Re: Newbie - SSL2_WRITE:ssl handshake failure

2001-11-12 Thread J. Johnson

(And I'll cc the developers list so they can see the problem.)

The archives show there have been a number of queries on "handshake
failure" errors in the past year (including mine a couple of weeks ago),
but I haven't seen but one response.  So while I don't (yet) have any
definite answers, perhaps I provide some suggestions.

First of all, note that the "s2_pkt.c:371" the end of the error message is
telling which source code file, and even the line number, where the error
occured.  Hmm, it looks like it ran out of data.  Well, that wasn't too
helpful, but it's good to check. 

A key problem here [hey, developers, take note!] is that we don't know
whether the "error" was the s2_pkt code taking a dive because of a
"shouldn't happen" condition it couldn't handle (poor code?), or because
the two parties here couldn't agree on a handshake. 

Consider the latter possibility.  In my case I was testing a server I am
setting up, and I had doubts about how the certificates are set up. 
Removing them entirely also resulted in a 'handshake failure', so this
could be problem with the certificates.  

Some things to check:  Are the certificates on your second destination
valid?  Does their setup correspond with that on your first destination? 
Do you have other services that use them?  (Are you going to a standard
https server, or a custom server?)  Have you checked the logs? 

Also:  use 'openssl'.  (It may be easier to manipulate than your
executable, and it has a bunch of options affecting the SSL aspects.)  Do
something like 'openssl s_client -connect :443' to connect to the
secure http server.  (There is no prompt.  Type something like "get /
http/1.0" and hit return twice.)  Also note that openssl can also be run
as a minimal web server. 

Good luck, and let me know what if you find anything.

=== JJ =

On Mon, 12 Nov 2001, Vikram Motwani wrote:

> Hi, 
> 
> I am new to ssl and am trying to upload files to a
> server using https post. I am using an executable that
> takes
> as inputs from the command prompt. 
> 
> Unfortunately it was written by someone else. I can
> upload files from a machines on one domain but not on
> other. 
> 
> I get the following error on client trying to upload
> files to server:
> 
> 279:error:1407F0E1:SSL routines:SSL2_WRITE:ssl
> handshake failure.\ssl\s2_pkt.c:371. 
> 
> Can anyone tell me how to fix this and what the
> problem might be. 
> 
> Thanks in advance, 
> 
> Vikram 
> 
> __
> Do You Yahoo!?
> Find a job, post your resume.
> http://careers.yahoo.com
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Man in the middle attacks ?

2001-11-12 Thread J. Johnson

[In response to Pascal Janse van Vuuren, 13 Nov 2001]

The "RSA Security's Official Guide to Cryptography" has pretty good
discussion of various kinds of attacks and how they can be dealt with.
See p108 for a discussion on using Diffie-Hellman based key exchange.
(Doesn't mention OpenSSL, though. Or "open" anything.)

=== JJ =


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: INSTALL OPENSSL

2001-11-12 Thread Prathaban Selvaraj
Title: RE: INSTALL OPENSSL





 Look for a file called 'Install.W32' on your root directory. It contains the Win32 install instructions.


 -P


-Original Message-
From: Francisco Castillejo [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, November 11, 2001 12:28 PM
To: [EMAIL PROTECTED]
Subject: INSTALL OPENSSL


Hi,
i'm new in openssl world XD. I don't know how install openssl in windows.
Can anyone help me?
Sorry, my english is horrible.
Thanks


__
OpenSSL Project http://www.openssl.org
User Support Mailing List    [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]





Re: PKCS11 and building CSP dll's

2001-11-12 Thread Steven A. Bade

On Mon, Nov 12, 2001 at 05:34:15PM -0500, Mark Ng wrote:
> Hello all,  
> 
> I was wondering if any of you know anything about the
> a
> message posted on the openssl mailing list:  
> article:  http://linux.dp.ua/maillist/msg00232.html
> 
> Sergio mentions in the message that he is distributing
> his code as open source.   I'd like to get a copy or
> location for it.   I'm trying to write a csp that
> implements PKCS#11 API interfrace and it would help
> alot if I can check out his code.


