SSL_renegotiation using non block sockets
Hi, I am using Non Blocking sockets, and would like to know the behaviour wrt SSL_renegotiation. Once I make a call to do_handshake, as the FD is non blocking it will return immediately with a success, but from the application's point of view how will it come to know that the renegotiation in thro' so that it can call SSL_write/SSL_read? Should the application poll on that do_handshake flag within the ssl control block? Any suggestion/help appreciated a lot. Thanks --Gayathri __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
valgrind errors
Hello all, I develeopped a server which seems to work quite fine. When I use Valgrind to check for problems, it returns me thousands of problems wich seems to be caused by the OpenSSL librairie! follows some of the returns: ==23622== Syscall param write(buf) points to uninitialised byte(s) ==23622==at 0x82C573: __write_nocancel (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7D202A: _IO_do_write@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7D17C4: _IO_file_close_it@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7C83F1: fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x8073637: RAND_write_file (in /home/tools/version_courante/mybin) ==23622==by 0xCF39EAD1: ??? ==23622== Address 0x25989000 is not stack'd, malloc'd or (recently) free'd ==23622== ==23622== Thread 3: ==23622== Conditional jump or move depends on uninitialised value(s) ==23622==at 0x8072F5E: lh_retrieve (in /home/tools/version_courante/mybin) ==23622== ==23622== Use of uninitialised value of size 4 ==23622==at 0x8072F73: lh_retrieve (in /home/tools/version_courante/mybin) ... The first lines are retruned when calling RAND_write_file(), the other lines are all returned when calling SSL_accept(). Does anyone know if it is an error of my own or not? Alexis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: SSL_renegotiation using non block sockets
Hi I did the same thing yesterday myself but because I wanted to implement a timeout solution as well as quick shutdown of my COM object via object notification. You might be able to hack my work ... this is what I came up with... It takes a blocking socket, makes it un-blocking... negotiates with timeout and signalling considerations and then passes back normal error codes... // SSLConnectWithTimeout, connect to a remote server with timeout int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) { //- // Set the socket I/O mode: In this case FIONBIO // enables or disables the blocking mode for the // socket based on the numerical value of iMode. // If iMode = 0, blocking is enabled; // If iMode != 0, non-blocking mode is enabled. int iMode = 1; LogInformation2(Running SSL non-blocking connection timeout = %ld, timeout); if (timeout) { // establish non- blocking mode to enable us to time out. ioctlsocket(s, FIONBIO, (u_long FAR*) iMode); } // make the connection attempt int nRet = SSL_connect(ssl); // if we are using a timeout then ... if (timeout) { // convert nRet to a real error if necessary if (nRet != 1) nRet = SSL_get_error(ssl, nRet); LogInformation2(connect run return value %d., nRet); LogInformation1(Starting SSL polling loop); // get the start time DWORD starttime = timeGetTime(); while ((nRet==SSL_ERROR_WANT_READ || nRet==SSL_ERROR_WANT_WRITE) !isStopEventSignaled()) { // Back off to let the connection happen. //Sleep(50); // reiterate the connection nRet = SSL_connect(ssl); if (nRet != 1) nRet = SSL_get_error(ssl, nRet); // check for timeout if ((timeGetTime() - starttime = timeout) || m_signalled) { // return an error nRet = -1; break; } } LogInformation2(Finished polling loop signalled? %d, m_signalled); // if we made it to here with nRet = 1 we are SSL connected if (nRet == 1) { LogInformation2(Successful connection made! returning %d., nRet); // turn off non-blocking mode, back to blocking mode for the rest // of the connection iMode = 0; ioctlsocket(s, FIONBIO, (u_long FAR*) iMode); } else { // just a log the error, remember logging disappears when compiled // without LOG_BUILD defined. LogInformation2(Timeout occurred returning %d., nRet); } } // return connection state. return nRet; } -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 2 June 2005 2:14 PM To: openssl-users@openssl.org Subject: SSL_renegotiation using non block sockets Hi, I am using Non Blocking sockets, and would like to know the behaviour wrt SSL_renegotiation. Once I make a call to do_handshake, as the FD is non blocking it will return immediately with a success, but from the application's point of view how will it come to know that the renegotiation in thro' so that it can call SSL_write/SSL_read? Should the application poll on that do_handshake flag within the ssl control block? Any suggestion/help appreciated a lot. Thanks --Gayathri __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.322 / Virus Database: 267.4.0 - Release Date: 1/06/2005 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.322 / Virus Database: 267.4.0 - Release Date: 1/06/2005 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: valgrind errors
