Re: Evp_Encrypt_Init Segfault
Girish Venkatachalam wrote: Try calling EVP_CIPHER_CTX_cleanup(ctx) at the end... I have tried this, does not change the situation. gdb output is 200 EVP_EncryptInit(ctx, EVP_bf_ecb(), NULL, NULL); (gdb) step Program received signal SIGSEGV, Segmentation fault. 0xb7df82fb in mallopt () from /lib/libc.so.6 I really dont know whats wrong here, Felix __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Evp_Encrypt_Init Segfault
Have you tried with the EVP_EncryptInit_ex() family of functions ? I'm not sure it would help much but it could be worth a try Felix Dorner wrote: Girish Venkatachalam wrote: Try calling EVP_CIPHER_CTX_cleanup(ctx) at the end... I have tried this, does not change the situation. gdb output is 200 EVP_EncryptInit(ctx, EVP_bf_ecb(), NULL, NULL); (gdb) step Program received signal SIGSEGV, Segmentation fault. 0xb7df82fb in mallopt () from /lib/libc.so.6 I really dont know whats wrong here, Felix __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Alain Damiral __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Evp_Encrypt_Init Segfault
Hi, the following code executes once, and does fine. Calling the function a second time gives a segfault during the call marked by -- You may have inadvertantly corrupted the heap the first time your code is executed. I suggest you put several assert statements to ensure that memory outside of that you allocated is not overwritten. Regards, Mark __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
SSL_connect fails with SSL_ERROR_SSL
Dear all,
Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2
certs - one for client and the other for the server. I have checked that
these certificates are ok.
I am attempting to write a SSL client-server program.
SSL Server:- Java. It has a keystore, which contains the server cert and the
CA cert.
SSL Client: C. In the program, using appropraite openssl calls, I have added
the cleint certificate, the private key and the CA cert to the context.
Please see the code snippet.
/* code snippet starts - all error handling removed for readability */
SSLeay_add_ssl_algorithms();
meth = SSLv3_client_method();
SSL_load_error_strings();
ctx = SSL_CTX_new (meth);
err = SSL_CTX_use_certificate_file(ctx, CertFile,
SSL_FILETYPE_PEM);
err = SSL_CTX_use_PrivateKey_file(ctx, PvtKeyFile,
SSL_FILETYPE_PEM);
SSL_CTX_check_private_key(ctx)
SSL_CTX_load_verify_locations(ctx, TrustedCACertFile, NULL);
/* code snippet ends - all error handling removed for readability */
Initialization is successful, but the handshake fails. We first create TCP
socket and then connect as shown below. Then, we call SSL_connect, which
fails with SSL_ERROR_SSL. At this point, the Java server outputs
SSLException No Trusted certificate.
sd = socket(AF_INET, SOCK_STREAM, 0);
int c = connect(sd, (struct sockaddr*) host_id , sizeof(host_id));
// By now, the SSL context is initialized and the TCP sockets are created.
// Now, SSLize the TCP sockets.
ssl = SSL_new(ctx); // create SSL objects from the
SSL context.
r = SSL_set_fd (ssl, sd); // Associate the network
connection with the SSL
object.
int err = SSL_connect (ssl);// Initiate the SSL handshake
*FAILS
HERE
if (err = 0)
{
int errcode = SSL_get_error(ssl, err);
switch(errcode)
{
/* other cases */
case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, SSL
connect: Protocol
Error.); break;
}
}
Can anyone please tell me what is happenning?
Best regards,
Ambarish.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: SSL_connect fails with SSL_ERROR_SSL
Dear all,
Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued
2
certs - one for client and the other for the server. I have checked that
these certificates are ok.
I am attempting to write a SSL client-server program.
SSL Server:- Java. It has a keystore, which contains the server cert and
the
CA cert.
SSL Client: C. In the program, using appropraite openssl calls, I have
added
the cleint certificate, the private key and the CA cert to the context.
Please see the code snippet.
...
Initialization is successful, but the handshake fails.
We first create TCP
socket and then connect as shown below. Then, we call SSL_connect,
which
fails with SSL_ERROR_SSL. At this point, the Java server outputs
SSLException No Trusted certificate.
