[openssl-users] Dynamic link openssl with Visual Studio
I would like to use the Shining Light precompiled openssl binaries within Visual Studio. I can dynamic link with gcc and the libraries in OpenSSL/lib/MinGW I can static link with VS and the libraries in OpenSSL/lib/VC/static When I dynamic link with VS and the libraries in OpenSSL/lib/VC, it crashes on a call to PEM_read_PUBKEY(), and appears the stack is corrupted. I believe that the libeay32MDd.lib matches the VS /MDd setting. I tried with and without applink.c. Static link would not be the end of the world, but shouldn't it work? ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] FIPS mode uses /dev/urandom ?
Dear all, I'm doing an strace to the FIPS validated version of openssl, and I'm seeing that is uses /dev/urandom. I thought that the FIPS validated module always use /dev/random, isn't this the case, or am I doing something wrong?. If it uses /dev/urandom, is it possible/advisable to change it to /dev/random (how?), and still the module being FIPS validated? Thanks for your help in advance and best regards, Alberto. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
11.03.2015, 20:38, Salz, Rich rs...@akamai.com: Many servers have disabled client-initiated renegotation. I thought you were testing your client/server. Yes I want to test my own client and server. I don't disable renegotation manually. I don't know how to do this. Maybe it disabled by default? Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS mode uses /dev/urandom ?
On Mar 11, 2015, at 11:40 AM, Alberto Roman Linacero aro...@alienvault.com wrote: Dear all, I'm doing an strace to the FIPS validated version of openssl, and I'm seeing that is uses /dev/urandom. I thought that the FIPS validated module always use /dev/random, isn't this the case, or am I doing something wrong?. If it uses /dev/urandom, is it possible/advisable to change it to /dev/random (how?), and still the module being FIPS validated? It would depend on what code is reading from /dev/urandom. If it’s the FIPS Object Module that’s doing the reading, then no, absolutely not. If it’s the FIPS-capable OpenSSL that reads from /dev/urandom, you can probably change it. But I’m curious as to why you would want to do this. Most systems with /dev/random and /dev/urandom are similar to Linux, in that /dev/urandom is the preferred source for “random data”, including when seeding a PRNG (which is how it’s used by OpenSSL). And because /dev/random can block, you might have ridiculously poor performance (and worse, it’ll be unpredictably poor performance, i.e. sometimes it’ll work great, and other times it’ll be horrible, and you never which you’ll get). This page, http://www.2uo.de/myths-about-urandom/ , is specific to Linux, but at a high-level, It’s also true for AIX, HP-UX, Solaris, FreeBSD, and NetBSD (OpenBSD is more complex). I’m not about other UNIX-like systems, as I stopped using those before any of them ever provided such devices. :) TOM Thanks for your help in advance and best regards, Alberto. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Dynamic link openssl with Visual Studio
11.03.2015, 20:22, Ken Goldman kgold...@us.ibm.com: I would like to use the Shining Light precompiled openssl binaries within Visual Studio. I can dynamic link with gcc and the libraries in OpenSSL/lib/MinGW I can static link with VS and the libraries in OpenSSL/lib/VC/static When I dynamic link with VS and the libraries in OpenSSL/lib/VC, it crashes on a call to PEM_read_PUBKEY(), and appears the stack is corrupted. I believe that the libeay32MDd.lib matches the VS /MDd setting. I tried with and without applink.c. Static link would not be the end of the world, but shouldn't it work? I think you must simply build static libraries yourself with Visual C++. And it will work. Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Dynamic link openssl with Visual Studio
11.03.2015, 20:22, Ken Goldman kgold...@us.ibm.com: I would like to use the Shining Light precompiled openssl binaries within Visual Studio. I can dynamic link with gcc and the libraries in OpenSSL/lib/MinGW I can static link with VS and the libraries in OpenSSL/lib/VC/static When I dynamic link with VS and the libraries in OpenSSL/lib/VC, it crashes on a call to PEM_read_PUBKEY(), and appears the stack is corrupted. I believe that the libeay32MDd.lib matches the VS /MDd setting. I tried with and without applink.c. Static link would not be the end of the world, but shouldn't it work? I think you must simply build static or dynamic libraries(as you need) with Visual C++ yourself. And they will work. Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
10.03.2015, 21:40, Salz, Rich rs...@akamai.com:
Yes.
