SSL_accept seg fault when adding extra chain cert
I'm using libssl0.9.8 0.9.8o-3 on Debian Lenny 5.0.3. When I use SSL_CTX_use_certificate then SSL_CTX_add_extra_chain_cert, I get random seg faults when calling SSL_accept for subsequent connections that reuse the SSL_CTX. However, I stopped getting the errors when I replaced SSL_CTX_add_extra_chain_cert with SSL_CTX_get_cert_store and X509_STORE_add_cert. Can anyone tell me what causes this error when using SSL_CTX_add_extra_chain_cert?

The stack trace when using SSL_CTX_add_extra_chain_cert is:

    #4  0x7feead7a7dd2 in asn1_ex_i2c () from /usr/lib/libcrypto.so.0.9.8
    #5  0x7feead7a8003 in ?? () from /usr/lib/libcrypto.so.0.9.8
    #6  0x7feead7a82a2 in ASN1_item_ex_i2d () from /usr/lib/libcrypto.so.0.9.8
    #7  0x7feead7a87a6 in ?? () from /usr/lib/libcrypto.so.0.9.8
    #8  0x7feead7a8452 in ASN1_item_ex_i2d () from /usr/lib/libcrypto.so.0.9.8
    #9  0x7feead7a882f in ?? () from /usr/lib/libcrypto.so.0.9.8
    #10 0x7feead7a8452 in ASN1_item_ex_i2d () from /usr/lib/libcrypto.so.0.9.8
    #11 0x7feead7a8b1b in ASN1_item_i2d () from /usr/lib/libcrypto.so.0.9.8
    #12 0x7feeada7a0c3 in ssl3_output_cert_chain () from /usr/lib/libssl.so.0.9.8
    #13 0x7feeada6ccd8 in ssl3_send_server_certificate () from /usr/lib/libssl.so.0.9.8
    #14 0x7feeada708a0 in ssl3_accept () from /usr/lib/libssl.so.0.9.8
    #15 0x7feeada7a4b5 in ssl23_get_client_hello () from /usr/lib/libssl.so.0.9.8
    #16 0x7feeada7ac85 in ssl23_accept () from /usr/lib/libssl.so.0.9.8

    # uname -a
    Linux telvisvm 2.6.26-2-amd64 #1 SMP Wed Aug 19 22:33:18 UTC 2009 x86_64 GNU/Linux

Thank you,
Telvis Calhoun
tcalh...@barracuda.com

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: Using certificate and private key from Windows cert store with OpenSSL
Duh... I was sure these were the needed parts. Now, I tried to call CryptExportKey with the PRIVATEKEYBLOB flag, and of course it returned an error, because the certificate was imported into the store without the Mark as Exportable option. But there has to be a way to use the certificate and private key somehow with OpenSSL? I'm really a beginner with this certificate thing, maybe I just don't understand something? :)