If you want client authentication, you need
to explicitly state this at the server side(ie., you should ask
the client to send the certificate.) So to verify
the authenticity of the certifiacte you shud have the CA( who signed the
cert)in your list of trusted CAs .
I believe you need the following function..
SSL_CTX_set_verify()
I somewhere found that java does not support .pem
format keystore( but im not sure). If I am right and if you are using .pem
that might also be a reason.
Hope this helps,
Samy
sd = socket(AF_INET, SOCK_STREAM, 0);
int c = connect(sd, (struct sockaddr*) host_id , sizeof(host_id));
// By now, the SSL context is initialized and the TCP sockets are created.
// Now, SSLize the TCP sockets.
ssl = SSL_new(ctx);
// create SSL objects from the SSL context.
r = SSL_set_fd (ssl, sd);
// Associate the network connection with the
SSL
object.
int err = SSL_connect (ssl);
// Initiate the SSL handshake *FAILS
HERE
if (err = 0)
{
int
errcode = SSL_get_error(ssl, err);
switch(errcode)
{
/* other cases */
case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, SSL connect: Protocol
Error.); break;
}
}
Can anyone please tell me what is happenning?
Best regards,
Ambarish.
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
openssl-users@openssl.org
Automated List Manager
[EMAIL PROTECTED]
RE: SSL_connect fails with SSL_ERROR_SSL
Samy,
Thanksfor your reply. On the server side (Java), I have
explictly set client authentication to true.
ks.load(new
FileInputStream(KEYSTORE_FILE), passphrase);
kmf.init(ks,
passphrase);ctx.init(kmf.getKeyManagers(), null, null);ssf =
ctx.getServerSocketFactory();
sSocket =
(SSLServerSocket)ssf.createServerSocket(tcpPort, 10);//Creation of Server
SocketsSocket.setNeedClientAuth(true);//Needs
successful client
authentication
snip
So to verify
the authenticity of the certifiacte you shud have the CA(who signed the
cert)in your list of "trusted CAs ".
/snip
That CA cert is
in the keystore file already of the server side.
Also, I am not using .PEM certificates,
I am using what the keytool created, got the CSR signed.
-Original
Message-From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]On Behalf Of Samy
ThiyagarajanSent: Tuesday, January 31, 2006 4:03 PMTo:
openssl-users@openssl.orgSubject: Re: SSL_connect fails with
SSL_ERROR_SSLDear all,Using
openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2certs
- one for client and the other for the server. I have checked thatthese
certificates are ok.I am attempting to write a SSL client-server
program.SSL Server:- Java. It has a keystore, which contains the
server cert and theCA cert.SSL Client: C. In the program, using
appropraite openssl calls, I have addedthe cleint certificate, the private
key and the CA cert to the context.Please see the code
snippet. ... Initialization is successful, but the handshake fails. We first
create TCPsocket and then "connect" as shown below. Then, we call
SSL_connect, whichfails with SSL_ERROR_SSL. At this point, the Java server
outputsSSLException "No Trusted certificate". If you want client authentication, you need to explicitly
state this at the server side(ie., you should ask the client to send the certificate.) So to verify the authenticity
of the certifiacte you shud have the CA( who signed the cert)in your list of "
trusted CAs ". I believe you need the
following function.. SSL_CTX_set_verify() I
somewhere found that java does not support .pem format keystore( but im not
sure). If I am right and if you are using .pem that might also be a
reason. Hope this helps,
Samy
sd = socket(AF_INET, SOCK_STREAM, 0);
int c = connect(sd, (struct sockaddr*)
host_id , sizeof(host_id));// By now, the SSL context is
initialized and the TCP sockets are created.// Now, SSLize the TCP
sockets.ssl =
SSL_new(ctx);
// create SSL objects from the SSL
context.r =
SSL_set_fd (ssl, sd);
// Associate the
network connection with the SSLobject.
int err = SSL_connect (ssl);
// Initiate the SSL handshake
*FAILSHERE
if (err = 0)
{
int
errcode = SSL_get_error(ssl, err);
switch(errcode)
{
/* other cases */
case SSL_ERROR_SSL: LogMesg(logger, LOGFATAL, "SSL connect:
ProtocolError."); break;
}
}Can anyone please tell me what is happenning?Best
regards,Ambarish.__OpenSSL
Project
http://www.openssl.orgUser
Support Mailing List
openssl-users@openssl.orgAutomated List Manager
[EMAIL PROTECTED]
Re: SSL_connect fails with SSL_ERROR_SSL
Okay. The question is:
You have a CA. Did you encode the CA:true attribute in it?
