Re: [openssl-users] Re: connection problem with the version 1.0.1e
On 11/10/2013 19:57, nehakochar wrote:
> Erwann ABALEA wrote
>> The server and client are both compliant.
>> With the first command, you tell the client to use TLS1.0 only. No more, no less. The server is ok with it, and both negotiate TLS1.0.
>> With the second command, you tell the client to use TLS1.2 only, again no more no less. The server receives a TLS1.2 negotiation, replies with a TLS1.0 server hello message, and the client refuses it, cleanly (because you told it to do so).
>> If you want to allow only TLS1.0, TLS1.1 and TLS1.2, use -no_ssl2 -no_ssl3 options instead.
>
> In my case, SSL client is using OpenSSL 1.0.1e. I do not know which version the server is using, but it must be an older version. When the client is sending ClientHello with version 0x0303 (TLS1.2), the server does not respond at all.
> In which versions of OpenSSL is the above server behavior expected?

I used the same server you're talking about earlier in the thread: emea.webservices.travelport.com:443
And this server behaves as I wrote, correctly, sending a TLS1.0 ServerHello, refused by the client.
Are you talking about another one?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
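An added example, not part of the original message and not OpenSSL's code: a minimal C model of the client-side check described above, where a client restricted to TLS1.2 rejects a ServerHello carrying version 0x0301 while a client that only excludes SSLv2/SSLv3 accepts it. The ALLOW_* flags, the function names and the sample record bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flags: protocol versions the client is configured to accept. */
enum { ALLOW_TLS10 = 1, ALLOW_TLS11 = 2, ALLOW_TLS12 = 4 };

/* Return the 16-bit server_version of a ServerHello record, or -1 if the
 * buffer is not a well-formed handshake record carrying a ServerHello. */
int server_hello_version(const uint8_t *rec, size_t len)
{
    if (len < 11) return -1;        /* 5 record hdr + 4 handshake hdr + 2 version */
    if (rec[0] != 0x16) return -1;  /* ContentType: handshake */
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len < 6 || rec_len + 5 > len) return -1;
    if (rec[5] != 0x02) return -1;  /* HandshakeType: server_hello */
    return (rec[9] << 8) | rec[10];
}

/* Client-side decision: 1 = continue the handshake, 0 = refuse the ServerHello. */
int client_accepts(unsigned allowed, const uint8_t *rec, size_t len)
{
    switch (server_hello_version(rec, len)) {
    case 0x0301: return (allowed & ALLOW_TLS10) != 0;
    case 0x0302: return (allowed & ALLOW_TLS11) != 0;
    case 0x0303: return (allowed & ALLOW_TLS12) != 0;
    default:     return 0;          /* SSLv3 or older, malformed, or unknown */
    }
}

/* Constructed sample: a ServerHello record truncated right after server_version. */
static const uint8_t SAMPLE_TLS10_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x06,   /* record: handshake, version 3.1, length 6 */
    0x02, 0x00, 0x00, 0x02,         /* handshake: server_hello, body length 2 */
    0x03, 0x01                      /* server_version = 0x0301 (TLS1.0) */
};

int main(void)
{
    size_t n = sizeof SAMPLE_TLS10_HELLO;
    /* Models a client told to use TLS1.2 only (as with -tls1_2). */
    printf("TLS1.2 only:        %d\n", client_accepts(ALLOW_TLS12, SAMPLE_TLS10_HELLO, n));
    /* Models -no_ssl2 -no_ssl3: TLS1.0, TLS1.1 and TLS1.2 all allowed. */
    printf("TLS1.0 to TLS1.2:   %d\n",
           client_accepts(ALLOW_TLS10 | ALLOW_TLS11 | ALLOW_TLS12, SAMPLE_TLS10_HELLO, n));
    return 0;
}
```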
can non-blocking SSL_read() and SSL_write() be interleaved?
Can calls to non-blocking SSL_read() and SSL_write() be interleaved?

I'm doing select() / event driven IO, and using a BIO pair to handle the underlying socket IO myself. A typical sequence might be:

    SSL_read(ssl, read_buf, read_size);
        /* returns e.g. SSL_ERROR_WANT_READ */
    select();
        /* woken up by an unrelated event which triggers: */
    SSL_write(ssl, write_buf, write_size);
        /* which causes data to be appended to the BIO slave, then returns
           SSL_ERROR_NONE. We read the data from BIO master and schedule it
           to be written; then: */
    select();
        /* data available; read() and append to BIO master, then: */
    SSL_read(ssl, read_buf, read_size);
        /* returns SSL_ERROR_NONE */
    select();

Is that call to SSL_write() legitimate while the SSL_read() isn't finished?

--
Any [programming] language that doesn't occasionally surprise the novice will pay for it by continually surprising the expert.
    -- Larry Wall
Re: can non-blocking SSL_read() and SSL_write() be interleaved?
Dave Mitchell wrote:
> Can calls to non-blocking SSL_read() and SSL_write() be interleaved?
>
> I'm doing select() / event driven IO, and using a BIO pair to handle the underlying socket IO myself.

Yes, but not from 2 threads working on the same SSL * at the same time. So your single threaded example is fine.

2 threads can work on 2 different SSL * instances at the same time, providing you have set up and configured the necessary OpenSSL threading primitives.

There is no such thing as an unfinished SSL_read() call. Either it returns data or it doesn't. Each time you call the method OpenSSL will attempt to make further progress on returning more data.

Some people might say that when you call SSL_write() to push more data you can not change some elements of the arguments to the call when a partial write occurs (100% of the data you offered was not written). I have never found this to be the case. Search the Internet concerning:

    /usr/include/openssl/ssl.h:#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x0002L

Even the description does not make much sense, the address of the bytes isn't important. No one on this list has explained why this exists and a look over the source for the macro label shows it to make no difference.

Darryl
make install of openssl-1.0.0 exits error
Hello,

I am trying to install openssl-1.0.0 on fedora 19.
I tried different versions: openssl-1.0.0k.tar.gz, openssl-1.0.0f.tar.gz and openssl-1.0.0.tar.gz

./config and make appear ok but make install always ends like this:

    installing man1/gendsa.1
    installing man1/genpkey.1
    genpkey.pod around line 117: You forgot a '=back' before '=head1'
    POD document had syntax errors at /bin/pod2man line 69.
    make: *** [install_docs] Error 1
    [root@legolas openssl-1.0.0f]#

Any ideas, suggestions?

BTW: I am trying this because packettracer asks for this version:

    [root@legolas Downloads]# cd /opt/pt/bin
    [root@legolas bin]# ./PacketTracer6
    ./PacketTracer6: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
    [root@legolas bin]#

Thanks
Joost
Re: make install of openssl-1.0.0 exits error
On 14 October 2013 22:29, Joost Ringoot jo...@ringoot.org wrote:
> Hello,
>
> I am trying to install openssl-1.0.0 on fedora 19.
> I tried different versions: openssl-1.0.0k.tar.gz, openssl-1.0.0f.tar.gz and openssl-1.0.0.tar.gz
>
> ./config and make appear ok but make install always ends like this:
>
>     installing man1/gendsa.1
>     installing man1/genpkey.1
>     genpkey.pod around line 117: You forgot a '=back' before '=head1'
>     POD document had syntax errors at /bin/pod2man line 69.
>     make: *** [install_docs] Error 1
>     [root@legolas openssl-1.0.0f]#

Not familiar with PacketTracer so can't help there, but the above just looks like a bug building the documentation (possibly something to do with your perl version??)

If you're not fussed about installing the docs, try the following instead:

    make install_sw