RE: Issue getting enough entropy on Windows NT 4.0 system

2008-10-10 Thread David Schwartz
> Hello, > > The Windows NT 4.0 system has the workstation service stopped. > > This causes the following snippet from rand_win.c to return 0 > > if (netstatget(NULL, L"LanmanWorkstation", 0, 0, > &outbuf) == 0) > { > RAND_add(outbuf, si

RE: non-blocking version of SSL_peek

2008-10-10 Thread David Schwartz
> Actually before closing a TLS connection I need to make sure that no > pending data is present on the that socket. So, calling SSL_peek would > tell if this is the case or not. No, it won't. Okay, you call SSL_peek, and there's no pending data. Now, you're about to call SSL_shutdown. How do yo

RE: RE: Issue getting enough entropy on Windows NT 4.0 system

2008-10-10 Thread David Schwartz
> Thanks for the suggestion but the RAND_poll function already > pulls from the system right after the big #if 0 block as described > below in the setup for the calls. > > if (advapi) > { > /* > * If it's available, then it's available

RE: creating public RSA key and verifying signature

2008-10-13 Thread David Schwartz
> btw, when i try to get the error code by > printf("Error code: %d", ERR_get_error()); > i get Error code: 67567722 Your code says: result = RSA_public_decrypt(pValidationData.ulValidationDataLength, pValidationData.rgbValidationData, outputPlaintext, publicKey, RSA_PKCS1_

RE: Getting the peer certificate encoding

2008-10-13 Thread David Schwartz
Aravinda Babu wrote: > Problem is our application will verify only DER format certificates. > So if i get the peer certificate in PEM format , i will convert > that into DER and i will verify the peer certificate. > Is there any openSSL API which will tell me about the peer > certificate encodi

RE: how do I determine blocking or nonblocking?

2008-10-16 Thread David Schwartz
> Documentation tells me that the SSL pointer should inherit > the blocking property from the socket passed to SSL_set_fd. Right. > However, when I call SSL_shutdown with the SSL handle, > the return code I get is not an error or a shutdown completed > but a shutdown in progress (return code= 0)

RE: ssl_ctx_new 140A90F1:lib(20):func(169):reason(241)

2008-10-19 Thread David Schwartz
> Most of the time but not all I get > 140A90F1:lib(20):func(169):reason(241) from the error stack when > I try to call sl_ctx_new. I am using 9.8i in a win32 environment. > Any information on what the error message means would be much appreciated. The OpenSSL executable has the 'errstr' comma

RE: how do I determine blocking or nonblocking?

2008-10-20 Thread David Schwartz
> David Schwartz wrote: > > Which is pretty much the same as every other operation. If you > > call 'send' > > or 'write' on a blocking TCP socket, and you get a zero return, > > does that > > mean the data has been sent? No. It means the d

RE: why build shared openssl

2008-10-23 Thread David Schwartz
> Never ship a Shared OpenSSL library. Anyone can rebuild it to output > the socket buffer to disk prior to encryption and replace yours. > > :-) A party to an encrypted conversation can put its contents in a full-page ad in the New York Times if they want to. There's no need to keep a conversati

RE: Simple non-blocking TCP connect

2008-10-24 Thread David Schwartz
Gabriel Soto wrote: > { > // Create BIO with some random nonexistent host. > BIO *bio = BIO_new_connect("192.168.9.9:"); > > if (bio == NULL) { > // Failed to obtain BIO. > return false; > } > > // Set as non-blocking. > BIO_set_nbio(bio, 1); > > //

RE: Simple non-blocking TCP connect

2008-10-27 Thread David Schwartz
> I was thinking about an alternate solution, using blocking sockets, > and doing the connect on another thread. If the user cancels the > operation I'd close the socket (BIO_free) and I guess the connect > would return with an error and the thread would exit then. Seems a > little dirty but it co

RE: Simple non-blocking TCP connect

2008-10-27 Thread David Schwartz
> > I was thinking about an alternate solution, using blocking sockets, > > and doing the connect on another thread. If the user cancels the > > operation I'd close the socket (BIO_free) and I guess the connect > > would return with an error and the thread would exit then. Seems a > > little dirty

