where are these functions in openssl-0.9.7e
Title: where are these functions in openssl-0.9.7e Hi, all, I am a newbie in openssl world, and reading ssl3_connect code in openssl-0.9.7e. I found some functions are missing like: i2d_ASN1_INTEGER, i2d_DHparams, and d2i_DHparams. However, I can find them in openssl-0.9.6M, and the code can still be built... Am I missing any points here? where are these functions in openssl-0.9.7e? thank you for your answer. Jie
Strange behaviour of BIO_do_connect for a BIO_s_connect() BIO
Bonjour,
I'm running into something strange.
Here's an extract of my code:
-
[...]
{
time_t start;
BIO *cbio = NULL;
if ((cbio = BIO_new(BIO_s_connect())) == NULL)
{
result = ERR(CMCLIENTERR_CONNEXION);
goto done;
}
BIO_set_conn_hostname(cbio, server_name);
BIO_set_conn_port(cbio, server_port);
/* Configure the BIO as a non-blocking one */
BIO_set_nbio(cbio, 1);
/* We'll mesure time from now */
start = time(NULL);
/* Let's try to connect, deal with retries and timeout */
while (difftime(time(NULL), start) mytimeout)
{
res = BIO_do_connect(cbio);
/* If BIO_do_connect() said it's OK, then get out of this loop */
if (res 0)
break;
/* If it failed, check if retrying can be useful */
if ((res = 0) !BIO_should_retry(cbio))
{
LOGMSG(LOG_ERR, Unable to connect to CM server);
result = ERR(CMCLIENTERR_CANTCONNECT);
goto done;
}
}
[... do something useful, since it's OK now ...]
done:
[my cleanup code];
}
-
In the normal case, everything works OK. But I found myself trying to
connect to a host behind a blocking firewall (with a DROP policy), and
the BIO_do_connect() call is performed exactly twice.
The first time it returns -1, cbio-flags is set to 12
(BIO_FLAGS_SHOULD_RETRY|BIO_FLAGS_IO_SPECIAL), indicating that I
should retry the connect, and cbio-ptr.state is set to 7
(BIO_CONN_S_BLOCKED_CONNECT).
The second time it returns something 0, indicating it's OK, but the
connection hasn't been performed, and subsequent reads and writes
fail.
Reading the bss_conn.c source file, I can track down the
BIO_do_connect() code down to conn_state(), and the following code:
-
for (;;)
{
switch (c-state)
{
[...]
case BIO_CONN_S_BLOCKED_CONNECT:
i=BIO_sock_error(b-num);
if (i)
{
BIO_clear_retry_flags(b);
SYSerr(SYS_F_CONNECT,i);
ERR_add_error_data(4,host=,
c-param_hostname,
:,c-param_port);
BIOerr(BIO_F_CONN_STATE,BIO_R_NBIO_CONNECT_ERROR);
ret=0;
goto exit_loop;
}
else
c-state=BIO_CONN_S_OK;
break;
case BIO_CONN_S_OK:
ret=1;
goto exit_loop;
default:
/* abort(); */
goto exit_loop;
}
[...]
-
That means that if the BIO is in BIO_CONN_S_BLOCKED_CONNECT state (and
in my case it is), any subsequent call to BIO_do_connect() returns OK
(state changes to BIO_CONN_S_OK, for() loop is executed once more,
and the function return with ret=1).
Is that really intended to work like this?
I know I could check for BIO_should_io_special() for this, but:
- there's no standard action to do (if I want to read or write, I can
do a select() call, but here?)
- even if I call BIO_should_io_special(), the state of the BIO is
already set to BIO_CONN_S_BLOCKED_CONNECT, and the next call to
BIO_do_connect() will return 1, I loose.
If I don't call BIO_set_nbio(), the call to BIO_do_connect() is
blocked at connect() (that's normal), and eventually it'll return back
to me. Using blocking BIOs is not an option:
- I can't control the timeouts
- BIO_set_nbio() should be called before connecting (as per the
manpage)