> Simple, really: You have not set the private part of the private key (d, p, q, dmp1, dmq1, iqmp). You need to export the private key from CryptoAPI too, and convert that blob, not the public key blob.
>
> Alternatively, I have heard rumors of a CryptoAPI engine plug in for OpenSSL which will let OpenSSL directly use the keys and certificates stored by Windows.
>
> On 10/28/2011 9:48 AM, Andrejs Štrumfs wrote:
>> Hi! I am trying to make a program that uses some Web Services in Delphi XE. To connect to the Web Services, I have to use a self signed (hope this is the correct term) certificate, which is stored in the Windows cert store. So, I open the cert store with CertOpenSystemStore, get the cert with CertFindCertificateInStore and set it with SSL_CTX_use_certificate. No problem with this.
>>
>> Then I get the public key blob with CryptExportKey and make up a private key like this:
>>
>>     function PrivKeyBlob2RSA(const AKeyBlob: PByte; const ALength: Integer;
>>       const ASSLCtx: PSSL_CTX): IdSSLOpenSSLHeaders.PEVP_PKEY;
>>     var
>>       modulus: PByte;
>>       bh: PBLOBHEADER;
>>       rp: PRSAPUBKEY;
>>       rsa_modlen: DWORD;
>>       rsa_modulus: PAnsiChar;
>>       rkey: PRSA;
>>     begin
>>       bh := PBLOBHEADER(AKeyBlob);
>>       Assert(bh^.bType = PUBLICKEYBLOB);
>>       rp := PRSAPUBKEY(AKeyBlob + 8);
>>       Assert(rp.magic = $31415352);
>>       rsa_modulus := PAnsiChar(Integer(Pointer(rp)) + 12);
>>       rkey := RSA_new_method(ASSLCtx.client_cert_engine);
>>       rkey^.References := 1;
>>       rkey^.e := BN_new;
>>       rkey^.n := BN_new;
>>       BN_set_word(rkey^.e, rp^.pubexp);
>>       rsa_modlen := (rp^.bitlen div 8) + 1;
>>       modulus := AllocMem(rsa_modlen);
>>       CopyMemory(modulus, rsa_modulus, rsa_modlen);
>>       RevBuffer(modulus, rsa_modlen);
>>       BN_bin2bn(modulus, rsa_modlen, rkey^.n);
>>       Result := EVP_PKEY_new;
>>       EVP_PKEY_assign_RSA(Result, PAnsiChar(rkey));
>>     end;
>>
>> and set it up with SSL_CTX_use_PrivateKey and SSL_CTX_check_private_key. Also, no problem so far. But then, when data transfer begins, I get an access violation in libeay32.dll - "Access violation at address 09881C5F in module 'libeay32.dll'. Read of address ." If I load the key from a .pem file, everything is fine. The libeay32.dll version is 1.0.0.5. Tried with version 0.9.something too - got the same error, just a different address.
>>
>> Below is the RSA structure I get in PrivKeyBlob2RSA:
>>
>>     pad            0
>>     version        0
>>     meth           $898030C
>>     engine         nil
>>     n              $A62D508
>>     e              $A62D4D8
>>     d              nil
>>     p              nil
>>     q              nil
>>     dmp1           nil
>>     dmq1           nil
>>     iqmp           nil
>>     ex_data        (nil, -1163005939 {$BAADF00D})
>>     references     1
>>     flags          6
>>     _method_mod_n  nil
>>     _method_mod_p  nil
>>     _method_mod_q  nil
>>     bignum_data    nil {#0}
>>     blinding       nil
>>     mt_blinding    nil
>>
>> I checked the n and e bignums, and they are CORRECT, and everything else looks ok. The error happens when calling function ssl_read.
>>
>> I can't see what I am doing wrong, please help :)
>>
>> Thanks
>> Andrejs
Re: Using certificate and private key from Windows cert store with OpenSSL
In that case look for the CryptoAPI engine for openssl, not sure of its official name though.

On 10/29/2011 8:21 AM, Andrejs Štrumfs wrote:
> Duh... I was sure these were the needed parts. Now, I tried to call CryptExportKey with the PRIVATEKEYBLOB flag, and of course it returned an error, because the certificate was imported into the store without the Mark as Exportable option. But there has to be a way to use the certificate and private key somehow with OpenSSL? I'm really a beginner with this certificate thing, maybe I just don't understand something? :)
>
> [...]
RE: Using certificate and private key from Windows cert store with OpenSSL
Ciao Andrejs.

I don't know much about the source code you posted previously but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows.

I hope it helps.

Sergio.

> Date: Mon, 31 Oct 2011 09:44:11 +0100
> From: jb-open...@wisemo.com
> To: openssl-users@openssl.org
> Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
>
> In that case look for the CryptoAPI engine for openssl, not sure of its official name though.
>
> [...]
Re: Using certificate and private key from Windows cert store with OpenSSL
Thanks, that was the option I was just suggesting, but I could not remember the name. Thanks for finding the name for me, hope it helps the OP.

On 10/31/2011 10:02 AM, Sergio NNX wrote:
> Ciao Andrejs.
>
> I don't know much about the source code you posted previously but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows.
>
> I hope it helps.
>
> Sergio.
>
> [...]
RE: Open SSL API's Support For IPv6.
Hi,

I tried with some different logic in the else part to get the dump of the error returned by the Bio_do_connect() API, but no luck. The file is getting created but nothing is getting written there.

    else {
        FILE * pFile1;
        char mystring [500];
        pFile1 = fopen ("result.txt", "a");
        if (pFile1 != NULL) {
            ERR_print_errors_fp(stderr);
            if ( fgets (mystring, 500, stderr) != NULL ) {
                fputs (mystring, pFile1);
            }
            fclose(pFile1);
        }
        cout << "The Bio_do_connect failed" << endl;
        break;
    }

And also tried this one, but no luck.

    else {
        FILE * pFile1;
        char mystring [500];
        pFile1 = fopen ("result.txt", "a");
        if (pFile1 != NULL) {
            ERR_print_errors_fp(stderr);
            fgets (mystring, 500, stderr);
            fputs (mystring, pFile1);
            fclose(pFile1);
        }
        cout << "The Bio_do_connect failed" << endl;
        break;
    }

Could you please have a look and help me here. I am not able to proceed further.