You created a server certificate signed by that CA. How?
You created a client certificate signed by that CA. How?
You have loaded the CA certificate into the server's keystore, and
marked it 'trusted'. Have you verified that it exists correctly in
the server's keystore?
You have loaded the CA certificate into the client's keystore, and
marked it 'trusted'. Have you verified that it exists correctly in
the client's keystore?
Have you verified that the serial numbers on the certificates are not the same?
How did you verify that the certificates were okay?
Are there any requirements in Java's SSL implementation for specific
OIDs/extensions to be in the client certificate for it to be
recognized as such?
Do your certificates have 'version=3' properly encoded?
-Kyle H
On 1/31/06, Ambarish Mitra [EMAIL PROTECTED] wrote:
Samy,
Thanks for your reply. On the server side (Java), I have explictly set
client authentication to true.
ks.load(new FileInputStream(KEYSTORE_FILE), passphrase);
kmf.init(ks, passphrase);
ctx.init(kmf.getKeyManagers(), null, null);
ssf = ctx.getServerSocketFactory();
sSocket = (SSLServerSocket)ssf.createServerSocket(tcpPort,
10);//Creation of Server Socket
sSocket.setNeedClientAuth(true);//Needs successful client authentication
snip
So to verify the authenticity of the certifiacte you shud have the CA(who
signed the cert)in your list of trusted CAs .
/snip
That CA cert is in the keystore file already of the server side.
Also, I am not using .PEM certificates, I am using what the keytool created,
got the CSR signed.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Samy Thiyagarajan
Sent: Tuesday, January 31, 2006 4:03 PM
To: openssl-users@openssl.org
Subject: Re: SSL_connect fails with SSL_ERROR_SSL
Dear all,
Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2
certs - one for client and the other for the server. I have checked that
these certificates are ok.
I am attempting to write a SSL client-server program.
SSL Server:- Java. It has a keystore, which contains the server cert and the
CA cert.
SSL Client: C. In the program, using appropraite openssl calls, I have added
the cleint certificate, the private key and the CA cert to the context.
Please see the code snippet.
...
Initialization is successful, but the handshake fails. We first create TCP
socket and then connect as shown below. Then, we call SSL_connect, which
fails with SSL_ERROR_SSL. At this point, the Java server outputs
SSLException No Trusted certificate.
If you want client authentication, you need to explicitly state this at
the server side(ie., you should ask
the client to send the certificate.) So to verify the authenticity of the
certifiacte you shud have the CA( who signed the cert)in your list of
trusted CAs .
I believe you need the following function..
SSL_CTX_set_verify()
I somewhere found that java does not support .pem format keystore( but im
not sure). If I am right and if you are using .pem that might also be a
reason.
Hope this helps,
Samy
sd = socket(AF_INET, SOCK_STREAM, 0);
int c = connect(sd, (struct sockaddr*) host_id ,
sizeof(host_id));
// By now, the SSL context is initialized and the TCP sockets are created.
// Now, SSLize the TCP sockets.
ssl = SSL_new(ctx);
// create SSL objects from the SSL context.
r = SSL_set_fd (ssl, sd);
// Associate the network connection with the SSL
object.
int err = SSL_connect (ssl); // Initiate the
SSL handshake *FAILS
HERE
if (err = 0)
{
int errcode = SSL_get_error(ssl, err);
switch(errcode)
{
/* other cases */
case SSL_ERROR_SSL:
LogMesg(logger, LOGFATAL, SSL connect: Protocol
Error.); break;
}
}
Can anyone please tell me what is happenning?
Best regards,
Ambarish.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
RE: SSL_connect fails with SSL_ERROR_SSL
Kyle,
How to check CA:true attribute?
The server cert was signed by using the openssl utility sign-server-cert. It
is provided in the openssl link. Same for client cert. The server cert and
the CA cert was loaded into the keystore and using keytool utility, we
checked that it is okay.
On the client side, there is no keytool, but since it is in C, it is loaded
into the context programatically.
