[no subject]
Hello!

I'm developing an application for requesting certificates at a Microsoft CA. I use the openssl libraries to build my certificate request. The request to the MS CA needs the enroll certtype extension (OID 1.3.6.1.4.1.311.20.2) where I put the name of the certificate template in.

I've already put the extension in the right place using X509_EXTENSION_create_by_NID(), sk_X509_EXTENSION_push() and X509_REQ_add_extensions_nid().

Now the problem is that the value is inserted as an OCTET STRING. But I want to set it as a BMPSTRING. Whatever I tried, the value always comes as octet string in my request. The problem seems to be that the Extension structure only takes octet strings, so I think that the bmpstring has to be set as some kind of subfield?!

Can anybody tell me how to set a BMPSTRING in my extension?

Thanks.
Michael

__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           [EMAIL PROTECTED]
[no subject]
In message [EMAIL PROTECTED] on Mon, 12 Feb 2007 11:34:22 +0100, Michael Leuchtner [EMAIL PROTECTED] said:

mleuchtner> The request to the MS CA needs the enroll certtype extension (OID
mleuchtner> 1.3.6.1.4.1.311.20.2) where I put the name of the certificate template
mleuchtner> in.
mleuchtner> I've already put the extension in the right place using
mleuchtner> X509_EXTENSION_create_by_NID(), sk_X509_EXTENSION_push() and
mleuchtner> X509_REQ_add_extensions_nid().
mleuchtner> Now the problem is that the value is inserted as an OCTET STRING. But I
mleuchtner> want to set it as a BMPSTRING. Whatever I tried, the value always
mleuchtner> comes as octet string in my request. The problem seems to be that the
mleuchtner> Extension structure only takes octet strings, so I think that the
mleuchtner> bmpstring has to be set as some kind of subfield?!
mleuchtner>
mleuchtner> Can anybody tell me how to set a BMPSTRING in my extension?

The way X.509 extensions work, the whole structure of the value resides in that OCTET STRING. What you need to figure out is the structure of the value and how to populate it. This may mean that you have to ask Microsoft.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
BMPSTRING in extensions
Ok, I think I know the structure of the value. When I look at a Microsoft style request sample with the openssl command line tool, I get the following output:

    ...
    362:d=6 hl=2 l= 51 cons: SEQUENCE
    364:d=7 hl=2 l= 9 prim: OBJECT:1.3.6.1.4.1.311.20.2
    375:d=7 hl=2 l= 38 prim: OCTET STRING
    415:d=3 hl=3 l= 241 cons: SEQUENCE
    418:d=4 hl=2 l= 10 prim: OBJECT:1.3.6.1.4.1.311.13.2.2
    430:d=4 hl=3 l= 226 cons: SET
    433:d=5 hl=3 l= 223 cons: SEQUENCE
    436:d=6 hl=2 l= 1 prim: INTEGER :02
    439:d=6 hl=2 l= 78 prim: BMPSTRING
    519:d=6 hl=3 l= 137 prim: BIT STRING
    659:d=1 hl=2 l= 13 cons: SEQUENCE
    661:d=2 hl=2 l= 9 prim: OBJECT:sha1WithRSAEncryption
    672:d=2 hl=2 l= 0 prim: NULL
    674:d=1 hl=3 l= 129 prim: BIT STRING
    OpenSSL> asn1parse -in testcert.txt -strparse 375
    0:d=0 hl=2 l= 36 prim: BMPSTRING
    OpenSSL>

So it seems that I have to add a BMPSTRING as a subfield of the OCTET STRING. But how can I do that?!

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]
Sent: Monday, 12 February 2007 12:55
To: openssl-users@openssl.org; Michael Leuchtner
Subject:

In message [EMAIL PROTECTED] on Mon, 12 Feb 2007 11:34:22 +0100, Michael Leuchtner [EMAIL PROTECTED] said:

mleuchtner> The request to the MS CA needs the enroll certtype extension (OID
mleuchtner> 1.3.6.1.4.1.311.20.2) where I put the name of the certificate template
mleuchtner> in.
mleuchtner> I've already put the extension in the right place using
mleuchtner> X509_EXTENSION_create_by_NID(), sk_X509_EXTENSION_push() and
mleuchtner> X509_REQ_add_extensions_nid().
mleuchtner> Now the problem is that the value is inserted as an OCTET STRING. But I
mleuchtner> want to set it as a BMPSTRING. Whatever I tried, the value always
mleuchtner> comes as octet string in my request. The problem seems to be that the
mleuchtner> Extension structure only takes octet strings, so I think that the
mleuchtner> bmpstring has to be set as some kind of subfield?!
mleuchtner>
mleuchtner> Can anybody tell me how to set a BMPSTRING in my extension?

The way X.509 extensions work, the whole structure of the value resides in that OCTET STRING. What you need to figure out is the structure of the value and how to populate it. This may mean that you have to ask Microsoft.

Cheers,
Richard

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Verify a Certificate
Hello,

I have a secure connection with a buffered BIO, and after the connection is established, I want to verify (on the Client) the Server's certificate with a Root-CA. How can I do this with openssl?

Thanks in advance,
Markus
Re: BMPSTRING in extensions
On Mon, Feb 12, 2007, Michael Leuchtner wrote:

> Ok, I think I know the structure of the value. When I look at a Microsoft
> style request sample with the openssl command line tool, I get the following
> output:
>
>     ...
>     362:d=6 hl=2 l= 51 cons: SEQUENCE
>     364:d=7 hl=2 l= 9 prim: OBJECT:1.3.6.1.4.1.311.20.2
>     375:d=7 hl=2 l= 38 prim: OCTET STRING
>     415:d=3 hl=3 l= 241 cons: SEQUENCE
>     418:d=4 hl=2 l= 10 prim: OBJECT:1.3.6.1.4.1.311.13.2.2
>     430:d=4 hl=3 l= 226 cons: SET
>     433:d=5 hl=3 l= 223 cons: SEQUENCE
>     436:d=6 hl=2 l= 1 prim: INTEGER :02
>     439:d=6 hl=2 l= 78 prim: BMPSTRING
>     519:d=6 hl=3 l= 137 prim: BIT STRING
>     659:d=1 hl=2 l= 13 cons: SEQUENCE
>     661:d=2 hl=2 l= 9 prim: OBJECT:sha1WithRSAEncryption
>     672:d=2 hl=2 l= 0 prim: NULL
>     674:d=1 hl=3 l= 129 prim: BIT STRING
>     OpenSSL> asn1parse -in testcert.txt -strparse 375
>     0:d=0 hl=2 l= 36 prim: BMPSTRING
>     OpenSSL>
>
> So it seems that I have to add a BMPSTRING as a subfield of the OCTET STRING.
> But how can I do that?!

Create a BMPSTRING, generate its encoding with i2d_BMPSTRING and make that the content of the OCTET STRING.

If you are using the file based extension functions in OpenSSL you can make use of its mini-ASN1 compiler to achieve the same result.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: BMPSTRING in extensions
In message [EMAIL PROTECTED] on Mon, 12 Feb 2007 13:24:25 +0100, Michael Leuchtner [EMAIL PROTECTED] said:

mleuchtner> 362:d=6 hl=2 l= 51 cons: SEQUENCE
mleuchtner> 364:d=7 hl=2 l= 9 prim: OBJECT:1.3.6.1.4.1.311.20.2
mleuchtner> 375:d=7 hl=2 l= 38 prim: OCTET STRING
[...]
mleuchtner> OpenSSL> asn1parse -in testcert.txt -strparse 375
mleuchtner> 0:d=0 hl=2 l= 36 prim: BMPSTRING
mleuchtner> OpenSSL>
mleuchtner>
mleuchtner> So it seems that I have to add a BMPSTRING as a subfield
mleuchtner> of the OCTET STRING. But how can I do that?!

It's more embedding a BMPSTRING in the OCTET STRING than anything else. You create and populate an OCTET_STRING like so:

    ASN1_OCTET_STRING *aos = ASN1_OCTET_STRING_new();
    ASN1_OCTET_STRING_set(aos, YourBMPString, YourBMPStringLength);

Then you create the extension itself (assuming you already have a NID for that OID):

    X509_EXTENSION *xext = X509_EXTENSION_create_by_NID(NULL, YourNID, 0, aos);

Finally, add it to the certificate you create like so:

    /* loc is the position in the extension list; -1 appends */
    X509_add_ext(x509, xext, loc);

TOTALLY UNTESTED! I leave the rest to you.

Cheers,
Richard

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
RE: Library loading issue on multi processor Windows 2003
Luc,

Have you implemented the CRYPTO locking callbacks?

Mark
Re: Verify a Certificate
Hello,

> I have a secure connection with a buffered BIO, and after the connection is
> established, I want to verify (on the Client) the Server's certificate with a
> Root-CA. How can I do this with openssl?

With functions like:

    cert = SSL_get_peer_certificate(ssl);
    X509_STORE_load_locations(CAcerts, file, NULL);
    X509_STORE_CTX_init(ca_ctx, CAcerts, cert, NULL);
    X509_verify_cert(ca_ctx);

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
Re: Library loading issue on multi processor Windows 2003
Mark wrote:

> Luc,
>
> Have you implemented the CRYPTO locking callbacks?
>
> Mark

Well, my sample code is so simple that I did not think to implement them. Nevertheless, it works really fine on ANY platform it has been tested, BUT under quadri Xeon Windows 2003.

As a matter of fact, there is NO multithreading involved in my test. ONLY multi processing. As far as I understood, the crypto locking callbacks are useful only when multi threading is involved.

Then, do you really think the crypto locking callbacks can do anything for me?

Well, I'll try to extract mttest.c corresponding code to do some more tests ...

-- 
alea+
Luc
Re: Verify a Certificate
On Mon, Feb 12, 2007, Marek Marcola wrote:

> Hello,
> > I have a secure connection with a buffered BIO, and after the connection is
> > established, I want to verify (on the Client) the Server's certificate with a
> > Root-CA. How can I do this with openssl?
> With functions like:
>     cert = SSL_get_peer_certificate(ssl);
>     X509_STORE_load_locations(CAcerts, file, NULL);
>     X509_STORE_CTX_init(ca_ctx, CAcerts, cert, NULL);
>     X509_verify_cert(ca_ctx);

You would additionally have to set an appropriate purpose (SSL server typically) and include the whole chain, not just the peer certificate.

That is handled automatically if verification is enabled on the SSL context itself.

The host name should also be verified against the certificate.

Steve.
-- 
Dr Stephen N. Henson.
RE: Library loading issue on multi processor Windows 2003
Hi Luc,

> Mark wrote:
> > Have you implemented the CRYPTO locking callbacks?
>
> Well, my sample code is so simple that I did not think to implement
> them. Nevertheless, it works really fine on ANY platform it has been
> tested, BUT under quadri Xeon Windows 2003.
> As a matter of fact, there is NO multithreading involved in my test.
> ONLY multi processing. As far as I understood, the crypto locking
> callbacks are useful only when multi threading is involved.
> Then, do you really think the crypto locking callbacks can do anything
> for me?
> Well, I'll try to extract mttest.c corresponding code to do some more
> tests ...

I'm not an expert in OpenSSL but AFAIK OpenSSL uses threads internally and the locking callbacks are necessary to synchronise its internal data. Perhaps someone else can clarify this?

Mark
RE: Library loading issue on multi processor Windows 2003
Hello,

> > Mark wrote:
> > > Have you implemented the CRYPTO locking callbacks?
> >
> > Well, my sample code is so simple that I did not think to implement
> > them. Nevertheless, it works really fine on ANY platform it has been
> > tested, BUT under quadri Xeon Windows 2003.
> > As a matter of fact, there is NO multithreading involved in my test.
> > ONLY multi processing. As far as I understood, the crypto locking
> > callbacks are useful only when multi threading is involved.
> > Then, do you really think the crypto locking callbacks can do anything
> > for me?
> > Well, I'll try to extract mttest.c corresponding code to do some more
> > tests ...
>
> I'm not an expert in OpenSSL but AFAIK OpenSSL uses threads internally
> and the locking callbacks are necessary to synchronise its internal
> data. Perhaps someone else can clarify this?

OpenSSL does not use threads internally and if you don't use threads too in your program then there is no need to implement static locking callback (for example for daemon working in fork() mode).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
AW: BMPSTRING in extensions
Seems I do something wrong when I create/convert my BMPSTRING. When I create my certificate request I always get an octet string value (FD FD FD FD AB AB AB AB AB AB AB AB ) but no embedded bmpstring. Strange thing is, when I alternate the string (myTemplate) to another string (of the same length) the octet value (FD FD ...) doesn't change. What's wrong? Here's my code:

    ...
    char* t = myTemplate;
    nid = OBJ_create("1.3.6.1.4.1.311.20.2", szOID_ENROLL_CERTTYPE_EXTENSION, szOID_ENROLL_CERTTYPE_EXTENSION);
    ASN1_BMPSTRING* str = ASN1_BMPSTRING_new();
    ASN1_STRING_set(str, (unsigned char*)t, strlen(t));
    int size = i2d_ASN1_BMPSTRING(str, NULL);
    unsigned char *oStr = (unsigned char*)malloc(size);
    i2d_ASN1_BMPSTRING(str, oStr);
    ASN1_OCTET_STRING *aos = ASN1_OCTET_STRING_new();
    ASN1_STRING_set(aos, oStr, size);
    ext = X509_EXTENSION_create_by_NID(NULL, nid, 0, aos);
    sk_X509_EXTENSION_push(exts, ext);
    ...

Thanks!
Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Dr. Stephen Henson
Sent: Monday, 12 February 2007 13:43
To: openssl-users@openssl.org
Subject: Re: BMPSTRING in extensions

On Mon, Feb 12, 2007, Michael Leuchtner wrote:

> Ok, I think I know the structure of the value. When I look at a Microsoft
> style request sample with the openssl command line tool, I get the following
> output:
>
>     ...
>     362:d=6 hl=2 l= 51 cons: SEQUENCE
>     364:d=7 hl=2 l= 9 prim: OBJECT:1.3.6.1.4.1.311.20.2
>     375:d=7 hl=2 l= 38 prim: OCTET STRING
>     415:d=3 hl=3 l= 241 cons: SEQUENCE
>     418:d=4 hl=2 l= 10 prim: OBJECT:1.3.6.1.4.1.311.13.2.2
>     430:d=4 hl=3 l= 226 cons: SET
>     433:d=5 hl=3 l= 223 cons: SEQUENCE
>     436:d=6 hl=2 l= 1 prim: INTEGER :02
>     439:d=6 hl=2 l= 78 prim: BMPSTRING
>     519:d=6 hl=3 l= 137 prim: BIT STRING
>     659:d=1 hl=2 l= 13 cons: SEQUENCE
>     661:d=2 hl=2 l= 9 prim: OBJECT:sha1WithRSAEncryption
>     672:d=2 hl=2 l= 0 prim: NULL
>     674:d=1 hl=3 l= 129 prim: BIT STRING
>     OpenSSL> asn1parse -in testcert.txt -strparse 375
>     0:d=0 hl=2 l= 36 prim: BMPSTRING
>     OpenSSL>
>
> So it seems that I have to add a BMPSTRING as a subfield of the OCTET STRING.
> But how can I do that?!

Create a BMPSTRING, generate its encoding with i2d_BMPSTRING and make that the content of the OCTET STRING.

If you are using the file based extension functions in OpenSSL you can make use of its mini-ASN1 compiler to achieve the same result.

Steve.
-- 
Dr Stephen N. Henson.
Re: Library loading issue on multi processor Windows 2003
Marek Marcola wrote:

> Hello,
>
> > Mark wrote:
> > I'm not an expert in OpenSSL but AFAIK OpenSSL uses threads internally
> > and the locking callbacks are necessary to synchronise its internal
> > data. Perhaps someone else can clarify this?
>
> OpenSSL does not use threads internally and if you don't use threads
> too in your program then there is no need to implement static
> locking callback (for example for daemon working in fork() mode).
>
> Best regards,

Thanks Marek!

That's what I've just understood closely comparing my small sample and crypto/threads/mttest.c. But, so far, that does not solve nor explain the found issue. Is there anyone up there with an idea of how to close it?

Some tests around compiling openssl libs with some specific flags for VC7 compiler are on the fly. But they will probably take some time to converge (if ever). So any help will be welcome.

-- 
alea+
Luc
Re: BMPSTRING in extensions
On Mon, Feb 12, 2007, Michael Leuchtner wrote:

> Seems I do something wrong when I create/convert my BMPSTRING. When I create
> my certificate request I always get an octet string value (FD FD FD FD AB AB
> AB AB AB AB AB AB ) but no embedded bmpstring. Strange thing is, when I
> alternate the string (myTemplate) to another string (of the same length) the
> octet value (FD FD ...) doesn't change. What's wrong? Here's my code:
>
>     ...
>     char* t = myTemplate;
>     nid = OBJ_create("1.3.6.1.4.1.311.20.2", szOID_ENROLL_CERTTYPE_EXTENSION, szOID_ENROLL_CERTTYPE_EXTENSION);
>     ASN1_BMPSTRING* str = ASN1_BMPSTRING_new();
>     ASN1_STRING_set(str, (unsigned char*)t, strlen(t));
>     int size = i2d_ASN1_BMPSTRING(str, NULL);
>     unsigned char *oStr = (unsigned char*)malloc(size);
>     i2d_ASN1_BMPSTRING(str, oStr);

The above call is wrong: read the FAQ.

Steve.
-- 
Dr Stephen N. Henson.
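The value layout this thread arrives at (a complete BMPSTRING encoding carried as the content of the extension's OCTET STRING), written out byte by byte as an added example that is not part of the original messages and does not use the OpenSSL API. The function names and the template name are hypothetical; an 18-character name is used so the lengths match the asn1parse output quoted above (OCTET STRING l=38, BMPSTRING l=36).

```c
/* Added example: DER bytes for the certificate-template extension value.
 * Function names and the template name are hypothetical, not from the thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_OCTET_STRING 0x04
#define TAG_BMPSTRING    0x1E

/* Write tag + definite DER length; returns header size, 0 if it does not fit. */
static size_t der_header(uint8_t *out, size_t cap, uint8_t tag, size_t len)
{
    uint8_t rev[sizeof(size_t)];
    size_t n = 0, i;

    if (len < 0x80) {                       /* short form: one length byte */
        if (cap < 2) return 0;
        out[0] = tag;
        out[1] = (uint8_t)len;
        return 2;
    }
    for (i = len; i > 0; i >>= 8)           /* long form: 0x80|n, then n bytes */
        rev[n++] = (uint8_t)(i & 0xFF);
    if (cap < 2 + n) return 0;
    out[0] = tag;
    out[1] = (uint8_t)(0x80 | n);
    for (i = 0; i < n; i++)
        out[2 + i] = rev[n - 1 - i];        /* length bytes are big-endian */
    return 2 + n;
}

/* BMPSTRING content is two bytes per character, big-endian (UCS-2).
 * Only 7-bit ASCII names are accepted here; anything else returns 0. */
size_t encode_bmpstring(const char *name, uint8_t *out, size_t cap)
{
    size_t chars = strlen(name), hl, i;

    for (i = 0; i < chars; i++)
        if ((unsigned char)name[i] > 0x7F) return 0;
    hl = der_header(out, cap, TAG_BMPSTRING, chars * 2);
    if (hl == 0 || cap - hl < chars * 2) return 0;
    for (i = 0; i < chars; i++) {
        out[hl + 2 * i] = 0x00;
        out[hl + 2 * i + 1] = (uint8_t)name[i];
    }
    return hl + chars * 2;
}

/* The extension value: the complete BMPSTRING encoding (tag and length
 * included) becomes the content of the OCTET STRING. */
size_t encode_certtype_value(const char *name, uint8_t *out, size_t cap)
{
    uint8_t inner[512];
    size_t n = encode_bmpstring(name, inner, sizeof inner), hl;

    if (n == 0) return 0;
    hl = der_header(out, cap, TAG_OCTET_STRING, n);
    if (hl == 0 || cap - hl < n) return 0;
    memcpy(out + hl, inner, n);
    return hl + n;
}

int main(void)
{
    uint8_t buf[64];
    /* Constructed 18-character name, the same length as in the posted dump. */
    size_t n = encode_certtype_value("ExampleTemplate123", buf, sizeof buf), i;

    for (i = 0; i < n; i++)
        printf("%02X%s", buf[i], (i + 1) % 16 ? " " : "\n");
    printf("\n");
    return n == 40 ? 0 : 1;
}
```

ASN1_STRING_set() copies the bytes it is given unchanged, so a BMPSTRING filled from an 8-bit `char*` holds one byte per character instead of the two shown here.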
VeriSign Payflow Pro Configuration
I am a new user to OpenSSL and I am trying to get our Payflow Pro account to accept transaction using XMLPay. I keep getting a certificate error:

Could not verify the first certificate

I am trying to send the transaction from X-Cart Shopping Cart Software with the following command:

C:\OpenSSL\bin\openssl.exe s_client -connect test-payflow.verisign.com:443 -quiet C:\path\to\xct956.tmp 2C:\path\to\xct957.tmp

I have tried adding -CApath C:\path\to\payflow\cert, but this does not work either. Anybody have any ideas?

Ken Vandegrift
[EMAIL PROTECTED]
Web Administrator
Sharis Mgmt. Corp
Re: OpenSSL crashes in verify with this specific file.
Steffen Lips wrote:

> Hi Kyle,
>
> I am using version 0.9.8c. I know that the verifying is ok when using
> -inform DER, because the format is DER. But when using -inform SMIME,
> OpenSSL normally exits normally with some error messages. But with this
> file openssl crashes. This happens in PKCS7_read_SMIME(). I would expect
> that this procedure would return NULL (what it does normally), but not
> that it crashes (what happens with this special file).

Could you please file a bug report at rt.openssl.org for this problem?

Cheers,
Nils
BIO_read(), SSL_read(), return values
Hi,

I have a question. I have multithread system, with non blocking I/O and perhaps 100 connections to servers. I have a special thread, that waits on select(). When it returns me, that I have some data for reading, I start the reading for every connection. When the select throws me timeout, I start the reading too, because it's possible that some data came, while I was doing previous reading.

I have two types of connection. One TCP, where I use for reading the BIO_read function and one TLS where I use the SSL_read function.

Now I have this problem. When I try to read data from some connection, it is possible, that there is not any data. I have read, that when there is not any data, the BIO_read function throws me 0 or -1, but these return values can mean error too. How can I recognize, that this means, that I read only 0b of data?

And I have the similar problem with SSL_read. I use SSL_get_error function to determine what happen in reading, but I haven't found what error code it returns me, when I read no data? Will it be SSL_ERROR_NONE or SSL_ERROR_ZERO_RETURN?

I apologize for my English. Thanks for answer.

Milan Křápek
RE: BIO_read(), SSL_read(), return values
> Hi, I have a question. I have multithread system, with non blocking
> I/O and perhaps 100 connections to servers. I have a special thread,
> that waits on select(). When it returns me, that I have some data for
> reading, I start the reading for every connection.

That's not particularly efficient. You could look at the 'select' set returned and only read on the connections where data was received.

> When the select throws me timeout, I start the reading too, because
> it's possible that some data came, while I was doing previous reading.

The 'select' function doesn't only return if the operation becomes possible while you're blocked in 'select'. It's a status-reporting function. If you get a timeout, it means that none of the operations you tested for could complete.

However, this type of coding is very defensive and saves you from having to correctly handle some complicated cases. So you may encounter problems if you try to change it, and then incorrectly think it's because data arrived during the read.

For example, suppose you call SSL_write, and during the write process, some data is read from the socket. A call to 'select' won't indicate a read can succeed on the socket because the data was already read, but an SSL_read might have some data for you.

> I have two types of connection. One TCP, where I use for reading the
> BIO_read function and one TLS where I use the SSL_read function.
> Now I have this problem. When I try to read data from some connection,
> it is possible, that there is not any data. I have read, that when
> there is not any data, the BIO_read function throws me 0 or -1, but
> these return values can mean error too.

Zero means normal termination of the connection. Only negative return values indicate an error.

> How can I recognize, that this means, that I read only 0b of data?

BIO_should_retry.

> And I have the similar problem with SSL_read. I use SSL_get_error
> function to determine what happen in reading, but I haven't found what
> error code it returns me, when I read no data? Will it be
> SSL_ERROR_NONE or SSL_ERROR_ZERO_RETURN?

SSL_ERROR_NONE means the operation completed successfully. SSL_ERROR_ZERO_RETURN means the connection closed normally. The cases that mean you need to 'select' are SSL_WANT_READ or SSL_WANT_WRITE.

Getting an SSL_WANT_READ or SSL_WANT_WRITE are the *only* cases where you should wait for a 'select' hit before calling SSL_read or SSL_write. And after a 'select' hit in either direction, you should retry both a read or a write operation that you deferred.

DS
Re: Extracting Public Key from .CER file
Hello,

I want to use the Open SSL function call to extract the Public Key from the Manufacturers X.509 Certificate, which is in the .CER format. Could someone please advise me?

Thanks
Regards