If you are actualy implementing PKCS#11 then you might want to
look at our openCryptoki project on Developerworks

http://www.ibm.com/developerworks/projects/opencryptoki

On the other hand if you are trying to integrate a PKCS#11 provider into
the openSSL code, you shuold look through the archives, there 
are a bunch of people who claim to have done this, but I've never had the
time to actualy play with them... 
> 
> I've tried he mailing his address : [EMAIL PROTECTED] but
> it not longer exists.   Can you help?   
> 
> Thanks.
> 
> 
> 
> 
> 
> ___
> Build your own website in minutes and for free at http://ca.geocities.com
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

-- 
Steven A. Bade
UNIX Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799

--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want"

this mess is so big and so bad and so tall, 
we cannot clean it up, there is no way at all  
(Cat in the Hat)


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



PKCS11 and building CSP dll's

2001-11-12 Thread Mark Ng

Hello all,  

I was wondering if any of you know anything about the
a
message posted on the openssl mailing list:  
article:  http://linux.dp.ua/maillist/msg00232.html

Sergio mentions in the message that he is distributing
his code as open source.   I'd like to get a copy or
location for it.   I'm trying to write a csp that
implements PKCS#11 API interfrace and it would help
alot if I can check out his code.

I've tried he mailing his address : [EMAIL PROTECTED] but
it not longer exists.   Can you help?   

Thanks.





___
Build your own website in minutes and for free at http://ca.geocities.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Man in the middle attacks ?

2001-11-12 Thread Eric Rescorla

"Pascal Janse van Vuuren" <[EMAIL PROTECTED]> writes:
> I'm not a real crypto expert. But, I'm facing a potential (?)
> problem. I've used OpenSSL to negotiate a secure control channel
> between two nodes of a private network. The generated private keys
> are encrypted with a specific password. Naturally, any secure system
> is only as strong as it's weakest link, but yesterday one of our
> developers raised the following concern. (I've included his email
> below)
> 
> > MITM is particularly an issue for a proxy product, particularly with a nat. 
> > One could write a proxy that provided this functionality!
> 
> > Consider this situation, a standard man in the middle:
> 
> > 1 Bob connects to the master.
> > 2 Mary intercepts the connection, and makes her own connection to the master.
> 
> > Bob <-> Mary <-> Master
> 
> > Mary is acting like a transparent proxy, and Bob does not know.
> 
> > 3 Master send Bob the public key.
> > 4 Mary grabs it
> > 5 Mary creates her own key pair and send the public one to Bob.
> > 6 Bob Encrypts a new "session key" with Marys public key, that he thinks is 
> > Masters key.
> > 7 Mary decrypts the data, re-encrypts it with the Real Qbik master key and 
> > sends it.
> > 8 Master is happy, and the session starts with the session key.
> 
> > Mary has all the pieces of the puzzle.
> 
> > We can easily overcome this by using an extra level of security: Encrypting 
> > with a shared secret the initial public key that is transmitted. 
> 
> Our key pairs are pre-generated, along with the associated, self-signed certifcates. 
>They won't be used in any other instance, but for negotiating this connection. After 
>the control-channel has been negotiated, we do normal user/node authentication, etc.
It's hard to answer your question because you don't say whether you're
using SSL or just some ad-hoc protocol with OpenSSL for your crypto.
For the sake of the rest of the discussion I'll assume you're using
SSL. If you've invented your own protocol you probably have bigger
problems than this.

> Is this a vulnerability, or something we should be concerned about ? 
The usual way SSL prevents man-in-the-middle attacks is by having the
client check the server's certificate against a trusted CA. If you're
using self-signed certificates and the client doesn't have any
independent knowledge of the server's certificate you certainly are
vulnerable to a man-in-the-middle attack.

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Man in the middle attacks ?