The cert serial numbers and the dates are verified to be okay. version = 3.
Ambarish.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kyle Hamilton
Sent: Tuesday, January 31, 2006 4:32 PM
To: openssl-users@openssl.org
Subject: Re: SSL_connect fails with SSL_ERROR_SSL
Okay. The question is:
You have a CA. Did you encode the CA:true attribute in it?
You created a server certificate signed by that CA. How?
You created a client certificate signed by that CA. How?
You have loaded the CA certificate into the server's keystore, and
marked it 'trusted'. Have you verified that it exists correctly in
the server's keystore?
You have loaded the CA certificate into the client's keystore, and
marked it 'trusted'. Have you verified that it exists correctly in
the client's keystore?
Have you verified that the serial numbers on the certificates are not the
same?
How did you verify that the certificates were okay?
Are there any requirements in Java's SSL implementation for specific
OIDs/extensions to be in the client certificate for it to be
recognized as such?
Do your certificates have 'version=3' properly encoded?
-Kyle H
On 1/31/06, Ambarish Mitra [EMAIL PROTECTED] wrote:
Samy,
Thanks for your reply. On the server side (Java), I have explictly set
client authentication to true.
ks.load(new FileInputStream(KEYSTORE_FILE), passphrase);
kmf.init(ks, passphrase);
ctx.init(kmf.getKeyManagers(), null, null);
ssf = ctx.getServerSocketFactory();
sSocket = (SSLServerSocket)ssf.createServerSocket(tcpPort,
10);//Creation of Server Socket
sSocket.setNeedClientAuth(true);//Needs successful client
authentication
snip
So to verify the authenticity of the certifiacte you shud have the CA(who
signed the cert)in your list of trusted CAs .
/snip
That CA cert is in the keystore file already of the server side.
Also, I am not using .PEM certificates, I am using what the keytool
created,
got the CSR signed.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Samy Thiyagarajan
Sent: Tuesday, January 31, 2006 4:03 PM
To: openssl-users@openssl.org
Subject: Re: SSL_connect fails with SSL_ERROR_SSL
Dear all,
Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2
certs - one for client and the other for the server. I have checked that
these certificates are ok.
I am attempting to write a SSL client-server program.
SSL Server:- Java. It has a keystore, which contains the server cert and
the
CA cert.
SSL Client: C. In the program, using appropraite openssl calls, I have
added
the cleint certificate, the private key and the CA cert to the context.
Please see the code snippet.
...
Initialization is successful, but the handshake fails. We first create TCP
socket and then connect as shown below. Then, we call SSL_connect, which
fails with SSL_ERROR_SSL. At this point, the Java server outputs
SSLException No Trusted certificate.
If you want client authentication, you need to explicitly state this at
the server side(ie., you should ask
the client to send the certificate.) So to verify the authenticity of the
certifiacte you shud have the CA( who signed the cert)in your list of
trusted CAs .
I believe you need the following function..
SSL_CTX_set_verify()
I somewhere found that java does not support .pem format keystore( but im
not sure). If I am right and if you are using .pem that might also be a
reason.
Hope this helps,
Samy
sd = socket(AF_INET, SOCK_STREAM, 0);
int c = connect(sd, (struct sockaddr*) host_id ,
sizeof(host_id));
// By now, the SSL context is initialized and the TCP sockets are created.
// Now, SSLize the TCP sockets.
ssl = SSL_new(ctx);
// create SSL objects from the SSL context.
r = SSL_set_fd (ssl, sd);
// Associate the network connection with the SSL
object.