Thanks
Akanksha Shukla.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Akanksha Shukla
Sent: Saturday, October 29, 2011 11:47 PM
To: openssl-users@openssl.org
Subject: RE: Open SSL API's Support For IPv6.

Hi Michael,

Sorry for the confusion caused but the whole code sequence is like this:

    int retryCounter = 0;
    while (retryCounter < CONNECT_MAX_TRY) {
        int retVal = BIO_do_connect(conn);
        if (retVal <= 0) {
            if (BIO_should_retry(conn)) {
                retryCounter++;
                sleep(CONNECT_SLEEP_INTERVAL);
                FILE * pFile;
                pFile = fopen ("result_retry.txt", "a");
                if (pFile != NULL) {
                    ERR_print_errors_fp(pFile);
                    fclose(pFile);
                }
                continue;
            } else {
                FILE * pFile1;
                pFile1 = fopen ("result.txt", "a");
                if (pFile1 != NULL) {
                    ERR_print_errors_fp(pFile1);
                    fclose(pFile1);
                }
                cout << "The Bio_do_connect failed" << endl;
                break;
            }
        } else {
            cout << "The Bio_do_connect passes" << endl;
            break;
        }
    }

The retry counter is meant for the Bio_should_retry() API and it should try 10 times as the value of CONNECT_MAX_TRY is set to 10.

But in this case, the Bio_should_retry() API is passed, hence the value of the retry counter is not incremented and control goes to the else part where I am trying to print the error to a file. The break statement in the else part will cause control to move out of the while loop and hence "The Bio_do_connect failed" gets printed one time only. But the problem is that in the file result.txt, nothing is getting dumped, as I explained in the earlier mails also. But when I use fputs, I can see output in the file.

So, please suggest here what mistake I am making in writing the error to the file. Any help would be really appreciated here as I am getting stuck in the IPv4-only case, while I wanted to have logic which could serve my purpose for both IPv4 as well as IPv6.

Thanks
Akanksha Shukla.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael S. Zick
Sent: Wednesday, October 26, 2011 2:26 AM
To: openssl-users@openssl.org
Subject: Re: Open SSL API's Support For IPv6.

On Tue October 25 2011, Akanksha Shukla wrote:
> Hi Stephen,
>
> I added debug code as:
>
>     int retryCounter = 0;
>     while (retryCounter < CONNECT_MAX_TRY) {
>         int retVal = BIO_do_connect(conn);
>         if (retVal <= 0) {
>             if (BIO_should_retry(conn)) {
>                 retryCounter++;
>                 sleep(CONNECT_SLEEP_INTERVAL);
>                 FILE * pFile;
>                 pFile = fopen ("result_retry.txt", "a");
>                 if (pFile != NULL) {
>                     ERR_print_errors_fp(pFile);
>                 }
>                 continue;
>             } else {
>                 FILE * pFile1;
>                 pFile1 = fopen ("result.txt", "a");
>                 if (pFile1 != NULL) {
>                     ERR_print_errors_fp(pFile1);
>                 }
>                 cout << "The Bio_do_connect failed" << endl;
>             }
>         }
>     }
>
> After execution of the program, I saw that only the result.txt file is getting created and not the result_retry.txt file
Re: Open SSL API's Support For IPv6.
On Mon October 31 2011, Akanksha Shukla wrote:
> Could you please have a look and help me here. I am not able to proceed further.

Sorry, I do not have the required experience in either C or C like languages to be of any help. And you really need the help of a beginner's coding forum. I am lucky that I can even read anything C or C like. ;-)

Whatever forum you find that can help you with your program structure and implementation, keep in mind they will probably want posts in 'plain text' form - not HTML.

