Re: build openssl with debug information available
1. In openssl-0.9.7g\demos\sign\, type the following command:

   cl sign.c -I..\..\inc32 ..\..\out32dll\libeay32.lib -MD

2. Copy out32dll\libeay32.dll to demos\sign\, then run sign.exe

On 4/17/05, hao chen [EMAIL PROTECTED] wrote:
> Hi Tiange,
>
> Could you please do me a favour of telling me your project settings to make it work in VC 7?
>
> thanks!
> hao
>
> --- Si Tiange [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I just tested demo\sign\sign.c. It works fine on my laptop.
> >
> > On 4/16/05, hao chen [EMAIL PROTECTED] wrote:
> > > Hi Tiange,
> > >
> > > I also would like to know how to add an option such that the built DLL has debug information. So far I did not write any code using openssl; I just tried to run the sign.c in the demo directory shipped with openssl. It compiles fine but crashes when run. Does anyone know if the sign.c demo code works?
> > >
> > > thanks
> > > hao
> > >
> > > --- Si Tiange [EMAIL PROTECTED] wrote:
> > > > In openssl's directory, you should try the following steps as described in INSTALL.W32:
> > > >
> > > > 1. perl Configure VC-WIN32
> > > > 2. ms\do_ms
> > > > 3. Edit ms\ntdll.mak or ms\nt.mak, changing -MD to -MDd
> > > > 4. nmake -f ms\ntdll.mak
> > > >
> > > > p.s. The EVP_SignXXX functions work well. Try checking your own code.
> > > >
> > > > On 4/15/05, hao chen [EMAIL PROTECTED] wrote:
> > > > > Hi Friends,
> > > > >
> > > > > I would highly appreciate it if someone could let me know how to build openssl with debug information available, such that I can use it in debug mode. Also, if anyone has successfully run the openssl sign.c test program in VC v7 (.Net Visual Studio), could you please post the procedures that must be done to make it work?
> > > > >
> > > > > thanks!
> > > > > hao
> > > > >
> > > > > Best Regards

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: Confusion about SSL_ERROR_WANT_READ/WRITE
> Yes, I think I understand what you are saying. If I get a WANT_READ from a call to SSL_write, that means I need to read some data before I can send.

Not quite, it means the OpenSSL engine must read some data (from the socket) before you can perform the 'write' logical operation on the connection state machine.

> But like you said, there may not be any data to read since the other end may not have sent anything.

There may not be any application data, but there should be data sent over the SSL connection.

> But I think my problem was that I was thinking in terms of application data. What I failed to realize was that there may not be any application data to read, but if the other end is a valid ssl client, there should have been some ssl protocol data that was sent, that my end needs to read before my call to SSL_write will succeed. Does that sound right?

If by your end, you mean your end of the SSL connection, yes. If by your end, you mean the application, no. The purpose of the SSL_read function is to read application data from the SSL connection state machine. You should call it if and only if that is what you want to do.

> And since an SSL_read may write as well as read, and SSL_write may read as well as write, then either of these calls would read the required protocol data such that a retry of the call that resulted in the error should now succeed.

There you go. Since you're using socket BIOs, the state machine will access the socket when it needs to, so you just need to retry the operation later. If you want, you can use 'select' to tell when it's enough later.

> So even though my call to SSL_write resulted in the WANT_READ error, if my read thread happened to do an SSL_read first, it still would have read the protocol data, and my retry of SSL_write should succeed. Am I right? Close? Way off?

If either an SSL_write or an SSL_read results in a WANT_READ error, it means that neither call can progress until some data is read from the socket. You can retry the operation later, try another operation, or whatever you want to do. You can take the hint that 'select'ing on the socket for readability will likely tell you when the operation is going to succeed.

DS
CSP Question
Hi all,

I'm writing a study about design aspects for a cryptographic service provider (CSP) at the moment. So I read some documentation about CSP-11, about the Microsoft Cryptographic API and a lot of others, but I didn't find much general information about a CSP. Can somebody tell me if something like a standard exists? Is the openssl crew working on a solution to manage and use certificates and smart cards (something like a CSP)? Does somebody have information about projects working on similar problems?

Thanks for help
RE: Confusion about SSL_ERROR_WANT_READ/WRITE
> > Yes, I think I understand what you are saying. If I get a WANT_READ from a call to SSL_write, that means I need to read some data before I can send.
>
> Not quite, it means the OpenSSL engine must read some data (from the socket) before you can perform the 'write' logical operation on the connection state machine.
>
> > But like you said, there may not be any data to read since the other end may not have sent anything.
>
> There may not be any application data, but there should be data sent over the SSL connection.