RE: SSL alert number 10 after quite exactly 1MB transfered

2008-10-30 Thread David Schwartz
> Hello list, > > I write an application which acts like a proxy/repeater between > two ssl - endpoints. For my app I use OpenSSL 0.9.8g. > The two endpoints connect to the app and identify themselves > using an id (Both use the matrixssl implementation for ssl handling). > Two matching id's sta

RE: SSL alert number 10 after quite exactly 1MB transfered

2008-11-02 Thread David Schwartz
> please tell me where the deadlock is. > As far as I know a deadlock arises when one process locks a > resource another > process requests and vice versa. A deadlock occurs when two or more agents are waiting for each other. Neither can make forward progress until the other does. This is preci

RE: SSL alert number 10 after quite exactly 1MB transfered

2008-11-02 Thread David Schwartz
Let me try one more time to explain the problem with an unrealistic, but I hope easy to follow, example. Consider: A <-> B Now, imagine A sends a message to B requesting some unit of data. B begins sending a very, very large chunk of data to A, many tens of MB. After 10 MB or so, A realizes t

RE: client crash or network issue?

2008-11-04 Thread David Schwartz
Md Lazreg wrote: > Actually the same question is valid even if I am not using SSL sockets. > So is there a way to distinguish between if a socket was closed because > of a client crash or because of a network issue?. If yes, is there an > equivalent under SSL sockets? You have three choices: 1)

RE: FIPS and new releases of openssl

2008-11-04 Thread David Schwartz
> Hello, > > In appendix B of the openssl FIPS security policy it is stated > that the module must be built with a particular tar file > (openssl-fips-1.1.2.tar.gz) and a hmac hash value for the tar > file is specified. Furthermore it is stated that there shall be > no additions, deletions, or alt

RE: client crash or network issue?

2008-11-04 Thread David Schwartz
> Thanks David. > Unfortunately option 1) and 3) are not possible for my clients. In other words, you cannot engineer a sensible option and have to fake it. That's fine, but solutions that aren't engineered tend to be poor. > option 2) seems the way to go for me, but so far it proved unreliable

RE: SSL_ERROR_SYSCALL, errlist: No such file or directory

2008-11-04 Thread David Schwartz
> Calling SSL_accept. > Error code: 5 > error::lib(0):func(0):reason(0) > Error: SSL_ERROR_SYSCALL, errlist: No such file or directory > WSAGetLastError, rc=0 > > This is basically the APIs I call to get the above information. > > err = SSL_get_error(ssl, rc); > printf("Error code: %d", er

RE: SSL_ERROR_SYSCALL, errlist: No such file or directory

2008-11-04 Thread David Schwartz
> So I can now see the Solaris side. It appears it gets > "gibberish", probably > encrypted data. Does anyone know why it would appear that the socket is > not decrypting the data? This same code works fine on a Windows system. > > SSL_ca_file: /opt/bf-567/Platform/keystore/CA.pem > SSL_cert

RE: How to use a hardware RNG with openssl?

2008-11-05 Thread David Schwartz
> On 2008.09.22 at 16:37:58 +0200, F. wrote: > > > Any way to collect only from HRNG? > > You can write your own RAND_METHOD > and encapsulate it in the engine module. > > Then you can load this engine via openssl.cnf > and set default rand method to this engine. > > Really, this is not very good

RE: client crash or network issue?

2008-11-05 Thread David Schwartz
> Thank you again David, You are welcome. > As for the network issue scenarios here are some details about the last case: > 1)The server is running on UNIX, the client is running on windows or unix. > unplug the client or the server. The server does not report anything! Logical, nothing has h

RE: Getting application data from the final packet in a handshake.

2008-11-05 Thread David Schwartz
> All - > > I am using OpenSSL with memory BIOs for the communication. I have > everything working just fine, until I came across a server that sends > Application data in the final packet of the TLS handshake. > Specifically, Wireshark shows the following in its output : > > Change Cipher Spec,

RE: RAND_egd() blocking -- despite contract that states otherwise?

2008-11-06 Thread David Schwartz
> There needs to be a call to fcntl(fd,F_SETFL,O_NONBLOCK) just after > the socket() call and error status check. > > -Kyle H That will just waste CPU. The code will spin in each loop "while (!success)" loop until it gets what it wants. It will still not return any time soon, but will do so at

RE: RAND_egd() blocking -- despite contract that states otherwise?

