pPKCS12);
    // sk_X509_free() releases the stack itself, not the X509 objects it holds
    if (pskSignerCertChain) sk_X509_free(pskSignerCertChain);
    //ERR_remove_state()
    EVP_cleanup();
    ERR_free_strings();
    CRYPTO_cleanup_all_ex_data();

there is a list of memory leaks. Please let me know what I am doing wrong or point me to some existing post or documentation.

Regards,
Muhammad Aftab Alam.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aftab Alam
Sent: Friday, April 15, 2005 3:03 PM
To: openssl-users@openssl.org
Subject: SSLeay_add_all_algorithms usage problem?
Re: build openssl with debug information available
Hi,

I would like to add more information to the second question. I built openssl successfully by following the install.w32 instructions and tested the build without any problem. When I tried to run sign.c in VC v7 IDE environment, the program crashes. I did change the compiler option to /MTd and it did not work. Any help is appreciated.

hao

--- hao chen [EMAIL PROTECTED] wrote:

> Hi Friends,
>
> I highly appreciate if someone let me know how to build openssl with debug information available such that I can use it in debug mode. Also if any one has successful experience to run openssl sign.c test program in VC v7 (.Net visual studio), could please post some of the procedures must be done to make it work.
>
> thanks!
> hao
OpenSSL Bus Error from Stunnel 4.05 on Solaris
Hi,

I'm experiencing odd behaviour which results in a bus error core dump on Solaris. I'm using OpenSSL as the SSL provider for stunnel 4.05. I can successfully start stunnel to open a tunnel to one host, eg:

    accept=localhost:4445
    connect=host.domain.com:14445

but I get a bus error core dump in OpenSSL on starting stunnel when I try and open a tunnel to a different host, eg:

    accept=localhost:4445
    connect=hostUAT.domain.com:14445

Backtrace as follows:

    (gdb) where
    #0  0x000b83e8 in engine_table_select ()
    #1  0x0006e514 in RAND_status ()
    #2  0x00030770 in prng_seeded (bytes=0) at ssl.c:284
    #3  0x00030678 in init_prng () at ssl.c:182
    #4  0x00030378 in context_init () at ssl.c:79
    #5  0x0003185c in main_execute () at stunnel.c:102
    #6  0x00031780 in main (argc=0, argv=0xffbef684) at stunnel.c:72

Environment is OpenSSL 0.9.7b from Stunnel 4.05 on Solaris 8.

What might cause a host name change to result in a bus error from the random number generator code?

Regards,
Andrew Gubb
Re: build openssl with debug information available
In openssl's directory, you should try the following steps as described in INSTALL.W32:

1. perl Configure VC-WIN32
2. ms\do_ms
3. Edit ms\ntdll.mak or ms\nt.mak, modify -MD to -MDd
4. nmake -f ms\ntdll.mak

p.s. The EVP_SignXXX functions work well. Try checking your own code.

On 4/15/05, hao chen [EMAIL PROTECTED] wrote:
Re: build openssl with debug information available
Hi Tiange,

I also would like to know how to add an option such that the built DLL has debug information. So far I did not write any code by using openssl. Just tried to run the sign.c in the demo directory shipped with openssl. It is compiled fine but runs into crashing. Any one know if the sign.c demo code works?

thanks
hao

--- Si Tiange [EMAIL PROTECTED] wrote:
mod_ssl/OpenSSL crashing Safari 1.2.4
Hi All,

I'm having some problems with https and Safari. OpenSSL 0.9.7a, mod_ssl 2.8.22, Apache 1.3.33. Fedora Core 3 + cPanel.

The Safari log can be found at http://www.wildgardenseed.com/Taj/Safari-log.txt

Any ideas? This has been driving people nuts (because when they try to order, Safari crashes :(). Here's the log from Apache:

[04/Mar/2005 21:27:02 15733] [info] Connection to child 11 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:27:02 15733] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:27:12 15733] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[04/Mar/2005 21:27:12 15070] [info] Connection to child 5 closed with standard shutdown (server www.wildgardenseed.com:443, client 24.44.233.113)
[04/Mar/2005 21:27:12 14093] [info] Connection to child 7 closed with standard shutdown (server www.wildgardenseed.com:443, client 24.44.233.113)
[04/Mar/2005 21:29:09 11206] [info] Connection to child 4 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:09 11206] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:09 11206] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[04/Mar/2005 21:29:09 11206] [error] System: Connection reset by peer (errno: 104)
[04/Mar/2005 21:29:09 15904] [info] Connection to child 11 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:09 15904] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:12 15904] [info] Connection: Client IP: 17.232.17.122, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[04/Mar/2005 21:29:12 15904] [info] Initial (No.1) HTTPS request received for child 11 (server www.wildgardenseed.com:443)
[04/Mar/2005 21:29:12 14158] [info] Connection to child 2 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:12 14158] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:12 15904] [info] Connection to child 11 closed with unclean shutdown (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:13 14158] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[04/Mar/2005 21:29:13 14158] [error] System: Connection reset by peer (errno: 104)
[04/Mar/2005 21:29:13 14155] [info] Connection to child 0 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:13 14155] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:13 14155] [info] Connection: Client IP: 17.232.17.122, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[04/Mar/2005 21:29:13 14155] [info] Initial (No.1) HTTPS request received for child 0 (server www.wildgardenseed.com:443)
[04/Mar/2005 21:29:13 14155] [info] Connection to child 0 closed with unclean shutdown (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:14 11206] [info] Connection to child 4 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:14 11206] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:14 15906] [info] Connection to child 13 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:14 15906] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:14 15907] [info] Connection to child 14 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:14 15907] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:14 15908] [info] Connection to child 15 established (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:14 15908] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2005 21:29:14 11206] [info] Connection: Client IP: 17.232.17.122, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[04/Mar/2005 21:29:14 15906] [info] Connection: Client IP: 17.232.17.122, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[04/Mar/2005 21:29:14 15907] [info] Connection: Client IP: 17.232.17.122, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[04/Mar/2005 21:29:14 15906] [info] Initial (No.1) HTTPS request received for child 13 (server www.wildgardenseed.com:443)
[04/Mar/2005 21:29:14 15906] [info] Connection to child 13 closed with unclean shutdown (server www.wildgardenseed.com:443, client 17.232.17.122)
[04/Mar/2005 21:29:14 15907] [info] Initial (No.1) HTTPS request received for child 14 (server www.wildgardenseed.com:443)

Thanks!
--
Taj
Confusion about SSL_ERROR_WANT_READ/WRITE
I have an app where reads and writes happen from different threads. Now, ideally, one would envision that I just replace the reads/writes with SSL_read/SSL_write. Now I know it is not as simple as that.

What exactly is the meaning of the SSL_ERROR_WANT_READ/WRITE errors?

If I get a WANT_READ from an SSL_read, I guess that means I need to read more data but no data is available on the socket yet. So I basically poll/select waiting for more data to arrive before I can reissue the SSL_read. Is that right?

If I get a WANT_WRITE from an SSL_read, does that mean that I need to do an SSL_write before I can reissue the SSL_read? And if so, what if I have no data to write? Can I just do an SSL_write() with an empty buffer? I'm assuming it is not application data that needs to be written, but some data contained in some internal ssl buffer?

If I get a WANT_WRITE from an SSL_write, does that mean the network buffer is full and I cannot write to the socket yet? In which case, I would just poll/select until the socket becomes writable and retry the SSL_write?

What if I get a WANT_READ from an SSL_write? Does that mean that I need to do an SSL_read before I can reissue the SSL_write? Again, I'm assuming the data that needs to be read is not application data. So can I just do an SSL_read giving it a 0 length buffer? Will this cause whatever data that is stored in the ssl buffers to be processed without reading data off the network (since I have a separate thread for reading and processing application data)?

Ed
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
What's wrong with select? Or are you using java that does not support select()?

On Fri, 2005-04-15 at 18:24, Edward Chan wrote:

> I have an app where reads and writes happen from different threads. Now, ideally, one would envision that I just replace the reads/writes with SSL_read/SSL_write. Now I know it is not as simple as that.
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
On Fri, Apr 15, 2005, Edward Chan wrote:

> I have an app where reads and writes happen from different threads. Now, ideally, one would envision that I just replace the reads/writes with SSL_read/SSL_write. Now I know it is not as simple as that.

If you read and write the same stream in different threads that's a problem as this isn't supported. Some people have reported success by using appropriate locking.

> What exactly is the meaning of the SSL_ERROR_WANT_READ/WRITE errors?

Irrespective of the call that returned that error it has the same meaning: the underlying transport (socket) has indicated that data cannot be currently read or written and that the call should be retried when that is possible.

So if you get SSL_ERROR_WANT_READ you might typically select on the socket until data can be read. If you get SSL_ERROR_WANT_WRITE you do the same but until data can be written: due to internal buffering you won't often see SSL_ERROR_WANT_WRITE.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: Confusion about SSL_ERROR_WANT_READ/WRITE
> I have an app where reads and writes happen from different threads. Now, ideally, one would envision that I just replace the reads/writes with SSL_read/SSL_write. Now I know it is not as simple as that.

You need to wrap each SSL connection with a lock and hold that lock when you call SSL_read or SSL_write. This will prevent concurrent accesses to the same connection from different threads, which is not supported.

> What exactly is the meaning of the SSL_ERROR_WANT_READ/WRITE errors?

[snip]

The OpenSSL connection does not have exactly the same semantics as a TCP connection. Say you try to send data before the handshaking is finished. OpenSSL cannot send any data over the socket until it reads the handshake from the other side. So a 'WANT_READ' error means that OpenSSL needs to read some encrypted data from the other side before it can write the application data you want to send.

The way you deal with these is just by not doing the thing that the error stops you from doing until you've made some forward progress. There are four things that are happening:

1) If the application wants to send some plaintext, that plaintext has to go to OpenSSL to encrypt.
2) If OpenSSL has some decrypted data, it needs to get to the application.
3) If some encrypted data is (ready on / received on) the socket, it needs to get to OpenSSL.
4) If OpenSSL has some encrypted data to send, and the socket is ready to receive, the data needs to be sent.

These operations inter-relate. Sometimes it's obvious, for example, you can't receive any decrypted data until the encrypted data is ready on the socket. However, sometimes it's not obvious.

So say you go to send some data using SSL_write and you get 'WANT_READ'. That means OpenSSL wants to read some encrypted data from the other side before it can do the send. So you could, for example, 'select' on the socket and when there's data to read, call OpenSSL again. It will then do step 3 itself.

If you go to receive some data using SSL_read and get 'WANT_WRITE', that means OpenSSL can't receive any data because it has to send some data to the other side first. So you could 'select' for write to wait for the socket buffer to drain and then call OpenSSL again.

DS
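The case described above, a WANT_READ coming back from a write before the handshake is done, can be watched directly with Python's ssl module (a wrapper over OpenSSL) by driving the TLS engine over in-memory BIOs instead of a socket. This is an added example, not code from the thread; the helper names make_client, try_write, flush_to_socket and wait_for are its own, and the "socket" is simulated by the two MemoryBIO objects.

```python
import ssl


def make_client():
    """Client-side TLS engine whose transport is a pair of memory BIOs.
    Verification is switched off only because there is no real peer here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming = ssl.MemoryBIO()   # bytes "received from the socket" (step 3)
    outgoing = ssl.MemoryBIO()   # bytes OpenSSL wants sent on the socket (step 4)
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    return tls, incoming, outgoing


def try_write(tls, outgoing, data):
    """Attempt an application write (step 1) and classify the outcome the way a
    switch on SSL_get_error() would.  Returns (status, app_bytes_written,
    bytes_queued_for_socket), status being 'ok', 'want_read' or 'want_write'."""
    try:
        n = tls.write(data)
        return ("ok", n, outgoing.pending)
    except ssl.SSLWantReadError:
        # SSL_ERROR_WANT_READ from SSL_write(): the handshake is not finished and
        # its next step is a message from the peer, so nothing was encrypted yet.
        return ("want_read", 0, outgoing.pending)
    except ssl.SSLWantWriteError:
        # SSL_ERROR_WANT_WRITE: OpenSSL must push queued bytes out first.
        return ("want_write", 0, outgoing.pending)


def flush_to_socket(outgoing):
    """Step 4: hand whatever OpenSSL queued to the transport.  Here the
    caller stands in for the socket and receives the raw TLS record bytes."""
    return outgoing.read()


def wait_for(status):
    """What the caller should select()/poll() on before retrying the call."""
    return {"want_read": "readable", "want_write": "writable"}.get(status)


def demo():
    tls, incoming, outgoing = make_client()
    status, sent, queued = try_write(tls, outgoing, b"GET / HTTP/1.0\r\n\r\n")
    record = flush_to_socket(outgoing)
    return {
        "status": status,                       # 'want_read'
        "app_bytes_sent": sent,                 # 0: plaintext not encrypted yet
        "queued_before_flush": queued,          # > 0: a ClientHello was produced
        "first_record_type": record[0] if record else None,  # 0x16 = handshake
        "left_after_flush": outgoing.pending,   # 0: nothing more until peer answers
        "wait_for": wait_for(status),           # 'readable'
    }


if __name__ == "__main__":
    print(demo())
```

The write "fails" with WANT_READ, yet OpenSSL has already queued a ClientHello that the caller must flush before waiting for the socket to become readable, which is exactly why the retry has to be preceded by forward progress on the other three operations.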
RE: Confusion about SSL_ERROR_WANT_READ/WRITE
Thanks for this explanation. As I read more, I think I am getting a better understanding of this. So unlike normal tcp connections, where a read just reads, and a write just writes, SSL_read may write, and SSL_write may read. This is all done under the hood, so I don't need to be concerned with that, except to reissue the call when I get a WANT_READ or WANT_WRITE error. And when I get one of these, I basically just have to wait (select/poll or whatever) until the socket is readable/writable, then reissue the call. Does that sound right?

And regarding the use of multiple threads, if I protect the SSL object with a lock, that should be fine right? But it sounds like a single thread for both reads and writes is the norm. Is this true? And if so, other than the fact that I need to co-ordinate access to the SSL obj with a mutex, is there any drawback to using multiple threads?

So if I had the following:

    /* Read thread */
    bool ok = false;
    while (!ok)
    {
        mutex.lock(); // protect ssl
        int ret = SSL_read(ssl, buf, len);
        int err = SSL_get_error(ssl, ret);
        mutex.unlock();

        if (err == SSL_ERROR_NONE)
        {
            ok = true;
        }
        else if (err == SSL_ERROR_WANT_READ)
        {
            fd_set read_fds;
            FD_ZERO(&read_fds);
            FD_SET(m_sock, &read_fds);
            // wait for socket to be readable
            if (select(m_sock + 1, &read_fds, 0, 0, 0) <= 0) return 0; // error
            continue; // re-issue the read
        }
        else if (err == SSL_ERROR_WANT_WRITE)
        {
            fd_set write_fds;
            FD_ZERO(&write_fds);
            FD_SET(m_sock, &write_fds);
            // wait for socket to be writable
            if (select(m_sock + 1, 0, &write_fds, 0, 0) <= 0) return 0; // error
            continue; // re-issue the read
        }
        else
        {
            return 0; // error
        }
    }

    /* write thread */
    int offset = 0;
    while (len)
    {
        mutex.lock(); // protect ssl
        int ret = SSL_write(ssl, buf + offset, len);
        int err = SSL_get_error(ssl, ret);
        mutex.unlock();

        if (err == SSL_ERROR_NONE)
        {
            offset += ret;
            len -= ret;
        }
        else if (err == SSL_ERROR_WANT_READ)
        {
            fd_set read_fds;
            FD_ZERO(&read_fds);
            FD_SET(m_sock, &read_fds);
            // wait for socket to be readable
            if (select(m_sock + 1, &read_fds, 0, 0, 0) <= 0) return 0; // error
            continue; // re-issue the write
        }
        else if (err == SSL_ERROR_WANT_WRITE)
        {
            fd_set write_fds;
            FD_ZERO(&write_fds);
            FD_SET(m_sock, &write_fds);
            // wait for socket to be writable
            if (select(m_sock + 1, 0, &write_fds, 0, 0) <= 0) return 0; // error
            continue; // re-issue the write
        }
        else
        {
            return 0; // error
        }
    }

Does that look ok?

Since the reads and writes may be done in different threads, it could happen that the write thread got a WANT_READ and was waiting for data to arrive. But the read thread may also be waiting for data to arrive. One of these threads will wake up first. If the read thread wakes up, it will do SSL_read. If the write thread wakes up, it will try a SSL_write. Only one will happen first because they are protected by a lock. But if the read thread was able to read first, then when the write thread acquires the lock and retries the SSL_write, it will still succeed because whatever data it was waiting to read was read by the read thread. Does that make sense?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 15, 2005 4:58 PM
To: openssl-users@openssl.org
Subject: RE: Confusion about SSL_ERROR_WANT_READ/WRITE