int err = SSL_connect (ssl); // Initiate
the
SSL handshake *FAILS
HERE
if (err = 0)
{
int errcode = SSL_get_error(ssl, err);
switch(errcode)
{
/* other cases */
case SSL_ERROR_SSL:
LogMesg(logger, LOGFATAL, SSL connect: Protocol
Error.); break;
}
}
Can
Errors with firefox
Hello thereI've previously sent this to the mod_ssl list with no success. Sorry if you've seen it before:I have apache compiled on solaris with sun cc with mod_ssl- 2.8.25-1.3.34 and openssl-0.9.8a (I've also tried 0.9.7i and the nightly build).When accessing the site using Internet Explorer I have no problems. With Firefox the browser reports an 'incorrect Message Authentication Code' and the server logs report: [Mon Jan 23 13:13:54 2006] [error] mod_ssl: SSL handshake failed (server xxx:443, client xxx) (OpenSSL library error follows)[Mon Jan 23 13:13:54 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac I do have previous builds that 'work' ... but have been unable to determine precisely what change initiated this problem. It might be the release of openssl, it might also be the Sun compiler, which was now from studio 11 and was previously from an earlier version which I don't have access to any more. Any suggestions much appreciatedThanksMichael Smith
OpenSSL 0.9.8a dumps core in SSL_CTX_load_verify_locations()
hi
I'm having problems with the OpenSSL SSL_CTX_load_verify_locations()
routine dumping core on Solaris 8 (sparc, 64-bit). I first noticed
this problem with Apache mod_ssl but it can be reproduced with a
minimal standalone C program which calls SSL_CTX_load_verify_locations
().
I've only experienced this problem with one certain CA bundle file.
The problem doesn't appear with OpenSSL release 0.9.7e (and at least
d) but starting with f I'm getting core dumps (tested with i, g, f
and 0.9.8a).
Any ideas on what has changed between 0.9.7e and 0.9.7f that may be
causing this?
Here's the code for reproducing the problem:
/*
export PATH=/opt/local/gcc/4.0/bin:$PATH:/usr/ccs/bin:/opt/sfw/bin
export or=/home/aspa/tmp/openssl098a
coreadm -p core $$
gcc x509catest.c -g -m64 -I$or/include -L$or/lib -lssl -lcrypto -
lsocket -ldl
./a.out
*/
#include openssl/ssl.h
int main() {
char *capath=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt;
char *cafile;
cafile=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/bundle.crt;
cafile=/home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/ca-
bundle.crt;
SSL_load_error_strings();
SSL_library_init();
SSL_CTX *ctx = SSL_CTX_new(SSLv3_method());
int r = SSL_CTX_load_verify_locations(ctx, cafile, capath);
printf(SSL_CTX_load_verify_locations: %d\n,r);
}
Here's the stack backtrace from the core file:
#0 0x0001000639a8 in x509_object_cmp (a=value optimized out,
b=value optimized out) at x509_lu.c:161
161 ret=((*a)-type - (*b)-type);
(gdb) bt
#0 0x0001000639a8 in x509_object_cmp (a=value optimized out,
b=value optimized out) at x509_lu.c:161
#1 0x7ef53a9c in qsort () from /usr/lib/64/libc.so.1
#2 0x00010004d9ac in sk_sort (st=0x1002351a0) at stack.c:331
#3 0x00010004dac0 in sk_find (st=0x1002351a0, data=0x100291900
) at stack.c:227
#4 0x0001000640f4 in X509_OBJECT_retrieve_match (h=0x1002351a0,
x=0x100291900)
at x509_lu.c:460
#5 0x000100064354 in X509_STORE_add_cert (ctx=0x10021db80,
x=0x100257f70)
at x509_lu.c:344
#6 0x0001000663e8 in X509_load_cert_crl_file (ctx=0x1002354a0,
file=value optimized out, type=value optimized out) at
by_file.c:287
#7 0x000100066504 in by_file_ctrl (ctx=0x1002354a0, cmd=1,
argp=0x18 Address 0x18 out of bounds, argl=1, ret=0x0) at
by_file.c:120
#8 0x000100063858 in X509_LOOKUP_ctrl (ctx=0x0, cmd=1,
argc=0x1000d0210 /home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/
ca-bundle.crt,
argl=1, ret=0x0) at x509_lu.c:117
#9 0x000100060258 in X509_STORE_load_locations (ctx=0x10021db80,
file=0x1000d0210 /home/aspa/kronodoc/dev-3.4/httpd/conf/ssl.crt/
ca-bundle.crt,
path=0x1000d01a0 /home/aspa/kronodoc/dev-3.4/httpd/conf/
ssl.crt) at x509_d2.c:92
#10 0x000100023e64 in main () at x509catest.c:17
Here's the exact build procedure I'm using to build OpenSSL:
# build OpenSSL
export PATH=/opt/local/gcc/4.0/bin:$PATH:/usr/ccs/bin:/opt/sfw/bin
perl Configure solaris64-sparcv9-gcc no-idea no-shared -g -fPIC --
prefix=/home/aspa/tmp/openssl098a
gmake depend
gmake
gmake test
gmake install
--
aspa
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Evp_Encrypt_Init Segfault
I'm not much of an expert with any of this, but you may want to look at
some of the return values of some of the functions to make sure
everything is good, such as on EVP_EncryptFinal. Please take a look at
some code I did up last summer in C++ (but it is almost all C), located at
http://lunir.com/Encryption.cpp. The Function in particular would be int
Encryption::encrypt(std::ifstream istream, std::ofstream ostream). It
deals with streams but converts it all into cstrings, so it should
roughtly be the same. Hope this helps.
