RE: Create cert with SHA1: now unexplained window-full and RST?

2011-05-09
>   Firstly I apologize for my insistence about this topic but it is
> very important to me.

>   I cleared my head a little and I'm exposing my issue again:

>   There is a client machine integrated in LDAP server (389 DS). 

(Language nit: connected to, maybe integrated with, not integrated in.)
To my knowledge ldap(plain) is 389 and ldaps(SSL) is 636.
Your trace excerpts definitely are 636 (except one oddity below).

> in this client machine I tried to run "getent group", "sudo -l" or "id" 
> and usually fail. I have tried to run these commands without ssl and 
> everything is ok. The problem appears with ssl enabled.

Do you know what code actually does ldap or ldap+SSL client here? 
I.e. Are those utilities modified to do or invoke ldap themselves, 
or do they go through some kernel hook that comes back out to some 
other thing, maybe a helper process? This could make a difference 
in where errors get reported or recorded. On Unix they probably 
should be in some syslog, but which? And *might* be somewhere else.

>   I have captured traffic with wireshark and ... attached ... 
> plain txt with 6 packages ... wireshark says that the transmission 
> window is full and the client closes the connection.

(Language nit: packet(s) not package(s).)

This clearly doesn't have the MAC error you reported before;
did you fix/change something or did it just vanish? 

Aside: this list seems to support binary attachments, so you could 
probably provide the whole .pcap file if (1) it's not too big and 
(2) it doesn't contain any sensitive data like passwords.

What you have here does not look like an SSL protocol problem, 
and may or may not be an OpenSSL problem. Do you know if the ldap 
client code uses OpenSSL's default blocking I/O, or if it does 
something 'advanced' like nonblocking, BIO_pair, or custom BIO?
Does it (in your cases) do more than one request/response, and if so  
are those sequential or do they (try to) pipeline or overlap?

#268 svr-39950 analyzes as window full but you omitted (filtered?) 
the preceding packets which would show how big the window was, 
what was in it, and for how long (although you're <2sec from 
'reference' so it's not very long). I assume it's encrypted; 
did or can you try eNULL so it's (still SSL but) readable? 
Is at least the amount of data (about 251k) appropriate?
If you capture a nonSSL case, does it send and receive 
the same ldap data (modulo timestamps and nonces and such) 
or at least the same amount of data in the same pattern?

Is *some* of the received data acknowledged? I'd expect so, 
since 251k is large for an early window (though not impossible), 
unless a lot of this is handshake and maybe previous responses. 
Could the wire acknowledgement (of the current response only) 
be just in the stack (RCVBUF) or is there evidence that OpenSSL 
has actually recv-ed, or the client code has recv-ed and 
(we hope!) given to OpenSSL, some of it?

#269 39950-svr client immediately sends FIN and then RST.
That's odd; for (Open)SSL shutdown it should send an alert 
first (although possibly you omitted/filtered that)
and even if the client went directly to the socket level, 
perhaps because there has been an error (or it thinks so), 
I would expect to see normal FIN,FIN *xor* abort RST.
But on a quick test it appears (at least some?) Linux 
does FIN then immediate RST for linger 0. Yuck.
Is the client on Linux? sudo certainly implies some Unix.

Does the client display or log anything at this point in time?
Is there indication of a timeout happening, or any timeout that 
should apply here, that you can increase at least for test?

Hmm- maybe in the omitted packets client called SSL_shutdown 
and sent close_notify against a server flow which client didn't 
SSL_read; will OpenSSL (discard and) recv from stack in that case?
I don't have time to read through source or set up a test now.
But if client did that because it thinks there's something wrong 
with the data it's receiving, it really ought to say so.

#271,272 39951-svr send SYN recv SYNACK normally. This is 
presumably  the same client, or maybe a reincarnated one, 
if it got an error just above, trying a new connection. 

#287 svr8807-39950 rcvd RST -- I assume you omitted/filtered here. 
Did client#39950 really send to server#8807 (soon) before this? 
If so, re-using a port like that is very unusual, though legal.
If it didn't, it makes no sense at all for server to respond with 
an unrelated port, unless either it is mangling packets or something 
in between is doing so, and your addresses are very close which 
*usually* implies same link and nothing in between.

#438 after ~40 sec 39951-svr send FIN. Clearly you've omitted or 
filtered plenty here because this shows about 13k sent 26k rcvd,
and noticeable time passing.
#440 immediately send RST, like above except on

Re: Multiple connection from 1 client

2011-05-09


I would take up his offer of help.  Socket control over multiple 
sockets is tricky code and very specific to what you are trying to 
do.  My environment is single threaded and does similar things to 
yours -- but as Gayathri said, there are many details and exceptions 
and although with some online help or books I am sure with enough 
time you could do it (took me forever the first time) I suspect that 
this offer is as good as they get.  I am not jobless (lucky me) so I 
can't put in the time he can.

Gayathri -- would you be interested in pure C coding on a contract 
basis (intermittent, not really a job, more like occasional tasks) -- 
the code we write runs on AIX, Linux, OS/X, SCO, HP/UX, Centos, etc. 
so it is a little tricky to make work.  If you have interest let me 
know your rates and real email and so forth.

Thanks, Eric

If you have any specific doubts in writing this asynchronous state
machine email me privately at
I am pretty much jobless right now and can spend some time on this.


> Thanks, I will give this a try.
> // Harshvir
> Change the sockets.  This is what I use:
> Thanks for the reply Gayathri.
> Do you mean changing the sockets to non blocking, or when I
> create bio for ssl to make that as non blocking?

> Thanks.

Re: command line to c++ code

2011-05-09 Thread lists

On 04/13/2011 07:16 PM, luis hernandez wrote:

> I do not know if you have talked about this here, but I can not find the
>
> How to translate a command line command to a c++ code?
>
> For instance if at command prompt I do this: openssl x509 -inform DER
> -in cert.cer

There is no single openssl "main".
In this case, look into the source, the file is apps/x509.c
If you were issuing a command like openssl smime ..., then look into 
apps/smime.c, etc.

The "core" code for each OpenSSL command is in the file that I have 
indicated, common code to apps mostly does stuff like reading the 
configuration file, initializing OpenSSL (read the FAQ), etc.

> -noout -enddate
>
> What code will generate the same result?
>
> Is there a howto already written?
>
> I have bought the book Network Security with OpenSSL by O'Reilly. But
> I can not figure it out.
>
> TIA for your help.
>
> Luis Hernandez

Re: Multiple connection from 1 client

On 5/9/2011 6:27 AM, Harshvir Sidhu wrote:

> Also i suspect, that if i change the socket to non blocking, then
> my current read write code will not work. i mean the one in which i use
> FD_SET and select to perform operations.

It's very easy to get things wrong and it won't work unless you get 
everything right.

The most common mistake is refusing to call one of the SSL_* functions 
until you get a 'select' hit. You should only do that if OpenSSL 
specifically tells you to do that.

The second most common mistake is assuming that an SSL connection has 
separate read and write readiness, like a TCP connection does. An SSL 
connection is a single state machine and so has only a single state. (So 
if SSL_read returns WANT_READ and then you call SSL_write, regardless of 
what return value you get, the WANT_READ from SSL_read is invalidated 
because SSL_write can change the state of the SSL connection.)
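
The point in the reply above, as an added example that is not part of the original post: Python's ssl module (a wrapper around OpenSSL) stands in for the C API so the state machine can be driven through memory BIOs without a socket or server. SSLWantReadError corresponds to SSL_ERROR_WANT_READ; the host name and the alert bytes are constructed placeholders.

```python
import ssl

# Constructed sample: a TLS fatal alert record (handshake_failure) standing in
# for whatever bytes the peer would send; no real server is contacted.
CONSTRUCTED_PEER_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])

def new_client_engine():
    """TLS client state machine over memory BIOs instead of a socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.invalid" is a placeholder name, never resolved or contacted.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    return tls, incoming, outgoing

def attempt(op, *args):
    """Call the TLS operation first, then report what OpenSSL asked for."""
    try:
        op(*args)
        return "done"
    except ssl.SSLWantReadError:    # SSL_ERROR_WANT_READ: wait for readable
        return "want_read"
    except ssl.SSLWantWriteError:   # SSL_ERROR_WANT_WRITE: wait for writable
        return "want_write"
    except ssl.SSLError:            # fatal: stop retrying and tear down
        return "error"

def demo():
    tls, incoming, outgoing = new_client_engine()
    # The application only wants to WRITE, yet the engine has to handshake
    # first: it queues a ClientHello and asks the caller to wait for READ.
    first = attempt(tls.write, b"hello")
    to_send = outgoing.read()       # the caller must flush this to the socket
    # Only now would an event loop select() for readability. Simulate the
    # peer's bytes arriving, then retry the same call with the same data.
    incoming.write(CONSTRUCTED_PEER_ALERT)
    retried = attempt(tls.write, b"hello")
    return first, to_send, retried

if __name__ == "__main__":
    first, to_send, retried = demo()
    print(first, len(to_send), hex(to_send[0]), retried)
```

The write call is what produces the ClientHello; a loop that waited for a select hit before ever calling it would have nothing to wait for.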


Re: Multiple connection from 1 client

2011-05-09

Yes, once you make the socket nonblocking, your current ssl APIs will
not work. That is why I asked you to write the asynchronous state
machine. Go through the man pages for ssl accept, ssl read, ssl write for
non blocking cases. You need to handle special cases called want read
and write errors.

I will send a detailed email a little later.

> Hi,

Re: Multiple connection from 1 client

2011-05-09
I used the following code to change the socket to non blocking, but it's
still not successful, now it's not even able to complete SSL_accept. I am
changing the socket option for the accepted socket.

 /* needs <winsock2.h> and <stdio.h> */
 unsigned long iMode = 1;   /* non-zero enables non-blocking mode */
 int nReturn = ioctlsocket(sock, FIONBIO, &iMode);
 if (nReturn != NO_ERROR)   /* ioctlsocket returns SOCKET_ERROR on failure */
     printf("ioctlsocket failed with error: %d\n", WSAGetLastError());

Also I suspect, that if I change the socket to non blocking, then my
current read write code will not work. I mean the one in which I use FD_SET
and select to perform operations.


// Harshvir

RE: Initialization Vector for EVP_rc4() ?

2011-05-09
This is contrary to the specification: "The total length of an Enhanced
Provider symmetric key and its salt value cannot be greater than 128 bits."
So, I think this salt value should not have any influence, as the bits you
can set are the trailing bits between the reduced key size and the one the
algorithm requires.


I forgot to mention: the original application uses the Enhanced Cryptography
 ) which supports 128 bit RC4 keys. The application sets the RC4 cipher from
a full 128 bit key and a 128 bit salt.

I need to exchange encrypted content with an existing application on Windows
with an RC4 key that is salted as per (KP_SALT_EX). Note that this is not a
passphrase and salt key derivation, but a cipher initialized with a known
key and known initialization vector, similar to a block cipher.

I think technically RC4 does not have an IV, but what is the equivalent
operation I can perform in openssl to get the cipher in the desired state?
Specifying the salt as the iv param in EVP_EncryptInit does not work.

~ Remus

Re: Peer certificate doesn't survive i2d_SSL_SESSION / d2i_SSL_SESSION

2011-05-09
Arno Garrels wrote:
> Hi *,
> After a d2i_SSL_SESSION() session has been successfully
> resumed SSL_get_peer_certificate() returns NULL.
> Am I doing something wrong or is that the expected result?

Sorry, wrong test case, it actually works.

Arno Garrels

Peer certificate doesn't survive i2d_SSL_SESSION / d2i_SSL_SESSION

2011-05-09
Hi *,

After a d2i_SSL_SESSION() session has been successfully
resumed SSL_get_peer_certificate() returns NULL.
Am I doing something wrong or is that the expected result?

Thanks in advance.

Arno Garrels