2008-11-07 Thread David Schwartz
Ben Sandee wrote: > On Thu, Nov 6, 2008 at 9:11 PM, David Schwartz <[EMAIL PROTECTED]> wrote: >> > There needs to be a call to fcntl(fd,F_SETFL,O_NONBLOCK) just after >> > the socket() call and error status check. >> That will just waste CPU. The code will spin

RE: RAND_egd() blocking -- despite contract that states otherwise?

2008-11-08 Thread David Schwartz
> That's a great question. Indeed, this platform (AIX) does have > /dev/random but apparently that too was exhausted because that > is checked first in our implementation. I think the fault is truly > with the system in question, because prngd should not have blocked > in the manner it did. Des

RE: RAND_egd() blocking -- despite contract that states otherwise?

2008-11-09 Thread David Schwartz
>> So what do you want to do if you run out of entropy? > Fail with an error condition stating that, rather than > the indeterminate hang in read() that was experienced. I believe you need to compile with EGD support then. This will get you the behavior you want. EGD provides no way to tell whet

RE: RAND_egd() blocking -- despite contract that states otherwise?

2008-11-11 Thread David Schwartz
> Yes. Hence the correct solution would be non-blocking with select()... > > Best regards, > Lutz How do you determine (portably) if the socket you got from 'socket' is inside the legal range for FD_SET? Many platforms, including Linux, will happily allow 'socket' to return values that are w

RE: how to verify if the public_key is valid to decrypt data using RSA_public_decrypt()

2008-11-17 Thread David Schwartz
> I'm using RSA to encrypt/decrypt some text. I encrypt the data using the > private key and then decrypt it using RSA_public_decrypt(). One thing i > noticed was that if the data was not encrypted using the correct > private key > that RSA_public_decrypt() will just set the output to gibberish.

RE: RSA_sign RSA_verify

2008-11-18 Thread David Schwartz
> Where am i going wrong here? > char* message = "Hello World"; > if(RSA_sign(NID_md5, (unsigned char*) message, strlen(message), > signature, &slen, private_key) != 1) { The problem is that your RSA key is very small. A 256-bit RSA key can only sign up to 32 bytes. 11 bytes are

RE: signature length mismatch ERROR in RSA_Verify.

2008-11-19 Thread David Schwartz
> RSA_verify(NID_md5, datatosign, (strlen(datatosign)), signature, > strlen(signature), key); The 'strlen' function is only usable on a C-style string. The signature cannot be a C-style string because it is arbitrary binary data. > Best regards, > Am. Sivaramakrishnan DS __

RE: CRYPTO_set_dynlock_* mystery ... (was: Engine Issue: nShield 500)

2008-11-20 Thread David Schwartz
> Hi all, > > it seems that I am missing the usage of the set of obscure functions: > > CRYPTO_set_dynlock_create_callback() > CRYPTO_set_dynlock_lock_callback() > CRYPTO_set_dynlock_destroy_callback() > > but I have no idea how to initialize those functions - is there > any

RE: Non-blocking windows socket cause SSL_accept error (SSL_ERROR_WANT_READ)

2008-11-24 Thread David Schwartz
> SSL_accept always returns < 0 error. With SSL_get_error I found that the > error is SSL_ERROR_WANT_READ. > During debugging and troubleshooting, I realised that when I use "normal" > blocking windows socket, SSL_accept works fine. > > Why using non-blocking windows socket caused that error ? Th

RE: sign/verify kicking my ass

2008-11-24 Thread David Schwartz
> > I used fwrite(signature,1,strlen(signature),fp) and got the > > same results. You seem to have a fundamental misunderstanding about how strings work in C. That's not good for someone writing security software. The 'strlen' function computes the length of a C-style string. The signatu

RE: BIO_do_accept() in non-blocking mode - Better way than loop!?

