Re: [openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

2016-06-29 Thread Sahil Gandhi
Hi Steve,

Thanks for the reply.

Regards,
Sahil

On Wed, Jun 29, 2016 at 6:25 PM, Steve Marquess 
wrote:

> On 06/29/2016 07:09 AM, Sahil Gandhi wrote:
> > Hi Ken,
> >
> > Sorry for the late reply. I really appreciate your suggestion but I somehow
> > need to have a static library, not the dynamic one.
>
> You can statically link an application with the FIPS module, using the
> special "fipsld" link process, but you cannot put the FIPS module in a
> conventional static library (as managed with "ar").
>
> Unfortunately the requirements of FIPS 140-2 conflict in several ways
> with standard software engineering practice; it is the tail that wags
> the dog.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>



-- 
Sahil Gandhi
Project Engineer
R CDAC, Pune
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Creating multi-valued RDN with config (still not working)

2016-06-29 Thread Sean Leonard

Just following up...

Sean

On 6/18/2016 10:43 AM, Sean Leonard wrote:
I am trying to create a multi-valued RDN with OpenSSL using a config 
file and the openssl req -x509 command, without success.


According to the 2006 thread "Multi-value RDNs and openssl.cnf format",
one is supposed to do this by prefixing the keys in the
distinguished_name section with "+" on subsequent entries to add to a
multi-valued RDN, such as:


[distinguished_name]
ST = California
+L = Los Angeles
+postalCode=90013

Unfortunately, that (still) does not work. The error from openssl req 
-x509 (etc.) is:


problems making Certificate Request
30008:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:.\crypto\asn1\a_object.c:109:
30008:error:0B083077:x509 certificate 
routines:X509_NAME_ENTRY_create_by_txt:invalid field 
name:.\crypto\x509\x509name.c:285:name=+L



I was successful at making a multi-valued RDN with the -multivalue-rdn 
and -subj options, but that is not as versatile/scriptable. Any ideas?


Sean

PS It looks like it may be related to the behavior in auto_info 
(req.c) X509_NAME_add_entry_by_txt (x509name.c), in particular, the 
relationship between the variables mval, type, and p in auto_info 
(req.c). Could be a bug.





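What the config-file attempt above is trying to produce, shown as an added example that is not from the thread and not OpenSSL code: a small Python script that interprets an OpenSSL-style `-subj` string with and without `-multivalue-rdn` semantics, emits the DER X.509 Name, and decodes it again so the difference is visible on the wire. A multi-valued RDN is nothing more than a SET OF AttributeTypeAndValue with more than one element; `+` joins attributes into that one SET, and without `-multivalue-rdn` the `+` is just part of the value. The helper names (parse_subj, encode_name, decode_name, rdn_sizes) are mine; the attribute OIDs are the standard 2.5.4.x ones, and values are emitted as UTF8String, which is assumed to match an openssl.cnf with string_mask = utf8only.

```python
"""Added example (not from the thread): a multi-valued RDN as DER.
'/' separates RDNs, '+' joins attributes inside one RDN (the
-multivalue-rdn rule), backslash escapes the next character."""

# DER content octets of the attribute-type OIDs used here (2.5.4.x).
ATTR_OIDS = {
    "C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
    "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03",
    "postalCode": b"\x55\x04\x11",
}
OID_NAMES = {v: k for k, v in ATTR_OIDS.items()}


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV with definite length (short form below 128 bytes)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def parse_subj(subj: str, multivalue: bool = True) -> list[list[tuple[str, str]]]:
    """Split '/ST=California+L=Los Angeles+postalCode=90013' into RDNs.

    With multivalue=False, '+' is an ordinary character, which is why -subj
    without -multivalue-rdn yields ONE attribute whose value contains '+L=...'.
    """
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns, rdn, buf = [], [], ""
    it = iter(subj[1:] + "/")            # trailing '/' flushes the last RDN
    for ch in it:
        if ch == "\\":                   # escaped: take the next char literally
            buf += next(it, "")
            continue
        if ch == "/" or (ch == "+" and multivalue):
            if buf:
                typ, sep, val = buf.partition("=")
                if not sep or typ not in ATTR_OIDS:
                    raise ValueError(f"bad attribute {buf!r}")
                rdn.append((typ, val))
                buf = ""
            if ch == "/" and rdn:
                rdns.append(rdn)
                rdn = []
            continue
        buf += ch
    return rdns


def encode_name(rdns: list[list[tuple[str, str]]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    A multi-valued RDN is simply a SET with more than one element."""
    out = b""
    for rdn in rdns:
        atvs = [der(0x30, der(0x06, ATTR_OIDS[t]) + der(0x0C, v.encode("utf-8")))
                for t, v in rdn]
        # DER orders SET OF elements by their encodings (X.690 11.6).
        out += der(0x31, b"".join(sorted(atvs)))
    return der(0x30, out)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_name(data: bytes) -> list[list[tuple[str, str]]]:
    """Inverse of encode_name, in wire order; unknown OIDs come back as hex."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a DER Name")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_body, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        rdn, p = [], 0
        while p < len(rdn_body):
            _, atv, p = _read_tlv(rdn_body, p)
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            rdn.append((OID_NAMES.get(oid, oid.hex()), val.decode("utf-8")))
        rdns.append(rdn)
    return rdns


def rdn_sizes(subj: str, multivalue: bool) -> list[int]:
    """Attributes per RDN after a DER round trip: [3] when '+' is honoured,
    [1] when it is not (the single value then carries the literal '+')."""
    return [len(r) for r in decode_name(encode_name(parse_subj(subj, multivalue)))]


if __name__ == "__main__":
    subj = "/ST=California+L=Los Angeles+postalCode=90013"
    print(encode_name(parse_subj(subj)).hex())
    print(rdn_sizes(subj, True), rdn_sizes(subj, False))
```

Running the script prints the DER hex; feeding those bytes to `openssl asn1parse -inform DER -i` shows one SET holding three SEQUENCEs, which is the shape the `-subj ... -multivalue-rdn` route from the post produces and the `+L =` config lines did not.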


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Abe Racioppo
tsets

On 6/29/16, Abe Racioppo  wrote:
> 290620161352
>
> On 6/29/16, Salz, Rich  wrote:
>>
>>> But surely the openssl command line tool should provide a mechanism for
>>> allowing an X25519-based certificate to be signed by a CA.
>>
>>> It seems that the "certificate request" protocol, which requires
>>> self-signing, prevents this in this case.
>>
>> Yes, that is exactly the point.
>
>
> --
> signature
>


-- 
signature


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Abe Racioppo
290620161352

On 6/29/16, Salz, Rich  wrote:
>
>> But surely the openssl command line tool should provide a mechanism for
>> allowing an X25519-based certificate to be signed by a CA.
>
>> It seems that the "certificate request" protocol, which requires
>> self-signing, prevents this in this case.
>
> Yes, that is exactly the point.


-- 
signature


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Salz, Rich

> But surely the openssl command line tool should provide a mechanism for 
> allowing an X25519-based certificate to be signed by a CA. 

> It seems that the "certificate request" protocol, which requires 
> self-signing, prevents this in this case.

Yes, that is exactly the point.


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Michael Scott
On Wed, Jun 29, 2016 at 6:21 PM, Salz, Rich  wrote:

>
> > To repeat: X25519 only supports key exchange.  The 25519 signing
> > mechanism is not yet defined.
>

Which I don't have a problem with.

But surely the openssl command line tool should provide a mechanism for
allowing an X25519-based certificate to be signed by a CA.

It seems that the "certificate request" protocol, which requires
self-signing, prevents this in this case.


Mike


>
> And see also: https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/
>


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Salz, Rich

> To repeat: X25519 only supports key exchange.  The 25519 signing
> mechanism is not yet defined.

And see also: https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/



Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Salz, Rich
> as it objects that X25519 does not support signature.

To repeat: X25519 only supports key exchange.  The 25519 signing mechanism is 
not yet defined.


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Michael Scott
Thanks Erwann, but that's not an answer to my question.

To get the CA to sign (using RSA or anything) a certificate that contains
an X25519 public key, that certificate must first submit to the CA
something called a "Certificate request". This takes the form of the
supplicant certificate, which is self-signed. However you cannot self-sign
with an X25519 key (using the openssl command line tool), as it objects
that X25519 does not support signature.

So the issue arises around the "certificate request" process. There is I
agree no problem in creating the certificate itself.


Mike



On Wed, Jun 29, 2016 at 4:27 PM, Erwann Abalea 
wrote:

> Hello,
>
> You may have a classic certificate containing your
> {X,Ed}{25519,448,whatever} public key once:
>
>- an OID is allocated to identify this type of public key (it will go
>into tbs.subjectPublicKeyInfo.algorithm.algorithm)
>- a set of associated optional parameters are defined for this OID (to
>go into tbs.subjectPublicKeyInfo.algorithm.parameters)
>- a canonical encoding for this type of public key is defined, so the
>key material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey
>
>
> This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in
> fact).
>
> For a CA to be able to Ed{25519,448,whatever}-sign something, the previous
> steps must have been done, plus:
>
>- an OID is allocated to identify the signature algorithm to apply (it
>will not be ECDSA) -> cert.signatureAlgorithm.algorithm
>- a set of associated optional parameters are defined for this OID ->
>cert.signatureAlgorithm.parameters
>- a canonical encoding for the signature value is defined, so it can
>be enclosed into cert.signatureValue
>
>
> All this is being discussed at CFRG.
>
> Kind regards,
> Erwann Abalea
>
> On 29 June 2016 at 16:46, Michael Scott wrote:
>
> Hello,
>
>
> How do I do this? Using the OpenSSL command line tool, a certificate
> request must be self-signed, but the X25519 elliptic curve (newly supported
> in version 1.1.0), doesn't do signature, it can only be used for key
> exchange.
>
> (Of course the X25519 Montgomery curve is birationally equivalent to an
> Edwards curve which can do signature. And indeed it is our intention to use
> the Edwards curve. But first I need a CA-signed X25519 cert. But because of
> the above catch-22 problem, I cannot create one.)
>
>
> Mike
>
>


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Erwann Abalea
Hello,

You may have a classic certificate containing your {X,Ed}{25519,448,whatever} 
public key once:

  *   an OID is allocated to identify this type of public key (it will go into 
tbs.subjectPublicKeyInfo.algorithm.algorithm)
  *   a set of associated optional parameters are defined for this OID (to go 
into tbs.subjectPublicKeyInfo.algorithm.parameters)
  *   a canonical encoding for this type of public key is defined, so the key 
material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey

This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in 
fact).

For a CA to be able to Ed{25519,448,whatever}-sign something, the previous 
steps must have been done, plus:

  *   an OID is allocated to identify the signature algorithm to apply (it will 
not be ECDSA) -> cert.signatureAlgorithm.algorithm
  *   a set of associated optional parameters are defined for this OID -> 
cert.signatureAlgorithm.parameters
  *   a canonical encoding for the signature value is defined, so it can be 
enclosed into cert.signatureValue

All this is being discussed at CFRG.

Kind regards,
Erwann Abalea

On 29 June 2016 at 16:46, Michael Scott wrote:

Hello,


How do I do this? Using the OpenSSL command line tool, a certificate request 
must be self-signed, but the X25519 elliptic curve (newly supported in version 
1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards 
curve which can do signature. And indeed it is our intention to use the Edwards 
curve. But first I need a CA-signed X25519 cert. But because of the above 
catch-22 problem, I cannot create one.)


Mike



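The three items for the public key in the reply above, worked out for X25519 as an added example (not from the thread and not OpenSSL code): the draft Rich Salz links elsewhere in this thread, draft-ietf-curdle-pkix, was later published as RFC 8410, and the OID (id-X25519 = 1.3.101.110, id-Ed25519 = 1.3.101.112), the absent-parameters rule and the raw-32-byte BIT STRING encoding below are as that RFC fixes them. The decoder also applies the key-usage rule from the same document, which is the thread's catch-22 in one line: an X25519 key is keyAgreement-only, so it cannot sign the CSR that would carry it, whereas an Ed25519 key can. Function names are mine; the 32 public-key bytes are constructed test data, not a real curve point.

```python
"""Added example (not from the thread): SubjectPublicKeyInfo for X25519 /
Ed25519 as specified in draft-ietf-curdle-pkix (published as RFC 8410)."""

import base64

# DER content octets of the OIDs 1.3.101.110 (X25519) and 1.3.101.112 (Ed25519).
ID_X25519 = b"\x2b\x65\x6e"
ID_ED25519 = b"\x2b\x65\x70"
ALG_NAMES = {ID_X25519: "X25519", ID_ED25519: "Ed25519"}
# Key-usage bits RFC 8410 permits for each algorithm.
ALLOWED_KEY_USAGE = {
    "X25519": {"keyAgreement", "encipherOnly", "decipherOnly"},
    "Ed25519": {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"},
}


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; short-form length suffices for a 44-byte SPKI."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def encode_spki(alg_oid: bytes, pub: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    The AlgorithmIdentifier carries only the OID: no NULL, no curve parameters;
    the key is the raw 32 bytes in a BIT STRING with zero unused bits."""
    if len(pub) != 32:
        raise ValueError("X25519/Ed25519 public keys are exactly 32 bytes")
    alg_id = der(0x30, der(0x06, alg_oid))
    return der(0x30, alg_id + der(0x03, b"\x00" + pub))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a 25519 SPKI")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def decode_spki(data: bytes) -> tuple[str, bytes]:
    """Return (algorithm name, raw public key), enforcing the RFC 8410 rules."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg_id, pos = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, after_oid = _read_tlv(alg_id, 0)
    if tag != 0x06 or oid not in ALG_NAMES:
        raise ValueError("unknown algorithm OID %s" % oid.hex())
    if after_oid != len(alg_id):                 # anything after the OID = parameters
        raise ValueError("parameters MUST be absent for %s" % ALG_NAMES[oid])
    tag, bits, end = _read_tlv(body, pos)
    if tag != 0x03 or end != len(body):
        raise ValueError("subjectPublicKey must be the final BIT STRING")
    if len(bits) != 33 or bits[0] != 0:
        raise ValueError("public key must be 32 raw bytes with 0 unused bits")
    return ALG_NAMES[oid], bits[1:]


def can_sign_csr(spki: bytes) -> bool:
    """A CSR is self-signed with the key it carries, so only a key whose
    algorithm may carry digitalSignature can produce one."""
    alg, _ = decode_spki(spki)
    return "digitalSignature" in ALLOWED_KEY_USAGE[alg]


def spki_pem(spki: bytes) -> str:
    """PEM wrapper, the form `openssl pkey -pubout` writes."""
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % (
        base64.b64encode(spki).decode())


if __name__ == "__main__":
    fake_pub = bytes(range(32))   # constructed bytes, not a real curve point
    x_spki = encode_spki(ID_X25519, fake_pub)
    print(spki_pem(x_spki))
    print("X25519 can self-sign a CSR:", can_sign_csr(x_spki))
    print("Ed25519 can self-sign a CSR:", can_sign_csr(encode_spki(ID_ED25519, fake_pub)))
```

The 44-byte result always starts with the bytes 30 2a 30 05 06 03 2b 65 6e 03 21 00, so every PEM X25519 public key begins with the base64 prefix MCowBQYDK2VuAyEA (MCowBQYDK2VwAyEA for Ed25519); that is a quick way to tell the two apart in a file, and the decoder rejects the NULL parameters that RSA-style AlgorithmIdentifiers carry.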


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Salz, Rich
> 1. What is CFRG, I don't remember that acronym.

Crypto Forum Research Group,  part of the IETF's affiliated research group.  
Co-chair is Kenny Paterson of lucky-13 (etc).  Useful documents here as well as 
pointers to the mailing list https://datatracker.ietf.org/rg/cfrg/documents/  

> 2. What is the general procedure for generating a CSR for
>an encryption-only algorithm, such as DH, ECDH etc.?

I don't know of one.


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Michael Scott
Well, I can help with CFRG - it's the Crypto Forum Research Group.

Mike


On Wed, Jun 29, 2016 at 4:10 PM, Jakob Bohm  wrote:

> On 29/06/2016 16:53, Salz, Rich wrote:
>
>>> How do I do this? Using the OpenSSL command line tool, a certificate
>>> request must be self-signed, but the X25519 elliptic curve (newly supported
>>> in version 1.1.0), doesn't do signature, it can only be used for key
>>> exchange.
>>>
>> You cannot do it.
>>
>> You should look at the CFRG documents on Ed25519.
>>
> This raises two general questions:
>
> 1. What is CFRG, I don't remember that acronym.
>
> 2. What is the general procedure for generating a CSR for
>   an encryption-only algorithm, such as DH, ECDH etc.?
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
>


Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Jakob Bohm

On 29/06/2016 16:53, Salz, Rich wrote:
>> How do I do this? Using the OpenSSL command line tool, a certificate request
>> must be self-signed, but the X25519 elliptic curve (newly supported in version
>> 1.1.0), doesn't do signature, it can only be used for key exchange.
>
> You cannot do it.
>
> You should look at the CFRG documents on Ed25519.

This raises two general questions:

1. What is CFRG, I don't remember that acronym.

2. What is the general procedure for generating a CSR for
  an encryption-only algorithm, such as DH, ECDH etc.?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Salz, Rich
> How do I do this? Using the OpenSSL command line tool, a certificate request 
> must be self-signed, but the X25519 elliptic curve (newly supported in 
> version 1.1.0), doesn't do signature, it can only be used for key exchange.

You cannot do it.

You should look at the CFRG documents on Ed25519.



[openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Michael Scott
Hello,


How do I do this? Using the OpenSSL command line tool, a certificate
request must be self-signed, but the X25519 elliptic curve (newly supported
in version 1.1.0), doesn't do signature, it can only be used for key
exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an
Edwards curve which can do signature. And indeed it is our intention to use
the Edwards curve. But first I need a CA-signed X25519 cert. But because of
the above catch-22 problem, I cannot create one.)


Mike


Re: [openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

2016-06-29 Thread Steve Marquess
On 06/29/2016 07:09 AM, Sahil Gandhi wrote:
> Hi Ken,
> 
> Sorry for the late reply. I really appreciate your suggestion but I somehow
> need to have a static library, not the dynamic one.

You can statically link an application with the FIPS module, using the
special "fipsld" link process, but you cannot put the FIPS module in a
conventional static library (as managed with "ar").

Unfortunately the requirements of FIPS 140-2 conflict in several ways
with standard software engineering practice; it is the tail that wags
the dog.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


Re: [openssl-users] Using SSL with working sockets and events

2016-06-29 Thread Devchandra L Meetei
If you are intending to use the asynchronous event-based NIO library libuv,
then you might like to use a BIO pair.

I have done some abstraction on top
of OpenSSL so that it becomes easy for a callback-based async lib.

Maybe you can have a look at it.


On Wed, Jun 29, 2016 at 2:16 PM, Oz  wrote:

> I have a running program; the program is written in C.
> I want to convert it from connecting over HTTP to HTTPS (SSL).
>
> I have events for write/read/timeout/error and such.
>
> How do I continue to use the current socket FDs I have, but with OpenSSL
> over them, in the easiest and simplest way?
>
> I have created a CTX object, and an SSL object over it (SSL_new(..)).
>
> I thought about using BIO_new_socket, but I am having problems with the
> connection/handshake and reading/writing data (I am the client code only).
>
>
>
>
>



-- 
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did,” Steve Jobs


Re: [openssl-users] Getting error 'SSLv2_client_method': identifier not found

2016-06-29 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jeffrey Walton
> Sent: Tuesday, June 28, 2016 18:04
> To: OpenSSL Users
> Subject: Re: [openssl-users] Getting error 'SSLv2_client_method': identifier
> not found
> 
> On Mon, Jun 27, 2016 at 3:49 PM, Michael Wojcik
>  wrote:
> > SSLv2 is no longer supported, and neither are the SSLv2_*_method calls.
> (And
> > yes, this causes build problems when updating to newer OpenSSL builds;
> and
> > while that causes some pain, it was the Right Thing to do.)
> 
> The library should have unconditionally set OPENSSL_NO_SSL2 when it
> yanked SSLv2 support. It was warned about use cases like this.
> 
> When SSLv2 was re-added to return NULL, it still omitted
> OPENSSL_NO_SSL2.
> 
> There was no need to break existing client code in this case.

That's a valid argument. There was a time, not so long ago, when I made a 
similar argument on this very list (and was pretty cranky about proposed 
changes to the OpenSSL API).

At the moment, I'm inclined to prefer a compile-time error to a run-time one in 
this case. I suspect there's a fair bit of code out there which doesn't check 
for a null return from the *_method calls, leading to some puzzlement on the 
part of developers. (I'll agree re OPENSSL_NO_SSL2; that ought to be defined.)

But perhaps tomorrow I'll feel differently. There's an argument to be made 
either way.

-- 
Michael Wojcik
Technology Specialist, Micro Focus




Re: [openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

2016-06-29 Thread Sahil Gandhi
Hi Ken,

Sorry for the late reply. I really appreciate your suggestion but I somehow
need to have a static library, not the dynamic one.

Thanks & Regards,
-Sahil

On Mon, Jun 27, 2016 at 2:43 PM, Ken Chow  wrote:

> I think you should refer to the way of building an Android application:
> https://wiki.openssl.org/index.php/Android .
>
> Try wrapping libcrypto.so into your dynamic library with the specified FIPS
> compiler; once you have successfully generated your dynamic library, there is
> no need to specify the FIPS compiler for compiling your executable program any
> more. It worked for me, whether under Linux (gcc) or Android (NDK).
>
>
> 
>
>
> Ken Chow
> about.me/kenchowcn
>
>
> 2016-06-27 16:37 GMT+08:00 Sahil Gandhi :
>
>> Hi Steve,
>>
>> Could you please elaborate in detail?
>>
>> Many Thanks,
>> Sahil
>>
>> On Mon, Jun 27, 2016 at 12:49 PM, Sahil Gandhi 
>> wrote:
>>
>>> Hi Jakob,
>>>
>>> Thanks a lot for your time and detailed explanation.
>>>
>>> Regards,
>>> Sahil
>>>
>>> On Fri, Jun 24, 2016 at 7:13 PM, Jakob Bohm 
>>> wrote:
>>>
>>>> On 24/06/2016 15:24, Sahil Gandhi wrote:
>>>>
>>>>> Hi Steve,
>>>>>
>>>>> Could you please help me out?
>>>>> I tried to re-read that part of the user guide but no success.
>>>>> I know how to generate the fingerprint, but once I create a new static
>>>>> library out of libcrypto.a and libssl.a
>>>>> and generate the fingerprint of that new library, I don't know
>>>>> how to proceed further with that.
>>>>>
>>>>> Because if I use that new library (to create an executable) as it is, it
>>>>> throws a fingerprint mismatch error.
>>>>> My sample source file has a FIPS_mode_set(1) call only.
>>>>>
>>>> Because fipscanister.o is not compiled as 100% position independent
>>>> code (and cannot legally be done so due to the bureaucratic rules of
>>>> the FIPS validation), every new program linked to the FIPS enabled
>>>> libcrypto.a will end up with a different fingerprint for the
>>>> fipscanister.
>>>>
>>>> And if load address randomization is enabled in the operating system,
>>>> each new run of the program will end up with a different fingerprint
>>>> and thus not work.
>>>>
>>>> The situation is slightly better for the libcrypto.so DLL, because
>>>> if load address randomization is turned off and it is ensured that
>>>> libcrypto.so will load at a particular address every time, there
>>>> will only be one fingerprint for each compiled libcrypto.so DLL.
>>>>
>>>>> On Fri, Jun 24, 2016 at 4:14 PM, Steve Marquess wrote:
>>>>>
>>>>>> On 06/24/2016 03:10 AM, Sahil Gandhi wrote:
>>>>>>> Hi Jakob,
>>>>>>>
>>>>>>> Could you please elaborate on it? I am not getting it.
>>>>>>> I might be missing something but I did not get it.
>>>>>>>
>>>>>>> Many thanks, Jakob, for replying.
>>>>>>>
>>>>>>> -Sahil
>>>>>>>
>>>>>>> On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm wrote:
>>>>>>>
>>>>>>>> On 24/06/2016 07:59, Sahil Gandhi wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I have built Openssl-fips-2.0.10.tar on RHEL Linux (the same
>>>>>>>>> happens with Solaris 10). Then I built Openssl-1.0.1p using the
>>>>>>>>> respective FIPS object module (i.e. Openssl-fips-2.0.10.tar).
>>>>>>>>>
>>>>>>>>> Once I have built Openssl-1.0.1p, libcrypto.a and libssl.a have
>>>>>>>>> been created.
>>>>>>>>> I need to join these 2 libraries and make them one.
>>>>>>>>>
>>>>>>>>> I am doing it using the "ar" command as follows:
>>>>>>>>>
>>>>>>>>> ar -x libssl.a
>>>>>>>>> ar -x libcrypto.a
>>>>>>>>>
>>>>>>>>> Then combine all .o files to make a third library:
>>>>>>>>> ar -r libnew.a *.o
>>>>>>>>>
>>>>>>>>> But when I use this libnew.a in my sample (containing
>>>>>>>>> FIPS_mode_set(1)), it compiles successfully, but when I execute the
>>>>>>>>> executable it throws the error "finger print does not
>>>>>>>>> match:fips.c:232".
>>>>>>>>>
>>>>>>>>> Plz help.
>>>>>>>>> I need to combine both libraries and make them one.
>>>>>>>>>
>>>>>>>>> Any help/suggestion?
>>>>>>>>>
>>>>>>>> You forgot the special link step for FIPS enabled applications,
>>>>>>>> perhaps also some of the other required steps from the FIPS
>>>>>>>> module users guide.
>>>>>>>>
>>>>>> See https://openssl.org/docs/fips/UserGuide-2.0.pdf.
>>>>>>
>>>>>> The FIPS module requires special build-time voodoo to satisfy the
>>>>>> peculiar requirements of the FIPS

Re: [openssl-users] Using SSL with working sockets and events

2016-06-29 Thread Jakob Bohm

On 29/06/2016 10:46, Oz wrote:
> I have a running program; the program is written in C.
> I want to convert it from connecting over HTTP to HTTPS (SSL).
>
> I have events for write/read/timeout/error and such.
>
> How do I continue to use the current socket FDs I have, but with OpenSSL
> over them, in the easiest and simplest way?
>
> I have created a CTX object, and an SSL object over it (SSL_new(..)).
>
> I thought about using BIO_new_socket, but I am having problems with the
> connection/handshake and reading/writing data (I am the client code only).

Try BIO_new_socket + BIO_set_fd

Then do the standard OpenSSL socket loop that repeatedly checks if
OpenSSL wants you to wait for socket send ready, socket receive
ready, data from application ready or data to application ready,
then proceeds accordingly (There is an example in apps/s_client.c,
but it is difficult to read and contains optional stuff you won't
need in your app).  I think there is a better example somewhere.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[openssl-users] Using SSL with working sockets and events

2016-06-29 Thread Oz
I have a running program; the program is written in C.
I want to convert it from connecting over HTTP to HTTPS (SSL).

I have events for write/read/timeout/error and such.

How do I continue to use the current socket FDs I have, but with OpenSSL
over them, in the easiest and simplest way?

I have created a CTX object, and an SSL object over it (SSL_new(..)).

I thought about using BIO_new_socket, but I am having problems with the
connection/handshake and reading/writing data (I am the client code only).







Re: [openssl-users] Getting error 'SSLv2_client_method': identifier not found

2016-06-29 Thread Matt Caswell


On 29/06/16 01:03, Jeffrey Walton wrote:
> On Mon, Jun 27, 2016 at 3:49 PM, Michael Wojcik
>  wrote:
>> SSLv2 is no longer supported, and neither are the SSLv2_*_method calls. (And
>> yes, this causes build problems when updating to newer OpenSSL builds; and
>> while that causes some pain, it was the Right Thing to do.)
>>
>> As Rich said, don't use SSLv2. Don't use SSLv3. If you can help it, don't
>> use anything older than TLSv1.2.
> 
> The library should have unconditionally set OPENSSL_NO_SSL2 when it
> yanked SSLv2 support. It was warned about use cases like this.
> 
> When SSLv2 was re-added to return NULL, it still omitted
> OPENSSL_NO_SSL2.

Huh? We do define it?

From my 1.0.2 opensslconf.h:

#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif


Matt



[openssl-users] OpenSSL s_time output meaning

2016-06-29 Thread danigrosu
Using the `$ openssl s_time -connect localhost:443 -new -time 30` command
gives this output:

No CIPHER specified
Collecting connection statistics for 30 seconds
** etc.
8102 connections in 12.65s; 640.47 connections/user sec, bytes read 0
8102 connections in 31 real seconds, 0 bytes read per connection

What is the difference between 8102 connections in 12.65s and 8102
connections in 31 real seconds ?