You probably need more than that. :) Take a look at the apps/s_client and
look for the 'R' constant to see how to do client-initiated reneg.
I have took a look at the apps/s_client.
I see only several lines of code about renegotiation:
//...
static int ;
if (++ == 52) {
SSL_renegotiate(con);
= 0;
}
//...
if ((!c_ign_eof) (cbuf[0] == 'R')) {
BIO_printf(bio_err, RENEGOTIATING\n);
SSL_renegotiate(con);
cbuf_len = 0;
}
//...
So only one function is used: SSL_renegotiate
I also use it - but nothing happens or error:
OpenSSL error: 5044:error:140940F5:SSL routines:ssl3_read_bytes:unexpected
record:.\ssl\s3_pkt.c:1611:
NO renegotioation!
More than that I tested s_client on several domains. I typed R after s_client
was connected but got a error:
2992:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake
failure:.\ssl\s3_pkt.c:644: error in s_client
I also have took a look at the s_server and saw only one function:
SSL_renegotiate that seems to be must make a renegotioation. I do some else in
code but: NO renegotioation happens! Why?
Can anybody help and though explain about renegotiation at all? Maybe I don't
know something...
When it can be used? Maybe it's disable by default for security reasons in
OpenSSL?
There is a function SSL_get_secure_renegotiation_support. Seems to be
renegotiation can be secure or no. Maybe something else
But right now I want to perform ANY type of renegotiation )) Nothing happens or
error...
Regards.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delay of email delivery for the list
11.03.2015, 08:20, Kurt Roeckx k...@roeckx.be: The mta.opensslfoundation.net was only very temporary and should not be used. openssl-users@openssl.org works just fine and doesn't have any delay for me. Ok. You can always check the headers why or where it has any delay. It's not so important for me as for example How to make a rehandshake(renegotiation) )) but let's see in my email's headers: Was sent: Date: Wed, 11 Mar 2015 19:02:30 +0300 The path: Received: by web8g.yandex.ru with HTTP; Wed, 11 Mar 2015 19:02:30 +0300 Received: from forward20.mail.yandex.net (forward20.mail.yandex.net by mta.openssl.org (Postfix) with ESMTPS id E6E9D2015F for openssl-users@openssl.org; Wed, 11 Mar 2015 16:10:20 + (UTC) [for my timezone 19:10:20 +0300] . Received: by mta.openssl.org (Postfix, from userid 106) id 7505E2044B; Wed, 11 Mar 2015 16:50:48 + (UTC) [for my timezone 19:50:48 +0300] . Received: from mta.openssl.org (mta.openssl.org [194.97.150.230]) by mxfront7j.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id yN2OVojEOL-onhON31U; Wed, 11 Mar 2015 19:50:49 +0300 Received: from mxfront7j.mail.yandex.net ([127.0.0.1]) by mxfront7j.mail.yandex.net with LMTP id nT56hQSL for ra...@yandex.com; Wed, 11 Mar 2015 19:50:50 +0300 So, it was sent by me at 19:02 (GMT+3). It was received by mta.openssl.org from my mail server already at 19:10 (GMT+3). And was delayed there until 19:50 (GMT+3). My mail server received it only at 19:50 (GMT+3). Once again, it's not so important. But the delay is on the mta.openssl.org mail server(s). Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
On 10/03/2015 20:10, Serj Rakitov wrote: Hi, Jakob. Thanks for reply. Now I have seen OpenSSL code and something clear for me. WANT_READ/WANT_WRITE it's just an implementation for WOULDBLOCK: not fatal error for non-blocking IO. So, for example for socket and Windows it's just WSAEWOULDBLOCK returns by WSAGetLastError. Peforms by BIO_sock_should_retry/BIO_sock_non_fatal_error in sock_read/sock_write. There was some incomprehension for me because I forgot that SSL_read/SSL_write can perform a handshake if it didn't happen before. This is the key, because if handshake took place when SSL_write never will want read(to my mind), because it's just perform writesocket(send) operation. But with Rehandshaking (renegotiation) still incomprehension... I don't know why there is a silence about this here and in the net! I have read Eric Rescorla's old(January 10, 2002) article and there he told about Rehandshaking on the Server and on the Client, so it's possible with OpenSSL, but maybe in newer versions of OpenSSL it is not possible? Jakob, can you tell me: is it possible to renegotiate a connection in OpenSSL? And if yes how to do it right? There is lots of mention of renegotiation (what you call rehandshaking) in the OpenSSL documents and discussions, so I am reasonably sure it can be done. It also seems there are secure and insecure ways to do it. I don't know the details though. This implies that the general rules about applications using non-blocking sockets having to always handle the possibility of WANT_READ/WANT_WRITE at any time might be invoked by renegotiation scenarios at any time. Because the rules say at any time, there is no specific discussion of applying those rules at specific times (such as during renegotiation). 