2001-11-12 Thread Keary Suska

Probably not, as long as the client can properly respond to a changed server
key. For instance, in SSH2, the ssh client "remembers" the server's key on
the first connection. The client can be configured to abort server
connections when the key changes from a known value, or at the minimum the
client is alerted that the server key has changed and has the option to
abort, which they should unless they have received instructions otherwise
from the sys admin. This flouts the traditional MITM attack.

In SSL, this is prevented by peer certificate verification by the PKI
system.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"

From: "Pascal Janse van Vuuren" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Nov 2001 08:36:47 +1300
To: <[EMAIL PROTECTED]>
Subject: Man in the middle attacks ?


Hi all,
 
I'm not a real crypto expert. But, I'm facing a potential (?) problem. I've
used OpenSSL to negotiate a secure control channel between two nodes of a
private network. The generated private keys are encrypted with a specific
password. Naturally, any secure system is only as strong as it's weakest
link, but yesterday one of our developers raised the following concern.
(I've included his email below)
 
> MITM is particularly an issue for a proxy product, particularly with a nat.
> One could write a proxy that provided this functionality!

> Consider this situation, a standard man in the middle:

> 1 Bob connects to the master.
> 2 Mary intercepts the connection, and makes her own connection to the master.

> Bob <-> Mary <-> Master

> Mary is acting like a transparent proxy, and Bob does not know.

> 3 Master send Bob the public key.
> 4 Mary grabs it
> 5 Mary creates her own key pair and send the public one to Bob.
> 6 Bob Encrypts a new "session key" with Marys public key, that he thinks is
> Masters key.
> 7 Mary decrypts the data, re-encrypts it with the Real Qbik master key and
> sends it.
> 8 Master is happy, and the session starts with the session key.

> Mary has all the pieces of the puzzle.

> We can easily overcome this by using an extra level of security: Encrypting
> with a shared secret the initial public key that is transmitted.
 
Our key pairs are pre-generated, along with the associated, self-signed
certifcates. They won't be used in any other instance, but for negotiating
this connection. After the control-channel has been negotiated, we do normal
user/node authentication, etc.
 
Is this a vulnerability, or something we should be concerned about ?
 
__
 
Pascal
Qbik New Zealand
 



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: API's ??

2001-11-12 Thread lgazis

Yes, there are.  If you look at req.c and genrsa.c, in the apps directory,
you can see what API calls wind up being used when you run "openssl genrsa
..." or "openssl req ..."

Lynn Gazis

-Original Message-
From: Ruby Cruiser [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 11, 2001 12:12 PM
To: [EMAIL PROTECTED]
Subject: API's ??


For generating the certifcate and private file, I am
currently using the command line interface... that is
commands like "openssl genrsa ..." and "openssl req
-new -x509..." etc.

But, are there any openssl API's for the same? If yes,
please let me know few APIs.

Thanks for the assistance,
Ruby



__
Do You Yahoo!?
Find a job, post your resume.
http://careers.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Newbie - SSL2_WRITE:ssl handshake failure

2001-11-12 Thread Vikram Motwani

Hi, 

I am new to ssl and am trying to upload files to a
server using https post. I am using an executable that
takes
as inputs from the command prompt. 

Unfortunately it was written by someone else. I can
upload files from a machines on one domain but not on
other. 

I get the following error on client trying to upload
files to server:

279:error:1407F0E1:SSL routines:SSL2_WRITE:ssl
handshake failure.\ssl\s2_pkt.c:371. 

Can anyone tell me how to fix this and what the
problem might be. 

Thanks in advance, 

Vikram 

__
Do You Yahoo!?
Find a job, post your resume.
http://careers.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



ÉϹØϵͨƽ̨£¬½»ÊÂÒµÅóÓÑ£¬ÖÐÐĶ¯´ó½±

2001-11-12 Thread up30.com
Title: ÉϹØϵͨ£¬½±ÉÌÎñͨ£¡






  




 
  
  


  

  

  


  

  
 
   
   
   

 
   
ÉϹØϵͨ£¬½±ÉÌÎñͨ
  
   

  

  
   