Alexis Lefort wrote: Hello all, I develeopped a server which seems to work quite fine. When I use Valgrind to check for problems, it returns me thousands of problems wich seems to be caused by the OpenSSL librairie! follows some of the returns: ==23622== Syscall param write(buf) points to uninitialised byte(s) ==23622==at 0x82C573: __write_nocancel (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7D202A: _IO_do_write@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7D17C4: _IO_file_close_it@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7C83F1: fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x8073637: RAND_write_file (in /home/tools/version_courante/mybin) ==23622==by 0xCF39EAD1: ??? ==23622== Address 0x25989000 is not stack'd, malloc'd or (recently) free'd ==23622== ==23622== Thread 3: ==23622== Conditional jump or move depends on uninitialised value(s) ==23622==at 0x8072F5E: lh_retrieve (in /home/tools/version_courante/mybin) ==23622== ==23622== Use of uninitialised value of size 4 ==23622==at 0x8072F73: lh_retrieve (in /home/tools/version_courante/mybin) ... The first lines are retruned when calling RAND_write_file(), the other lines are all returned when calling SSL_accept(). Does anyone know if it is an error of my own or not? build openssl with ./config ... -DPURIFY ... and then try again. most of the uninitialized ... warnings are caused by the fact that openssl uses uninitialized memory during the random number generation (and using uninitialized memory there isn't/shouldn't be problematic). I guess this should be put in the FAQ Nils __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Generate a CRL from an OCSP request
Dr. Stephen Henson [EMAIL PROTECTED] a écrit : On Wed, Jun 01, 2005, Julien VEHENT wrote: Hi all, I'm having an OCSP Responder on my CA and i want to use it in order to generate CRL's on others servers. So the idea is: +-+ | CA |ocsp request(1)===+---+(3) |ocsp |...|openvpn srv|..(CRL GENERATION) +-+=ocsp response===(2)==+---+(4)/ and with the ocsp response i want to generate a CRL. For the ocsp resquest, i'm using the openssl toolkit with a cron. But i have several problems: _How can i request all certificates managed by my CA in one ocsp request ? (i don't want to copy all of these signed certificates on all of my openvpn servers) _How can i encode the response in PEM format in order to use it with OpenVPN ? I really want to use the OCSP protocol for several reason (including security consideration) so publication through HTTP protocol is not a good solution for me. Could you help me ?... :) OCSP can't really be used that way unless you include the serial numbers of *all* that CAs certificates in the request. That could result in a very large request and responder overhead. What is your problem with HTTP? A CRL is digitally signed so it can't be tampered with. I don't want to use HTTP just because web server are to much attacked. Moreover, OCSP is very interesting for the student that i am :) OK so if i use a boring script which request 100 serial in one line, what is the correct syntax to generate a CRL using the OpenSSL OCSP request ? I've tried to use the -respout argument and a crl conversion (with openssl crl -inform DER [...] -outform PEM [...] ) but it doesn't work... the error message is : unable to load CRL And the openssl ocsp --help doesn't speak about CRL generation.. Thank you very much for your answers :) -- J. VEHENT Student in Computer Security [EMAIL PROTECTED] -- Microgate | 02.47.66.95.01| www.microgate.fr pgpgNqAsVH9QJ.pgp Description: Signature =?iso-8859-1?b?bnVt6XJpcXVl?= PGP bin1fMKTnvwJz.bin Description: Clef publique PGP
Re: valgrind errors