2008-11-30 Thread David Schwartz
> In the non-blocking mode, is there a better way than watch return value of > BIO_do_accept() in a loop ? > > Is there a way to be notified when a handshake is initiated from > the client > ? A kind of "WAITINCOMINGHANDSHAKE" which have a timeout ? Or > nothing else ? > > The OpenSSL documentatio

RE: Installing openssl-fips-1.2

2008-12-01 Thread David Schwartz
> Then how would I fix it so it would compile and not violate any security policy Getting a FIPS build just right is a major pain and requires all kinds of trade offs. I just wouldn't bother unless you absolutely, positively must have a FIPS build for some reason. What you have to do is find s

RE: Installing openssl-fips-1.2

2008-12-01 Thread David Schwartz
> The only reason I'm installing openSSL is because Perl SSH2 requires it. > Am I getting too deep into this or is there another way I can get the > library I need? Get OpenSSL-0.9.8e or any other version that SSH2 supports. > > Then how would I fix it so it would compile and not violate > > an

RE: Doubts about security

2008-12-11 Thread David Schwartz
> Hello, > > Can you explain to me how ssl can be secure communicating first by the > public key, and then negotiate a private key? > > If anyone can get the public key, anyone can get the private sniffing > the packs. > > Thanks. > Walter Neto - Brazil Private keys are never sent over the netwo

RE: RSA_public_encrypt() strange result output... is it a bug !?

2008-12-17 Thread David Schwartz
> Ok. I am a little bit confused. You are telling me that a same > data encrypted > with the same key can generate different results? Yes. This is absolutely essential for any public-key system to be secure. Imagine if someone asks you, "Should we attack at dawn? Send the message securely using m

RE: Question about SHA256 on a RSA* key

2008-12-19 Thread David Schwartz
> Hi! > > I am doing a SHA256 on a RSA* private key. I used the result as a > symmetric > key for AES encryption. Do you have a specification for how to do this? What ensures that the RSA private key has the same binary representation each time? For example, "3" and "03" represent the same numbe

RE: Question about SHA256 on a RSA* key

2008-12-22 Thread David Schwartz
BiGNoRm6969: > Never heard about binary specification of the RSA* private key. > Can you give > more more information about that please. Okay, think about this logically. You want to take the SHA256 hash of an RSA private key and get the same result every time. But the SHA256 hash function takes

RE: Question about SHA256 on a RSA* key

2008-12-22 Thread David Schwartz
> And, I should note, you've already proved our point a dozen times > over. Your > code contains three separate bugs, all of them extremely serious. For > example, you used the byte size of the *MODULUS* (that's what RSA_size > returns) as the hash input size for the private key. And, by the way,

RE: Question about SHA256 on a RSA* key

2008-12-22 Thread David Schwartz
> For information: I am using this key to encrypt / decrypt files > locally on a > host. Why not use the RSA key for this purpose, using an established and tested algorithm? Since you have the RSA key, and there are any number of established algorithms to use an RSA key for encryption, why did y

RE: Question about SHA256 on a RSA* key

2008-12-22 Thread David Schwartz
> > Why not use the RSA key for this purpose, using an established > > and tested > > algorithm? Since you have the RSA key, and there are any number of > > established algorithms to use an RSA key for encryption, why > > did you roll > > your own? > > This too is wrong, If it's wrong, why did yo

RE: Question about SHA256 on a RSA* key

2008-12-22 Thread David Schwartz
> - Don't choose algorithms for security, choose protocols for > security. That sounds completely backwards to me. When we have a set of security requirements, the first thing we do is select the algorithms that meet those requirements, then we look for protocols that implement them. F

RE: Question about SHA256 on a RSA* key

2008-12-23 Thread David Schwartz
> > If we want secure compare > > by hash, then almost any sync protocol that uses SHA-256 will > > be fine but > > almost any that uses MD5 will not. Why? Because SHA-256 is good > > for compare > > by hash and MD5 is not. Any protocol that's not brain-damaged that uses > > SHA-256 will work, and

RE: Where to store client PEM certificates for an application

2008-12-24 Thread David Schwartz
> No, my risk model is to simply ascertain whether distributing the certs > as files in the application directory is a serious security risk or not > and, if it is, what steps can make it less so. If it's a security risk, it's because something is broken someplace else. Why do you need to hide a

RE: Question about SHA256 on a RSA* key

2008-12-25 Thread David Schwartz
> It is not just about you but about many people that have skills > in security, > but I have this feeling that those people likes to bash on > newbies, thinking > that they are stupid. Would you want to drive over a bridge that was built by a newbie engineer who didn't think it was important to

