AW: SSL alert (write): fatal: bad record mac
Hi all,

I have problems with the encryption and decryption of large strings. The following code works fine with little data.

// Encrypt
...
PEM_SealInit( ctx,EVP_des_cbc(),EVP_md5(),ekey,ekeylen,iv,pubKey,pubkeyscount);
...
PEM_SealUpdate( ctx,outbuf, outlen,intext,intextlen);
...
PEM_SealFinal( ctx,outbufsig, outlensig, outbuf[outlen], outlen2,privatekey);

// Decrypt
// all parameters already base64-decoded if necessary
...
EVP_OpenInit( ctx,EVP_des_cbc(),deK,deKlen,iv,pk) 0;
...
EVP_OpenUpdate( ctx,buf, buflen,ptx,ptxlen);
...
EVP_OpenFinal( ctx, buf, buflen);

Everything works fine, but for large intext 1000 Byte EVP_OpenFinal produces the errors EVP_R_WRONG_FINAL_BLOCK_LENGTH or EVP_R_BAD_DECRYPT.

What am I doing wrong?

Thanks in advance for any help,
Martin
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
RE: Using OpenSSL over a high level peer-to-peer middleware
The security work in SNMPv3 is old and outdated and years behind current practice. Some of that is understandable, but even back then we knew enough to know that raw UDP is almost architecturally flawed.

Not quite on the list topic - but if you were aware of the constraints placed on SNMP protocol and its security model, you probably wouldn't be so rash in judgement.

P.S. I'm sure Marshall Rose would love to hear your arguments against UDP. :-) And so would DTLS crowd. :-)
CRYPTO_thread_setup CRYPTO_thread_cleanup
Hello guys,

I have a problem in the implementation of CRYPTO_thread_setup() and cleanup functions. I've already implemented an application which consists of 4 threads. Each of those 4 threads spawns 100 other threads with different gsoap clients. The problem is that I can't separate some Openssl calls such as CRYPTO_set_id_callback, CRYPTO_set_locking_callback, CRYPTO_set_dynlock_create_callback to be different for each of those 4 threads. If I use one CRYPTO_thread_setup and one CRYPTO_thread_cleanup only in one of the threads I will have memory leaks in the other threads.

How can I have 4 different openssl environments, each with its own CRYPTO_* functions?

Regards,
marios
Re: problems with dynamic engine on windows
On Thu, 20 Oct 2005 13:30:14 +0400 Victor B. Wagner [EMAIL PROTECTED] wrote:

On 2005.10.19 at 19:26:36 +0200, Steffen Pankratz wrote:

Hi

I'm trying to get my dynamic engine to work on windows (openssl 0.9.8a, ms vc++ 7), it runs fine in linux

Have you configured openssl the right way when building? Check the openssl include files you are using when compiling for a definition of the OPENSSL_NO_DYNAMIC_ENGINE macro. It should be in opensslconf.h

If it is there, you have to run

perl Configure VC-WIN32 shared

and rebuild openssl as described in INSTALL.W32

You are right, it's defined in opensslconf.h, but also even if i add 'shared' to the Configure command. This is strange. Btw on Linux it's not even mentioned in opensslconf.h.

schnip--
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
static int bind_helper(ENGINE *e, const char *id)
{
    if(id && (strcmp(id, engine_desecb_id) != 0))
        return 0;
    if(!bind_desecb(e))
        return 0;
    return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)

Note that on Windows one has to add an export declaration before both of these macros. Otherwise the functions implemented by these macros wouldn't be exported from the DLL and openssl would be unable to load the engine dynamically.

I have the following code in my engine, which loads successfully under Win32:

#ifdef _WIN32
extern __declspec( dllexport )
#endif
IMPLEMENT_DYNAMIC_BIND_FN(bind_gost);
#ifdef _WIN32
extern __declspec( dllexport )
#endif
IMPLEMENT_DYNAMIC_CHECK_FN();

Symbol _WIN32 is defined automagically by all Win32 compilers I've tested (gcc/mingw32, gcc cross-compiler on Linux, various versions of Borland, starting with 4.x, MSVC)

I thought as much but i had it in the wrong place. So i put it before the 2 macros as you did and it's working great now.

so i tricked and did a #undef OPENSSL_NO_DYNAMIC_ENGINE but i can't load my dll in openssl at all

Without this trick it's still doing the stuff in the else part. I have to figure out why OPENSSL_NO_DYNAMIC_ENGINE is defined in opensslconf.h.

Thank you very much for your help, Victor.