I have just tried the option -DPURIFY and unfortunately it does not help. I still have hundreds of Conditional jump... and Use of uninitialised value Any other suggestion would be greatly appreciated. :) Alexis Nils Larsch a écrit : Alexis Lefort wrote: Hello all, I develeopped a server which seems to work quite fine. When I use Valgrind to check for problems, it returns me thousands of problems wich seems to be caused by the OpenSSL librairie! follows some of the returns: ==23622== Syscall param write(buf) points to uninitialised byte(s) ==23622==at 0x82C573: __write_nocancel (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7D202A: _IO_do_write@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7D17C4: _IO_file_close_it@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x7C83F1: fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so) ==23622==by 0x8073637: RAND_write_file (in /home/tools/version_courante/mybin) ==23622==by 0xCF39EAD1: ??? ==23622== Address 0x25989000 is not stack'd, malloc'd or (recently) free'd ==23622== ==23622== Thread 3: ==23622== Conditional jump or move depends on uninitialised value(s) ==23622==at 0x8072F5E: lh_retrieve (in /home/tools/version_courante/mybin) ==23622== ==23622== Use of uninitialised value of size 4 ==23622==at 0x8072F73: lh_retrieve (in /home/tools/version_courante/mybin) ... The first lines are retruned when calling RAND_write_file(), the other lines are all returned when calling SSL_accept(). Does anyone know if it is an error of my own or not? build openssl with ./config ... -DPURIFY ... and then try again. most of the uninitialized ... warnings are caused by the fact that openssl uses uninitialized memory during the random number generation (and using uninitialized memory there isn't/shouldn't be problematic). I guess this should be put in the FAQ Nils __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: SSL_renegotiation using non block sockets
Thanks pj, the code was real helpful. Just one minor clarification, once a call to SSL_renegotiate is made, should I check the protocol status by calling SSL_accept (mine is server) within the while loop you have? I have gone into an accept_pending state and calling SSL_accept until it returns with a 1..is this correct? Thanks --Gayathri Hi I did the same thing yesterday myself but because I wanted to implement a timeout solution as well as quick shutdown of my COM object via object notification. You might be able to hack my work ... this is what I came up with... It takes a blocking socket, makes it un-blocking... negotiates with timeout and signalling considerations and then passes back normal error codes... // SSLConnectWithTimeout, connect to a remote server with timeout int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) { //- // Set the socket I/O mode: In this case FIONBIO // enables or disables the blocking mode for the // socket based on the numerical value of iMode. // If iMode = 0, blocking is enabled; // If iMode != 0, non-blocking mode is enabled. int iMode = 1; LogInformation2(Running SSL non-blocking connection timeout = %ld, timeout); if (timeout) { // establish non- blocking mode to enable us to time out. ioctlsocket(s, FIONBIO, (u_long FAR*) iMode); } // make the connection attempt int nRet = SSL_connect(ssl); // if we are using a timeout then ... if (timeout) { // convert nRet to a real error if necessary if (nRet != 1) nRet = SSL_get_error(ssl, nRet); LogInformation2(connect run return value %d., nRet); LogInformation1(Starting SSL polling loop); // get the start time DWORD starttime = timeGetTime(); while ((nRet==SSL_ERROR_WANT_READ || nRet==SSL_ERROR_WANT_WRITE) !isStopEventSignaled()) { // Back off to let the connection happen. //Sleep(50); // reiterate the connection nRet = SSL_connect(ssl); if (nRet != 1) nRet = SSL_get_error(ssl, nRet); // check for timeout if ((timeGetTime() - starttime = timeout) || m_signalled) { // return an error nRet = -1; break; } } LogInformation2(Finished polling loop signalled? %d, m_signalled); // if we made it to here with nRet = 1 we are SSL connected if (nRet == 1) { LogInformation2(Successful connection made! returning %d., nRet); // turn off non-blocking mode, back to blocking mode for the rest // of the connection iMode = 0; ioctlsocket(s, FIONBIO, (u_long FAR*) iMode); } else { // just a log the error, remember logging disappears when compiled // without LOG_BUILD defined. LogInformation2(Timeout occurred returning %d., nRet); } } // return connection state. return nRet; } -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 2 June 2005 2:14 PM To: openssl-users@openssl.org Subject: SSL_renegotiation using non block sockets Hi, I am using Non Blocking sockets, and would like to know the behaviour wrt SSL_renegotiation. Once I make a call to do_handshake, as the FD is non blocking it will return immediately with a success, but from the application's point of view how will it come to know that the renegotiation in thro' so that it can call SSL_write/SSL_read? Should the application poll on that do_handshake flag within the ssl control block? Any suggestion/help appreciated a lot. Thanks --Gayathri __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.322 / Virus Database: 267.4.0 - Release Date: 1/06/2005 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.322 / Virus Database: 267.4.0 - Release Date: 1/06/2005 __ OpenSSL Project http://www.openssl.org User Support