"¹Øϵͨ"Èí¼þÊÇÈýÊ®¶øÁ¢Íøwww.up30.com¹ØϵÁªÃËÊý¾Ý¿âµÄ·ÃÎÊƽ̨£¬ÕâÊÇÒ»¸ö¾ßÓÐÐÅÓÃÌصãµÄÍøÂç½»Íùƽ̨£¬ËùÓÐÓû§ÒÔ¸öÈËÕæʵÉí·Ý¼ÓÈë¡£ÈýÊ®¶øÁ¢ÍøϵĹØϵÁªÃËÊÇһȺҵÄÚÈËʿΪÁË·½±ãÉÌÎñÁªÏµ£¬½»»»ÐÅÏ¢¶ø½¨Á¢µÄÒ»¸ö¹ØϵÁªÃË£¬¸÷¸öÐÐÒµ¡¢µØÇø¾ùÓпÊÍû²»¶ÏÍØÕ¹¸öÈ˹ØϵµÄ¾«Ó¢¼ÓÈë¡£ÒªÔÚ"¹Øϵͨ"½¨Á¢¸öÈ˸ü¹ã·ºµÄÈ˼ʹØϵ£¬ÄãËùÒª×öµÄ¾ÍÊÇÒÔÕæʵµÄÉí·ÝºÍÆäËûÓû§Ö÷¶¯È¥½»»»ÐÅÏ¢¡£ 
  "¿ªÍعØϵ£¬ÈýÊ®¶øÁ¢"ÊÇÎÒÃǵĿںţ¡

  

  

 
µÇ½ÈýÊ®¶øÁ¢ÍøÕ¾www.up30.com£¬×¢²á³ÉΪ"¹Øϵͨ"ƽ̨Óû§£¬ÖÚ¶à¾ßÓÐÕæʵÉí·ÝºÍÐÅÓü¶±ðµÄÒµ½ç¾«Ó¢µÈ×ÅÄã¡£ÉÏ"¹Øϵͨ"£¬¿ªÍعØϵ£¬ÈýÊ®¶øÁ¢¡£
»î¶¯Ï¸Ôò£º
£¨»î¶¯Ê±¼ä£º2001Äê11ÔÂ1ÈÕµ½2001Äê11ÔÂ30ÈÕ£©
¡ô ÏÖÔڵǽÈýÊ®¶øÁ¢ÍøÕ¾×¢²á¸öÈËÕæʵ×ÊÁϳÉΪ"¹Øϵͨ"Óû§£»£¨Ê¹ÓÃ"ÃûƬ½»»»"¹¦ÄܾͿÉÒԺܿ콨Á¢ÆðÄãµÄ¹ØϵȦ£©£»
¡ô 
ÔÚ11ÔÂ30ÈÕÇ°ÔÚÈýÊ®¶øÁ¢ÍøÕ¾Ê×Ò³ÉϽøÐÐÍƼö3λ"¹Øϵͨ"ÉÏÄãÈÏΪ×îÓмÛÖµµÄÅóÓÑ£»£¨´ó¼ÒҪעÒâµ½ÍøÕ¾Éϲ鿴һÏÂÍƼöÅÅÃû£©
¡ô 
µÃµ½ÍƼö×î¶àµÄ1λÓû§½«»ñµÃ"×îÓмÛÖµ»ï°é½±"£¬½±£º¼ÛÖµ4680ÔªµÄÉÌÎñͨ±¼Ñï2186£»
¡ô¸ù¾ÝÓû§µÄÆÀÓÎÒÃÇÔÚ»ñµÃÍƼöµÄÇ°10ÃûÓû§ÖÐÑ¡³ö"×îÕæʵÓû§½±"1ÃûºÍ"×îÈÈÇéÓû§½±"¸÷1Ãû£¬½±£º¼ÛÖµ1380ÔªµÄÉÌÎñͨÏȽÝMBA8823£»
¡ô 
Ç°30ÃûÓû§³ÉΪ"¹Øϵͨ"µÄVIPÓû§£¬ÔÚÈýÊ®¶øÁ¢ÍøÕ¾ÉϽøÐиöÐÔÍƼö½éÉÜ£¬²¢ÏíÓÐÒÔºóµÄ¶àÖÖÌØÊâ·þÎñ¡£
¡ô 
ÿλÓû§ÔÚʹÓùØϵͨµÄÇ°3´Î¿ÉÒÔÓлú»á½éÉÜÄãµÄ10λÀÏÓÑ¡£ÔÚÈκÎÒ»´Î¹ØϵͨµÄ»î¶¯ÖÐÖ»ÒªÄãÖн±£¬ËûÃǾͻáÁ¬´øÖн±¡£±¾´Î»î¶¯"×îÓмÛÖµÓû§"µÄ10λºÃÓÑ¿ÉÔÚJAZZÄÐÊ¿ÏãË®¡¢¾­µäÈ«¸ÖÔ˶¯±í¡¢SANFOÖпÕËÄ¿×ÃÞÂÃÐÐ˯´ü¡¢È«Ì׶¡¶¡ÀúÏÕ¼ÇÖÐÑ¡Ôñ1·ÝÀñÆ·¡£