Mike
RE: Open SSL API's Support For IPv6.
Hi Michael,

Thanks for the reply. But I think the issue is not from the C perspective. As I already mentioned, if I use fputs to directly write a string to the file, then I am able to do that successfully. But when I try to write the error code thrown by the Bio_do_connect() API, then nothing is getting written to the file, and for that I have used the API suggested by Stephen in the forum (ERR_print_errors_fp(pFile)). Do you still think it's a programming fault? My point is that you all must have used these API's to get an error dump in a file, then why is it not coming in my case. Please clarify.

Thanks
Akanksha Shukla.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael S. Zick
Sent: Monday, October 31, 2011 6:49 PM
To: openssl-users@openssl.org
Subject: Re: Open SSL API's Support For IPv6.

On Mon October 31 2011, Akanksha Shukla wrote:
> Could you please have a look and help me here. I am not able to proceed further.

Sorry, I do not have the required experience in either C or C like languages to be of any help. And you really need the help of a beginner's coding forum. I am lucky that I can even read anything C or C like. ;-)

Whatever forum you find that can help you with your program structure and implementation, keep in mind they will probably want posts in 'plain text' form - not HTML.

Mike
Re: Open SSL API's Support For IPv6.
On Mon October 31 2011, Akanksha Shukla wrote:
>     ERR_print_errors_fp(stderr);

Because you're writing to stderr rather than pFile?

Mike
RE: Open SSL API's Support For IPv6.
Hi,

This was what I tried today to isolate the issue. But if you look into the earlier mail chains, then you would find that I have tried to write the error to pFile1. Please refer to that.

Thanks
Akanksha Shukla.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael S. Zick
Sent: Monday, October 31, 2011 10:19 PM
To: openssl-users@openssl.org
Subject: Re: Open SSL API's Support For IPv6.

On Mon October 31 2011, Akanksha Shukla wrote:
>     ERR_print_errors_fp(stderr);

Because you're writing to stderr rather than pFile?

Mike
Re: RE: Open SSL API's Support For IPv6.
On Mon 31/10/11 4:25 PM , Akanksha Shukla akshu...@cisco.com sent:
> Hi Michael,
>
> Thanks for the reply. But I think the issue is not from the C perspective. As I already mentioned, if I use fputs to directly write a string to the file, then I am able to do that successfully. But when I try to write the error code thrown by the Bio_do_connect() API, then nothing is getting written to the file, and for that I have used the API suggested by Stephen in the forum (ERR_print_errors_fp(pFile)).

Are you loading the strings?

From: http://www.openssl.org/docs/ssl/SSL_library_init.html

EXAMPLES

A typical TLS/SSL application will start with the library initialization, and provide readable error messages.

    SSL_load_error_strings();   /* readable error messages */
    SSL_library_init();         /* initialize library */

Carl
Re: Using certificate and private key from Windows cert store with OpenSSL
Sergio, how do I set this option when building OpenSSL? I didn't find any suggestions in the documentation. And can you give a link to the documentation on the site openssl.org where there are functions of the API to work with Windows CERT Stores?

From: Sergio NNX
Sent: Monday, October 31, 2011 1:02 PM
To: openssl-users@openssl.org
Subject: RE: Using certificate and private key from Windows cert store with OpenSSL

> Ciao Andrejs.
>
> I don't know much about the source code you posted previously but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows.
>
> I hope it helps.
>
> Sergio.
RE: openssl-1.0.1-stable-SNAP-20110927
Hi Steve,

Is it still disabled by default? In build 1.0.1-stable-SNAP-20111028, I do not see that line in ssl/ssl_lib.c as you mentioned, meaning enabled by default going forward?

Thanks,
-binlu

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 29, 2011 3:20 AM
To: openssl-users@openssl.org
Subject: Re: openssl-1.0.1-stable-SNAP-20110927

On Thu, Sep 29, 2011, Michael Haas wrote:
> Hello, I tried to enable TLS1.1 + TLS1.2 on Apache 2.2.21 with openssl-1.0.1-stable-SNAP-20110927 but didn't succeed. TLS 1.1 is working as expected but TLS 1.2 is not. I don't get a connection with TLS1.2, tried IE9 and Opera. Should TLS 1.2 work already with openssl 1.0.1 or is only the implementation of TLS 1.1 finished?
>
> I get the following error in the apache log with openssl s_client -tls1_2 -CAfile SSL_CA.pem -connect XXX.XXX.XXX.XXX:443
>
>     SSL Library Error: 336151598 error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

TLS v1.2 is disabled by default at present but can be reenabled at runtime or with a minor change to OpenSSL. In ssl/ssl_lib.c remove the line:

    ret->options |= SSL_OP_NO_TLSv1_2;

Or in the application call:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Using certificate and private key from Windows cert store with OpenSSL
Ciao.