Read a Bignum from file
Hello: I wrote a BIGNUM into a file using the function: int BN_print_fp(FILE *fp, const BIGNUM *a); But, How I can read this bignum from this file?. I don´t know a openssl function to read a bignum from a file. Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: AIX-64-bit build
FYI, 0.9.7g builds and executes fine on AIX, in 64-bit mode (aix64-cc). Thanks to Peter Waltenberg for all his help. Cheers, Prab. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
FW: AIX-64-bit build
Many thanks Paul Franz and Andy Polyakov for their input also. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gill, Prabhprit (Prabh) Sent: 02 June 2005 16:02 To: openssl-users@openssl.org Subject: RE: AIX-64-bit build FYI, 0.9.7g builds and executes fine on AIX, in 64-bit mode (aix64-cc). Thanks to Peter Waltenberg for all his help. Cheers, Prab. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Derving the root CA's cert from a given SSL cert
No (with qualifications). If the server sends you the entire certificate chain, then yes you can retrieve the root certificate since it was sent to you. If the server only sends you it's certificate, then all you have is the server's pubic key digitally signed by the issuer. The issuer's certificate is not embedded within. On Jun 1, 2005, at 11:01 AM, Davy Durham wrote: Hi, I was wondering if it's possible to derive (or extract?) the root CA's cert from an given SSL cert using openssl. What I mean by root CA's cert is the certficate that would be installed in a browsers list of trusted CAs. For instance if I have an SSL certificate signed by verisign, I would like to get verisign's certificate out of that cert that would have to be in the browser's trusted list (for it to be trust). Is this possible? Thanks, Davy __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME cryptographic signature
Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace
I have the exact same problem and can't fix it. Can someone give a step by step procedure to fix the problem ? Or maybe correct MSVC workspace exist somewhere ? btw: Compiling works OK when using the make file. It only fails as explained below when using MSVC workspace. -- [EMAIL PROTECTED] The author for the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be - Original Message - From: ahmad hassan [EMAIL PROTECTED] To: openssl-users@openssl.org Cc: [EMAIL PROTECTED] Sent: Tuesday, May 03, 2005 1:20 PM Subject: Problem in compiling openssl 0.9.7g on Windows Hello, I am trying to build openssl 0.9.7g on windows, which i was successfully able to do using steps mentioned in INSTALL.W32 file. Now i would like to include libeay32 and ssleay32 source code as a workspace in my Visual C++ 6.0 project. For that i went to http://www.openssl.org/related/ and the second link gave me the dsp to use and compile openssl source code through vc++ environment. It is actually so that i had openssl 0.9.7d with me which i downloaded a year ago and compiled it using this visual studio project file but now it is not compiling with the latest version giving me messages like this. There is some problem with proxy certifiactes thing. How do i reslove these errors. Some are just defined in the libeay32.def file which i removed but PROXY_CERT_INFO_EXTENSION_free is not declared anywhere and is being used in number of places like openssl-0.9.7g\crypto\x509\x509_vfy.c etc. Can anyone guide me or give me related information regarding how to include latest openssl version as workspace in my project. Configuration: libeay32 - Win32 Debug Linking... libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_free libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_it libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_new libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_free libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_it libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_new libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_CERT_INFO_EXTENSION libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_POLICY libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_CERT_INFO_EXTENSION libeay32.def : error LNK2001: unresolved external symbol i2d_PROXY_POLICY ..\..\out32dll\Debug/libeay32.lib : fatal error LNK1120: 10 unresolved externals LINK : fatal error LNK1141: failure during build of exports file Error executing link.exe. libeay32.dll - 12 error(s), 0 warning(s) Configuration: libeay32 - Win32 Debug _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
openssl config file location