--
Matthew Clarkson
On Mon, 30 Jan 2006, Felix Dorner wrote:
Hi,
the following code executes once, and does fine. Calling the function a
second time gives a segfault during the call marked by --
unsigned char *encrypt_message(unsigned char *message, int inl, int *outl)
{
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(ctx);
--EVP_EncryptInit(ctx, EVP_bf_ecb(), NULL, NULL);
EVP_CIPHER_CTX_set_key_length(ctx, SHA_DIGEST_LENGTH);
EVP_EncryptInit(ctx, NULL, k, NULL);
char *ret;
int tmp, ol;
ol = 0;
ret = (char *)malloc(inl + EVP_CIPHER_CTX_block_size(ctx));
EVP_EncryptUpdate(ctx, ret[ol], tmp, message, inl);
ol = tmp;
EVP_EncryptFinal(ctx, ret[ol], tmp);
*outl = ol+tmp;
return ret;
}
Anything obvious that might lead to the segfault?
Thanks,
Felix
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
any information regarding adding DTLS using OpenSSL
Dear all, I am a student and am trying to setup a demonstration with TLS and DTLS support between a SIP client and a Proxy. Has anyone some information regarding adding DTLS support for a SIP client/Proxy or a more generic one using OpenSSL. I just need it for demonstration purposes and so error handling's if any need not be complete. Just a simple support and a demonstration of both would do fine. If anyone has any information regarding this, may be a how to start or any introductory article would be of great help, kindly let me know. This would be of great help. Any suggestions regarding the same are most welcome. kindly let me know and thank you very much. regards, Pjothi
OPENSSL for z/OS 1.4 ???
Hello ... where can I find OPENSSL for z/OS 1.4 ?? The IBM site directs me to the OPENSSL site but I do not see an OPENSSLversion specifically listed for z/OS ??? thanks so much for any info you can supply !!! marian
RE: OPENSSL for z/OS 1.4 ???
You should take the OpenSSL tar file for the version you want. All the materials you need are there. once you un-tar, you should use the command./Confgure OS390-Unix, and then make. I would recommend Perl 5.6.1, and you need GNU make. Dave McLellan --Consulting Software Engineer - SPEA Engineering EMC Corporation 228 South St. Mail Stop: 228 LL/AA-24 Hopkinton, MA 01748 USA +1-508-249-1257 F: +1-508-497-8030 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MarianSent: Tuesday, January 31, 2006 12:52 PMTo: openssl-users@openssl.orgSubject: OPENSSL for z/OS 1.4 ??? Hello ... where can I find OPENSSL for z/OS 1.4 ?? The IBM site directs me to the OPENSSL site but I do not see an OPENSSLversion specifically listed for z/OS ??? thanks so much for any info you can supply !!! marian
SSL_METHOD
It appears that the SSL_METHOD functions don't allow a server to accept connections using either SSL or TLS, so it has to be either one or the other. Does anyone have a work around to allow both SSL and TLS connections to be accepted? -Chris Clark __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
Hello, I am trying to obtain a MIME version of an S/MIME message...I can sign and verify e-mail messages with the libraries provided. However when I don't want to verify and I just want to receive the text with MIME headers, it fails. It works fine when there is a valid certificate, but if I don't have a valid certificate/or don't use a certificate, it returns 0. I just want to view it in NON-S/MIME I am not concerned about the signature, because that works... Here is the function I am trying to use: cout PKCS7_verify(pkcs7, NULL, NULL, pkcs7BIO, outBIO, PKCS7_NOVERIFY|PKCS7_NOSIGS|PKCS7_TEXT) endl; I get the following errors from ERR: SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed PKCS7_verify:smime text error:pk7_smime.c:250 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
On Tue, Jan 31, 2006, Chevalier, Victor T. wrote: Hello, I am trying to obtain a MIME version of an S/MIME message...I can sign and verify e-mail messages with the libraries provided. However when I don't want to verify and I just want to receive the text with MIME headers, it fails. It works fine when there is a valid certificate, but if I don't have a valid certificate/or don't use a certificate, it returns 0. I just want to view it in NON-S/MIME I am not concerned about the signature, because that works... Here is the function I am trying to use: cout PKCS7_verify(pkcs7, NULL, NULL, pkcs7BIO, outBIO, PKCS7_NOVERIFY|PKCS7_NOSIGS|PKCS7_TEXT) endl; I get the following errors from ERR: SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed PKCS7_verify:smime text error:pk7_smime.c:250 As the docs say PKCS7_TEXT expects text headers. If you that isn't true don't use that flag. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL_METHOD