I use MinGW to build OpenSSL and it has always worked very well.

Steps:

    a) perl Configure mingw shared enable-capieng --prefix=/mingw --openssldir=C:/OpenSSL
    b) make

After a while, you'll have openssl.exe and a couple of DLLs. At this stage, you'll be able to access the Windows Certificate store.

If you're using Windows boxes, I can send you my copy of OpenSSL for you to test.

I hope it helps.

Sergio.

> From: ml.vladimbe...@gmail.com
> To: openssl-users@openssl.org
> Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
> Date: Mon, 31 Oct 2011 21:40:44 +0400
>
> Sergio, how do I set this option when building OpenSSL? I didn't find any suggestions in the documentation. And can you give a link to the documentation on the site openssl.org where there are functions of the API to work with Windows CERT Stores?
>
> [...]
Re: strong TLS connections
Our monolithic program (which runs in well under a meg including the program and all memory it uses) is monitored for correct hash (an algorithm we have to give a 21 byte hash total of files for which I have never seen two different files with the same hash) from an off-site program AND onsite cron processes. It also has calls within itself to validate it has not been de-compiled and modified. It has timing alerts that make using gdb/dbx with break points virtually impossible. It is also tied to the serial number of the AIX box or network card address on others. If even one byte does not match what was sent, email alerts are sent, the program is removed (after documenting user ids, dates and times), the port is disabled, and so forth. Nothing is impenetrable, but an ordinary patching is not going to do the job.

Secondly, dynamic libraries if shared by say 10 programs could be modified for some purpose OTHER than my program. They may be debugging their software, and hence write a log file of data, not realizing that they are logging my raw credit card data. My software then becomes non-compliant due to the innocent actions of others. Or their software may require a certain version that has a vulnerability that I can't live with. And I don't want to have to monitor this.

Third, I certify my software with the static link. I know -- and the PCI compliance auditors know -- that it is compliant. If I have no control over dynamic libraries I have no way of KNOWING I am compliant in that environment. Neither does the customer or the auditor. Stray debug logging is, in fact, one of the primary causes of non-PCI compliance.

Fourth, I use different compiler switches than the open source (different thread choices, different one-char default behavior, etc). How that works without a static link is an open question (and there are many other issues).

The point of a static link is that ... it is static. You know what your program will do and you know how it will behave and you have tested, certified, and deployed in that manner. It is easy to validate that it has not been harassed.

The point of a dynamic link is to allow O/S updates that fix perceived bugs/holes. In some situations this may not be a good thing (like say in my stray debug example). And usually not relevant. I might be using only one particular encryption. The fixes might be for others. And ... as usual with all software, sometimes fixes also have unintended consequences.

I still think that the highest security is achieved with a static link. The easiest to keep current and updated is obviously the dynamic link. So that balance should be what decides.

E

At 12:13 PM 10/30/2011, you wrote:
>> There are taste issues on this -- but you may be happier with a static link. It will load a giga-blip faster too with static link, and you won't even notice :-) A lot will depend on what your software is and how much of it. We have thousands of customers. We do credit cards which requires certification and you cannot (should not) allow the customer to change your software by installing a dynamic library. In fact, what if they built themselves their own libraries that wrote the unencrypted text out to a file? Then they could steal credit card numbers. BAD BAD BAD. It is a security hole to allow dynamic libraries because you have no control on what is really there.
>
> If the code is running at the customer site, you have no control over it, whether it's static or dynamic linked. It might be a giga-blip easier for your customer/attacker to patch a dll, but it's still trivial to patch your monolithic program.
>
> Eric S.

Eberhard
(928) 567-3727 Voice
(928) 567-6122 Fax
(928) 301-7537 Cell
Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC
For Metropolis support and VICS MBA Support http://www.vicsmba.com
For pictures: http://www.vicsmba.com/ourpics/index.html (You can see why we love this state :-) )
Re: openssl-1.0.1-stable-SNAP-20110927
On Mon, Oct 31, 2011, Bin Lu wrote:

Hi Steve, Is it still disabled by default? In build 1.0.1-stable-SNAP-20111028, I do not see that line in ssl/ssl_lib.c as you mentioned, meaning enabled by default going forward?