Hi, the page http://www.openssl.org/docs/crypto/OPENSSL_config.html claims that OPENSSL_CONFIG should be the environment variable to set for an alternate config file, however it appears that the code wants OPENSSL_CONF. Also, the OPENSSL_config.3 man page shows OPENSSL_CONFIG.. Others manpages such as ca.1 show OPENSSL_CONF... Kent __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openssl config file location
On Thu, Jun 02, 2005, Kent Yoder wrote: Hi, the page http://www.openssl.org/docs/crypto/OPENSSL_config.html claims that OPENSSL_CONFIG should be the environment variable to set for an alternate config file, however it appears that the code wants OPENSSL_CONF. Also, the OPENSSL_config.3 man page shows OPENSSL_CONFIG.. Others manpages such as ca.1 show OPENSSL_CONF... That web page and OPENSSL_config.3 are from the same .pod file so they will say the same :-) Thanks for the report I'll fix it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL_renegotiation using non block sockets
HI, SSL_accept/SSL_connect is something that we use to establish an initial SSL connection and we use SSL-renegotiate/SSL_do_handshake based on timers we install for SSL for re-negotiating KEYs such that hacking the SSL connection is robust. Having said that.. I assume you already have an SSL connection established and want to implement re-negotiation in your application. It should go like this ( OPENSSL says for re-negotiation we should make the underlying transport BLOCKING) If openssl version is 0.9.7 * SSL *ssl; int fd; fd = SSL_get_fd(ssl); set_blocking(fd); SSL_renegotiate(ssl); SSL_do_handshake(ssl); while( ssl-state != SSL_ST_OK) { /* you may want to implement timeout here, if you want to */ ssl-state |= SSL_ST_ACCEPT; SSL_do_handshake(ssl); } set_nonblocking(fd); return SUCCESS; IF openssl version 0.9.7 * SSL *ssl; int fd; fd = SSL_get_fd(ssl); set_blocking(fd); SSL_renegotiate(ssl); SSL_do_handshake(ssl); while( SSL_renegotiate_pending(ssl)) { /* you may want to implement timeout here, if you want to */ SSL_do_handshake(ssl); } set_nonblocking(fd); return SUCCESS; *** set_blocking and set_nonblocking are functions that can be implemented very easily using fcntl. HTH, Lokesh. On 6/2/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Thanks pj, the code was real helpful. Just one minor clarification, once a call to SSL_renegotiate is made, should I check the protocol status by calling SSL_accept (mine is server) within the while loop you have? I have gone into an accept_pending state and calling SSL_accept until it returns with a 1..is this correct? Thanks --Gayathri Hi I did the same thing yesterday myself but because I wanted to implement a timeout solution as well as quick shutdown of my COM object via object notification. You might be able to hack my work ... this is what I came up with... It takes a blocking socket, makes it un-blocking... negotiates with timeout and signalling considerations and then passes back normal error codes... // SSLConnectWithTimeout, connect to a remote server with timeout int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) { //- // Set the socket I/O mode: In this case FIONBIO // enables or disables the blocking mode for the // socket based on the numerical value of iMode. // If iMode = 0, blocking is enabled; // If iMode != 0, non-blocking mode is enabled. int iMode = 1; LogInformation2(Running SSL non-blocking connection timeout = %ld, timeout); if (timeout) { // establish non- blocking mode to enable us to time out. ioctlsocket(s, FIONBIO, (u_long FAR*) iMode); } // make the connection attempt int nRet = SSL_connect(ssl); // if we are using a timeout then ... if (timeout) { // convert nRet to a real error if necessary if (nRet != 1) nRet = SSL_get_error(ssl, nRet); LogInformation2(connect run return value %d., nRet); LogInformation1(Starting SSL polling loop); // get the start time DWORD starttime = timeGetTime(); while ((nRet==SSL_ERROR_WANT_READ || nRet==SSL_ERROR_WANT_WRITE) !isStopEventSignaled()) { // Back off to let the connection happen. //Sleep(50); // reiterate the connection nRet = SSL_connect(ssl); if (nRet != 1) nRet = SSL_get_error(ssl, nRet); // check for timeout if ((timeGetTime() - starttime = timeout) || m_signalled) { // return an error nRet = -1; break; } } LogInformation2(Finished polling loop signalled? %d, m_signalled); // if we made it to here with nRet = 1 we are SSL connected if (nRet == 1) { LogInformation2(Successful connection made! returning %d., nRet); // turn off non-blocking mode, back to blocking mode for the rest // of the connection iMode = 0; ioctlsocket(s, FIONBIO, (u_long FAR*) iMode); } else { // just a log the error, remember logging disappears when compiled // without LOG_BUILD defined.
