[openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

[craig_we...@trendmicro.com]

We have recently upgraded our product to 1.0.2k.  We are getting this error on 
a packet sent to us from our browser-based user interface.  I really need some 
suggestions as to how to debug this problem.  I know it is in our code rather 
than OpenSSL but I have no idea how to dig into what is happening.

[Image]


Craig Weeks | Sr. Software Developer, Support Response Team (SRT), Trend Micro 
Inc.

11305 Alterra Parkway, Austin, TX  78758


Securing Your Journey to the Cloud
www.trendmicro.com





TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Disable/Enable TLS versions for all connections at runtime

[craig_we...@trendmicro.com]

I am an OpenSSL neophyte, so please bear with me if the answer is obvious in 
the documentation.

Our product is going to provide runtime options to the user to enable and 
disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For example: today enable 
1.0 and 1.2, disable 1.1; tomorrow enable 1.1 and 1.2, disable 1.0.

How do I use the available APIs to toggle the availability of these versions of 
TLS at runtime (as opposed to some compile time switch that permanently removes 
support for 1 or more versions)? I want these settings to apply to all new 
connections after they have been enabled or disabled.

Craig Weeks | Senior Software Engineer, Support Response Team (SRT)

craig_we...@trendmicro.com<mailto:richard_fang...@trendmicro.com>

14231 Tandem Blvd, Austin TX 78728

www.trendmicro.com<http://www.trendmicro.com>



TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL 1.0.2.f undefined reference: _Stoul

[craig_we...@trendmicro.com]

Ok, I see *how* this is happening, but I don't understand why.  In the version 
of stdlib.h that I am including I see:

*-*-*-*-*-*-*-*-*-*
#if defined(__cplusplus) && !defined(_NO_CPP_INLINES)
[snip]
#else /* defined(__cplusplus) && !defined(_NO_CPP_INLINES) */
_C_LIB_DECL
/* DECLARATIONS AND MACRO OVERRIDES, FOR C */
typedef int _Cmpfun(const void *, const void *);

int atexit(void (*)(void));
void * bsearch(const void *, const void *, size_t, size_t, _Cmpfun *);
void qsort(void *, size_t, size_t, _Cmpfun *);

double atof(const char *);
int atoi(const char *);
long atol(const char *);
double strtod(const char *_Restrict, char **_Restrict);
unsigned long strtoul(const char *_Restrict, char **_Restrict, int);

#define atof(str)   _Stod(str, 0, 0)
#define atoi(str)   (int)_Stoul(str, 0, 10)
#define atol(str)   (long)_Stoul(str, 0, 10)
#define strtod(str, endptr) _Stod(str, endptr, 0)
#define strtoul(str, endptr, base)  _Stoul(str, endptr, base)
[snip]
#endif
*-*-*-*-*-*-*-*-*-*

So, for C code this header maps strtoul() (see parse_tagging() in 
crypto/asn1/asn1_gen.c for an example) to _Stroul().  That is definitely 
"helping" me more than I want but I don't know how to make it stop.

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Salz, Rich
Sent: Friday, October 14, 2016 4:21 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL 1.0.2.f undefined reference: _Stoul

Stoul is usually a C++ function.  Are you sure you're using the right compiler? 
 Add -lm to your link libraries?

That's all I've got.

--  
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Where to find definitions of certain functions

[craig_we...@trendmicro.com]

I’m interested in the rest of this story.  Does compiling a separate library 
for linking work for you now?  Our product runs on two platforms: one 
Pentium-based and one Mips-based. The Pentium build works fine but the Mips 
build fails at link time with unresolved function references.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Ajay Garg
Sent: Sunday, October 16, 2016 10:16 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Where to find definitions of certain functions

Aah... I guess I was being an idiot.
I just realize that the recommended/best/easier way is to compile openssl as a 
separate library (enabling/disabling/removing features as required), and then 
link this library to our application-binary.

Thanks a ton Salz, you have saved me a LOT of hours :)

Thanks and Regards,
Ajay

On Sun, Oct 16, 2016 at 10:09 PM, Salz, Rich 
> wrote:

> Also, I am not using Makefiles, rather compiling each "c unit" using gcc 
> using first-principles.
> Could that be an issue?

Probably.