 
¡¡

1. ½«¶Ô»ñ½±Õß½øÐÐ×ÊÁÏÓèÒԺ˶ԣ¬Èç¹û³öÏÖÐé¼ÙÇé¿ö£¬È¡Ïû²Î¼Ó»î¶¯×ʸñ¡£
2. ÉîÛÚ°®¶ûÆÕÐÅÏ¢¿Æ¼¼ÓÐÏÞ¹«Ë¾ÓµÓжԻµÄ×îÖÕ½âÊÍȨ¡£
  

 
   
   
   

 
  

  

  


  

  


  
www.up30.com
  Copyright ©2001 
  UP30com All rights reserved. 
  

 



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Man in the middle attacks ?

2001-11-12 Thread Pascal Janse van Vuuren



Hi all,
 
I'm not a real crypto expert. But, I'm facing 
a potential (?) problem. I've used OpenSSL to negotiate a secure control channel 
between two nodes of a private network. The generated private keys are encrypted 
with a specific password. Naturally, any secure system is only as strong as it's 
weakest link, but yesterday one of our developers raised the following concern. 
(I've included his email below)
 
> MITM is particularly an issue for a proxy 
product, particularly with a nat. > One 
could write a proxy that provided this functionality!> Consider this situation, a standard man in the 
middle:> 1 Bob connects to the 
master.> 2 Mary intercepts the connection, and makes her own connection 
to the master.> Bob <-> Mary <-> 
Master> Mary is acting like a transparent proxy, and Bob does 
not know.> 3 Master send Bob the public key.> 4 Mary 
grabs it> 5 Mary creates her own key pair and send the public one to 
Bob.> 6 Bob Encrypts a new "session key" with Marys public key, that 
he thinks is > Masters key.> 7 Mary decrypts the data, 
re-encrypts it with the Real Qbik master key and > sends it.> 
8 Master is happy, and the session starts with the session key.> 
Mary has all the pieces of the puzzle.
> We can easily overcome this by using an 
extra level of security: Encrypting > with a shared secret the initial 
public key that is transmitted. 
 
Our key pairs are pre-generated, along with the 
associated, self-signed certifcates. They won't be used in any other instance, 
but for negotiating this connection. After the control-channel has been 
negotiated, we do normal user/node authentication, etc.
 
Is this a vulnerability, or something we should be 
concerned about ? 
 
__
 
PascalQbik New Zealand
 


RE: openssl-0.9.6b on solaris-sparcv9-cc

2001-11-12 Thread lgazis

Alternatively, if you *do* have a Solaris C compiler installed, you need to
check and make sure it comes first in your path.  /opt/SUNWspro/bin (or
whatever directory you installed the C compiler in, if you didn't place it
in the default location) should come before /usr/ucb in your path.  As long
as you pick up /usr/ucb/cc first, OpenSSL won't build.  If you don't have
the SUNWspro compiler, follow Erich's advice and use gcc.