Re: Default CApath in Debian (OpenSSL 0.9.6c-2)
HI, Pls check man page of SSL_load_verify_locations(...) which can be used in writing the server or client program. -Lokesh. On 6/1/05, Vaclav Stepan [EMAIL PROTECTED] wrote: Hi, I ran in trouble with the following thing. There is a Debian woody, with OpenSSL 0.9.6c installed. I am trying to set OpenSSL so it per default uses CA certificates in /etc/ssl/certs (I want to force Sylpheed to actually use a CA certificate to verify server certificate). I put the CA files to /etc/ssl/certs and generated hash names. If I do openssl s_client -CApath /etc/ssl -connect ... then OpenSSL correctly finds the CA certificate and verifies the server certificate (return code 0). If I omit the CApath, using the default settins, the verification fails with Verify return code: 21 (unable to verify the first certificate) I searched Google and archives - the only relevant thing I found is that if it is my client app, I may ask it to use some CA cert. But how do I set a CApath per default? Thanks for any hint Vaclav Stepan -- Vaclav Stepan [EMAIL PROTECTED] http://linux.fjfi.cvut.cz/~w/ -- Vaclav Stepan [EMAIL PROTECTED] http://linux.fjfi.cvut.cz/~w/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: timeout vs. SSL_ERROR_WANT_XXXX
HI, You may want to consider using SSL_CTX_set_mode(...) with SSL_MODE_AUTO_RETRY flag such that you would'nt recieve SSL_ERROR_WANT_XXX messages. Normally those messages come when the other side requests for re-negotiation. -Lokesh. On 5/31/05, opt [EMAIL PROTECTED] wrote: Hi everyone I want to use timeout with select and I wonder how to cancel operation (SSL_read or SSL_write non-blocking) that caused SSL_ERROR_WANT_READ (or *_WRITE). I've got messages queue to send (and one for received too). If I cannot send whole particular msg within some time (5 sec) I want to discard this message and start sending another one. The problem is, when not fully transmited (received) msg locks in state where I receive SSL_ERROR_WANT_XXX. From docs etc. I know, that when I've got SSL_ERROR_WANT_* I have to retry operation which caused this error but it require more time, which I haven't got becouse I want to send another message ! I can always close connection and open it again, but it is ugly solution. Is there any way, to do it in more polite way ? -- Mariusz Kedzierawski __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Generate a CRL from an OCSP request
Julien VEHENT wrote: I don't want to use HTTP just because web server are to much attacked. Moreover, OCSP is very interesting for the student that i am :) OK so if i use a boring script which request 100 serial in one line, what is the correct syntax to generate a CRL using the OpenSSL OCSP request ? I don't think you can do what you want anyway - you have a chicken-n-egg problem. As far as I'm aware, an OCSP environment implies the following. You (e.g. the HTTPS server) are asked to interact with a remote cert, you can tell it was signed by a CA you trust - but you don't know if it hasn't been revoked. So you call OCSP and say is serial 7423342 still valid and it answers yes or no. So for you to dump all the revoked certs contained within a OCSP db, you'd need to know all of the serial numbers in advance. And the only thing that know all the assigned serial numbers - is the CA itself. So now what do you do? Log into the CA and dump the serial numbers, copy them over to the box and then use OCSP to recursively do the lookups?!?! A waste of time - you could have just grabbed the CRL file in the first place. What we do is have a distribution of CRL Servers. Simply Apache server with a copy of our CRL (rsync'ed onto the Apache servers from the CA on an hourly basis). As Stephen said, all CRLs are digitally signed by the CA - so THEY CANNOT BE ALTERED. Worst case scenario is that the Web server is compromised and...? The CRL is deleted...? Corrupted? It can't be altered. I mean if you're Web server is compromised, the integrity of your CRL file is irrelevant -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Self CA Setup