RE: Where to store client PEM certificates for an application

2008-12-26 Thread David Schwartz
Kyle Hamilton wrote: > If your company hires a security consultant, s/he will state the > same thing. > > -Kyle H The fundamental problem is this: You have one door. Every customer must walk through it. However, you don't want a customer to run amuck once he gets through the door. Your solut

RE: Where to store client PEM certificates for an application

2008-12-26 Thread David Schwartz
Edward Diener wrote: > Please suggest ways to do so. The server is no different from any other > server database. It accepts a username/password to prevent unauthorized > users from accessing its data. I am perfectly willing to listen to other > server techniques which involve security, or rea

RE: Where to store client PEM certificates for an application

2008-12-26 Thread David Schwartz
Edward Diener > > Your scheme requires you to put the credentials where an > > attacker can get them in unencrypted form. All an attacker need > > do is terminate your process as soon as it attempts a network > > connection (or intercept its filesystem calls and snapshot every > > file before

RE: Where to store client PEM certificates for an application

2008-12-27 Thread David Schwartz
Edward Diener: > But other than vague remonstrances about security planning, and that I > was not qualified as a mere "programmer" to handle security issues from > people who have no idea about my ability, I have yet to receive any > specifics from others about what they would do in this very com

RE: Question about SHA256 on a RSA* key

2008-12-31 Thread David Schwartz
Victor Duchovni wrote (ironically, just a week ago): > No, it is the protocol design (how all the pieces fit together), not the > specific algorithms that make it secure (yes the pieces have to have > the right general properties, but this is secondary). I can't resist pointing out how today's n

RE: Where to store client PEM certificates for an application

2008-12-31 Thread David Schwartz
Edward Diener wrote: > In this last case I do not understand how the client can encrypt data > going to the server if it has no private key of its own. Your question is kind of puzzling. Why would the client needs its own private key in order to encrypt data going to the server? In general, priv

RE: Question about SHA256 on a RSA* key

2008-12-31 Thread David Schwartz
> The TLS protocol did not fail, what failed is the X.509v3 protocol where > algorithm choices are not made by SSL users, rather the poor choices > were made by CAs, who should have known better, and in any case have > largely phased out MD5, with Verisign (reportedly) just one month away > from c

RE: Where to store client PEM certificates for an application

2008-12-31 Thread David Schwartz
> I can understand your summary quite clearly. Great. > Suppose the server encrypts data it sends to the client and the client > needs to decrypt that data. This is the case when my client SELECTs data > from the MySQL database. Does this need a different sequence than the > sequence mentioned a

RE: Where to store client PEM certificates for an application

2009-01-01 Thread David Schwartz
Edward Diener wrote: > Perhaps your seeing this shows why I was at least nominally concerned > about the MySQL client having its own public key-private key > certificates. I have tried to find out what actual use the client's > public key-private key has in MySQL, from either the client or the >

RE: Where to store client PEM certificates for an application

2009-01-01 Thread David Schwartz
Edward Diener wrote: > > 1) You need someone to confirm that having a client use a > > known-compromised > > private key to authenticate over SSL is no worse than the > > client using no > > key at all. It seems to me like you'd almost have to try to make this a > > problem, but who knows -- mayb

RE: Memory Paging

2009-01-12 Thread David Schwartz
> Hi, > > I am writing an application that using openssl to do some encryption and > decryption. I am wondering if there is a way, on the command line or > otherwise, to make sure that no memory that OPENSSL is using is ever > paged out to disk? I want to make sure that after the program is done >

RE: How to detect dead peers with DTLS?

2009-01-19 Thread David Schwartz
> Please note that I can not solve this problem via the protocol that I > use on top of DTLS - which is IPFIX - because IPFIX - by definition - > only *sends* but does not receive data. I.e. I can not infer that the > server crashed from the fact the he does not send any data because he > does not

RE: force 32-bit fips

2009-01-23 Thread David Schwartz
> All, > > I am trying to build OpenSSL-fips-1.2 on a Solaris 10 machine > with Sun Studio 8 and force it to build 32-bit objects. Is there > a way I can do that without changing the makefile and thus > violating the fips validation? I'm not specifically familiar with 64-bit Solaris, but I k

