where are these functions in openssl-0.9.7e
Title: where are these functions in openssl-0.9.7e Hi, all, I am a newbie in openssl world, and reading ssl3_connect code in openssl-0.9.7e. I found some functions are missing like: i2d_ASN1_INTEGER, i2d_DHparams, and d2i_DHparams. However, I can find them in openssl-0.9.6M, and the code can still be built... Am I missing any points here? where are these functions in openssl-0.9.7e? thank you for your answer. Jie
Strange behaviour of BIO_do_connect for a BIO_s_connect() BIO
Bonjour, I'm running into something strange. Here's an extract of my code: - [...] { time_t start; BIO *cbio = NULL; if ((cbio = BIO_new(BIO_s_connect())) == NULL) { result = ERR(CMCLIENTERR_CONNEXION); goto done; } BIO_set_conn_hostname(cbio, server_name); BIO_set_conn_port(cbio, server_port); /* Configure the BIO as a non-blocking one */ BIO_set_nbio(cbio, 1); /* We'll mesure time from now */ start = time(NULL); /* Let's try to connect, deal with retries and timeout */ while (difftime(time(NULL), start) mytimeout) { res = BIO_do_connect(cbio); /* If BIO_do_connect() said it's OK, then get out of this loop */ if (res 0) break; /* If it failed, check if retrying can be useful */ if ((res = 0) !BIO_should_retry(cbio)) { LOGMSG(LOG_ERR, Unable to connect to CM server); result = ERR(CMCLIENTERR_CANTCONNECT); goto done; } } [... do something useful, since it's OK now ...] done: [my cleanup code]; } - In the normal case, everything works OK. But I found myself trying to connect to a host behind a blocking firewall (with a DROP policy), and the BIO_do_connect() call is performed exactly twice. The first time it returns -1, cbio-flags is set to 12 (BIO_FLAGS_SHOULD_RETRY|BIO_FLAGS_IO_SPECIAL), indicating that I should retry the connect, and cbio-ptr.state is set to 7 (BIO_CONN_S_BLOCKED_CONNECT). The second time it returns something 0, indicating it's OK, but the connection hasn't been performed, and subsequent reads and writes fail. Reading the bss_conn.c source file, I can track down the BIO_do_connect() code down to conn_state(), and the following code: - for (;;) { switch (c-state) { [...] case BIO_CONN_S_BLOCKED_CONNECT: i=BIO_sock_error(b-num); if (i) { BIO_clear_retry_flags(b); SYSerr(SYS_F_CONNECT,i); ERR_add_error_data(4,host=, c-param_hostname, :,c-param_port); BIOerr(BIO_F_CONN_STATE,BIO_R_NBIO_CONNECT_ERROR); ret=0; goto exit_loop; } else c-state=BIO_CONN_S_OK; break; case BIO_CONN_S_OK: ret=1; goto exit_loop; default: /* abort(); */ goto exit_loop; } [...] - That means that if the BIO is in BIO_CONN_S_BLOCKED_CONNECT state (and in my case it is), any subsequent call to BIO_do_connect() returns OK (state changes to BIO_CONN_S_OK, for() loop is executed once more, and the function return with ret=1). Is that really intended to work like this? I know I could check for BIO_should_io_special() for this, but: - there's no standard action to do (if I want to read or write, I can do a select() call, but here?) - even if I call BIO_should_io_special(), the state of the BIO is already set to BIO_CONN_S_BLOCKED_CONNECT, and the next call to BIO_do_connect() will return 1, I loose. If I don't call BIO_set_nbio(), the call to BIO_do_connect() is blocked at connect() (that's normal), and eventually it'll return back to me. Using blocking BIOs is not an option: - I can't control the timeouts - BIO_set_nbio() should be called before connecting (as per the manpage) -- Erwann ABALEA [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
