Hi, How do i validate a certificate chain. is there a EVP api for it ? thanks Kunal
From: Marek Marcola <[EMAIL PROTECTED]> Reply-To: openssl-users@openssl.org To: openssl-users@openssl.org Subject: Re: OpenSSL Generating Extra Packets Date: Fri, 25 Aug 2006 23:51:45 +0200 Hello, > I am working on an application on Mac OS X that's using OpenSSL to talk > to a server via SSL. Because I'm using custom nonblocking socket code, I > setup a BIO pair to do the SSL encoding internally. Everything works > great--handshaking is successful, data is properly encrypted and > decrypted, and the application and server are both properly sending and > receiving data--except that OpenSSL is generating a lot of records that, > when decoded, have no data. I.e., they are valid SSL application data > records, but the records have no payload. This is a problem both because > I'm wasting about 24 kB/min and because matrixSsl, which runs the SSL > stack on the server, aborts the connection fairly quickly because it > interprets the large number of payload-less SSL packets as a DoS attack. > I verified both that BIO_write is never told to write 0 bytes to either > end of the BIO pair, and that BIO_write never returns 0 from either end > of the pair. Does anyone have any idea what I could be doing wrong, or > else, perhaps what setting I need to disable so that these packets > aren't generated internally? Sending empty SSL record (I mean record with only MAC) before SSL record with real application data guards against some timing CBC attacks and is enabled in OpenSSL by default. To disable this set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS with SSL_CTX_set_options(). matrixSsl has hard encoded limit (1024) for internal counter called ignoredMessageCount which is incremented when receiving empty SSL record. And I must say: reading source of matrixSsl was always pleasure for me - great, clear implementation. Best regards, -- Marek Marcola <[EMAIL PROTECTED]> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
