Crash on win64-R2
During the load run of the product on win2k8-R2, it keeps crashing after a few minutes in OpenSSL 1.0.0.0d with the below call stack of release binary. We are also using the same OpenSSL for other 32 bit platforms (RHEL, Sparc) too and no issue there.

libeay32.dll!SHA1_Update(SHAstate_st * c=0x006f, const void * data_=0x000a, unsigned __int64 len=29950912) Line 326 C
libeay32.dll!ssleay_rand_bytes(unsigned char * buf=0x01cc17d562ea025e, int num=1) Line 493 C
libeay32.dll!bnrand(int pseudorand=29970016, bignum_st * rnd=0x01c94da0, int bits=29970304, int top=-1, int bottom=0) Line 152 + 0xb bytes C
libeay32.dll!BN_rand(bignum_st * rnd=0x01c94f80, int bits=0, int top=29970272, int bottom=29934480) Line 214 C
libeay32.dll!bn_rand_range(int pseudo=29970304, bignum_st * r=0x01bf7fe0, const bignum_st * range=0x19e5f680) Line 281 + 0xf bytes C
libeay32.dll!BN_BLINDING_create_param(bn_blinding_st * b=0x24cd6830, const bignum_st * e=0x, bignum_st * m=0x01c94f80, bignum_ctx * ctx=0x, int (bignum_st *, const bignum_st *, const bignum_st *, const bignum_st *, bignum_ctx *, bn_mont_ctx_st *)* bn_mod_exp=0x004e1080, bn_mont_ctx_st * m_ctx=0x) Line 334 + 0xc bytes C
libeay32.dll!RSA_setup_blinding(rsa_st * rsa=0x0001, bignum_ctx * in_ctx=0x24cd6830) Line 424 C
libeay32.dll!rsa_get_blinding(rsa_st * rsa=0x24cd6830, int * local=0x01c90d50, bignum_ctx * ctx=0x01c36260) Line 270 + 0xb bytes C
libeay32.dll!RSA_eay_private_encrypt(int flen=35, const unsigned char * from=0x0001, unsigned char * to=0x15f07d00, rsa_st * rsa=0x0004, int padding=1) Line 401 C
libeay32.dll!RSA_private_encrypt(int flen=434501648, const unsigned char * from=0x0001, unsigned char * to=0x0080, rsa_st * rsa=0xcfa0daf99aacd25d, int padding=1) Line 298 C
libeay32.dll!RSA_sign(int type=753, const unsigned char * m=0x15f07d00, unsigned int m_len=617441328, unsigned char * sigret=0x15f07d00, unsigned int * siglen=0x19e5f8c0, rsa_st * rsa=0x01c91553) Line 134 C
Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?
Thanks. Finally got an opportunity to reboot the machine and install the new OpenSSL. This patch works correctly for me.

Thanks,
Justin

On 08/05/11 19:02, Michael Tüxen wrote:
On May 7, 2011, at 11:14 PM, Justin Schoeman wrote:
Michael Tüxen wrote:
On May 7, 2011, at 10:40 PM, Justin Schoeman wrote:
William A. Rowe Jr. wrote:
On 5/7/2011 7:16 AM, Justin Schoeman wrote:

It does not matter which of these I try, openssl always binds to '::1:8008', which does not accept IPV4. I have tried various combinations of: BIO_new_accept(0.0.0.0:8008)

This syntax should have bound to all IPv4 interfaces alone, so as Michael suggests, it's certainly a bug.

Thanks. If I get a chance I will have a further look on Monday. Can I just post a patch here if I manage to figure it out?

I know what is going on... I contacted Stephen to figure out what the correct behavior is for
BIO_new_accept(8008)
BIO_new_accept(*:8080)
Currently it is platform specific whether it returns an IPv4 or IPv6 socket. The fix is that you need to add
hint.ai_family = AI_PASSIVE;
and depending on the semantic of the above
hint.ai_family = AF_INET or
hint.ai_family = AF_INET6
for the above cases in BIO_get_accept_socket(). As soon as I get an answer from Stephen, I provide a patch.

Hi, the attached patch (submitted to the RT tracker) does the following:
1. BIO_new_accept(8008) will give an IPv4 or IPv6 socket, depending on the system.
2. BIO_new_accept(*:8080) will give an IPv4 socket.
3. BIO_new_accept(::8080) will give an IPv6 socket.

Best regards
Michael

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: SSL Communication using BIO
David,

So are you suggesting that I change the approach in my Code? My application is for Windows and in Managed C++. In that I am using a Callback function for receive; when the callback function is called, and when I call SSL_read in that, it hangs at the recv call in the OpenSSL code. My assumption is that data was already read from the socket when the callback was called. Another thing I would like to mention is I am using the Sockets Managed Class, not the native sockets.

// Harshvir

On Sun, May 22, 2011 at 10:06 PM, David Schwartz dav...@webmaster.com wrote:

On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:

Previously I have used SSL_XXX functions for performing SSL operations. Now I am working on an application which is written in Managed C++ using callback functions (BeginReceive and EndReceive), and the SSL_Read function is not working for that. So I tried using BIO_ functions to create a bio pair for internal and network bio and then using them to encrypt/decrypt data before sending using a normal socket, but when I try to use that my handshake is not getting completed. I do not see any error on s_server, but it doesn't seem to work when I try to enter something on the server side, my callback doesn't get called. Can someone point me to some example code for this in which BIO is used to encrypt and decrypt data and then using normal sockets for send/receive? I am not able to find anything in the openssl source example or on Google.

You are thinking about the problem wrong. You are thinking I need to send some data. So I send it to OpenSSL. OpenSSL encrypts it, so then I need to get that encrypted data from OpenSSL and write it to the socket. Then, the other end will reply, so I need to read some encrypted data from the socket, give it to OpenSSL, and then OpenSSL will decrypt it and give it to me. This attempt to look through the OpenSSL engine will produce broken code and pain.

Instead, treat the OpenSSL engine as a black box whose internals are wholly unknown to you. If you receive some data from the socket, give it to OpenSSL. If OpenSSL wants to send some data on the socket, send it. If you want to send some data to the other side, give it to OpenSSL. If OpenSSL has some plaintext for you, take it and process it. But make no assumptions about the sequence or interactions between these things.

For example, a typical mistake is to wait for data to be received on the socket before calling SSL_Read. This is completely broken behavior. Data received on the socket is encrypted. Data received from SSL_Read is decrypted. These are two distinct streams that, as far as your application should be concerned, are totally unrelated. (Except when SSL_Read specifically returns a WANT_READ, of course, and then only until some other event invalidates the WANT_READ indication.)

DS
Not able to read public modulus public exponent fields
Hi All,

I am trying to print *public modulus* and *public exponent* from a *X509 certificate*. The code snippet is as follows:

    void modulus_and_exponent(X509 *cert)
    {
        RSA *rsa_public_key = NULL;
        if (cert->cert_info->key->pkey) {
            rsa_public_key = EVP_PKEY_get1_RSA(cert->cert_info->key->pkey);
            printf("Public exponent--%s\n", BN_bn2dec(rsa_public_key->e));
            printf("Public modulus--%s\n", BN_bn2dec(rsa_public_key->n));
        } else {
            printf("PKEY NOT FOUND\n");
        }
    }

Output: *PKEY NOT FOUND*

The key structure contains other valid fields but pkey field is NULL when checked through gdb:

    (gdb) p *(cert->cert_info)
    $1 = {version = 0x8f2ecb8, serialNumber = 0x8f2fa38, signature = 0x8f2fa50, issuer = 0x8f2fa60, validity = 0x8f25fb8, subject = 0x8f25ff8, key = 0x8f26050, issuerUID = 0x0, subjectUID = 0x0, extensions = 0x8f2ef58}
    (gdb) p *(cert->cert_info->key)
    $2 = {algor = 0x8f26060, public_key = 0x8f26070, pkey = 0x0}
    (gdb)

The same certificate when printed using OpenSSL command *displays exponent and modulus* as follows:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 389 (0x185)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=IN, O=CL, OU=XYZ, CN=PC CA
            Validity
                Not Before: Nov 25 12:40:41 2010 GMT
                Not After : Feb 28 12:40:41 2031 GMT
            Subject: C=IN, O=Global, OU=XYZ, CN=Global CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier:
                    25:05:14:41:88:7F:0A:54:A4:04:92:05:9F:7B:F5:B1:63:D5:34:13
                X509v3 Authority Key Identifier:
                    keyid:22:31:20:B5:A8:DD:AC:DB:52:28:24:E6:F6:C6:A3:13:F2:94:A0:32
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
        Signature Algorithm: sha1WithRSAEncryption
Re: Not able to read public modulus public exponent fields
Hi,

Try:

    EVP_PKEY *pkey = X509_get_pubkey(cert);
    rsa_public_key = EVP_PKEY_get1_RSA(pkey);

Cheers
Christian

On Mon, May 23, 2011 at 06:41:34PM +0530, Vinay Kumar wrote:
Hi All, I am trying to print *public modulus* and *public exponent* from a *X509 certificate*.
Re: [openssl-users] CA
If this isn't resolved yet, can you post the contents of the old cert, new cert and the user cert?

-Sandeep

On Fri, May 20, 2011 at 8:33 PM, Alex Bergmann a...@linlab.net wrote:

Hi Erwann!

On 05/19/2011 10:20 AM, Erwann ABALEA wrote:

old end-user certificates can only be verified by the old CA certificate, of course (in case the CA is renewed, with its key changed, etc).

I didn't renew the CA certificate, I've used the existing private key to create the new one.

The only way I found was to give the new Root Certificate the same serial number as the previous one.

That's forbidden by X.509 standard. And the serial number has nothing to do with the SKI/AKI.

I agree, using the same serial number seems to be not valid. But, according to RFC 3280 the Authority Key Identifier MAY be based on either the key identifier ... or on the issuer name and serial number. My Root CA Certificate and user certificates shows exactly this information:

Root CA Certificate:
X509v3 Subject Key Identifier:
    A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E
X509v3 Authority Key Identifier:
    keyid:A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E
    DirName:Root CA Subject/Issuer DN
    serial:1C:26:30:4D:53:64:7A:83

User Certificate:
X509v3 Subject Key Identifier:
    7C:F7:66:B5:A4:83:42:1A:FF:AA:CB:0D:07:37:8A:81:E7:48:B8:1D
X509v3 Authority Key Identifier:
    keyid:A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E
    DirName:Root CA Subject/Issuer DN
    serial:1C:26:30:4D:53:64:7A:83

So the Root CA Certificate serial number is part of my X509v3 Authority Key Identifier.

Did you change the private key of the CA? If not, then:
- the SKI of the new CA certificate will be the same as the old certificate (it's a *Key* identifier, and is generally constructed from the public key)

I didn't change the private key, so the X509v3 Subject Key Identifier is always the same, right.

- you don't need to have the same serial number (remember, it's forbidden by X.509 standard)

Right, I've checked that with RFC 2459.

- you will be able to verify old end-user certificates with the new CA certificate (since the CA key didn't change), if the rest of the CA certificate permits it (validity dates, extensions).

This seems to be a problem if you're using openssl to verify the certificate. I've generated a new CA certificate with the same CA key as before. But only the verification with the old CA certificate was working.

# openssl verify -CAfile newca.pem user_cert.pem
user_cert.pem: User DN
error 20 at 0 depth lookup:unable to get local issuer certificate

According to old threads on this list this message has something to do with the AKID/SKID.

If you were in this situation, and only were able to verify end-user certificates if the new CA certificate had the same serial number as the old one, then I'm sure you made a mistake in your tests.

I agree, maybe I did something wrong here. What steps would I have to do to recertify my CA with openssl?

Cheers,
Alex
SnowLeopard: Broken 64-bit FIPS-capable OpenSSL?
Hello,

Has anyone been successful at calling FIPS_mode_set() from a 64-bit application on SnowLeopard? I have a one-line app that uses the 64-bit version of a FIPS-capable OpenSSL but it core dumps when I call FIPS_mode_set(). The core dump occurs in EVP_SignFinal(). If this is working for anyone, I would appreciate if you could share some details about how the OpenSSL was built. Or does anyone know if the 64-bit version of a FIPS-capable OpenSSL is supported on SnowLeopard? So far it looks like it is not.

Thanks,
Bill
Re: SSL Communication using BIO
Anyone any comments on this. Is openssl appropriate choice for my case?

// Harshvir

On Mon, May 23, 2011 at 3:59 AM, Harshvir Sidhu hvssi...@gmail.com wrote:
David, So are you suggesting that i change the approach in my Code.
Re: SSL Communication using BIO
On 05/23/11 1:59 AM, Harshvir Sidhu wrote:

So are you suggesting that I change the approach in my Code? My application is for Windows and in Managed C++. In that I am using a Callback function for receive; when the callback function is called, and when I call SSL_read in that, it hangs at the recv call in the OpenSSL code. My assumption is that data was already read from the socket when the callback was called. Another thing I would like to mention is I am using the Sockets Managed Class, not the native sockets.

If you are working in Windows Managed space, why not use the Windows native SSL functionality? I believe that's provided by SSPI and its Schannel support.

http://msdn.microsoft.com/en-us/library/aa380493(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/aa380123(v=VS.85).aspx

--
john r pierce N 37, W 123
santa cruz ca mid-left coast
Re: SSL Communication using BIO
I have discussed that with my team, we only have to use OpenSSL, SSAPI has been ruled out for our work.

// Harshvir

On Mon, May 23, 2011 at 3:56 PM, John R Pierce pie...@hogranch.com wrote:
if you are working in Windows Managed space, why not use the Windows native SSL functionality?
Download fips 1.2.3
Hi, all

Has anyone had problem with openssl-fips-1.2.3.tar.gz? When I tried to tar xvf on my Solaris 10 SPARC, the source had error message unexpected EOF. I have tried with different proxy servers and direct download from the site but had no luck. I now downloaded v1.2.2 and no problem with the source to configure and make.

Thanks.
Ryan Jiang

This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited.
Re: Download fips 1.2.3
You need to:

gunzip openssl-fips-1.2.3.tar.gz

That will create openssl-fips-1.2.3.tar

Then

tar -xvf openssl-fips-1.2.3.tar

Eric

At 03:11 PM 5/23/2011, Ruiyuan Jiang wrote:
Hi, all Has anyone had problem with openssl-fips-1.2.3.tar.gz?

Eric S. Eberhard
(928) 567-3727 Voice
(928) 567-6122 Fax
(928) 301-7537 Cell
Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC
For Metropolis support and VICS MBA Support http://www.vicsmba.com
Pictures of Snake in Spring http://www.facebook.com/album.php?aid=115547id=1409661701l=1c375e1f49
Pictures of Camp Verde http://www.facebook.com/album.php?aid=12771id=1409661701l=fc0e0a2bcf
Pictures of Land Cruiser in Sedona http://www.facebook.com/album.php?aid=50953id=1409661701
Pictures of Flagstaff area near our cabin http://www.facebook.com/album.php?aid=12750id=1409661701
Pictures of Cheryl in a Horse Show http://www.facebook.com/album.php?aid=32484id=1409661701
Pictures of the AZ Desert http://www.facebook.com/album.php?aid=58827id=1409661701
(You can see why we love this state :-) )
RE: Download fips 1.2.3
Hi, Eric

That is what I did exactly and failed on tar xvf and I don't have problem with 1.2.2.

Ryan

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eric S. Eberhard
Sent: Monday, May 23, 2011 6:22 PM
To: openssl-users@openssl.org; openssl-users@openssl.org
Subject: Re: Download fips 1.2.3

You need to: gunzip openssl-fips-1.2.3.tar.gz
Re: Download fips 1.2.3
Oh -- if you like being efficient and not wasting disk space this works nicely:

gunzip -c openssl-fips-1.2.3.tar.gz | tar xvf -

This will uncompress on the fly and leave the compressed file.

At 03:21 PM 5/23/2011, Eric S. Eberhard wrote:
You need to: gunzip openssl-fips-1.2.3.tar.gz
Re: SSL Communication using BIO
On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote:
> Anyone any comments on this. Is openssl appropriate choice for my case?

As I understand it you want OpenSSL to handle the protocol and encryption, but you don't want OpenSSL to do any network I/O itself: you want to do that (via the C# sockets class).

An example of using OpenSSL in this way is in demos/state_machine/state_machine.c in the OpenSSL distribution.

As David Schwartz says, the important thing is not to assume that reads and writes of your data correspond directly to reads and writes on the socket. SSL may need to perform multiple reads and writes before you see any data (for example, during a handshake or renegotiation).

state_machine.c uses memory BIOs to buffer data going in and out of SSL. I think a better way to do it in current versions of OpenSSL is to make your own, nonblocking BIO which calls into your C# code as needed. But I could be wrong.
Re: SSL Communication using BIO
You might also consider using stunnel which works perfectly and is easy to use in many cases and unless your volume is silly-high has plenty of performance to run in inetd mode which is very reliable. stunnel is based on openssl. It also makes your app independent of SSL changes which I like.

Eric

At 03:47 PM 5/23/2011, Wim Lewis wrote:
> On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote:
>> Anyone any comments on this. Is openssl appropriate choice for my case?
>
> As I understand it you want OpenSSL to handle the protocol and encryption, but you don't want OpenSSL to do any network I/O itself: you want to do that (via the C# sockets class).
>
> An example of using OpenSSL in this way is in demos/state_machine/state_machine.c in the OpenSSL distribution.
>
> As David Schwartz says, the important thing is not to assume that reads and writes of your data correspond directly to reads and writes on the socket. SSL may need to perform multiple reads and writes before you see any data (for example, during a handshake or renegotiation).
>
> state_machine.c uses memory BIOs to buffer data going in and out of SSL. I think a better way to do it in current versions of OpenSSL is to make your own, nonblocking BIO which calls into your C# code as needed. But I could be wrong.
RE: Download fips 1.2.3
Try this -- you may have a space problem.

    gunzip -c openssl-fips-1.2.3.tar.gz | tar xvf -

(this uncompresses on the fly)

You also might have had a space problem when you downloaded and the file is not complete, check the number of bytes against the ftp server. Last, you may have accidentally downloaded in ASCII mode instead of binary, which makes a mess of the file. Given that EOF seems to be the problem, I suspect download or gunzip space problems. May also want to try another mirror?

Eric

At 03:27 PM 5/23/2011, Ruiyuan Jiang wrote:
> Hi, Eric
>
> That is what I did exactly and failed on tar xvf and I don't have problem with 1.2.2.
>
> Ryan
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eric S. Eberhard
> Sent: Monday, May 23, 2011 6:22 PM
> To: openssl-users@openssl.org; openssl-users@openssl.org
> Subject: Re: Download fips 1.2.3
>
> You need to:
>
>     gunzip openssl-fips-1.2.3.tar.gz
>
> That will create openssl-fips-1.2.3.tar
>
> Then
>
>     tar -xvf openssl-fips-1.2.3.tar
>
> Eric
>
> At 03:11 PM 5/23/2011, Ruiyuan Jiang wrote:
>> Hi, all
>>
>> Has anyone had problem with openssl-fips-1.2.3.tar.gz? When I tried to tar xvf on my Solaris 10 SPARC, the source had error message unexpected EOF. I have tried with different proxy servers and direct download from the site but had no luck. I now downloaded v1.2.2 and no problem with the source to configure and make.
>>
>> Thanks.
>>
>> Ryan Jiang
Re: SSL Communication using BIO
I think you can read this article and it will be helpful.

http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html

On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu hvssi...@gmail.com wrote:
> David,
>
> So are you suggesting that I change the approach in my Code. My application is for Windows and in Managed C++. In that I am using Callback function for receive, when the callback function is called, and when I call SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption is that data was already read from socket, when callback was called.
>
> Another thing I would like to mention is I am using Sockets Managed Class, not the native sockets.
Re: SSL Communication using BIO
Actually I would seriously recommend you read the OpenSSL book written by Eric Rescorla, it discusses all the use cases of openssl, BIO, async/sync usages, so that you get an idea of how OpenSSL itself works.

On Mon, May 23, 2011 at 6:02 PM, Neo Liu diablo...@gmail.com wrote:
> I think you can read this article and it will be helpful.
>
> http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html
>
> On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu hvssi...@gmail.com wrote:
>> David,
>>
>> So are you suggesting that I change the approach in my Code. My application is for Windows and in Managed C++. In that I am using Callback function for receive, when the callback function is called, and when I call SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption is that data was already read from socket, when callback was called.
>>
>> Another thing I would like to mention is I am using Sockets Managed Class, not the native sockets.
Re: SSL Communication using BIO
or ... keep it simple and at least consider using stunnel. I have a LOT of applications using openssl, 3/4 I just use stunnel and forget about it. For a few when I need to do crazy things, I code and link in to my application. But you can save a lot of trouble with stunnel, at least as a first step (proof of concept). BTW, I also use the Windows version which you can download with an installer and it works great as well.

E

At 04:12 PM 5/23/2011, Gayathri Sundar wrote:
> Actually I would seriously recommend you read the OpenSSL book written by Eric Rescorla, it discusses all the use cases of openssl, BIO, async/sync usages, so that you get an idea of how OpenSSL itself works.
>
> On Mon, May 23, 2011 at 6:02 PM, Neo Liu diablo...@gmail.com wrote:
>> I think you can read this article and it will be helpful.
>>
>> http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html
>>
>> On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu hvssi...@gmail.com wrote:
>>> David,
>>>
>>> So are you suggesting that I change the approach in my Code. My application is for Windows and in Managed C++. In that I am using Callback function for receive, when the callback function is called, and when I call SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption is that data was already read from socket, when callback was called.
>>>
>>> Another thing I would like to mention is I am using Sockets Managed Class, not the native sockets.
Re: SSL Communication using BIO
On 5/23/2011 1:59 AM, Harshvir Sidhu wrote:
> David,
>
> So are you suggesting that I change the approach in my Code.

Hard for me to give you a useful answer without seeing your code. If your code tries to treat OpenSSL as a filter, expecting input and output to correlate, then yes. If your code handled OpenSSL as a black box with four separate I/O paths (encrypted data in, encrypted data out, plaintext in, plaintext out) without assuming any relationship between them, then it's fine.

> My application is for Windows and in Managed C++. In that I am using Callback function for receive, when the callback function is called, and when I call SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption is that data was already read from socket, when callback was called.
>
> Another thing I would like to mention is I am using Sockets Managed Class, not the native sockets.

When your callback function is called, that means encrypted data is available on the socket. The SSL_Read function is for reading unencrypted data from the SSL engine. It is only appropriate to call SSL_Read in response to a data available callback on the socket in one case -- if your last SSL operation was an SSL_Read and it returned a WANT_READ indication. In any other case, this is broken behavior reflecting erroneously trying to look through the SSL engine.

Your code must treat the SSL engine as a black box. Yes, we happen to know that *IN* *GENERAL* we're reading encrypted data from the socket, decrypting it, and then passing the plaintext to the application, your code should treat this as an OpenSSL internal detail and should not pretend it knows that this will happen.

DS
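The four-path model described in the message above, as an added example that is not part of the thread: it uses Python's standard `ssl` module (a binding to OpenSSL's memory BIOs) instead of the C API, so the engine never calls recv itself and reports WANT_READ instead of blocking. The class `TlsEngine`, its method names and the host name `server.example` are assumptions made for illustration.

```python
import ssl


class TlsEngine:
    """Client-side TLS engine that never touches a socket (hypothetical helper).

    Four independent paths:
      feed_ciphertext()   encrypted data in   (bytes your transport received)
      drain_ciphertext()  encrypted data out  (bytes your transport must send)
      send_plaintext()    plaintext in        (from the application)
      recv_plaintext()    plaintext out       (to the application)
    """

    def __init__(self, server_hostname):
        ctx = ssl.create_default_context()
        self._in = ssl.MemoryBIO()     # ciphertext received from the peer
        self._out = ssl.MemoryBIO()    # ciphertext waiting to be sent
        self._tls = ctx.wrap_bio(self._in, self._out,
                                 server_hostname=server_hostname)
        self._pending = []             # plaintext the engine cannot take yet
        self._plain = bytearray()      # decrypted data for the application
        self.handshake_done = False

    def _advance(self):
        """Drive the engine as far as the buffered ciphertext allows."""
        try:
            if not self.handshake_done:
                self._tls.do_handshake()
                self.handshake_done = True
            while self._pending:
                sent = self._tls.write(self._pending[0])
                rest = self._pending[0][sent:]
                if rest:
                    self._pending[0] = rest
                else:
                    self._pending.pop(0)
            while True:
                chunk = self._tls.read(16384)
                if not chunk:          # peer closed the TLS session
                    break
                self._plain += chunk
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            pass   # engine is waiting for more ciphertext; nothing blocks

    def feed_ciphertext(self, data):
        self._in.write(data)
        self._advance()

    def drain_ciphertext(self):
        return self._out.read()

    def send_plaintext(self, data):
        self._pending.append(data)
        self._advance()

    def recv_plaintext(self):
        data, self._plain = bytes(self._plain), bytearray()
        return data

    def queued_plaintext(self):
        return len(self._pending)


def demo():
    eng = TlsEngine("server.example")          # constructed name, no network
    eng.send_plaintext(b"GET / HTTP/1.0\r\n\r\n")
    client_hello = eng.drain_ciphertext()      # handshake bytes, not our data
    after_drain = eng.drain_ciphertext()
    # Constructed input: the first 3 bytes of a TLS record header, as if a
    # "data available" callback had fired with a partial read.
    eng.feed_ciphertext(b"\x16\x03\x03")
    return {
        "client_hello": client_hello,
        "after_drain": after_drain,
        "plaintext": eng.recv_plaintext(),
        "queued": eng.queued_plaintext(),
        "handshake_done": eng.handshake_done,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if not isinstance(value, bytes) else value[:8])
```
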
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Sun, May 22, 2011, Bill Durant wrote:
> Hello,
>
> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>
> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7. But fips_shatest and the openssl command are core dumping when I do a 'make test'
>
> For example:
>
>     ./config fipscanisterbuild
>     make
>     make test (fips_shatest and openssl core dump at this step)

Does fips_test_suite run OK?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Download fips 1.2.3
Solaris has a buggy tar. You need to use GNU tar.

-Kyle H

On Mon, May 23, 2011 at 3:11 PM, Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:
> Hi, all
>
> Has anyone had problem with openssl-fips-1.2.3.tar.gz? When I tried to “tar xvf” on my Solaris 10 SPARC, the source had error message “unexpected EOF”. I have tried with different proxy servers and direct download from the site but had no luck. I now downloaded v1.2.2 and no problem with the source to configure and make.
>
> Thanks.
>
> Ryan Jiang
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
> On Sun, May 22, 2011, Bill Durant wrote:
>> Hello,
>>
>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>
>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7. But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>
>> For example:
>>
>>     ./config fipscanisterbuild
>>     make
>>     make test (fips_shatest and openssl core dump at this step)
>
> Does fips_test_suite run OK?

I ran fips_test_suite and it has been pegged for almost two hours on the following:

=
$ ./fips_test_suite
FIPS-mode test application

1. Non-Approved cryptographic operation test...
=

The CPU is at 100% on fips_test_suite. It does not get past that.

Any ideas?

Thanks,

Bill
FIPS-capable OpenSSL stops working sporadically
Hello,

Does anyone know how can any application work 100% reliably with a FIPS-capable OpenSSL given the following requirement from page 33 of the OpenSSL UserGuide at http://www.openssl.org/docs/fips/UserGuide.pdf:

===
The standard OpenSSL build with the fips option will use a base address for libeay32.dll of 0xFB0 by default. This value was chosen because it is unlikely to conflict with other dynamically loaded libraries. In the event of a clash with another dynamically loaded library which will trigger runtime relocation of libeay32.dll the integrity check will fail with the error

    FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED

A base address conflict can be resolved by shuffling the other DLLs or re-compiling OpenSSL with an alternative base address specified with the --with-baseaddr= option.

Note that the developer can identify which DLLs are relocated with the Process Explorer utility from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx.
=

I am hitting this problem sporadically with my application on various Windows flavors. The dynamic loader on Windows changes the base address of libeay32.dll whenever it wants to. As a result, my application stops working because FIPS_mode_set() fails. So I am ending up with an unreliable application.

I have no control on all of the dynamically loaded libraries in a system so I am unable to shuffle the other DLLs as suggested in the user guide. And changing the base address at build time is also not guaranteed to work 100% reliably because it could also conflict with some other DLL's base address.

So what to do? Is there some trick/workaround to make this work?

Thanks,

Bill
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Tue, May 24, 2011 at 12:05 AM, ciphertexto cipherte...@gmail.com wrote:
> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>> On Sun, May 22, 2011, Bill Durant wrote:
>>> Hello,
>>>
>>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>>
>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7. But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>
>>> For example:
>>>
>>>     ./config fipscanisterbuild
>>>     make
>>>     make test (fips_shatest and openssl core dump at this step)
>>
>> Does fips_test_suite run OK?
>
> [SNIP]

Not for me with 10.6.7 (from About the Mac) on a Core 2 Duo.

jeffrey@newton~/openssl-fips-1.2$ uname -a
Darwin newton 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386

../util/shlib_wrap.sh ./sha512t
Testing SHA-512 ... passed.
Testing SHA-384 ... passed.
if [ -n libcrypto ]; then \
    ../util/shlib_wrap.sh ./fips_shatest SHAmix.req | diff -w SHAmix.fax - ; \
fi
1,129d0
[L = 64]
Len = 16
Msg = 98a1
MD = 74d78642f70ca830bec75fc60a585917e388cfa4cd1d23daab1c4d9ff1010cac3e67275df64db5a6a7c7d0fda24f1fc3eb272678a7c8becff6743ee812129078
...