Only "make" is supported.  You are on your own.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
Regards,
Ajay


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL 1.0.2.f undefined reference: _Stoul

[craig_we...@trendmicro.com]

I think  you are right about some kind of munging of the .c source via some 
header file.  I just don't know exactly how to track that down.  Here are the 
files that reference _Stoul in libcrypto.a:

ec_pmeth.c
rsa_pmeth.c 
dsa_pmeth.c
dh_pmeth.c
b_sock.c
asn1_gen.c
a_strnid.c
ocsp_ht.c
ts_conf.c


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL 1.0.2.f undefined reference: _Stoul

[craig_we...@trendmicro.com]

We are integrating 1.0.2f into a single product that is built for a 
Pentium-based platform and a Mips-based platform, both running on VxWorks.  The 
Pentium-based version compiles and links without error.  But the Mips-based 
version fails with undefined references to _Stoul.  If I search the 2 
libcrypto.a files for 'toul' I see this:

Mips-based:
nm vendor/openssl/62/install/lib/libcrypto.a | grep -i toul
 U _Stoul
 U _Stoul
 U _Stoul
 U _Stoul
 U _Stoul
 U _Stoul
 U _Stoul
 U _Stoul
 U _Stoul

Pentium-based:
nm vendor/openssl/69/install/lib/libcrypto.a | grep -i toul
 U strtoul
 U strtoul
 U strtoul

What can I do to get libcrypto.a to reference a function that will actually be 
resolved by the library files I use?

Craig Weeks | Senior Software Engineer, Support Response Team (SRT)

craig_we...@trendmicro.com

14231 Tandem Blvd, Austin TX 78728

www.trendmicro.com


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Linking FIPS 2.0.12 and OpenSSL 1.0.2f - "multiple definition of `bn_div_3_words"

[craig_we...@trendmicro.com]

I was able to at least make the multiple definition error go away by specifying 
'no-asm' as a parameter to the Configure command.  Can anyone explain what the 
implications of such a setting are?

From: Craig Weeks (RD-US)
Sent: Friday, October 7, 2016 1:45 PM
To: 'openssl-users@openssl.org' <openssl-users@openssl.org>
Subject: Linking FIPS 2.0.12 and OpenSSL 1.0.2f - "multiple definition of 
`bn_div_3_words"

I am trying to build a library of FIPS 2.0.12 and OpenSSL 1.0.2f for MIPS 
architecture on vxWorks.  I am getting this error during the link step:

../libcrypto.a(bn-mips.o)(.text+0x700): In function `bn_div_3_words':
: multiple definition of `bn_div_3_words'
/usr/local/src/w/branches/zorro/tos390_tls/vendor/openssl-fips-2.0.12_installation/lib//fipscanister.o(.text+0x321c0):
 first defined here

I see that others have encountered this problem in the past, but I have found 
no explanation or resolution.

https://marc.info/?l=openssl-users=141216400714219=2

Can someone provide guidance for resolving this error?

Craig Weeks | Senior Software Engineer, Support Response Team (SRT)

craig_we...@trendmicro.com<mailto:richard_fang...@trendmicro.com>

14231 Tandem Blvd, Austin TX 78728

www.trendmicro.com<http://www.trendmicro.com>



TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Linking FIPS 2.0.12 and OpenSSL 1.0.2f - "multiple definition of `bn_div_3_words"

[craig_we...@trendmicro.com]

I am trying to build a library of FIPS 2.0.12 and OpenSSL 1.0.2f for MIPS 
architecture on vxWorks.  I am getting this error during the link step:

../libcrypto.a(bn-mips.o)(.text+0x700): In function `bn_div_3_words':
: multiple definition of `bn_div_3_words'
/usr/local/src/w/branches/zorro/tos390_tls/vendor/openssl-fips-2.0.12_installation/lib//fipscanister.o(.text+0x321c0):
 first defined here

I see that others have encountered this problem in the past, but I have found 
no explanation or resolution.

https://marc.info/?l=openssl-users=141216400714219=2

Can someone provide guidance for resolving this error?

Craig Weeks | Senior Software Engineer, Support Response Team (SRT)

craig_we...@trendmicro.com<mailto:richard_fang...@trendmicro.com>

14231 Tandem Blvd, Austin TX 78728

www.trendmicro.com<http://www.trendmicro.com>



TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users