[openssl-users] SSL_ERROR_WANT_READ but nothing to read
Hi,

I have a client application using a single read-write socket in non-blocking mode. In C, on Linux, using openssl 1.0.1e.

After the connection is established and all the initial handshaking is done, the client issues SSL_read(), then enters a loop of:

- Interpret results (such as break upon socket close)
- select() on the socket
- SSL_read() again

. . . until the expected number of bytes have been read.

The first SSL_read() returns SSL_ERROR_WANT_READ and loops to attempt to retry the operation. But select() indicates that the socket is not readable, so we block forever and the server times out (the server had written a record which the client never reads).

I experimented by skipping the select() and just sleeping a little, but in that case, infinite retries of SSL_read() did not help.

Another experiment was to try writing some arbitrary data. That _DID_ seem to help and moved the protocol forwards a bit. But I shouldn't have to do that - we have nothing to write until we have received the full read record.

In case it matters, the server on the other end is an OpenDaylight controller. Its logs indicate successful handshake, appropriate cipher suite, etc. And my test client-server application using this logic works just fine. Also, no SSL_writes() are happening during this, or any other operation that would change the SSL* object state, AFAIK.

I've tried Wireshark on this, but I have not been able to glean too much from it, as everything is encrypted and also it seems to be showing transport sized packets of 15xx bytes instead of application sized records - could that be pointing at the problem? I did not set the read_ahead option.

Any ideas? I have spent hours reading the SSL documentation (such as SSL_get_error) and many, many posts and answers, plus several SSL books. It seems that I am doing the right thing here. So why is select() blocking? There is no outstanding write operation, so shouldn't a retry of SSL_read() clear any handshake/renegotiation stuff?

Thanks for any thoughts.

N

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Forthcoming OpenSSL releases
Thanks for the heads up. Just to confirm, is this highest severity defect a yet-to-be-disclosed vulnerability, or a fix for an already known one?

Sent from my mobile

On Mar 16, 2015, at 3:05 PM, Matt Caswell m...@openssl.org wrote:

> Forthcoming OpenSSL releases
>
> The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>
> These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as high severity.
>
> Yours
>
> The OpenSSL Project Team

Re: [openssl-users] FIPS: Converting AES_ctr128_encrypt() to EVP_ methods
On Mon, Mar 16, 2015, jonetsu wrote:

> Hello,
>
> An application that needs converting to FIPS is currently using AES_ctr128_encrypt(). That function calls in turn CRYPTO_ctr128_encrypt() which then does some internal computations. They are not documented in the 'full list of crypto APIs'.
>
> What would be the FIPS-compatible EVP equivalent(s)?

The EVP cipher is called EVP_aes_128_ctr(): once you pass that as the EVP_CIPHER argument (for example to EVP_EncryptInit_ex) you can use EVP like any other cipher.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

[openssl-users] FIPS: Converting AES_ctr128_encrypt() to EVP_ methods
Hello,

An application that needs converting to FIPS is currently using AES_ctr128_encrypt(). That function calls in turn CRYPTO_ctr128_encrypt() which then does some internal computations. They are not documented in the 'full list of crypto APIs'.

What would be the FIPS-compatible EVP equivalent(s)?

Regards.

[openssl-users] FIPS: ECC licensing
Hello,

The licenses, patents for ECC was noticed. In short, if we do not care about this in the sense of not willing to be in any patent infringement situation down the road, the -ecb archive should be used, is that right?

Also, there is a mention of a NSA-PLA.pdf agreement statement. The file is not found. Is this still valid in some ways?

Regards.

[openssl-users] Reg : SCEP using OPENSSL
Hi all,

I need guidance in understanding how a SCEP server can be integrated with OpenSSL. My understanding is that SCEP can be used to enroll devices, and that it then communicates with a Certificate Authority that generates certificates.

Can someone point me in the right direction?

Basically I am trying to achieve the following: using SCEP to enroll devices, then generating certificates using a CA.

Any reference to open source SCEP will be helpful... I'm also exploring a few open source SCEP implementations, like openscep, sscep, autosscep, etc.

Thanks,
Sindhu

[openssl-users] How to select supported signature algorithms
Hello,

I am developing a simple client/server application with openSSL.

Using wireshark, I can see in the Client Hello message that there is an extension signature_algorithms, in which are fields Signature Hash Algorithms. I can see a lot of supported algorithms, such as RSA, DSA, ECDSA in the fields *Signature Hash Algorithm Signature*, and SHA1, SHA256, MD5, ... for *Signature Hash Algorithm Hash*. The same behavior happens in the Server Key Exchange message.

My question is: how can I restrict this list of algorithms to use only one?

Note that I am already using the function set_cipher_list(), and as a consequence, the field *Cipher Suites* in those messages only contains the suite I want to use. So I don't know what is the API function to use instead of ssl_ctx_set_cipher_list(). I didn't find anything in the documentation.

Thank you for your help,
Jack

Re: [openssl-users] How to select supported signature algorithms
On Mon, Mar 16, 2015, Jacques FLORENCE wrote:

> Hello,
>
> I am developing a simple client/server application with openSSL.
>
> Using wireshark, I can see in the Client Hello message that there is an extension signature_algorithms, in which are fields Signature Hash Algorithms. I can see a lot of supported algorithms, such as RSA, DSA, ECDSA in the fields *Signature Hash Algorithm Signature*, and SHA1, SHA256, MD5, ... for *Signature Hash Algorithm Hash*. The same behavior happens in the Server Key Exchange message.
>
> My question is: how can I restrict this list of algorithms to use only one?
>
> Note that I am already using the function set_cipher_list(), and as a consequence, the field *Cipher Suites* in those messages only contains the suite I want to use. So I don't know what is the API function to use instead of ssl_ctx_set_cipher_list(). I didn't find anything in the documentation.

You need OpenSSL 1.0.2 to set a custom supported signature algorithms extension. You can use the macro SSL_CTX_set1_sigalgs_list(ctx, sigstring) where sigstring has the format of SignatureAlgorithms documented at:

https://www.openssl.org/docs/ssl/SSL_CONF_cmd.html

For example:

    SSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256");

For the signature algorithm associated with client authentication you use SSL_CTX_set1_client_sigalgs_list instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

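A way to confirm that the restriction discussed in this thread took effect, added here as an example (not code from the thread or from OpenSSL): it walks the body of a signature_algorithms extension as copied from a capture and counts entries other than RSA+SHA256. The function name and both byte arrays are constructed for illustration; the code points are the TLS 1.2 ones from RFC 5246.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 code points, RFC 5246 section 7.4.1.4.1. */
static const char *HASHES[] = {"none", "MD5", "SHA1", "SHA224",
                               "SHA256", "SHA384", "SHA512"};
static const char *SIGS[] = {"anonymous", "RSA", "DSA", "ECDSA"};
enum { HASH_SHA256 = 4, SIG_RSA = 1 };

/* Hypothetical helper (not an OpenSSL API). ext points at the extension_data
 * of signature_algorithms: a 2-byte big-endian list length, then
 * (hash, signature) byte pairs. The wire order is hash first, while the
 * OpenSSL string form is "RSA+SHA256". Returns the number of pairs other than
 * want_hash/want_sig, or -1 if the body is malformed. */
int count_unexpected_sigalgs(const uint8_t *ext, size_t len,
                             uint8_t want_hash, uint8_t want_sig, int verbose)
{
    if (len < 4)
        return -1;                       /* need length + at least one pair */
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != len - 2 || list_len % 2 != 0)
        return -1;                       /* truncated or odd-sized list */
    int unexpected = 0;
    for (size_t i = 2; i < len; i += 2) {
        uint8_t h = ext[i], s = ext[i + 1];
        int ok = (h == want_hash && s == want_sig);
        if (verbose)
            printf("%s+%s%s\n", s < 4 ? SIGS[s] : "unknown",
                   h < 7 ? HASHES[h] : "unknown", ok ? "" : "  <-- not allowed");
        unexpected += !ok;
    }
    return unexpected;
}

/* Constructed sample bodies, not taken from a real capture. */
static const uint8_t sample_default[] = {0x00, 0x08, 0x04, 0x01, 0x02, 0x01,
                                         0x04, 0x03, 0x02, 0x02};
static const uint8_t sample_restricted[] = {0x00, 0x02, 0x04, 0x01};

int main(void)
{
    int n = count_unexpected_sigalgs(sample_default, sizeof sample_default,
                                     HASH_SHA256, SIG_RSA, 1);
    printf("default list: %d unexpected\n", n);
    n = count_unexpected_sigalgs(sample_restricted, sizeof sample_restricted,
                                 HASH_SHA256, SIG_RSA, 1);
    printf("restricted list: %d unexpected\n", n);
    return n != 0;
}
```
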
Re: [openssl-users] FIPS: ECC licensing
On 03/16/2015 01:55 PM, jonetsu wrote:

> Hello,
>
> The licenses, patents for ECC was noticed. In short, if we do not care about this in the sense of not willing to be in any patent infringement situation down the road, the -ecb archive should be used, is that right?

It's ecp, not ecb. But yes, the ecp version omits binary curve ECC for those concerned about those patents.

> Also, there is a mention of a NSA-PLA.pdf agreement statement. The file is not found. Is this still valid in some ways?

Still valid:

http://openssl.com/testing/validation-2.0/docs/NSA-PLA.pdf

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

[openssl-users] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as high severity.

Yours

The OpenSSL Project Team