DTLS - cannot make client detect restarted server
Hi all,

I am having some trouble with DTLS. I can easily get into a situation where my server is restarted (or the client's SSL object is removed for other reasons) and the client may not know. Now when the client sends data to the server, a new SSL object is created but the server is stuck in:

Info Tue Jan 3 09:55:59 2012 All.DTLS ssl_info_cb: SSL_accept: error in SSLv3 read client hello B
Info Tue Jan 3 09:55:59 2012 All.DTLS SSL_read: rc: -1, err: 2

i.e. it returns SSL_WANT_READ and of course expects a handshake, but no alert or similar is sent to the client to indicate the client needs to take some measure. The client happily keeps sending data.

Any help on how to resolve this would be greatly appreciated.

Best regards,
Fredrik Jansson
Re: DTLS - cannot make client detect restarted server
On Jan 3, 2012, at 11:17 AM, Fredrik Jansson wrote:

> Hi all,
>
> I am having some trouble with DTLS. I can easily get into a situation where my server is restarted (or the client's SSL object is removed for other reasons) and the client may not know. Now when the client sends data to the server, a new SSL object is created but the server is stuck in:
>
> Info Tue Jan 3 09:55:59 2012 All.DTLS ssl_info_cb: SSL_accept: error in SSLv3 read client hello B
> Info Tue Jan 3 09:55:59 2012 All.DTLS SSL_read: rc: -1, err: 2
>
> i.e. it returns SSL_WANT_READ and of course expects a handshake, but no alert or similar is sent to the client to indicate the client needs to take some measure. The client happily keeps sending data.

The message should go to the listener and be discarded there. If not, it is a problem.

> Any help on how to resolve this would be greatly appreciated.

As indicated in my private answer: Your application must detect that the peer is dead. It can do that with its own messages or use DTLS heartbeats for that.

Best regards
Michael

> Best regards,
> Fredrik Jansson

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
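Michael's first option, detecting the dead peer with the application's own messages, as an added example that is not code from the thread or from OpenSSL: a small liveness tracker the DTLS client drives from its main loop. After a period of silence it asks the caller to send a probe, and after a configurable number of unanswered probes it tells the caller to discard the SSL object and handshake again, which is what the stuck server in the log above is waiting for. All names (peer_state, peer_tick, the interval and probe counts) are this example's own assumptions.

```c
#include <time.h>

/* SEND_PING: probe via SSL_write(); RESTART_HANDSHAKE: SSL_free() the old object, SSL_connect() a new one */
enum peer_action { PEER_OK, PEER_SEND_PING, PEER_RESTART_HANDSHAKE };

struct peer_state {
    time_t   last_rx;        /* last time any record arrived from the peer */
    time_t   last_ping;      /* last time a probe was sent */
    unsigned unanswered;     /* probes sent since the last record from the peer */
    unsigned ping_interval;  /* seconds of silence before probing */
    unsigned max_unanswered; /* unanswered probes before declaring the peer dead */
};

void peer_init(struct peer_state *p, time_t now, unsigned interval, unsigned max_unanswered)
{
    p->last_rx = p->last_ping = now;
    p->unanswered = 0; p->ping_interval = interval;
    p->max_unanswered = max_unanswered;
}

/* Call after every successful SSL_read(): any record proves the peer is alive. */
void peer_note_rx(struct peer_state *p, time_t now)
{
    p->last_rx = now;
    p->unanswered = 0;
}

/* Call from the client's main loop (alongside DTLSv1_handle_timeout()). */
enum peer_action peer_tick(struct peer_state *p, time_t now)
{
    if (now - p->last_rx < (time_t)p->ping_interval)
        return PEER_OK;                 /* heard from the peer recently */
    if (p->unanswered >= p->max_unanswered)
        return PEER_RESTART_HANDSHAKE;  /* silent despite repeated probes */
    if (now - p->last_ping >= (time_t)p->ping_interval) {
        p->last_ping = now;
        p->unanswered++;
        return PEER_SEND_PING;
    }
    return PEER_OK;                     /* a probe is outstanding; wait for its reply */
}

/* Replays the restarted-server scenario with constructed timestamps; returns 0 when
 * every step yields the expected action, otherwise the number of the failing step. */
int peer_selftest(void)
{
    struct peer_state p;
    peer_init(&p, 0, 5, 2);                                  /* probe after 5 s, give up after 2 */
    if (peer_tick(&p, 3) != PEER_OK) return 1;
    if (peer_tick(&p, 5) != PEER_SEND_PING) return 2;
    if (peer_tick(&p, 6) != PEER_OK) return 3;               /* probe outstanding */
    if (peer_tick(&p, 10) != PEER_SEND_PING) return 4;
    if (peer_tick(&p, 15) != PEER_RESTART_HANDSHAKE) return 5;
    peer_note_rx(&p, 16);                                    /* new association replied */
    return peer_tick(&p, 17) == PEER_OK ? 0 : 6;
}
```

The probe can equally be a DTLS heartbeat request (Michael's second option) as long as the reply is still reported through peer_note_rx; either way the client, not the server, is the side that has to notice the silence.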
OpenSSL 1.0.1 beta 1 released
OpenSSL version 1.0.1 Beta 1
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The first beta is now released.

The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-1.0.1-beta1.tar.gz
  Size: 4445727
  MD5 checksum: 2501e8caf6724c5ad747ac0d6df00c3d
  SHA1 checksum: a97fd63356a787e9ddc9f157ce4b964459a41f40

The checksums were calculated using the following command:

openssl md5 openssl-1.0.1-beta1.tar.gz
openssl sha1 openssl-1.0.1-beta1.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 52 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Also check the latest snapshots at ftp://ftp.openssl.org/snapshot/ or CVS (see http://www.openssl.org/source/repos.html) to avoid reporting previously fixed bugs.

Reports and patches should be sent to openssl-b...@openssl.org. Discussions around the development of OpenSSL should be sent to openssl-...@openssl.org. Anything else should go to openssl-users@openssl.org.

The best way, at least on Unix, to create a report is to do the following after configuration:

make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file testlog. Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

Mark J. Cox, Ben Laurie, Andy Polyakov, Ralf S. Engelschall, Richard Levitte, Geoff Thorpe, Dr. Stephen Henson, Bodo Möller, Ulf Möller, Lutz Jänicke, Nils Larsch
OpenSSL FIPS Module 2.0 status update
The FIPS 140-2 validation effort for the OpenSSL FIPS Object Module 2.0 has reached an important milestone; we are now in the final phase of this effort. The formal submission prepared by the test lab has been sent to the CMVP. At this point we can only wait for their review and action. Our best estimate of the time this action will take is approximately two months, though please note we have no control over that process and little visibility into any changes in status over time.

The corresponding source distribution is:

http://opensslfoundation.com/testing/validation-2.0/source/openssl-fips-2.0rc1.tar.gz

Note some additional cosmetic changes will be made prior to the formal validation award.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
Format to use RSA and ECDSA
Hi,

I have some doubts about the formats that openssl uses with ECDSA and RSA. I know that openssl implements PKCS#1 and PKCS#8 for RSA, but does ECDSA only use PKCS#8? And PKCS#13?

Thanks,

--
Rick Lopes de Souza
Thunderbird Issue
Finally got Openssl 1.0.1 daily working

However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)

No such problem in Outlook Express.

--
Member - Liberal International
This is doc...@nl2k.ab.ca  Here doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
https://www.fullyfollow.me/rootnl2k
Merry Christmas 2011 and Happy New Year 2012 !
Re: Thunderbird Issue
Are you using OpenSSL to generate a certificate for a mail server?

On 01/03/2012 01:52 PM, The Doctor wrote:
> Finally got Openssl 1.0.1 daily working
>
> However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)
>
> No such problem in Outlook Express.
Re: Thunderbird Issue
On Tue, Jan 03, 2012, The Doctor wrote:
> Finally got Openssl 1.0.1 daily working
>
> However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)
>
> No such problem in Outlook Express.

I can confirm I can reproduce the problem. Looking into it.

Temporary workaround is to use no-heartbeats as a configuration option.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Thunderbird Issue
On Tue, Jan 03, 2012, Dr. Stephen Henson wrote:
> On Tue, Jan 03, 2012, The Doctor wrote:
> > Finally got Openssl 1.0.1 daily working
> >
> > However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)
> >
> > No such problem in Outlook Express.
>
> I can confirm I can reproduce the problem. Looking into it.
>
> Temporary workaround is to use no-heartbeats as a configuration option.

Should be fixed now, thanks for the report. Please try tomorrow's snapshot or apply this patch:

http://cvs.openssl.org/chngview?cn=21914

Steve.
Re: Thunderbird Issue
On Tue, Jan 03, 2012 at 09:36:24PM +0100, Dr. Stephen Henson wrote:
> On Tue, Jan 03, 2012, The Doctor wrote:
> > Finally got Openssl 1.0.1 daily working
> >
> > However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)
> >
> > No such problem in Outlook Express.
>
> I can confirm I can reproduce the problem. Looking into it.
>
> Temporary workaround is to use no-heartbeats as a configuration option.

Please explain what you are saying.

> Steve.
Re: Thunderbird Issue
On Tue, Jan 03, 2012 at 06:08:54PM -0700, The Doctor wrote:
> On Tue, Jan 03, 2012 at 09:36:24PM +0100, Dr. Stephen Henson wrote:
> > On Tue, Jan 03, 2012, The Doctor wrote:
> > > Finally got Openssl 1.0.1 daily working
> > >
> > > However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)
> > >
> > > No such problem in Outlook Express.
> >
> > I can confirm I can reproduce the problem. Looking into it.
> >
> > Temporary workaround is to use no-heartbeats as a configuration option.
>
> Please explain what you are saying.

Never mind. I caught the explanation.

> > Steve.
Re: Thunderbird Issue
On Tue, Jan 03, 2012 at 11:16:36PM +0100, Dr. Stephen Henson wrote:
> On Tue, Jan 03, 2012, Dr. Stephen Henson wrote:
> > On Tue, Jan 03, 2012, The Doctor wrote:
> > > Finally got Openssl 1.0.1 daily working
> > >
> > > However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)
> > >
> > > No such problem in Outlook Express.
> >
> > I can confirm I can reproduce the problem. Looking into it.
> >
> > Temporary workaround is to use no-heartbeats as a configuration option.
>
> Should be fixed now, thanks for the report. Please try tomorrow's snapshot or apply this patch:
>
> http://cvs.openssl.org/chngview?cn=21914
>
> Steve.

Error log reports

Jan 3 22:21:19 gallifrey doctor[42]: exim[13062]: 2012-01-03 22:21:19 TLS error on connection from vg138.ntf.els4.ticketmaster.com [209.104.37.138] (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan 3 22:29:22 gallifrey doctor[42]: exim[16704]: 2012-01-03 22:29:22 TLS error on connection from st.dwins.com [211.78.81.129] (SSL_accept): error::lib(0):func(0):reason(0)
Jan 3 22:31:32 gallifrey doctor[42]: exim[16960]: 2012-01-03 22:31:32 TLS error on connection from vg198.ntf.els4.ticketmaster.com [209.104.37.198] (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan 3 22:34:55 gallifrey doctor[42]: exim[17753]: 2012-01-03 22:34:55 TLS error on connection from peebles.dataspaces.com [216.176.58.138] (SSL_accept): error::lib(0):func(0):reason(0)
Jan 3 22:36:07 gallifrey doctor[42]: exim[18025]: 2012-01-03 22:36:07 TLS error on connection from st.dwins.com [211.78.81.129] (SSL_accept): error::lib(0):func(0):reason(0)
Jan 3 22:41:41 gallifrey doctor[42]: exim[18935]: 2012-01-03 22:41:41 TLS error on connection from vg94.ntf.els4.ticketmaster.com [209.104.37.94] (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan 3 22:44:53 gallifrey doctor[42]: exim[18861]: 2012-01-03 22:44:53 TLS error on connection from st.dwins.com [211.78.81.129] (SSL_accept): timed out
Jan 3 22:52:58 gallifrey doctor[42]: exim[185]: 2012-01-03 22:52:58 TLS error on connection from s010600226b4f684c.ed.shawcable.net [68.149.51.98] (SSL_accept): error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
Jan 3 22:53:18 gallifrey doctor[42]: exim[217]: 2012-01-03 22:53:18 TLS error on connection from s010600226b4f684c.ed.shawcable.net [68.149.51.98] (SSL_accept): error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
Jan 3 22:55:03 gallifrey doctor[42]: exim[447]: 2012-01-03 22:55:03 TLS error on connection from s010600226b4f684c.ed.shawcable.net [68.149.51.98] (SSL_accept): error::lib(0):func(0):reason(0)
Re: Thunderbird Issue
On Tue, Jan 03, 2012 at 10:57:42PM -0700, The Doctor wrote:
> On Tue, Jan 03, 2012 at 11:16:36PM +0100, Dr. Stephen Henson wrote:
> > On Tue, Jan 03, 2012, Dr. Stephen Henson wrote:
> > > On Tue, Jan 03, 2012, The Doctor wrote:
> > > > Finally got Openssl 1.0.1 daily working
> > > >
> > > > However, Mozilla Thunderbird is choking saying SSL received a malformed Server Hello handshake message. (Error code: ssl_error_rx_malformed_server_hello)
> > > >
> > > > No such problem in Outlook Express.
> > >
> > > I can confirm I can reproduce the problem. Looking into it.
> > >
> > > Temporary workaround is to use no-heartbeats as a configuration option.
> >
> > Should be fixed now, thanks for the report. Please try tomorrow's snapshot or apply this patch:
> >
> > http://cvs.openssl.org/chngview?cn=21914
> >
> > Steve.
>
> Error log reports
>
> Jan 3 22:21:19 gallifrey doctor[42]: exim[13062]: 2012-01-03 22:21:19 TLS error on connection from vg138.ntf.els4.ticketmaster.com [209.104.37.138] (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 3 22:29:22 gallifrey doctor[42]: exim[16704]: 2012-01-03 22:29:22 TLS error on connection from st.dwins.com [211.78.81.129] (SSL_accept): error::lib(0):func(0):reason(0)
> Jan 3 22:31:32 gallifrey doctor[42]: exim[16960]: 2012-01-03 22:31:32 TLS error on connection from vg198.ntf.els4.ticketmaster.com [209.104.37.198] (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 3 22:34:55 gallifrey doctor[42]: exim[17753]: 2012-01-03 22:34:55 TLS error on connection from peebles.dataspaces.com [216.176.58.138] (SSL_accept): error::lib(0):func(0):reason(0)
> Jan 3 22:36:07 gallifrey doctor[42]: exim[18025]: 2012-01-03 22:36:07 TLS error on connection from st.dwins.com [211.78.81.129] (SSL_accept): error::lib(0):func(0):reason(0)
> Jan 3 22:41:41 gallifrey doctor[42]: exim[18935]: 2012-01-03 22:41:41 TLS error on connection from vg94.ntf.els4.ticketmaster.com [209.104.37.94] (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 3 22:44:53 gallifrey doctor[42]: exim[18861]: 2012-01-03 22:44:53 TLS error on connection from st.dwins.com [211.78.81.129] (SSL_accept): timed out
> Jan 3 22:52:58 gallifrey doctor[42]: exim[185]: 2012-01-03 22:52:58 TLS error on connection from s010600226b4f684c.ed.shawcable.net [68.149.51.98] (SSL_accept): error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
> Jan 3 22:53:18 gallifrey doctor[42]: exim[217]: 2012-01-03 22:53:18 TLS error on connection from s010600226b4f684c.ed.shawcable.net [68.149.51.98] (SSL_accept): error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
> Jan 3 22:55:03 gallifrey doctor[42]: exim[447]: 2012-01-03 22:55:03 TLS error on connection from s010600226b4f684c.ed.shawcable.net [68.149.51.98] (SSL_accept): error::lib(0):func(0):reason(0)

It's working. Thunderbird has to accept the next Exim cert.