On Tue, Jan 31, 2006, Chris Clark wrote: It appears that the SSL_METHOD functions don't allow a server to accept connections using either SSL or TLS, so it has to be either one or the other. Have you tried SSLv23_server_method()? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: CVSNT sserver SSL error
Your client is trying to use SSLv2, or SSLv3, and the server is configured to not allow that protocol. (Or, the server isn't configured to use any protocol.) I don't know the specifics of how to configure what you're doing, but I do know that there are environment variables available to specify what protocol versions to accept. -Kyle H On 1/31/06, Jason Williard [EMAIL PROTECTED] wrote: I just installed CVSNT 2.5.03.2151 on a Red Hat Enterprise 4 server. OpenSSL was previously installed with prefix /usr. When I attempt to connect using TortoiseCVS, I get the following error: SSL connection failed (-1): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number cvs.exe [import aborted]: Connection to server failed Does anyone know what could be wrong? Thank You, Jason Williard I considered this as a possibility. The part that doesn't make sense is that I was under the belief that OpenSSL v0.9.7i supports both SSLv2 SSLv3. Is this correct? Thank You, Jason Williard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CVSNT sserver SSL error
On 1/31/06, Jason Williard [EMAIL PROTECTED] wrote: I considered this as a possibility. The part that doesn't make sense is that I was under the belief that OpenSSL v0.9.7i supports both SSLv2 SSLv3. Is this correct? It does, yes, but by default there's no ciphers or protocol versions enabled. (It also supports TLSv1.) They have to be explicitly enabled -- and a server certificate installed on the server -- before SSL can be used at all. You need to check the documentation for cvsNT to see how to properly configure it. -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
The headers are text...and it works when there is a certificate present and I do a normal verify, but when I just want to spit it out, no go...any ideas? Victor -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Tuesday, January 31, 2006 2:02 PM To: openssl-users@openssl.org Subject: Re: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS On Tue, Jan 31, 2006, Chevalier, Victor T. wrote: Hello, I am trying to obtain a MIME version of an S/MIME message...I can sign and verify e-mail messages with the libraries provided. However when I don't want to verify and I just want to receive the text with MIME headers, it fails. It works fine when there is a valid certificate, but if I don't have a valid certificate/or don't use a certificate, it returns 0. I just want to view it in NON-S/MIME I am not concerned about the signature, because that works... Here is the function I am trying to use: cout PKCS7_verify(pkcs7, NULL, NULL, pkcs7BIO, outBIO, PKCS7_NOVERIFY|PKCS7_NOSIGS|PKCS7_TEXT) endl; I get the following errors from ERR: SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed PKCS7_verify:smime text error:pk7_smime.c:250 As the docs say PKCS7_TEXT expects text headers. If you that isn't true don't use that flag. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
On Tue, Jan 31, 2006, Chevalier, Victor T. wrote: The headers are text...and it works when there is a certificate present and I do a normal verify, but when I just want to spit it out, no go...any ideas? Well the error messages suggests it is type multipart/mixed. Does the smime utility do the same? Can you post an example message? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Evp_Encrypt_Init Segfault
I somehow corrupted the ctx object by overshooting the malloced area as Mark had pointed out. The problem is solved now, thanks, felix __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: any information regarding adding DTLS using OpenSSL