It is enabled by default in newer snapshots now.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: RE: Open SSL API's Support For IPv6.
Hi Carl, I added the API calls as mentioned by you in the else part to get the dump of the error. But this time also, I am not successful.

    else {
        SSL_load_error_strings();
        SSL_library_init();
        FILE *pFile1;
        pFile1 = fopen("result.txt", "a");
        if (pFile1 != NULL) {
            ERR_print_errors_fp(pFile1);
            fclose(pFile1);
        }
        cout << "The Bio_do_connect failed" << endl;
        break;
    }

This time also, I got a blank file without any output in it. Am I missing something here or using them in an incorrect way? Please suggest.

Thanks
Akanksha Shukla.

-Original Message-
From: carlyo...@keycomm.co.uk [mailto:carlyo...@keycomm.co.uk]
Sent: Monday, October 31, 2011 10:07 PM
To: openssl-users@openssl.org; Akanksha Shukla
Subject: Re: RE: Open SSL API's Support For IPv6.

On Mon 31/10/11 4:25 PM , Akanksha Shukla akshu...@cisco.com sent:

Hi Michael, Thanks for the reply. But I think the issue is not from the C perspective. As I already mentioned, if I use fputs to directly write a string to file, then I am able to do that successfully. But when I try to write the error code thrown by Bio_do_connect() API, then nothing is getting written in file and for that I have used the API suggested by Stephen in the forum (ERR_print_errors_fp(pFile)).

Are you loading the strings? From: http://www.openssl.org/docs/ssl/SSL_library_init.html

EXAMPLES
A typical TLS/SSL application will start with the library initialization, and provide readable error messages.

    SSL_load_error_strings();   /* readable error messages */
    SSL_library_init();         /* initialize library */

Carl
RE: RE: Open SSL API's Support For IPv6.
From: Akanksha Shukla [mailto:akshu...@cisco.com]

Hi Carl, I added the API calls as mentioned by you in the else part to get the dump of the error. But this time also, I am not successful.

    else {
        SSL_load_error_strings();
        SSL_library_init();
        FILE *pFile1;
        pFile1 = fopen("result.txt", "a");
        if (pFile1 != NULL) {
            ERR_print_errors_fp(pFile1);
            fclose(pFile1);
        }
        cout << "The Bio_do_connect failed" << endl;
        break;
    }

This time also, I got a blank file without any output in it. Am I missing something here or using them in an incorrect way? Please suggest.

Thanks
Akanksha Shukla.

-Original Message-
From: carlyo...@keycomm.co.uk [mailto:carlyo...@keycomm.co.uk]

On Mon 31/10/11 4:25 PM , Akanksha Shukla akshu...@cisco.com sent:

Hi Michael, Thanks for the reply. But I think the issue is not from the C perspective. As I already mentioned, if I use fputs to directly write a string to file, then I am able to do that successfully. But when I try to write the error code thrown by Bio_do_connect() API, then nothing is getting written in file and for that I have used the API suggested by Stephen in the forum (ERR_print_errors_fp(pFile)).

Are you loading the strings? From: http://www.openssl.org/docs/ssl/SSL_library_init.html

EXAMPLES
A typical TLS/SSL application will start with the library initialization, and provide readable error messages.

    SSL_load_error_strings();   /* readable error messages */
    SSL_library_init();         /* initialize library */

Carl

Did you read the page he referred you to? Did you read the text he quoted? Did you think about what it said at all?
RE: RE: Open SSL API's Support For IPv6.
Hi, I am sorry if I misunderstood things. I went through the text quoted by him. Also, I did a google search for that and what I understood was:

ERR_load_crypto_strings() registers the error strings for all libcrypto functions. SSL_load_error_strings() does the same, but also registers the libssl error strings. One of these functions should be called before generating textual error messages. However, this is not required when memory usage is an issue. ERR_free_strings() frees all previously loaded error strings.

So, I thought that calling SSL_load_error_strings() would register the SSL error strings automatically and once that is done, then probably the SSL error string would get dumped in the file. This is what I understood and also I am not much familiar with SSL APIs. So, here it might be possible that I mis-interpreted things.

Thanks
Akanksha Shukla.

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeremy Farrell
Sent: Tuesday, November 01, 2011 1:39 AM
To: openssl-users@openssl.org; carlyo...@keycomm.co.uk
Subject: RE: RE: Open SSL API's Support For IPv6.

