test mail..please ignore
Test mail, please ignore. Not receiving mails that I send to openssl.

--
Thank you, Best Regards
Riaz Ur Rahaman

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
ENGINE implementation done but facing errors
Hi,

I am trying to connect using s_client. It works fine for a couple of hours and after that I keep getting this error message.

=
$ openssl s_client -ssl3 -connect IP_NUMBER:PORT(443)
CONNECTED(0003)
depth=0 /CN=XYZ 7FDA7830/O=XYZ Co./OU=000E7FDA7830/OU=AS961A 3REJ7961A
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=XYZ 7FDA7830/O=XYZ /OU=000E7FDA7830/OU=AS961A 3REJ7
verify return:1
1608:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1031:SSL alert number 20
1608:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:514:
=

I am using the hardware engine. I had sent a mail some time back asking why the engine is not getting enabled by default. Well, I did manage to get a solution. When using the engine from the application's point of view, you do require to set the default engine from the application code, but when your engine has to come up and be set as default, then you have to set your engine functions as default by using the API ENGINE_set_default_RSA(ENGINE *e), and the same goes for all the functions that are to be done using the hardware. This is mainly intended for stand-alone applications.

Also, even before OpenSSL comes up, you have to call ENGINE_load_builtin_engines, which initializes the engine tables with the available engines, and during this phase, when you make a call to the bind_helper, you have to set which engine is going to be your default implementation after binding the function pointers through the API ENGINE_set_default_RSA or whatever you need to set as default. The reason for calling ENGINE_load_builtin_engines before your OpenSSL comes up is because, when you don't initialize your engine and set it as default, the OpenSSL code takes the software implementation as default. So it is a safe implementation if you can do that at the start.

Hope the above info helps. And someone please advise me about the above error...

--
Thank you, Best Regards
Riaz Ur Rahaman
What happens if certificate validation fails - what s_client error codes exist?
I was going to write a Perl script that updates my IP at dyndns.org using a secure connection, making use of openssl s_client to keep it simple (and to avoid newbie mistakes). I use -CAfile to point to the Thawte root certificate I got from thawte.com, as dyndns.org uses a Thawte-signed certificate. What I do exactly is:

openssl s_client -CAfile /path/to/thawte/certificate -connect www.dyndns.org:443

Now this facilitates quite a lot of output and lots of "verify return:1" lines, and in the end a block with the SSL session id and "Verify return code: 0 (ok)". As I could not find any comment about s_client's error codes, I'm not quite sure if and how I could detect that the SSL connection has been established and the server's certificate was accepted. Does no verify return codes except 1 and 0 mean everything is okay?

Thanks for reading and best regards,
Peter Asemann
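The check Peter is asking for, written as a small parser over s_client's output. This is an added example and not part of the original thread. It looks at the three kinds of verification lines s_client prints: the per-certificate "depth=" and "verify error:num=" lines come from s_client's verify callback, which by default returns 1 to let the handshake continue (that is why Riaz's self-signed output above shows "verify return:1" right after an error), while the closing "Verify return code: N (text)" line is the result of SSL_get_verify_result after the handshake. The parser treats the connection as verified only when CONNECTED was reached, no callback error was printed, and the final code is 0. The three transcripts are constructed samples, not captures from dyndns.org or any other host.

```python
"""Decide from `openssl s_client` output whether the TLS connection was
established and the server certificate actually verified.

Added example; it is not part of the original thread. Input is the text
s_client prints; the transcripts below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Lines printed by s_client's verify callback, one group per certificate.
DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
# Final verdict, printed from SSL_get_verify_result() after the handshake.
FINAL_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)\s*$")


@dataclass
class VerifyReport:
    connected: bool = False                     # saw CONNECTED(...)
    # (depth, subject, error number, error text) per callback error
    errors: List[Tuple[Optional[int], str, int, str]] = field(default_factory=list)
    final_code: Optional[int] = None            # None: handshake never finished
    final_text: str = ""

    @property
    def verified(self) -> bool:
        """True only if we connected, no callback error was reported and
        the final verify result is 0 (ok)."""
        return self.connected and self.final_code == 0 and not self.errors


def parse_s_client(output: str) -> VerifyReport:
    report = VerifyReport()
    depth: Optional[int] = None
    subject = ""
    for line in output.splitlines():
        if line.startswith("CONNECTED("):
            report.connected = True
            continue
        m = DEPTH_RE.match(line)
        if m:                                   # remember which cert we're in
            depth, subject = int(m.group(1)), m.group(2)
            continue
        m = ERROR_RE.match(line)
        if m:                                   # error for the current cert
            report.errors.append((depth, subject, int(m.group(1)), m.group(2)))
            continue
        m = FINAL_RE.match(line)
        if m:
            report.final_code, report.final_text = int(m.group(1)), m.group(2)
    return report


# Constructed sample: chain verifies against the supplied CA file.
GOOD_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Server CA
verify return:1
depth=0 /C=US/O=Example/CN=www.dyndns.org
verify return:1
---
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 0 (ok)
---
"""

# Constructed sample: self-signed server cert; the callback reports error 18
# but still returns 1, so the handshake continues and the final code is 18.
SELF_SIGNED_OUTPUT = """\
CONNECTED(00000003)
depth=0 /CN=XYZ 7FDA7830/O=XYZ Co.
verify error:num=18:self signed certificate
verify return:1
---
SSL-Session:
    Protocol  : SSLv3
    Verify return code: 18 (self signed certificate)
---
"""

# Constructed sample: TCP connect worked but the handshake failed, so no
# verdict line is ever printed.
HANDSHAKE_FAILED_OUTPUT = """\
CONNECTED(00000003)
3520:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1194:
"""


if __name__ == "__main__":
    for name, text in [("good", GOOD_OUTPUT), ("self-signed", SELF_SIGNED_OUTPUT),
                       ("failed", HANDSHAKE_FAILED_OUTPUT)]:
        r = parse_s_client(text)
        print(f"{name:12s} verified={r.verified} code={r.final_code} errors={r.errors}")
```

In a script, feed the combined stdout and stderr of s_client to parse_s_client and act only on `verified`; the absence of a "Verify return code" line (handshake aborted) and a non-zero code are both treated as failure, and any callback error is treated as failure even if a later line says 0.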
bad record mac in handshake
Hi.

I'm trying to implement an EAP-TLS server. Now I can get the TLS handshake to start between my server and the client. The problem is that after receiving the change_cipher_spec and the finished message (encrypted) from the client, the ssl object sends an alert message (bad record mac). What can be the causes of this error?
Engine driver for FPGA?
Hi everybody.

Is there anyone who implemented an engine driver for hardware encryption in an FPGA? The goal is to perform DES and 3DES, and one possible core could be Alliance MC-XIL-DES Data Encryption Standard Engine Core. Which is the best approach to make this work?

//André
undefined symbol _cleanup (binding 1 type 0)
Hi,

I have configured OpenSSL for vxworks-mipsle with the no-shared and no-fips options. make was successful, but on the embedded application, if I load the , some of the exe files of the test directory give the errors:

undefined symbol _cleanup (binding 1 type 0)
undefined symbol _exit (binding 1 and type 0)
can't relocate; recompile module with -mlong-calls flag (which I have already done)
ld error: error reading file (errno = 0x3d0001)

Could anyone tell me what could be wrong?

Thank you
vijay
Re: Engine driver for FPGA?
Hello Andre,

I've found this project: http://www.opencores.org/projects.cgi/web/des/overview

It is a DES and 3DES implementation fitted to Xilinx Altera FPGA; Verilog sources.

tomas

On Wednesday 16 of February 2005 14:46, [EMAIL PROTECTED] wrote:
> Hi everybody.
> Is there anyone who implemented an engine driver for hardware encryption in an FPGA? The goal is to perform DES and 3DES, and one possible core could be Alliance MC-XIL-DES Data Encryption Standard Engine Core. Which is the best approach to make this work?
> //André
Unexpected record when client renegotiates
I am experiencing some problems with OpenSSL renegotiations. The scenario is quite simple: if a server is sending data to the client while the client requests a renegotiation, the client will fail because it encountered an unexpected application data record.

I'm unsure whether this behavior is a bug or whether it is expected behavior. I checked the OpenSSL documentation but was unable to find anything related to this problem. I searched the mailing list archives and discovered that others have already asked about this problem, but I could find no responses to these questions. Here are four related posts, with the most recent posts listed first:

* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/21a982b37abc3b1a/b59af8dd1bced845
* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/b4e4dfb5afe85ae5/c0504dc6db750f71
* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/a21dfc5e8e2fd414/1f46224112e3cc4b
* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/2324b7b1bab8070c/05d055256fabe8d1

This problem can be demonstrated in the s_server and s_client sample programs. I have tested this with the last stable release (openssl-0.9.7e) as well as with Monday's snapshot (openssl-SNAP-20050214.tar.gz). Here's how to duplicate:

- Launch the server and client, using default settings (no command line parameters) and using the certs in the apps folder.
- In the server, type a message such as Hello, but do not press enter.
- In the client, press 'R'; it will display a RENEGOTIATING message.
- In the server, press enter to send the Hello message.

The client will fail with the following error:

3520:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:.\ssl\s3_pkt.c:1194:

In a real-world environment, it appears that when the client requests a renegotiation while the server is streaming data, the client will fail because it received unexpected application data from the server. Is this a limitation of the SSL protocol, of the OpenSSL library, or of the s_server and s_client samples? Also, what is the appropriate way of dealing with this problem? Will OpenSSL eventually support this, or is this something that must be built into each application's protocol?

Thank you.
Matthias Miller
SSL_CTX_load_verify_locations
Is there any alternative API for SSL_CTX_load_verify_locations? SSL_CTX_load_verify_locations ends up using STDIO calls and I am trying to avoid STDIO calls. I am stuck here and I need your help to proceed further. Any help is appreciated.

Thanks
Vijay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Schwartz
Sent: Tuesday, February 15, 2005 10:31 AM
To: openssl-users@openssl.org
Subject: RE: use os BIOs

> > I'm trying to implement an eap-tls server using openssl and I've found only few examples about using memory BIOs to perform a TLS handshake. Can you give me some pointer to documentation about this or to some examples? The code that I'm using is very simple:
> >
> > openssl initialization ...
> > SSL_set_accept_state(ssl);
> > when a packet is received
> > BIO_write(in_BIO, packet data, datalen);
> > BIO_read(out_BIO, data, datalen);
> > send packet with data
> >
> > Can this approach work?
>
> Yes.
>
> > Sometimes the read returns -1 (no data available), but it should give some data (e.g. the ServerHello). What am I missing?
>
> What you're missing is that the OpenSSL engine is the boss of what to do when. You have to do four things, and you must do each one when the OpenSSL engine tells you to:
>
> 1) You must receive encrypted data from the other end and hand it to OpenSSL.
> 2) You must take encrypted data from OpenSSL and send it to the other end.
> 3) You must take plaintext from the application and give it to OpenSSL to encrypt.
> 4) You must take plaintext from OpenSSL and process it.
>
> Do not ever assume that because you did 1, you will next do 4. This might happen, but it might not. Assumptions will lead to deadlock.
>
> DS
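David's four duties, driven end to end in one process so the order in which OpenSSL asks for each of them can be watched. This is an added example and not code from the original thread or from the EAP-TLS server being discussed. It uses Python's ssl module (OpenSSL underneath) with two memory BIOs per side, exactly the in_BIO/out_BIO arrangement from the quoted message; instead of a hand-written loop that assumes "I fed a packet in, so a packet must come out", the driver keeps asking OpenSSL to continue and moves whatever bytes appear, and it raises when a round moves nothing while a side is still waiting, which is the deadlock David warns about. The only external assumption is that the openssl command-line tool is available to mint a throwaway self-signed certificate for CN=localhost; the Endpoint, run_handshake and send names are this example's own.

```python
"""Driving a TLS handshake purely through memory BIOs: OpenSSL decides what
happens next, the application only shuttles bytes in four directions.

Added example, not from the original thread. Assumes the `openssl` CLI is
installed so a throwaway self-signed certificate can be generated.
"""
import os
import ssl
import subprocess
import tempfile


def make_self_signed_cert(workdir):
    """Throwaway key and cert for the demo (assumes the openssl CLI)."""
    key = os.path.join(workdir, "key.pem")
    cert = os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return key, cert


class Endpoint:
    """One side of the connection: an SSLObject plus its two memory BIOs."""

    def __init__(self, ctx, server_side, server_hostname=None):
        self.incoming = ssl.MemoryBIO()   # duty 1: ciphertext from the peer
        self.outgoing = ssl.MemoryBIO()   # duty 2: ciphertext for the peer
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_side=server_side,
                                server_hostname=server_hostname)
        self.received = b""               # duty 4: plaintext for the app
        self.handshake_done = False

    def flush_to(self, peer):
        """Duty 2 here feeding duty 1 on the other side. Returns bytes moved."""
        data = self.outgoing.read()
        if data:
            peer.incoming.write(data)
        return len(data)

    def step_handshake(self):
        """Let OpenSSL continue; WantRead only means 'give me more input'."""
        if not self.handshake_done:
            try:
                self.tls.do_handshake()
                self.handshake_done = True
            except ssl.SSLWantReadError:
                pass
        return self.handshake_done

    def drain_plaintext(self):
        """Duty 4: collect whatever plaintext OpenSSL can currently deliver."""
        while True:
            try:
                chunk = self.tls.read(4096)
            except ssl.SSLWantReadError:
                return self.received      # nothing more until the peer sends
            if not chunk:
                return self.received      # peer sent close_notify
            self.received += chunk


def run_handshake(client, server, max_rounds=20):
    """Alternate both sides until each reports the handshake complete.
    A round that moves no bytes while a side still waits is a deadlock."""
    for _ in range(max_rounds):
        moved = 0
        for me, peer in ((client, server), (server, client)):
            me.step_handshake()
            moved += me.flush_to(peer)
        if client.handshake_done and server.handshake_done:
            return True
        if moved == 0:
            raise RuntimeError("deadlock: both sides waiting for the other")
    raise RuntimeError("handshake did not finish")


def send(sender, receiver, plaintext):
    """Duty 3 on the sender, then 2 -> 1 -> 4 across to the receiver."""
    sender.tls.write(plaintext)
    sender.flush_to(receiver)
    return receiver.drain_plaintext()


def demo():
    """Full handshake plus one message each way; returns what each side got."""
    with tempfile.TemporaryDirectory() as work:
        key, cert = make_self_signed_cert(work)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(cert, key)
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies by default
        cctx.load_verify_locations(cafile=cert)
        client = Endpoint(cctx, server_side=False, server_hostname="localhost")
        server = Endpoint(sctx, server_side=True)
        run_handshake(client, server)
        send(client, server, b"EAP-style request")
        send(server, client, b"EAP-style response")
        return {"version": client.tls.version(),
                "server_got": server.received, "client_got": client.received}


if __name__ == "__main__":
    print(demo())
```

Note how run_handshake never assumes a ClientHello in must mean a ServerHello out on the same call: after every do_handshake attempt it simply drains the outgoing BIO, whether that holds a full flight, a single alert, or nothing, and the same drain runs again after application data so session tickets or alerts queued by OpenSSL are not left stranded in the BIO.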
RE: SSL_CTX_load_verify_locations
> Is there any alternative API for SSL_CTX_load_verify_locations? SSL_CTX_load_verify_locations ends up using STDIO calls and I am trying to avoid STDIO calls. I am stuck here and I need your help to proceed further. Any help is appreciated.

Just add them to the verification tree manually. You can use functions like SSL_CTX_add_extra_chain_cert, SSL_CTX_add_client_CA_list, SSL_add_client_CA, SSL_set_client_CA_list and so on. If you have some patience, you can follow the logic in SSL_CTX_load_verify_locations and call the same lower-level functions it ultimately calls. I don't at the moment. ;)

DS
Moving openssl servers
Hi,

I got a question regarding migrating servers. I have a root CA running OpenSSL, and I want to move it to another server. The current root CA has already created and signed a lot of certificates. My concern is the procedure to take so that when the new server is up and installed with OpenSSL, all the certificates will still work as normal, and new certificates generated from the new root CA server should be working as well. What files should I copy over from the root CA to the new root CA to ensure consistency for future creation and signing of certs?

The other question: if I upgrade the version of OpenSSL from 0.95 to 0.97e, will the old certs be valid? On a Red Hat machine, can I just use rpm -Uvh to upgrade it?

Thanks a lot.
adrian