Hello, I am using the Win32OpenSSL-v0.9.7f.exe download running on Win Me. I am writing a web-based accounting system for a client who is a chartered accountant. He has been using my system for many years in-house. But city traffic being more of a problem he wants his staff to be able to work from home so I am writing a webbased interface. Because the data is the financial data of his clients, it needs to be secured. What I am looking at is a system that is used by a few trusted staff, but over the internet. I envisaged that I could create my own certificate authority certificate and append it to my servers cacert file along with all the others, then create private key and certificate based on the cacert and put that in the webserver. I have been able to make a self-cert work but it does bring up an untrusted message on first use and I am not sure it is really secure in the internet at large. I have created a certificate authority certificate - a x509 cert but it is only the encrypted section and not the full verbose form that cacerts have in the servers cacert file. When I try: exec C:/OpenSSL/bin/openssl.exe x509 -in cacert.pem -text Error opening Certificate cacert.pem 4294003705:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:278:fopen('cacert.pem','rb') 4294003705:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:280: unable to load certificate I dont have a crypto directory or a bss_file.c anywhere. Am I missing something from the distribution ? I want to know how to create a full cacert to put in the server cacert file. I am also wondering if the approach outlined above is adequate. Perhaps a private reply is appropriate. Thank you in advance, Paul Nash webscool.org [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: timeout vs. SSL_ERROR_WANT_XXXX
Hi, What I think is as its the application's responsibility to retry the same openssl operation whenever it receives a WANT_READ or WANT_WRITE, why cant we simply overwrite the buffer that is passed to say SSL_write with the next payload that needs to be sent when we hit that error code, in this way we can automatically drop the earlier payload that was attempted. Hope this is correct. Thanks --Gayathri === HI, You may want to consider using SSL_CTX_set_mode(...) with SSL_MODE_AUTO_RETRY flag such that you would'nt recieve SSL_ERROR_WANT_XXX messages. Normally those messages come when the other side requests for re-negotiation. -Lokesh. On 5/31/05, opt [EMAIL PROTECTED] wrote: Hi everyone I want to use timeout with select and I wonder how to cancel operation (SSL_read or SSL_write non-blocking) that caused SSL_ERROR_WANT_READ (or *_WRITE). I've got messages queue to send (and one for received too). If I cannot send whole particular msg within some time (5 sec) I want to discard this message and start sending another one. The problem is, when not fully transmited (received) msg locks in state where I receive SSL_ERROR_WANT_XXX. From docs etc. I know, that when I've got SSL_ERROR_WANT_* I have to retry operation which caused this error but it require more time, which I haven't got becouse I want to send another message ! I can always close connection and open it again, but it is ugly solution. Is there any way, to do it in more polite way ? -- Mariusz Kedzierawski __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
[Fwd: Re: SSL_renegotiation using non block sockets]
Original Message Subject: Re: SSL_renegotiation using non block sockets From:[EMAIL PROTECTED] Date:Thu, June 2, 2005 8:41 pm -- HI Lokesh., Thanks for the response. Actually yesterday I spent close to 3hrs trying all sorts of things, and finally concluded myself that renegotiation has to be only on blocking sockets. But I thought that was a restriction on openssl 0.9.6. I am using 0.9.7. could someone pls clarify on this? The thing is once I call renegotiation/do_handshake encrypted handshake messages are exchanged by the peers but then, checking the SSL_renegotiate_pending api in a loop wherein I call that for FD_WRITE_POLL noticed that pkts in the TCP RecvQ were just not getting read. So the Client never tried to establish the next new