Lynn Gazis

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 11, 2001 6:11 AM
To: [EMAIL PROTECTED]
Subject: Re: openssl-0.9.6b on solaris-sparcv9-cc


Hi

Aslam wrote the following at 19:48 09.11.2001:
>I'm trying to compile openssl-0.9.6b on solaris-sparcv9-cc.. and when I do 
>"make" as per the install in openssl-0.9.6b\.. I get following error
message..
>
>$ make
>+ rm -f libcrypto.so.0
>+ rm -f libcrypto.so
>+ rm -f libcrypto.so.0.9.6
>+ rm -f libssl.so.0
>+ rm -f libssl.so
>+ rm -f libssl.so.0.9.6
>making all in crypto...
>cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
>-DHAVE_DLFCN_H -xta
>rget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN 
>-DBN_DIV2W -DUL
>TRASPARC -DMD5_ASM  -c  cryptlib.c
>/usr/ucb/cc:  language optional software package not installed
>*** Error code 1
>make: Fatal error: Command failed for target `cryptlib.o'
>Current working directory /etc/export/home/openssl/openssl-0.9.6b/crypto
>*** Error code 1
>make: Fatal error: Command failed for target `sub_all'
>
>Could any one tell me what all he is asking about ??

Looks like you are missing some software on your solaris installation, e.g. 
the compiler
You might try to use gcc

regards

Erich Titl

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Sharing a SSL connection between processes

2001-11-12 Thread Tal Mozes

Hi, and sorry for the previous empty message.

My question, in short: Is there a way to serialize the contents of the
SSL_CTX and SSL structs to a bio?

Some more details: I'm trying to figure out a way to use SSL between the
client and server of my application. The problem is that there are several
different clients that may run simultaneously on the same machine, and the
server is unaware of that...

The clients can communicate with one another using shared memory and an
event. Currently, I use this means of communication in order to share the
session's security parameters (such as a session key, message sequence
number etc.), and to avoid 2 requests being sent simultaneously to the
server. If I change the protocol to SSL, each client must have an updated
SSL struct in order to be able to communicate with the server. So I'm
looking for a way to (1) make OpenSSL allocate the SSL struct in the shared
memory or (2) dump the SSL struct (not a pointer to it) to the shared memory
after a communication, and load it from the shared memory before a
communication.

I don't want to let each client use its own SSL connection (too much work on
the server side). 

Answers, or new ideas are very welcome.

Tal




__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[no subject]

2001-11-12 Thread Tal Mozes

Hi all,

I'm trying 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Certification check.

2001-11-12 Thread Viacheslav N Tararin

Hi all,

I'm new with SSL.
I have one problem with certificate verification routines.

When I include next code in server

--
... ssl initialization ...

SSL_CTX_set_verify(*ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE, NULL);

... continue ...
--

On handshake I've got next error:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


On client side I perform:
SSL_CTX_use_certificate_file(*ctx, cert_file, SSL_FILETYPE_PEM);

What, I must perform additional on client side for return certificate
to server?
Any example, or guide?


Thanks.

-- 
Best regards,
 Viacheslav  mailto:[EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Question

2001-11-12 Thread Esbold

Hi
I have problem.
I want to use SSL over SCTP(stream control transmission protocol).
SCTP is like TCP.
It works over TCP but it doesn't work over SCTP.
I need more documetns and examples.
Where can I found more documents BIO commands of SSl or TLS ?

Regards Esbold
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: SSL_CTX_set_client_CA_list

2001-11-12 Thread Lutz Jaenicke

On Sun, Nov 11, 2001 at 09:50:26AM +0200, Sharon Hezy wrote:
> I'm trying to implement client authentication with OpenSSL client & server.
> Everything works fine: server asks for client's certificate, gets it &
> verification successes too. The only problem is that I can't make client to
> send to the server certificate that matches one of the names in server's CA
> list (defined on the server side with SSL_CTX_set_client_CA_list()). What I
> want is that client will send certificate ONLY if it signed by one of
> server's trusted CA's (from the CA list), and, if the client doesn't have
> certificate like that - he shouldn't send anything. In fact, I'm getting a
> different behavior: client always sends its certificate, even if it signed
> by CA unknown to the server. From SSL_CTX_set_client_CA_list() documentation
> is seems to me that the behavior that I'm expecting is the right one, and
> the one I'm getting - is the wrong one. Does anybody know how to help me?