--
Erwann ABALEA [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
1 Main CA and a subordinate CA 1-Many...how can I sign one ca with another ca...
I am trying to create a hirearchy for my CA's...however when I have two separate CA's created similarly: On box 1 Main CA: openssl req -newkey rsa:2048 -days 4380 \ -out cacert.pem -outform PEM -config openssl.cnf On box 2 Subordinate CA: openssl req -newkey rsa:2048 -days 2190 \ -out cacert.pem -outform PEM -config openssl.cnf The configuration files are almost identical. openssl.cnf: [ ca ] default_ca = CA_PROFILE [ CA_PROFILE ] dir = . certificate = $dir/cacert.pem database= $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days= 7 default_days= 4380 default_md = sha1 policy = CA_PROFILE_Policy x509_extensions = certificate_extensions [ CA_PROFILE_Policy ] commonName = supplied stateOrProvinceName = optional countryName = match emailAddress= optional organizationName= match organizationalUnitName = supplied [ certificate_extensions ] basicConstraints= CA:false subjectKeyIdentifier= hash [ req ] default_bits= 2048 default_keyfile = ./private/cakey.pem default_md = sha1 default_days= 4380 prompt = no distinguished_name = root_ca_DN x509_extensions = root_ca_ext [ root_ca_DN ] commonName = MainCA organizationName= Software organizationalUnitName = Branch countryName = US [ root_ca_ext ] basicConstraints= CA:true subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always,issuer:always I try to sign the subordinate CA with the main ca like this: On box1 in the main CA directory: openssl ca -in box2/SubCA/cacert.pem -config openssl.cnf I get an error something along the lines of Expecting: CERTIFICATE REQUEST Any clues? Thanx! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Fwd: TLS secure connection to an LDAP server
Hi,
Any idea please?
cheers
--- fatima riadi [EMAIL PROTECTED] a écrit :
Hello all,
Here are my configuration files (I deleted
comments).
You would have any remarq, please let me know.
/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include
/etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/misc.schema
include
/etc/openldap/schema/openldap.schema
#include
/etc/openldap/schema/redhat/rfc822-MailMember.schema
include
/etc/openldap/schema/redhat/autofs.schema
allow bind_v2
pidfile /var/run/slapd.pid
#argsfile //var/run/slapd.args
TLSCertPath /path/to/certs
TLSCACertificateFile /path/to/certs/ca.pem
TLSCertificateFile
/path/to/certs/ldap.example.com.pem
TLSCertificateKeyFile
/path/to/keys/ldap.example.com.key
#I set these ACLs just for testing, I'll change
them
later!
access to *
by * write
by * read
###
# ldbm and/or bdb database definitions
###
databaseldbm
suffix dc=example,dc=com
rootdn cn=Manager,dc=example,dc=com
rootpw {SSHA}rootdn_hashed_password
# The database directory MUST exist prior to
running
slapd AND
# should only be accessible by the slapd and slap
tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShelleq,pres
index uid,memberUid
eq,pres,sub
index nisMapName,nisMapEntry
eq,pres,sub
index
sambaSID,sambaDomainName,sambaPrimaryGroupSID
eq
===
The ldap client conf file (/etc/openldap/ldap.conf):
---
HOST ldap.example.com
BASE dc=examlpe,dc=com
TLS_CACERT /path/to/certs/ca.pem
TLS_CACERTDIR /path/to/certs
The /etc/ldap.conf file:
---
host ldap.example.com
base dc=example,dc=com
binddn cn=nssldap,ou=DSA,dc=example,dc=com
bindpw clear_text_nssldap_pwd
rootbinddn cn=Manager,dc=example,dc=com
#port 389
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group
ou=groups,dc=example,dc=com?one
ssl start_tls
#ssl on
tls_checkpeer yes
tls_cacertfile /path/to/certs/ca.pem
tls_cacertdir /path/to/certs
# SSL cipher suite
#tls_ciphers ALL
pam_password md5
==
I actually tryed to follow steps given on the
smbldap-tools howto document. I also reffered to
OpenLDAP SSL/TLS how-to, D. Kent Soper and many
other docs.
s_client to s_server works. Also ldapsearch to
s_server works.
But s_client to my slapd server does not work.
Now, if I try to connect the s_client to the slapd
server through the 636 port, the server returns the
following:
TLS trace: SSL_accept:error in SSLv3 read client
hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c:882
I tryed to run s_client with many values of the
-cipher option
Re: TLS secure connection to an LDAP server
--- Kurt D. Zeilenga [EMAIL PROTECTED] wrote: In your slapd.conf(5) configuration file, it appears that some lines contain inappropriate leading whitespace. Please note that leading white space is significant in slapd.conf(5). They indicate the line is a continuation of the preceding line. Yes, that was the error! I eliminated leading whitespace that was near to TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile and the problem was fixed. Now, s_client tests to the ldap server succed. I also can run ldapsearch against my slapd server... Thank very much to you all for your help. Kind regards __ Découvrez le nouveau Yahoo! Mail : 250 Mo d'espace de stockage pour vos mails ! Créez votre Yahoo! Mail sur http://fr.mail.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Solaris 10 x86-64 support?
Anyone running on the Solaris for AMD Opteron? If so, what version and configuration do you use? Thanks. -- Kevin Layer [EMAIL PROTECTED]http://www.franz.com/ Franz Inc., 555 12th St., Suite 1450, Oakland, CA 94607, USA Phone: (510) 452-2000 FAX: (510) 452-0182 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Solaris 10 x86-64 support?
No more installed but i was working with a Tyan 2880 with two Opterons 1,4 G, 1,5Gbyte, several network cards. Regards, JPV Kevin Layer a écrit: Anyone running on the Solaris for AMD Opteron? If so, what version and configuration do you use? Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
