Getting the tls-unique channel binding

2011-07-15 Thread Antoine Pitrou

Hello,

The tls-unique channel binding is necessary to implement the
SCRAM-SHA-1-PLUS authentication mechanisms (see RFC 5802, RFC 5929).
We have a pending patch for Python's ssl binding to compute that
piece of information (*), and I would like to know if there's some
example code somewhere so that we can confirm our implementation is
right.

(*) http://bugs.python.org/issue12551

Thank you

Antoine.


__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: OSX still defaulting to .9 libraries after 1.0 build

2010-04-25 Thread Antoine Pitrou

> The problem is in my include statements.  The output of the following
> test program is OpenSSL version included is: 9466063 even when I
> compile with -I/usr/local/ssl/include/openssl.

What if you try -I/usr/local/ssl/include/ instead?




Re: OpenSSL and Python

2010-04-21 Thread Antoine Pitrou
On Wednesday 21 April 2010 at 16:06 -0700, gary clark wrote:
> ImportError: /usr/local/lib/python2.5/site-packages/OpenSSL/crypto.so:
> undefined symbol: PyUnicodeUCS2_Decode

This is a Python problem, not a Unicode one. I suggest posting on
comp.lang.python.
Basically, you should use the pyOpenSSL package provided by your Linux
distribution, or compile it from the source; but not install a
standalone binary package.




Re: openssl-1.0.0 compile issues on SUSE 10.1

2010-04-16 Thread Antoine Pitrou
On Friday 16 April 2010 at 10:47 -0700, Jon Strait wrote:
> Please bear with me as I am in the midst of my crash-course in Linux
> upgrade management.
>
>
> I am trying to upgrade from openssl-0.9.8 to openssl-1.0.0 on SUSE
> 10.1 32bit with HP dl380's.

Why do you? Your Linux distribution will provide updated binary packages
if necessary (for example to fix hypothetical security issues).

They also might have their own custom patches to OpenSSL, which means
your self-compiled vanilla version of OpenSSL might break installed
applications.





Re: Strange SSL_shutdown() error return (SSL_ERROR_SYSCALL but errno == 0)

2010-04-09 Thread Antoine Pitrou

Hello again,

> I have investigated this issue of -1/SSL_ERROR_SYSCALL with errno==0.
>
>
> From the SSL_get_error(3) man page:
>
> SSL_ERROR_SYSCALL
> Some I/O error occurred.  The OpenSSL error queue may contain more
> information on the error.  If the error queue is empty (i.e.
> ERR_get_error() returns 0), ret can be used to find out more about the
> error: If ret == 0, an EOF was observed that violates the protocol.  If
> ret == -1, the underlying BIO reported an I/O error (for socket I/O on
> Unix systems, consult errno for details).

Well, in our case, and unless I'm mistaken,
ret == -1, ERR_get_error() == 0 and then errno (the Unix errno) == 0.

Perhaps errno gets cleared by another operation... I may try to
investigate if I get some time.

Regards

Antoine.



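As an added illustration (not code from Python's ssl module or from OpenSSL) of the SSL_get_error(3) triage quoted in this reply, applied to the SSL_shutdown() return described in the original message below: a pure decision function that gives the thread's ret == -1 / empty error queue / errno == 0 combination its own outcome. The SSL_ERROR_* values are copied from OpenSSL's header so the block builds without linking OpenSSL; the outcome names and the requirement to save errno immediately are this example's own choices.

```c
#include <errno.h>

/* Added example, not Python's or OpenSSL's code: the SSL_get_error(3) triage
 * quoted above as a pure decision function, so it builds without OpenSSL.
 * SSL_ERROR_* values are those of <openssl/ssl.h>; the caller passes in what
 * the real calls returned. */
#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6

enum tls_outcome {
    TLS_OK,             /* call succeeded, or peer sent close_notify */
    TLS_RETRY,          /* non-blocking socket: call again later */
    TLS_PROTOCOL_EOF,   /* ret == 0: peer closed without close_notify */
    TLS_SOCKET_ERROR,   /* ret == -1: BIO I/O error, errno says which */
    TLS_LIBRARY_ERROR,  /* OpenSSL error queue holds the details */
    TLS_AMBIGUOUS_EOF   /* the 0.9.8m case: ret == -1, empty queue, errno == 0 */
};

/* ret = what SSL_shutdown() returned; ssl_err = SSL_get_error(ssl, ret);
 * queued = ERR_get_error() (0 when the queue is empty); saved_errno = errno
 * copied right after SSL_shutdown() returned, before ERR_get_error(), logging
 * or any other libc call could overwrite it (one way to end up seeing
 * errno == 0, the suspicion raised in the thread). */
enum tls_outcome classify_ssl_error(int ret, int ssl_err,
                                    unsigned long queued, int saved_errno)
{
    switch (ssl_err) {
    case SSL_ERROR_NONE:
    case SSL_ERROR_ZERO_RETURN:
        return TLS_OK;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        return TLS_RETRY;
    case SSL_ERROR_SYSCALL:
        if (queued != 0)
            return TLS_LIBRARY_ERROR;  /* man page: the queue comes first */
        if (ret == 0)
            return TLS_PROTOCOL_EOF;   /* EOF that violates the protocol */
        if (saved_errno != 0)
            return TLS_SOCKET_ERROR;   /* genuine I/O error, errno is set */
        return TLS_AMBIGUOUS_EOF;      /* nothing left to tell the cases apart */
    default:                           /* SSL_ERROR_SSL, WANT_X509_LOOKUP, ... */
        return TLS_LIBRARY_ERROR;
    }
}
```

Whether TLS_AMBIGUOUS_EOF is logged and treated as a completed shutdown (the workaround discussed in the thread) or surfaced as an error is a policy decision for the caller; the point of the separate outcome is that it is never silently folded into TLS_SOCKET_ERROR with a meaningless errno.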

Strange SSL_shutdown() error return (SSL_ERROR_SYSCALL but errno == 0)

2010-04-06 Thread Antoine Pitrou

Hello,

While testing Python's SSL support with OpenSSL >= 0.9.8m, we have
encountered a strange error return from SSL_shutdown on a non-blocking
socket (note: this is a different problem from the one described by
Victor Stinner in an earlier thread last month). Basically:

- SSL_shutdown(ssl object) returns -1
- SSL_get_error(ssl object, -1) returns SSL_ERROR_SYSCALL
- ERR_get_errno() returns 0
- errno is equal to 0

This situation was not hit before 0.9.8m. Our tentative workaround
right now (not yet committed, awaiting your insight :-)) is to detect
this particular situation and consider the call successful rather than
raise an exception.

What encouraged me in that workaround is that some LightHTTPd users have
encountered what looks like the same issue, also starting from 0.9.8m:
http://redmine.lighttpd.net/boards/2/topics/2779

« SSL_shutdown failed, SSL_get_error returned SSL_ERROR_SYSCALL,
but errno == 0 - I think there is something wrong with your ssl
lib. »

« Since I updated to openssl 0.9.8m I have noticed the same
error messages in my log. (using lighttpd 1.4.26 with the same
patch applied) »

I would welcome any explanations and suggestions concerning this
situation. Is it an OpenSSL bug? Or does this error return correspond to
an applicative error? (in which case, which error exactly, since the
return codes don't point to anything precise)

Thank you

Antoine Pitrou.