Protocol data? Like an ack for some previous data sent?

> > But I think my problem was that I was thinking in terms of application data. What I failed to realize was that there may not be any application data to read, but if the other end is a valid ssl client, there should have been some ssl protocol data that was sent, that my end needs to read before my call to SSL_write will succeed. Does that sound right?
>
> If by your end, you mean your end of the SSL connection, yes. If by your end, you mean the application, no. The purpose of the SSL_read function is to read application data from the SSL connection state machine. You should call it if and only if that is what you want to do.

Since I'm using socket BIO, I am letting SSL_read/SSL_write handle all my socket I/O. So I am not explicitly reading from the socket and feeding it to OpenSSL (I just call SSL_read). So when I say your end, I mean the other end of the socket.

> > And since an SSL_read may write as well as read, and SSL_write may read as well as write, then either of these calls would read the required protocol data such that a retry of the call that resulted in the error should now succeed.
>
> There you go. Since you're using socket BIOs, the state machine will access the socket when it needs to, so you just need to retry the operation later. If you want, you can use 'select' to tell when it's enough later.
>
> > So even though my call to SSL_write resulted in the WANT_READ error, if my read thread happened to do an SSL_read first, it still would have read the protocol data, and my retry of SSL_write should succeed. Am I right? Close? Way off?
>
> If either an SSL_write or an SSL_read results in a WANT_READ error, it means that neither call can progress until some data is read from the socket. You can retry the operation later, try another operation, or whatever you want to do. You can take the hint that 'select'ing on the socket for readability will likely tell you when the operation is going to succeed.

I do select on the socket. Basically, I have a thread pool that I use for I/O. Writes are synchronous, so I expect to finish writing all the data before I exit my write function. But since I don't want to tie up a thread blocking on the read waiting for data to arrive (since I have no idea when data will arrive), I add it to a list of sockets that I am select'ing on.

Since my write is synchronous, if I get a WANT_READ error, that means I need to read some ssl data before I can continue. So I will select on the socket until data arrives. I'm assuming that the data WILL arrive. There is no chance that I could be blocked here indefinitely, is there? I'm assuming that the data is some SSL protocol data that SHOULD have been sent by the other end of the connection (assuming it is a valid SSL client).

Now, I also have a read thread that was select'ing on the socket waiting for data to arrive. So either of these 2 threads may read data. Both threads are select'ing on the socket. So if the read thread wakes up first and acquires the lock, then it will do an SSL_read before the write thread wakes up and retries an SSL_write (which was the operation that caused the WANT_READ error in the first place). So my question is, is this ok? If it was an SSL_write that caused the WANT_READ error, do I HAVE to retry the SSL_write before I can do an SSL_read? The SSL_read should read whatever data the ssl state machine was expecting, and the next try of SSL_write should then succeed, right?
RE: Confusion about SSL_ERROR_WANT_READ/WRITE
> > There may not be any application data, but there should be data sent over the SSL connection.
>
> Protocol data? Like an ack for some previous data sent?

Well, remember no data at all can be sent until a key is negotiated. So if you immediately call SSL_write, it will be unable to do anything.

> > If either an SSL_write or an SSL_read results in a WANT_READ error, it means that neither call can progress until some data is read from the socket. You can retry the operation later, try another operation, or whatever you want to do. You can take the hint that 'select'ing on the socket for readability will likely tell you when the operation is going to succeed.
>
> I do select on the socket. Basically, I have a thread pool that I use for I/O. Writes are synchronous, so I expect to finish writing all the data before I exit my write function. But since I don't want to tie up a thread blocking on the read waiting for data to arrive (since I have no idea when data will arrive), I add it to a list of sockets that I am select'ing on.
>
> Since my write is synchronous, if I get a WANT_READ error, that means I need to read some ssl data before I can continue. So I will select on the socket until data arrives. I'm assuming that the data WILL arrive. There is no chance that I could be blocked here indefinitely, is there? I'm assuming that the data is some SSL protocol data that SHOULD have been sent by the other end of the connection (assuming it is a valid SSL client).

You can impose timeouts if you want. You have this same issue for TCP. If the other side doesn't read any data, eventually your 'write' will block forever. You have to handle this yourself.

> Now, I also have a read thread that was select'ing on the socket waiting for data to arrive. So either of these 2 threads may read data. Both threads are select'ing on the socket. So if the read thread wakes up first and acquires the lock, then it will do an SSL_read before the write thread wakes up and retries an SSL_write (which was the operation that caused the WANT_READ error in the first place). So my question is, is this ok?