You are experiencing the default behaviour of the OpenSSL client code.
It does not check whether the client certificate available does match
the list of client CAs sent.
There exists a callback function set via SSL_CTX_set_client_cert_cb(),
that should help an application to perform the required operation:
upon client certificate request, the callback is being called and the
application can then load the according private key and certificate.
The exact functioning is not (yet?) documented. Due to limitations
in the data structures (OpenSSL can only handle one certificate chain
per SSL object that is never reset), it would be necessary to
SSL_free() the SSL object afterwards, which is contradictory to the normal
behaviour, where SSL_clear() is good enough.
I have therefore not written the according manual pages, as I would not
like to give incomplete examples.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



ÉϹØϵͨƽ̨£¬½»ÊÂÒµÅóÓÑ£¬ÖÐÐĶ¯´ó½±

2001-11-12 Thread up30.com
Title: ÉϹØϵͨ£¬½±ÉÌÎñͨ£¡






  




 
  
  


  

  

  


  

  
 
   
   
   

 
   
ÉϹØϵͨ£¬½±ÉÌÎñͨ
  
   

  

  
   
"¹Øϵͨ"Èí¼þÊÇÈýÊ®¶øÁ¢Íøwww.up30.com¹ØϵÁªÃËÊý¾Ý¿âµÄ·ÃÎÊƽ̨£¬ÕâÊÇÒ»¸ö¾ßÓÐÐÅÓÃÌصãµÄÍøÂç½»Íùƽ̨£¬ËùÓÐÓû§ÒÔ¸öÈËÕæʵÉí·Ý¼ÓÈë¡£ÈýÊ®¶øÁ¢ÍøϵĹØϵÁªÃËÊÇһȺҵÄÚÈËʿΪÁË·½±ãÉÌÎñÁªÏµ£¬½»»»ÐÅÏ¢¶ø½¨Á¢µÄÒ»¸ö¹ØϵÁªÃË£¬¸÷¸öÐÐÒµ¡¢µØÇø¾ùÓпÊÍû²»¶ÏÍØÕ¹¸öÈ˹ØϵµÄ¾«Ó¢¼ÓÈë¡£ÒªÔÚ"¹Øϵͨ"½¨Á¢¸öÈ˸ü¹ã·ºµÄÈ˼ʹØϵ£¬ÄãËùÒª×öµÄ¾ÍÊÇÒÔÕæʵµÄÉí·ÝºÍÆäËûÓû§Ö÷¶¯È¥½»»»ÐÅÏ¢¡£ 
  "¿ªÍعØϵ£¬ÈýÊ®¶øÁ¢"ÊÇÎÒÃǵĿںţ¡

  

  

