Re: https server using openssl

2012-10-30 Thread Andrey Koltsov

Hi.

I think that you should write a simple HTTP server first and add SSL
support to it afterwards.



Best regards,

Andrey Koltsov
software developer


29.10.2012 20:49, Indtiny s writes:


Hi,
I have the CCM cipher suite in openssl and for some other requirement I have to
write my own simple webserver... Can somebody help me to develop a simple
openssl-based webserver?

I just need to support the POST operation on my server side,
i.e., in my requirement, the client will post the data to the web server; the server
should receive the data and provide the HTTP response 201 to the client.

How to start implementing this with the help of openssl?

Rgds
Indu


__
OpenSSL Project                     http://www.openssl.org
User Support Mailing List           openssl-users@openssl.org
Automated List Manager              majord...@openssl.org


Re: OpenSSL DES generates '\n' in encrypted code

2012-08-21 Thread Andrey Koltsov

Hi Tarun.

Output of every encryption function is always binary, so it can contain
ANY character. You should encode this binary string to base64 or hex
format yourself to pass it to your application. Do not forget to do the
reverse encoding before decrypting.



Best regards,

Andrey Koltsov
software developer
CyberplatSoft Ltd

21.08.2012 11:16, Tarun Thakur writes:


Hi All,

The issue is that the encrypted code contains '\n', which is a major issue for my
software application.

Given below is the problem summarized.

I have used the OpenSSL library's DES_ede3_ofb64_encrypt() function to perform
encryption byte by byte on a chunk of 24 bytes.

For example:
Input 24 bytes are:
[root@tarun]# cat input.txt


It encrypts 24 bytes successfully.
Generates encrypted data, for example:
[root@tarun]# cat code.txt
  RÛÄSÒ
   É#k7uÀÎCZ!°p

Here comes the problem for my software application: I want all 24 encrypted
bytes in sequence WITHOUT '\n'.
If possible in printable characters.

Can you please help or give guidance on how to avoid '\n' in the encrypted code?
Is there any range of characters I can specify to the DES algorithm which can be
used for encrypted code generation?

Please help I am stuck.

Thanks.
Tarun




Re: OpenSSL DES generates '\n' in encrypted code

2012-08-21 Thread Andrey Koltsov

Hi.

base64 format can encode strings of any length. The encoded result would 
be longer of course.


Best regards,

Andrey Koltsov
software developer
CyberplatSoft Ltd

21.08.2012 11:45, Tarun Thakur writes:


Hi,

Thanks for your reply..

But the issue with base64 encoding is that it will generate encoded text greater than
24 bytes. The application output should generate encrypted code of exactly 24 bytes,
the same as the input.

Thanks,
Tarun





Re: OpenSSL and GOST engine issue (statically linked library )

2012-06-14 Thread Andrey Koltsov

Do you have the following sections in your openssl.cnf file?

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

There should not be any dynamic_path parameter in gost_section.


Best regards,

Andrey Koltsov
software developer


14.06.2012 15:25, Abyss Lingvo wrote:

I have added the OpenSSL_add_all_algorithms(); function call to the initialization part,
but without success.
The same behavior as before.

What's more, for the dynamically linked version it works without the
OpenSSL_add_all_algorithms() call.









Re: Question about EVP_PKEY_decrypt() with 4K RSA key

2012-06-13 Thread Andrey Koltsov

Hi.

Here is a result on my Cygwin + OpenSSL 1.0.1c 10 May 2012

Reading keys...keys are ready.
Encrytion/decryption with RSA-based function is OK.
Encrytion/decryption with EVP-based function is OK.
Signature chek is OK.

It seems it works fine.


Best regards,

Andrey Koltsov


13.06.2012 15:51, Oleksiy Lukin wrote:

Hi, openssl hackers!

I wrote a little program that demonstrates the problem, see attached file.
It's a bit long, but it shows that only EVP_PKEY_decrypt() fails with 4K
keys. The rest of the functions are just fine.

See evp_decrypt_with_pvtk() function for failure.

06.06.12 05:40, Dave Thompson wrote:

From: owner-openssl-us...@openssl.org On Behalf Of Oleksiy Lukin
Sent: Tuesday, 05 June, 2012 03:59
I have a problem with the EVP_PKEY_decrypt() function and a 4K RSA private key
decrypting data encrypted with EVP_PKEY_encrypt() and the corresponding
public key. Keys were generated using the openssl CA shell script.


Are you counting bits (as is conventional) or bytes/octets?

Bits, sure.

EVP_PKEY_decrypt() just returns -2 saying that this key is not
supported. BUT! RSA_private_decrypt() works just fine with this key and
successfully decrypts data encrypted by EVP_PKEY_encrypt()! Sign and
verify operations work fine with EVP_PKEY_sign() and EVP_PKEY_verify()
with the same keys.

I use openssl 1.0.1c.

The questions are:

1. Is there some meaningful limitation coded into EVP_PKEY_decrypt()
that does not allow the decrypt operation?

Not that I see, and 1c works for me with a 4kbit RSA key.

There is a limit in the *RSA* module to 16kbit in all cases, and a
smaller limit on publickey operations *not* using a small exponent.
Both these limits apply whether used through EVP or directly, and
RSA keys generated by OpenSSL (always?) have small exponents.


2. If there are no such limitations, how can I make it work with 4K RSA keys?


No idea. Try to produce a minimal test program that fails and post it.




Re: OpenSSL and GOST engine issue (statically linked library )

2012-06-13 Thread Andrey Koltsov

Hi.

I think you should add
OpenSSL_add_all_algorithms();
in your initialization part.

Best regards,

Andrey Koltsov
software developer

13.06.2012 17:21, Abyss Lingvo wrote:

Hi all !

This is my first mail to openssl mailing list.

I have a problem with the statically linked openSSL library and the GOST crypto engine.
OpenSSL 1.0.0g

I have a simple client/server application using GOST keys and certificates. It
works fine with GOST keys, but only if I use the dynamically linked version of the
openSSL library. If I try to use statically linked openSSL I get an error
message.

This is how I initialized openSSL library:

OPENSSL_config(correct config file path);
SSL_library_init();
SSL_load_error_strings();

When I try to read the certificate file I get an error.

SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)

Return value here is not 1. So this is an error.

The human readable error message is:

3084809868:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported 
algorithm:p_lib.c:239: 3084809868:error:0B07706F:x509 certificate 
routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155: 
3084809868:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:

When I use the same code with the dynamically linked openSSL library with the external
GOST engine library everything works fine. So what is the difference between the
static and dynamic version? The only idea that I have at this time is that my
library initialization sequence is wrong.

I checked symbols in the compiled libcrypto.a library.

nm ./libcrypto.a | grep gost

This command gave me output with many GOST functions which were included in the
libcrypto.a library. So I think that the library was compiled properly and all GOST
engine functions were included in the static library.

The unsupported algorithm error message means that the GOST functions were not
initialized properly. The question is: how to properly initialize engines with statically
linked openSSL?

Is it possible to use engines with a statically linked openssl library in general?

Best Regards
Xidex




Re: SSL attack scenario

2009-05-17 Thread Andrey Koltsov

João Távora writes:


TCP does not provide delivery assurance. If the application needs to know
the data got through, it must use application-level acknowledgements. SSL
does not change this and provides the same set of guarantees and assurances
TCP does.


I'm sorry to disagree but TCP, unlike UDP, does provide reliable data 
transfer. It does allow hijacking. I'll take from wikipedia to try to 
explain better


http://en.wikipedia.org/wiki/Transmission_Control_Protocol

TCP is a reliable stream delivery service that guarantees delivery of 
a data stream sent from one host to another without duplication or 
losing data. Since packet transfer is not reliable, a technique known 
as positive acknowledgment with retransmission is used to guarantee 
reliability of packet transfers. This fundamental technique requires 
the receiver to respond with an acknowledgment message as it receives 
the data. The sender keeps a record of each packet it sends, and waits 
for acknowledgment before sending the next packet. The sender also 
keeps a timer from when the packet was sent, and retransmits a packet 
if the timer expires. The timer is needed in case a packet gets lost 
or corrupted.

What this article says is this: if you *received* data from a TCP
connection it will be without duplication or losing data. It doesn't
say: if you *send* data it will be received correctly by the other host.
It's impossible to guarantee.


--
Andrey Koltsov




Re: Question about GOST engine in Openssl 1.0

2009-05-06 Thread Andrey Koltsov

Thanks, static compilation works fine.

And one remark. The file engines/ccgost/readme.gost has an example
configuration for the GOST engine:


   [gost_section]
   engine_id = gost
   dynamic_path = /usr/lib/ssl/engines/libgost.so
   default_algorithms = ALL
   crypt_params = id-Gost28147-89-CryptoPro-A-ParamSet

The last line doesn't work on Linux and Windows. It should read

CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet



Victor B. Wagner writes:

On 2009.05.05 at 13:47:50 +0200, Dr. Stephen Henson wrote:
  

Yes it's just a case of hacking util/mkmf.pl and/or some Makefiles. If OpenSSL
is compiled without shared library engines (enable-static-engine) in the
command line you *do* get the GOST engine under VC++.



And I think that static compilation is only case where compiling OpenSSL
with VC++ can be important. Mingw-compiled DLLs are compatible with VC++
compiled applications. But with static libraries the situation is slightly
different.




--

Best regards,


Andrey Koltsov
programmer, OJSC Cyberplat
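As an added example (not from the thread or the OpenSSL project), a Python check that follows the openssl_def -> engine_section -> gost_section chain given in the 2012 reply further up and flags the two problems raised in both GOST threads: a dynamic_path entry in a statically linked build, and a crypt_params key not spelled CRYPT_PARAMS. The function name and the sample file are constructed; the section names and keys are the ones quoted in the messages.

```python
import configparser
from typing import List

# Constructed sample openssl.cnf: the readme.gost stanza quoted in the thread
# (lowercase crypt_params, dynamic_path present) under the openssl_def ->
# engine_section chain from the 2012 reply.
SAMPLE_CNF = """\
[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
dynamic_path = /usr/lib/ssl/engines/libgost.so
default_algorithms = ALL
crypt_params = id-Gost28147-89-CryptoPro-A-ParamSet
"""


def lint_gost_engine(cnf_text: str, static_build: bool) -> List[str]:
    """Follow openssl_def -> engines -> gost and list misconfigurations (empty = OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # openssl.cnf keys are case-sensitive; keep them as written
    # Real files carry bare keys (openssl_conf = ...) above the first section
    # header, which configparser rejects, so park them in a synthetic section.
    cp.read_string("[__top__]\n" + cnf_text)
    eng_sec = cp.get("openssl_def", "engines", fallback=None)
    if eng_sec is None or not cp.has_section(eng_sec):
        return ["[openssl_def] has no 'engines' entry naming an existing section"]
    gost_sec = cp.get(eng_sec, "gost", fallback=None)
    if gost_sec is None or not cp.has_section(gost_sec):
        return [f"[{eng_sec}] has no 'gost' entry naming an existing section"]
    sec = cp[gost_sec]
    findings = []
    if sec.get("engine_id") != "gost":
        findings.append(f"[{gost_sec}] engine_id must be 'gost'")
    # Statically linked engine: the thread says dynamic_path must be absent.
    if static_build and "dynamic_path" in sec:
        findings.append(f"[{gost_sec}] dynamic_path is set, but the engine is linked statically")
    for key in sec:
        # The thread reports that the key is only honoured when spelled CRYPT_PARAMS.
        if key.lower() == "crypt_params" and key != "CRYPT_PARAMS":
            findings.append(f"[{gost_sec}] '{key}' is ignored; spell it CRYPT_PARAMS")
    return findings
```

Run with `static_build=False` for a build that loads libgost.so dynamically, where dynamic_path is expected and only the key spelling is checked.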



Question about GOST engine in Openssl 1.0

2009-05-04 Thread Andrey Koltsov

As I understand, the GOST engine works on Windows with mingw support only.
Is it planned to make it compile with VC++ also?

If not, is it because of technical problems or some legal issues?

Thanks,
Andy Koltsov



Re: unexpected SSL_ERROR_ZERO_RETURN

2009-01-09 Thread Andrey Koltsov

In my case (not Md Lazreg) I can control only the client part of the connection.
I use a heavily patched OpenSSL 0.9.8d.
The server side uses some version of MS Windows. I believe it is MS Server
2003 or newer.


I was hoping that the solution for Md Lazreg would help in my case.



Kyle Hamilton writes:

Specifically, what versions of the MS operating system are you running
on the servers?

-Kyle H

On Wed, Jan 7, 2009 at 4:44 AM, Andrey Koltsov kolt...@cyberplat.com wrote:
  

I have the same problem with my client Openssl application. The server side
is MS IIS. And all other parties use Microsoft based clients and have no
such problems.
It seems that a client side is a source of trouble not a server side.

Suggestions from anyone are welcome.







Re: unexpected SSL_ERROR_ZERO_RETURN

2009-01-07 Thread Andrey Koltsov

I have the same problem with my client OpenSSL application. The server
side is MS IIS. And all other parties use Microsoft-based clients and
have no such problems.

It seems that the client side is the source of trouble, not the server side.

Suggestions from anyone are welcome.



Hi,

I have an SSL server handling many clients successfully using
openssl-0.9.8e. From time to time, however, there are some clients that fail
to connect to it. Debugging shows that the problem happens when the client
attempts the first SSL_read, which unexpectedly returns 0.

Checking then for the SSL error shows that it has the value
SSL_ERROR_ZERO_RETURN. According to the SSL documentation this should happen
only if the SSL connection has been closed. I do know that my server is not
closing it, since it is handling many other clients correctly. I also know
that for the clients facing this problem the handshake phase is done
correctly; it is only when the first SSL_read happens that somehow the
connection is dropped. I have no idea why; if anyone can help me.

Thanks
  