Yes. Just understand that it's not unusual to see data on the socket (in a call to 'select') and then not get any *application* data from SSL_read.

> If it was an SSL_write that caused the WANT_READ error, do I HAVE to retry the SSL_write before I can do an SSL_read?

No. You will likely need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER and will probably want to enable SSL_MODE_ENABLE_PARTIAL_WRITE as well. Read up on these and make sure you understand the implications and especially the very unusual default of not accepting moving write buffers!

> The SSL_read should read whatever data the ssl state machine was expecting, and the next try of SSL_write should then succeed, right?

Yes. Just remember that there are two weird cases that could happen -- expect them.

1) You get a read hit from 'select', but before you can call SSL_read, your write thread calls SSL_write, which reads the data. So now when you call SSL_read, nothing at all happens.

2) You get a read hit from 'select', but it's all protocol data, no application data. So you call SSL_read and no application data is returned.

And, of course, remember that you need a mutex for the connection to prevent a concurrent SSL_read and SSL_write.

DS
SSL handshake failed
Hi All

I installed Apache/1.3.33 (Unix) mod_perl/1.29 mod_ssl/2.8.22 OpenSSL/0.9.7d on Solaris. But when I try to browse it using https://my.website.com I am getting the following error in the browser:

    The connection to my.website.com has terminated unexpectedly. Some data may have been transferred

The Apache error log says:

    [Sun Apr 17 22:35:21 2005] [error] mod_ssl: SSL handshake failed (server my.website.com:443, client 192.168.0.15) (OpenSSL library error follows)
    [Sun Apr 17 22:35:21 2005] [error] OpenSSL: error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable

This is what my SSLCipherSuite looks like in httpd.conf:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

I tried to change it like these and neither one was successful:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSLv3:+EXP:+eNULL

-OR-

    SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

I used Google to search the OpenSSL and modssl sites and the web with no solution. Any help or suggestion would be greatly appreciated.

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
..there are two kinds of people: those who work and those who take the credit...try to be in the first group;...less competition there. - Indira Gandhi
RE: Confusion about SSL_ERROR_WANT_READ/WRITE
First of all, I want to thank everyone for all the information, especially David with his excellent explanations. I know this thread is getting long, but I really think I'm getting it now :) Just a few more questions and comments...

> > > There may not be any application data, but there should be data sent over the SSL connection.
> >
> > Protocol data? Like an ack for some previous data sent?
>
> Well, remember no data at all can be sent until a key is negotiated. So if you immediately call SSL_write, it will be unable to do anything.

Of course :)

> > > If either an SSL_write or an SSL_read results in a WANT_READ error, it means that neither call can progress until some data is read from the socket. You can retry the operation later, try another operation, or whatever you want to do. You can take the hint that 'select'ing on the socket for readability will likely tell you when the operation is going to succeed.
> >
> > I do select on the socket. Basically, I have a thread pool that I use for I/O. Writes are synchronous, so I expect to finish writing all the data before I exit my write function. But since I don't want to tie up a thread blocking on the read waiting for data to arrive (since I have no idea when data will arrive), I add it to a list of sockets that I am select'ing on.
> >
> > Since my write is synchronous, if I get a WANT_READ error, that means I need to read some ssl data before I can continue. So I will select on the socket until data arrives. I'm assuming that the data WILL arrive. There is no chance that I could be blocked here indefinitely, is there? I'm assuming that the data is some SSL protocol data that SHOULD have been sent by the other end of the connection (assuming it is a valid SSL client).
>
> You can impose timeouts if you want. You have this same issue for TCP. If the other side doesn't read any data, eventually your 'write' will block forever. You have to handle this yourself.

Of course. But what I mean is, if I get a WANT_READ from an SSL_write, then I assume that means I am waiting for some protocol data to satisfy the ssl state machine, right? After all, SSL_write should not be waiting for any application data. So if that is the case, does that mean that the protocol data that I am waiting for SHOULD have been sent by the other end of the connection?

> > Now, I also have a read thread that was select'ing on the socket waiting for data to arrive. So either of these 2 threads may read data. Both threads are select'ing on the socket. So if the read thread wakes up first and acquires the lock, then it will do an SSL_read before the write thread wakes up and retries an SSL_write (which was the operation that caused the WANT_READ error in the first place). So my question is, is this ok?
>
> Yes. Just understand that it's not unusual to see data on the socket (in a call to 'select') and then not get any *application* data from SSL_read.
>
> > If it was an SSL_write that caused the WANT_READ error, do I HAVE to retry the SSL_write before I can do an SSL_read?
>
> No. You will likely need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER and will probably want to enable SSL_MODE_ENABLE_PARTIAL_WRITE as well. Read up on these and make sure you understand the implications and especially the very unusual default of not accepting moving write buffers!
>
> > The SSL_read should read whatever data the ssl state machine was expecting, and the next try of SSL_write should then succeed, right?
>
> Yes. Just remember that there are two weird cases that could happen -- expect them.
>
> 1) You get a read hit from 'select', but before you can call SSL_read, your write thread calls SSL_write, which reads the data. So now when you call SSL_read, nothing at all happens.

