RE: timeout vs. SSL_ERROR_WANT_XXXX
I want to use a timeout with select and I wonder how to cancel an operation (SSL_read or SSL_write, non-blocking) that caused SSL_ERROR_WANT_READ (or *_WRITE). I've got a message queue to send (and one for received messages too). If I cannot send a whole particular msg within some time (5 sec) I want to discard this message and start sending another one.

That is just not possible. Byte streams don't work that way.

The problem is, when not fully transmitted (received), the msg locks in a state where I receive SSL_ERROR_WANT_XXX. From the docs etc. I know that when I've got SSL_ERROR_WANT_* I have to retry the operation which caused this error, but it requires more time, which I haven't got because I want to send another message! I can always close the connection and open it again, but it is an ugly solution. Is there any way to do it in a more polite way?

No. Rethink whatever it is about your design that imposed this bizarre requirement. Byte streams do not support all-or-nothing operations.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
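The exchange above, worked through as an added example that is not part of the original thread or of OpenSSL: a sender that queues length-prefixed messages onto a non-blocking byte stream under the same rule SSL_write() imposes (after WANT_WRITE the same unsent bytes must be offered again), next to a receiver that reassembles frames. The framing, the throttled transport and the two messages are all constructed for the demonstration. It shows the one discard that is safe on a timeout (messages that have not started) and what happens to the peer if the in-flight message is abandoned instead.

```python
import struct

# Constructed framing for the demonstration: 2-byte big-endian length prefix.
FRAME_HDR = struct.Struct("!H")


class Outbox:
    """Queue of length-prefixed messages written to a non-blocking byte stream.

    Same contract as SSL_write(): once a message has started going out and
    the transport reports WANT_WRITE, the same remaining bytes must be
    offered again until they are accepted. Only messages that have not
    started can be dropped without corrupting the stream for the peer.
    """

    def __init__(self):
        self.queued = []      # complete frames not yet started
        self.pending = b""    # unsent tail of the frame currently in flight

    def enqueue(self, payload):
        self.queued.append(FRAME_HDR.pack(len(payload)) + payload)

    def pump(self, write):
        """Write until the transport says WANT_WRITE; returns bytes accepted.

        write(buf) returns how many leading bytes of buf it accepted;
        0 plays the role of SSL_ERROR_WANT_WRITE.
        """
        total = 0
        while self.pending or self.queued:
            if not self.pending:
                self.pending = self.queued.pop(0)
            n = write(self.pending)
            if n == 0:
                break             # retry later with the *same* bytes
            self.pending = self.pending[n:]
            total += n
        return total

    def drop_unstarted(self):
        """Safe timeout action: discard frames the peer has seen nothing of."""
        dropped = len(self.queued)
        self.queued.clear()
        return dropped

    def abandon_in_flight(self):
        """What the poster wants to do; it desynchronises the peer."""
        self.pending = b""


class Inbox:
    """Receiver side: reassemble complete frames from the raw byte stream."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        msgs = []
        while len(self.buf) >= FRAME_HDR.size:
            (length,) = FRAME_HDR.unpack_from(self.buf)
            end = FRAME_HDR.size + length
            if len(self.buf) < end:
                break             # wait for the rest of this frame
            msgs.append(self.buf[FRAME_HDR.size:end])
            self.buf = self.buf[end:]
        return msgs


class ThrottledPipe:
    """Constructed transport with a send budget; accepts 0 bytes once spent."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.wire = b""

    def write(self, buf):
        n = min(self.capacity, len(buf))
        self.capacity -= n
        self.wire += buf[:n]
        return n


def demo(abandon):
    """Two messages, a stall after 4 bytes, then a 'timeout' decision.

    Returns the frames the receiver can decode once the link unblocks: the
    safe policy delivers the first message; abandoning the in-flight frame
    leaves the receiver waiting for 11 payload bytes that never arrive.
    """
    pipe, out, inbox = ThrottledPipe(capacity=4), Outbox(), Inbox()
    out.enqueue(b"hello world")
    out.enqueue(b"second")
    out.pump(pipe.write)              # 4 of 13 bytes of frame 1 leave
    if abandon:
        out.abandon_in_flight()       # peer still expects the rest of frame 1
    else:
        out.drop_unstarted()          # "second" never started: safe to drop
    pipe.capacity = 1 << 16           # link unblocks
    out.pump(pipe.write)
    return inbox.feed(pipe.wire)
```

With a real socket, `write` is SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE set and the retry happens only after select() reports the socket writable; the timeout can then either drop queued messages that have not started or close the connection, which is the "ugly" option the poster already identified.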
[no subject]
Hi, I am using non-blocking sockets, and would like to know the behaviour with respect to SSL renegotiation. Once I make a call to do_handshake, as the FD is non-blocking it will return immediately with a success, but from the application's point of view how will it come to know that the renegotiation is through so that it can call SSL_write/SSL_read? Should the application poll on that do_handshake flag within the ssl control block? Any suggestion/help appreciated a lot. Thanks --Gayathri
Re: [openssl-users] Re: Generate a CRL from an OCSP request
On 2 June 2005, Julien VEHENT wrote:
Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Wed, Jun 01, 2005, Julien VEHENT wrote:
I'm having an OCSP responder on my CA and I want to use it in order to generate CRLs on other servers.

Usually, it's the other way around: provide an OCSP service based on a CRL.

In fact, what you're trying to do is impossible to do. An OCSP response can't be transformed into a valid CRL.

I don't want to use HTTP just because web servers are attacked too much.

Then use a small web server, and apply the necessary security patches. Isn't your OCSP responder attacked?

-- Erwann ABALEA [EMAIL PROTECTED]
Re: Read a Bignum from file
Angel Martinez Gonzalez wrote:
Hello: I wrote a BIGNUM into a file using the function:
int BN_print_fp(FILE *fp, const BIGNUM *a);
But how can I read this bignum from this file? I don't know an OpenSSL function to read a bignum from a file.

Hello, you can read a BIGNUM from a file with this method:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/bn.h>

int main(void)
{
    BIGNUM *b;
    FILE *f;
    char buff[128];   /* must be large enough for the hex form of the BIGNUM */
    size_t n;

    b = BN_new();
    if (b == NULL)
        return 0;
    BN_add_word(b, 123456789);

    f = fopen("bignum", "w");
    if (f == NULL)
        return 0;
    BN_print_fp(f, b);            /* BN_print_fp() writes the number in hexadecimal */
    BN_free(b);
    b = NULL;                     /* let BN_hex2bn() allocate a fresh BIGNUM below */
    fclose(f);

    /* start reading */
    f = fopen("bignum", "r");
    if (f == NULL)
        return 0;
    n = fread(buff, sizeof(char), sizeof(buff) - 1, f);
    fclose(f);
    if (n == 0)
        return 0;
    buff[n] = '\0';               /* BN_hex2bn() stops at the first non-hex character */
    if (!BN_hex2bn(&b, buff))
        return 0;

    printf("BN read from file : ");
    BN_print_fp(stdout, b);
    printf("\n");
    BN_add_word(b, 1);
    printf("BN read from file + 1 : ");
    BN_print_fp(stdout, b);
    printf("\n");
    BN_free(b);
    return 1;
}

-- Ludovic FLAMENT
valgrind errors
Hello all, I developed a server which seems to work quite fine. When I use Valgrind to check for problems, it returns me thousands of problems which seem to be caused by the OpenSSL library! Here follow some of the returns:

==23622== Syscall param write(buf) points to uninitialised byte(s)
==23622==    at 0x82C573: __write_nocancel (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x7D202A: _IO_do_write@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x7D17C4: _IO_file_close_it@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x7C83F1: fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x8073637: RAND_write_file (in /home/tools/version_courante/mybin)
==23622==    by 0xCF39EAD1: ???
==23622==  Address 0x25989000 is not stack'd, malloc'd or (recently) free'd
==23622==
==23622== Thread 3:
==23622== Conditional jump or move depends on uninitialised value(s)
==23622==    at 0x8072F5E: lh_retrieve (in /home/tools/version_courante/mybin)
==23622==
==23622== Use of uninitialised value of size 4
==23622==    at 0x8072F73: lh_retrieve (in /home/tools/version_courante/mybin)
...

The first lines are returned when calling RAND_write_file(), the other lines are all returned when calling SSL_accept(). Does anyone know if it is an error of my own or not? Alexis
openssl upgrade - subject problem
hi! I just updated:

apache_1.3.24.tar.gz
mod_perl-1.26.tar.gz
mod_ssl-2.8.8-1.3.24.tar.gz
openssl-0.9.6d.tar.gz

To:

apache_1.3.33.tar.gz
mod_perl-1.29.tar.gz
mod_ssl-2.8.22-1.3.33.tar.gz
openssl-0.9.7g.tar.gz

The problem: the environment was:
'SSL_CLIENT_S_DN' => '/C=AT/ST=... /Email=xxx',
And now is:
'SSL_CLIENT_S_DN' => '/C=AT/ST=... /emailAddress=xxx',

I'm using this variable for authentication. 1) Did I do something wrong while installing? or 2) Is this the current behaviour and I should change my software? Thanks Ciao, Armin Obersteiner -- [EMAIL PROTECTED] pgp public key on request CU
I am having a hard time getting SSL_Accept to work with a non blocking socket
Hi there, I am pulling my hair out trying to get SSL_accept to work with a non-blocking socket. When I make a call to SSL_accept and then perform an SSL_get_error, I get the error SSL_ERROR_WANT_READ. At this point what should I do? Currently I am doing the following:

while (((rc = SSL_accept(ssl)) <= 0) &&
       ((SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ) ||
        (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_WRITE))) {}

but I never get out of this loop. I am also using select to obtain read events for this socket. In the case mentioned above do I need to check select for a read event prior to retrying SSL_accept? HELP MUCH APPRECIATED!
Determining key size for DSA and DH?
I'm trying to determine the length (in bits) for my DSA and DH keys. I'm happily using RSA_size() for RSA keys, and I assumed that DSA_size and DH_size would do equivalent operations (based on the man page for BN_size_bits, which states 'If you want to know the key size of such a key, either use functions like RSA_size(), DH_size() and DSA_size()'). However the man page for DSA_size says that it returns the size of the signature (which for me is always 48 bytes or 384 bits, irrespective of the key parameters). Is there a way to determine the key length for DSA keys and DH keys? Brad
Re: valgrind errors
On Wed, 1 Jun 2005 23:31 pm, [EMAIL PROTECTED] wrote:
Hello all, I developed a server which seems to work quite fine. When I use Valgrind to check for problems, it returns me thousands of problems which seem to be caused by the OpenSSL library! Here follow some of the returns:

There is no assurance that all of the problems are of one kind or another, however based on some advice I got on this list, I recompiled openssl with the -DPURIFY option, and most of the errors went away. The reason is that openssl tries to use uninitialised memory to help get randomness. Your results may vary. Brad
Re: Determining key size for DSA and DH?
Brad Hards wrote:
I'm trying to determine the length (in bits) for my DSA and DH keys. I'm happily using RSA_size() for RSA keys, and I assumed that DSA_size and DH_size would do equivalent operations (based on the man page for BN_size_bits, which states 'If you want to know the key size of such a key, either use functions like RSA_size(), DH_size() and DSA_size()').

yep, that's a bug.

However the man page for DSA_size says that it returns the size of the signature (which for me is always 48 bytes or 384 bits, irrespective of the key parameters). Is there a way to determine the key length for DSA keys and DH keys?

in case of an EVP_PKEY object EVP_PKEY_bits, otherwise BN_num_bits(dsa->p). But as the NOTES section in the BN_num_bits manpage already says this isn't really a satisfying solution, it would be better to have functions like

size_t DSA_signature_size(const DSA *);
size_t DSA_pkey_size(const DSA *);

for this ... just a thought. You should send a bug report to [EMAIL PROTECTED]

Nils
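The two sizes the thread is contrasting, as an added example that is not part of the thread or of OpenSSL: a Python model of what DSA_size() computes (an upper bound on the DER-encoded signature, which depends only on q) next to the key size Nils points at (BN_num_bits of p), with a DER encoder and a strict decoder for the SEQUENCE { INTEGER r, INTEGER s } signature structure so the bound can be checked against real encodings. The parameter sizes at the bottom are constructed numbers, not DSA parameters; the dsa_size arithmetic mirrors the OpenSSL 0.9.x DSA_size() logic of adding one pad byte per integer in case the top bit is set.

```python
def bn_num_bits(n):
    """Python analogue of BN_num_bits(): bit length of a non-negative integer."""
    return n.bit_length()


def _der_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(v):
    """Minimal DER INTEGER for a non-negative value; a leading 0x00 byte is
    present only when the top bit of the first content byte would be set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_dsa_sig(r, s):
    """DSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (what DSA_sign() emits)."""
    body = _der_integer(r) + _der_integer(s)
    return b"\x30" + _der_length(len(body)) + body


def decode_dsa_sig(der):
    """Strict parser for the structure above; rejects trailing data."""
    def tlv(buf, pos, tag):
        if pos + 2 > len(buf) or buf[pos] != tag:
            raise ValueError("unexpected tag at offset %d" % pos)
        length = buf[pos + 1]
        pos += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > len(buf):
            raise ValueError("truncated element")
        return buf[pos:pos + length], pos + length

    seq, end = tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    r_bytes, pos = tlv(seq, 0, 0x02)
    s_bytes, pos = tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing data inside SEQUENCE")
    return int.from_bytes(r_bytes, "big"), int.from_bytes(s_bytes, "big")


def dsa_size(q_bits):
    """Python analogue of DSA_size(): an upper bound on the DER signature
    length derived from q alone, since r and s are both reduced mod q.
    Like OpenSSL, assume the top bit may be set, so each INTEGER gets one
    pad byte; for a 160-bit q that is 2 * (2 + 21) + 2 = 48 bytes."""
    content = (q_bits + 7) // 8 + 1
    integer = 1 + len(_der_length(content)) + content
    body = 2 * integer
    return 1 + len(_der_length(body)) + body


def dsa_key_bits(p):
    """The number the poster actually wants: BN_num_bits(dsa->p)."""
    return bn_num_bits(p)


# Constructed, not real, parameter sizes: a 1024-bit p with a 160-bit q, the
# combination behind the poster's fixed 48-byte signature size.
P_1024 = (1 << 1023) | 1
Q_160 = (1 << 159) | 1
```

The same confusion applies to DH_size(), which returns the byte length of p (the shared-secret size), so a caller who wants bits for either algorithm should use EVP_PKEY_bits() on an EVP_PKEY or BN_num_bits() on p.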
Re: Determining key size for DSA and DH?
On Sun, 5 Jun 2005 21:20 pm, Nils Larsch wrote:
Is there a way to determine the key length for DSA keys and DH keys?
in case of an EVP_PKEY object EVP_PKEY_bits, otherwise

As it turns out, I do have an EVP_PKEY, so this is just what I needed.

BN_num_bits(dsa->p). But as the NOTES section in the BN_num_bits manpage already says this isn't really a satisfying solution, it would be better to have functions like
size_t DSA_signature_size(const DSA *);
size_t DSA_pkey_size(const DSA *);
for this ... just a thought.

Yeah, that would make it more obvious. Even without the doco confusion, it is still a bit dangerous to have FOO_size() do completely different things.

You should send a bug report to [EMAIL PROTECTED]

I just forwarded the email train to that address, but if there is a better way to do the report, just let me know (pointer to a webpage, whatever). Brad
Re: Determining key size for DSA and DH?
On Sun, 5 Jun 2005 22:03 pm, Brad Hards wrote:
On Sun, 5 Jun 2005 21:20 pm, Nils Larsch wrote:
Is there a way to determine the key length for DSA keys and DH keys?
in case of an EVP_PKEY object EVP_PKEY_bits, otherwise
As it turns out, I do have an EVP_PKEY, so this is just what I needed.

Not sure how I managed to miss it, but I missed the "huge thanks for the fast response" part of my message. Thanks Nils - this saved me a lot of work, and is truly appreciated. Brad
Re: openssl upgrade - subject problem
Armin Obersteiner wrote:
hi! The problem: the environment was:
'SSL_CLIENT_S_DN' => '/C=AT/ST=... /Email=xxx',
And now is:
'SSL_CLIENT_S_DN' => '/C=AT/ST=... /emailAddress=xxx',

Email is not an official short name for the object identifier 1.2.840.113549.1.9.1. Because of this the term Email was dropped and only the official name emailAddress kept.

Bye Goetz -- DMCA: The greed of the few outweighs the freedom of the many
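The practical consequence of Goetz's answer, as an added example that is not part of the thread or of OpenSSL: software that authenticates on the printed SSL_CLIENT_S_DN string breaks whenever a short name is respelled, whereas matching on the attribute's object identifier does not, because both Email and emailAddress denote 1.2.840.113549.1.9.1. The parser below handles OpenSSL's legacy one-line DN form; the short-name table and the two sample DNs (which stand in for the redacted values on the page) are constructed for the example.

```python
import re

# Short names mapped to the object identifiers they stand for. "Email" is the
# unofficial short name older OpenSSL printed; "emailAddress" is the official
# one (pkcs-9-at-emailAddress). Both denote the same OID.
SHORT_NAME_TO_OID = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
    "Email": "1.2.840.113549.1.9.1",
    "emailAddress": "1.2.840.113549.1.9.1",
}
EMAIL_OID = "1.2.840.113549.1.9.1"
_DOTTED_OID = re.compile(r"\d+(\.\d+)+")


def parse_oneline_dn(dn):
    """Parse OpenSSL's one-line '/C=AT/ST=.../emailAddress=x' form into an
    ordered list of (oid, value) pairs.

    Caveat: that legacy format does not escape '/' or '=' inside values, so a
    value containing them is ambiguous here exactly as it is in the printed
    string; code that can reach the X509_NAME should compare its components
    rather than the text.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a leading '/'")
    pairs = []
    for rdn in dn[1:].split("/"):
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r" % rdn)
        oid = SHORT_NAME_TO_OID.get(name)
        if oid is None:
            if not _DOTTED_OID.fullmatch(name):
                raise ValueError("unknown attribute type %r" % name)
            oid = name            # a numeric OID is its own name
        pairs.append((oid, value))
    return pairs


def dn_equal(a, b):
    """Compare two printed DNs by attribute OID and value, not by spelling."""
    return parse_oneline_dn(a) == parse_oneline_dn(b)


def email_from_dn(dn):
    """Pull the e-mail attribute regardless of which short name printed it."""
    for oid, value in parse_oneline_dn(dn):
        if oid == EMAIL_OID:
            return value
    return None


# Constructed samples in the two spellings the poster saw before and after the
# upgrade; the real values are not on the page.
OLD_DN = "/C=AT/ST=Vienna/O=Example GmbH/CN=Armin/Email=armin@example.org"
NEW_DN = "/C=AT/ST=Vienna/O=Example GmbH/CN=Armin/emailAddress=armin@example.org"
```

A plain string comparison of OLD_DN and NEW_DN fails after the upgrade while dn_equal() still matches; the same lesson applies to any short name that a future OpenSSL release might rename.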
[Solution] Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace
Simple: there was a second missing file: v3_pci.c. So the final solution is to add two files to the libeay32/x509v3 folder in the workspace: v3_pci.c and v3_pcia.c

-- [EMAIL PROTECTED] The author for the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be

- Original Message - From: Francois PIETTE [EMAIL PROTECTED] To: openssl-users@openssl.org Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Sunday, June 05, 2005 3:37 PM Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

I'm progressing! The file v3_pcia.c was missing from the libeay32/x509v3 files! Now I have only one undefined symbol remaining: v3_pci

--- cut here ---
Creating library ..\..\out32dll\Debug/libeay32.lib and object ..\..\out32dll\Debug/libeay32.exp
v3_lib.obj : error LNK2001: unresolved external symbol _v3_pci
..\..\out32dll\Debug/libeay32.dll : fatal error LNK1120: 1 unresolved externals
Error executing link.exe.
--- cut here ---

I still have to find where it is defined. Probably in another file that is missing from the libeay32.dll project.

-- [EMAIL PROTECTED] The author for the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be

- Original Message - From: Francois PIETTE [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Saturday, June 04, 2005 5:09 PM Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

From the looks of it you are missing some include files. Search the source for where those symbols are defined. Get those include files into your project.

There are no missing source files. The symbols are defined by various macros. Everything is there (I can compile correctly with the command line make file). I think it is only a matter of compiler or linker option. I think it currently compiles the symbols as externals.

BTW, why not just link to the libs? You could even link statically.

I need the DLL because I don't write any C/C++ application but a Delphi application which dynamically links to the two OpenSSL DLLs.

-- [EMAIL PROTECTED] The author for the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be

Francois PIETTE wrote: Am I the only one still using the MSVC workspace? Can someone give a look at my message below?

- Original Message - From: Francois PIETTE [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Thursday, June 02, 2005 6:37 PM Subject: Re: Problem in compiling openssl 0.9.7g on Windows with MSVC workspace

I have the exact same problem and can't fix it. Can someone give a step by step procedure to fix the problem? Or maybe a correct MSVC workspace exists somewhere? btw: Compiling works OK when using the make file. It only fails as explained below when using the MSVC workspace.

- Original Message - From: ahmad hassan [EMAIL PROTECTED] To: openssl-users@openssl.org Cc: [EMAIL PROTECTED] Sent: Tuesday, May 03, 2005 1:20 PM Subject: Problem in compiling openssl 0.9.7g on Windows

Hello, I am trying to build openssl 0.9.7g on windows, which I was successfully able to do using the steps mentioned in the INSTALL.W32 file. Now I would like to include the libeay32 and ssleay32 source code as a workspace in my Visual C++ 6.0 project. For that I went to http://www.openssl.org/related/ and the second link gave me the dsp to use and compile the openssl source code through the VC++ environment. It is actually so that I had openssl 0.9.7d with me which I downloaded a year ago and compiled it using this visual studio project file, but now it is not compiling with the latest version, giving me messages like this. There is some problem with the proxy certificates thing. How do I resolve these errors? Some are just defined in the libeay32.def file which I removed, but PROXY_CERT_INFO_EXTENSION_free is not declared anywhere and is being used in a number of places like openssl-0.9.7g\crypto\x509\x509_vfy.c etc.

Can anyone guide me or give me related information regarding how to include the latest openssl version as a workspace in my project.

Configuration: libeay32 - Win32 Debug
Linking...
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_CERT_INFO_EXTENSION_new
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_free
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_it
libeay32.def : error LNK2001: unresolved external symbol PROXY_POLICY_new
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_CERT_INFO_EXTENSION
libeay32.def : error LNK2001: unresolved external symbol d2i_PROXY_POLICY
libeay32.def : error LNK2001: unresolved external symbol
[0.9.7g ] do_subject function missing from req.c, found in ca.c
I'm recompiling version 0.9.7g and found that the do_subject function is missing in req.c. I copied the code from ca.c and it compiles fine. Not tested at runtime.

-- [EMAIL PROTECTED] The author for the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be
Re: [0.9.7g ] do_subject function missing from req.c, found in ca.c
Well, but later it fails compiling the OpenSSL command line tool because it is defined in both ca.c and req.c :-(

-- [EMAIL PROTECTED] http://www.overbyte.be

- Original Message - From: Francois PIETTE [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Sunday, June 05, 2005 4:01 PM Subject: [0.9.7g ] do_subject function missing from req.c, found in ca.c

I'm recompiling version 0.9.7g and found that the do_subject function is missing in req.c. I copied the code from ca.c and it compiles fine. Not tested at runtime.

-- [EMAIL PROTECTED] The author for the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be
Re: Default CApath in Debian (OpenSSL 0.9.6c-2)
Hi, I was looking for a system-wide setting via openssl.cnf, but it seems that there isn't any. Thank you for the hint, I will adapt the client program. Vaclav Stepan -- Vaclav Stepan [EMAIL PROTECTED] http://linux.fjfi.cvut.cz/~w/
Re: I am having a hard time getting SSL_Accept to work with a nonblocking socket
Eric Gold wrote:
Hi there, I am pulling my hair out trying to get SSL_accept to work with a non-blocking socket. When I make a call to SSL_accept and then perform an SSL_get_error, I get the error SSL_ERROR_WANT_READ. At this point what should I do? Currently I am doing the following:

while (((rc = SSL_accept(ssl)) <= 0) &&
       ((SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ) ||
        (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_WRITE))) {}

but I never get out of this loop. I am also using select to obtain read events for this socket. In the case mentioned above do I need to check select for a read event prior to retrying SSL_accept? HELP MUCH APPRECIATED!

Have you already had a look at http://www.openssl.org/docs/ssl/SSL_accept.html? Is the socket already connected? What kind of BIO are you using? Just want to gain time to make some tests myself... ;) Ted ;)
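The retry discipline the question is asking about (and the renegotiation question earlier on the page has the same shape), as an added example that is not part of the thread or of OpenSSL: instead of spinning on SSL_accept(), wait for select() to report the readiness the library asked for, then call it again, and give up after a timeout. It is written in Python, whose ssl module raises SSLWantReadError and SSLWantWriteError where C code sees SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE; so that it runs offline without certificates, the handshake object is a constructed stand-in that completes once a 5-byte hello has arrived over a local socketpair, which is the same control flow a real server-side SSLSocket follows.

```python
import selectors
import socket
import ssl
import threading


def drive_handshake(tls, sock, timeout):
    """Complete a non-blocking handshake, retrying only after select says the
    socket is ready in the direction the library asked for.

    tls.do_handshake() is expected to raise ssl.SSLWantReadError or
    ssl.SSLWantWriteError (Python's spelling of SSL_ERROR_WANT_READ and
    SSL_ERROR_WANT_WRITE). Returns True when done, False on timeout.
    """
    sel = selectors.DefaultSelector()
    try:
        while True:
            try:
                tls.do_handshake()
                return True
            except ssl.SSLWantReadError:
                wanted = selectors.EVENT_READ
            except ssl.SSLWantWriteError:
                wanted = selectors.EVENT_WRITE
            sel.register(sock, wanted)
            try:
                ready = sel.select(timeout)
            finally:
                sel.unregister(sock)
            if not ready:
                return False        # nothing arrived in time: stop, don't spin
    finally:
        sel.close()


class FakeHandshake:
    """Constructed stand-in for an SSLSocket so the loop runs without
    certificates: the 'handshake' is complete once 5 bytes have been read
    from the peer. Raising SSLWantReadError when the non-blocking socket has
    nothing to read is what SSL_accept() reports mid-handshake."""

    HELLO_LEN = 5

    def __init__(self, sock):
        self.sock = sock
        self.got = b""
        self.want_read_count = 0      # how often WANT_READ was reported

    def do_handshake(self):
        while len(self.got) < self.HELLO_LEN:
            try:
                chunk = self.sock.recv(self.HELLO_LEN - len(self.got))
            except BlockingIOError:
                self.want_read_count += 1
                raise ssl.SSLWantReadError("The operation did not complete (read)")
            if not chunk:
                raise ConnectionError("peer closed during handshake")
            self.got += chunk


def demo(peer_answers, timeout=0.5):
    """Reproduce the poster's situation on a socketpair, then drive the loop.

    Returns (handshake_done, number_of_WANT_READ_results). The peer, if any,
    sends its hello from a timer thread so the loop really has to wait.
    """
    server, client = socket.socketpair()
    server.setblocking(False)
    tls = FakeHandshake(server)
    sender = None
    try:
        try:
            tls.do_handshake()        # first SSL_accept(): hello not there yet
        except ssl.SSLWantReadError:
            pass
        if peer_answers:
            sender = threading.Timer(0.05, client.sendall, args=(b"hello",))
            sender.start()
        done = drive_handshake(tls, server, timeout)
        return done, tls.want_read_count
    finally:
        if sender is not None:
            sender.join()
        server.close()
        client.close()
```

With a real listener the object is `ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)` on a non-blocking `conn`, passed as both `tls` and `sock`; the C equivalent selects on SSL_get_fd() after SSL_get_error() returns a WANT_* code, and the timeout branch is what the poster's busy loop lacks.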
[ANNOUNCE] OpenSSL 0.9.8 beta 4 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 4
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fourth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-0.9.8-beta4.tar.gz
  MD5 checksum: 55268415737b3d21726307d778fdf39e
  SHA1 checksum: 3d2a19de0c7e1972f8a3f0420e6cf9ac35bbaf4f

The checksums were calculated using the following command:

openssl md5 openssl-0.9.8-beta4.tar.gz
openssl sha1 openssl-0.9.8-beta4.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the third beta, the following has happened:

- Ultrix issues are fixed (we think).
- ia64 issues are fixed (we think).
- NetWare is updated.
- More VMS issues are fixed.
- rpm build issues are fixed (we think).
- Engine padlock issues are fixed (we think).
- pqueue should now work a lot better on systems that do not support integer types larger than 32 bits.

Reports and patches should be sent to [EMAIL PROTECTED] Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED] Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file testlog. Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...
Mark J. Cox, Ben Laurie, Andy Polyakov, Ralf S. Engelschall, Richard Levitte, Geoff Thorpe, Dr. Stephen Henson, Bodo Möller, Ulf Möller, Lutz Jänicke, Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCo6SSp6+eePcJRTsRAoGtAJwOQJxueNPiSaMFJ2Rrc2cvgOHP9gCfaDeF
xKCWTtFoUUfZnYbuwy3B7JI=
=wDna
-----END PGP SIGNATURE-----