From: Akanksha Shukla [mailto:akshu...@cisco.com]

Hi Carl, I added the API calls as mentioned by you in the else part to get the dump of the error. But this time also, I am not successful.

    else {
        SSL_load_error_strings();
        SSL_library_init();
        FILE *pFile1;
        pFile1 = fopen("result.txt", "a");
        if (pFile1 != NULL) {
            ERR_print_errors_fp(pFile1);
            fclose(pFile1);
        }
        cout << "The Bio_do_connect failed" << endl;
        break;
    }

This time also, I got a blank file without any output in it. Am I missing something here or using them in an incorrect way? Please suggest.

Thanks
Akanksha Shukla.

-Original Message-
From: carlyo...@keycomm.co.uk [mailto:carlyo...@keycomm.co.uk]

On Mon 31/10/11 4:25 PM , Akanksha Shukla akshu...@cisco.com sent:

Hi Michael, Thanks for the reply. But I think the issue is not from the C perspective. As I already mentioned, if I use fputs to directly write a string to file, then I am able to do that successfully. But when I try to write the error code thrown by Bio_do_connect() API, then nothing is getting written in file and for that I have used the API suggested by Stephen in the forum (ERR_print_errors_fp(pFile)).

Are you loading the strings? From: http://www.openssl.org/docs/ssl/SSL_library_init.html

EXAMPLES
A typical TLS/SSL application will start with the library initialization, and provide readable error messages.

    SSL_load_error_strings();   /* readable error messages */
    SSL_library_init();         /* initialize library */

Carl

Did you read the page he referred you to? Did you read the text he quoted? Did you think about what it said at all?
RE: Open SSL API's Support For IPv6.
From: owner-openssl-us...@openssl.org On Behalf Of Akanksha Shukla
Sent: Monday, 31 October, 2011 08:48

<snip>

    {
        FILE *pFile1;
        char mystring[500];
        pFile1 = fopen("result.txt", "a");
        if (pFile1 != NULL) {
            ERR_print_errors_fp(stderr);
            if (fgets(mystring, 500, stderr) != NULL) {
                fputs(mystring, pFile);
            }
            fclose(pFile1);
        }
    }

<snip>

And also tried this one, but no luck.

<snip: same thing but no if() on fgets return>

These will never work. First of all, there's no promise you can read from stderr (or stdout) at all. Even on systems and in situations (e.g. redirection) where you can read, you have to fseek or fsetpos first (or fflush if you are already positioned, which here you aren't).

The approach I thought you had before,

    if (pFile1 != NULL) ERR_print_errors_fp(pFile1);

should work assuming the fopen succeeded. Could 'results.txt' be a pre-existing file that is not writable? (If this code is part of a bigger program/process, is everything run and owned by your userid, or is it more complicated?)

I suggest divide and conquer -- just call ERR_print_errors_fp(stdout). You won't get the info to the file where you may want it, but you should get it somewhere you can see, assuming you are seeing the other cout stuff. And printf or cout retVal, just to make sure what it is. Then you can figure out writing to a file.

Even if you get hex codes instead of friendly strings, because you didn't _load_error_strings, it's still better than nothing. You can decode them with commandline errstr.
RE: Problems with AES-CFB1
From: owner-openssl-us...@openssl.org On Behalf Of Michael S. Zick
Sent: Sunday, 30 October, 2011 06:36

On Sun October 30 2011, Ananthasayanan Kandiah wrote:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/aes.h>
    #include <openssl/bio.h>

    #define KEY_SIZE 16

Ask the compiler to help you:

    mszick@wolf466:~/crypto$ gcc -Wall -E aes_test.c | grep _SIZE
    aes_test.c:6:9: error: macro names must be identifiers
    unsigned char key_data[KEY_SIZE] = {
    AES_set_encrypt_key(key_data, KEY_SIZE * 8, key);

I don't know what happened to the message you got, but I got

    #define KEY_SIZE 16

which is a valid identifier, compiled without error, and gave the symptom reported -- because CRYPTO_cfb128_1_encrypt treats the length as bits not bytes (apparently only used for AES and Camellia). 97 bits is 12 bytes plus 1 bit, and that 'extra' bit is 0 and thus 'disappears'.

Note these CFB-1 and CFB-8 modes don't update 'num', so OP's line 68 is unnecessary (but harmless). CFB-block (16 bytes = 128 bits) does.