Will SSL_read return 0 bytes read, or will I get a WANT_READ error indicating there was nothing to be read since the data was already read off the socket?

> 2) You get a read hit from 'select', but it's all protocol data, no application data. So you call SSL_read and no application data is returned.

Does SSL_read always return the number of bytes of application data read? If so, that means that SSL_read could return 0, and that this should not be construed as an error.

> And, of course, remember that you need a mutex for the connection to prevent a concurrent SSL_read and SSL_write.

Of course. That was my first mistake. But I know better now :)

> DS
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
A return result of 0 typically means the other side closed the connection. Here is the section from SSL_read's man page with regards to a 0 return:

    0   The read operation was not successful. The reason may either be a clean shutdown due to a close notify alert sent by the peer (in which case the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set (see SSL_shutdown(3), SSL_set_shutdown(3)). It is also possible, that the peer simply shut down the underlying transport and the shutdown is incomplete. Call SSL_get_error() with the return value ret to find out, whether an error occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN).

-Joe

On Apr 17, 2005, at 9:12 PM, Edward Chan wrote:
> Does SSL_read always return the number of bytes of application data read? If so, that means that SSL_read could return 0, and that this should not be construed as an error.
RE: Confusion about SSL_ERROR_WANT_READ/WRITE
Right, but let's say I'm doing an SSL_write, and I get a WANT_READ error. I then select on the socket until data is available for reading. I then call SSL_read. If all that was sent was the protocol data that the write was waiting for to satisfy the ssl state machine, and no application data was sent, would SSL_read return the number of bytes actually read off the socket (which is just protocol data), or would it read that transparently and return 0 indicating that no application data was read? Or would it just read the required protocol data and return an error of WANT_READ to indicate that I should retry the SSL_read when more data arrives? Now that I think about it, I'm guessing the latter.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 17, 2005 9:48 PM
To: openssl-users@openssl.org
Subject: Re: Confusion about SSL_ERROR_WANT_READ/WRITE

A return result of 0 typically means the other side closed the connection. Here is the section from SSL_read's man page with regards to a 0 return:

    0   The read operation was not successful. The reason may either be a clean shutdown due to a close notify alert sent by the peer (in which case the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set (see SSL_shutdown(3), SSL_set_shutdown(3)). It is also possible, that the peer simply shut down the underlying transport and the shutdown is incomplete. Call SSL_get_error() with the return value ret to find out, whether an error occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN).

-Joe

On Apr 17, 2005, at 9:12 PM, Edward Chan wrote:
> Does SSL_read always return the number of bytes of application data read? If so, that means that SSL_read could return 0, and that this should not be construed as an error.
Re: Confusion about SSL_ERROR_WANT_READ/WRITE
You're right -- the latter.

Another thing to think about is that at any time, the remote peer might request a re-negotiation. During such time, the session key will be re-established requiring a few round-trips during the DH process. This will all be handled behind the scenes as you attempt to move application data through the system. If the SSL state machine is waiting on some remote data to be received during the re-negotiation, you will get a WANT_READ in response to an SSL_write (or an SSL_read). At this point, you could call select() waiting for data to arrive. When select() indicates that the socket has data ready, you can just call SSL_write (or SSL_read) again so that the state machine can work its way through the protocol.

In my program's case, I had to periodically call SSL_read() on a non-blocking socket so that I could detect whenever the remote peer closed the connection, even though I was not expecting any application data to arrive.

On Apr 17, 2005, at 10:20 PM, Edward Chan wrote:
> Right, but let's say I'm doing an SSL_write, and I get a WANT_READ error. I then select on the socket until data is available for reading. I then call SSL_read. If all that was sent was the protocol data that the write was waiting for to satisfy the ssl state machine, and no application data was sent, would SSL_read return the number of bytes actually read off the socket (which is just protocol data), or would it read that transparently and return 0 indicating that no application data was read? Or would it just read the required protocol data and return an error of WANT_READ to indicate that I should retry the SSL_read when more data arrives? Now that I think about it, I'm guessing the latter.