Re: How to timeout a SSL_connect?
Sean Walker wrote:

That's what I was going to do too, but under Win32 you can't set the All of my research has said the same thing. I couldn't set the timeouts. If you can manage to figure it out, please post your solution! :)

SO_RCVTIMEO/SO_SNDTIMEO doesn't work (i.e. read only or ignored) even on several Unixes. You should use select() with timeout, however this will require modifications to OpenSSL.

Alexey

__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to timeout a SSL_connect?
You could start a secondary thread that sleeps for the desired number of seconds then closes the socket (if the primary thread has still not succeeded in connecting). This should exit the primary thread socket call with an error.

Nicolas Roumiantzeff.

Sean Walker wrote:

That's what I was going to do too, but under Win32 you can't set the All of my research has said the same thing. I couldn't set the timeouts. If you can manage to figure it out, please post your solution! :)

Sean Walker
Dingbat Designs
Re: How to use OpenSSL with nonblocking IO
On Thu, Dec 16, 1999 at 05:40:18PM -0700, Alexey Melnikov wrote:

I am developing multithreaded server that uses asynchronous socket IO. I would like to add SSL support, however it seems that OpenSSL handles socket IO itself. Server architecture requires that all socket operations are controlled by socket IO subsystem, but not by OpenSSL. Does anybody use OpenSSL with nonblocking sockets?

Non-blocking sockets (of the O_NONBLOCK kind) are no problem even if OpenSSL does all the socket I/O itself.

If you need some other variety of I/O and don't want to write a special BIO module for it, then look at BIO pairs (crypto/bio/bss_bio.c, example code in ssl/ssltest.c, more example code [in Lisp] available from URL: ftp://ftp.lavielle.com/pub%2fcl-https%2f1999-10-15;type=d). They are pipe-like -- you can give one end to the SSL library for writing and reading, at the other end your application relays between the SSL library and the actual I/O mechanisms.
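The two ideas from the threads above (a select()-based timeout on the handshake, and an application that relays bytes between the SSL library and its own socket I/O), combined in one added example that is not part of the original posts or of OpenSSL's code. It uses Python's ssl.MemoryBIO, an in-memory buffer that plays the role the BIO pair plays in the description above; the function names, the hostname example.test and the silent loopback peer are constructed for illustration.

```python
import select
import socket
import ssl
import time

def _wait(sock, deadline, for_write=False):
    """Block in select() until sock is ready or the overall deadline passes."""
    remaining = deadline - time.monotonic()
    rlist, wlist = ([], [sock]) if for_write else ([sock], [])
    if remaining <= 0 or not any(select.select(rlist, wlist, [], remaining)):
        raise TimeoutError("TLS handshake exceeded its deadline")

def handshake_with_deadline(sock, hostname, timeout, ctx=None):
    """Run a TLS client handshake; the TLS engine never touches the socket."""
    ctx = ctx or ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    sock.setblocking(False)
    deadline = time.monotonic() + timeout
    while True:
        try:
            tls.do_handshake()
            finished = True
        except ssl.SSLWantReadError:      # engine needs more bytes from the peer
            finished = False
        pending = outgoing.read()         # bytes the engine wants on the wire
        while pending:
            _wait(sock, deadline, for_write=True)
            pending = pending[sock.send(pending):]
        if finished:
            return tls
        _wait(sock, deadline)
        data = sock.recv(16384)
        if not data:
            raise ConnectionError("peer closed the connection during handshake")
        incoming.write(data)              # hand the peer's bytes to the engine

def demo_stalled_peer(timeout=0.3):
    """Constructed peer: accepts TCP on loopback, never answers the ClientHello."""
    listener = socket.create_server(("127.0.0.1", 0))
    client = socket.create_connection(listener.getsockname())
    peer, _ = listener.accept()
    try:
        handshake_with_deadline(client, "example.test", timeout)
        outcome = "connected"
    except TimeoutError:
        outcome = "timeout"
    first_record = peer.recv(5)           # TLS record header sent by the client
    for s in (client, peer, listener):
        s.close()
    return outcome, first_record
```

The deadline covers the whole handshake rather than each individual read or write, so a peer that trickles bytes cannot extend it indefinitely.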
Re: OpenSSL CA as trusted CA in Netscape browser - help
NortonNg wrote:

hi.. I saw your post at openssl mailing list about a way to add any arbitrary CA certificate into certificate database of Netscape Communicator, I am interested in it..can you show me the source code. jkng.

Sorry, you got the wrong person, mine was only a reply stating that it is very dangerous to add certificates to Netscape db WITHOUT explicit user acceptance and that it should be forwarded to Netscape and signaled as a bug: it does not give the ability to the user to refuse the certificate... :-D

If you want to add a CA certificate to Netscape db, simply send a certificate in .der format with the

Content-Type: application/x-x509-ca-cert

Then the user will be asked to accept the CA certificate. I send you some code from the OpenCA project.

C'you,

Massimiliano Pala ([EMAIL PROTECTED])

#!/usr/bin/perl

## Send Certificates Tool - V2.0
## (c) 1999 by Massimiliano Pala and the OpenCA Group

## Uses the OpenCA::TRIStateCGI module by Massimiliano Pala
## to generate, check and manipulate FORMs Objects
use OpenCA::TRIStateCGI;

## Uses the OpenCA::Configuration module by Massimiliano Pala
## to load the configuration file
use OpenCA::Configuration;

## CGI object, needed by configError() for start_html()
my $query = new OpenCA::TRIStateCGI;

## Build a Configuration Object
my $config = new OpenCA::Configuration;

## Define the Configuration Name
my $CONFIG = 'secure.cnf';

## Load the Configuration file (read and parse)
if( $config->loadCfg( $CONFIG ) == undef ) {
    print "Content-type: text/html\n\n";
    configError( "Unable to load configuration file (request.cnf)!");
}

## Flush the output stream
$|=1;

my $cacert = getRequired( 'CACert' );
putCACert( "$cacert" );

## Subroutines Section (Last Modified on 08 September 1998)
## Changes by Massimiliano Pala ([EMAIL PROTECTED])

sub putCACert {
    my @keys = @_;
    $cacert = $keys[0];

    ## This Content-Type makes the browser ask the user to accept the CA
    print "Content-Type: application/x-x509-ca-cert\n\n";
    open (FD ,"$cacert") or die "Error: Can't access CA Certificate!";
    while (<FD>) {
        print $_;
    }
    close FD
}

sub getRequired {
    ## Returns required parameter SINGLE STRING VALUE
    ## this function simplifies the parameter access
    ## but returns only the first parameter
    my $name = $_[0];
    my $tmp;

    if( ($tmp = $config->getParam($name)) == undef ) {
        ## If there is an Error, just send the missing
        ## parameter error to the browser
        configError( "Missing Configuration Keyword : $name" );
    }

    ## If all gone well we should have the value string in
    ## $ret and return it to the calling function;
    $ret = $tmp->{VALUES}->[0];
    return $ret;
}

sub configError {
    my @keys = @_;
    my $err = $keys[0];

    print $query->start_html(-title=>"Administration Error", -BGCOLOR=>"#FF");
    print "<CENTER><BR><HR WIDTH=80%><BR></CENTER>";
    print "<OL><OL><H1><FONT COLOR=red>Error 690 </FONT></H1>";
    print "<OL> <B>Configuration Error</B>. $err.</OL></OL></OL>";
    print "<CENTER><HR></CENTER>\n</BODY>\n</HTML>\n";
}
Re: Other question..
Raul Gutierrez Rodriguez wrote:

Where can I find all possible values of the fields: subjectKeyIdentifier authorityKeyIdentifier basicConstraints keyUsage

RFC http://www.microsoft.com/security/tech/certificates/structuring.asp

nsCertType

doc/openssl.txt of your friendly OpenSSL source tree. http://www1.netscape.com/eng/security/certs.html

Ciao, Michael.
Re: apps\ca Y2K bug
Nelson Alves da Silva Filho wrote:

POSSIBLE bug regarding the ca application (OpenSSL-0.9.4). I think the function ASN1_UTCTIME_set_string (a_utctm.c) is not Y2K safe and, consequently, the "startdate" and "enddate" entries of openssl.cnf ca section as well.

Check out the description of UTCTime in RFC2459. If you still think there's a problem please be a bit more specific.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
Other question..
HI:

Where can I find all possible values of the fields: subjectKeyIdentifier authorityKeyIdentifier basicConstraints keyUsage nsCertType at the openssl.conf file and what is the meaning of each file?

Regards,
Raul Gutierrez