Dear Pjothi, Making an application TLS aware/TLS enabled is not much trouble once you have access to the source code. You have to set up the SSL/TLS server with proper X.509 certificate and corresponding private key, specify which protocol(in your case TLS v1) you want to use and then call SSL_accept() at the server side. In the client side you would have to call an SSL_connect() which would take care of the SSL/TLS handshake. After that all you have to do is replace all send/write with SSL_write() and all read/recv with SSL_read(). There are a few examples for you to get started. For generating X.509 certificates you can use the openssl command line tool or get a readymade keypair. Here are links that will help you in this endeavor. http://www.rtfm.com/sslbook/examples/c-examples.tar.gz http://www.opensslbook.com/NSwO-1.3.tar.gz I have no idea about DTLS. This website seems to give some info. http://crypto.stanford.edu/~nagendra/projects/dtls/dtls.html Once you get familiarised with TLS DTLS should not be much different I guess. All the best! regards, Girish --- Pjothi [EMAIL PROTECTED] wrote: Dear all, I am a student and am trying to setup a demonstration with TLS and DTLS support between a SIP client and a Proxy. Has anyone some information regarding adding DTLS support for a SIP client/Proxy or a more generic one using OpenSSL. I just need it for demonstration purposes and so error handling's if any need not be complete. Just a simple support and a demonstration of both would do fine. If anyone has any information regarding this, may be a how to start or any introductory article would be of great help, kindly let me know. This would be of great help. Any suggestions regarding the same are most welcome. kindly let me know and thank you very much. regards, Pjothi __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
OpenSSL on OpenBSD - complexities?
Hello, We are planning on using OpenSSL on an OpenBSD 3.8 platform to generate RSA key pairs, sign them with our own CA and embed them in hard tokens. I notice a question in the FAQ: ''Why does OpenBSD-i386 build fail on des-586.s with 'Unimplemented segment type'?'' The answer makes me wonder: are there complexities to this combination (OpenBSD/OpenSSL) that we should know about? Thanks in advance. -- Wes Kussmaul CIO The Village Group 738 Main Street Waltham, MA 02451 781-647-7178 My uncle likes to say that the world’s biggest troubles started when the serpent said, “Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” I don’t get the serpent and fruit part. Must be some Swiss mythology thing. He can be a bit obscure. P.K. Iggy _How I Like Fixed The Internet_ (Tales from the Great Infodepression of 2009 and the prosperity that followed) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: any information regarding adding DTLS using OpenSSL
The problem is this: DTLS code exists in OpenSSL somewhere, but it's not documented. -Kyle H On 1/31/06, Girish Venkatachalam [EMAIL PROTECTED] wrote: Dear Pjothi, Making an application TLS aware/TLS enabled is not much trouble once you have access to the source code. You have to set up the SSL/TLS server with proper X.509 certificate and corresponding private key, specify which protocol(in your case TLS v1) you want to use and then call SSL_accept() at the server side. In the client side you would have to call an SSL_connect() which would take care of the SSL/TLS handshake. After that all you have to do is replace all send/write with SSL_write() and all read/recv with SSL_read(). There are a few examples for you to get started. For generating X.509 certificates you can use the openssl command line tool or get a readymade keypair. Here are links that will help you in this endeavor. http://www.rtfm.com/sslbook/examples/c-examples.tar.gz http://www.opensslbook.com/NSwO-1.3.tar.gz I have no idea about DTLS. This website seems to give some info. http://crypto.stanford.edu/~nagendra/projects/dtls/dtls.html Once you get familiarised with TLS DTLS should not be much different I guess. All the best! regards, Girish --- Pjothi [EMAIL PROTECTED] wrote: Dear all, I am a student and am trying to setup a demonstration with TLS and DTLS support between a SIP client and a Proxy. Has anyone some information regarding adding DTLS support for a SIP client/Proxy or a more generic one using OpenSSL. I just need it for demonstration purposes and so error handling's if any need not be complete. Just a simple support and a demonstration of both would do fine. If anyone has any information regarding this, may be a how to start or any introductory article would be of great help, kindly let me know. This would be of great help. Any suggestions regarding the same are most welcome. kindly let me know and thank you very much. regards, Pjothi __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