RE: revoking a self-signed certificate

2009-01-26 Thread David Schwartz
> Can you please elaborate on how would the higher-layer security > infrastructure go about this? Simply put, whatever put the certificate in its trusted position is what is to remove it. If a CA says to trust a certificate, that CA can say not to. But if the certificate is self-signed, the trust

RE: revoking a self-signed certificate

2009-01-28 Thread David Schwartz
Olaf Gellert: > I would not say so. If I found a CRL which contains the > self signed root certificate I would stop to trust it > immediately. Why? What do you think that CRL means? Specifically, do you think it means the public key was compromised? Do you think it means the issuer of the origin

RE: Problems with encryption

2009-02-06 Thread David Schwartz
> Has anyone seen problems encrypting credit card numbers with BlowFish. > When encrypting with a 32 char or a 56 char key the there are a number > of values that are not encrypting and thus decrypting all of the > characters. This sounds like a classic example of bugs caused by the "everything i

RE: len of encrypted data

2009-02-16 Thread David Schwartz
> Hi... a simple question, i hope somebody know the solution: > I need to use the EVP_DecryptUpdate... but for fifth argument, > i need the large of encrypted.. how i do this? i'm sure that > strlen not works... You cannot have a chunk of data without knowing how big it is. What it means to "h

RE: EVP_DecryptFinal_ex:bad decrypt

2009-02-16 Thread David Schwartz
> When i use to encrypt data, i have not problems.. when i > decrypt the result of this code, i have not problem... > when i decrypt with this program, i have > 13015:error:06065064:digital envelope routines: > EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461: > The EVP_DecryptUpdate works ok, dec

RE: EVP_DecryptFinal_ex:bad decrypt

2009-02-16 Thread David Schwartz
> buff = (char *)malloc(bptr->length); > memcpy(buff, bptr->data, bptr->length-1); > buff[bptr->length-1] = 0; Umm, you don't copy the last byte of data. You don't allocate enough space to hold the data and a terminator. This is probably your main error. How will 'buff' hold a C-style string wh

RE: how to trace aes quickly?

2009-02-17 Thread David Schwartz
> Victor Duchovni wrote: > > Because in almost all cases that's exactly the right advice. > > > > The cryptography learning that is sufficient and desirable is from books > > such as "Applied Cryptography" which cover protocols and algorithms > > at a high level. Studying the implementation or cre

RE: FIPS Server

2009-02-20 Thread David Schwartz
> Hello all, > I have a general query regarding FIPS mode. I am running a simple openssl > https server based on openssl that services https requests from windows > clients. I have the following setting in my windows XP "Use FIPS compliant > algorithms for encryption, hashing and signing set to 1"

RE: Extra character from X509_get_subject_name

2009-02-20 Thread David Schwartz
> Hi, > > > Do you know why an extra character "/" is attached in front of the > subject name? > > X509_NAME_oneline(X509_get_subject_name(cert), data, 256); > > fprintf(stderr, " Subject = %s\n", data); > > The output is like "/CN=XXX.hp.com". > > Carol X509_NAME_oneline is known to be buggy and

RE: FIPS Server

2009-02-22 Thread David Schwartz
>> FIPS validated cryptography is mandated on endpoints which handle >> sensitive information by the US Federal Government (though current >> practice includes "procurement", not necessarily "implementation"). > Thanks David and kyle for your time. > Kyle, > "though current practice includes "pro

RE: FIPS Server

2009-02-24 Thread David Schwartz
> One final question. Given that non fips mode openssl can talk with fips > validated implementations , Lets say i have a server > which is using openssl in non fips mode which speaks and supports all the > ciphers (including the FIPS ciphers) .Now for a FIPS validated client is > there any way for

RE: ECDSA/Using private and Public keys

2009-02-24 Thread David Schwartz
> Why does the call to d2i_ECPrivateKey(NULL, &pptr, len); always fail? Because you didn't pass it a key. Change that 'NULL' to 'eckey'. DS __ OpenSSL Project http://www.openssl.org User Support

RE: License for Certificate?

2009-02-25 Thread David Schwartz
> Hello, > I am currently developing an interface to a 3rd party product that requires > HTTPS support using an X.509 certificate. > I have been given instructions on how to generate the certificate using openssl. > While in development mode (this is a commercial product), do I need > to include

RE: License for Certificate?