connection. Could you pls let me more about the SSL_renegotiate_pending() api? I dont think it reads/writes data, simply returs with Non-Zero if the renegotiation is still going on and a One for completion. The main scenerio is for authentication wherein after a user has established a valid SSL_Session, and tries to Login into our application, we want to renegotiate with client certificate for extra priviledges, what I now see is, the response encrypted handshake msg is not read by SSL, its there in the TCP RecvQ and I dont know what api to use so that the server can read that. Will this be solved if it were made blocking? Thanks --Gayathri HI, SSL_accept/SSL_connect is something that we use to establish an initial SSL connection and we use SSL-renegotiate/SSL_do_handshake based on timers we install for SSL for re-negotiating KEYs such that hacking the SSL connection is robust. Having said that.. I assume you already have an SSL connection established and want to implement re-negotiation in your application. It should go like this ( OPENSSL says for re-negotiation we should make the underlying transport BLOCKING) If openssl version is 0.9.7 * SSL *ssl; int fd; fd = SSL_get_fd(ssl); set_blocking(fd); SSL_renegotiate(ssl); SSL_do_handshake(ssl); while( ssl-state != SSL_ST_OK) { /* you may want to implement timeout here, if you want to */ ssl-state |= SSL_ST_ACCEPT; SSL_do_handshake(ssl); } set_nonblocking(fd); return SUCCESS; IF openssl version 0.9.7 * SSL *ssl; int fd; fd = SSL_get_fd(ssl); set_blocking(fd); SSL_renegotiate(ssl); SSL_do_handshake(ssl); while( SSL_renegotiate_pending(ssl)) { /* you may want to implement timeout here, if you want to */ SSL_do_handshake(ssl); } set_nonblocking(fd); return SUCCESS; *** set_blocking and set_nonblocking are functions that can be implemented very easily using fcntl. HTH, Lokesh. On 6/2/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Thanks pj, the code was real helpful. Just one minor clarification, once a call to SSL_renegotiate is made, should I check the protocol status by calling SSL_accept (mine is server) within the while loop you have? I have gone into an accept_pending state and calling SSL_accept until it returns with a 1..is this correct? Thanks --Gayathri Hi I did the same thing yesterday myself but because I wanted to implement a timeout solution as well as quick shutdown of my COM object via object notification. You might be able to hack my work ... this is what I came up with... It takes a blocking socket, makes it un-blocking... negotiates with timeout and signalling considerations and then passes back normal error codes... // SSLConnectWithTimeout, connect to a remote server with timeout int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) { //- // Set the socket I/O mode: In this case FIONBIO // enables or disables the blocking mode for the // socket based on the numerical value of iMode. // If iMode = 0, blocking is enabled; // If iMode != 0, non-blocking mode is enabled. int iMode = 1; LogInformation2(Running SSL non-blocking connection timeout = %ld, timeout); if (timeout) { // establish non- blocking mode to enable us to time out. ioctlsocket(s, FIONBIO, (u_long FAR*) iMode); } // make the connection attempt int nRet = SSL_connect(ssl); // if we are using a timeout then ... if (timeout) { // convert nRet to a real error if necessary if (nRet != 1) nRet = SSL_get_error(ssl, nRet); LogInformation2(connect run return value %d., nRet); LogInformation1(Starting SSL polling loop); // get the start time DWORD starttime
Determining the root CA cert from an SSL cert
Ok, so deriving/extracting the root CA's certificate from an SSL certificate is not possible. So, another question: Can openssl be given an SSL cert and a list of trusted root CAs' certs and it just output the root CA's cert that goes with (signed) that SSL cert? Or is it a matter of doing an openssl command that would tell you a fingerprint of the issuer's key/cert from the SSL cert, then another command to find that fingerprint in a list of other certs? Thanks, Davy __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]