time stamp patch for openssl-0.9.7g

2005-04-19 Thread Aftab Alam

Hi All,

I need to know if the time stamp patch for openssl-0.9.7g
will be coming.



Regards

Aftab Alam
Timestamp server and certificate creation

2005-04-19 Thread Sebastiano Zabert
Hi,
I'm trying to set up a timestamp server on a Linux box with Debian.
I've downloaded and compiled apache_1.3.33, mod_ssl-2.8.22-1.3.33 and mod_tsa;
all fine until I try to start Apache: the server doesn't start, and when I
search in logs/error_log I find:

[Mon Apr 18 13:41:40 2005] [notice] mod_tsa:mod_tsa initialization started, MySQL support:enabled, FireBird support:disabled
[Mon Apr 18 13:41:40 2005] [notice] mod_tsa:database driver is set to: None
[Mon Apr 18 13:41:42 2005] [notice] mod_tsa:re-initialization started
[Mon Apr 18 13:41:42 2005] [notice] mod_tsa:serial file is re-used: /usr/hsm/apache_1.3.33/conf/tsaserial
[Mon Apr 18 13:41:42 2005] [notice] mod_tsa:crypto device is set to: builtin
[Mon Apr 18 13:41:42 2005] [error] mod_tsa:could not load X.509 certificate: /usr/hsm/apache_1.3.33/conf/tsacert.pem
[Mon Apr 18 13:41:42 2005] [emerg] exiting, fatal error during mod_tsa initialisation.

The certificate is present and it is world readable, so I think the problem is
the certificate: a generic self-signed certificate (without extended key
usage) created by me for trial. I've not found anything about the command-line
syntax to create a certificate for timestamping.

Does someone have a suggestion, or the command-line syntax to use, for creating
a certificate for timestamp purposes?

Thanks
-- 
ZABERT Sebastiano
Inrete s.r.l. - Via Postiglione 29
10024 Moncalieri (TO) - Italy
Tel. 0116811590 - Fax. 0116811603
[EMAIL PROTECTED]
www.inrete.it
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Generate RSA key

2005-04-19 Thread Angel Martinez Gonzalez
Hello:

I want to generate an RSA key pair. I do the following:

 RSA *claveRSA;
 int num = 1024;  // Modulus size.
 unsigned long e = 3; // Public exponent

 RAND_screen();

 claveRSA = RSA_new();
 claveRSA = RSA_generate_key(num, e, NULL, NULL);


But I always obtain the same key. When I show the public modulus I obtain
the same:

printf ("public modulus: %i", *(claveRSA->n));

I use VC++ in Windows 2000. What is wrong?

Thanks.



Re: Using OpenSSL with 'ubsec' hardware on FreeBSD

2005-04-19 Thread A . L . M . Buxey
Hi,

> Which version of openssl is the ports tree based on? I don't know about
> the world version, but the problem with the ports one seems to be (so
> far) just a matter of paths. I don't do bsd, but I assume that tweaking
> with LD_LIBRARY_PATH or some such thing ought to be able to convince
> openssl to find libubsec.so. Whether the result will be
> version-compatible is another issue, but you might be lucky.

the ports version is OpenSSL 0.9.7g 11 Apr 2005
(world version is OpenSSL 0.9.7d 17 Mar 2004)

the issue with LD_LIBRARY_PATH appears to be void as there is NO
libubsec.so on the filesystem. It's simply not made. Where can
I get it from??? (on Redhat and Fedora Core 3 this file
appears in the mystical 'hycrypto' package)

I've attempted to actually make a libubsec.so by hand using the
files provided by OpenSSL... eg

cd openssl-0.9.7g/crypto/engine

cc -o tmp_ubsec.o -I.. -I../.. -I../../include -fPIC -DENGINE_DYNAMIC_SUPPORT -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -O -pipe -Wl,-rpath,/usr/local/lib -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c hw_ubsec.c

cc -o tmp_ubsec_err.o -I.. -I../.. -I../../include -fPIC -DENGINE_DYNAMIC_SUPPORT -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -O -pipe -Wl,-rpath,/usr/local/lib -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c hw_ubsec_err.c

then link this all up as a nice ELF 32-bit LSB shared object...

gcc -shared -o dyn_ubsec.so tmp_ubsec.o tmp_ubsec_err.o -L../.. -lcrypto

then attempted to actually USE this file as in the docs that OpenSSL
provides..  README.ENGINE

# /usr/local/bin/openssl engine ubsec - -pre SO_PATH:./dyn_ubsec.so -t
(ubsec) UBSEC hardware engine support
[Success]: SO_PATH:./dyn_ubsec.so
 [ unavailable ]
39977:error:2506406A:DSO support routines:DLFCN_BIND_FUNC:could not bind to the requested symbol name:dso_dlfcn.c:252:symname(ubsec_bytes_to_bits): Undefined symbol ubsec_bytes_to_bits
39977:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:dso_lib.c:294:
39977:error:84069067:ubsec engine:UBSEC_INIT:dso failure:hw_ubsec.c:418:
 SO_PATH: Specifies the path to the 'ubsec' shared library
  (input flags): STRING

...so, failure is still my no.1 success :-)


I'm wondering a couple of things.

1) according to some folk, /dev/crypto should *just work* - and,
for some userland test tools (eg cryptotest) it does

2) why doesn't openssl just USE the ubsec engine? It's been statically
compiled in - so it should be able to utilise it... or does it HAVE
to use the DSO system?

Alan


Error with PEM_write_RSAPrivateKey function

2005-04-19 Thread Angel Martinez Gonzalez
Hello:

I use this function to generate an RSA key pair and write the public and
private keys to files. But this function has an error at execution time. I
think that the problem is in the function:
PEM_write_RSAPrivateKey(fp,key,NULL,NULL,0,NULL,NULL)

But I don't know what is wrong. The function is the following:


#include <stdio.h>
#include <stdlib.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
#include <openssl/err.h>

void AlmacenaClavesRSA(char *secfile, char *pubfile)
{
  RSA *key=NULL;
  FILE *fp;
  int size = 1024;

  printf("Generating RSA keys[%d bits].\n", size);
  if (size < 64) {
    fprintf(stderr, "Error: RSA Key pair size too small.\n");
    fprintf(stderr, "size >= 64\n");
    exit(EXIT_FAILURE);
  }
  if((key = RSA_generate_key(size,3,NULL,NULL)) == NULL) {
    fprintf(stderr,"%s\n",ERR_error_string(ERR_get_error(),NULL));
    exit(EXIT_FAILURE);
  }
  // RSA_check_key() returns 1 for a valid key, 0 for invalid, -1 on error
  if(RSA_check_key(key) < 1) {
    fprintf(stderr,"Error: Problems while generating RSA Key.\n"
                   "Retry.\n");
    exit(EXIT_FAILURE);
  }
  printf("clave generada\n");

  // Save the private key
  fp=fopen(secfile,"w");
  if (fp == NULL) {
    // Writing through a NULL FILE* crashes, so fail here with the OS reason
    perror(secfile);
    exit(EXIT_FAILURE);
  }
  if(PEM_write_RSAPrivateKey(fp,key,NULL,NULL,0,NULL,NULL) == 0) {
    fprintf(stderr,"Error: problems while writing RSA Private "
                   "Key.\n");
    exit(EXIT_FAILURE);
  }
  fclose(fp);

  // Save the public key
  fp=fopen(pubfile,"w");
  if (fp == NULL) {
    perror(pubfile);
    exit(EXIT_FAILURE);
  }
  if(PEM_write_RSAPublicKey(fp,key) == 0) {
    fprintf(stderr,"Error: problems while writing RSA Public Key.\n");
    exit(EXIT_FAILURE);
  }
  fclose(fp);

  RSA_free(key);
  printf("Done.\n");
  return;
}


Thanks.



RE: Using SSL with existing socket

2005-04-19 Thread John Hoel
I am having the same problem. I am adding OpenSSL to an existing application 
that calls connect(), and have added logic to use OpenSSL after connect() 
completes successfully. Here is what I have done:

SSL_CTX *ctx;            /* SSL_CTX set up elsewhere in the application */
int existing_sock = nnn; /* socket on which connect() already succeeded */
int rc = 0;
int code = 0;
char *buf = NULL;
BIO *bio = NULL;
SSL *ssl = NULL;

bio = BIO_new_socket( existing_sock, BIO_NOCLOSE );
BIO_set_nbio( bio, 1 );
ssl = SSL_new( ctx );
SSL_set_connect_state( ssl );
SSL_set_bio( ssl, bio, bio );

rc = SSL_connect( ssl );
if (rc <= 0 )
{
  code = SSL_get_error( ssl, rc );
  switch( code )
  {
    case SSL_ERROR_ZERO_RETURN:
      buf = ERR_error_string( code, NULL );
      etc...
  }
}

The first problem I encountered with this code is that when the error occurs, 
ERR_get_error_line_data() returns zero. I then added the call to 
ERR_error_string(). The value pointed to by 'buf' is this:

error:0005:lib(0):func(0):DH lib

This error always occurs. What could be causing this? Why is this message so 
minimally informative?

I've searched the OpenSSL code for an instance of '5' and found 2: ERR_R_DH_LIB
and SYS_F_IOCTLSOCKET. Could it be that the error is not DH at all? Could this
be a problem with the socket when ioctlsocket() is called?

This same problem occurs when accepting a connection using accept(), then the 
above technique for SSL_accept().

Thanks for any help you can give,

John Hoel
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Martin Persson
Sent: Thursday, April 14, 2005 3:18 AM
To: openssl-users@openssl.org
Subject: Using SSL with existing socket


Hello, I'm trying to port a library (libiksemel) that currently uses
GnuTLS to OpenSSL. This can be done very easily if I can connect an
existing socket to a TLS/SSL object and then do read/write on it like
usual. However, I have failed to do this successfully. SSL_connect
usually fails with a message related to DH lib, error code 5.

I've tried associating a socket to both BIO and SSL objects using
new_socket and set_fd groups of commands, but none have worked
out. I don't have enough knowledge about the operation of BIO objects
I guess.

Can anyone give me some advice as how to set up SSL on a socket
connected outside of the OpenSSL suite, or some enlightenment on how
to link BIO's together?

Thanks for your time

Martin Persson
Sweden
xarragon 'magic-symbol' gmail.com

NO RELIANCE:  This e-mail will be of no force of effect and will not be binding 
unless a hard copy of this e-mail, signed by an authorized official of the 
company, has been sent to the recipient of this message.

CONFIDENTIAL AND/OR PROPRIETARY:  Information contained in this transmission is 
intended for the use of the individual or entity named above and may contain 
legally proprietary or confidential information. If the reader of this message 
is not the intended recipient, you are hereby notified that any dissemination, 
distribution or copy of this communication is strictly prohibited. If you have 
received this communication in error, please permanently delete this message 
and immediately notify us by telephone at 972-377-1110.




Re: Generate RSA key

2005-04-19 Thread Nils Larsch
Angel Martinez Gonzalez wrote:
> Hello:
> I want to generate an RSA key pair. I do the following:
>  RSA *claveRSA;
>  int num = 1024;  // Modulus size.
>  unsigned long e = 3; // Public exponent
>  RAND_screen();
>  claveRSA = RSA_new();
>  claveRSA = RSA_generate_key(num, e, NULL, NULL);

the RSA_new() call is superfluous and wrong here

> But I always obtain the same key. When I show the public modulus I obtain
> the same:
> printf ("public modulus: %i", *(claveRSA->n));

use BN_print etc. to print out a bignum
Nils


Re: WRONG FINAL BLOCK LENGTH

2005-04-19 Thread Nils Larsch
Douglas Laing wrote:
> I copied the do_crypt routine (General encryption, decryption function
> example using FILE I/O and RC2 with an 80 bit key) from the
> EVP_EncryptInit(3) man page and used it to encrypt a 433282 byte file.
> Function EVP_CipherFinal_ex fails and ERR_get_error returns
> `error:0606506D:lib(6):func(101):reason(109)', i.e. WRONG FINAL BLOCK
> LENGTH.  ctx.buf_len has a value of 2.  I thought EVP_CipherFinal_ex
> would pad the extra bytes and encrypt them.

as only EVP_DecryptFinal_ex can give the EVP_R_WRONG_FINAL_BLOCK_LENGTH
error message I guess you are trying to decrypt the message and hence
the error
Nils


Re: Error with PEM_write_RSAPrivateKey function

2005-04-19 Thread Nils Larsch
Angel Martinez Gonzalez wrote:
> Hello:
> I use this function to generate an RSA key pair and write the public and
> private keys to files. But this function has an error at execution time.

what kind of error (error message)?
Nils


Re: Timestamp server and certificate creation

2005-04-19 Thread Nils Larsch
Sebastiano Zabert wrote:
> Hi,
> I'm trying to set up a timestamp server on a Linux box with Debian.
> I've downloaded and compiled apache_1.3.33, mod_ssl-2.8.22-1.3.33 and mod_tsa;
> all fine until I try to start Apache: the server doesn't start, and when I
> search in logs/error_log I find:
>
> [Mon Apr 18 13:41:40 2005] [notice] mod_tsa:mod_tsa initialization started, MySQL support:enabled, FireBird support:disabled
> [Mon Apr 18 13:41:40 2005] [notice] mod_tsa:database driver is set to: None
> [Mon Apr 18 13:41:42 2005] [notice] mod_tsa:re-initialization started
> [Mon Apr 18 13:41:42 2005] [notice] mod_tsa:serial file is re-used: /usr/hsm/apache_1.3.33/conf/tsaserial
> [Mon Apr 18 13:41:42 2005] [notice] mod_tsa:crypto device is set to: builtin
> [Mon Apr 18 13:41:42 2005] [error] mod_tsa:could not load X.509 certificate: /usr/hsm/apache_1.3.33/conf/tsacert.pem
> [Mon Apr 18 13:41:42 2005] [emerg] exiting, fatal error during mod_tsa initialisation.
>
> The certificate is present and it is world readable, so I think the problem is
> the certificate: a generic self-signed certificate (without extended key
> usage) created by me for trial. I've not found anything about the command-line
> syntax to create a certificate for timestamping.
>
> Does someone have a suggestion, or the command-line syntax to use, for creating
> a certificate for timestamp purposes?

consider reading 
http://www.opentsa.org/mod_tsa/mod_tsa-install-20041109.html
Nils
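The certificate Sebastiano describes has no extended key usage, and an RFC 3161 TSA certificate must carry extendedKeyUsage = timeStamping, marked critical. The following is an added example, not from the thread or the mod_tsa install guide, showing one way to generate such a certificate with the openssl command line; the config section names, file names and subject CN are assumptions of the example.

```shell
# Added example (not from the original thread): generate a self-signed
# certificate carrying the critical timeStamping extended key usage that an
# RFC 3161 timestamp authority needs. File names, section names and the
# subject CN are constructed for this demo.

make_tsa_cert() {
    dir="$1"
    # Extension section for a TSA certificate: timeStamping must be the only
    # EKU and must be marked critical.
    cat > "$dir/tsa.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Example TSA (constructed)

[ v3_tsa ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
extendedKeyUsage = critical,timeStamping
EOF
    # Self-signed key and certificate for a trial setup; a production TSA
    # would instead submit a CSR carrying these extensions to its CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/tsakey.pem" -out "$dir/tsacert.pem" \
        -config "$dir/tsa.cnf" -extensions v3_tsa 2>/dev/null
}

# Sanity check before pointing mod_tsa at a certificate: does it carry the
# timeStamping EKU? (openssl prints the long name "Time Stamping".)
has_timestamping_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Time Stamping'
}

# Usage: make_tsa_cert ./conf && has_timestamping_eku ./conf/tsacert.pem
```

The resulting tsacert.pem and tsakey.pem are what a trial TSA would reference from its configuration; the key file must be readable only by the server user.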


Re: Using SSL with existing socket

2005-04-19 Thread Dr. Stephen Henson
On Tue, Apr 19, 2005, John Hoel wrote:

> I am having the same problem. I am adding OpenSSL to an existing application
> that calls connect(), and have added logic to use OpenSSL after connect()
> completes successfully. Here is what I have done:
>
> int existing_sock = nnn;
> int rc = 0;
> int code = 0;
> BIO *bio = NULL;
> SSL *ssl = NULL;
>
> bio = BIO_new_socket( existing_sock, BIO_NOCLOSE );
> BIO_set_nbio( bio, 1 );
> ssl = SSL_new( ctx );
> SSL_set_connect_state( ssl );
> SSL_set_bio( ssl, bio, bio );
>
> rc = SSL_connect( ssl );
> if (rc <= 0 )
> {
>   code = SSL_get_error( ssl, rc );
>   switch( code )
>   {
>     case SSL_ERROR_ZERO_RETURN:
>       buf = ERR_error_string( code, NULL );
>       etc...
>   }
> }
>
> The first problem I encountered with this code is that when the error
> occurs, ERR_get_error_line_data() returns zero. I then added the call to
> ERR_error_string(). The value pointed to by 'buf' is this:
>
> error:0005:lib(0):func(0):DH lib
>
> This error always occurs. What could be causing this? Why is this message so
> minimally informative?
>

Because the value returned from SSL_get_error() is one of the SSL_ERROR_*
values (ssl.h) and not usable by the ERR library: so you are getting garbage.

In this case SSL_ERROR_SYSCALL.

> I've searched the OpenSSL code for an instance of '5' and found 2:
> ERR_R_DH_LIB and SYS_F_IOCTLSOCKET. Could it be that the error is not DH at
> all? Could this be a problem with the socket when ioctlsocket() is called?
>
> This same problem occurs when accepting a connection using accept(), then
> the above technique for SSL_accept().
>

Try it without the SSL_set_connect_state() call.

You might also want to try it with a blocking socket first (without the
BIO_set_nbio() call) to see if it works.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Using SSL with existing socket

2005-04-19 Thread John Hoel
Neither change made any difference. (Sigh)



RE: Can anybody share some ENGINE sample code?

2005-04-19 Thread Frédéric Donnat
Hi,

As we have an ENGINE in this demo (with some asym/symm crypto), if we could 
help, just let me know.

regards,

Fred


-Original Message-
From:   [EMAIL PROTECTED] on behalf of Richard Levitte - VMS Whacker
Sent:   Tue 4/19/2005 12:26 AM
To: openssl-users@openssl.org; [EMAIL PROTECTED]
Cc: 
Subject:Re: Can anybody share some ENGINE sample code?
In message [EMAIL PROTECTED] on Mon, 18 Apr 2005 15:09:36 -0700, Edward Chan 
[EMAIL PROTECTED] said:

echan Does anybody have some working code that enables the use of
echan crypto hardware using the ENGINE API's and would be willing to
echan share it?

Uhmm, there are a few engines in crypto/engine/ as well as in
demos/engines/.  If those don't help, maybe you need some specific
help.  I'd like to help, but I can only do so if you tell me what you
really need.

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up.
-- C.S. Lewis


RE: Using OpenSSL with 'ubsec' hardware on FreeBSD

2005-04-19 Thread Frédéric Donnat
Hi,

I think the ubsec driver is included in the FreeBSD release, so you should be able to
use the ENGINE related to /dev/crypto (hw_cryptodev.c).

The ubsec ENGINE should be ok for the Broadcom FreeBSD driver.
I think that you should not mix them.

Hope it could help,

Fred


Re: Using SSL with existing socket

2005-04-19 Thread Dr. Stephen Henson
On Tue, Apr 19, 2005, John Hoel wrote:

> Neither change made any difference. (Sigh)


The error indicates a problem with the underlying transport. See what
ERR_print_errors_fp(stderr) produces and if the errno value gives anything
useful.

I suggest you first try to connect to a known working SSL host which might
give useful diagnostic output such as s_server.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Using SSL with existing socket

2005-04-19 Thread John Hoel
Calling WSAGetLastError was the key. SSL_connect is now progressing. Thanks for 
the idea!

__

John Hoel
Product Author

Skywire Software
2401 Internet Blvd., Suite 201
Frisco, Texas 75034
(972)377-1110 main
(425)396-4687 direct
[EMAIL PROTECTED]

www.skywiresoftware.com




Re: Using OpenSSL with 'ubsec' hardware on FreeBSD

2005-04-19 Thread Geoff Thorpe
On April 19, 2005 06:40 am, [EMAIL PROTECTED] wrote:
> the issue with LD_LIBRARY_PATH appears to be void as there is NO
> libubsec.so on the filesystem. its simply not made. where can
> I get it from??? (on Redhat and Fedora Core  3  this file
> appears in the mystical 'hycrypto' package)

The ENGINE in openssl is little more than a shim to the user-space 
libraries that support the hardware - this is not part of openssl or any 
openssl distribution (that I'm aware of), it is provided by the vendor 
just as the kernel-drivers and associated bits-n-bobs are provided by the 
vendor. Openssl's engine was originally compiled internally to openssl, 
but more recently it has been possible to build them as external 
libraries - this is probably what you see in the fedora package. In this 
way, the openssl shim is *also* external and so can be shipped by vendors 
(or distributions) at the same time as their proprietary user-space 
libraries and APIs.

This doesn't change the fact that the openssl engine knows nothing about 
the syscall interface or software environment of the hardware. It merely 
converts the API language openssl speaks into whatever interface the 
hardware's libraries use. So the library the ubsec engine is trying to 
load is the *vendor* library, the one that actually causes the real 
actions to happen. The library shipped in fedora was probably just a 
shared-library version of the ubsec engine, but it should *also* have 
needed to load the vendor library to work.

Whether that vendor library would work ok with the engine shim at a 
version-compatibility level is another thing - it probably should but no 
promises. However you need to find that library, and then convince 
openssl of how to find it too. If you got fedora running with the card at 
some point, then it must have had the vendor libraries installed and in 
some location where it could find them. Or it ships with the hardware 
support packaged-in somehow. Or have I misunderstood something?

BTW, someone mentioned in another post that the /dev/crypto engine might 
work on Free/OpenBSD if the kernel has a built-in driver, but that might 
only provide access to cipher/hash functionality - I doubt public-key 
crypto stuff goes through /dev/crypto. I should check, but I don't recall 
seeing this get added.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

Greedy Genghis George, Guru of God and Guns.



RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-19 Thread Edward Chan
Thanks for the info.  One last question :)  So if I am using blocking
sockets, then would I ever get a WANT_WRITE error?  I'm guessing no?

But if I am using BIO pairs, and blocking sockets, is it possible to get a
WANT_WRITE error?

Sorry, that was two more questions.

Ed

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Sunday, April 17, 2005 11:01 PM
> To: openssl-users@openssl.org
> Subject: Re: Confusion about SSL_ERROR_WANT_READ/WRITE
>
> > If all that was sent was the protocol data that the write was waiting
> > for to satisfy the ssl state machine, and no application data was
> > sent, would SSL_read return the number of bytes actually read off the
> > socket (which is just protocol data), or would it read that
> > transparently and return 0 indicating that no application data was
> > read?
>
>
> Ah. Key question!
>
> SSL_read will return a positive number indicating the number
> of APPLICATION DATA bytes written into your buffer.
>
> A ZERO indicates a closed connection.
>
> A negative result indicates an error (or rather, that your
> request could not be satisfied). In the case of a WANT_READ
> or WANT_WRITE, that some action in the BIO needs to occur to
> satisfy the request.
>
> The important thing to keep in mind is that the SSL objects
> are not inherently tied to sockets. You might be trying to
> read SSL decrypted data from your own internal buffer. In
> which case, a WANT_READ means that you need to move a few
> more bytes into the BIO's buffer.
>
> Check out the man page for the SSL_get_error function yet once again.
> Skip down to the section titled SSL_ERROR_WANT_READ,
> SSL_ERROR_WANT_WRITE in the context of these discussions,
> keeping in mind the idea that an SSL object might not be
> necessarily connected to a socket.
>
> (What really frustrated me when I was learning how this
> worked was that the examples and discussions in the O'Reilly
> OpenSSL book were wrong on this topic.)
>