2009-02-25 Thread David Schwartz
> thanks for the response. > > I just need the certificate to securely identify that a request is > coming from who I think it is coming. Then you need some way to distribute a certificate to that endpoint and for the other end to know what certificate that endpoint has. > My goal is that I can

RE: FIPS

2009-02-26 Thread David Schwartz
> Is there any way i can make my implementation of openssl > FIPS capable and FIPS compliant ? If you change even one line of code or one parameter in the building of the canister, you have to go through the FIPS process yourself. Contact any of the 13 accredited testing labs. http://ts.nist.gov/

RE: FIPS

2009-03-01 Thread David Schwartz
> I have some doubt regarding fips capable openssl... If in my system , > one of the my application gets into fips mode .. whether that going to > affect other application to use fips enabled cryptography algorithm.. No. > I have seen in some fips enabled library, if one application gets into

RE: FIPS Server

2009-03-03 Thread David Schwartz
> I have a general query regarding FIPS mode. > I am running a simple openssl https server based on openssl > that services https requests from windows clients. Is it in FIPS mode, yes or no? If not, then you cannot claim it is FIPS compliant. > I have the following setting in my windows XP

RE: Extracting Subject field from certificate results different subject when using openssl

2009-03-11 Thread David Schwartz
> Hi All, > I have some weird problem extracting Subject field from certificate > when using windows API and openssl API. > Using windows API results the following subject: > e=li...@mailaddress.com,CN=lior,OU=SLS,O=Sales,L=Depart,S=NLS,C=DE > And using openssl API / openssl.exe utility result

RE: AIX 5.3 - FIPS_mode_set fails due to RSA self-test failure

2009-03-11 Thread David Schwartz
> The end result is that I had to change the makefile to -q32 to get > it to work with the openssl-0.9.8j distribution, which smartly does > use 32_64 mode and will FAIL if I did not change the fips-1.2 makefile. This violates the security policy and invalidates the FIPS certification. You cannot c

RE: 100% CPU usage problem

2009-03-16 Thread David Schwartz
> Hi, > > My application uses EPOLL. I have integrated openSSL in my > application. While running the application with 2000 client application > takes 100% CPU usage. If change my application to use "select" it works > fine. > > Please suggest regarding this. > > Thanks in advance for

RE: Server crash while starting service

2009-03-17 Thread David Schwartz
> We have upgraded Openssl in our application to Openssl-fips-1.2 > along with Openssl-0.9.8j, so that we can run the server (Apache webserver) > in FIPS mode. After the changes, the server works fine in FIPS mode, on most > of the systems, except for these two machines, where the server refuses t

RE: Using openssl to test SSL on Windows 2008/IIS7

2009-03-18 Thread David Schwartz
> Francois - > > Thanks for your reply. > > On the source (where I am running openssl client): > - The windows firewall is disabled (I have no other software > based firewall > software loaded) > - I can connect to other (non-windows 2008/iis7) destination servers > properly using the openssl clie

RE: multiple nameConstraints

2009-03-18 Thread David Schwartz
> I'm trying to create a sub-ca with name constraints for website > certificate generation with the effect that sub-ca can sign only certs > for *.mydomain.com, i.e. anything ending in .mydomain.com > thanks > stephen You should be aware that, unfortunately, this is only possible in a controlled

RE: TLS, BIOs, SSL_read/write

2009-03-20 Thread David Schwartz
> > be aware that SSL BIO's (and (SSL*) sessions!) are 'threadsafe' > > in the sense that OpenSSL *assumes* a (SSL *) or > > /any/ BIO remains inside a single thread from the moment it > > becomes 'active', i.e. is set up / is going to do some work. This is completely incorrect. It's totally nonse

RE: last data bytes not delivered when read in several small buffers

2009-03-26 Thread David Schwartz
> the application read the first > 1500 bytes, then "select(...)" no more indicates that something has to > be read on the fd. So the OFTP application behind the gateway doesn't > send the new "credit authorisation" because it didn't receive the > complete previous credit. And the sender waits unt

RE: SSL_connect() fails after upgrade from OpenSSL 0.9.7d to OpenSSL 0.9.8j

2009-03-27 Thread David Schwartz
> Hi Srinivas, > We compiled our code with the new version of lib files from > openssl-0.9.8j version and replaced the new client dll's. > Does any specific step have to be followed? > Regards, > Sweta Did you compile against the new header files? The client is saying the server cut the TCP conne