--
Hypnos powered by LFS SVN-20041206 (Linux 2.6.13.4)
visit http://www.kratz00.org/ http://liflg.org/
Best regards, Steffen Pankratz.
PGP PUBLIC KEY: http://www.kratz00.org/kratz00.at.gmx.de.asc
RE: openssl on Solaris8 with Openldap
Did you ever find a solution to your question? I know the newer patches to solaris 8 add ssl capability. If you posted your slapd.conf and ldap.conf files I could prolly figure it out, unless it's how you're making your certs?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 20, 2005 2:56 AM
To: openssl-users@openssl.org
Subject: openssl on Solaris8 with Openldap

Hello list,

I'm using Solaris8 with Openldap2.2.26 and Openssl-0.9.8. What I want is an encrypted authentication via ldap. On Solaris you have to use the native ldapclient as client and I'm using Openldap as the server. The encryption between Apache2.0 and Openldap works fine. But Apache2.0 brings the constraint that I have to use SSL, not TLS. So I created SSL certificates

openssl ... -nodes

and it works fine with Apache. So I want to use these SSL certificates. If I start the ldap.client on port 636 I get the output

TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:585

I think the certificates are also good for TLS. So I've got no problem to use TLS. But there is just no reaction on the flag NS_LDAP_AUTH_TLS by the ldapclient. The error I got is an ssl error. Maybe somebody knows a workaround or a real solution to get an encryption between openldap and the ldapclient.

Thx,
Sebastian Lorkowski
RE: openssl on Solaris8 with Openldap
No, I didn't find a solution. The new patches are already installed (relevant would be patch 108993-49, I think -- http://sunsolve.sun.com/search/advsearch.do?collection=PATCHtype=collectionsmax=50language=enqueryKey5=108993toDocument=yes)

The server.pem file is a self signed certificate; created with

openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 830

slapd.conf:

[include schema]
# Define global ACLs to disable default read access.
include /usr/local/etc/openldap/slapd.access.conf
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/cert/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/server.pem
TLSCACertificateFile /usr/local/etc/openldap/cert/server.pem
###
# BDB database definitions
###
database bdb
suffix dc=root,dc=dn
rootdn dc=bind,dc=dn
rootpw secret
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index uid,cn,sn,givenname,memberuid,gecos,description eq,sub
index gidnumber,userpassword,uidnumber,homedirectory,loginShell eq
loglevel -1
#

The ldap.conf is not very necessary for me, because I had to use the native solaris ldapclient to get an authentication via pam_ldap.

Here the ldapconfigfile:

NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 127.0.0.1:636
NS_LDAP_SEARCH_BASEDN= dc=netlive,dc=arcor.net
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_SEARCH_DN= passwd:(ou=people,dc=netlive,dc=arcor.net)
NS_LDAP_SEARCH_DN= shadow:(ou=people,dc=netlive,dc=arcor.net)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_PROFILE= __default_config
NS_LDAP_BIND_TIME= 30

If really necessary for whatever, the ldap.conf:

BASE dc=bind,dc=dn
URI ldaps://127.0.0.1:636
TLS_CACERT /usr/local/etc/openldap/cert/demoCA/cacert.pem
TLS_CERT /usr/local/etc/openldap/cert/server.pem
TLS_KEY /usr/local/etc/openldap/cert/server.pem
TLS_REQCERT never
rootbinddn cn=ldapprofile,ou=profile,dc=bind,dc=dn
pam_login_attribute uid
pam_filter objectclass=posixAccount
pam_member_attribute memberUid
pam_password exop
###

Thx,
Sebastian Lorkowski

--- Original Message ---
From: Chevalier, Victor T. [EMAIL PROTECTED]
To: openssl-users@openssl.org
Subject: RE: openssl on Solaris8 with Openldap
Date: Fri, 21 Oct 2005 09:37:49 -0500

Did you ever find a solution to your question? I know the newer patches to solaris 8 add ssl capability. If you posted your slapd.conf and ldap.conf files I could prolly figure it out, unless it's how you're making your certs?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 20, 2005 2:56 AM
To: openssl-users@openssl.org
Subject: openssl on Solaris8 with Openldap

Hello list,

I'm using Solaris8 with Openldap2.2.26 and Openssl-0.9.8. What I want is an encrypted authentication via ldap. On Solaris you have to use the native ldapclient as client and I'm using Openldap as the server. The encryption between Apache2.0 and Openldap works fine. But Apache2.0 brings the constraint that I have to use SSL, not TLS. So I created SSL certificates

openssl ... -nodes

and it works fine with Apache. So I want to use these SSL certificates. If I start the ldap.client on port 636 I get the output

TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:585

I think the certificates are also good for TLS. So I've got no problem to use TLS. But there is just no reaction on the flag NS_LDAP_AUTH_TLS by the ldapclient. The error I got is an ssl error. Maybe somebody knows a workaround or a real solution to get an encryption between openldap and the ldapclient.