 
µÇ½ÈýÊ®¶øÁ¢ÍøÕ¾www.up30.com£¬×¢²á³ÉΪ"¹Øϵͨ"ƽ̨Óû§£¬ÖÚ¶à¾ßÓÐÕæʵÉí·ÝºÍÐÅÓü¶±ðµÄÒµ½ç¾«Ó¢µÈ×ÅÄã¡£ÉÏ"¹Øϵͨ"£¬¿ªÍعØϵ£¬ÈýÊ®¶øÁ¢¡£
»î¶¯Ï¸Ôò£º
£¨»î¶¯Ê±¼ä£º2001Äê11ÔÂ1ÈÕµ½2001Äê11ÔÂ30ÈÕ£©
¡ô ÏÖÔڵǽÈýÊ®¶øÁ¢ÍøÕ¾×¢²á¸öÈËÕæʵ×ÊÁϳÉΪ"¹Øϵͨ"Óû§£»£¨Ê¹ÓÃ"ÃûƬ½»»»"¹¦ÄܾͿÉÒԺܿ콨Á¢ÆðÄãµÄ¹ØϵȦ£©£»
¡ô 
ÔÚ11ÔÂ30ÈÕÇ°ÔÚÈýÊ®¶øÁ¢ÍøÕ¾Ê×Ò³ÉϽøÐÐÍƼö3λ"¹Øϵͨ"ÉÏÄãÈÏΪ×îÓмÛÖµµÄÅóÓÑ£»£¨´ó¼ÒҪעÒâµ½ÍøÕ¾Éϲ鿴һÏÂÍƼöÅÅÃû£©
¡ô 
µÃµ½ÍƼö×î¶àµÄ1λÓû§½«»ñµÃ"×îÓмÛÖµ»ï°é½±"£¬½±£º¼ÛÖµ4680ÔªµÄÉÌÎñͨ±¼Ñï2186£»
¡ô¸ù¾ÝÓû§µÄÆÀÓÎÒÃÇÔÚ»ñµÃÍƼöµÄÇ°10ÃûÓû§ÖÐÑ¡³ö"×îÕæʵÓû§½±"1ÃûºÍ"×îÈÈÇéÓû§½±"¸÷1Ãû£¬½±£º¼ÛÖµ1380ÔªµÄÉÌÎñͨÏȽÝMBA8823£»
¡ô 
Ç°30ÃûÓû§³ÉΪ"¹Øϵͨ"µÄVIPÓû§£¬ÔÚÈýÊ®¶øÁ¢ÍøÕ¾ÉϽøÐиöÐÔÍƼö½éÉÜ£¬²¢ÏíÓÐÒÔºóµÄ¶àÖÖÌØÊâ·þÎñ¡£
¡ô 
ÿλÓû§ÔÚʹÓùØϵͨµÄÇ°3´Î¿ÉÒÔÓлú»á½éÉÜÄãµÄ10λÀÏÓÑ¡£ÔÚÈκÎÒ»´Î¹ØϵͨµÄ»î¶¯ÖÐÖ»ÒªÄãÖн±£¬ËûÃǾͻáÁ¬´øÖн±¡£±¾´Î»î¶¯"×îÓмÛÖµÓû§"µÄ10λºÃÓÑ¿ÉÔÚJAZZÄÐÊ¿ÏãË®¡¢¾­µäÈ«¸ÖÔ˶¯±í¡¢SANFOÖпÕËÄ¿×ÃÞÂÃÐÐ˯´ü¡¢È«Ì׶¡¶¡ÀúÏÕ¼ÇÖÐÑ¡Ôñ1·ÝÀñÆ·¡£

 
¡¡

1. ½«¶Ô»ñ½±Õß½øÐÐ×ÊÁÏÓèÒԺ˶ԣ¬Èç¹û³öÏÖÐé¼ÙÇé¿ö£¬È¡Ïû²Î¼Ó»î¶¯×ʸñ¡£
2. ÉîÛÚ°®¶ûÆÕÐÅÏ¢¿Æ¼¼ÓÐÏÞ¹«Ë¾ÓµÓжԻµÄ×îÖÕ½âÊÍȨ¡£
  

 
   
   
   

 
  

  

  


  

  


  
www.up30.com
  Copyright ©2001 
  UP30com All rights reserved. 
  

 



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


pb with apache-ssl

2001-11-12 Thread Laurent Jouannic

Hi to the ML,

I got a big pb with apache-ssl (debian)

It was running well, but now when I want to connect in https, the server
ask me if I accept the certificat and after it give me the following
message:

the connection contained no data.

What's on?

Thank's.

Regards.

Laurent.



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: listening to browser output

2001-11-12 Thread Erich Titl

Hi
At 08:24 12.11.2001 +0100, you wrote:
>I am doing a lot of client programming replacing the browser by a client 
>program.
>To verify my program I look at the browser output with ngrep.
>But in case of SSL I don't see anything. Is there a solution for this need.

maybe ssldump ??

regards

Erich


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]