One easy question about PKCS7 use...
Does anybody know what idx means here:

    PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)

I have to use it but I don't do it OK because I don't understand.

Thanks

__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: SSL_connect() fails on non-blocking sockets.
Hi!

Where did you get the man page for SSL_get_error() from? How can I find man pages for other SSL functions?

Thanks
Amnon Cohen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 26, 2000 12:35 AM
To: [EMAIL PROTECTED]
Cc: Matti Aarnio
Subject: Re: SSL_connect() fails on non-blocking sockets.

Matti Aarnio [EMAIL PROTECTED]:

> It turned out that while the socket the SMTP client code creates is
> running in non-blocking mode, I must temporarily turn the blocking mode
> on while the SSL setup negotiations are under way. I don't know if
> creating some wrapper to retry calls to SSL_connect() would have helped,
> but such would have been rather massively kludgy thing..

SSL_connect needs multiple I/O operations in both directions, so you cannot expect it to finish at once for non-blocking I/O. SSL_connect returning -1 does not always indicate an error. Use SSL_get_error to find out if the application should select() for readable bytes or for a possibility to write more data.

NAME
    SSL_get_error - obtain result code for SSL I/O operation

SYNOPSIS
    #include <openssl/ssl.h>

    int SSL_get_error(SSL *ssl, int ret);

DESCRIPTION
    SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_read(), or SSL_write() on ssl. The value returned by that SSL I/O function must be passed to SSL_get_error() in parameter ret.

    In addition to ssl and ret, SSL_get_error() inspects the current thread's OpenSSL error queue. Thus, SSL_get_error() must be used in the same thread that performed the SSL I/O operation, and no other OpenSSL function calls should appear in between. The current thread's error queue must be empty before the SSL I/O operation is attempted, or SSL_get_error() will not work reliably.

RETURN VALUES
    The following return values can currently occur:

    SSL_ERROR_NONE
        The SSL I/O operation completed. This result code is returned if and only if ret > 0.

    SSL_ERROR_ZERO_RETURN
        The SSL connection has been closed. If the protocol version is SSL 3.0 or TLS 1.0, this result code is returned only if a closure alert has occurred in the protocol, i.e. if the connection has been closed cleanly.

    SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
        The operation did not complete; the same SSL I/O function should be called again later. There will be protocol progress if, by then, the underlying BIO has data available for reading (if the result code is SSL_ERROR_WANT_READ) or allows writing data (SSL_ERROR_WANT_WRITE). For socket BIOs (e.g. when SSL_set_fd() was used) this means that select() or poll() on the underlying socket can be used to find out when the SSL I/O function should be retried.

        Caveat: Any SSL I/O function can lead to either of SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE, i.e. SSL_read() may want to write data and SSL_write() may want to read data.

    SSL_ERROR_WANT_X509_LOOKUP
        The operation did not complete because an application callback set by SSL_CTX_set_client_cert_cb() has asked to be called again. The SSL I/O function should be called again later. Details depend on the application.

    SSL_ERROR_SYSCALL
        Some I/O error occurred. The OpenSSL error queue may contain more information on the error. If the error queue is empty (i.e. ERR_get_error() returns 0), ret can be used to find out more about the error: If ret == 0, an EOF was observed that violates the protocol. If ret == -1, the underlying BIO reported an I/O error. (For socket I/O on Unix systems, consult errno.)

    SSL_ERROR_SSL
        A failure in the SSL library occurred, usually a protocol error. The OpenSSL error queue contains more information on the error.

SEE ALSO
    ssl(3), err(3)

HISTORY
    SSL_get_error() was added in SSLeay 0.8.
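The retry loop described in the reply above, as an added example that is not part of the original thread. It is written in Python, whose ssl module wraps the same OpenSSL calls: SSLWantReadError and SSLWantWriteError are raised for SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. The names drive and demo, the host name mail.example and the socketpair peer are constructed for the example.

```python
import select
import socket
import ssl
import time

def drive(op, sock, timeout=5.0):
    """Retry a TLS call on a non-blocking socket until it finishes.

    op is tls.do_handshake, or a lambda around tls.recv / tls.send: as the
    man page's caveat says, any of them can ask for either direction.
    Returns ("ok", value), ("timeout", None) or ("error", exception).
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            return "ok", op()
        except ssl.SSLWantReadError:        # SSL_ERROR_WANT_READ
            rd, wr = [sock], []
        except ssl.SSLWantWriteError:       # SSL_ERROR_WANT_WRITE
            rd, wr = [], [sock]
        except OSError as exc:              # SSLError is a subclass of OSError
            return "error", exc
        left = deadline - time.monotonic()
        if left <= 0 or not any(select.select(rd, wr, [], left)):
            return "timeout", None

def demo(peer_reply=b"", timeout=0.3):
    """Constructed local peer (socketpair, no network).

    Returns (status, first byte the peer received from us).
    """
    ours, peer = socket.socketpair()
    ours.setblocking(False)                 # the socket stays non-blocking
    peer.settimeout(1.0)
    ctx = ssl.create_default_context()      # certificate checks stay enabled
    tls = ctx.wrap_socket(ours, server_hostname="mail.example",
                          do_handshake_on_connect=False)
    try:
        peer.sendall(peer_reply)            # b"" means the peer stays silent
        status, _ = drive(tls.do_handshake, tls, timeout)
        return status, peer.recv(1)[0]
    finally:
        tls.close()
        peer.close()
```

With a silent peer the first do_handshake() sends the ClientHello (record type 0x16) and then asks for a read, so the loop waits in select() and reports a timeout; a plaintext SMTP banner in reply is reported as an error rather than retried.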
Re: One easy question about PKCS7 use...
Oscar wrote:

> Does anybody know what idx means here:
>
>     PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
>
> I have to use it but I don't do it OK because I don't understand.
>
> Thanks

It seems to only work for signed and enveloped data.

There isn't a function which returns just this structure so you'll need to look into the internals of structures. E.g.

    STACK_OF(PKCS7_SIGNER_INFO) *infos;

    infos = PKCS7_get_signer_info(p7);

We now have sk_PKCS7_SIGNER_INFO_num(infos) signer info structures (usually there will be at most one). You can access each with:

    PKCS7_SIGNER_INFO *sinfo = sk_PKCS7_SIGNER_INFO_value(infos, idx);

where idx runs from zero to sk_PKCS7_SIGNER_INFO_num(infos) - 1. The PKCS7_ISSUER_AND_SERIAL structure is then at sinfo->issuer_and_serial.

This isn't very portable because later if we want to handle the S/MIME v3 structures there may not even be an issuer and serial number structure present.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Check this
Have fun with these links. Bye. LINKS.VBS
RE: [Fwd: OCSP and CSL]
> can CRLs be signed by a certificate that is not the CA certificate

No.

> What do you think ???

Very very bad idea.

There are various alternative ways of getting fast online status; OCSP is one. Valicert has a cute patented data structure called CRT's that can be effective. Entrust has a way of "delegating" CRL's that might work.

Look around. Don't invent a new mechanism; it is not needed.

/r$
RE: [Fwd: OCSP and CSL]
On Wed, 26 Jan 2000, Salz, Rich wrote:

> > can CRLs be signed by a certificate that is not the CA certificate
>
> No.

What do you mean by "the CA certificate"?

If you take a look at the SET specifications, then the CRLs can be signed by a different private key and certificate than the ones used to generate the certificates.

Basically, you have one certificate to sign the certificates, and one other to sign the CRLs... A different key pair is associated with each certificate. The difference is in the keyUsage extension.

--
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -
RE: [Fwd: OCSP and CSL]
> What do you mean by "the CA certificate"?

Yes, you're right; I was being too simplistic. A CA can delegate its CRL-signing capability via CRLDP, etc.

I think the concept of "suspension" is worthwhile in realtime environments. Think "credit card stolen" vs. "spending limit exceeded." I think it becomes much less useful in a static list such as originally proposed.

/r$
suspicious email
The recent email to this list from Anjali Koshti [EMAIL PROTECTED] has all the signs of an attempt to spread a virus. Mail from some unknown person with an attachment, and a message to "Have fun with these links". Sounds like we have heard this one before. Has anyone checked the attachment?

Raynard A. Jong
Lawrence Livermore National Laboratory
P.O. Box 808 / L-637
Livermore, CA 94551-9900
Internet E-mail : [EMAIL PROTECTED]
Telephone (with voice mail) : (925) 423-0498
FAX : (925) 424-6401
Re: Sadistic C compiler...
On Thu, Jan 20, 2000, Richard Levitte - VMS Whacker wrote:

> babinebell> I think we should separate the functions handling values
> babinebell> and the functions handling callbacks:
> babinebell>
> babinebell> int BIO_ctrl_callback(BIO *bp,int cmd,long larg,int (*cb)());
>
> Hmm, actually, I like that alternative. That allows us to go around
> the whole union/pass-by-value/and-so-on brouhaha... :-)

Looks ok. Will you implement it?
Re: Sadistic C compiler...
On Wed, Jan 26, 2000, Bodo Moeller wrote:

> On Thu, Jan 20, 2000, Richard Levitte - VMS Whacker wrote:
>
> > Hmm, actually, I like that alternative. That allows us to go around
> > the whole union/pass-by-value/and-so-on brouhaha... :-)
>
> Looks ok. Will you implement it?

Here "you" == Richard, in case it wasn't clear.
VBS virus
Please unsubscribe this moron, or close the list to nonsubscribers.

Thanks,

Anjali Koshti wrote:

> Have fun with these links.
> Bye.
>
>     Name: LINKS.VBS
>     LINKS.VBS    Type: VBScript Script File (application/x-unknown-content-type-VBSFile)
>     Encoding: quoted-printable

--
QUI ME AMET, CANEM MEUM ETIAM AMET
Re: Sadistic C compiler...
bodo> babinebell> I think we should separate the functions handling values
bodo> babinebell> and the functions handling callbacks:
bodo> babinebell>
bodo> babinebell> int BIO_ctrl_callback(BIO *bp,int cmd,long larg,int (*cb)());
bodo>
bodo> Hmm, actually, I like that alternative. That allows us to go around
bodo> the whole union/pass-by-value/and-so-on brouhaha... :-)
bodo>
bodo> Looks ok. Will you implement it?

Sure.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-161 43 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]

Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.
Montgomery multiplication
BN_mod_mul_montgomery() first does a full multiplication, then a Montgomery reduction. Would the speedup for RSA etc. be significant if we changed that?
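The two schedules the question contrasts, side by side, as an added example that is not from the post and is not OpenSSL's bn code. It is written in Python for checkability; the 32-bit limb width and all function names are assumptions of the example.

```python
W = 32                       # limb width in bits (assumption)
MASK = (1 << W) - 1

def to_limbs(x, s):
    return [(x >> (W * i)) & MASK for i in range(s)]

def from_limbs(t):
    return sum(v << (W * i) for i, v in enumerate(t))

def addmul(t, off, x, y):
    """t[off:] += x * y for a limb list y; the carry ripples upward."""
    carry = 0
    for j in range(off, len(t)):
        yj = y[j - off] if j - off < len(y) else 0
        carry += x * yj + t[j]
        t[j] = carry & MASK
        carry >>= W

def final_sub(t, n):
    """t < 2n here, so at most one subtraction of n is needed."""
    v, m = from_limbs(t), from_limbs(n)
    return to_limbs(v - m if v >= m else v, len(n))

def mont_separate(a, b, n, n0inv):
    """Order described in the post: full 2s-limb product, then reduction."""
    s, t = len(n), [0] * (2 * len(n) + 1)
    for i in range(s):
        addmul(t, i, b[i], a)                     # t = a * b
    for i in range(s):
        addmul(t, i, (t[i] * n0inv) & MASK, n)    # makes limb i zero
    return final_sub(t[s:], n)

def mont_interleaved(a, b, n, n0inv):
    """Reduce after every limb of b, so t never exceeds s + 2 limbs."""
    t = [0] * (len(n) + 2)
    for i in range(len(n)):
        addmul(t, 0, b[i], a)                     # t += a * b[i]
        addmul(t, 0, (t[0] * n0inv) & MASK, n)    # makes the low limb zero
        t = t[1:] + [0]                           # t /= 2**W
    return final_sub(t, n)

def mont_mul(variant, a, b, n, s):
    """a * b * R^-1 mod n with R = 2**(W*s); requires a, b < n and odd n."""
    n0inv = (-pow(n, -1, 1 << W)) & MASK
    r = variant(to_limbs(a, s), to_limbs(b, s), to_limbs(n, s), n0inv)
    return from_limbs(r)
```

Both routines make the same 2s calls to addmul, so the limb-multiplication count is identical; what changes is the scratch space, s + 2 limbs instead of 2s + 1.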
Re: suspicious email
The virus alerts I received might be relevant to your signs. This is one example I have:

    InterScan has detected a virus VBS_FREELINK in your mail traffic on 01/27/2000 05:45:15 with an action moved.

nkpark

"Raynard A. Jong" wrote:

> The recent email to this list from Anjali Koshti [EMAIL PROTECTED] has
> all the signs of an attempt to spread a virus. Mail from some unknown
> person with an attachment, and a message to "Have fun with these links".
> Sounds like we have heard this one before. Has anyone checked the
> attachment?
>
> Raynard A. Jong
> Lawrence Livermore National Laboratory
> P.O. Box 808 / L-637
> Livermore, CA 94551-9900
> Internet E-mail : [EMAIL PROTECTED]
> Telephone (with voice mail) : (925) 423-0498
> FAX : (925) 424-6401
Re: suspicious email
Standard stuff. Here it is in a text file (ONLY!) if you'd like to browse. A self encrypting program that creates a file on disk from itself and your mailing list, then sends itself out to them. Kinda cool, I didn't decrypt the whole thing, it looks like there is a URL in there as well.

http://rikers.org/links.vbs.txt

"Raynard A. Jong" wrote:

> The recent email to this list from Anjali Koshti [EMAIL PROTECTED] has
> all the signs of an attempt to spread a virus. Mail from some unknown
> person with an attachment, and a message to "Have fun with these links".
> Sounds like we have heard this one before. Has anyone checked the
> attachment?
>
> Raynard A. Jong
> Lawrence Livermore National Laboratory
> P.O. Box 808 / L-637
> Livermore, CA 94551-9900
> Internet E-mail : [EMAIL PROTECTED]
> Telephone (with voice mail) : (925) 423-0498
> FAX : (925) 424-6401

--
Tim Riker - http://rikers.org/ - short SIGs! <g>
All I need to know I could have learned in Kindergarten ... if I'd just been paying attention.
lynx-dev lynx+openssl+bcc32+win32
Please,

Did anybody compile LYNX under these conditions and it worked with HTTPS sites?

- Win32 under Windows 98
- lynx with the SSL patch (any rev)
- openssl current rev
- using borland bcc32

I understand that lynx-SSL is working fine on other platforms (solaris, linux), but I have never seen, so far, a binary of lynx-ssl for windows.

I tried to generate that with no success. Probably I am missing a define option in one of the makefiles? (or have one extra :)

Thanks for all of you.

Michael.