Thx,
Sebastian Lorkowski
Re: problems with dynamic engine on windows
On Fri, 21 Oct 2005 15:29:42 +0200 Steffen Pankratz [EMAIL PROTECTED] wrote:

On Thu, 20 Oct 2005 13:30:14 +0400 Victor B. Wagner [EMAIL PROTECTED] wrote:

On 2005.10.19 at 19:26:36 +0200, Steffen Pankratz wrote:

Hi

I'm trying to get my dynamic engine to work on windows (openssl 0.9.8a, ms vc++ 7), it runs fine in linux

Have you configured openssl the right way when building? Check the openssl include files you are using when compiling for a definition of the OPENSSL_NO_DYNAMIC_ENGINE macro. It should be in opensslconf.h

If it is there, you have to run

perl Configure VC-WIN32 shared

and rebuild openssl as described in INSTALL.W32

You are right, it's defined in opensslconf.h, but also even if i add 'shared' to the Configure command. This is strange. Btw on Linux it's not even mentioned in opensslconf.h.

schnip--
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
static int bind_helper(ENGINE *e, const char *id)
{
    if(id && (strcmp(id, engine_desecb_id) != 0))
        return 0;
    if(!bind_desecb(e))
        return 0;
    return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)

Note that on Windows one has to add an export declaration before both of these macros. Otherwise the functions implemented by these macros wouldn't be exported from the DLL and openssl would be unable to load the engine dynamically.

I have the following code in my engine, which loads successfully under Win32:

#ifdef _WIN32
extern __declspec( dllexport )
#endif
IMPLEMENT_DYNAMIC_BIND_FN(bind_gost);
#ifdef _WIN32
extern __declspec( dllexport )
#endif
IMPLEMENT_DYNAMIC_CHECK_FN();

Symbol _WIN32 is defined automagically by all Win32 compilers I've tested (gcc/mingw32, gcc cross-compiler on Linux, various versions of Borland, starting with 4.x, MSVC)

I thought as much but i had it in the wrong place. So i put it before the 2 macros as you did and it's working great now.

so i tricked and did a #undef OPENSSL_NO_DYNAMIC_ENGINE but i can't load my dll in openssl at all

Without this trick it's still doing the stuff in the else part. I have to figure out why OPENSSL_NO_DYNAMIC_ENGINE is defined in opensslconf.h.

Thank you very much for your help, Victor.

Engine loads fine but i can't use it. OpenSSL keeps crashing if i try to use it. I think it's because of OPENSSL_NO_DYNAMIC_ENGINE. I really have to figure out why it's defined.

And another question is: Where to place the dll? On Linux it's always $PREFIX/lib/engines/lib${CRYPTO_PARALLEL_LIB_NAME}.so so i named the dll des-ecb.dll, but where should it be placed?

--
Hypnos powered by LFS SVN-20041206 (Linux 2.6.13.4)
visit http://www.kratz00.org/ http://liflg.org/
Best regards, Steffen Pankratz.
PGP PUBLIC KEY: http://www.kratz00.org/kratz00.at.gmx.de.asc
certificate digest different results before writing to PEM?
Hi list,

I'm trying to calculate a certificate digest using X509_digest. I created an X509 certificate (self-signed) programmatically with X509_new (and I set the version and the organization and country etc. with X509_NAME_add_entry_by_txt). I then call X509_set_issuer_name and use X509_sign to self-sign my cert. Then I get the PEM representation of this cert with PEM_write_bio_X509.

After I read this PEM text back in, I get a new X509 - which gives me a different digest than what I got before I wrote to PEM. However, every time I read the PEM, I get the same fingerprint. It looks like writing to PEM somehow changes the fingerprint.

What do I do to fix this?

Thank you very much,
-M
Re: Using OpenSSL over a high level peer-to-peer middleware
Alain,

One of the nice things about the openssl implementation is the use of BIOs for communication, protocol becomes totally irrelevant, if you could write a bio to control white (or grey or black) mice to carry your data you could implement secure communications across any road/way/path the mice could travel (mmm cats and timeouts would maybe be a trouble).

Johan

--- Alain Damiral [EMAIL PROTECTED] wrote:

Greetings to everyone,

This is my first mail to this list so first of all I hope to avoid making too much of a fool of myself.

I am a student in computer science and I have been charged with the task of implementing a secure communication mechanism for a high level peer-to-peer middleware designed for use in the Oz language (www.mosart-oz.org). This peer-to-peer network is a structured network in which there should not necessarily be a direct TCP connexion between two communicating peers. So far it seems like a fine idea to use SSL over this network rather than directly over TCP as is usually done.

Before damaging my health too much on this work I'd appreciate some advice from fine people such as many of you certainly are about the following questions:

How feasible is it to use OpenSSL's SSL library to generate the raw data that is to be sent through the transport layer independent of the latter's implementation? And read this data on the other end...

Would it be a better idea to use OpenSSL's crypto library to handle cryptographic operations and certificates and reimplement the rest of SSL's behaviour according to its specification? (At least to the extent required for my piece of work)

Is there any known similar project, in which OpenSSL has been used to implement SSL over non-TCP connexions?

Well that's it for now and I thank you all for your time,

Alain Damiral,
Université Catholique de Louvain - student,
alain.damiral'at'student.uclouvian.be
DTLS examples?
Hi all,

I'm curious if anyone has any actual DTLS examples kicking around. I'm very interested in giving it a shot, but I haven't found much for API docs or even simple examples. The DTLS paper keeps talking about how similar it is to TLS, but I haven't really coded TLS either, so that doesn't help me much. A simple DTLS example would help tremendously.

Thanks,
Adam