1 Main CA and a subordinate CA 1-Many...how can I sign one ca with another ca...
I am trying to create a hirearchy for my CA's...however when I have two separate CA's created similarly: On box 1 Main CA: openssl req -newkey rsa:2048 -days 4380 \ -out cacert.pem -outform PEM -config openssl.cnf On box 2 Subordinate CA: openssl req -newkey rsa:2048 -days 2190 \ -out cacert.pem -outform PEM -config openssl.cnf The configuration files are almost identical. openssl.cnf: [ ca ] default_ca = CA_PROFILE [ CA_PROFILE ] dir = . certificate = $dir/cacert.pem database= $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days= 7 default_days= 4380 default_md = sha1 policy = CA_PROFILE_Policy x509_extensions = certificate_extensions [ CA_PROFILE_Policy ] commonName = supplied stateOrProvinceName = optional countryName = match emailAddress= optional organizationName= match organizationalUnitName = supplied [ certificate_extensions ] basicConstraints= CA:false subjectKeyIdentifier= hash [ req ] default_bits= 2048 default_keyfile = ./private/cakey.pem default_md = sha1 default_days= 4380 prompt = no distinguished_name = root_ca_DN x509_extensions = root_ca_ext [ root_ca_DN ] commonName = MainCA organizationName= Software organizationalUnitName = Branch countryName = US [ root_ca_ext ] basicConstraints= CA:true subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always,issuer:always I try to sign the subordinate CA with the main ca like this: On box1 in the main CA directory: openssl ca -in box2/SubCA/cacert.pem -config openssl.cnf I get an error something along the lines of Expecting: CERTIFICATE REQUEST Any clues? Thanx! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Fwd: TLS secure connection to an LDAP server
Hi, Any idea please? cheers --- fatima riadi [EMAIL PROTECTED] a écrit : Hello all, Here are my configuration files (I deleted comments). You would have any remarq, please let me know. /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/openldap.schema #include /etc/openldap/schema/redhat/rfc822-MailMember.schema include /etc/openldap/schema/redhat/autofs.schema allow bind_v2 pidfile /var/run/slapd.pid #argsfile //var/run/slapd.args TLSCertPath /path/to/certs TLSCACertificateFile /path/to/certs/ca.pem TLSCertificateFile /path/to/certs/ldap.example.com.pem TLSCertificateKeyFile /path/to/keys/ldap.example.com.key #I set these ACLs just for testing, I'll change them later! access to * by * write by * read ### # ldbm and/or bdb database definitions ### databaseldbm suffix dc=example,dc=com rootdn cn=Manager,dc=example,dc=com rootpw {SSHA}rootdn_hashed_password # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShelleq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index sambaSID,sambaDomainName,sambaPrimaryGroupSID eq === The ldap client conf file (/etc/openldap/ldap.conf): --- HOST ldap.example.com BASE dc=examlpe,dc=com TLS_CACERT /path/to/certs/ca.pem TLS_CACERTDIR /path/to/certs The /etc/ldap.conf file: --- host ldap.example.com base dc=example,dc=com binddn cn=nssldap,ou=DSA,dc=example,dc=com bindpw clear_text_nssldap_pwd rootbinddn cn=Manager,dc=example,dc=com #port 389 nss_base_passwd dc=example,dc=com?sub nss_base_shadow dc=example,dc=com?sub nss_base_group ou=groups,dc=example,dc=com?one ssl start_tls #ssl on tls_checkpeer yes tls_cacertfile /path/to/certs/ca.pem tls_cacertdir /path/to/certs # SSL cipher suite #tls_ciphers ALL pam_password md5 == I actually tryed to follow steps given on the smbldap-tools howto document. I also reffered to OpenLDAP SSL/TLS how-to, D. Kent Soper and many other docs. s_client to s_server works. Also ldapsearch to s_server works. But s_client to my slapd server does not work. Now, if I try to connect the s_client to the slapd server through the 636 port, the server returns the following: TLS trace: SSL_accept:error in SSLv3 read client hello B TLS: can't accept. TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882 I tryed to run s_client with many values of the -cipher option
Re: TLS secure connection to an LDAP server
--- Kurt D. Zeilenga [EMAIL PROTECTED] wrote: In your slapd.conf(5) configuration file, it appears that some lines contain inappropriate leading whitespace. Please note that leading white space is significant in slapd.conf(5). They indicate the line is a continuation of the preceding line. Yes, that was the error! I eliminated leading whitespace that was near to TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile and the problem was fixed. Now, s_client tests to the ldap server succed. I also can run ldapsearch against my slapd server... Thank very much to you all for your help. Kind regards __ Découvrez le nouveau Yahoo! Mail : 250 Mo d'espace de stockage pour vos mails ! Créez votre Yahoo! Mail sur http://fr.mail.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Solaris 10 x86-64 support?
Anyone running on the Solaris for AMD Opteron? If so, what version and configuration do you use? Thanks. -- Kevin Layer [EMAIL PROTECTED]http://www.franz.com/ Franz Inc., 555 12th St., Suite 1450, Oakland, CA 94607, USA Phone: (510) 452-2000 FAX: (510) 452-0182 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Solaris 10 x86-64 support?
No more installed but i was working with a Tyan 2880 with two Opterons 1,4 G, 1,5Gbyte, several network cards. Regards, JPV Kevin Layer a écrit: Anyone running on the Solaris for AMD Opteron? If so, what version and configuration do you use? Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]