RE: Difference between RSA_sign and CryptSignHash signature

2009-03-30 Thread David Schwartz
> After lots and lots of testing, trying and debugging I still > haven't managed > to get the same results from RSA_sign and CryptSignHash. I've discovered a > problem with the base64 decoding function i use to decode the > hash i want to > sign, so now i get a different signature from RSA_sign bu


RE: Difference between RSA_sign and CryptSignHash signature

2009-03-30 Thread David Schwartz
> David, > When I sign the same hash with the same certificate I should get the same > signature. That sounds pretty logical to me. Really? So if you sign the same contract twice, the two signatures will be precisely identical? > The company I'm doing this > project for also told me that I shoul

RE: last data bytes not delivered when read in several small buffers

2009-03-31 Thread David Schwartz
> OK, but from the source, I discovered that SSL_read is blocking until it > receives a complete record. So, if I want to be awakened with select I > must either: Combining 'select' with blocking operations almost never works right. This is the most difficult conceivable situation and you should

RE: Openssl Engine Performance Benchmarks

2009-03-31 Thread David Schwartz
> Is it > openssl speed -evp aes-128-cbc -engine xx -elapsed > or > openssl speed -evp aes-128-cbc -engine xx It depends what you want to measure. > I have seen examples with both of them on the internet and I get > different results with each of them. What exactly does "elapsed" > opt

RE: Openssl doubt SSL_Write

2009-04-01 Thread David Schwartz
> Hi All! > > I have some doubts regarding SSL_write in non-blocking mode.. > > 1. if SSL_write returned SSL_ERROR_WANT_WRITE, it is mentioned that the > call has to be repeated with the same arguments. > Does this mean the same buffer has to be used again?? or the data > passed in the initia

RE: last data bytes not delivered when read in several small buffers

2009-04-02 Thread David Schwartz
> Actually, I do that. And I think I understand what SSL_pending does: it > returns the number of decrypted bytes remaining in the SSL buffer. > Implied: at least 1 SSL_read has been done before! Am I wrong? You are wrong in theory. Any SSL operation can churn the SSL state machine and decr

RE: Misterious bytes?

2009-04-07 Thread David Schwartz
> Dear SSL Users, > > I am looking at the debug output of the s_client command, trying > to compare the > binary data with structures described in rfc 5246... Everything > is more or less > clear, but, I can not figure out where three bytes in front of > each structure > come from... > > Each dat

RE: Resource temporarily unavailable error with SSL_connect

2009-04-10 Thread David Schwartz
> I'm attempting to establish an SSL connection, where everything > seems OK until SSL_connect, which returns -1. error is set to 11, > and perror() gives "Resource temporarily unavailable." > ERR_error_string rather useless output: > error:0002:lib(0):func(0):system lib, even though both > SS

RE: Resource temporarily unavailable error with SSL_connect

2009-04-10 Thread David Schwartz
> This is on SuSE 10.3. The socket is non-blocking, for the only reason > that I thought it would make debugging the problem easier. Debugging non-blocking sockets is much more complex than blocking ones. > With the socket in blocking mode (which is all I need), I have the > problem where SSL_c

RE: Open SSL via dyndns.org

2009-04-14 Thread David Schwartz
> we tried to create an SSL certificate via openssl. > Our problem is that we have an internal server called SVR02. This server > can be reached via name.dyndns.org:443. If we create a certificate > with the CO SVR02 the server accepts this and installs the certificate. > But if we try it from

RE: tracking down memory leaks

2009-04-18 Thread David Schwartz
> I am using a BIO pair under SSL and a BIO above SSL to handle > asynchronous traffic that is delivered to me on a > non-standard system. > It works very well, except when I try to free the SSL sessions > at the end of a connection. I'm calling BIO_free_all() on the BIO > that wraps the SSL sess

RE: tracking down memory leaks

2009-04-18 Thread David Schwartz
> Yeah, I think I tried that. > > But I got multiple free errors. Maybe I did it wrong. I'll try > what you suggest. What I remember was that it was wrong to delete > the SSL session (implicitly deleting the equivalent of io_bio in > your example), and then ap_bio. I didn't try deleting io_bio