10.03.2015, 19:06, Jakob Bohm jb-open...@wisemo.com: Not having tested or read the relevant OpenSSL code, I presume that SSL_write could want a read if it has sent a handshake message, but not yet received the reply, thus it cannot (encrypt and) send user data until it has received and acted on the handshake reply message. Maybe the easier scenarios are at the start of a session, where the initial handshake has not yet completed, as happens in a HTTPS client (always writes a request before the first read) or a simple SMTPS server (always writes a banner line before the first read of client commands, except in some servers that do an early read to check if a broken/spammer client is trying to send before receiving the banner). ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
Many servers have disabled client-initiated renegotation. I thought you were testing your client/server. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delay of email delivery for the list
The mta.opensslfoundation.net was only very temporary and should not be used. openssl-users@openssl.org works just fine and doesn't have any delay for me. You can always check the headers why or where it has any delay. Guess I'll mention this here. After the mailing list changes, MARC stopped archiving the OpenSSL lists, e.g. http://openssl.org/support/community.html Those don't have anything since January. I emailed MARC about it but got no reply. Maybe the list owners should try? BBB ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Handling “OpenSSL internal error, assertion failed”
When MD5 (or any non FIPS compliant) algorithm is used in FIPS mode, OpenSSL gives following error and application aborts. fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored Aborted (core dumped) In our application we want to handle this error and gracefully exit by logging appropriate error message. For which, we are looking out for an OpenSSL API or mechanism which can say whether the algorithm is FIPS compliant or not. And would not like to have hard coded algorithm list to check if its FIPS compliant or not. Can anyone help me out on this. Thanks!! -- View this message in context: http://openssl.6102.n7.nabble.com/Handling-OpenSSL-internal-error-assertion-failed-tp56907.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Handling ???OpenSSL internal error, assertion failed???
On Wed, Mar 11, 2015, Tejaswini wrote: When MD5 (or any non FIPS compliant) algorithm is used in FIPS mode, OpenSSL gives following error and application aborts. fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored Aborted (core dumped) In our application we want to handle this error and gracefully exit by logging appropriate error message. For which, we are looking out for an OpenSSL API or mechanism which can say whether the algorithm is FIPS compliant or not. And would not like to have hard coded algorithm list to check if its FIPS compliant or not. Can anyone help me out on this. You get an error code from EVP_DigestInit* if you attempt to use a non-FIPS algorithm in FIPS mode. You only get the above condition if you ignore that initial error. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delay of email delivery for the list
Guess I'll mention this here. After the mailing list changes, MARC stopped archiving the OpenSSL lists, e.g. Thanks, I'll get in touch with them. -- Senior Architect, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Handling ???OpenSSL internal error, assertion failed???
Thanks Steve, for the input. It helps me in handling the error. -- View this message in context: http://openssl.6102.n7.nabble.com/Handling-OpenSSL-internal-error-assertion-failed-tp56907p56930.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
